ZyXEL Communications ZYWALL 1050 Support Notes

Internet security appliance

ZyWALL 1050/ZyWALL USG 300 Support Notes
ZyWALL 1050 (ZyWALL USG 300)
Internet Security Appliance
Support Notes
Revision 2.02
September,2007
All contents copyright (c) 2007 ZyXEL Communications Corporation.



Summary of Contents for ZyXEL Communications ZYWALL 1050

  • Page 2: Table Of Contents

    1.4.2 Star Topology ... 87
    1.4.3 Star-Mesh Mixed Topology ... 96
    1.5 Access via Central Site ... 112
    1.5.1 VPN Tunnel to Central Site (ZyWALL 70 to ZyWALL 1050/ZyWALL USG 300) ... 112
    1.6 Multiple Entry Point (MEP) ... 124
    1.6.1 Deploying MEP ... 124
    1.7 Device HA together with VPN HA ...
  • Page 3

    A03. What’s the difference between the “Admin Service Control” and “User Service Control” configuration in GUI menu Configuration > System > WWW? ... 307
    A04. Why does ZyWALL 1050/ZyWALL USG 300 redirect me to the login page when I am performing management tasks in the GUI? ... 307
    A05.
  • Page 4

    E05. Why does the PPP interface dial successfully even when its base interface goes down? ... 315
    E06. What is port grouping used for in ZyWALL 1050/ZyWALL USG 300? ... 316
    E07. What is the maximum number of VLAN interfaces supported by ZyWALL 1050/ZyWALL USG 300? ...
  • Page 5

    F09. Why does the virtual server or port trigger not work? ... 323
    F10. Why does port trigger not work? ... 323
    F11. How do I use the traffic redirect feature in ZyWALL 1050/ZyWALL USG 300? ... 324
    F12. Why can’t ZyWALL learn the route from RIP and/or OSPF? ... 324
    G.
  • Page 6

    M05. What is AAA? ... 340
    M06. What are ldap-users and radius-users used for? ... 340
    M07. What privileges will be given to ldap-users and radius-users? ... 340
    N. Centralized Log FAQ ... 342
  • Page 7

    P02. Does ZyWALL1050 Anti-Virus support compressed file scanning? ... 344
    P03. What is the maximum number of concurrent sessions of the ZyWALL1050 Anti-Virus engine? ... 344
    P04. How many types of viruses can be recognized by the ZyWALL 1050/ZyWALL USG 300? ... 344
    P05. How frequently will the AV signature be updated? ... 344
    P06.
  • Page 8: Deploying Vpn

    Typically, an administrator has to configure many site-to-site VPN connections to allow a truly global VPN network. VPN connection management is made easy using the VPN concentrator. The VPN
  • Page 9 VPN network with less effort but stronger security and management possibilities. For SMB customers, ZyXEL provides a total VPN solution, from a personal client to a 500+ user firewall, where all of these devices have VPN connection capability.
  • Page 10: Extended Intranets

    There are two kinds of connection interface: static IP and dynamic DNS. Configure ZyWALL 1050 (USG 300) with a static IP address: ZyWALL 1050 (USG 300) uses the static IP address for the VPN connection. The topology is shown in the following figure.
  • Page 11 167.35.4.3. The Local ID Type and content are IP and 210.110.7.1; the Peer ID Type and content are IP and 167.35.4.3. 3) Repeat steps 1 & 2 to configure the Remote ZyWALL 1050 (USG 300). Its Local ID Type & content and Peer ID Type & content are the reverse of those on the Local ZyWALL 1050 (USG 300).
  • Page 12 The Next-Hop type is VPN tunnel. Then choose the corresponding VPN connection rule from the VPN tunnel drop-down menu. Now the VPN tunnel and routing are configured and the user can start testing.
  • Page 13

    [12] peer-id type ip 167.35.4.3
    [13] peer-id type ip 167.35.4.3
    [14] xauth type server default deactivate
    [15] group1
    [16] exit
    Remote Gateway:
    [0] isakmp policy RemoteSite
    [1] mode main
    [2] transform-set des-md5
    [3] lifetime 86400
  • Page 14: Site To Site Vpn Solutions (Zywall 1050 Zywall Usg 300)

    4. The Local and Peer ID type and content must be the opposite and contain the same. 5. Make sure the VPN policy route has been configured in ZyWALL1050. 1.1.2 Site to Site VPN solutions (ZyWALL 1050 ZyWALL USG 300): Site to Site VPN is the basic VPN solution between a local and a remote gateway. This type of VPN connection is used to extend and join the local networks of both sites into a single intranet.
  • Page 15 ZyWALL 1050 uses the static IP address for the VPN connection. The topology is shown in the following figure. The user needs to configure the static IP address and then apply it in the VPN Gateway configuration page. The configuration steps are stated below: 6) Log in to the ZyWALL 1050 GUI, set up the ge2 interface for the internet connection and manually assign a static IP.
  • Page 16 ZyWALL1050 to send the traffic to the VPN tunnel when the traffic flows from the local subnet to a destination in the remote subnet. Switch to ZyWALL 1050 > Network > Routing > Policy Route and add a new policy route. The source and destination addresses are the local and remote subnets.
  • Page 17

    [12] peer-id type ip 167.35.4.3
    [13] peer-id type ip 167.35.4.3
    [14] xauth type server default deactivate
    [15] group1
    [16] exit
    Remote Gateway:
    [0] isakmp policy RemoteSite
    [1] mode main
    [2] transform-set des-md5
    [3] lifetime 86400
  • Page 18 8. Select the correct interface for the VPN connection. 9. The Local and Peer ID type and content must be the opposite and contain the same. Make sure the VPN policy route has been configured in ZyWALL1050.
  • Page 19: Extranet Deployment

    (figure labels: Desktop users, Check Point VPN-1) The ZyWALL 1050 can be placed as a VPN gateway in the central site. It can communicate with other ZyXEL VPN-capable products as well as VPN products from other major vendors in the network device industry, e.g. Cisco PIX/IOS VPN products, Check Point VPN Pro,...
  • Page 20 The existing ZyWALL35 or 70 central office gateway can be replaced by a ZyWALL 1050, and the ZyWALL35 or 70 moved to a remote office. The ZyWALL 1050 can provide higher VPN throughput and handle multiple VPN tunnels at the same time. To show how to build a tunnel between ZyWALL5/35/70 and ZyWALL 1050 we used ZyWALL 70 as an example.
  • Page 21 3) Log in to ZyWALL70 and go to Security > VPN > Gateway Policy, then add a new gateway policy to connect with the central office’s ZyWALL 1050. My Address and Remote Gateway Address are the ZyWALL70 and ZyWALL 1050 WAN IP addresses. The Pre-Shared Key configured on both sides must be exactly the same. Local ID Type &...
  • Page 22 Route > Policy Route and add a new policy route; the source and destination addresses are the local and remote subnets and the Next-Hop type is a VPN tunnel. Then choose the corresponding VPN connection rule from the VPN tunnel drop-down menu. Now, the VPN
  • Page 23 9) After configuring both sides of the VPN, click the Dial up VPN tunnel icon to test the VPN connectivity. 10) The “VPN tunnel establishment successful” message appears.
  • Page 24

    [13] xauth type server default deactivate
    [14] group1
    [15] exit
    ZyWALL 1050 VPN Connection:
    [0] crypto map RemoteTunnel
    [1] ipsec-isakmp LocalSite
    [2] encapsulation tunnel
    [3] transform-set esp-des-sha
    [4] set security-association lifetime seconds 86400
  • Page 25 4. The Local and Peer ID type and content must be the opposite and not of the same content. 5. Make sure the VPN policy route has been set up in ZyWALL 1050.
  • Page 26: Interoperability - Vpn With Other Vendors

    (figure label: LAN: 192.168.2.X) The central office gateway ZyWALL 1050’s interface and VPN settings remain the same as in the previous example. If you jumped to this section first, please refer to ‘ZyWALL 1050 to ZYWALL70 VPN tunnel setting’ on page 8.
  • Page 27 4) Fill in the VPN phase 1 settings according to the table listed. We don’t have to set up the ID type and content because the FortiGate accepts any peer ID. Make sure both the pre-shared key and the proposal are the same as in the ZyWALL1050.
  • Page 28 Advanced… button to edit the phase 2 proposal and source and destination address. Please make sure the phase 2 proposal is the same as in ZyWALL 1050 phase 2.
  • Page 29 Use the “Create New” button to create a new address object. 9) Switch to Firewall > Policy and click the “Insert Policy Before” icon to add a new policy for the VPN traffic from FortiGate to ZyWALL.
  • Page 30 Schedule and service type are always and ANY to ensure that all kinds of traffic can pass through the VPN tunnel at any time. Select “ACCEPT” as the action this time.
  • Page 31 2. Make sure both the IKE and IPSec proposals are the same in the local and remote gateways. 3. Make sure the VPN policy route has been configured in ZyWALL1050. 4. Make sure the Firewall rule has been configured in FortiGate.
  • Page 32: Zywall With Netscreen Vpn Tunneling

    (figure labels: LAN: 192.168.1.X, LAN: 192.168.2.X) The central office gateway ZyWALL 1050’s interface and VPN settings remain the same as in the previous example. If you jumped to this section first, please refer to ‘ZyWALL1050 to ZYWALL70 VPN tunnel setting’ on page 8.
  • Page 33 VPN traffic routing. Refer to the previous scenario or the user guide for help on setting up the ZyWALL 1050 VPN. 2) Using a web browser, log in to the NetScreen by entering the LAN IP address of the NetScreen in the URL field.
  • Page 34 ZyWALL's WAN IP address. In this example, we select the Static IP Address option and enter IP 210.110.7.1 in the text box. Enter the key string 123456789 in the Preshared Key text box, and then press the Advanced button to edit the advanced settings.
  • Page 35 Key, group1, DES for Encryption Algorithm and MD5 for Authentication Algorithm. Select the Main (ID Protection) option for Mode (Initiator). Then press the Return button, and press the OK button on the next page to save your settings.
  • Page 36 10) Give a name to the VPN, for example “ToZyWALL IPSec”. In Remote Gateway, choose the Predefined option and select the ToZyWALL rule. Then press the Advanced button to edit the advanced settings.
  • Page 37 Encryption Algorithm to DES and Authentication Algorithm to SHA1. Check the VPN Monitor check box so that you can monitor your VPN tunnels. Then press the Return button and the OK button on the next page to save the settings.
  • Page 38 13) Switch to Policies to set up policy rules for VPN traffic. In the field From choose Trust and in the field To choose Untrust (it means from LAN to WAN). Then press the New button to edit the policy rules.
  • Page 39 VPN policy for the opposite direction. Then press the OK button to save your settings. 15) After applying the settings, the new policy rules will be displayed in the Policies page.
  • Page 40 17) Ping the remote host and switch to VPNs > Monitor Status to check the VPN link status. If the Link status is Up, the VPN tunnel between ZyWALL and NetScreen has been successfully built.
  • Page 41: Zywall With Sonicwall Vpn Tunneling

