ZyXEL Communications ZyWALL USG 200 Series User Manual

Unified security gateway

ZyWALL USG 100/200 Series
Unified Security Gateway

Default Login Details
LAN1 Port: P4
IP Address: https://192.168.1.1
User Name: admin
Password: 1234

Firmware Version 2.20
Edition 1, 2/2010
www.zyxel.com
Copyright © 2010 ZyXEL Communications Corporation


Summary of Contents for ZyXEL Communications ZyWALL USG 200 Series

  • Page 3: About This User's Guide

    About This User's Guide Intended Audience This manual is intended for people who want to configure the ZyWALL using the Web Configurator. How To Use This Guide • Read Chapter 1 on page 33 for an overview of the features available on the ZyWALL.
  • Page 4 Documentation Feedback Send your comments, questions or suggestions to: techwriters@zyxel.com.tw Thank you! The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 30099, Taiwan. Need More Help? More help is available at www.zyxel.com.
  • Page 5 About This User's Guide See http://www.zyxel.com/web/contact_us.php for contact information. Please have the following information ready when you contact an office. • Product model and serial number. • Warranty Information. • Date that you received your device. • Brief description of the problem and the steps you took to solve it. Disclaimer Graphics in this book may differ slightly from the product due to differences in operating systems, operating system versions, or if you installed updated...
  • Page 6: Document Conventions

    Document Conventions Warnings and Notes This is how warnings and notes are shown in this User’s Guide. Warnings tell you about things that could harm you or your device. Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
  • Page 7 Document Conventions Icons Used in Figures Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. ZyWALL Computer Notebook computer Server Firewall Telephone Switch Router ZyWALL USG 100/200 Series User’s Guide...
  • Page 8: Safety Warnings

    Safety Warnings • Do NOT use this product near water, for example, in a wet basement or near a swimming pool. • Do NOT expose your device to dampness, dust or corrosive liquids. • Do NOT store things on the device. •...
  • Page 9: Table Of Contents

    Contents Overview Contents Overview User’s Guide ........................... 31 Introducing the ZyWALL ......................33 Features and Applications ......................39 Web Configurator ........................47 Installation Setup Wizard ......................63 Quick Setup ..........................73 Configuration Basics ........................91 Tutorials ...........................115 L2TP VPN Example ......................... 185 Technical Reference ......................
  • Page 10 Contents Overview Content Filtering ........................649 Content Filter Reports ......................673 Anti-Spam ..........................681 Device HA ..........................699 User/Group ..........................721 Addresses ..........................737 Services ........................... 743 Schedules ..........................749 AAA Server ..........................755 Authentication Method ......................765 Certificates ..........................771 ISP Accounts ...........................
  • Page 11: Table Of Contents

    Table of Contents Table of Contents About This User's Guide ......................3 Document Conventions......................6 Safety Warnings........................8 Contents Overview ........................9 Table of Contents........................11 Part I: User’s Guide................31 Chapter 1 Introducing the ZyWALL ......................33 1.1 Overview and Key Default Settings ..................33 1.2 Rack-mounted Installation ....................
  • Page 12 Table of Contents 3.3.2 Navigation Panel ......................50 3.3.3 Main Window ......................57 3.3.4 Tables and Lists ......................59 Chapter 4 Installation Setup Wizard ....................... 63 4.1 Installation Setup Wizard Screens ..................63 4.1.1 Internet Access Setup - WAN Interface ..............64 4.1.2 Internet Access: Ethernet ..................
  • Page 13 Table of Contents 6.3 Terminology in the ZyWALL ....................95 6.4 Packet Flow ......................... 97 6.4.1 ZLD 2.20 Packet Flow Enhancements ............... 97 6.4.2 Routing Table Checking Flow Enhancements ............98 6.4.3 NAT Table Checking Flow ..................99 6.5 Feature Configuration Overview ..................100 6.5.1 Feature ........................
  • Page 14 Table of Contents 7.1.2 Configure the OPT Interface for a Local Network .............117 7.1.3 Configure Zones ......................118 7.1.4 Configure Port Roles ....................119 7.2 How to Configure a Cellular Interface ................120 7.3 How to Configure Load Balancing ..................122 7.3.1 Set Up Available Bandwidth on Ethernet Interfaces ..........122 7.3.2 Configure the WAN Trunk ..................
  • Page 15 Table of Contents 7.14 How to Use Multiple Static Public WAN IP Addresses for LAN to WAN Traffic ....176 7.14.1 Create the Public IP Address Range Object ............176 7.14.2 Configure the Policy Route ..................177 7.15 How to Use Active-Passive Device HA ................177 7.15.1 Before You Start .....................
  • Page 16 Table of Contents 10.3 Interface Status Screen ....................241 10.4 The Traffic Statistics Screen .................... 244 10.5 The Session Monitor Screen ..................247 10.6 The DDNS Status Screen ....................250 10.7 IP/MAC Binding Monitor ....................250 10.8 The Login Users Screen ....................252 10.9 WLAN Interface Station Monitor Screen ................
  • Page 17 Table of Contents 13.1 Interface Overview ......................291 13.1.1 What You Can Do in this Chapter ................291 13.1.2 What You Need to Know ..................292 13.2 Port Role ......................... 295 13.3 Ethernet Summary Screen ....................296 13.3.1 Ethernet Edit ......................298 13.3.2 Object References ....................
  • Page 18 Table of Contents 15.1.1 What You Can Do in this Chapter ................377 15.1.2 What You Need to Know ..................378 15.2 Policy Route Screen ......................380 15.2.1 Policy Route Edit Screen ..................383 15.3 IP Static Route Screen ....................387 15.3.1 Static Route Add/Edit Screen .................
  • Page 19 Table of Contents 19.3 NAT Technical Reference ....................423 Chapter 20 HTTP Redirect ........................427 20.1 Overview .......................... 427 20.1.1 What You Can Do in this Chapter ................427 20.1.2 What You Need to Know ..................428 20.2 The HTTP Redirect Screen ..................... 429 20.2.1 The HTTP Redirect Edit Screen ................
  • Page 20 Table of Contents 24.1.4 Firewall Rule Configuration Example ..............459 24.2 The Firewall Screen ......................461 24.2.1 Configuring the Firewall Screen ................462 24.2.2 The Firewall Add/Edit Screen ................. 465 24.3 The Session Limit Screen ....................466 24.3.1 The Session Limit Add/Edit Screen ................ 468 Chapter 25 IPSec VPN..........................
  • Page 21 Table of Contents Chapter 28 SSL User Application Screens .................... 535 28.1 SSL User Application Screens Overview ................ 535 28.2 The Application Screen ....................535 Chapter 29 SSL User File Sharing ......................537 29.1 Overview .......................... 537 29.1.1 What You Need to Know ..................537 29.2 The Main File Sharing Screen ..................
  • Page 22 Table of Contents 32.3.2 The Application Patrol Policy Edit Screen ............. 569 32.4 The Other Applications Screen ..................572 32.4.1 The Other Applications Add/Edit Screen ..............575 Chapter 33 Anti-Virus..........................579 33.1 Overview .......................... 579 33.1.1 What You Can Do in this Chapter ................579 33.1.2 What You Need to Know ..................
  • Page 23 Table of Contents 34.9 IDP Technical Reference ....................626 Chapter 35 ADP ............................629 35.1 Overview .......................... 629 35.1.1 ADP and IDP Comparison ..................629 35.1.2 What You Can Do in this Chapter ................. 629 35.1.3 What You Need To Know ..................629 35.1.4 Before You Begin ....................
  • Page 24 Table of Contents 38.2 Before You Begin ......................683 38.3 The Anti-Spam General Screen ..................683 38.3.1 The Anti-Spam Policy Add or Edit Screen .............. 685 38.4 The Anti-Spam Black List Screen ..................687 38.4.1 The Anti-Spam Black or White List Add/Edit Screen ..........689 38.4.2 Regular Expressions in Black or White List Entries ..........
  • Page 25 Table of Contents 41.2 Address Summary Screen ....................737 41.2.1 Address Add/Edit Screen ..................739 41.3 Address Group Summary Screen ..................740 41.3.1 Address Group Add/Edit Screen ................741 Chapter 42 Services ..........................743 42.1 Overview .......................... 743 42.1.1 What You Can Do in this Chapter ................743 42.1.2 What You Need to Know ..................
  • Page 26 Table of Contents 45.2 Authentication Method Objects ..................766 45.2.1 Creating an Authentication Method Object ............767 Chapter 46 Certificates ..........................771 46.1 Overview .......................... 771 46.1.1 What You Can Do in this Chapter ................771 46.1.2 What You Need to Know ..................771 46.1.3 Verifying a Certificate .....................
  • Page 27 Table of Contents Chapter 50 System ..........................815 50.1 Overview .......................... 815 50.1.1 What You Can Do in this Chapter ................815 50.2 Host Name ........................816 50.3 Date and Time ........................ 817 50.3.1 Pre-defined NTP Time Servers List ................ 819 50.3.2 Time Server Synchronization .................
  • Page 28 Table of Contents 50.11.1 Configuring Dial-in Mgmt ..................860 50.12 Vantage CNM ....................... 861 50.12.1 Configuring Vantage CNM ................... 862 50.13 Language Screen ......................864 Chapter 51 Log and Report ........................865 51.1 Overview .......................... 865 51.1.1 What You Can Do In this Chapter ................865 51.2 Email Daily Report ......................
  • Page 29 Table of Contents 55.1.1 What You Need To Know ..................901 55.2 The Shutdown Screen ..................... 901 Chapter 56 Troubleshooting........................903 56.1 Resetting the ZyWALL ..................... 920 56.2 Getting More Troubleshooting Help ................. 921 Chapter 57 Product Specifications ......................923 57.1 3G or WLAN PCMCIA Card Installation ................
  • Page 31: User's Guide

    User’s Guide...
  • Page 33: Introducing The Zywall

    Chapter 1 Introducing the ZyWALL This chapter gives an overview of the ZyWALL. It explains the front panel ports and LEDs, introduces the management methods, and lists different ways to start or stop the ZyWALL. 1.1 Overview and Key Default Settings The ZyWALL is a comprehensive security device.
  • Page 34: Rack-Mounted Installation

    Chapter 1 Introducing the ZyWALL 1.2 Rack-mounted Installation The ZyWALL can be mounted on an EIA standard size, 19-inch rack or in a wiring closet with other equipment. Follow the steps below to mount your ZyWALL on a standard EIA rack using a rack-mounting kit. Make sure the rack will safely support the combined weight of all the equipment it contains and that the position of the ZyWALL does not make the rack unstable or top-heavy.
  • Page 35: Front Panel

    Chapter 1 Introducing the ZyWALL After attaching both mounting brackets, position the ZyWALL in the rack by lining up the holes in the brackets with the appropriate holes on the rack. Secure the ZyWALL to the rack with the rack-mounting screws. Figure 2 Rack Mounting 1.3 Front Panel This section introduces the ZyWALL’s front panel.
  • Page 36: Front Panel Leds

    Chapter 1 Introducing the ZyWALL 1.3.1 Front Panel LEDs The following table describes the LEDs. Table 1 Front Panel LEDs COLOR STATUS DESCRIPTION The ZyWALL is turned off. Green The ZyWALL is turned on. There is a hardware component failure. Shut down the device, wait for a few minutes and then restart the device (see Section 1.5 on page...
  • Page 37: Starting And Stopping The Zywall

    Chapter 1 Introducing the ZyWALL Web Configurator The Web Configurator allows easy ZyWALL setup and management using an Internet browser. This User’s Guide provides information about the Web Configurator. Figure 4 Managing the ZyWALL: Web Configurator Command-Line Interface (CLI) The CLI allows you to use text-based commands to configure the ZyWALL. You can access it using remote management (for example, SSH or Telnet) or via the console port.
  • Page 38 Chapter 1 Introducing the ZyWALL Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the ZyWALL or remove the power. Not doing so can cause the firmware to become corrupt. Table 3 Starting and Stopping the ZyWALL METHOD DESCRIPTION Turning on the...
  • Page 39: Features And Applications

    Chapter 2 Features and Applications This chapter introduces the main features and applications of the ZyWALL. 2.1 Features The ZyWALL’s security features include VPN, firewall, anti-virus, content filtering, IDP (Intrusion Detection and Prevention), ADP (Anomaly Detection and Protection), and certificates.
  • Page 40 Chapter 2 Features and Applications Firewall The ZyWALL’s firewall is a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It can also inspect sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.
  • Page 41: Applications

    Chapter 2 Features and Applications Anti-Virus Scanner With the anti-virus packet scanner, your ZyWALL scans files transmitted through the enabled interfaces into the network. The ZyWALL helps stop threats at the network edge before they reach the local host computers. Anti-Spam The anti-spam feature can mark or discard spam.
  • Page 42: Vpn Connectivity

    Chapter 2 Features and Applications 2.2.1 VPN Connectivity Set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to provide secure access to your network. You can also set up additional connections to the Internet to provide better service. Figure 5 Applications: VPN Connectivity 2.2.2 SSL VPN Network Access You can configure the ZyWALL to provide SSL VPN network access to remote...
  • Page 43: Full Tunnel Mode

    Chapter 2 Features and Applications You do not have to install additional client software on the remote user computers for access. Figure 6 Network Access Mode: Reverse Proxy (figure labels: LAN (192.168.1.X), https://, Web Mail, File Share, Web-based Application) 2.2.2.2 Full Tunnel Mode In full tunnel mode, a virtual connection is created for remote users with private IP addresses in the same subnet as the local network.
  • Page 44: User-Aware Access Control

    Chapter 2 Features and Applications 2.2.3 User-Aware Access Control Set up security policies that restrict access to sensitive information and shared resources based on the user who is trying to access it. Figure 8 Applications: User-Aware Access Control 2.2.4 Multiple WAN Interfaces Set up multiple connections to the Internet on the same port, or set up multiple connections on different ports.
  • Page 45: Device Ha

    Chapter 2 Features and Applications 2.2.5 Device HA Set up an additional ZyWALL as a backup gateway to ensure the default gateway is always available for the network. Figure 10 Applications: Device HA ZyWALL USG 100/200 Series User’s Guide...
  • Page 47: Web Configurator

    Chapter 3 Web Configurator The ZyWALL Web Configurator allows easy ZyWALL setup and management using an Internet browser. Unless otherwise specified, the ZyWALL USG 200 screens are shown. 3.1 Web Configurator Requirements In order to use the Web Configurator, you must •...
  • Page 48 Chapter 3 Web Configurator Open your web browser, and go to http://192.168.1.1. By default, the ZyWALL automatically routes this request to its HTTPS server, and it is recommended to keep this setting. The Login screen appears. Figure 11 Login Screen Type the user name (default: “admin”) and password (default: “1234”).
  • Page 49: Web Configurator Screens Overview

    Chapter 3 Web Configurator The screen above appears every time you log in using the default user name and default password. If you change the password for the default user account, this screen does not appear anymore. Follow the directions in this screen. If you change the default password, the Login screen (Figure 11 on page 48) appears after you click Apply.
  • Page 50: Title Bar

    Chapter 3 Web Configurator • C - main window 3.3.1 Title Bar The title bar provides some icons in the upper right corner. Figure 14 Title Bar The icons provide the following functions. Table 4 Title Bar: Web Configurator Icons LABEL DESCRIPTION Logout...
  • Page 51: Monitor Menu

    Chapter 3 Web Configurator hide the navigation panel menus or drag it to resize them. The following sections introduce the ZyWALL’s navigation panel menus and their screens. Figure 15 Navigation Panel 3.3.2.1 Dashboard The dashboard displays general device information, system status, system resource usage, licensed service status, and interface status in widgets that you can re-arrange to suit your needs.
  • Page 52: Idp

    Chapter 3 Web Configurator Table 5 Monitor Menu Screens Summary (continued) (FOLDER OR LINK: FUNCTION) Cellular Status: Displays details about the ZyWALL’s 3G connection status. AppPatrol Statistics: Displays bandwidth and protocol statistics. VPN Monitor IPSec: Displays and manages the active IPSec SAs. Lists users currently logged into the VPN SSL client portal.
  • Page 53 Chapter 3 Web Configurator Table 6 Configuration Menu Screens Summary (continued) FOLDER OR FUNCTION LINK Interface Port Role Use this screen to set the ZyWALL’s flexible ports as LAN1, WLAN, or DMZ. Ethernet Manage Ethernet interfaces and virtual Ethernet interfaces. Create and manage PPPoE and PPTP interfaces.
  • Page 54: Ssl Vpn

    Chapter 3 Web Configurator Table 6 Configuration Menu Screens Summary (continued) (FOLDER OR LINK: FUNCTION) SSL VPN Access Privilege: Configure SSL VPN access rights for users and groups. Global Setting: Configure the ZyWALL’s SSL VPN settings that apply to all connections. L2TP VPN: Configure L2TP Over IPSec VPN settings.
  • Page 55 Chapter 3 Web Configurator Table 6 Configuration Menu Screens Summary (continued) FOLDER OR FUNCTION LINK Device HA General Configure device HA global settings, and see the status of each interface monitored by device HA. Active-Passive Configure active-passive mode device HA. Mode Legacy Mode Configure legacy mode device HA for use with...
  • Page 56 Chapter 3 Web Configurator Table 6 Configuration Menu Screens Summary (continued) FOLDER OR FUNCTION LINK Console Set the console speed. Speed Configure the DNS server and address records for the ZyWALL. Service Control Configure HTTP, HTTPS, and general authentication. Login Page Configure how the login and access user screens look.
  • Page 57: Main Window

    Chapter 3 Web Configurator 3.3.3 Main Window The main window shows the screen you select in the navigation panel. The main window screens are discussed in the rest of this document. Right after you log in, the Dashboard screen is displayed. See Chapter 9 on page for more information about the Dashboard screen.
  • Page 58 Chapter 3 Web Configurator settings reference the object. The following example shows which configuration settings reference the ldap-users user object (in this case the first firewall rule). Figure 18 Object Reference The fields vary with the type of object. The following table describes labels that can appear in this screen.
  • Page 59: Tables And Lists

    Chapter 3 Web Configurator 3.3.3.4 CLI Messages Click CLI to look at the CLI commands sent by the Web Configurator. These commands appear in a popup window, such as the following. Figure 19 CLI Messages Click Clear to remove the currently displayed information. See the Command Reference Guide for information about the commands.
  • Page 60 Chapter 3 Web Configurator • Sort in ascending alphabetical order • Sort in descending (reverse) alphabetical order • Select which columns to display • Group entries by field • Show entries in groups • Filter by mathematical operators (<, >, or =) or searching for text Figure 21 Common Table Column Options Select a column heading cell’s right border and drag to re-size the column.
  • Page 61: Working With Table Entries

    Chapter 3 Web Configurator Select a column heading and drag and drop it to change the column order. A green check mark displays next to the column’s title when you drag the column to a valid new location. Figure 23 Changing the Column Order Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how many entries display at a time.
  • Page 62 Chapter 3 Web Configurator Here are descriptions for the most common table icons. Table 9 Common Table Icons LABEL DESCRIPTION Click this to create a new entry. For features where the entry’s position in the numbered list is important (features where the ZyWALL applies the table’s entries in order like the firewall for example), you can select an entry and click Add to create a new entry after the selected entry.
  • Page 63: Installation Setup Wizard

    Chapter 4 Installation Setup Wizard 4.1 Installation Setup Wizard Screens If you log into the Web Configurator when the ZyWALL is using its default configuration, the first Installation Setup Wizard screen displays. This wizard helps you configure Internet connection settings and activate subscription services.
  • Page 64: Internet Access Setup - Wan Interface

    Chapter 4 Installation Setup Wizard 4.1.1 Internet Access Setup - WAN Interface Use this screen to set how many WAN interfaces to configure and the first WAN interface’s type of encapsulation and method of IP address assignment. The screens vary depending on the encapsulation type. Refer to information provided by your ISP to know what to enter in each field.
  • Page 65 Chapter 4 Installation Setup Wizard Note: Enter the Internet access information exactly as given to you by your ISP. Figure 29 Internet Access: Ethernet Encapsulation • Encapsulation: This displays the type of Internet connection you are configuring. • First WAN Interface: This is the number of the interface that will connect with your ISP.
  • Page 66: Internet Access: Pppoe

    Chapter 4 Installation Setup Wizard 4.1.3 Internet Access: PPPoE Note: Enter the Internet access information exactly as given to you by your ISP. Figure 30 Internet Access: PPPoE Encapsulation 4.1.3.1 ISP Parameters • Type the PPPoE Service Name from your service provider. PPPoE uses a service name to identify and reach the PPPoE server.
  • Page 67: Internet Access: Pptp

    Chapter 4 Installation Setup Wizard 4.1.3.2 WAN IP Address Assignments • WAN Interface: This is the name of the interface that will connect with your ISP. • Zone: This is the security zone to which this interface and Internet connection will belong.
  • Page 68: Isp Parameters

    Chapter 4 Installation Setup Wizard 4.1.5 ISP Parameters • Authentication Type - Select an authentication protocol for outgoing calls. Options are: • CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by the remote node. • CHAP - Your ZyWALL accepts CHAP only. •...
  • Page 69: Internet Access Setup - Second Wan Interface

    Chapter 4 Installation Setup Wizard 4.1.6 Internet Access Setup - Second WAN Interface If you selected I have two ISPs, after you configure the First WAN Interface, you can configure the Second WAN Interface. The screens for configuring the second WAN interface are similar to the first (see Section 4.1.1 on page 64).
  • Page 70: Internet Access - Finish

    Chapter 4 Installation Setup Wizard 4.1.7 Internet Access - Finish You have set up your ZyWALL to access the Internet. After configuring the WAN interface(s), a screen displays with your settings. If they are not correct, click Back. Figure 33 Internet Access: Ethernet Encapsulation Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP.
  • Page 71 Chapter 4 Installation Setup Wizard Use the Registration > Service screen to update your service subscription status. Figure 34 Registration • Select new myZyXEL.com account if you haven’t created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your ZyWALL.
  • Page 72 Chapter 4 Installation Setup Wizard • Trial Service Activation: You can try a trial service subscription. The trial period starts the day you activate the trial. After the trial expires, you can buy an iCard and enter the license key in the Registration > Service screen to extend the service.
  • Page 73: Quick Setup

    Chapter 5 Quick Setup 5.1 Quick Setup Overview The Web Configurator's quick setup wizards help you configure Internet and VPN connection settings. This chapter provides information on configuring the quick setup screens in the Web Configurator. See the feature-specific chapters in this User’s Guide for background information.
  • Page 74: Wan Interface Quick Setup

    Chapter 5 Quick Setup 5.2 WAN Interface Quick Setup Click WAN Interface in the main Quick Setup screen to open the WAN Interface Quick Setup Wizard Welcome screen. Use these screens to configure an interface to connect to the internet. Click Next. Figure 37 WAN Interface Quick Setup Wizard 5.2.1 Choose an Ethernet Interface Select the Ethernet interface that you want to configure for a WAN connection and...
  • Page 75: Configure Wan Settings

    Chapter 5 Quick Setup Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your ISP. Figure 39 WAN Interface Setup: Step 2 The screens vary depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information.
  • Page 76: Wan And Isp Connection Settings

    Chapter 5 Quick Setup • IP Address Assignment: Select Auto if your ISP did not assign you a fixed IP address. Select Static if the ISP assigned a fixed IP address. 5.2.4 WAN and ISP Connection Settings Use this screen to configure the ISP and WAN interface settings. This screen is read-only if you set the IP Address Assignment to Static.
  • Page 77 Chapter 5 Quick Setup Table 10 WAN and ISP Connection Settings (continued) LABEL DESCRIPTION Authentication Use the drop-down list box to select an authentication protocol for Type outgoing calls. Options are: CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by this remote node.
  • Page 78: Quick Setup Interface Wizard: Summary

    Chapter 5 Quick Setup Table 10 WAN and ISP Connection Settings (continued) (LABEL: DESCRIPTION) First DNS Server / Second DNS Server: These fields only display for an interface with a static IP address. Enter the DNS server IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS...
  • Page 79: Vpn Quick Setup

    Chapter 5 Quick Setup Table 11 Interface Wizard: Summary WAN (LABEL: DESCRIPTION) User Name: This is the user name given to you by your ISP. Nailed-Up: If No displays, the connection will not time out. Yes means the ZyWALL uses the idle timeout. Idle Timeout: This is how many seconds the connection can be idle before the router automatically disconnects from the PPPoE server.
  • Page 80: Vpn Setup Wizard: Wizard Type

    Chapter 5 Quick Setup 5.4 VPN Setup Wizard: Wizard Type A VPN (Virtual Private Network) tunnel is a secure connection to another computer or network. Use this screen to select which type of VPN connection you want to configure. Figure 44 VPN Setup Wizard: Wizard Type Express: Use this wizard to create a VPN connection with another ZLD-based ZyWALL using a pre-shared key and default security settings.
  • Page 81: Vpn Express Wizard - Scenario

    Chapter 5 Quick Setup 5.5 VPN Express Wizard - Scenario Click the Express radio button as shown in Figure 44 on page 80 to display the following screen. Figure 45 VPN Express Wizard: Step 2 Rule Name: Type the name used to identify this VPN connection (and VPN gateway).
  • Page 82: Vpn Express Wizard - Configuration

    Chapter 5 Quick Setup 5.5.1 VPN Express Wizard - Configuration Figure 46 VPN Express Wizard: Step 3 • Secure Gateway: If Any displays in this field, it is not configurable for the chosen scenario. If this field is configurable, enter the WAN IP address or domain name of the remote IPSec device (secure gateway) to identify the remote IPSec router.
  • Page 83: Vpn Express Wizard - Summary

    Chapter 5 Quick Setup 5.5.2 VPN Express Wizard - Summary This screen provides a read-only summary of the VPN tunnel’s configuration and also commands that you can copy and paste into another ZLD-based ZyWALL’s command line interface to configure it. Figure 47 VPN Express Wizard: Step 4 •...
  • Page 84: Vpn Express Wizard - Finish

    Chapter 5 Quick Setup 5.5.3 VPN Express Wizard - Finish Now you can use the VPN tunnel. Figure 48 VPN Express Wizard: Step 6 Note: If you have not already done so, use the myZyXEL.com link and register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Click Close to exit the wizard.
  • Page 85: Vpn Advanced Wizard - Scenario

    Chapter 5 Quick Setup 5.5.4 VPN Advanced Wizard - Scenario Click the Advanced radio button as shown in Figure 44 on page 80 to display the following screen. Figure 49 VPN Advanced Wizard: Scenario Rule Name: Type the name used to identify this VPN connection (and VPN gateway).
  • Page 86: Vpn Advanced Wizard - Phase 1 Settings

    Chapter 5 Quick Setup • Remote Access (Client Role) - Choose this to connect to an IPSec server. This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel. 5.5.5 VPN Advanced Wizard - Phase 1 Settings There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange).
  • Page 87 Chapter 5 Quick Setup that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. AES128 uses a 128-bit key and is faster than 3DES. AES192 uses a 192-bit key and AES256 uses a 256-bit key.
  • Page 88: Vpn Advanced Wizard - Phase 2

    Chapter 5 Quick Setup 5.5.6 VPN Advanced Wizard - Phase 2 Phase 2 of an IKE negotiation uses the SA that was established in phase 1 to negotiate SAs for IPSec. Figure 51 VPN Advanced Wizard: Step 4 • Active Protocol: ESP is compatible with NAT, AH is not. •...
  • Page 89: Vpn Advanced Wizard - Summary

    Chapter 5 Quick Setup • Nailed-Up: This displays for the site-to-site and remote access client role scenarios. Select this to have the ZyWALL automatically renegotiate the IPSec SA when the SA life time expires. 5.5.7 VPN Advanced Wizard - Summary This is a read-only summary of the VPN tunnel settings.
  • Page 90: Vpn Advanced Wizard - Finish

    Chapter 5 Quick Setup 5.5.8 VPN Advanced Wizard - Finish Now you can use the VPN tunnel. Figure 53 VPN Wizard: Step 6: Advanced Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Click Close to exit the wizard.
  • Page 91: Configuration Basics

    Chapter 6 Configuration Basics This information is provided to help you configure the ZyWALL effectively. Some of it is helpful when you are just getting started. Some of it is provided for your reference when you configure various features in the ZyWALL. •...
  • Page 92: Zones, Interfaces, And Physical Ports

    Chapter 6 Configuration Basics objects whenever the interface’s IP address settings change. For example, if you change an Ethernet interface’s IP address, the ZyWALL automatically updates the rules or settings that use the interface-based, LAN subnet address object. You can use the Configuration > Objects screens to create objects before you configure features that use them.
  • Page 93: Interface Types

    Chapter 6 Configuration Basics Table 12 Zones, Interfaces, and Physical Ethernet Ports Zones (WAN, OPT, LAN, DMZ): A zone is a group of interfaces and VPN tunnels. Use zones to apply security settings such as firewall, IDP, remote management, anti-virus, and application patrol. You can change the opt interface to be part of a different zone.
  • Page 94: Default Interface And Zone Configuration

    Chapter 6 Configuration Basics 6.2.2 Default Interface and Zone Configuration This section introduces the ZyWALL’s default zone member physical interfaces and the default configuration of those interfaces. The following figure uses letters to denote public IP addresses or part of a private IP address. Figure 56 Default Network Topology Table 13 ZyWALL USG 200 Default Port, Interface, and Zone Configuration IP ADDRESS AND DHCP...
  • Page 95: Terminology In The Zywall

    Chapter 6 Configuration Basics Table 14 ZyWALL USG 100 Default Port, Interface, and Zone Configuration (columns: PORT, INTERFACE, ZONE, IP ADDRESS AND DHCP SETTINGS, SUGGESTED USE WITH DEFAULT SETTINGS) P1, P2: wan1, wan2, WAN, DHCP clients, Connections to the Internet. P3, P4: lan1, LAN1, 192.168.1.1, DHCP...
  • Page 96 Chapter 6 Configuration Basics Table 15 ZLD ZyWALL Terminology That is Different Than ZyNOS (continued) (ZYNOS FEATURE / TERM: ZLD ZYWALL FEATURE / TERM) Network policy (IPSec SA): VPN connection. Hub-and-spoke VPN: (VPN) concentrator. Table 16 ZLD ZyWALL Terminology That Might Be Different Than Other Products (FEATURE / TERM: ZLD ZYWALL FEATURE / TERM) Source NAT (SNAT)...
  • Page 97: Packet Flow

