ZyXEL Communications ZyWALL ATP Series Handbook

Security firewalls
ZyWALL/USG/ATP/VPN Series
ATP100 / ATP100W / ATP200 / ATP500 / ATP700 / ATP800
USG20-VPN / USG20W-VPN / USG40 / USG40W /
USG60 / USG60W / USG110 / USG210 / USG310 /
USG1100 / USG1900 / USG2200-VPN
USG FLEX 100 / USG FLEX 200 / USG FLEX 500
VPN50 / VPN100 / VPN300 / VPN1000
Security Firewalls
Edition 5, June/2020
Handbook
Default Login Details
LAN Port IP Address: https://192.168.1.1
User Name: admin
Password: 1234
www.zyxel.com
1/782

Summary of Contents for ZyXEL Communications ZyWALL ATP Series

  • Page 1 ZyWALL/USG/ATP/VPN Series ATP100 / ATP100W / ATP200 / ATP500 / ATP700 / ATP800 USG20-VPN / USG20W-VPN / USG40 / USG40W / USG60 / USG60W / USG110 / USG210 / USG310 / USG1100 / USG1900 / USG2200-VPN USG FLEX 100 / USG FLEX 200 / USG FLEX 500 VPN50 / VPN100 / VPN300 / VPN1000 Security Firewalls Edition 5, June/2020...
  • Page 2: Table of Contents

    © 2020 ZyXEL Communications Corporation. Table of Contents: How to Configure Site-to-site IPSec VPN with Amazon VPC (p. 20); Set Up the IPSec VPN Tunnel on the Amazon VPC (p. 21); Set Up the IPSec VPN Tunnel on the ZyWALL/USG (p. 25); Test the IPSec VPN Tunnel ...
  • Page 3 What Could Go Wrong? (p. 85); How to Configure IPSec Site to Site VPN while one Site is behind a NAT router (p. 87); Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ) (p. 87); Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch) ...
  • Page 4 Test the IPSec VPN Tunnel (p. 157); What Could Go Wrong? (p. 160); How to Configure IPSec VPN with ZyWALL IPSec VPN Client (p. 161); Set Up the ZyWALL/USG IPSec VPN Tunnel (p. 162); Set Up the ZyWALL IPSec VPN Client (p. 166); Test the IPSec VPN Tunnel ...
  • Page 5 Set up the Failover Command Line (ZyWALL/USG HQ) (p. 239); Test the IPSec VPN Tunnel (p. 240); What Could Go Wrong? (p. 242); How to Configure L2TP over IPSec VPN while the ZyWALL/USG is behind a NAT router (p. 244); Set Up the L2TP VPN Tunnel on the ZyWALL/USG_HQ ...
  • Page 6 Set Up the L2TP VPN Tunnel on the iOS Mobile Device (p. 305); Test the L2TP over IPSec VPN Tunnel (p. 308); What Could Go Wrong? (p. 310); How to Import ZyWALL/USG Certificate for L2TP over IPsec in Android mobile phone ...
  • Page 7 Test the SSL VPN Tunnel (p. 360); What Could Go Wrong? (p. 362); How to Configure an SSL VPN Tunnel (with SecuExtender version 4.0.0.1) on the Windows 10 Operating System (p. 363); Set up the SSL VPN Tunnel with Windows 10 (p. 363); What Can Go Wrong? ...
  • Page 8 Set Up the Security Policy on the ZyWALL/USG (p. 409); Test the Result (p. 410); What Could Go Wrong? (p. 411); How to Configure Content Filter 2.0 with HTTPs Domain Filter (p. 412); Application Scenario (p. 412); Set Up the Content Filter on the ZyWALL/USG (p. 413); Set Up the Security Policy on the ZyWALL/USG ...
  • Page 9 Set Up the VRPT Server (p. 445); Set Up the ZyWALL/USG Remote Server Setting (p. 448); Test the Remote Server (p. 449); What Could Go Wrong? (p. 449); How to Set Up and Send Logs to the USB Storage (p. 450); Set Up the USB System Settings ...
  • Page 10 Set Up the Schedule Run (p. 488); Check the Result (p. 488); How To Register Your Device and Services at myZyXEL.com (p. 489); Account Creation (p. 490); Device Registration (p. 492); Service Registration (In the Case of Standard License) (p. 493); Device Management (In the Case of Registering Bundled Licenses) ...
  • Page 11 Set Up the SSL Inspection on the ZyWALL/USG (p. 530); Set Up the Security Policy on the ZyWALL/USG (p. 531); Export Certificate from ZyWALL/USG and Import it to Windows 7 Operating System (p. 531); Test the Result (p. 537); What Could Go Wrong? ...
  • Page 12 Test the Result (p. 567); Set up the URL Blocking on the ATP series (p. 568); Test the Result (p. 568); How to Use Sandboxing to Detect Unknown Malware (p. 570); Set Up Sandboxing on ATP (p. 571); Test the Result (p. 573); What Can Go Wrong? ...
  • Page 13 How to Configure DNS Inbound Load Balancing to Balance DNS Queries Among Interfaces (p. 595); Set Up the DNS Inbound Load Balancing on the ZyWALL/USG (p. 596); Set Up the NAT Rule on the ZyWALL/USG (p. 597); Test the Result (p. 598); What Could Go Wrong? ...
  • Page 14 Set Up the 3G/LTE Interface on the ZyWALL/USG (p. 634); Set Up the Trunk on the ZyWALL/USG (p. 635); Test the Result (p. 636); What Could Go Wrong? (p. 637); How to Configure Two Different WAN Interfaces with Different IP Addresses in the Same VLAN ...
  • Page 15 How to Create Wi-Fi VLAN Interfaces to Separate the Staff Network and the Guest Network (p. 666); Set up Wi-Fi VLAN interfaces (p. 667); Test result (p. 677); What could go wrong (p. 679); How to Set Up WiFi Networks with Microsoft Active Directory Authentication ...
  • Page 16 Save the Firmware on the USB (p. 705); Plug the USB into the Device (p. 706); The Device Checks the Running Partition for the Model ID and the Firmware Version (p. 706); Check Firmware Status (p. 707); What Can Go Wrong? (p. 708); How to Configure DHCP Option 60 – ...
  • Page 17 Connect All Ethernet Cables Back on Device 1 (p. 732); Firmware Downgrade on Device 2 (p. 732); Enable Device HA Pro on Device 2 (p. 733); Test the Result (p. 733); Appendix. Edit the Configuration File (p. 734); How to Replace One Defective Device of HA Pro (p. 736); Scenario and Topology ...
  • Page 18 Check the synchronization status on the Active device (p. 754); Check the synchronization status on the Passive device (p. 755); Fail cases (p. 757); Exception case (p. 758); What Can Go Wrong? (p. 759); How to Set Up Two-Factor Authentication for admin login (p. 760); Set Up the SMTP function on your device ...
  • Page 20: How to Configure Site-to-site IPSec VPN with Amazon VPC

    How to Configure Site-to-site IPSec VPN with Amazon VPC This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and an Amazon VPC platform. The example shows how to configure the VPN tunnel at each site. When the VPN tunnel is configured, each site can be accessed securely.
  • Page 21: Set Up the IPSec VPN Tunnel on the Amazon VPC

    Set Up the IPSec VPN Tunnel on the Amazon VPC Sign into the Amazon AWS Management Console. Go to Networking > VPC. Amazon AWS Management Console > Networking > VPC In the upper left-hand corner of the screen, click Start VPC Wizard. Amazon VPC Management Console >...
  • Page 22 Select a VPC Configuration > VPC with a Private Subnet Only and Hardware VPN Access. In VPC with a Private Subnet Only and Hardware VPN, add your IP CIDR block and Private subnet. Click Next. VPC with a Private Subnet Only and Hardware VPN
  • Page 23 Configure your VPN: add your ZyWALL/USG public IP address into Customer Gateway IP. Name your Customer Gateway and VPN Connection. Click Create VPC at the bottom of the blade. Configure your VPN In the VPC Dashboard, go to VPN Connections. Select Download Configuration from the upper bar.
  • Page 24 VPC Dashboard > VPN Connections Open the downloaded configuration .txt file; it displays the IKE SA, IPSec SA and Gateway IP address. Make sure all of these settings match your ZyWALL/USG's settings. Configuration .txt File
  • Page 25: Set Up the IPSec VPN Tunnel on the ZyWALL/USG

    Set Up the IPSec VPN Tunnel on the ZyWALL/USG In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the Amazon VPC. Click Next. Quick Setup >...
  • Page 26 Choose Advanced to create a VPN rule with customized phase 1 and phase 2 settings and authentication method. Click Next. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters.
  • Page 27 Then, configure the Secure Gateway IP as the peer Amazon VPC's Gateway IP address (in the example, 52.39.135.203); select My Address to be the interface connected to the Internet. Set the Negotiation, Encryption, Authentication, Key Group and SA Life Time values that Amazon VPC supports.
  • Page 28 Continue to Phase 2 Settings to select the Encapsulation, Encryption, Authentication, and SA Life Time settings that Amazon VPC supports. Set Local Policy to the IP address range of the network connected to the ZyWALL/USG and Remote Policy to the IP address range of the network connected to the Amazon VPC.
  • Page 29 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Phase 2 Setting)
  • Page 30 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN >...
  • Page 31: Test the IPSec VPN Tunnel

    Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings > Wizard Completed Test the IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected.
  • Page 32: What Could Go Wrong?

    Ping from the local LAN to the AWS VPC private subnet for verification. What Could Go Wrong? If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1 Settings. Make sure your ZyWALL/USG Phase 1 Settings are supported in the Amazon VPC IKE Phase 1 setup list.
  • Page 33: How to Configure Site-to-site IPSec VPN with Microsoft (MS) Azure

    How to Configure Site-to-site IPSec VPN with Microsoft (MS) Azure This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and a Microsoft (MS) Azure platform. The example shows how to configure the VPN tunnel at each site. When the VPN tunnel is configured, each site can be accessed securely.
  • Page 34: Set Up the IPSec VPN Tunnel on the ZyWALL/USG

    Set Up the IPSec VPN Tunnel on the ZyWALL/USG In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with MS Azure. Click Next. Quick Setup >...
  • Page 35 Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Then, configure the Secure Gateway IP as the peer MS Azure's Gateway IP address (in the example, 13.75.42.148);...
  • Page 36 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Phase 1 Setting) Note: For more information about the IPsec parameters supported in MS Azure, see the Microsoft Azure documentation "About VPN devices for Site-to-Site VPN Gateway connections".
  • Page 37 Continue to Phase 2 Settings to select the Encapsulation, Encryption, Authentication, and SA Life Time settings that MS Azure supports. Set Local Policy to the IP address range of the network connected to the ZyWALL/USG and Remote Policy to the IP address range of the network connected to MS Azure.
  • Page 38 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN >...
  • Page 39: Set Up the IPSec VPN Tunnel on MS Azure

    Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings > Wizard Completed Set Up the IPSec VPN Tunnel on MS Azure Sign into the Windows Azure Management Portal. In the upper left-hand corner of the screen, click +New >...
  • Page 40 Near the bottom of the Virtual Network blade, from the Select a deployment model list, select Resource Manager, and then click Create. New > Networking > Virtual Network > Select a deployment model On the Create virtual network page, enter the NAME for the VPN network. For example, VPN_Vnet_to_USG.
  • Page 41 Then, click the Create button. After clicking Create, you will see a tile on your dashboard that reflects the progress of your VNet. The tile changes as the VNet is being created. New > Networking > Virtual Network > Create virtual network In the portal, navigate to the virtual network you just created.
  • Page 42 GatewaySubnet. You should not name it anything else, or the gateway will not work. Add the IP address range for your gateway. Click OK at the bottom of the blade to create the subnet. VPN_Vnet_to_USG > Settings > Subnet > Add subnet In the portal, go to New, then Networking.
  • Page 43 For Gateway type, select VPN. For VPN type, select Policy-based. For Resource Group, the resource group is determined by the Virtual Network that you select. For Location, make sure it shows the location that both your Resource Group and VNet exist in. New >...
  • Page 44 gateway, you can use the same location as the virtual network gateway, but this is not required. The local network gateway can be in a different location. Click Create to create the local network gateway. New > Networking > Local network gateway
  • Page 45 Locate your virtual network gateway (VPN_Connection_to_USG in this example) and click Settings > Connection > Add connection. Name your connection. For Connection type, select Site-to-site (IPSec). For Virtual network gateway, the value is fixed because you are connecting from this gateway (VPN_GW_to_USG in this example).
  • Page 46: Test the IPSec VPN Tunnel

    When the connection is complete, you'll see it appear in the Connections blade for your gateway. VPN_Connection_to_USG > Settings > Connections Test the IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar.
  • Page 47 Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and the Inbound (Bytes)/Outbound (Bytes) traffic. MONITOR > VPN Monitor > IPSec Go to Azure_Vnet_USG > Settings to check the tunnel DATA IN and DATA OUT. VPN >...
  • Page 48 To test whether or not a tunnel is working, ping from a computer at one site to a computer at the other. Ensure that both computers have Internet access. PC behind ZyWALL/USG > Windows 7 > cmd > ping 10.1.0.33 PC behind MS Azure >...
  • Page 49: What Could Go Wrong?

    What Could Go Wrong? If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1 Settings. Make sure your ZyWALL/USG Phase 1 Settings are supported in the MS Azure IKE Phase 1 setup list. MONITOR > Log If you see that the Phase 1 IKE SA process is done but you still get the [info] log message below, check the ZyWALL/USG Phase 2 Settings.
  • Page 50: How to Configure GRE over IPSec VPN Tunnel

    How to Configure GRE over IPSec VPN Tunnel This example shows how to use the VPN Setup Wizard to create a GRE over IPSec VPN tunnel between ZyWALL/USG devices. The example shows how to configure the VPN tunnel at each site. When the GRE over IPSec VPN tunnel is configured, each site can be accessed securely.
  • Page 51: Set Up the ZyWALL/USG GRE over IPSec VPN Tunnel of Corporate Network (HQ)

    Set Up the ZyWALL/USG GRE over IPSec VPN Tunnel of Corporate Network (HQ) In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the FortiGate. Click Next. Quick Setup >...
  • Page 52 Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Configure Secure Gateway IP as the Branch's WAN IP address (in the example, 111.250.184.80).
  • Page 53 This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...
  • Page 54 Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings. Configure Authentication > Peer ID Type as Any so that the ZyWALL/USG does not check the identity content of the remote IPSec router. CONFIGURATION >...
  • Page 55 CONFIGURATION > Network > Interface > Tunnel > Add
  • Page 56: Set Up the ZyWALL/USG GRE over IPSec VPN Tunnel of Corporate Network (Branch)

    Set Up the ZyWALL/USG GRE over IPSec VPN Tunnel of Corporate Network (Branch) In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the FortiGate. Click Next. Quick Setup >...
  • Page 57 Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Configure Secure Gateway IP as the HQ's WAN IP address (in the example, 61.228.245.247).
  • Page 58 This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...
  • Page 59 Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings. Configure Authentication > Peer ID Type as Any so that the ZyWALL/USG does not check the identity content of the remote IPSec router. CONFIGURATION >...
  • Page 60: Test the GRE over IPSec VPN Tunnel

    CONFIGURATION > Network > Interface > Tunnel > Add Test the GRE over IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected.
  • Page 61: What Could Go Wrong?

    Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and Inbound (Bytes)/Outbound (Bytes) traffic. MONITOR > VPN Monitor > IPSec What Could Go Wrong? If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1 Settings.
  • Page 63: How to Configure Site-to-site IPSec VPN Where the Peer has a Static IP Address

    How to Configure Site-to-site IPSec VPN Where the Peer has a Static IP Address This example shows how to use the VPN Setup Wizard to create a site-to-site VPN where the peer has a static IP address. The example shows how to configure the VPN tunnel at each site.
  • Page 64 Quick Setup > VPN Setup Wizard > Welcome Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and use a pre-shared key as the authentication method. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type
  • Page 65 Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
  • Page 66 Configure Secure Gateway IP as the peer ZyWALL/USG's WAN IP address (in the example, 172.100.30.54). Type a secure Pre-Shared Key (8-32 characters). Set Local Policy to the IP address range of the network connected to the ZyWALL/USG and Remote Policy to the IP address range of the network connected to the peer ZyWALL/USG.
  • Page 67 Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard. Quick Setup >...
  • Page 68: Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch)

    Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch) In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG. Click Next.
  • Page 69 Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and to use a pre-shared key. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters.
  • Page 70 Configure Secure Gateway IP as the peer ZyWALL/USG's WAN IP address (in the example, 172.101.30.68). Type a secure Pre-Shared Key (8-32 characters). Set Local Policy to the IP address range of the network connected to the ZyWALL/USG and Remote Policy to the IP address range of the network connected to the peer ZyWALL/USG.
  • Page 71 Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard. Quick Setup >...
  • Page 72: Test the IPSec VPN Tunnel

    Test the IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected. CONFIGURATION > VPN > IPSec VPN > VPN Connection Go to ZyWALL/USG MONITOR >...
  • Page 73: What Could Go Wrong?

    PC at Branch Office > Windows 7 > cmd > ping 192.168.1.33 What Could Go Wrong? If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1 Settings. Both ZyWALL/USGs, at the HQ and Branch sites, must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
  • Page 74 MONITOR > Log Make sure the security policies on both the HQ and Branch ZyWALL/USGs allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. NAT traversal is enabled by default on the ZyWALL/USG; make sure the remote IPSec device also has NAT traversal enabled.
  • Page 75: How to Configure Site-to-site IPSec VPN Where the Peer has a Dynamic IP Address

    How to Configure Site-to-site IPSec VPN Where the Peer has a Dynamic IP Address This example shows how to use the VPN Setup Wizard to create a site-to-site VPN where the peer has a dynamic IP address. The example shows how to configure the VPN tunnel at each site.
  • Page 76 (HQ) In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG. Click Next. Quick Setup > VPN Setup Wizard > Welcome Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and use a pre-shared key as the authentication method.
  • Page 77 Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site with Dynamic Peer. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Type a secure Pre-Shared Key (8-32 characters).
  • Page 78 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration) This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...
  • Page 79: Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch Has a Dynamic IP Address)

    Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show Advanced Settings. Configure Authentication > Peer ID Type as Any so that the ZyWALL/USG does not check the identity content of the remote IPSec router. CONFIGURATION >...
  • Page 80 (Branch has a Dynamic IP Address) In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a Site-to-site VPN Rule Name. Quick Setup > VPN Setup Wizard > Welcome Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and to use a pre-shared key.
  • Page 81 Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Configure Secure Gateway IP as the peer ZyWALL/USG's WAN IP address (in the example, 172.101.30.68).
  • Page 82 Set Local Policy to the ZyWALL/USG local IP address that can use the VPN tunnel and set Remote Policy to the peer ZyWALL/USG local IP address that can use the VPN tunnel. Click OK. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration) This screen provides a read-only summary of the VPN tunnel.
  • Page 83: Test the IPSec VPN Tunnel

    Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show Advanced Settings. Configure Authentication > Peer ID Type as Any so that the ZyWALL/USG does not check the identity content of the remote IPSec router. CONFIGURATION >...
  • Page 84 Connection, click Connect on the upper bar. The Status connect icon is lit when the interface is connected. CONFIGURATION > VPN > IPSec VPN > VPN Connection Go to MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and Inbound (Bytes)/Outbound (Bytes) traffic.
  • Page 85: What Could Go Wrong?

    What Could Go Wrong? If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1 Settings. Both ZyWALL/USGs, at the HQ and Branch sites, must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
  • Page 86 MONITOR > Log Make sure the security policies on both the HQ and Branch ZyWALL/USGs allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. NAT traversal is enabled by default on the ZyWALL/USG; make sure the remote IPSec device also has NAT traversal enabled.
  • Page 87: How To Configure Ipsec Site To Site Vpn While One Site Is Behind A Nat Router

    www.zyxel.com How to Configure IPSec Site to Site VPN while one Site is behind a NAT router This example shows how to use the VPN Setup Wizard to create a IPSec Site to Site VPN tunnel between ZyWALL/USG devices. The example instructs how to configure the VPN tunnel between each site while one Site is behind a NAT router.
  • Page 88 www.zyxel.com Network (HQ) In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard, use the VPN Settings wizard to create a VPN rule that can be used with the FortiGate. Click Next. Quick Setup > VPN Setup Wizard > Welcome Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and use a pre-shared key to be the authentication method.
  • Page 89 www.zyxel.com Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Configure Secure Gateway IP as the Branch’s WAN IP address (in the example, 172.100.30.40). Then, type a secure Pre-Shared Key (8-32 characters). Set Local Policy to be the IP address range of the network connected to the ZyWALL/USG (HQ) and Remote Policy to be the IP address range of the network connected to the ZyWALL/USG (Branch).
  • Page 90 www.zyxel.com Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.
  • Page 91: Set Up The Zywall/Usg Ipsec Vpn Tunnel Of Corporate Network (Branch)

    www.zyxel.com CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch) In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard, use the VPN Settings wizard to create a VPN rule that can be used with the FortiGate.
  • Page 92 www.zyxel.com Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and use a pre-shared key to be the authentication method. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters.
  • Page 93 www.zyxel.com Configure Secure Gateway IP as the Branch’s WAN IP address (in the example, 172.100.20.30). Then, type a secure Pre-Shared Key (8-32 characters). Set Local Policy to be the IP address range of the network connected to the ZyWALL/USG (HQ) and Remote Policy to be the IP address range of the network connected to the ZyWALL/USG (Branch).
  • Page 94 www.zyxel.com Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.
  • Page 95: Set Up The Nat Router (Using Zywall Usg Device In This Example)

    www.zyxel.com CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type Set Up the NAT Router (Using ZyWALL USG device in this example) Go to CONFIGURATION > Network > NAT > Add. Select the Incoming Interface on which packets for the NAT rule must be received.
  • Page 96 www.zyxel.com Defined Original IP field and Type the translated destination IP address that this NAT rule supports. CONFIGURATION > Network > NAT > Add Go to CONFIGURATION > Security Policy > Policy Control. IP forwarding must be enabled at the firewall for the following IP protocols and UDP ports: IP protocol = 50 →...
  • Page 97: Test The Ipsec Vpn Tunnel

    www.zyxel.com CONFIGURATION > Security Policy > Policy Control Test the IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection, click Connect on the upper bar. The Status connect icon is lit when the interface is connected.
  • Page 98: What Could Go Wrong

    www.zyxel.com To test whether or not a tunnel is working, ping from a computer at one site to a computer at the other. Ensure that both computers have Internet access (via the IPSec devices). PC behind ZyWALL/USG (HQ) > Window 7 > cmd > ping 192.168.20.33 PC behind ZyWALL/USG (Branch) >...
  • Page 99: How to Configure Hub-and-Spoke IPSec VPN

    If you see that the Phase 1 IKE SA process is done but you still get the [info] log message below, check the ZyWALL/USG Phase 2 Settings. Both ZyWALL/USG units at the HQ and Branch sites must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IKE SA. MONITOR >...
  • Page 100: Set Up the IPSec VPN Tunnel on the ZyWALL/USG by Using VPN Concentrator Hub_HQ-to-Branch_A

    With just two branch offices, you could manually set up VPN tunnels between HQ and the branches. With many branches it is best to use the VPN Concentrator to set up branch-HQ tunnels automatically. ZyWALL/USG Hub-and-Spoke VPN Example. Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks.
  • Page 101 Quick Setup > VPN Setup Wizard > Welcome. Choose Express to create a VPN rule with the default Phase 1 and Phase 2 settings and a pre-shared key as the authentication method. Click Next. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type. Type the Rule Name used to identify this VPN connection (and VPN gateway).
  • Page 102 Then configure the Secure Gateway IP as Branch A’s Gateway IP address (in the example, 172.16.20.1). Type a secure Pre-Shared Key (8-32 characters), which must match Branch A’s Pre-Shared Key. Set Local Policy to the IP address range of the network connected to the Hub_HQ and Remote Policy to the IP address range of the network connected to Branch A.
  • Page 103 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration). This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Summary). The rule is now configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...
  • Page 104: Hub_HQ-to-Branch_B

    Hub_HQ-to-Branch_B. In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG. Click Next. Quick Setup > VPN Setup Wizard > Welcome.
  • Page 105 Choose Express to create a VPN rule with the default Phase 1 and Phase 2 settings and a pre-shared key as the authentication method. Click Next. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type. Type the Rule Name used to identify this VPN connection (and VPN gateway).
  • Page 106 Then configure the Secure Gateway IP as Branch B’s Gateway IP address (in the example, 172.16.30.1). Type a secure Pre-Shared Key (8-32 characters), which must match Branch B’s Pre-Shared Key. Set Local Policy to the IP address range of the network connected to the Hub_HQ and Remote Policy to the IP address range of the network connected to Branch B.
  • Page 107 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration). This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Summary). The rule is now configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...
  • Page 108: Hub_HQ Concentrator

    Hub_HQ Concentrator. In the ZyWALL/USG, go to CONFIGURATION > VPN > IPSec VPN > Concentrator and add a VPN Concentrator rule. Select the VPN tunnels to be in the same member group and click Save.
  • Page 109: Spoke_Branch_A

    Spoke_Branch_A. In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG. Click Next. Quick Setup > VPN Setup Wizard > Welcome.
  • Page 110 Choose Express to create a VPN rule with the default Phase 1 and Phase 2 settings and a pre-shared key as the authentication method. Click Next. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type. Type the Rule Name used to identify this VPN connection (and VPN gateway).
  • Page 111 Then configure the Secure Gateway IP as the Hub_HQ’s Gateway IP address (in the example, 172.16.10.1). Type a secure Pre-Shared Key (8-32 characters), which must match the Hub_HQ’s Pre-Shared Key. Set Local Policy to the IP address range of the network connected to Spoke_Branch_A and Remote Policy to the IP address range of the network connected to the Hub_HQ.
  • Page 112 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration). This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Summary). The rule is now configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...
  • Page 113 Go to Network > Routing > Policy Route to add a Policy Route that allows traffic from Spoke_Branch_A to Spoke_Branch_B. Click Create new Object and set Address to the local network behind Spoke_Branch_B. Select Source Address to be the local network behind the
  • Page 114: Spoke_Branch_B

    Spoke_Branch_A. Then scroll down the Destination Address list to choose the newly created Spoke_Branch_B_LOCAL address. Click OK. Network > Routing > Policy Route. Spoke_Branch_B. In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG.
  • Page 115 Quick Setup > VPN Setup Wizard > Welcome. Choose Express to create a VPN rule with the default Phase 1 and Phase 2 settings and a pre-shared key as the authentication method. Click Next. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type. Type the Rule Name used to identify this VPN connection (and VPN gateway).
  • Page 116 Then configure the Secure Gateway IP as the Hub_HQ’s Gateway IP address (in the example, 172.16.10.1). Type a secure Pre-Shared Key (8-32 characters), which must match the Hub_HQ’s Pre-Shared Key. Set Local Policy to the IP address range of the network connected to Spoke_Branch_B and Remote Policy to the IP address range of the network connected to the Hub_HQ.
  • Page 117 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration). This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Summary). The rule is now configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...
  • Page 118 Go to Network > Routing > Policy Route to add a Policy Route that allows traffic from Spoke_Branch_B to Spoke_Branch_A. Click Create new Object and set Address to the local network behind Spoke_Branch_A. Select Source Address to be the local network behind the
  • Page 119: Test the IPSec VPN Tunnel

    Spoke_Branch_B. Then scroll down the Destination Address list to choose the newly created Spoke_Branch_A_LOCAL address. Click OK. Network > Routing > Policy Route. Test the IPSec VPN Tunnel.
  • Page 120 Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected. Hub_HQ > CONFIGURATION > VPN > IPSec VPN > VPN Connection. Spoke_Branch_A >...
  • Page 121 Hub_HQ > MONITOR > VPN Monitor > IPSec > Hub_HQ-to-Branch_B.
  • Page 122 Spoke_Branch_A > MONITOR > VPN Monitor > IPSec.
  • Page 123: What Could Go Wrong

    Spoke_Branch_B > MONITOR > VPN Monitor > IPSec. What Could Go Wrong? If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 Settings. All ZyWALL/USG units must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
  • Page 124 If you see that the Phase 1 IKE SA process is done but you still get an [info] log message as below, check the ZyWALL/USG and SonicWALL Phase 2 Settings. All ZyWALL/USG units must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IKE SA. Make sure that all ZyWALL/USG units’...
  • Page 125: Set Up the IPSec VPN Tunnel of ZyWALL/USG without Using VPN Concentrator Hub_HQ-to-Branch_A

    Set Up the IPSec VPN Tunnel of ZyWALL/USG without Using VPN Concentrator. Hub_HQ-to-Branch_A. Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and select Enable. Type the VPN Gateway Name used to identify this VPN gateway. Then configure the Secure Gateway IP as Branch A’s Gateway IP address (in the example, 172.16.20.1).
  • Page 126 Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select the Site-to-site scenario and the VPN Gateway configured in Step 1. CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway.
  • Page 127 Click Create new Object on the upper bar to add the address range of the local network behind Hub_HQ to Branch_B and an address of the local network behind Branch A. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object. Local Policy. Remote Policy. Set Local Policy to be HQ-to-Branch_B and Remote Policy to Branch_A, which are...
  • Page 128: Hub_HQ-to-Branch_B

    Hub_HQ-to-Branch_B. Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and select Enable. Type the VPN Gateway Name used to identify this VPN gateway. Then configure the Secure Gateway IP as Branch B’s Gateway IP address (in the example, 172.16.30.1).
  • Page 129 Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select the Site-to-site scenario and the VPN Gateway configured in Step 1. CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway.
  • Page 130 Click Create new Object on the upper bar to add the address range of the local network behind Hub_HQ to Branch_A and an address of the local network behind Branch B. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object. Local Policy. Remote Policy. Set Local Policy to be HQ-to-Branch_B and Remote Policy to Branch_B, which are...
  • Page 131: Spoke_Branch_A

    Spoke_Branch_A. Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and select Enable. Type the VPN Gateway Name used to identify this VPN gateway. Then configure the Secure Gateway IP as the Hub_HQ’s Gateway IP address (in the example, 172.16.10.1). Type a secure Pre-Shared Key (8-32 characters), which must match the Hub_HQ’s Pre-Shared Key, and click OK.
  • Page 132 Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select the Site-to-site scenario and the VPN Gateway configured in Step 1. CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway.
  • Page 133 Click Create new Object on the upper bar to add the address of the local network behind Branch A and the address range of the local network behind Hub_HQ to Branch_B. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object. Local Policy. Remote Policy. Set Local Policy to be Branch_A and Remote Policy to HQ-to-Branch_B, which are...
  • Page 134: Spoke_Branch_B

    Spoke_Branch_B. Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and select Enable. Type the VPN Gateway Name used to identify this VPN gateway. Then configure the Secure Gateway IP as the Hub_HQ’s Gateway IP address (in the example, 172.16.10.1). Type a secure Pre-Shared Key (8-32 characters), which must match the Hub_HQ’s Pre-Shared Key, and click OK.
  • Page 135 Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select the Site-to-site scenario and the VPN Gateway configured in Step 1. CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway.
  • Page 136 Click Create new Object on the upper bar to add the address of the local network behind Branch B and the address range of the local network behind Hub_HQ to Branch_A. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object. Local Policy. Remote Policy. Set Local Policy to be Branch_B and Remote Policy to HQ-to-Branch_A, which are...
  • Page 137: Test the IPSec VPN Tunnel

    Test the IPSec VPN Tunnel. Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected. Hub_HQ > CONFIGURATION > VPN > IPSec VPN > VPN Connection. Spoke_Branch_A >...
  • Page 138 Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and the Inbound(Bytes)/Outbound(Bytes) traffic. Click Connectivity Check to verify the result of the ICMP connectivity test. Hub_HQ > MONITOR > VPN Monitor > IPSec > Hub_HQ-to-Branch_A. Hub_HQ >...
  • Page 139 Spoke_Branch_A > MONITOR > VPN Monitor > IPSec. Spoke_Branch_B > MONITOR > VPN Monitor > IPSec.
  • Page 140: What Could Go Wrong

    What Could Go Wrong? If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 Settings. All ZyWALL/USG units must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
  • Page 141 If you see that the Phase 1 IKE SA process is done but you still get an [info] log message as below, check the ZyWALL/USG and SonicWALL Phase 2 Settings. All ZyWALL/USG units must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IKE SA. Make sure that all ZyWALL/USG units’...
  • Page 142: How to Use Dual-WAN to Perform Fail-Over on VPN Using the VPN Concentrator

    How to Use Dual-WAN to Perform Fail-Over on VPN Using the VPN Concentrator. This is an example of using Dual-WAN to perform fail-over on a hub-and-spoke VPN with the HQ ZyWALL/USG as the hub and spoke VPNs to Branches A and B. When the VPN tunnel is configured, traffic passes between branches via the hub (HQ).
  • Page 143: Set Up the IPSec VPN Tunnel on the ZyWALL/USG Hub_HQ-to-Branch_A

    Set Up the IPSec VPN Tunnel on the ZyWALL/USG. Hub_HQ-to-Branch_A. Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and select Enable. Type the VPN Gateway Name used to identify this VPN gateway. Then configure the Primary Gateway IP as Branch A’s wan1 IP address (in the example, 172.16.20.1) and the Secondary Gateway IP as Branch A’s wan2 IP address (in the example, 172.100.120.1).
  • Page 144 Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select the Site-to-site scenario and the VPN Gateway configured in Step 1. CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway.
  • Page 145 Click Create new Object to add the address of the local network behind Hub_HQ and an address of the local network behind Branch A. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object. Local Policy. Remote Policy. Set Local Policy to be Hub_HQ and Remote Policy to Branch_A, which are newly created.
  • Page 146: Hub_HQ-to-Branch_B

    Hub_HQ-to-Branch_B. Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and select Enable. Type the VPN Gateway Name used to identify this VPN gateway. Then configure the Primary Gateway IP as Branch B’s wan1 IP address (in the example, 172.16.30.1) and the Secondary Gateway IP as Branch B’s wan2 IP address (in the example, 172.100.130.1).
  • Page 147 Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection to enable the VPN Connection. Select the Site-to-site scenario and the VPN Gateway configured in Step 1. CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway.
  • Page 148 Click Create new Object to add an address of the local network behind Hub_HQ and an address of the local network behind Branch B. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object. Local Policy. Remote Policy. Set Local Policy to be Hub_HQ and Remote Policy to Branch_B, which are newly created.
  • Page 149: Hub_HQ Concentrator

    Hub_HQ Concentrator. In the ZyWALL/USG, go to CONFIGURATION > VPN > IPSec VPN > Concentrator and add a VPN Concentrator rule. Select the VPN tunnels to be in the same member group and click Save.
  • Page 150: Spoke_Branch_A

    Spoke_Branch_A. Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and select Enable. Type the VPN Gateway Name used to identify this VPN gateway. Then configure the Primary Gateway IP as the Hub_HQ’s wan1 IP address (in the example, 172.16.10.1) and the Secondary Gateway IP as the Hub_HQ’s wan2 IP address (in the example, 172.100.110.1).
  • Page 151 Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select the Site-to-site scenario and the VPN Gateway configured in Step 1. CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway.
  • Page 152 Click Create new Object to add the address of the local network behind Branch A and an address of the local network behind Hub_HQ. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object. Local Policy. Remote Policy. Set Local Policy to be Spoke_Branch_A_LOCAL and Remote Policy to Hub_HQ, which are newly created.
  • Page 153: Spoke_Branch_B

    Go to Network > Routing > Policy Route to add a Policy Route that allows traffic from Spoke_Branch_A to Spoke_Branch_B. Click Create new Object and set the address to the local network behind Spoke_Branch_B. Select Source Address to be the local network behind Spoke_Branch_A.
  • Page 154 address (in the example, 172.100.110.1). Select Fall back to Primary Peer Gateway when possible and set the desired Fall Back Check Interval. Type a secure Pre-Shared Key (8-32 characters), which must match the Hub_HQ’s Pre-Shared Key, and click OK. CONFIGURATION >...
  • Page 155 Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select the Site-to-site scenario and the VPN Gateway configured in Step 1. CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway. Click Create new Object to add the address of the local network behind Branch B and an address of the local network behind Hub_HQ.
  • Page 156 Set Local Policy to be Spoke_Branch_B_LOCAL and Remote Policy to Hub_HQ, which are newly created. Click OK. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Policy. Go to Network > Routing > Policy Route to add a Policy Route that allows traffic from Spoke_Branch_B to Spoke_Branch_A.
  • Page 157: Test the IPSec VPN Tunnel

    Test the IPSec VPN Tunnel. Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected. Hub_HQ > CONFIGURATION > VPN > IPSec VPN > VPN Connection. Spoke_Branch_A >...
  • Page 158 Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and the Inbound(Bytes)/Outbound(Bytes) traffic. Click Connectivity Check to verify the result of the ICMP connectivity test. Hub_HQ > MONITOR > VPN Monitor > IPSec > Hub_HQ-to-Branch_A. Hub_HQ >...
  • Page 159 Spoke_Branch_A > MONITOR > VPN Monitor > IPSec. Spoke_Branch_B > MONITOR > VPN Monitor > IPSec.
  • Page 160: What Could Go Wrong

    What Could Go Wrong? If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 Settings. All ZyWALL/USG units must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
  • Page 161: How to Configure IPSec VPN with ZyWALL IPSec VPN Client

    How to Configure IPSec VPN with ZyWALL IPSec VPN Client. This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and a ZyWALL IPSec VPN Client. The example shows how to configure the VPN tunnel at each site. When the VPN tunnel is configured, each site can be accessed securely.
  • Page 162: Set Up the ZyWALL/USG IPSec VPN Tunnel

    Set Up the ZyWALL/USG IPSec VPN Tunnel. In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings for Configuration Provisioning wizard to create a VPN rule that can be used with the ZyWALL IPSec VPN Client. Click Next. Quick Setup >...
  • Page 163 Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Click Next. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings-1. Type a secure Pre-Shared Key (8-32 characters).
  • Page 164 This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings-3. The rule is now configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...
  • Page 165 Go to CONFIGURATION > VPN > IPSec VPN > Configuration Provisioning. In the General Settings section, select Enable Configuration Provisioning. Then go to the Configuration section and click Add to bind a configured VPN Connection to an Allowed User. Click Activate and Apply to save the configuration. CONFIGURATION >...
  • Page 166: Set Up the ZyWALL IPSec VPN Client

    Set Up the ZyWALL IPSec VPN Client. Download the ZyWALL IPSec VPN Client software from the ZyXEL Download Library: http://www.zyxel.com/support/download_landing.shtml. Open the ZyWALL IPSec VPN Client and select CONFIGURATION > Get from Server. CONFIGURATION > Get from Server. Enter the WAN IP address or URL of the ZyWALL/USG in Gateway Address. If you changed the default HTTPS Port on the ZyWALL/USG, enter the new one here.
  • Page 167 CONFIGURATION > Get from Server > Step 1: Authentication. CONFIGURATION > Get from Server > Step 2: Processing.
  • Page 168 You will then see the Configuration successful page; click OK to exit the wizard. CONFIGURATION > Get from Server > Configuration successful.
  • Page 169: Test the IPSec VPN Tunnel

    Go to VPN Configuration > IKEv1, right-click WIZ_VPN_PROVISIONING and select Open tunnel. You will see Tunnel opened at the bottom right of the screen. VPN CONFIGURATION > IKE V1 > WIZ_VPN_PROVISIONING > Open tunnel. Test the IPSec VPN Tunnel. Go to ZyWALL/USG CONFIGURATION >...
  • Page 170 Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and the Inbound(Bytes)/Outbound(Bytes) traffic. MONITOR > VPN Monitor > IPSec. To test whether or not a tunnel is working, ping from a computer at one site to a computer at the other.
  • Page 171: What Can Go Wrong

    What Can Go Wrong? If you see an [info] log message such as the one below, make sure both the ZyWALL/USG and the ZyWALL IPSec VPN Client use the same Pre-Shared Key to establish the IKE SA. MONITOR > Log. If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 Settings.
  • Page 172 Make sure the HTTPS Port used by the IPSec VPN Client application is reachable. Make sure the To-ZyWALL security policies allow IPSec VPN traffic to the ZyWALL/USG. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50.
  • Page 173: How to Configure Site-to-site IPSec VPN with FortiGate

    How to Configure Site-to-site IPSec VPN with FortiGate. This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and a FortiGate router. The example shows how to configure the VPN tunnel at each site.
  • Page 174: Set Up the IPSec VPN Tunnel on the ZyWALL/USG

    Set Up the IPSec VPN Tunnel on the ZyWALL/USG. In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the FortiGate. Click Next. Quick Setup >...
  • Page 175 Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario). Configure Secure Gateway IP as the FortiGate’s WAN IP address (in the example, 172.100.30.40).
  • Page 176 This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary). The rule is now configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...
  • Page 177: Set Up the IPSec VPN Tunnel on the FortiGate

    Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show Advanced Settings. Configure Authentication > Peer ID Type as Any so that the ZyWALL/USG does not check the identity content of the remote IPSec router. CONFIGURATION >...
  • Page 178 Type the Name used to identify this VPN connection and configure Remote Gateway IP as the peer ZyWALL/USG’s WAN IP address. Select the Interface which is connected to the Internet. VPN > IPsec > Wizard > Custom VPN Tunnel (No Template) > Network. Go to the Authentication section, enter the Pre-shared Key and choose the same negotiation Mode as the peer ZyWALL/USG’s.
  • Page 179 Configure Phase 1 Proposal and Diffie-Hellman Group to match the peer ZyWALL/USG Advanced Settings’ Phase 1 Settings > Proposal and Key Group. VPN > IPsec > Wizard > Custom VPN Tunnel (No Template) > Phase 1 Proposal. Go to Phase 2 Selectors > Advanced and configure Phase 2 Proposal to match the peer ZyWALL/USG Advanced Settings’...
  • Page 181 This screen provides a summary of the VPN tunnel. Click OK to exit the configuration page. VPN > IPsec > Wizard > Custom VPN Tunnel (No Template).
  • Page 182: Test the IPSec VPN Tunnel

    Test the IPSec VPN Tunnel. Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected. CONFIGURATION > VPN > IPSec VPN > VPN Connection. Go to ZyWALL/USG MONITOR >...
  • Page 183: What Could Go Wrong

    PC behind FortiGate > Windows 7 > cmd > ping 192.168.1.33. What Could Go Wrong? If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1 Settings. Both the ZyWALL/USG and the FortiGate must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
  • Page 184 check the ZyWALL/USG and FortiGate Phase 2 Settings. Both the ZyWALL/USG and the FortiGate must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IKE SA. MONITOR > Log. Make sure that both the ZyWALL/USG and FortiGate security policies allow IPSec VPN traffic.
  • Page 185: How to Configure Site-to-site IPSec VPN with WatchGuard

    How to Configure Site-to-site IPSec VPN with WatchGuard. This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and a WatchGuard router. The example shows how to configure the VPN tunnel at each site. When the VPN tunnel is configured, each site can be accessed securely.
  • Page 186: Set Up the IPSec VPN Tunnel on the ZyWALL/USG

    Set Up the IPSec VPN Tunnel on the ZyWALL/USG. In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the WatchGuard. Click Next. Quick Setup >...
  • Page 187 Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario). Configure Secure Gateway IP as the WatchGuard’s WAN IP address (in the example, 172.100.30.63).
  • Page 188 This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary). The rule is now configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...
  • Page 189: Set Up the IPSec VPN Tunnel on the WatchGuard

    your ZyWALL/USG’s WAN IP Address (in the example, 172.101.30.73). Then configure Authentication > Remote ID Type as IPv4 and set the Content to your WatchGuard’s External IP Address (in the example, 172.100.30.63). Click OK. CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication >...
  • Page 190 In the WatchGuard, under VPN > Branch Office VPN > Gateway > General Settings, create a Site-to-site VPN Gateway Name and set a secure Pre-Shared Key. VPN > Branch Office VPN > Gateway > General Settings > Credential Method. To add a Gateway Endpoint, click Add. VPN >...
  • Page 192 Then go to VPN > Branch Office VPN > Gateway > Phase 1 Settings and select the same negotiation Mode as your ZyWALL/USG’s Phase 1 Settings. Make sure you enable both the NAT Traversal and Dead Peer Detection options if both options are enabled in the ZyWALL/USG.
  • Page 193 Then go to VPN > Branch Office VPN > Tunnel to add Tunnel Route Settings. In the Local IP section, set the Network IP to the IP address range of the network connected to the WatchGuard. In the Remote IP section, set the Network IP to the IP address range of the network connected to the ZyWALL/USG.
  • Page 194 Go to VPN > Branch Office VPN > Tunnel > Phase 2 Settings to create a Tunnel Name. Then select the Gateway. Make sure you enable Perfect Forward Secrecy and select Diffie-Hellman Group 2. Then scroll down to Phase 2 Proposals and add the encryption types to match your ZyWALL/USG’s VPN Connection >...
  • Page 195: Test the IPSec VPN Tunnel

    Test the IPSec VPN Tunnel. Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected. CONFIGURATION > VPN > IPSec VPN > VPN Connection. Go to ZyWALL/USG MONITOR >...
  • Page 196: What Could Go Wrong

    PC behind ZyWALL/USG > Windows 7 > cmd > ping 192.168.10.33. PC behind WatchGuard > Windows 7 > cmd > ping 192.168.1.33. What Could Go Wrong? If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1 Settings.
  • Page 197 check the ZyWALL/USG and WatchGuard Phase 2 Settings. Both the ZyWALL/USG and the WatchGuard must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IKE SA. MONITOR > Log. Make sure that both the ZyWALL/USG and WatchGuard security policies allow IPSec VPN traffic.
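  The same checklist recurs in every "What Could Go Wrong" section above (Phase 1: Pre-Shared Key, Encryption, Authentication method, DH key group, ID Type; Phase 2: Protocol, Encapsulation, Encryption, Authentication method, PFS) together with the port list on page 172 (IKE on UDP 500, AH as IP protocol 51, ESP as IP protocol 50). The following script consolidates those rules into one pre-flight comparison of the two tunnel ends. It is an added example, not ZyXEL code and not a feature of the ZyWALL/USG: the `PeerConfig` type, its field names and the HQ/Branch sample values are constructed for illustration, and UDP 4500 for IKE NAT-Traversal is an addition beyond the page's list, applied only when NAT Traversal is in use.

```python
"""Consistency check for the two ends of a ZyWALL/USG-style IPSec tunnel.

Added example; not ZyXEL's code. It encodes the handbook's troubleshooting
rules as data: Phase 1 needs matching Pre-Shared Key, Encryption,
Authentication method, DH key group and ID Type; Phase 2 needs matching
Protocol, Encapsulation, Encryption, Authentication method and PFS; and the
security policy in front of each peer must pass IKE (UDP 500), ESP (IP
protocol 50) and AH (IP protocol 51). UDP 4500 (IKE NAT-Traversal) is an
addition for the NAT-Traversal case and is only required when that is on.
"""
import hmac
from dataclasses import dataclass, field

PHASE1_FIELDS = ("encryption", "authentication", "dh_group", "id_type")
PHASE2_FIELDS = ("protocol", "encapsulation", "encryption", "authentication", "pfs")

# (kind, number) -> service name; kind is "udp" for a UDP port, "ip" for an IP protocol
REQUIRED_PASSTHROUGH = {
    ("udp", 500): "IKE",
    ("ip", 50): "ESP",
    ("ip", 51): "AH",
}
NAT_T_PASSTHROUGH = {("udp", 4500): "IKE NAT-Traversal"}


@dataclass
class PeerConfig:
    """One tunnel end; a constructed model, not the device's own data format."""
    name: str
    psk: str
    phase1: dict
    phase2: dict
    # services the security policy in front of this peer lets through
    allowed: set = field(default_factory=set)


def psk_problems(peer):
    """The wizard accepts 8-32 characters; anything else is rejected on entry."""
    n = len(peer.psk)
    return [] if 8 <= n <= 32 else [f"{peer.name}: pre-shared key length {n} not in 8-32"]


def phase1_mismatches(a, b):
    """Fields that would stop the IKE SA (Phase 1) from being established."""
    problems = []
    # constant-time compare: the key is a secret even inside a diagnostic tool
    if not hmac.compare_digest(a.psk.encode(), b.psk.encode()):
        problems.append("psk")
    problems += [f for f in PHASE1_FIELDS if a.phase1.get(f) != b.phase1.get(f)]
    return problems


def phase2_mismatches(a, b):
    """Fields that would stop Phase 2 from completing after Phase 1 succeeds."""
    return [f for f in PHASE2_FIELDS if a.phase2.get(f) != b.phase2.get(f)]


def blocked_services(peer, nat_traversal=False):
    """Required IPSec services that the peer's security policy does not allow."""
    required = dict(REQUIRED_PASSTHROUGH)
    if nat_traversal:
        required.update(NAT_T_PASSTHROUGH)
    return sorted(svc for key, svc in required.items() if key not in peer.allowed)


def diagnose(a, b, nat_traversal=False):
    """Map each check stage to its findings, in the order an operator would
    work through them when the VPN Monitor shows no tunnel."""
    return {
        "psk": psk_problems(a) + psk_problems(b),
        "phase1": phase1_mismatches(a, b),
        "phase2": phase2_mismatches(a, b),
        "policy": [f"{p.name}: {svc} blocked" for p in (a, b)
                   for svc in blocked_services(p, nat_traversal)],
    }


# Constructed sample: HQ and Branch as in the hub-and-spoke example above,
# with deliberate discrepancies on the Branch side (DH group, PFS, ESP policy).
HQ = PeerConfig(
    name="Hub_HQ", psk="examplekey12345",
    phase1={"encryption": "aes128", "authentication": "sha1", "dh_group": 2, "id_type": "ip"},
    phase2={"protocol": "esp", "encapsulation": "tunnel", "encryption": "aes128",
            "authentication": "sha1", "pfs": "dh2"},
    allowed={("udp", 500), ("udp", 4500), ("ip", 50), ("ip", 51)},
)
BRANCH = PeerConfig(
    name="Spoke_Branch_A", psk="examplekey12345",
    phase1={"encryption": "aes128", "authentication": "sha1", "dh_group": 5, "id_type": "ip"},
    phase2={"protocol": "esp", "encapsulation": "tunnel", "encryption": "aes128",
            "authentication": "sha1", "pfs": "none"},
    allowed={("udp", 500), ("ip", 51)},  # ESP (IP protocol 50) not permitted
)

if __name__ == "__main__":
    for stage, findings in diagnose(HQ, BRANCH).items():
        print(f"{stage}: {findings or 'ok'}")
```

  Running it on the sample reports the DH group under phase1, PFS under phase2 and the missing ESP rule under policy, which is the order the handbook's log messages surface them: a Phase 1 mismatch produces the IKE SA [info]/[error] entries, a Phase 2 mismatch appears only after Phase 1 completes, and a security-policy gap shows a tunnel that never passes traffic.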
  • Page 198: How to Configure Site-to-site IPSec VPN with Cisco

    How to Configure Site-to-site IPSec VPN with Cisco. This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and a Cisco router. The example shows how to configure the VPN tunnel at each site. When the VPN tunnel is configured, each site can be accessed securely.
  • Page 199: Set Up The Ipsec Vpn Tunnel On The Zywall/Usg

    www.zyxel.com Set Up the IPSec VPN Tunnel on the ZyWALL/USG In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard, use the VPN Settings wizard to create a VPN rule that can be used with the Cisco. Click Next. Quick Setup >...
  • Page 200 www.zyxel.com Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Then, configure the Secure Gateway IP as the Cisco’s Gateway IP address (in the example, 172.100.30.80);...
  • Page 201 www.zyxel.com Continue to Phase 2 Settings to select the desired Encapsulation, Encryption, Authentication, and Perfect Forward Secrecy (PFS) settings. Set Local Policy to be the IP address range of the network connected to the ZyWALL/USG and Remote Policy to be the IP address range of the network connected to the Cisco.
  • Page 202 www.zyxel.com This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) 202/782...
  • Page 203 www.zyxel.com Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard. Quick Setup >...
  • Page 204: Set Up The Ipsec Vpn Tunnel On The Cisco

    www.zyxel.com Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show Advanced Settings. Configure Authentication > Peer ID Type as Any to let ZyWALL/USG does not require to check the identity content of the remote IPSec router. CONFIGURATION >...
  • Page 205 www.zyxel.com Go to VPN > Site-to-site > IKE Policies, click Add to create a new IKE Policy Name. Then, select Encryption, Hash, Pre-shared Key and D-H Group to match your ZyWALL/USG’s VPN Gateway > Phase 1 Settings. Set Lifetime to 24 hours and click OK then click Save to exit the IKE Policies page.
  • Page 206 www.zyxel.com Go to VPN > Site-to-site > Transform Sets, click Add to create a new Transform Set name. Then, select Integrity and Encryption to match your ZyWALL/USG’s VPN Connection > Phase 2 Settings. Click OK and click Save to exit the Transform Sets page.
  • Page 207 www.zyxel.com address range of the network connected to the ZyWALL/USG (Address Object created in Step 1) VPN > Site-to-site > IPsec Policies > Basic Settings Then, go to Advanced Settings enable PFS and DPD if you enable both options in the ZyWALL/USG.
  • Page 208 www.zyxel.com 208/782...
  • Page 209: Test The Ipsec Vpn Tunnel

    www.zyxel.com Test the IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection, click Connect on the upper bar. The Status connect icon is lit when the interface is connected. CONFIGURATION > VPN > IPSec VPN > VPN Connection Go to ZyWALL/USG MONITOR >...
  • Page 210 www.zyxel.com To test whether a tunnel is working, ping from a computer at one site to a computer at the other. Ensure that both computers have Internet access (via the IPSec devices). PC behind ZyWALL/USG > Window 7 > cmd > ping 192.168.75.33 PC behind Cisco>...
  • Page 211: What Could Go Wrong

    www.zyxel.com What Could Go Wrong? If you see below [info] or [error] log message, please check ZyWALL/USG Phase 1 Settings. Both ZyWALL/USG and Cisco must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
  • Page 212: How To Configure Site-To-Site Ipsec Vpn With A Sonicwall Router

    How to Configure Site-to-site IPSec VPN with a SonicWALL router This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and a SonicWALL router. The example shows how to configure the VPN tunnel at each site. When the VPN tunnel is configured, each site can be accessed securely.
  • Page 213: Set Up The Ipsec Vpn Tunnel On The Zywall/Usg

    Set Up the IPSec VPN Tunnel on the ZyWALL/USG In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the SonicWALL. Click Next. Quick Setup >...
  • Page 214 Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Then, configure the Secure Gateway IP as the SonicWALL’s Gateway IP address (in the example, 172.100.20.23);...
  • Page 215 Continue to Phase 2 Settings to select the desired Encapsulation, Encryption, Authentication, and SA Life Time settings. Set Local Policy to the IP address range of the network connected to the ZyWALL/USG and Remote Policy to the IP address range of the network connected to the SonicWALL.
  • Page 216 This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)
  • Page 217 Note: The Phase 1 and Phase 2 settings established here must match the Phase 1 and Phase 2 settings configured later in the SonicWALL.
  • Page 218 Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard. Quick Setup >...
  • Page 219 Go to VPN Gateway > Show Advanced Settings > Authentication and configure your Local ID Type and Peer ID Type to match your SonicWALL’s VPN > Settings > VPN Policies > General > IKE Authentication > Local IKE ID and Peer IKE ID. VPN Gateway >...
  • Page 220: Set Up The Ipsec Vpn Tunnel On The Sonicwall

    Set Up the IPSec VPN Tunnel on the SonicWALL In the SonicWALL VPN > Settings > VPN Policies, click Add to create a new VPN policy. Select Policy Type to be Site to Site and select Authentication Method to
  • Page 221 be IKE using Preshared Secret. Type the ZyWALL/USG's WAN IP Address as the IPsec Primary Gateway Name or Address (in the example, 172.10.120.11). In the IKE Authentication section, set the Shared Secret to the same value as your ZyWALL/USG’s Pre-Shared Key.
  • Page 222 Go to Remote Network and create a new Address Object for the IP address range of the network connected to the ZyWALL/USG. Then, scroll down the list and choose the newly created Address Object as the Remote Network. VPN > Settings > VPN Policies > Network
  • Page 223 In the SonicWALL, go to VPN > Settings > VPN Policies > Proposals > IKE (Phase 1) Proposal and set Exchange, DH Group, Encryption and Authentication to match your ZyWALL/USG’s VPN Gateway > Show Advanced Settings > Phase 1 Settings. Go to IKE (Phase 2) Proposal and set the Protocol, Encryption and Authentication to match your ZyWALL/USG’s VPN Connection >...
  • Page 224: Test The Ipsec Vpn Tunnel

    Test the IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected. CONFIGURATION > VPN > IPSec VPN > VPN Connection Go to ZyWALL/USG MONITOR >...
  • Page 225 Go to SonicWALL VPN > VPN Settings > VPN Policies; the green status light is on. VPN > VPN Settings > VPN Policies Go to SonicWALL VPN > VPN Settings > Currently Active VPN Tunnels > VPN Tunnel Statistics to check the Tunnel valid time, Bytes In (Incoming Data) and Bytes Out (Outgoing Data).
  • Page 226: What Could Go Wrong

    PC behind SonicWALL > Windows 7 > cmd > ping 192.168.1.33 What Could Go Wrong? If you see the [info] or [error] log message below, please check the ZyWALL/USG Phase 1 Settings. Both ZyWALL/USG and SonicWALL must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
  • Page 227 If you see that the Phase 1 IKE SA process is done but still get the [info] log message below, please check the ZyWALL/USG and SonicWALL Phase 2 Settings. Both ZyWALL/USG and SonicWALL must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IPSec SA. MONITOR >...
  • Page 229: How To Configure Ipsec Vpn Failover

    How to Configure IPSec VPN Failover This example shows how to use the VPN Setup Wizard to create a site-to-site VPN with failover. The example shows how to configure the VPN tunnel between two sites when one site has multiple WAN interfaces. When multi-WAN VPN failover is configured, IPSec VPN tunnels automatically fail over to a backup WAN interface if the primary WAN interface becomes unavailable.
  • Page 230: Set Up The Zywall/Usg Ipsec Vpn Tunnel Of Corporate Network (Hq)

    Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ) In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG. Click Next.
  • Page 231 Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Configure Secure Gateway IP as the peer ZyWALL/USG’s WAN IP address (in the example, 172.100.30.54).
  • Page 232 This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...
  • Page 233: Set Up The Zywall/Usg Ipsec Vpn Tunnel Of Corporate Network (Branch)

    Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not check the identity of the remote IPSec router.
  • Page 234 In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG. Click Next. Quick Setup > VPN Setup Wizard > Welcome Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and to use a pre-shared key.
  • Page 235 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Configure Secure Gateway IP as the peer ZyWALL/USG’s WAN IP address (in the example, 172.101.30.68). Type a secure Pre-Shared Key (8-32 characters). Set Local Policy to the IP address range of the network connected to the ZyWALL/USG and Remote Policy to the IP address range of the network connected to the peer ZyWALL/USG.
  • Page 236 This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...
  • Page 237 CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type Go to Configuration > VPN > IPSec VPN > VPN Gateway > Gateway Settings. Set My Address to Domain Name/IP “0.0.0.0” (the ZyWALL/USG will then dial up from whichever WAN interface is active).
  • Page 238: Set Up The Wan Trunk (Zywall/Usg_Hq)

    Set up the WAN Trunk (ZyWALL/USG_HQ) Go to CONFIGURATION > Interface > Trunk > User Configuration > Add. Add wan1 and wan2 as trunk Members and set the wan2 Mode to Passive. CONFIGURATION > Interface > Trunk > User Configuration > Add Go to CONFIGURATION >...
  • Page 239: Set Up The Failover Command Line (Zywall/Usg Hq)

    Set up the Failover Command Line (ZyWALL/USG HQ) Go to CONFIGURATION > Security Policy > Policy Control and add a To ZyWALL rule that allows the SSH service; restrict its source to the management hosts that need it rather than any address. CONFIGURATION > Security Policy > Policy Control > Add corresponding...
  • Page 240: Test The Ipsec Vpn Tunnel

    If the Security Policy is created but you still cannot access the ZyWALL, go to CONFIGURATION > System > SSH and check that the General Settings are enabled and that the Service Port is correct and matches the one in your terminal program. Then, check that the Service Control Action is Accept.
  • Page 241 Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and Inbound(Bytes)/Outbound(Bytes) Traffic. MONITOR > VPN Monitor > IPSec Go to ZyWALL/USG_Branch MONITOR > Log. Try to disconnect the WAN1 interface (172.101.30.68) and you will see the VPN tunnel fail over to the WAN2 interface (172.100.20.78).
  • Page 242: What Could Go Wrong

    What Could Go Wrong? If you see the [info] or [error] log message below, please check the ZyWALL/USG Phase 1 Settings. Both ZyWALL/USG units at the HQ and Branch sites must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
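The "What Could Go Wrong?" pages of the WatchGuard, Cisco, SonicWALL and failover walkthroughs above all reduce to the same rule: Phase 1 completes only when both peers offer the same pre-shared key, encryption, authentication and DH group and their ID settings are compatible, and Phase 2 completes only when protocol, encapsulation, encryption, authentication and PFS agree and each side's Local Policy is the other side's Remote Policy. The following Python pre-flight check is an added example, not ZyXEL, WatchGuard, Cisco or SonicWALL code. It compares two peer configurations written out by hand, reports every mismatch that would stop the IKE SA or the IPsec SA, and separately flags settings the handbook uses that still negotiate but are legacy or weaken authentication (DH Group 2, Peer ID Type Any). The field names, the Peer class and the two peer configurations are assumptions for illustration; the subnets and key only mirror the WatchGuard walkthrough.

```python
"""Pre-flight check for a site-to-site IPsec tunnel between two peers.

Added example for this section of the handbook, not ZyXEL, WatchGuard,
Cisco or SonicWALL code. The field names, the Peer class and the peer
settings below are constructed for illustration; nothing talks to a device.
"""
from dataclasses import dataclass
from typing import Dict, List

# Phase 1 (IKE SA): both peers must agree on these.
PHASE1_FIELDS = ("encryption", "authentication", "dh_group")
# Phase 2 (IPsec SA): both peers must agree on these.
PHASE2_FIELDS = ("protocol", "encapsulation", "encryption", "authentication", "pfs")
# Choices that still negotiate but that a review should flag.
LEGACY = {
    "encryption": {"des", "3des"},
    "authentication": {"md5"},
    "dh_group": {"1", "2", "5"},
    "pfs": {"1", "2", "5"},
}


@dataclass
class Peer:
    name: str
    psk: str
    local_id_type: str        # how this peer identifies itself (ip, dns, email, ...)
    peer_id_type: str         # what it requires from the other side; "any" skips the check
    phase1: Dict[str, str]
    phase2: Dict[str, str]
    local_policy: str         # network behind this peer
    remote_policy: str        # network it expects behind the other peer


def _norm(value) -> str:
    return str(value or "").strip().lower()


def compare_peers(a: Peer, b: Peer) -> List[str]:
    """Return every mismatch that would stop the IKE SA or the IPsec SA."""
    findings = []
    if a.psk != b.psk:                 # the key is secret, so report only that it differs
        findings.append("phase1 pre-shared key differs")
    for f in PHASE1_FIELDS:
        if _norm(a.phase1.get(f)) != _norm(b.phase1.get(f)):
            findings.append(f"phase1 {f}: {a.name}={a.phase1.get(f)} {b.name}={b.phase1.get(f)}")
    # ID checking is directional: what one side sends must be what the other
    # expects, unless the receiver is set to Any (the handbook's Peer ID Type = Any).
    for sender, receiver in ((a, b), (b, a)):
        expected = _norm(receiver.peer_id_type)
        if expected != "any" and _norm(sender.local_id_type) != expected:
            findings.append(f"phase1 id type: {sender.name} sends {sender.local_id_type}, "
                            f"{receiver.name} expects {receiver.peer_id_type}")
    for f in PHASE2_FIELDS:
        if _norm(a.phase2.get(f)) != _norm(b.phase2.get(f)):
            findings.append(f"phase2 {f}: {a.name}={a.phase2.get(f)} {b.name}={b.phase2.get(f)}")
    # Each side's Local Policy must be the other side's Remote Policy.
    for x, y in ((a, b), (b, a)):
        if x.local_policy != y.remote_policy:
            findings.append(f"policy: {x.name} local {x.local_policy} is not {y.name} remote {y.remote_policy}")
    return findings


def review_peer(p: Peer) -> List[str]:
    """Warnings that do not break the tunnel but weaken it."""
    out = []
    if not 8 <= len(p.psk) <= 32:      # the wizard's stated range
        out.append(f"{p.name}: pre-shared key length {len(p.psk)} outside 8-32")
    for phase, settings in (("phase1", p.phase1), ("phase2", p.phase2)):
        for f, bad in LEGACY.items():
            if _norm(settings.get(f)) in bad:
                out.append(f"{p.name} {phase} {f}={settings[f]} is a legacy choice")
    if _norm(p.peer_id_type) == "any":
        out.append(f"{p.name}: Peer ID Type Any, so the pre-shared key alone authenticates the peer")
    return out


# Constructed settings following the WatchGuard walkthrough (assumed values).
ZYWALL = Peer("ZyWALL/USG", "zyx12345", "ip", "any",
              {"encryption": "aes128", "authentication": "sha1", "dh_group": "2"},
              {"protocol": "esp", "encapsulation": "tunnel", "encryption": "aes128",
               "authentication": "sha1", "pfs": "2"},
              "192.168.1.0/24", "192.168.10.0/24")
WATCHGUARD = Peer("WatchGuard", "zyx12345", "ip", "ip",
                  {"encryption": "aes128", "authentication": "sha1", "dh_group": "2"},
                  {"protocol": "esp", "encapsulation": "tunnel", "encryption": "aes256",
                   "authentication": "sha1", "pfs": "2"},
                  "192.168.10.0/24", "192.168.1.0/24")
# The same WatchGuard after its Phase 2 encryption is changed to match.
WATCHGUARD_FIXED = Peer("WatchGuard", "zyx12345", "ip", "ip", dict(WATCHGUARD.phase1),
                        {**WATCHGUARD.phase2, "encryption": "aes128"},
                        "192.168.10.0/24", "192.168.1.0/24")

if __name__ == "__main__":
    for line in compare_peers(ZYWALL, WATCHGUARD) + review_peer(ZYWALL):
        print(line)
```

Run as a script it prints the one Phase 2 mismatch between the two constructed peers (aes128 against aes256) followed by the ZyWALL side's review warnings. The ID check is deliberately directional: a peer set to Any accepts whatever ID the other side sends, which is why the handbook's Any setting removes a mismatch but also removes an authentication check.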
  • Page 244: How To Configure L2Tp Over Ipsec Vpn While The Zywall/Usg Is Behind A Nat Router

    How to Configure L2TP over IPSec VPN while the ZyWALL/USG is behind a NAT router This example shows how to use the VPN Setup Wizard to create an L2TP over IPSec VPN tunnel to a ZyWALL/USG. The example shows how to configure the VPN tunnel while the ZyWALL/USG is behind a NAT router.
  • Page 245: Set Up The L2Tp Vpn Tunnel On The Zywall/Usg_Hq

    Set Up the L2TP VPN Tunnel on the ZyWALL/USG_HQ In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings for L2TP VPN Settings wizard to create an L2TP VPN rule that can be used with remote mobile devices.
  • Page 246 Assign the remote users an IP address range from 192.168.10.10 to 192.168.10.20 for use in the L2TP VPN tunnel and check Allow L2TP traffic Through WAN to allow traffic from L2TP clients to go to the Internet. Click Next. Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (L2TP VPN Settings) This screen provides a read-only summary of the VPN tunnel.
  • Page 247 Now the rule is configured on the ZyWALL/USG. The rule settings appear in the VPN > L2TP VPN screen. Click Close to exit the wizard. Quick Setup > VPN Setup Wizard > Welcome > VPN Settings > Wizard Completed Go to CONFIGURATION >...
  • Page 248 Go to CONFIGURATION > VPN Connection > Policy > Local Policy and set it to the NAT router’s WAN IP address (in the example, 172.100.20.30). CONFIGURATION > VPN Connection > Policy > Local Policy
  • Page 249: Set Up The Nat Router (Using Zywall Usg Device In This Example)

    Go to CONFIGURATION > VPN > L2TP VPN > Create new Object > User to add a User Name and Password (4-24 characters). Then, set Allowed User to the newly created object (L2TP_Remote_Users/zyx168 in this example). CONFIGURATION > VPN > L2TP VPN > Create new Object > User Set Up the NAT Router (Using ZyWALL USG device in this example) Go to CONFIGURATION >...
  • Page 250 CONFIGURATION > Network > NAT > Add Go to CONFIGURATION > Object > Address > Add and create an address object for the ZyWALL/USG_HQ’s WAN IP address (in the example, 192.168.1.33). CONFIGURATION > Object > Address Go to CONFIGURATION > Object > Service > Service Group and create a service group for the following UDP ports: UDP Port Number = 1701 →...
  • Page 251 CONFIGURATION > Service > Service Group Go to CONFIGURATION > Security Policy > Policy Control and add the corresponding rule to allow the L2TP services. CONFIGURATION > Security Policy > Policy Control
  • Page 252: Test The L2Tp Over Ipsec Vpn Tunnel

    Test the L2TP over IPSec VPN Tunnel Use a smartphone or a PC to establish an L2TP VPN connection to the ZyWALL/USG. Configure the NAT router's public IP address as the L2TP server address on the client. In this example an iOS device is used to test the result: To configure L2TP VPN on an iOS 8.4 device, go to Menu >...
  • Page 253 After you create a VPN configuration, slide the button right to the on position to initiate the L2TP VPN session. Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected.
  • Page 254 Go to ZyWALL/USG MONITOR > VPN Monitor > L2TP over IPSec and verify the Current L2TP Session. MONITOR > VPN Monitor > L2TP over IPSec > L2TP_Remote_Users Go to the iOS mobile device Menu > Settings > VPN > ZyXEL_L2TP and verify the Assigned IP Address and Connect Time.
  • Page 255: What Could Go Wrong

    Menu > Settings > VPN > ZyXEL_L2TP What Could Go Wrong? If you see an [alert] log message such as the one below, please check the ZyWALL/USG L2TP Allowed User or User/Group Settings. iOS mobile users must use the same Username and Password as configured in the ZyWALL/USG to establish the L2TP VPN.
  • Page 256 If you see an [info] or [error] log message such as the one below, please check the ZyWALL/USG Phase 1 Settings. iOS mobile users must use the same Secret as configured in the ZyWALL/USG to establish the IKE SA. If you see that the Phase 1 IKE SA process has completed but still get an [info] log message such as the one below, please check the ZyWALL/USG Phase 2 Settings.
  • Page 257: How To Configure L2Tp Vpn With Android 5.0 Mobile Devices

    How to Configure L2TP VPN with Android 5.0 Mobile Devices This example shows how to use the VPN Setup Wizard to create an L2TP VPN between a ZyWALL/USG and an Android 5.0 Mobile Device. The example shows how to configure the VPN tunnel at each end. When the VPN tunnel is configured, the network can be accessed securely and traffic from L2TP clients can be allowed to go to the Internet.
  • Page 258: Set Up The L2Tp Vpn Tunnel On The Zywall/Usg

    Set Up the L2TP VPN Tunnel on the ZyWALL/USG In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings for L2TP VPN Settings wizard to create an L2TP VPN rule that can be used with the remote Android Mobile Devices.
  • Page 259 Quick Setup > VPN Setup Wizard > Welcome > VPN Settings Assign the remote users an IP address range from 192.168.10.10 to 192.168.10.20 for use in the L2TP VPN tunnel and check Allow L2TP traffic Through WAN to allow traffic from L2TP clients to go to the Internet. Click Next. Quick Setup >...
  • Page 260 Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The rule settings appear in the VPN > L2TP VPN screen. Click Close to exit the wizard. Quick Setup > VPN Setup Wizard > Welcome > VPN Settings > Wizard Completed Go to CONFIGURATION >...
  • Page 261 CONFIGURATION > VPN > L2TP VPN > Create new Object > User If some of the traffic from the L2TP clients needs to go to the Internet, create a policy route to send traffic from the L2TP tunnels out through a WAN trunk. Set Incoming to Tunnel and select your L2TP VPN connection.
  • Page 262: Set Up The L2Tp Vpn Tunnel On The Android Device

    CONFIGURATION > Network > Routing > Policy Route Set Up the L2TP VPN Tunnel on the Android Device To configure L2TP VPN on an Android device, go to Menu > Settings > Wireless & Networks > VPN settings > Add VPN > Add L2TP/IPSec PSK VPN and configure as follows.
  • Page 263 Set VPN server to the ZyWALL/USG’s WAN IP address. Set IPSec pre-shared key to the pre-shared key of the IPSec VPN gateway the ZyWALL/USG uses for L2TP VPN over IPSec (zyx12345 in this example).
  • Page 264 Leave Enable L2TP secret disabled (the default). If you need to use the internal DNS servers once the connection is made, turn on DNS search domains and enter the DNS server address here. Click Save. Click the VPN rule ZyXEL_L2TP to begin the VPN connection.
  • Page 265: Test The L2Tp Over Ipsec Vpn Tunnel

    When dialing the L2TP VPN, the user has to enter a Username/Password. They are the same as the Allowed User created in the ZyWALL/USG (L2TP_Remote_Users/zyx168 in this example). Test the L2TP over IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the interface is connected.
  • Page 266 Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and the Inbound(Bytes)/Outbound(Bytes) traffic. Click Connectivity Check to verify the result of the ICMP Connectivity check. Hub_HQ > MONITOR > VPN Monitor > WIZ_L2TP_VPN Go to ZyWALL/USG MONITOR > VPN Monitor > L2TP over IPSec and verify the Current L2TP Session.
  • Page 267: What Could Go Wrong

    Go to the Android mobile device Menu > Settings > Wireless & Networks > VPN and verify the connection status. Menu > Settings > Wireless & Networks > VPN What Could Go Wrong? If you see an [alert] log message such as the one below, please check the ZyWALL/USG L2TP Allowed User or User/Group Settings.
  • Page 268 If you see that the Phase 1 IKE SA process has completed but still get an [info] log message such as the one below, please check the ZyWALL/USG Phase 2 Settings. The ZyWALL/USG unit must have the correct Local Policy to establish the IPSec SA. Ensure that the L2TP Address Pool does not conflict with any existing LAN1, LAN2, DMZ, or WLAN zones, even if they are not in use.
  • Page 269: How To Configure L2Tp Vpn With Ios 8.4 Mobile Devices

    How to Configure L2TP VPN with iOS 8.4 Mobile Devices This example shows how to use the VPN Setup Wizard to create an L2TP VPN between a ZyWALL/USG and an iOS 8.4 Mobile Device. The example shows how to configure the VPN tunnel at each end. When the VPN tunnel is configured, the network can be accessed securely and traffic from L2TP clients can be allowed to go to the Internet.
  • Page 270 Then, configure the Rule Name and set My Address to the wan1 interface which is connected to the Internet. Type a secure Pre-Shared Key (8-32 characters). Quick Setup > VPN Setup Wizard > Welcome > VPN Settings Assign the remote users an IP address range from 192.168.100.10 to 192.168.100.20 for use in the L2TP VPN tunnel and check Allow L2TP traffic Through WAN to allow traffic from L2TP clients to go to the Internet.
  • Page 271 Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (L2TP VPN Settings) This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The rule settings appear in the VPN >...
  • Page 272 Go to CONFIGURATION > VPN > L2TP VPN > Create new Object > User to add a User Name and Password (4-24 characters). Then, set Allowed User to the newly created object (L2TP_Remote_Users/zyx168 in this example).
  • Page 273 CONFIGURATION > VPN > L2TP VPN > Create new Object > User If some of the traffic from the L2TP clients needs to go to the Internet, create a policy route to send traffic from the L2TP tunnels out through a WAN trunk. Set Incoming to Tunnel and select your L2TP VPN connection.
  • Page 274 CONFIGURATION > Network > Routing > Policy Route
  • Page 275: Set Up The L2Tp Vpn Tunnel On The Ios Device

    Set Up the L2TP VPN Tunnel on the iOS Device To configure L2TP VPN on an iOS 8.4 device, go to Menu > Settings > VPN > Add VPN Configuration and configure as follows. Description is for you to identify the VPN configuration. Set Server to the ZyWALL/USG’s WAN IP address (172.124.163.150 in this example).
  • Page 276: Test The L2Tp Over Ipsec Vpn Tunnel

    After you create a VPN configuration, slide the button right to the on position to initiate the L2TP VPN session. Test the L2TP over IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the interface is connected.
  • Page 277 Hub_HQ > MONITOR > VPN Monitor > IPSec > WIZ_L2TP_VPN Go to ZyWALL/USG MONITOR > VPN Monitor > L2TP over IPSec and verify the Current L2TP Session. MONITOR > VPN Monitor > L2TP over IPSec > L2TP_Remote_Users
  • Page 278 Go to the iOS mobile device Menu > Settings > VPN > ZyXEL_L2TP and verify the Assigned IP Address and Connect Time. Menu > Settings > VPN > ZyXEL_L2TP
  • Page 279: What Could Go Wrong

    What Could Go Wrong? If you see an [alert] log message such as the one below, please check the ZyWALL/USG L2TP Allowed User or User/Group Settings. iOS mobile users must use the same Username and Password as configured in the ZyWALL/USG to establish the L2TP VPN. If you see an [info] or [error] log message such as the one below, please check the ZyWALL/USG Phase 1 Settings.
  • Page 280 Make sure the ZyWALL/USG units’ security policies allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. When either end is behind NAT, IKE and ESP switch to NAT traversal on UDP port 4500, which must be allowed as well. Verify that the Zone is set correctly in the Zone object. This should be set to the IPSec_VPN Zone so that security policies are applied properly.
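The NAT router service group (UDP 1701, 500 and 4500), the address-pool warning on the Android page and the port and protocol list above cover the two checks most often skipped when an L2TP over IPsec client cannot connect. The following Python module is an added example, not ZyXEL code. It parses a list of allow rules written the way the handbook lists them and reports which required flows no rule admits (ESP is an IP protocol, not a port, so a policy that only lists UDP or TCP ports never covers it), and it checks an L2TP address pool against the local zones for overlap. The rule syntax, the zone table and the sample pools are constructed assumptions; of the zone subnets only LAN1 matches this handbook's default 192.168.1.1/24, the others are placeholders to replace with your own.

```python
"""Pre-flight checks for L2TP over IPsec remote access, with a NAT router in front.

Added example for this section of the handbook, not ZyXEL code. The rule
syntax, the zone table and the sample address pools are constructed for
illustration; nothing here talks to a device.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

PROTO_NUMBERS = {"tcp": 6, "udp": 17, "esp": 50, "ah": 51}

# (name, IP protocol, port). IKE and NAT-T are UDP services; ESP is its own
# IP protocol with no port, so a rule that only lists UDP/TCP ports never
# covers it. L2TP (UDP 1701) travels inside the IPsec SA, but the handbook's
# NAT router service group forwards it too, so it is listed here as well.
REQUIRED_FLOWS = (
    ("IKE", 17, 500),
    ("IKE NAT-T", 17, 4500),
    ("ESP", 50, None),
    ("L2TP", 17, 1701),
)

# Assumed local zones. LAN1 matches the handbook's default 192.168.1.1/24;
# the others are placeholders to replace with your own subnets.
DEFAULT_ZONES = {"LAN1": "192.168.1.0/24", "LAN2": "192.168.2.0/24", "DMZ": "192.168.3.0/24"}


def parse_rule(text: str) -> Tuple[int, int, int]:
    """Turn 'udp 500', 'udp 1700-1702', 'esp' or '50' into (protocol, low_port, high_port).

    A protocol-only rule (no port) admits every port of that protocol.
    """
    parts = text.lower().split()
    proto = PROTO_NUMBERS.get(parts[0])
    if proto is None:
        proto = int(parts[0])          # numeric protocol, e.g. "50" for ESP
    if len(parts) == 1:
        return proto, 0, 65535
    low, _, high = parts[1].partition("-")
    return proto, int(low), int(high or low)


def missing_flows(rules: Iterable[str]) -> List[str]:
    """Names of required flows that none of the given allow rules admits."""
    parsed = [parse_rule(r) for r in rules]
    missing = []
    for name, proto, port in REQUIRED_FLOWS:
        p = 0 if port is None else port
        if not any(proto == rp and low <= p <= high for rp, low, high in parsed):
            missing.append(name)
    return missing


def pool_conflicts(pool_start: str, pool_end: str, zones: Dict[str, str]) -> List[str]:
    """Names of zones whose subnet overlaps the L2TP address pool [pool_start, pool_end]."""
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    if end < start:
        raise ValueError("pool end is before pool start")
    hits = []
    for name, cidr in zones.items():
        net = ipaddress.ip_network(cidr, strict=False)
        # Two ranges overlap when neither ends before the other begins.
        if start <= net.broadcast_address and end >= net.network_address:
            hits.append(name)
    return hits


if __name__ == "__main__":
    # A NAT router policy that forgot NAT-T and ESP, a common cause of the
    # Phase 1 log errors the handbook describes.
    print("missing:", missing_flows(["udp 500", "udp 1701"]))
    print("complete:", missing_flows(["udp 500", "udp 4500", "esp", "udp 1701"]))
    print("pool 192.168.10.10-20:", pool_conflicts("192.168.10.10", "192.168.10.20", DEFAULT_ZONES))
    print("pool 192.168.1.200-220:", pool_conflicts("192.168.1.200", "192.168.1.220", DEFAULT_ZONES))
```

The flow check accepts port ranges and numeric protocols so that a rule written as "50" or "udp 500-4500" is recognised; the pool check uses the standard library's ipaddress types so that the overlap comparison is done on addresses rather than on strings.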
  • Page 281: How To Import Zywall/Usg Certificate For L2Tp Over Ipsec In Windows 10

    How to Import ZyWALL/USG Certificate for L2TP over IPsec in Windows 10 This is an example of using the L2TP VPN client software included in the Windows 10 operating system. When the VPN tunnel is configured, users can securely access the network behind the ZyWALL/USG from a Windows 10 computer, and traffic from L2TP clients can be allowed to go to the Internet.
  • Page 282 Then, configure the Rule Name and set My Address to the wan1 interface which is connected to the Internet. Type a secure Pre-Shared Key (8-32 characters). Quick Setup > VPN Setup Wizard > Welcome > VPN Settings Assign the L2TP users’ IP address range from 192.168.100.10 to 192.168.100.20 for use in the L2TP VPN tunnel and select Allow L2TP traffic Through WAN to allow traffic from L2TP clients to go to the Internet.
  • Page 283 Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (L2TP VPN Settings) This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (Summary)
  • Page 284 Now the rule is configured on the ZyWALL/USG. The rule settings appear in the VPN > L2TP VPN screen. Click Close to exit the wizard. Quick Setup > VPN Setup Wizard > Welcome > VPN Settings > Wizard Completed Go to CONFIGURATION >...
  • Page 285 CONFIGURATION > VPN > L2TP VPN > Create new Object > User If some of the traffic from the L2TP clients needs to go to the Internet, create a policy route to send traffic from the L2TP tunnels out through a WAN trunk. Set Incoming to Tunnel and select your L2TP VPN connection.
  • Page 286: Export A Certificate From Zywall/Usg And Import It To Windows 10 Operating System

    CONFIGURATION > Network > Routing > Policy Route Export a Certificate from ZyWALL/USG and Import it to Windows 10 Operating System Go to ZyWALL/USG CONFIGURATION > Object > Certificate, select the certificate (default in this example) and click Edit. CONFIGURATION >...
  • Page 287 Export the default certificate from the ZyWALL/USG with its Private Key (password zyx123 in this example). Note that the .p12 file carries the gateway's private key, so protect the file and its password; anyone holding them can impersonate the gateway. CONFIGURATION > Object > Certificate > default > Edit > Export Certificate with Private Key Save the default certificate as a *.p12 file on the Windows 10 computer. default.p12 In the Windows 10 operating system, go to Start Menu > Search Box. Type mmc and press Enter.
  • Page 288 In the Available snap-ins, select Certificates and click Add. Then, click Finish. Press OK to close the Snap-ins window. Available snap-ins > Certificates > Add In the mmc console window, go to Certificates (Local Computer) > Trusted Root Certification Authorities, right-click Certificates > All Tasks > Import…
  • Page 289 Click Next. Click Browse..., and locate the .p12 file you downloaded earlier. Then, click Next.
  • Page 290 Type zyx123 in the Password field and click Next. Select Place all certificates in the following store, then click Browse and find Trusted Root Certification Authorities. Click Next, then click Finish.
  • Page 291: Set Up The L2Tp Vpn Tunnel On The Windows 10

    Note: Each ZyWALL/USG device has its own self-signed certificate by factory default. When you reset to the default configuration file, the original self-signed certificate is erased, and a new self-signed certificate is created when the ZyWALL/USG boots the next time. Set Up the L2TP VPN Tunnel on Windows 10
  • Page 292 To configure L2TP VPN in the Windows 10 operating system, go to Start > Settings > Network & Internet > VPN > Add a VPN Connection and configure as follows. Set VPN Provider to Windows (built-in). Configure a Connection name for you to identify the VPN configuration. Set Server name or address to the ZyWALL/USG’s WAN IP address (172.124.163.150 in this example).
  • Page 293 Go to Control Panel > Network and Internet > Network Connections, right-click the VPN connection and choose Properties. Continue to Security > Advanced settings and select Use certificate for authentication.
  • Page 295 Go to the Network & Internet Settings window and click Connect. Go to...
  • Page 296: Test The L2Tp Over Ipsec Vpn Tunnel

    Test the L2TP over IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the interface is connected. CONFIGURATION > VPN > IPSec VPN > VPN Connection Go to ZyWALL/USG MONITOR >...
  • Page 297 In the Windows 10 operating system, go to Start > Settings > Network & Internet > VPN and check that the status shows Connected. Menu > Settings > VPN > ZyXEL_L2TP
  • Page 298: What Could Go Wrong

    What Could Go Wrong? If you see an [alert] log message such as the one below, please check the ZyWALL/USG L2TP Allowed User or User/Group Settings. Windows 10 users must use the same Username and Password as configured in the ZyWALL/USG to establish the L2TP VPN. If you see an [info] or [error] log message such as the one below, please check the ZyWALL/USG Phase 1 Settings.
  • Page 299 Verify that the Zone is set correctly in the VPN Connection rule. This should be set to the IPSec_VPN Zone so that security policies are applied properly.
  • Page 300: How To Import Zywall/Usg Certificate For L2Tp Over Ipsec In Ios Mobile Phone

    How to Import ZyWALL/USG Certificate for L2TP over IPsec in iOS mobile phone This is an example of using the L2TP VPN and VPN client software included in Android mobile phone operating systems. When the VPN tunnel is configured, users can securely access the network behind the ZyWALL/USG and allow traffic from L2TP clients to go to the Internet from an iOS mobile phone.
  • Page 301 Then, configure the Rule Name and set My Address to the wan1 interface, which is connected to the Internet. Type a secure Pre-Shared Key (8-32 characters). Quick Setup > VPN Setup Wizard > Welcome > VPN Settings Assign the L2TP users’ IP address range (192.168.100.10 to 192.168.100.20) for use in the L2TP VPN tunnel and select Allow L2TP traffic Through WAN to allow traffic from L2TP clients to go to the Internet.
  • Page 302 Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (L2TP VPN Settings) This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The rule settings appear in the VPN > L2TP VPN screen.
  • Page 303 Go to CONFIGURATION > VPN > VPN Gateway > WIZ_L2TP_VPN, change the Authentication method to Certificate and select the certificate that the ZyWALL/USG uses to identify itself to the Android mobile phone. CONFIGURATION > VPN > VPN Gateway > WIZ_L2TP_VPN > Authentication > Certificate Go to CONFIGURATION >...
  • Page 304 ...
  • Page 305: Export A Certificate From Zywall/Usg And Import It To Ios Mobile Phone

    Export a Certificate from ZyWALL/USG and Import it to iOS Mobile Phone Go to ZyWALL/USG CONFIGURATION > Object > Certificate, select the certificate (default in this example) and click Edit. CONFIGURATION > Object > Certificate > default Export the default certificate from the ZyWALL/USG with its Private Key (zyx123 in this example). CONFIGURATION >...
  • Page 306 Set Server name or address to the ZyWALL/USG’s WAN IP address (172.124.163.150 in this example). Set VPN type to Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec). Enter the User name and Password, which are the same as the Allowed User created on the ZyWALL/USG (L2TP_Remote_Users/zyx168 in this example).
  • Page 307 ...
  • Page 308: Test The L2Tp Over Ipsec Vpn Tunnel

    Go to the Network & Internet Settings window and click Connect. Test the L2TP over IPSec VPN Tunnel 1. Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the interface is connected. CONFIGURATION >...
  • Page 309 2. Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and the Inbound(Bytes)/Outbound(Bytes) traffic. Click Connectivity Check to verify the result of the ICMP connectivity check. Hub_HQ > MONITOR > VPN Monitor > IPSec > WIZ_L2TP_VPN 3.
  • Page 310: What Could Go Wrong

    What Could Go Wrong? 1. If you see an [alert] log message such as the one below, check the ZyWALL/USG L2TP Allowed User or User/Group settings. iOS users must use the same Username and Password as configured on the ZyWALL/USG to establish the L2TP VPN. 2.
  • Page 311: How To Import Zywall/Usg Certificate For L2Tp Over Ipsec In Android Mobile Phone

    6. Make sure the ZyWALL/USG units’ security policies allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. 7. Verify that the Zone is set correctly in the VPN Connection rule. It should be set to the IPSec_VPN zone so that security policies are applied properly.
  • Page 312: Set Up The L2Tp Vpn Tunnel On The Zywall/Usg

    Set Up the L2TP VPN Tunnel on the ZyWALL/USG In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings for L2TP VPN Settings wizard to create an L2TP VPN rule that can be used with Android mobile phone clients.
  • Page 313 Assign the L2TP users’ IP address range (192.168.100.10 to 192.168.100.20) for use in the L2TP VPN tunnel and select Allow L2TP traffic Through WAN to allow traffic from L2TP clients to go to the Internet. Click OK. Quick Setup >...
  • Page 314 Quick Setup > VPN Setup Wizard > Welcome > VPN Settings > Wizard Completed Go to CONFIGURATION > VPN > VPN Gateway > WIZ_L2TP_VPN, change the Authentication method to Certificate and select the certificate that the ZyWALL/USG uses to identify itself to the Android mobile phone. CONFIGURATION >...
  • Page 315 ...
  • Page 316: Export A Certificate From Zywall/Usg And Import It To Android Mobile Phone

    Export a Certificate from ZyWALL/USG and Import it to Android Mobile Phone Go to ZyWALL/USG CONFIGURATION > Object > Certificate, select the certificate (default in this example) and click Edit. CONFIGURATION > Object > Certificate > default Export the default certificate from the ZyWALL/USG with its Private Key (zyx123 in this example). CONFIGURATION >...
  • Page 317: Set Up The L2Tp Vpn Tunnel On The Android Mobile Device

    Set Up the L2TP VPN Tunnel on the Android Mobile Device To configure L2TP VPN in Android, go to Start > Settings > Network & Internet > VPN > Add a VPN Connection and configure as follows. Set VPN Provider to Windows (built-in). Configure a Connection name for you to identify the VPN configuration.
  • Page 318 Go to Control Panel > Network and Internet > Network Connections, right-click and select Properties. Continue to Security > Advanced settings and select Use Certificate for authentication. ...
  • Page 319 ...
  • Page 320: Test The L2Tp Over Ipsec Vpn Tunnel

    Go to the Network & Internet Settings window and click Connect. Test the L2TP over IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the interface is connected. CONFIGURATION >...
  • Page 321 Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and the Inbound(Bytes)/Outbound(Bytes) traffic. Click Connectivity Check to verify the result of the ICMP connectivity check. Hub_HQ > MONITOR > VPN Monitor > IPSec > WIZ_L2TP_VPN Go to ZyWALL/USG MONITOR >...
  • Page 322: What Could Go Wrong

    What Could Go Wrong? If you see an [alert] log message such as the one below, check the ZyWALL/USG L2TP Allowed User or User/Group settings. Android users must use the same Username and Password as configured on the ZyWALL/USG to establish the L2TP VPN. If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 settings.
  • Page 323 If you cannot access devices in the local network, verify that the devices in the local network use the USG’s IP as their default gateway so that they can use the L2TP tunnel. Make sure the ZyWALL/USG units’ security policies allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50.
  • Page 324: System

    How to Configure the L2TP VPN with Apple MAC OS X 10.11 Operating System This is an example of using the L2TP VPN and VPN client software included in the Apple MAC OS X 10.11 El Capitan operating system. When the VPN tunnel is configured, users can securely access the network behind the ZyWALL/USG and allow traffic from L2TP clients to go to the Internet from an Apple computer.
  • Page 325 Then, configure the Rule Name and set My Address to the wan1 interface, which is connected to the Internet. Type a secure Pre-Shared Key (8-32 characters). Quick Setup > VPN Setup Wizard > Welcome > VPN Settings ...
  • Page 326 Configure the L2TP users’ IP address range (192.168.30.10 to 192.168.30.20) for use in the L2TP VPN tunnel and check Allow L2TP traffic Through WAN. Click OK. Quick Setup > VPN Setup Wizard > Welcome > VPN Settings Continue to the next page to review your Summary and click Save. Quick Setup >...
  • Page 327 Go to CONFIGURATION > VPN > L2TP VPN > Create new Object > User to add a User Name and Password (4-24 characters). Then, set Allowed User to the newly created object (L2TP_Remote_Users/zyx168 in this example). CONFIGURATION > VPN > L2TP VPN > Create new Object > User ...
  • Page 328 ...
  • Page 329: Capitan Operating System

    Set Up the L2TP VPN Tunnel on the Apple MAC OS X 10.11 El Capitan Operating System To configure L2TP VPN in the OS X 10.11 operating system, go to System Preferences… > Network, click the "+" button at the bottom left of the connection list to add a new connection and configure as follows.
  • Page 330 Configure Server Address to be the ZyWALL/USG’s WAN IP address (172.124.163.150 in this example). Enter the Account Name, which should be the same as the Allowed User created on the ZyWALL/USG (L2TP_Remote_Users in this example). Then, click Authentication Settings…. In the User Authentication section, enter the Password, which should be the same as the Allowed User created on the ZyWALL/USG (zyx123 in this example).
  • Page 331 Go back to Configuration and click Advanced…. Select Send all traffic over VPN connection to allow the L2TP/IPSec VPN traffic between the ZyWALL/USG and the MAC OS X system. ...
  • Page 332: Test The L2Tp Over Ipsec Vpn Tunnel

    Go back to Configuration and click Connect. Test the L2TP over IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the interface is connected. CONFIGURATION > VPN > IPSec VPN > VPN Connection Go to ZyWALL/USG MONITOR >...
  • Page 333 (The function has a problem and cannot be captured in a screenshot), connectivity check fail Go to ZyWALL/USG MONITOR > VPN Monitor > L2TP over IPSec and verify the Current L2TP Session. MONITOR > VPN Monitor > L2TP over IPSec > L2TP_Remote_Users Go to MAC OS X System Preferences… > Network and confirm the Connected status, Connect Time and assigned IP Address.
  • Page 334: What Could Go Wrong

    What Could Go Wrong? If you see an [alert] log message such as the one below, check the ZyWALL/USG L2TP Allowed User or User/Group settings. Apple MAC OS X El Capitan operating system users must use the same Username and Password as configured on the ZyWALL/USG to establish the L2TP VPN.
  • Page 335 If you see that the Phase 1 IKE SA process has completed but you still get an [info] log message such as the one below, check the ZyWALL/USG Phase 2 settings. The ZyWALL/USG unit must have the correct Local Policy set to establish the IKE SA. Ensure that the L2TP Address Pool does not conflict with any existing LAN1, LAN2, DMZ, or WLAN zones, even if they are not in use.
  • Page 336: How To Configure If I Want User Can Only See Ssl Vpn Login Button In Web Portal Login Page

    How to configure if I want user can only see SSL VPN Login button in web portal login page This example shows how to restrict portal access for SSL VPN clients. It shows how to allow end users to see only the SSL VPN Login button in the web portal login screen, while the administrator can manage the device only from the LAN.
  • Page 337: Set Up The Dns Service

    Set Up the DNS Service In this scenario, you need a DNS host to fulfill the requirement. In this example, go to https://www.noip.com/ to register an account and create a DNS host. The mapped IP address is the public IP of the ZyWALL/USG's WAN interface.
  • Page 338: Set Up The Zywall/Usg System Setting

    Set Up the ZyWALL/USG System Setting Go to CONFIGURATION > System > WWW > Admin Service Control > Add Admin ACL Rule 1. Set the address access action to Deny for ALL addresses in WAN. CONFIGURATION > System > WWW > Admin Service Control > Add Admin ACL Rule 1 ...
  • Page 339: Test The Ssl Vpn

    Test the SSL VPN Type in the URL (https://sslvpnzyxeltest.ddns.net) and you will see only the SSL VPN Login button in the web portal screen. Type in the URL (https://sslvpnzyxeltest.ddns.net) Log in to the device via the WAN interface with the administrator's user name and password.
  • Page 340 Log in to the device via the WAN interface Log in to the device via the LAN interface with the administrator's user name and password. The management portal will be displayed. ...
  • Page 341 Log in to the device via the LAN interface ...
  • Page 342 Go to MONITOR > Log. You can see that the admin login has been denied from the WAN interface but allowed from the LAN interface. MONITOR > ...
  • Page 343: How To Deploy Ssl Vpn With Apple Mac Os X 10.10 Operating System

    How to Deploy SSL VPN with Apple Mac OS X 10.10 Operating System This is an example of using the ZyWALL/USG SSL VPN client software in the Apple MAC OS X 10.10 Yosemite operating system for secure connections to the network behind the ZyWALL/USG.
  • Page 344: Set Up The Ssl Vpn Tunnel On The Zywall/Usg

    Set Up the SSL VPN Tunnel on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > VPN > SSL VPN > Access Privilege to add an Access Policy. Configure a Name for you to identify the SSL VPN configuration. CONFIGURATION >...
  • Page 345 Go to Create new Object > Application to add the servers you allow SSL_VPN_1_Users to access, then click OK. CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > Create new Object > Application Go to Create new Object > Address to add the IP address pool for SSL_VPN_1_Users.
  • Page 346 CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > User/Group & SSL Application Scroll down to Network Extension (Optional) and select Enable Network Extension to allow SSL VPN users to access the resources behind the ZyWALL/USG local network.
  • Page 347: System

    Set Up the SSL VPN Tunnel on the Apple MAC OS X 10.10 Operating System Download the SSL VPN client software, ZyWALL SecuExtender for MAC, from the ZyXEL Global Website and double-click the downloaded file to install it. ...
  • Page 348 Go to ZyWALL SecuExtender > Preferences and click the "+" button at the bottom left to add a new SSL VPN connection. ...
  • Page 349 Configure the Connection Name for you to identify the SSL VPN configuration. Then, set the Remote Server Address to the WAN IP of the ZyWALL/USG (172.16.1.33 in this example). Click Save. ...
  • Page 350 There are two methods to initiate SSL VPN connections: from ZyWALL SecuExtender, or from a web browser. From ZyWALL SecuExtender: Go to ZyWALL SecuExtender > Connect > SSL_VPN to display the username and password dialog box. Set Username and Password to be the same as your ZyWALL/USG SSL VPN Selected User/Group name and password (SSL_VPN_1_Users/zyx168 in this example).
  • Page 351: Test The Ssl Vpn Tunnel

    Test the SSL VPN Tunnel Go to ZyWALL/USG MONITOR > VPN Monitor > SSL and verify the tunnel Login Address, Connected Time and the Inbound(Bytes)/Outbound(Bytes) traffic. MONITOR > VPN Monitor > SSL > SSL_VPN_1_Users Go to ZyWALL SecuExtender > Details and check Traffic Graph, Network Traffic Statics and Log Details.
  • Page 352 ZyWALL SecuExtender > Details > Traffic Graph ZyWALL SecuExtender > Details > Network Traffic Statics ...
  • Page 353 ZyWALL SecuExtender > Details > Log Details ...
  • Page 354: What Could Go Wrong

    What Could Go Wrong? If you see a [notice] or [alert] log message such as the one below, check the ZyWALL/USG SSL Selected User/Group Objects settings. MAC OS X 10.10 Yosemite users must use the same Username and Password as configured on the ZyWALL/USG to establish the SSL VPN tunnel.
  • Page 355 If you uploaded a logo to show in the SSL VPN user screens but it does not display properly, check that the logo graphic is in GIF, JPG, or PNG format. The graphic should use a resolution of 103 x 29 pixels to avoid distortion when displayed. The ZyWALL/USG automatically resizes a graphic of a different resolution to 103 x 29 pixels.
  • Page 356: How To Configure Ssl Vpn For Remote Access Mobile Devices

    How To Configure SSL VPN for Remote Access Mobile Devices This is an example of using the ZyWALL/USG SSL VPN for remote access mobile devices to securely connect to the File Sharing Server behind the ZyWALL/USG. ZyWALL/USG SSL VPN for Secure External Access to Network Resources Note: All network IP addresses and subnet masks are used as examples in this article.
  • Page 357: Set Up The Ssl Vpn Tunnel On The Zywall/Usg

    Set Up the SSL VPN Tunnel on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > VPN > SSL VPN > Access Privilege to add an Access Policy. Configure a Name for you to identify the SSL VPN configuration. CONFIGURATION >...
  • Page 358 Go to Create new Object > Application to add the servers that you will allow SSL_VPN_1_Users to access. Click OK. ...
  • Page 359 CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > Create new Object > Application Then, move the newly created address object to Selected User/Group Objects. Similarly, in SSL Application List (Optional), move the servers you want available to SSL users to Selected Application Objects.
  • Page 360: Test The Ssl Vpn Tunnel

    Test the SSL VPN Tunnel Type the ZyWALL/USG’s WAN IP into the browser; the login screen appears. Enter the User Name and Password, which are the same as your ZyWALL/USG SSL VPN Selected User/Group name and password (SSL_VPN_1_Users/zyx168 in this example).
  • Page 361 Click the File Sharing folder you want to access, enter the User Name/Password of your File Sharing server and click Login. Now you can securely access the files. ...
  • Page 362: What Could Go Wrong

    What Could Go Wrong? If you see a [notice] or [alert] log message such as the one below, check the ZyWALL/USG SSL Selected User/Group Objects settings. Windows 10 users must use the same Username and Password as configured on the ZyWALL/USG to establish the SSL VPN tunnel.
  • Page 363: How To Configure An Ssl Vpn Tunnel (With Secuextender Version 4.0.0.1) On The Windows 10 Operating System

    How to Configure an SSL VPN Tunnel (with SecuExtender version 4.0.0.1) on the Windows 10 Operating System Set up the SSL VPN Tunnel with Windows 10 Download SecuExtender version 4.0.0.1 from the download library of ZyXEL’s official website. Before you start installing SecuExtender, you must install the “Visual C++ 2015 Redistributable”...
  • Page 364 ...
  • Page 365 ...
  • Page 366 ...
  • Page 367: What Can Go Wrong

    Double-click the shortcut icon on your desktop. It is the same as the SSL VPN standalone software on MAC OS X. Enter the server’s IP or domain name, user name, and password to connect to the server. The example below shows that the client IP is 7.7.7.1; you can also check the traffic statistics in the Status screen.
  • Page 368 If you have uploaded a logo to show on the SSL VPN user screens but it does not display properly, check that the logo graphic is in GIF, JPG, or PNG format. The graphic should use a resolution of 103 x 29 pixels to avoid distortion when displayed.
  • Page 369: How To Redirect Multiple Lan Interface Traffic To The Vpn Tunnel

    How to redirect multiple LAN interface traffic to the VPN tunnel This example shows how to use the VPN Setup Wizard to create a site-to-site VPN in which multiple LAN interfaces have access to the VPN tunnel. It shows how to configure the VPN tunnel between the sites and redirect the traffic of multiple LAN interfaces into the VPN tunnel.
  • Page 370: Set Up The Zywall/Usg Ipsec Vpn Tunnel Of Corporate Network (Hq)

    Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ) In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG. Click Next.
  • Page 371 Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Configure Secure Gateway IP as the peer ZyWALL/USG’s WAN IP address (in the example, 172.100.30.54).
  • Page 372 This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...
  • Page 373: Set Up The Zywall/Usg Ipsec Vpn Tunnel Of Corporate Network (Branch)

    Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not check the identity content of the remote IPSec router.
  • Page 374 Quick Setup > VPN Setup Wizard > Welcome Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and to use a pre-shared key. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type Type the Rule Name used to identify this VPN connection (and VPN gateway).
  • Page 375 Configure Secure Gateway IP as the peer ZyWALL/USG’s WAN IP address (in the example, 172.101.30.68). Type a secure Pre-Shared Key (8-32 characters). Set Local Policy to the IP address range of the network connected to the ZyWALL/USG and Remote Policy to the IP address range of the network connected to the peer ZyWALL/USG.
  • Page 376 Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.
  • Page 377: Set Up The Policy Route (Zywall/Usg_Hq)

    CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type Set up the Policy Route (ZyWALL/USG_HQ) Go to ZyWALL/USG_HQ CONFIGURATION > Network > Routing > Add. Set Source Address to the subnet (192.168.2.0/24 in this example) that is allowed to join the VPN tunnel.
  • Page 378: Set Up The Policy Route (Zywall/Usg_Branch)

    CONFIGURATION > Network > Routing > Add Set up the Policy Route (ZyWALL/USG_Branch) Go to ZyWALL/USG_Branch CONFIGURATION > Network > Routing > Add and create an Address for the remote LAN subnet (192.168.2.0/24 in this example) that is allowed to join the VPN tunnel. CONFIGURATION >...
  • Page 379 Go to ZyWALL/USG_Branch CONFIGURATION > Network > Routing > Add. Set Source Address to the local subnet (192.168.10.0/24 in this example). Set Destination Address to the remote LAN subnet (192.168.2.0/24 in this example) that is allowed to join the VPN tunnel. CONFIGURATION >...
  • Page 380: Test The Ipsec Vpn Tunnel

    Test the IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected. CONFIGURATION > VPN > IPSec VPN > VPN Connection Go to ZyWALL/USG MONITOR >...
  • Page 381: What Could Go Wrong

    PC at Branch Office > Windows 7 > cmd > ping 192.168.2.33 What Could Go Wrong? If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 settings. Both ZyWALL/USG units at the HQ and Branch sites must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
  • Page 382 If you see that the Phase 1 IKE SA process has completed but you still get an [info] log message such as the one below, check the ZyWALL/USG Phase 2 settings. Both ZyWALL/USG units at the HQ and Branch sites must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IKE SA. MONITOR >...
  • Page 383: How To Create Vti And Configure Vpn Failover With Vti

    How to Create VTI and Configure VPN Failover with VTI This example illustrates how to create a VTI object and configure a policy route with the VTI. It then adds the VTI to the WAN trunk to achieve VPN load balancing.
  • Page 384: Set Up The Zywall/Usg Vti Of Corporate Network (Hq)

    Set Up the ZyWALL/USG VTI of Corporate Network (HQ) In the ZyWALL/USG, go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Add to create the VPN gateway HQ1 with wan1. CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Add In the same screen, create the VPN gateway HQ2 with wan2.
  • Page 385 Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection > Add and configure a VPN tunnel for the VPN gateway HQ1. Select VPN Tunnel Interface as the application scenario. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Add In the same screen, create a VPN tunnel for the VPN gateway HQ2.
  • Page 386 Go to CONFIGURATION > Network > Interface > VTI > Add to create a VTI for the VPN tunnel HQ1. Enable the connectivity check. Enter the IP address of vti1, which is configured on USG2. CONFIGURATION > Network > Interface > VTI > Add CONFIGURATION >...
  • Page 387 CONFIGURATION > Network > Interface > VTI > vti2 > Connectivity Check Go to CONFIGURATION > Network > Interface > Trunk > User Configuration > Add to create a new trunk. Add vti1 and vti2 to the new trunk. CONFIGURATION >...
  • Page 388 Connect the VPN tunnels when the VTIs are ready. Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection to connect the VPN tunnels. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Connect Go to CONFIGURATION > Network > Interface > VTI. You will see that the status of the VTI is up when the corresponding VPN tunnel is established.
  • Page 389: Set Up The Zywall/Usg Vti Of Corporate Network (Branch)

    Set Up the ZyWALL/USG VTI of Corporate Network (Branch) In the ZyWALL/USG, go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Add to create the VPN gateway BO1 with wan1. CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Add In the same screen, create the VPN gateway BO2 with wan2.
  • Page 390 Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection > Add and configure a VPN tunnel for the VPN gateway BO1. Select VPN Tunnel Interface as the application scenario. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Add ...
  • Page 391 In the same screen, create a VPN tunnel for the VPN gateway BO2. Select VPN Tunnel Interface as the application scenario. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Add Go to CONFIGURATION > Network > Interface > VTI > Add to create a VTI for the VPN tunnel BO1.
  • Page 392 CONFIGURATION > Network > Interface > VTI > vti1 > Connectivity Check In the same screen, create a VTI for the VPN tunnel BO2. Be aware that the IP address of this VTI must be in the same subnet as vti2 on USG1. In this example, the IP address and subnet mask of vti2 on USG1 are 10.10.11.10 and 255.255.255.0 respectively.
  • Page 393 CONFIGURATION > Network > Interface > VTI > vti1 > Connectivity Check Go to CONFIGURATION > Network > Interface > Trunk > User Configuration > Add to create a new trunk. Add vti1 and vti2 to the new trunk. CONFIGURATION >...
  • Page 394 Go to CONFIGURATION > Network > Routing > Policy Route > Add to configure a policy route with Source Address: LAN1_SUBNET (192.168.11.0/24); Destination Address: HQ_subnet (192.168.1.0/24); Next-Hop: BO_vti_trunk; SNAT: none. CONFIGURATION > Network > Routing > Policy Route > Add Connect the VPN tunnels when the VTIs are ready.
  • Page 395: Test The Ipsec Vpn Tunnel

    CONFIGURATION > VPN > IPSec VPN > VPN Connection > Connect Go to CONFIGURATION > Network > Interface > VTI. You will see that the status of the VTI is up when the corresponding VPN tunnel is established. CONFIGURATION > Network > Interface > VTI Test the IPSec VPN Tunnel To test whether or not a tunnel is working, ping from a PC in LAN1 of USG1 to a PC in LAN1 of USG2 and vice versa.
  • Page 396 PC of USG2 (192.168.11.33) > Windows 7 > cmd > ping 192.168.1.34 To test whether or not VPN failover is working, unplug wan1 of USG1. Then ping from a PC in LAN1 of USG1 to a PC in LAN1 of USG2 and vice versa. Check the VPN status of USG1 in the MONITOR >...
  • Page 397: What Can Go Wrong

    Check the VPN status of USG2 in the MONITOR > VPN Monitor > IPSec screen. PC of USG2 (192.168.11.33) > Windows 7 > cmd > ping 192.168.1.34 What Can Go Wrong? If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 settings.
  • Page 398 MONITOR > Log Make sure that the security policies of both ZyWALL/USG units at the HQ and Branch sites allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. NAT traversal is enabled by default on the ZyWALL/USG; make sure the remote IPSec device also has NAT traversal enabled.
  • Page 399: How To Configure The Usg When Using A Cloud Based Sip System

    How to configure the USG when using a Cloud Based SIP system This example shows how to configure the USG when there is a Cloud Based SIP system. IP phones are increasingly popular nowadays. The USG supports the scenario where IP phones located in the LAN connect to the Internet to register with the SIP server.
  • Page 400: Set Up The Sip Alg

    Set Up the SIP ALG Go to CONFIGURATION > Network > ALG and check “Enable SIP ALG”. Also check “Enable SIP Transformations” if the SIP content needs to be transformed. Then click “Apply”. CONFIGURATION > Network > ALG Direct-media and Direct-signalling are activated after ZLD 4.25.
  • Page 401: What Could Go Wrong

    Check the SIP registration status on the PBX. What could go wrong? The SIP phone does not support transforming by itself, but “SIP Transformations” is not checked. The SIP phone will contact the outside without direct-signalling and direct media, but the default setting on the USG is on How to block HTTPS websites by Domain Filter without applying SSL Inspection...
  • Page 402: Set Up The Content Filter On The Zywall/Usg

    (SNI) extension field in the server FQDN. The SNI is used to query the category from the Commtouch engine, and action is taken when it matches a blocked category in the Content Filter profile. ZyWALL/USG Domain Filter Example Note: All network IP addresses and subnet masks are used as examples in this article.
  • Page 403 Profile > Test Web Site Category. Type a URL to test the category and click Test Against Content Filter Category Server. You will see the category recorded in the external content filter server’s database for both the HTTP and HTTPS domain you specified. Go to CONFIGURATION >...
  • Page 404 Scroll down to the Managed Categories section and select categories in this section to control access to specific types of Internet content. You must have the Content Filtering license to filter these categories. ...
  • Page 405: Set Up The Security Policy On The Zywall/Usg

    Set Up the Security Policy on the ZyWALL/USG Go to CONFIGURATION > Security Policy > Policy Control and configure a Name for you to identify the Security Policy profile. Scroll down to UTM Profile, select Content Filter and select a profile from the list box (Social_Net_Block in this example). Set Up the System Policy on the ZyWALL/USG Go to CONFIGURATION >...
  • Page 406 Go to the ZyWALL/USG Monitor > Log; you will see an [alert] log message such as the one below. An HTTP traffic log shows (Content Filter) and an HTTPS traffic log shows (HTTPS Domain Filter) in the message field. ...
  • Page 407 Monitor > Log ...
  • Page 408: How To Configure Content Filter 2.0 With Geo Ip Blocking

    How to Configure Content Filter 2.0 with Geo IP Blocking Content Filter 2.0 Geo IP blocking identifies the country based on the IP address and allows you to block clients from accessing certain countries based on organizational policy.
  • Page 409: Set Up The Address Object With Geo Ip On The Zywall/Usg

    Set Up the Address Object with Geo IP on the ZyWALL/USG Go to CONFIGURATION > Object > Address/Geo IP > Address > Add Address Rule. Go to CONFIGURATION > Object > Address/Geo IP > Address; you can see the customized GEOGRAPHY address.
  • Page 410: Test The Result

    Go to CONFIGURATION > Security Policy > Policy Control and configure a Name for you to identify the Security Policy profile. Set the Geo IP policy for traffic from WAN to LAN to allow sources from the local country (geo_allow_policy in this example). Go to CONFIGURATION > Security Policy > Policy Control and configure a Name for you to identify the Security Policy profile.
  • Page 411: What Could Go Wrong

    Type http://csosuppport.ddns.net/ into the browser; the HTTP site can be reached. Go to the ZyWALL/USG Monitor > Log; you will see a [notice] log message such as the one below. Traffic that matches the Geo IP policy is blocked and shown in the message field. What Could Go Wrong? 1.
  • Page 412: How To Configure Content Filter 2.0 With Https Domain Filter

    How to Configure Content Filter 2.0 with HTTPS Domain Filter Application Scenario The Content Filter with HTTPS Domain Filter allows you to block HTTPS websites by category service without SSL Inspection. The filtering feature is based on 64 categories built into the ZyWALL/USG, such as pornography, gambling, hacking, etc. When a user makes an HTTPS request, the request includes a Server Name Indication (SNI) extension field that carries the server FQDN.
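The SNI-based matching that the HTTPS Domain Filter relies on, as an added example and not ZyXEL's own code: the block builds a constructed TLS ClientHello, extracts the server_name extension the way a filter that does not decrypt traffic must, looks the name up in a constructed category table, and shows the limitation that a ClientHello without SNI cannot be categorised. CATEGORY_DB and the allow-on-no-SNI policy are assumptions made for the example.

```python
import struct
from typing import Optional, Tuple

# Constructed stand-in for the category service the device queries;
# the real database is far larger and is not reproduced here.
CATEGORY_DB = {
    "facebook.com": "Social Networking",
    "twitter.com": "Social Networking",
    "example-casino.test": "Gambling",
}


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed sample traffic).

    A supported_groups extension is placed before the SNI so the parser
    below must walk the extension list instead of assuming SNI comes first.
    """
    exts = struct.pack("!HH", 0x000A, 4) + struct.pack("!HH", 2, 0x001D)
    if server_name is not None:
        host = server_name.encode("idna")
        entry = struct.pack("!BH", 0, len(host)) + host      # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(name_list)) + name_list  # type 0 = server_name
    body = (
        b"\x03\x03" + bytes(32)                 # client_version, random (zeros: constructed)
        + b"\x00"                               # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite
        + b"\x01\x00"                           # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the ClientHello's server_name extension.

    None means: not a handshake record, truncated data, or no SNI present.
    """
    try:
        if record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                            # version + random
        pos += 1 + body[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + body[pos]                                    # compression_methods
        if pos + 2 > len(body):
            return None                                         # no extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0x0000:
                continue
            list_len = struct.unpack("!H", edata[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                ntype = edata[p]
                nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                name = edata[p + 3:p + 3 + nlen]
                p += 3 + nlen
                if ntype == 0 and len(name) == nlen:
                    return name.decode("idna")
        return None
    except (IndexError, struct.error, UnicodeError):
        return None


def classify(host: str) -> Optional[str]:
    """Match the host or any parent domain against CATEGORY_DB."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        category = CATEGORY_DB.get(".".join(labels[i:]))
        if category:
            return category
    return None


def https_domain_filter(record: bytes, blocked: set) -> Tuple[str, str]:
    """Decide on a ClientHello without decrypting it: ('block'|'allow', reason)."""
    sni = extract_sni(record)
    if sni is None:
        # Nothing to categorise without SSL inspection; this constructed policy
        # lets such flows through, which is the blind spot of SNI-only filtering.
        return ("allow", "no SNI in ClientHello; cannot categorise without SSL inspection")
    category = classify(sni) or "uncategorised"
    if category in blocked:
        return ("block", f"{sni} is in blocked category {category}")
    return ("allow", f"{sni} is in category {category}")
```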
  • Page 413: Set Up The Content Filter On The Zywall/Usg

    Set Up the Content Filter on the ZyWALL/USG Go to CONFIGURATION > UTM Profile > Content Filter > Profile > General Settings. Select Enable HTTPS Domain Filter for HTTPS traffic. Go to CONFIGURATION > UTM Profile > Content Filter > Profile Management > Add Filter Profile >...
  • Page 414 You will see the category recorded in the external content filter server's database for both the HTTP and HTTPS domain you specified. Go to CONFIGURATION > UTM Profile > Content Filter > Profile Management > Add Filter File > Custom Service. Configure a Name for you to identify the Content Filter Profile and select Enable Content Filter Category Service.
  • Page 415: Set Up The Security Policy On The Zywall/Usg

    Set Up the Security Policy on the ZyWALL/USG Go to CONFIGURATION > Security Policy > Policy Control, configure a Name for you to identify the Security Policy profile. Scroll down to UTM Profile, select Content Filter and select a profile from the list box (Social_Net_Block in this example).
  • Page 416: Set Up The System Policy On The Zywall/Usg

    Set Up the System Policy on the ZyWALL/USG Go to CONFIGURATION > System > WWW > Show Advanced Settings > Other, click Enable Content Filter HTTPS Domain Filter Block/Warn Page.
  • Page 417: Test The Result

    Test the Result Type http://www.facebook.com/ or https://www.facebook.com/ into the browser; an error message appears. Go to the ZyWALL/USG Monitor > Log; you will see an [alert] log message such as the one below. HTTP traffic matches (Content Filter) and HTTPS traffic matches (HTTPS Domain Filter) in the message field.
  • Page 418: How To Block Clients From Accessing A Certain Country Using Geo Ip And Content Filter

    HTTPS traffic will pass. How to block clients from accessing a certain country using Geo IP and Content Filter The Content Filter with Geo IP identifies the country of an IP address and lets you block clients from accessing a certain country according to organizational policy. When a user makes an HTTP or HTTPS request, the ZyWALL/USG looks up the IP address in the MaxMind database and takes action when it matches a blocked country in the Content Filter profile.
  • Page 419: Check Geo Ip License Status On The Zywall/Usg

    Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG310 (Firmware Version: 4.25) Check Geo IP License Status on the ZyWALL/USG Go to CONFIGURATION >...
  • Page 420: Set Up The Address Object With Geo Ip On The Zywall/Usg

    Set Up the Address Object with Geo IP on the ZyWALL/USG Go to CONFIGURATION > Object > Address/Geo IP > Address > Add Address Rule. Go to CONFIGURATION > Object > Address/Geo IP > Address, where you can see the customized GEOGRAPHY address.
  • Page 421: Set Up The Security Policy On The Zywall/Usg

    Set Up the Security Policy on the ZyWALL/USG Go to CONFIGURATION > Security Policy > Policy Control, configure a Name for you to identify the Security Policy profile. Set a policy that denies Geo IP traffic from LAN to WAN (geo_block_policy in this example).
  • Page 422: Test The Result

    Test the Result Type http://www.pku.edu.cn/ or https://www.rwth-aachen.de/ into the browser; the sites can't be reached.
  • Page 423 Go to the ZyWALL/USG Monitor > Log; you will see a [notice] log message such as the one below. Traffic that matches the Geo IP policy is blocked and shown in the message field.
  • Page 425: How To Restrict Web Portal Access From The Internet

    How to Restrict Web Portal access from the Internet This example shows how to use the VPN Setup Wizard to create a site-to-site VPN with multiple LAN access to the VPN tunnel. The example instructs how to configure the VPN tunnel between each site and redirect multiple LAN interface traffic to the VPN tunnel.
  • Page 426: Test The Web Access

    Test the Web Access Log in to the device via the WAN interface with the administrator's user name and password. The screen will show Login denied. Login to the device via the WAN interface
  • Page 427 Log in to the device via the LAN interface with the administrator's user name and password. The management portal will be displayed. Login to the device via the LAN interface Go to MONITOR > Log. You can see that the admin login has been denied access from the WAN interface but is allowed from the LAN interface.
  • Page 429: How To Set Up And Configure Daily Report

    How to Set Up and Configure Daily Report This example shows how to set up the data collection and view various statistics about traffic passing through your ZyWALL/USG. When the Daily Report is configured, you will receive a statistics report every day. ZyWALL/USG Setup and Configure Daily Report Note: All network IP addresses and subnet masks are used as examples in this article.
  • Page 430: Set Up The Zywall/Usg Email Daily Report Setting

    Set Up the ZyWALL/USG Email Daily Report Setting Go to CONFIGURATION > Log & Report > Email Daily Report > General Settings. Select Enable Email Daily Report to send reports by e-mail every day. CONFIGURATION > Log & Report > Email Daily Report > General Settings Type the SMTP server name or IP address.
  • Page 431: Test The Daily Log Report

    Select the information to include in the report. Types of information include System Resource Usage, Wireless Report, Threat Report, and Interface Traffic Statistics. Select Reset counters after sending report successfully if you only want to see statistics for a 24-hour period. CONFIGURATION >...
  • Page 432 You will receive a daily report mail. ZyXEL Daily Report Mail
  • Page 433: What Could Go Wrong

    What Could Go Wrong? Make sure your Email settings are all correct. CONFIGURATION > Log & Report > Email Daily Report > Email Settings
  • Page 434: How To Set Up And Configure Email Logs

    Make sure your ZyWALL-to-WAN security policy allows this traffic. How to Set Up and Configure Email Logs This example shows how to set up the e-mail profiles to mail ZyWALL/USG log messages to specific destinations. You can also specify which log messages to e-mail, and where and how often to e-mail them.
  • Page 435: Set Up The Zywall/Usg Email Logs Setting

    Set Up the ZyWALL/USG Email Logs Setting 1. Go to CONFIGURATION > Log & Report > Log Settings > System Log > Edit > E-mail Server 1. Select Active. Type the SMTP server name or IP address. In Mail From, type the e-mail address from which the outgoing e-mail is delivered.
  • Page 436: Test The Email Log

    CONFIGURATION > Log & Report > Log Settings > System Log > Edit > Active Log and Alert. Test the Email Log You will receive a log e-mail at the time you set in the E-mail Server settings. ZyXEL Log Mail
  • Page 437: What Could Go Wrong

    What Could Go Wrong? Make sure your Email settings are all correct. CONFIGURATION > Log & Report > Email Daily Report > Email Settings Make sure your ZyWALL-to-WAN security policy allows this traffic.
  • Page 438: How To Set Up And Send Logs To A Syslog Server

    How to Set Up and send logs to a Syslog Server This example shows how to set up the syslog server profiles to send ZyWALL/USG log messages to specific destinations. You can also specify which log messages to send to the syslog server. When the syslog server is configured, you will receive the system logs in real time.
  • Page 439 Go to Dashboard > Add Systems. Dashboard > Add Systems Select Not shown here? and My syslog daemon only sends to port 514. Dashboard > Add Systems > I'm using Select My syslogd only uses the default port, set the ZyWALL/USG public IP address (111.250.188.9 in this example) and name the log system.
  • Page 440 Write down the Papertrail-provided domain name (logs.papertrialpp.com in this example). Dashboard > Add Systems > I'm using > Choose your situation > System Created
  • Page 441: Set Up The Zywall/Usg Remote Server Setting

    Set Up the ZyWALL/USG Remote Server Setting 1. Go to CONFIGURATION > Log & Report > Log Settings > Remote Server > Edit. Set Log Format to CEF/Syslog. Type the Server Address as the Papertrail-provided domain name (logs.papertrialpp.com in this example). 2.
  • Page 442: Test The Remote Server

    Test the Remote Server You will receive a log mail depending on the time you set in the E-mail Server. ZyXEL Log Mail
  • Page 443: What Could Go Wrong

    What Could Go Wrong? Make sure your Log settings for Remote Server are all correct. CONFIGURATION > Log & Report > Log Settings > Remote Server Make sure your ZyWALL-to-WAN security policy allows traffic to the log server.
  • Page 444: How To Set Up And Send Logs To A Vantage Reports Server

    How to Set Up and send logs to a Vantage Reports Server This example shows how to set up the Vantage Report Server profiles to send ZyWALL/USG log messages to specific destinations. You can also specify which log messages to send to the Vantage Report Server. When the Vantage Report Server is configured, you will receive the system logs in real time.
  • Page 445: Set Up The Vrpt Server

    Set Up the VRPT Server 1. The Vantage Report server must have a registered account at http://www.myZyXEL.com. 2. Install the VRPT software: http://www.zyxel.com/support/DownloadLandingSR.shtml?c=gb&l=en&kbid=M- 01339&md=VRPT 4. Unzip the file and click Vantage Report.exe to start installing Vantage Report. The Vantage Report installation wizard then appears. Click Next.
  • Page 446 5. Enter the port number you want Vantage Report to use for web services. Make sure this port number does not conflict with other services in your network. Click Next. Check if any applications also use port 3316 (TCP), 514 (UDP) or 8080 (UDP) by entering "netstat -a"...
  • Page 447 xxxx is the port number you entered during installation (10.251.30.61:8080/vrpt/ in this example). In the login screen, enter the default login User Name and Password: root. Go to Dashboard > License Information > Manage Device, click Add Device; the Add Device screen appears on the left side. Enter the Name of the device you want to add to Vantage Report.
  • Page 448: Set Up The Zywall/Usg Remote Server Setting

    Set Up the ZyWALL/USG Remote Server Setting Go to CONFIGURATION > Log & Report > Log Settings > Remote Server > Edit. Set Log Format to VRPT/Syslog. Type the Server Address as the Vantage Report server IP address (10.251.30.61 in this example). Use the System Log drop-down list to change the log settings for all of the log categories.
  • Page 449: Test The Remote Server

    Test the Remote Server In the VRPT Server, go to Logs > Log Viewer and click Search. The screen displays the device log information. (It may take 5 - 10 minutes to display the log after the device has just been added.) VRPT Server >...
  • Page 450: How To Set Up And Send Logs To The Usb Storage

    Make sure your Log settings for Remote Server are all correct. CONFIGURATION > Log & Report > Log Settings > Remote Server Make sure your ZyWALL-to-WAN security policy allows traffic to the log server. How to Set Up and send logs to the USB storage This example shows how to use a USB device to store the system log information.
  • Page 451: Set Up The Usb System Settings

    ZyWALL/USG enables and sends logs to the USB storage Note: Only connect one USB device. It must allow writing (it cannot be read-only) and use the FAT16, FAT32, EXT2, or EXT3 file system. This example was tested using USG110 (Firmware Version: ZLD 4.25). Set Up the USB System Settings Go to CONFIGURATION >...
  • Page 452: Set Up The Usb Log Storage

    Set Up the USB Log Storage Go to CONFIGURATION > Log & Report > Log Settings, select USB Storage and click Activate. Click Apply to save your changes. CONFIGURATION > Log & Report > Log Settings Go to CONFIGURATION > Log & Report > Log Settings > USB Storage > Edit. Select Duplicate logs to USB storage (if ready) to have the ZyWALL/USG save a copy of its system logs to a connected USB storage device.
  • Page 453: Check The Usg Log Files

    Check the USG Log Files Connect the USB device to a PC; you can find the files under the following path: \Model Name_dir\centralized_log\YYYY-MM-DD.log
  • Page 454: How To Set Up Ipv6 Interfaces For Pure Ipv6 Routing

    How to Set Up IPv6 Interfaces for Pure IPv6 Routing This example shows how to configure your USG Z's WAN and LAN interfaces, which connect two IPv6 networks. USG Z periodically advertises a network prefix of 2006:1111:1111:1111::/64 to the LAN through router advertisements. ZyWALL/USG accesses the internet via IPv6 Note: Instead of using router advertisement, you can use DHCPv6 to pass the...
  • Page 455: Setting Up The Ipv6 Interface

    Setting Up the IPv6 Interface 1. In the CONFIGURATION > Network > Interface > Ethernet screen's IPv6 Configuration section, double-click the wan1. 2. The Edit Ethernet screen appears. Select Enable Interface and Enable IPv6. Select Enable Auto-Configuration. Click OK. Note: Your ISP or uplink router should enable router advertisement.
  • Page 456 3. Use the ipconfig command to check.
  • Page 457: Set Up The Prefix Delegation And Router Advertisement

    Set up the Prefix Delegation and Router Advertisement This example shows how to configure prefix delegation on the ZyWALL's WAN and router advertisement on the LAN. Apply for a network Prefix From Your ISP First of all, you have to apply for a network prefix from your ISP or the uplink router's administrator.
  • Page 458 Click Add in the DHCPv6 Request Options table and select the DHCPv6 request object you just created. You cannot see the prefix your ISP gave you in the Value field until you click OK and then come back to this screen again. It is 2001:b050:2d::/48 in this example. Note: Your ISP or a DHCPv6 server in the same network as the WAN should assign an IPv6 IP address for the WAN interface.
  • Page 459 Setting Up the WAN IPv6 Interface 1. In the Configuration > Network > Interface > Ethernet screen, double-click the lan interface in the IPv6 Configuration section. 2. The Edit Ethernet screen appears. Click Show Advanced Settings to display more settings on this screen.
  • Page 461: Test

    1. Navigate to IPv6 Router Advertisement Setting and enable Router Advertisement; it advertises the prefix to the LAN hosts. Also enable Advertised Hosts Get Other Configuration From DHCPv6 so that LAN hosts get the DNS address from the USG. 2. Configure Advertised Prefix from DHCPv6 Prefix Delegation; the LAN hosts will get the Prefix from the USG, and the suffix address can be set from 0 to F. Test 1.
  • Page 462: What Can Go Wrong

    4. Open a web browser and type http://www.kame.net. If your IPv6 settings are correct, you can see a dancing turtle on the website. What Can Go Wrong? 1. If you forgot to enable Auto-Configuration on the WAN1 IPv6 interface, you will not have any default route to forward the LAN's IPv6 packets.
  • Page 463 Select DHCPv6 Lease and DNS server as the lease type. For example, set the Google DNS IPv6 address 2001:4860:4860::8888. 2. Select DHCPv6 from the drop-down list as the server type, add the DNS server object in DHCPv6 lease options and enable Router Advertisement.
  • Page 464: Test

    Test You can use the command "netsh interface ipv6 show dnsservers" to check the DNS server IP. How to Perform and Use the Packet Capture Feature on the ZyWALL/USG This example shows how to use the Packet Capture feature to capture network traffic going through the ZyWALL/USG's interfaces.
  • Page 465: Set Up The Packet Capture Feature

    ZyWALL/USG Packet Capture Feature Settings Note: New capture files overwrite existing files of the same name. Change the File Suffix field's setting to avoid this. This example was tested using USG110 (Firmware Version: ZLD 4.25). Set Up the Packet Capture Feature Go to MAINTENANCE >...
  • Page 466 Go to MAINTENANCE > Diagnostics > Packet Capture > Capture > Filter. Select the IP Version (IPv4 or IPv6) for which to capture packets, or select any to capture packets for all IP versions. Select the Protocol Type of traffic for which to capture packets. Select any to capture packets for all types of traffic.
  • Page 467 11. Click Capture. 12. Click Stop when collection is done.
  • Page 468: Check The Capture Files

    Check the Capture Files Go to MAINTENANCE > Diagnostics > Packet Capture > Files, select the .cap file and click Download. Open .cap files with Wireshark
  • Page 469: How To Automatically Reboot The Zywall/Usg By Schedule

    How to Automatically Reboot the ZyWALL/USG by Schedule
  • Page 470: Set Up The Shell Script

    This example shows how to use a shell script and schedule-run to reboot the device automatically for maintenance purposes. ZyWALL/USG Auto Schedule Reboot Settings Note: This example was tested using USG110 (Firmware Version: ZLD 4.25). Set Up the Shell Script Run the Windows Notepad application and enter the command below:
  • Page 471: Set Up The Schedule Run

    Save this file as "reboot_device.zysh" In the ZyWALL/USG, go to MAINTENANCE > File Manager > Shell Script. Click Browse... to find the reboot_device.zysh file. Click Upload to begin the upload process. Set Up the Schedule Run Log in to the device via console/telnet/SSH (using PuTTY in this example)
  • Page 472 Issue the commands below for three different (daily, weekly and monthly) user scenarios: a. Router(config)# schedule-run 1 reboot_device.zysh daily 10:00 (The device will reboot at 10:00 every day) b. Router(config)# schedule-run 1 reboot_device.zysh weekly 10:00 sun (The device will reboot at 10:00 every Sunday)
  • Page 473: Check The Reboot Status

    c. Router(config)# schedule-run 1 reboot_device.zysh monthly 10:00 23 (The device will reboot at 10:00 on the 23rd of every month) Check the Reboot Status Log in to the device via console/telnet/SSH; the reboot runs as scheduled. Go to Configuration > System > Date/Time and check Current Date/Time. Figure Configuration >...
  • Page 475: How To Schedule Youtube Access

    How To Schedule YouTube Access This is an example of using the ZyWALL/USG UTM Profile and Security Policy to control access to the network. If an application should not have network access during certain hours, you can use Application Patrol, SSL Inspection and Schedule settings to make sure that these applications cannot access the Internet.
  • Page 476: Create The Application Objects On The Zywall/Usg

    Create the Application Objects on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Object > Application > Add Application Rule. Configure a Name for you to identify the Application Profile. Then, click Add to create an Application Object. CONFIGURATION >...
  • Page 477: Set Up The Security Policy On The Zywall/Usg

    Then, select the CA Certificate to be the certificate used in this profile. Select Block and set Log type to log alert. Leave Action for Connection with SSL v3 and the other actions at their default settings. CONFIGURATION > UTM Profile > SSL Inspection > Add rule Set Up the Security Policy on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION >...
  • Page 478: Export Certificate From Zywall/Usg And Import It To Windows 7

    Export Certificate from ZyWALL/USG and Import it to Windows 7 Operating System When SSL inspection is enabled and an accessed website does not trust the ZyWALL/USG certificate, the browser will display a warning page about security certificate problems. Go to ZyWALL/USG CONFIGURATION > Object > Certificate > default > Edit to export the default certificate from the ZyWALL/USG with Private Key (zyx123 in this example).
  • Page 479 CONFIGURATION > Object > Certificate > default CONFIGURATION > Object > Certificate > default > Edit > Export Certificate with Private Key Save the default certificate as a *.p12 file on the Windows 7 Operating System. default.p12 In the Windows 7 Operating System Start Menu > Search Box, type mmc and press Enter.
  • Page 480 In the mmc console window, click File > Add/Remove Snap-in... File > Add/Remove Snap-in... In the Available snap-ins, select Certificates and click the Add button. Select Computer account > Local Computer. Then, click Finished and OK to close the Snap-ins window.
  • Page 481 Available snap-ins > Certificates > Add In the mmc console window, open Certificates (Local Computer) > Trusted Root Certification Authorities, right-click Certificate > All Tasks > Import… Click Next, then Browse..., and locate the .p12 file you downloaded earlier. Then, click Next.
  • Page 482 Click Next, type zyx123 in the Password field and click Next again. Select Place all certificates in the following store, then click Browse and find Trusted Root Certification Authorities. Click Next, then click Finish.
  • Page 483 Note: Each ZyWALL/USG device has its own self-signed certificate by factory default. When you reset to the default configuration file, the original self-signed certificate is erased, and a new self-signed certificate will be created when the ZyWALL/USG boots the next time.
  • Page 484: Test The Result

    Test the Result Type http://www.youtube.com/ or https://www.youtube.com/ into the browser. An error message appears. Go to the ZyWALL/USG Monitor > Log; you will see an [alert] log message such as the one below. What Could Go Wrong? If you are not able to configure any Application Patrol policies or they are not working, there are two possible reasons: You have not subscribed to the Application Patrol service.
  • Page 485 the portal page (https://portal.myzyxel.com/) to register or extend your Application Patrol license. After you apply the Application Patrol service, the running session will continue until it is finished.
  • Page 486: How To Continuously Run A Zysh Script

    How to continuously run a ZySH script This example shows how to use a shell script and continuously run a ZySH script automatically for maintenance purposes. ZyWALL/USG continuously run a ZySH script Settings Note: This example was tested using USG110 (Firmware Version: ZLD 4.25). Set Up the Shell Script Run the Windows Notepad application and enter the command below:
  • Page 487 Save this file as "disable_firewall.zysh" Run the Windows Notepad application and enter the command below: Save this file as "enable_firewall.zysh" In the ZyWALL/USG, go to MAINTENANCE > File Manager > Shell Script. Click Browse... to find the disable_firewall.zysh and enable_firewall.zysh files. Click Upload to begin the upload process.
  • Page 488: Set Up The Schedule Run

    Set Up the Schedule Run Issue the commands below: Router> configure terminal Router(config)# schedule-run 1 disable_firewall.zysh daily 15:15 Check the Result In the ZyWALL/USG, go to DASHBOARD. DASHBOARD
  • Page 489: How To Register Your Device And Services At Myzyxel.com

    How To Register Your Device and Services at myZyXEL.com myZyXEL.com is ZyXEL's online services center where you can register your ZyXEL device and manage subscription services available for the device. To update signature files or use a subscription service, you have to register the device and activate the corresponding service at myZyXEL.com.
  • Page 490: Account Creation

    Account Creation After you click the link from the Registration screen of your ZyXEL device's Web Configurator or click the myZyXEL.com 2.0 icon from the portal page (https://portal.myzyxel.com/), the Sign In screen displays. CONFIGURATION > Licensing > Registration
  • Page 491 Click Not a Member Yet to open the Sign Up screen where you can create an account. myZyXEL.com > Not a Member Yet Select Registration Type to create an Individual account or a Business account. An Individual account is for non-commercial end users of ZyXEL products. A Business account is for commercial users;...
  • Page 492: Device Registration

    After you click Submit, myZyXEL.com 2.0 will send you an account activation notification e-mail. Click the URL link in the e-mail to activate your account and log into myZyXEL.com 2.0. After e-mail activation, sign in to myZyXEL.com 2.0 to register or manage your devices and services.
  • Page 493: Service Registration (In The Case Of Standard License)

    Service Registration (In the Case of Standard License) Click Service Registration in the navigation panel to open the screen. Fill in the License Key as shown on the E-iCard License. Go to the Service Management page and click the Link button. Select the device, then click the Activate button to initiate the services license.
  • Page 494: Device Management (In The Case Of Registering Bundled Licenses)

    Device Management (In the Case of Registering Bundled Licenses) Go to Device Management and click on the MAC Address hyperlink of your device. In the Linked Services page, click the Activate button to initiate the services license. You will get a Service Activation Notice e-mail when you activate a new service.
  • Page 495: Refresh Service

    Refresh Service After the service is activated, go to the ZyWALL/USG CONFIGURATION > Licensing > Registration > Service and click the Service License Refresh button to update the Status. What Could Go Wrong? If you can't activate your device's service license, please check whether you entered the correct license key.
  • Page 496 If you forget your registered e-mail address on myZyXEL.com, please go to the link below and submit a request to the ZyXEL support team for further support: http://www.zyxel.com/form/Support_Feedback.shtml
  • Page 497: How To Exempt Specific Users From Security Control

    How To Exempt Specific Users From Security Control This is an example of using a ZyWALL/USG Security Policy to exempt three corporate executives from security control, while controlling Internet access for other employees' accounts. Exempt Specific Users from Security Control Example Note: All network IP addresses and subnet masks are used as examples in this article.
  • Page 498: Set Up The Security Policy On The Zywall/Usg For Employees

    Set Up the Security Policy on the ZyWALL/USG for Employees In the ZyWALL/USG, go to CONFIGURATION > Object > Address > Add Address Rule to create an address range for employees. CONFIGURATION > Object > Address > Add Address Rule Set up the Security Policy for employees, go to CONFIGURATION >...
  • Page 499 Scroll down to UTM Profile, select the general policy that allows employees to access the Internet. (Using the built-in Office profile in this example blocks the non-productive services, such as Advertisement & Pop-Ups, Gambling and Peer to Peer services, etc.). CONFIGURATION >...
  • Page 500: Set Up The Security Policy On The Zywall/Usg For Executives

    Set Up the Security Policy on the ZyWALL/USG for Executives In the ZyWALL/USG, go to CONFIGURATION > Object > User/Group > Add A User to create a User Name/Password for each executive. CONFIGURATION > Object > User/Group > Add A User
  • Page 501 Then, go to CONFIGURATION > Object > User/Group > Group > Add Group to create a Group Members' Name and move the just-created executive user objects to Member. CONFIGURATION > Object > Address Group > Add Address Group Rule Set up the Security Policy for executives, go to CONFIGURATION >...
  • Page 502: Test The Result

    Leave all UTM Profiles disabled. CONFIGURATION > Security Policy > Policy Control > Add corresponding > Employees_Security Test the Result Connect to the Internet from two computers: one from executive_1 and one from an employee address (192.168.30.9). Go to the ZyWALL/USG Monitor > Log; you will see a [notice] log message such as the one below.
  • Page 503: What Could Go Wrong

    Monitor > Log What Could Go Wrong? If you are not able to configure any UTM policies or they are not working, there are two possible reasons: You have not subscribed to the UTM service. You have subscribed to the UTM service but the license has expired. You can click the link from the CONFIGURATION >...
  • Page 504: How To Detect And Prevent Tcp Port Scanning With Adp

    How To Detect and Prevent TCP Port Scanning with ADP This is an example of using a ZyWALL/USG ADP (Anomaly Detection and Prevention) Profile to protect against anomalies based on violations of protocol standards (RFCs – Requests for Comments) and abnormal traffic flows such as port scans.
  • Page 505: Set Up The Adp Profile On The Zywall/Usg

    Set Up the ADP Profile on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Security Policy > ADP > Profile, click the Add icon. A pop-up screen will appear allowing you to choose a base profile. Select a base profile to go to the profile details screen. CONFIGURATION >...
  • Page 506 In the Flood Detection section, set Block Period to the duration for which blocking applies to the destination IP address. Set a Threshold number (the number of packets per second that match the flood detection criteria) for your network. Click OK. CONFIGURATION >...
  • Page 507 Go to CONFIGURATION > Security Policy > ADP > General, select Enable Anomaly
  • Page 508: Test The Result

    Detection and Prevention. Then, select the just created Anomaly Profile and click Apply. CONFIGURATION > Security Policy > ADP > General Test the Result Download Nmap free security scanner for testing the result: https://nmap.org/download.html Open the Nmap GUI, set the Target to be the WAN IP of ZyWALL/USG (172.124.163.150 in this example) and set Profile to be Intense Scan.
  • Page 509: What Could Go Wrong

    Go to the ZyWALL/USG Monitor > Log; you will see a [warn] log message such as the one below. Monitor > Log What Could Go Wrong? You may find that certain rules are triggering too many false positives or false negatives. A false positive is when valid traffic is flagged as an attack. A false negative is when invalid traffic is wrongly allowed to pass through the ZyWALL/USG.
  • Page 510: How To Block Facebook

    How To Block Facebook This is an example of using a ZyWALL/USG UTM Profile in a Security Policy to block access to a specific social network service. You can use Content Filter, SSL Inspection and Policy Control to make sure that a certain web page cannot be accessed through either the HTTP or the HTTPS protocol.
  • Page 511: Set Up The Content Filter On The Zywall/Usg

    Set Up the Content Filter on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > Content Filter > Profile Management > Add Filter File > Custom Service. Configure a Name for you to identify the Content Filter Profile and select Enable Custom Service. CONFIGURATION >...
  • Page 512 Select Block as the Action for Connection with SSL v3 and set Log type to log alert. Leave the other actions at their default settings. CONFIGURATION > UTM Profile > SSL Inspection > Add rule
  • Page 513: Set Up The Security Policy On The Zywall/Usg

    Set Up the Security Policy on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Security Policy > Policy Control and configure a Name for you to identify the Security Policy profile. For From and To, select the direction of travel of packets to which the policy applies. Select the Schedule that defines when the policy applies (Facebook_Block in this example).
  • Page 514: Export Certificate From Zywall/Usg And Import It To Windows 7

    Export Certificate from ZyWALL/USG and Import it to Windows 7 Operating System When SSL inspection is enabled and a browser does not trust the ZyWALL/USG certificate, the browser will display a security certificate warning page. Go to ZyWALL/USG CONFIGURATION > Object > Certificate > default > Edit to export the default certificate from the ZyWALL/USG with its Private Key (zyx123 is the export password in this example).
  • Page 515 Save the default certificate as a *.p12 file on the Windows 7 Operating System. default.p12 In the Windows 7 Operating System Start Menu > Search Box, type mmc and press Enter. Start Menu > Search Box > mmc
  • Page 516 In the mmc console window, click File > Add/Remove Snap-in... File > Add/Remove Snap-in... In the Available snap-ins, select Certificates and click the Add button. Select Computer account > Local Computer. Then, click Finish and OK to close the Snap-ins window.
  • Page 517 In the mmc console window, open Certificates (Local Computer) > Trusted Root Certification Authorities, right click Certificates > All Tasks > Import… Click Next. Then, Browse..., and locate the .p12 file you downloaded earlier. Then, click Next.
  • Page 518 Click Next, type zyx123 in the Password field and click Next again. Select Place all certificates in the following store, then click Browse and find Trusted Root Certification Authorities. Click Next, then click Finish. Note: Each ZyWALL/USG device has its own self-signed certificate by factory default. When you reset to the default configuration file, the original self-signed certificate is erased, and a new self-signed certificate is created when the ZyWALL/USG boots the next time. Because the exported .p12 file contains the private key of a certificate your clients will trust as a root CA, keep the file and its password off shared locations and delete the file once it has been imported.
  • Page 519: Test The Result

    Test the Result Type http://www.facebook.com/ or https://www.facebook.com/ into the browser; the error message appears. Go to the ZyWALL/USG Monitor > Log; you will see [alert] log messages such as below. Monitor > Log
  • Page 520: What Could Go Wrong

    What Could Go Wrong? If you are not able to configure any Content Filter policies, or they are not working, there are two possible reasons: you have not subscribed to the Content Filter service, or you have subscribed to the Content Filter service but the license has expired.
  • Page 521: How To Exempt Specific Users From A Blocked Website

    How To Exempt Specific Users From a Blocked Website This is an example of using a ZyWALL/USG Security Policy to exempt three corporate executives from a blocked website while still controlling Internet access for other employees' accounts. Because the executives connect to the blocked website from PCs with static IP addresses, you can set up an address group that allows their traffic.
  • Page 522: Set Up The Security Policy On The Zywall/Usg For Employees

    Set Up the Security Policy on the ZyWALL/USG for Employees In the ZyWALL/USG, go to CONFIGURATION > Object > Address > Add Address Rule to create an address range for employees. CONFIGURATION > Object > Address > Add Address Rule Set up the Security Policy for employees: go to CONFIGURATION >...
  • Page 523 Scroll down to UTM Profile and select the general policy that allows employees to access the Internet. (Using the built-in Office profile in this example blocks non-productive services such as Advertisement & Pop-Ups, Gambling and Peer to Peer services, etc.) CONFIGURATION >...
  • Page 524: Set Up The Security Policy On The Zywall/Usg For Executives

    Set Up the Security Policy on the ZyWALL/USG for Executives In the ZyWALL/USG, go to CONFIGURATION > Object > Address > Add Address Rule to create an address object for each executive. CONFIGURATION > Object > Address > Add Address Rule Then, go to CONFIGURATION >...
  • Page 525 ...address object to Member. CONFIGURATION > Object > Address Group > Add Address Group Rule Set up the Security Policy for executives: go to CONFIGURATION > Security Policy > Policy Control > Add corresponding and configure a Name for you to identify the executives'...
  • Page 526 Leave all UTM Profiles disabled. Because the ZyWALL/USG applies the first policy that matches, place the executives' policy above the general employee policy in the list; otherwise the executives' traffic is still handled by the employee policy and its UTM profile. CONFIGURATION > Security Policy > Policy Control > Add corresponding > Executives_Security
  • Page 527: Test The Result

    Test the Result Connect to the Internet from two computers, one from the executive_2 address (192.168.10.2) and one from an employee address (192.168.20.1), and access https://hangouts.google.com/ from both. Go to the ZyWALL/USG Monitor > Log; you will see [notice] and [info] log messages such as below.
  • Page 528: What Could Go Wrong

    What Could Go Wrong? If you are not able to configure any UTM policies, or they are not working, there are two possible reasons: you have not subscribed to the UTM service, or you have subscribed to the UTM service but the license has expired. You can click the link from the CONFIGURATION >...
  • Page 529: How To Control Access To Google Drive

    How To Control Access To Google Drive This is an example of using a ZyWALL/USG UTM Profile in a Security Policy to block access to a specific file transfer service. You can use Application Patrol and Policy Control to make sure that a certain file transfer service cannot be accessed through either the HTTP or the HTTPS protocol.
  • Page 530: Set Up The Ssl Inspection On The Zywall/Usg

    Set Up the SSL Inspection on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > SSL Inspection > Add rule and configure a Name for you to identify the SSL Inspection profile. Then, select the CA Certificate to be the certificate used in this profile. Select Block as the action and set Log type to log alert.
  • Page 531: Set Up The Security Policy On The Zywall/Usg

    Set Up the Security Policy on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Security Policy > Policy Control and configure a Name for you to identify the Security Policy profile. For From and To, select the direction of travel of packets to which the policy applies. Scroll down to UTM Profile, select Content Filter and select a profile from the list box (Facebook_Block in this example).
  • Page 532: Operating System

    Operating System When SSL inspection is enabled and a browser does not trust the ZyWALL/USG certificate, the browser will display a security certificate warning page. Go to ZyWALL/USG CONFIGURATION > Object > Certificate > default > Edit to export the default certificate from the ZyWALL/USG with its Private Key (zyx123 is the export password in this example).
  • Page 533 default.p12 In the Windows 7 Operating System Start Menu > Search Box, type mmc and press Enter. Start Menu > Search Box > mmc In the mmc console window, click File > Add/Remove Snap-in... File > Add/Remove Snap-in...
  • Page 534 In the Available snap-ins, select Certificates and click the Add button. Select Computer account > Local Computer. Then, click Finish and OK to close the Snap-ins window. Available snap-ins > Certificates > Add In the mmc console window, open Certificates (Local Computer) > Trusted Root Certification Authorities, right click Certificates >...
  • Page 535 Click Next. Then, Browse..., and locate the .p12 file you downloaded earlier. Then, click Next. Click Next, type zyx123 in the Password field and click Next again.
  • Page 536 Select Place all certificates in the following store, then click Browse and find Trusted Root Certification Authorities. Click Next, then click Finish. Note: Each ZyWALL/USG device has its own self-signed certificate by factory default. When you reset to the default configuration file, the original self-signed certificate is erased, and a new self-signed certificate is created when the ZyWALL/USG boots the next time.
  • Page 537: Test The Result

    Test the Result Type http://drive.google.com/ or https://drive.google.com/ into the browser; the error message appears. Go to the ZyWALL/USG Monitor > Log; you will see [alert] log messages such as below. Monitor > Log
  • Page 538: What Could Go Wrong

    What Could Go Wrong? If you are not able to configure any Application Patrol policies, or they are not working, there are two possible reasons: you have not subscribed to the Application Patrol service, or you have subscribed to the Application Patrol service but the license has expired.
  • Page 539: How To Block Https Websites Using Content Filtering And Ssl Inspection

    How To Block HTTPS Websites Using Content Filtering and SSL Inspection This is an example of using ZyWALL/USG Content Filtering, SSL Inspection and a Security Policy to block access to malicious or non-business-related websites. ZyWALL/USG with Block HTTPS Websites Using Content Filtering and SSL Inspection Settings Example Note: All network IP addresses and subnet masks are used as examples in this article.
  • Page 540: Set Up The Content Filter On The Zywall/Usg

    Set Up the Content Filter on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > Content Filter > Profile Management > Add Filter File > Category Service. Configure a Name for you to identify the Content Filter Profile and select Enable Custom Service. CONFIGURATION >...
  • Page 541: Set Up Ssl Inspection On The Zywall/Usg

    CONFIGURATION > UTM Profile > Content Filter > Profile > Profile Management > Add Filter File > Category Service > Managed Categories If you are not sure which category a web page belongs to, you can enter the web site URL in the Test Web Site Category text box. CONFIGURATION >...
  • Page 542 ...traffic bound to this policy here. Select the desired Log type: whether to have the ZyWALL/USG generate a log (log), a log and an alert (log alert) or neither (no) when traffic matches this policy. CONFIGURATION > UTM Profile > SSL Inspection > Add rule
  • Page 543: Set Up The Security Policy On The Zywall/Usg

    Set Up the Security Policy on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Security Policy > Policy Control and configure a Name for you to identify the Security Policy profile. For From and To, select the direction of travel of packets to which the policy applies. Scroll down to UTM Profile, select Content Filter and select a profile from the list box (Office_profile in this example).
  • Page 544: Export Certificate From Zywall/Usg And Import It To Windows 7

    Export Certificate from ZyWALL/USG and Import it to Windows 7 Operating System When SSL inspection is enabled and a browser does not trust the ZyWALL/USG certificate, the browser will display a security certificate warning page. Go to ZyWALL/USG CONFIGURATION > Object > Certificate > default > Edit to export the default certificate from the ZyWALL/USG with its Private Key (zyx123 is the export password in this example).
  • Page 545 Save the default certificate as a *.p12 file on the Windows 7 Operating System. default.p12 In the Windows 7 Operating System Start Menu > Search Box, type mmc and press Enter. Start Menu > Search Box > mmc In the mmc console window, click File > Add/Remove Snap-in... File >...
  • Page 546 In the Available snap-ins, select Certificates and click the Add button. Select Computer account > Local Computer. Then, click Finish and OK to close the Snap-ins window. Available snap-ins > Certificates > Add In the mmc console window, open Certificates (Local Computer) > Trusted Root Certification Authorities, right click Certificates >...
  • Page 547 Click Next. Then, Browse..., and locate the .p12 file you downloaded earlier. Then, click Next. Click Next, type zyx123 in the Password field and click Next again.
  • Page 548 Select Place all certificates in the following store, then click Browse and find Trusted Root Certification Authorities. Click Next, then click Finish. Note: Each ZyWALL/USG device has its own self-signed certificate by factory default. When you reset to the default configuration file, the original self-signed certificate is erased, and a new self-signed certificate is created when the ZyWALL/USG boots the next time.
  • Page 549: Test The Result

    Test the Result Type http://www.bittorrent.com/ or http://us.battle.net/d3/en/ into the browser. The error message appears. Go to the ZyWALL/USG Monitor > Log to see [alert] log messages such as below. Monitor > Log
  • Page 550: What Could Go Wrong

    What Could Go Wrong? If you are not able to configure any Content Filter policies, or they are not working, there are two possible reasons: you have not subscribed to the Content Filter service, or you have subscribed to the Content Filter service but the license has expired.
  • Page 551: How To Block The Spotify Music Streaming Service

    How To Block the Spotify Music Streaming Service This is an example of using a ZyWALL/USG IDP profile to block DNS query packets. When the Spotify software launches, it sends a DNS query for Spotify's public server. In this example, you create a custom IDP signature that drops a DNS query packet if the packet contains the Spotify signature.
  • Page 552: Set Up Idp Profile On The Zywall/Usg

    Set Up IDP Profile on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > IDP > Custom Signatures > Add Custom Signatures and configure a Name for you to identify the signature. Select medium as the Severity level. Select all Platforms. Select Access-Control as the Policy Type here, since the signature limits access to network resources such as servers.
  • Page 553: Test The Result

    CONFIGURATION > UTM Profile > IDP > Profile > Base Profile Configure a Name for you to identify the IDP Profile. Activate the newly created custom signature and set Action to drop. Set Log type to log alert in order to view the result later.
  • Page 554: What Could Go Wrong

    Go to the ZyWALL/USG Monitor > Log; you will see [crit] log messages such as below. Monitor > Log What Could Go Wrong? If you are not able to configure any IDP policies, or they are not working, there are two possible reasons: you have not subscribed to the IDP service.
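
The Spotify pages say the custom signature matches a DNS query packet, but not what matching a name inside a DNS packet involves. The following is an added example, not ZyXEL code and not the ZyWALL/USG IDP engine: it decodes the question section of a DNS query (length-prefixed labels, terminating zero byte), lower-cases the name and compares it against a suffix list, dropping the query on a hit. The blocked suffixes, the query builder and the sample names are assumptions constructed for this example.

```python
"""Match the QNAME of a DNS query against custom blocking signatures.

Added example, not the ZyWALL/USG IDP engine. BLOCKED_SUFFIXES and the
sample queries are constructed for illustration.
"""
import struct

BLOCKED_SUFFIXES = ("spotify.com", "scdn.co")   # assumed signature content


def build_query(qname, txid=0x1234, qtype=1):
    """Encode a minimal standard query (RD set, one question, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_qname(pkt):
    """Return the lower-cased QNAME of the first question, or None if the
    packet is a response or not well formed."""
    if len(pkt) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if flags & 0x8000 or qdcount < 1:        # QR=1 means this is a response
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(pkt):
            return None                      # ran off the end: malformed
        length = pkt[pos]
        if length == 0:
            break
        if length & 0xC0:                    # compression pointer: not valid in a query name
            return None
        if length > 63 or pos + 1 + length > len(pkt):
            return None
        labels.append(pkt[pos + 1:pos + 1 + length].decode("ascii", "replace").lower())
        pos += 1 + length
    return ".".join(labels)


def verdict(pkt):
    """'drop' when the query name is a blocked domain or a subdomain of one."""
    name = parse_qname(pkt)
    if name is None:
        return "forward"
    if any(name == s or name.endswith("." + s) for s in BLOCKED_SUFFIXES):
        return "drop"
    return "forward"


if __name__ == "__main__":
    for q in ("apresolve.spotify.com", "www.zyxel.com", "notspotify.com"):
        print(f"{q:24s} -> {verdict(build_query(q))}")
```

Matching on a label boundary (the leading dot in `"." + s`) is what keeps `notspotify.com` from being caught; a plain substring signature would also block it, which is one source of the false positives the ADP page warns about.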
  • Page 555: How Does Anti-Malware Work

    How does Anti-Malware work There are many viruses on the Internet, and one may be downloaded automatically in unexpected situations while you browse between websites. Anti-Malware is a good choice for protecting your computer against downloading unsafe applications or files. After you enable the Anti-Malware function, it enables the “Cloud Threat Database”...
  • Page 556: Enable Anti-Malware Function To Protecting Your Traffic

    Enable the Anti-Malware function to protect your traffic Go to CONFIGURATION > Security Service > Anti-Malware and tick the Enable checkbox to enable the Anti-Malware function. Configuration > Security Service > Anti-Malware > Tick the Enable checkbox Note: An Anti-Malware license is required, so you must activate the Anti-Malware service on your myzyxel.com account.
  • Page 557: Test The Result

    Test the result After you have enabled the Anti-Malware function and your PC downloads a virus file from the Internet, the device detects it and drops the file directly. The file then either cannot be opened or its content is replaced with zeros. Additional configuration White List: You can use wildcards to allow specific file types.
  • Page 558: What Can Go Wrong

    What can go wrong The Anti-Malware service license is required. Anti-Malware is able to decompress files, but it does not support multi-layer zip files. In the default setting, the cloud threat database is enabled. You can use the CLI command to activate/deactivate the cloud-based service; doing so changes the scanning priority.
  • Page 559: Set Up The Email Security On Atp Series

    How to Configure an Email Security Policy with Mail Scan and DNSBL This is an example of using the ATP Series' UTM Profile to mark or discard spam (unsolicited commercial or junk e-mail). Use the Email Security white list to identify legitimate e-mail. Use the Email Security black list to identify spam e-mail.
  • Page 560 CONFIGURATION > Security Service > Email Security 1. Register the device to myZyxel.com. 2. Activate Application Security.
  • Page 561 3. Go to CONFIGURATION > Security Service > Email Security > Enable Check Black List to have the ATP Series treat e-mail that matches an active black list entry as spam. 4. Continue to Rule Summary under Black/White List and click the Add icon. A pop-up screen will appear allowing you to configure the Content (Subject, IP/IPv6 Address, E-Mail Address and Mail Header). Use wildcards (*) to configure a Mail Subject Keyword.
  • Page 562: Test The Result

    Test the result 1. Send a mail whose subject contains “sell”. 2. You will receive the mail with a [Spam] tag in the subject.
  • Page 563: What Can Go Wrong

    What can go wrong 1. If Email Security is not working, there are two possible reasons: you have not subscribed to the Email Security service, or you have subscribed to the Email Security service but the license (Application Security) has expired. 2.
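
The Email Security pages describe black and white list entries (content type plus a wildcard pattern) and the [Spam] tag, but not how the two lists combine. The following is an added example, not ZyXEL code and not the ATP's Email Security engine: it applies an ordered rule set of that shape to a parsed message, lets a white list hit win over any black list hit (so legitimate mail from a known partner is never tagged even if its subject contains "sell"), and tags the subject on a black list hit. The rules and the sample messages are constructed for the example.

```python
"""Black/white-list mail classification with wildcard keywords.

Added example, not the ATP Email Security implementation. RULES and
SAMPLES are constructed for illustration.
"""
import fnmatch
from email import message_from_string

# (list, content type, pattern): assumed rule set in the order it is evaluated
RULES = [
    ("white", "E-Mail Address", "*@partner.example"),
    ("black", "Subject", "*sell*"),
    ("black", "Subject", "*lottery*"),
    ("black", "Mail Header", "X-Mailer: BulkBlaster*"),
]

SPAM_TAG = "[Spam] "


def _fields(msg, content):
    """The header values a rule of the given content type is matched against."""
    if content == "Subject":
        return [msg.get("Subject", "")]
    if content == "E-Mail Address":
        return [msg.get("From", "")]
    if content == "Mail Header":
        return [f"{name}: {value}" for name, value in msg.items()]
    return []


def classify(raw):
    """Return (verdict, subject): verdict is 'white', 'spam' or 'clean'; on
    'spam' the subject carries the tag the receiving client will see."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    black_hit = False
    for lst, content, pattern in RULES:
        if any(fnmatch.fnmatchcase(f.lower(), pattern.lower()) for f in _fields(msg, content)):
            if lst == "white":
                return "white", subject          # white list wins over any black list match
            black_hit = True
    if black_hit:
        return "spam", SPAM_TAG + subject
    return "clean", subject


SAMPLES = {  # constructed messages
    "offer": "From: shop@example.net\nSubject: We SELL cheap watches\n\nhi\n",
    "partner": "From: ann@partner.example\nSubject: Sell-side report\n\nhi\n",
    "bulk": "From: x@example.org\nX-Mailer: BulkBlaster 2.0\nSubject: Hello\n\nhi\n",
    "normal": "From: bob@example.org\nSubject: Lunch?\n\nhi\n",
}


def classify_all():
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, subject) in classify_all().items():
        print(f"{name:8s} {verdict:6s} {subject}")
```

Matching is case-insensitive on both sides, which is what makes a keyword of `*sell*` catch "We SELL cheap watches"; the "Mail Header" content type is matched against every `Name: value` line so a single pattern can target any header.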
  • Page 564: How To Configure Botnet Filter On Atp Series

    How to Configure Botnet Filter on ATP series? Botnets are organized groups of infected computers. The infected PCs try to connect to a command-and-control server and ask for commands. When the attacker sends a command to the command-and-control server, it relays the command to the clients (infected computers), which then perform attacks on particular targets.
  • Page 565: Prerequisites Before Setting Up Botnet Filter Function

    Prerequisites before setting up the Botnet Filter function 1. License status check 2. Update the Botnet Filter signature License activation Before setting up the Botnet Filter function, make sure the licenses are purchased and activated. To check the license activation status: Go to Configuration >...
  • Page 566 The device then redirects you to the “Service Status” page. Click on the cloud icon and the device starts the signature download process. Once the signature update has completed, the GUI pops up the following message to notify you. The Botnet Filter function is now ready to go.
  • Page 567: Set Up The Ip Blocking On The Atp Series

    Set Up the IP Blocking on the ATP series Go to Configuration > Security Service > Botnet Filter. Select the Enable IP Blocking check box. Several actions can be selected; besides “reject-both”, you can decide whether to “forward”, “reject-sender” or “reject-receiver”...
  • Page 568: Set Up The Url Blocking On The Atp Series

    Set up the URL Blocking on the ATP series Go to Configuration > Security Service > Botnet Filter. Select the Enable URL Blocking check box and check the categories that need to be blocked; you can check only the categories you require. Choose the Action the device will take (in this example we select “block”...
  • Page 570: How To Use Sandboxing To Detect Unknown Malware

    How to Use Sandboxing to Detect Unknown Malware Traditional security services such as Anti-Virus and IDP are signature-based solutions, so they have no chance of detecting unknown threats. ZyWALL ATP enhances the UTM service and integrates a Sandbox solution as a second layer of defense to detect and mitigate advanced threats.
  • Page 571: Set Up Sandboxing On Atp

    Set Up Sandboxing on ATP 1. Register the device to myZyxel.com. 2. Activate the Sandboxing license. 3. In the ATP, go to CONFIGURATION > Security Service > Sandboxing > File Submission Options; the default supported file types are listed. Use the command to check the status of each file type. If the status is “no”, the file type is not scanned by Sandboxing.
  • Page 572 Use the following commands to make Sandboxing accept and check a certain file type. Router> configure terminal Router(config)# sandbox file-type eicar Router(config)# write 4. Go to CONFIGURATION > Security Service > Sandboxing > General, enable Sandboxing and select the action and log for malicious and suspicious files to monitor the result.
  • Page 573: Test The Result

    5. Enable Collect Statistics to monitor the scan results and statistics. MONITOR > Security Statistics > Sandboxing Test the Result Go to http://www.eicar.org/85-0-Download.html to download the eicar_com.zip file.
  • Page 574 When you download eicar_com.zip for the first time, it is considered to be unknown malware. The file is allowed to pass and a copy of eicar_com.zip is sent to the Sandbox for further scanning. MONITOR > Log > View Log > Sandboxing The eicar_com.zip file is detected by the Sandbox as a malicious file.
  • Page 575 Note: Disable the anti-virus software on your laptop in order to test the Sandbox. Download the eicar_com.zip file again. The ZyWALL ATP destroys the eicar_com.zip file the second time you download it and generates a log. MONITOR > Log > View Log > Sandboxing MONITOR >...
  • Page 576: What Can Go Wrong

    What Can Go Wrong? SSL inspection needs to be enabled and applied to the corresponding security policy rule for HTTPS traffic; otherwise files fetched over HTTPS never reach the Sandbox. Only Windows (Win XP, Win 7, Win 10) and Mac OS X operating systems are supported. The local cache of the analysis result is deleted when the device reboots, so the first download of a known-bad file after a reboot is allowed through again until the verdict is re-learned.
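
The Anti-Malware pages (one archive layer only) and the Sandboxing pages (first download forwarded, second destroyed, cache lost on reboot) describe two behaviours that are easiest to understand side by side. The following is an added example, not ZyXEL's Anti-Malware or Sandboxing code: a signature scanner that opens exactly one zip layer, a stand-in sandbox whose verdicts arrive asynchronously, and a gateway that combines the two with a verdict cache. It uses the public EICAR test string as its only signature; the submission file-type list, the in-memory sandbox, the file names and the gateway's decision flow are assumptions constructed for the example.

```python
"""Signature scan with one archive layer, plus a sandbox verdict cache.

Added example, not ZyXEL code. EICAR is the public test string; the rest
(SUBMIT_TYPES, Sandbox, Gateway, file names) is constructed here.
"""
import hashlib
import io
import zipfile

# Public EICAR test string, built from two parts so this source file is not
# itself quarantined by a desktop scanner.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!" + "$H+H*").encode()
SIGNATURES = {"EICAR-Test-File": EICAR}
SUBMIT_TYPES = {"zip", "exe", "doc", "pdf"}   # assumed sandbox file-type list


def scan_bytes(data, depth=0, max_depth=1):
    """Return a signature name, 'unknown', or 'not-scanned' when an archive is
    nested deeper than max_depth (the signature engine stops at one layer)."""
    for name, sig in SIGNATURES.items():
        if sig in data:
            return name
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= max_depth:
            return "not-scanned"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                inner = scan_bytes(zf.read(member), depth + 1, max_depth)
                if inner != "unknown":
                    return inner
    return "unknown"


class Sandbox:
    """Stand-in for the cloud sandbox; results only become visible after sync()."""
    def __init__(self):
        self.pending = {}

    def submit(self, digest, data):
        # A real sandbox detonates the file; here 'malicious' means a signature
        # turns up at any archive depth.
        verdict = scan_bytes(data, max_depth=8)
        self.pending[digest] = "malicious" if verdict not in ("unknown", "not-scanned") else "clean"


class Gateway:
    def __init__(self, sandbox, antimalware=True):
        self.sandbox, self.antimalware = sandbox, antimalware
        self.cache = {}   # sha256 -> verdict; local cache, emptied by reboot()
        self.log = []

    def download(self, filename, data):
        """Decide 'forward' or 'destroy' for one download of `data`."""
        digest = hashlib.sha256(data).hexdigest()
        if self.antimalware:
            sig = scan_bytes(data)
            if sig not in ("unknown", "not-scanned"):
                self.log.append(f"[alert] {filename}: Anti-Malware matched {sig}, file dropped")
                return "destroy"
        if self.cache.get(digest) == "malicious":
            self.log.append(f"[alert] {filename}: Sandbox verdict malicious, file destroyed")
            return "destroy"
        ext = filename.rsplit(".", 1)[-1].lower()
        if digest not in self.cache and ext in SUBMIT_TYPES:
            self.sandbox.submit(digest, data)
            self.log.append(f"[info] {filename}: unknown file forwarded, copy sent to Sandbox")
        return "forward"

    def sync(self):
        """Pull finished analyses into the local verdict cache."""
        self.cache.update(self.sandbox.pending)
        self.sandbox.pending.clear()

    def reboot(self):
        self.cache.clear()


def make_zip(name, content):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def demo():
    eicar_zip = make_zip("eicar.com", EICAR)              # like eicar_com.zip
    double_zip = make_zip("eicar_com.zip", eicar_zip)     # zip inside a zip
    av = Gateway(Sandbox(), antimalware=True)
    sb = Gateway(Sandbox(), antimalware=False)            # sandbox only, as in the page's test
    out = {
        "av_single_layer": av.download("eicar_com.zip", eicar_zip),
        "av_double_layer": av.download("eicar_com.zip.zip", double_zip),
        "sandbox_first": sb.download("eicar_com.zip", eicar_zip),
    }
    sb.sync()
    out["sandbox_second"] = sb.download("eicar_com.zip", eicar_zip)
    sb.reboot()
    out["sandbox_after_reboot"] = sb.download("eicar_com.zip", eicar_zip)
    return out
```

The double-zip case is the gap the Anti-Malware page warns about: the signature engine reports `not-scanned` and the file is forwarded, and only the deeper sandbox analysis (here, `max_depth=8`) would catch it. The reboot case shows why the first download after a restart is allowed even for a file the device had already condemned.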
  • Page 577: How To Configure Bandwidth Management For Ftp And Http Traffic

    How to Configure Bandwidth Management for FTP and HTTP Traffic This is an example of using ZyWALL/USG Bandwidth Management (BWM) to control the bandwidth allocation for FTP and HTTP traffic. You can use source interface, destination interface, destination port, schedule, user, source, destination information, DSCP code and service type as criteria to create a sequence of specific conditions that allocate bandwidth to the matching packets.
  • Page 578: Set Up The Bandwidth Management For Ftp On The Zywall/Usg

    Set Up the Bandwidth Management for FTP on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > BWM > Configuration > Add Policy, select Enable and type FTP Any-to-WAN as the policy's Description. Leave the Incoming Interface as any and set the Outgoing Interface to wan1.
  • Page 579: Set Up The Bandwidth Management For Http On The Zywall/Usg

    CONFIGURATION > BWM > Configuration > Add Policy Note: In Bandwidth Management, the highest priority is 1 and the lowest priority is 7. Set Up the Bandwidth Management for HTTP on the
  • Page 580 ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > BWM > Configuration > Add Policy, select Enable and type HTTP Any-to-WAN as the policy's Description (optional). Leave the Incoming Interface as any and set the Outgoing Interface to wan1. Set Service Type to Service Object and select HTTP from the list box.
  • Page 581: Set Up The Bandwidth Management Global Setting On The

    Note: In Bandwidth Management, the highest priority is 1 and the lowest priority is 7. Set Up the Bandwidth Management Global Setting on the
  • Page 582: Zywall/Usg

    ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > BWM > BWM Global Setting and select Enable. CONFIGURATION > BWM > BWM Global Setting Test the Result Access the Internet to generate FTP and HTTP traffic. In this example, a 123 MB file is being downloaded from an FTP server.
  • Page 583: What Could Go Wrong

    Go to the ZyWALL/USG Monitor > Log; you will see [alert] log messages such as below. Monitor > Log What Could Go Wrong? “Outbound” in the guaranteed bandwidth settings applies to traffic going from the connection initiator to the outgoing interface; “Inbound” refers to the reverse direction. For a download, the bulk of the data is therefore inbound even though the client initiated the connection, so a limit set only on outbound will not slow it.
  • Page 584: How To Limit Bittorrent Or Other Peer-To-Peer Traffic

    How to Limit BitTorrent or Other Peer-to-Peer Traffic This is an example of using ZyWALL/USG Bandwidth Management (BWM) to control the bandwidth allocation for peer-to-peer traffic. You can use source interface, destination interface, destination port, schedule, user, source, destination information, DSCP code and service type as criteria to create a sequence of specific conditions that allocate bandwidth to the matching packets.
  • Page 585: Set Up The Application Patrol Profile On The Zywall/Usg

    Set Up the Application Patrol Profile on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Object > Application > Add Application Rule. Configure a Name for you to identify the Application Profile. Then, click Add to create an Application Object. CONFIGURATION >...
  • Page 586: Set Up The Bandwidth Management For Bittorrent On The

    Set Up the Bandwidth Management for BitTorrent on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > BWM > Configuration > Add Policy, select Enable and type BitTorrent Any-to-Any as the policy's Description. Leave the Incoming Interface as any and set the Outgoing Interface to wan1.
  • Page 587 CONFIGURATION > BWM > Configuration > Add Policy Note: In Bandwidth Management, the highest priority is 1 and the lowest priority is 7.
  • Page 588: Set Up The Bandwidth Management Global Setting On The

    Set Up the Bandwidth Management Global Setting on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > BWM > BWM Global Setting and select Enable. CONFIGURATION > BWM > BWM Global Setting Test the Result Download the BitTorrent application for testing the result: http://www.bittorrent.com/downloads In this example, an 826 MB file is being downloaded, and the Down Speed is limited to a maximum of 65 kB/s.
  • Page 589: What Could Go Wrong

    What Could Go Wrong? “Outbound” in the guaranteed bandwidth settings applies to traffic going from the connection initiator to the outgoing interface; “Inbound” refers to the reverse direction. Make sure you have registered the Application Patrol service on the ZyWALL/USG in order to use an Application Object as the Service Type in bandwidth management rules.
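
The FTP/HTTP and BitTorrent bandwidth management pages set guaranteed, maximum and priority values without showing how the three interact on a congested link. The following is an added example, not ZyXEL code and not the ZyWALL/USG scheduler: it applies the allocation rules as the pages state them for one direction of one outgoing interface (guarantees are served first, the leftover link capacity goes to the highest priority first, and no policy exceeds its maximum or its actual demand). The FTP figures match the handbook's FTP policy; the other policy figures, the link capacity and the per-policy demands are assumptions.

```python
"""Guaranteed/maximum/priority bandwidth allocation for one link direction.

Added example, not ZyXEL's BWM implementation. POLICIES, LINK_KBPS and
the demand figures are constructed for illustration (FTP values follow
the handbook example, the rest are assumed).
"""


def allocate(policies, capacity_kbps, demand_kbps):
    """Return {policy name: kbps} for flows competing on one link.

    policies: list of dicts with name, guaranteed, maximum (None = no cap)
              and priority (1 = highest, 7 = lowest).
    demand_kbps: how much each policy's flows currently try to send.
    """
    def cap(p):
        limit = p["maximum"] if p["maximum"] is not None else float("inf")
        return min(limit, demand_kbps.get(p["name"], 0))

    total_guaranteed = sum(min(p["guaranteed"], cap(p)) for p in policies)
    if total_guaranteed > capacity_kbps:
        raise ValueError("guaranteed bandwidth exceeds link capacity; lower the guarantees")

    alloc, remaining = {}, capacity_kbps
    # Pass 1: every policy gets its guarantee, or less if it does not need it.
    for p in policies:
        alloc[p["name"]] = min(p["guaranteed"], cap(p))
        remaining -= alloc[p["name"]]
    # Pass 2: leftover goes to the highest priority first, up to maximum/demand.
    for p in sorted(policies, key=lambda p: p["priority"]):
        extra = min(cap(p) - alloc[p["name"]], remaining)
        alloc[p["name"]] += extra
        remaining -= extra
    return alloc


POLICIES = [
    {"name": "FTP", "guaranteed": 150, "maximum": 200, "priority": 5},       # from the handbook
    {"name": "HTTP", "guaranteed": 300, "maximum": None, "priority": 3},     # assumed
    {"name": "BitTorrent", "guaranteed": 0, "maximum": 520, "priority": 7},  # assumed, ~65 kB/s
]
LINK_KBPS = 1000   # assumed link capacity


def busy_link():
    """Everyone wants the whole link: HTTP (priority 3) takes all the leftover."""
    return allocate(POLICIES, LINK_KBPS, {"FTP": 1000, "HTTP": 1000, "BitTorrent": 1000})


def quiet_http():
    """HTTP only needs 100 kbps: FTP fills up to its maximum, BitTorrent gets the rest."""
    return allocate(POLICIES, LINK_KBPS, {"FTP": 1000, "HTTP": 100, "BitTorrent": 1000})


if __name__ == "__main__":
    print("busy link :", busy_link())
    print("quiet HTTP:", quiet_http())
```

Two things worth noticing: a priority-7 policy with no guarantee (BitTorrent) only ever sees bandwidth nobody with a higher priority wants, and a maximum (FTP's 200 kbps) caps a policy even when the link is otherwise idle, which is the behaviour the 65 kB/s BitTorrent limit on page 588 relies on.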
  • Page 590: How To Configure A Trunk For Wan Load Balancing With A Static Or Dynamic Ip Address

    How to Configure a Trunk for WAN Load Balancing with a Static or Dynamic IP Address This is an example of using a ZyWALL/USG Trunk for two WAN connections to the Internet. The available bandwidth for the connections is 1000 kbps (wan1, static IP address) and 512 kbps (wan2, dynamic IP address) respectively.
  • Page 591: Set Up The Available Bandwidth On Wan1 Interfaces On The

    Set Up the Available Bandwidth on the WAN1 Interface on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Interface > Ethernet > WAN1 > Egress Bandwidth and enter the available bandwidth (1000 kbps) in the Egress Bandwidth field. Click OK. CONFIGURATION >...
  • Page 592: Set Up The Available Bandwidth On Wan2 Interfaces On The

    Set Up the Available Bandwidth on the WAN2 Interface on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Interface > Ethernet > WAN2 > Egress Bandwidth and enter the available bandwidth (512 kbps) in the Egress Bandwidth field. Click OK. CONFIGURATION >...
  • Page 593: Test The Result

    CONFIGURATION > Interface > Trunk > User Configuration > Add Trunk In the Configuration screen, go to the Default WAN Trunk section, select User Configured Trunk and select the newly created Trunk from the list box. Click Apply. CONFIGURATION > Interface > Trunk > Default WAN Trunk Test the Result Browse any website to test the result.
  • Page 594: What Could Go Wrong

    What Could Go Wrong? If there is no traffic passing through either the WAN1 or the WAN2 interface, check that the Mode of both WAN1 and WAN2 is Active. If a trunk member is in Passive mode, the ZyWALL/USG uses that connection only when all of the connections set to Active mode are down.
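
The trunk pages give the two egress bandwidths and the Active/Passive rule but not how sessions end up distributed. The following is an added example, not ZyXEL code and not the ZyWALL/USG trunk implementation: a weighted round-robin selector that spreads new sessions across wan1 and wan2 in proportion to the configured egress bandwidth (1000 and 512 kbps from the page) and that honours the Passive rule from the "What Could Go Wrong" note. The smooth weighted round-robin variant used here and the link-state flags are assumptions.

```python
"""Weighted round-robin WAN trunk with Active/Passive members.

Added example, not the ZyWALL/USG trunk code. The selection algorithm
(smooth weighted round robin) and the up/down flags are assumptions.
"""


class Member:
    def __init__(self, name, weight, mode="active", up=True):
        self.name, self.weight, self.mode, self.up = name, weight, mode, up
        self.current = 0          # running credit used by the scheduler


class Trunk:
    def __init__(self, members):
        self.members = members

    def _candidates(self):
        """Active members that are up; passive ones only if no active member is up."""
        active = [m for m in self.members if m.mode == "active" and m.up]
        if active:
            return active
        return [m for m in self.members if m.mode == "passive" and m.up]

    def pick(self):
        """Choose the interface for a new session, or None if every link is down."""
        cands = self._candidates()
        if not cands:
            return None
        total = sum(m.weight for m in cands)
        for m in cands:
            m.current += m.weight
        best = max(cands, key=lambda m: m.current)
        best.current -= total
        return best.name


def distribute(trunk, sessions):
    """Count how many of `sessions` new sessions land on each interface."""
    counts = {}
    for _ in range(sessions):
        name = trunk.pick()
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    # Egress bandwidths from the handbook example act as the weights.
    trunk = Trunk([Member("wan1", 1000), Member("wan2", 512)])
    print(distribute(trunk, 1512))
```

With both members Active the split over 1512 sessions is exactly 1000:512. Set wan2 to Passive and it receives nothing until wan1 goes down, which is the symptom the page describes when "no traffic" appears on one WAN.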
  • Page 595: How To Configure Dns Inbound Load Balancing To Balance Dns Queries Among Interfaces

    How to Configure DNS Inbound Load Balancing to Balance DNS Queries Among Interfaces This is an example of the ZyWALL/USG dynamically responding to DNS query messages with its least loaded interface's IP address. The DNS query senders then transmit packets to that interface instead of to an interface that has a heavy load.
  • Page 596: Set Up The Dns Inbound Load Balancing On The Zywall/Usg

    Set Up the DNS Inbound Load Balancing on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > DNS Inbound LB. Edit the Query Domain Name and set the Load Balancing Algorithm field to Least Load - Total. Click Add to create a new Load Balancing Member. CONFIGURATION >...
  • Page 597: Set Up The Nat Rule On The Zywall/Usg

    CONFIGURATION > Network > DNS Inbound LB Go to the Global Setting page and select Enable DNS Load Balancing. CONFIGURATION > Network > DNS Inbound LB Set Up the NAT Rule on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > NAT. Configure the Virtual
  • Page 598: Test The Result

    Server to forward the traffic from WAN to the Internal Server (192.168.1.33). Click OK. CONFIGURATION > Network > NAT Test the Result Open the browser and query http://zyxel.for-our.info/.
  • Page 599: What Could Go Wrong

    Create a Security Policy in order to view the test result. Set Destination to the Internal Server IP address (192.168.1.33 in this example) and set Log type to Log Alert. Go to the ZyWALL/USG Monitor > Log; you will see [alert] log messages such as below.
  • Page 600: How To Manage Voice Traffic

    www.zyxel.com How to Manage Voice Traffic This is an example of using Application Layer Gateway (ALG) to allow the SIP (Session Initiation Protocol) voice traffic through the ZyWALL/USG. To achieve high-quality voice transmissions, use ZyWALL/USG provides Bandwidth Management (BWM) function to effectively manage bandwidth according to flexible criteria.
  • Page 601: Set Up the SIP ALG on the ZyWALL/USG

    Set Up the SIP ALG on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > SIP > SIP Settings and select Enable SIP ALG, Enable SIP Transformations (optional), Restrict Peer to Peer Signaling Connection and Restrict Peer to Peer Media Connection. Make sure the SIP Signaling Port matches your VoIP phone's SIP signaling port.
  • Page 602: Set Up the Bandwidth Management for P2P on the ZyWALL/USG

    Enable BWM and Enable Highest Bandwidth Priority for SIP Traffic. CONFIGURATION > BWM > BWM Global Settings > Enable BWM Set Up the Bandwidth Management for P2P on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > BWM > Configuration > Add Policy, select Enable and type P2P Any-to-WAN as the policy's Description.
  • Page 603: Set Up the Bandwidth Management for FTP on the ZyWALL/USG

    CONFIGURATION > BWM > Configuration > Add Policy Note: In Bandwidth Shaping, the highest priority is (1) and the lowest priority is (7). Set Up the Bandwidth Management for FTP on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > BWM > Configuration > Add Policy, select Enable and type FTP Any-to-Any as the policy's Description.
  • Page 604 Leave the Incoming Interface as any and set the Outgoing Interface to WAN1. Set Service Type to Service Object and select FTP from the list box. Set the Guaranteed Bandwidth Inbound to 150 (kbps) with Priority 5. Set the Maximum to 200 (kbps).
  • Page 605: Test The Result

    Test the Result Add a Security Policy rule to view the SIP log: CONFIGURATION > BWM > Configuration > Add Policy Dial Phone Number 1001 (192.168.10.2 in this example) from Phone Number 1002 (192.168.100.2 in this example), then go to the ZyWALL/USG Monitor > Log; you will see an [alert] log message such as the one below.
  • Page 606: What Could Go Wrong

    What Could Go Wrong? If you see an [alert] log message such as the one below, the voice traffic is being blocked by the priority 1 Security Policy. The ZyWALL/USG checks the security policies in order and applies the first policy the traffic matches. If the voice traffic matches a policy that comes earlier in the list, it may be unexpectedly blocked.
  • Page 607: How to Manage ZyWALL/USG Configuration Files

    How to Manage ZyWALL/USG Configuration Files This is an example of how to rename, download, copy, apply and upload configuration files. Once your ZyWALL/USG is configured and functioning properly, it is highly recommended that you back up your configuration file before making further configuration changes.
  • Page 608: Rename the Configuration Files from the ZyWALL/USG

    Note: This example uses a USG310 (Firmware Version: ZLD 4.25). Rename the Configuration Files from the ZyWALL/USG In the ZyWALL/USG, go to MAINTENANCE > File Manager > Configuration File, select the configuration file and click Rename. A pop-up screen appears allowing you to edit the Target file name.
  • Page 609: Copy the Configuration Files on the ZyWALL/USG

    MAINTENANCE > File Manager > Configuration File Copy the Configuration Files on the ZyWALL/USG In the ZyWALL/USG, go to MAINTENANCE > File Manager > Configuration File, select the configuration file and click Copy. A pop-up screen appears allowing you to edit the Target file name.
  • Page 610: Apply the Configuration Files on the ZyWALL/USG

    Apply the Configuration Files on the ZyWALL/USG In the ZyWALL/USG, go to MAINTENANCE > File Manager > Configuration File and select a specific configuration file to have the ZyWALL/USG use it. For example, select the system-default.conf file and click Apply to reset all of the ZyWALL/USG settings to the factory defaults.
  • Page 611: Upload the Configuration Files from the ZyWALL/USG

    Note: Do not shut down the ZyWALL/USG while the configuration file is being applied. Upload the Configuration Files from the ZyWALL/USG In the ZyWALL/USG, go to MAINTENANCE > File Manager > Configuration File > Upload Configuration File and select Browse to upload a new or previously saved configuration file from your computer to your ZyWALL/USG.
  • Page 612: How to Manage ZyWALL/USG Firmware

    configuration file. In this example, the [alert] log message shows that the configuration file has an incomplete static DHCP address, so the device cannot apply it. MAINTENANCE > File Manager > Configuration File > Apply Configuration File Monitor > Log How to Manage ZyWALL/USG Firmware This is an example of using the ZyWALL/USG to check your current firmware version and upload firmware to the ZyWALL/USG.
  • Page 613: Download the Current Firmware Version from ZyXEL.com

    Note: The firmware update can take up to five minutes. Do not turn off or reset the ZyWALL/USG while the firmware update is in progress. This example uses a USG110 (Firmware Version: ZLD 4.25). Download the Current Firmware Version from ZyXEL.com Go to www.zyxel.com/support/download_landing.shtml and download the...
  • Page 614: Upload the Firmware on the ZyWALL/USG

    Extract the firmware zip file. Upload the Firmware on the ZyWALL/USG In the ZyWALL/USG, go to MAINTENANCE > File Manager > Firmware Package > Upload File. Click the To upload image file in system space pull-down menu and select (1) or (2). The default Standby system space is (2), so if you want to upload new firmware to be the Running firmware, then select the Running system space...
  • Page 615 (1). The ZyWALL/USG will reboot automatically. If you upload firmware to the Standby system space (2), you have the option to select Reboot now or Don't Reboot. MAINTENANCE > File Manager > Firmware Package > Upload File > (1) MAINTENANCE >...
  • Page 616 Note: The default Running system space is (1) and the Standby system space is (2). If you select the Standby firmware and click Reboot now, or you upload a file to the Standby system space (2) and set Boot Options to Reboot now, then after the reboot completes the Running system space will be (2).
  • Page 617: What Could Go Wrong

    What Could Go Wrong? If you cannot download the firmware, check whether you have enabled the Destroy compressed files that could not be decompressed option in Anti-Virus. The ZyWALL/USG firmware package is a ZIP file; if the ZyWALL/USG classifies the package as one it cannot decompress, it will delete it. Disable this option while downloading the firmware package.
  • Page 618: How to Get Started Using the Wizards

    How to Get Started Using the Wizards When you log into the Web Configurator for the first time or when you reset the ZyWALL/USG to its default configuration, the Installation Setup Wizard screen is displayed. This is an example of using the ZyWALL/USG Wizards to configure Internet connection settings, wireless settings and device registration services.
  • Page 619 ) or hide (≫) the help. Installation Setup Wizard > Welcome In the Internet Access page, you can configure Internet connections from two...
  • Page 620 Internet service providers (ISPs). Connect your ISP devices to your ZyWALL/USG WAN port, then select I have two ISPs if you want to configure two Internet connections or leave it cleared to configure just one. Set the Encapsulation option to Ethernet and leave Zone at its default setting; the Internet connection belongs to the WAN zone.
  • Page 621 your ISP or network administrator. First/Second DNS Servers are optional. Click Next. Installation Setup Wizard > Welcome > Internet Access The Internet Access Succeed page displays a summary of the First Setting's Internet access. If you selected I have two ISPs in Internet Access > ISP Setting, click Next to configure the second WAN interface or continue to the Wireless Settings page.
  • Page 622: Set Up the Internet Access (PPPoE) Wizard on the ZyWALL/USG

    Set Up the Internet Access (PPPoE) Wizard on the ZyWALL/USG In the ZyWALL/USG Installation Setup Wizard Welcome page, click Next to start configuring the Internet connection. Click the double arrow in the upper right corner to display (≪) or hide (≫) the help. Installation Setup Wizard >...
  • Page 623 Assignment section to Auto and click Next. Installation Setup Wizard > Welcome > Internet Access Set the Authentication Type to the authentication method used by the remote node. Enter the User Name and Password exactly as given by your ISP or network administrator.
  • Page 624 The Internet Access Succeed page displays a summary of the First Setting's Internet access. If you selected I have two ISPs in Internet Access > ISP Setting, click Next to configure the second WAN interface. Installation Setup Wizard > Welcome > Internet Access > Internet Access Succeed
  • Page 625: Set Up the Internet Access (PPTP) Wizard on the ZyWALL/USG

    Set Up the Internet Access (PPTP) Wizard on the ZyWALL/USG In the ZyWALL/USG Installation Setup Wizard Welcome page, click Next to start configuring the Internet connection. Click the double arrow in the upper right corner to display (≪) or hide (≫) the help. Installation Setup Wizard >...
  • Page 626 In the Internet Access page, you can configure Internet connections from two Internet service providers (ISPs). Connect your ISP devices to your ZyWALL/USG WAN port, then select I have two ISPs if you want to configure two Internet connections or leave it cleared to configure just one. Set the Encapsulation option to PPTP and leave Zone at its default setting; the Internet connection belongs to the WAN zone.
  • Page 627 Set the Authentication Type to the authentication method used by the remote node. Enter the User Name and Password exactly as given by your ISP or network administrator. Select Nailed-UP if you want to keep the connection always up, or type the desired Idle Timeout value in seconds. Click Next. Enter the Base IP Address, IP Subnet Mask and Gateway IP Address assigned to you by your ISP.
  • Page 628 The Internet Access Succeed page displays a summary of the First Setting's Internet access. If you selected I have two ISPs in Internet Access > ISP Setting, click Next to configure the second WAN interface. Installation Setup Wizard > Welcome > Internet Access > Internet Access Succeed
  • Page 629: Set Up the Wireless Settings Wizard on the ZyWALL/USG

    Set Up the Wireless Settings Wizard on the ZyWALL/USG In the Wireless Settings page, select Yes if you want the ZyWALL/USG to enable the AP Controller feature in your network; select No if you want to skip this setting. Click Next.
  • Page 630 Configure a descriptive SSID name (1-32 characters) for the wireless LAN. Select Pre-Shared Key (8-63 characters) to secure this wireless network. Otherwise, select None to allow any wireless client to associate with this network without authentication. Select Hidden SSID to hide the SSID from site survey tools. Select Enable Intra-BSS Traffic blocking if you want to prevent clients within the same wireless network from exchanging traffic with each other.
  • Page 631: Set Up the Device Registration on the ZyWALL/USG

    in the AP wireless network. Installation Setup Wizard > Welcome > Internet Access > Internet Access Succeed > Wireless Settings Set Up the Device Registration on the ZyWALL/USG The ZyWALL/USG must be connected to the Internet in order to register. Click portal.myzyxel.com to register the device; you need the ZyWALL/USG's serial number and LAN MAC address to register it.
  • Page 632 Services at myZyXEL.com for more details. Use the Configuration > Licensing > Registration > Service screen to update your service subscription status. Click Finish. Installation Setup Wizard > Welcome > Internet Access > Internet Access Succeed > Wireless Settings > Device Registration
  • Page 633: How to Configure the 3G/LTE Interface on the ZyWALL/USG as a WAN Backup

    How to Configure the 3G/LTE Interface on the ZyWALL/USG as a WAN Backup This is an example of configuring the ZyWALL/USG's 3G/LTE interface as a WAN backup so that the ZyWALL/USG keeps providing Internet connectivity when the primary WAN interface is down. After configuration, it can provide additional mobile broadband WAN connectivity or a redundant link for maximum reliability.
  • Page 634: Set Up the 3G/LTE Interface on the ZyWALL/USG

    Set Up the 3G/LTE Interface on the ZyWALL/USG Connect a compatible mobile broadband USB device to use a cellular connection. In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Cellular; the connected device is displayed automatically in the Cellular Interface Summary. Click Activate and then the Apply button at the bottom of this page.
  • Page 635: Set Up the Trunk on the ZyWALL/USG

    Set Up the Trunk on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Trunk > User Configuration > Add Trunk, configure a Name to identify the Trunk profile and set the Load Balancing Algorithm field to Weighted Round Robin. Add wan1 and enter 3 in the Weight column.
  • Page 636: Test The Result

    Test the Result Check the Interface Statistics when the wan1 and wan2 connections are up. You can see that both wan1 and wan2 have Status up; Tx B/s displays the transmission speed and Rx B/s displays the reception speed. cellular1 has Status connected, but no traffic goes through this interface.
  • Page 637: What Could Go Wrong

    After disconnecting both wan1 and wan2, you can see that both wan1 and wan2 have Status Down and no traffic goes through these two interfaces. The backup cellular1 has Status connected and all the traffic goes through this interface. MONITOR >...
  • Page 638: How to Configure Two Different WAN Interfaces with Different IP Addresses in the Same VLAN

    How to Configure Two Different WAN Interfaces with Different IP Addresses in the Same VLAN This is an example of using the ZyWALL/USG to configure two different WAN interfaces with different IP addresses in the same VLAN. After configuration, you can have the same VLAN ID on two different WAN interfaces.
  • Page 639: Set Up the Port Grouping on the ZyWALL/USG

    Set Up the Port Grouping on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Port Grouping and select the ports that you want to assign to a representative Interface (in this example, Port 4 and Port 5 are configured as ge5). CONFIGURATION >...
  • Page 640 In the Configuration page, select the vlan1 entry and click Create Virtual Interface on the upper bar. Configure the Fixed IP address (192.168.15.33/24 in this example). Click OK. CONFIGURATION > Network > Interface > VLAN > vlan1 CONFIGURATION > Network > Interface > VLAN > vlan1:1
  • Page 641: Set Up the Routing on the ZyWALL/USG

    Set Up the Routing on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Routing, set Next-Hop Type to Interface and set Interface to vlan1. CONFIGURATION > Network > Routing Test the Result Check the Interface Statistics; you can see that vlan1 Status is up, Tx B/s displays the transmission speed and Rx B/s displays the reception speed.
  • Page 642: What Could Go Wrong

    What Could Go Wrong? If you cannot configure a particular VLAN interface on top of an Ethernet interface, check whether this VLAN has already been created on top of another Ethernet interface. How to Let a Server Use the Same Public IP Address as the WAN Interface Using the Bridge Interface This is an example of using the ZyWALL/USG to configure an internal server in bridge mode without applying network address translation (NAT).
  • Page 643: Set Up the Bridge Interface on the ZyWALL/USG

    reach this server directly by its public IP address. ZyWALL/USG with Bridge Interface Example Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using a USG310 (Firmware Version: ZLD 4.25).
  • Page 644 Bridge, set Interface Type to general and set Zone to LAN. In the Member Configuration, select the internal server interface (IntServer1 in this example) and the public IP address interface (the Public WAN interface in this example) so that they are in the same member group.
  • Page 645: Test The Result

    Test the Result Check the Interface Statistics; you can see that br1 Status is up, Tx B/s displays the transmission speed and Rx B/s displays the reception speed. IntServer1 and PublicWAN are configured in the same vlan1 but use different IP addresses. MONITOR >...
  • Page 646: What Could Go Wrong

    What Could Go Wrong? If you cannot configure a particular bridge IP address, check whether this IP address is already configured on another Ethernet interface. How to Allow Public Access to a Server Behind ZyWALL/USG This is an example of using the ZyWALL/USG to configure secure access to an internal server behind the ZyWALL/USG with network address translation (NAT).
  • Page 647: Set Up the NAT on the ZyWALL/USG

    Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using a USG310 (Firmware Version: ZLD 4.25). Set Up the NAT on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION >...
  • Page 648: Set Up the Security Policy on the ZyWALL/USG

    Set Up the Security Policy on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Security Policy > Policy Control, add a corresponding rule and select Enable. Configure a Name to identify the security policy (http_server_access in this example). Set From: WAN and To: LAN1. Set Destination to the LAN subnet where your server is (LAN_SUBNET_GE3 in this example).
  • Page 649: Test The Result

    Test the Result Type http://172.251.31.90/ into the browser; it displays the HTTP service page. What Could Go Wrong? If you cannot access your server via its public IP address, make sure all your public IP addresses are routed properly. To check this, assign them one by one to the ZyWALL's WAN port.
  • Page 650 routing for the public IPs. If you see a [notice] log message such as the one below, the HTTPS traffic is being blocked by the priority 1 Security Policy. The ZyWALL/USG checks the security policies in order and applies the first policy the traffic matches. If the HTTPS traffic matches a policy that comes earlier in the list, it may be unexpectedly blocked.
  • Page 651: How to Set Up a WiFi Network with ZyXEL APs

    How to Set Up a WiFi Network with ZyXEL APs This is an example of using the ZyWALL/USG to manage Access Points (APs) and allow wireless access to the network. ZyWALL/USG as AP Controller Example Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks.
  • Page 652: Set Up the AP Management on the ZyWALL/USG

    Set Up the AP Management on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Wireless > Controller > Configuration and set Registration Type to Manual. This is recommended because the registration mechanism cannot automatically differentiate between friendly and rogue APs. CONFIGURATION >...
  • Page 653 Go to CONFIGURATION > Object > AP Profile > SSID > Security List and set the Security Mode to wpa2. Then set a Pre-Shared Key (8-63 characters) and set the Cipher Type to auto to have the ZyWALL/USG automatically choose the best available cipher based on the cipher currently in use by the wireless network.
  • Page 654: Test The Result

    Test the Result Go to the ZyWALL/USG Monitor > Wireless > AP Information > AP List, where you can check the list of APs currently connected to it and detailed information such as Registration type, Model and Recent On-line Time / Last Off-line Time.
  • Page 655: What Could Go Wrong

    the mobile device and the mobile device can access the Internet. MONITOR > Log What Could Go Wrong? If you can't see AP information in the AP List, check whether the number of APs connected to the ZyWALL/USG has exceeded the maximum number of Managed APs it can support.
  • Page 656: How to Set Up Guest WiFi Network Accounts

    How to Set Up Guest WiFi Network Accounts This is an example of using the ZyWALL/USG to configure guest WiFi accounts that allow limited wireless access to the Internet using only the HTTP, HTTPS and DNS protocols. For the wireless network setup, please see the tutorial How to Set Up WiFi with ZyXEL AP.
  • Page 657: Set Up the WiFi Guest Account, Address Range and Service Rule on the ZyWALL/USG

    Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using a USG310 (Firmware Version: ZLD 4.25). Set Up the WiFi Guest Account, Address Range and Service Rule on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION >...
  • Page 658 Set the Authentication Timeout Settings to Use Manual Settings and enter the number of minutes this user has to renew the current session before being logged out. CONFIGURATION > Object > User/Group > User > Add A User In the ZyWALL/USG, go to CONFIGURATION >...
  • Page 659: Set Up the Web Authentication on the ZyWALL/USG

    Add a Service Group Rule to define the allowed protocols for the guest Wi-Fi user. Configure a Name to identify the Service Group. Put HTTP, HTTPS and DNS in the same member group and click OK. CONFIGURATION > Object > Service > Service Group > Add Service Group Rule Set Up the Web Authentication on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION >...
  • Page 660: Set Up the Security Policy on the ZyWALL/USG

    In the ZyWALL/USG, go to CONFIGURATION > Web Authentication > General Settings and select Enable Web Authentication. CONFIGURATION > Web Authentication > General Settings Set Up the Security Policy on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Security Policy > Policy and add a corresponding rule.
  • Page 661: Test The Result

    Test the Result Use a mobile device to connect to the AP that is connected to the ZyWALL/USG. When you try to access the Internet, you are redirected to the user login screen.
  • Page 662 Type the Wi-Fi guest User Name and Password and click Login.
  • Page 663 The access session page appears. Go to the ZyWALL/USG Monitor > System Status > Login Users; you will see the current login user list as shown below. Monitor > System Status > Login Users Attempt to access an FTP server (a prohibited service in this example) and you get an error message.
  • Page 664: What Could Go Wrong

    Go to the ZyWALL/USG Monitor > Log; you will see a [notice] log message as shown below. Access to the FTP service port 21 is blocked in this example. Monitor > Log What Could Go Wrong? If you see a [notice] log as shown below, the Wi-Fi guest traffic is being blocked by the priority 1 Security Policy.
  • Page 665 Note: By default, Security Policy rules do not log matched traffic (except PolicyDefault). If you want to check which policy may be blocking the traffic, select that policy and set Log matched traffic to log or log alert.
  • Page 666: Guest Network

    How to create Wi-Fi VLAN interfaces to separate the staff network and the guest network This example shows how to create Wi-Fi VLAN interfaces to separate the staff network from the guest network. Suppose there should be no restriction on the staff network, but guests must be prevented from accessing the USG.
  • Page 667: Set Up Wi-Fi VLAN Interfaces

    Set up Wi-Fi VLAN interfaces Create VLAN interfaces Go to CONFIGURATION > Object > Zone. Create a zone for the guest. CONFIGURATION > Object > Zone Go to CONFIGURATION > Network > Interface > VLAN. Create VLAN16 for Staff_WiFi and VLAN17 for Guest_WiF CONFIGURATION >...
  • Page 668 CONFIGURATION > Network > Interface > VLAN > VLAN17
  • Page 669 There will be two VLAN interfaces. CONFIGURATION > Network > Interface > VLAN Set Up the User Go to Configuration > Object > User/Group > User, and create users for the staff and the guest. Configuration > Object > User/Group > User > staff
  • Page 670 Configuration > Object > User/Group > User > guest There will be two users.
  • Page 671 Set Up the AP Profile Go to CONFIGURATION > Object > AP Profile > SSID > Security List, and create two security profiles. CONFIGURATION > Object > AP Profile > SSID > Security List > Guest_WPA2 CONFIGURATION > Object > AP Profile > SSID > Security List > Staff_WPA2
  • Page 672 Go to CONFIGURATION > Object > AP Profile > SSID > SSID List, and create two SSID profiles. CONFIGURATION > Object > AP Profile > SSID > SSID List > Staff_Wifi
  • Page 673 CONFIGURATION > Object > AP Profile > SSID > SSID List > Guest_Wifi
  • Page 674 Go to CONFIGURATION > Wireless > AP Management > AP Group, and add an AP Group named WiFi. CONFIGURATION > Wireless > AP Management > AP Group
  • Page 675 Go to CONFIGURATION > Wireless > AP Management > Mgnt. AP List, and edit the AP List. Change the Group setting to WiFi. CONFIGURATION > Wireless > AP Management > Mgnt. AP List, Set Up the Security policy rule
  • Page 676 Go to CONFIGURATION > Security Policy > Policy Control > Policy. Add one rule to restrict guest access to the USG, and another one to allow Internet access. CONFIGURATION > Security Policy > Policy Control > Policy > Guest_ZyWALL CONFIGURATION > Security Policy > Policy Control > Policy > Guest_Internet
  • Page 677: Test Result

    Test result Connect to the SSID Staff_WiFi, and ping the USG interface.
  • Page 678 Connect to the SSID Guest_WiFi, and ping the USG interface.
  • Page 679: What Could Go Wrong

    What could go wrong: choosing the wrong zone for the Guest VLAN interface, or not changing the AP to the correct group.
  • Page 681: How to Set Up WiFi Networks with Microsoft Active Directory Authentication

    How to Set Up WiFi Networks with Microsoft Active Directory Authentication This is an example of using the ZyWALL/USG to configure guest WiFi accounts with Microsoft Active Directory (AD) authenticating your WiFi guests. For the wireless network setup, please see How to Set Up WiFi with ZyXEL AP. ZyWALL/USG with AD Guest WiFi Accounts Example Note: All network IP addresses and subnet masks are used as examples in this article.
  • Page 682: Set Up the Wi-Fi Guest Account and Authentication Method on the ZyWALL/USG

    Set Up the Wi-Fi Guest Account and Authentication Method on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Object > User/Group > User > ad-users, set the Authentication Timeout Settings to Use Manual Settings and enter the number of minutes this user has to renew the current session before being logged out.
  • Page 683: Set Up the Active Directory Server Account on the ZyWALL/USG

    In the ZyWALL/USG, go to CONFIGURATION > Web Authentication > General Settings and select Enable Web Authentication. CONFIGURATION > Web Authentication > General Settings Set Up the Active Directory Server Account on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Object > AAA Server > Active Directory >...
  • Page 684: Set Up the Security Policy on the ZyWALL/USG

    user name (wifi_guest in this example) in the Username field and click Test. A pop-up screen appears allowing you to view the test result. Click OK to save the configuration. CONFIGURATION > Object > AAA Server > Active Directory > Add Active Directory Set Up the Security Policy on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION >...
  • Page 685: Test The Result

    Test the Result Use a mobile device to connect to the AP that is connected to the ZyWALL/USG. When you try to access the Internet, you are redirected to the user login screen.
  • Page 686 Type the Wi-Fi guest User Name and Password and click Login. The access session page appears.
  • Page 687: What Could Go Wrong

    Go to the ZyWALL/USG Monitor > System Status > Login Users; you will see the current login user list as below. Monitor > System Status > Login Users What Could Go Wrong? If you see a [notice] log as shown below, the Wi-Fi guest traffic is being blocked by the priority 1 Security Policy.
  • Page 688: How to Set Up IPv6 Interfaces for Pure IPv6 Routing

    If you see an [alert] log message as shown below, the Wi-Fi guest authentication failed. Make sure you have enabled Web Authentication and check that your AD server is working properly. Monitor > Log Note: By default, Security Policy rules do not log matched traffic (except PolicyDefault). If you want to check which policy may be blocking the traffic, select that policy and set Log matched traffic to log or log alert.
  • Page 689: Enable the IPv6 on the ZyWALL/USG

    Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using a USG310 (Firmware Version: ZLD 4.25). Enable the IPv6 on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION >...
  • Page 690: Set Up the WAN IPv6 Interface on the ZyWALL/USG

    Set Up the WAN IPv6 Interface on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Ethernet > wan1. Select Enable Interface and Enable IPv6. Select Enable Stateless Address Auto-configuration (SLAAC). Click OK. CONFIGURATION > Network > Interface > Ethernet > wan1 Note: Your ISP or uplink router should enable router advertisement.
  • Page 691: Test The Result

    Click OK. CONFIGURATION > Network > Interface > Ethernet > lan1 > General Settings CONFIGURATION > Network > Interface > Ethernet > lan1 > IPv6 Router Advertisement Setting Test the Result Connect a computer to the ZyWALL/USG's LAN1.
  • Page 692 Enable IPv6 support on your computer. In Windows XP, you need to use the IPv6 install command in a Command Prompt. In Windows 7, IPv6 is supported by default. You can enable IPv6 in the Control Panel > Network and Sharing Center > Local Area Connection screen. Your computer should get an IPv6 address (starting with 2002:1111:1111:1111: in this example) from the ZyWALL/USG.
  • Page 693: What Could Go Wrong

    What Could Go Wrong? If your IPv6 connection is not working, make sure you have enabled Auto-Configuration on the WAN1 IPv6 interface. If not, you will not have any default route to forward the LAN's IPv6 packets. In Windows, some IPv6-related tunnels such as Teredo and 6to4 may be enabled by default.
  • Page 694: Set Up the LAN IPv6 Interface on the ZyWALL/USG

    Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using a USG310 (Firmware Version: ZLD 4.25). Set Up the LAN IPv6 Interface on the ZyWALL/USG The second and third 16-bit groups of the IPv6 address from the left must be derived from the wan1 IP address (122.100.220.238 in this example).
  • Page 695 2002:7a64:dcee:1::111/128. In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Ethernet > lan1, select Enable Interface and Enable IPv6. Type 2002:7a64:dcee:1::111/128 in the IPv6 Address/Prefix Length field for the LAN1's IP address. Enable Router Advertisement. Then click Add in the Advertised Prefix Table to add 2002:7a64:dcee:1::/64.
  • Page 696: Set Up the 6to4 Tunnel on the ZyWALL/USG

    Set Up the 6to4 Tunnel on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Tunnel > Add and select Enable. Enter tunnel0 as the Interface Name and select 6to4 as the Tunnel Mode. In the 6to4 Tunnel Parameter section, this example simply uses the default 6to4 Prefix, 2002::/16.
  • Page 697: Test the Result

    Test the Result Connect a computer to the ZyWALL/USG’s LAN1. Enable IPv6 support on your computer. In Windows XP, you need to run the IPv6 install command in a Command Prompt. In Windows 7, IPv6 is supported by default. You can enable IPv6 in the Control Panel > Network and Sharing Center > Local Area Connection screen.
  • Page 698: What Could Go Wrong

    What Could Go Wrong? If your IPv6 connection is not working, make sure you disable Auto-Configuration on the LAN1 IPv6 interface. Enabling it creates two default routes, but the ZyWALL/USG needs only the default route generated by your relay router setting.
  • Page 699: Set Up the LAN IPv6 Interface on the ZyWALL/USG

    Set Up the LAN IPv6 Interface on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Ethernet > lan1. Select Enable Interface and Enable IPv6. Type 2002:7a64:dcee:1::111/128 in the IPv6 Address/Prefix Length field as the LAN1 IP address. Enable Router Advertisement.
  • Page 700: Set Up the 6to4 Tunnel on the ZyWALL/USG

    CONFIGURATION > Network > Interface > Ethernet > lan1 > General Settings CONFIGURATION > Network > Interface > Ethernet > lan1 > IPv6 Router Advertisement Setting Set Up the 6to4 Tunnel on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Tunnel > Add and select Enable.
  • Page 701: Set Up the Policy Route on the ZyWALL/USG

    CONFIGURATION > Network > Interface > Tunnel Set Up the Policy Route on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Routing > IPv6 Configuration > Add, then click Create New Object to create an IPv6 address object with the address prefix 2002:7a64:dcee:1::/64.
  • Page 702: Test the Result

    Test the Result Connect a computer to the ZyWALL/USG’s LAN1. Enable IPv6 support on your computer. In Windows XP, you need to run the IPv6 install command in a Command Prompt. In Windows 7, IPv6 is supported by default. You can enable IPv6 in the Control Panel > Network and Sharing Center > Local Area Connection screen.
  • Page 703: What Could Go Wrong

    Use the ping -6 [IPv6 address] command in a Command Prompt to test whether you can ping a computer behind ZyWALL/USG_Y. You should get a response. Windows 7 > cmd > ping -6 2001:b020:0:71::46 What Could Go Wrong? If your IPv6 connection is not working, make sure the WAN1 IPv4 interface is enabled.
  • Page 704: How to Update Firmware Automatically from a USB Storage

    How to Update Firmware Automatically from a USB Storage This example illustrates how to update the ZyWALL/USG’s firmware automatically from USB storage. With this feature, users can upgrade the firmware on numerous devices more efficiently, without Internet or GUI access. The same feature can also be used to downgrade the firmware.
  • Page 705: Enable the USB Firmware Upgrade Function by CLI Command

    Enable the USB Firmware Upgrade Function by CLI Command For security reasons, the function is disabled by default. The administrator needs to enable it with the following CLI command: Router(config)# usb-storage update-firmware enable Save the Firmware on the USB There are two ways to create the firmware folder on the USB storage.
  • Page 706: Plug the USB into the Device

    Firmware Folder is Created Automatically Plug the USB into the Device Once the .bin file in the firmware folder is detected, the device copies it to RAM. Plug the USB storage into the USB port. The following message is shown on the console if the device fails to copy the .bin file. Router>...
  • Page 707: Check Firmware Status

    Check model ID: If incompatible, the device deletes the firmware from RAM. If compatible, the device checks the firmware version. Check firmware version: If it is the same as the running firmware, the device deletes the firmware from RAM.
  • Page 708: What Can Go Wrong

    MONITOR > Log > View log What Can Go Wrong? The USB storage must use the FAT16, FAT32, EXT2, or EXT3 file system; otherwise it may not be detected by the ZyWALL/USG. The device only checks for firmware under a specific folder, so make sure the firmware is saved in the correct folder under the root directory: \ProductName_dir\firmware.
  • Page 709 Console Message MONITOR > Log > View log Make sure the version of the firmware on the USB differs from that of the running partition. The device writes to the console and the device log if the firmware version is the same as the running firmware. Console Message MONITOR >...
  • Page 710: How to Configure DHCP Option 60 - Vendor Class Identifier

    Device HA Pro function activated. When using USB firmware upgrade in a Device HA or Device HA Pro scenario, plug the USB storage into the passive device first. After the passive device has finished upgrading its firmware through the USB, plug the USB storage into the active device to upgrade its firmware.
  • Page 711: DHCP Option 60 Deployment Flow

    Figure 1 DHCP Option 60 Vendor Class Identifier DHCP Option 60 Deployment Flow Enable the WAN ports as DHCP clients (enabled by default). Navigate to the WAN interface configuration screen. Type the user-defined option 60 string in the Advance setting section. Setting Up DHCP Option 60 on the Web GUI In the ZyWALL/USG’s navigation panel, go to Configuration >...
  • Page 712: Setting Up DHCP Option 60 on the CLI

    Click the Ethernet tab and go to WAN > Edit. Enter the VCI string in the Advance section of DHCP Option 60. Setting Up DHCP Option 60 on the CLI Under the specific interface path, use these commands to: Enable option 60 Router(config-if-wan1)# ip address dhcp option-60 {VCI_STRING}
  • Page 713: Test DHCP Option 60

    Disable option 60 Router(config-if-wan1)# no ip address dhcp option-60 Test DHCP Option 60 To test the DHCP option 60 function, use packet capture software to check whether the option 60 string is present in the DHCP Discover message sent from the ZyWALL/USG WAN port. What Can Go Wrong? Avoid using the same option 60 string on two or more DHCP servers.
  • Page 714: How to Configure Device HA Pro

    How to Configure Device HA Pro The Device HA feature acts as a failover when one of the devices in the network is down or cannot access the Internet, which makes it a popular feature in network environments. In previous firmware versions, the USG supported AP (Active-Passive/Master-Backup) mode.
  • Page 715: Device HA Pro License

    Device HA Pro License The Device HA Pro feature requires a license. You must register both of your devices on the myZyXEL.com server first, then make sure the Device HA Pro license is available on both devices. Behavior of the Device HA Pro The behavior of Device HA Pro includes a heartbeat link to monitor the “active”...
  • Page 716 This function is for the secondary device. If you are configuring the primary device, this function is unnecessary. B. Serial number of the licensed device for license synchronization Enter the serial number of the licensed device from the myZyXEL.com server. C. Configure the Device HA Pro interface Enter the management IP addresses of the active and passive devices.
  • Page 717: Suggestions

    The Main Function of the Device HA Pro Heartbeat Link The heartbeat port is a new physical port on the device. After you have enabled Device HA Pro, the devices transmit multicast packets (UDP 694) to check each device’s status. When the passive device is working properly, the system LED is on.
  • Page 718: How Do I Configure Device HA Pro in My Current Environment

    How do I Configure Device HA Pro in My Current Environment? License The Device HA Pro feature requires a license. Register both of your devices on myZyXEL.com and make sure the devices have the license after syncing with the myZyXEL.com server.
  • Page 719 Configurations on the Primary Device 1. Go to the Configuration > Device HA > Device HA Pro screen. 2. Enter the device’s license serial number from the myZyXEL.com server. 3. Enter the management IP address after enabling the Device HA Pro feature. 4.
  • Page 720 Configurations on the Secondary Device Go to the Configuration > Device HA > Device-HA Pro screen. Select Enable Configuration Provisioning from Active Device. Click Apply.
  • Page 721 Go to the Configuration > Device HA > General screen. Select Enable Device HA and click Apply. Before the Device HA Pro feature is enabled on the secondary device, a warning message pops up for you to confirm. Click OK to enable it. This message will not be displayed...
  • Page 722: What Can Go Wrong

    What can go wrong? Why can’t I see the correct license status from the myzyxel.com server? On the Device-HA Pro setting page there is a field “Serial number of the licensed device for license synchronization”. You should enter the S/N of the device that holds the licenses.
  • Page 723: How to Upgrade Firmware on HA Pro Synchronized Devices

    How to Upgrade Firmware on HA Pro Synchronized Devices? This example illustrates how to upgrade firmware from 4.35(ABFU.0) to 4.35(ABFU.2) on Device HA Pro. Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses.
  • Page 724: Firmware Upgrade Flow

    Firmware Upgrade Flow 1. Make sure the running firmware versions of the active and passive devices are the same. 2. Make sure the running firmware of the active and passive devices is in the same partition. 3. Make sure the heartbeat port link is well connected and the passive device is fully synchronized with the active device.
  • Page 725: Synchronization Status

    For example, if the running firmware of the active device is in partition 1, then the running firmware of the passive device must also be in partition 1. Active (Device 1) - Running Firmware in partition 1 Passive (Device 2) - Running Firmware in partition 1 Synchronization Status Go to CONFIGURATION >...
  • Page 726: Upload the Firmware to the Active Device

    Upload the Firmware to the Active Device On the Active device (Device 1), go to MAINTENANCE > File Manager > Firmware Management and upload the firmware to the Standby partition. Click Yes to reboot the device immediately after the firmware is uploaded successfully.
  • Page 727: Test the Result

    Test the Result The firmware is uploaded to the Passive device (Device 2) first. After the firmware is successfully uploaded to the Passive device (Device 2), it switches to active mode. Then the original Active device (Device 1) starts its firmware upgrade.
  • Page 728: How to Downgrade Firmware on HA Pro Synchronized Devices

    How to Downgrade Firmware on HA Pro Synchronized Devices? This example illustrates how to downgrade firmware from 4.35(ABFU.2) to 4.33(ABFU.1) on Device HA Pro. Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses.
  • Page 729: Firmware Downgrade Flow

    Firmware Downgrade Flow 1. Back up the latest startup-config.conf of the Active device (Device 1). 2. Switch the passive device (Device 2) to active mode. 3. Disconnect all Ethernet cables and the heartbeat port link on Device 1. 4. Downgrade the firmware on Device 1 and apply the backed-up configuration file startup-config.conf to Device 1.
  • Page 730: Ethernet Cable and Heartbeat Port Disconnection

    are selected as monitor interfaces. Disconnect one of the monitor interfaces to make Device 2 switch to the active role. CONFIGURATION > Device HA > Device HA Pro > Monitor Interface Ethernet Cable and Heartbeat Port Disconnection After Device 2 enters active mode, disconnect all Ethernet cables and the heartbeat port link on Device 1.
  • Page 731: Backup Configuration Apply

    Go to MAINTENANCE > File Manager > Firmware Management and upload the old firmware to the standby partition. After the old firmware 4.33(ABFU.1) is uploaded and the device reboots, you may get the error message “Failed to apply startup configuration file and failover to previous firmware ...”...
  • Page 732: Connect All Ethernet Cables Back on Device 1

    different. Hence, you need to edit the password manually before applying the configuration file to Device 1 with firmware 4.33(ABFU.1). You may need to refer to the Appendix of this document to edit the configuration file. 2. Upload the edited configuration file to Device 1 and apply the configuration on the console by entering the command.
  • Page 733: Enable Device HA Pro on Device 2

    Note: On Device 2, upload the old firmware to the same firmware partition as on Device 1. For example, if the old firmware is uploaded to partition 1 on Device 1, then the old firmware must also be uploaded to partition 1 on Device 2.
  • Page 734: Appendix. Edit the Configuration File

    Passive (Device 2) - Running Firmware 4.33(ABFU.1) Appendix. Edit the Configuration File Open the backup configuration file and search for the following CLI: username admin encrypted password xxxxxx user type admin Set a new password and replace the original CLI line with the following one. In this example, 12345 is the password for admin.
  • Page 735 Note: Remember to set a password for every user, because the hash method for local users differs between the two ZLD versions.
  • Page 736: How to Replace One Defective Device of HA Pro

    How to replace one defective device of HA Pro In case one of the HA devices breaks down or goes out of service, the client needs to purchase a new one and deploy it back into the live Device HA Pro environment. This guide leads the user through swapping one of the HA Pro synchronized devices when the device has been RMAed.
  • Page 737: Before Redeploying the HA-Pro Environment

    Before redeploying the HA-Pro environment 1. Make sure all licenses of Device 2 are transferred to Device 1 on myzyxel.com before Device 2 is delivered to RMA. 2. Confirm the Serial Number of Device 1 is entered on the HA-Pro page. Go to Configuration > Device HA > Device HA-Pro 3.
  • Page 738: After Receiving the New Device (Device 3)

    Go to Configuration > Licensing > Registration > Service and press Service License Refresh. Note: If the RMA device was initially in the active role (its S/N was filled in on the HA-Pro page), the user needs to change the S/N to the other device (in Serial Number of Licensed Device for License Synchronization). After receiving the new device (Device 3) 1.
  • Page 739: Configuration on Device 1

    Configuration on Device 1 Go to Configuration > Device HA > Device HA Pro and enable Device HA. Make sure the configuration in each field is correct (management IP of the active and passive devices, password…). Next, press the Apply button. Configuration on Device 3 Go to Configuration > Device HA > Device HA Pro >...
  • Page 740 Press OK to complete the passive configuration. Next, connect the heartbeat port (the last copper Ethernet port) link and wait for the full sync. In this example, the ATP800 heartbeat port is Port 12. Note: Do not change any configuration before the sync completes. The first full configuration synchronization takes time (around 10 minutes). The sync status can also be checked from the console by typing the CLI:...
  • Page 741: Verification

    Then go back to the console of the passive device and type the CLI # show device-ha2 sync summary Verification After the above configuration is complete, go to Configuration > Device HA and check the Device HA status and View Log. Device 1 (Active Role)
  • Page 742 Device 3 (Passive Role)
  • Page 743: How to Reboot the Active Device to the Standby Partition When the Two Partitions Have Different Firmware Versions

    How to reboot the Active device to the standby partition when the two partitions have different firmware versions In some situations the new firmware shows a stability issue after the upgrade, and the user must roll back to the stable version. In this scenario the user has been running Device-HA on partition #1 with 4.33 firmware for a few months, and has upgraded to 4.35 firmware on partition #2.
  • Page 744: Change Partition Flow

    Change Partition Flow 1. Make sure the running and standby firmware versions of the active and passive devices are the same. 2. Reboot the passive device (Device 2) from the standby partition. 3. Reboot the active device (Device 1) from the standby partition. 4. Make sure the passive device (Device 1) sync process completed successfully. 5.
  • Page 745: Reboot Passive Device (Device 1) by Standby Partition

    Reboot passive device (Device 1) by standby partition Device 2 - Reboot device by standby partition Access the device by the Device-HA management IP address. Go to Maintenance > File Manager > Firmware Management. Select the standby partition and click the Reboot button. After the device boots up successfully, the Device 2 role stays Passive. All traffic continues to pass through the Active device.
  • Page 746: Make Sure Passive Device (Device 1) Sync Process Completed Successfully

    After Device 1 boots up, its role becomes “Passive”. Make sure passive device (Device 1) sync process completed successfully After the passive device boots up successfully, it starts the Device-HA Sync process. You can use a CLI command on the passive device to check the sync status. Router>...
  • Page 747 (1) Access the device FTP server with the admin account and password to download the configurations. A. Download the running (4.33) partition configuration: go to the “/conf” folder and download startup-config.conf. B. Download the standby (4.35) partition configuration: go to the “/standby_conf” folder and download startup-config.conf. (2) Open both configurations in a text editor and use any compare tool to check the differences between your configurations.
  • Page 748: How to Restore a Configuration File in Device HA Mode

    How to restore a configuration file in Device HA mode? For maintenance and troubleshooting purposes, a user may need to restore a configuration file in Device HA mode. Assuming HA has been set up and working well for a while, the steps below guide the user through restoring a configuration file in Device HA mode.
  • Page 749: Configuration File Restore Flow

    Configuration file restore flow 1. Unplug all network links of the active device (Device 1). Let the network service run on the passive device. 2. Upload the configuration file to the active device (Device 1). 3. Apply the configuration file on the active device (Device 1). 4. Connect all network cables on Device 1. The network service runs on Device 1 from now on.
  • Page 750: Apply Configuration File on Active Device (Device 1)

    It is supposed to be the same as the original active device (Device 1). We can check by CLI: Router> psm Router(psm)# atsh If the virtual MAC and serial are correct, proceed to upload the configuration file to the active device (Device 1). On Device 1, go to MAINTENANCE >...
  • Page 751: Connect All Network Cables on Device 1

    Router# apply /conf/Backup_0305.conf After the configuration restore completes, save the running configuration to the startup configuration file: Router(config)# write Connect all network cables on Device 1. Disconnect all network cables on Device 2, and then connect all network cables on Device 1 (excluding the heartbeat link).
  • Page 752: Make Sure That Passive Device (Device 2) Sync Process Completed Successfully

    Make sure that the passive device (Device 2) sync process completed successfully It starts the Device-HA Sync process. You can use the CLI on the passive device to check the sync status. When it is done, you can see the status “Device HA Sync has succeeded from X.X.X.X at YYYY-MM-DD HH:MM:SS” Router>...
  • Page 753: How to Check HA Pro Synchronization Status

    How to Check HA Pro Synchronization Status There are two ways to check HA Pro synchronization: one is using the web GUI, the other is using the console or Secure Shell (SSH). Below are the steps to check the HA Pro synchronization status. Check the sync status on web GUI To check the status with the GUI, go to Configuration >...
  • Page 754: Check the Sync Status on Console

    Check the sync status on console Using the CLI gives you a quick check and more information. A. Check the synchronization status on the Active device 4. Type command: show device-ha2 status to check the basic information on the active device
  • Page 755: Check the Synchronization Status on Passive Device

    5. Type the command below to check the status. Router> show device-ha2 device-status Type command: show device-ha2 passive device-status B. Check the synchronization status on the Passive device 1. Check the sync status of the device Type command: show device-ha2 sync summary
  • Page 757: Fail Cases

    It is very important that the last line, the status of the Device HA Sync, shows success. C. Fail cases If the Device HA sync failed, disconnect all the links. Then reset the device to factory default and try again.
  • Page 758: Exception Case

    D. Exception case Note: After the device upgrades its firmware, typing the command “Router> show device-ha2 sync summary” on the active device displays fail. You need to type the command below on the active device to sync again: Router> debug device-ha2 passive sync now. After the Device HA sync from the passive device, the Device HA Sync status displays success.
  • Page 759: What Can Go Wrong

    What Can Go Wrong? 1. For Device HA or HA Pro, signature synchronization is required. 2. Cloud query is not supported. 3. IPv6 is not supported. Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses.
  • Page 760: How to Setup Two-Factor Authentication for Admin Login

    How to setup Two-Factor Authentication for admin login Two-Factor Authentication is a function that helps prevent an attacker from logging in to your device. It requires an additional verification code after logging in to the WebGUI/SSH/Telnet. You can follow these steps to set up two-factor authentication for logins to the system.
  • Page 761: Create Admin Type User on Device

    Note: Make sure the SMTP Server configuration is correct; otherwise the user will be unable to receive the mail. Create admin type user on device Go to Configuration > Object > User/Group > User. Click the Add button to create a user with user type admin, and also enter the email address of this user.
  • Page 762: Setup Two-Factor Authentication for Admin on Your Device

    Setup Two-Factor Authentication for admin on your device Go to Configuration > Object > Auth Method > Two-Factor Authentication > Admin Access. Enable the function, add the admin user you created in step 2 to the rule, and select which services require two-factor authentication.
  • Page 763: Test the Result

    Test the Result After completing these steps and logging in to the device with the admin user, the verification code is required. Web Service: SSH Service:
  • Page 764 You will receive the verification code by Email.
  • Page 765: What Can Go Wrong

    What Can Go Wrong? Make sure the SMTP server configuration is correct. If you would like to add “admin” to the 2FA rule, you must verify the admin email first. 2-1 Enter the Email address and click the “Send Code” button. 2-2 After clicking “Send Code”, you will receive the code by Email.
  • Page 767: How to Configure Email Security for Phishing Mail

    How to configure Email Security for Phishing mail? (This feature is only supported on the ATP series.) The following depicts a sample configuration of Email Security for phishing mail. Phishing is a type of online scam where criminals send an email pointing to a fake website and ask you to provide sensitive information.
  • Page 768: Set Up Phishing on ATP

    embedded URLs. Figure 2 Phishing mail example Set up Phishing on ATP On the ATP, go to Configuration > Security Service > Email Security and enable Check Mail Phishing, which allows the gateway to inspect the URLs embedded in the email.
  • Page 769: Test the Result

    Test the Result Go to Monitor > Security Statistics > Email Security to observe mail phishing logs. Monitor > Security Statistics > Email Security Go to Monitor > Security Statistics > Email Security to collect Email Security statistics. What Can Go Wrong? Make sure the Anti-Spam default service port is SMTP or POP3 using the CLI: Router# show utm-manager anti-spam defaultport
  • Page 770 It does not support SSL inspection. The ATP can inspect email up to 50KB. If the mail size is greater than 50KB, the gateway inspects only the first 50KB from the header.
  • Page 771: How to Setup Email to SMS

    How to setup Email to SMS The Email to SMS function can help send SMS messages to clients. The SMS message is initiated from the device to the SMS provider, and then the SMS provider sends the SMS to the client. This function helps make sure the user receives the SMS even if the client has no Internet connection.
  • Page 772: Setup Email to SMS Provider Configuration

    Note: Make sure the SMTP Server configuration is correct; otherwise the message cannot be sent to the SMS provider. Setup Email to SMS Provider configuration Go to Configuration > System > Notification > SMS. Select “SMS Provider” as Email to SMS Provider. Enter the SMS Provider Email server domain name. And configure the sender mail address in “Mail From”...
  • Page 773: Create Admin Type User on Device

    Create admin type user on device Go to Configuration > Object > User/Group > User. Click the Add button to create a user with user type admin, and also enter the phone number of this user. Setup Two-Factor Authentication for admin on your device Go to Configuration >...
  • Page 774: Test the Result

    Test the Result After completing these steps and logging in to the device with the admin user, the verification code is required. Web Service: SSH Service:
  • Page 775 You will receive the verification code by SMS.
  • Page 776: What Can Go Wrong

    What Can Go Wrong? Make sure the SMTP server configuration is correct. Make sure your SMS provider supports the Mail to SMS function. Make sure your email address is allowed by your SMS provider.
  • Page 777: How to Use IP Reputation to Detect Threats

    How to Use IP Reputation to Detect Threats (This feature is only supported on the ATP series.) As cyber threats such as scanners, botnets, phishing, etc. keep growing, identifying suspect IP addresses efficiently becomes a crucial task. With a regularly updated IP database, the ATP prevents threats by blocking connections to/from known IP addresses based on the signature database.
  • Page 778: Activating Reputation Filter Service

    Activating Reputation Filter Service Register the ATP gateway on myZyxel.com. Activate the Reputation Filter license. On the ATP, go to CONFIGURATION > Licensing > Signature Update. Click the Update icon to check for new signatures. Enabling IP Blocking on ATP Go to CONFIGURATION > Security Service > Reputation Filter > IP Reputation > General.
  • Page 779: Selecting Specific Types of IP Addresses to Block

    Selecting specific types of IP addresses to block In Types of Cyber Threats Coming From The Internet, select the types of threats that are known to pose a security threat for incoming traffic. In Types of Cyber Threats Coming From The Internet And Local Networks, select the types of threats that are known to pose a security threat for both incoming and outgoing traffic.
  • Page 780: Monitoring Statistics for IP Detection

    Monitoring statistics for IP detection Enable Collect Statistics to monitor the scan results and detected IPs. MONITOR > Security Statistics > Reputation Filter Test the Result Select Anonymous Proxies for detecting incoming traffic and Botnet for outgoing traffic.
  • Page 781 For incoming traffic, set a NAT rule and add a security policy rule allowing traffic from WAN to LAN. For outgoing traffic, ping an IP address in the threat category “Botnets” from the LAN. Check the statistics for detected IPs. MONITOR >...
  • Page 782: What Can Go Wrong

    On the dashboard, you can find the top 5 countries detected the most by IP Reputation. Dashboard > Advanced Threat Protection What Can Go Wrong? 4. For Device HA or HA Pro, signature synchronization is required. 5. Cloud query is not supported. 6.