    (figure labels: LAN: 192.168.1.X, LAN: 192.168.2.X) The central office gateway ZyWALL 1050’s interface and VPN settings remain the same as in the previous example. If you jumped to this section first, please refer to ‘ZyWALL1050 to ZYWALL70 VPN tunnel setting’ on page 8.
  • Page 42 2) Using a web browser, log in to the SonicWall by entering the LAN IP address of the SonicWall in the URL field. The default username and password is admin/password. 3) Switch to menu Network > Interfaces and configure the WAN/LAN IP addresses to WAN: 167.35.4.3, LAN: 192.168.2.1/24.
  • Page 43 4) Switch to VPN > Settings, check the Enable VPN check box and press the Add button. This will bring up the VPN settings. Note: The VPN Policy Wizard is an alternative way to set up the VPN rules.
  • Page 44 Address is the ZyWALL's WAN IP Address (IP address of the remote gateway). In this example, we use 210.110.7.1 in the IPSec Primary Gateway Name or Address text box. Then enter the key string 123456789 in the Shared Secret text box.
  • Page 45 Therefore, we have to create a new address object in the remote network drop-down list. Then a new address object window will pop up.
  • Page 46 Network text box and then type 255.255.255.0 in the Subnet Mask text box. Then press OK. Now that the address object has been successfully configured, the new address object “Remote_Subnet” can be selected from the destination network drop-down list.
  • Page 47 8) Switch to the Proposals tab. In the IKE (Phase1) proposal settings, select Main mode, set DH Group to Group1, Encryption to DES and Authentication to MD5. In the IPSec (Phase2) proposal settings, select ESP Protocol, Encryption to DES and Authentication to SHA1. Then press the OK button.
  • Page 48 9) Switch to the Advanced tab. In the VPN policy bound to setting, select Interface WAN. Then press the OK button. 10) The VPN status page will show a new VPN rule. Make sure the rule has been enabled.
  • Page 49 11) Ping the remote host to dial up the tunnel. We can check the connected VPN status in the VPN status page. The VPN tunnel should appear in the Currently Active VPN Tunnels page, showing that the tunnel has been successfully built.
  • Page 50: Remote Access Vpn

    ZyWALL 1050/ZyWALL USG 300 incorporates IPSec, SSL VPN and L2TP over IPSec into a single box. Customers can choose the most appropriate one for their remote access application.
  • Page 51 So we are going to complete the following tasks. In ZyWALL 1050/ZyWALL USG 300, create ‘address’ objects for both the local and remote networks. In ZyWALL 1050/ZyWALL USG 300, configure a VPN gateway and the VPN connection...
  • Page 52 Perfect Forward Secrecy (PFS): None. Below is a step by step configuration: 1) Log in to the ZyWALL 1050/ZyWALL USG 300 GUI and go to Configuration > Objects > Address to create an address object (local subnet) for remote access. 2) Create another address object for the remote host. The IP Address of the host should be 0.0.0.0, which means that the remote user dials in dynamically.
  • Page 53 4) To create a VPN rule, go to Configuration > Network > IPSec VPN > VPN Connection. Set the Policy as defined in step 1 and step 2. The Remote policy should be a dynamic host address. We set the VPN Gateway to the dynamic gateway defined in step 3.
  • Page 54 5) Go to the remote host to configure the ZyXEL VPN Client. We create a Net Connection and set the remote access subnet to 192.168.2.x.
  • Page 55 In My Identity, select local ID type as Any. Note: Do not forget to enter the Pre-Shared Key by clicking the Pre-Shared Key button.
  • Page 56 The last step is to go to Security Policy to configure the parameters for Phase 1 and Phase 2. After saving the configuration, the VPN connection should be initiated from the host site.
  • Page 57

    [5] dpd
    [6] local-ip interface ge2
    [7] peer-ip 0.0.0.0 0.0.0.0
    [8] authentication pre-share
    [9] keystring 123456789
    [10] local-id type ip 0.0.0.0
    [11] peer-id type any
    [12] xauth type server default deactivate
    [13] group1
  • Page 58 4. The Local and Peer ID type and content must be the opposite and not of the same content. 5. The Local Policy of ZyWALL 1050/ZyWALL USG 300 should be ‘dynamic single host with the value 0.0.0.0’. The VPN tunnel should be initiated from the remote host site.
  • Page 59: Ssl Vpn Application - Reverse Proxy

    ZyWALL1050 by http://192.168.1.1. Configure the ZyWALL1050’s LAN and WAN interfaces with proper IP addresses. 2) Go to menu VPN > SSL VPN and create one access privilege rule by clicking the Add icon.
  • Page 60 Then continue to create user or group objects. Here we create one user by clicking the “Add” button. Then continue to create one application object. Here we create one for the reverse proxy rule using a web application by clicking the “Add” button.
  • Page 61 Step 2. Enter the ID/password, check “log into SSL VPN” and click the Login button. Step 3. Click the Yes buttons until you see the following page, which shows the ZW_http link available in the application list.
  • Page 62 Step 1. Connect your NB to ZyWALL1050’s LAN (ge1). Get an IP address by DHCP and log in to ZyWALL1050 by http://192.168.1.1. Configure the ZyWALL1050’s LAN and WAN interfaces with proper IP addresses.
  • Page 63 Switch to menu Objects > Address and click the Add icon to add a new address. Configure a network subnet 192.168.1.0/24. Step 4. Modify the SSL rule we created for LAB1 by clicking the modify icon.
  • Page 64 Configure your NB with IP address 10.1.1.33 and connect it to ZyWALL1050’s WAN side (ge2). Open a browser and try to connect to https://10.1.1.1. Step 2. Enter the ID/password, check “log into SSL VPN” and click the Login button.
  • Page 65 Click the Yes buttons until you see the following page. You can see a small window processing the security extender rule (for network extension). Step 4. After a while, the window will show you the information about the network extension.
  • Page 66 Still try to connect to the ZW_http link. You should then be able to access the ZyWALL login page. Step 7. Try to FTP to the device and see if you can access the ZyNOS ZyWALL with an FTP tool. If
  • Page 67: Using Two-Factor Authentication To Provide Stronger Password Security

    4. Assign users to OTP tokens (on the ASAS server). 5. Configure the ASAS as a RADIUS server in the ZyWALL’s Object > AAA Server screens. 6. Give the OTP tokens to (local or remote) users.
  • Page 68: Network Topology

    LAN1 interface (ge1). Log in to the ZyWALL1050 and configure the LAN and WAN interfaces according to the network topology you plan. STEP2: Create a User Account on the ZyWALL 1050/ZyWALL USG 300 1) Move to Object > User/Group and click the “Add” button to create a new user account.
  • Page 69 1) Navigate to ZyWALL > VPN > SSL VPN and click “Add” to create an SSL VPN Application policy. Select the newly created user for the desired SSL VPN application. 2) Click the OK button to finish the configuration.
  • Page 70 1) Click ZyWALL > Object > AAA Server from the left panel and then navigate to the RADIUS page. 2) Enter the IP address of the ASAS Server in “Host” and enter the Shared Secret in “Key”. STEP 6: Configure the Authentication Method
  • Page 71 1) Log in to the ASAS server and start adding a new user via Manage Users > Add User. 2) Fill in the user name in “Login ID”. 3) Click the “Add” button to complete the configuration in this step.
  • Page 72 2) Pick an A-Key that is available from the right panel and click the “Assign” button to complete the authentication key assignment. STEP 3: Verify the A-Key is Properly Assigned to the User
  • Page 73 3) Select “PIN Set Mode” from the OTP Mode drop-down list. 4) Enter the password in the “OTP PIN” text field, 4-24 alphanumeric characters in length. 5) Re-enter the password in the “Verify OTP PIN” text field.
  • Page 74 2) Fill in the ZyWALL’s name, the IP Address of the ZyWALL and the shared secret. 3) Click the Add button to finish the NAS Device configuration.
  • Page 75 2) Click on the user account you created in the very first place and the Update User page will come up. 3) Add the ZyWALL device to the “Resource(s) Allowed” list. 4) Click the “Update User” button to complete the entire ASAS setting.
  • Page 76 1) Open a browser window and connect to the ZyWALL web GUI. 2) In the login page, enter the user name, password and the One-Time Password generated from the token. 3) Select the “Log into SSL VPN” checkbox and click the “Login” button.
  • Page 77: L2Tp Over Ipsec Application

    Once OTP works correctly, you will see the welcome message pop up as in the following example. 1.3.4 L2TP over IPSec Application Create Objects Step 1. Switch to menu Object > Address and create two objects for the later VPN connection setting.
  • Page 78 Enable the rule by clicking the enable icon. Configure the default L2TP rule in IPSec VPN Connection Step1. Switch to menu VPN > IPSec VPN > VPN Connection, click the Default_L2TP_VPN_GW entry’s Edit icon.
  • Page 79 Configure the L2TP rule Step 1. Go to menu VPN > L2TP VPN, configure it as follows. Configure Policy Route for L2TP Step 1. Go to menu Network > Policy Route, configure it as follows.
  • Page 80 Click Start > Control Panel > Network Connections > New Connection Wizard. Step 2 Click Next in the Welcome screen. Step 3 Select Connect to the network at my workplace and click Next.
  • Page 81 Step 4 Select Virtual Private Network connection and click Next. Step 5 Type L2TP to ZyWALL as the Company Name. Step 6 Select Do not dial the initial connection and click Next.
  • Page 82 VPN gateway configuration that the ZyWALL is using for L2TP VPN (10.1.1.1 in this example). Click Next. Step 8 Click Finish. Step 9 The Connect L2TP to ZyWALL screen appears. Click Properties > Security.
  • Page 83 Step 11 Select Optional encryption allowed (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK.
  • Page 84 VPN gateway configuration that the ZyWALL is using for L2TP VPN. Click OK. Step 14 Click Networking. Select L2TP IPSec VPN as the Type of VPN. Click OK. Step 15 Enter the user name and password of your ZyWALL account. Click Connect.
  • Page 85: Large-Scale Vpn Deployment

    1.4 Large-scale VPN Deployment As the business grows, the network administrator will face more and more complicated VPN topologies and applications. ZyWALL 1050/ZyWALL USG 300 supports various types of VPN topology that can meet the needs of organizations of any size.
  • Page 86: Fully Meshed Topology