    Chapter 6 Configuration Basics 6.4 Packet Flow Here is the order in which the ZyWALL applies its features and checks. Figure 57 Packet Flow 6.4.1 ZLD 2.20 Packet Flow Enhancements ZLD version 2.20 has been enhanced to simplify configuration. The packet flow has been changed as follows: •...
  • Page 98: Routing Table Checking Flow Enhancements

    Chapter 6 Configuration Basics • You do not need to set up policy routes for 1:1 NAT entries. • You can create Many 1:1 NAT entries to translate a range of private network addresses to a range of public IP addresses. •...
  • Page 99: Nat Table Checking Flow

    Chapter 6 Configuration Basics Policy Routes: These are the user-configured policy routes. Configure policy routes to send packets through the appropriate interface or VPN tunnel. See Chapter 15 on page 377 for more on policy routes. 1 to 1 and Many 1 to 1 NAT: These are the 1 to 1 NAT and many 1 to 1 NAT rules.
  • Page 100: Feature Configuration Overview

    Chapter 6 Configuration Basics ZyWALL stops checking the packets against the NAT table and moves on to bandwidth management. Figure 59 NAT Table Checking Flow SNAT defined in the policy routes. This was already in ZLD 2.1x. 1 to 1 SNAT (including Many 1 to 1) is also included in the NAT table. NAT loopback is now included in the NAT table instead of requiring a separate policy route.
  • Page 101: Feature

    Chapter 6 Configuration Basics 6.5.1 Feature: This provides a brief description. See the appropriate chapter(s) in this User’s Guide for more information about any feature. MENU ITEM(S): This shows you the sequence of menu items and tabs you should click to find the main screen(s) for this feature. See the web help or the related User’s Guide chapter for information about each screen.
  • Page 102: Interface

    Chapter 6 Configuration Basics subscription to update the anti-virus and IDP/application patrol signatures. You must have Internet access to myZyXEL.com. MENU ITEM(S): Configuration > Licensing > Update. PREREQUISITES: Registration (for anti-virus and IDP/application patrol), Internet access to myZyXEL.com. 6.5.4 Interface See Section 6.2 on page 92 for background information.
  • Page 103 Chapter 6 Configuration Basics and general NAT on the source address. You have to set up the criteria, next-hops, and NAT settings first. MENU ITEM(S): Configuration > Network > Routing > Policy Route. Criteria: users, user groups, interfaces (incoming), IPSec VPN (incoming), addresses (source, destination), address groups (source, destination), schedules, services, service groups. Next-hop: addresses (HOST gateway), IPSec VPN, SSL VPN, trunks,...
  • Page 104: Static Routes

    Chapter 6 Configuration Basics 6.5.7 Static Routes Use static routes to tell the ZyWALL about networks not directly connected to the ZyWALL. MENU ITEM(S): Configuration > Network > Routing > Static Route. PREREQUISITES: Interfaces. 6.5.8 Zones See Section 6.2 on page 92 for background information.
  • Page 105: Http Redirect

    Chapter 6 Configuration Basics The ZyWALL only checks regular (through-ZyWALL) firewall rules for packets that are redirected by NAT; it does not check the to-ZyWALL firewall rules. MENU ITEM(S): Configuration > Network > NAT. PREREQUISITES: Interfaces, addresses (HOST). Example: Suppose you have an FTP server with a private IP address connected to a DMZ port.
  • Page 106: Alg

    Chapter 6 Configuration Basics Name the entry. Select the interface from which you want to redirect incoming HTTP requests (lan1). Specify the IP address of the HTTP proxy server. Specify the port number to use for the HTTP traffic that you forward to the proxy server.
  • Page 107: Ipsec Vpn

    Chapter 6 Configuration Basics Example: Suppose you have a SIP proxy server connected to the DMZ zone for VoIP calls. You could configure a firewall rule to allow VoIP sessions from the SIP proxy server on DMZ to the LAN so VoIP users on the LAN can receive calls. Create a VoIP service object for UDP port 5060 traffic (Configuration >...
  • Page 108: L2Tp Vpn

    Chapter 6 Configuration Basics WHERE USED: Policy routes, zones. Example: See Chapter 7 on page 115. 6.5.17 L2TP VPN Use L2TP VPN to let remote users use the L2TP and IPSec client software included with their computers’ operating systems to securely connect to the network behind the ZyWALL.
  • Page 109: Anti-Virus

    Chapter 6 Configuration Basics Note: With this example, Bob would have to log in using his account. If you do not want him to have to log in, you might create an exception policy with Bob’s computer IP address as the source. 6.5.19 Anti-Virus Use anti-virus to detect and take action on viruses.
  • Page 110: Anti-Spam

    Chapter 6 Configuration Basics Create a user account for Bill if you have not done so already (Configuration > Object > User/Group). Create a schedule for the work day (Configuration > Object > Schedule). Click Configuration > Anti-X > Content Filter > Filter Profile. Click the Add icon to go to the screen where you can configure a category-based profile.
  • Page 111: Objects

    Chapter 6 Configuration Basics 6.6 Objects Objects store information and are referenced by other features. If you update this information in response to changes, the ZyWALL automatically propagates the change through the features that use the object. Move your cursor over a configuration object that has a magnifying-glass icon (such as a user group, address, address group, service, service group, zone, or schedule) to display basic information about the object.
  • Page 112: System

    Chapter 6 Configuration Basics Table 20 User Types (TYPE: ABILITIES) guest: Access network services. ext-user: The same as a user or a guest except the ZyWALL looks for the specific type in an external authentication server. If the type is not available, the ZyWALL applies default settings.
  • Page 113: Logs And Reports

    Chapter 6 Configuration Basics Create an address object for the administrator’s computer (Configuration > Object > Address). Click Configuration > System > WWW to configure the HTTP management access. Enable HTTPS and add an administrator service control entry. • Select the address object for the administrator’s computer. •...
  • Page 114 Chapter 6 Configuration Basics Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the ZyWALL or remove the power. Not doing so can cause the firmware to become corrupt. MENU ITEM(S): Maintenance > Shutdown. ZyWALL USG 100/200 Series User’s Guide...
  • Page 115: Tutorials

    Chapter 7 Tutorials Here are examples of using the Web Configurator to set up features in the ZyWALL. See also Chapter 8 on page 185 for an example of configuring L2TP VPN. Note: The tutorials featured here require a basic understanding of connecting to and using the Web Configurator; see Chapter 3 on page 47 for details.
  • Page 116: Configure A Wan Ethernet Interface

    Chapter 7 Tutorials • This example does not use the ext-wlan interface (for Ethernet-connected APs) so you remove port P6 from the ext-wlan interface and add it to the dmz interface instead. Figure 60 Ethernet Interface, Port Roles, and Zone Configuration Example 7.1.1 Configure a WAN Ethernet Interface You need to assign the ZyWALL’s wan1 interface a static IP address of 1.2.3.4.
  • Page 117: Configure The Opt Interface For A Local Network

    Chapter 7 Tutorials Click Configuration > Network > Interface > Ethernet and double-click the wan1 interface’s entry. Select Use Fixed IP Address and configure the IP address, subnet mask, and default gateway settings and click OK. Figure 61 Configuration > Network > Interface > Ethernet > Edit wan1 7.1.2 Configure the OPT Interface for a Local Network Here is how to set the opt interface for a separate local network.
  • Page 118: Configure Zones

    Chapter 7 Tutorials Click Configuration > Network > Interface > Ethernet and double-click the opt interface’s entry. Set the Interface Type to internal. Set the IP Address to 192.168.4. and the Subnet Mask to 255.255.255.0. Set DHCP to DHCP Server and click OK. Figure 62 Configuration >...
  • Page 119: Configure Port Roles

    Chapter 7 Tutorials Enter VPN as the name, select Default_L2TP_VPN_Connection and move it to the Member box and click OK. Figure 63 Configuration > Network > Zone > WAN Edit 7.1.4 Configure Port Roles Here is how to remove port P6 from the ext-wlan interface and add it to the dmz interface.
  • Page 120: How To Configure A Cellular Interface

    Chapter 7 Tutorials 7.2 How to Configure a Cellular Interface Use 3G cards for cellular WAN (Internet) connections. Table 265 on page 923 lists the compatible 3G devices. In this example you install or connect the 3G card before you configure the cellular interfaces, but it is also possible to reverse the sequence.
  • Page 121 Chapter 7 Tutorials Enable the interface and add it to a zone. It is highly recommended that you set the Zone to WAN to apply your WAN zone security settings to this 3G connection. Leaving Zone set to none has the ZyWALL not apply any security settings to the 3G connection.
  • Page 122: How To Configure Load Balancing

    Chapter 7 Tutorials The ZyWALL automatically adds the cellular interface to the system default WAN trunk. If the ZyWALL is using a user-configured trunk as its default trunk and you want this cellular interface to be part of it, use the Trunk screens to add it. This way the ZyWALL can automatically balance the traffic load amongst the available WAN connections to enhance overall network throughput.
  • Page 123: Configure The Wan Trunk

    Chapter 7 Tutorials Click Configuration > Network > Interface > Ethernet and double-click the wan1 entry. Enter the available bandwidth (1000 kbps) in the Egress Bandwidth field. Click OK. Figure 69 Configuration > Network > Interface > Ethernet > Edit (wan1) Repeat the process to set the egress bandwidth for wan2 (512 kbps).
  • Page 124 Chapter 7 Tutorials Name the trunk and set the Load Balancing Algorithm field to Weighted Round Robin. Add wan1 and enter 2 in the Weight column. Add wan2 and enter 1 in the Weight column. Click OK. Figure 70 Configuration > Network > Interface > Trunk > Add
  • Page 125: How To Set Up A Wireless Lan

    Chapter 7 Tutorials Select the trunk as the default trunk and click Apply. Figure 71 Configuration > Network > Interface > Trunk 7.4 How to Set Up a Wireless LAN You can install a wireless LAN card (IEEE 802.11b/g) in the PCMCIA slot (see Table 265 on page 923 for the supported cards).
  • Page 126: Create The Wlan Interface

    Chapter 7 Tutorials Click Configuration > Object > User/Group > User and the Add icon. Set the User Name to wlan_user. Enter (and re-enter) the user’s password. Click OK. Figure 72 Configuration > Object > User/Group > User > Add Use the Add icon in the Configuration >...
  • Page 127 Chapter 7 Tutorials Edit this screen as follows. A (internal) name for the WLAN interface displays. You can modify it if you want. The ZyWALL’s security settings are configured by zones. Select to which security zone you want the WLAN interface to belong (the WLAN zone in this example). This determines which security settings the ZyWALL applies to the WLAN interface.
  • Page 128 Chapter 7 Tutorials Figure 73 Configuration > Network > Interface > WLAN > Add
  • Page 129: Set Up The Wireless Clients To Use The Wlan Interface

    Chapter 7 Tutorials Turn on the wireless LAN and click Apply. Figure 74 Configuration > Network > Interface > WLAN 7.4.3 Set Up the Wireless Clients to Use the WLAN Interface The following sections show you how to have a wireless client (not included with the ZyWALL) use the wireless network.
  • Page 130 Chapter 7 Tutorials Open the wireless client utility and click Profile. Figure 75 ZyXEL Wireless Client Add a new profile. This example uses “ZYXEL_WPA” as the name. It is also the SSID (name) of the wireless network. Select Infrastructure and click Next. Figure 76 ZyXEL Wireless Client >...
  • Page 131 Chapter 7 Tutorials Select WPA2 as the security type and click Next. Figure 77 ZyXEL Wireless Client > Profile: Security Type Set the encryption type to TKIP and the EAP type to TTLS. Configure wlan_user as the Login Name and enter the account’s password (also wlan_user in this example).
  • Page 132 Chapter 7 Tutorials Confirm your settings and click Save. Figure 79 ZyXEL Wireless Client > Profile: Save Click Activate Now. Figure 80 ZyXEL Wireless Client > Profile: Activate
  • Page 133 Chapter 7 Tutorials The ZYXEL_WPA profile displays in your list of profiles. Figure 81 ZyXEL Wireless Client > Profile: Activate Since the ZyXEL utility does not have the wireless client validate the ZyWALL’s certificate, you can go to Section 7.4.3.4 on page 141.
  • Page 134 Chapter 7 Tutorials Name the profile (this example uses ZYXEL_WPA). In the User Info tab, configure wlan_user as the Login name. In the Password sub-tab, select Prompt for long name and password. Figure 83 Odyssey Access Client Manager > Profiles > User Info Click the Authentication tab and select Validate server certificate.
  • Page 135 Chapter 7 Tutorials Click the TTLS tab and select PAP. Then click OK. Figure 85 Odyssey Access Client Manager > Profiles > Authentication Click Networks > Add. Figure 86 Odyssey Access Client Manager > Networks
  • Page 136 Chapter 7 Tutorials Enter the name of the wireless network (“ZYXEL_WPA” in this example) or click Scan to look for it. Then select Authenticate using profile and select the profile you configured (“ZYXEL_WPA” in this example). Click OK. Figure 87 Odyssey Access Client Manager > Networks > Add Use the next section to import the ZyWALL’s certificate into the wireless client.
  • Page 137 Chapter 7 Tutorials In Internet Explorer, click Tools > Internet Options > Content and click the Certificates button. Figure 88 Internet Explorer: Tools > Internet Options > Content Click Import. Figure 89 Internet Explorer: Tools > Internet Options > Content > Certificates
  • Page 138 Chapter 7 Tutorials Use the wizard screens to import the certificate. You may need to change the Files of Type setting to All Files in order to see the certificate file. Figure 90 Internet Explorer Certificate Import Wizard File Open Screen When you get to the Certificate Store screen, select the option to automatically select the certificate store based on the type of certificate.
  • Page 139 Chapter 7 Tutorials If you get a security warning screen, click Yes to proceed. Figure 92 Internet Explorer Certificate Import Certificate Warning Screen
  • Page 140 Chapter 7 Tutorials The Internet Explorer Certificates screen remains open after the import is done. You can see the newly imported certificate listed in the Trusted Root Certification Authorities tab. The values in the Issued To and Issued By fields should match those in the ZyWALL’s My Certificates screen’s Subject and Issuer fields (respectively).
  • Page 141: How To Set Up An Ipsec Vpn Tunnel

    Chapter 7 Tutorials 7.4.3.4 Wireless Clients Use the WLAN Interface A login screen displays when the wireless client attempts to connect to the wireless interface. Enter the username and password and click OK. Figure 95 Funk Odyssey Access Wireless Client Login Example 7.5 How to Set Up an IPSec VPN Tunnel This example shows how to use the IPSec VPN configuration screens to create the following VPN tunnel, see...
  • Page 142: Set Up The Vpn Gateway

    Chapter 7 Tutorials 7.5.1 Set Up the VPN Gateway The VPN gateway manages the IKE SA. You do not have to set up any other objects before you configure the VPN gateway because this VPN tunnel does not use any certificates or extended authentication. Click Configuration >...
  • Page 143 Chapter 7 Tutorials Click Configuration > Object > Address. Click the Add icon. Give the new address object a name (“VPN_REMOTE_SUBNET”), change the Address Type to SUBNET. Set up the Network field to 172.16.1.0 and the Netmask to 255.255.255.0. Click OK. Figure 98 Configuration >...
  • Page 144: Configure Security Policies For The Vpn Tunnel

    Chapter 7 Tutorials 7.5.3 Configure Security Policies for the VPN Tunnel You configure security policies based on zones. The new VPN connection was assigned to the IPSec_VPN zone. By default, there are no security restrictions on the IPSec_VPN zone, so, next, you should set up security policies (firewall rules, IDP, and so on) that apply to the IPSec_VPN zone.
  • Page 145 Chapter 7 Tutorials • My Address: 10.0.0.2 • Primary Remote Gateway: 10.0.0.1 Network Policy (Phase 2) • Local Network: 192.168.167.0/255.255.255.0 • Remote Network: 192.168.168.0~192.168.169.255 Headquarters (ZyWALL USG): VPN Gateway (VPN Tunnel 1): • My Address: 10.0.0.1 • Peer Gateway Address: 10.0.0.2 VPN Connection (VPN Tunnel 1): •...
  • Page 146: How To Configure User-Aware Access Control

    Chapter 7 Tutorials 7.6.0.1 Hub-and-spoke VPN Requirements and Suggestions Consider the following when implementing a hub-and-spoke VPN. • This example uses a wide range for the ZyNOS-based ZyWALL’s remote network; to use a narrower range, see Section 25.4.1 on page 495 for an example of configuring a VPN concentrator.
  • Page 147: Set Up User Accounts

    Chapter 7 Tutorials Table 21 User-aware Access Control Example (continued) (columns: GROUP (USER), BANDWIDTH, MSN, SURFING, LAN-TO-DMZ ACCESS; rows: Guest (guest), Others) The users are authenticated by an external RADIUS server at 192.168.1.200. First, set up the user accounts and user groups in the ZyWALL. Then, set up user authentication using the RADIUS server.
  • Page 148: Set Up User Groups

    Chapter 7 Tutorials 7.7.2 Set Up User Groups Set up the user groups and assign the users to the user groups. Click Configuration > Object > User/Group > Group. Click the Add icon. Enter the name of the group that is used in Table 21 on page 146.
  • Page 149 Chapter 7 Tutorials Click Configuration > Object > AAA Server > RADIUS. Double-click the radius entry. Configure the RADIUS server’s address, authentication port (1812 if you were not told otherwise), and key, and click Apply. Figure 103 Configuration > Object > AAA Server > RADIUS > Add Click Configuration >...
  • Page 150: Web Surfing Policies With Bandwidth Restrictions

    Chapter 7 Tutorials Note: The users will have to log in using the Web Configurator login screen before they can use HTTP or MSN. Figure 105 Configuration > Object > User/Group > Setting > Add (Force User Authentication Policy) When the users try to browse the web (or use any HTTP/HTTPS application), the Login screen appears.
  • Page 151 Chapter 7 Tutorials Click Configuration > AppPatrol. If application patrol and bandwidth management are not enabled, enable them, and click Apply. Figure 106 Configuration > AppPatrol > General Click the Common tab and double-click the http entry. Figure 107 Configuration > AppPatrol > Common
  • Page 152 Chapter 7 Tutorials Double-click the Default policy. Figure 108 Configuration > AppPatrol > Common > http Change the access to Drop because you do not want anyone except authorized user groups to browse the web. Click OK. Figure 109 Configuration > AppPatrol > Common > http > Edit Default
  • Page 153: Set Up Msn Policies

    Chapter 7 Tutorials Click the Add icon in the policy list. In the new policy, select one of the user groups that is allowed to browse the web and set the corresponding bandwidth restriction in the Inbound and Outbound fields. Click OK. Repeat this process to add exceptions for all the other user groups that are allowed to browse the web.
  • Page 154: Set Up Firewall Rules

    Chapter 7 Tutorials Give the schedule a descriptive name. Set up the days (Monday through Friday) and the times (8:30 - 18:00) when Sales is allowed to use MSN. Click OK. Figure 111 Configuration > Object > Schedule > Add (Recurring) Follow the steps in Section 7.7.4 on page 150 to set up the appropriate policies for...
  • Page 155: How To Use A Radius Server To Authenticate User Accounts Based On Groups

    Chapter 7 Tutorials Click the Add icon again and create a rule for one of the user groups that is allowed to access the DMZ. Figure 113 Configuration > Firewall > Add Repeat this process to set up firewall rules for the other user groups that are allowed to access the DMZ.
  • Page 156 Chapter 7 Tutorials Click Configuration > Object > AAA Server > RADIUS. Double-click the radius entry. Besides configuring the RADIUS server’s address, authentication port, and key; set the Group Membership Attribute field to the attribute that the ZyWALL is to check to determine to which group a user belongs. This example uses Class.
  • Page 157: How To Use Endpoint Security And Authentication Policies

    Chapter 7 Tutorials Now you add ext-group-user user objects to identify groups based on the group identifier values. Set up one user account for each group of user accounts in the RADIUS server. Click Configuration > Object > User/Group > User. Click the Add icon.
  • Page 158 Chapter 7 Tutorials • Select Endpoint must have Personal Firewall installed and move the Kaspersky Internet Security entries to the allowed list (you can double-click an entry to move it). • Select Endpoint must have Anti-Virus software installed and move the Kaspersky Internet Security and Kaspersky Anti-Virus anti-virus software entries to the allowed list.
  • Page 159: Configure The Authentication Policy

    Chapter 7 Tutorials Repeat as needed to create endpoint security objects for other Windows operating system versions. 7.9.2 Configure the Authentication Policy Click Configuration > Auth. Policy > Add to open the Endpoint Security Edit screen. Use this screen to configure an authentication policy to use endpoint security objects.
  • Page 160: How To Configure Service Control

    Chapter 7 Tutorials Turn on authentication policy and click Apply. Figure 118 Configuration > Auth. Policy The following figure shows an error message example when a user’s computer does not meet an endpoint security object’s requirements. Click Close to return to the login screen.
  • Page 161: Allow Https Administrator Access Only From The Lan

    Chapter 7 Tutorials user access (logging into SSL VPN for example). See Chapter 50 on page 815 for more on service control. The To-ZyWALL firewall rules apply to any kind of HTTP or HTTPS connection to the ZyWALL. They do not distinguish between administrator management access and user access.
  • Page 162 Chapter 7 Tutorials Select the new rule and click the Add icon. Figure 122 Configuration > System > WWW (First Example Admin Service Rule Configured) In the Zone field select ALL and set the Action to Deny. Click OK. Figure 123 Configuration > System > WWW > Service Control Rule Edit
  • Page 163: How To Allow Incoming H.323 Peer-To-Peer Calls

    Chapter 7 Tutorials Click Apply. Figure 124 Configuration > System > WWW (Second Example Admin Service Rule Configured) Now administrator access to the Web Configurator can only come from the LAN1 zone. Non-admin users can still use HTTPS to log into the ZyWALL from any of the ZyWALL’s zones (to use SSL VPN for example).
  • Page 164: Turn On The Alg

    Chapter 7 Tutorials for wan1 IP address 10.0.0.8 to an H.323 device located on the LAN and using IP address 192.168.1.56. Figure 125 WAN to LAN H.323 Peer-to-peer Calls Example 7.11.1 Turn On the ALG Click Configuration > Network > ALG. Select Enable H.323 ALG and Enable H.323 transformations and click Apply.
  • Page 165 Chapter 7 Tutorials Use Configuration > Object > Address > Add to create an address object for the public WAN IP address (called WAN_IP-for-H323 here). Then use it again to create an address object for the H.323 device’s private LAN1 IP address (called LAN_H323 here).
  • Page 166: Set Up A Firewall Rule For H.323

    Chapter 7 Tutorials Click Configuration > Network > NAT > Add. Configure a name for the rule (WAN-LAN_H323 here). You want the LAN H.323 device to receive peer-to-peer calls from the WAN and also be able to initiate calls to the WAN so you set the Classification to NAT 1:1. Set the Incoming Interface to wan1.
  • Page 167: How To Allow Public Access To A Web Server

    Chapter 7 Tutorials Click Configuration > Firewall > Add. In the From field select WAN. In the To field select LAN1. Configure a name for the rule (WAN-to-LAN_H323 here). Set the Destination to the H.323 device’s LAN1 IP address object (LAN_H323). LAN_H323 is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule.
  • Page 168: Create The Address Objects

    Chapter 7 Tutorials 7.12.1 Create the Address Objects Use Configuration > Object > Address > Add to create the address objects. Create a host address object named DMZ_HTTP for the HTTP server’s private IP address of 192.168.3.7. Figure 131 Creating the Address Object for the HTTP Server’s Private IP Address Create a host address object named Public_HTTP_Server_IP for the public WAN IP address 1.1.1.1.
  • Page 169: Set Up A Firewall Rule

    Chapter 7 Tutorials • Keep Enable NAT Loopback selected to allow users connected to other interfaces to access the HTTP server (see NAT Loopback on page 423 for details). Figure 133 Creating the NAT Entry 7.12.3 Set Up a Firewall Rule The firewall blocks traffic from the WAN zone to the DMZ zone by default, so you need to create a firewall rule to allow the public to send HTTP traffic to IP address 1.1.1.1 in order to access the HTTP server.
  • Page 170: How To Use An Ippbx On The Dmz

    Chapter 7 Tutorials Click Configuration > Firewall > Add. Set the From field as WAN and the To field as DMZ. Set the Destination to the HTTP server’s DMZ IP address object (DMZ_HTTP). DMZ_HTTP is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule.
  • Page 171 Chapter 7 Tutorials address 1.1.1.2 that you will use on the wan2 interface and map to the IPPBX’s private IP address of 192.168.3.7. The local SIP clients are on the LAN. Figure 135 IPPBX Example Network Topology
  • Page 172: Turn On The Alg

    Chapter 7 Tutorials 7.13.1 Turn On the ALG Click Configuration > Network > ALG. Select Enable SIP ALG and Enable SIP Transformations and click Apply. Figure 136 Configuration > Network > ALG 7.13.2 Create the Address Objects Use Configuration > Object > Address > Add to create the address objects. Create a host address object named IPPBX-DMZ for the IPPBX’s private DMZ IP address of 192.168.3.9.
  • Page 173: Setup A Nat Policy For The Ippbx

    Chapter 7 Tutorials Create a host address object named IPPBX-Public for the public WAN IP address 1.1.1.2. Figure 138 Creating the Public IP Address Object 7.13.3 Setup a NAT Policy for the IPPBX Click Configuration > Network > NAT > Add. •...
  • Page 174: Set Up A Wan To Dmz Firewall Rule For Sip

    Chapter 7 Tutorials • Click OK. Figure 139 Configuration > Network > NAT > Add 7.13.4 Set Up a WAN to DMZ Firewall Rule for SIP The firewall blocks traffic from the WAN zone to the DMZ zone by default so you need to create a firewall rule to allow the public to send SIP traffic to the IPPBX.
  • Page 175: Set Up A Dmz To Lan Firewall Rule For Sip

    Chapter 7 Tutorials Click Configuration > Firewall > Add. Set the From field as WAN and the To field as DMZ. Set the Destination to the IPPBX’s DMZ IP address object (DMZ_SIP). IPPBX_DMZ is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule.
  • Page 176: How To Use Multiple Static Public Wan Ip Addresses For Lan To Wan Traffic

    Chapter 7 Tutorials Click Configuration > Firewall > Add. Set the From field as DMZ and the To field as LAN. Set the Destination to the IPPBX’s DMZ IP address object (DMZ_SIP). Set the Source to IPPBX_DMZ. Leave the Access field set to allow and click OK.
  • Page 177: Configure The Policy Route

    Chapter 7 Tutorials 7.14.2 Configure the Policy Route Now you need to configure a policy route that has the ZyWALL use the range of public IP addresses as the source address for WAN to LAN traffic. Click Configuration > Network > Routing > Add. Although adding a description is optional, it is recommended.
  • Page 178: Before You Start

    Chapter 7 Tutorials An Ethernet switch connects both ZyWALLs’ lan1 interfaces to the LAN. Whichever ZyWALL is functioning as the master uses the default gateway IP address of the LAN computers (192.168.1.1) for its lan1 interface and the static public IP address (1.1.1.1) for its wan1 interface.
  • Page 179: Configure Device Ha On The Master Zywall

    Chapter 7 Tutorials 7.15.2 Configure Device HA on the Master ZyWALL Log into ZyWALL A (the master) and click Configuration > Device HA > Active-Passive Mode. Double-click lan1’s entry. Configure 192.168.1.3 as the Management IP and 255.255.255.0 as the Manage IP Subnet Mask.
  • Page 180 Chapter 7 Tutorials Set the Device Role to Master. This example focuses on the connection from the LAN (lan1) to the Internet through the wan1 interface, so select the lan1 and wan1 interfaces and click Activate. Enter a Synchronization Password (“mySyncPassword”...
  • Page 181: Configure The Backup Zywall

    Chapter 7 Tutorials 7.15.3 Configure the Backup ZyWALL Connect a computer to ZyWALL B’s lan1 interface and log into its Web Configurator. Connect ZyWALL B to the Internet and subscribe it to the same subscription services (like content filtering and anti-virus) to which ZyWALL A is subscribed.
  • Page 182 Chapter 7 Tutorials Set the Device Role to Backup. Activate monitoring for the lan1 and wan1 interfaces. Set the Synchronization Server Address to 192.168.1.1, the Port to 21, and the Password to “mySyncPassword”. Select Auto Synchronize and set the Interval to 60. Click Apply. Figure 150 Configuration >...
  • Page 183: Deploy The Backup Zywall

    Chapter 7 Tutorials 7.15.4 Deploy the Backup ZyWALL Connect ZyWALL B’s lan1 interface to the LAN network. Connect ZyWALL B’s wan1 interface to the same router that ZyWALL A’s wan1 interface uses for Internet access. ZyWALL B copies A’s configuration (and re-synchronizes with A every hour).
  • Page 185: L2Tp Vpn Example

    Chapter 8 L2TP VPN Example Here is how to create a basic L2TP VPN tunnel. 8.1 L2TP VPN Example This example uses the following settings in creating a basic L2TP VPN tunnel. Figure 152 L2TP VPN Example 172.16.1.2 L2TP_POOL: 192.168.10.10~192.168.10.20...
  • Page 186 Chapter 8 L2TP VPN Example • Configure the My Address setting. This example uses interface wan1 with static IP address 172.16.1.2. Note: If it is possible that the remote user’s public IP address could be in the same subnet as the specified My Address, click Configure > Network > Routing > Policy Route >...
  • Page 187: Configuring The Default L2Tp Vpn Connection Example

    Chapter 8 L2TP VPN Example 8.3 Configuring the Default L2TP VPN Connection Example Click Configuration > VPN > Network > IPSec VPN to open the screen that lists the VPN connections. Double-click the Default_L2TP_VPN_Connection entry. Click the Show Advanced Settings button. Configure and enforce the local and remote policies.
  • Page 188: Configuring The L2Tp Vpn Settings Example

    Chapter 8 L2TP VPN Example Select the Default_L2TP_VPN_Connection entry and click Activate and then Apply to turn on the entry. Figure 156 Configuration > VPN > IPSec VPN > VPN Connection (Enable) 8.4 Configuring the L2TP VPN Settings Example Click Configuration > VPN > L2TP VPN and configure the following. •...
  • Page 189: Configuring L2Tp Vpn In Windows Vista, Xp, Or 2000

