ZyXEL Communications ZYWALL USG 1000 - EDITION 2 Manual

Unified security gateway
ZyWALL USG 1000
Unified Security Gateway

Default Login Details
LAN Port: P1
IP Address: https://192.168.1.1
User Name: admin
Password: 1234

www.zyxel.com
Firmware Version 2.20
Edition 2, 9/2010
Copyright © 2010 ZyXEL Communications Corporation

Summary of Contents for ZyXEL Communications ZYWALL USG 1000 - EDITION 2

  • Page 3: About This User's Guide

    • To find specific information in this guide, use the Contents Overview, the Table of Contents, the Index, or search the PDF file. E-mail techwriters@zyxel.com.tw if you cannot find the information you require. Related Documentation • Quick Start Guide The Quick Start Guide is designed to show you how to make the ZyWALL hardware connections and access the Web Configurator wizards.
  • Page 4 • Knowledge Base If you have a specific question about your product, the answer may be here. This is a collection of answers to previously asked questions about ZyXEL products. • Forum This contains discussions on ZyXEL products. Learn from others who use ZyXEL products and share your experiences as well.
  • Page 5 About This User's Guide See http://www.zyxel.com/web/contact_us.php for contact information. Please have the following information ready when you contact an office. • Product model and serial number. • Warranty Information. • Date that you received your device. • Brief description of the problem and the steps you took to solve it.
  • Page 6: Document Conventions

    Document Conventions. Warnings and Notes: These are how warnings and notes are shown in this User’s Guide. Warnings tell you about things that could harm you or your device. Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
  • Page 7 Document Conventions. Icons Used in Figures: Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. Icons: ZyWALL, Computer, Notebook computer, Server, Firewall, Telephone, Switch, Router. ZyWALL USG 1000 User’s Guide...
  • Page 8: Safety Warnings

    Safety Warnings Safety Warnings • Do NOT use this product near water, for example, in a wet basement or near a swimming pool. • Do NOT expose your device to dampness, dust or corrosive liquids. • Do NOT store things on the device. •...
  • Page 9: Contents Overview

    Contents Overview: User’s Guide 31; Introducing the ZyWALL 33; Features and Applications 39; Web Configurator 47; Installation Setup Wizard 65; Quick Setup 75; Configuration Basics 93; Tutorials 117; L2TP VPN Example 169; Technical Reference ...
  • Page 10 Contents Overview (continued): Content Filtering 627; Content Filter Reports 651; Anti-Spam 659; Device HA 677; User/Group 699; Addresses 715; Services 721; Schedules 727; AAA Server 733; Authentication Method 743; Certificates 749; ISP Accounts ...
  • Page 11: Table of Contents

    Table of Contents: About This User's Guide 3; Document Conventions 6; Safety Warnings 8; Contents Overview 9; Table of Contents 11; Part I: User’s Guide 31; Chapter 1 Introducing the ZyWALL 33; 1.1 Overview and Key Default Settings 33; 1.2 Rack-mounted Installation ...
  • Page 12 Table of Contents: 3.3.2 Navigation Panel 51; 3.3.3 Main Window 57; 3.3.4 Tables and Lists 59; Chapter 4 Installation Setup Wizard 65; 4.1 Installation Setup Wizard Screens 65; 4.1.1 Internet Access Setup - WAN Interface 66; 4.1.2 Internet Access: Ethernet ...
  • Page 13 Table of Contents: 6.3 Terminology in the ZyWALL 97; 6.4 Packet Flow 98; 6.4.1 ZLD 2.20 Packet Flow Enhancements 98; 6.4.2 Routing Table Checking Flow Enhancements 99; 6.4.3 NAT Table Checking Flow 100; 6.5 Feature Configuration Overview 101; 6.5.1 Feature ...
  • Page 14 Table of Contents: 7.1.2 Configure Zones 118; 7.1.3 Configure Port Grouping 119; 7.2 How to Configure a Cellular Interface 120; 7.3 How to Configure Load Balancing 122; 7.3.1 Set Up Available Bandwidth on Ethernet Interfaces 122; 7.3.2 Configure the WAN Trunk 123; 7.4 How to Set Up an IPSec VPN Tunnel ...
  • Page 15 Table of Contents: 7.14.2 Configure Device HA on the Master ZyWALL 164; 7.14.3 Configure the Backup ZyWALL 165; 7.14.4 Deploy the Backup ZyWALL 166; 7.14.5 Check Your Device HA Setup 167; Chapter 8 L2TP VPN Example 169; 8.1 L2TP VPN Example ...
  • Page 16 Table of Contents: 10.8 The Login Users Screen 237; 10.9 Cellular Status Screen 238; 10.10 USB Storage Screen 240; 10.11 Application Patrol Statistics 241; 10.11.1 Application Patrol Statistics: General Setup 241; 10.11.2 Application Patrol Statistics: Bandwidth Statistics 242; 10.11.3 Application Patrol Statistics: Protocol Statistics ...
  • Page 17 Table of Contents: 13.2.1 Port Grouping Overview 281; 13.2.2 Port Grouping Screen 281; 13.3 Ethernet Summary Screen 282; 13.3.1 Ethernet Edit 284; 13.3.2 Object References 291; 13.4 PPP Interfaces 292; 13.4.1 PPP Interface Summary 293; 13.4.2 PPP Interface Add or Edit ...
  • Page 18 Table of Contents: Chapter 16 Routing Protocols 363; 16.1 Routing Protocols Overview 363; 16.1.1 What You Can Do in this Chapter 363; 16.1.2 What You Need to Know 363; 16.2 The RIP Screen 364; 16.3 The OSPF Screen 365; 16.3.1 Configuring the OSPF Screen ...
  • Page 19 Table of Contents: 20.2.1 The HTTP Redirect Edit Screen 400; Chapter 21 ALG 403; 21.1 ALG Overview 403; 21.1.1 What You Can Do in this Chapter 403; 21.1.2 What You Need to Know 404; 21.1.3 Before You Begin 407; 21.2 The ALG Screen ...
  • Page 20 Table of Contents: Chapter 25 IPSec VPN 443; 25.1 IPSec VPN Overview 443; 25.1.1 What You Can Do in this Chapter 443; 25.1.2 What You Need to Know 444; 25.1.3 Before You Begin 446; 25.2 The VPN Connection Screen 446; 25.2.1 The VPN Connection Add/Edit (IKE) Screen ...
  • Page 21 Table of Contents: Chapter 29 SSL User File Sharing 511; 29.1 Overview 511; 29.1.1 What You Need to Know 511; 29.2 The Main File Sharing Screen 512; 29.3 Opening a File or Folder 512; 29.3.1 Downloading a File 514; 29.3.2 Saving a File ...
  • Page 22 Table of Contents: Chapter 33 Anti-Virus 553; 33.1 Overview 553; 33.1.1 What You Can Do in this Chapter 553; 33.1.2 What You Need to Know 554; 33.1.3 Before You Begin 556; 33.2 Anti-Virus Summary Screen 556; 33.2.1 Anti-Virus Policy Add or Edit Screen ...
  • Page 23 Table of Contents: 35.1 Overview 605; 35.1.1 ADP and IDP Comparison 605; 35.1.2 What You Can Do in this Chapter 605; 35.1.3 What You Need To Know 605; 35.1.4 Before You Begin 606; 35.2 The ADP General Screen 607; 35.3 The Profile Summary Screen ...
  • Page 24 Table of Contents: 38.4.1 The Anti-Spam Black or White List Add/Edit Screen 667; 38.4.2 Regular Expressions in Black or White List Entries 668; 38.5 The Anti-Spam White List Screen 669; 38.6 The DNSBL Screen 670; 38.7 Anti-Spam Technical Reference 672; Chapter 39 Device HA ...
  • Page 25 Table of Contents: Chapter 42 Services 721; 42.1 Overview 721; 42.1.1 What You Can Do in this Chapter 721; 42.1.2 What You Need to Know 721; 42.2 The Service Summary Screen 722; 42.2.1 The Service Add/Edit Screen 724; 42.3 The Service Group Summary Screen ...
  • Page 26 Table of Contents: 46.1 Overview 749; 46.1.1 What You Can Do in this Chapter 749; 46.1.2 What You Need to Know 749; 46.1.3 Verifying a Certificate 751; 46.2 The My Certificates Screen 753; 46.2.1 The My Certificates Add Screen 754; 46.2.2 The My Certificates Edit Screen ...
  • Page 27 Table of Contents: 50.3 USB Storage 795; 50.4 Date and Time 796; 50.4.1 Pre-defined NTP Time Servers List 798; 50.4.2 Time Server Synchronization 799; 50.5 Console Port Speed 800; 50.6 DNS Overview 800; 50.6.1 DNS Server Address Assignment 801; 50.6.2 Configuring the DNS Screen ...
  • Page 28 Table of Contents: Chapter 51 Log and Report 845; 51.1 Overview 845; 51.1.1 What You Can Do In this Chapter 845; 51.2 Email Daily Report 845; 51.3 Log Setting Screens 847; 51.3.1 Log Setting Summary 848; 51.3.2 Edit System Log Settings ...
  • Page 29 Table of Contents: 55.1.1 What You Need To Know 887; 55.2 The Shutdown Screen 887; Chapter 56 Troubleshooting 889; 56.1 Resetting the ZyWALL 906; 56.2 Getting More Troubleshooting Help 907; Chapter 57 Product Specifications 909; 57.1 3G PCMCIA Card Installation ...
  • Page 31: User's Guide

    User’s Guide...
  • Page 33: Introducing the ZyWALL

    Chapter 1 Introducing the ZyWALL. This chapter gives an overview of the ZyWALL. It explains the front panel ports and LEDs, introduces the management methods, and lists different ways to start or stop the ZyWALL. 1.1 Overview and Key Default Settings The ZyWALL is a comprehensive security device.
  • Page 34: Rack-Mounted Installation Procedure

    Chapter 1 Introducing the ZyWALL 1.2.1 Rack-Mounted Installation Procedure Align one bracket with the holes on one side of the ZyWALL and secure it with the included bracket screws (smaller than the rack-mounting screws). Attach the other bracket in a similar fashion. Figure 1 Attaching Mounting Brackets and Screws After attaching both mounting brackets, position the ZyWALL in the rack by lining up the holes in the brackets with the appropriate holes on the rack.
  • Page 35: Front Panel

    Chapter 1 Introducing the ZyWALL 1.3 Front Panel This section introduces the ZyWALL’s front panel. Figure 3 ZyWALL Front Panel 1.3.1 Front Panel LEDs The following table describes the LEDs. Table 1 Front Panel LEDs (LED / COLOR / STATUS / DESCRIPTION): Off: The ZyWALL is turned off. Green: The ZyWALL is turned on.
  • Page 36 Chapter 1 Introducing the ZyWALL Web Configurator The Web Configurator allows easy ZyWALL setup and management using an Internet browser. This User’s Guide provides information about the Web Configurator. Figure 4 Managing the ZyWALL: Web Configurator Command-Line Interface (CLI) The CLI allows you to use text-based commands to configure the ZyWALL. You can access it using remote management (for example, SSH or Telnet) or via the console port.
  • Page 37: Starting and Stopping the ZyWALL

    Chapter 1 Introducing the ZyWALL 1.5 Starting and Stopping the ZyWALL Here are some of the ways to start and stop the ZyWALL. Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the ZyWALL or remove the power. Not doing so can cause the firmware to become corrupt.
  • Page 39: Features And Applications

    Chapter 2 Features and Applications. This chapter introduces the main features and applications of the ZyWALL. 2.1 Features The ZyWALL’s security features include VPN, firewall, anti-virus, content filtering, IDP (Intrusion Detection and Prevention), ADP (Anomaly Detection and Protection), and certificates.
  • Page 40 Chapter 2 Features and Applications Firewall The ZyWALL’s firewall is a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It can also inspect sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.
  • Page 41: Applications

    Chapter 2 Features and Applications Anti-Virus Scanner With the anti-virus packet scanner, your ZyWALL scans files transmitting through the enabled interfaces into the network. The ZyWALL helps stop threats at the network edge before they reach the local host computers. Anti-Spam The anti-spam feature can mark or discard spam.
  • Page 42: VPN Connectivity

    Chapter 2 Features and Applications 2.2.1 VPN Connectivity Set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to provide secure access to your network. You can also set up additional connections to the Internet to provide better service. Figure 5 Applications: VPN Connectivity 2.2.2 SSL VPN Network Access You can configure the ZyWALL to provide SSL VPN network access to remote...
  • Page 43 Chapter 2 Features and Applications You do not have to install additional client software on the remote user computers for access. Figure 6 Network Access Mode: Reverse Proxy (LAN 192.168.1.X; https:// access to Web Mail, File Share and Web-based Application) 2.2.2.2 Full Tunnel Mode In full tunnel mode, a virtual connection is created for remote users with private IP addresses in the same subnet as the local network.
  • Page 44: User-Aware Access Control

    Chapter 2 Features and Applications 2.2.3 User-Aware Access Control Set up security policies that restrict access to sensitive information and shared resources based on the user who is trying to access it. Figure 8 Applications: User-Aware Access Control 2.2.4 Multiple WAN Interfaces Set up multiple connections to the Internet on the same port, or set up multiple connections on different ports.
  • Page 45: Device HA

    Chapter 2 Features and Applications 2.2.5 Device HA Set up an additional ZyWALL as a backup gateway to ensure the default gateway is always available for the network. Figure 10 Applications: Device HA
  • Page 47: Web Configurator

    Chapter 3 Web Configurator. The ZyWALL Web Configurator allows easy ZyWALL setup and management using an Internet browser. 3.1 Web Configurator Requirements In order to use the Web Configurator, you must • Use Internet Explorer 7 or later, or Firefox 1.5 or later •...
  • Page 48 Chapter 3 Web Configurator Open your web browser, and go to http://192.168.1.1. By default, the ZyWALL automatically routes this request to its HTTPS server, and it is recommended to keep this setting. The Login screen appears. Figure 11 Login Screen Type the user name (default: “admin”) and password (default: “1234”).
  • Page 49: Web Configurator Screens Overview

    Chapter 3 Web Configurator The screen above appears every time you log in using the default user name and default password. If you change the password for the default user account, this screen does not appear anymore. Follow the directions in this screen. If you change the default password, the Login screen (Figure 11 on page 48) appears after you click Apply.
  • Page 50: Title Bar

    Chapter 3 Web Configurator • C - main window 3.3.1 Title Bar The title bar provides some icons in the upper right corner. Figure 14 Title Bar The icons provide the following functions. Table 4 Title Bar: Web Configurator Icons LABEL DESCRIPTION Logout...
  • Page 51: Navigation Panel

    Chapter 3 Web Configurator The following table describes labels that can appear in this screen. Table 5 About (LABEL / DESCRIPTION): Boot Module: This shows the version number of the software that handles the booting process of the ZyWALL. Current Version: This shows the firmware version of the ZyWALL. Released Date: This shows the date (yyyy-mm-dd) and time (hh:mm:ss) when the...
  • Page 52: Traffic Statistics

    Chapter 3 Web Configurator 3.3.2.2 Monitor Menu The monitor menu screens display status and statistics information. Table 6 Monitor Menu Screens Summary FOLDER OR LINK FUNCTION System Status Port Statistics Displays packet statistics for each physical port. Interface Status Displays general interface information and packet statistics.
  • Page 53: NAT

    Chapter 3 Web Configurator 3.3.2.3 Configuration Menu Use the configuration menu screens to configure the ZyWALL’s features. Table 7 Configuration Menu Screens Summary (FOLDER OR LINK / FUNCTION): Quick Setup: Quickly configure WAN interfaces or VPN connections. Licensing > Registration > Registration: Register the device and activate trial services. Service: View the licensed service status and upgrade licensed services.
  • Page 54: AppPatrol

    Chapter 3 Web Configurator Table 7 Configuration Menu Screens Summary (continued) (FOLDER OR LINK / FUNCTION): IP/MAC Binding > Summary: Configure IP to MAC address bindings for devices connected to each supported interface. Exempt List: Configure ranges of IP addresses to which the ZyWALL does not apply IP/MAC binding.
  • Page 55 Chapter 3 Web Configurator Table 7 Configuration Menu Screens Summary (continued) (FOLDER OR LINK / FUNCTION): General: Display and manage ADP bindings. Profile: Create and manage ADP profiles. Content Filter > General: Create and manage content filter policies. Filter Profile: Create and manage the detailed filtering rules for content filtering policies.
  • Page 56 Chapter 3 Web Configurator Table 7 Configuration Menu Screens Summary (continued) (FOLDER OR LINK / FUNCTION): ISP Account: Create and manage ISP account information for PPPoE/PPTP interfaces. SSL Application: Create SSL web application or file sharing objects. Endpoint Security: Create Endpoint Security (EPS) objects. System > Host Name...
  • Page 57: Main Window

    Chapter 3 Web Configurator 3.3.2.4 Maintenance Menu Use the maintenance menu screens to manage configuration and firmware files, run diagnostics, and reboot or shut down the ZyWALL. Table 8 Maintenance Menu Screens Summary (FOLDER OR LINK / FUNCTION): File Manager > Configuration File: Manage and upload configuration files for the ZyWALL.
  • Page 58 Chapter 3 Web Configurator 3.3.3.2 Site Map Click Site MAP to see an overview of links to the Web Configurator screens. Click a screen’s link to go to that screen. Figure 18 Site Map 3.3.3.3 Object Reference Click Object Reference to open the Object Reference screen. Select the type of object and the individual object and click Refresh to show which configuration settings reference the object.
  • Page 59: Tables And Lists

    Chapter 3 Web Configurator The fields vary with the type of object. The following table describes labels that can appear in this screen. Table 9 Object References LABEL DESCRIPTION Object Name This identifies the object for which the configuration settings that use it are displayed.
  • Page 60 Chapter 3 Web Configurator 3.3.4.1 Manipulating Table Display Here are some of the ways you can manipulate the Web Configurator tables. Click a column heading to sort the table’s entries according to that column’s criteria. Figure 21 Sorting Table Entries by a Column’s Criteria Click the down arrow next to a column heading for more options about how to display the entries.
  • Page 61 Chapter 3 Web Configurator Select a column heading cell’s right border and drag to re-size the column. Figure 23 Resizing a Table Column Select a column heading and drag and drop it to change the column order. A green check mark displays next to the column’s title when you drag the column to a valid new location.
  • Page 62: Working With Table Entries

    Chapter 3 Web Configurator 3.3.4.2 Working with Table Entries The tables have icons for working with table entries. A sample is shown next. You can often use the [Shift] or [Ctrl] key to select multiple entries to remove, activate, or deactivate. Figure 26 Common Table Icons Here are descriptions for the most common table icons.
  • Page 63 Chapter 3 Web Configurator you can also use the [Shift] or [Ctrl] key to select multiple entries, and then use the arrow button to move them to the other list. Figure 27 Working with Lists
  • Page 65: Installation Setup Wizard

    Chapter 4 Installation Setup Wizard. 4.1 Installation Setup Wizard Screens If you log into the Web Configurator when the ZyWALL is using its default configuration, the first Installation Setup Wizard screen displays. This wizard helps you configure Internet connection settings and activate subscription services.
  • Page 66: Internet Access Setup - WAN Interface

    Chapter 4 Installation Setup Wizard 4.1.1 Internet Access Setup - WAN Interface Use this screen to set how many WAN interfaces to configure and the first WAN interface’s type of encapsulation and method of IP address assignment. The screens vary depending on the encapsulation type. Refer to information provided by your ISP to know what to enter in each field.
  • Page 67 Chapter 4 Installation Setup Wizard Note: Enter the Internet access information exactly as given to you by your ISP. Figure 30 Internet Access: Ethernet Encapsulation • Encapsulation: This displays the type of Internet connection you are configuring. • First WAN Interface: This is the number of the interface that will connect with your ISP.
  • Page 68: Internet Access: PPPoE

    Chapter 4 Installation Setup Wizard 4.1.3 Internet Access: PPPoE Note: Enter the Internet access information exactly as given to you by your ISP. Figure 31 Internet Access: PPPoE Encapsulation 4.1.3.1 ISP Parameters • Type the PPPoE Service Name from your service provider. PPPoE uses a service name to identify and reach the PPPoE server.
  • Page 69: Internet Access: PPTP

    Chapter 4 Installation Setup Wizard 4.1.3.2 WAN IP Address Assignments • WAN Interface: This is the name of the interface that will connect with your ISP. • Zone: This is the security zone to which this interface and Internet connection will belong.
  • Page 70 Chapter 4 Installation Setup Wizard • CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by the remote node. • CHAP - Your ZyWALL accepts CHAP only. • PAP - Your ZyWALL accepts PAP only. • MSCHAP - Your ZyWALL accepts MSCHAP only. •...
  • Page 71: Internet Access Setup - Second WAN Interface

    Chapter 4 Installation Setup Wizard 4.1.6 Internet Access Setup - Second WAN Interface If you selected I have two ISPs, after you configure the First WAN Interface, you can configure the Second WAN Interface. The screens for configuring the second WAN interface are similar to the first (see Section 4.1.1 on page 66).
  • Page 72: Device Registration

    Chapter 4 Installation Setup Wizard Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Click Next and use the following screen to perform a basic registration (see Section 4.2 on page 72).
  • Page 73 Chapter 4 Installation Setup Wizard • Select existing myZyXEL.com account if you already have an account at myZyXEL.com and enter your user name and password in the fields below to register your ZyWALL. • Enter a User Name for your myZyXEL.com account. Use from six to 20 alphanumeric characters (and the underscore).
  • Page 75: Quick Setup

    Chapter 5 Quick Setup. 5.1 Quick Setup Overview The Web Configurator's quick setup wizards help you configure Internet and VPN connection settings. This chapter provides information on configuring the quick setup screens in the Web Configurator. See the feature-specific chapters in this User’s Guide for background information.
  • Page 76: WAN Interface Quick Setup

    Chapter 5 Quick Setup 5.2 WAN Interface Quick Setup Click WAN Interface in the main Quick Setup screen to open the WAN Interface Quick Setup Wizard Welcome screen. Use these screens to configure an interface to connect to the Internet. Click Next. Figure 38 WAN Interface Quick Setup Wizard 5.2.1 Choose an Ethernet Interface Select the Ethernet interface that you want to configure for a WAN connection and...
  • Page 77: Configure WAN Settings

    Chapter 5 Quick Setup Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your ISP. Figure 40 WAN Interface Setup: Step 2 The screens vary depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information.
  • Page 78: WAN and ISP Connection Settings

    Chapter 5 Quick Setup • IP Address Assignment: Select Auto if your ISP did not assign you a fixed IP address. Select Static if the ISP assigned a fixed IP address. 5.2.4 WAN and ISP Connection Settings Use this screen to configure the ISP and WAN interface settings. This screen is read-only if you set the IP Address Assignment to Static.
  • Page 79: Password

    Chapter 5 Quick Setup Table 11 WAN and ISP Connection Settings (continued) (LABEL / DESCRIPTION): Authentication Type: Use the drop-down list box to select an authentication protocol for outgoing calls. Options are: CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by this remote node.
  • Page 80: Quick Setup Interface Wizard: Summary

    Chapter 5 Quick Setup Table 11 WAN and ISP Connection Settings (continued) (LABEL / DESCRIPTION): First DNS Server, Second DNS Server: These fields only display for an interface with a static IP address. Enter the DNS server IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS...
  • Page 81: VPN Quick Setup

    Chapter 5 Quick Setup Table 12 Interface Wizard: Summary WAN LABEL DESCRIPTION Server IP This field only appears for a PPTP interface. It displays the IP address of the PPTP server. User Name This is the user name given to you by your ISP. Nailed-Up If No displays the connection will not time out.
  • Page 82: VPN Setup Wizard: Wizard Type

    Chapter 5 Quick Setup 5.4 VPN Setup Wizard: Wizard Type A VPN (Virtual Private Network) tunnel is a secure connection to another computer or network. Use this screen to select which type of VPN connection you want to configure. Figure 45 VPN Setup Wizard: Wizard Type Express: Use this wizard to create a VPN connection with another ZLD-based ZyWALL using a pre-shared key and default security settings.
  • Page 83: VPN Express Wizard - Scenario

    Chapter 5 Quick Setup 5.5 VPN Express Wizard - Scenario Click the Express radio button as shown in Figure 45 on page 82 to display the following screen. Figure 46 VPN Express Wizard: Step 2 Rule Name: Type the name used to identify this VPN connection (and VPN gateway).
  • Page 84: VPN Express Wizard - Configuration

    Chapter 5 Quick Setup 5.5.1 VPN Express Wizard - Configuration Figure 47 VPN Express Wizard: Step 3 • Secure Gateway: If Any displays in this field, it is not configurable for the chosen scenario. If this field is configurable, enter the WAN IP address or domain name of the remote IPSec device (secure gateway) to identify the remote IPSec router by its IP address or a domain name.
  • Page 85: VPN Express Wizard - Summary

    Chapter 5 Quick Setup 5.5.2 VPN Express Wizard - Summary This screen provides a read-only summary of the VPN tunnel’s configuration and also commands that you can copy and paste into another ZLD-based ZyWALL’s command line interface to configure it. Figure 48 VPN Express Wizard: Step 4 •...
  • Page 86: VPN Express Wizard - Finish

    Chapter 5 Quick Setup 5.5.3 VPN Express Wizard - Finish Now you can use the VPN tunnel. Figure 49 VPN Express Wizard: Step 6 Note: If you have not already done so, use the myZyXEL.com link and register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Click Close to exit the wizard.
  • Page 87: VPN Advanced Wizard - Scenario

    Chapter 5 Quick Setup 5.5.4 VPN Advanced Wizard - Scenario Click the Advanced radio button as shown in Figure 45 on page 82 to display the following screen. Figure 50 VPN Advanced Wizard: Scenario Rule Name: Type the name used to identify this VPN connection (and VPN gateway).
  • Page 88: VPN Advanced Wizard - Phase 1 Settings

    Chapter 5 Quick Setup • Remote Access (Client Role) - Choose this to connect to an IPSec server. This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel. 5.5.5 VPN Advanced Wizard - Phase 1 Settings There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange).
  • Page 89 Chapter 5 Quick Setup that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. AES128 uses a 128-bit key and is faster than 3DES. AES192 uses a 192-bit key and AES256 uses a 256-bit key.
  • Page 90: VPN Advanced Wizard - Phase 2

    Chapter 5 Quick Setup 5.5.6 VPN Advanced Wizard - Phase 2 Phase 2 in an IKE uses the SA that was established in phase 1 to negotiate SAs for IPSec. Figure 52 VPN Advanced Wizard: Step 4 • Active Protocol: ESP is compatible with NAT, AH is not. •...
  • Page 91: VPN Advanced Wizard - Summary

    Chapter 5 Quick Setup • Nailed-Up: This displays for the site-to-site and remote access client role scenarios. Select this to have the ZyWALL automatically renegotiate the IPSec SA when the SA life time expires. 5.5.7 VPN Advanced Wizard - Summary This is a read-only summary of the VPN tunnel settings.
  • Page 92: Vpn Advanced Wizard - Finish

    Chapter 5 Quick Setup 5.5.8 VPN Advanced Wizard - Finish Now you can use the VPN tunnel. Figure 54 VPN Wizard: Step 6: Advanced Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Click Close to exit the wizard.
  • Page 93: Configuration Basics

Chapter 6 Configuration Basics This information is provided to help you configure the ZyWALL effectively. Some of it is helpful when you are just getting started. Some of it is provided for your reference when you configure various features in the ZyWALL. •...
  • Page 94: Zones, Interfaces, And Physical Ports

    Chapter 6 Configuration Basics objects whenever the interface’s IP address settings change. For example, if you change an Ethernet interface’s IP address, the ZyWALL automatically updates the rules or settings that use the interface-based, LAN subnet address object. You can use the Configuration > Objects screens to create objects before you configure features that use them.
  • Page 95: Interface Types

    Chapter 6 Configuration Basics 6.2.1 Interface Types There are many types of interfaces in the ZyWALL. In addition to being used in various features, interfaces also describe the network that is directly connected to the ZyWALL. • Ethernet interfaces are the foundation for defining other interfaces and network policies.
  • Page 96: Default Interface And Zone Configuration

    Chapter 6 Configuration Basics 6.2.2 Default Interface and Zone Configuration This section introduces the ZyWALL’s default zone member physical interfaces and the default configuration of those interfaces. The following figure uses letters to denote public IP addresses or part of a private IP address. Figure 56 Default Network Topology Table 14 INTERFACE ZONE IP ADDRESS AND DHCP...
  • Page 97: Terminology In The Zywall

Chapter 6 Configuration Basics 6.3 Terminology in the ZyWALL This section highlights some differences in terminology or organization between the ZLD-based ZyWALL and other routers, particularly ZyNOS routers. Table 15 ZLD ZyWALL Terminology That is Different Than ZyNOS (ZyNOS feature/term → ZLD ZyWALL feature/term): IP alias → Virtual interface...
  • Page 98: Packet Flow

    Chapter 6 Configuration Basics 6.4 Packet Flow Here is the order in which the ZyWALL applies its features and checks. Figure 57 Packet Flow 6.4.1 ZLD 2.20 Packet Flow Enhancements ZLD version 2.20 has been enhanced to simplify configuration. The packet flow has been changed as follows: •...
  • Page 99: Routing Table Checking Flow Enhancements

Chapter 6 Configuration Basics • You do not need to set up policy routes for 1:1 NAT entries. • You can create Many 1:1 NAT entries to translate a range of private network addresses to a range of public IP addresses. •...
  • Page 100: Nat Table Checking Flow

    Chapter 6 Configuration Basics Policy Routes: These are the user-configured policy routes. Configure policy routes to send packets through the appropriate interface or VPN tunnel. See Chapter 15 on page 347 for more on policy routes. 1 to 1 and Many 1 to 1 NAT: These are the 1 to 1 NAT and many 1 to 1 NAT rules.
  • Page 101: Feature Configuration Overview

Chapter 6 Configuration Basics ZyWALL stops checking the packets against the NAT table and moves on to bandwidth management. Figure 59 NAT Table Checking Flow. The NAT table now covers: SNAT defined in the policy routes (this was already in ZLD 2.1x); 1 to 1 SNAT (including Many 1 to 1); and NAT loopback, which no longer requires a separate policy route.
  • Page 102: Feature

Chapter 6 Configuration Basics 6.5.1 Feature This provides a brief description. See the appropriate chapter(s) in this User’s Guide for more information about any feature. MENU ITEM(S) shows you the sequence of menu items and tabs you should click to find the main screen(s) for this feature. See the web help or the related User’s Guide chapter for information about each screen.
  • Page 103: Interface

Chapter 6 Configuration Basics subscription to update the anti-virus and IDP/application patrol signatures. You must have Internet access to myZyXEL.com. MENU ITEM(S): Configuration > Licensing > Update. PREREQUISITES: Registration (for anti-virus and IDP/application patrol), Internet access to myZyXEL.com. 6.5.4 Interface See Section 6.2 on page 94 for background information.
  • Page 104: Static Routes

Chapter 6 Configuration Basics PREREQUISITES: Criteria: users, user groups, interfaces (incoming), IPSec VPN (incoming), addresses (source, destination), address groups (source, destination), schedules, services, service groups. Next-hop: addresses (HOST gateway), IPSec VPN, SSL VPN, trunks, interfaces. NAT: addresses (translated address), services and service groups (port triggering). Example: You have an FTP server connected to ge4 (in the DMZ zone).
  • Page 105: Zones

Chapter 6 Configuration Basics PREREQUISITES: Interfaces. 6.5.8 Zones See Section 6.2 on page 94 for background information. A zone is a group of interfaces and VPN tunnels. The ZyWALL uses zones, not interfaces, in many security settings, such as firewall rules and remote management. Zones cannot overlap.
  • Page 106: Http Redirect

    Chapter 6 Configuration Basics Click Configuration > Network > NAT to configure the NAT entry. Add an entry. Name the entry. Select the WAN interface that the FTP traffic is to come in through. Specify the public WAN IP address where the ZyWALL will receive the FTP packets. In the Mapped IP field, list the IP address of the FTP server.
  • Page 107: Alg

Chapter 6 Configuration Basics 6.5.12 ALG The ZyWALL’s Application Layer Gateway (ALG) allows VoIP and FTP applications to go through NAT on the ZyWALL. You can also specify additional signaling port numbers. MENU ITEM(S): Configuration > Network > ALG. 6.5.13 Auth. Policy Use authentication policies to control who can access the network.
  • Page 108: Ipsec Vpn

    Chapter 6 Configuration Basics Click Configuration > Firewall to go to the firewall configuration. Select from the DMZ zone to the LAN1 zone, and add a firewall rule using the items you have configured. • You don’t need to specify the schedule or the user. •...
  • Page 109: L2Tp Vpn

Chapter 6 Configuration Basics 6.5.17 L2TP VPN Use L2TP VPN to let remote users use the L2TP and IPSec client software included with their computers’ operating systems to securely connect to the network behind the ZyWALL. MENU ITEM(S): Configuration > VPN > L2TP VPN. PREREQUISITES: Interfaces, IPSec VPN connection, certificates (authentication), authentication methods (extended authentication), addresses (local...
  • Page 110: Anti-Virus

Chapter 6 Configuration Basics 6.5.19 Anti-Virus Use anti-virus to detect and take action on viruses. You must subscribe to use anti-virus. You can subscribe using the Licensing > Registration screens or one of the wizards. MENU ITEM(S): Configuration > Anti-X > AV. PREREQUISITES: Registration, zones...
  • Page 111: Anti-Spam

    Chapter 6 Configuration Basics Create a schedule for the work day (Configuration > Object > Schedule). Click Configuration > Anti-X > Content Filter > Filter Profile. Click the Add icon to go to the screen where you can configure a category-based profile. Name the profile and enable it.
  • Page 112: Objects

    Chapter 6 Configuration Basics 6.6 Objects Objects store information and are referenced by other features. If you update this information in response to changes, the ZyWALL automatically propagates the change through the features that use the object. Move your cursor over a configuration object that has a magnifying-glass icon (such as a user group, address, address group, service, service group, zone, or schedule) to display basic information about the object.
  • Page 113: System

Chapter 6 Configuration Basics Table 20 User Types: guest - can access network services; ext-user - the same as a user or a guest, except that the ZyWALL looks up the specific type in an external authentication server and, if the type is not available, applies default settings.
  • Page 114: Logs And Reports

    Chapter 6 Configuration Basics Create an address object for the administrator’s computer (Configuration > Object > Address). Click Configuration > System > WWW to configure the HTTP management access. Enable HTTPS and add an administrator service control entry. • Select the address object for the administrator’s computer. •...
  • Page 115 Chapter 6 Configuration Basics Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the ZyWALL or remove the power. Not doing so can cause the firmware to become corrupt. MENU ITEM(S): Maintenance > Shutdown. ZyWALL USG 1000 User’s Guide...
  • Page 117: Tutorials

Chapter 7 Tutorials Here are examples of using the Web Configurator to set up features in the ZyWALL. See also Chapter 8 on page 169 for an example of configuring L2TP VPN. Note: The tutorials featured here require a basic understanding of connecting to and using the Web Configurator, see Chapter 3 on page 47 for details.
  • Page 118: Configure A Wan Ethernet Interface

    Chapter 7 Tutorials • You want to be able to apply security settings specifically for all VPN tunnels so you create a new VPN zone. Figure 60 Ethernet Interface, Port Grouping, and Zone Configuration Example 7.1.1 Configure a WAN Ethernet Interface You need to assign the ZyWALL’s ge2 interface a static IP address of 1.2.3.4.
  • Page 119: Configure Port Grouping

    Chapter 7 Tutorials Click Configuration > Network > Zone and then the Add icon. Enter VPN as the name, select Default_L2TP_VPN_Connection and move it to the Member box and click OK. Figure 62 Configuration > Network > Zone > WAN Edit 7.1.3 Configure Port Grouping Here is how to combine physical ports P4 and P5 into the ge4 interface port group.
  • Page 120: How To Configure A Cellular Interface

Chapter 7 Tutorials Click Dashboard, and look at the Interface Status Summary. Ethernet interface ge4 has a status of Port Group Up if it is connected or Port Group Down if it is not connected. Ethernet interface ge5 has a status of Port Group Inactive.
  • Page 121 Chapter 7 Tutorials Enable the interface and add it to a zone. Set the Zone to WAN so that your WAN zone security settings (firewall rules, remote management restrictions and so on) also apply to this 3G connection. If you leave Zone set to none, the ZyWALL applies no security settings at all to the 3G connection, which leaves it unprotected by the firewall.
  • Page 122: How To Configure Load Balancing

    Chapter 7 Tutorials This way the ZyWALL can automatically balance the traffic load amongst the available WAN connections to enhance overall network throughput. Plus, if a WAN connection goes down, the ZyWALL still sends traffic through the remaining WAN connections. For a simple test, disconnect all of the ZyWALL’s wired WAN connections.
  • Page 123: Configure The Wan Trunk

Chapter 7 Tutorials Click Configuration > Network > Interface > Ethernet and double-click the ge2 entry. Enter the available bandwidth (1000 kbps) in the Egress Bandwidth field. Click OK. Figure 69 Configuration > Network > Interface > Ethernet > Edit (ge2) Repeat the process to set the egress bandwidth for ge3 to 512 kbps.
  • Page 124 Chapter 7 Tutorials Name the trunk and set the Load Balancing Algorithm field to Weighted Round Robin. Add ge2 and enter 2 in the Weight column. Add ge3 and enter 1 in the Weight column. Click OK. Figure 70 Configuration > Network > Interface > Trunk > Add
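How the weighted round robin trunk above distributes new sessions and what happens when a member goes down, as an added example (illustration code, not the ZyWALL's implementation or ZyXEL's code). It reproduces the tutorial's trunk, ge2 with weight 2 and ge3 with weight 1; the per-session assignment and the up/down flag are this example's own simplification of the ZyWALL's load balancing and link monitoring.

```python
"""Weighted round robin over a WAN trunk (added illustration, not ZyXEL code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Member:
    name: str
    weight: int
    up: bool = True


class WrrTrunk:
    """Hands each new session to a member in proportion to its weight."""

    def __init__(self, members: list[Member]):
        if not members or any(m.weight < 1 for m in members):
            raise ValueError("every member needs a weight of at least 1")
        self.members = members
        self._pos = 0      # index of the member currently being served
        self._served = 0   # sessions handed to that member in this round

    def set_link(self, name: str, up: bool) -> None:
        """Mark a WAN connection up or down (what link monitoring would report)."""
        for m in self.members:
            if m.name == name:
                m.up = up
                return
        raise KeyError(name)

    def next_interface(self) -> Optional[str]:
        """Pick the interface for a new session; None when every member is down."""
        if not any(m.up for m in self.members):
            return None
        while True:
            m = self.members[self._pos]
            if m.up and self._served < m.weight:
                self._served += 1
                return m.name
            # Quota used up or link down: move on to the next member.
            self._pos = (self._pos + 1) % len(self.members)
            self._served = 0


def distribute(trunk: WrrTrunk, sessions: int) -> dict[str, int]:
    """Count how many of `sessions` new flows land on each interface."""
    counts: dict[str, int] = {}
    for _ in range(sessions):
        iface = trunk.next_interface()
        if iface is None:
            break
        counts[iface] = counts.get(iface, 0) + 1
    return counts


if __name__ == "__main__":
    trunk = WrrTrunk([Member("ge2", 2), Member("ge3", 1)])
    print(distribute(trunk, 6))        # two sessions on ge2 for every one on ge3
    trunk.set_link("ge2", False)       # simulate the ge2 WAN connection going down
    print(distribute(trunk, 3))        # everything now leaves through ge3
```

The 2:1 weights track the 1000 kbps versus 512 kbps egress bandwidths set earlier; keep the weights and the bandwidth figures in step when a link is upgraded, and remember that the firewall still applies to the 3G or secondary WAN member only if that interface is in the WAN zone.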
  • Page 125: How To Set Up An Ipsec Vpn Tunnel

    Chapter 7 Tutorials Select the trunk as the default trunk and click Apply. Figure 71 Configuration > Network > Interface > Trunk 7.4 How to Set Up an IPSec VPN Tunnel This example shows how to use the IPSec VPN configuration screens to create the following VPN tunnel, see Section 5.4 on page 82 for details on the VPN quick...
  • Page 126: Set Up The Vpn Gateway

Chapter 7 Tutorials In this example, the ZyWALL is router X (1.2.3.4), and the remote IPSec router is router Y (2.2.2.2). Create the VPN tunnel between ZyWALL X’s LAN subnet (192.168.1.0/24) and the LAN subnet behind peer IPSec router Y (172.16.1.0/24).
  • Page 127: Set Up The Vpn Connection

    Chapter 7 Tutorials 7.4.2 Set Up the VPN Connection The VPN connection manages the IPSec SA. You have to set up the address objects for the local network and remote network before you can set up the VPN connection. Click Configuration > Object > Address. Click the Add icon. Give the new address object a name (“VPN_REMOTE_SUBNET”), change the Address Type to SUBNET.
  • Page 128: Configure Security Policies For The Vpn Tunnel

    Chapter 7 Tutorials Enable the VPN connection and name it (“VPN_CONN_EXAMPLE”). Under VPN Gateway select Site-to-site and the VPN gateway (VPN_GW_EXAMPLE). Under Policy, select LAN_SUBNET for the local network and VPN_REMOTE_SUBNET for the remote. Click OK. Figure 75 Configuration > VPN > IPSec VPN > VPN Connection > Add Now set up the VPN settings on the peer IPSec router and try to establish the VPN tunnel.
  • Page 129: How To Configure A Hub-And-Spoke Ipsec Vpn Without A Vpn Concentrator

    Chapter 7 Tutorials 7.5 How to Configure a Hub-and-spoke IPSec VPN Without a VPN Concentrator A hub-and-spoke IPSec VPN connects IPSec VPN tunnels to form one secure network. This reduces the number of VPN connections that you have to set up and maintain in the network.
  • Page 130 Chapter 7 Tutorials • My Address: 10.0.0.1 • Peer Gateway Address: 10.0.0.2 VPN Connection (VPN Tunnel 1): • Local Policy: 192.168.168.0~192.168.169.255 • Remote Policy: 192.168.167.0/255.255.255.0 • Disable Policy Enforcement VPN Gateway (VPN Tunnel 2): • My Address: 10.0.0.1 • Peer Gateway Address: 10.0.0.3 VPN Connection (VPN Tunnel 2): •...
  • Page 131: How To Configure User-Aware Access Control

    Chapter 7 Tutorials • To have all Internet access from the spoke routers to go through the VPN tunnel, set the VPN rules in the spoke routers to use 0.0.0.0 (any) as the remote IP address. • Your firewall rules can still block VPN packets. •...
  • Page 132: Set Up User Accounts

    Chapter 7 Tutorials 7.6.1 Set Up User Accounts Set up one user account for each user account in the RADIUS server. If it is possible to export user names from the RADIUS server to a text file, then you might create a script to create the user accounts instead. This example uses the Web Configurator.
  • Page 133: Set Up User Authentication Using The Radius Server

    Chapter 7 Tutorials Enter the name of the group that is used in Table 21 on page 131. In this example, it is “Finance”. Then, select User/Leo and click the right arrow to move him to the Member list. This example only has one member in this group, so click OK. Of course you could add more members later.
  • Page 134 Chapter 7 Tutorials Click Configuration > Object > AAA Server > RADIUS. Double-click the radius entry. Configure the RADIUS server’s address, authentication port (1812 if you were not told otherwise) and key (the shared secret, which must match the one configured on the RADIUS server), and click Apply. Figure 79 Configuration > Object > AAA Server > RADIUS > Add Click Configuration >...
  • Page 135: Web Surfing Policies With Bandwidth Restrictions

    Chapter 7 Tutorials Note: The users will have to log in using the Web Configurator login screen before they can use HTTP or MSN. Figure 81 Configuration > Object > User/Group > Setting > Add (Force User Authentication Policy) When the users try to browse the web (or use any HTTP/HTTPS application), the Login screen appears.
  • Page 136 Chapter 7 Tutorials Click Configuration > AppPatrol. If application patrol and bandwidth management are not enabled, enable them, and click Apply. Figure 82 Configuration > AppPatrol > General Click the Common tab and double-click the http entry. Figure 83 Configuration > AppPatrol > Common
  • Page 137 Chapter 7 Tutorials Double-click the Default policy. Figure 84 Configuration > AppPatrol > Common > http Change the access to Drop because you do not want anyone except authorized user groups to browse the web. Click OK. Figure 85 Configuration > AppPatrol > Common > http > Edit Default
  • Page 138: Set Up Msn Policies

    Chapter 7 Tutorials Click the Add icon in the policy list. In the new policy, select one of the user groups that is allowed to browse the web and set the corresponding bandwidth restriction in the Inbound and Outbound fields. Click OK. Repeat this process to add exceptions for all the other user groups that are allowed to browse the web.
  • Page 139: Set Up Firewall Rules

    Chapter 7 Tutorials Give the schedule a descriptive name. Set up the days (Monday through Friday) and the times (8:30 - 18:00) when Sales is allowed to use MSN. Click OK. Figure 87 Configuration > Object > Schedule > Add (Recurring) Follow the steps in Section 7.6.4 on page 135 to set up the appropriate policies for...
  • Page 140: How To Use A Radius Server To Authenticate User Accounts Based On Groups

    Chapter 7 Tutorials Click the Add icon again and create a rule for one of the user groups that is allowed to access the DMZ. Figure 89 Configuration > Firewall > Add Repeat this process to set up firewall rules for the other user groups that are allowed to access the DMZ.
  • Page 141 Chapter 7 Tutorials Click Configuration > Object > AAA Server > RADIUS. Double-click the radius entry. Besides configuring the RADIUS server’s address, authentication port, and key; set the Group Membership Attribute field to the attribute that the ZyWALL is to check to determine to which group a user belongs. This example uses Class.
  • Page 142: How To Use Endpoint Security And Authentication Policies

    Chapter 7 Tutorials Now you add ext-group-user user objects to identify groups based on the group identifier values. Set up one user account for each group of user accounts in the RADIUS server. Click Configuration > Object > User/Group > User. Click the Add icon.
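What the group lookup described in the last two pages amounts to on the wire, as an added example (illustration code, not the ZyWALL's firmware or ZyXEL's code): once the Group Membership Attribute is set to Class, the ZyWALL has to confirm the Access-Accept it receives was produced with the key configured for the RADIUS server, pull every Class value out of the attribute list, and match it against the group identifiers on its ext-group-user objects. The packet, the secret and the Request Authenticator below are constructed for the example; the group names are the tutorial's.

```python
"""RADIUS group membership via the Class attribute (added illustration, not ZyXEL code)."""
import hashlib
import hmac
import struct
from typing import Optional

ACCESS_ACCEPT = 2
CLASS = 25            # RADIUS attribute type for Class (RFC 2865)


def encode_attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([atype, len(value) + 2]) + value


def build_access_accept(ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: a reply whose authenticator does not check out was not made with our key."""
    if len(packet) < 20:
        return False
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    _code, _ident, length = struct.unpack("!BBH", header)
    if length != len(packet):
        return False
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attrs(attrs: bytes) -> list[tuple[int, bytes]]:
    """Walk the attribute list, rejecting lengths that run past the packet."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        out.append((atype, attrs[i + 2:i + alen]))
        i += alen
    return out


def group_for(packet: bytes, request_auth: bytes, secret: bytes,
              ext_group_users: dict[str, bytes], membership_attr: int = CLASS) -> Optional[str]:
    """Name of the ext-group-user object whose identifier the reply carries.

    None means the reply was genuine but named no configured group, which is
    where the ZyWALL falls back to its default settings for the user.
    """
    if not verify_response(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong key or forged reply")
    if packet[0] != ACCESS_ACCEPT:
        raise PermissionError("server did not accept the user")
    values = {v for t, v in parse_attrs(packet[20:]) if t == membership_attr}
    for name, identifier in ext_group_users.items():
        if identifier in values:
            return name
    return None


# Constructed example data: two ext-group-user objects and a reply for one user.
EXT_GROUP_USERS = {"Finance": b"Finance", "Sales": b"Sales"}
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))     # the Request Authenticator we sent (constructed)

if __name__ == "__main__":
    reply = build_access_accept(7, REQUEST_AUTH, encode_attr(CLASS, b"Finance"), SECRET)
    print(group_for(reply, REQUEST_AUTH, SECRET, EXT_GROUP_USERS))   # Finance
```

The authenticator check is what stops a spoofed Access-Accept carrying a chosen Class value from placing a user in a privileged group; it depends entirely on the key being secret and on the RADIUS exchange staying on a trusted path between the ZyWALL and the server.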
  • Page 143 Chapter 7 Tutorials • Select Endpoint must have Personal Firewall installed and move the Kaspersky Internet Security entries to the allowed list (you can double-click an entry to move it). • Select Endpoint must have Anti-Virus software installed and move the Kaspersky Internet Security and Kaspersky Anti-Virus anti-virus software entries to the allowed list.
  • Page 144: Configure The Authentication Policy

    Chapter 7 Tutorials Repeat as needed to create endpoint security objects for other Windows operating system versions. 7.8.2 Configure the Authentication Policy Click Configuration > Auth. Policy > Add to open the Endpoint Security Edit screen. Use this screen to configure an authentication policy to use endpoint security objects.
  • Page 145: How To Configure Service Control

    Chapter 7 Tutorials Turn on authentication policy and click Apply. Figure 94 Configuration > Auth. Policy The following figure shows an error message example when a user’s computer does not meet an endpoint security object’s requirements. Click Close to return to the login screen.
  • Page 146: Allow Https Administrator Access Only From The Lan

Chapter 7 Tutorials user access (logging into SSL VPN for example). See Chapter 50 on page 793 for more on service control. The To-ZyWALL firewall rules apply to any kind of HTTP or HTTPS connection to the ZyWALL. They do not distinguish between administrator management access and user access.
  • Page 147 Chapter 7 Tutorials Select the new rule and click the Add icon. Figure 98 Configuration > System > WWW (First Example Admin Service Rule Configured) In the Zone field select ALL and set the Action to Deny. Click OK. Figure 99 Configuration > System > WWW > Service Control Rule Edit
  • Page 148: How To Allow Incoming H.323 Peer-To-Peer Calls

    Chapter 7 Tutorials Click Apply. Figure 100 Configuration > System > WWW (Second Example Admin Service Rule Configured) Now administrator access to the Web Configurator can only come from the LAN zone. Non-admin users can still use HTTPS to log into the ZyWALL from any of the ZyWALL’s zones (to use SSL VPN for example).
  • Page 149: Turn On The Alg

Chapter 7 Tutorials for ge2 IP address 10.0.0.8 to an H.323 device located on the LAN and using IP address 192.168.1.56. Figure 101 WAN to LAN H.323 Peer-to-peer Calls Example 7.10.1 Turn On the ALG Click Configuration > Network > ALG. Select Enable H.323 ALG and Enable H.323 transformations and click Apply.
  • Page 150 Chapter 7 Tutorials Use Configuration > Object > Address > Add to create an address object for the public WAN IP address (called WAN_IP-for-H323 here). Then use it again to create an address object for the H.323 device’s private LAN IP address (called LAN_H323 here).
  • Page 151: Set Up A Firewall Rule For H.323

    Chapter 7 Tutorials Click Configuration > Network > NAT > Add. Configure a name for the rule (WAN-LAN_H323 here). You want the LAN H.323 device to receive peer-to-peer calls from the WAN and also be able to initiate calls to the WAN so you set the Classification to NAT 1:1. Set the Incoming Interface to ge2.
  • Page 152: How To Allow Public Access To A Web Server

    Chapter 7 Tutorials Click Configuration > Firewall > Add. In the From field select WAN. In the To field select LAN. Configure a name for the rule (WAN-to-LAN_H323 here). Set the Destination to the H.323 device’s LAN IP address object (LAN_H323). LAN_H323 is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule.
  • Page 153: Create The Address Objects

    Chapter 7 Tutorials 7.11.1 Create the Address Objects Use Configuration > Object > Address > Add to create the address objects. Create a host address object named DMZ_HTTP for the HTTP server’s private IP address of 192.168.3.7. Figure 107 Creating the Address Object for the HTTP Server’s Private IP Address Create a host address object named Public_HTTP_Server_IP for the public WAN IP address 1.1.1.1.
  • Page 154: Set Up A Firewall Rule

Chapter 7 Tutorials • Keep Enable NAT Loopback selected to allow users connected to other interfaces to access the HTTP server (see NAT Loopback on page 393 for details). Figure 109 Creating the NAT Entry 7.11.3 Set Up a Firewall Rule The firewall blocks traffic from the WAN zone to the DMZ zone by default so you need to create a firewall rule to allow the public to send HTTP traffic to IP address 1.1.1.1 in order to access the HTTP server.
  • Page 155: How To Use An Ippbx On The Dmz

    Chapter 7 Tutorials Click Configuration > Firewall > Add. Set the From field as WAN and the To field as DMZ. Set the Destination to the HTTP server’s DMZ IP address object (DMZ_HTTP). DMZ_HTTP is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule.
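The ordering that this step, the SIP tutorial that follows and Section 6.4's NAT table flow all depend on, as an added example (illustration code, not the ZyWALL's firmware or ZyXEL's code): a 1:1 or Many 1:1 NAT entry rewrites the destination first, and the firewall then sees the private address, so a WAN-to-DMZ rule written with the public IP never matches anything. The interface-to-zone mapping and subnets (ge2 in WAN, ge4 in DMZ with 192.168.3.0/24, ge1 in LAN with 192.168.1.0/24), the default-deny fallback and deriving the To zone from the address are this example's assumptions, chosen to mirror the tutorial.

```python
"""DNAT before firewall, with 1:1, Many 1:1 and NAT loopback (added illustration, not ZyXEL code)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Assumed topology (mirrors the web-server tutorial).
ZONE_OF_IFACE = {"ge1": "LAN", "ge2": "WAN", "ge4": "DMZ"}
SUBNET_OF_IFACE = {"ge1": Net("192.168.1.0/24"), "ge4": Net("192.168.3.0/24")}


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class NatEntry:
    """1:1 when both networks are /32; Many 1:1 when they are equal-sized ranges."""
    name: str
    incoming_iface: str
    original: Net            # public address(es) the ZyWALL receives traffic on
    mapped: Net              # private address(es) the traffic is forwarded to
    loopback: bool = True    # Enable NAT Loopback: also translate from other interfaces


@dataclass(frozen=True)
class FirewallRule:
    name: str
    from_zone: str
    to_zone: str
    destination: Net
    dports: frozenset[int]
    allow: bool


def apply_dnat(pkt: Packet, entries: list[NatEntry]) -> tuple[Packet, Optional[str]]:
    """Rewrite the destination with the first matching NAT entry (first match wins)."""
    dst = IPv4(pkt.dst)
    for e in entries:
        if dst not in e.original:
            continue
        if pkt.in_iface != e.incoming_iface and not e.loopback:
            continue
        offset = int(dst) - int(e.original.network_address)   # Many 1:1 keeps the offset
        new_dst = IPv4(int(e.mapped.network_address) + offset)
        return replace(pkt, dst=str(new_dst)), e.name
    return pkt, None


def zone_of_address(ip: str) -> str:
    """Egress zone, derived from which interface subnet owns the address (simplified)."""
    addr = IPv4(ip)
    for iface, net in SUBNET_OF_IFACE.items():
        if addr in net:
            return ZONE_OF_IFACE[iface]
    return "WAN"


def evaluate(pkt: Packet, nat: list[NatEntry], rules: list[FirewallRule]) -> tuple[str, Optional[str]]:
    """Return (verdict, matched rule name); the firewall inspects the post-DNAT packet."""
    translated, _ = apply_dnat(pkt, nat)
    from_zone = ZONE_OF_IFACE[pkt.in_iface]
    to_zone = zone_of_address(translated.dst)
    for r in rules:
        if (r.from_zone == from_zone and r.to_zone == to_zone
                and IPv4(translated.dst) in r.destination
                and translated.dport in r.dports):
            return ("allow" if r.allow else "deny"), r.name
    return "deny", None     # WAN to DMZ is blocked unless a rule allows it


NAT = [
    NatEntry("WAN-to-DMZ_HTTP", "ge2", Net("1.1.1.1/32"), Net("192.168.3.7/32")),
    # Many 1:1: four public addresses onto four DMZ addresses, loopback off.
    NatEntry("Many1to1", "ge2", Net("1.1.1.16/30"), Net("192.168.3.16/30"), loopback=False),
]
WRONG_RULE = FirewallRule("WAN-to-DMZ_HTTP_public", "WAN", "DMZ", Net("1.1.1.1/32"), frozenset({80}), True)
RIGHT_RULE = FirewallRule("WAN-to-DMZ_HTTP", "WAN", "DMZ", Net("192.168.3.7/32"), frozenset({80}), True)

if __name__ == "__main__":
    wan_http = Packet("ge2", "203.0.113.5", "1.1.1.1", 80)
    print(evaluate(wan_http, NAT, [WRONG_RULE]))     # ('deny', None): public IP never matches
    print(evaluate(wan_http, NAT, [RIGHT_RULE]))     # ('allow', 'WAN-to-DMZ_HTTP')
    print(apply_dnat(Packet("ge1", "192.168.1.20", "1.1.1.1", 80), NAT))   # loopback from the LAN
```

The same reasoning gives the caveat the other way round: because the firewall rule is keyed on the private address, tightening it to port 80 only is what keeps the 1:1 entry from exposing every other port on 192.168.3.7, so always pair a 1:1 or Many 1:1 entry with a rule that lists only the services the server should offer.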
  • Page 156 Chapter 7 Tutorials address 1.1.1.2 that you will use on the ge3 interface and map to the IPPBX’s private IP address of 192.168.3.7. The local SIP clients are on the LAN. Figure 111 IPPBX Example Network Topology
  • Page 157: Turn On The Alg

    Chapter 7 Tutorials 7.12.1 Turn On the ALG Click Configuration > Network > ALG. Select Enable SIP ALG and Enable SIP Transformations and click Apply. Figure 112 Configuration > Network > ALG 7.12.2 Create the Address Objects Use Configuration > Object > Address > Add to create the address objects. Create a host address object named IPPBX-DMZ for the IPPBX’s private DMZ IP address of 192.168.3.9.
  • Page 158: Setup A Nat Policy For The Ippbx

    Chapter 7 Tutorials Create a host address object named IPPBX-Public for the public WAN IP address 1.1.1.2. Figure 114 Creating the Public IP Address Object 7.12.3 Setup a NAT Policy for the IPPBX Click Configuration > Network > NAT > Add. •...
  • Page 159: Set Up A Wan To Dmz Firewall Rule For Sip

    Chapter 7 Tutorials • Click OK. Figure 115 Configuration > Network > NAT > Add 7.12.4 Set Up a WAN to DMZ Firewall Rule for SIP The firewall blocks traffic from the WAN zone to the DMZ zone by default so you need to create a firewall rule to allow the public to send SIP traffic to the IPPBX.
  • Page 160: Set Up A Dmz To Lan Firewall Rule For Sip

Chapter 7 Tutorials Click Configuration > Firewall > Add. Set the From field as WAN and the To field as DMZ. Set the Destination to the IPPBX’s DMZ IP address object (IPPBX-DMZ). IPPBX-DMZ is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule.
  • Page 161: How To Use Multiple Static Public Wan Ip Addresses For Lan To Wan Traffic

Chapter 7 Tutorials Click Configuration > Firewall > Add. Set the From field as DMZ and the To field as LAN. Set the Source to the IPPBX’s DMZ IP address object (IPPBX-DMZ). Leave the Access field set to allow and click OK.
  • Page 162: Configure The Policy Route

Chapter 7 Tutorials 7.13.2 Configure the Policy Route Now you need to configure a policy route that has the ZyWALL use the range of public IP addresses as the source address for LAN to WAN traffic. Click Configuration > Network > Routing > Add. Although adding a description is optional, it is recommended.
  • Page 163: Before You Start

    Chapter 7 Tutorials An Ethernet switch connects both ZyWALLs’ ge1 interfaces to the LAN. Whichever ZyWALL is functioning as the master uses the default gateway IP address of the LAN computers (192.168.1.1) for its ge1 interface and the static public IP address (1.1.1.1) for its ge2 interface.
  • Page 164: Configure Device Ha On The Master Zywall

    Chapter 7 Tutorials 7.14.2 Configure Device HA on the Master ZyWALL Log into ZyWALL A (the master) and click Configuration > Device HA > Active- Passive Mode. Double-click ge1’s entry. Configure 192.168.1.3 as the Management IP and 255.255.255.0 as the Manage IP Subnet Mask.
  • Page 165: Configure The Backup Zywall

    Chapter 7 Tutorials Click the General tab. Turn on device HA and click Apply. Figure 124 Configuration > Device HA > General: Master ZyWALL Example 7.14.3 Configure the Backup ZyWALL Connect a computer to ZyWALL B’s ge1 interface and log into its Web Configurator.
  • Page 166: Deploy The Backup Zywall

Chapter 7 Tutorials Set the Device Role to Backup. Activate monitoring for the ge1 and ge2 interfaces. Set the Synchronization Server Address to 192.168.1.1, the Port to 21, and the Password to “mySyncPassword”. Use a strong synchronization password and treat it like an administrator credential: it is what lets the backup pull the master’s complete configuration. Select Auto Synchronize and set the Interval to 60. Click Apply. Figure 126 Configuration >...
  • Page 167: Check Your Device Ha Setup

    Chapter 7 Tutorials hour). If ZyWALL A fails or loses its ge1 or ge2 connection, ZyWALL B functions as the master. 7.14.5 Check Your Device HA Setup To make sure ZyWALL B copied ZyWALL A’s settings, you can log into ZyWALL B’s management IP address (192.168.1.5) and check the configuration.
  • Page 169: L2Tp Vpn Example

Chapter 8 L2TP VPN Example Here is how to create a basic L2TP VPN tunnel. 8.1 L2TP VPN Example This example uses the following settings in creating a basic L2TP VPN tunnel. Figure 128 L2TP VPN Example 172.16.1.2 L2TP_POOL: 192.168.10.10~192.168.10.20...
  • Page 170 Chapter 8 L2TP VPN Example • Configure the My Address setting. This example uses interface ge2 with static IP address 172.16.1.2. Note: If it is possible that the remote user’s public IP address could be in the same subnet as the specified My Address, click Configure > Network > Routing > Policy Route >...
  • Page 171: Configuring The Default L2Tp Vpn Connection Example

    Chapter 8 L2TP VPN Example 8.3 Configuring the Default L2TP VPN Connection Example Click Configuration > VPN > Network > IPSec VPN to open the screen that lists the VPN connections. Double-click the Default_L2TP_VPN_Connection entry. Click the Show Advanced Settings button. Configure and enforce the local and remote policies.
  • Page 172: Configuring The L2Tp Vpn Settings Example

    Chapter 8 L2TP VPN Example Select the Default_L2TP_VPN_Connection entry and click Activate and then Apply to turn on the entry. Figure 132 Configuration > VPN > IPSec VPN > VPN Connection (Enable) 8.4 Configuring the L2TP VPN Settings Example Click Configuration > VPN > L2TP VPN and configure the following. •...
  • Page 173: Configuring L2Tp Vpn In Windows Vista, Xp, Or 2000

    Chapter 8 L2TP VPN Example • The other fields are left to the defaults in this example, click Apply. Figure 133 Configuration > VPN > L2TP VPN Example 8.5 Configuring L2TP VPN in Windows Vista, XP, or 2000 The following sections cover how to configure L2TP in remote user computers using Windows Vista, XP, and 2000.
  • Page 174 Chapter 8 L2TP VPN Example Select Connect to a workplace and click Next. Figure 134 Set up a connection or network: Chose a connection type Select Use my Internet connection (VPN). Figure 135 Connect to a workplace: How do you want to connect?
  • Page 175 Chapter 8 L2TP VPN Example Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN (172.16.1.2 in this example). For the Destination Name, enter L2TP to ZyWALL. Select Don’t connect now, just set it up so I can connect later and click Next.
  • Page 176 Chapter 8 L2TP VPN Example Click Close. Figure 138 Connect to a workplace: The connection is ready to use In the Network and Sharing Center screen, click Connect to a network. Right-click the L2TP VPN connection and select Properties. Figure 139 Connect L2TP to ZyWALL
  • Page 177 Chapter 8 L2TP VPN Example Click Security, select Advanced (custom settings) and click Settings. Figure 140 Connect L2TP to ZyWALL: Security Set Data encryption to Optional encryption (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes.
  • Page 178 Chapter 8 L2TP VPN Example inside it. The L2TP tunnel itself does not need encryption since it is inside the encrypted IPSec VPN tunnel. This is only safe because the connection type is L2TP IPSec VPN (set in the next step): PAP sends the user name and password in cleartext within L2TP, so the connection must never be allowed to fall back to L2TP without IPSec. Figure 142 Connect ZyWALL L2TP: Security > Advanced > Warning 11 Click Networking. Set the Type of VPN to L2TP IPSec VPN and click IPSec Settings.
  • Page 179 Chapter 8 L2TP VPN Example 13 Select the L2TP VPN connection and click Connect. Figure 145 L2TP to ZyWALL Properties: Networking 14 Enter the user name and password of your ZyWALL user account. Click Connect. Figure 146 Connect L2TP to ZyWALL
  • Page 180 Chapter 8 L2TP VPN Example 15 A window appears while the user name and password are verified and notifies you when the connection is established. Figure 147 Connecting to L2TP to ZyWALL 16 If a window appears asking you to select a location for the network, you can select Work if you want your computer to be discoverable by computers behind the ZyWALL.
  • Page 181 Chapter 8 L2TP VPN Example 17 After the network location has been set, click Close. Figure 149 Set Network Location Successful 18 After the connection is up a connection icon displays in your system tray. Click it and then the L2TP connection to open a status screen. Figure 150 Connection System Tray Icon
  • Page 182 Chapter 8 L2TP VPN Example 19 Click the L2TP connection’s View status link to open a status screen. Figure 151 Network and Sharing Center 20 Click Details to see the address that you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20).
  • Page 183: Configuring L2Tp In Windows Xp

    Chapter 8 L2TP VPN Example 8.5.2 Configuring L2TP in Windows XP In Windows XP do the following to establish an L2TP VPN connection. Click Start > Control Panel > Network Connections > New Connection Wizard. Click Next in the Welcome screen. Select Connect to the network at my workplace and click Next.
  • Page 184 Chapter 8 L2TP VPN Example Type L2TP to ZyWALL as the Company Name. Figure 155 New Connection Wizard: Connection Name Select Do not dial the initial connection and click Next. Figure 156 New Connection Wizard: Public Network
  • Page 185 Chapter 8 L2TP VPN Example Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN (172.16.1.2 in this example). Figure 157 New Connection Wizard: VPN Server Selection 172.16.1.2 Click Finish.
  • Page 186 Chapter 8 L2TP VPN Example 10 Click Security, select Advanced (custom settings) and click Settings. Figure 159 Connect L2TP to ZyWALL: Security 11 Select Optional encryption (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes.
  • Page 187 Chapter 8 L2TP VPN Example 12 Click IPSec Settings. Figure 161 L2TP to ZyWALL Properties > Security 13 Select the Use pre-shared key for authentication check box and enter the pre- shared key used in the VPN gateway configuration that the ZyWALL is using for L2TP VPN.
  • Page 188 Chapter 8 L2TP VPN Example 14 Click Networking. Select L2TP IPSec VPN as the Type of VPN. Click OK. Figure 163 L2TP to ZyWALL Properties: Networking 15 Enter the user name and password of your ZyWALL account. Click Connect. Figure 164 Connect L2TP to ZyWALL 16 A window appears while the user name and password are verified.
  • Page 189: Configuring L2Tp In Windows 2000

    Chapter 8 L2TP VPN Example 18 Click Details and check that the address you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20). Figure 166 ZyWALL-L2TP Status: Details 19 Access a server or other network resource behind the ZyWALL to make sure your access works.
  • Page 190 Chapter 8 L2TP VPN Example Select HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters. Figure 168 Registry Key Right-click Parameters and select New > DWORD Value. Figure 169 New DWORD Value Enter ProhibitIpSec as the name and make sure the Data value is 0. Figure 170 ProhibitIpSec DWORD Value Restart the computer and continue with the next section.
  • Page 191 Chapter 8 L2TP VPN Example 8.5.3.2 Configure the Windows 2000 IPSec Policy After you have created the registry entry and restarted the computer, use these directions to configure an IPSec policy for the computer to use. Click Start > Run. Type mmc and click OK. Figure 171 Run mmc Click Console >...
  • Page 192 Chapter 8 L2TP VPN Example Click Add > IP Security Policy Management >Add > Finish. Click Close > Figure 173 Add > IP Security Policy Management > Finish Right-click IP Security Policies on Local Machine and click Create IP Security Policy.
  • Page 193 Chapter 8 L2TP VPN Example Name the IP security policy L2TP to ZyWALL, and click Next. Figure 175 IP Security Policy: Name Clear the Activate the default response rule check box and click Next. Figure 176 IP Security Policy: Request for Secure Communication
  • Page 194 Chapter 8 L2TP VPN Example Leave the Edit Properties check box selected and click Finish. Figure 177 IP Security Policy: Completing the IP Security Policy Wizard In the properties dialog box, click Add > Next. Figure 178 IP Security Policy Properties > Add
  • Page 195 Chapter 8 L2TP VPN Example Select This rule does not specify a tunnel and click Next. Figure 179 IP Security Policy Properties: Tunnel Endpoint 10 Select All network connections and click Next. Figure 180 IP Security Policy Properties: Network Type
  • Page 196 Chapter 8 L2TP VPN Example 11 Select Use this string to protect the key exchange (preshared key), type the pre-shared key configured on the ZyWALL’s VPN gateway for L2TP VPN (password in this example) in the text box, and click Next. Figure 181 IP Security Policy Properties: Authentication Method 12 Click Add. Figure 182 IP Security Policy Properties: IP Filter List
  • Page 197 Chapter 8 L2TP VPN Example 13 Type ZyWALL WAN_IP in the Name field. Clear the Use Add Wizard check box and click Add. Figure 183 IP Security Policy Properties: IP Filter List > Add 14 Configure the following in the Addressing tab. Select My IP Address in the Source address drop-down list box.
  • Page 198 Chapter 8 L2TP VPN Example 15 Configure the following in the Filter Properties window’s Protocol tab. Set the protocol type to UDP from port 1701. Select To any port. Click Apply, OK, and then Close. Figure 185 Filter Properties: Protocol 16 Select ZyWALL WAN_IP and click Next.
  • Page 199 Chapter 8 L2TP VPN Example 17 Select Require Security and click Next. Then click Finish and Close. Figure 187 IP Security Policy Properties: IP Filter List 18 In the Console window, right-click L2TP to ZyWALL and select Assign. Figure 188 Console: L2TP to ZyWALL Assign 8.5.3.3 Configure the Windows 2000 Network Connection After you have configured the IPSec policy, use these directions to create a network connection.
  • Page 200 Chapter 8 L2TP VPN Example Click Start > Settings > Network and Dial-up connections > Make New Connection. In the wizard welcome screen, click Next. Figure 189 Start New Connection Wizard Select Connect to a private network through the Internet and click Next. Figure 190 New Connection Wizard: Network Connection Type Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN.
  • Page 201 Chapter 8 L2TP VPN Example Select For all users and click Next. Figure 192 New Connection Wizard: Connection Availability Name the connection L2TP to ZyWALL and click Finish. Figure 193 New Connection Wizard: Naming the Connection Click Properties. Figure 194 Connect L2TP to ZyWALL
  • Page 202 Chapter 8 L2TP VPN Example Click Security, select Advanced (custom settings) and click Settings. Figure 195 Connect L2TP to ZyWALL: Security Select Optional encryption allowed (connect even if no encryption) and select the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes.
  • Page 203 Chapter 8 L2TP VPN Example Click Networking and select Layer 2 Tunneling Protocol (L2TP) from the drop-down list box. Click OK. Figure 197 Connect L2TP to ZyWALL: Networking 10 Enter your user name and password and click Connect. It may take up to one minute to establish the connection and register on the network.
  • Page 204 Chapter 8 L2TP VPN Example 12 Click Details and scroll down to check that the address you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20). Figure 200 L2TP to ZyWALL Status: Details 13 Access a server or other network resource behind the ZyWALL to make sure your access works.
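The three client procedures above (Windows 7, XP and 2000) all build the same thing: an L2TP connection to the ZyWALL's WAN address, authenticated with PAP and "optional" PPP encryption, wrapped in an IPSec tunnel keyed with the VPN gateway's pre-shared key. The PowerShell below is an added example, not part of the manual, that does the same configuration and then runs the two checks a practitioner wants after connecting: that the assigned address is in the ZyWALL's L2TP pool and that an IPSec SA to the gateway actually exists, so the PAP password was not sent in the clear. It assumes Windows 8 / Server 2012 or later (the VpnClient and NetSecurity modules are not on the Windows versions the manual describes); the connection name, server address 172.16.1.2 and the 192.168.10.10-192.168.10.20 pool are taken from the manual, while the pre-shared key and the account name zywall-user are placeholders.

```powershell
# Added example: "L2TP to ZyWALL" client connection from PowerShell.
# Assumes Windows 8 / Server 2012 or later; values marked placeholder must be replaced.

$ConnName = 'L2TP to ZyWALL'
$ServerIp = '172.16.1.2'        # My Address of the ZyWALL VPN gateway (from the manual)
$UserName = 'zywall-user'       # placeholder: a user account defined on the ZyWALL

$Psk = Read-Host -Prompt 'IPSec pre-shared key of the ZyWALL VPN gateway' -AsSecureString
$PlainPsk = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Psk))

# The manual's Windows 2000 registry step: ProhibitIpSec must be 0 so that L2TP is
# wrapped in IPSec. The value still exists on later Windows; if it is 1 the L2TP
# session, and the PAP password inside it, would go out without IPSec protection.
$rasKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
$prohibit = (Get-ItemProperty -Path $rasKey -Name ProhibitIpSec -ErrorAction SilentlyContinue).ProhibitIpSec
if ($prohibit -eq 1) {
    throw "ProhibitIpSec is 1 under $rasKey; set it to 0 and reboot before using PAP over L2TP."
}

# Security > Advanced and Networking settings from the manual in one call:
# L2TP/IPSec with pre-shared key, PAP as the only protocol, optional PPP encryption.
# PAP is acceptable here only because the PPP session rides inside the IPSec tunnel.
if (-not (Get-VpnConnection -Name $ConnName -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $ConnName -ServerAddress $ServerIp -TunnelType L2tp `
        -L2tpPsk $PlainPsk -AuthenticationMethod Pap -EncryptionLevel Optional `
        -RememberCredential -Force
}

# Dial with the ZyWALL user account (the manual's "enter the user name and password" step).
$cred = Get-Credential -UserName $UserName -Message 'ZyWALL L2TP account'
$pw = $cred.GetNetworkCredential().Password
& rasdial.exe $ConnName $cred.UserName $pw
if ($LASTEXITCODE -ne 0) { throw "rasdial failed with exit code $LASTEXITCODE" }

# Check 1 (the manual's Details step): the address must come from the L2TP pool.
$ip = (Get-NetIPAddress -InterfaceAlias $ConnName -AddressFamily IPv4).IPAddress
$last = [int]($ip.Split('.')[3])
if ($ip -notlike '192.168.10.*' -or $last -lt 10 -or $last -gt 20) {
    Write-Warning "Got $ip, outside the 192.168.10.10-192.168.10.20 range configured on the ZyWALL."
}

# Check 2 (not in the manual): an IPSec quick-mode SA to the ZyWALL must exist,
# otherwise the L2TP/PAP exchange was not encapsulated.
$sa = Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $ServerIp }
if (-not $sa) {
    Write-Warning "No IPSec quick-mode SA to $ServerIp; the L2TP session is not protected."
} else {
    "L2TP/IPSec up: client $ip, $($sa.Count) IPSec quick-mode SA(s) to $ServerIp"
}
```

Run it in an elevated PowerShell session. If the second check warns, do not keep using the connection: with PAP and optional encryption, an unprotected L2TP session exposes the account password to anyone on the path to the ZyWALL.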
  • Page 207: Technical Reference

    Technical Reference...
  • Page 209: Dashboard

    Chapter 9 Dashboard 9.1 Overview Use the Dashboard screens to check status information about the ZyWALL. 9.1.1 What You Can Do in this Chapter Use the Dashboard screens for the following. • Use the main Dashboard screen (see Section 9.2 on page 209) to see the ZyWALL’s general device information, system status, system resource usage,...
  • Page 210 Chapter 9 Dashboard interface status in widgets that you can re-arrange to suit your needs. You can also collapse, refresh, and close individual widgets. Figure 201 Dashboard The following table describes the labels in this screen. Table 22 Dashboard LABEL DESCRIPTION Widget Setting Use this link to re-open closed widgets.
  • Page 211: System Name

    Chapter 9 Dashboard Table 22 Dashboard (continued) LABEL DESCRIPTION Name This field displays the name of each interface. Slot This field displays the name of each extension slot. Device This field displays the name of the device connected to the extension slot (or none if no device is detected).
  • Page 212 Chapter 9 Dashboard Table 22 Dashboard (continued) LABEL DESCRIPTION MAC Address Range This field displays the MAC addresses used by the ZyWALL. Each physical port has one MAC address. The first MAC address is assigned to physical port 1, the second MAC address is assigned to physical port 2, and so on. Firmware Version This field displays the version number and date of the firmware the...
  • Page 213 Chapter 9 Dashboard Table 22 Dashboard (continued) LABEL DESCRIPTION Status This field displays the current status of each interface. The possible values depend on what type of interface it is. For Ethernet interfaces: Inactive - The Ethernet interface is disabled. Down - The Ethernet interface is enabled but not connected.
  • Page 214: System Uptime

    Chapter 9 Dashboard Table 22 Dashboard (continued) LABEL DESCRIPTION Action Use this field to get or to update the IP address for the interface. Click Renew to send a new DHCP request to a DHCP server. Click the Connect icon to have the ZyWALL try to connect a PPPoE/PPTP interface or the auxiliary interface.
  • Page 215 Chapter 9 Dashboard Table 22 Dashboard (continued) LABEL DESCRIPTION Boot Status This field displays details about the ZyWALL’s startup state. OK - The ZyWALL started up successfully. Firmware update OK - A firmware update was successful. Problematic configuration after firmware update - The application of the configuration failed after a firmware upgrade.
  • Page 216: The Cpu Usage Screen

    Chapter 9 Dashboard Table 22 Dashboard (continued) LABEL DESCRIPTION Signature Name The signature name identifies a specific intrusion pattern. Type This column displays when you display the entries by Signature Name. It shows the categories of intrusions. See Table 156 on page 580 for more information.
  • Page 217: The Memory Usage Screen

    Chapter 9 Dashboard 9.2.2 The Memory Usage Screen Use this screen to look at a chart of the ZyWALL’s recent memory (RAM) usage. To access this screen, click Memory Usage in the dashboard. Figure 203 Dashboard > Memory Usage The following table describes the labels in this screen. Table 24 Dashboard >...
  • Page 218: The Session Usage Screen

    Chapter 9 Dashboard 9.2.3 The Session Usage Screen Use this screen to look at a chart of the ZyWALL’s recent traffic session usage. To access this screen, click Session Usage in the dashboard. Figure 204 Dashboard > Session Usage The following table describes the labels in this screen. Table 25 Dashboard >...
  • Page 219: The Vpn Status Screen

    Chapter 9 Dashboard 9.2.4 The VPN Status Screen Use this screen to look at the VPN tunnels that are currently established. To access this screen, click VPN Status in the dashboard. Figure 205 Dashboard > VPN Status The following table describes the labels in this screen. Table 26 Dashboard >...
  • Page 220: The Number Of Login Users Screen

    Chapter 9 Dashboard The following table describes the labels in this screen. Table 27 Dashboard > DHCP Table LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific entry. Interface This field identifies the interface that assigned an IP address to a DHCP client.
  • Page 221 Chapter 9 Dashboard The following table describes the labels in this screen. Table 28 Dashboard > Number of Login Users LABEL DESCRIPTION This field is a sequential value and is not associated with any entry. User ID This field displays the user name of each user who is currently logged in to the ZyWALL.
  • Page 223: Monitor

    Chapter 10 Monitor 10.1 Overview Use the Monitor screens to check status and statistics information. 10.1.1 What You Can Do in this Chapter Use the Monitor screens for the following. • Use the System Status > Port Statistics screen (see Section 10.2.1 on page 226) to look at packet statistics for each physical port.
  • Page 224: The Port Statistics Screen

    Chapter 10 Monitor • Use the VPN Monitor > SSL screen (see Section 10.13 on page 248) to list the users currently logged into the VPN SSL client portal. You can also log out individual users and delete related session information. •...
  • Page 225 Chapter 10 Monitor The following table describes the labels in this screen. Table 29 Monitor > System Status > Port Statistics LABEL DESCRIPTION Poll Interval Enter how often you want this window to be updated automatically, and click Set Interval. Set Interval Click this to set the Poll Interval the screen uses.
  • Page 226: The Port Statistics Graph Screen

    Chapter 10 Monitor 10.2.1 The Port Statistics Graph Screen Use this screen to look at a line graph of packet statistics for each physical port. To access this screen, click Port Statistics in the Status screen and then the Switch to Graphic View Button. Figure 209 Monitor >...
  • Page 227: Interface Status Screen

    Chapter 10 Monitor Table 30 Monitor > System Status > Port Statistics > Switch to Graphic View LABEL DESCRIPTION Last Update This field displays the date and time the information in the window was last updated. System Up Time This field displays how long the ZyWALL has been running since it last restarted or was turned on.
  • Page 228 Chapter 10 Monitor Table 31 Monitor > System Status > Interface Status (continued) LABEL DESCRIPTION Name This field displays the name of each interface. If there is an Expand icon (plus-sign) next to the name, click it to look at the status of virtual interfaces on top of this interface.
  • Page 229 Chapter 10 Monitor Table 31 Monitor > System Status > Interface Status (continued) LABEL DESCRIPTION IP Addr/Netmask This field displays the current IP address and subnet mask assigned to the interface. If the IP address and subnet mask are 0.0.0.0, the interface is disabled or did not receive an IP address and subnet mask via DHCP.
  • Page 230: The Traffic Statistics Screen

    Chapter 10 Monitor 10.4 The Traffic Statistics Screen Click Monitor > System Status > Traffic Statistics to display the Traffic Statistics screen. This screen provides basic information about the following for example: • Most-visited Web sites and the number of times each one was visited. This count may not be accurate in some cases because the ZyWALL counts HTTP GET packets.
  • Page 231 Chapter 10 Monitor There is a limit on the number of records shown in the report. Please see Table 33 on page 232 for more information. The following table describes the labels in this screen. Table 32 Monitor > System Status > Traffic Statistics LABEL DESCRIPTION Data Collection...
  • Page 232 Chapter 10 Monitor Table 32 Monitor > System Status > Traffic Statistics (continued) LABEL DESCRIPTION These fields are available when the Traffic Type is Service/Port. This field is the rank of each record. The protocols and service ports are sorted by the amount of traffic. Service/Port This field displays the service and port in this record.
  • Page 233: The Session Monitor Screen

    Chapter 10 Monitor 10.5 The Session Monitor Screen The Session Monitor screen displays information about active sessions for debugging or statistical analysis. It is not possible to manage sessions in this screen. The following information is displayed. • User who started the session •...
  • Page 234 Chapter 10 Monitor The following table describes the labels in this screen. Table 34 Monitor > System Status > Session Monitor LABEL DESCRIPTION View Select how you want the information to be displayed. Choices are: sessions by users - display all active sessions grouped by user sessions by services - display all active sessions grouped by service or protocol sessions by source IP - display all active sessions grouped by source...
  • Page 235: The Ddns Status Screen

    Chapter 10 Monitor Table 34 Monitor > System Status > Session Monitor (continued) LABEL DESCRIPTION Service This field displays the protocol used in each active session. If you are looking at the sessions by services report, click + or - to display or hide details about a protocol’s sessions.
  • Page 236: Ip/Mac Binding Monitor

    Chapter 10 Monitor Table 35 Monitor > System Status > DDNS Status (continued) LABEL DESCRIPTION Last Update Status This shows whether the last attempt to resolve the IP address for the domain name was successful or not. Updating means the ZyWALL is currently attempting to resolve the IP address for the domain name.
  • Page 237: The Login Users Screen

    Chapter 10 Monitor Table 36 Monitor > System Status > IP/MAC Binding (continued) LABEL DESCRIPTION Last Access This is when the device last established a session with the ZyWALL through this interface. Refresh Click this button to update the information in the screen. 10.8 The Login Users Screen Use this screen to look at a list of the users currently logged into the ZyWALL.
  • Page 238: Cellular Status Screen

    Chapter 10 Monitor 10.9 Cellular Status Screen This screen displays your 3G connection status. Click Monitor > System Status > Cellular Status to display this screen. Figure 216 Monitor > System Status > Cellular Status The following table describes the labels in this screen. Table 38 Monitor >...
  • Page 239 Chapter 10 Monitor Table 38 Monitor > System Status > Cellular Status (continued) LABEL DESCRIPTION Status No device - no 3G device is connected to the ZyWALL. Device detected - displays when you connect a 3G device. Device error - a 3G device is connected but there is an error. Probe device fail - the ZyWALL’s test of the 3G device failed.
  • Page 240: Usb Storage Screen

    Chapter 10 Monitor Table 38 Monitor > System Status > Cellular Status (continued) LABEL DESCRIPTION Signal Quality This displays the strength of the signal. The signal strength mainly depends on the antenna output power and the distance between your ZyWALL and the service provider’s base station. More Info.
  • Page 241: Application Patrol Statistics

    Chapter 10 Monitor Table 39 Monitor > System Status > USB Storage (continued) LABEL DESCRIPTION Status Ready - you can have the ZyWALL use the USB storage device. Click Remove Now to stop the ZyWALL from using the USB storage device so you can remove it.
  • Page 242: Application Patrol Statistics: Bandwidth Statistics

    Chapter 10 Monitor The following table describes the labels in this screen. Table 40 Monitor > AppPatrol Statistics: General Settings LABEL DESCRIPTION Refresh Interval Select how often you want the statistics display to update. Display Protocols Select the protocols for which to display statistics. Select All selects all of the protocols.
  • Page 243: Application Patrol Statistics: Protocol Statistics

    Chapter 10 Monitor 10.11.3 Application Patrol Statistics: Protocol Statistics The bottom of the Monitor > AppPatrol Statistics screen displays statistics for each of the selected protocols. Figure 220 Monitor > AppPatrol Statistics: Protocol Statistics The following table describes the labels in this screen. Table 41 Monitor >...
  • Page 244: Application Patrol Statistics: Individual Protocol Statistics By Rule

    Chapter 10 Monitor Table 41 Monitor > AppPatrol Statistics: Protocol Statistics (continued) LABEL DESCRIPTION Rule This is a protocol’s rule. Inbound Kbps This is the incoming bandwidth usage for traffic that matched this protocol rule, in kilobits per second. This is the protocol’s traffic that the ZyWALL sends to the initiator of the connection.
  • Page 245: The Ipsec Monitor Screen

    Chapter 10 Monitor The following table describes the labels in this screen. Table 42 Monitor > AppPatrol Statistics > Service LABEL DESCRIPTION Service Name This is the application. Rule Statistics This table displays the statistics for each of the service’s application patrol rules.
  • Page 246 Chapter 10 Monitor screen appears. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 222 Monitor > VPN Monitor > IPSec Each field is described in the following table. Table 43 Monitor >...
  • Page 247: Regular Expressions In Searching Ipsec Sas

    Chapter 10 Monitor Table 43 Monitor > VPN Monitor > IPSec (continued) LABEL DESCRIPTION Encapsulation This field displays how the IPSec SA is encapsulated. Policy This field displays the content of the local and remote policies for this IPSec SA. The IP addresses, not the address objects, are displayed. Algorithm This field displays the encryption and authentication algorithms used in the SA.
  • Page 248: The Ssl Connection Monitor Screen

    Chapter 10 Monitor 10.13 The SSL Connection Monitor Screen The ZyWALL keeps track of the users who are currently logged into the VPN SSL client portal. Click Monitor > VPN Monitor > SSL to display the user list. Use this screen to do the following: •...
  • Page 249: L2Tp Over Ipsec Session Monitor Screen

    Chapter 10 Monitor 10.14 L2TP over IPSec Session Monitor Screen Click Monitor > VPN Monitor > L2TP over IPSec to open the following screen. Use this screen to display and manage the ZyWALL’s connected L2TP VPN sessions. Figure 224 Monitor > VPN Monitor > L2TP over IPSec The following table describes the fields in this screen.
  • Page 250: The Anti-Virus Statistics Screen

    Chapter 10 Monitor 10.15 The Anti-Virus Statistics Screen Click Monitor > Anti-X Statistics > Anti-Virus to display the following screen. This screen displays anti-virus statistics. Figure 225 Monitor > Anti-X Statistics > Anti-Virus: Virus Name The following table describes the labels in this screen. Table 46 Monitor >...
  • Page 251 Chapter 10 Monitor Table 46 Monitor > Anti-X Statistics > Anti-Virus (continued) LABEL DESCRIPTION Top Entry By Use this field to have the following (read-only) table display the top anti- virus entries by Virus Name, Source IP or Destination IP. Select Virus Name to list the most common viruses that the ZyWALL has detected.
  • Page 252: The Idp Statistics Screen

    Chapter 10 Monitor 10.16 The IDP Statistics Screen Click Monitor > Anti-X Statistics > IDP to display the following screen. This screen displays IDP (Intrusion Detection and Prevention) statistics. Figure 228 Monitor > Anti-X Statistics > IDP: Signature Name The following table describes the labels in this screen. Table 47 Monitor >...
  • Page 253 Chapter 10 Monitor Table 47 Monitor > Anti-X Statistics > IDP (continued) LABEL DESCRIPTION Top Entry By Use this field to have the following (read-only) table display the top IDP entries by Signature Name, Source or Destination. Select Signature Name to list the most common signatures that the ZyWALL has detected.
  • Page 254: The Content Filter Statistics Screen

    Chapter 10 Monitor 10.17 The Content Filter Statistics Screen Click Monitor > Anti-X Statistics > Content Filter to display the following screen. This screen displays content filter statistics. Figure 231 Monitor > Anti-X Statistics > Content Filter The following table describes the labels in this screen. Table 48 Monitor >...
  • Page 255: Content Filter Cache Screen

    Chapter 10 Monitor Table 48 Monitor > Anti-X Statistics > Content Filter (continued) LABEL DESCRIPTION Web Pages Warned by Category This is the number of web pages that matched an external database content filtering category selected in the ZyWALL and for which the ZyWALL displayed a warning before allowing users access.
  • Page 256 Chapter 10 Monitor You can remove individual entries from the cache. When you do this, the ZyWALL queries the external content filtering database the next time someone tries to access that web site. This allows you to check whether a web site’s category has been changed.
  • Page 257 Chapter 10 Monitor Table 49 Anti-X > Content Filter > Cache (continued) LABEL DESCRIPTION Category This field shows whether access to the web site’s URL was blocked or allowed. Click the column heading to sort the entries. Point the triangle up to display the blocked URLs before the URLs to which access was allowed.
  • Page 258: The Anti-Spam Statistics Screen

    Chapter 10 Monitor 10.19 The Anti-Spam Statistics Screen Click Monitor > Anti-X Statistics > Anti-Spam to display the following screen. This screen displays spam statistics. Figure 233 Monitor > Anti-X Statistics > Anti-Spam The following table describes the labels in this screen. Table 50 Monitor >...
  • Page 259 Chapter 10 Monitor Table 50 Monitor > Anti-X Statistics > Anti-Spam (continued) LABEL DESCRIPTION Spam Mails This is the number of e-mails that the ZyWALL has determined to be spam. Spam Mails Detected by Black List This is the number of e-mails that matched an entry in the ZyWALL’s anti-spam black list.
  • Page 260: The Anti-Spam Status Screen

    Chapter 10 Monitor 10.20 The Anti-Spam Status Screen Click Monitor > Anti-X Statistics > Anti-Spam > Status to display the Anti- Spam Status screen. Use the Anti-Spam Status screen to see how many e-mail sessions the anti- spam feature is scanning and statistics for the DNSBLs. Figure 234 Monitor >...
  • Page 261: Log Screen

    Chapter 10 Monitor 10.21 Log Screen Log messages are stored in two separate logs, one for regular log messages and one for debugging messages. In the regular log, you can look at all the log messages by selecting All Logs, or you can select a specific category of log messages (for example, firewall or user).
  • Page 262 Chapter 10 Monitor The following table describes the labels in this screen. Table 52 Monitor > Log LABEL DESCRIPTION Show Filter / Click this button to show or hide the filter settings. Hide Filter If the filter settings are hidden, the Display, Email Log Now, Refresh, and Clear Log fields are available.
  • Page 263 Chapter 10 Monitor Table 52 Monitor > Log (continued) LABEL DESCRIPTION Priority This field displays the priority of the log message. It has the same range of values as the Priority field above. Category This field displays the log that generated the log message. It is the same value used in the Display and (other) Category fields.
  • Page 265: Registration

    This section introduces the topics covered in this chapter. myZyXEL.com myZyXEL.com is ZyXEL’s online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL. To update signature files or use a subscription service, you have to register the ZyWALL and activate the corresponding service at myZyXEL.com (through the ZyWALL).
  • Page 266: Ssl Vpn

    • After the trial expires, you need to purchase an iCard for the anti-virus engine you want to use and enter the PIN number (license key) in the Registration > Service screen. You must use the ZyXEL anti-virus iCard for the ZyXEL anti- virus engine and the Kaspersky anti-virus iCard for the Kaspersky anti-virus engine.
  • Page 267: The Registration Screen

    Chapter 11 Registration 11.2 The Registration Screen Use this screen to register your ZyWALL with myZyXEL.com and activate a service, such as content filtering. Click Configuration > Licensing > Registration in the navigation panel to open the screen as shown next. Figure 236 Configuration >...
  • Page 268: Content Filtering

    Service The ZyWALL’s anti-virus packet scanner uses the signature files on the ZyWALL to detect virus files. Select ZyXEL’s anti-virus engine or the Kaspersky anti-virus engine. During the trial you can use these fields to change from one anti-virus engine to the other.
  • Page 269: The Service Screen

    Chapter 11 Registration Note: If the ZyWALL is registered already, this screen is read-only and indicates whether trial services are activated (if any). You can still select the unchecked trial service(s) to activate it after registration. Use the Service screen to update your service subscription status.
  • Page 270 Chapter 11 Registration The following table describes the labels in this screen. Table 54 Configuration > Licensing > Registration > Service LABEL DESCRIPTION License Status This is the entry’s position in the list. Service This lists the services that are available on the ZyWALL. Status This field displays whether a service is activated (Licensed), not activated (Not Licensed) or expired (Expired).
  • Page 271: Signature Update

    Chapter 12 Signature Update 12.1 Overview This chapter shows you how to update the ZyWALL’s signature packages. 12.1.1 What You Can Do in this Chapter • Use the Configuration > Licensing > Update > Anti-virus screen (Section 12.2 on page 272) to update the anti-virus signatures.
  • Page 272: The Antivirus Update Screen

    Signature Information The following fields display information on the current signature set that the ZyWALL is using. Anti-Virus Engine Type This field displays whether the ZyWALL is set to use ZyXEL’s anti-virus engine or the one powered by Kaspersky. Upgrading the ZyWALL to firmware version 2.11 and updating the anti-virus signatures automatically upgrades the ZyXEL anti-virus engine to v2.0.
  • Page 273: The Idp/Apppatrol Update Screen

    Chapter 12 Signature Update LABEL DESCRIPTION Signature Update Use these fields to have the ZyWALL check for new signatures at myZyXEL.com. If new signatures are found, they are then downloaded to the ZyWALL. Update Now Click this button to have the ZyWALL check for new signatures immediately.
  • Page 274 Chapter 12 Signature Update signatures from myZyXEL.com (see the Registration screens). Use the Update IDP /AppPatrol screen to schedule or immediately download IDP signatures. Figure 240 Configuration > Licensing > Update > IDP/AppPatrol The following table describes the fields in this screen. Table 55 Configuration >...
  • Page 275: The System Protect Update Screen

    Chapter 12 Signature Update Table 55 Configuration > Licensing > Update > IDP/AppPatrol (continued) LABEL DESCRIPTION Daily Select this option to have the ZyWALL check for new IDP signatures every day at the specified time. The time format is the 24 hour clock, so ‘23’...
  • Page 276 Chapter 12 Signature Update The following table describes the fields in this screen. Table 56 Configuration > Licensing > Update > System Protect LABEL DESCRIPTION Signature Information The following fields display information on the current signature set that the ZyWALL is using. Current Version This field displays the system protect signature and anomaly rule set...
  • Page 277: Interfaces

    Chapter 13 Interfaces 13.1 Interface Overview Use the Interface screens to configure the ZyWALL’s interfaces. You can also create interfaces on top of other interfaces. • Ports are the physical ports to which you connect cables. •...
  • Page 278: What You Need To Know

    Chapter 13 Interfaces 13.1.2 What You Need to Know Interface Characteristics Interfaces generally have the following characteristics (although not all characteristics apply to each type of interface). • An interface is a logical entity through which (layer-3) packets pass. • An interface is bound to a physical port or another interface. •...
  • Page 279: Relationships Between Interfaces

    Chapter 13 Interfaces characteristics. These characteristics are listed in the following table and discussed in more detail below. Table 57 Ethernet, PPP, Cellular, VLAN, Bridge, and Virtual Interface Characteristics CHARACTERISTICS ETHERNET PPP CELLULAR VLAN BRIDGE VIRTUAL Name* pppx cellularx vlanx IP Address Assignment Static IP address DHCP client...
  • Page 280: Port Grouping

    Chapter 13 Interfaces Table 58 Relationships Between Different Types of Interfaces (continued) REQUIRED PORT / INTERFACE INTERFACE PPP interface Ethernet interface* VLAN interface* bridge interface virtual interface (virtual Ethernet Ethernet interface* interface) VLAN interface* (virtual VLAN interface) bridge interface (virtual bridge interface) trunk Ethernet interface...
  • Page 281: Port Grouping Overview

    Chapter 13 Interfaces 13.2.1 Port Grouping Overview Use port grouping to create port groups and to assign physical ports and port groups to Ethernet interfaces. Each physical port is assigned to one Ethernet interface. In port grouping, the Ethernet interfaces are called representative interfaces. If you assign more than one physical port to a representative interface, you create a port group.
  • Page 282: Ethernet Summary Screen

    Chapter 13 Interfaces Each section in this screen is described below. Table 59 Configuration > Network > Interface > Port Grouping Role LABEL DESCRIPTION Representative Interface (ge1, ge2, ge3, ...): These are Ethernet interfaces. To add a physical port to a representative interface, drag the physical port onto the corresponding representative interface.
  • Page 283 Chapter 13 Interfaces Figure 243 Configuration > Network > Interface > Ethernet Each field is described in the following table. Table 60 Configuration > Network > Interface > Ethernet LABEL DESCRIPTION Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
  • Page 284: Ethernet Edit

    Chapter 13 Interfaces 13.3.1 Ethernet Edit The Ethernet Edit screen lets you configure IP address assignment, interface parameters, RIP settings, OSPF settings, DHCP settings, connectivity check, and MAC address settings. To access this screen, click an Edit icon in the Ethernet Summary screen.
  • Page 285 Chapter 13 Interfaces Figure 244 Configuration > Network > Interface > Ethernet > Edit ZyWALL USG 1000 User’s Guide...
  • Page 286 Chapter 13 Interfaces This screen’s fields are described in the table below. Table 61 Configuration > Network > Interface > Ethernet > Edit LABEL DESCRIPTION Show Advance Settings / Hide: Click this button to display a greater or lesser number of configuration fields.
  • Page 287 Chapter 13 Interfaces Table 61 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Use Fixed IP Address: This option appears when Interface Properties is External or General. Select this if you want to specify the IP address, subnet mask, and gateway manually.
  • Page 288 Chapter 13 Interfaces Table 61 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Check Period Enter the number of seconds between connection check attempts. Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure.
  • Page 289 Chapter 13 Interfaces Table 61 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Pool Size Enter the number of IP addresses to allocate. This number must be at least one and is limited by the interface’s Subnet Mask. For example, if the Subnet Mask is 255.255.255.0 and IP Pool Start Address is 10.10.10.10, the ZyWALL can allocate 10.10.10.10 to 10.10.10.254, or 245 IP addresses.
  • Page 290 Chapter 13 Interfaces Table 61 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION IP Address Enter the IP address to assign to a device with this entry’s MAC address. MAC Address Enter the MAC address to which to assign this entry’s IP address. Description Enter a description to help identify this static DHCP entry.
  • Page 291: Object References

    Chapter 13 Interfaces Table 61 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Text Authentication: This field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to eight characters long.
  • Page 292: Ppp Interfaces

    Chapter 13 Interfaces Figure 245 Object References The following table describes labels that can appear in this screen. Table 62 Object References LABEL DESCRIPTION Object Name This identifies the object for which the configuration settings that use it are displayed. Click the object’s name to display the object’s configuration screen in the main window.
  • Page 293: Ppp Interface Summary

    Chapter 13 Interfaces Figure 246 Example: PPPoE/PPTP Interfaces PPPoE/PPTP interfaces are similar to other interfaces in some ways. They have an IP address, subnet mask, and gateway used to make routing decisions; they restrict bandwidth and packet size; and they can verify the gateway is available. There are two main differences between PPPoE/PPTP interfaces and other interfaces.
  • Page 294 Chapter 13 Interfaces Figure 247 Configuration > Network > Interface > PPP Each field is described in the table below. Table 63 Configuration > Network > Interface > PPP LABEL DESCRIPTION User Configuration / ...: The ZyWALL comes with the (non-removable) System Default PPP interfaces pre-configured.
  • Page 295: Ppp Interface Add Or Edit

    Chapter 13 Interfaces Table 63 Configuration > Network > Interface > PPP (continued) LABEL DESCRIPTION Name This field displays the name of the interface. Base Interface This field displays the interface on the top of which the PPPoE/PPTP interface is. Account Profile This field displays the ISP account used by this PPPoE/PPTP interface.
  • Page 296 Chapter 13 Interfaces Figure 248 Configuration > Network > Interface > PPP > Add Each field is explained in the following table. Table 64 Configuration > Network > Interface > PPP > Add LABEL DESCRIPTION Show Advance Settings / Hide: Click this button to display a greater or lesser number of configuration fields.
  • Page 297 Chapter 13 Interfaces Table 64 Configuration > Network > Interface > PPP > Add (continued) LABEL DESCRIPTION Enable Interface: Select this to enable this interface. Clear this to disable this interface. Interface Properties. Interface Name: Specify a name for the interface. It can use alphanumeric characters, hyphens, and underscores, and it can be up to 11 characters long.
  • Page 298 Chapter 13 Interfaces Table 64 Configuration > Network > Interface > PPP > Add (continued) LABEL DESCRIPTION Interface Parameters. Egress Bandwidth: Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network. Allowed values are 0 - 1048576.
  • Page 299: Cellular Configuration Screen (3G)

    Chapter 13 Interfaces Table 64 Configuration > Network > Interface > PPP > Add (continued) LABEL DESCRIPTION Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. 13.5 Cellular Configuration Screen (3G) 3G (Third Generation) is a digital, packet-switched wireless technology.
  • Page 300 Chapter 13 Interfaces If the signal strength of a 3G network is too low, the 3G card may switch to an available 2.5G or 2.75G network. See the following table for a comparison between 2G, 2.5G, 2.75G and 3G of wireless technologies. Table 65 2G, 2.5G, 2.75G, 3G and 3.5G Wireless Technologies MOBILE PHONE AND DATA STANDARDS DATA...
  • Page 301: Cellular Add/Edit Screen

    Chapter 13 Interfaces Figure 249 Configuration > Network > Interface > Cellular The following table describes the labels in this screen. Table 66 Configuration > Network > Interface > Cellular LABEL DESCRIPTION Click this to create a new cellular interface. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
  • Page 302 Chapter 13 Interfaces Figure 250 Configuration > Network > Interface > Cellular > Add ZyWALL USG 1000 User’s Guide...
  • Page 303 Chapter 13 Interfaces The following table describes the labels in this screen. Table 67 Configuration > Network > Interface > Cellular > Add LABEL DESCRIPTION Show Advance Settings / Hide: Click this button to display a greater or lesser number of configuration fields.
  • Page 304 Chapter 13 Interfaces Table 67 Configuration > Network > Interface > Cellular > Add (continued) LABEL DESCRIPTION Dial String Enter the dial string if your ISP provides a string, which would include the APN, to initialize the 3G card. You can enter up to 63 ASCII printable characters. Spaces are allowed.
  • Page 305 Chapter 13 Interfaces Table 67 Configuration > Network > Interface > Cellular > Add (continued) LABEL DESCRIPTION Egress Bandwidth: Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network. Allowed values are 0 - 1048576.
  • Page 306 Chapter 13 Interfaces Table 67 Configuration > Network > Interface > Cellular > Add (continued) LABEL DESCRIPTION Automatically: Select this option if your ISP did not assign you a fixed IP address. This is the default selection. Use Fixed IP: Select this option if the ISP assigned a fixed IP address.
  • Page 307 Chapter 13 Interfaces Table 67 Configuration > Network > Interface > Cellular > Add (continued) LABEL DESCRIPTION Data Budget: Select this and specify how much downstream and/or upstream data (in megabytes) can be transmitted via the 3G connection within one month.
  • Page 308: Vlan Interfaces

    Chapter 13 Interfaces Table 67 Configuration > Network > Interface > Cellular > Add (continued) LABEL DESCRIPTION Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. 13.6 VLAN Interfaces A Virtual Local Area Network (VLAN) divides a physical network into multiple logical networks.
  • Page 309 Chapter 13 Interfaces Each VLAN is a separate network with separate IP addresses, subnet masks, and gateways. Each VLAN also has a unique identification number (ID). The ID is a 12-bit value that is stored in the MAC header. The VLANs are connected to switches, and the switches are connected to the router.
  • Page 310: Vlan Summary Screen

    Chapter 13 Interfaces They restrict bandwidth and packet size. They can provide DHCP services, and they can verify the gateway is available. 13.6.1 VLAN Summary Screen This screen lists every VLAN interface and virtual interface created on top of VLAN interfaces.
  • Page 311: Vlan Add/Edit

    Chapter 13 Interfaces Table 68 Configuration > Network > Interface > VLAN (continued) LABEL DESCRIPTION IP Address This field displays the current IP address of the interface. If the IP address is 0.0.0.0, the interface does not have an IP address yet. This screen also shows whether the IP address is a static IP address (STATIC) or dynamically assigned (DHCP).
  • Page 312 Chapter 13 Interfaces Figure 254 Configuration > Network > Interface > VLAN > Edit ZyWALL USG 1000 User’s Guide...
  • Page 313 Chapter 13 Interfaces Each field is explained in the following table. Table 69 Configuration > Network > Interface > VLAN > Edit LABEL DESCRIPTION Show Advance Settings / Hide: Click this button to display a greater or lesser number of configuration fields.
  • Page 314 Chapter 13 Interfaces Table 69 Configuration > Network > Interface > VLAN > Edit (continued) LABEL DESCRIPTION Metric Enter the priority of the gateway (if any) on this interface. The ZyWALL decides which gateway to use based on this priority. The lower the number, the higher the priority.
  • Page 315 Chapter 13 Interfaces Table 69 Configuration > Network > Interface > VLAN > Edit (continued) LABEL DESCRIPTION DHCP Select what type of DHCP service the ZyWALL provides to the network. Choices are: None - the ZyWALL does not provide any DHCP services. There is already a DHCP server on the network.
  • Page 316 Chapter 13 Interfaces Table 69 Configuration > Network > Interface > VLAN > Edit (continued) LABEL DESCRIPTION Lease time: Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are: infinite - select this if IP addresses never expire; days, hours, and minutes - select this to enter how long IP...
  • Page 317 Chapter 13 Interfaces Table 69 Configuration > Network > Interface > VLAN > Edit (continued) LABEL DESCRIPTION OSPF Setting: See Section 16.3 on page 365 for more information about OSPF. Area: Select the area to which this interface belongs. Select None to disable OSPF on this interface.
  • Page 318: Bridge Interfaces

    Chapter 13 Interfaces 13.7 Bridge Interfaces This section introduces bridges and bridge interfaces and then explains the screens for bridge interfaces. Bridge Overview A bridge creates a connection between two or more network segments at the layer-2 (MAC address) level. In the following example, bridge X connects four network segments.
  • Page 319 Chapter 13 Interfaces If computer B responds to computer A, bridge X records the source address 0B:0B:0B:0B:0B:0B and port 4 in the table. It also looks up 0A:0A:0A:0A:0A:0A in the table and sends the packet to port 2 accordingly. Table 71 Example: Bridge Table After Computer B Responds to Computer A MAC ADDRESS PORT 0A:0A:0A:0A:0A:0A...
  • Page 320: Bridge Summary

    Chapter 13 Interfaces 13.7.1 Bridge Summary This screen lists every bridge interface and virtual interface created on top of bridge interfaces. To access this screen, click Configuration > Network > Interface > Bridge. Figure 255 Configuration > Network > Interface > Bridge Each field is described in the following table.
  • Page 321: Bridge Add/Edit

    Chapter 13 Interfaces 13.7.2 Bridge Add/Edit This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each bridge interface. To access this screen, click the Add icon at the top of the Add column in the Bridge Summary screen, or click an Edit icon in the Bridge Summary screen.
  • Page 322 Chapter 13 Interfaces Figure 256 Configuration > Network > Interface > Bridge > Add ZyWALL USG 1000 User’s Guide...
  • Page 323 Chapter 13 Interfaces Each field is described in the table below. Table 74 Configuration > Network > Interface > Bridge > Edit LABEL DESCRIPTION Show Advance Settings / Hide: Click this button to display a greater or lesser number of configuration fields.
  • Page 324 Chapter 13 Interfaces Table 74 Configuration > Network > Interface > Bridge > Edit (continued) LABEL DESCRIPTION Gateway This field is enabled if you select Use Fixed IP Address. Enter the IP address of the gateway. The ZyWALL sends packets to the gateway when it does not know how to route the packet to its destination.
  • Page 325 Chapter 13 Interfaces Table 74 Configuration > Network > Interface > Bridge > Edit (continued) LABEL DESCRIPTION IP Pool Start Address: Enter the IP address from which the ZyWALL begins allocating IP addresses. If you want to assign a static IP address to a specific computer, click Add Static DHCP.
  • Page 326 Chapter 13 Interfaces Table 74 Configuration > Network > Interface > Bridge > Edit (continued) LABEL DESCRIPTION Click this to create a new entry. Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. This field is a sequential value, and it is not associated with a specific entry.
  • Page 327: Auxiliary Interface

    Chapter 13 Interfaces 13.8 Auxiliary Interface This section introduces the auxiliary interface and then explains the screen for it. 13.8.1 Auxiliary Interface Overview Use the auxiliary interface to dial out from the ZyWALL’s auxiliary port. For example, you might use this interface as a backup WAN interface. You have to connect an external modem to the ZyWALL’s auxiliary port to use the auxiliary interface.
  • Page 328 Chapter 13 Interfaces Figure 257 Configuration > Network > Interface > Auxiliary Each field is described in the table below. Table 75 Configuration > Network > Interface > Auxiliary LABEL DESCRIPTION General Settings. Enable Interface: Select this to turn on the auxiliary dial-up interface. The interface does not dial out, however, unless it is part of a trunk and load-balancing conditions are satisfied.
  • Page 329: Virtual Interfaces

    Chapter 13 Interfaces Table 75 Configuration > Network > Interface > Auxiliary (continued) LABEL DESCRIPTION Phone Number Enter the phone number to dial here. You can use 1-20 numbers, commas (,), or plus signs (+). Use a comma to pause during dialing. Use a plus sign to tell the external modem to make an international call.
  • Page 330: Virtual Interfaces Add/Edit

    Chapter 13 Interfaces cannot change the MTU. The virtual interface uses the same MTU that the underlying interface uses. Unlike other interfaces, virtual interfaces do not provide DHCP services, and they do not verify that the gateway is available. 13.9.1 Virtual Interfaces Add/Edit This screen lets you configure IP address assignment and interface parameters for virtual interfaces.
  • Page 331: Interface Technical Reference

    Chapter 13 Interfaces Table 76 Configuration > Network > Interface > Add (continued) LABEL DESCRIPTION Metric Enter the priority of the gateway (if any) on this interface. The ZyWALL decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the ZyWALL uses the one that was configured first.
  • Page 332 Chapter 13 Interfaces For example, if the ZyWALL gets a packet with a destination address of 100.100.25.25, it routes the packet to interface ge1. If the ZyWALL gets a packet with a destination address of 200.200.200.200, it routes the packet to interface ge2.
  • Page 333 Chapter 13 Interfaces • Egress bandwidth sets the amount of traffic the ZyWALL sends out through the interface to the network. • Ingress bandwidth sets the amount of traffic the ZyWALL allows in through the interface from the network. If you set the bandwidth restrictions very high, you effectively remove the restrictions.
  • Page 334 Chapter 13 Interfaces • IP address - If the DHCP client’s MAC address is in the ZyWALL’s static DHCP table, the interface assigns the corresponding IP address. If not, the interface assigns IP addresses from a pool, defined by the starting address of the pool and the pool size.
  • Page 335 Chapter 13 Interfaces PPPoE/PPTP Overview Point-to-Point Protocol over Ethernet (PPPoE, RFC 2516) and Point-to-Point Tunneling Protocol (PPTP, RFC 2637) are usually used to connect two computers over phone lines or broadband connections. PPPoE is often used with cable modems and DSL connections. It provides the following advantages: •...
  • Page 337: Trunks

    CHAPTER 14 Trunks 14.1 Overview Use trunks for WAN traffic load balancing to increase overall network throughput and reliability. Load balancing divides traffic loads between multiple interfaces. This allows you to improve quality of service and maximize bandwidth utilization for multiple ISP links.
  • Page 338: What You Need To Know

    Chapter 14 Trunks 14.1.2 What You Need to Know • Add WAN interfaces to trunks to have multiple connections share the traffic load. • If one WAN interface’s connection goes down, the ZyWALL sends traffic through another member of the trunk. •...
  • Page 339 Chapter 14 Trunks The ZyWALL is using active/active load balancing. So when LAN user A tries to access something on the server, the request goes out through ge3. The server finds that the request comes from ge3’s IP address instead of ge2’s IP address and rejects the request.
  • Page 340 Chapter 14 Trunks Since WAN 2 has a smaller load balancing index (meaning that it is less utilized than WAN 1), the ZyWALL will send the subsequent new session traffic through WAN 2. Table 80 Least Load First Example OUTBOUND LOAD BALANCING INDEX INTERFACE (M/A)
  • Page 341 Chapter 14 Trunks interface. This fully utilizes the bandwidth of the first interface to reduce Internet usage fees and avoid overloading the interface. In this example figure, the upper threshold of the first interface is set to 800K. The ZyWALL sends network traffic of new sessions that exceed this limit to the secondary WAN interface.
  • Page 342: The Trunk Summary Screen

    Chapter 14 Trunks 14.2 The Trunk Summary Screen Click Configuration > Network > Interface > Trunk to open the Trunk screen. This screen lists the configured trunks and the load balancing algorithm that each is configured to use. Figure 264 Configuration > Network > Interface > Trunk The following table describes the items in this screen.
  • Page 343: Configuring A Trunk

    Chapter 14 Trunks Table 81 Configuration > Network > Interface > Trunk (continued) LABEL DESCRIPTION Enable Default SNAT: Select this to have the ZyWALL use the IP address of the outgoing interface as the source IP address of the packets it sends out through its WAN trunks.
  • Page 344 Chapter 14 Trunks Each field is described in the table below. Table 82 Configuration > Network > Interface > Trunk > Add (or Edit) LABEL DESCRIPTION Name This is read-only if you are editing an existing trunk. When adding a new trunk, enter a descriptive name for this trunk.
  • Page 345: Trunk Technical Reference

    Chapter 14 Trunks Table 82 Configuration > Network > Interface > Trunk > Add (or Edit) (continued) LABEL DESCRIPTION Weight This field displays with the weighted round robin load balancing algorithm. Specify the weight (1~10) for the interface. The weights of the different member interfaces form a ratio.
  • Page 347: Policy And Static Routes

    CHAPTER 15 Policy and Static Routes 15.1 Policy and Static Routes Overview Use policy routes and static routes to override the ZyWALL’s default routing behavior in order to send packets through the appropriate interface or VPN tunnel. For example, the next figure shows a computer (A) connected to the ZyWALL’s LAN interface.
  • Page 348: What You Need To Know

    Chapter 15 Policy and Static Routes • Use the Static Route screens (see Section 15.3 on page 357) to list and configure static routes. 15.1.2 What You Need to Know Policy Routing Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet.
  • Page 349 Chapter 15 Policy and Static Routes Policy Routes Versus Static Routes • Policy routes are more flexible than static routes. You can select more criteria for the traffic to match and can also use schedules, NAT, and bandwidth management. • Policy routes are only used within the ZyWALL itself. Static routes can be propagated to other routers using RIP or OSPF.
  • Page 350: Policy Route Screen

    Chapter 15 Policy and Static Routes Finding Out More • See Section 6.5.6 on page 103 for related information on the policy route screens. • See Section 7.13 on page 161 for an example of creating a policy route for using multiple static public WAN IP addresses for LAN to WAN traffic.
  • Page 351 Chapter 15 Policy and Static Routes The following table describes the labels in this screen. Table 83 Configuration > Network > Routing > Policy Route LABEL DESCRIPTION Show Advance Settings / ...: Click this button to display a greater or lesser number of configuration fields.
  • Page 352 Chapter 15 Policy and Static Routes Table 83 Configuration > Network > Routing > Policy Route (continued) LABEL DESCRIPTION DSCP Code This is the DSCP value of incoming packets to which this policy route applies. any means all DSCP values or no DSCP marker. default means traffic with a DSCP value of 0.
  • Page 353: Policy Route Edit Screen

    Chapter 15 Policy and Static Routes 15.2.1 Policy Route Edit Screen Click Configuration > Network > Routing to open the Policy Route screen. Then click the Add or Edit icon to open the Policy Route Edit screen. Use this screen to configure or edit a policy route. Figure 268 Configuration >...
  • Page 354 Chapter 15 Policy and Static Routes Table 84 Configuration > Network > Routing > Policy Route > Edit (continued) LABEL DESCRIPTION Incoming Select where the packets are coming from; any, an interface, a tunnel, an SSL VPN, or the ZyWALL itself. For an interface, a tunnel, or an SSL VPN, you also need to select the individual interface, VPN tunnel, or SSL VPN connection.
  • Page 355 Chapter 15 Policy and Static Routes Table 84 Configuration > Network > Routing > Policy Route > Edit (continued) LABEL DESCRIPTION VPN Tunnel This field displays when you select VPN Tunnel in the Type field. Select a VPN tunnel through which the packets are sent to the remote network that is connected to the ZyWALL directly.
  • Page 356 Chapter 15 Policy and Static Routes Table 84 Configuration > Network > Routing > Policy Route > Edit (continued) LABEL DESCRIPTION Source Network Address Translation: Select none to not use NAT for the route. Select outgoing-interface to use the IP address of the outgoing interface as the source IP address of the packets that match this...
  • Page 357: Ip Static Route Screen

    Chapter 15 Policy and Static Routes Table 84 Configuration > Network > Routing > Policy Route > Edit (continued) LABEL DESCRIPTION Maximum Bandwidth: Specify the maximum bandwidth (from 1 to 1048576) allowed for the route in kbps. If you enter 0 here, there is no bandwidth limitation for the route.
  • Page 358: Static Route Add/Edit Screen

    Chapter 15 Policy and Static Routes The following table describes the labels in this screen. Table 85 Configuration > Network > Routing > Static Route LABEL DESCRIPTION Click this to create a new static route. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
  • Page 359: Policy Routing Technical Reference

    Chapter 15 Policy and Static Routes Table 86 Configuration > Network > Routing > Static Route > Add (continued) LABEL DESCRIPTION Gateway IP Select the radio button and enter the IP address of the next-hop gateway. The gateway is a router or switch on the same segment as your ZyWALL's interface(s).
  • Page 360: Port Triggering

    Chapter 15 Policy and Static Routes following twelve DSCP encodings from AF11 through AF43. The decimal equivalent is listed in brackets. Table 87 Assured Forwarding (AF) Behavior Group: Class 1 / Class 2 / Class 3 / Class 4. Low Drop Precedence: AF11 (10), AF21 (18), AF31 (26), AF41 (34). Medium Drop Precedence...
  • Page 361: Maximize Bandwidth Usage

    Chapter 15 Policy and Static Routes Computer A and game server 1 are connected to each other until the connection is closed or times out. Any other computers (such as B or C) cannot connect to remote server 1 using the same port triggering rule as computer A unless they are using a different next hop (gateway, outgoing interface, VPN tunnel or trunk) from computer A or until the connection is closed or times out.
  • Page 363: Routing Protocols

    CHAPTER 16 Routing Protocols 16.1 Routing Protocols Overview Routing protocols give the ZyWALL routing information about the network from other routers. The ZyWALL stores this routing information in the routing table it uses to make routing decisions. In turn, the ZyWALL can also use routing protocols to propagate routing information to other routers.
  • Page 364: The Rip Screen

    Chapter 16 Routing Protocols 16.2 The RIP Screen RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a device to exchange routing information with other routers. RIP is a vector-space routing protocol, and, like most such protocols, it uses hop count to decide which route is the shortest.
  • Page 365: The Ospf Screen

    Chapter 16 Routing Protocols The following table describes the labels in this screen. Table 89 Configuration > Network > Routing Protocol > RIP LABEL DESCRIPTION Authentication. Authentication: Select the authentication method used in the RIP network. This authentication protects the integrity, but not the confidentiality, of routing updates.
  • Page 366 Chapter 16 Routing Protocols System (AS). OSPF offers some advantages over vector-space routing protocols like RIP. • OSPF supports variable-length subnet masks, which can be set up to use available IP addresses more efficiently. • OSPF filters and summarizes routing information, which reduces the size of routing tables throughout the network.
  • Page 367 Chapter 16 Routing Protocols Each type of area is illustrated in the following figure. Figure 273 OSPF: Types of Areas This OSPF AS consists of four areas, areas 0-3. Area 0 is always the backbone. In this example, areas 1, 2, and 3 are all connected to it. Area 1 is a normal area. It has routing information about the OSPF AS and networks X and Y.
  • Page 368 Chapter 16 Routing Protocols • An Autonomous System Boundary Router (ASBR) exchanges routing information with routers in networks outside the OSPF AS. This is called redistribution in OSPF. Table 90 OSPF: Redistribution from Other Sources to Each Type of Area SOURCE \ TYPE OF AREA NORMAL NSSA STUB...
  • Page 369: Configuring The Ospf Screen

    Chapter 16 Routing Protocols to logically connect the area to the backbone. This is illustrated in the following example. Figure 275 OSPF: Virtual Link In this example, area 100 does not have a direct connection to the backbone. As a result, you should set up a virtual link on both ABRs in area 10.
  • Page 370 Chapter 16 Routing Protocols Click Configuration > Network > Routing > OSPF to open the following screen. Figure 276 Configuration > Network > Routing > OSPF The following table describes the labels in this screen. See Section 16.3.2 on page for more information as well.
  • Page 371 Chapter 16 Routing Protocols Table 91 Configuration > Network > Routing Protocol > OSPF (continued) LABEL DESCRIPTION Type Select how OSPF calculates the cost associated with routing information from static routes. Choices are: Type 1 and Type 2. Type 1 - cost = OSPF AS cost + external cost (Metric) Type 2 - cost = external cost (Metric);...
  • Page 372: Ospf Area Add/Edit Screen

    Chapter 16 Routing Protocols 16.3.2 OSPF Area Add/Edit Screen The OSPF Area Add/Edit screen allows you to create a new area or edit an existing one. To access this screen, go to the OSPF summary screen (see Section 16.3 on page 365), and click either the Add icon or an Edit icon.
  • Page 373: Virtual Link Add/Edit Screen

    Chapter 16 Routing Protocols Table 92 Configuration > Network > Routing > OSPF > Add (continued) LABEL DESCRIPTION Text Authentication: This field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to 8 characters long.
  • Page 374: Routing Protocol Technical Reference

    Chapter 16 Routing Protocols 372) has the Type set to Normal, a Virtual Link table displays. Click either the Add icon or an entry and the Edit icon to display a screen like the following. Figure 278 Configuration > Network > Routing > OSPF > Add > Add The following table describes the labels in this screen.
  • Page 375 Chapter 16 Routing Protocols Authentication Types Authentication is used to guarantee the integrity, but not the confidentiality, of routing updates. The transmitting router uses its key to encrypt the original message into a smaller message, and the smaller message is transmitted with the original message.
  • Page 377: Zones

    CHAPTER 17 Zones 17.1 Zones Overview Set up zones to configure network security and network policies in the ZyWALL. A zone is a group of interfaces and/or VPN tunnels. The ZyWALL uses zones instead of interfaces in many security and policy settings, such as firewall rules, Anti-X, and remote management.
  • Page 378: What You Need To Know

    Chapter 17 Zones 17.1.2 What You Need to Know Effects of Zones on Different Types of Traffic Zones effectively divide traffic into three types: intra-zone traffic, inter-zone traffic, and extra-zone traffic, which are affected differently by zone-based security and policy settings. Intra-zone Traffic •...
  • Page 379: The Zone Screen

    Chapter 17 Zones 17.2 The Zone Screen The Zone screen provides a summary of all zones. In addition, this screen allows you to add, edit, and remove zones. To access this screen, click Configuration > Network > Zone. Figure 280 Configuration > Network > Zone The following table describes the labels in this screen.
  • Page 380: Zone Edit

    Chapter 17 Zones 17.3 Zone Edit The Zone Edit screen allows you to add or edit a zone. To access this screen, go to the Zone screen (see Section 17.2 on page 379), and click the Add icon or an Edit icon.
  • Page 381: Ddns

    CHAPTER DDNS 18.1 DDNS Overview Dynamic DNS (DDNS) services let you use a domain name with a dynamic IP address. 18.1.1 What You Can Do in this Chapter • Use the DDNS screen (see Section 18.2 on page 382) to view a list of the configured DDNS domain names and their details.
  • Page 382: The Ddns Screen

    Chapter 18 DDNS Note: Record your DDNS account’s user name, password, and domain name to use to configure the ZyWALL. After you configure the ZyWALL, it automatically sends updated IP addresses to the DDNS service provider, which helps redirect traffic accordingly. Finding Out More See Section 6.5.9 on page 105 for related information on these screens.
  • Page 383 Chapter 18 DDNS Table 97 Configuration > Network > DDNS (continued) LABEL DESCRIPTION Primary Interface/IP This field displays the interface to use for updating the IP address mapped to the domain name followed by how the ZyWALL determines the IP address for the domain name. from interface - The IP address comes from the specified interface.
  • Page 384: The Dynamic Dns Add/Edit Screen

    Chapter 18 DDNS 18.2.1 The Dynamic DNS Add/Edit Screen The DDNS Add/Edit screen allows you to add a domain name to the ZyWALL or to edit the configuration of an existing domain name. Click Configuration > Network > DDNS and then an Add or Edit icon to open this screen. Figure 283 Configuration >...
  • Page 385 Chapter 18 DDNS Table 98 Configuration > Network > DDNS > Add (continued) LABEL DESCRIPTION Username Type the user name used when you registered your domain name. You can use up to 31 alphanumeric characters and the underscore. Spaces are not allowed. For a Dynu DDNS entry, this user name is the one you use for logging into the service, not the name recorded in your personal information in the Dynu website.
  • Page 386 Chapter 18 DDNS Table 98 Configuration > Network > DDNS > Add (continued) LABEL DESCRIPTION IP Address The options available in this field vary by DDNS provider. Interface -The ZyWALL uses the IP address of the specified interface. This option appears when you select a specific interface in the Backup Binding Address Interface field.
  • Page 387: Nat

    CHAPTER 19.1 NAT Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network is changed to a different IP address known within another network.
  • Page 388: What You Need To Know

    Chapter 19 NAT 19.1.2 What You Need to Know NAT is also known as virtual server, port forwarding, or port translation. Finding Out More • See Section 6.5.10 on page 105 for related information on these screens. • See Section 19.3 on page 393 for technical background information related to these screens.
  • Page 389 Chapter 19 NAT Table 99 Configuration > Network > NAT (continued) LABEL DESCRIPTION Remove To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate.
  • Page 390: The Nat Add/Edit Screen

    Chapter 19 NAT 19.2.1 The NAT Add/Edit Screen The NAT Add/Edit screen lets you create new NAT rules and edit existing ones. To open this window, open the NAT summary screen. (See Section 19.2 on page 388.) Then, click on an Add icon or Edit icon to open the following screen. Figure 286 Configuration >...
  • Page 391 Chapter 19 NAT Table 100 Configuration > Network > NAT > Add (continued) LABEL DESCRIPTION Classification Select what kind of NAT this rule is to perform. Virtual Server - This makes computers on a private network behind the ZyWALL available to a public network outside the ZyWALL (like the Internet).
  • Page 392 Chapter 19 NAT Table 100 Configuration > Network > NAT > Add (continued) LABEL DESCRIPTION Mapped IP Subnet/Range This field displays for Many 1:1 NAT. Select to which translated destination IP address subnet or IP address range this NAT rule forwards packets.
  • Page 393: Nat Technical Reference

    Chapter 19 NAT Table 100 Configuration > Network > NAT > Add (continued) LABEL DESCRIPTION Firewall By default the firewall blocks incoming connections from external addresses. After you configure your NAT rule settings, click the Firewall link to configure a firewall rule to allow the NAT rule’s traffic to come in. The ZyWALL checks NAT rules before it applies To-ZyWALL firewall rules, so To-ZyWALL firewall rules do not apply to traffic that is forwarded by NAT rules.
  • Page 394 Chapter 19 NAT For example, a LAN user’s computer at IP address 192.168.1.89 queries a public DNS server to resolve the SMTP server’s domain name (xxx.LAN-SMTP.com in this example) and gets the SMTP server’s mapped public IP address of 1.1.1.1. Figure 287 LAN Computer Queries a Public DNS Server xxx.LAN-SMTP.com = 1.1.1.1 xxx.LAN-SMTP.com = ?
  • Page 395 Chapter 19 NAT SMTP server replied directly to the LAN user without the traffic going through NAT, the source would not match the original destination address which would cause the LAN user’s computer to shut down the session. Figure 289 LAN to LAN Return Traffic Source 192.168.1.21 Source 1.1.1.1 SMTP...
  • Page 397: Http Redirect

    CHAPTER HTTP Redirect 20.1 Overview HTTP redirect forwards the client’s HTTP request (except HTTP traffic destined for the ZyWALL) to a web proxy server. In the following example, proxy server A is connected to the DMZ interface. When a client connected to the LAN zone wants to open a web page, its HTTP request is redirected to proxy server A first.
  • Page 398: What You Need To Know

    Chapter 20 HTTP Redirect 20.1.2 What You Need to Know Web Proxy Server A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services. A proxy server can act as a firewall or an ALG (application layer gateway) between the private network and the Internet or other networks.
  • Page 399: The Http Redirect Screen

    Chapter 20 HTTP Redirect • an application patrol rule to allow HTTP traffic between ge4 and ge2. • a policy route to forward HTTP traffic from proxy server A to the Internet. Finding Out More See Section 6.5.11 on page 106 for related information on these screens.
  • Page 400: The Http Redirect Edit Screen

    Chapter 20 HTTP Redirect Table 101 Configuration > Network > HTTP Redirect (continued) LABEL DESCRIPTION Port This is the service port number used by the proxy server. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. 20.2.1 The HTTP Redirect Edit Screen Click Network >...
  • Page 403: Alg

    CHAPTER 21.1 ALG Overview Application Layer Gateway (ALG) allows the following applications to operate properly through the ZyWALL’s NAT. • SIP - Session Initiation Protocol (SIP) - An application-layer protocol that can be used to create voice and multimedia sessions over Internet. •...
  • Page 404: What You Need To Know

    Chapter 21 ALG 21.1.2 What You Need to Know Application Layer Gateway (ALG), NAT and Firewall The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain NAT un-friendly applications (such as SIP) to operate properly through the ZyWALL’s NAT and firewall.
  • Page 405 Chapter 21 ALG • There should be only one SIP server (total) on the ZyWALL’s private networks. Any other SIP servers must be on the WAN. So for example you could have a Back-to-Back User Agent such as the IPPBX x6004 or an Asterisk PBX on the DMZ or on the LAN but not on both.
  • Page 406 Chapter 21 ALG can receive incoming calls from the Internet, LAN IP addresses B and C can still make calls out to the Internet. Figure 295 VoIP Calls from the WAN with Multiple Outgoing Calls VoIP with Multiple WAN IP Addresses With multiple WAN IP addresses on the ZyWALL, you can configure different firewall and NAT (port forwarding) rules to allow incoming calls from each WAN IP address to go to a specific IP address on the LAN (or DMZ).
  • Page 407: Before You Begin

    Chapter 21 ALG • See Section 21.3 on page 409 for ALG background/technical information. 21.1.3 Before You Begin You must also configure the firewall and enable NAT in the ZyWALL to allow sessions initiated from the WAN. 21.2 The ALG Screen Click Configuration >...
  • Page 408 Chapter 21 ALG The following table describes the labels in this screen. Table 103 Configuration > Network > ALG LABEL DESCRIPTION Enable SIP ALG Turn on the SIP ALG to detect SIP traffic and help build SIP sessions through the ZyWALL’s NAT. Enabling the SIP ALG also allows you to use the application patrol to detect SIP traffic and manage the SIP traffic’s bandwidth (see Chapter 32 on page...
  • Page 409: Alg Technical Reference

    Chapter 21 ALG Table 103 Configuration > Network > ALG (continued) LABEL DESCRIPTION Enable FTP ALG Turn on the FTP ALG to detect FTP (File Transfer Program) traffic and help build FTP sessions through the ZyWALL’s NAT. Enabling the FTP ALG also allows you to use the application patrol to detect FTP traffic and manage the FTP traffic’s bandwidth (see Chapter 32 on page...
  • Page 410 Chapter 21 ALG connections to the second (passive) interface when the active interface’s connection goes down. When the active interface’s connection fails, the client needs to re-initialize the connection through the second interface (that was set to passive) in order to have the connection go through the second interface. VoIP clients usually re-register automatically at set intervals or the users can manually force them to re-register.
  • Page 411: Ip/Mac Binding

    CHAPTER IP/MAC Binding 22.1 IP/MAC Binding Overview IP address to MAC address binding helps ensure that only the intended devices get to use privileged IP addresses. The ZyWALL uses DHCP to assign IP addresses and records the MAC address to which it assigned each IP address.
  • Page 412: What You Need To Know

    Chapter 22 IP/MAC Binding 22.1.2 What You Need to Know DHCP IP/MAC address bindings are based on the ZyWALL’s dynamic and static DHCP entries. Interfaces Used With IP/MAC Binding IP/MAC address bindings are grouped by interface. You can use IP/MAC binding with Ethernet, bridge, and VLAN interfaces.
  • Page 413: Ip/Mac Binding Edit

    Chapter 22 IP/MAC Binding Table 104 Configuration > Network > IP/MAC Binding > Summary (continued) LABEL DESCRIPTION Status This icon is lit when the entry is active and dimmed when the entry is inactive. Interface This is the name of an interface that supports IP/MAC binding. Number of IP Binding This field displays the interface’s total number of IP/MAC bindings and...
  • Page 414: Static Dhcp Edit

    Chapter 22 IP/MAC Binding Table 105 Configuration > Network > IP/MAC Binding > Edit (continued) LABEL DESCRIPTION Enable Logs for IP/ Select this option to have the ZyWALL generate a log if a device connected to this interface attempts to use an IP address not assigned by the ZyWALL.
  • Page 415: Ip/Mac Binding Exempt List

    Chapter 22 IP/MAC Binding The following table describes the labels in this screen. Table 106 Configuration > Network > IP/MAC Binding > Edit > Add LABEL DESCRIPTION Interface Name This field displays the name of the interface within the ZyWALL and the interface’s IP address and subnet mask.
  • Page 416 Chapter 22 IP/MAC Binding Table 107 Configuration > Network > IP/MAC Binding > Exempt List (continued) LABEL DESCRIPTION End IP Enter the last IP address in a range of IP addresses for which the ZyWALL does not apply IP/MAC binding. Add icon Click the Add icon to add a new entry.
  • Page 417: Authentication Policy

    CHAPTER Authentication Policy 23.1 Overview Use authentication policies to control who can access the network. You can authenticate users (require them to log in) and even perform Endpoint Security (EPS) checking to make sure users’ computers comply with defined corporate policies before they can access the network.
  • Page 418: What You Need To Know

    Chapter 23 Authentication Policy 23.1.2 What You Need to Know Authentication Policy and VPN Authentication policies are applied based on a traffic flow’s source and destination IP addresses. If VPN traffic matches an authentication policy’s source and destination IP addresses, the user must pass authentication. Multiple Endpoint Security Objects You can set an authentication policy to use multiple endpoint security objects.
  • Page 419 Chapter 23 Authentication Policy Click Configuration > Auth. Policy to display the screen. Figure 304 Configuration > Auth. Policy The following table gives an overview of the objects you can configure. Table 108 Configuration > Auth. Policy LABEL DESCRIPTION Enable Select this to turn on the authentication policy feature.
  • Page 420: Adding Exceptional Services

    Chapter 23 Authentication Policy Table 108 Configuration > Auth. Policy (continued) LABEL DESCRIPTION Status This icon is lit when the entry is active and dimmed when the entry is inactive. Priority This is the position of the authentication policy in the list. The priority is important as the policies are applied in order of priority.
  • Page 421: Creating/Editing An Authentication Policy

    Chapter 23 Authentication Policy member services are on the right. Select any service that you want to remove from the member list, and click the left arrow button to remove them. Figure 305 Configuration > Auth. Policy > Add Exceptional Service 23.2.2 Creating/Editing an Authentication Policy Click Configuration >...
  • Page 422 Chapter 23 Authentication Policy Figure 306 Configuration > Auth. Policy > Add The following table gives an overview of the objects you can configure. Table 109 Configuration > Auth. Policy > Add LABEL DESCRIPTION Create new Use to configure any new settings objects that you need to use in this Object screen.
  • Page 423 Chapter 23 Authentication Policy Table 109 Configuration > Auth. Policy > Add (continued) LABEL DESCRIPTION Schedule Select a schedule that defines when the policy applies. Otherwise, select none and the rule is always effective. This is none and not configurable for the default policy.
  • Page 425: Firewall

    CHAPTER Firewall 24.1 Overview Use the firewall to block or allow services that use static port numbers. Use application patrol (see Chapter 32 on page 527) to control services using flexible/ dynamic port numbers. The firewall can also limit the number of user sessions. This figure shows the ZyWALL’s default firewall rules in action and demonstrates how stateful inspection works.
  • Page 426: What You Need To Know

    Chapter 24 Firewall 24.1.2 What You Need to Know Stateful Inspection The ZyWALL has a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It also inspects sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.
  • Page 427 Chapter 24 Firewall • The ZyWALL drops most packets from the DMZ zone to the ZyWALL itself, except for DNS and NetBIOS traffic, and generates a log. When you configure a firewall rule for packets destined for the ZyWALL itself, make sure it does not conflict with your service control rule.
  • Page 428: Firewall Rule Example Applications

    Chapter 24 Firewall traffic blocking to allow or block VPN traffic transmitting between the VPN tunnel and other interfaces in the LAN zone. If you add the VPN tunnel to a new zone (the VPN zone for example), you can configure rules for VPN traffic between the VPN zone and other zones or From VPN To-ZyWALL rules for VPN traffic destined for the ZyWALL.
  • Page 429 Chapter 24 Firewall the firewall rule to always be in effect. The following figure shows the results of this rule. Figure 308 Blocking All LAN to WAN IRC Traffic Example Your firewall would have the following rules. Table 111 Blocking All LAN to WAN IRC Traffic Example USER SOURCE DESTINATION...
  • Page 430 Chapter 24 Firewall Now you configure a LAN to WAN firewall rule that allows IRC traffic from the IP address of the CEO’s computer (192.168.1.7 for example) to go to any destination address. You do not need to specify a schedule since you want the firewall rule to always be in effect.
  • Page 431: Firewall Rule Configuration Example

    Chapter 24 Firewall • The first row allows any LAN computer to access the IRC service on the WAN by logging into the ZyWALL with the CEO’s user name. • The second row blocks LAN access to the IRC service on the WAN. •...
  • Page 432 Chapter 24 Firewall The screen for configuring a service object opens. Configure it as follows and click Figure 312 Firewall Example: Create a Service Object Select From WAN and To LAN1. Enter the name of the firewall rule. Dest_1 is selected for the Destination and Doom is selected as the Service.
  • Page 433: The Firewall Screen

    Chapter 24 Firewall The firewall rule appears in the firewall rule summary. Figure 314 Firewall Example: Doom Rule in Summary 24.2 The Firewall Screen Asymmetrical Routes If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL’s LAN IP address, return traffic may not go through the ZyWALL.
  • Page 434: Configuring The Firewall Screen

    Chapter 24 Firewall The ZyWALL then sends it to the computer on the LAN in Subnet 1. Figure 315 Using Virtual Interfaces to Avoid Asymmetrical Routes 24.2.1 Configuring the Firewall Screen Click Configuration > Firewall to open the Firewall screen. Use this screen to enable or disable the firewall and asymmetrical routes, set a maximum number of sessions per host, and display the configured firewall rules.
  • Page 435 Chapter 24 Firewall • The ordering of your rules is very important as rules are applied in sequence. Figure 316 Configuration > Firewall The following table describes the labels in this screen. Table 114 Configuration > Firewall LABEL DESCRIPTION General Settings Enable Select this check box to activate the firewall.
  • Page 436 Chapter 24 Firewall Table 114 Configuration > Firewall (continued) LABEL DESCRIPTION From Zone / To Zone This is the direction of travel of packets. Select from which zone the packets come and to which zone they go. Firewall rules are grouped based on the direction of travel of packets to which they apply.
  • Page 437: The Firewall Add/Edit Screen

    Chapter 24 Firewall Table 114 Configuration > Firewall (continued) LABEL DESCRIPTION Service This displays the service object to which this firewall rule applies. Access This field displays whether the firewall silently discards packets (deny), discards packets and sends a TCP reset packet to the sender (reject) or permits the passage of packets (allow).
  • Page 438: The Session Limit Screen

    Chapter 24 Firewall Table 115 Configuration > Firewall > Add (continued) LABEL DESCRIPTION Description Enter a descriptive name of up to 60 printable ASCII characters for the firewall rule. Spaces are allowed. Schedule Select a schedule that defines when the rule applies. Otherwise, select none and the rule is always effective.
  • Page 439 Chapter 24 Firewall individual limits for specific users, addresses, or both. The individual limit takes priority if you apply both. Figure 318 Configuration > Firewall > Session Limit The following table describes the labels in this screen. Table 116 Configuration > Firewall > Session Limit LABEL DESCRIPTION General...
  • Page 440: The Session Limit Add/Edit Screen

    Chapter 24 Firewall Table 116 Configuration > Firewall > Session Limit (continued) LABEL DESCRIPTION This is the index number of a session limit rule. It is not associated with a specific rule. User This is the user name or user group name to which this session limit rule applies.
  • Page 441 Chapter 24 Firewall Table 117 Configuration > Firewall > Session Limit > Edit (continued) LABEL DESCRIPTION User Select a user name or user group to which to apply the rule. The rule is activated only when the specified user logs into the system and the rule will be disabled when the user logs out.
  • Page 443: Ipsec Vpn

    CHAPTER IPSec VPN 25.1 IPSec VPN Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing. It is used to transport traffic over the Internet or any insecure network that uses TCP/IP for communication.
  • Page 444: What You Need To Know

    Chapter 25 IPSec VPN • Use the VPN Gateway screens (see Section 25.2.1 on page 448) to manage the ZyWALL’s VPN gateways. A VPN gateway specifies the IPSec routers at either end of a VPN tunnel and the IKE SA settings (phase 1 settings). You can also activate and deactivate each VPN gateway.
  • Page 445 Chapter 25 IPSec VPN Application Scenarios The ZyWALL’s application scenarios make it easier to configure your VPN connection settings. Table 118 IPSec VPN Application Scenarios (columns: SITE-TO-SITE; SITE-TO-SITE WITH DYNAMIC PEER; REMOTE ACCESS (SERVER ROLE); REMOTE ACCESS (CLIENT ROLE)) Choose this if the... Choose this if the... Choose this to allow... Choose this to...
  • Page 446: Before You Begin

    Chapter 25 IPSec VPN • See Section 25.5 on page 471 for IPSec VPN background information. • See Section 5.3 on page 81 for the IPSec VPN quick setup wizard. • See Section 7.4 on page 125 for an example of configuring IPSec VPN. •...
  • Page 447 Chapter 25 IPSec VPN SA). Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 322 Configuration > VPN > IPSec VPN > VPN Connection Each field is discussed in the following table.
  • Page 448: The Vpn Connection Add/Edit (Ike) Screen

    Chapter 25 IPSec VPN Table 119 Configuration > VPN > IPSec VPN > VPN Connection (continued) LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific connection. Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
  • Page 449 Chapter 25 IPSec VPN Figure 323 Configuration > VPN > IPSec VPN > VPN Connection > Edit (IKE) ZyWALL USG 1000 User’s Guide...
  • Page 450 Chapter 25 IPSec VPN Each field is described in the following table. Table 120 Configuration > VPN > IPSec VPN > VPN Connection > Edit LABEL DESCRIPTION Show Advance Settings / Hide Click this button to display a greater or lesser number of configuration fields.
  • Page 451 Chapter 25 IPSec VPN Table 120 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL DESCRIPTION Policy Local Policy Select the address corresponding to the local network. Use Create new Object if you need to configure a new one. Remote Policy Select the address corresponding to the remote network.
  • Page 452 Chapter 25 IPSec VPN Table 120 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL DESCRIPTION Encryption This field is applicable when the Active Protocol is ESP. Select which key size and encryption algorithm to use in the IPSec SA. Choices are: NULL - no encryption key or algorithm DES - a 56-bit key with the DES encryption algorithm...
  • Page 453 Chapter 25 IPSec VPN Table 120 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL DESCRIPTION Check Method Select how the ZyWALL checks the connection. The peer must be configured to respond to the method you select. Select icmp to have the ZyWALL regularly ping the address you specify to make sure traffic can still go through the connection.
  • Page 454 Chapter 25 IPSec VPN Table 120 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL DESCRIPTION Inbound Traffic Source NAT This translation hides the source address of computers in the remote network. Source Select the address object that represents the original source address (or select Create Object to configure a new one).
  • Page 455: The Vpn Connection Add/Edit Manual Key Screen

    Chapter 25 IPSec VPN 25.2.2 The VPN Connection Add/Edit Manual Key Screen The VPN Connection Add/Edit Manual Key screen allows you to create a new VPN connection or edit an existing one using a manual key. This is useful if you have problems with IKE key management.
  • Page 456 Chapter 25 IPSec VPN Table 121 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual Key (continued) LABEL DESCRIPTION Secure Gateway Address Type the IP address of the remote IPSec router in the IPSec SA. Type a unique SPI (Security Parameter Index) between 256 and 4095. The SPI is used to identify the ZyWALL during authentication.
  • Page 457 Chapter 25 IPSec VPN Table 121 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual Key (continued) LABEL DESCRIPTION Encryption Key This field is applicable when you select an Encryption Algorithm. Enter the encryption key, which depends on the encryption algorithm. DES - type a unique key 8-32 characters long 3DES - type a unique key 24-32 characters long AES128 - type a unique key 16-32 characters long...
  • Page 458: The Vpn Gateway Screen

    Chapter 25 IPSec VPN 25.3 The VPN Gateway Screen The VPN Gateway summary screen displays the IPSec VPN gateway policies in the ZyWALL, as well as the ZyWALL’s address, remote IPSec router’s address, and associated VPN connections for each one. In addition, it also lets you activate and deactivate each VPN gateway.
  • Page 459: The Vpn Gateway Add/Edit Screen

    Chapter 25 IPSec VPN Table 122 Configuration > VPN > IPSec VPN > VPN Gateway (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. 25.3.1 The VPN Gateway Add/Edit Screen The VPN Gateway Add/Edit screen allows you to create a new VPN gateway policy or edit an existing one.
  • Page 460 Chapter 25 IPSec VPN Figure 326 Configuration > VPN > IPSec VPN > VPN Gateway > Edit ZyWALL USG 1000 User’s Guide...
  • Page 461 Chapter 25 IPSec VPN Each field is described in the following table. Table 123 Configuration > VPN > IPSec VPN > VPN Gateway > Edit LABEL DESCRIPTION Show Advance Settings / Hide Click this button to display a greater or lesser number of configuration fields.
  • Page 462 Chapter 25 IPSec VPN Table 123 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION Pre-Shared Select this to have the ZyWALL and remote IPSec router use a pre-shared key (password) to identify each other when they negotiate the IKE SA.
  • Page 463 Chapter 25 IPSec VPN Table 123 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION Content This field is read-only if the ZyWALL and remote IPSec router use certificates to identify each other. Type the identity of the ZyWALL during authentication.
  • Page 464 Chapter 25 IPSec VPN Table 123 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION Content This field is disabled if the Peer ID Type is Any. Type the identity of the remote IPSec router during authentication. The identity depends on the Peer ID Type.
  • Page 465 Chapter 25 IPSec VPN Table 123 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION Negotiation Mode Select the negotiation mode to use to negotiate the IKE SA. Choices are: Main - this encrypts the ZyWALL’s and remote IPSec router’s identities but takes more time to establish the IKE SA Aggressive - this is faster but does not encrypt the identities The ZyWALL and the remote IPSec router must use the same...
  • Page 466 Chapter 25 IPSec VPN Table 123 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION NAT Traversal Select this if any of these conditions are satisfied. • This IKE SA might be used to negotiate IPSec SAs that use ESP as the active protocol.
  • Page 467: Vpn Concentrator

    Chapter 25 IPSec VPN 25.4 VPN Concentrator A VPN concentrator combines several IPSec VPN connections into one secure network. Figure 327 VPN Topologies (Fully Meshed and Hub and Spoke) In a fully-meshed VPN topology (1 in the figure), there is a VPN connection between every pair of routers.
  • Page 468 Chapter 25 IPSec VPN • Branch office A’s ZyWALL uses one VPN rule to access both the headquarters (HQ) network and branch office B’s network. • Branch office B’s ZyWALL uses one VPN rule to access branch office A’s network only.
  • Page 469 Chapter 25 IPSec VPN VPN Connection (VPN Tunnel 1): • Local Policy: 192.168.1.0/255.255.255.0 • Remote Policy:192.168.11.0/255.255.255.0 • Disable Policy Enforcement VPN Gateway (VPN Tunnel 2): • My Address: 10.0.0.1 • Peer Gateway Address: 10.0.0.3 VPN Connection (VPN Tunnel 2): • Local Policy: 192.168.1.0/255.255.255.0 •...
  • Page 470: Vpn Concentrator Screen

    Chapter 25 IPSec VPN • The local IP addresses configured in the VPN rules should not overlap. • The concentrator must have at least one separate VPN rule for each spoke. In the local policy, specify the IP addresses of the networks with which the spoke is to be able to have a VPN tunnel.
  • Page 471: Ipsec Vpn Background Information

    Chapter 25 IPSec VPN Concentrator summary screen (see Section 25.4 on page 467), and click either the Add icon or an Edit icon. Figure 330 Configuration > VPN > IPSec VPN > Concentrator > Edit Each field is described in the following table. Table 125 VPN >...
  • Page 472: Ike Sa Overview

    Chapter 25 IPSec VPN IKE SA Overview The IKE SA provides a secure connection between the ZyWALL and remote IPSec router. It takes several steps to establish an IKE SA. The negotiation mode determines how many. There are two negotiation modes--main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster.
  • Page 473 Chapter 25 IPSec VPN The ZyWALL sends one or more proposals to the remote IPSec router. (In some devices, you can only set up one proposal.) Each proposal consists of an encryption algorithm, authentication algorithm, and DH key group that the ZyWALL wants to use in the IKE SA.
  • Page 474 Chapter 25 IPSec VPN the longer it takes to encrypt and decrypt information. For example, DH2 keys (1024 bits) are more secure than DH1 keys (768 bits), but DH2 keys take longer to encrypt and decrypt. Authentication Before the ZyWALL and remote IPSec router establish an IKE SA, they have to verify each other’s identity.
  • Page 475 Chapter 25 IPSec VPN Router identity consists of ID type and content. The ID type can be domain name, IP address, or e-mail address, and the content is a (properly-formatted) domain name, IP address, or e-mail address. The content is only used for identification. Any domain name or e-mail address that you enter does not have to actually exist.
  • Page 476 Chapter 25 IPSec VPN Negotiation Mode There are two negotiation modes--main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster. Main mode takes six steps to establish an IKE SA. Steps 1 - 2: The ZyWALL sends its proposals to the remote IPSec router. The remote IPSec router selects an acceptable proposal and sends it back to the ZyWALL.
  • Page 477 Chapter 25 IPSec VPN feature, router X and router Y can establish a VPN tunnel as long as the active protocol is ESP. (See Active Protocol on page 478 for more information about active protocols.) If router A does not have an IPSec pass-thru or if the active protocol is AH, you can solve this problem by enabling NAT traversal.
  • Page 478: Ipsec Sa Overview

    Chapter 25 IPSec VPN • The local and peer ID type and content come from the certificates. Note: You must set up the certificates for the ZyWALL and remote IPSec router first. IPSec SA Overview Once the ZyWALL and remote IPSec router have established the IKE SA, they can securely negotiate an IPSec SA through which to send data between computers on the networks.
  • Page 479 Chapter 25 IPSec VPN These modes are illustrated below. Figure 335 VPN: Transport and Tunnel Mode Encapsulation (Original Packet: IP Header, TCP Header, Data; Transport Mode Packet: IP Header, AH/ESP Header, TCP Header, Data; Tunnel Mode Packet: IP Header, AH/ESP Header, IP Header, TCP Header, Data)...
  • Page 480 Chapter 25 IPSec VPN Additional Topics for IPSec SA This section provides more information about IPSec SA in your ZyWALL. IPSec SA using Manual Keys You might set up an IPSec SA using manual keys when you want to establish a VPN tunnel quickly, for example, for troubleshooting.
  • Page 481 Chapter 25 IPSec VPN Each kind of translation is explained below. The following example is used to help explain each one. Figure 336 VPN Example: NAT for Inbound and Outbound Traffic Source Address in Outbound Packets (Outbound Traffic, Source NAT) This translation lets the ZyWALL route packets from computers that are not part of the specified local network (local policy) through the IPSec SA.
  • Page 482 Chapter 25 IPSec VPN • SNAT - the translated source address; a different IP address (range of addresses) to hide the original source address. Destination Address in Inbound Packets (Inbound Traffic, Destination NAT) You can set up this translation if you want the ZyWALL to forward some packets from the remote network to a specific computer in the local network.
  • Page 483 Chapter 25 IPSec VPN ZyWALL USG 1000 User’s Guide...
  • Page 485: Ssl Vpn

    Chapter 26 SSL VPN 26.1 Overview Use SSL VPN to allow users to use a web browser for secure remote user login (the remote users do not need a VPN router or VPN client software). 26.1.1 What You Can Do in this Chapter •...
  • Page 486 Chapter 26 SSL VPN You do not have to install additional client software on the remote user computers for access. Figure 337 Network Access Mode: Reverse Proxy Full Tunnel Mode In full tunnel mode, a virtual connection is created for remote users with private IP addresses in the same subnet as the local network.
  • Page 487 Chapter 26 SSL VPN changes through the SSL policies that use the object(s). When you delete an SSL policy, the objects are not removed. Table 128 Objects (OBJECT TYPE, OBJECT SCREEN, DESCRIPTION) User Accounts: User Account/; Configure a user account or user group to which you want to apply this SSL access policy.
  • Page 488: The Ssl Access Privilege Screen

    Chapter 26 SSL VPN 26.2 The SSL Access Privilege Screen Click VPN > SSL VPN to open the Access Privilege screen. This screen lists the configured SSL access policies. Figure 339 VPN > SSL VPN > Access Privilege The following table describes the labels in this screen. Table 129 VPN >...
  • Page 489 Chapter 26 SSL VPN Table 129 VPN > SSL VPN > Access Privilege LABEL DESCRIPTION Apply: Click Apply to save the settings. Reset: Click Reset to discard all changes.
  • Page 490: The Ssl Access Policy Add/Edit Screen

    Chapter 26 SSL VPN 26.2.1 The SSL Access Policy Add/Edit Screen To create a new or edit an existing SSL access policy, click the Add or Edit icon in the Access Privilege screen. Figure 340 VPN > SSL VPN > Access Privilege > Add/Edit
  • Page 491 Chapter 26 SSL VPN The following table describes the labels in this screen. Table 130 VPN > SSL VPN > Access Privilege > Add/Edit LABEL DESCRIPTION Create new Object: Use to configure any new settings objects that you need to use in this screen.
  • Page 492: The Ssl Global Setting Screen

    Chapter 26 SSL VPN Table 130 VPN > SSL VPN > Access Privilege > Add/Edit (continued) LABEL DESCRIPTION SSL Application List (Optional): The Selectable Application Objects list displays the name(s) of the SSL application(s) you can select for this SSL access policy. To associate an SSL application to this SSL access policy, select a name and click >>...
  • Page 493 ZyWALL’s DDNS entries. You can specify up to two domain names so you could use one domain name for each of two WAN ports. Do not include the host. For example, www.zyxel.com is a fully qualified domain name where “www” is the host; so you would just use “zyxel.com”.
  • Page 494: How To Upload A Custom Logo

    Upload: Click Upload to transfer the specified graphic file from your computer to the ZyWALL. Reset Logo to Default: Click Reset Logo to Default to display the ZyXEL company logo on the remote user’s web browser. Apply: Click Apply to save the changes and/or start the logo file upload process.
  • Page 495: Establishing An Ssl Vpn Connection

    Chapter 26 SSL VPN The following shows an example logo on the remote user screen. Figure 342 Example Logo Graphic Display 26.4 Establishing an SSL VPN Connection After you have configured the SSL VPN settings on the ZyWALL, use the ZyWALL login screen’s SSL VPN button to establish an SSL VPN connection.
  • Page 496 Chapter 26 SSL VPN SSL VPN connection starts. This may take several minutes depending on your network connection. Once the connection is up, you should see the client portal screen. The following shows an example. Figure 344 SSL VPN Client Portal Screen Example If the user account is not set up for SSL VPN access, an “SSL VPN connection is not activated”...
  • Page 499: Ssl User Screens

    Chapter 27 SSL User Screens 27.1 Overview This chapter introduces the remote user SSL VPN screens. The following figure shows a network example where a remote user (A) logs into the ZyWALL from the Internet to access the web server (WWW) on the local network. Figure 345 Network Example 27.1.1 What You Need to Know...
  • Page 500: Remote User Login

    Chapter 27 SSL User Screens System Requirements Here are the browser and computer system requirements for remote user access. • Windows 7 (32 or 64-bit), Vista (32 or 64-bit), 2003 (32-bit), XP (32-bit), or 2000 (32-bit) • Internet Explorer 7 and above or Firefox 1.5 and above •...
  • Page 501 Chapter 27 SSL User Screens Open a web browser and enter the web site address or IP address of the ZyWALL. For example, “http://sslvpn.mycompany.com”. Figure 346 Enter the Address in a Web Browser Click OK or Yes if a security screen displays. Figure 347 Login Security Screen A login screen displays.
  • Page 502 Chapter 27 SSL User Screens Your computer starts establishing a secure connection to the ZyWALL after a successful login. This may take up to two minutes. If you get a message about needing Java, download and install it and restart your browser and re-login. If a certificate warning screen displays, click OK, Yes or Continue.
  • Page 503 Chapter 27 SSL User Screens The ZyWALL tries to install the SecuExtender client. You may need to click a pop-up to get your browser to allow this. In Internet Explorer, click Install. Figure 351 SecuExtender Blocked by Internet Explorer The ZyWALL tries to run the “ssltun”...
  • Page 504 Chapter 27 SSL User Screens 10 If a screen like the following displays, click Continue Anyway to finish installing the SecuExtender client on your computer. Figure 354 Hardware Installation Warning 11 The Application screen displays showing the list of resources available to you. Figure 355 on page 505 for a screen example.
  • Page 505: The Ssl Vpn User Screens

    Chapter 27 SSL User Screens 27.3 The SSL VPN User Screens This section describes the main elements in the remote user screens. Figure 355 Remote User Screen The following table describes the various parts of a remote user screen. Table 132 Remote User Screen Overview DESCRIPTION Click on a menu tab to go to the Application or File Sharing screen.
  • Page 506: Bookmarking The Zywall

    Chapter 27 SSL User Screens 27.4 Bookmarking the ZyWALL You can create a bookmark of the ZyWALL by clicking the Add to Favorite icon. This allows you to access the ZyWALL using the bookmark without having to enter the address every time. In any remote user screen, click the Add to Favorite icon.
  • Page 507 Chapter 27 SSL User Screens An information screen displays to indicate that the SSL VPN connection is about to terminate. Figure 358 Logout: Connection Termination Progress
  • Page 509: Ssl User Application Screens

    Chapter 28 SSL User Application Screens 28.1 SSL User Application Screens Overview Use the Application screen to access web-based applications (such as web sites and e-mail) on the network through the SSL VPN connection. Which applications you can access depends on the ZyWALL’s configuration.
  • Page 511: Ssl User File Sharing

    Chapter 29 SSL User File Sharing 29.1 Overview The File Sharing screen lets you access files on a file server through the SSL VPN connection. 29.1.1 What You Need to Know Use the File Sharing screen to display and access shared files/folders on a file server.
  • Page 512: The Main File Sharing Screen

    Chapter 29 SSL User File Sharing 29.2 The Main File Sharing Screen The first File Sharing screen displays the name(s) of the shared folder(s) available. The following figure shows an example with one file share. Figure 360 File Sharing 29.3 Opening a File or Folder You can open a file if the file extension is recognized by the web browser and the associated application is installed on your computer.
  • Page 513 Chapter 29 SSL User File Sharing If an access user name and password are required, a screen displays as shown in the following figure. Enter the account information and click Login to continue. Figure 361 File Sharing: Enter Access User Name and Password
  • Page 514: Downloading A File

    Chapter 29 SSL User File Sharing A list of files/folders displays. Click on a file to open it in a separate browser window. You can also click a folder to access it. For this example, click on a .doc file to open the Word document. Figure 362 File Sharing: Open a Word File 29.3.1 Downloading a File You are prompted to download a file which cannot be opened using a web browser.
  • Page 515: Saving A File

    Chapter 29 SSL User File Sharing 29.3.2 Saving a File After you have opened a file in a web browser, you can save a copy of the file by clicking File > Save As and following the on-screen instructions. Figure 363 File Sharing: Save a Word File 29.4 Creating a New Folder To create a new folder in the file share location, click the New Folder icon.
  • Page 516: Renaming A File Or Folder

    Chapter 29 SSL User File Sharing 29.5 Renaming a File or Folder To rename a file or folder, click the Rename icon next to the file/folder. Figure 365 File Sharing: Rename A popup window displays. Specify the new name and/or file extension in the field provided.
  • Page 517: Uploading A File

    Chapter 29 SSL User File Sharing 29.7 Uploading a File Follow the steps below to upload a file to the file server. Log into the remote user screen and click the File Sharing tab. Specify the location and/or name of the file you want to upload. Or click Browse to locate it.
  • Page 519: Zywall Secuextender

    Chapter 30 ZyWALL SecuExtender The ZyWALL automatically loads the ZyWALL SecuExtender client program to your computer after a successful login. The ZyWALL SecuExtender lets you: • Access servers, remote desktops and manage files as if you were on the local network.
  • Page 520: Statistics

    Chapter 30 ZyWALL SecuExtender 30.2 Statistics Right-click the ZyWALL SecuExtender icon in the system tray and select Status to open the Status screen. Use this screen to view the ZyWALL SecuExtender’s statistics. Figure 369 ZyWALL SecuExtender Status The following table describes the labels in this screen. Table 133 ZyWALL SecuExtender Statistics LABEL DESCRIPTION...
  • Page 521: View Log

    Chapter 30 ZyWALL SecuExtender Table 133 ZyWALL SecuExtender Statistics LABEL DESCRIPTION Transmitted: This is how many bytes and packets the computer has sent through the SSL VPN connection. Received: This is how many bytes and packets the computer has received through the SSL VPN connection.
  • Page 522: Stop The Connection

    30.6 Uninstalling the ZyWALL SecuExtender Do the following if you need to remove the ZyWALL SecuExtender. Click start > All Programs > ZyXEL > ZyWALL SecuExtender > Uninstall. In the confirmation screen, click Yes. Figure 371 Uninstalling the ZyWALL SecuExtender Confirmation Windows uninstalls the ZyWALL SecuExtender.
  • Page 523: L2Tp Vpn

    Chapter 31 L2TP VPN 31.1 Overview L2TP VPN lets remote users use the L2TP and IPSec client software included with their computers’ operating systems to securely connect to the network behind the ZyWALL. The remote users do not need their own IPSec gateways or VPN client software.
  • Page 524 Chapter 31 L2TP VPN • Use transport mode. • Not be a manual key VPN connection. • Use Pre-Shared Key authentication. • Use a VPN gateway with the Secure Gateway set to 0.0.0.0 if you need to allow L2TP VPN clients to connect from more than one IP address. Using the Default L2TP VPN Connection Default_L2TP_VPN_Connection is pre-configured to be convenient to use for L2TP VPN.
  • Page 525: L2Tp Vpn Screen

    Chapter 31 L2TP VPN Finding Out More • See Section 6.5.17 on page 109 for related information on these screens. • See Chapter 8 on page 169 for an example of how to create a basic L2TP VPN tunnel. 31.2 L2TP VPN Screen Click Configuration >...
  • Page 526 Chapter 31 L2TP VPN Table 134 Configuration > VPN > IPSec VPN > VPN Connection (continued) LABEL DESCRIPTION VPN Connection Select the IPSec VPN connection the ZyWALL uses for L2TP VPN. All of the configured VPN connections display here, but the one you use must meet the requirements listed in IPSec Configuration Required for L2TP VPN on page...
  • Page 527: Application Patrol

    Chapter 32 Application Patrol 32.1 Overview Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, HTTP and FTP) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP), and streaming (RTSP) applications.
  • Page 528: What You Need To Know

    Chapter 32 Application Patrol 32.1.2 What You Need to Know If you want to use a service, make sure both the firewall and application patrol allow the service’s packets to go through the ZyWALL. Note: The ZyWALL checks firewall rules before it checks application patrol rules for traffic going through the ZyWALL.
  • Page 529 Chapter 32 Application Patrol numbers for SIP traffic. Likewise, configuring the SIP ALG to use custom port numbers for SIP traffic also configures application patrol to use the same port numbers for SIP traffic. DiffServ and DSCP Marking QoS is used to prioritize source-to-destination traffic flows. All packets in the same flow are given the same priority.
  • Page 530 Chapter 32 Application Patrol • The outbound traffic flows from the connection initiator to the connection responder. • The inbound traffic flows from the connection responder to the connection initiator. For example, a LAN to WAN connection is initiated from LAN and goes to the WAN. •...
  • Page 531 Chapter 32 Application Patrol • Inbound traffic is limited to 500 kbps. The connection initiator is on the LAN so inbound means the traffic traveling from the WAN to the LAN. Figure 377 LAN to WAN, Outbound 200 kbps, Inbound 500 kbps...
  • Page 532 Chapter 32 Application Patrol outgoing speed of 1000 kbps. You configure policy A for server A’s traffic and policy B for server B’s traffic. Figure 378 Bandwidth Management Behavior Configured Rate Effect In the following table, the configured rates total less than the available bandwidth and maximize bandwidth usage is disabled, so both servers get their configured rate.
  • Page 533: Application Patrol Bandwidth Management Examples

    Chapter 32 Application Patrol So server A gets its configured rate of 300 kbps plus 250 kbps for a total of 550 kbps. Server B gets its configured rate of 200 kbps plus 250 kbps for a total of 450 kbps. Table 137 Maximize Bandwidth Usage Effect POLICY CONFIGURED RATE...
  • Page 534: Sip Any To Wan Bandwidth Management Example

    Chapter 32 Application Patrol • HTTP traffic needs to be given priority over FTP traffic. • FTP traffic from the WAN to the DMZ must be limited so it does not interfere with SIP and HTTP traffic. • FTP traffic from the LAN to the DMZ can use more bandwidth since the interfaces support up to 1 Gbps connections, but it must be the lowest priority and limited so it does not interfere with SIP and HTTP traffic.
  • Page 535: Sip Wan To Any Bandwidth Management Example

    Chapter 32 Application Patrol • Enable maximize bandwidth usage so the SIP traffic can borrow unused bandwidth. Figure 380 SIP Any to WAN Bandwidth Management Example Outbound: 200 kbps Inbound: 200 kbps 32.1.3.3 SIP WAN to Any Bandwidth Management Example You also create a policy for calls coming in from the SIP server on the WAN.
  • Page 536: Ftp Wan To Dmz Bandwidth Management Example

    Chapter 32 Application Patrol 32.1.3.5 FTP WAN to DMZ Bandwidth Management Example • ADSL supports more downstream than upstream so you allow remote users 300 kbps for uploads to the DMZ FTP server (outbound) but only 100 kbps for downloads (inbound). •...
  • Page 537: Application Patrol General Screen

    Chapter 32 Application Patrol 32.2 Application Patrol General Screen Use this screen to enable and disable application patrol. It also lists the registration status and details about the signature set the ZyWALL is using. Note: You must register for the IDP/AppPatrol signature service (at least the trial) before you can use it.
  • Page 538: Application Patrol Applications

    Chapter 32 Application Patrol Table 139 Configuration > App Patrol > General (continued) LABEL DESCRIPTION Enable Highest Bandwidth: Select this to maximize the throughput of SIP traffic to improve SIP-based VoIP call sound quality. This has the ZyWALL immediately send SIP traffic upon identifying it.
  • Page 539: The Application Patrol Edit Screen

    Chapter 32 Application Patrol Click Configuration > App Patrol > Common to open the following screen. Figure 385 Configuration > App Patrol > Common The following table describes the labels in this screen. See Section 32.3.1 on page for more information as well. Table 140 Configuration >...
  • Page 540 Chapter 32 Application Patrol Streaming screen and click an application’s Edit icon. The screen displayed here is for the MSN instant messenger service. Figure 386 Application Edit The following table describes the labels in this screen. Table 141 Application Edit LABEL DESCRIPTION Service...
  • Page 541 Chapter 32 Application Patrol Table 141 Application Edit (continued) LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific entry. Note: The ZyWALL checks ports in the order they appear in the list. While this sequence does not affect the functionality, you might improve the performance of the ZyWALL by putting more commonly used ports at the top of the list.
  • Page 542 Chapter 32 Application Patrol Table 141 Application Edit (continued) LABEL DESCRIPTION Access This field displays what the ZyWALL does with packets for this application that match this policy. forward - the ZyWALL routes the packets for this application. Drop - the ZyWALL does not route the packets for this application and does not notify the client of its decision.
  • Page 543: The Application Patrol Policy Edit Screen

    Chapter 32 Application Patrol Table 141 Application Edit (continued) LABEL DESCRIPTION Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. 32.3.2 The Application Patrol Policy Edit Screen The Application Policy Edit screen allows you to edit a group of settings for an application.
  • Page 544 Chapter 32 Application Patrol Table 142 Application Policy Edit (continued) LABEL DESCRIPTION Schedule Select a schedule that defines when the policy applies or select Create Object to configure a new one (see Chapter 43 on page 727 for details). Otherwise, select none to make the policy always effective. User Select a user name or user group to which to apply the policy.
  • Page 545 Chapter 32 Application Patrol Table 142 Application Policy Edit (continued) LABEL DESCRIPTION Action Block For some applications, you can select individual uses of the application that the policy will have the ZyWALL block. These fields only apply when Access is set to forward. Login - Select this option to block users from logging in to a server for this application.
  • Page 546: The Other Applications Screen

    Chapter 32 Application Patrol Table 142 Application Policy Edit (continued) LABEL DESCRIPTION Priority This field displays when the inbound or outbound bandwidth management is not set to 0. Enter a number between 1 and 7 to set the priority for this application’s traffic that matches this policy. The smaller the number, the higher the priority.
  • Page 547 Chapter 32 Application Patrol Click AppPatrol > Other to open the Other (applications) screen. Figure 388 AppPatrol > Other The following table describes the labels in this screen. See Section 32.4.1 on page for more information as well. Table 143 AppPatrol > Other LABEL DESCRIPTION Click this to create a new entry.
  • Page 548 Chapter 32 Application Patrol Table 143 AppPatrol > Other (continued) LABEL DESCRIPTION Destination This is the destination address or address group for whom this policy applies. If any displays, the policy is effective for every destination. Protocol This is the protocol of the traffic to which this policy applies. Access This field displays what the ZyWALL does with packets that match this policy.
  • Page 549: The Other Applications Add/Edit Screen

    Chapter 32 Application Patrol Table 143 AppPatrol > Other (continued) LABEL DESCRIPTION Select whether to have the ZyWALL generate a log (log), log and alert (log alert) or neither (no) when traffic matches this policy. See Chapter 51 on page 845 for more on logs.
  • Page 550 Chapter 32 Application Patrol Table 144 AppPatrol > Other > Edit (continued) LABEL DESCRIPTION Schedule Select a schedule that defines when the policy applies or select Create Object to configure a new one (see Chapter 43 on page 727 for details). Otherwise, select any to make the policy always effective.
  • Page 551 Chapter 32 Application Patrol Table 144 AppPatrol > Other > Edit (continued) LABEL DESCRIPTION Inbound kbps: Type how much inbound bandwidth, in kilobits per second, this policy allows the traffic to use. Inbound refers to the traffic the ZyWALL sends to a connection’s initiator.
  • Page 552 Chapter 32 Application Patrol Table 144 AppPatrol > Other > Edit (continued) LABEL DESCRIPTION Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 553: Anti-Virus

    Chapter 33 Anti-Virus 33.1 Overview Use the ZyWALL’s anti-virus feature to protect your connected network from virus/spyware infection. The ZyWALL checks traffic going in the direction(s) you specify for signature matches. In the following figure the ZyWALL is set to check traffic coming from the WAN zone (which includes two interfaces) to the LAN zone.
  • Page 554: What You Need To Know

    Registration screen. After the trial expires, you need to purchase an iCard for the anti-virus engine you want to use and register it in the Registration > Service screen. You must use the ZyXEL anti-virus iCard for the ZyXEL anti-virus engine and the Kaspersky anti-virus iCard for the Kaspersky anti-virus engine. See Chapter 11 on page 265 for details.
  • Page 555 Chapter 33 Anti-Virus If the packets are not session connection setup packets (such as SYN, ACK and FIN), the ZyWALL records the sequence of the packets. The scanning engine checks the contents of the packets for virus. If a virus pattern is matched, the ZyWALL removes the infected portion of the file along with the rest of the file.
  • Page 556: Before You Begin

    Chapter 33 Anti-Virus 33.1.3 Before You Begin • Before using anti-virus, see Chapter 11 on page 265 for how to register for the anti-virus service. • You may need to customize the zones (in the Network > Zone) used for the anti-virus scanning direction.
  • Page 557 Chapter 33 Anti-Virus The following table describes the labels in this screen. Table 145 Configuration > Anti-X > Anti-Virus > General LABEL DESCRIPTION Show Advance Settings / Hide: Click this button to display a greater or lesser number of configuration fields.
  • Page 558 Information: The following fields display information on the current signature set that the ZyWALL is using. Anti-Virus Engine Type: This field displays whether the ZyWALL is set to use ZyXEL’s anti-virus engine or the one powered by Kaspersky. Upgrading the ZyWALL to firmware version 2.11 and updating the anti-virus signatures automatically upgrades the ZyXEL anti-virus engine to v2.0.
  • Page 559: Anti-Virus Policy Add Or Edit Screen

    Chapter 33 Anti-Virus 33.2.1 Anti-Virus Policy Add or Edit Screen Click the Add or Edit icon in the Configuration > Anti-X > Anti-Virus > General screen to display the configuration screen as shown next. Figure 392 Configuration > Anti-X > Anti-Virus > General > Add The following table describes the labels in this screen.
  • Page 560 Chapter 33 Anti-Virus Table 146 Configuration > Anti-X > Anti-Virus > General > Add (continued) LABEL DESCRIPTION Actions When Matched Destroy infected file: When you select this check box, if a virus pattern is matched, the ZyWALL overwrites the infected portion of the file (and the rest of the file) with zeros.
  • Page 561: Anti-Virus Black List

    Chapter 33 Anti-Virus Table 146 Configuration > Anti-X > Anti-Virus > General > Add (continued) LABEL DESCRIPTION Destroy compressed files that could not be decompressed: Select this check box to have the ZyWALL delete any ZIP files that it is not able to unzip. Note: When you select this option, the ZyWALL deletes ZIP files that use password encryption.
  • Page 562: Anti-Virus Black List Or White List Add/Edit

    Chapter 33 Anti-Virus The following table describes the labels in this screen. Table 147 Configuration > Anti-X > Anti-Virus > Black/White List > Black List LABEL DESCRIPTION Enable Black List: Select this check box to log and delete files with names that match the black list patterns.
  • Page 563: Anti-Virus White List

    Chapter 33 Anti-Virus The following table describes the labels in this screen. Table 148 Configuration > Anti-X > Anti-Virus > Black/White List > Black List (or White List) > Add LABEL DESCRIPTION Enable If this is a black list entry, select this option to have the ZyWALL apply this entry when using the black list.
  • Page 564: Signature Searching

    Chapter 33 Anti-Virus column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 395 Configuration > Anti-X > Anti-Virus > Black/White List > White List The following table describes the labels in this screen. Table 149 Configuration >...
  • Page 565 Chapter 33 Anti-Virus If Internet Explorer opens a warning screen about a script making Internet Explorer run slowly and the computer may be becoming unresponsive, just click No to continue. Click a column’s heading cell to sort the table entries by that column’s criteria.
  • Page 566 Chapter 33 Anti-Virus The following table describes the labels in this screen. Table 150 Configuration > Anti-X > Anti-Virus > Signature LABEL DESCRIPTION Signatures Select the criteria on which to perform the search. Search Select By Name from the drop down list box and type the name or part of the name of the signature(s) you want to find.
  • Page 567: Anti-Virus Technical Reference

    Chapter 33 Anti-Virus 33.7 Anti-Virus Technical Reference Types of Computer Viruses The following table describes some of the common computer viruses. Table 151 Common Computer Virus Types TYPE DESCRIPTION File Infector This is a small program that embeds itself in a legitimate program. A file infector is able to copy and attach itself to other programs that are executed on an infected computer.
  • Page 568 Chapter 33 Anti-Virus A host-based anti-virus (HAV) scanner is often software installed on computers and/or servers in the network. It inspects files for virus patterns as they are moved in and out of the hard drive. However, host-based anti-virus scanners cannot eliminate all viruses for a number of reasons: •...
  • Page 569: Idp

    Chapter 34 IDP 34.1 Overview This chapter introduces packet inspection IDP (Intrusion Detection and Prevention), IDP profiles, binding an IDP profile to a traffic flow, custom signatures and updating signatures. An IDP system can detect malicious or suspicious packets and respond instantaneously.
  • Page 570: Before You Begin

    Chapter 34 IDP IDP Profiles An IDP profile is a set of related IDP signatures that you can activate as a set and configure common log and action settings. You can apply IDP profiles to traffic flowing from one zone to another. For example, apply the default LAN_IDP profile to any traffic going to the LAN zone in order to protect your LAN computers.
  • Page 571: The Idp General Screen

    Chapter 34 IDP 34.2 The IDP General Screen Click Configuration > Anti-X > IDP > General to open this screen. Use this screen to turn IDP on or off, bind IDP profiles to traffic directions, and view registration and signature information. Note: You must register in order to use packet inspection signatures.
  • Page 572 Chapter 34 IDP Table 152 Configuration > Anti-X > IDP > General (continued) LABEL DESCRIPTION Remove Select an entry and click this to delete it. Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate. Move To change an entry’s position in the numbered list, select it and click Move to display a field to type a number for where you want to put...
  • Page 573: Introducing Idp Profiles

    Chapter 34 IDP Table 152 Configuration > Anti-X > IDP > General (continued) LABEL DESCRIPTION Current Version: This field displays the IDP signature set version number. This number gets larger as the set is enhanced. Signature Number: This field displays the number of IDP signatures in this set. This number usually gets larger as the set is enhanced.
  • Page 574: Base Profiles

    Chapter 34 IDP 34.3.1 Base Profiles The ZyWALL comes with several base profiles. You use base profiles to create new profiles. In the Configuration > Anti-X > IDP > Profile screen, click Add to display the following screen. Figure 398 Base Profiles The following table describes this screen.
  • Page 575: The Profile Summary Screen

    Chapter 34 IDP Table 153 Base Profiles (continued) BASE DESCRIPTION PROFILE This profile is most suitable for networks containing your servers. Signatures for common services such as DNS, FTP, HTTP, ICMP, IMAP, MISC, NETBIOS, POP3, RPC, RSERVICE, SMTP, SNMP, SQL, TELNET, Oracle, MySQL are enabled.
  • Page 576: Creating New Profiles

    Chapter 34 IDP Table 154 Configuration > Anti-X > IDP > Profile (continued) LABEL DESCRIPTION Name This is the name of the profile you created. Base Profile This is the base profile from which the profile was created. 34.5 Creating New Profiles You may want to create a new profile if not all signatures in a base profile are applicable to your network.
  • Page 577: Profiles: Packet Inspection

    Chapter 34 IDP 34.6 Profiles: Packet Inspection Select Configuration > Anti-X > IDP > Profile and then add a new or edit an existing profile select. Packet inspection signatures examine the contents of a packet for malicious data. It operates at layer-4 to layer-7. 34.6.1 Profile >...
  • Page 578 Chapter 34 IDP The following table describes the fields in this screen. Table 155 Configuration > Anti-X > IDP > Profile > Group View LABEL DESCRIPTION Name This is the name of the profile. You may use 1-31 alphanumeric characters, underscores( ), or dashes (-), but the first character cannot be a number.
  • Page 579 Chapter 34 IDP Table 155 Configuration > Anti-X > IDP > Profile > Group View (continued) LABEL DESCRIPTION Action To edit what action the ZyWALL takes when a packet matches a signature, select the signature and use the Action icon. none: Select this action on an individual signature or a complete service group to have the ZyWALL take no action when a packet matches the signature(s).
  • Page 580: Policy Types

    Chapter 34 IDP Table 155 Configuration > Anti-X > IDP > Profile > Group View (continued) LABEL DESCRIPTION These are the log options. To edit this, select an item and use the Log icon. Action This is the action the ZyWALL should take when a packet matches a signature here.
  • Page 581: Idp Service Groups

    Chapter 34 IDP Table 156 Policy Types (continued) POLICY TYPE DESCRIPTION Scan A scan describes the action of searching a network for an exposed service. An attack may then occur once a vulnerability has been found. Scans occur on several network levels. A network scan occurs at layer-3.
  • Page 582: Profile > Query View Screen

    Chapter 34 IDP Table 157 IDP Service Groups (continued) SNMP SMTP RSERVICES POP3 POP2 ORACLE NNTP NETBIOS MYSQL MISC_EXPLOIT MISC_DDOS MISC_BACKDOOR MISC IMAP ICMP FINGER The following figure shows the WEB_PHP service group that contains signatures related to attacks on web servers using PHP exploits. PHP (PHP: Hypertext Preprocessor) is a server-side HTML embedded scripting language that allows web developers to build dynamic websites.
  • Page 583 Chapter 34 IDP signatures by criteria such as name, ID, severity, attack type, vulnerable attack platforms, service category, log options or actions. Figure 402 Configuration > Anti-X > IDP > Profile: Query View The following table describes the fields specific to this screen’s query view. Table 158 Configuration >...
  • Page 584 Chapter 34 IDP Table 158 Configuration > Anti-X > IDP > Profile: Query View (continued) LABEL DESCRIPTION Severity Search for signatures by severity level(s). Hold down the [Ctrl] key if you want to make multiple selections. These are the severities as defined in the ZyWALL. The number in brackets is the number you use if using commands.
  • Page 585: Query Example

    Chapter 34 IDP 34.6.5 Query Example This example shows a search with these criteria: • Severity: severe and high • Attack Type: DDoS • Platform: Windows 2000 and Windows XP computers • Service: Any ZyWALL USG 1000 User’s Guide...
  • Page 586 Chapter 34 IDP • Actions: Any Figure 403 Query Example Search Criteria Figure 404 Query Example Search Results ZyWALL USG 1000 User’s Guide...
  • Page 587: Introducing Idp Custom Signatures

    Chapter 34 IDP 34.7 Introducing IDP Custom Signatures Create custom signatures for new attacks or attacks peculiar to your network. Custom signatures can also be saved to/from your computer so as to share with others. You need some knowledge of packet headers and attack types to create your own custom signatures.
  • Page 588: Configuring Custom Signatures

    Chapter 34 IDP Table 159 IP v4 Packet Headers (continued) HEADER DESCRIPTION Time To Live This is a counter that decrements every time it passes through a router. When it reaches zero, the datagram is discarded. It is used to prevent accidental routing loops. Protocol The protocol indicates the type of transport packet being carried, for example, 1 = ICMP;...
  • Page 589 Chapter 34 IDP Note: The ZyWALL checks all signatures and continues searching even after a match is found. If two or more rules have conflicting actions for the same packet, then the ZyWALL applies the more restrictive action (reject-both, reject-receiver or reject-sender, drop, none in this order).
  • Page 590: Creating Or Editing A Custom Signature

    Chapter 34 IDP Table 160 Configuration > Anti-X > IDP > Custom Signatures (continued) LABEL DESCRIPTION Customer Use this part of the screen to import custom signatures (previously saved Signature Rule to your computer) to the ZyWALL. Importing Note: The name of the complete custom signature file on the ZyWALL is ‘custom.rules’.
  • Page 591 Chapter 34 IDP Try to write signatures that target a vulnerability, for example a certain type of traffic on certain operating systems, instead of a specific exploit. Figure 407 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit ZyWALL USG 1000 User’s Guide...
  • Page 592 Chapter 34 IDP The following table describes the fields in this screen. Table 161 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit LABEL DESCRIPTION Name Type the name of your custom signature. You may use 1-31 alphanumeric characters, underscores( ), or dashes (-), but the first character cannot be a number.
  • Page 593 Chapter 34 IDP Table 161 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit (continued) LABEL DESCRIPTION Fragmentation A fragmentation flag identifies whether the IP datagram should be fragmented, not fragmented or is a reserved bit. Some intrusions can be identified by this flag.
  • Page 594 Chapter 34 IDP Table 161 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit (continued) LABEL DESCRIPTION Flow If selected, the signature only applies to certain directions of the traffic flow and only to clients or servers. Select Flow and then select the identifying options.
  • Page 595: Telnet

    Chapter 34 IDP Table 161 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit (continued) LABEL DESCRIPTION Payload Size This field may be used to check for abnormally sized packets or for detecting buffer overflows Select the check box, then select Equal, Smaller or Greater and then type the payload size.
  • Page 596: Custom Signature Example

    Chapter 34 IDP Table 161 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit (continued) LABEL DESCRIPTION Click this button to save your changes to the ZyWALL and return to the summary screen. Cancel Click this button to return to the summary screen without saving any changes.
  • Page 597 Chapter 34 IDP 34.8.2.2 Analyze Packets Use the packet capture screen (see Section 53.3 on page 877) and a packet analyzer (also known as a network or protocol analyzer) such as Wireshark or Ethereal to investigate some more. Figure 408 DNS Query Packet Details From the details about DNS query you see that the protocol is UDP and the port is 53.
  • Page 598: Applying Custom Signatures

    Chapter 34 IDP The final custom signature should look like as shown in the following figure. Figure 409 Example Custom Signature 34.8.3 Applying Custom Signatures After you create your custom signature, it becomes available in the IDP service group category in the Configuration > Anti-X > IDP > Profile > Edit screen. Custom signatures have an SID from 9000000 to 9999999.
  • Page 599: Verifying Custom Signatures

    Chapter 34 IDP You can activate the signature, configure what action to take when a packet matches it and if it should generate a log or alert in a profile. Then bind the profile to a zone. Figure 410 Example: Custom Signature in IDP Profile 34.8.4 Verifying Custom Signatures Configure the signature to create a log when traffic matches the signature.
  • Page 600: Idp Technical Reference

    Chapter 34 IDP destination port is the service port (53 for DNS in this case) that the attack tries to exploit. Figure 411 Custom Signature Log 34.9 IDP Technical Reference This section contains some background information on IDP. Host Intrusions The goal of host-based intrusions is to infiltrate files on an individual computer or server in with the goal of accessing confidential information or destroying information on a computer.
  • Page 601 Chapter 34 IDP Network Intrusions Network-based intrusions have the goal of bringing down a network or networks by attacking computer(s), switch(es), router(s) or modem(s). If a LAN switch is compromised for example, then the whole LAN is compromised. Host-based intrusions may be used to cause network-based intrusions when the goal of the host virus is to propagate attacks on the network, or attack computer/server operating system vulnerabilities with the goal of bringing down the computer/ server.
  • Page 602: Ack Number

    Chapter 34 IDP Table 162 ZyWALL - Snort Equivalent Terms (continued) ZYWALL TERM SNORT EQUIVALENT TERM Same IP sameip Transport Protocol Transport Protocol: TCP Port (In Snort rule header) Flow flow Flags flags Sequence Number Ack Number Window Size window Transport Protocol: UDP (In Snort rule header) Port...
  • Page 603 Chapter 34 IDP ZyWALL USG 1000 User’s Guide...
  • Page 604 Chapter 34 IDP ZyWALL USG 1000 User’s Guide...
  • Page 605: ADP

    Chapter 35 ADP 35.1 Overview This chapter introduces ADP (Anomaly Detection and Prevention), anomaly profiles and applying an ADP profile to a traffic direction. ADP protects against anomalies based on violations of protocol standards (RFCs – Requests for Comments) and abnormal flows such as port scans.
  • Page 606: Before You Begin

    Protocol Anomalies Protocol anomalies are packets that do not comply with the relevant RFC (Request For Comments). Protocol anomaly detection includes HTTP Inspection, TCP Decoder, UDP Decoder and ICMP Decoder. Protocol anomaly rules may be updated when you upload new firmware. ADP Profile An ADP profile is a set of traffic anomaly rules and protocol anomaly rules that you can activate as a set and configure with common log and action settings.
  • Page 607: The ADP General Screen

    35.2 The ADP General Screen Click Configuration > Anti-X > ADP > General. Use this screen to turn anomaly detection on or off and apply anomaly profiles to traffic directions. Figure 412 Configuration > Anti-X > ADP > General The following table describes the labels in this screen.
  • Page 608: The Profile Summary Screen

    Table 163 Configuration > Anti-X > ADP > General (continued) LABEL DESCRIPTION Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. From, To This is the direction of travel of packets to which an anomaly profile is bound.
  • Page 609: Base Profiles

    35.3.1 Base Profiles The ZyWALL comes with base profiles. You use base profiles to create new profiles. In the Configuration > Anti-X > ADP > Profile screen, click Add to display the following screen. Figure 413 Base Profiles These are the default base profiles at the time of writing.
  • Page 610: Creating New ADP Profiles

    The following table describes the fields in this screen. Table 165 Anti-X > ADP > Profile LABEL DESCRIPTION Add Click this to create a new entry. Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it.
  • Page 611 belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Traffic Anomaly tab. Figure 415 Profiles: Traffic Anomaly
  • Page 612 The following table describes the fields in this screen. Table 166 Configuration > ADP > Profile > Traffic Anomaly LABEL DESCRIPTION Name This is the name of the ADP profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 613: Protocol Anomaly Profiles

    Table 166 Configuration > ADP > Profile > Traffic Anomaly (continued) LABEL DESCRIPTION Name This is the name of the traffic anomaly rule. Click the Name column heading to sort in ascending or descending order according to the rule name.
  • Page 614 Figure 416 Profiles: Protocol Anomaly
  • Page 615 The following table describes the fields in this screen. Table 167 Configuration > ADP > Profile > Protocol Anomaly LABEL DESCRIPTION Name This is the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 616 Table 167 Configuration > ADP > Profile > Protocol Anomaly (continued) LABEL DESCRIPTION Action To edit what action the ZyWALL takes when a packet matches a signature, select the signature and use the Action icon. original setting: Select this action to return each signature in a service group to its previously saved configuration.
  • Page 617: ADP Technical Reference

    Table 167 Configuration > ADP > Profile > Protocol Anomaly (continued) LABEL DESCRIPTION OK Click OK to save your settings to the ZyWALL, complete the profile and return to the profile summary page. Cancel Click Cancel to return to the profile summary page without saving any changes.
  • Page 618 Decoy Port Scans Decoy port scans are scans where the attacker has spoofed the source address. These are some decoy scan types: • TCP Decoy Portscan • UDP Decoy Portscan • IP Decoy Portscan Distributed Port Scans Distributed port scans are many-to-one port scans.
  • Page 619 • ICMP Filtered Portsweep • TCP Filtered Distributed Portscan • UDP Filtered Distributed Portscan • IP Filtered Distributed Portscan Flood Detection Flood attacks saturate a network with useless data, use up all available bandwidth, and therefore make communications in the network impossible. ICMP Flood Attack An ICMP flood broadcasts so many pings or UDP packets at a system that the volume of data slows it down or locks it up.
  • Page 620: SYN Flood

    the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established. Figure 418 TCP Three-Way Handshake A SYN flood attack is when an attacker sends a series of SYN packets. Each packet causes the receiver to reply with a SYN-ACK response. The receiver then waits for the ACK that follows the SYN-ACK, and stores all outstanding SYN-ACK responses on a backlog queue.
  • Page 621 UDP Flood Attack UDP is a connectionless protocol and it does not require any connection setup procedure to transfer data. A UDP flood attack is possible when an attacker sends a UDP packet to a random port on the victim system. When the victim system receives a UDP packet, it will determine what application is waiting on the destination port.
  • Page 622 Table 168 HTTP Inspection and TCP/UDP/ICMP Decoders (continued) LABEL DESCRIPTION DOUBLE-ENCODING ATTACK This rule is IIS specific. IIS does two passes through the request URI, doing decodes in each one. In the first pass, IIS encoding (UTF-8 unicode, ASCII, bare byte, and %u) is done.
  • Page 623 Table 168 HTTP Inspection and TCP/UDP/ICMP Decoders (continued) LABEL DESCRIPTION WEBROOT-DIRECTORY-TRAVERSAL ATTACK This is when a directory traversal traverses past the web server root directory. This generates many fewer false positives than the directory option, because it doesn’t alert on directory traversals that stay within the web server directory structure.
  • Page 624 Table 168 HTTP Inspection and TCP/UDP/ICMP Decoders (continued) LABEL DESCRIPTION TRUNCATED-HEADER ATTACK This is when an ICMP packet is sent which has an ICMP datagram length of less than the ICMP header length. This may cause some applications to crash. TRUNCATED-TIMESTAMP-HEADER This is when an ICMP packet is sent which has an ICMP...
  • Page 627: Content Filtering

    Chapter 36 Content Filtering 36.1 Overview Use the content filtering feature to control access to specific web sites or web content. 36.1.1 What You Can Do in this Chapter • Use the General screens (Section 36.2 on page 629) to configure global content filtering settings, configure content filtering policies, and check the content filtering license status.
  • Page 628 URL. For example, with the URL www.zyxel.com.tw/news/pressroom.php, the domain name is www.zyxel.com.tw. The file path is the characters that come after the first slash in the URL. For example, with the URL www.zyxel.com.tw/news/pressroom.php, the file path is news/pressroom.php.
  • Page 629: Before You Begin

    For example, with the URL www.zyxel.com.tw/news/pressroom.php, the ZyWALL would find “tw” in the domain name (www.zyxel.com.tw). It would also find “news” in the file path (news/pressroom.php) but it would not find “tw/news”.
  • Page 630 your list of content filter policies, create a denial of access message or specify a redirect URL and check your external web filtering service registration status. Figure 420 Configuration > Anti-X > Content Filter > General The following table describes the labels in this screen.
  • Page 631 Table 169 Configuration > Anti-X > Content Filter > General (continued) LABEL DESCRIPTION Move To change an entry’s position in the numbered list, select it and click Move to display a field to type a number for where you want to put that entry and press [ENTER] to move the entry to the number that you typed.
  • Page 632: Content Filter Policy Add Or Edit Screen

    Table 169 Configuration > Anti-X > Content Filter > General (continued) LABEL DESCRIPTION License Status This read-only field displays the status of your content-filtering database service registration. Not Licensed displays if you have not successfully registered and activated the service.
  • Page 633 filter policy. A content filter policy defines which content filter profile should be applied, when it should be applied, and to whose web access it should be applied. Figure 421 Configuration > Anti-X > Content Filter > General > Add The following table describes the labels in this screen.
  • Page 634: Content Filter Profile Screen

    36.4 Content Filter Profile Screen Click Configuration > Anti-X > Content Filter > Filter Profile to open the Filter Profile screen. A content filter profile defines to which web services, web sites or web site categories access is to be allowed or denied. Figure 422 Configuration >...
  • Page 635 Chapter 37 on page 651 for how to view content filtering reports. Figure 423 Configuration > Anti-X > Content Filter > Filter Profile > Add
  • Page 636 The following table describes the labels in this screen. Table 172 Configuration > Anti-X > Content Filter > Filter Profile > Add LABEL DESCRIPTION License Status This read-only field displays the status of your content-filtering database service registration. Not Licensed displays if you have not successfully registered and activated the service.
  • Page 637 Table 172 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Action for Unsafe Web Pages Select Pass to allow users to access web pages that match the unsafe categories that you select below. Select Block to prevent users from accessing web pages that match the unsafe categories that you select below.
  • Page 638 Table 172 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Action When Category Server Is Unavailable Select Pass to allow users to access any requested web page if the external content filtering database is unavailable. Select Block to block access to any requested web page if the external content filtering database is unavailable.
  • Page 639 Table 172 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Spyware/Malware Sources This category includes pages which distribute spyware and other malware. Spyware and malware are defined as software which takes control of your computer, modifies computer settings, collects or reports personal information, or misrepresents itself by tricking users to install, download, or enter personal...
  • Page 640 Table 172 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Nudity This category includes pages containing nude or seminude depictions of the human body. These depictions are not necessarily sexual in intent or effect, but may include pages containing nude paintings or photo galleries of artistic nature.
  • Page 641 Table 172 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Arts/Entertainment This category includes pages that promote and provide information about motion pictures, videos, television, music and programming guides, books, comics, movie theatres, galleries, artists or reviews on entertainment.
  • Page 642 Table 172 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Government/Legal This category includes pages sponsored by or which provide information on government, government agencies and government services such as taxation and emergency services. It also includes pages that discuss or explain laws of various governmental entities.
  • Page 643 Table 172 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Religion This category includes pages that promote and provide information on conventional or unconventional religious or quasi-religious subjects, as well as churches, synagogues, or other houses of worship.
  • Page 644 Table 172 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Sports/Recreation/Hobbies This category includes pages that promote or provide information about spectator sports, recreational activities, or hobbies. This includes pages that discuss or promote camping, gardening, and collecting.
  • Page 645 Table 172 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Alcohol Sites that promote, offer for sale, glorify, review, or in any way advocate the use or creation of alcoholic beverages, including but not limited to beer, wine, and hard liquors.
  • Page 646: Content Filter Blocked And Warning Messages

    Table 172 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Placeholders This category includes pages that are under construction, parked domains, search-bait or otherwise generally having no useful value. Test Web Site Category / URL to test You can check which category a web page belongs to.
  • Page 647: Content Filter Customization Screen

    36.6 Content Filter Customization Screen Click Configuration > Anti-X > Content Filter > Filter Profile > Add or Edit > Customization to open the Customization screen. You can create a list of good (allowed) web site addresses and a list of bad (blocked) web site addresses. You can also block web sites based on whether the web site’s address contains a keyword.
  • Page 648 Do not enter the complete URL of the site – that is, do not include “http://”. All subdomains are allowed. For example, entering “zyxel.com” also allows “www.zyxel.com”, “partner.zyxel.com”, “press.zyxel.com”, and so on. You can also enter just a top level domain. For example, enter .com to allow all .com domains.
  • Page 649: Content Filter Technical Reference

    Table 173 Configuration > Anti-X > Content Filter > Filter Profile > Customization LABEL DESCRIPTION Forbidden Web Sites This list displays the forbidden web sites already added. Enter host names such as www.bad-site.com into this text field.
  • Page 650 External Content Filter Server Lookup Procedure The content filter lookup process is described below. Figure 426 Content Filter Lookup Procedure A computer behind the ZyWALL tries to access a web site. The ZyWALL looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site’s category will be in the ZyWALL’s cache.
  • Page 651: Content Filter Reports

    Chapter 37 Content Filter Reports 37.1 Overview You can view content filtering reports after you have activated the category-based content filtering subscription service. See Chapter 11 on page 265 for how to create a myZyXEL.com account, register your device and activate the subscription services.
  • Page 652 Fill in your myZyXEL.com account information and click Login. Figure 427 myZyXEL.com: Login
  • Page 653 A welcome screen displays. Click your ZyWALL’s model name and/or MAC address under Registered ZyXEL Products (the ZyWALL 70 is shown as an example here). You can change the descriptive name for your ZyWALL using the Rename...
  • Page 654 In the Service Management screen click Content Filter in the Service Name column to open the content filter reports screens. Figure 429 myZyXEL.com: Service Management In the Web Filter Home screen, click the Reports tab. Figure 430 Content Filter Reports Main Screen
  • Page 655 Select items under Global Reports to view the corresponding reports. Figure 431 Content Filter Reports: Report Home Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report. The screens vary according to the report type you selected in the Report Home screen.
  • Page 656 A chart and/or list of requested web site categories displays in the lower half of the screen. Figure 432 Global Report Screen Example
  • Page 657 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested. Figure 433 Requested URLs Example
  • Page 659: Anti-Spam

    H A P T E R Anti-Spam 38.1 Overview The anti-spam feature can mark or discard spam (unsolicited commercial or junk e-mail). Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail. The ZyWALL can also check e-mail against a DNS black list (DNSBL) of IP addresses of servers that are suspected of being used by spammers.
  • Page 660 Chapter 38 Anti-Spam Black List Configure black list entries to identify spam. The black list entries have the ZyWALL classify any e-mail that is from or forwarded by a specified IP address or uses a specified header field and header value as being spam. If an e-mail does not match any of the white list entries, the ZyWALL checks it against the black list entries.
  • Page 661: Before You Begin

    Chapter 38 Anti-Spam E-mail Header Buffer Size The ZyWALL has a 5 K buffer for an individual e-mail header. If an e-mail’s header is longer than 5 K, the ZyWALL only checks up to the first 5 K. DNSBL A DNS Black List (DNSBL) is a server that hosts a list of IP addresses known or suspected of having sent or forwarded spam.
  • Page 662 Chapter 38 Anti-Spam spam policies. You can also select the action the ZyWALL takes when the mail sessions threshold is reached. Figure 434 Configuration > Anti-X > Anti-Spam > General The following table describes the labels in this screen. Table 174 Configuration > Anti-X > Anti-Spam > General LABEL DESCRIPTION Show Advance...
  • Page 663: The Anti-Spam Policy Add Or Edit Screen

    Chapter 38 Anti-Spam Table 174 Configuration > Anti-X > Anti-Spam > General LABEL DESCRIPTION Remove Select an entry and click this to delete it. Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate. Move To change an entry’s position in the numbered list, select it and click Move to display a field to type a number for where you want to put that...
  • Page 664 Chapter 38 Anti-Spam check, which e-mail protocols to scan, the scanning options, and the action to take on spam traffic. Figure 435 Configuration > Anti-X > Anti-Spam > General > Add The following table describes the labels in this screen. Table 175 Configuration >...
  • Page 665: The Anti-Spam Black List Screen

    Chapter 38 Anti-Spam Table 175 Configuration > Anti-X > Anti-Virus > General > Add (continued) LABEL DESCRIPTION Check White Select this check box to check e-mail against the white list. The ZyWALL List classifies e-mail that matches a white list entry as legitimate (not spam).
  • Page 666 Chapter 38 Anti-Spam specific subject text. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 436 Configuration > Anti-X > Anti-Spam > Black/White List > Black List The following table describes the labels in this screen.
  • Page 667: The Anti-Spam Black Or White List Add/Edit Screen

    Chapter 38 Anti-Spam 38.4.1 The Anti-Spam Black or White List Add/Edit Screen In the anti-spam Black List or White List screen, click the Add icon or an Edit icon to display the following screen. Use this screen to configure an anti-spam black list entry to identify spam e-mail. You can create entries based on specific subject text, or the sender’s or relay’s IP address or e-mail address.
  • Page 668: Regular Expressions In Black Or White List Entries

    Chapter 38 Anti-Spam Table 177 Configuration > Anti-X > Anti-Spam > Black/White List > Black List (or White List) > Add LABEL DESCRIPTION Sender or Mail This field displays when you select the IP type. Enter an IP address in Relay IP dotted decimal notation.
  • Page 669: The Anti-Spam White List Screen

    Chapter 38 Anti-Spam 38.5 The Anti-Spam White List Screen Click Configuration > Anti-X > Anti-Spam > Black/White List and then the White List tab to display the Anti-Spam White List screen. Configure the white list to identify legitimate e-mail. You can create white list entries based on the sender’s or relay’s IP address or e-mail address.
  • Page 670: The Dnsbl Screen

    Chapter 38 Anti-Spam Table 178 Configuration > Anti-X > Anti-Spam > Black/White List > White List LABEL DESCRIPTION Type This field displays whether the entry is based on the e-mail’s subject, source or relay IP address, source e-mail address, or a header. Content This field displays the subject content, source or relay IP address, source e-mail address, or header value for which the entry checks.
  • Page 671 Chapter 38 Anti-Spam The following table describes the labels in this screen. Table 179 Configuration > Anti-X > Anti-Spam > DNSBL LABEL DESCRIPTION Show Advance Settings / Hide: Click this button to display a greater or lesser number of configuration fields.
  • Page 672: Anti-Spam Technical Reference

    Chapter 38 Anti-Spam Table 179 Configuration > Anti-X > Anti-Spam > DNSBL (continued) LABEL DESCRIPTION Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate.
  • Page 673 Chapter 38 Anti-Spam Here is an example of an e-mail classified as spam based on DNSBL replies. Figure 440 DNSBL Spam Detection Example (DNSBL A, DNSBL B and DNSBL C are queried for the IPs a.a.a.a and b.b.b.b). The ZyWALL receives an e-mail that was sent from IP address a.a.a.a and relayed by an e-mail server at IP address b.b.b.b.
  • Page 674 Chapter 38 Anti-Spam Here is an example of an e-mail classified as legitimate based on DNSBL replies. Figure 441 DNSBL Legitimate E-mail Detection Example (DNSBL A, DNSBL B and DNSBL C are queried for the IPs c.c.c.c and d.d.d.d; result: not spam). The ZyWALL receives an e-mail that was sent from IP address c.c.c.c and relayed by an e-mail server at IP address d.d.d.d.
  • Page 675 Chapter 38 Anti-Spam If the ZyWALL receives conflicting DNSBL replies for an e-mail routing IP address, the ZyWALL classifies the e-mail as spam. Here is an example. Figure 442 Conflicting DNSBL Replies Example (DNSBL A, DNSBL B and DNSBL C are queried for the IPs a.b.c.d and w.x.y.z; result: spam)...
  • Page 676 Chapter 38 Anti-Spam ZyWALL USG 1000 User’s Guide...
  • Page 677: Device Ha

    CHAPTER Device HA 39.1 Overview Device HA lets a backup ZyWALL (B) automatically take over if the master ZyWALL (A) fails. Figure 443 Device HA Backup Taking Over for the Master 39.1.1 What You Can Do in this Chapter •...
  • Page 678: Before You Begin

    Chapter 39 Device HA • Legacy mode allows for more complex relationships between the master and backup ZyWALLs, such as active-active or using different ZyWALLs as the master ZyWALL for individual interfaces. Legacy mode configuration involves a greater degree of complexity. Active-passive mode is recommended for general failover deployments.
  • Page 679: Device Ha General

    Chapter 39 Device HA 39.2 Device HA General The Configuration > Device HA General screen lets you enable or disable device HA, and displays which device HA mode the ZyWALL is set to use along with a summary of the monitored interfaces. Figure 444 Configuration >...
  • Page 680: The Active-Passive Mode Screen

    Chapter 39 Device HA Table 180 Configuration > Device HA > General (continued) LABEL DESCRIPTION HA Status The text before the slash shows whether the device is configured as the master or the backup role. The text after the slash displays the monitored interface’s status in the virtual router.
  • Page 681 Chapter 39 Device HA B form a virtual router that uses cluster ID 1. ZyWALLs C and D form a virtual router that uses cluster ID 2. Figure 446 Cluster IDs for Multiple Virtual Routers Monitored Interfaces in Active-Passive Mode Device HA You can select which interfaces device HA monitors.
  • Page 682: Configuring Active-Passive Mode Device Ha

    Chapter 39 Device HA 192.168.1.5 and ZyWALL B has its own LAN management IP address of 192.168.1.6. These do not change when ZyWALL B becomes the master. Figure 447 Management IP Addresses (shows 192.168.1.1 with 192.168.1.5 on ZyWALL A and 192.168.1.1 with 192.168.1.6 on ZyWALL B) 39.3.1 Configuring Active-Passive Mode Device HA The Device HA Active-Passive Mode screen lets you configure general active-passive mode device HA settings, view and manage the list of monitored interfaces, and synchronize backup ZyWALLs.
  • Page 683 Chapter 39 Device HA The following table describes the labels in this screen. See Section 39.4 on page for more information as well. Table 181 Configuration > Device HA > Active-Passive Mode LABEL DESCRIPTION Show Advance Settings / Hide: Click this button to display a greater or lesser number of configuration fields.
  • Page 684: Synchronization

    Chapter 39 Device HA Table 181 Configuration > Device HA > Active-Passive Mode (continued) LABEL DESCRIPTION Monitored Interface Summary: This table shows the status of the device HA settings and status of the ZyWALL’s interfaces. Edit: Select an entry and click this to be able to modify it. Activate: To turn on an entry, select it and click Activate.
  • Page 685: Configuring An Active-Passive Mode Monitored Interface

    Chapter 39 Device HA Table 181 Configuration > Device HA > Active-Passive Mode (continued) LABEL DESCRIPTION Password Enter the password used for verification during synchronization. Every ZyWALL in the virtual router must use the same password. If you leave this field blank in the master ZyWALL, no backup ZyWALLs can synchronize from it.
  • Page 686 Chapter 39 Device HA A bridge interface’s device HA settings are not retained if you delete the bridge interface. Figure 449 Configuration > Device HA > Active-Passive Mode > Edit The following table describes the labels in this screen. Table 182 Configuration > Device HA > Active-Passive Mode > Edit LABEL DESCRIPTION Enable...
  • Page 687: The Legacy Mode Screen

    Chapter 39 Device HA 39.5 The Legacy Mode Screen Virtual Router Redundancy Protocol (VRRP) Legacy mode device HA uses Virtual Router Redundancy Protocol (VRRP) to create redundant backup gateways to ensure that a default gateway is always available. The ZyWALL uses a custom VRRP implementation and is not compatible with standard VRRP.
  • Page 688: Configuring The Legacy Mode Screen

    Chapter 39 Device HA 39.6 Configuring the Legacy Mode Screen The Device HA Legacy Mode screen lets you configure general legacy mode HA settings including link monitoring, configure the VRRP group and synchronize backup ZyWALLs. To access this screen, click Configuration > Device HA > Legacy Mode.
  • Page 689 Chapter 39 Device HA Table 183 Configuration > Device HA > Legacy Mode (continued) LABEL DESCRIPTION Remove Select an entry and click this to delete it. Activate To turn on an entry, select it and click Activate. Activating a VRRP group has the ZyWALL monitor the connection of the group’s interface.
  • Page 690 Chapter 39 Device HA Table 183 Configuration > Device HA > Legacy Mode (continued) LABEL DESCRIPTION Auto Synchronize: Select this to get configuration and subscription service updates automatically from the specified ZyWALL according to the specified Interval. The first synchronization begins after the specified Interval; the ZyWALL does not synchronize immediately.
  • Page 691 Chapter 39 Device HA The following table describes the labels in this screen. Table 184 Configuration > Device HA > Legacy Mode > Add LABEL DESCRIPTION Show Advance Settings / Hide: Click this button to display a greater or lesser number of configuration fields.
  • Page 692: Device Ha Technical Reference

    Chapter 39 Device HA Table 184 Configuration > Device HA > Legacy Mode > Add (continued) LABEL DESCRIPTION VRID: Type the virtual router ID number. Virtual Router IP (VRIP) / Subnet Mask: This is the interface’s IP address and subnet mask in the virtual router. Authentication...
  • Page 693 Chapter 39 Device HA Make sure the bridge interfaces of the master ZyWALL (A) and the backup ZyWALL (B) are not connected. Configure the bridge interface on the master ZyWALL, set the bridge interface as a monitored interface, and activate device HA. Br0 {ge4, ge5} Configure the bridge interface on the backup ZyWALL, set the bridge interface as a monitored interface, and activate device HA.
  • Page 694 Chapter 39 Device HA Connect the ZyWALLs. Br0 {ge4, ge5} Br0 {ge4, ge5} Second Option for Connecting the Bridge Interfaces on Two ZyWALLs Another option is to disable the bridge interfaces, connect the bridge interfaces, activate device HA, and finally reactivate the bridge interfaces as shown in the following example.
  • Page 695 Chapter 39 Device HA Configure a corresponding disabled bridge interface on the backup ZyWALL. Then set the bridge interface as a monitored interface, and activate device HA. Br0 {ge4, ge5} Disabled Br0 {ge4, ge5} Disabled Enable the bridge interface on the master ZyWALL and then on the backup ZyWALL.
  • Page 696 Chapter 39 Device HA Legacy Mode ZyWALL VRRP Application In VRRP, a virtual router represents a number of ZyWALLs associated with one IP address, the IP address of the default gateway. Each virtual router is identified by a unique 8-bit identification number called a Virtual Router ID (VR ID). In the example below, ZyWALL A and ZyWALL B are part of virtual router 10 with IP address 192.168.10.254.
  • Page 697 Chapter 39 Device HA If ZyWALL A becomes available again, ZyWALL A preempts ZyWALL B and becomes the master again (the network returns to the state shown in Figure 452 on page 696). Synchronization During synchronization, the master ZyWALL sends the following information to the backup ZyWALL.
  • Page 699: User/Group

    CHAPTER User/Group 40.1 Overview This chapter describes how to set up user accounts, user groups, and user settings for the ZyWALL. You can also set up rules that control when users have to log in to the ZyWALL before the ZyWALL routes traffic for them.
  • Page 700 Chapter 40 User/Group Table 185 Types of User Accounts (continued) TYPE / ABILITIES / LOGIN METHOD(S): limited-admin: Look at ZyWALL configuration (web, CLI); perform basic diagnostics (CLI). Login methods: WWW, TELNET, SSH, Console, Dial-in. Access Users: user: Access network services; browse user-mode commands (CLI). Login methods: WWW, TELNET, SSH. guest: Access network services. ext-user...
  • Page 701 Chapter 40 User/Group Setting up User Attributes in an External Server on page 713 for a list of attributes and how to set up the attributes in an external server. Ext-Group-User Accounts Ext-Group-User accounts are similar to ext-user accounts but allow you to group users by the value of the group membership attribute configured for the AD or LDAP server.
  • Page 702: User Summary Screen

    Chapter 40 User/Group 40.2 User Summary Screen The User screen provides a summary of all user accounts. To access this screen, login to the Web Configurator, and click Configuration > Object > User/Group. Figure 454 Configuration > Object > User/Group The following table describes the labels in this screen.
  • Page 703 • sync • uucp • zyxel To access this screen, go to the User screen (see Section 40.2 on page 702), and click either the Add icon or an Edit icon. Figure 455 Configuration > User/Group > User > Add...
  • Page 704 Chapter 40 User/Group The following table describes the labels in this screen. Table 187 Configuration > User/Group > User > Add LABEL DESCRIPTION User Name Type the user name for this user account. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 705: User Group Summary Screen

    Chapter 40 User/Group Table 187 Configuration > User/Group > User > Add (continued) LABEL DESCRIPTION Reauthentication Time: This field is not available if you select the ext-group-user type. Type the number of minutes this user can be logged into the ZyWALL in one session before the user has to log in again.
  • Page 706: Group Add/Edit Screen

    Chapter 40 User/Group Table 188 Configuration > Object > User/Group > Group (continued) LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific user group. Group Name This field displays the name of each user group. Description This field displays the description for each user group.
  • Page 707: Setting Screen

    Chapter 40 User/Group Table 189 Configuration > User/Group > Group > Add (continued) LABEL DESCRIPTION Member List The Member list displays the names of the users and user groups that have been added to the user group. The order of members is not important.
  • Page 708 Chapter 40 User/Group To access this screen, login to the Web Configurator, and click Configuration > Object > User/Group > Setting. Figure 458 Configuration > Object > User/Group > Setting The following table describes the labels in this screen. Table 190 Configuration > Object > User/Group > Setting LABEL DESCRIPTION User Authentication...
  • Page 709 Chapter 40 User/Group Table 190 Configuration > Object > User/Group > Setting (continued) LABEL DESCRIPTION User Type These are the kinds of user account the ZyWALL supports. • admin - this user can look at and change the configuration of the ZyWALL •...
  • Page 710: Default User Authentication Timeout Settings Edit Screens

    Chapter 40 User/Group Table 190 Configuration > Object > User/Group > Setting (continued) LABEL DESCRIPTION Limit the number of simultaneous logons for administration account: Select this check box if you want to set a limit on the number of simultaneous logins by admin users. If you do not select this, admin users can login as many times as they want at the...
  • Page 711 Chapter 40 User/Group To access this screen, go to the Configuration > Object > User/Group > Setting screen (see Section 40.4 on page 707), and click one of the Default Authentication Timeout Settings section’s Edit icons. Figure 459 Configuration > Object > User/Group > Setting > Edit The following table describes the labels in this screen.
  • Page 712: User Aware Login Example

    Chapter 40 User/Group 40.4.2 User Aware Login Example Access users cannot use the Web Configurator to browse the configuration of the ZyWALL. Instead, after access users log into the ZyWALL, the following screen appears. Figure 460 Web Configurator for Non-Admin Users The following table describes the labels in this screen.
  • Page 713: User/Group Technical Reference

    Chapter 40 User/Group 40.5 User/Group Technical Reference This section provides some information on users who use an external authentication server in order to log in. Setting up User Attributes in an External Server To set up user attributes, such as reauthentication time, in LDAP or RADIUS servers, use the following keywords in the user configuration file.
  • Page 715: Addresses

    CHAPTER Addresses 41.1 Overview Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups. 41.1.1 What You Can Do in this Chapter •...
  • Page 716 Chapter 41 Addresses • RANGE - a range address is defined by a Starting IP Address and an Ending IP Address. • SUBNET - a network address is defined by a Network IP address and Netmask subnet mask. The Address screen provides a summary of all addresses in the ZyWALL. To access this screen, click Configuration >...
  • Page 717: Address Add/Edit Screen

    Chapter 41 Addresses 41.2.1 Address Add/Edit Screen The Configuration > Address Add/Edit screen allows you to create a new address or edit an existing one. To access this screen, go to the Address screen (see Section 41.2 on page 715), and click either the Add icon or an Edit icon. Figure 464 Configuration >...
  • Page 718: Address Group Summary Screen

    Chapter 41 Addresses Table 195 Configuration > Object > Address > Address > Edit (continued) LABEL DESCRIPTION Interface If you selected INTERFACE IP, INTERFACE SUBNET, or INTERFACE GATEWAY as the Address Type, use this field to select the interface of the network that this address object represents.
  • Page 719: Address Group Add/Edit Screen

    Chapter 41 Addresses 41.3.1 Address Group Add/Edit Screen The Address Group Add/Edit screen allows you to create a new address group or edit an existing one. To access this screen, go to the Address Group screen (see Section 41.3 on page 718), and click either the Add icon or an Edit icon.
  • Page 721: Services

    CHAPTER Services 42.1 Overview Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features. 42.1.1 What You Can Do in this Chapter •...
  • Page 722: The Service Summary Screen

    Chapter 42 Services Both TCP and UDP use ports to identify the source and destination. Each port is a 16-bit number. Some port numbers have been standardized and are used by low-level system processes; many others have no particular meaning. Unlike TCP and UDP, Internet Control Message Protocol (ICMP, IP protocol 1) is mainly used to send error messages or to investigate problems.
  • Page 723 Chapter 42 Services entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 467 Configuration > Object > Service > Service The following table describes the labels in this screen. Table 198 Configuration > Object > Service > Service LABEL DESCRIPTION Click this to create a new entry.
  • Page 724: The Service Add/Edit Screen

    Chapter 42 Services 42.2.1 The Service Add/Edit Screen The Service Add/Edit screen allows you to create a new service or edit an existing one. To access this screen, go to the Service screen (see Section 42.2 on page 722), and click either the Add icon or an Edit icon. Figure 468 Configuration >...
  • Page 725 Chapter 42 Services To access this screen, log in to the Web Configurator, and click Configuration > Object > Service > Service Group. Figure 469 Configuration > Object > Service > Service Group The following table describes the labels in this screen. See Section 42.3.1 on page for more information as well.
  • Page 726: The Service Group Add/Edit Screen

    Chapter 42 Services 42.3.1 The Service Group Add/Edit Screen The Service Group Add/Edit screen allows you to create a new service group or edit an existing one. To access this screen, go to the Service Group screen (see Section 42.3 on page 724), and click either the Add icon or an Edit icon.
  • Page 727: Schedules

    CHAPTER Schedules 43.1 Overview Use schedules to set up one-time and recurring schedules for policy routes, firewall rules, application patrol, and content filtering. The ZyWALL supports one-time and recurring schedules. One-time schedules are effective only once, while recurring schedules usually repeat.
  • Page 728: The Schedule Summary Screen

    Chapter 43 Schedules Finding Out More • See Section 6.6 on page 112 for related information on these screens. • See Section 50.4 on page 796 for information about the ZyWALL’s current date and time. 43.2 The Schedule Summary Screen The Schedule summary screen provides a summary of all schedules in the ZyWALL.
  • Page 729: The One-Time Schedule Add/Edit Screen

    Chapter 43 Schedules Table 202 Configuration > Object > Schedule (continued) LABEL DESCRIPTION Recurring Click this to create a new entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove.
  • Page 730: The Recurring Schedule Add/Edit Screen

    Chapter 43 Schedules Table 203 Configuration > Object > Schedule > Edit (One Time) (continued) LABEL DESCRIPTION Date Time / StartDate: Specify the year, month, and day when the schedule begins. Year: 1900 - 2999; Month: 1 - 12; Day: 1 - 31 (it is not possible to specify illegal dates, such as February 31.); Hour: 0 - 23...
  • Page 731 Chapter 43 Schedules (see Section 43.2 on page 728), and click either the Add icon or an Edit icon in the Recurring section. Figure 473 Configuration > Object > Schedule > Edit (Recurring) The Year, Month, and Day columns are not used in recurring schedules and are disabled in this screen.
  • Page 733: Aaa Server

    CHAPTER AAA Server 44.1 Overview You can use a AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The AAA server can be an Active Directory, LDAP, or RADIUS server. Use the AAA Server screens to create and manage objects that contain settings for using AAA servers.
  • Page 734: Radius Server

    Chapter 44 AAA Server 44.1.2 RADIUS Server RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external server instead of (or in addition to) an internal device user database that is limited to the memory capacity of the device.
  • Page 735: What You Need To Know

    Chapter 44 AAA Server • Use the Configuration > Object > AAA Server > RADIUS screen (Section 44.3 on page 739) to configure the default external RADIUS server to use for user authentication. 44.1.5 What You Need To Know AAA Servers Supported by the ZyWALL The following lists the types of authentication server the ZyWALL supports.
  • Page 736 Chapter 44 AAA Server organizational boundaries. The following figure shows a basic directory structure branching from countries to organizations to organizational units to individuals. Figure 476 Basic Directory Structure (levels shown: Root, Countries, Organizations, Organization Units, Unique Common Name (cn)) Distinguished Name (DN) A DN uniquely identifies an entry in a directory.
  • Page 737: Active Directory Or Ldap Server Summary

    Address Base DN This specifies a directory. For example, o=ZyXEL, c=US 44.2.1 Adding an Active Directory or LDAP Server Click Object > AAA Server > Active Directory (or LDAP) to display the Active Directory (or LDAP) screen. Click the Add icon or an Edit icon to display the...
  • Page 738 Chapter 44 AAA Server following screen. Use this screen to create a new AD or LDAP entry or edit an existing one. Figure 478 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add The following table describes the labels in this screen. Table 206 Configuration >...
  • Page 739: Radius Server Summary

    LABEL DESCRIPTION Base DN: Specify the directory (up to 127 alphanumerical characters). For example, o=ZyXEL, c=US. Use SSL: Select Use SSL to establish a secure connection to the AD or LDAP server(s). Search time limit: Specify the timeout period (between 1 and 300 seconds) before the ZyWALL disconnects from the AD or LDAP server.
  • Page 740 Address: This is the address of the AD or LDAP server. Base DN: This specifies a directory. For example, o=ZyXEL, c=US. Host: Enter the IP address (in dotted decimal notation) or the domain name (up to 63 alphanumeric characters) of a RADIUS server.
  • Page 741: Adding A Radius Server

    Chapter 44 AAA Server 44.3.1 Adding a RADIUS Server Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen. Click the Add icon or an Edit icon to display the following screen. Use this screen to create a new AD or LDAP entry or edit an existing one. Figure 480 Configuration >...
  • Page 742 Chapter 44 AAA Server Table 208 Configuration > Object > AAA Server > RADIUS > Add (continued) LABEL DESCRIPTION Timeout Specify the timeout period (between 1 and 300 seconds) before the ZyWALL disconnects from the RADIUS server. In this case, user authentication fails.
  • Page 743: Authentication Method

    CHAPTER Authentication Method 45.1 Overview Authentication method objects set how the ZyWALL authenticates HTTP/HTTPS clients, peer IPSec routers (extended authentication), and L2TP VPN clients. Configure authentication method objects to have the ZyWALL use the local user database, and/or the authentication servers and authentication server groups specified by AAA server objects.
  • Page 744: Authentication Method Objects

    Chapter 45 Authentication Method Click Show Advance Setting and select Enable Extended Authentication. Select Server Mode and select an authentication method object from the drop-down list box. Click OK to save the settings. Figure 481 Example: Using Authentication Method in VPN 45.2 Authentication Method Objects Click Configuration >...
  • Page 745: Creating An Authentication Method Object

    Chapter 45 Authentication Method Table 209 Configuration > Object > Auth. Method (continued) LABEL DESCRIPTION This field displays the index number. Method Name This field displays a descriptive name for identification purposes. Method List This field displays the authentication method(s) for this entry. Add icon Click Add to add a new entry.
  • Page 746 Chapter 45 Authentication Method Click OK to save the settings or click Cancel to discard all changes and return to the previous screen. Figure 483 Configuration > Object > Auth. Method > Add The following table describes the labels in this screen. Table 210 Configuration >...
  • Page 747 Chapter 45 Authentication Method Table 210 Configuration > Object > Auth. Method > Add (continued) LABEL DESCRIPTION Add icon Click Add to add a new entry. Click Edit to edit the settings of an entry. Click Delete to delete an entry. Click OK to save the changes.
  • Page 749: Certificates

    CHAPTER Certificates 46.1 Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication.
  • Page 750 Chapter 46 Certificates Tim keeps the private key and makes the public key openly available. This means that anyone who receives a message seeming to come from Tim can read it and verify whether it is really from him or not. Tim uses his private key to sign the message and sends it to Jenny.
  • Page 751: Verifying A Certificate

    Chapter 46 Certificates Factory Default Certificate The ZyWALL generates its own unique self-signed certificate when you first turn it on. This certificate is referred to in the GUI as the factory default certificate. Certificate File Formats Any certificate that you want to import has to be in one of these file formats: •...
  • Page 752 Chapter 46 Certificates Make sure that the certificate has a “.cer” or “.crt” file name extension. Figure 484 Remote Host Certificates Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.
  • Page 753: The My Certificates Screen

    Chapter 46 Certificates 46.2 The My Certificates Screen Click Configuration > Object > Certificate > My Certificates to open the My Certificates screen. This is the ZyWALL’s summary list of certificates and certification requests. Figure 486 Configuration > Object > Certificate > My Certificates The following table describes the labels in this screen.
  • Page 754: The My Certificates Add Screen

    Chapter 46 Certificates Table 211 Configuration > Object > Certificate > My Certificates (continued) LABEL DESCRIPTION Type This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate.
  • Page 755 Chapter 46 Certificates ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request. Figure 487 Configuration > Object > Certificate > My Certificates > Add ZyWALL USG 1000 User’s Guide...
  • Page 756 Chapter 46 Certificates The following table describes the labels in this screen. Table 212 Configuration > Object > Certificate > My Certificates > Add LABEL DESCRIPTION Name Type a name to identify this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
  • Page 757 Chapter 46 Certificates Table 212 Configuration > Object > Certificate > My Certificates > Add (continued) LABEL DESCRIPTION Create a certification request: Select this to have the ZyWALL generate and store a request for a certificate. Use the My Certificate Details screen to view the request and save it, and copy it to send to the certification authority.
  • Page 758 Chapter 46 Certificates Table 212 Configuration > Object > Certificate > My Certificates > Add (continued) LABEL DESCRIPTION Request Authentication: When you select Create a certification request and enroll for a certificate immediately online, the certification authority may want you to include a reference number and key to identify you when you send a certification request.
  • Page 759: The My Certificates Edit Screen

    Chapter 46 Certificates 46.2.2 The My Certificates Edit Screen Click Configuration > Object > Certificate > My Certificates and then the Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate’s name. Figure 488 Configuration >...
  • Page 760 Chapter 46 Certificates The following table describes the labels in this screen. Table 213 Configuration > Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters. Certification Path This field displays for a certificate, not a certification request.
  • Page 761 Chapter 46 Certificates Table 213 Configuration > Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Key Algorithm This field displays the type of algorithm that was used to generate the certificate’s key pair (the ZyWALL uses RSA encryption) and the length of the key set in bits (1024 bits for example).
  • Page 762: The My Certificates Import Screen

    Chapter 46 Certificates Table 213 Configuration > Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Click OK to save your changes back to the ZyWALL. You can only change the name. Cancel Click Cancel to quit and return to the My Certificates screen. 46.2.3 The My Certificates Import Screen Click Configuration >...
  • Page 763: The Trusted Certificates Screen

    Chapter 46 Certificates Table 214 Configuration > Object > Certificate > My Certificates > Import (continued) LABEL DESCRIPTION Password This field only applies when you import a binary PKCS#12 format file. Type the file’s password that was created when the PKCS #12 file was exported. Click OK to save the certificate on the ZyWALL.
  • Page 764: The Trusted Certificates Edit Screen

    Chapter 46 Certificates Table 215 Configuration > Object > Certificate > Trusted Certificates (continued) LABEL DESCRIPTION Object References: You cannot delete certificates that any of the ZyWALL’s features are configured to use. Select an entry and click Object References to open a screen that shows which settings use the entry.
  • Page 765 Chapter 46 Certificates authority’s list of revoked certificates before trusting a certificate issued by the certification authority. Figure 491 Configuration > Object > Certificate > Trusted Certificates > Edit ZyWALL USG 1000 User’s Guide...
  • Page 766 Chapter 46 Certificates The following table describes the labels in this screen. Table 216 Configuration > Object > Certificate > Trusted Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificate. You can change the name. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
  • Page 767 Chapter 46 Certificates Table 216 Configuration > Object > Certificate > Trusted Certificates > Edit LABEL DESCRIPTION Type This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate’s owner signed the certificate (not a certification authority).
  • Page 768: The Trusted Certificates Import Screen

    Chapter 46 Certificates Table 216 Configuration > Object > Certificate > Trusted Certificates > Edit LABEL DESCRIPTION SHA1 Fingerprint This is the certificate’s message digest that the ZyWALL calculated using the SHA1 algorithm. You can use this value to verify with the certification authority (over the phone for example) that this is actually their certificate.
  • Page 769: Certificates Technical Reference

    Chapter 46 Certificates The following table describes the labels in this screen. Table 217 Configuration > Object > Certificate > Trusted Certificates > Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it.
  • Page 771: ISP Accounts

    Chapter 47 ISP Accounts 47.1 Overview Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE/PPTP interfaces. An ISP account is a profile of settings for Internet access using PPPoE or PPTP. Finding Out More •...
  • Page 772: ISP Account Edit

    Chapter 47 ISP Accounts The following table describes the labels in this screen. See the ISP Account Edit section below for more information as well. Table 218 Configuration > Object > ISP Account LABEL DESCRIPTION Click this to create a new entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
  • Page 773 Chapter 47 ISP Accounts The following table describes the labels in this screen. Table 219 Configuration > Object > ISP Account > Edit LABEL DESCRIPTION Profile Name This field is read-only if you are editing an existing account. Type in the profile name of the ISP account.
  • Page 774 Chapter 47 ISP Accounts Table 219 Configuration > Object > ISP Account > Edit (continued) LABEL DESCRIPTION Compression Select On to turn on Stac compression, or Off to turn it off. Stac compression is a data compression technique capable of compressing data by a factor of about four.
  • Page 775: SSL Application

    Chapter 48 SSL Application 48.1 Overview You use SSL application objects in SSL VPN. Configure an SSL application object to specify the type of application and the address of the local computer, server, or web site SSL users are to be able to access. You can apply one or more SSL application objects in the VPN >...
  • Page 776: Example: Specifying A Web Site For Access

    Chapter 48 SSL Application Remote Desktop Connections Use SSL VPN to allow remote users to manage LAN computers. Depending on the functions supported by the remote desktop software, they can install or remove software, run programs, change settings, and open, copy, create, and delete files. This is useful for troubleshooting, support, administration, and remote access to files and programs.
  • Page 777: The SSL Application Screen

    Chapter 48 SSL Application Click the Add button and select Web Application in the Type field. In the Server Type field, select Web Server. Enter a descriptive name in the Display Name field. For example, “CompanyIntranet”. In the Address field, enter “http://info”. Select Web Page Encryption to prevent users from saving the web content.
  • Page 778: Creating/Editing a Web-Based SSL Application Object

    Chapter 48 SSL Application The following table describes the labels in this screen. Table 220 Configuration > Object > SSL Application LABEL DESCRIPTION Click this to create a new entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
  • Page 779 Chapter 48 SSL Application The following table describes the labels in this screen. Table 221 Configuration > Object > SSL Application > Add/Edit: Web Application LABEL DESCRIPTION Show Advance Settings / Hide: This displays for VNC or RDP type web application objects. Click this button to display a greater or lesser number of configuration fields.
  • Page 780: Creating/Editing a File Sharing SSL Application Object

    Chapter 48 SSL Application Table 221 Configuration > Object > SSL Application > Add/Edit: Web Application LABEL DESCRIPTION Server Address(es): This field displays if the Server Type is set to RDP or VNC. Specify the IP address or Fully-Qualified Domain Name (FQDN) of the computer(s) that you want to allow the remote users to manage.
  • Page 781 Chapter 48 SSL Application The following table describes the labels in this screen. Table 222 Configuration > Object > SSL Application > Add/Edit: File Sharing LABEL DESCRIPTION Create new Object: Use this to configure any new settings objects that you need to use in this screen.
  • Page 783: Endpoint Security

    Chapter 49 Endpoint Security 49.1 Overview Use Endpoint Security (EPS), also known as endpoint control, to make sure users’ computers comply with defined corporate policies before they can access the network or an SSL VPN tunnel. After a successful user authentication, a user’s computer must meet the endpoint security object’s Operating System (OS) option and security requirements to gain access.
  • Page 784: What You Can Do In This Chapter

    Chapter 49 Endpoint Security 49.1.1 What You Can Do in this Chapter Use the Configuration > Object > Endpoint Security screens (Section 49.2 on page 785) to create and manage endpoint security objects. 49.1.2 What You Need to Know What Endpoint Security Can Check The settings endpoint security can check vary depending on the OS of the user’s computer.
  • Page 785: Endpoint Security Screen

    Chapter 49 Endpoint Security 49.2 Endpoint Security Screen The Endpoint Security screen displays the endpoint security objects you have configured on the ZyWALL. Click Configuration > Object > Endpoint Security to display the screen. Figure 501 Configuration > Object > Endpoint Security The following table gives an overview of the objects you can configure.
  • Page 786 Chapter 49 Endpoint Security Table 223 Configuration > Object > Endpoint Security (continued) LABEL DESCRIPTION Apply Click this button to save your changes to the ZyWALL. Reset Click this button to return the screen to its last-saved settings.
  • Page 787: Endpoint Security Add/Edit

    Chapter 49 Endpoint Security 49.3 Endpoint Security Add/Edit Click Configuration > Object > Endpoint Security and then the Add (or Edit) icon to open the Endpoint Security Edit screen. Use this screen to configure an endpoint security object.
  • Page 788 Chapter 49 Endpoint Security Figure 502 Configuration > Object > Endpoint Security > Add
  • Page 789 Chapter 49 Endpoint Security The following table gives an overview of the objects you can configure. Table 224 Configuration > Object > Endpoint Security > Add LABEL DESCRIPTION Show Advance Settings / Hide: Click this button to display a greater or lesser number of configuration fields.
  • Page 790 Chapter 49 Endpoint Security Table 224 Configuration > Object > Endpoint Security > Add (continued) LABEL DESCRIPTION Checking Item - Personal Firewall: If you selected Windows as the operating system, you can select whether or not the user’s computer is required to have personal firewall software installed.
  • Page 791 Chapter 49 Endpoint Security Table 224 Configuration > Object > Endpoint Security > Add (continued) LABEL DESCRIPTION Checking Item - File Information: If you selected Windows or Linux as the operating system, you can use this table to check details of specific files on the user’s computer. Use the Operation field to set whether the size or version of the file on the user’s computer has to be equal to (==), greater than (>), less than...
  • Page 793: System

    Chapter 50 System 50.1 Overview Use the system screens to configure general ZyWALL settings. 50.1.1 What You Can Do in this Chapter • Use the System > Host Name screen (see Section 50.2 on page 794) to configure a unique name for the ZyWALL in your network.
  • Page 794: Host Name

    838) to configure the external serial modem. • Vantage CNM (Centralized Network Management) is a browser-based global management tool that allows an administrator to manage ZyXEL devices. Use the System > Vantage CNM screen (see Section 50.13 on page 840) to allow your ZyWALL to be managed by the Vantage CNM server.
  • Page 795: USB Storage

    Chapter 50 System Table 225 Configuration > System > Host Name (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. 50.3 USB Storage The ZyWALL can use a connected USB device to store the system log and other diagnostic information.
  • Page 796: Date And Time

    Chapter 50 System 50.4 Date and Time For effective scheduling and logging, the ZyWALL system time must be accurate. The ZyWALL’s Real Time Chip (RTC) keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server.
  • Page 797 Chapter 50 System Table 227 Configuration > System > Date and Time (continued) LABEL DESCRIPTION Manual Select this radio button to enter the time and date manually. If you configure a new time and date, time zone and daylight saving at the same time, the time zone and daylight saving will affect the new time and date you entered.
  • Page 798: Pre-Defined NTP Time Servers List

    Chapter 50 System Table 227 Configuration > System > Date and Time (continued) LABEL DESCRIPTION End Date Configure the day and time when Daylight Saving Time ends if you selected Enable Daylight Saving. The at field uses the 24 hour format.
  • Page 799: Time Server Synchronization

    Chapter 50 System 50.4.2 Time Server Synchronization Click the Synchronize Now button to get the time and date from the time server you specified in the Time Server Address field. When the Please Wait... screen appears, you may have to wait up to one minute. Figure 506 Synchronization in Process The Current Time and Current Date fields will display the appropriate settings if the synchronization is successful.
  • Page 800: Console Port Speed

    Chapter 50 System Under Time and Date Setup, enter a Time Server Address (Table 228 on page 798). Click Apply. 50.5 Console Port Speed This section shows you how to set the console port speed when you connect to the ZyWALL via the console port using a terminal emulation program.
  • Page 801: DNS Server Address Assignment

    Chapter 50 System 50.6.1 DNS Server Address Assignment The ZyWALL can get the DNS server addresses in the following ways. • The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, manually enter them in the DNS server fields.
  • Page 802 (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain.
  • Page 803 Chapter 50 System Table 230 Configuration > System > DNS (continued) LABEL DESCRIPTION DNS Server This is the IP address of a DNS server. This field displays N/A if you have the ZyWALL get a DNS server IP address from the ISP dynamically but the specified interface is not active.
  • Page 804: Address Record

    An address record contains the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com” is the top level domain.
  • Page 805: Domain Zone Forwarder

    For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain.
  • Page 806: MX Record

    For example, whenever the ZyWALL needs to resolve a zyxel.com.tw domain name, it can send a query to the recorded name server IP address. Enter * if all domain zones are served by the specified DNS server(s).
  • Page 807: Adding an MX Record

    Chapter 50 System 50.6.9 Adding an MX Record Click the Add icon in the MX Record table to add an MX record. Figure 511 Configuration > System > DNS > MX Record Add The following table describes the labels in this screen. Table 233 Configuration >...
  • Page 808: WWW Overview

    Chapter 50 System The following table describes the labels in this screen. Table 234 Configuration > System > DNS > Service Control Rule Add LABEL DESCRIPTION Create new Object: Use this to configure any new settings objects that you need to use in this screen.
  • Page 809: Service Access Limitations

    Chapter 50 System • See To-ZyWALL Rules on page 426 for more on To-ZyWALL firewall rules. • See Section 7.9 on page 145 for an example of configuring service control to block administrator HTTPS access from all zones except the LAN. To stop a service from accessing the ZyWALL, clear Enable in the corresponding service screen.
  • Page 810: Configuring WWW Service Control

    Chapter 50 System It relies upon certificates, public keys, and private keys (see Chapter 46 on page for more information). HTTPS on the ZyWALL is used so that you can securely access the ZyWALL using the Web Configurator. The SSL protocol specifies that the HTTPS server (the ZyWALL) must always authenticate itself to the HTTPS client (the computer which requests the HTTPS connection with the ZyWALL), whereas the HTTPS client only should authenticate itself when the HTTPS server requires it to do so (select...
  • Page 811 Chapter 50 System Note: Admin Service Control deals with management access (to the Web Configurator). User Service Control deals with user access to the ZyWALL (logging into SSL VPN for example). Figure 515 Configuration > System > WWW > Service Control The following table describes the labels in this screen.
  • Page 812 Chapter 50 System Table 235 Configuration > System > WWW > Service Control (continued) LABEL DESCRIPTION Server Port The HTTPS server listens on port 443 by default. If you change the HTTPS server port to a different number on the ZyWALL, for example 8443, then you must notify people who need to access the ZyWALL Web Configurator to use “https://ZyWALL IP Address:8443”...
  • Page 813 Chapter 50 System Table 235 Configuration > System > WWW > Service Control (continued) LABEL DESCRIPTION HTTP Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL Web Configurator using HTTP connections.
  • Page 814: Service Control Rules

    Chapter 50 System Table 235 Configuration > System > WWW > Service Control (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. 50.7.5 Service Control Rules Click Add or Edit in the Service Control table in a WWW, SSH, Telnet, FTP or SNMP screen to add a service control rule.
  • Page 815 Chapter 50 System also customize the page that displays after an access user logs into the Web Configurator to access network services like the Internet. See Chapter 40 on page for more on access user accounts. Figure 517 Configuration > System > WWW > Login Page
  • Page 816 Chapter 50 System The following figures identify the parts you can customize in the login and access pages. Figure 518 Login Page Customization (labelled parts: Title, Logo, Message (color of all text), Background, Note Message (last line of text)). Figure 519 Access Page Customization (labelled parts: Logo, Title, Message...)
  • Page 817 Chapter 50 System • Click Color to display a screen of web-safe colors from which to choose. • Enter the name of the desired color. • Enter a pound sign (#) followed by the six-digit hexadecimal number that represents the desired color. For example, use “#000000” for black. •...
  • Page 818: HTTPS Example

    Chapter 50 System Table 237 Configuration > System > WWW > Login Page LABEL DESCRIPTION Note Message Enter a note to display below the title. Use up to 64 printable ASCII characters. Spaces are allowed. Window Background: Set how the window’s background looks. To use a graphic, select Picture and upload a graphic.
  • Page 819: Netscape Navigator Warning Messages

    Chapter 50 System 50.7.7.2 Netscape Navigator Warning Messages When you attempt to access the ZyWALL HTTPS server, a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate. Click Examine Certificate if you want to verify that the certificate is from the ZyWALL.
  • Page 820: Login Screen

    Chapter 50 System • The issuing certificate authority of the ZyWALL’s HTTPS server certificate is not one of the browser’s trusted certificate authorities. The issuing certificate authority of the ZyWALL's factory default certificate is the ZyWALL itself since the certificate is a self-signed certificate. •...
  • Page 821 Chapter 50 System Apply for a certificate from a Certification Authority (CA) that is trusted by the ZyWALL (see the ZyWALL’s Trusted CA Web Configurator screen). Figure 524 ZyWALL Trusted CA Screen The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s).
  • Page 822 Chapter 50 System 50.7.7.5.2 Installing Your Personal Certificate(s) You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next. Click Next to begin the wizard.
  • Page 823 Chapter 50 System Enter the password given to you by the CA. Figure 528 Personal Certificate Import Wizard 3 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.
  • Page 824: Using a Certificate When Accessing the ZyWALL Example

    Chapter 50 System Click Finish to complete the wizard and begin the import process. Figure 530 Personal Certificate Import Wizard 5 You should see the following screen when the certificate is correctly installed on your computer. Figure 531 Personal Certificate Import Wizard 6 50.7.7.6 Using a Certificate When Accessing the ZyWALL Example Use the following procedure to access the ZyWALL via HTTPS.
  • Page 825: SSH

    Chapter 50 System When Authenticate Client Certificates is selected on the ZyWALL, the following screen asks you to select a personal certificate to send to the ZyWALL. This screen displays even if you only have a single certificate as in the example. Figure 533 SSL Client Authentication You next see the Web Configurator login screen.
  • Page 826: How SSH Works

    Chapter 50 System SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. In the following figure, computer A on the Internet uses SSH to securely connect to the WAN port of the ZyWALL for a management session. Figure 535 SSH Communication Over the WAN Example 50.8.1 How SSH Works The following figure is an example of how a secure connection is established...
  • Page 827: SSH Implementation on the ZyWALL

    Chapter 50 System Encryption Method Once the identification is verified, both the client and server must agree on the type of encryption method to use. Authentication and Data Transmission After the identification is verified and data encryption activated, a secure tunnel is established between the client and the server.
  • Page 828 Chapter 50 System Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections. Figure 537 Configuration > System > SSH The following table describes the labels in this screen. Table 238 Configuration > System > SSH LABEL DESCRIPTION Enable...
  • Page 829: Secure Telnet Using SSH Examples

    Chapter 50 System Table 238 Configuration > System > SSH (continued) LABEL DESCRIPTION Move To change an entry’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.
  • Page 830: Telnet

    Chapter 50 System Enter the password to log in to the ZyWALL. The CLI screen displays next. 50.8.5.2 Example 2: Linux This section describes how to access the ZyWALL using the OpenSSH client program that comes with most Linux distributions. Test whether the SSH service is available on the ZyWALL.
  • Page 831: Configuring Telnet

    Chapter 50 System 50.9.1 Configuring Telnet Click Configuration > System > TELNET to configure your ZyWALL for remote Telnet access. Use this screen to specify from which zones Telnet can be used to manage the ZyWALL. You can also specify from which IP addresses the access can come.
  • Page 832: FTP

    Chapter 50 System Table 239 Configuration > System > TELNET (continued) LABEL DESCRIPTION This is the index number of the service control rule. The entry with a hyphen (-) instead of a number is the ZyWALL’s (non-configurable) default policy. The ZyWALL applies this to traffic that does not match any other configured rule.
  • Page 833 Chapter 50 System be used to access the ZyWALL. You can also specify from which IP addresses the access can come. Figure 542 Configuration > System > FTP The following table describes the labels in this screen. Table 240 Configuration > System > FTP LABEL DESCRIPTION Enable...
  • Page 834: SNMP

    Chapter 50 System Table 240 Configuration > System > FTP (continued) LABEL DESCRIPTION Move To change an entry’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.
  • Page 835 Chapter 50 System and version two (SNMPv2c). The next figure illustrates an SNMP management operation. Figure 543 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL).
  • Page 836: Supported MIBs

    50.11.1 Supported MIBs The ZyWALL supports MIB II that is defined in RFC-1213 and RFC-1215. The ZyWALL also supports private MIBs (zywall.mib and zyxel-zywall-ZLD-Common.mib) to collect information about CPU and memory usage and VPN total throughput. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance.
  • Page 837 Chapter 50 System settings, including from which zones SNMP can be used to access the ZyWALL. You can also specify from which IP addresses the access can come. Figure 544 Configuration > System > SNMP The following table describes the labels in this screen. Table 242 Configuration >...
  • Page 838: Dial-In Management

    Chapter 50 System Table 242 Configuration > System > SNMP (continued) LABEL DESCRIPTION Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Refer to Table 236 on page 814 for details on the screen that opens.
  • Page 839: Configuring Dial-In Mgmt

    Chapter 50 System Hang Up check box is selected, the ZyWALL uses this hardware signal to force the WAN device to hang up, in addition to issuing the drop command ATH. Response Strings The response strings tell the ZyWALL the tags, or labels, immediately preceding the various call parameters sent from the serial modem.
  • Page 840: Vantage CNM

    Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide. See the Vantage CNM User's Guide for details. If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not do any configurations directly to the ZyWALL (using either the Web Configurator or commands) without notifying the Vantage CNM administrator.
  • Page 841: Configuring Vantage CNM

    If the Vantage CNM server is behind a firewall, you may have to create a rule on the firewall to allow UDP port 11864 traffic through to the Vantage CNM server (most (new) ZyXEL firewalls automatically allow this).
  • Page 842 Chapter 50 System Table 244 Configuration > System > Vantage CNM (continued) LABEL DESCRIPTION Transfer Protocol: Select whether the Vantage CNM sessions should use regular HTTP connections or secure HTTPS connections. Note: HTTPS is recommended. The Vantage CNM server must use the same setting. Device Management: Select Auto to have the ZyWALL allow Vantage CNM sessions to connect...
  • Page 843: Language Screen

    Chapter 50 System 50.14 Language Screen Click Configuration > System > Language to open the following screen. Use this screen to select a display language for the ZyWALL’s Web Configurator screens. Figure 547 Configuration > System > Language The following table describes the labels in this screen. Table 245 Configuration >...
  • Page 845: Log And Report

    Chapter 51 Log and Report 51.1 Overview Use these screens to configure daily reporting and log settings. 51.1.1 What You Can Do In this Chapter • Use the Email Daily Report screen (Section 51.2 on page 845) to configure where and how to send daily reports and what reports to send.
  • Page 846 Chapter 51 Log and Report Click Configuration > Log & Report > Email Daily Report to display the following screen. Configure this screen to have the ZyWALL e-mail you system statistics every day. Figure 548 Configuration > Log & Report > Email Daily Report
  • Page 847: Log Setting Screens

    Chapter 51 Log and Report The following table describes the labels in this screen. Table 246 Configuration > Log & Report > Email Daily Report LABEL DESCRIPTION Enable Email Daily Report: Select this to send reports by e-mail every day. Mail Server: Type the name or IP address of the outgoing SMTP server.
  • Page 848: Log Setting Summary

    Chapter 51 Log and Report ZyWALL store system logs on a connected USB storage device. The other four logs are stored on specified syslog servers. The Log Setting tab also controls what information is saved in each log. For the system log, you can also specify which log messages are e-mailed, where they are e-mailed, and how often they are e-mailed.
  • Page 849: Edit System Log Settings

    Log Format This field displays the format of the log. Internal - system log; you can view the log on the View Log tab. VRPT/Syslog - ZyXEL’s Vantage Report, syslog-compatible format. CEF/Syslog - Common Event Format, syslog-compatible format. Summary This field is a summary of the settings for each log. Please see Section 51.3.2 on page 849...
  • Page 850 Chapter 51 Log and Report Figure 550 Configuration > Log & Report > Log Setting > Edit (System Log)
  • Page 851 Chapter 51 Log and Report The following table describes the labels in this screen. Table 248 Configuration > Log & Report > Log Setting > Edit (System Log) LABEL DESCRIPTION E-Mail Server 1/2 Active Select this to send log messages and alerts according to the information in this section.
  • Page 852 Chapter 51 Log and Report Table 248 Configuration > Log & Report > Log Setting > Edit (System Log) LABEL DESCRIPTION E-mail Server 1 Use the E-Mail Server 1 drop-down list to change the settings for e-mailing logs to e-mail server 1 for all log categories. Using the System Log drop-down list to disable all logs overrides your e-mail server 1 settings.
  • Page 853 Chapter 51 Log and Report Table 248 Configuration > Log & Report > Log Setting > Edit (System Log) LABEL DESCRIPTION Active Select this to activate log consolidation. Log consolidation aggregates multiple log messages that arrive within the specified Log Consolidation Interval. In the View Log tab, the text “[count=x]”, where x is the number of original log messages, is appended at the end of the Message field, when multiple log messages were aggregated.
  • Page 854: Edit Log on USB Storage Setting

    Chapter 51 Log and Report 51.3.3 Edit Log on USB Storage Setting The Edit Log on USB Storage Setting screen controls the detailed settings for saving logs to a connected USB storage device. Go to the Log Setting Summary screen (see Section 51.3.1 on page 848), and click the USB storage Edit icon.
  • Page 855 Chapter 51 Log and Report The following table describes the labels in this screen. Table 249 Configuration > Log & Report > Log Setting > Edit (USB Storage) LABEL DESCRIPTION Duplicate logs to USB storage: Select this to have the ZyWALL save a copy of its system logs to a connected USB storage device.
  • Page 856: Edit Remote Server Log Settings

    Chapter 51 Log and Report 51.3.4 Edit Remote Server Log Settings The Log Settings Edit screen controls the detailed settings for each log in the remote server (syslog). Go to the Log Settings Summary screen (see Section 51.3.1 on page 848), and click a remote server Edit icon.
  • Page 857 Active Log section. Log Format This field displays the format of the log information. It is read-only. VRPT/Syslog - ZyXEL’s Vantage Report, syslog-compatible format. CEF/Syslog - Common Event Format, syslog-compatible format. Server Address: Type the server name or the IP address of the syslog server to which to send log information.
  • Page 858: Active Log Summary Screen

    Chapter 51 Log and Report 51.3.5 Active Log Summary Screen The Active Log Summary screen allows you to view and to edit what information is included in the system log, e-mail profiles, and remote servers at the same time. It does not let you change other log settings (for example, where and how often log information is e-mailed or remote server names). To access this screen, go to the Log Settings Summary screen (see Section 51.3.1 on page...
  • Page 859 Chapter 51 Log and Report The following table describes the fields in this screen. Table 251 Configuration > Log & Report > Log Setting > Active Log Summary LABEL DESCRIPTION System Log Use the System Log drop-down list to change the log settings for all of the log categories.
  • Page 860 Chapter 51 Log and Report Table 251 Configuration > Log & Report > Log Setting > Active Log Summary LABEL DESCRIPTION Remote Server For each remote server, use the Selection drop-down list to change the log settings for all of the log categories. disable all logs (red X) - do not send the remote server logs for any log category.
  • Page 863: File Manager

    Chapter 52 File Manager 52.1 Overview Configuration files define the ZyWALL’s settings. Shell scripts are files of commands that you can store on the ZyWALL and run when you need them. You can apply a configuration file or run a shell script without the ZyWALL restarting. You can store multiple configuration files and shell script files on the ZyWALL.
  • Page 864: Comments In Configuration Files Or Shell Scripts

    Chapter 52 File Manager These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below. Figure 554 Configuration File / Shell Script: Example
        # enter configuration mode
        configure terminal
        # change administrator password
        username admin password 4321 user-type admin
        # configure ge3...
  • Page 865 Chapter 52 File Manager Your configuration files or shell scripts can use “exit” or a command line consisting of a single “!” to have the ZyWALL exit sub command mode. Note: “exit” or “!” must follow sub commands if it is to make the ZyWALL exit sub command mode.
  • Page 866: The Configuration File Screen

    Chapter 52 File Manager 52.2 The Configuration File Screen Click Maintenance > File Manager > Configuration File to open the Configuration File screen. Use the Configuration File screen to store, run, and name configuration files. You can also download configuration files from the ZyWALL to your computer and upload configuration files from your computer to the ZyWALL.
  • Page 867 Chapter 52 File Manager The following table describes the labels in this screen. Table 253 Maintenance > File Manager > Configuration File LABEL DESCRIPTION Rename Use this button to change the label of a configuration file on the ZyWALL. You can only rename manually saved configuration files. You cannot rename the lastgood.conf, system-default.conf and startup-config.conf files.
  • Page 868 Chapter 52 File Manager Table 253 Maintenance > File Manager > Configuration File (continued) LABEL DESCRIPTION Copy Use this button to save a duplicate of a configuration file on the ZyWALL. Click a configuration file’s row to select it and click Copy to open the Copy File screen.
  • Page 869 Chapter 52 File Manager Table 253 Maintenance > File Manager > Configuration File (continued) LABEL DESCRIPTION Apply Use this button to have the ZyWALL use a specific configuration file. Click a configuration file’s row to select it and click Apply to have the ZyWALL use that configuration file.
  • Page 870: The Firmware Package Screen

    Chapter 52 File Manager Table 253 Maintenance > File Manager > Configuration File (continued) LABEL DESCRIPTION File Name This column displays the label that identifies a configuration file. You cannot delete the following configuration files or change their file names. The system-default.conf file contains the ZyWALL’s default settings.
  • Page 871 See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it. Find the firmware package at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, “zywall.bin”.
  • Page 872: The Shell Script Screen

    Chapter 52 File Manager After you see the Firmware Upload in Process screen, wait two minutes before logging into the ZyWALL again. Figure 560 Firmware Upload In Process Note: The ZyWALL automatically reboots after a successful upload. The ZyWALL automatically restarts causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.
  • Page 873 Chapter 52 File Manager Note: You should include write commands in your scripts. If you do not use the write command, the changes will be lost when the ZyWALL restarts. You could use multiple write commands in a long script. Figure 563 Maintenance >...
  • Page 874 Chapter 52 File Manager Table 255 Maintenance > File Manager > Shell Script (continued) LABEL DESCRIPTION Copy Use this button to save a duplicate of a shell script file on the ZyWALL. Click a shell script file’s row to select it and click Copy to open the Copy File screen.
  • Page 875: Diagnostics

    CHAPTER 53 Diagnostics 53.1 Overview Use the diagnostics screens for troubleshooting. 53.1.1 What You Can Do in this Chapter • Use the Maintenance > Diagnostics screens (see Section 53.2 on page 875) to generate files containing the ZyWALL’s configuration and diagnostic information if you need to provide it to customer support for troubleshooting.
  • Page 876: The Diagnostics Files Screen

    Chapter 53 Diagnostics Click Maintenance > Diagnostics to open the Diagnostic screen. Figure 566 Maintenance > Diagnostics The following table describes the labels in this screen. Table 256 Maintenance > Diagnostics LABEL DESCRIPTION Filename This is the name of the most recently created diagnostic file. Last modified This is the date and time that the last diagnostic file was created.
  • Page 877: The Packet Capture Screen

    Chapter 53 Diagnostics The following table describes the labels in this screen. Table 257 Maintenance > Diagnostics > Files LABEL DESCRIPTION Remove Select files and click Remove to delete them from the ZyWALL. Use the [Shift] and/or [Ctrl] key to select multiple files. A pop-up window asks you to confirm that you want to delete.
  • Page 878 Chapter 53 Diagnostics Note: New capture files overwrite existing files of the same name. Change the File Suffix field's setting to avoid this. Figure 568 Maintenance > Diagnostics > Packet Capture The following table describes the labels in this screen. Table 258 Maintenance >...
  • Page 879 Chapter 53 Diagnostics Table 258 Maintenance > Diagnostics > Packet Capture (continued) LABEL DESCRIPTION Save data to onboard storage only: Select this to have the ZyWALL only store packet capture entries on the ZyWALL. Save data to USB storage only: Select this to have the ZyWALL store packet capture entries only on a USB storage device connected to the ZyWALL.
  • Page 880: The Packet Capture Files Screen

    Chapter 53 Diagnostics Table 258 Maintenance > Diagnostics > Packet Capture (continued) LABEL DESCRIPTION Capture Click this button to have the ZyWALL capture packets according to the settings configured in this screen. You can configure the ZyWALL while a packet capture is in progress although you cannot modify the packet capture settings.
  • Page 881: Example Of Viewing A Packet Capture File

    Chapter 53 Diagnostics Table 259 Maintenance > Diagnostics > Packet Capture > Files (continued) LABEL DESCRIPTION This column displays the number for each packet capture file entry. The total number of packet capture files that you can save depends on the file sizes and the available flash storage space.
  • Page 882: Core Dump Screen

    Chapter 53 Diagnostics 53.4 Core Dump Screen Use the Core Dump screen to have the ZyWALL save a process’s core dump to an attached USB storage device if the process terminates abnormally (crashes). You may need to send this file to customer support for troubleshooting. Click Maintenance >...
  • Page 883: The System Log Screen

    Chapter 53 Diagnostics connected USB storage device. You may need to send these files to customer support for troubleshooting. Figure 572 Maintenance > Diagnostics > Core Dump > Files The following table describes the labels in this screen. Table 261 Maintenance > Diagnostics > Core Dump > Files LABEL DESCRIPTION Remove...
  • Page 884 Chapter 53 Diagnostics storage device. The files are in comma separated value (csv) format. You can download them to your computer and open them in a tool like Microsoft’s Excel. Figure 573 Maintenance > Diagnostics > System Log The following table describes the labels in this screen. Table 262 Maintenance >...
  • Page 885: Reboot

    CHAPTER 54 Reboot 54.1 Overview Use this to restart the device (for example, if the device begins behaving erratically). See also Section 1.5 on page 37 for information on different ways to start and stop the ZyWALL. 54.1.1 What You Need To Know If you applied changes in the Web configurator, these were saved automatically and do not change when you reboot.
  • Page 887: Shutdown

    CHAPTER 55 Shutdown 55.1 Overview Use this to shut down the device in preparation for disconnecting the power. See also Section 1.5 on page 37 for information on different ways to start and stop the ZyWALL. Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the ZyWALL or remove the power.
  • Page 889: Troubleshooting

    CHAPTER 56 Troubleshooting This chapter offers some suggestions to solve problems you might encounter. • You can also refer to the logs (see Chapter 10 on page 261). For individual log descriptions, see Appendix A on page 917.
  • Page 890 Chapter 56 Troubleshooting • If you’ve forgotten the ZyWALL’s IP address, you can use the commands through the console port to check it. Connect your computer to the CONSOLE port using a console cable. Your computer should have a terminal emulation communications program (such as HyperTerminal) set to VT100 terminal emulation, no parity, 8 data bits, 1 stop bit, no flow control and 115200 bps port speed.
  • Page 891: Troubleshooting

    Chapter 56 Troubleshooting I downloaded updated anti-virus or IDP/application patrol signatures. Why has the ZyWALL not re-booted yet? The ZyWALL does not have to reboot when you upload new signatures. The content filter category service is not working. • Make sure your ZyWALL has the content filter category service registered and that the license is not expired.
  • Page 892 Chapter 56 Troubleshooting • The format of interface names other than the Ethernet interface names is very strict. Each name consists of 2-4 letters (interface type), followed by a number (x, limited by the maximum number of each type of interface). For example, VLAN interfaces are vlan0, vlan1, vlan2, ...;...
  • Page 893 Chapter 56 Troubleshooting I created a cellular interface but cannot connect through it. • Make sure you have a compatible 3G device installed or connected. See Chapter 57 on page 909 for details. • Make sure you have the cellular interface enabled. •...
  • Page 894 Chapter 56 Troubleshooting The ZyWALL’s performance slowed down after I configured many new application patrol entries. The ZyWALL checks the ports and conditions configured in application patrol entries in the order they appear in the list. While this sequence does not affect the functionality, you might improve the performance of the ZyWALL by putting more commonly used ports at the top of the list.
  • Page 895 Chapter 56 Troubleshooting IDP is dropping traffic that matches a rule that says no action should be taken. The ZyWALL checks all signatures and continues searching even after a match is found. If two or more rules have conflicting actions for the same packet, then the ZyWALL applies the more restrictive action (reject-both, reject-receiver or reject-sender, drop, none in this order).
  • Page 896 Chapter 56 Troubleshooting the default routing and SNAT behavior for an interface with the Interface Type set to Internal or External. The ZyWALL is not applying a policy route’s port triggering settings. You also need to create a firewall rule to allow an incoming service. I cannot get Dynamic DNS to work.
  • Page 897 If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into both ZyXEL IPSec routers and check the settings in each field methodically and slowly. Make sure both the ZyWALL and remote IPSec router have the same security settings for the VPN tunnel.
  • Page 898 Chapter 56 Troubleshooting • The ZyWALL and remote IPSec router must use the same active protocol. • The ZyWALL and remote IPSec router must use the same encapsulation. • The ZyWALL and remote IPSec router must use the same SPI. •...
  • Page 899 Chapter 56 Troubleshooting • Make sure you have configured L2TP correctly on the remote user computers. Section 8.5 on page 173 for examples. • Make sure you configured an appropriate policy route on the ZyWALL. • Make sure there is not a firewall between the ZyWALL and the remote users. •...
  • Page 900 Chapter 56 Troubleshooting I logged into the SSL VPN but cannot see some of the resource links. Available resource links vary depending on the SSL application object’s configuration. I logged into the SSL VPN but cannot perform some actions in the File Sharing screen.
  • Page 901 Chapter 56 Troubleshooting However, you need to manually edit any address objects for your LAN that are not based on the interface. I configured application patrol to allow and manage access to a specific service but access is blocked. • If you want to use a service, make sure both the firewall and application patrol allow the service’s packets to go through the ZyWALL.
  • Page 902 Chapter 56 Troubleshooting • Each monitored interface must have a static IP address and be connected to the same subnet as the corresponding interface on the backup or master ZyWALL. • If you have multiple ZyWALL virtual routers on your network, use a different cluster ID to identify each virtual router.
  • Page 903 Chapter 56 Troubleshooting You cannot put the default admin account into any user group. I cannot get the device HA synchronization to work. Only ZyWALLs of the same model and firmware version can synchronize. Device HA synchronization is not working for subscription services. Subscribe to services on the backup ZyWALL before synchronizing it with the master ZyWALL. Synchronization includes updates for services to which the master and...
  • Page 904 Chapter 56 Troubleshooting • Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. A PKCS #7 file is used to transfer a public key certificate. The private key is not included. The ZyWALL currently allows the importation of a PKCS#7 file that contains a single certificate.
  • Page 905: Packet Capture Captured Less/Failed

    Chapter 56 Troubleshooting The ZyWALL’s traffic throughput rate decreased after I started collecting traffic statistics. Data collection may decrease the ZyWALL’s traffic throughput rate. I can only see newer logs. Older logs are missing. When a log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first.
  • Page 906: Resetting The Zywall

    Chapter 56 Troubleshooting The packet capture screen’s File Size sets a maximum size limit for the total combined size of all the capture files on the ZyWALL, including any existing capture files and any new capture files you generate. If you have existing capture files you may need to set this size larger or delete existing capture files.
  • Page 907: Getting More Troubleshooting Help

    Chapter 56 Troubleshooting 56.2 Getting More Troubleshooting Help Search for support information for your model at www.zyxel.com for more troubleshooting suggestions. ZyWALL USG 1000 User’s Guide...
  • Page 909: Product Specifications

    CHAPTER 57 Product Specifications The following specifications are subject to change without notice. See Chapter 2 on page 39 for a general overview of key features. This table provides basic device specifications. Table 263 Default Login Information ATTRIBUTE SPECIFICATION Default IP Address...
  • Page 910 Chapter 57 Product Specifications Table 264 Hardware Specifications (continued) FEATURE SPECIFICATION Operating Environment: Temperature 0°C to 40°C, Humidity 5% to 90% (non-condensing). Storage Environment: Temperature -30°C to 60°C, Humidity 5% to 90% (non-condensing). MTBF: Mean Time Between Failures 51,611 hours. Dimensions: 430.7 (W) x 292.0 (D) x 43.5 (H) mm. Weight...
  • Page 911 Chapter 57 Product Specifications Table 265 ZyWALL USG 1000 Feature Specifications (continued) VERSION # V2.00 V2.11, V2.12 V2.20 FEATURE Firewall ACL Rules 5,000 5000 5000 Maximum Session Limit per Host 1000 1000 Rules APPLICATION PATROL Maximum Rules for Other Protocols Maximum Rules for Each Protocol Allowed Ports Default Ports...
  • Page 912: Syslog

    Chapter 57 Product Specifications Table 265 ZyWALL USG 1000 Feature Specifications (continued) VERSION # V2.00 V2.11, V2.12 V2.20 FEATURE Number of Trunks (system default) Maximum Number of Trunks (user created) Maximum Number of VPN Tunnels 1000 1000 1000 Maximum Number of VPN Concentrators CERTIFICATES Certificate Buffer Size...
  • Page 913 Chapter 57 Product Specifications Table 265 ZyWALL USG 1000 Feature Specifications (continued) VERSION # V2.00 V2.11, V2.12 V2.20 FEATURE Maximum Number of Content Filter Profiles Maximum Number of Forbidden 256 per profile 256 per profile 256 per profile Domain Entries Maximum Number of Trusted 256 per profile 256 per profile...
  • Page 914 Chapter 57 Product Specifications Table 265 ZyWALL USG 1000 Feature Specifications (continued) VERSION # V2.00 / V2.11, V2.12 / V2.20 FEATURE Maximum SSL VPN Connections: V2.00: 5 without a license, 50 with license; V2.11, V2.12: 5 without a license, licenses come in 25, 50 or 250; V2.20: 5 without a license, licenses come in 25, 50 or 250...
  • Page 915: Pcmcia Card Installation

    Chapter 57 Product Specifications Table 266 Standards Referenced by Features (continued) FEATURE STANDARDS REFERENCED Used by Time service RFCs 3339 Used by Telnet service RFCs 318, 854, 1413 Used by SIP ALG RFCs 3261, 3264 DHCP relay RFC 1541 ZySH W3C XML standard RFC 826 IP/IPv4...
  • Page 917: Appendix A Log Descriptions

    APPENDIX A Log Descriptions This appendix provides descriptions of example log messages for the ZLD-based ZyWALLs. The logs do not all apply to all of the ZLD-based ZyWALLs. You will not necessarily see all of these logs on your device. Table 267 Content Filter Logs LOG MESSAGE DESCRIPTION...
  • Page 918 Appendix A Log Descriptions Table 269 Blocked Web Site Logs LOG MESSAGE - DESCRIPTION: "%s :%s" - The rating server responded that the web site is in a specified category and access was blocked according to a content filter profile. 1st %s: website host; 2nd %s: website category. "%s: Unrated" - The rating server responded that the web site cannot be...
  • Page 919 Appendix A Log Descriptions Table 269 Blocked Web Site Logs (continued) LOG MESSAGE - DESCRIPTION: "%s: Proxy mode is detected" - The system detected a proxy connection and blocked access according to a profile. %s: website host. "%s: Forbidden Web site" - The web site is in the forbidden web site list. %s: website host. The web content matched a user defined keyword.
  • Page 920 Appendix A Log Descriptions Table 270 Anti-Spam Logs (continued) LOG MESSAGE - DESCRIPTION: "Black List checking has been activated." - The anti-spam black list has been turned on. "Black List checking has been deactivated." - The anti-spam black list has been turned off. "Black List rule %d has been added." - The anti-spam black list rule with the specified index number (%d) has been added.
  • Page 921 Appendix A Log Descriptions Table 271 SSL VPN Logs LOG MESSAGE - DESCRIPTION: "%s %s from %s has logged in SSLVPN" - A user has logged into SSL VPN. The first %s is the type of user account. The second %s is the user’s user name. The third %s is the name of the service the user is using (HTTP or HTTPS).
  • Page 922 Appendix A Log Descriptions Table 271 SSL VPN Logs (continued) LOG MESSAGE - DESCRIPTION: "The %s address-object is wrong type for %s" - The listed address object (first %s) is not the right kind to be specified as a network in the listed SSL VPN policy (second %s).
  • Page 923 Appendix A Log Descriptions Table 271 SSL VPN Logs (continued) LOG MESSAGE - DESCRIPTION: "%s %s is accessed. sent=<bytes> rcvd=<bytes>" - The listed SSL VPN access was used to send and receive the listed numbers of bytes. The first %s is the type of SSL VPN access (web application, file sharing, or network extension).
  • Page 924 Appendix A Log Descriptions Table 272 L2TP Over IPSec Logs LOG MESSAGE - DESCRIPTION: "The configuration of L2TP over IPSec has been changed." - The L2TP over IPSec configuration has been modified. "L2TP over IPSec may not work since Crypto Map..." - L2TP over IPSec does not support manual key management. L2TP over IPSec may not work because the IPSec VPN connection it uses (Crypto Map %s) has been set to use...
  • Page 925 Appendix A Log Descriptions The ZySH logs deal with internal system errors. Table 273 ZySH Logs LOG MESSAGE DESCRIPTION Invalid message queue. Maybe someone starts another zysh daemon. 1st:pid num ZySH daemon is instructed to reset by System integrity error! Group OPS cannot close property group...
  • Page 926 Appendix A Log Descriptions Table 273 ZySH Logs (continued) LOG MESSAGE DESCRIPTION 1st:zysh list name Can't remove %s Table OPS 1st:zysh table name %s: cannot retrieve entries from table! 1st:zysh table name %s: index is out of range! 1st:zysh table name, 2nd: zysh entry num %s: cannot set entry 1st:zysh table name %s: table is full!
  • Page 927 Appendix A Log Descriptions Table 274 ADP Logs LOG MESSAGE - DESCRIPTION: "from <zone> to <zone> [type=<type>] <message>, Action: <action>, Severity: <severity>" - The ZyWALL detected an anomaly in traffic traveling between the specified zones. The <type> = {scan-detection(<attack>) | flood-detection(<attack>) | http-inspection(<attack>) | tcp-decoder(<attack>)}.
  • Page 928 Appendix A Log Descriptions Table 275 Anti-Virus Logs LOG MESSAGE - DESCRIPTION: "Initializing Anti-Virus signature reference table has failed." - The ZyWALL failed to initialize the anti-virus signatures due to an internal error. "Reloading Anti-Virus..." - The ZyWALL failed to reload the anti-virus signatures due to an internal error.
  • Page 929 Appendix A Log Descriptions Table 275 Anti-Virus Logs (continued) LOG MESSAGE - DESCRIPTION: "AV signature update has failed. Can not update last update time." - The anti-virus signatures update did not succeed. "AV signature update has failed. ..." - Anti-virus signatures update failed because the ZyWALL was not able to replace the old set of anti-virus signatures with...
  • Page 930 Appendix A Log Descriptions Table 275 Anti-Virus Logs (continued) LOG MESSAGE - DESCRIPTION: "Anti-Virus rule %d has been modified." - The anti-virus rule of the specified number has been changed. "Anti-Virus rule %d has ..." - An anti-virus rule has been inserted. %d is the number of the new rule.
  • Page 931 Appendix A Log Descriptions Table 276 User Logs LOG MESSAGE - DESCRIPTION: "%s %s from %s has logged in ZyWALL" - A user logged into the ZyWALL. 1st %s: The type of user account. 2nd %s: The user’s user name. 3rd %s: The name of the service the user is using (HTTP, HTTPS, FTP, Telnet, SSH, or console).
  • Page 932 Appendix A Log Descriptions Table 276 User Logs (continued) LOG MESSAGE - DESCRIPTION: "Failed login attempt to ZyWALL from %s (login on a lockout address)" - A login attempt came from an IP address that the ZyWALL has locked out. %u.%u.%u.%u: the source address of the user’s login attempt. "Failed login attempt to..." - The ZyWALL blocked a login because the maximum login...
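The User Logs messages above are the ones most worth watching on a gateway that is also the network's management plane. The following is an added example, not code from ZyXEL or from this guide, that parses lines in the shape of the two messages shown (successful login and login attempt from a locked-out address) and counts them per account and per source address, as one would do on the remote syslog server the Active Log Summary screen can forward to. The leading "YYYY-MM-DD HH:MM:SS" timestamp is an assumed syslog prefix, and all sample lines and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the Table 276 User Logs messages.
# Timestamps, user names and addresses are made up for this example.
SAMPLE_LOGS = [
    "2010-09-01 10:00:01 admin admin from 192.168.1.33 has logged in ZyWALL",
    "2010-09-01 10:00:05 Failed login attempt to ZyWALL from 203.0.113.7 (login on a lockout address)",
    "2010-09-01 10:00:06 Failed login attempt to ZyWALL from 203.0.113.7 (login on a lockout address)",
    "2010-09-01 10:00:09 user alice from 192.168.1.40 has logged in ZyWALL",
    "2010-09-01 10:00:12 Failed login attempt to ZyWALL from 203.0.113.9 (login on a lockout address)",
    "2010-09-01 10:00:15 some unrelated message",
]

# Assumed timestamp prefix added by the syslog collector (not part of the message itself).
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")

# "%s %s from %s has logged in ZyWALL": account type, user name, source/service.
LOGIN_RE = re.compile(
    r"^(?P<acct>\S+) (?P<user>\S+) from (?P<src>\S+) has logged in ZyWALL$"
)
# "Failed login attempt to ZyWALL from %s (login on a lockout address)".
LOCKOUT_RE = re.compile(
    r"^Failed login attempt to ZyWALL from (?P<src>\S+) \(login on a lockout address\)$"
)


def parse_user_log(line):
    """Return (kind, fields) for a recognised User Logs line, else None."""
    msg = TIMESTAMP_RE.sub("", line.strip())
    m = LOGIN_RE.match(msg)
    if m:
        return ("login", m.groupdict())
    m = LOCKOUT_RE.match(msg)
    if m:
        return ("lockout_attempt", m.groupdict())
    return None


def summarize(lines):
    """Count logins per (account type, user, source) and lockout attempts per source."""
    logins = Counter()
    lockouts = Counter()
    for line in lines:
        parsed = parse_user_log(line)
        if parsed is None:
            continue  # not a User Logs message we model; ignore
        kind, f = parsed
        if kind == "login":
            logins[(f["acct"], f["user"], f["src"])] += 1
        else:
            lockouts[f["src"]] += 1
    return {"logins": logins, "lockout_attempts": lockouts}


def repeat_offenders(lines, threshold=2):
    """Sources that kept retrying after the ZyWALL locked them out."""
    counts = summarize(lines)["lockout_attempts"]
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOGS))
    print("repeat offenders:", repeat_offenders(SAMPLE_LOGS))
```

Running the block on the constructed input reports one login each for the two accounts and flags 203.0.113.7 as having retried after lockout; the same two patterns, fed from the ZyWALL's remote server log stream, give a simple alerting source for administrative access to the gateway.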
  • Page 933 Appendix A Log Descriptions Table 277 myZyXEL.com Logs (continued) LOG MESSAGE - DESCRIPTION: "Registration has failed. Because of lack must fields." - The device received an incomplete response from the myZyXEL.com server and it caused a parsing error for the device. "%s:Trial service activation has..." - Trial service activation failed for the specified service; an error message returned by the MyZyXEL.com server will be...
  • Page 934 Appendix A Log Descriptions Table 277 myZyXEL.com Logs (continued) LOG MESSAGE - DESCRIPTION: "Do device register." - The device started device registration. "Do trial service activation." - The device started trial service activation. "Do standard service activation." - The device started standard service activation. The device started the service expiration day check.
  • Page 935 Appendix A Log Descriptions Table 277 myZyXEL.com Logs (continued) LOG MESSAGE - DESCRIPTION: "Device has latest signature file; no need to update" - The device already has the latest version of the signature file so no update is needed. "Connect to update server has failed." - The device cannot connect to the update server.
  • Page 936 Appendix A Log Descriptions Table 277 myZyXEL.com Logs (continued) LOG MESSAGE - DESCRIPTION: "Get server response has failed." - The device sent packets to the server, but did not receive a response. The root cause may be that the connection is abnormal. "Expiration daily-..." - The daily check for service expiration failed; an error message returned by the MyZyXEL.com server will be appended to this...
  • Page 937 Appendix A Log Descriptions Table 277 myZyXEL.com Logs (continued) LOG MESSAGE - DESCRIPTION: "Self signed certificate." - Verification of a server’s certificate failed because it is self-signed. "Self signed certificate in certificate chain." - Verification of a server’s certificate failed because there is a self-signed certificate in the server’s certificate chain.
  • Page 938 Appendix A Log Descriptions Table 278 IDP Logs (continued) LOG MESSAGE - DESCRIPTION: "Enable IDP engine succeeded." - The device turned on the IDP engine. "Disable IDP engine succeeded." - The device turned off the IDP engine. "IDP service is not registered." - The IDP service has not been turned on and the IDP signatures will not be updated because the IDP service is...
  • Page 939 Appendix A Log Descriptions Table 278 IDP Logs (continued) LOG MESSAGE - DESCRIPTION: "Add custom signature error: signature <sid> is over length." - An attempt to add a custom IDP signature failed because the signature’s contents were too long. "Edit custom signature ..." - An attempt to edit a custom IDP signature failed because the signature’s contents were too long.
  • Page 940 Appendix A Log Descriptions Table 278 IDP Logs (continued) LOG MESSAGE - DESCRIPTION: "from <zone> to <zone> [type=<type>] <message>, Action: <action>, Severity: <severity>" - The ZyWALL detected an intrusion in traffic traveling between the specified zones. The <type> = {scan-detection(<attack>) | flood-detection(<attack>) | http-inspection(<attack>) | tcp-decoder(<attack>)}.
  • Page 941 Appendix A Log Descriptions Table 278 IDP Logs (continued) LOG MESSAGE - DESCRIPTION: "Duplicate sid <sid> in import file at line <linenum>." - The listed signature ID is duplicated at the listed line number in the signature file. "IDP rule <num>..." - The listed IDP rule has been removed.
  • Page 942 Appendix A Log Descriptions Table 279 Application Patrol (continued) MESSAGE - EXPLANATION: "Protocol %s has been enabled." - The listed protocol has been turned on in the application patrol. "Protocol %s has been ..." - The listed protocol has been turned off in the application patrol.
  • Page 943 Appendix A Log Descriptions Table 280 IKE Logs LOG MESSAGE - DESCRIPTION: "Peer has not announced DPD capability" - The remote IPSec router has not announced its dead peer detection (DPD) capability to this device. "[COOKIE] Invalid cookie, no sa found" - Cannot find SA according to the cookie. The device’s DPD feature has not detected a response from...
  • Page 944 Appendix A Log Descriptions Table 280 IKE Logs (continued) LOG MESSAGE - DESCRIPTION: "[SA] : Tunnel [%s] Phase 1 invalid protocol" - %s is the tunnel name. When negotiating Phase-1, the packet was not an ISAKMP packet in the protocol field. "[SA] : Tunnel [%s] ..." - %s is the tunnel name. When negotiating Phase-1, the transform ID was invalid.
  • Page 945 Appendix A Log Descriptions Table 280 IKE Logs (continued) LOG MESSAGE - DESCRIPTION: "Could not dial manual key tunnel "%s"" - %s is the tunnel name. The manual key tunnel cannot be dialed. "DPD response with invalid ID" - A DPD response with an invalid ID was received and ignored. A DPD response was received when there was no active query.
  • Page 946: Ipsec Logs

    Appendix A Log Descriptions Table 280 IKE Logs (continued) LOG MESSAGE - DESCRIPTION: "VPN gateway %s was enabled" - %s is the gateway name. An administrator enabled the VPN gateway. "XAUTH fail! My name: ..." - %s is the my xauth name. This indicates that my name is invalid.
  • Page 947: Firewall Logs

    Appendix A Log Descriptions Table 281 IPSec Logs (continued) LOG MESSAGE - DESCRIPTION: "Get outbound transform fail" - When an outgoing packet needs to be transformed, the engine cannot obtain the transform context. "Inbound transform operation fail" - After encryption or hardware accelerated processing, the hardware accelerator dropped a packet (resource shortage, corrupt packet, invalid MAC, and so on).
  • Page 948 Appendix A Log Descriptions Table 282 Firewall Logs (continued) LOG MESSAGE - DESCRIPTION: "Firewall %s %s rule %d was %s." - 1st %s is from zone, 2nd %s is to zone, %d is the index of the rule, 3rd %s is appended/inserted/modified. "Firewall %s %s rule %d ..." - 1st %s is from zone, 2nd %s is to zone, 1st %d is the old index of the rule...
  • Page 949 Appendix A Log Descriptions Table 284 Policy Route Logs (continued) LOG MESSAGE - DESCRIPTION: "The policy route %d uses empty user group!" - Uses an empty object group. %d: the policy route rule number. "The policy route %d uses empty source address group!" - Uses an empty object group. %d: the policy route rule number.
  • Page 950 Appendix A Log Descriptions Table 285 Built-in Services Logs (continued) LOG MESSAGE - DESCRIPTION: "HTTPS port has been changed to port %s." - An administrator changed the port number for HTTPS. %s is port number. "HTTPS port has been ..." - An administrator changed the port number for HTTPS back to the default (443).
  • Page 951 Appendix A Log Descriptions Table 285 Built-in Services Logs (continued) LOG MESSAGE - DESCRIPTION: "Console baud has been reset to %d." - An administrator changed the console port baud rate back to the default (115200). %d is default baud rate. "DHCP Server on ..." - If the interface is in stand-by mode for device HA, the DHCP server can't be run.
  • Page 952 Appendix A Log Descriptions Table 285 Built-in Services Logs (continued) LOG MESSAGE - DESCRIPTION: "DNS access control rule %u has been moved to %d." - An administrator moved the rule %u to index %d. %u is previous index; %d variable is current index. The default record DNS servers is more than 128.
  • Page 953 Appendix A Log Descriptions Table 285 Built-in Services Logs (continued) LOG MESSAGE - DESCRIPTION: "Access control rule %u of %s was modified." - An access control rule was modified successfully. %u is the index of the access control rule. %s is HTTP/HTTPS/SSH/SNMP/FTP/TELNET. An access control rule was removed successfully.
  • Page 954 Appendix A Log Descriptions Table 286 System Logs (continued) LOG MESSAGE - DESCRIPTION: "DHCP Server executed with cautious mode disabled" - DHCP Server executed with cautious mode disabled. "Received packet is not an ARP response packet" - A packet was received but it is not an ARP response packet. The device received an ARP response.
  • Page 955 Appendix A Log Descriptions Table 286 System Logs (continued) LOG MESSAGE - DESCRIPTION: "Device is rebooted by administrator!" - An administrator restarted the device. "Insufficient memory." - Cannot allocate system memory. "Connect to dyndns server has failed." - Cannot connect to members.dyndns.org to update DDNS. "Update the profile %s ..." - Update profile failed because the response was strange; %s is the profile name.
  • Page 956 Appendix A Log Descriptions Table 286 System Logs (continued) LOG MESSAGE - DESCRIPTION: "Update the profile %s has failed because the feature requested is only available to donators." - Update profile failed because the feature requested is only available to donators; %s is the profile name.
  • Page 957 Appendix A Log Descriptions Table 286 System Logs (continued) LOG MESSAGE - DESCRIPTION: "The profile %s has been paused because the HA interface of VRRP status was standby." - The profile is paused by Device-HA because the VRRP status of that HA interface is standby; %s is the profile name.
  • Page 958 Appendix A Log Descriptions Table 287 Connectivity Check Logs LOG MESSAGE - DESCRIPTION: "Can't open link_up2" - Cannot recover routing status which is link-down. "Can not open %s.pid" - Cannot open connectivity check process ID file. %s: interface name. "Can not open %s.arg" - Cannot open configuration file for connectivity check process. %s: interface name. The link status of the interface is still active after check of...
  • Page 959 Appendix A Log Descriptions Table 287 Connectivity Check Logs (continued) LOG MESSAGE - DESCRIPTION: "Can't use MULTICAST IP for destination" - The connectivity check process can't use a multicast address to check link-status. "The destination is ..." - The connectivity check process can't use a broadcast address to check link-status.
  • Page 960 Appendix A Log Descriptions Table 288 Device HA Logs (continued) LOG MESSAGE - DESCRIPTION: "%s file not existed, Skip syncing it for %s" - There is no file to be synchronized from the Master when syncing an object (AV/AS/IDP/Certificate/System Configuration), but in fact there should be something in the Master for the device to synchronize with. 1st %s: The syncing object; 2nd %s: The feature name for the syncing object.
  • Page 961 Appendix A Log Descriptions, Table 288 Device HA Logs (continued)
    Log message: Device HA authentication type for VRRP group %s maybe wrong. Description: A VRRP group's Authentication Type (Md5 or IPSec AH) configuration may not match between the Backup and the Master. %s: the name of the VRRP group.
  • Page 962 Appendix A Log Descriptions, Table 289 Routing Protocol Logs
    Log message: RIP on interface %s has been stopped because Device-HA binds this interface. Description: Device-HA is currently running on the interface %s, so all the local services have to be stopped, including RIP. %s: interface name.
  • Page 963 Appendix A Log Descriptions, Table 289 Routing Protocol Logs (continued)
    Log message: RIP md5 authentication id and key have been deleted. Description: RIP md5 authentication id and key have been deleted.
    Log message: RIP global version has been deleted. Description: RIP global version has been deleted.
  • Page 964 Appendix A Log Descriptions, Table 289 Routing Protocol Logs (continued)
    Log message: Invalid OSPF virtual-link %s authentication. Description: Virtual-link %s authentication has been set to same-as-area but the area has invalid authentication configuration. %s: Virtual-Link ID of area %s.
    Log message: (truncated). Description: Invalid OSPF md5 authentication is set on interface %s.
  • Page 965 Appendix A Log Descriptions, Table 290 NAT Logs (continued)
    Log message: Register SIP ALG signal port=%d failed. Description: SIP ALG apply signal port failed. %d: port number.
    Log message: Register H.323 ALG extra port=%d failed. Description: H323 ALG apply additional signal port failed. %d: port number.
    Log message: (truncated). Description: H323 ALG apply signal port failed.
  • Page 966 Appendix A Log Descriptions, Table 291 PKI Logs (continued)
    Log message: SCEP enrollment "%s" successfully, CA "%s", URL "%s"... Description: The device used SCEP to enroll a certificate. 1st %s is a request name, 2nd %s is the CA name, 3rd %s is the URL.
  • Page 967 Appendix A Log Descriptions, Table 291 PKI Logs (continued)
    Log message: Export X509 certificate "%s" from "Trusted Certificate" successfully. Description: The device exported an x509 format certificate from Trusted Certificates. %s is the certificate request name.
    Log message: Export X509 ... (truncated). Description: The device was not able to export an x509 format certificate from My Certificates.
  • Page 968 Appendix A Log Descriptions
    Code descriptions (continued; code values not captured in this excerpt): Database method failed due to timeout. Database method failed. Path was not verified. Maximum path length reached.
    Table 292 Interface Logs
    Log message: Interface %s has been ... (truncated). Description: An administrator deleted an interface. %s is the interface name.
  • Page 969 Appendix A Log Descriptions, Table 292 Interface Logs (continued)
    Log message: Interface %s is enabled. Description: An administrator enabled an interface. %s: interface name.
    Log message: Interface %s is disabled. Description: An administrator disabled an interface. %s: interface name.
    Log message: PPP interface %s MTU > ... (truncated). Description: An administrator configured a PPP interface, ...
  • Page 970 Appendix A Log Descriptions, Table 292 Interface Logs (continued)
    Log message: Interface %s connect failed: MS-CHAP authentication. Description: MS-CHAP authentication failed (the server must support MS-CHAP and verify that the authentication failed; this does not include cases where the server does not support MS-CHAP). %s: interface name.
  • Page 971 Appendix A Log Descriptions, Table 292 Interface Logs (continued)
    Log message: "SIM card has been successfully unlocked by PUK code on interface cellular%d. Description: You entered the correct PUK code and unlocked the SIM card for the cellular device associated with the listed cellular interface (%d).
  • Page 972 Appendix A Log Descriptions, Table 292 Interface Logs (continued)
    Log message: "Cellular device [%s %s] has been removed from %s. Description: The cellular device (identified by its manufacturer and model) has been removed from the specified slot.
    Log message: Interface cellular%d ... (truncated). Description: You need to manually enter the password for the listed cellular interface (%d).
  • Page 973 Appendix A Log Descriptions, Table 295 Force Authentication Logs
    Log message: Force User Authentication will be enabled due to http server is enabled. Description: Force user authentication will be turned on because the HTTP server was turned on.
    Log message: Force User ... (truncated). Description: Force user authentication will be turned off because the HTTP server was turned off.
  • Page 974 Appendix A Log Descriptions, Table 297 DHCP Logs
    Log message: Can't find any lease for this client - %s, DHCP pool full! Description: All of the IP addresses in the DHCP pool are already assigned to DHCP clients, so there is no IP address to give to the listed DHCP client.
  • Page 975 Appendix A Log Descriptions, Table 299 IP-MAC Binding Logs
    Log message: Drop packet %s-%u.%u.%u.%u-%02X:%02X:%02X:%02X:%02X:%02X. Description: The IP-MAC binding feature dropped an Ethernet packet. The interface the packet came in through and the sender's IP address and MAC address are also shown.
    Log message: Cannot bind ip-mac from ... (truncated). Description: The IP-MAC binding feature could not create an IP-MAC...
  • Page 976 Appendix A Log Descriptions, Table 301 EPS Logs
    Log message: Windows security patch check fail in %s. Description: The Windows security patch on a user's computer did not match the specified EPS object.
    Log message: Antivirus check ... (truncated). Description: A user's computer did not match the anti-virus software check in the specified EPS object.
  • Page 977: Appendix B Common Services

    Table 302 Commonly Used Services (name, protocol/port(s), description)
    (name not captured): Border Gateway Protocol.
    BOOTP_CLIENT: DHCP Client.
    BOOTP_SERVER: DHCP Server.
    CU-SEEME, 7648 and 24032: A popular videoconferencing solution from White Pines Software.
    (name and port not captured), TCP/UDP: Domain Name Server, a service that matches web names (for example www.zyxel.com) to IP numbers.
    ZyWALL USG 1000 User's Guide...
  • Page 978: Tcp

    Appendix B Common Services, Table 302 Commonly Used Services (continued) (name, protocol/port(s), description)
    (IPSEC_TUNNEL), User-Defined: The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service.
    FINGER: Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.
  • Page 979 Appendix B Common Services, Table 302 Commonly Used Services (continued) (name, protocol/port(s), description)
    PPTP, 1723: Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the control channel.
    PPTP_TUNNEL (GRE), User-Defined: PPTP (Point-to-Point Tunneling Protocol) enables secure transfer of data over public networks.
  • Page 980 Appendix B Common Services, Table 302 Commonly Used Services (continued) (name, protocol/port(s), description)
    TFTP: Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol).
    VDOLIVE, 7000: Another videoconferencing solution.
  • Page 981: Appendix C Displaying Anti-Virus Alert Messages In Windows

    Appendix C Displaying Anti-Virus Alert Messages in Windows. With the anti-virus packet scan, when a virus is detected, you can have the ZyWALL display an alert message on Microsoft Windows-based computers. If the log shows that virus files are being detected but your Microsoft Windows-based computer is not displaying an alert message, use one of the following procedures to make sure your computer is set to display the messages.
  • Page 982: Windows 2000

    Appendix C Displaying Anti-Virus Alert Messages in Windows Select the Messenger service and click Start. Figure 577 Windows XP: Starting the Messenger Service Close the window when you are done. Windows 2000 Click Start > Settings > Control Panel > Administrative Tools > Services. Figure 578 Windows 2000: Opening the Services Window
  • Page 983 Appendix C Displaying Anti-Virus Alert Messages in Windows Select the Messenger service and click Start Service. Figure 579 Windows 2000: Starting the Messenger Service Close the window when you are done. Windows 98 SE/Me For Windows 98 SE/Me, you must open the WinPopup window in order to view real-time alert messages.
  • Page 984 Appendix C Displaying Anti-Virus Alert Messages in Windows Right-click on the program task bar and click Properties. Figure 581 Windows 98 SE: Program Task Bar Click the Start Menu Programs tab and click Advanced ... Figure 582 Windows 98 SE: Task Bar Properties Double-click Programs and click StartUp.
  • Page 985 Appendix C Displaying Anti-Virus Alert Messages in Windows Right-click in the StartUp pane and click New, Shortcut. Figure 583 Windows 98 SE: StartUp A Create Shortcut window displays. Enter “winpopup” in the Command line field and click Next. Figure 584 Windows 98 SE: Startup: Create Shortcut
  • Page 986 Appendix C Displaying Anti-Virus Alert Messages in Windows Specify a name for the shortcut or accept the default and click Finish. Figure 585 Windows 98 SE: Startup: Select a Title for the Program A shortcut is created in the StartUp pane. Restart the computer when prompted. Figure 586 Windows 98 SE: Startup: Shortcut Note: The WinPopup window displays after the computer finishes the startup process (see...
  • Page 987: Appendix D Importing Certificates

    Many ZyXEL products, such as the ZyWALL, issue their own public key certificates. These can be used by web browsers on a LAN or WAN to verify that they are in fact connecting to the legitimate device and not one masquerading as it.
  • Page 988 Appendix D Importing Certificates If your device’s Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error. Figure 587 Internet Explorer 7: Certification Error Click Continue to this website (not recommended). Figure 588 Internet Explorer 7: Certification Error In the Address Bar, click Certificate Error >...
  • Page 989 Appendix D Importing Certificates In the Certificate dialog box, click Install Certificate. Figure 590 Internet Explorer 7: Certificate In the Certificate Import Wizard, click Next. Figure 591 Internet Explorer 7: Certificate Import Wizard
  • Page 990 Appendix D Importing Certificates If you want Internet Explorer to Automatically select certificate store based on the type of certificate, click Next again and then go to step 9. Figure 592 Internet Explorer 7: Certificate Import Wizard Otherwise, select Place all certificates in the following store and then click Browse.
  • Page 991 Appendix D Importing Certificates In the Select Certificate Store dialog box, choose a location in which to save the certificate and then click OK. Figure 594 Internet Explorer 7: Select Certificate Store In the Completing the Certificate Import Wizard screen, click Finish. Figure 595 Internet Explorer 7: Certificate Import Wizard
  • Page 992 Figure 597 Internet Explorer 7: Certificate Import Wizard 12 The next time you start Internet Explorer and go to a ZyXEL Web Configurator page, a sealed padlock icon appears in the address bar. Click it to view the page’s Website Identification information.
  • Page 993 Appendix D Importing Certificates Installing a Stand-Alone Certificate File in Internet Explorer Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.
  • Page 994 Appendix D Importing Certificates Open Internet Explorer and click Tools > Internet Options. Figure 601 Internet Explorer 7: Tools Menu In the Internet Options dialog box, click Content > Certificates. Figure 602 Internet Explorer 7: Internet Options
  • Page 995 Appendix D Importing Certificates In the Certificates dialog box, click the Trusted Root Certificates Authorities tab, select the certificate that you want to delete, and then click Remove. Figure 603 Internet Explorer 7: Certificates In the Certificates confirmation, click Yes. Figure 604 Internet Explorer 7: Certificates In the Root Certificate Store dialog box, click Yes.
  • Page 996 Appendix D Importing Certificates The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. Firefox The following example uses Mozilla Firefox 2 on Windows XP Professional; however, the screens can also apply to Firefox 2 on all platforms. If your device’s Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.
  • Page 997 Figure 607 Firefox 2: Page Info Installing a Stand-Alone Certificate File in Firefox Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.
  • Page 998 Appendix D Importing Certificates Open Firefox and click Tools > Options. Figure 608 Firefox 2: Tools Menu In the Options dialog box, click Advanced > Encryption > View Certificates. Figure 609 Firefox 2: Options
  • Page 999 Appendix D Importing Certificates In the Certificate Manager dialog box, click Web Sites > Import. Figure 610 Firefox 2: Certificate Manager Use the Select File dialog box to locate the certificate and then click Open. Figure 611 Firefox 2: Select File The next time you visit the web site, click the padlock in the address bar to open the Page Info >...
  • Page 1000 Appendix D Importing Certificates Removing a Certificate in Firefox This section shows you how to remove a public key certificate in Firefox 2. Open Firefox and click Tools > Options. Figure 612 Firefox 2: Tools Menu In the Options dialog box, click Advanced > Encryption > View Certificates. Figure 613 Firefox 2: Options
  • Page 1001 Appendix D Importing Certificates In the Certificate Manager dialog box, select the Web Sites tab, select the certificate that you want to remove, and then click Delete. Figure 614 Firefox 2: Certificate Manager In the Delete Web Site Certificates dialog box, click OK. Figure 615 Firefox 2: Delete Web Site Certificates The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
  • Page 1002 Appendix D Importing Certificates If your device’s Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error. Click Install to accept the certificate. Figure 616 Opera 9: Certificate signer not found The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page’s security details.
  • Page 1003 Appendix D Importing Certificates Installing a Stand-Alone Certificate File in Opera Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.

This manual is also suitable for:

Zywall 1050