    Tunnel 1: London - Madrid
    Tunnel 2: London - Paris
    Tunnel 3: London - Hannover
    Tunnel 4: London - Oslo
    Tunnel 5: Madrid - Paris
    Tunnel 6: Madrid - Hannover
    Tunnel 7: Madrid - Oslo
    Tunnel 8: Paris - Hannover
  • Page 87: Star Topology

    The ZyWALL1050 supports Star topology via the VPN concentrator feature. The VPN concentrator helps to reduce the number of VPN tunnels and allows centralized VPN tunnel management. The topology used for our VPN concentrator guide.
  • Page 88

    Remote Office
    WAN: 10.59.1.11 / LAN: 192.168.101.0/24
    WAN: 10.59.1.17 / LAN: 192.168.100.0/24
    WAN: 10.59.1.10 / LAN: 192.168.119.0/24
    Phase 1 (same on both sides)
    Negotiation Mode: Main
    Pre-share key: 123456789
  • Page 89 Configure the NL site address object for each remote office subnet. Set up an NL site address group that includes all the remote office subnets; the address object group is used as a policy route destination criterion.
  • Page 90 NL site VPN Connection status page. NL site policy route for VPN traffic: this policy route is used to indicate that the ZyWALL 1050/ZyWALL USG 300 sends the packets to the VPN tunnel.
  • Page 91

    Phase 1 (same on both sides)
    Negotiation Mode: Main
    Pre-share key: 123456789
    Encryption: DES
    Authentication: MD5
    Key Group: DH1
  • Page 92 Perfect Forward Secrecy (PFS): None (same on both sides). Set up the remote offices’ subnet address objects for the later VPN configuration. Set up the HQ VPN Gateway for all the remote sites.
  • Page 93 The VPN traffic can be routed by HQ once the VPN connection has been added to the concentrator. If this tunnel is already included in the concentrator, the user doesn’t need to add any
  • Page 94 Thus, this depends on how customers want to deploy their Global VPN network. We can add the following policy route to allow the HQ subnet to connect with all the concentrator’s remote subnets.
  • Page 96: Star-Mesh Mixed Topology

    Asia central site (Singapore), then routed again to the final destination, the Tokyo spoke site. In a Star-mesh mixed VPN topology, ZyWALL 1050/ZyWALL USG 300 acts as a regional central site (enabling Hub & Spoke VPN) and the spoke sites can be any model of the ZyWALL series.
  • Page 97 We can check the status page to confirm the correctness. Please refer to the ZyWALL5 user guide for detailed interface setting steps. The VPN configuration parameters in the Asia Region:

    Regional Center: WAN: 179.25.3.24, Local Policy: 192.168.0.0/16
    Regional Remote Site (ZyWALL5): WAN: 179.25.106.124, Local Policy: 192.168.12.0/24
  • Page 98 192.168.21.x) and ZyWALL70 (LAN subnet: 192.168.22.x) by building one VPN tunnel with the local center ZyWALL 1050/ZyWALL USG 300. Thus a separate VPN tunnel to each remote site is not needed. We will use a class B subnet (192.168.0.0/255.255.0.0) as the remote policy in order to include all the ranges the remote policies require.
  • Page 99 The VPN setup is done. Please refer to the ZyWALL5 user guide for detailed VPN setting steps. There are similar configuration steps for the ZyWALL35 interface and VPN setup. The ZyWALL35 WAN and LAN interfaces are set as follows.
  • Page 100 Please make sure to activate the “VPN rules skip applying to the overlap range of local and remote IP addresses” option before starting to set up the VPN tunnel. The VPN tunnel status page after configuring the tunnel to the local center ZyWALL 1050/ZyWALL USG 300.
  • Page 101 Perfect Forward Secrecy (PFS): None (same on both sides). Please refer to the application topology to set up the ZyWALL 1050/ZyWALL USG 300 interface first. We can move to the next steps only after setting up the interface. We use ge1 as...
  • Page 102 ZyWALL70 (192.168.22.0), it will match these two address objects’ ranges and ZyWALL 1050/ZyWALL USG 300 can do the next processing. This ZyWALL 1050/ZyWALL USG 300 is the local center of the Asia region. We need to set up the VPN tunnel between the local sites ZyWALL5 and ZyWALL35 and the Europe region center ZyWALL 1050/ZyWALL USG 300.
  • Page 103 Follow the VPN parameter tables to set up the three VPN gateways (IKE / IPSec Phase 1). For detailed steps please refer to the ZyWALL 1050/ZyWALL USG 300 user guide. We have to configure a secondary security gateway for the VPN gateway between both of the regional centers’...
  • Page 104 Give a name to this concentrator and then click the add icon to make the existing VPN connection a member of this concentrator. The remote regional center ZyWALL 1050/ZyWALL USG 300 VPN connection is also treated as a member of this concentrator and the packets will be sent to the remote center first...
  • Page 105

    Phase 1 (same on both sides)
    Negotiation Mode: Main
    Pre-share key: 123456789
    Encryption: DES
    Authentication: MD5
    Key Group: DH1
  • Page 106 Remember to activate the “VPN rules skip applying to the overlap range of local and remote IP addresses” option before configuring the VPN tunnel. Follow the VPN parameter table to configure the VPN tunnel. ZyWALL70 WAN and LAN interface settings.
  • Page 107 Remember to activate the “VPN rules skip applying to the overlap range of local and remote IP addresses” option before configuring the VPN tunnel. Follow the VPN parameter table to configure the VPN tunnel.
  • Page 108 Perfect Forward Secrecy (PFS): None Perfect Forward Secrecy (PFS): None Please refer to the application topology to setup the ZyWALL 1050/ZyWALL USG 300 interface first. Then we can move to setting the VPN. All contents copyright (c) 2007 ZyXEL Communications Corporation.
  • Page 109 We have to pre-configure some address objects for the later VPN configuration requirements. The needed address objects list is as follows. This ZyWALL 1050/ZyWALL USG 300 is the local center of Europe region. We need to setup the VPN tunnel between local sites ZyWALL 2 Plus and ZyWALL70 and Asia region center ZyWALL 1050/ZyWALL USG 300.
  • Page 110 VPN concentrator. Switch to the Concentrator sub menu and click the Add icon to add a new concentrator. Assign a name to this concentrator and then click the add icon to make the existing VPN become the member of this concentrator. All contents copyright (c) 2007 ZyXEL Communications Corporation.
  • Page 111 ZyWALL 1050/ZyWALL USG 300 Support Notes The remote regional center ZyWALL 1050/ZyWALL USG 300 VPN connection is also treated as a member of this concentrator and the packets will be sent to the remote center first and then following the remote concentrator setting will be routed to the destination sites where the traffic destination is the site allocated under remote VPN concentrator.
  • Page 112: Access Via Central Site

    1.5 Access via Central Site 1.5.1 VPN Tunnel to Central Site (ZyWALL 70 to ZyWALL 1050/ZyWALL USG 300) The idea of this scenario is to redirect all the outgoing traffic originating from the branch office to the main office via the VPN tunnel so that the network administrator can manage and control the traffic or apply additional secure access control or inspection.
  • Page 113 ZyWALL1050 B, which is the internet connection gateway of the main office. Thus, ZyWALL1050 A will route the traffic from the VPN tunnel and send it to the appropriate place for the packet destination.
  • Page 114 Phase 1 (both peers): Negotiation Mode: Main; Pre-share key: 123456789; Encryption: DES; Authentication: MD5; Key Group: DH1.
  • Page 115 1) Log in to the ZyWALL1050 A GUI and go to Configuration > Network > Interface > Ethernet and configure the IP settings as shown in the topology. 2) Go to Configuration > Object > Address to create an address object for all the incoming traffic.
  • Page 116 Security Gateway Address and 123456789 as the Pre-Shared Key. For the other parameters, we leave them at their defaults. There are no special settings for these parameters; the main concern is to let the VPN peers match each other.
  • Page 117 Here, we assume the peer subnet is 192.168.1.x and select the default address object ‘VPN_LAN_SUBNET’ to meet our requirements.
  • Page 118 LAN host to the internet, thus the next-hop will be ge3, which is connected to the internet gateway ZyWALL 1050/ZyWALL USG 300 B. The third rule is for the traffic coming from the VPN tunnel whose destination is the internet. The next-hop will again be ge3.
  • Page 119 [0] crypto map zw70tunnel [1] ipsec-isakmp zw70 [2] encapsulation tunnel [3] transform-set esp-des-sha [4] set security-association lifetime seconds 86400 [5] set pfs none [6] no policy-enforcement [7] local-policy wholerange [8] remote-policy VPN_LAN_SUBNET [9] no nail-up
  • Page 120 2) Go to Security > VPN to set the IKE rules. We put 172.23.23.1 as My Address, 172.23.23.2 as the Remote Gateway address and 123456789 as the Pre-Shared Key. For the other parameters, we set them to match those set in ZyWALL1050 A.
  • Page 121 Go to the Associated Network Policies of this rule to configure the IPSec rule. Please note that the Remote Network should be within the 0.0.0.0-255.255.255.255 range.
  • Page 122 1) Log in to the ZyWALL1050 A GUI and go to Configuration > Network > Interface > Ethernet and configure the IP settings as shown in the topology. 2) We have to add one more policy route for the traffic from DMZ (ge4) to the internet
  • Page 123 (WAN_TRUNK). After we finish the settings in ZyWALL 70 and ZyWALL 1050 (ZyWALL USG 300) A and B, the setup is complete. The CLI commands for this application: Policy Route: [0] policy 1 [1] no deactivate...
  • Page 124: Multiple Entry Point (Mep)