    Chapter 8 L2TP VPN Example • The other fields are left at their defaults in this example; click Apply. Figure 157 Configuration > VPN > L2TP VPN Example 8.5 Configuring L2TP VPN in Windows Vista, XP, or 2000 The following sections cover how to configure L2TP in remote user computers using Windows Vista, XP, and 2000.
  • Page 190 Chapter 8 L2TP VPN Example Select Connect to a workplace and click Next. Figure 158 Set up a connection or network: Choose a connection type Select Use my Internet connection (VPN). Figure 159 Connect to a workplace: How do you want to connect?
  • Page 191 Chapter 8 L2TP VPN Example Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN (172.16.1.2 in this example). For the Destination Name, enter L2TP to ZyWALL. Select Don’t connect now, just set it up so I can connect later and click Next.
  • Page 192 Chapter 8 L2TP VPN Example Click Close. Figure 162 Connect to a workplace: The connection is ready to use In the Network and Sharing Center screen, click Connect to a network. Right-click the L2TP VPN connection and select Properties. Figure 163 Connect L2TP to ZyWALL
  • Page 193 Chapter 8 L2TP VPN Example Click Security, select Advanced (custom settings) and click Settings. Figure 164 Connect L2TP to ZyWALL: Security Set Data encryption to Optional encryption (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes.
  • Page 194 Chapter 8 L2TP VPN Example inside it. The L2TP tunnel itself does not need encryption since it is inside the encrypted IPSec VPN tunnel. Figure 166 Connect ZyWALL L2TP: Security > Advanced > Warning 11 Click Networking. Set the Type of VPN to L2TP IPSec VPN and click IPSec Settings.
  • Page 195 Chapter 8 L2TP VPN Example 13 Select the L2TP VPN connection and click Connect. Figure 169 L2TP to ZyWALL Properties: Networking 14 Enter the user name and password of your ZyWALL user account. Click Connect. Figure 170 Connect L2TP to ZyWALL
  • Page 196 Chapter 8 L2TP VPN Example 15 A window appears while the user name and password are verified and notifies you when the connection is established. Figure 171 Connecting to L2TP to ZyWALL 16 If a window appears asking you to select a location for the network, you can select Work if you want your computer to be discoverable by computers behind the ZyWALL.
  • Page 197 Chapter 8 L2TP VPN Example 17 After the network location has been set, click Close. Figure 173 Set Network Location Successful 18 After the connection is up a connection icon displays in your system tray. Click it and then the L2TP connection to open a status screen. Figure 174 Connection System Tray Icon
  • Page 198 Chapter 8 L2TP VPN Example 19 Click the L2TP connection’s View status link to open a status screen. Figure 175 Network and Sharing Center 20 Click Details to see the address that you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20).
  • Page 199: Configuring L2Tp In Windows Xp

    Chapter 8 L2TP VPN Example 8.5.2 Configuring L2TP in Windows XP In Windows XP do the following to establish an L2TP VPN connection. Click Start > Control Panel > Network Connections > New Connection Wizard. Click Next in the Welcome screen. Select Connect to the network at my workplace and click Next.
  • Page 200 Chapter 8 L2TP VPN Example Type L2TP to ZyWALL as the Company Name. Figure 179 New Connection Wizard: Connection Name Select Do not dial the initial connection and click Next. Figure 180 New Connection Wizard: Public Network
  • Page 201 Chapter 8 L2TP VPN Example Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN (172.16.1.2 in this example). Figure 181 New Connection Wizard: VPN Server Selection 172.16.1.2 Click Finish.
  • Page 202 Chapter 8 L2TP VPN Example 10 Click Security, select Advanced (custom settings) and click Settings. Figure 183 Connect L2TP to ZyWALL: Security 11 Select Optional encryption (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes.
  • Page 203 Chapter 8 L2TP VPN Example 12 Click IPSec Settings. Figure 185 L2TP to ZyWALL Properties > Security 13 Select the Use pre-shared key for authentication check box and enter the pre-shared key used in the VPN gateway configuration that the ZyWALL is using for L2TP VPN.
  • Page 204 Chapter 8 L2TP VPN Example 14 Click Networking. Select L2TP IPSec VPN as the Type of VPN. Click OK. Figure 187 L2TP to ZyWALL Properties: Networking 15 Enter the user name and password of your ZyWALL account. Click Connect. Figure 188 Connect L2TP to ZyWALL 16 A window appears while the user name and password are verified.
  • Page 205: Configuring L2Tp In Windows 2000

    Chapter 8 L2TP VPN Example 18 Click Details to see the address that you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20). Figure 190 ZyWALL-L2TP Status: Details 19 Access a server or other network resource behind the ZyWALL to make sure your access works.
  • Page 206 Chapter 8 L2TP VPN Example Select HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters. Figure 192 Registry Key Right-click Parameters and select New > DWORD Value. Figure 193 New DWORD Value Enter ProhibitIpSec as the name and make sure the Data displays as 0’s. Figure 194 ProhibitIpSec DWORD Value Restart the computer and continue with the next section.
  • Page 207 Chapter 8 L2TP VPN Example 8.5.3.2 Configure the Windows 2000 IPSec Policy After you have created the registry entry and restarted the computer, use these directions to configure an IPSec policy for the computer to use. Click Start > Run. Type mmc and click OK. Figure 195 Run mmc Click Console >...
  • Page 208 Chapter 8 L2TP VPN Example Click Add > IP Security Policy Management > Add > Finish. Click Close > Figure 197 Add > IP Security Policy Management > Finish Right-click IP Security Policies on Local Machine and click Create IP Security Policy.
  • Page 209 Chapter 8 L2TP VPN Example Name the IP security policy L2TP to ZyWALL, and click Next. Figure 199 IP Security Policy: Name Clear the Activate the default response rule check box and click Next. Figure 200 IP Security Policy: Request for Secure Communication
  • Page 210 Chapter 8 L2TP VPN Example Leave the Edit Properties check box selected and click Finish. Figure 201 IP Security Policy: Completing the IP Security Policy Wizard In the properties dialog box, click Add > Next. Figure 202 IP Security Policy Properties > Add
  • Page 211 Chapter 8 L2TP VPN Example Select This rule does not specify a tunnel and click Next. Figure 203 IP Security Policy Properties: Tunnel Endpoint 10 Select All network connections and click Next. Figure 204 IP Security Policy Properties: Network Type
  • Page 212 Chapter 8 L2TP VPN Example 11 Select Use this string to protect the key exchange (preshared key), type password in the text box, and click Next. Figure 205 IP Security Policy Properties: Authentication Method 12 Click Add. Figure 206 IP Security Policy Properties: IP Filter List
  • Page 213 Chapter 8 L2TP VPN Example 13 Type ZyWALL WAN_IP in the Name field. Clear the Use Add Wizard check box and click Add. Figure 207 IP Security Policy Properties: IP Filter List > Add 14 Configure the following in the Addressing tab. Select My IP Address in the Source address drop-down list box.
  • Page 214 Chapter 8 L2TP VPN Example 15 Configure the following in the Filter Properties window’s Protocol tab. Set the protocol type to UDP from port 1701. Select To any port. Click Apply, OK, and then Close. Figure 209 Filter Properties: Protocol 16 Select ZyWALL WAN_IP and click Next.
  • Page 215 Chapter 8 L2TP VPN Example 17 Select Require Security and click Next. Then click Finish and Close. Figure 211 IP Security Policy Properties: IP Filter List 18 In the Console window, right-click L2TP to ZyWALL and select Assign. Figure 212 Console: L2TP to ZyWALL Assign 8.5.3.3 Configure the Windows 2000 Network Connection After you have configured the IPSec policy, use these directions to create a network connection.
  • Page 216 Chapter 8 L2TP VPN Example Click Start > Settings > Network and Dial-up connections > Make New Connection. In the wizard welcome screen, click Next. Figure 213 Start New Connection Wizard Select Connect to a private network through the Internet and click Next. Figure 214 New Connection Wizard: Network Connection Type Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN.
  • Page 217 Chapter 8 L2TP VPN Example Select For all users and click Next. Figure 216 New Connection Wizard: Connection Availability Name the connection L2TP to ZyWALL and click Finish. Figure 217 New Connection Wizard: Naming the Connection Click Properties. Figure 218 Connect L2TP to ZyWALL
  • Page 218 Chapter 8 L2TP VPN Example Click Security and select Advanced (custom settings) and click Settings. Figure 219 Connect L2TP to ZyWALL: Security Select Optional encryption allowed (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes.
  • Page 219 Chapter 8 L2TP VPN Example Click Networking and select Layer 2 Tunneling Protocol (L2TP) from the drop-down list box. Click OK. Figure 221 Connect L2TP to ZyWALL: Networking 10 Enter your user name and password and click Connect. It may take up to one minute to establish the connection and register on the network.
  • Page 220 Chapter 8 L2TP VPN Example 12 Click Details and scroll down to see the address that you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20). Figure 224 L2TP to ZyWALL Status: Details 13 Access a server or other network resource behind the ZyWALL to make sure your access works.
  • Page 221: Technical Reference

    Technical Reference...
  • Page 223: Dashboard

    Chapter 9 Dashboard 9.1 Overview Use the Dashboard screens to check status information about the ZyWALL. 9.1.1 What You Can Do in this Chapter Use the Dashboard screens for the following. • Use the main Dashboard screen (see Section 9.2 on page 223) to see the ZyWALL’s general device information, system status, system resource usage,...
  • Page 224 Chapter 9 Dashboard interface status in widgets that you can re-arrange to suit your needs. You can also collapse, refresh, and close individual widgets. Figure 225 Dashboard The following table describes the labels in this screen. Table 22 Dashboard LABEL DESCRIPTION Widget Setting Use this link to re-open closed widgets.
  • Page 225 Chapter 9 Dashboard Table 22 Dashboard (continued) LABEL DESCRIPTION The following front and rear panel labels display when you hover your cursor over a connected interface or slot. Name This field displays the name of each interface. Slot This field displays the name of each extension slot. Device This field displays the name of the device connected to the extension slot (or none if no device is detected).
  • Page 226 Chapter 9 Dashboard Table 22 Dashboard (continued) LABEL DESCRIPTION System Name This field displays the name used to identify the ZyWALL on any network. Click the icon to open the screen where you can change it. See Section 50.2 on page 816.
  • Page 227 Chapter 9 Dashboard Table 22 Dashboard (continued) LABEL DESCRIPTION Status This field displays the current status of each interface. The possible values depend on what type of interface it is. For Ethernet interfaces: Inactive - The Ethernet interface is disabled. Down - The Ethernet interface does not have any physical ports associated with it or the Ethernet interface is enabled but not connected.
  • Page 228: System Uptime

    Chapter 9 Dashboard Table 22 Dashboard (continued) LABEL DESCRIPTION Device This field displays the name of the device connected to the extension slot (or none if no device is detected). Status The status for an installed WLAN card is none. For cellular (3G) interfaces, see Section 10.10 on page 254 for the status that can appear.
  • Page 229 Chapter 9 Dashboard Table 22 Dashboard (continued) LABEL DESCRIPTION Name This identifies the licensed service. Version This is the version number of the anti-virus or IDP signatures (anti-virus and IDP). Expiration If the service license is valid, this shows when it will expire. N/A displays if the service license does not have a limited period of validity.
  • Page 230: The Cpu Usage Screen

    Chapter 9 Dashboard 9.2.1 The CPU Usage Screen Use this screen to look at a chart of the ZyWALL’s recent CPU usage. To access this screen, click CPU Usage in the dashboard. Figure 226 Dashboard > CPU Usage The following table describes the labels in this screen. Table 23 Dashboard >...
  • Page 231: The Memory Usage Screen

    Chapter 9 Dashboard 9.2.2 The Memory Usage Screen Use this screen to look at a chart of the ZyWALL’s recent memory (RAM) usage. To access this screen, click Memory Usage in the dashboard. Figure 227 Dashboard > Memory Usage The following table describes the labels in this screen. Table 24 Dashboard >...
  • Page 232: The Session Usage Screen

    Chapter 9 Dashboard 9.2.3 The Session Usage Screen Use this screen to look at a chart of the ZyWALL’s recent traffic session usage. To access this screen, click Session Usage in the dashboard. Figure 228 Dashboard > Session Usage The following table describes the labels in this screen. Table 25 Dashboard >...
  • Page 233: The Vpn Status Screen

    Chapter 9 Dashboard 9.2.4 The VPN Status Screen Use this screen to look at the VPN tunnels that are currently established. To access this screen, click VPN Status in the dashboard. Figure 229 Dashboard > VPN Status The following table describes the labels in this screen. Table 26 Dashboard >...
  • Page 234: The Number Of Login Users Screen

    Chapter 9 Dashboard The following table describes the labels in this screen. Table 27 Dashboard > DHCP Table LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific entry. Interface This field identifies the interface that assigned an IP address to a DHCP client.
  • Page 235 Chapter 9 Dashboard The following table describes the labels in this screen. Table 28 Dashboard > Number of Login Users LABEL DESCRIPTION This field is a sequential value and is not associated with any entry. User ID This field displays the user name of each user who is currently logged in to the ZyWALL.
  • Page 237: Monitor

    Chapter 10 Monitor 10.1 Overview Use the Monitor screens to check status and statistics information. 10.1.1 What You Can Do in this Chapter Use the Monitor screens for the following. • Use the System Status > Port Statistics screen (see Section 10.2 on page 238) to look at packet statistics for each physical port.
  • Page 238: The Port Statistics Screen

    Chapter 10 Monitor • Use the VPN Monitor > SSL screen (see Section 10.13 on page 263) to list the users currently logged into the VPN SSL client portal. You can also log out individual users and delete related session information. •...
  • Page 239 Chapter 10 Monitor The following table describes the labels in this screen. Table 29 Monitor > System Status > Port Statistics LABEL DESCRIPTION Poll Interval Enter how often you want this window to be updated automatically, and click Set Interval. Set Interval Click this to set the Poll Interval the screen uses.
  • Page 240: The Port Statistics Graph Screen

    Chapter 10 Monitor 10.2.1 The Port Statistics Graph Screen Use this screen to look at a line graph of packet statistics for each physical port. To access this screen, click Port Statistics in the Status screen and then the Switch to Graphic View Button. Figure 233 Monitor >...
  • Page 241: Interface Status Screen

    Chapter 10 Monitor Table 30 Monitor > System Status > Port Statistics > Switch to Graphic View LABEL DESCRIPTION Last Update This field displays the date and time the information in the window was last updated. System Up Time This field displays how long the ZyWALL has been running since it last restarted or was turned on.
  • Page 242 Chapter 10 Monitor Each field is described in the following table. Table 31 Monitor > System Status > Interface Status LABEL DESCRIPTION Interface Status If an Ethernet interface does not have any physical ports associated with it, its entry is displayed in light gray text. Expand/Close Click this button to show or hide statistics for all the virtual interfaces on top of the Ethernet interfaces.
  • Page 243 Chapter 10 Monitor Table 31 Monitor > System Status > Interface Status (continued) LABEL DESCRIPTION HA Status This field displays the status of the interface in the virtual router. Active - This interface is the master interface in the virtual router. Stand-By - This interface is a backup interface in the virtual router.
  • Page 244: The Traffic Statistics Screen

    Chapter 10 Monitor Table 31 Monitor > System Status > Interface Status (continued) LABEL DESCRIPTION RxPkts This field displays the number of packets received by the ZyWALL on the interface since it was last connected. Tx B/s This field displays the transmission speed, in bytes per second, on the interface in the one-second interval before the screen updated.
  • Page 245 Chapter 10 Monitor You use the Traffic Statistics screen to tell the ZyWALL when to start and when to stop collecting information for these reports. You cannot schedule data collection; you have to start and stop it manually in the Traffic Statistics screen. Figure 235 Monitor >...
  • Page 246 Chapter 10 Monitor Table 32 Monitor > System Status > Traffic Statistics (continued) LABEL DESCRIPTION Traffic Type Select the type of report to display. Choices are: Host IP Address/User - displays the IP addresses or users with the most traffic and how much traffic has been sent to and from each one. Service/Port - displays the most-used protocols or service ports and the amount of traffic for each one.
  • Page 247: The Session Monitor Screen

    Chapter 10 Monitor Table 32 Monitor > System Status > Traffic Statistics (continued) LABEL DESCRIPTION Amount This field displays how much traffic was sent or received from the indicated service / port. If the Direction is Ingress, a red bar is displayed;...
  • Page 248 Chapter 10 Monitor • Number of bytes transmitted (so far) • Duration (so far) You can look at all the active sessions by user, service, source IP address, or destination IP address. You can also filter the information by user, protocol / service or service group, source address, and/or destination address and view it by user.
  • Page 249 Chapter 10 Monitor Table 34 Monitor > System Status > Session Monitor (continued) LABEL DESCRIPTION User This field displays when View is set to all sessions. Type the user whose sessions you want to view. It is not possible to type part of the user name or use wildcards in this field;...
  • Page 250: The Ddns Status Screen

    Chapter 10 Monitor 10.6 The DDNS Status Screen The DDNS Status screen shows the status of the ZyWALL’s DDNS domain names. Click Monitor > System Status > DDNS Status to open the following screen. Figure 237 Monitor > System Status > DDNS Status The following table describes the labels in this screen.
  • Page 251 Chapter 10 Monitor session with the ZyWALL. Devices that have never established a session with the ZyWALL do not display in the list. Figure 238 Monitor > System Status > IP/MAC Binding The following table describes the labels in this screen. Table 36 Monitor >...
  • Page 252: The Login Users Screen

    Chapter 10 Monitor 10.8 The Login Users Screen Use this screen to look at a list of the users currently logged into the ZyWALL. To access this screen, click Monitor > System Status > Login Users. Figure 239 Monitor > System Status > Login Users The following table describes the labels in this screen.
  • Page 253 Chapter 10 Monitor To open the station monitor, click Monitor > System Status > WLAN Status. The screen appears as shown. Figure 240 Monitor > System Status > WLAN Status The following table describes the labels in this menu. Table 38 Monitor > System Status > WLAN Status LABEL DESCRIPTION Station...
  • Page 254: Cellular Status Screen

    Chapter 10 Monitor 10.10 Cellular Status Screen This screen displays your 3G connection status. Click Monitor > System Status > Cellular Status to display this screen. Figure 241 Monitor > System Status > Cellular Status The following table describes the labels in this screen. Table 39 Monitor >...
  • Page 255 Chapter 10 Monitor Table 39 Monitor > System Status > Cellular Status (continued) LABEL DESCRIPTION Status No device - no 3G device is connected to the ZyWALL. Device detected - displays when you connect a 3G device. Device error - a 3G device is connected but there is an error. Probe device fail - the ZyWALL’s test of the 3G device failed.
  • Page 256: Application Patrol Statistics

    Chapter 10 Monitor Table 39 Monitor > System Status > Cellular Status (continued) LABEL DESCRIPTION Signal Quality This displays the strength of the signal. The signal strength mainly depends on the antenna output power and the distance between your ZyWALL and the service provider’s base station. More Info.
  • Page 257: Application Patrol Statistics: Bandwidth Statistics

    Chapter 10 Monitor 10.11.2 Application Patrol Statistics: Bandwidth Statistics The middle of the Monitor > AppPatrol Statistics screen displays a bandwidth usage line graph for the selected protocols. Figure 243 Monitor > AppPatrol Statistics: Bandwidth Statistics • The y-axis represents the amount of bandwidth used. •...
  • Page 258: Application Patrol Statistics: Protocol Statistics

    Chapter 10 Monitor 10.11.3 Application Patrol Statistics: Protocol Statistics The bottom of the Monitor > AppPatrol Statistics screen displays statistics for each of the selected protocols. Figure 244 Monitor > AppPatrol Statistics: Protocol Statistics The following table describes the labels in this screen. Table 41 Monitor >...
  • Page 259: Application Patrol Statistics: Individual Protocol Statistics By Rule

    Chapter 10 Monitor Table 41 Monitor > AppPatrol Statistics: Protocol Statistics (continued) LABEL DESCRIPTION Rule This is a protocol’s rule. Inbound Kbps This is the incoming bandwidth usage for traffic that matched this protocol rule, in kilobits per second. This is the protocol’s traffic that the ZyWALL sends to the initiator of the connection.
  • Page 260: The Ipsec Monitor Screen

    Chapter 10 Monitor The following table describes the labels in this screen. Table 42 Monitor > AppPatrol Statistics > Service LABEL DESCRIPTION Service Name This is the application. Rule Statistics This table displays the statistics for each of the service’s application patrol rules.
  • Page 261 Chapter 10 Monitor screen appears. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 246 Monitor > VPN Monitor > IPSec Each field is described in the following table. Table 43 Monitor >...
  • Page 262: Regular Expressions In Searching Ipsec Sas

    Chapter 10 Monitor Table 43 Monitor > VPN Monitor > IPSec (continued) LABEL DESCRIPTION Encapsulation This field displays how the IPSec SA is encapsulated. Policy This field displays the content of the local and remote policies for this IPSec SA. The IP addresses, not the address objects, are displayed. Algorithm This field displays the encryption and authentication algorithms used in the SA.
  • Page 263: The Ssl Connection Monitor Screen

    Chapter 10 Monitor 10.13 The SSL Connection Monitor Screen The ZyWALL keeps track of the users who are currently logged into the VPN SSL client portal. Click Monitor > VPN Monitor > SSL to display the user list. Use this screen to do the following: •...
  • Page 264: L2Tp Over Ipsec Session Monitor Screen

    Chapter 10 Monitor 10.14 L2TP over IPSec Session Monitor Screen Click Monitor > VPN Monitor > L2TP over IPSec to open the following screen. Use this screen to display and manage the ZyWALL’s connected L2TP VPN sessions. Figure 248 Monitor > VPN Monitor > L2TP over IPSec The following table describes the fields in this screen.
  • Page 265: The Anti-Virus Statistics Screen

    Chapter 10 Monitor 10.15 The Anti-Virus Statistics Screen Click Monitor > Anti-X Statistics > Anti-Virus to display the following screen. This screen displays anti-virus statistics. Figure 249 Monitor > Anti-X Statistics > Anti-Virus: Virus Name The following table describes the labels in this screen. Table 46 Monitor >...
  • Page 266 Chapter 10 Monitor Table 46 Monitor > Anti-X Statistics > Anti-Virus (continued) LABEL DESCRIPTION Top Entry By Use this field to have the following (read-only) table display the top anti-virus entries by Virus Name, Source IP or Destination IP. Select Virus Name to list the most common viruses that the ZyWALL has detected.
  • Page 267: The Idp Statistics Screen

    Chapter 10 Monitor 10.16 The IDP Statistics Screen Click Monitor > Anti-X Statistics > IDP to display the following screen. This screen displays IDP (Intrusion Detection and Prevention) statistics. Figure 252 Monitor > Anti-X Statistics > IDP: Signature Name The following table describes the labels in this screen. Table 47 Monitor >...
  • Page 268 Chapter 10 Monitor Table 47 Monitor > Anti-X Statistics > IDP (continued) LABEL DESCRIPTION Top Entry By Use this field to have the following (read-only) table display the top IDP entries by Signature Name, Source or Destination. Select Signature Name to list the most common signatures that the ZyWALL has detected.
  • Page 269: The Content Filter Statistics Screen

    Chapter 10 Monitor 10.17 The Content Filter Statistics Screen Click Monitor > Anti-X Statistics > Content Filter to display the following screen. This screen displays content filter statistics. Figure 255 Monitor > Anti-X Statistics > Content Filter The following table describes the labels in this screen. Table 48 Monitor >...
  • Page 270: Content Filter Cache Screen

    Chapter 10 Monitor Table 48 Monitor > Anti-X Statistics > Content Filter (continued) LABEL DESCRIPTION Web Pages Warned by Category This is the number of web pages that matched an external database content filtering category selected in the ZyWALL and for which the ZyWALL displayed a warning before allowing users access.
  • Page 271 Chapter 10 Monitor You can remove individual entries from the cache. When you do this, the ZyWALL queries the external content filtering database the next time someone tries to access that web site. This allows you to check whether a web site’s category has been changed.
  • Page 272 Chapter 10 Monitor Table 49 Anti-X > Content Filter > Cache (continued) LABEL DESCRIPTION Category This field shows whether access to the web site’s URL was blocked or allowed. Click the column heading to sort the entries. Point the triangle up to display the blocked URLs before the URLs to which access was allowed.
  • Page 273: The Anti-Spam Statistics Screen

    Chapter 10 Monitor 10.19 The Anti-Spam Statistics Screen Click Monitor > Anti-X Statistics > Anti-Spam to display the following screen. This screen displays spam statistics. Figure 257 Monitor > Anti-X Statistics > Anti-Spam The following table describes the labels in this screen. Table 50 Monitor >...
  • Page 274 Chapter 10 Monitor Table 50 Monitor > Anti-X Statistics > Anti-Spam (continued) LABEL DESCRIPTION Spam Mails This is the number of e-mails that the ZyWALL has determined to be spam. Spam Mails Detected by This is the number of e-mails that matched an entry in the ZyWALL’s anti-spam black list.
  • Page 275: The Anti-Spam Status Screen

    Chapter 10 Monitor 10.20 The Anti-Spam Status Screen Click Monitor > Anti-X Statistics > Anti-Spam > Status to display the Anti-Spam Status screen. Use the Anti-Spam Status screen to see how many e-mail sessions the anti-spam feature is scanning and statistics for the DNSBLs. Figure 258 Monitor >...
  • Page 276: Log Screen

    Chapter 10 Monitor 10.21 Log Screen Log messages are stored in two separate logs, one for regular log messages and one for debugging messages. In the regular log, you can look at all the log messages by selecting All Logs, or you can select a specific category of log messages (for example, firewall or user).
  • Page 277 Chapter 10 Monitor The following table describes the labels in this screen. Table 52 Monitor > Log LABEL DESCRIPTION Show Filter / Hide Filter: Click this button to show or hide the filter settings. If the filter settings are hidden, the Display, Email Log Now, Refresh, and Clear Log fields are available.
  • Page 278 Chapter 10 Monitor Table 52 Monitor > Log (continued) LABEL DESCRIPTION Priority This field displays the priority of the log message. It has the same range of values as the Priority field above. Category This field displays the log that generated the log message. It is the same value used in the Display and (other) Category fields.
  • Page 279: Registration

    CHAPTER 11 Registration 11.1 Overview Use the Configuration > Licensing > Registration screens to register your ZyWALL and manage its service subscriptions. 11.1.1 What You Can Do in this Chapter • Use the Registration screen (see Section 11.2 on page 281) to register your ZyWALL with myZyXEL.com and activate a service, such as content filtering.
  • Page 280 Chapter 11 Registration Subscription Services Available on the ZyWALL You can have the ZyWALL use anti-virus, IDP/AppPatrol (Intrusion Detection and Prevention and application patrol), and content filtering subscription services. You can also purchase and enter a license key to have the ZyWALL use more SSL VPN tunnels.
  • Page 281: The Registration Screen

    Chapter 11 Registration 11.2 The Registration Screen Use this screen to register your ZyWALL with myZyXEL.com and activate a service, such as content filtering. Click Configuration > Licensing > Registration in the navigation panel to open the screen as shown next. Figure 260 Configuration >...
  • Page 282 Chapter 11 Registration Table 53 Configuration > Licensing > Registration (continued) LABEL DESCRIPTION Confirm Password Enter the password again for confirmation. E-Mail Address Enter your e-mail address. You can use up to 80 alphanumeric characters (periods and the underscore are also allowed) without spaces.
  • Page 283: The Service Screen

    Chapter 11 Registration Note: If the ZyWALL is registered already, this screen is read-only and indicates whether trial services are activated (if any). You can still select the unchecked trial service(s) to activate it after registration. Use the Service screen to update your service subscription status.
  • Page 284 Chapter 11 Registration The following table describes the labels in this screen. Table 54 Configuration > Licensing > Registration > Service LABEL DESCRIPTION License Status This is the entry’s position in the list. Service This lists the services that are available on the ZyWALL. Status This field displays whether a service is activated (Licensed), not activated (Not Licensed), or expired (Expired).
  • Page 285: Signature Update

    CHAPTER 12 Signature Update 12.1 Overview This chapter shows you how to update the ZyWALL’s signature packages. 12.1.1 What You Can Do in this Chapter • Use the Configuration > Licensing > Update > Anti-virus screen (Section 12.2 on page 286) to update the anti-virus signatures.
  • Page 286: The Antivirus Update Screen

    Chapter 12 Signature Update 12.2 The Antivirus Update Screen Click Configuration > Licensing > Update > Anti-Virus to display the following screen. Figure 263 Configuration > Licensing > Update > Anti-Virus The following table describes the labels in this screen. LABEL DESCRIPTION Signature The following fields display information on the current signature set that...
  • Page 287: The Idp/Apppatrol Update Screen

    Chapter 12 Signature Update LABEL DESCRIPTION Signature Update: Use these fields to have the ZyWALL check for new signatures at myZyXEL.com. If new signatures are found, they are then downloaded to the ZyWALL. Update Now: Click this button to have the ZyWALL check for new signatures immediately.
  • Page 288 Chapter 12 Signature Update signatures from myZyXEL.com (see the Registration screens). Use the Update IDP /AppPatrol screen to schedule or immediately download IDP signatures. Figure 264 Configuration > Licensing > Update > IDP/AppPatrol The following table describes the fields in this screen. Table 55 Configuration >...
  • Page 289: The System Protect Update Screen

    Chapter 12 Signature Update Table 55 Configuration > Licensing > Update > IDP/AppPatrol (continued) LABEL DESCRIPTION Daily Select this option to have the ZyWALL check for new IDP signatures everyday at the specified time. The time format is the 24 hour clock, so ‘23’...
  • Page 290 Chapter 12 Signature Update The following table describes the fields in this screen. Table 56 Configuration > Licensing > Update > System Protect LABEL DESCRIPTION Signature Information: The following fields display information on the current signature set that the ZyWALL is using. Current Version: This field displays the system protect signature and anomaly rule set...
  • Page 291: Interfaces

    CHAPTER 13 Interfaces 13.1 Interface Overview Use the Interface screens to configure the ZyWALL’s interfaces. You can also create interfaces on top of other interfaces. • Ports are the physical ports to which you connect cables. •...
  • Page 292: What You Need To Know