    1.6 Multiple Entry Point (MEP) To ensure high reliability and high availability of Headquarters’ network access for branch offices or teleworkers, ZyWALL 1050/ZyWALL USG 300 supports the multiple entry points application to bring the following benefits: 1. Ensuring the network path is always available – if the primary network path fails, users can access the same resources via a backup path 2.
  • Page 125 2 Plus, which supports the VPN HA and Dial Backup functions. When the primary WAN access to the VPN tunnel is down, ZyWALL1050 will trigger the dial-up backup and establish a VPN tunnel with the second secure gateway, another ZyWALL1050 located at the branch office.
  • Page 126 One ZyWALL 2 Plus; Two ZyWALL 1050/ZyWALL USG 300; One ES-4024A; One modem connecting to the ZyWALL 2 Plus’s AUX port (e.g. ZyXEL omni.lite com+); One FTP server; One PC behind the ZyWALL 2 Plus. Now, we are going to complete the following main tasks: 1.
  • Page 127 (VPN parameter table, three columns) Subnet: 192.168.1.0 / 192.168.3.0 / 192.168.3.0. SNAT: Change 192.168.3.0 → 192.168.1.0 into 192.168.30.0 → 192.168.1.0 / Change 192.168.3.0 → 192.168.1.0 into 192.168.31.0 → 192.168.1.0. Phase 1: Negotiation Mode Main / Main / Main; Pre-share key 123456789 / 123456789 / 123456789; Encryption; Authentication; Key Group.
  • Page 128 See the following step-by-step configuration: 1. Configuration on ZyWALL 1050-A (ZyWALL USG 300-A) (1) LAN/WAN Network Setting Log in to ZyWALL-A’s GUI, go to menu Configuration > Network > Interface. Modify ge2’s IP address to 59.124.163.154 with subnet 255.255.255.224 and gateway 59.124.163.129.
  • Page 129 9. Create one more to indicate ZyWALL-A’s ge2 (WAN) IP address for firewall rule usage, which allows ZyWALL-A’s ge2 to be pinged from the ZyWALL 2 Plus and to respond to the ping. Name: ge2_IP Host, 59.124.163.154/255.255.255.255
  • Page 130 Step2. Create an IKE rule 1. Go to menu Configuration > Network > IPSec VPN, switch to 'VPN Gateway' 2. Create a new IKE by clicking the '+' icon 3. Fill out the fields as follows.
  • Page 131 CLI commands for reference: [0] isakmp policy IKE1 [1] mode main [2] transform-set des-md5 [3] lifetime 86400 [4] no natt [5] dpd [6] local-ip interface ge2 [7] peer-ip 0.0.0.0 0.0.0.0
  • Page 132 Step3. Configure the IPSec rule 1. Go to menu Configuration > Network > IPSec VPN, switch to 'VPN Connection' 2. Create a new IPSec by clicking the '+' icon 3. Configure the VPN setting as shown below.
  • Page 133 192.168.1.0 network to the 192.168.30.0 network. And we will also configure ZyWALL-B later to change the VPN traffic from the 192.168.3.0 network which will go to the 192.168.2.0 network to the 192.168.31.0 network. CLI commands for reference
  • Page 134 ZyWALL-B to return via the original path. Define that all the traffic from the 192.168.1.0 network that wants to go to 192.168.31.0 is routed by the gateway, the host 192.168.1.254. The configuration is as shown below.
  • Page 135 Traffic path: FTP server → ZyWALL-A’s ge2 (which will redirect the traffic to another host) → 192.168.1.254 (which is ES-4024A’s VLAN3 route-domain IP address) → ZyWALL1050-B → ZyWALL 2 Plus → the PC behind the ZyWALL 2 Plus.
  • Page 136 After the configuration is done, you will see two policy routes as shown below. CLI commands for reference: [0] policy 1 [1] no deactivate [2] no description [3] no user [4] interface ge1
  • Page 137 Go to GUI menu Security > Firewall. Enable Firewall: On. Choose To-ZyWALL rules and click “+” at the right side to add a new rule. Fill out the information as follows and then click the “Apply” button.
  • Page 138 The new firewall rule is available as shown below.
  • Page 139 5. Create another one for the dynamic remote network. Name: Remote_ANY Subnet, 0.0.0.0/0.0.0.0 6. Create one more for the IP domain interface on ES-4024A’s VLAN3. Name: HOST_192_168_2_254 Host, 192.168.2.254/255.255.255.255 CLI commands for reference: [0] address-object Local_192_168_2 192.168.2.0 255.255.255.0
  • Page 140 Step2. Create an IKE rule 1. Go to menu Configuration > Network > IPSec VPN, switch to 'VPN Gateway' 2. Create a new IKE by clicking the '+' icon 3. Fill out the fields as follows.
  • Page 141 CLI commands for reference: [0] isakmp policy IKE1 [1] mode main [2] transform-set des-md5 [3] lifetime 86400 [4] no natt [5] dpd [6] local-ip interface ge2 [7] peer-ip 0.0.0.0 0.0.0.0
  • Page 142 Step3. Configure the IPSec rule 1. Go to menu Configuration > Network > IPSec VPN, switch to 'VPN Connection' 2. Create a new IPSec by clicking the '+' icon 3. Fill out the fields as follows
  • Page 143 Note that we use Source NAT to change the VPN traffic from 192.168.3.0, which goes to the 192.168.1.0 network, to the 192.168.31.0 network. CLI commands for reference [0] crypto map IPsec1 [1] ipsec-isakmp IKE1
  • Page 144 ZyWALL-A’s LAN network will be routed to. Define that all the traffic that wants to go to the 192.168.1.0 network will be routed by the gateway, the host 192.168.2.254. The configuration is as shown below.
  • Page 145 After the configuration is done, you will see two policy routes as shown below. CLI commands for reference: [0] policy 1 [1] no deactivate
  • Page 146 [3] no user [4] no interface [5] no tunnel [6] source any [7] destination Local_192_168_1 [8] no schedule [9] service any [10] next-hop gateway HOST_192_168_2_254 [11] no snat [12] no bandwidth [13] exit
  • Page 147 2. Telnet or log in to the ZyWALL 2 Plus console and switch to menu 24.8 to enable the pingcheck to detect the WAN connection availability. - Execute the CLI command: sys rn pingcheck 1 3. Add the CLI command to autoexec.net to keep it enabled even after a device reboot.
  • Page 148 (4) VPN Setting 1. Switch to GUI menu Security > VPN, click the ‘+’ icon as follows to add a VPN-IKE rule. 2. Configure the VPN-IKE setting on the ZyWALL 2 Plus as follows.
  • Page 149 3. On the same page of menu Security > VPN, click the icon to add a VPN-IPSec rule.
  • Page 150 4. Configure the IPSec rule as follows.
  • Page 151 1. Log in to ES-4024A’s GUI menu Advanced Application > VLAN > Static VLAN link. 2. Add vlan2 (including ports 9-16, Fixed, Untag when Egress process) and vlan3 (including ports 17-24, Fixed, Untag when Egress process). Then click the Add button.
  • Page 154 3. Switch to menu Advanced Application > VLAN > VLAN Port Setting link. Configure PVID equal to 2 for ports 9~16 and PVID equal to 3 for ports 17~24 as shown below. Then click the Apply button.
  • Page 155 1. Enter the ES4024A’s GUI, go to menu Routing Protocol > Static Routing. 2. Define that the traffic that wants to go to the 192.168.31.0/24 network will be routed by the gateway 192.168.2.1. The configuration is as shown below.
  • Page 156 3 normal "" fixed 17-24 forbidden 1-16,25-28 untagged 1-28 ip address 192.168.2.254 255.255.255.0 exit interface port-channel 9 pvid 2 exit interface port-channel 10 pvid 2 exit interface port-channel 11 pvid 2
  • Page 157 3 exit interface port-channel 19 pvid 3 exit interface port-channel 20 pvid 3 exit interface port-channel 21 pvid 3 exit interface port-channel 22 pvid 3 exit interface port-channel 23 pvid 3 exit
  • Page 158 Keep pinging from the PC (e.g. IP 192.168.3.33) behind the ZyWALL 2 Plus to the FTP server (e.g. IP 192.168.1.33); it will be reachable after the primary VPN tunnel is up. See the screen capture of the ZyWALL 2 Plus’s log as shown below.
  • Page 159 HASH-DEL packet out. (However, since the Internet access is down, ZyWALL-A won’t receive those HASH-DEL packets.) The dial backup starts right away.
  • Page 160 The screen capture below shows that the dial backup gets the dynamic IP 218.32.98.40. And the IPSec HA takes action after several IKE packets are sent without any packet returned.
  • Page 161 Then the ZyWALL 2 Plus tries to establish a VPN tunnel with ZyWALL-B (59.124.163.155).
  • Page 162 Finally, the VPN tunnel has been successfully established with ZyWALL-B, and the PC behind the ZyWALL 2 Plus can then ping the FTP server. See the screen capture shown below.
  • Page 163: Device Ha Together With Vpn Ha

    ‧ Mitigates the impact of a Single Point of Failure Below is the application topology. The L3 switch is configured with three VLANs to simulate the internet environment, and the traffic can be routed between each VLAN.
  • Page 164: Device Ha

    The default LAN subnet is combined with ge1 and the default IP is 192.168.1.1. Please connect to ge1 and the ZyWALL will dispatch an IP to your PC. Then we can start to set up the basic interface and routing settings.
  • Page 165 Step1. Log in to the device and check the device status. Step2. We can check all the interface information on the Status display page. Step3. Set up the WAN1, WAN2, LAN and DMZ interface IP parameters as in the demo topology. (Interface table: WAN1, WAN2, Reserved)
  • Page 166 The default interface configuration is as follows. We will configure ge2, ge3, ge4 and ge1 in turn. The user needs to click the “Edit” icon to modify the setting. ge2 Fixed IP: 220.123.123.2/255.255.255.0 Gateway: 220.123.123.1 (ZyWALL > Network > Interface > Edit > ge2)
  • Page 167 ge3 Fixed IP: 220.123.133.2/255.255.255.0 Gateway: 220.123.133.1 (ZyWALL > Network > Interface > Edit > ge3) ge4 Fixed IP: 192.168.20.254/255.255.255.0 DHCP server (ZyWALL > Network > Interface > Edit > ge4)
  • Page 168 ge1 Fixed IP: 192.168.10.254/255.255.255.0 DHCP server (ZyWALL > Network > Interface > Edit > ge1)
  • Page 169 The WAN zone is bound to ge2 and ge3, and the DMZ zone is bound to ge4 and ge5. Thus, we need to modify the DMZ zone to bind ge4 only. This is an optional setting that won’t affect the whole application. Click the “Remove” icon to delete ge5 under the DMZ zone.
  • Page 170 Step1. Switch to ZyWALL > Objects > Address > Address and you will find there is one default LAN_SUBNET address object. Change the address from 192.168.1.0 to 192.168.10.0 to configure the new LAN IP. The
  • Page 171 There is one default policy route from LAN for the traffic outgoing to the network behind WAN. Switch to ZyWALL > Network > Routing > Policy Route or Static Route to check the routing settings. The user can click the “Edit” icon to check the detailed settings
  • Page 172 Backup ZyWALL cables to the L3 and L2 switch and then synchronize the configuration from the Master. The Device HA will be ready after this and the Backup ZyWALL will take over when the Master ZyWALL fails.
  • Page 173 Device HA status of the rest of the non-failed interfaces will turn into “fault”. This design guarantees the backup ZyWALL can correctly detect the failure event from the master ZyWALL. Secondly, click the “add” icon to add a new VRRP GROUP.
  • Page 174 Set up the ge1 (LAN) VRRP group. Set up the ge2 (WAN1) VRRP group.
  • Page 175 Set up the ge3 (WAN2) VRRP group. Set up the ge4 (DMZ) VRRP group.
  • Page 176 Between the Master and Backup roles, the difference in settings is the Management IP configuration. The Backup ZyWALL will copy all the settings from the Master ZyWALL, so we need a management IP to access and configure the Backup ZyWALL.
  • Page 177 Switch to ZyWALL > Device HA > Synchronize and enter the Master ZyWALL admin account password. Input the LAN IP address of the Master ZyWALL in the “Synchronize from” option and set the auto synchronize interval. Then click the “Apply” button to save the configuration.
  • Page 179 Step5. Switch to the “Synchronize” page again and click the “Sync. NOW” button to start configuration synchronization from the Master ZyWALL to the Backup ZyWALL immediately. Sync process in action. Sync successful notification window.
  • Page 180 Step6. Check the system status page. You will see that the Master ZyWALL’s configuration has been synchronized to the Backup ZyWALL and we can continue to set up the remaining three VRRP groups. Set up the ge2 (WAN1) VRRP group.
  • Page 181 Set up the ge3 (WAN2) VRRP group. Set up the ge4 (DMZ) VRRP group. After these steps, the Device HA configuration is done.
  • Page 182: Vpn Ha

    As My Address, we use Domain Name 0.0.0.0, defining a dynamic source, as this VPN gateway will be accepting the traffic from ge2 (WAN1) and ge3 (WAN2).
  • Page 183 Set up the DNS “ZyWALL 1050” and “ZyWALL 2” as the Local and Peer ID type. Step3. We have to add the local and remote address policies in the address objects first. Then we can configure these address objects in the VPN connection settings. We will use the LAN subnet and the DMZ subnet as the VPN local policy and we also need to add the address object for the remote subnet.
  • Page 184 Set the 192.168.1.0/24 subnet as the remote address object and name it “VPN_REMOTE_SUBNET”. Go back to the overview of the address object page (ZyWALL > Object > Address > Address) and confirm that the address objects have been correctly set up.
  • Page 185 Set up the VPN connection for RANGE (LAN and DMZ) subnet access. Step5. Add Policy Route for VPN traffic. We have to set up the policy route for routing the VPN traffic to LAN and DMZ.
  • Page 186 Step6. Connect the PC to the ZyWALL 2 Plus and set the VPN settings. In this step, we have to configure two VPN policies for the remote ZyWALL 1050/ZyWALL USG 300 LAN subnet and DMZ subnet. Log in to the ZyWALL 2 Plus and switch to the VPN configuration page.
  • Page 187 Click the Add icon to edit the VPN Network Policy. Set up the VPN policy for the local LAN subnet (192.168.1.0/24) and set the Remote address type to “Range Address” with its IP range from 192.168.10.0 to 192.168.20.255. Click Apply to save the configuration.
  • Page 188 We will see the new VPN tunnel listed on the VPN status page after configuring the VPN tunnel. Ping the remote subnet to trigger the VPN tunnel.
  • Page 189: Voip Over Vpn

    (Topology figure labels: VoIP ATA, VoIP ATA, ZyWALL 70, ZyWALL.) VoIP calls can be protected by VPN; server farm deployment to provide... The VoIP line deployment between different offices is more and more popular. This
  • Page 190 ‧ Prevent identity theft (VoIP over VPN) ‧ Mitigate the impact of denial of service. We use a simple topology to illustrate and show, step by step in the following notes, how ZyWALL 1050/ZyWALL USG 300 can protect the VoIP line.
  • Page 191 Switch to the Maintenance menu and check what IP address was granted by the ZyWALL 1050/ZyWALL USG 300. Connect to the other P2002 GUI and repeat the same steps to find out its IP address.
  • Page 192 1. Set up the SIP Number in the Branch Office. 2. Set up the SIP Number in the Main Office.
  • Page 193 ATA and then click the Add button to add this record to the Speed Dial Phone Book. 4. Set up the Main Office SIP number and IP address in the Branch Office’s P2002’s PHONEBOOK menu. The remote office SIP info will show up in the Speed Dial Phone Book
  • Page 194 Main Office ZyWALL 1050/ZyWALL USG 300 Configuration: 1. Log in to the ZyWALL 1050/ZyWALL USG 300 Web GUI and set up the WAN and LAN interface as shown on the previous topology diagram.
  • Page 195 4. Switch to ZyWALL > Configuration > Network > IPSec VPN > VPN Connection and add a new VPN connection. The local and remote policies are the Address objects LAN_SUBNET and zw70VPN_LAN.
  • Page 196 5. Switch to ZyWALL > Configuration > Policy > Route > Policy Route to add a policy route for routing the local subnet traffic to the remote branch office subnet via the tunnel - zw70VPN.
  • Page 197 7. First, we can configure the firewall rule to prevent unauthorized access from other zones, and we can also add more granular access control rules. Criteria can be different users, sources or services.
  • Page 198 [7] show idp profiles [8] show service-register status idp [9] show idp activation Branch Office ZyWALL70 Configuration: 1. Log in to the ZyWALL70 Web GUI and set up the ZyWALL70 WAN and LAN interface as
  • Page 199 shown in the previous topology diagram. 2. Configure the VPN tunnel for connecting with the ZyWALL 1050/ZyWALL USG 300. We can start to enjoy the VoIP phone line convenience and cost saving without security issues after the VPN connection and security policy enforcement have been deployed in the network environment.
  • Page 200: Security Policy Enforcement

    Besides, restricting access to IM/P2P applications can help employees focus on their jobs, increasing productivity and reducing misuse of network resources, e.g. bandwidth. 2.1.2 What does ZyWALL 1050/ZyWALL USG 300 provide for managing IM/P2P
  • Page 201: Applications

    For example, both the malicious/suspicious packets from WAN to LAN (known as an attack) and the traffic coming from DMZ to LAN (normal traffic) will be treated as an attack.
  • Page 202 Sales: Can use the instant messaging application (MSN) for text messaging and file transfer purposes. The application is allowed during a certain period of time, between 8:00~18:00, with a bandwidth limitation of 500K bps. RD: Allows instant messaging chat but file transfer within the period 8:00~20:00. Bandwidth
  • Page 203 (User policy table; columns User / Group / Schedule / Bandwidth: Victor, Manager, Unlimited; Peter, Sales, 08:00-18:00, 500k; John, 08:00-20:00; Guest, Guest.) 2. Navigate to ZyWALL > Object > User/Group > User tab and add the user ‘Victor’ as in the screen dump.
  • Page 204 [0] groupname Manager-Group [1] description Manager group [2] user Victor [3] exit 4. Create three more groups called ‘Sales-Group’, ‘RD-Group’ and ‘Guest-Group’. Add ‘Peter’ to the Sales group and ‘John’ to the RD group.
  • Page 205 Go to menu ZyWALL > Object > Schedule, click the Add button under the Recurring schedule to create a new schedule as follows. Click the ’OK’ button to complete these settings and repeat the above steps to create a new schedule for RD-Group.
  • Page 206 STEP 3: AppPatrol Configuration 1. Navigate to ZyWALL > AppPatrol and check ‘Enable Application Patrol’. 2. Go to the Instant Messenger tab and click the ‘Modify’ button on MSN for further configuration. 3. Enable the service.
  • Page 207 2. Change the default access to ‘Reject’ and then click ‘OK’ 3. Create a new application policy rule by clicking the ‘+’ icon and fill out the setting as in the figure shown below. Application Policy for Manager-Group
  • Page 208 Application Policy for Sales-Group. Application Policy for RD-Group.
  • Page 209 4. Press the ‘OK’ button to complete the setting.
  • Page 210: Zone-Based Anti-Virus Protection

    2.2 Zone-based Anti-Virus Protection 2.2.1 Applying Zone-Based Anti-Virus to ZyWALL 1050/ZyWALL USG 300 (Policy table; columns Priority / From / Protocol; protocols listed: HTTP, FTP, SMTP, POP3, IMAP4, SMTP; some cells marked “Don’t need to check”.) In this example, there are 3 zones in total: WAN, LAN and DMZ.
  • Page 211 1) Log in to the GUI of the ZyWALL 1050/ZyWALL USG 300 and navigate to Configuration > Network > Interface > Ethernet. Assign GE1 as LAN, GE2 as WAN, and GE5 as DMZ. Click “edit” to configure GE2.
  • Page 212 2) The final summary of the Ethernet Interfaces should look like the example below.
  • Page 213 DMZ. 4) Create 3 policies: WAN to LAN, WAN to DMZ, and LAN to DMZ. Navigate to Anti-X > Anti-Virus. In the Policies section, click the “Add” button. WAN to LAN
  • Page 214 WAN to DMZ. LAN to DMZ.
  • Page 215 6) Send an email containing a virus from LAN to the mail server in DMZ. 7) Check the log file again from Maintenance > Log. Sort the log by selecting Anti-Virus from the Display drop-down list. We can see the viruses have been destroyed correctly.
  • Page 216: Enabling Black And White List

    2) Check the Enable checkbox and enter the file name in the File Pattern field. In this example, we try to destroy a file named “Virus.exe”, so we enter it in the field.
  • Page 217 3) Check “Enable the Black List” on the Setting page and press the “Apply” button. 4) Send an email with the attached file “Virus.exe” to examine the functionality of the Black List. 5) Check the system log from Maintenance > Log and select Anti-Virus from the Display drop-down list.
  • Page 218: Enabling Anti-Virus Statistics Report

    1) Navigate to Maintenance > Report, click the Anti-Virus tab and check the Collect Statistics checkbox. 2) Click the Apply button. 3) Send an email to from the LAN. 4) Check the Anti-Virus statistics report from the Anti-Virus tab by navigating to Maintenance > Report.
  • Page 219: Managing Wlan