    Chapter 13 Interfaces • Use the Virtual Interface screen (Section 13.11 on page 359) to create virtual interfaces on top of Ethernet interfaces to tell the ZyWALL where to route packets. You can create virtual Ethernet interfaces, virtual VLAN interfaces, and virtual bridge interfaces.
  • Page 293 Chapter 13 Interfaces • The auxiliary interface, along with an external modem, provides an interface the ZyWALL can use to dial out. This interface can be used as a backup WAN interface, for example. The auxiliary interface controls the AUX port. •...
  • Page 294 Chapter 13 Interfaces Relationships Between Interfaces In the ZyWALL, interfaces are usually created on top of other interfaces. Only Ethernet interfaces are created directly on top of the physical ports or port groups. The relationships between interfaces are explained in the following table. Table 58 Relationships Between Different Types of Interfaces REQUIRED PORT / INTERFACE...
  • Page 295: Port Role

    Chapter 13 Interfaces • See Section 7.1 on page 115 for an example of configuring Ethernet interfaces, port role, and zones. • See Section 7.2 on page 120 for an example of configuring a cellular (3G) interface. • See Section 7.4 on page 125 for an example of setting up a wireless LAN.
  • Page 296: Ethernet Summary Screen

    Chapter 13 Interfaces Each section in this screen is described below. Table 59 Configuration > Network > Interface > Port Role LABEL DESCRIPTION LAN1/WLAN/DMZ PX~P7: These are physical Ethernet ports. lan1 (LAN1), lan2 (LAN2): These are Ethernet interfaces and the zone to which each belongs. Use the radio buttons to select for which interface (network) you want to use each physical port.
  • Page 297 Chapter 13 Interfaces Chapter 16 on page 393 for background information about these routing protocols. Figure 267 Configuration > Network > Interface > Ethernet ZyWALL USG 100/200 Series User’s Guide...
  • Page 298: Ethernet Edit

    Chapter 13 Interfaces Each field is described in the following table. Table 60 Configuration > Network > Interface > Ethernet LABEL DESCRIPTION Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove To remove a virtual interface, select it and click Remove.
  • Page 299 Chapter 13 Interfaces With RIP, you can use Ethernet interfaces to do the following things. • Enable and disable RIP in the underlying physical port or port group. • Select which direction(s) routing information is exchanged - The ZyWALL can receive routing information, send routing information, or do both.
  • Page 300 Chapter 13 Interfaces Figure 268 Configuration > Network > Interface > Ethernet > Edit (OPT)
  • Page 301 Chapter 13 Interfaces This screen’s fields are described in the table below. Table 61 Configuration > Network > Interface > Ethernet > Edit LABEL DESCRIPTION Show Advance Settings / Hide: Click this button to display a greater or lesser number of configuration fields.
  • Page 302 Chapter 13 Interfaces Table 61 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Automatically: This option appears when Interface Properties is External or General. Select this to make the interface a DHCP client and automatically get the IP address, subnet mask, and gateway address from a DHCP server.
  • Page 303 Chapter 13 Interfaces Table 61 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Enable Connectivity Check: Select this to turn on the connection check. Check Method: Select the method that the gateway allows. Select icmp to have the ZyWALL regularly ping the gateway you specify to make sure it is still available.
  • Page 304 Chapter 13 Interfaces Table 61 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Pool Size Enter the number of IP addresses to allocate. This number must be at least one and is limited by the interface’s Subnet Mask. For example, if the Subnet Mask is 255.255.255.0 and IP Pool Start Address is 10.10.10.10, the ZyWALL can allocate 10.10.10.10 to 10.10.10.254, or 245 IP addresses.
  • Page 305 Chapter 13 Interfaces Table 61 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION IP Address Enter the IP address to assign to a device with this entry’s MAC address. MAC Address Enter the MAC address to which to assign this entry’s IP address. Description Enter a description to help identify this static DHCP entry.
  • Page 306: Object References

    Chapter 13 Interfaces Table 61 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Text Authentication: This field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to eight characters long.
  • Page 307: Ppp Interfaces

    Chapter 13 Interfaces Figure 269 Object References The following table describes labels that can appear in this screen. Table 62 Object References LABEL DESCRIPTION Object Name This identifies the object for which the configuration settings that use it are displayed. Click the object’s name to display the object’s configuration screen in the main window.
  • Page 308: Ppp Interface Summary

    Chapter 13 Interfaces Figure 270 Example: PPPoE/PPTP Interfaces PPPoE/PPTP interfaces are similar to other interfaces in some ways. They have an IP address, subnet mask, and gateway used to make routing decisions; they restrict bandwidth and packet size; and they can verify the gateway is available. There are two main differences between PPPoE/PPTP interfaces and other interfaces.
  • Page 309 Chapter 13 Interfaces Figure 271 Configuration > Network > Interface > PPP Each field is described in the table below. Table 63 Configuration > Network > Interface > PPP LABEL DESCRIPTION User Configuration / : The ZyWALL comes with the (non-removable) System Default PPP interfaces pre-configured.
  • Page 310: Ppp Interface Add Or Edit

    Chapter 13 Interfaces Table 63 Configuration > Network > Interface > PPP (continued) LABEL DESCRIPTION Base Interface This field displays the interface on top of which the PPPoE/PPTP interface is configured. Account Profile This field displays the ISP account used by this PPPoE/PPTP interface. Apply Click Apply to save your changes back to the ZyWALL.
  • Page 311 Chapter 13 Interfaces Figure 272 Configuration > Network > Interface > PPP > Add Each field is explained in the following table. Table 64 Configuration > Network > Interface > PPP > Add LABEL DESCRIPTION Show Advance Settings / Hide: Click this button to display a greater or lesser number of configuration fields.
  • Page 312 Chapter 13 Interfaces Table 64 Configuration > Network > Interface > PPP > Add (continued) LABEL DESCRIPTION Enable Interface: Select this to enable this interface. Clear this to disable this interface. Interface Properties. Interface Name: Specify a name for the interface. It can use alphanumeric characters, hyphens, and underscores, and it can be up to 11 characters long.
  • Page 313 Chapter 13 Interfaces Table 64 Configuration > Network > Interface > PPP > Add (continued) LABEL DESCRIPTION Interface Parameters. Egress Bandwidth: Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network. Allowed values are 0 - 1048576.
  • Page 314: Cellular Configuration Screen (3G)

    Chapter 13 Interfaces Table 64 Configuration > Network > Interface > PPP > Add (continued) LABEL DESCRIPTION Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. 13.5 Cellular Configuration Screen (3G) 3G (Third Generation) is a digital, packet-switched wireless technology.
  • Page 315 Chapter 13 Interfaces If the signal strength of a 3G network is too low, the 3G card may switch to an available 2.5G or 2.75G network. See the following table for a comparison between 2G, 2.5G, 2.75G and 3G wireless technologies. Table 65 2G, 2.5G, 2.75G, 3G and 3.5G Wireless Technologies MOBILE PHONE AND DATA STANDARDS DATA...
  • Page 316: Cellular Add/Edit Screen

    Chapter 13 Interfaces Figure 273 Configuration > Network > Interface > Cellular The following table describes the labels in this screen. Table 66 Configuration > Network > Interface > Cellular LABEL DESCRIPTION Click this to create a new cellular interface. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
  • Page 317 Chapter 13 Interfaces Figure 274 Configuration > Network > Interface > Cellular > Add
  • Page 318 Chapter 13 Interfaces The following table describes the labels in this screen. Table 67 Configuration > Network > Interface > Cellular > Add LABEL DESCRIPTION Show Advance Settings / Hide: Click this button to display a greater or lesser number of configuration fields.
  • Page 319 Chapter 13 Interfaces Table 67 Configuration > Network > Interface > Cellular > Add (continued) LABEL DESCRIPTION Dial String Enter the dial string if your ISP provides a string, which would include the APN, to initialize the 3G card. You can enter up to 63 ASCII printable characters. Spaces are allowed.
  • Page 320 Chapter 13 Interfaces Table 67 Configuration > Network > Interface > Cellular > Add (continued) LABEL DESCRIPTION Egress Bandwidth: Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network. Allowed values are 0 - 1048576.
  • Page 321 Chapter 13 Interfaces Table 67 Configuration > Network > Interface > Cellular > Add (continued) LABEL DESCRIPTION Automatically: Select this option if your ISP did not assign you a fixed IP address. This is the default selection. Use Fixed IP: Select this option if the ISP assigned a fixed IP address.
  • Page 322 Chapter 13 Interfaces Table 67 Configuration > Network > Interface > Cellular > Add (continued) LABEL DESCRIPTION Data Budget Select this and specify how much downstream and/or upstream data (in megabytes) can be transmitted via the 3G connection within one month.
  • Page 323: Wlan Interface General Screen

    Chapter 13 Interfaces Table 67 Configuration > Network > Interface > Cellular > Add (continued) LABEL DESCRIPTION Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. 13.6 WLAN Interface General Screen The following figure provides an example of a wireless network.
  • Page 324 Chapter 13 Interfaces Click Configuration > Network > Interface > WLAN to open the following screen. See Appendix E on page 1031 for more details on wireless LANs. Figure 276 Configuration > Network > Interface > WLAN The following table describes the labels in this screen. Table 68 Configuration >...
  • Page 325 Chapter 13 Interfaces Table 68 Configuration > Network > Interface > WLAN LABEL DESCRIPTION 802.11 Band Select whether you will let wireless clients connect to the ZyWALL using IEEE 802.11b, IEEE 802.11g, or both. Select b Only to allow only IEEE 802.11b compliant WLAN devices to associate with the ZyWALL.
  • Page 326: Wlan Add/Edit Screen

    Chapter 13 Interfaces Table 68 Configuration > Network > Interface > WLAN LABEL DESCRIPTION IP Address This field displays the current IP address of the WLAN interface. If the IP address is 0.0.0.0, the interface does not have an IP address yet. This screen also shows whether the IP address is a static IP address (STATIC) or dynamically assigned (DHCP).
  • Page 327 Chapter 13 Interfaces Figure 277 Configuration > Network > Interface > WLAN > Add (No Security)
  • Page 328 Chapter 13 Interfaces The following table describes the general wireless LAN labels in this screen. Table 70 Configuration > Network > Interface > WLAN > Add (No Security) LABEL DESCRIPTION Show Advance Settings / Hide: Click this button to display a greater or lesser number of configuration fields.
  • Page 329 Chapter 13 Interfaces Table 70 Configuration > Network > Interface > WLAN > Add (No Security) LABEL DESCRIPTION IP Address Enter the IP address for this interface. Subnet Mask Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network.
  • Page 330: Add

    Chapter 13 Interfaces Table 70 Configuration > Network > Interface > WLAN > Add (No Security) LABEL DESCRIPTION Pool Size Enter the number of IP addresses to allocate. This number must be at least one and is limited by the interface’s Subnet Mask. For example, if the Subnet Mask is 255.255.255.0 and IP Pool Start Address is 10.10.10.10, the ZyWALL can allocate 10.10.10.10 to 10.10.10.254, or 245 IP addresses.
  • Page 331 Chapter 13 Interfaces Table 70 Configuration > Network > Interface > WLAN > Add (No Security) LABEL DESCRIPTION Direction This field is effective when RIP is enabled. Select the RIP direction from the drop-down list box. BiDir - This interface sends and receives routing information. In-Only - This interface receives routing information.
  • Page 332: Wlan Add/Edit: Wep Security

    Chapter 13 Interfaces Table 70 Configuration > Network > Interface > WLAN > Add (No Security) LABEL DESCRIPTION Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. 13.6.2 WLAN Add/Edit: WEP Security WEP provides a mechanism for encrypting data using encryption keys.
  • Page 333: Wlan Add/Edit: Wpa-Psk/Wpa2-Psk Security

    Chapter 13 Interfaces The following table describes the WEP-related wireless LAN security labels. See Table 70 on page 328 for information on the 802.1x fields. Table 71 Configuration > Network > Interface > WLAN > Add (WEP Security) LABEL DESCRIPTION WEP (Wired Equivalent Privacy) provides data encryption to prevent Encryption unauthorized wireless stations from accessing data transmitted over the...
  • Page 334: Wlan Add/Edit: Wpa/Wpa2 Security

    Chapter 13 Interfaces The following table describes the WPA-PSK/WPA2-PSK-related wireless LAN security labels. Table 72 Configuration > Network > Interface > WLAN > Add (WPA-PSK, WPA2- PSK, or WPA/WPA2-PSK Security) LABEL DESCRIPTION Pre Shared Key The encryption mechanisms used for WPA and WPA-PSK are the same.
  • Page 335 Chapter 13 Interfaces Figure 280 Configuration > Network > Interface > WLAN > Add (WPA/WPA2 Security) The following table describes the WPA/WPA2-related wireless LAN security labels. Table 73 Configuration > Network > Interface > WLAN > Add (WPA/WPA2 Security) LABEL DESCRIPTION Authentication Select what the ZyWALL uses to authenticate the wireless clients.
  • Page 336: Wlan Interface Mac Filter

    Chapter 13 Interfaces Table 73 Configuration > Network > Interface > WLAN > Add (WPA/WPA2 Security) LABEL DESCRIPTION Radius Server Port: Enter the RADIUS server’s listening port number (the default is 1812). Radius Server Secret: Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the ZyWALL.
  • Page 337 Chapter 13 Interfaces Figure 281 Network > Interface > WLAN > MAC Filter The following table describes the labels in this screen. Table 74 Configuration > Network > Interface > WLAN > MAC Filter LABEL DESCRIPTION Enable MAC Filter: Select or clear the check box to enable or disable MAC address filtering. Enable MAC address filtering to have the router allow or deny access to wireless stations based on MAC addresses.
  • Page 338: Vlan Interfaces

    Chapter 13 Interfaces 13.8 VLAN Interfaces A Virtual Local Area Network (VLAN) divides a physical network into multiple logical networks. The standard is defined in IEEE 802.1q. Figure 282 Example: Before VLAN In this example, there are two physical networks and three departments A, B, and C.
  • Page 339 Chapter 13 Interfaces • Traffic inside each VLAN is layer-2 communication (data link layer, MAC addresses). It is handled by the switches. As a result, the new switch is required to handle traffic inside VLAN 2. Traffic is only broadcast inside each VLAN, not each physical network.
  • Page 340: Vlan Summary Screen

    Chapter 13 Interfaces 13.8.1 VLAN Summary Screen This screen lists every VLAN interface and virtual interface created on top of VLAN interfaces. To access this screen, click Configuration > Network > Interface > VLAN. Figure 284 Configuration > Network > Interface > VLAN Each field is explained in the following table.
  • Page 341: Vlan Add/Edit

    Chapter 13 Interfaces Table 75 Configuration > Network > Interface > VLAN (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. 13.8.2 VLAN Add/Edit This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each VLAN interface.
  • Page 342 Chapter 13 Interfaces Figure 285 Configuration > Network > Interface > VLAN > Edit
  • Page 343 Chapter 13 Interfaces Each field is explained in the following table. Table 76 Configuration > Network > Interface > VLAN > Edit LABEL DESCRIPTION Show Advance Settings / Hide: Click this button to display a greater or lesser number of configuration fields.
  • Page 344 Chapter 13 Interfaces Table 76 Configuration > Network > Interface > VLAN > Edit (continued) LABEL DESCRIPTION Metric Enter the priority of the gateway (if any) on this interface. The ZyWALL decides which gateway to use based on this priority. The lower the number, the higher the priority.
  • Page 345 Chapter 13 Interfaces Table 76 Configuration > Network > Interface > VLAN > Edit (continued) LABEL DESCRIPTION DHCP Select what type of DHCP service the ZyWALL provides to the network. Choices are: None - the ZyWALL does not provide any DHCP services. There is already a DHCP server on the network.
  • Page 346 Chapter 13 Interfaces Table 76 Configuration > Network > Interface > VLAN > Edit (continued) LABEL DESCRIPTION Lease time Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are: infinite - select this if IP addresses never expire days, hours, and minutes - select this to enter how long IP...
  • Page 347 Chapter 13 Interfaces Table 76 Configuration > Network > Interface > VLAN > Edit (continued) LABEL DESCRIPTION OSPF Setting See Section 16.3 on page 395 for more information about OSPF. Area Select the area in which this interface belongs. Select None to disable OSPF in this interface.
  • Page 348: Bridge Interfaces

    Chapter 13 Interfaces 13.9 Bridge Interfaces This section introduces bridges and bridge interfaces and then explains the screens for bridge interfaces. Bridge Overview A bridge creates a connection between two or more network segments at the layer-2 (MAC address) level. In the following example, bridge X connects four network segments.
  • Page 349 Chapter 13 Interfaces If computer B responds to computer A, bridge X records the source address 0B:0B:0B:0B:0B:0B and port 4 in the table. It also looks up 0A:0A:0A:0A:0A:0A in the table and sends the packet to port 2 accordingly. Table 78 Example: Bridge Table After Computer B Responds to Computer A MAC ADDRESS PORT 0A:0A:0A:0A:0A:0A...
  • Page 350: Bridge Summary

    Chapter 13 Interfaces remove from a bridge interface when the underlying interface is added or removed. 13.9.1 Bridge Summary This screen lists every bridge interface and virtual interface created on top of bridge interfaces. To access this screen, click Configuration > Network > Interface >...
  • Page 351: Bridge Add/Edit

    Chapter 13 Interfaces Table 80 Configuration > Network > Interface > Bridge (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. 13.9.2 Bridge Add/Edit This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each bridge interface.
  • Page 352 Chapter 13 Interfaces Figure 287 Configuration > Network > Interface > Bridge > Add
  • Page 353 Chapter 13 Interfaces Each field is described in the table below. Table 81 Configuration > Network > Interface > Bridge > Edit LABEL DESCRIPTION Show Advance Settings / Hide: Click this button to display a greater or lesser number of configuration fields.
  • Page 354 Chapter 13 Interfaces Table 81 Configuration > Network > Interface > Bridge > Edit (continued) LABEL DESCRIPTION Gateway This field is enabled if you select Use Fixed IP Address. Enter the IP address of the gateway. The ZyWALL sends packets to the gateway when it does not know how to route the packet to its destination.
  • Page 355 Chapter 13 Interfaces Table 81 Configuration > Network > Interface > Bridge > Edit (continued) LABEL DESCRIPTION IP Pool Start Address: Enter the IP address from which the ZyWALL begins allocating IP addresses. If you want to assign a static IP address to a specific computer, click Add Static DHCP.
  • Page 356 Chapter 13 Interfaces Table 81 Configuration > Network > Interface > Bridge > Edit (continued) LABEL DESCRIPTION Click this to create a new entry. Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. This field is a sequential value, and it is not associated with a specific entry.
  • Page 357: Auxiliary Interface

    Chapter 13 Interfaces 13.10 Auxiliary Interface This section introduces the auxiliary interface and then explains the screen for it. 13.10.1 Auxiliary Interface Overview Use the auxiliary interface to dial out from the ZyWALL’s auxiliary port. For example, you might use this interface as a backup WAN interface. You have to connect an external modem to the ZyWALL’s auxiliary port to use the auxiliary interface.
  • Page 358 Chapter 13 Interfaces Figure 288 Configuration > Network > Interface > Auxiliary Each field is described in the table below. Table 82 Configuration > Network > Interface > Auxiliary LABEL DESCRIPTION General Settings Enable Interface: Select this to turn on the auxiliary dial-up interface. The interface does not dial out, however, unless it is part of a trunk and load-balancing conditions are satisfied.
  • Page 359: Virtual Interfaces

    Chapter 13 Interfaces Table 82 Configuration > Network > Interface > Auxiliary (continued) LABEL DESCRIPTION Phone Number Enter the phone number to dial here. You can use 1-20 numbers, commas (,), or plus signs (+). Use a comma to pause during dialing. Use a plus sign to tell the external modem to make an international call.
  • Page 360: Virtual Interfaces Add/Edit

    Chapter 13 Interfaces cannot change the MTU. The virtual interface uses the same MTU that the underlying interface uses. Unlike other interfaces, virtual interfaces do not provide DHCP services, and they do not verify that the gateway is available. 13.11.1 Virtual Interfaces Add/Edit This screen lets you configure IP address assignment and interface parameters for virtual interfaces.
  • Page 361: Interface Technical Reference

    Chapter 13 Interfaces Table 83 Configuration > Network > Interface > Add (continued) LABEL DESCRIPTION Metric Enter the priority of the gateway (if any) on this interface. The ZyWALL decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the ZyWALL uses the one that was configured first.
  • Page 362 Chapter 13 Interfaces For example, if the ZyWALL gets a packet with a destination address of 100.100.25.25, it routes the packet to interface lan1. If the ZyWALL gets a packet with a destination address of 200.200.200.200, it routes the packet to interface wan1.
  • Page 363 Chapter 13 Interfaces • Egress bandwidth sets the amount of traffic the ZyWALL sends out through the interface to the network. • Ingress bandwidth sets the amount of traffic the ZyWALL allows in through the interface from the network. If you set the bandwidth restrictions very high, you effectively remove the restrictions.
  • Page 364 Chapter 13 Interfaces • IP address - If the DHCP client’s MAC address is in the ZyWALL’s static DHCP table, the interface assigns the corresponding IP address. If not, the interface assigns IP addresses from a pool, defined by the starting address of the pool and the pool size.
  • Page 365 Chapter 13 Interfaces PPPoE/PPTP Overview Point-to-Point Protocol over Ethernet (PPPoE, RFC 2516) and Point-to-Point Tunneling Protocol (PPTP, RFC 2637) are usually used to connect two computers over phone lines or broadband connections. PPPoE is often used with cable modems and DSL connections. It provides the following advantages: •...
  • Page 367: Trunks

    CHAPTER 14 Trunks 14.1 Overview Use trunks for WAN traffic load balancing to increase overall network throughput and reliability. Load balancing divides traffic loads between multiple interfaces. This allows you to improve quality of service and maximize bandwidth utilization for multiple ISP links.
  • Page 368: What You Need To Know

    Chapter 14 Trunks 14.1.2 What You Need to Know • Add WAN interfaces to trunks to have multiple connections share the traffic load. • If one WAN interface’s connection goes down, the ZyWALL sends traffic through another member of the trunk. •...
  • Page 369 Chapter 14 Trunks The ZyWALL is using active/active load balancing. So when LAN user A tries to access something on the server, the request goes out through wan2. The server finds that the request comes from wan2’s IP address instead of wan1’s IP address and rejects the request.
  • Page 370 Chapter 14 Trunks Since WAN 2 has a smaller load balancing index (meaning that it is less utilized than WAN 1), the ZyWALL will send the subsequent new session traffic through WAN 2. Table 87 Least Load First Example OUTBOUND LOAD BALANCING INDEX INTERFACE (M/A)
  • Page 371 Chapter 14 Trunks interface. This fully utilizes the bandwidth of the first interface to reduce Internet usage fees and avoid overloading the interface. In this example figure, the upper threshold of the first interface is set to 800K. The ZyWALL sends network traffic of new sessions that exceed this limit to the secondary WAN interface.
  • Page 372: The Trunk Summary Screen

    Chapter 14 Trunks 14.2 The Trunk Summary Screen Click Configuration > Network > Interface > Trunk to open the Trunk screen. This screen lists the configured trunks and the load balancing algorithm that each is configured to use. Figure 295 Configuration > Network > Interface > Trunk The following table describes the items in this screen.
  • Page 373: Configuring A Trunk

    Chapter 14 Trunks Table 88 Configuration > Network > Interface > Trunk (continued) LABEL DESCRIPTION Enable Default SNAT: Select this to have the ZyWALL use the IP address of the outgoing interface as the source IP address of the packets it sends out through its WAN trunks.
  • Page 374 Chapter 14 Trunks Each field is described in the table below. Table 89 Configuration > Network > Interface > Trunk > Add (or Edit) LABEL DESCRIPTION Name This is read-only if you are editing an existing trunk. When adding a new trunk, enter a descriptive name for this trunk.
  • Page 375: Trunk Technical Reference

    Chapter 14 Trunks Table 89 Configuration > Network > Interface > Trunk > Add (or Edit) (continued) LABEL DESCRIPTION Egress Bandwidth: This field displays with the least load first or spillover load balancing algorithm. It displays the maximum number of kilobits of data the ZyWALL is to send out through the interface per second.
  • Page 377: Policy And Static Routes

    Chapter 15 Policy and Static Routes 15.1 Policy and Static Routes Overview Use policy routes and static routes to override the ZyWALL’s default routing behavior in order to send packets through the appropriate interface or VPN tunnel. For example, the next figure shows a computer (A) connected to the ZyWALL’s LAN interface.
  • Page 378: What You Need To Know

    Chapter 15 Policy and Static Routes • Use the Static Route screens (see Section 15.3 on page 387) to list and configure static routes. 15.1.2 What You Need to Know Policy Routing Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet.
  • Page 379 Chapter 15 Policy and Static Routes Policy Routes Versus Static Routes • Policy routes are more flexible than static routes. You can select more criteria for the traffic to match and can also use schedules, NAT, and bandwidth management. • Policy routes are only used within the ZyWALL itself. Static routes can be propagated to other routers using RIP or OSPF.
  • Page 380: Policy Route Screen

    Chapter 15 Policy and Static Routes Finding Out More • See Section 6.5.6 on page 102 for related information on the policy route screens. • See Section 7.14 on page 176 for an example of creating a policy route for using multiple static public WAN IP addresses for LAN to WAN traffic.
  • Page 381 Chapter 15 Policy and Static Routes The following table describes the labels in this screen. Table 90 Configuration > Network > Routing > Policy Route LABEL DESCRIPTION Show Advance Click this button to display a greater or lesser number of configuration Settings / fields.
  • Page 382 Chapter 15 Policy and Static Routes Table 90 Configuration > Network > Routing > Policy Route (continued) LABEL DESCRIPTION DSCP Code This is the DSCP value of incoming packets to which this policy route applies. any means all DSCP values or no DSCP marker. default means traffic with a DSCP value of 0.
  • Page 383: Policy Route Edit Screen

    Chapter 15 Policy and Static Routes 15.2.1 Policy Route Edit Screen Click Configuration > Network > Routing to open the Policy Route screen. Then click the Add or Edit icon to open the Policy Route Edit screen. Use this screen to configure or edit a policy route. Figure 299 Configuration >...
  • Page 384 Chapter 15 Policy and Static Routes Table 91 Configuration > Network > Routing > Policy Route > Edit (continued) LABEL DESCRIPTION Incoming Select where the packets are coming from; any, an interface, a tunnel, an SSL VPN, or the ZyWALL itself. For an interface, a tunnel, or an SSL VPN, you also need to select the individual interface, VPN tunnel, or SSL VPN connection.
  • Page 385 Chapter 15 Policy and Static Routes Table 91 Configuration > Network > Routing > Policy Route > Edit (continued) LABEL DESCRIPTION VPN Tunnel This field displays when you select VPN Tunnel in the Type field. Select a VPN tunnel through which the packets are sent to the remote network that is connected to the ZyWALL directly.
  • Page 386 Chapter 15 Policy and Static Routes Table 91 Configuration > Network > Routing > Policy Route > Edit (continued) LABEL DESCRIPTION Source Select none to not use NAT for the route. Network Select outgoing-interface to use the IP address of the outgoing Address interface as the source IP address of the packets that matches this Translation...
  • Page 387: Ip Static Route Screen

    Chapter 15 Policy and Static Routes Table 91 Configuration > Network > Routing > Policy Route > Edit (continued) LABEL DESCRIPTION Maximum Bandwidth: Specify the maximum bandwidth (from 1 to 1048576) allowed for the route in kbps. If you enter 0 here, there is no bandwidth limitation for the route.
  • Page 388: Static Route Add/Edit Screen

    Chapter 15 Policy and Static Routes The following table describes the labels in this screen. Table 92 Configuration > Network > Routing > Static Route LABEL DESCRIPTION Click this to create a new static route. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
  • Page 389: Policy Routing Technical Reference

    Chapter 15 Policy and Static Routes Table 93 Configuration > Network > Routing > Static Route > Add (continued) LABEL DESCRIPTION Gateway IP Select the radio button and enter the IP address of the next-hop gateway. The gateway is a router or switch on the same segment as your ZyWALL's interface(s).
  • Page 390: Port Triggering

    Chapter 15 Policy and Static Routes following twelve DSCP encodings from AF11 through AF43. The decimal equivalent is listed in brackets. Table 94 Assured Forwarding (AF) Behavior Group (columns: Class 1, Class 2, Class 3, Class 4) Low Drop Precedence: AF11 (10), AF21 (18), AF31 (26), AF41 (34). Medium Drop Precedence...
  • Page 391: Maximize Bandwidth Usage

    Chapter 15 Policy and Static Routes Computer A and game server 1 are connected to each other until the connection is closed or times out. Any other computers (such as B or C) cannot connect to remote server 1 using the same port triggering rule as computer A unless they are using a different next hop (gateway, outgoing interface, VPN tunnel or trunk) from computer A or until the connection is closed or times out.
  • Page 393: Routing Protocols

    Chapter 16 Routing Protocols 16.1 Routing Protocols Overview Routing protocols give the ZyWALL routing information about the network from other routers. The ZyWALL stores this routing information in the routing table it uses to make routing decisions. In turn, the ZyWALL can also use routing protocols to propagate routing information to other routers.
  • Page 394: The Rip Screen

    Chapter 16 Routing Protocols 16.2 The RIP Screen RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a device to exchange routing information with other routers. RIP is a distance-vector routing protocol, and, like most such protocols, it uses hop count to decide which route is the shortest.
  • Page 395: The Ospf Screen

    Chapter 16 Routing Protocols The following table describes the labels in this screen. Table 96 Configuration > Network > Routing Protocol > RIP LABEL DESCRIPTION Authentication Authentication Select the authentication method used in the RIP network. This authentication protects the integrity, but not the confidentiality, of routing updates.
  • Page 396 Chapter 16 Routing Protocols System (AS). OSPF offers some advantages over vector-space routing protocols like RIP. • OSPF supports variable-length subnet masks, which can be set up to use available IP addresses more efficiently. • OSPF filters and summarizes routing information, which reduces the size of routing tables throughout the network.
  • Page 397 Chapter 16 Routing Protocols Each type of area is illustrated in the following figure. Figure 304 OSPF: Types of Areas This OSPF AS consists of four areas, areas 0-3. Area 0 is always the backbone. In this example, areas 1, 2, and 3 are all connected to it. Area 1 is a normal area. It has routing information about the OSPF AS and networks X and Y.
  • Page 398 Chapter 16 Routing Protocols • An Autonomous System Boundary Router (ASBR) exchanges routing information with routers in networks outside the OSPF AS. This is called redistribution in OSPF. Table 97 OSPF: Redistribution from Other Sources to Each Type of Area SOURCE \ TYPE OF AREA NORMAL NSSA STUB...
  • Page 399: Configuring The Ospf Screen