    We recommend that the Wireless AP be isolated from your Intranet. Also, there must be a mechanism to centrally manage access privileges and access credentials regardless of whether the clients are wired or wireless.
  • Page 220 Interface name is vlan10 (same as the vlan tag id for its not being confusing). Choose ‘ge5’ for physical port interface that we want to bind with. Virtual VLAN Tag is 10. Give it a clear description. Use the fixed IP address with 192.168.10.1/24. All contents copyright (c) 2007 ZyXEL Communications Corporation.
  • Page 221 Leave the other fields at their defaults and press the ‘ok’ button. Step2. Define WLAN zones. Go to menu Network > Zone. Define a zone for wireless and bind it to interface “vlan10”.
  • Page 222 2. Go to menu User/Group > Setting > Force User Authentication Policy and click ‘+’ to force all packets from the wireless network to be redirected to the authentication page.
  • Page 223 Step4. Configure the LDAP server information.
  • Page 224 2. Work with the LDAP server administrator to create users/groups with the lease time and re-authentication time attributes configured. 3. Go to menu User/Group > User and configure the user “ldap-users” for “non-employees” by clicking the modify icon.
  • Page 225 [3] username ldap-users logon-re-auth-time 30 Corresponding CLI commands for your reference: [0] username ldap-employee user-type ext-user [1] username ldap-employee description External User [2] username ldap-employee logon-lease-time 1440 [3] username ldap-employee logon-re-auth-time 1440
  • Page 226 3. Go to menu System > WWW and make sure the authentication method is the profile we just modified. (That is, if you created another profile that is not named ‘default’, you have to choose it here.)
  • Page 227 1. Go to menu Network > Firewall. 2. Enable the firewall and choose the zone pairs from the “Wireless_Zone” we just created to each other zone. Here we configure the pair to zone “WAN” first. 3. Click ‘+’ to add rules.
  • Page 228 4. Configure a rule to allow employee access from the source “wireless network” to “any” in WAN. Corresponding CLI commands for your reference: [0] firewall 8 [1] no schedule [2] user ldap-employee [3] sourceip Wireless [4] no destinationip
  • Page 229 6. After this, you will see the results as in the figure below. Click the Apply button. Corresponding CLI commands for your reference: [0] firewall activate [1] no firewall asymmetrical-route activate [2] firewall 8 [3] activate [4] exit [5] firewall 9 [6] activate [7] exit
  • Page 230 7. Continue to configure WLAN-to-LAN, WLAN-to-DMZ and WLAN-to-WLAN. These are accessible to employees only. See the following figures.
  • Page 231: Employee Internet Management (Eim)

    Regulatory compliance: get rid of pornographic or violent web content that may bring legal issues. 2.4.2 EIM on ZyWALL 1050/ZyWALL USG 300. ZyWALL 1050/ZyWALL USG 300 supports EIM through the following features. Flexible access policy: provides the Enforce Access policy with granularity. Always up to date: queries a dynamically updated URL database...
  • Page 232 Step1. Make sure Internet access has been configured correctly from a PC behind ZyWALL 1050/ZyWALL USG 300. By default, the ge2 and ge3 WAN ports of ZyWALL 1050/ZyWALL USG 300 get their IP address from the ISP or from the DHCP server in front of ZyWALL 1050/ZyWALL USG 300.
  • Page 233 Connect an Ethernet cable to ZyWALL 1050/ZyWALL USG 300 ge2 or ge3 and check on the GUI Home page whether ZyWALL 1050/ZyWALL USG 300 gets an IP address. Make sure ZyWALL 1050/ZyWALL USG 300 can access the Internet using CLI commands via console or telnet.
  • Page 234 Step2. Log in to the ZyWALL 1050/ZyWALL USG 300 GUI and go to menu Registration. Complete the user, product, and Content Filter service registration on myZyXEL.com. Here, enabling the Content Filter service by activating the trial period is shown. If you are new to myZyXEL.com registration, choose ‘Create a new user’.
  • Page 235 Define all matched and unrated web pages that should be blocked and logged. Here, we choose to apply the block action to the Pornography category. Click the OK button. Click the modify icon to configure the trusted website list.
  • Page 236 Switch to the Customization tab and enable web site customization. Add a website, www.zyxel.com for example, to the trusted websites. Click the OK button. Then follow a similar configuration to create another filtering profile for the Sales department.
  • Page 237 For example, we add an extra access restriction on websites with ActiveX and Cookies features, as configured in the figure below. Click the OK button. After it is done, you will see two profiles as shown below.
  • Page 238 [13] content-filter profile Sales-profile custom trust www.zyxel.com Step4. Switch to menu Configuration > Object > Address and create two Address Objects to define the IP address ranges for the Engineer and the Sales department.
  • Page 239 Step5. Switch to the Content Filter > General tab and enable the Content Filter. Add two filtering profiles as shown below. CLI commands for reference: [0] content-filter block message The web access is restricted.
  • Page 240 [2] content-filter policy insert 1 none any Sales-IP-range Sales-profile [3] content-filter activate Then, when Engineers surf the Internet from behind ZyWALL 1050/ZyWALL USG 300, their HTTP requests are inspected by the Engineer filter profile, whereas the Sales department’s Internet access is inspected by the Sales filter profile.
  • Page 241: Seamless Incorporation

    With a transparent firewall, you do not need to change the IP addressing scheme of your existing network topology. All you need to do is insert ZyWALL 1050/ZyWALL USG 300 into your existing network environment and bridge the ports that need to be included in the bridge interface.
  • Page 242 To make this scenario work, follow the configuration steps stated below: 1) Log in to the ZyWALL 1050/ZyWALL USG 300 GUI and set up the ge2 interface for the Internet connection, manually assigning a static IP. The configuration path is ZyWALL >...
  • Page 243 3) Switch to Configuration > Policy > Route > Policy Route to modify the default rule there. The default rule is for Router Mode (NAT Mode). Since we have two different modes co-existing here, we need to make some adjustments to this rule.
  • Page 244 [1] no deactivate [2] no description [3] user admin [4] interface ge1 [5] source LAN_SUBNET [6] destination any [7] no schedule [8] service any [9] next-hop interface br1 [10] snat outgoing-interface [11] no bandwidth
  • Page 245 [12] exit Tips for application: Disable the Firewall to test the connectivity. Every time you make a change, do not forget to click the “apply” button.
  • Page 246 DMZ zone. To make this scenario work, follow the configuration steps stated below: 1) Log in to the ZyWALL 1050/ZyWALL USG 300 GUI and set up the ge2 interface for the Internet connection, manually assigning a static IP. Log in to the ZyWALL 1050/ZyWALL USG 300 GUI and go to Configuration >...
  • Page 247 192.168.1.55 map-type port protocol tcp original-port 80 mapped-port 80 3) Switch to Configuration > Objects > Address and add a new address object for your Web server. CLI to create an address object: [0] address-object WebServer 192.168.1.55
  • Page 248 [8] to LAN [9] log [10] activate [11] description WebServerFW [12] exit Tips for application: Do not forget to place your rule before the default “Deny all” rule in the WAN-to-LAN direction.
  • Page 250: Zone-Based Idp Protection

    3.2 Zone-based IDP Protection. ZyWALL 1050/ZyWALL USG 300 comes with a state-of-the-art Intrusion Detection Protection System (IDP) which provides comprehensive and easy-to-use protection against current and emerging threats at both the application and network layers. Using industry-recognized, state-of-the-art detection and prevention techniques;...
  • Page 251 IDP profiles to them. Here are the steps: 1) Log in to the ZyWALL 1050/ZyWALL USG 300 GUI and go to Configuration > Network > Interface > Ethernet. Since we are going to have three internal networks in our scenario, we will make GE4 and GE5 two more networks, for DMZ and LAN2.
  • Page 252 Tips: You do not need a Gateway here, since this interface is directly connected to ZyWALL 1050/ZyWALL USG 300.
  • Page 253 Since we need GE5 for our LAN2 Zone, we will need to remove the interface GE5 from the DMZ Zone. Click the “edit” icon of the DMZ Zone and then click the “remove” icon of the GE5 interface.
  • Page 254 13) Enter the name “LAN2” and click the “+” icon again to bind the interface to this Zone. Now we have only one interface in this Zone, so there is no intra-zone traffic to consider.
  • Page 255 14) Since GE5 is the only interface left, GE5 will be selected automatically. Finally, click “OK” to apply the new setting. 15) Before you apply the IDP profiles, you need to make sure that the IDP Service on your ZyWALL 1050/ZyWALL USG 300 is licensed.
  • Page 256 16) If your IDP is not licensed, go to the Registration page. You can either log in using your existing myZyXEL.com account or apply for a new one. Each ZyWALL 1050/ZyWALL USG 300 comes with a 30-day free trial of the IDP Service. Just register your ZyWALL 1050/ZyWALL USG 300 and your ZyWALL will receive the license automatically.
  • Page 257 [1] ip address 192.168.2.1 255.255.255.0 [2] ping-check default-gateway [3] ping-check default-gateway period 30 [4] ping-check default-gateway timeout 5 [5] ping-check default-gateway fail-tolerance 5 [6] no ping-check activate [7] exit [8] router rip [9] exit
  • Page 258 CLI commands for removing GE5 from the DMZ Zone: [0] zone DMZ [1] block [2] no interface ge4 [3] no interface ge5 [4] interface ge4 [5] exit CLI commands for creating the LAN2 Zone: [0] zone LAN2 [1] no block
  • Page 259 CLI commands for activating the IDP service: [0] idp activate [1] idp zone LAN activate [2] no idp zone WAN activate [3] idp zone DMZ activate [4] no idp zone LAN2 activate
  • Page 260: Networking Partitioning Using Vlan

    With ZyWALL 1050/ZyWALL USG 300, you can run a maximum of thirty-two VLANs, which makes network partitioning very easy. However, a VLAN-capable L2 switch is required in front of ZyWALL 1050/ZyWALL USG 300 to create the VLAN tags.
  • Page 261 To make this scenario work, please follow the configuration steps stated below: 1) Log in to the ZyWALL GUI and go to Configuration > Network > Interface > VLAN. Then click “+” to add a new VLAN interface.
  • Page 262 2) Fill in the information such as Interface name, port, VLAN tag and Description. You can also choose either to get an IP automatically for this interface or to assign a static one. ZyWALL 1050/ZyWALL USG 300 also supports a DHCP Server or Relay per VLAN interface; you can change this in the DHCP Setting section.
  • Page 263 [7] mtu 1500 [8] ip address 192.168.169.1 255.255.255.0 [9] ping-check default-gateway [10] ping-check default-gateway period 30 [11] ping-check default-gateway timeout 5 [12] ping-check default-gateway fail-tolerance 5 [13] no ping-check activate [14] exit
  • Page 264: Adding Vlan Virtual Interfaces To The Zone

    VLANs. To create these zones, please follow the configuration steps below: 1) Log in to the ZyWALL 1050/ZyWALL USG 300 GUI and go to Configuration > Network > Zone. Then click “+” to create a new zone.
  • Page 265 4) Finally, click “OK” to apply your settings. 4) Repeat the above steps to create the other two Zones for VLAN20 and VLAN30.
  • Page 266: Applying Firewall Policy To The Zone Of Vlans

    To create those two rules, please follow the configuration steps as stated below: 1) Login the ZyWALL 1050/ZyWALL USG 300 GUI and go to Configuration > Policy > Firewall. Check “Enable Firewall” to activate your Firewall. Then pick your Zone pairs and click the “+”...
  • Page 267 19) Giving this rule a description is optional. If you want to allow or block everything, simply choose “allow” or “deny” as the “Access” option. The “Reject” option means packets matching this rule are dropped silently.
  • Page 268 Zone to “LAN_VLAN20” Zone. The CLI commands for the above actions: [0] firewall Finance Secret insert 1 [1] no schedule [2] no user [3] no sourceip [4] no destinationip [5] no service [6] action deny
  • Page 269 [7] from Finance [8] to Secret [9] no log [10] activate [11] exit
  • Page 270: Connecting Multiple Isp Links