    Chapter 16 Routing Protocols to logically connect the area to the backbone. This is illustrated in the following example. Figure 306 OSPF: Virtual Link In this example, area 100 does not have a direct connection to the backbone. As a result, you should set up a virtual link on both ABRs in area 10.
  • Page 400 Chapter 16 Routing Protocols Click Configuration > Network > Routing > OSPF to open the following screen. Figure 307 Configuration > Network > Routing > OSPF The following table describes the labels in this screen. See Section 16.3.2 on page for more information as well.
  • Page 401 Chapter 16 Routing Protocols Table 98 Configuration > Network > Routing Protocol > OSPF (continued) LABEL DESCRIPTION Type Select how OSPF calculates the cost associated with routing information from static routes. Choices are: Type 1 and Type 2. Type 1 - cost = OSPF AS cost + external cost (Metric) Type 2 - cost = external cost (Metric);...
  • Page 402: Ospf Area Add/Edit Screen

    Chapter 16 Routing Protocols 16.3.2 OSPF Area Add/Edit Screen The OSPF Area Add/Edit screen allows you to create a new area or edit an existing one. To access this screen, go to the OSPF summary screen (see Section 16.3 on page 395), and click either the Add icon or an Edit icon.
  • Page 403: Virtual Link Add/Edit Screen

    Chapter 16 Routing Protocols Table 99 Configuration > Network > Routing > OSPF > Add (continued) LABEL DESCRIPTION Text Authentication: This field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to 8 characters long.
  • Page 404: Routing Protocol Technical Reference

    Chapter 16 Routing Protocols 402) has the Type set to Normal, a Virtual Link table displays. Click either the Add icon or an entry and the Edit icon to display a screen like the following. Figure 309 Configuration > Network > Routing > OSPF > Add > Add The following table describes the labels in this screen.
  • Page 405 Chapter 16 Routing Protocols Authentication Types Authentication is used to guarantee the integrity, but not the confidentiality, of routing updates. The transmitting router uses its key to encrypt the original message into a smaller message, and the smaller message is transmitted with the original message.
  • Page 407: Zones

    Chapter 17 Zones 17.1 Zones Overview Set up zones to configure network security and network policies in the ZyWALL. A zone is a group of interfaces and/or VPN tunnels. The ZyWALL uses zones instead of interfaces in many security and policy settings, such as firewall rules, Anti-X, and remote management.
  • Page 408: What You Need To Know

    Chapter 17 Zones 17.1.2 What You Need to Know Effects of Zones on Different Types of Traffic Zones effectively divide traffic into three types: intra-zone traffic, inter-zone traffic, and extra-zone traffic, which are affected differently by zone-based security and policy settings. Intra-zone Traffic •...
  • Page 409: The Zone Screen

    Chapter 17 Zones 17.2 The Zone Screen The Zone screen provides a summary of all zones. In addition, this screen allows you to add, edit, and remove zones. To access this screen, click Configuration > Network > Zone. Figure 311 Configuration > Network > Zone The following table describes the labels in this screen.
  • Page 410: Zone Edit

    Chapter 17 Zones 17.3 Zone Edit The Zone Edit screen allows you to add or edit a zone. To access this screen, go to the Zone screen (see Section 17.2 on page 409), and click the Add icon or an Edit icon.
  • Page 411: Ddns

    Chapter 18 DDNS 18.1 DDNS Overview Dynamic DNS (DDNS) services let you use a domain name with a dynamic IP address. 18.1.1 What You Can Do in this Chapter • Use the DDNS screen (see Section 18.2 on page 412) to view a list of the configured DDNS domain names and their details.
  • Page 412: The Ddns Screen

    Chapter 18 DDNS Note: Record your DDNS account’s user name, password, and domain name to use to configure the ZyWALL. After you configure the ZyWALL, it automatically sends updated IP addresses to the DDNS service provider, which helps redirect traffic accordingly. Finding Out More See Section 6.5.9 on page 104 for related information on these screens.
  • Page 413 Chapter 18 DDNS Table 104 Configuration > Network > DDNS (continued) LABEL DESCRIPTION Primary This field displays the interface to use for updating the IP address Interface/IP mapped to the domain name followed by how the ZyWALL determines the IP address for the domain name. from interface - The IP address comes from the specified interface.
  • Page 414: The Dynamic Dns Add/Edit Screen

    Chapter 18 DDNS 18.2.1 The Dynamic DNS Add/Edit Screen The DDNS Add/Edit screen allows you to add a domain name to the ZyWALL or to edit the configuration of an existing domain name. Click Configuration > Network > DDNS and then an Add or Edit icon to open this screen. Figure 314 Configuration >...
  • Page 415 Chapter 18 DDNS Table 105 Configuration > Network > DDNS > Add (continued) LABEL DESCRIPTION Username Type the user name used when you registered your domain name. You can use up to 31 alphanumeric characters and the underscore. Spaces are not allowed. For a Dynu DDNS entry, this user name is the one you use for logging into the service, not the name recorded in your personal information in the Dynu website.
  • Page 416 Chapter 18 DDNS Table 105 Configuration > Network > DDNS > Add (continued) LABEL DESCRIPTION IP Address The options available in this field vary by DDNS provider. Interface -The ZyWALL uses the IP address of the specified interface. This option appears when you select a specific interface in the Backup Binding Address Interface field.
  • Page 417: Nat

    Chapter 19 NAT 19.1 NAT Overview NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network, is changed to a different IP address known within another network.
  • Page 418: What You Need To Know

    Chapter 19 NAT 19.1.2 What You Need to Know NAT is also known as virtual server, port forwarding, or port translation. Finding Out More • See Section 6.5.10 on page 104 for related information on these screens. • See Section 19.3 on page 423 for technical background information related to these screens.
  • Page 419 Chapter 19 NAT Table 106 Configuration > Network > NAT (continued) LABEL DESCRIPTION Remove To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate.
  • Page 420: The Nat Add/Edit Screen

    Chapter 19 NAT 19.2.1 The NAT Add/Edit Screen The NAT Add/Edit screen lets you create new NAT rules and edit existing ones. To open this window, open the NAT summary screen. (See Section 19.2 on page 418.) Then, click on an Add icon or Edit icon to open the following screen. Figure 317 Configuration >...
  • Page 421 Chapter 19 NAT Table 107 Configuration > Network > NAT > Add (continued) LABEL DESCRIPTION Classification Select what kind of NAT this rule is to perform. Virtual Server - This makes computers on a private network behind the ZyWALL available to a public network outside the ZyWALL (like the Internet).
  • Page 422 Chapter 19 NAT Table 107 Configuration > Network > NAT > Add (continued) LABEL DESCRIPTION Mapped IP This field displays for Many 1:1 NAT. Select to which translated Subnet/Range destination IP address subnet or IP address range this NAT rule forwards packets.
  • Page 423: Nat Technical Reference

    Chapter 19 NAT Table 107 Configuration > Network > NAT > Add (continued) LABEL DESCRIPTION Firewall By default the firewall blocks incoming connections from external addresses. After you configure your NAT rule settings, click the Firewall link to configure a firewall rule to allow the NAT rule’s traffic to come in. The ZyWALL checks NAT rules before it applies To-ZyWALL firewall rules, so To-ZyWALL firewall rules do not apply to traffic that is forwarded by NAT rules.
  • Page 424 Chapter 19 NAT For example, a LAN user’s computer at IP address 192.168.1.89 queries a public DNS server to resolve the SMTP server’s domain name (xxx.LAN-SMTP.com in this example) and gets the SMTP server’s mapped public IP address of 1.1.1.1. Figure 318 LAN Computer Queries a Public DNS Server xxx.LAN-SMTP.com = 1.1.1.1 xxx.LAN-SMTP.com = ?
  • Page 425 Chapter 19 NAT SMTP server replied directly to the LAN user without the traffic going through NAT, the source would not match the original destination address which would cause the LAN user’s computer to shut down the session. Figure 320 LAN to LAN Return Traffic Source 192.168.1.21 Source 1.1.1.1 SMTP...
  • Page 427: Http Redirect

    Chapter 20 HTTP Redirect 20.1 Overview HTTP redirect forwards the client’s HTTP request (except HTTP traffic destined for the ZyWALL) to a web proxy server. In the following example, proxy server A is connected to the DMZ interface. When a client connected to the LAN1 zone wants to open a web page, its HTTP request is redirected to proxy server A first.
  • Page 428: What You Need To Know

    Chapter 20 HTTP Redirect 20.1.2 What You Need to Know Web Proxy Server A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services. A proxy server can act as a firewall or an ALG (application layer gateway) between the private network and the Internet or other networks.
  • Page 429: The Http Redirect Screen

    Chapter 20 HTTP Redirect • an application patrol rule to allow HTTP traffic between dmz and wan1. • a policy route to forward HTTP traffic from proxy server A to the Internet. Finding Out More See Section 6.5.11 on page 105 for related information on these screens.
  • Page 430: The Http Redirect Edit Screen

    Chapter 20 HTTP Redirect Table 108 Configuration > Network > HTTP Redirect (continued) LABEL DESCRIPTION Port This is the service port number used by the proxy server. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. 20.2.1 The HTTP Redirect Edit Screen Click Network >...
  • Page 431: Alg

    Chapter 21 ALG 21.1 ALG Overview Application Layer Gateway (ALG) allows the following applications to operate properly through the ZyWALL’s NAT. • SIP - Session Initiation Protocol (SIP) - An application-layer protocol that can be used to create voice and multimedia sessions over the Internet. •...
  • Page 432: What You Need To Know

    Chapter 21 ALG 21.1.2 What You Need to Know Application Layer Gateway (ALG), NAT and Firewall The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain NAT un-friendly applications (such as SIP) to operate properly through the ZyWALL’s NAT and firewall.
  • Page 433 Chapter 21 ALG • There should be only one SIP server (total) on the ZyWALL’s private networks. Any other SIP servers must be on the WAN. So for example you could have a Back-to-Back User Agent such as the IPPBX x6004 or an asterisk PBX on the DMZ or on the LAN but not on both.
  • Page 434 Chapter 21 ALG can receive incoming calls from the Internet, LAN IP addresses B and C can still make calls out to the Internet. Figure 326 VoIP Calls from the WAN with Multiple Outgoing Calls VoIP with Multiple WAN IP Addresses With multiple WAN IP addresses on the ZyWALL, you can configure different firewall and NAT (port forwarding) rules to allow incoming calls from each WAN IP address to go to a specific IP address on the LAN (or DMZ).
  • Page 435: Before You Begin

    Chapter 21 ALG • See Section 21.3 on page 437 for ALG background/technical information. 21.1.3 Before You Begin You must also configure the firewall and enable NAT in the ZyWALL to allow sessions initiated from the WAN. 21.2 The ALG Screen Click Configuration >...
  • Page 436 Chapter 21 ALG The following table describes the labels in this screen. Table 110 Configuration > Network > ALG LABEL DESCRIPTION Enable SIP ALG Turn on the SIP ALG to detect SIP traffic and help build SIP sessions through the ZyWALL’s NAT. Enabling the SIP ALG also allows you to use the application patrol to detect SIP traffic and manage the SIP traffic’s bandwidth (see Chapter 32 on page...
  • Page 437: Alg Technical Reference

    Chapter 21 ALG Table 110 Configuration > Network > ALG (continued) LABEL DESCRIPTION Enable FTP ALG Turn on the FTP ALG to detect FTP (File Transfer Protocol) traffic and help build FTP sessions through the ZyWALL’s NAT. Enabling the FTP ALG also allows you to use the application patrol to detect FTP traffic and manage the FTP traffic’s bandwidth (see Chapter 32 on page...
  • Page 438 Chapter 21 ALG connections to the second (passive) interface when the active interface’s connection goes down. When the active interface’s connection fails, the client needs to re-initialize the connection through the second interface (that was set to passive) in order to have the connection go through the second interface. VoIP clients usually re-register automatically at set intervals or the users can manually force them to re-register.
  • Page 439: Ip/Mac Binding

    Chapter 22 IP/MAC Binding 22.1 IP/MAC Binding Overview IP address to MAC address binding helps ensure that only the intended devices get to use privileged IP addresses. The ZyWALL uses DHCP to assign IP addresses and records the MAC address to which it assigned each IP address.
  • Page 440: What You Need To Know

    Chapter 22 IP/MAC Binding 22.1.2 What You Need to Know DHCP IP/MAC address bindings are based on the ZyWALL’s dynamic and static DHCP entries. Interfaces Used With IP/MAC Binding IP/MAC address bindings are grouped by interface. You can use IP/MAC binding with Ethernet, bridge, VLAN, and WLAN interfaces.
  • Page 441: Ip/Mac Binding Edit

    Chapter 22 IP/MAC Binding Table 111 Configuration > Network > IP/MAC Binding > Summary (continued) LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific entry. Status This icon is lit when the entry is active and dimmed when the entry is inactive.
  • Page 442: Static Dhcp Edit

    Chapter 22 IP/MAC Binding Table 112 Configuration > Network > IP/MAC Binding > Edit (continued) LABEL DESCRIPTION Enable Logs for IP/...: Select this option to have the ZyWALL generate a log if a device connected to this interface attempts to use an IP address not assigned by the ZyWALL.
  • Page 443: Ip/Mac Binding Exempt List

    Chapter 22 IP/MAC Binding The following table describes the labels in this screen. Table 113 Configuration > Network > IP/MAC Binding > Edit > Add LABEL DESCRIPTION Interface Name: This field displays the name of the interface within the ZyWALL and the interface’s IP address and subnet mask.
  • Page 444 Chapter 22 IP/MAC Binding Table 114 Configuration > Network > IP/MAC Binding > Exempt List (continued) LABEL DESCRIPTION End IP Enter the last IP address in a range of IP addresses for which the ZyWALL does not apply IP/MAC binding. Add icon Click the Add icon to add a new entry.
  • Page 445: Authentication Policy

    Chapter 23 Authentication Policy 23.1 Overview Use authentication policies to control who can access the network. You can authenticate users (require them to log in) and even perform Endpoint Security (EPS) checking to make sure users’ computers comply with defined corporate policies before they can access the network.
  • Page 446: What You Need To Know

    Chapter 23 Authentication Policy 23.1.2 What You Need to Know Authentication Policy and VPN Authentication policies are applied based on a traffic flow’s source and destination IP addresses. If VPN traffic matches an authentication policy’s source and destination IP addresses, the user must pass authentication. Multiple Endpoint Security Objects You can set an authentication policy to use multiple endpoint security objects.
  • Page 447 Chapter 23 Authentication Policy Click Configuration > Auth. Policy to display the screen. Figure 335 Configuration > Auth. Policy
  • Page 448 Chapter 23 Authentication Policy The following table gives an overview of the objects you can configure. Table 115 Configuration > Auth. Policy LABEL DESCRIPTION Enable Select this to turn on the authentication policy feature. Authentication Policy Exceptional Use this table to list services that users can access without logging in. Services Click Add to change the list’s membership.
  • Page 449: Creating/Editing An Authentication Policy

    Chapter 23 Authentication Policy Table 115 Configuration > Auth. Policy (continued) LABEL DESCRIPTION Status This icon is lit when the entry is active and dimmed when the entry is inactive. Priority This is the position of the authentication policy in the list. The priority is important as the policies are applied in order of priority.
  • Page 450 Chapter 23 Authentication Policy Figure 337 Configuration > Auth. Policy > Add The following table gives an overview of the objects you can configure. Table 116 Configuration > Auth. Policy > Add LABEL DESCRIPTION Create new Use to configure any new settings objects that you need to use in this Object screen.
  • Page 451 Chapter 23 Authentication Policy Table 116 Configuration > Auth. Policy > Add (continued) LABEL DESCRIPTION Schedule Select a schedule that defines when the policy applies. Otherwise, select none and the rule is always effective. This is none and not configurable for the default policy.
  • Page 453: Firewall

    Chapter 24 Firewall 24.1 Overview Use the firewall to block or allow services that use static port numbers. Use application patrol (see Chapter 32 on page 553) to control services using flexible/dynamic port numbers. The firewall can also limit the number of user sessions. This figure shows the ZyWALL’s default firewall rules in action and demonstrates how stateful inspection works.
  • Page 454: What You Need To Know

    Chapter 24 Firewall 24.1.2 What You Need to Know Stateful Inspection The ZyWALL has a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It also inspects sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.
  • Page 455 Chapter 24 Firewall To-ZyWALL Rules Rules with ZyWALL as the To Zone apply to traffic going to the ZyWALL itself. By default: • The firewall allows only LAN, WLAN, or WAN computers to access or manage the ZyWALL. • The ZyWALL drops most packets from the WAN zone to the ZyWALL itself, except for VRRP traffic for Device HA and ESP/AH/IKE/NATT/HTTPS services for VPN tunnels, and generates a log.
  • Page 456: Firewall Rule Example Applications

    Chapter 24 Firewall Firewall and Application Patrol To use a service, make sure both the firewall and application patrol allow the service’s packets to go through the ZyWALL. The ZyWALL checks the firewall rules before the application patrol rules for traffic going through the ZyWALL. Firewall and VPN Traffic After you create a VPN tunnel and add it to a zone, you can set the firewall rules applied to VPN traffic.
  • Page 457 Chapter 24 Firewall the firewall rule to always be in effect. The following figure shows the results of this rule. Figure 339 Blocking All LAN to WAN IRC Traffic Example Your firewall would have the following rules. Table 118 Blocking All LAN to WAN IRC Traffic Example USER SOURCE DESTINATION...
  • Page 458 Chapter 24 Firewall Now you configure a LAN1 to WAN firewall rule that allows IRC traffic from the IP address of the CEO’s computer (192.168.1.7 for example) to go to any destination address. You do not need to specify a schedule since you want the firewall rule to always be in effect.
  • Page 459: Firewall Rule Configuration Example

    Chapter 24 Firewall • The first row allows any LAN1 computer to access the IRC service on the WAN by logging into the ZyWALL with the CEO’s user name. • The second row blocks LAN1 access to the IRC service on the WAN. •...
  • Page 460 Chapter 24 Firewall The screen for configuring a service object opens. Configure it as follows and click Figure 343 Firewall Example: Create a Service Object Select From WAN and To LAN1. Enter the name of the firewall rule. Select Dest_1 is selected for the Destination and Doom is selected as the Service.
  • Page 461: The Firewall Screen

    Chapter 24 Firewall The firewall rule appears in the firewall rule summary. Figure 345 Firewall Example: Doom Rule in Summary 24.2 The Firewall Screen Asymmetrical Routes If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL’s LAN IP address, return traffic may not go through the ZyWALL.
  • Page 462: Configuring The Firewall Screen

    Chapter 24 Firewall The ZyWALL then sends it to the computer on the LAN1 in Subnet 1. Figure 346 Using Virtual Interfaces to Avoid Asymmetrical Routes 24.2.1 Configuring the Firewall Screen Click Configuration > Firewall to open the Firewall screen. Use this screen to enable or disable the firewall and asymmetrical routes, set a maximum number of sessions per host, and display the configured firewall rules.
  • Page 463 Chapter 24 Firewall • The ordering of your rules is very important as rules are applied in sequence. Figure 347 Configuration > Firewall The following table describes the labels in this screen. Table 121 Configuration > Firewall LABEL DESCRIPTION General Settings Enable Select this check box to activate the firewall.
  • Page 464 Chapter 24 Firewall Table 121 Configuration > Firewall (continued) LABEL DESCRIPTION From Zone / This is the direction of travel of packets. Select from which zone the To Zone packets come and to which zone they go. Firewall rules are grouped based on the direction of travel of packets to which they apply.
  • Page 465: The Firewall Add/Edit Screen

    Chapter 24 Firewall Table 121 Configuration > Firewall (continued) LABEL DESCRIPTION Service This displays the service object to which this firewall rule applies. Access This field displays whether the firewall silently discards packets (deny), discards packets and sends a TCP reset packet to the sender (reject) or permits the passage of packets (allow).
  • Page 466: The Session Limit Screen

    Chapter 24 Firewall Table 122 Configuration > Firewall > Add (continued) LABEL DESCRIPTION Description Enter a descriptive name of up to 60 printable ASCII characters for the firewall rule. Spaces are allowed. Schedule Select a schedule that defines when the rule applies. Otherwise, select none and the rule is always effective.
  • Page 467 Chapter 24 Firewall individual limits for specific users, addresses, or both. The individual limit takes priority if you apply both. Figure 349 Configuration > Firewall > Session Limit The following table describes the labels in this screen. Table 123 Configuration > Firewall > Session Limit LABEL DESCRIPTION General...
  • Page 468: The Session Limit Add/Edit Screen

    Chapter 24 Firewall Table 123 Configuration > Firewall > Session Limit (continued) LABEL DESCRIPTION This is the index number of a session limit rule. It is not associated with a specific rule. User This is the user name or user group name to which this session limit rule applies.
  • Page 469 Chapter 24 Firewall Table 124 Configuration > Firewall > Session Limit > Edit (continued) LABEL DESCRIPTION User Select a user name or user group to which to apply the rule. The rule is activated only when the specified user logs into the system and the rule will be disabled when the user logs out.
  • Page 470 Chapter 24 Firewall ZyWALL USG 100/200 Series User’s Guide...
  • Page 471: Ipsec Vpn

    CHAPTER 25 IPSec VPN 25.1 IPSec VPN Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing. It is used to transport traffic over the Internet or any insecure network that uses TCP/IP for communication.
  • Page 472: What You Need To Know

    Chapter 25 IPSec VPN • Use the VPN Gateway screens (see Section 25.2.1 on page 476) to manage the ZyWALL’s VPN gateways. A VPN gateway specifies the IPSec routers at either end of a VPN tunnel and the IKE SA settings (phase 1 settings). You can also activate and deactivate each VPN gateway.
  • Page 473 Chapter 25 IPSec VPN Application Scenarios The ZyWALL’s application scenarios make it easier to configure your VPN connection settings. Table 125 IPSec VPN Application Scenarios (columns: SITE-TO-SITE; SITE-TO-SITE WITH DYNAMIC PEER; REMOTE ACCESS (SERVER ROLE); REMOTE ACCESS (CLIENT ROLE)) Choose this if the... / Choose this if the... / Choose this to allow... / Choose this to...
  • Page 474: Before You Begin

    Chapter 25 IPSec VPN • See Section 25.5 on page 499 for IPSec VPN background information. • See Section 5.3 on page 79 for the IPSec VPN quick setup wizard. • See Section 7.5 on page 141 for an example of configuring IPSec VPN. •...
  • Page 475 Chapter 25 IPSec VPN SA). Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 353 Configuration > VPN > IPSec VPN > VPN Connection Each field is discussed in the following table.
  • Page 476: The Vpn Connection Add/Edit (Ike) Screen

    Chapter 25 IPSec VPN Table 126 Configuration > VPN > IPSec VPN > VPN Connection (continued) LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific connection. Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
  • Page 477 Chapter 25 IPSec VPN Figure 354 Configuration > VPN > IPSec VPN > VPN Connection > Edit (IKE)
  • Page 478 Chapter 25 IPSec VPN Each field is described in the following table. Table 127 Configuration > VPN > IPSec VPN > VPN Connection > Edit LABEL DESCRIPTION Show Advance Settings / Hide: Click this button to display a greater or lesser number of configuration fields.
  • Page 479 Chapter 25 IPSec VPN Table 127 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL DESCRIPTION Policy Local Policy Select the address corresponding to the local network. Use Create new Object if you need to configure a new one. Remote Policy Select the address corresponding to the remote network.
  • Page 480 Chapter 25 IPSec VPN Table 127 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL DESCRIPTION Encryption This field is applicable when the Active Protocol is ESP. Select which key size and encryption algorithm to use in the IPSec SA. Choices are: NULL - no encryption key or algorithm; DES - a 56-bit key with the DES encryption algorithm...
  • Page 481 Chapter 25 IPSec VPN Table 127 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL DESCRIPTION Check Method Select how the ZyWALL checks the connection. The peer must be configured to respond to the method you select. Select icmp to have the ZyWALL regularly ping the address you specify to make sure traffic can still go through the connection.
  • Page 482 Chapter 25 IPSec VPN Table 127 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL DESCRIPTION Inbound Traffic Source NAT This translation hides the source address of computers in the remote network. Source Select the address object that represents the original source address (or select Create Object to configure a new one).
  • Page 483: The Vpn Connection Add/Edit Manual Key Screen

    Chapter 25 IPSec VPN 25.2.2 The VPN Connection Add/Edit Manual Key Screen The VPN Connection Add/Edit Manual Key screen allows you to create a new VPN connection or edit an existing one using a manual key. This is useful if you have problems with IKE key management.
  • Page 484 Chapter 25 IPSec VPN Table 128 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual Key (continued) LABEL DESCRIPTION Secure Gateway Address: Type the IP address of the remote IPSec router in the IPSec SA. SPI: Type a unique SPI (Security Parameter Index) between 256 and 4095. The SPI is used to identify the ZyWALL during authentication.
  • Page 485 Chapter 25 IPSec VPN Table 128 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual Key (continued) LABEL DESCRIPTION Encryption Key This field is applicable when you select an Encryption Algorithm. Enter the encryption key, which depends on the encryption algorithm. DES - type a unique key 8-32 characters long; 3DES - type a unique key 24-32 characters long; AES128 - type a unique key 16-32 characters long...
  • Page 486: The Vpn Gateway Screen

    Chapter 25 IPSec VPN 25.3 The VPN Gateway Screen The VPN Gateway summary screen displays the IPSec VPN gateway policies in the ZyWALL, as well as the ZyWALL’s address, remote IPSec router’s address, and associated VPN connections for each one. In addition, it also lets you activate and deactivate each VPN gateway.
  • Page 487: The Vpn Gateway Add/Edit Screen

    Chapter 25 IPSec VPN Table 129 Configuration > VPN > IPSec VPN > VPN Gateway (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. 25.3.1 The VPN Gateway Add/Edit Screen The VPN Gateway Add/Edit screen allows you to create a new VPN gateway policy or edit an existing one.
  • Page 488 Chapter 25 IPSec VPN Figure 357 Configuration > VPN > IPSec VPN > VPN Gateway > Edit
  • Page 489 Chapter 25 IPSec VPN Each field is described in the following table. Table 130 Configuration > VPN > IPSec VPN > VPN Gateway > Edit LABEL DESCRIPTION Show Advance Settings / Hide: Click this button to display a greater or lesser number of configuration fields.
  • Page 490 Chapter 25 IPSec VPN Table 130 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION Pre-Shared Key: Select this to have the ZyWALL and remote IPSec router use a pre-shared key (password) to identify each other when they negotiate the IKE SA.
  • Page 491 Chapter 25 IPSec VPN Table 130 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION Content This field is read-only if the ZyWALL and remote IPSec router use certificates to identify each other. Type the identity of the ZyWALL during authentication.
  • Page 492 Chapter 25 IPSec VPN Table 130 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION Content This field is disabled if the Peer ID Type is Any. Type the identity of the remote IPSec router during authentication. The identity depends on the Peer ID Type.
  • Page 493 Chapter 25 IPSec VPN Table 130 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION Negotiation Mode: Select the negotiation mode to use to negotiate the IKE SA. Choices: Main - this encrypts the ZyWALL’s and remote IPSec router’s identities but takes more time to establish the IKE SA; Aggressive - this is faster but does not encrypt the identities. The ZyWALL and the remote IPSec router must use the same...
  • Page 494 Chapter 25 IPSec VPN Table 130 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION NAT Traversal Select this if any of these conditions are satisfied. • This IKE SA might be used to negotiate IPSec SAs that use ESP as the active protocol.
  • Page 495: Vpn Concentrator

    Chapter 25 IPSec VPN 25.4 VPN Concentrator A VPN concentrator combines several IPSec VPN connections into one secure network. Figure 358 VPN Topologies (Fully Meshed and Hub and Spoke) In a fully-meshed VPN topology (1 in the figure), there is a VPN connection between every pair of routers.
  • Page 496 Chapter 25 IPSec VPN • Branch office A’s ZyWALL uses one VPN rule to access both the headquarters (HQ) network and branch office B’s network. • Branch office B’s ZyWALL uses one VPN rule to access branch office A’s network only.
  • Page 497 Chapter 25 IPSec VPN VPN Connection (VPN Tunnel 1): • Local Policy: 192.168.1.0/255.255.255.0 • Remote Policy: 192.168.11.0/255.255.255.0 • Disable Policy Enforcement VPN Gateway (VPN Tunnel 2): • My Address: 10.0.0.1 • Peer Gateway Address: 10.0.0.3 VPN Connection (VPN Tunnel 2): • Local Policy: 192.168.1.0/255.255.255.0 •...
  • Page 498: Vpn Concentrator Screen

    Chapter 25 IPSec VPN • The local IP addresses configured in the VPN rules should not overlap. • The concentrator must have at least one separate VPN rule for each spoke. In the local policy, specify the IP addresses of the networks with which the spoke is to be able to have a VPN tunnel.
  • Page 499: Ipsec Vpn Background Information

    Chapter 25 IPSec VPN Concentrator summary screen (see Section 25.4 on page 495), and click either the Add icon or an Edit icon. Figure 361 Configuration > VPN > IPSec VPN > Concentrator > Edit Each field is described in the following table. Table 132 VPN >...
  • Page 500: Ike Sa Overview