    However, this option usually comes at a high price in both time and money, and sometimes it is not available at all. Thus, ZyWALL 1050/ZyWALL USG 300 offers another solution which gives more flexibility in upgrading your WAN link.
  • Page 271 1) Log in to the ZyWALL 1050/ZyWALL USG 300 GUI and go to Configuration > Network > ISP Account. Then click “+” to create a new account for a PPPoE connection. 2) Now, on this screen, you can give this profile a name. Select PPPoE as the protocol.
  • Page 272 PPPoE connections come in on GE2, so we pick GE2 as our base interface. Pick the account profile that you want to apply to this PPPoE interface. All remaining settings are either optional or depend on the requirements of your ISP.
  • Page 273 7) Now all the PPPoE interfaces are created, and all of them should be added to the WAN Zone as well. Go to Configuration > Network > Zone and click the modify icon.
  • Page 274 9) Now check the box below to pick PPP1 as the interface to join the WAN Zone. Repeat the above steps to add PPP2 and PPP3 to the WAN Zone as well.
  • Page 275 10) Second, we need to add all three of our PPPoE interfaces to the WAN Trunk interface. Go to Configuration > Network > Interface > Trunk. 11) Click the “+” icon to add a new interface to this WAN_Trunk interface.
  • Page 276 Bandwidth” here are the values used as reference by the Load Balancing Algorithm. 13) Repeat the above steps until all three PPPoE interfaces are added to this WAN_Trunk interface. Remove the fixed links on GE2 and/or GE3 if you want.
  • Page 277 [4] compression no [5] idle 0 [6] exit CLI commands to create a PPPoE interface: [0] interface ppp1 [1] no shutdown [2] description ISP1 [3] mtu 1492 [4] upstream 1048576 [5] downstream 1048576
  • Page 278 [7] interface ge2 [8] interface ge3 [9] exit CLI commands to add those three PPPoE interfaces to the WAN_Trunk interface: [0] interface-group WAN_TRUNK [1] mode trunk [2] algorithm llf [3] no interface ge2
  • Page 279 [4] no interface ge3 [5] no interface aux [6] interface 1 ppp3 [7] interface 2 ppp2 [8] interface 3 ppp1 [9] interface 4 ge2 [10] interface 5 ge3 [11] interface 6 aux passive [12] exit
  • Page 280: Multiple Fixed Wan Links

    Besides multiple PPPoE links, fixed links are also supported on ZyWALL 1050/ZyWALL USG 300. With ZyWALL 1050, you can have at most 4 fixed links for a WAN. Here is an example with 2 fixed links on GE2, GE3 and GE4.
  • Page 281 3) Since GE4 is in the DMZ Zone by default, we need to release it for our use. Go to Configuration > Network > Zone and click the modify icon of DMZ.
  • Page 282 5) Next, GE4 needs to join the WAN Zone so that a single WAN policy can be applied on ZyWALL 1050/ZyWALL USG 300. Go to Configuration > Network > Zone and click the modify icon of the WAN Zone.
  • Page 283 6) Click the “+” icon again to add the new interface to this Zone. 7) Since GE4 is the only free interface here, it will be selected automatically.
  • Page 284 Configuration > Network > Interface > Trunk and click the modify icon to change the settings of the WAN_Trunk. 9) Click the “+” icon to add a new interface to this WAN_Trunk interface.
  • Page 285 10) Click the box below to switch the interface from GE1 to GE4. Click OK to complete the setup of this scenario. CLI commands to configure the IP information on GE4: [0] interface ge4
  • Page 286 [4] interface ge5 [5] exit CLI commands to join GE4 to the WAN Zone: [0] zone WAN [1] block [2] no interface ge2 [3] no interface ge3 [4] interface ge4 [5] interface ge2
  • Page 287 [2] algorithm llf [3] no interface ge2 [4] no interface ge3 [5] no interface aux [6] interface 1 ge4 [7] interface 2 ge2 [8] interface 3 ge3 [9] interface 4 aux passive [10] exit
  • Page 288 ZyWALL. Here is an example. First of all, we are going to configure three PPPoE links on ZyWALL 1050. We will also assign GE2 as a fixed link with the DHCP client enabled, since a DHCP server is enabled on the E1 router.
  • Page 289 3) Since we have three PPPoE links in our scenario, you will need two additional PPPoE accounts here as well. Repeat the above steps to create the other accounts. Your final PPPoE account summary screen should look like this.
  • Page 290 PPPoE connections come in on GE2, so we pick GE2 as our base interface. Pick the account profile that you want to apply to this PPPoE interface; all remaining settings are either optional or depend on the requirements of your ISP.
  • Page 291 6) Repeat the above steps to create the other two PPPoE interfaces. Then you should get a screen that looks like this. If you want to connect your PPPoE interface manually, click the icon below.
  • Page 292 9) Now check the box below to pick PPP1 as the interface to join the WAN Zone. Repeat the above steps to add PPP2 and PPP3 to the WAN Zone as well.
  • Page 293 10) Second, we need to add all three of our PPPoE interfaces to the WAN Trunk interface. Go to Configuration > Network > Interface > Trunk. 11) Click the “+” icon to add a new interface to this WAN_Trunk interface.
  • Page 294 “Passive” here. The “Downstream Bandwidth” and “Upstream Bandwidth” are the values used as reference by the Load Balancing Algorithm. 13) Repeat the above steps until all three PPPoE interfaces are added to this WAN_Trunk interface.
  • Page 295 [0] account pppoe ISP1 [1] user test1@isp1.com [2] password abcdefg [3] authentication chap-pap [4] compression no [5] idle 0 [6] exit CLI commands to create a PPPoE interface: [0] interface ppp1 [1] no shutdown
  • Page 296 CLI commands to add all the PPPoE interfaces to the WAN Zone: [0] zone WAN [1] block [2] no interface ge2 [3] no interface ge3 [4] interface ppp3 [5] interface ppp2 [6] interface ppp1 [7] interface ge2 [8] interface ge3 [9] exit
  • Page 297 [4] no interface ge3 [5] no interface aux [6] interface 1 ppp3 [7] interface 2 ppp2 [8] interface 3 ppp1 [9] interface 4 ge2 [10] interface 5 ge3 [11] interface 6 aux passive [12] exit
  • Page 298: Guaranteed Quality Of Service

    ZyWALL 1050/ZyWALL USG 300 supports both prioritization and bandwidth management for outgoing traffic. IT administrators can define bandwidth management policies to ensure the quality of the services running in their network environment. ZyWALL 1050/ZyWALL USG 300 supports bandwidth management policies based on the type of service, the origin of the traffic, and the user/group, to ensure optimized bandwidth utilization.
  • Page 299 To fulfill this scenario, please follow the configuration steps below: 1) By default, ZyWALL 1050/ZyWALL USG 300 has already created a WAN Trunk interface for you, so you do not need to worry about the WAN Trunk in this scenario. Now we need to create the Bandwidth Management policies for our application.
  • Page 300: Zywall 1050 (Zywall Usg

    We assign this policy a relatively high priority (for example, 100) so that, even when bandwidth runs short, the SMTP service still gets more bandwidth than the other types of network services.
  • Page 301 3) Repeat the above steps to create two more policy routes for the “WWW” and “FTP” services. In the policy route you can set their Maximum Bandwidth to 800Kbps and 100Kbps along with a priority value. Below is what you should get so far:
  • Page 302 WAN is 1.5Mbps. We have already allocated 400kbps for SMTP, 800kbps for HTTP, and 100kbps for FTP. What is left over is 200kbps, which we can apply to the remaining traffic, i.e. our default route.
  • Page 303 5) Modify the bandwidth and priority values here in the default policy route. Click “OK” to apply. 11) Now the final list should look like the one below:
  • Page 304 [9] next-hop trunk WAN_TRUNK [10] snat outgoing-interface [11] bandwidth 400 priority 100 [12] exit CLI commands for applying bandwidth and priority to the default policy route: [0] policy 4 (the number of your default policy)
  • Page 305 [3] no user [4] interface ge1 [5] source LAN_SUBNET [6] destination any [7] no schedule [8] service any [9] next-hop trunk WAN_TRUNK [10] snat outgoing-interface [11] bandwidth 200 priority 1024 [12] exit
  • Page 306: A. Device Management Faq

    A01. How can I connect to ZyWALL 1050/ZyWALL USG 300 to perform administrator tasks? You can connect your PC with an Ethernet cable to the ZyWALL 1050/ZyWALL USG 300 port 1 interface, which is the leftmost Ethernet port. By default you will get an IP address automatically from DHCP.
  • Page 307 6. Connecting to ZyWALL 1050/ZyWALL USG 300 from a WAN interface is blocked by default. If you do not want this block rule, go to GUI menu Configuration > System > WWW and set it to accept access from ‘WAN’ or from ‘All’.
  • Page 308: A05. Why Do I Lose My Configuration Setting After Zywall 1050/Zywall Usg 300 Restarts

    A06. What can I do if the system stays at the boot-up stage for a long time? There are two possible reasons why your ZyWALL 1050/ZyWALL USG 300 takes a long time to boot up: 1. You may have a large configuration on ZyWALL 1050/ZyWALL USG 300, for example over 500 VPN settings.
  • Page 309 If you do see the message, please start the firmware recovery procedure with the following steps. 1. Connect a PC to ZyWALL 1050/ZyWALL USG 300’s ge1 port via an Ethernet cable. Run ftp 192.168.1.1 from your FTP client or an MS-DOS prompt. Set the transfer mode to binary (use “bin”...
  • Page 310: B. Registration Faq

    B. Registration FAQ B01. Why do I need to do the Device Registration? You must first register the ZyWALL 1050/ZyWALL USG 300 device with the myZyXEL.com server before you activate and use the IDP and Content Filter external rating services. B02. Why do I need to activate services? It is mandatory to activate these security services before you enable and use them.
  • Page 311: C. File Manager Faq

    C01. How can ZyWALL 1050/ZyWALL USG 300 manage multiple configuration files? The ZyWALL 1050/ZyWALL USG 300 GUI menu File Manager > Configuration File allows the admin to save multiple configuration files. The admin can also manipulate files (upload, delete, copy, rename and download them) and apply a given file to hot-switch the configuration without a hardware reboot.
  • Page 312: C05. How To Write A Shell Script