    Chapter 25 IPSec VPN IKE SA Overview The IKE SA provides a secure connection between the ZyWALL and remote IPSec router. It takes several steps to establish an IKE SA. The negotiation mode determines how many. There are two negotiation modes--main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster.
  • Page 501 Chapter 25 IPSec VPN The ZyWALL sends one or more proposals to the remote IPSec router. (In some devices, you can only set up one proposal.) Each proposal consists of an encryption algorithm, authentication algorithm, and DH key group that the ZyWALL wants to use in the IKE SA.
  • Page 502 Chapter 25 IPSec VPN the longer it takes to encrypt and decrypt information. For example, DH2 keys (1024 bits) are more secure than DH1 keys (768 bits), but DH2 keys take longer to encrypt and decrypt. Authentication Before the ZyWALL and remote IPSec router establish an IKE SA, they have to verify each other’s identity.
  • Page 503 Chapter 25 IPSec VPN Router identity consists of ID type and content. The ID type can be domain name, IP address, or e-mail address, and the content is a (properly-formatted) domain name, IP address, or e-mail address. The content is only used for identification. Any domain name or e-mail address that you enter does not have to actually exist.
  • Page 504 Chapter 25 IPSec VPN Negotiation Mode There are two negotiation modes--main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster. Main mode takes six steps to establish an IKE SA. Steps 1 - 2: The ZyWALL sends its proposals to the remote IPSec router. The remote IPSec router selects an acceptable proposal and sends it back to the ZyWALL.
  • Page 505 Chapter 25 IPSec VPN feature, router X and router Y can establish a VPN tunnel as long as the active protocol is ESP. (See Active Protocol on page 506 for more information about active protocols.) If router A does not have an IPSec pass-thru or if the active protocol is AH, you can solve this problem by enabling NAT traversal.
  • Page 506: Ipsec Sa Overview

    Chapter 25 IPSec VPN • The local and peer ID type and content come from the certificates. Note: You must set up the certificates for the ZyWALL and remote IPSec router first. IPSec SA Overview Once the ZyWALL and remote IPSec router have established the IKE SA, they can securely negotiate an IPSec SA through which to send data between computers on the networks.
  • Page 507 Chapter 25 IPSec VPN These modes are illustrated below. Figure 366 VPN: Transport and Tunnel Mode Encapsulation (Original Packet: IP Header, TCP Header, Data; Transport Mode Packet: IP Header, AH/ESP Header, TCP Header, Data; Tunnel Mode Packet: IP Header, AH/ESP Header, IP Header, TCP Header, Data)...
  • Page 508 Chapter 25 IPSec VPN Additional Topics for IPSec SA This section provides more information about IPSec SA in your ZyWALL. IPSec SA using Manual Keys You might set up an IPSec SA using manual keys when you want to establish a VPN tunnel quickly, for example, for troubleshooting.
  • Page 509 Chapter 25 IPSec VPN Each kind of translation is explained below. The following example is used to help explain each one. Figure 367 VPN Example: NAT for Inbound and Outbound Traffic Source Address in Outbound Packets (Outbound Traffic, Source NAT) This translation lets the ZyWALL route packets from computers that are not part of the specified local network (local policy) through the IPSec SA.
  • Page 510 Chapter 25 IPSec VPN • SNAT - the translated source address; a different IP address (range of addresses) to hide the original source address. Destination Address in Inbound Packets (Inbound Traffic, Destination NAT) You can set up this translation if you want the ZyWALL to forward some packets from the remote network to a specific computer in the local network.
  • Page 511: Ssl Vpn

    CHAPTER 26 SSL VPN 26.1 Overview Use SSL VPN to allow users to use a web browser for secure remote user login (the remote users do not need a VPN router or VPN client software). 26.1.1 What You Can Do in this Chapter •...
  • Page 512 Chapter 26 SSL VPN You do not have to install additional client software on the remote user computers for access. Figure 368 Network Access Mode: Reverse Proxy Full Tunnel Mode In full tunnel mode, a virtual connection is created for remote users with private IP addresses in the same subnet as the local network.
  • Page 513 Chapter 26 SSL VPN changes through the SSL policies that use the object(s). When you delete an SSL policy, the objects are not removed. Table 135 Objects OBJECT TYPE | OBJECT SCREEN | DESCRIPTION User Accounts | User Account/... | Configure a user account or user group to which you want to apply this SSL access policy.
  • Page 514: The Ssl Access Privilege Screen

    Chapter 26 SSL VPN 26.2 The SSL Access Privilege Screen Click VPN > SSL VPN to open the Access Privilege screen. This screen lists the configured SSL access policies. Figure 370 VPN > SSL VPN > Access Privilege The following table describes the labels in this screen. Table 136 VPN >...
  • Page 515 Chapter 26 SSL VPN Table 136 VPN > SSL VPN > Access Privilege LABEL DESCRIPTION Apply Click Apply to save the settings. Reset Click Reset to discard all changes.
  • Page 516: The Ssl Access Policy Add/Edit Screen

    Chapter 26 SSL VPN 26.2.1 The SSL Access Policy Add/Edit Screen To create a new or edit an existing SSL access policy, click the Add or Edit icon in the Access Privilege screen.
  • Page 517 Chapter 26 SSL VPN Figure 371 VPN > SSL VPN > Access Privilege > Add/Edit
  • Page 518 Chapter 26 SSL VPN The following table describes the labels in this screen. Table 137 VPN > SSL VPN > Access Privilege > Add/Edit LABEL DESCRIPTION Create new Use to configure any new settings objects that you need to use in this Object screen.
  • Page 519: The Ssl Global Setting Screen

    Chapter 26 SSL VPN Table 137 VPN > SSL VPN > Access Privilege > Add/Edit (continued) LABEL DESCRIPTION SSL Application List (Optional): The Selectable Application Objects list displays the name(s) of the SSL application(s) you can select for this SSL access policy. To associate an SSL application to this SSL access policy, select a name and click >>...
  • Page 520 Chapter 26 SSL VPN on your network for full tunnel mode access, enter access messages or upload a custom logo to be displayed on the remote user screen. Figure 372 VPN > SSL VPN > Global Setting The following table describes the labels in this screen. Table 138 VPN >...
  • Page 521: How To Upload A Custom Logo

    Chapter 26 SSL VPN Table 138 VPN > SSL VPN > Global Setting (continued) LABEL DESCRIPTION Logout Message Specify a message to display on the screen when a user logs out and the SSL VPN connection is terminated successfully. You can enter up to 60 characters (“a-z”, “A-Z”, “0-9”) with spaces allowed.
  • Page 522: Establishing An Ssl Vpn Connection

    Chapter 26 SSL VPN The following shows an example logo on the remote user screen. Figure 373 Example Logo Graphic Display 26.4 Establishing an SSL VPN Connection After you have configured the SSL VPN settings on the ZyWALL, use the ZyWALL login screen’s SSL VPN button to establish an SSL VPN connection.
  • Page 523 Chapter 26 SSL VPN SSL VPN connection starts. This may take several minutes depending on your network connection. Once the connection is up, you should see the client portal screen. The following shows an example. Figure 375 SSL VPN Client Portal Screen Example If the user account is not set up for SSL VPN access, an “SSL VPN connection is not activated”...
  • Page 525: Ssl User Screens

    CHAPTER 27 SSL User Screens 27.1 Overview This chapter introduces the remote user SSL VPN screens. The following figure shows a network example where a remote user (A) logs into the ZyWALL from the Internet to access the web server (WWW) on the local network. Figure 376 Network Example 27.1.1 What You Need to Know...
  • Page 526: Remote User Login

    Chapter 27 SSL User Screens System Requirements Here are the browser and computer system requirements for remote user access. • Windows 7 (32 or 64-bit), Vista (32 or 64-bit), 2003 (32-bit), XP (32-bit), or 2000 (32-bit) • Internet Explorer 7 and above or Firefox 1.5 and above •...
  • Page 527 Chapter 27 SSL User Screens Open a web browser and enter the web site address or IP address of the ZyWALL. For example, “http://sslvpn.mycompany.com”. Figure 377 Enter the Address in a Web Browser Click OK or Yes if a security screen displays. Figure 378 Login Security Screen A login screen displays.
  • Page 528 Chapter 27 SSL User Screens Your computer starts establishing a secure connection to the ZyWALL after a successful login. This may take up to two minutes. If you get a message about needing Java, download and install it and restart your browser and re-login. If a certificate warning screen displays, click OK, Yes or Continue.
  • Page 529 Chapter 27 SSL User Screens The ZyWALL tries to install the SecuExtender client. You may need to click a pop-up to get your browser to allow this. In Internet Explorer, click Install. Figure 382 SecuExtender Blocked by Internet Explorer The ZyWALL tries to run the “ssltun”...
  • Page 530 Chapter 27 SSL User Screens 10 If a screen like the following displays, click Continue Anyway to finish installing the SecuExtender client on your computer. Figure 385 Hardware Installation Warning 11 The Application screen displays showing the list of resources available to you. See Figure 386 on page 531 for a screen example.
  • Page 531: The Ssl Vpn User Screens

    Chapter 27 SSL User Screens 27.3 The SSL VPN User Screens This section describes the main elements in the remote user screens. Figure 386 Remote User Screen The following table describes the various parts of a remote user screen. Table 139 Remote User Screen Overview DESCRIPTION Click on a menu tab to go to the Application or File Sharing screen.
  • Page 532: Bookmarking The Zywall

    Chapter 27 SSL User Screens 27.4 Bookmarking the ZyWALL You can create a bookmark of the ZyWALL by clicking the Add to Favorite icon. This allows you to access the ZyWALL using the bookmark without having to enter the address every time. In any remote user screen, click the Add to Favorite icon.
  • Page 533 Chapter 27 SSL User Screens An information screen displays to indicate that the SSL VPN connection is about to terminate. Figure 389 Logout: Connection Termination Progress
  • Page 535: Ssl User Application Screens

    CHAPTER 28 SSL User Application Screens 28.1 SSL User Application Screens Overview Use the Application screen to access web-based applications (such as web sites and e-mail) on the network through the SSL VPN connection. Which applications you can access depends on the ZyWALL’s configuration.
  • Page 537: Ssl User File Sharing

    CHAPTER 29 SSL User File Sharing 29.1 Overview The File Sharing screen lets you access files on a file server through the SSL VPN connection. 29.1.1 What You Need to Know Use the File Sharing screen to display and access shared files/folders on a file server.
  • Page 538: The Main File Sharing Screen

    Chapter 29 SSL User File Sharing 29.2 The Main File Sharing Screen The first File Sharing screen displays the name(s) of the shared folder(s) available. The following figure shows an example with one file share. Figure 391 File Sharing 29.3 Opening a File or Folder You can open a file if the file extension is recognized by the web browser and the associated application is installed on your computer.
  • Page 539 Chapter 29 SSL User File Sharing If an access user name and password are required, a screen displays as shown in the following figure. Enter the account information and click Login to continue. Figure 392 File Sharing: Enter Access User Name and Password
  • Page 540: Downloading A File

    Chapter 29 SSL User File Sharing A list of files/folders displays. Click on a file to open it in a separate browser window. You can also click a folder to access it. For this example, click on a .doc file to open the Word document. Figure 393 File Sharing: Open a Word File 29.3.1 Downloading a File You are prompted to download a file which cannot be opened using a web browser.
  • Page 541: Saving A File

    Chapter 29 SSL User File Sharing 29.3.2 Saving a File After you have opened a file in a web browser, you can save a copy of the file by clicking File > Save As and following the on-screen instructions. Figure 394 File Sharing: Save a Word File 29.4 Creating a New Folder To create a new folder in the file share location, click the New Folder icon.
  • Page 542: Renaming A File Or Folder

    Chapter 29 SSL User File Sharing 29.5 Renaming a File or Folder To rename a file or folder, click the Rename icon next to the file/folder. Figure 396 File Sharing: Rename A popup window displays. Specify the new name and/or file extension in the field provided.
  • Page 543: Uploading A File

    Chapter 29 SSL User File Sharing 29.7 Uploading a File Follow the steps below to upload a file to the file server. Log into the remote user screen and click the File Sharing tab. Specify the location and/or name of the file you want to upload. Or click Browse to locate it.
  • Page 545: Zywall Secuextender

    CHAPTER 30 ZyWALL SecuExtender The ZyWALL automatically loads the ZyWALL SecuExtender client program to your computer after a successful login. The ZyWALL SecuExtender lets you: • Access servers, remote desktops and manage files as if you were on the local network.
  • Page 546: Statistics

    Chapter 30 ZyWALL SecuExtender 30.2 Statistics Right-click the ZyWALL SecuExtender icon in the system tray and select Status to open the Status screen. Use this screen to view the ZyWALL SecuExtender’s statistics. Figure 400 ZyWALL SecuExtender Status The following table describes the labels in this screen. Table 140 ZyWALL SecuExtender Statistics LABEL DESCRIPTION...
  • Page 547: View Log

    Chapter 30 ZyWALL SecuExtender Table 140 ZyWALL SecuExtender Statistics LABEL DESCRIPTION Transmitted This is how many bytes and packets the computer has sent through the SSL VPN connection. Received This is how many bytes and packets the computer has received through the SSL VPN connection.
  • Page 548: Stop The Connection

    Chapter 30 ZyWALL SecuExtender connected but not send any traffic through it until you right-click the icon and resume the connection. 30.5 Stop the Connection Right-click the icon and select Stop Connection to disconnect the SSL VPN tunnel. 30.6 Uninstalling the ZyWALL SecuExtender Do the following if you need to remove the ZyWALL SecuExtender.
  • Page 549: L2Tp Vpn

    CHAPTER 31 L2TP VPN 31.1 Overview L2TP VPN lets remote users use the L2TP and IPSec client software included with their computers’ operating systems to securely connect to the network behind the ZyWALL. The remote users do not need their own IPSec gateways or VPN client software.
  • Page 550 Chapter 31 L2TP VPN • Use transport mode. • Not be a manual key VPN connection. • Use Pre-Shared Key authentication. • Use a VPN gateway with the Secure Gateway set to 0.0.0.0 if you need to allow L2TP VPN clients to connect from more than one IP address. Using the Default L2TP VPN Connection Default_L2TP_VPN_Connection is pre-configured to be convenient to use for L2TP VPN.
  • Page 551: L2Tp Vpn Screen

    Chapter 31 L2TP VPN Finding Out More • See Section 6.5.17 on page 108 for related information on these screens. • See Chapter 8 on page 185 for an example of how to create a basic L2TP VPN tunnel. 31.2 L2TP VPN Screen Click Configuration >...
  • Page 552 Chapter 31 L2TP VPN Table 141 Configuration > VPN > IPSec VPN > VPN Connection (continued) LABEL DESCRIPTION VPN Connection Select the IPSec VPN connection the ZyWALL uses for L2TP VPN. All of the configured VPN connections display here, but the one you use must meet the requirements listed in IPSec Configuration Required for L2TP VPN on page...
  • Page 553: Application Patrol

    CHAPTER 32 Application Patrol 32.1 Overview Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, HTTP and FTP) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP), and streaming (RTSP) applications.
  • Page 554: What You Need To Know

    Chapter 32 Application Patrol 32.1.2 What You Need to Know If you want to use a service, make sure both the firewall and application patrol allow the service’s packets to go through the ZyWALL. Note: The ZyWALL checks firewall rules before it checks application patrol rules for traffic going through the ZyWALL.
  • Page 555 Chapter 32 Application Patrol numbers for SIP traffic. Likewise, configuring the SIP ALG to use custom port numbers for SIP traffic also configures application patrol to use the same port numbers for SIP traffic. DiffServ and DSCP Marking QoS is used to prioritize source-to-destination traffic flows. All packets in the same flow are given the same priority.
  • Page 556 Chapter 32 Application Patrol • The outbound traffic flows from the connection initiator to the connection responder. • The inbound traffic flows from the connection responder to the connection initiator. For example, a LAN1 to WAN connection is initiated from LAN1 and goes to the WAN.
  • Page 557 Chapter 32 Application Patrol • Inbound traffic is limited to 500 kbps. The connection initiator is on the LAN1, so inbound means the traffic traveling from the WAN to the LAN1. Figure 408 LAN1 to WAN, Outbound 200 kbps, Inbound 500 kbps...
  • Page 558 Chapter 32 Application Patrol outgoing speed of 1000 kbps. You configure policy A for server A’s traffic and policy B for server B’s traffic. Figure 409 Bandwidth Management Behavior Configured Rate Effect In the following table, the configured rates total less than the available bandwidth and maximize bandwidth usage is disabled, so both servers get their configured rate.
  • Page 559: Application Patrol Bandwidth Management Examples

    Chapter 32 Application Patrol So server A gets its configured rate of 300 kbps plus 250 kbps for a total of 550 kbps. Server B gets its configured rate of 200 kbps plus 250 kbps for a total of 450 kbps. Table 144 Maximize Bandwidth Usage Effect POLICY CONFIGURED RATE...
  • Page 560: Sip Any To Wan Bandwidth Management Example

    Chapter 32 Application Patrol • HTTP traffic needs to be given priority over FTP traffic. • FTP traffic from the WAN to the DMZ must be limited so it does not interfere with SIP and HTTP traffic. • FTP traffic from the LAN1 to the DMZ can use more bandwidth since the interfaces support up to 1 Gbps connections, but it must be the lowest priority and limited so it does not interfere with SIP and HTTP traffic.
  • Page 561: Sip Wan To Any Bandwidth Management Example

    Chapter 32 Application Patrol • Enable maximize bandwidth usage so the SIP traffic can borrow unused bandwidth. Figure 411 SIP Any to WAN Bandwidth Management Example Outbound: 200 kbps Inbound: 200 kbps 32.1.3.3 SIP WAN to Any Bandwidth Management Example You also create a policy for calls coming in from the SIP server on the WAN.
  • Page 562: Ftp Wan To Dmz Bandwidth Management Example

    Chapter 32 Application Patrol 32.1.3.5 FTP WAN to DMZ Bandwidth Management Example • ADSL supports more downstream than upstream so you allow remote users 300 kbps for uploads to the DMZ FTP server (outbound) but only 100 kbps for downloads (inbound). •...
  • Page 563: Application Patrol General Screen

    Chapter 32 Application Patrol 32.2 Application Patrol General Screen Use this screen to enable and disable application patrol. It also lists the registration status and details about the signature set the ZyWALL is using. Note: You must register for the IDP/AppPatrol signature service (at least the trial) before you can use it.
  • Page 564: Application Patrol Applications

    Chapter 32 Application Patrol Table 146 Configuration > App Patrol > General (continued) LABEL DESCRIPTION Enable Highest Bandwidth: Select this to maximize the throughput of SIP traffic to improve SIP-based VoIP call sound quality. This has the ZyWALL immediately send SIP traffic upon identifying it.
  • Page 565: The Application Patrol Edit Screen

    Chapter 32 Application Patrol Click Configuration > App Patrol > Common to open the following screen. Figure 416 Configuration > App Patrol > Common The following table describes the labels in this screen. See Section 32.3.1 on page for more information as well. Table 147 Configuration >...
  • Page 566 Chapter 32 Application Patrol Streaming screen and click an application’s Edit icon. The screen displayed here is for the MSN instant messenger service. Figure 417 Application Edit The following table describes the labels in this screen. Table 148 Application Edit LABEL DESCRIPTION Service...
  • Page 567 Chapter 32 Application Patrol Table 148 Application Edit (continued) LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific entry. Note: The ZyWALL checks ports in the order they appear in the list. While this sequence does not affect the functionality, you might improve the performance of the ZyWALL by putting more commonly used ports at the top of the list.
  • Page 568 Chapter 32 Application Patrol Table 148 Application Edit (continued) LABEL DESCRIPTION Access This field displays what the ZyWALL does with packets for this application that match this policy. forward - the ZyWALL routes the packets for this application. Drop - the ZyWALL does not route the packets for this application and does not notify the client of its decision.
  • Page 569: The Application Patrol Policy Edit Screen

    Chapter 32 Application Patrol Table 148 Application Edit (continued) LABEL DESCRIPTION Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. 32.3.2 The Application Patrol Policy Edit Screen The Application Policy Edit screen allows you to edit a group of settings for an application.
  • Page 570 Chapter 32 Application Patrol Table 149 Application Policy Edit (continued) LABEL DESCRIPTION Schedule Select a schedule that defines when the policy applies or select Create Object to configure a new one (see Chapter 43 on page 749 for details). Otherwise, select none to make the policy always effective. User Select a user name or user group to which to apply the policy.
  • Page 571 Chapter 32 Application Patrol Table 149 Application Policy Edit (continued) LABEL DESCRIPTION Action Block For some applications, you can select individual uses of the application that the policy will have the ZyWALL block. These fields only apply when Access is set to forward. Login - Select this option to block users from logging in to a server for this application.
  • Page 572: The Other Applications Screen

    Chapter 32 Application Patrol Table 149 Application Policy Edit (continued) LABEL DESCRIPTION Priority This field displays when the inbound or outbound bandwidth management is not set to 0. Enter a number between 1 and 7 to set the priority for this application’s traffic that matches this policy. The smaller the number, the higher the priority.
  • Page 573 Chapter 32 Application Patrol Click AppPatrol > Other to open the Other (applications) screen. Figure 419 AppPatrol > Other The following table describes the labels in this screen. See Section 32.4.1 on page for more information as well. Table 150 AppPatrol > Other LABEL DESCRIPTION Click this to create a new entry.
  • Page 574 Chapter 32 Application Patrol Table 150 AppPatrol > Other (continued) LABEL DESCRIPTION Destination This is the destination address or address group for whom this policy applies. If any displays, the policy is effective for every destination. Protocol This is the protocol of the traffic to which this policy applies. Access This field displays what the ZyWALL does with packets that match this policy.
  • Page 575: The Other Applications Add/Edit Screen

    Chapter 32 Application Patrol Table 150 AppPatrol > Other (continued) LABEL DESCRIPTION Select whether to have the ZyWALL generate a log (log), log and alert (log alert) or neither (no) when traffic matches this policy. See Chapter 51 on page 865 for more on logs.
  • Page 576 Chapter 32 Application Patrol Table 151 AppPatrol > Other > Edit (continued) LABEL DESCRIPTION Schedule Select a schedule that defines when the policy applies or select Create Object to configure a new one (see Chapter 43 on page 749 for details). Otherwise, select any to make the policy always effective.
  • Page 577 Chapter 32 Application Patrol Table 151 AppPatrol > Other > Edit (continued) LABEL DESCRIPTION Inbound kbps Type how much inbound bandwidth, in kilobits per second, this policy allows the traffic to use. Inbound refers to the traffic the ZyWALL sends to a connection’s initiator.
  • Page 578 Chapter 32 Application Patrol Table 151 AppPatrol > Other > Edit (continued) LABEL DESCRIPTION Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL USG 100/200 Series User’s Guide...
  • Page 579: Anti-Virus

    Chapter 33 Anti-Virus 33.1 Overview Use the ZyWALL’s anti-virus feature to protect your connected network from virus/spyware infection. The ZyWALL checks traffic going in the direction(s) you specify for signature matches. In the following figure the ZyWALL is set to check traffic coming from the WAN zone (which includes two interfaces) to the LAN zone.
  • Page 580: What You Need To Know

    Chapter 33 Anti-Virus 33.1.2 What You Need to Know Anti-Virus Engines Subscribe to signature files for ZyXEL’s anti-virus engine or one powered by Kaspersky. When using the trial, you can switch from one engine to the other in the Registration screen. After the trial expires, you need to purchase an iCard for the anti-virus engine you want to use and register it in the Registration >...
  • Page 581 Chapter 33 Anti-Virus If the packets are not session connection setup packets (such as SYN, ACK and FIN), the ZyWALL records the sequence of the packets. The scanning engine checks the contents of the packets for viruses. If a virus pattern is matched, the ZyWALL removes the infected portion of the file along with the rest of the file.
  • Page 582: Before You Begin

    Chapter 33 Anti-Virus 33.1.3 Before You Begin • Before using anti-virus, see Chapter 11 on page 279 for how to register for the anti-virus service. • You may need to customize the zones (in the Network > Zone) used for the anti-virus scanning direction.
  • Page 583 Chapter 33 Anti-Virus The following table describes the labels in this screen. Table 152 Configuration > Anti-X > Anti-Virus > General LABEL DESCRIPTION Show Advance Settings / Hide Click this button to display a greater or lesser number of configuration fields.
  • Page 584 Chapter 33 Anti-Virus Table 152 Configuration > Anti-X > Anti-Virus > General (continued) LABEL DESCRIPTION Protocol These are the protocols of traffic to scan for viruses. FTP applies to traffic using the TCP port number specified for FTP in the ALG screen.
  • Page 585: Anti-Virus Policy Add Or Edit Screen

    Chapter 33 Anti-Virus 33.2.1 Anti-Virus Policy Add or Edit Screen Click the Add or Edit icon in the Configuration > Anti-X > Anti-Virus > General screen to display the configuration screen as shown next. Figure 423 Configuration > Anti-X > Anti-Virus > General > Add The following table describes the labels in this screen.
  • Page 586 Chapter 33 Anti-Virus Table 153 Configuration > Anti-X > Anti-Virus > General > Add (continued) LABEL DESCRIPTION Actions When Matched Destroy infected file When you select this check box, if a virus pattern is matched, the ZyWALL overwrites the infected portion of the file (and the rest of the file) with zeros.
  • Page 587: Anti-Virus Black List

    Chapter 33 Anti-Virus Table 153 Configuration > Anti-X > Anti-Virus > General > Add (continued) LABEL DESCRIPTION Destroy compressed files that could not be decompressed Select this check box to have the ZyWALL delete any ZIP files that it is not able to unzip. Note: When you select this option, the ZyWALL deletes ZIP files that use password encryption.
  • Page 588: Anti-Virus Black List Or White List Add/Edit

    Chapter 33 Anti-Virus The following table describes the labels in this screen. Table 154 Configuration > Anti-X > Anti-Virus > Black/White List > Black List LABEL DESCRIPTION Enable Black List Select this check box to log and delete files with names that match the black list patterns.
  • Page 589: Anti-Virus White List

    Chapter 33 Anti-Virus The following table describes the labels in this screen. Table 155 Configuration > Anti-X > Anti-Virus > Black/White List > Black List (or White List) > Add LABEL DESCRIPTION Enable If this is a black list entry, select this option to have the ZyWALL apply this entry when using the black list.
  • Page 590: Signature Searching

    Chapter 33 Anti-Virus column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 426 Configuration > Anti-X > Anti-Virus > Black/White List > White List The following table describes the labels in this screen. Table 156 Configuration >...
  • Page 591 Chapter 33 Anti-Virus If Internet Explorer opens a warning screen about a script making Internet Explorer run slowly and the computer possibly becoming unresponsive, just click No to continue. Click a column’s heading cell to sort the table entries by that column’s criteria.
  • Page 592 Chapter 33 Anti-Virus The following table describes the labels in this screen. Table 157 Configuration > Anti-X > Anti-Virus > Signature LABEL DESCRIPTION Signatures Select the criteria on which to perform the search. Search Select By Name from the drop down list box and type the name or part of the name of the signature(s) you want to find.
  • Page 593: Anti-Virus Technical Reference

    Chapter 33 Anti-Virus 33.7 Anti-Virus Technical Reference Types of Computer Viruses The following table describes some of the common computer viruses. Table 158 Common Computer Virus Types TYPE DESCRIPTION File Infector This is a small program that embeds itself in a legitimate program. A file infector is able to copy and attach itself to other programs that are executed on an infected computer.
  • Page 594 Chapter 33 Anti-Virus A host-based anti-virus (HAV) scanner is often software installed on computers and/or servers in the network. It inspects files for virus patterns as they are moved in and out of the hard drive. However, host-based anti-virus scanners cannot eliminate all viruses for a number of reasons: •...
  • Page 595: Idp

    Chapter 34 IDP 34.1 Overview This chapter introduces packet inspection IDP (Intrusion Detection and Prevention), IDP profiles, binding an IDP profile to a traffic flow, custom signatures and updating signatures. An IDP system can detect malicious or suspicious packets and respond instantaneously.
  • Page 596: Before You Begin

    Chapter 34 IDP IDP Profiles An IDP profile is a set of related IDP signatures that you can activate as a set and configure common log and action settings. You can apply IDP profiles to traffic flowing from one zone to another. For example, apply the default LAN_IDP profile to any traffic going to the LAN zone in order to protect your LAN computers.
  • Page 597: The Idp General Screen

    Chapter 34 IDP 34.2 The IDP General Screen Click Configuration > Anti-X > IDP > General to open this screen. Use this screen to turn IDP on or off, bind IDP profiles to traffic directions, and view registration and signature information. Note: You must register in order to use packet inspection signatures.
  • Page 598 Chapter 34 IDP Table 159 Configuration > Anti-X > IDP > General (continued) LABEL DESCRIPTION Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it.
  • Page 599: Introducing Idp Profiles

    Chapter 34 IDP Table 159 Configuration > Anti-X > IDP > General (continued) LABEL DESCRIPTION Apply new Registration This link appears if you have not registered for the service or only have the trial registration. Click this link to go to the screen where you can register for the service.
  • Page 600: Base Profiles

    Chapter 34 IDP 34.3.1 Base Profiles The ZyWALL comes with several base profiles. You use base profiles to create new profiles. In the Configuration > Anti-X > IDP > Profile screen, click Add to display the following screen. Figure 429 Base Profiles The following table describes this screen.
  • Page 601: The Profile Summary Screen

    Chapter 34 IDP Table 160 Base Profiles (continued) BASE PROFILE DESCRIPTION This profile is most suitable for networks containing your servers. Signatures for common services such as DNS, FTP, HTTP, ICMP, IMAP, MISC, NETBIOS, POP3, RPC, RSERVICE, SMTP, SNMP, SQL, TELNET, Oracle, MySQL are enabled.
  • Page 602: Creating New Profiles

    Chapter 34 IDP Table 161 Configuration > Anti-X > IDP > Profile (continued) LABEL DESCRIPTION Name This is the name of the profile you created. Base Profile This is the base profile from which the profile was created. 34.5 Creating New Profiles You may want to create a new profile if not all signatures in a base profile are applicable to your network.
  • Page 603: Profiles: Packet Inspection

    Chapter 34 IDP 34.6 Profiles: Packet Inspection Select Configuration > Anti-X > IDP > Profile and then add a new profile or edit an existing one. Packet inspection signatures examine the contents of a packet for malicious data. They operate at layer-4 to layer-7. 34.6.1 Profile >...
  • Page 604 Chapter 34 IDP The following table describes the fields in this screen. Table 162 Configuration > Anti-X > IDP > Profile > Group View LABEL DESCRIPTION Name This is the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 605 Chapter 34 IDP Table 162 Configuration > Anti-X > IDP > Profile > Group View (continued) LABEL DESCRIPTION Action To edit what action the ZyWALL takes when a packet matches a signature, select the signature and use the Action icon. none: Select this action on an individual signature or a complete service group to have the ZyWALL take no action when a packet matches the signature(s).
  • Page 606: Policy Types

    Chapter 34 IDP Table 162 Configuration > Anti-X > IDP > Profile > Group View (continued) LABEL DESCRIPTION These are the log options. To edit this, select an item and use the Log icon. Action This is the action the ZyWALL should take when a packet matches a signature here.
  • Page 607: Idp Service Groups

    Chapter 34 IDP Table 163 Policy Types (continued) POLICY TYPE DESCRIPTION Scan A scan describes the action of searching a network for an exposed service. An attack may then occur once a vulnerability has been found. Scans occur on several network levels. A network scan occurs at layer-3.
  • Page 608: Profile > Query View Screen

    Chapter 34 IDP Table 164 IDP Service Groups (continued) SNMP SMTP RSERVICES POP3 POP2 ORACLE NNTP NETBIOS MYSQL MISC_EXPLOIT MISC_DDOS MISC_BACKDOOR MISC IMAP ICMP FINGER The following figure shows the WEB_PHP service group that contains signatures related to attacks on web servers using PHP exploits. PHP (PHP: Hypertext Preprocessor) is a server-side HTML embedded scripting language that allows web developers to build dynamic websites.
  • Page 609 Chapter 34 IDP signatures by criteria such as name, ID, severity, attack type, vulnerable attack platforms, service category, log options or actions. Figure 433 Configuration > Anti-X > IDP > Profile: Query View The following table describes the fields specific to this screen’s query view. Table 165 Configuration >...
  • Page 610 Chapter 34 IDP Table 165 Configuration > Anti-X > IDP > Profile: Query View (continued) LABEL DESCRIPTION Severity Search for signatures by severity level(s). Hold down the [Ctrl] key if you want to make multiple selections. These are the severities as defined in the ZyWALL. The number in brackets is the number you use if using commands.
  • Page 611: Query Example

    Chapter 34 IDP 34.6.5 Query Example This example shows a search with these criteria: • Severity: severe and high • Attack Type: DDoS • Platform: Windows 2000 and Windows XP computers • Service: Any
  • Page 612 Chapter 34 IDP • Actions: Any Figure 434 Query Example Search Criteria Figure 435 Query Example Search Results
  • Page 613: Introducing Idp Custom Signatures

    Chapter 34 IDP 34.7 Introducing IDP Custom Signatures Create custom signatures for new attacks or attacks peculiar to your network. Custom signatures can also be saved to/from your computer so as to share with others. You need some knowledge of packet headers and attack types to create your own custom signatures.
  • Page 614: Configuring Custom Signatures

    Chapter 34 IDP Table 166 IP v4 Packet Headers (continued) HEADER DESCRIPTION Time To Live This is a counter that decrements every time it passes through a router. When it reaches zero, the datagram is discarded. It is used to prevent accidental routing loops. Protocol The protocol indicates the type of transport packet being carried, for example, 1 = ICMP;...
  • Page 615 Chapter 34 IDP Note: The ZyWALL checks all signatures and continues searching even after a match is found. If two or more rules have conflicting actions for the same packet, then the ZyWALL applies the more restrictive action (reject-both, reject-receiver or reject-sender, drop, none in this order).
  • Page 616: Creating Or Editing A Custom Signature

    Chapter 34 IDP Table 167 Configuration > Anti-X > IDP > Custom Signatures (continued) LABEL DESCRIPTION Custom Signature Rule Importing Use this part of the screen to import custom signatures (previously saved to your computer) to the ZyWALL. Note: The name of the complete custom signature file on the ZyWALL is ‘custom.rules’.
  • Page 617 Chapter 34 IDP Try to write signatures that target a vulnerability, for example a certain type of traffic on certain operating systems, instead of a specific exploit. Figure 438 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit
  • Page 618 Chapter 34 IDP The following table describes the fields in this screen. Table 168 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit LABEL DESCRIPTION Name Type the name of your custom signature. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 619 Chapter 34 IDP Table 168 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit (continued) LABEL DESCRIPTION Fragmentation A fragmentation flag identifies whether the IP datagram should be fragmented, not fragmented or is a reserved bit. Some intrusions can be identified by this flag.
  • Page 620 Chapter 34 IDP Table 168 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit (continued) LABEL DESCRIPTION Flow If selected, the signature only applies to certain directions of the traffic flow and only to clients or servers. Select Flow and then select the identifying options.
  • Page 621 Chapter 34 IDP Table 168 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit (continued) LABEL DESCRIPTION Payload Size This field may be used to check for abnormally sized packets or for detecting buffer overflows. Select the check box, then select Equal, Smaller or Greater and then type the payload size.
  • Page 622: Custom Signature Example

    Chapter 34 IDP Table 168 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit (continued) LABEL DESCRIPTION Click this button to save your changes to the ZyWALL and return to the summary screen. Cancel Click this button to return to the summary screen without saving any changes.
  • Page 623 Chapter 34 IDP 34.8.2.2 Analyze Packets Use the packet capture screen (see Section 53.3 on page 892) and a packet analyzer (also known as a network or protocol analyzer) such as Wireshark or Ethereal to investigate some more. Figure 439 DNS Query Packet Details From the details about DNS query you see that the protocol is UDP and the port is 53.
  • Page 624: Applying Custom Signatures

    Chapter 34 IDP The final custom signature should look as shown in the following figure. Figure 440 Example Custom Signature 34.8.3 Applying Custom Signatures After you create your custom signature, it becomes available in the IDP service group category in the Configuration > Anti-X > IDP > Profile > Edit screen. Custom signatures have an SID from 9000000 to 9999999.
  • Page 625: Verifying Custom Signatures

    Chapter 34 IDP You can activate the signature, configure what action to take when a packet matches it and if it should generate a log or alert in a profile. Then bind the profile to a zone. Figure 441 Example: Custom Signature in IDP Profile 34.8.4 Verifying Custom Signatures Configure the signature to create a log when traffic matches the signature.
  • Page 626: Idp Technical Reference

    Chapter 34 IDP destination port is the service port (53 for DNS in this case) that the attack tries to exploit. Figure 442 Custom Signature Log 34.9 IDP Technical Reference This section contains some background information on IDP. Host Intrusions The goal of host-based intrusions is to infiltrate files on an individual computer or server with the goal of accessing confidential information or destroying information on a computer.
  • Page 627 Chapter 34 IDP Network Intrusions Network-based intrusions have the goal of bringing down a network or networks by attacking computer(s), switch(es), router(s) or modem(s). If a LAN switch is compromised for example, then the whole LAN is compromised. Host-based intrusions may be used to cause network-based intrusions when the goal of the host virus is to propagate attacks on the network, or attack computer/server operating system vulnerabilities with the goal of bringing down the computer/server.
  • Page 628 Chapter 34 IDP Table 169 ZyWALL - Snort Equivalent Terms (continued) ZYWALL TERM SNORT EQUIVALENT TERM Same IP sameip Transport Protocol Transport Protocol: TCP Port (In Snort rule header) Flow flow Flags flags Sequence Number Ack Number Window Size window Transport Protocol: UDP (In Snort rule header) Port...
  • Page 629: Adp

    Chapter 35 ADP 35.1 Overview This chapter introduces ADP (Anomaly Detection and Prevention), anomaly profiles and applying an ADP profile to a traffic direction. ADP protects against anomalies based on violations of protocol standards (RFCs – Requests for Comments) and abnormal flows such as port scans.
  • Page 630: Before You Begin

    Chapter 35 ADP Protocol Anomalies Protocol anomalies are packets that do not comply with the relevant RFC (Request For Comments). Protocol anomaly detection includes HTTP Inspection, TCP Decoder, UDP Decoder and ICMP Decoder. Protocol anomaly rules may be updated when you upload new firmware. ADP Profile An ADP profile is a set of traffic anomaly rules and protocol anomaly rules that you can activate as a set and configure common log and action settings.
  • Page 631: The Adp General Screen

    Chapter 35 ADP 35.2 The ADP General Screen Click Configuration > Anti-X > ADP > General. Use this screen to turn anomaly detection on or off and apply anomaly profiles to traffic directions. Figure 443 Configuration > Anti-X > ADP > General The following table describes the labels in this screen.
  • Page 632: The Profile Summary Screen

    Chapter 35 ADP Table 170 Configuration > Anti-X > ADP > General (continued) LABEL DESCRIPTION Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. From, To This is the direction of travel of packets to which an anomaly profile is bound.
  • Page 633: Base Profiles

    Chapter 35 ADP 35.3.1 Base Profiles The ZyWALL comes with base profiles. You use base profiles to create new profiles. In the Configuration > Anti-X > ADP > Profile screen, click Add to display the following screen. Figure 444 Base Profiles These are the default base profiles at the time of writing.
  • Page 634: Creating New Adp Profiles

    Chapter 35 ADP The following table describes the fields in this screen. Table 172 Anti-X > ADP > Profile LABEL DESCRIPTION Click this to create a new entry. Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it.
  • Page 635 Chapter 35 ADP belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Traffic Anomaly tab. Figure 446 Profiles: Traffic Anomaly
  • Page 636 Chapter 35 ADP The following table describes the fields in this screen. Table 173 Configuration > ADP > Profile > Traffic Anomaly LABEL DESCRIPTION Name This is the name of the ADP profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 637: Protocol Anomaly Profiles

    Chapter 35 ADP Table 173 Configuration > ADP > Profile > Traffic Anomaly (continued) LABEL DESCRIPTION Name This is the name of the traffic anomaly rule. Click the Name column heading to sort in ascending or descending order according to the rule name.
  • Page 638 Chapter 35 ADP Figure 447 Profiles: Protocol Anomaly
  • Page 639 Chapter 35 ADP The following table describes the fields in this screen. Table 174 Configuration > ADP > Profile > Protocol Anomaly LABEL DESCRIPTION Name This is the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 640 Chapter 35 ADP Table 174 Configuration > ADP > Profile > Protocol Anomaly (continued) LABEL DESCRIPTION Action To edit what action the ZyWALL takes when a packet matches a signature, select the signature and use the Action icon. original setting: Select this action to return each signature in a service group to its previously saved configuration.
  • Page 641: Adp Technical Reference

    Chapter 35 ADP Table 174 Configuration > ADP > Profile > Protocol Anomaly (continued) LABEL DESCRIPTION Click OK to save your settings to the ZyWALL, complete the profile and return to the profile summary page. Cancel Click Cancel to return to the profile summary page without saving any changes.
  • Page 642 Chapter 35 ADP Decoy Port Scans Decoy port scans are scans where the attacker has spoofed the source address. These are some decoy scan types: • TCP Decoy Portscan • UDP Decoy Portscan • IP Decoy Portscan Distributed Port Scans Distributed port scans are many-to-one port scans.
  • Page 643 Chapter 35 ADP • ICMP Filtered Portsweep • TCP Filtered Distributed Portscan • UDP Filtered Distributed Portscan • IP Filtered Distributed Portscan Flood Detection Flood attacks saturate a network with useless data, use up all available bandwidth, and therefore make communications in the network impossible. ICMP Flood Attack An ICMP flood is broadcasting so many pings or UDP packets that the volume of data sent to the system slows it down or locks it up.
  • Page 644 Chapter 35 ADP the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established. Figure 449 TCP Three-Way Handshake A SYN flood attack is when an attacker sends a series of SYN packets. Each packet causes the receiver to reply with a SYN-ACK response. The receiver then waits for the ACK that follows the SYN-ACK, and stores all outstanding SYN-ACK responses on a backlog queue.
  • Page 645 Chapter 35 ADP UDP Flood Attack UDP is a connection-less protocol and it does not require any connection setup procedure to transfer data. A UDP flood attack is possible when an attacker sends a UDP packet to a random port on the victim system. When the victim system receives a UDP packet, it will determine what application is waiting on the destination port.
  • Page 646 Chapter 35 ADP Table 175 HTTP Inspection and TCP/UDP/ICMP Decoders (continued) LABEL DESCRIPTION DOUBLE-ENCODING ATTACK This rule is IIS specific. IIS does two passes through the request URI, doing decodes in each one. In the first pass, IIS encoding (UTF-8 unicode, ASCII, bare byte, and %u) is done.
  • Page 647 Chapter 35 ADP Table 175 HTTP Inspection and TCP/UDP/ICMP Decoders (continued) LABEL DESCRIPTION WEBROOT-DIRECTORY-TRAVERSAL ATTACK This is when a directory traversal traverses past the web server root directory. This generates much fewer false positives than the directory option, because it doesn’t alert on directory traversals that stay within the web server directory structure.
  • Page 648 Chapter 35 ADP Table 175 HTTP Inspection and TCP/UDP/ICMP Decoders (continued) LABEL DESCRIPTION TRUNCATED-HEADER ATTACK This is when an ICMP packet is sent which has an ICMP datagram length of less than the ICMP header length. This may cause some applications to crash. TRUNCATED-TIMESTAMP-HEADER This is when an ICMP packet is sent which has an ICMP...
  • Page 649: Content Filtering

    Chapter 36 Content Filtering 36.1 Overview Use the content filtering feature to control access to specific web sites or web content. 36.1.1 What You Can Do in this Chapter • Use the General screens (Section 36.2 on page 651) to configure global content filtering settings, configure content filtering policies, and check the content filtering license status.
  • Page 650 Chapter 36 Content Filtering Content Filtering Profiles A content filtering profile conveniently stores your custom settings for the following features. • Category-based Blocking The ZyWALL can block access to particular categories of web site content, such as pornography or racial intolerance. •...
  • Page 651: Before You Begin

    Chapter 36 Content Filtering Since the ZyWALL checks the URL’s domain name (or IP address) and file path separately, it will not find items that go across the two. For example, with the URL www.zyxel.com.tw/news/pressroom.php, the ZyWALL would find “tw” in the domain name (www.zyxel.com.tw).
  • Page 652: Content Filtering

    Chapter 36 Content Filtering your list of content filter policies, create a denial of access message or specify a redirect URL and check your external web filtering service registration status. Figure 451 Configuration > Anti-X > Content Filter > General The following table describes the labels in this screen.
  • Page 653: Content Filtering

    Chapter 36 Content Filtering Table 176 Configuration > Anti-X > Content Filter > General (continued) LABEL DESCRIPTION Move To change an entry’s position in the numbered list, select it and click Move to display a field to type a number for where you want to put that entry and press [ENTER] to move the entry to the number that you typed.
  • Page 654: Content Filter Policy Add Or Edit Screen

    Chapter 36 Content Filtering Table 176 Configuration > Anti-X > Content Filter > General (continued) LABEL DESCRIPTION License Status This read-only field displays the status of your content-filtering database service registration. Not Licensed displays if you have not successfully registered and activated the service.
  • Page 655 Chapter 36 Content Filtering filter policy. A content filter policy defines which content filter profile should be applied, when it should be applied, and to whose web access it should be applied. Figure 452 Configuration > Anti-X > Content Filter > General > Add The following table describes the labels in this screen.
  • Page 656: Content Filter Profile Screen

    Chapter 36 Content Filtering 36.4 Content Filter Profile Screen Click Configuration > Anti-X > Content Filter > Filter Profile to open the Filter Profile screen. A content filter profile defines to which web services, web sites or web site categories access is to be allowed or denied. Figure 453 Configuration >...
  • Page 657 Chapter 36 Content Filtering Chapter 37 on page 673 for how to view content filtering reports. Figure 454 Configuration > Anti-X > Content Filter > Filter Profile > Add
  • Page 658 Chapter 36 Content Filtering The following table describes the labels in this screen. Table 179 Configuration > Anti-X > Content Filter > Filter Profile > Add LABEL DESCRIPTION License Status This read-only field displays the status of your content-filtering database service registration. Not Licensed displays if you have not successfully registered and activated the service.
  • Page 659 Chapter 36 Content Filtering Table 179 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Action for Unsafe Web Select Pass to allow users to access web pages that match the Pages unsafe categories that you select below. Select Block to prevent users from accessing web pages that match the unsafe categories that you select below.
  • Page 660 Chapter 36 Content Filtering Table 179 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Action When Category Select Pass to allow users to access any requested web page if Server Is Unavailable the external content filtering database is unavailable. Select Block to block access to any requested web page if the external content filtering database is unavailable.
  • Page 661 Chapter 36 Content Filtering Table 179 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Spyware/Malware This category includes pages which distribute spyware and other Sources malware. Spyware and malware are defined as software which takes control of your computer, modifies computer settings, collects or reports personal information, or misrepresents itself by tricking users to install, download, or enter personal...
  • Page 662 Chapter 36 Content Filtering Table 179 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Nudity This category includes pages containing nude or seminude depictions of the human body. These depictions are not necessarily sexual in intent or effect, but may include pages containing nude paintings or photo galleries of artistic nature.
  • Page 663 Chapter 36 Content Filtering Table 179 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Arts/Entertainment This category includes pages that promote and provide information about motion pictures, videos, television, music and programming guides, books, comics, movie theatres, galleries, artists or reviews on entertainment.
  • Page 664 Chapter 36 Content Filtering Table 179 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Government/Legal This category includes pages sponsored by or which provide information on government, government agencies and government services such as taxation and emergency services. It also includes pages that discuss or explain laws of various governmental entities.
  • Page 665 Chapter 36 Content Filtering Table 179 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Religion This category includes pages that promote and provide information on conventional or unconventional religious or quasi-religious subjects, as well as churches, synagogues, or other houses of worship.
  • Page 666 Chapter 36 Content Filtering Table 179 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Sports/Recreation/ This category includes pages that promote or provide Hobbies information about spectator sports, recreational activities, or hobbies. This includes pages that discuss or promote camping, gardening, and collecting.
  • Page 667 Chapter 36 Content Filtering Table 179 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Alcohol Sites that promote, offer for sale, glorify, review, or in any way advocate the use or creation of alcoholic beverages, including but not limited to beer, wine, and hard liquors.
  • Page 668: Content Filter Blocked And Warning Messages

    Table 179 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued). Placeholders: This category includes pages that are under construction, parked domains, search-bait or otherwise generally having no useful value. Test Web Site Category. URL to test: You can check which category a web page belongs to.
  • Page 669: Content Filter Customization Screen

    36.6 Content Filter Customization Screen. Click Configuration > Anti-X > Content Filter > Filter Profile > Add or Edit > Customization to open the Customization screen. You can create a list of good (allowed) web site addresses and a list of bad (blocked) web site addresses. You can also block web sites based on whether the web site’s address contains a keyword.
  • Page 670 Table 180 Configuration > Anti-X > Content Filter > Filter Profile > Customization. Allow Web traffic for trusted web sites only: When this box is selected, the ZyWALL blocks Web access to sites that are not on the Trusted Web Sites list. If they are chosen carefully, this is the most effective way to block objectionable material.
  • Page 671: Content Filter Technical Reference

    Table 180 Configuration > Anti-X > Content Filter > Filter Profile > Customization. Forbidden Web Sites: This list displays the forbidden web sites already added. Enter host names such as www.bad-site.com into this text field.
  • Page 672 External Content Filter Server Lookup Procedure. The content filter lookup process is described below. Figure 457 Content Filter Lookup Procedure. A computer behind the ZyWALL tries to access a web site. The ZyWALL looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site’s category will be in the ZyWALL’s cache.
  • Page 673: Content Filter Reports

    Chapter 37 Content Filter Reports. 37.1 Overview. You can view content filtering reports after you have activated the category-based content filtering subscription service. See Chapter 11 on page 279 on how to create a myZyXEL.com account, register your device and activate the subscription services.
  • Page 674 Fill in your myZyXEL.com account information and click Login. Figure 458 myZyXEL.com: Login.
  • Page 675 A welcome screen displays. Click your ZyWALL’s model name and/or MAC address under Registered ZyXEL Products (the ZyWALL 70 is shown as an example here). You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 460 on page 676).
  • Page 676 In the Service Management screen click Content Filter in the Service Name column to open the content filter reports screens. Figure 460 myZyXEL.com: Service Management. In the Web Filter Home screen, click the Reports tab. Figure 461 Content Filter Reports Main Screen.
  • Page 677 Select items under Global Reports to view the corresponding reports. Figure 462 Content Filter Reports: Report Home. Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report. The screens vary according to the report type you selected in the Report Home screen.
  • Page 678 A chart and/or list of requested web site categories displays in the lower half of the screen. Figure 463 Global Report Screen Example.
  • Page 679 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested. Figure 464 Requested URLs Example.
  • Page 681: Anti-Spam

    Chapter 38 Anti-Spam. 38.1 Overview. The anti-spam feature can mark or discard spam (unsolicited commercial or junk e-mail). Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail. The ZyWALL can also check e-mail against a DNS black list (DNSBL) of IP addresses of servers that are suspected of being used by spammers.
  • Page 682 Black List. Configure black list entries to identify spam. The black list entries have the ZyWALL classify any e-mail that is from or forwarded by a specified IP address or uses a specified header field and header value as being spam. If an e-mail does not match any of the white list entries, the ZyWALL checks it against the black list entries.
  • Page 683: Before You Begin

    E-mail Header Buffer Size. The ZyWALL has a 5 K buffer for an individual e-mail header. If an e-mail’s header is longer than 5 K, the ZyWALL only checks up to the first 5 K. DNSBL. A DNS Black List (DNSBL) is a server that hosts a list of IP addresses known or suspected of having sent or forwarded spam.
  • Page 684 spam policies. You can also select the action the ZyWALL takes when the mail sessions threshold is reached. Figure 465 Configuration > Anti-X > Anti-Spam > General. The following table describes the labels in this screen. Table 181 Configuration > Anti-X > Anti-Spam > General. Show Advance...
  • Page 685: The Anti-Spam Policy Add Or Edit Screen

    Table 181 Configuration > Anti-X > Anti-Spam > General. Remove: Select an entry and click this to delete it. Activate: To turn on an entry, select it and click Activate. Inactivate: To turn off an entry, select it and click Inactivate. Move: To change an entry’s position in the numbered list, select it and click Move to display a field to type a number for where you want to put that...
  • Page 686 check, which e-mail protocols to scan, the scanning options, and the action to take on spam traffic. Figure 466 Configuration > Anti-X > Anti-Spam > General > Add. The following table describes the labels in this screen. Table 182 Configuration >...
  • Page 687: The Anti-Spam Black List Screen

    Table 182 Configuration > Anti-X > Anti-Virus > General > Add (continued). Check White List: Select this check box to check e-mail against the white list. The ZyWALL classifies e-mail that matches a white list entry as legitimate (not spam).
  • Page 688: Edit

    specific subject text. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 467 Configuration > Anti-X > Anti-Spam > Black/White List > Black List. The following table describes the labels in this screen.
  • Page 689: The Anti-Spam Black Or White List Add/Edit Screen

    38.4.1 The Anti-Spam Black or White List Add/Edit Screen. In the anti-spam Black List or White List screen, click the Add icon or an Edit icon to display the following screen. Use this screen to configure an anti-spam black list entry to identify spam e-mail. You can create entries based on specific subject text, or the sender’s or relay’s IP address or e-mail address.
  • Page 690: Regular Expressions In Black Or White List Entries

    Table 184 Configuration > Anti-X > Anti-Spam > Black/White List > Black List (or White List) > Add. Sender or Mail Relay IP: This field displays when you select the IP type. Enter an IP address in dotted decimal notation.
  • Page 691: The Anti-Spam White List Screen

    38.5 The Anti-Spam White List Screen. Click Configuration > Anti-X > Anti-Spam > Black/White List and then the White List tab to display the Anti-Spam White List screen. Configure the white list to identify legitimate e-mail. You can create white list entries based on the sender’s or relay’s IP address or e-mail address.
  • Page 692: The Dnsbl Screen

    Table 185 Configuration > Anti-X > Anti-Spam > Black/White List > White List. Type: This field displays whether the entry is based on the e-mail’s subject, source or relay IP address, source e-mail address, or a header. Content: This field displays the subject content, source or relay IP address, source e-mail address, or header value for which the entry checks.
  • Page 693 The following table describes the labels in this screen. Table 186 Configuration > Anti-X > Anti-Spam > DNSBL. Show Advance Settings / Hide: Click this button to display a greater or lesser number of configuration fields.
  • Page 694: Anti-Spam Technical Reference

    Table 186 Configuration > Anti-X > Anti-Spam > DNSBL (continued). Edit: Select an entry and click this to be able to modify it. Remove: Select an entry and click this to delete it. Activate: To turn on an entry, select it and click Activate. Inactivate: To turn off an entry, select it and click Inactivate.
  • Page 695 Here is an example of an e-mail classified as spam based on DNSBL replies. Figure 471 DNSBL Spam Detection Example (figure labels: DNSBL A, IPs: a.a.a.a b.b.b.b; queries a.a.a.a? and b.b.b.b?; DNSBL B; DNSBL C). The ZyWALL receives an e-mail that was sent from IP address a.a.a.a and relayed by an e-mail server at IP address b.b.b.b.
  • Page 696 Here is an example of an e-mail classified as legitimate based on DNSBL replies. Figure 472 DNSBL Legitimate E-mail Detection Example (figure labels: DNSBL A, IPs: c.c.c.c d.d.d.d; queries c.c.c.c? and d.d.d.d?; d.d.d.d Not spam; DNSBL B; DNSBL C). The ZyWALL receives an e-mail that was sent from IP address c.c.c.c and relayed by an e-mail server at IP address d.d.d.d.
  • Page 697 If the ZyWALL receives conflicting DNSBL replies for an e-mail routing IP address, the ZyWALL classifies the e-mail as spam. Here is an example. Figure 473 Conflicting DNSBL Replies Example (figure labels: DNSBL A, IPs: a.b.c.d w.x.y.z; queries a.b.c.d? and w.x.y.z?; a.b.c.d Spam!; DNSBL B; DNSBL C)...
  • Page 699: Device Ha

    Chapter 39 Device HA. 39.1 Overview. Device HA lets a backup ZyWALL (B) automatically take over if the master ZyWALL (A) fails. Figure 474 Device HA Backup Taking Over for the Master. 39.1.1 What You Can Do in this Chapter •...
  • Page 700: Before You Begin

    • Legacy mode allows for more complex relationships between the master and backup ZyWALLs, such as active-active or using different ZyWALLs as the master ZyWALL for individual interfaces. Legacy mode configuration involves a greater degree of complexity. Active-passive mode is recommended for general failover deployments.
  • Page 701: Device Ha General

    39.2 Device HA General. The Configuration > Device HA General screen lets you enable or disable device HA, and displays which device HA mode the ZyWALL is set to use along with a summary of the monitored interfaces. Figure 475 Configuration >...
  • Page 702: The Active-Passive Mode Screen

    Table 187 Configuration > Device HA > General (continued). HA Status: The text before the slash shows whether the device is configured in the master or the backup role. The text after the slash displays the monitored interface’s status in the virtual router.
  • Page 703 B form a virtual router that uses cluster ID 1. ZyWALLs C and D form a virtual router that uses cluster ID 2. Figure 477 Cluster IDs for Multiple Virtual Routers. Monitored Interfaces in Active-Passive Mode Device HA. You can select which interfaces device HA monitors.
  • Page 704: Configuring Active-Passive Mode Device Ha

    192.168.1.5 and ZyWALL B has its own LAN management IP address of 192.168.1.6. These do not change when ZyWALL B becomes the master. Figure 478 Management IP Addresses (figure labels: 192.168.1.1, 192.168.1.5, 192.168.1.1, 192.168.1.6). 39.3.1 Configuring Active-Passive Mode Device HA. The Device HA Active-Passive Mode screen lets you configure general active-passive mode device HA settings, view and manage the list of monitored interfaces, and synchronize backup ZyWALLs.
  • Page 705 The following table describes the labels in this screen. See Section 39.4 on page for more information as well. Table 188 Configuration > Device HA > Active-Passive Mode. Show Advance Settings / Hide: Click this button to display a greater or lesser number of configuration fields.
  • Page 706 Table 188 Configuration > Device HA > Active-Passive Mode (continued). Monitored Interface Summary: This table shows the status of the device HA settings and status of the ZyWALL’s interfaces. Edit: Select an entry and click this to be able to modify it. Activate: To turn on an entry, select it and click Activate.
  • Page 707: Configuring An Active-Passive Mode Monitored Interface

    Table 188 Configuration > Device HA > Active-Passive Mode (continued). Password: Enter the password used for verification during synchronization. Every ZyWALL in the virtual router must use the same password. If you leave this field blank in the master ZyWALL, no backup ZyWALLs can synchronize from it.
  • Page 708 A bridge interface’s device HA settings are not retained if you delete the bridge interface. Figure 480 Configuration > Device HA > Active-Passive Mode > Edit. The following table describes the labels in this screen. Table 189 Configuration > Device HA > Active-Passive Mode > Edit. Enable...
  • Page 709: The Legacy Mode Screen

    39.5 The Legacy Mode Screen. Virtual Router Redundancy Protocol (VRRP). Legacy mode device HA uses Virtual Router Redundancy Protocol (VRRP) to create redundant backup gateways to ensure that a default gateway is always available. The ZyWALL uses a custom VRRP implementation and is not compatible with standard VRRP.
  • Page 710: Configuring The Legacy Mode Screen

    39.6 Configuring the Legacy Mode Screen. The Device HA Legacy Mode screen lets you configure general legacy mode HA settings including link monitoring, configure the VRRP group and synchronize backup ZyWALLs. To access this screen, click Configuration > Device HA > Legacy Mode.
  • Page 711 Table 190 Configuration > Device HA > Legacy Mode (continued). Remove: Select an entry and click this to delete it. Activate: To turn on an entry, select it and click Activate. Activating a VRRP group has the ZyWALL monitor the connection of the group’s interface.
  • Page 712 Table 190 Configuration > Device HA > Legacy Mode (continued). Auto Synchronize: Select this to get configuration and subscription service updates automatically from the specified ZyWALL according to the specified Interval. The first synchronization begins after the specified Interval; the ZyWALL does not synchronize immediately.
  • Page 713 The following table describes the labels in this screen. Table 191 Configuration > Device HA > Legacy Mode > Add. Show Advance Settings / Hide: Click this button to display a greater or lesser number of configuration fields.
  • Page 714: Device Ha Technical Reference