    Other settings do not change. C05. How to write a shell script? You can edit shell scripts in a text editor and upload them to the ZyWALL 1050/ZyWALL USG 300 through the GUI menu File Manager > Shell Script tab. Some notes follow.
  • Page 313: D. Object Faq

    D. Object FAQ D01. Why does ZyWALL 1050/ZyWALL USG 300 use objects? ZyWALL 1050/ZyWALL USG 300 objects include address, service, schedule, authentication method, certificate, zone, interface group and ISP account objects. The ZyWALL 1050/ZyWALL USG 300 uses objects as its basic configuration blocks. This simplifies configuration changes when your network topology changes.
  • Page 314: D02. What's The Difference Between Trunk And The Zone Object

    If you have several redundant LDAP/RADIUS servers, you may need to create your own LDAP/RADIUS server groups. Do not forget to select the LDAP/RADIUS server group in the authentication method chosen for authentication.
  • Page 315: E. Interface Faq

    LAN PCs. So make sure all the interfaces that provide the DNS server do not go down because of link down, ping-check or being disabled. E05. Why does the PPP interface dial successfully even when its base interface goes
  • Page 316: E07. What's The Maximum Vlan Interface Supported By Zywall 1050/Zywall Usg 300

    ZyWALL will try to maintain connectivity. E06. What is port grouping used for in ZyWALL 1050/ZyWALL USG 300? We can group two or more ports (up to five) together to form a port group. For example, we group port1 and port2 together and the representative port is port1.
  • Page 317: F. Routing And Nat Faq

    IPsec tunnel, you need to select “VPN tunnel”. Please note that policy routes are matched in order. If the first route matches the criteria, ZyWALL 1050/ZyWALL USG 300 uses that route’s settings to direct the traffic to its next hop.
  • Page 318 mapping public IP address 192.168.35.100. 2. From the Virtual Server setting, ZyWALL 1050/ZyWALL USG 300 forwards it to the internal IP 192.168.105.37. 3. The Web server receives a request from the same subnet and replies directly to the PC through the L2 switch.
  • Page 319 NAT loopback Configuration. In order to run NAT loopback on ZyWALL 1050/ZyWALL USG 300, please add these rules after you finish the 1-1 NAT mapping. First, add one Virtual Server rule for LAN usage. All the parameters are the same as those set for the 1-1 NAT mapping, except the Interface item.
  • Page 320 Policy Route rule to realize it. This Policy Route rule forces all internal access to go through SNAT translation. This forces all the return traffic to go back through ZyWALL 1050/ZyWALL USG 300 and avoids the triangle route problem.
  • Page 321: F03. How To Configure A Nat

    FQDN. F03. How to configure NAT? Unlike the ZyNOS ZyWALL, the NAT setting in ZyWALL 1050/ZyWALL USG 300 is in Policy Route, and the port forwarding setting is Virtual Server, as the configuration page shown below illustrates. Configure the NAT setting in Configuration > Policy > Route. Configure the port forwarding setting in Configuration >...
  • Page 322: F04. After I Installed A Http Proxy Server And Set A Http Redirect Rule, I Still Can't Access Web. Why

    DMZ/LAN IP. For example, if you want to forward HTTP traffic on port 8080 to the ZyWALL5 in ZyWALL 1050/ZyWALL USG 300’s DMZ zone, you need to configure a virtual server to forward <Original IP(ex. ge2’s IP):8080> to <Internal server IP:8080>.
  • Page 323: F07. Why Zywall 1050/Zywall Usg 300 Cannot Ping The Internet Host, But Pc From Lan Side Can Browse Internet Www

    IP address configured, the default route will have two entries added in ZyWALL 1050/ZyWALL USG 300. If one of the WAN interfaces cannot connect to the Internet (for example, a ppp interface that does not dial up successfully) and this interface has a smaller metric than the other WAN interface, ZyWALL 1050/ZyWALL USG 300 will select it as the default route and traffic cannot go out from the ZyWALL 1050/ZyWALL USG 300.
  • Page 324 F11. How do I use the traffic redirect feature in ZyWALL 1050/ZyWALL USG 300? If you have a router located in the LAN, you can regard that router as a gateway and fill in its address in the gateway field of the LAN interface which connects to the LAN router.
  • Page 325: G. Vpn And Certificate

    VPN connection status is connected but the traffic still cannot reach the remote VPN subnet? ZyWALL 1050/ZyWALL USG 300 VPN is route-based VPN; this means we need to configure a policy route rule to tell ZyWALL 1050/ZyWALL USG 300 how to route the VPN traffic to the remote VPN subnet.
  • Page 326: G04. Vpn Connections Are Dialed Successfully, And The Policy Route Is Set. But The Traffic Is Lost Or There Is No Response From Remote Site

    ZyWALL 1050/ZyWALL USG 300 GUI > Configuration > Policy > Route > Policy Route and check whether there is a rule that directs the traffic to the VPN tunnel. The VPN tunnel candidates must be preconfigured in the VPN connection menu.
  • Page 327: H. Firewall Faq

    H03. Can I have access control rules for the device itself in the firewall? If your ZyWALL 1050/ZyWALL USG 300 image is older than b6, the answer is No: the firewall only affects forwarded traffic. You need to set the access control rules under System for each service, such as DNS, ICMP, WWW, SSH, TELNET, FTP and SNMP.
  • Page 328: I. Application Patrol Faq

    OSI layer 7, regardless of the port numbers. I02. What applications can the Application Patrol function inspect? AppPatrol on ZyWALL 1050/ZyWALL USG 300 supports four categories of application protocols at the time of writing. 1. General protocols -- HTTP, FTP, SMTP, POP3 and IRC.
  • Page 329 (application list continued) Protocol detect; VoIP, H323 Netmeeting 3.01, Protocol detect; VoIP, Windows Messenger 5.1, Protocol detect; VoIP, Gizmo 3.0, Protocol detect. I03. Why does the application patrol fail to drop/reject invalid access for some All contents copyright (c) 2007 ZyXEL Communications Corporation.
  • Page 330 “Auto” will be selected once an AppPatrol rule is enabled. Please read the following before using the “Service Ports” option: (1) It defines the ports used in ZyWALL 1050/ZyWALL USG 300. For ease of configuration, the ZyWALL has been pre-configured with the frequently used service ports. For example, the eDonkey service is pre-defined to take action on ports 4661 ~ 4665, as shown below.
  • Page 331: I05. What Is The Difference Between Bwm (Bandwidth Management) In Policy Route And App. Patrol

    2. App. Patrol – App. Patrol supports both Outbound BWM and Inbound BWM. If traffic matches the BWM rules of both Policy Route and App. Patrol, the Policy Route rule will be applied to the traffic.
  • Page 332: I06. Do I Have To Purchase Icards Specifically For Using Apppatrol Feature

    No. The new ZLD platform 2.0x enhances the zone-to-zone mechanism, and the existing settings cannot be migrated into the new AppPatrol. Therefore, the user will be required to reconfigure the related settings after the firmware upgrade completes.
  • Page 333: J01. Why Doesn't The Idp Work? Why Has The Signature Updating Failed

    For the current release, when you configure IDP and enable all the IDP rules at the same time, you may see the GUI showing “wait data timeout”. This is because the GUI cannot get the IDP module’s configuration result for a period of time, even though the configuration of ZyWALL 1050/ZyWALL USG 300 is correct.
  • Page 334: J07. Does Idp Subscription Have Anything To Do With Apppatrol

    System Protection: System Protection gives the ZyWALL the ability to protect itself against host-based intrusions, so ZyXEL can prevent not only network intrusions but also host-based intrusions. Zone to Zone Protection: A zone is a group of ZyWALL interfaces defined for security purposes. Traffic direction is defined by the zone the traffic is coming from and the zone the traffic is going to.
  • Page 335: J08. How To Get A Detailed Description Of An Idp Signature

    J09. After an IDP signature update, does the ZyWALL need to reboot for the new signatures to take effect? No, it is not necessary to reboot the device for the new signatures to take effect.
  • Page 336: K. Content Filtering Faq

    MSN Messenger wants to access are not in the trusted websites list, access will be blocked. If you really want this option enabled, you have to add these websites to the trusted websites list.
  • Page 337: L. Device Ha Faq

    VRRP group cannot detect the fault encountered on the master router. You can click Device HA in the left panel and tick the “Enable” checkbox to enable the link monitor.
  • Page 338: L04. Can Link Monitor Of Device Ha Be Used In Backup Vrrp Interfaces

    MUST forward the VRRP multicast to the backup ZW1050. Otherwise the backup ZyWALL will never receive the VRRP announcement. Please ensure the switch forwards the multicast VRRP announcement (224.0.0.18) by enabling the "Unknown multicast flooding" option in the switch settings.
  • Page 339: M. User Management Faq

    M01. What is the difference between a user and a guest account? Both “user” and “guest” are accounts for network access. The difference is that a “user” account can log in to ZyWALL 1050/ZyWALL USG 300 via telnet/SSH to view limited personal information. M02. What are the “re-authentication time” and “lease time”? For security reasons, administrators and access users are required to authenticate themselves again after a period of time.
  • Page 340: M05. What Is Aaa

    AAA stands for Authentication/Authorization/Accounting. AAA is a model for access control and also the basis for a user-aware device. A user-aware device like ZyWALL 1050/ZyWALL USG 300 uses an authentication method to authenticate a user (to prove who the user is) and gives the user the proper authority (defining what the user is and is not allowed to do) through an authorization method.
  • Page 341 See the flow as shown below.
  • Page 342: N. Centralized Log Faq

    N02. After I have filled in all the required fields, why can’t I receive the log mail? The e-mail server may reject delivery of the event/alert mail for many reasons. Please enable the system debug log and find out why the e-mail server refused to accept the mail.
  • Page 343: O. Traffic Statistics Faq

    O04. Why can’t I see the connections from/to the ZyWALL itself? In the Session module, only forwarded traffic is listed. Forwarded traffic means traffic going through the ZyWALL. Therefore, the broadcast traffic on the bridge interface will be listed.
  • Page 344: P. Anti-Virus Faq

    Because the ZyWALL 1050 Anti-Virus engine is stream-based, there is no limitation on concurrent sessions. P04. How many types of viruses can be recognized by the ZyWALL 1050/ZyWALL USG 300? The Anti-Virus engine can detect over 3000 common viruses, including worms and Trojans. The number of viruses that can be detected depends on the number of virus signatures stored in the ZyWALL.
  • Page 345: P06. How To Retrieve The Virus Information In Detail

    P10. If the Anti-Virus engine detects a virus, what action does it take? Can it cure the file? The ZyWALL 1050/ZyWALL USG 300 will destroy the infected file, log the event and send an alert to the system administrator. The Anti-Virus engine cannot cure the infected file.