    Table 191 Configuration > Device HA > Legacy Mode > Add (continued). VRID: Type the virtual router ID number. Virtual Router IP (VRIP) / Subnet Mask: This is the interface’s IP address and subnet mask in the virtual router. Authentication...
  • Page 715 Make sure the bridge interfaces of the master ZyWALL (A) and the backup ZyWALL (B) are not connected. Configure the bridge interface on the master ZyWALL, set the bridge interface as a monitored interface, and activate device HA. (Figure label: Br0 {ge4, ge5}.) Configure the bridge interface on the backup ZyWALL, set the bridge interface as a monitored interface, and activate device HA.
  • Page 716 Connect the ZyWALLs. (Figure labels: Br0 {ge4, ge5}, Br0 {ge4, ge5}.) Second Option for Connecting the Bridge Interfaces on Two ZyWALLs. Another option is to disable the bridge interfaces, connect the bridge interfaces, activate device HA, and finally reactivate the bridge interfaces as shown in the following example.
  • Page 717 Configure a corresponding disabled bridge interface on the backup ZyWALL. Then set the bridge interface as a monitored interface, and activate device HA. (Figure labels: Br0 {ge4, ge5} Disabled, Br0 {ge4, ge5} Disabled.) Enable the bridge interface on the master ZyWALL and then on the backup ZyWALL.
  • Page 718 Legacy Mode ZyWALL VRRP Application. In VRRP, a virtual router represents a number of ZyWALLs associated with one IP address, the IP address of the default gateway. Each virtual router is identified by a unique 8-bit identification number called a Virtual Router ID (VR ID). In the example below, ZyWALL A and ZyWALL B are part of virtual router 10 with IP address 192.168.10.254.
  • Page 719 If ZyWALL A becomes available again, ZyWALL A preempts ZyWALL B and becomes the master again (the network returns to the state shown in Figure 483 on page 718). Synchronization. During synchronization, the master ZyWALL sends the following information to the backup ZyWALL.
  • Page 721: User/Group

    Chapter 40 User/Group. 40.1 Overview. This chapter describes how to set up user accounts, user groups, and user settings for the ZyWALL. You can also set up rules that control when users have to log in to the ZyWALL before the ZyWALL routes traffic for them.
  • Page 722 Table 192 Types of User Accounts (continued). limited-admin: Abilities: look at ZyWALL configuration (web, CLI); perform basic diagnostics (CLI). Login method(s): WWW, TELNET, SSH, Console, Dial-in. Access Users. user: Abilities: access network services; browse user-mode commands (CLI). Login method(s): WWW, TELNET, SSH. guest: Abilities: access network services. ext-user...
  • Page 723 See Setting up User Attributes in an External Server on page 735 for a list of attributes and how to set up the attributes in an external server. Ext-Group-User Accounts. Ext-Group-User accounts are similar to ext-user accounts but allow you to group users by the value of the group membership attribute configured for the AD or LDAP server.
  • Page 724: User Summary Screen

    40.2 User Summary Screen. The User screen provides a summary of all user accounts. To access this screen, log in to the Web Configurator, and click Configuration > Object > User/Group. Figure 485 Configuration > Object > User/Group. The following table describes the labels in this screen.
  • Page 725 • - [dashes] The first character must be alphabetical (A-Z a-z), an underscore (_), or a dash (-). Other limitations on user names are: • User names are case-sensitive. If you enter a user 'bob' but use 'BOB' when connecting via CIFS or FTP, it will use the account settings used for 'BOB' not ‘bob’.
  • Page 726 The following table describes the labels in this screen. Table 194 Configuration > User/Group > User > Add. User Name: Type the user name for this user account. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 727: User Group Summary Screen

    Table 194 Configuration > User/Group > User > Add (continued). Reauthentication Time: This field is not available if you select the ext-group-user type. Type the number of minutes this user can be logged into the ZyWALL in one session before the user has to log in again.
  • Page 728: Group Add/Edit Screen

    Table 195 Configuration > Object > User/Group > Group (continued). This field is a sequential value, and it is not associated with a specific user group. Group Name: This field displays the name of each user group. Description: This field displays the description for each user group.
  • Page 729: Setting Screen

    Table 196 Configuration > User/Group > Group > Add (continued). Member List: The Member list displays the names of the users and user groups that have been added to the user group. The order of members is not important.
  • Page 730 To access this screen, log in to the Web Configurator, and click Configuration > Object > User/Group > Setting. Figure 489 Configuration > Object > User/Group > Setting. The following table describes the labels in this screen. Table 197 Configuration > Object > User/Group > Setting. User Authentication...
  • Page 731 Table 197 Configuration > Object > User/Group > Setting (continued). User Type: These are the kinds of user account the ZyWALL supports. • admin - this user can look at and change the configuration of the ZyWALL •...
  • Page 732: Default User Authentication Timeout Settings Edit Screens

    Table 197 Configuration > Object > User/Group > Setting (continued). Limit the number of simultaneous logons for administration account: Select this check box if you want to set a limit on the number of simultaneous logins by admin users. If you do not select this, admin users can log in as many times as they want at the...
  • Page 733 To access this screen, go to the Configuration > Object > User/Group > Setting screen (see Section 40.4 on page 729), and click one of the Default Authentication Timeout Settings section’s Edit icons. Figure 490 Configuration > Object > User/Group > Setting > Edit. The following table describes the labels in this screen.
  • Page 734: User Aware Login Example

    40.4.2 User Aware Login Example. Access users cannot use the Web Configurator to browse the configuration of the ZyWALL. Instead, after access users log into the ZyWALL, the following screen appears. Figure 491 Web Configurator for Non-Admin Users. The following table describes the labels in this screen.
  • Page 735: User /Group Technical Reference

    40.5 User/Group Technical Reference. This section provides some information on users who use an external authentication server in order to log in. Setting up User Attributes in an External Server. To set up user attributes, such as reauthentication time, in LDAP or RADIUS servers, use the following keywords in the user configuration file.
  • Page 737: Addresses

    Chapter 41 Addresses. 41.1 Overview. Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups. 41.1.1 What You Can Do in this Chapter •...
  • Page 738 • RANGE - a range address is defined by a Starting IP Address and an Ending IP Address. • SUBNET - a network address is defined by a Network IP address and Netmask subnet mask. The Address screen provides a summary of all addresses in the ZyWALL. To access this screen, click Configuration >...
  • Page 739: Address Add/Edit Screen

    41.2.1 Address Add/Edit Screen. The Configuration > Address Add/Edit screen allows you to create a new address or edit an existing one. To access this screen, go to the Address screen (see Section 41.2 on page 737), and click either the Add icon or an Edit icon. Figure 495 Configuration >...
  • Page 740: Address Group Summary Screen

    Table 202 Configuration > Object > Address > Address > Edit (continued). Interface: If you selected INTERFACE IP, INTERFACE SUBNET, or INTERFACE GATEWAY as the Address Type, use this field to select the interface of the network that this address object represents.
  • Page 741: Address Group Add/Edit Screen

    41.3.1 Address Group Add/Edit Screen. The Address Group Add/Edit screen allows you to create a new address group or edit an existing one. To access this screen, go to the Address Group screen (see Section 41.3 on page 740), and click either the Add icon or an Edit icon.
  • Page 743: Services

    Chapter 42 Services. 42.1 Overview. Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features. 42.1.1 What You Can Do in this Chapter •...
  • Page 744: The Service Summary Screen

    Both TCP and UDP use ports to identify the source and destination. Each port is a 16-bit number. Some port numbers have been standardized and are used by low-level system processes; many others have no particular meaning. Unlike TCP and UDP, Internet Control Message Protocol (ICMP, IP protocol 1) is mainly used to send error messages or to investigate problems.
  • Page 745 entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 498 Configuration > Object > Service > Service. The following table describes the labels in this screen. Table 205 Configuration > Object > Service > Service. Click this to create a new entry.
  • Page 746: The Service Add/Edit Screen

    42.2.1 The Service Add/Edit Screen. The Service Add/Edit screen allows you to create a new service or edit an existing one. To access this screen, go to the Service screen (see Section 42.2 on page 744), and click either the Add icon or an Edit icon. Figure 499 Configuration >...
  • Page 747 To access this screen, log in to the Web Configurator, and click Configuration > Object > Service > Service Group. Figure 500 Configuration > Object > Service > Service Group. The following table describes the labels in this screen. See Section 42.3.1 on page for more information as well.
  • Page 748: The Service Group Add/Edit Screen

    42.3.1 The Service Group Add/Edit Screen. The Service Group Add/Edit screen allows you to create a new service group or edit an existing one. To access this screen, go to the Service Group screen (see Section 42.3 on page 746), and click either the Add icon or an Edit icon.
  • Page 749: Schedules

    Chapter 43 Schedules. 43.1 Overview. Use schedules to set up one-time and recurring schedules for policy routes, firewall rules, application patrol, and content filtering. The ZyWALL supports one-time and recurring schedules. One-time schedules are effective only once, while recurring schedules usually repeat.
  • Page 750: The Schedule Summary Screen

    Finding Out More. • See Section 6.6 on page 111 for related information on these screens. • See Section 50.3 on page 817 for information about the ZyWALL’s current date and time. 43.2 The Schedule Summary Screen. The Schedule summary screen provides a summary of all schedules in the ZyWALL.
  • Page 751: The One-Time Schedule Add/Edit Screen

    Table 209 Configuration > Object > Schedule (continued). Recurring: Click this to create a new entry. Edit: Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove: To remove an entry, select it and click Remove.
  • Page 752: The Recurring Schedule Add/Edit Screen

    Table 210 Configuration > Object > Schedule > Edit (One Time) (continued). Date Time. StartDate: Specify the year, month, and day when the schedule begins. Year: 1900 - 2999. Month: 1 - 12. Day: 1 - 31 (it is not possible to specify illegal dates, such as February 31). Hour: 0 - 23...
  • Page 753 (see Section 43.2 on page 750), and click either the Add icon or an Edit icon in the Recurring section. Figure 504 Configuration > Object > Schedule > Edit (Recurring). The Year, Month, and Day columns are not used in recurring schedules and are disabled in this screen.
  • Page 754 Chapter 43 Schedules ZyWALL USG 100/200 Series User’s Guide...
  • Page 755: AAA Server

    Chapter 44 AAA Server 44.1 Overview You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The AAA server can be an Active Directory, LDAP, or RADIUS server. Use the AAA Server screens to create and manage objects that contain settings for using AAA servers.
  • Page 756: RADIUS Server

    Chapter 44 AAA Server 44.1.2 RADIUS Server RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external server instead of (or in addition to) an internal device user database that is limited to the memory capacity of the device.
  • Page 757: What You Need To Know

    Chapter 44 AAA Server • Use the Configuration > Object > AAA Server > RADIUS screen (Section 44.3 on page 761) to configure the default external RADIUS server to use for user authentication. 44.1.5 What You Need To Know AAA Servers Supported by the ZyWALL The following lists the types of authentication server the ZyWALL supports.
  • Page 758 Chapter 44 AAA Server organizational boundaries. The following figure shows a basic directory structure branching from countries to organizations to organizational units to individuals. Figure 507 Basic Directory Structure Distinguished Name (DN) A DN uniquely identifies an entry in a directory.
  • Page 759: Active Directory Or LDAP Server Summary

    Chapter 44 AAA Server • See Section 7.8 on page 155 for an example of how to use a RADIUS server to authenticate user accounts based on groups. 44.2 Active Directory or LDAP Server Summary Use the Active Directory or LDAP screen to manage the list of AD or LDAP servers the ZyWALL can use in authenticating users.
  • Page 760 Chapter 44 AAA Server following screen. Use this screen to create a new AD or LDAP entry or edit an existing one. Figure 509 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add The following table describes the labels in this screen. Table 213 Configuration >...
  • Page 761: RADIUS Server Summary

    Chapter 44 AAA Server Table 213 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add LABEL DESCRIPTION Base DN Specify the directory (up to 127 alphanumerical characters). For example, o=ZyXEL, c=US. Use SSL Select Use SSL to establish a secure connection to the AD or LDAP server(s).
  • Page 762 Chapter 44 AAA Server Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen. Figure 510 Configuration > Object > AAA Server > RADIUS The following table describes the labels in this screen. Table 214 Configuration > Object > AAA Server > RADIUS LABEL DESCRIPTION Click this to create a new entry.
  • Page 763: Adding A RADIUS Server

    Chapter 44 AAA Server 44.3.1 Adding a RADIUS Server Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen. Click the Add icon or an Edit icon to display the following screen. Use this screen to create a new AD or LDAP entry or edit an existing one. Figure 511 Configuration >...
  • Page 764 Chapter 44 AAA Server Table 215 Configuration > Object > AAA Server > RADIUS > Add (continued) LABEL DESCRIPTION Timeout Specify the timeout period (between 1 and 300 seconds) before the ZyWALL disconnects from the RADIUS server. In this case, user authentication fails.
  • Page 765: Authentication Method

    Chapter 45 Authentication Method 45.1 Overview Authentication method objects set how the ZyWALL authenticates wireless, HTTP/HTTPS clients, peer IPSec routers (extended authentication), and L2TP VPN clients. Configure authentication method objects to have the ZyWALL use the local user database, and/or the authentication servers and authentication server groups specified by AAA server objects.
  • Page 766: Authentication Method Objects

    Chapter 45 Authentication Method Select Server Mode and select an authentication method object from the drop-down list box. Click OK to save the settings. Figure 512 Example: Using Authentication Method in VPN 45.2 Authentication Method Objects Click Configuration > Object > Auth. Method to display the screen as shown. Note: You can create up to 16 authentication method objects.
  • Page 767: Creating An Authentication Method Object

    Chapter 45 Authentication Method Table 216 Configuration > Object > Auth. Method (continued) LABEL DESCRIPTION Method List This field displays the authentication method(s) for this entry. Add icon Click Add to add a new entry. Click Edit to edit the settings of an entry. Click Delete to remove an entry.
  • Page 768 Chapter 45 Authentication Method Click OK to save the settings or click Cancel to discard all changes and return to the previous screen. Figure 514 Configuration > Object > Auth. Method > Add The following table describes the labels in this screen. Table 217 Configuration >...
  • Page 769 Chapter 45 Authentication Method Table 217 Configuration > Object > Auth. Method > Add (continued) LABEL DESCRIPTION Add icon Click Add to add a new entry. Click Edit to edit the settings of an entry. Click Delete to delete an entry. Click OK to save the changes.
  • Page 771: Certificates

    Chapter 46 Certificates 46.1 Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication.
  • Page 772 Chapter 46 Certificates Tim keeps the private key and makes the public key openly available. This means that anyone who receives a message seeming to come from Tim can read it and verify whether it is really from him or not. Tim uses his private key to sign the message and sends it to Jenny.
  • Page 773: Verifying A Certificate

    Chapter 46 Certificates Factory Default Certificate The ZyWALL generates its own unique self-signed certificate when you first turn it on. This certificate is referred to in the GUI as the factory default certificate. Certificate File Formats Any certificate that you want to import has to be in one of these file formats: •...
  • Page 774 Chapter 46 Certificates Make sure that the certificate has a “.cer” or “.crt” file name extension. Figure 515 Remote Host Certificates Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.
  • Page 775: The My Certificates Screen

    Chapter 46 Certificates 46.2 The My Certificates Screen Click Configuration > Object > Certificate > My Certificates to open the My Certificates screen. This is the ZyWALL’s summary list of certificates and certification requests. Figure 517 Configuration > Object > Certificate > My Certificates The following table describes the labels in this screen.
  • Page 776: The My Certificates Add Screen

    Chapter 46 Certificates Table 218 Configuration > Object > Certificate > My Certificates (continued) LABEL DESCRIPTION Type This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate.
  • Page 777 Chapter 46 Certificates ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request. Figure 518 Configuration > Object > Certificate > My Certificates > Add
  • Page 778 Chapter 46 Certificates The following table describes the labels in this screen. Table 219 Configuration > Object > Certificate > My Certificates > Add LABEL DESCRIPTION Name Type a name to identify this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
  • Page 779 Chapter 46 Certificates Table 219 Configuration > Object > Certificate > My Certificates > Add (continued) LABEL DESCRIPTION Create a certification request Select this to have the ZyWALL generate and store a request for a certificate. Use the My Certificate Details screen to view the request and save it and copy it to send to the certification authority.
  • Page 780 Chapter 46 Certificates Table 219 Configuration > Object > Certificate > My Certificates > Add (continued) LABEL DESCRIPTION Request Authentication When you select Create a certification request and enroll for a certificate immediately online, the certification authority may want you to include a reference number and key to identify you when you send a certification request.
  • Page 781: The My Certificates Edit Screen

    Chapter 46 Certificates 46.2.2 The My Certificates Edit Screen Click Configuration > Object > Certificate > My Certificates and then the Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate’s name. Figure 519 Configuration >...
  • Page 782 Chapter 46 Certificates The following table describes the labels in this screen. Table 220 Configuration > Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters. Certification Path This field displays for a certificate, not a certification request.
  • Page 783 Chapter 46 Certificates Table 220 Configuration > Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Key Algorithm This field displays the type of algorithm that was used to generate the certificate’s key pair (the ZyWALL uses RSA encryption) and the length of the key set in bits (1024 bits for example).
  • Page 784: The My Certificates Import Screen

    Chapter 46 Certificates Table 220 Configuration > Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Click OK to save your changes back to the ZyWALL. You can only change the name. Cancel Click Cancel to quit and return to the My Certificates screen. 46.2.3 The My Certificates Import Screen Click Configuration >...
  • Page 785: The Trusted Certificates Screen

    Chapter 46 Certificates Table 221 Configuration > Object > Certificate > My Certificates > Import (continued) LABEL DESCRIPTION Password This field only applies when you import a binary PKCS#12 format file. Type the file’s password that was created when the PKCS #12 file was exported. Click OK to save the certificate on the ZyWALL.
  • Page 786: The Trusted Certificates Edit Screen

    Chapter 46 Certificates Table 222 Configuration > Object > Certificate > Trusted Certificates (continued) LABEL DESCRIPTION Object References You cannot delete certificates that any of the ZyWALL’s features are configured to use. Select an entry and click Object References to open a screen that shows which settings use the entry.
  • Page 787 Chapter 46 Certificates authority’s list of revoked certificates before trusting a certificate issued by the certification authority. Figure 522 Configuration > Object > Certificate > Trusted Certificates > Edit
  • Page 788 Chapter 46 Certificates The following table describes the labels in this screen. Table 223 Configuration > Object > Certificate > Trusted Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificate. You can change the name. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
  • Page 789 Chapter 46 Certificates Table 223 Configuration > Object > Certificate > Trusted Certificates > Edit LABEL DESCRIPTION Type This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate’s owner signed the certificate (not a certification authority).
  • Page 790: The Trusted Certificates Import Screen

    Chapter 46 Certificates Table 223 Configuration > Object > Certificate > Trusted Certificates > Edit LABEL DESCRIPTION SHA1 Fingerprint This is the certificate’s message digest that the ZyWALL calculated using the SHA1 algorithm. You can use this value to verify with the certification authority (over the phone for example) that this is actually their certificate.
  • Page 791: Certificates Technical Reference

    Chapter 46 Certificates The following table describes the labels in this screen. Table 224 Configuration > Object > Certificate > Trusted Certificates > Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it.
  • Page 793: ISP Accounts

    Chapter 47 ISP Accounts 47.1 Overview Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE/PPTP interfaces. An ISP account is a profile of settings for Internet access using PPPoE or PPTP. Finding Out More •...
  • Page 794: ISP Account Edit

    Chapter 47 ISP Accounts The following table describes the labels in this screen. See the ISP Account Edit section below for more information as well. Table 225 Configuration > Object > ISP Account LABEL DESCRIPTION Click this to create a new entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
  • Page 795 Chapter 47 ISP Accounts The following table describes the labels in this screen. Table 226 Configuration > Object > ISP Account > Edit LABEL DESCRIPTION Profile Name This field is read-only if you are editing an existing account. Type in the profile name of the ISP account.
  • Page 796: Stac Compression

    Chapter 47 ISP Accounts Table 226 Configuration > Object > ISP Account > Edit (continued) LABEL DESCRIPTION Compression Select the On button to turn on stac compression, and select Off to turn off stac compression. Stac compression is a data compression technique capable of compressing data by a factor of about four.
  • Page 797: SSL Application

    Chapter 48 SSL Application 48.1 Overview You use SSL application objects in SSL VPN. Configure an SSL application object to specify the type of application and the address of the local computer, server, or web site SSL users are to be able to access. You can apply one or more SSL application objects in the VPN >...
  • Page 798: Example: Specifying A Web Site For Access

    Chapter 48 SSL Application Remote Desktop Connections Use SSL VPN to allow remote users to manage LAN computers. Depending on the functions supported by the remote desktop software, they can install or remove software, run programs, change settings, and open, copy, create, and delete files. This is useful for troubleshooting, support, administration, and remote access to files and programs.
  • Page 799: The SSL Application Screen

    Chapter 48 SSL Application Click the Add button and select Web Application in the Type field. In the Server Type field, select Web Server. Enter a descriptive name in the Display Name field. For example, “CompanyIntranet”. In the Address field, enter “http://info”. Select Web Page Encryption to prevent users from saving the web content.
  • Page 800: Creating/Editing A Web-Based SSL Application Object

    Chapter 48 SSL Application The following table describes the labels in this screen. Table 227 Configuration > Object > SSL Application LABEL DESCRIPTION Click this to create a new entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
  • Page 801 Chapter 48 SSL Application The following table describes the labels in this screen. Table 228 Configuration > Object > SSL Application > Add/Edit: Web Application LABEL DESCRIPTION Show Advance Settings / Hide This displays for VNC or RDP type web application objects. Click this button to display a greater or lesser number of configuration fields.
  • Page 802: Creating/Editing A File Sharing SSL Application Object

    Chapter 48 SSL Application Table 228 Configuration > Object > SSL Application > Add/Edit: Web Application LABEL DESCRIPTION Server Address(es) This field displays if the Server Type is set to RDP or VNC. Specify the IP address or Fully-Qualified Domain Name (FQDN) of the computer(s) that you want to allow the remote users to manage.
  • Page 803 Chapter 48 SSL Application The following table describes the labels in this screen. Table 229 Configuration > Object > SSL Application > Add/Edit: File Sharing LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen.
  • Page 805: Endpoint Security

    Chapter 49 Endpoint Security 49.1 Overview Use Endpoint Security (EPS), also known as endpoint control, to make sure users’ computers comply with defined corporate policies before they can access the network or an SSL VPN tunnel. After a successful user authentication, a user’s computer must meet the endpoint security object’s Operating System (OS) option and security requirements to gain access.
  • Page 806: What You Can Do In This Chapter

    Chapter 49 Endpoint Security 49.1.1 What You Can Do in this Chapter Use the Configuration > Object > Endpoint Security screens (Section 49.2 on page 807) to create and manage endpoint security objects. 49.1.2 What You Need to Know What Endpoint Security Can Check The settings endpoint security can check vary depending on the OS of the user’s computer.
  • Page 807: Endpoint Security Screen

    Chapter 49 Endpoint Security 49.2 Endpoint Security Screen The Endpoint Security screen displays the endpoint security objects you have configured on the ZyWALL. Click Configuration > Object > Endpoint Security to display the screen. Figure 532 Configuration > Object > Endpoint Security The following table gives an overview of the objects you can configure.
  • Page 808 Chapter 49 Endpoint Security Table 230 Configuration > Object > Endpoint Security (continued) LABEL DESCRIPTION Apply Click this button to save your changes to the ZyWALL. Reset Click this button to return the screen to its last-saved settings.
  • Page 809: Endpoint Security Add/Edit

    Chapter 49 Endpoint Security 49.3 Endpoint Security Add/Edit Click Configuration > Object > Endpoint Security and then the Add (or Edit) icon to open the Endpoint Security Edit screen. Use this screen to configure an endpoint security object.
  • Page 810 Chapter 49 Endpoint Security Figure 533 Configuration > Object > Endpoint Security > Add
  • Page 811 Chapter 49 Endpoint Security The following table gives an overview of the objects you can configure. Table 231 Configuration > Object > Endpoint Security > Add LABEL DESCRIPTION Show Advance Settings / Hide Click this button to display a greater or lesser number of configuration fields.
  • Page 812 Chapter 49 Endpoint Security Table 231 Configuration > Object > Endpoint Security > Add (continued) LABEL DESCRIPTION Checking Item - Personal Firewall If you selected Windows as the operating system, you can select whether or not the user’s computer is required to have personal firewall software installed.
  • Page 813 Chapter 49 Endpoint Security Table 231 Configuration > Object > Endpoint Security > Add (continued) LABEL DESCRIPTION Checking Item - File Information If you selected Windows or Linux as the operating system, you can use this table to check details of specific files on the user’s computer. Use the Operation field to set whether the size or version of the file on the user’s computer has to be equal to (==), greater than (>), less than...
  • Page 815: System

    Chapter 50 System 50.1 Overview Use the system screens to configure general ZyWALL settings. 50.1.1 What You Can Do in this Chapter • Use the System > Host Name screen (see Section 50.2 on page 816) to configure a unique name for the ZyWALL in your network.
  • Page 816: Host Name

    Chapter 50 System • Connect an external serial modem to the AUX port to provide a management connection in case the ZyWALL’s other WAN connections are down. Use the System > Dial-in Mgmt. screen (see Section 50.11 on page 859) to configure the external serial modem.
  • Page 817: Date And Time

    Chapter 50 System 50.3 Date and Time For effective scheduling and logging, the ZyWALL system time must be accurate. The ZyWALL’s Real Time Chip (RTC) keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server.
  • Page 818 Chapter 50 System Table 233 Configuration > System > Date and Time (continued) LABEL DESCRIPTION Manual Select this radio button to enter the time and date manually. If you configure a new time and date, time zone and daylight saving at the same time, the time zone and daylight saving will affect the new time and date you entered.
  • Page 819: Pre-Defined NTP Time Servers List

    Chapter 50 System Table 233 Configuration > System > Date and Time (continued) LABEL DESCRIPTION End Date Configure the day and time when Daylight Saving Time ends if you selected Enable Daylight Saving. The at field uses the 24 hour format.
  • Page 820: Time Server Synchronization

    Chapter 50 System 50.3.2 Time Server Synchronization Click the Synchronize Now button to get the time and date from the time server you specified in the Time Server Address field. When the Please Wait... screen appears, you may have to wait up to one minute. Figure 536 Synchronization in Process The Current Time and Current Date fields will display the appropriate settings if the synchronization is successful.
  • Page 821: Console Port Speed

    Chapter 50 System Under Time and Date Setup, enter a Time Server Address (Table 234 on page 819). Click Apply. 50.4 Console Port Speed This section shows you how to set the console port speed when you connect to the ZyWALL via the console port using a terminal emulation program.
  • Page 822: DNS Server Address Assignment

    Chapter 50 System 50.5.1 DNS Server Address Assignment The ZyWALL can get the DNS server addresses in the following ways. • The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, manually enter them in the DNS server fields.
  • Page 823 Chapter 50 System The following table describes the labels in this screen. Table 236 Configuration > System > DNS LABEL DESCRIPTION Address/PTR Record This record specifies the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name.
  • Page 824 Chapter 50 System Table 236 Configuration > System > DNS (continued) LABEL DESCRIPTION DNS Server This is the IP address of a DNS server. This field displays N/A if you have the ZyWALL get a DNS server IP address from the ISP dynamically but the specified interface is not active.
  • Page 825: Address Record

    Chapter 50 System 50.5.3 Address Record An address record contains the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com”...
  • Page 826: Domain Zone Forwarder

    Chapter 50 System The following table describes the labels in this screen. Table 237 Configuration > System > DNS > Address/PTR Record Edit LABEL DESCRIPTION FQDN Type a Fully-Qualified Domain Name (FQDN) of a server. An FQDN starts with a host name and continues all the way up to the top-level domain name.
  • Page 827: MX Record

    Chapter 50 System The following table describes the labels in this screen. Table 238 Configuration > System > DNS > Domain Zone Forwarder Add LABEL DESCRIPTION Domain Zone A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.
  • Page 828: Adding An MX Record

    Chapter 50 System 50.5.9 Adding an MX Record Click the Add icon in the MX Record table to add an MX record. Figure 541 Configuration > System > DNS > MX Record Add The following table describes the labels in this screen. Table 239 Configuration >...
  • Page 829: WWW Overview

    Chapter 50 System The following table describes the labels in this screen. Table 240 Configuration > System > DNS > Service Control Rule Add LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen.
  • Page 830: Service Access Limitations

    Chapter 50 System • See To-ZyWALL Rules on page 455 for more on To-ZyWALL firewall rules. • See Section 7.10 on page 160 for an example of configuring service control to block administrator HTTPS access from all zones except the LAN. To stop a service from accessing the ZyWALL, clear Enable in the corresponding service screen.
  • Page 831: Configuring WWW Service Control

    Chapter 50 System It relies upon certificates, public keys, and private keys (see Chapter 46 on page for more information). HTTPS on the ZyWALL is used so that you can securely access the ZyWALL using the Web Configurator. The SSL protocol specifies that the HTTPS server (the ZyWALL) must always authenticate itself to the HTTPS client (the computer which requests the HTTPS connection with the ZyWALL), whereas the HTTPS client only should authenticate itself when the HTTPS server requires it to do so (select...
  • Page 832 Chapter 50 System Note: Admin Service Control deals with management access (to the Web Configurator). User Service Control deals with user access to the ZyWALL (logging into SSL VPN for example). Figure 545 Configuration > System > WWW > Service Control The following table describes the labels in this screen.
  • Page 833 Chapter 50 System Table 241 Configuration > System > WWW > Service Control (continued) LABEL DESCRIPTION Server Port The HTTPS server listens on port 443 by default. If you change the HTTPS server port to a different number on the ZyWALL, for example 8443, then you must notify people who need to access the ZyWALL Web Configurator to use “https://ZyWALL IP Address:8443”...
  • Page 834 Chapter 50 System Table 241 Configuration > System > WWW > Service Control (continued) LABEL DESCRIPTION HTTP Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL Web Configurator using HTTP connections.
  • Page 835: Service Control Rules

    Chapter 50 System Table 241 Configuration > System > WWW > Service Control (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. 50.6.5 Service Control Rules Click Add or Edit in the Service Control table in a WWW, SSH, Telnet, FTP or SNMP screen to add a service control rule.
  • Page 836 Chapter 50 System also customize the page that displays after an access user logs into the Web Configurator to access network services like the Internet. See Chapter 40 on page for more on access user accounts. Figure 547 Configuration > System > WWW > Login Page
  • Page 837 Chapter 50 System The following figures identify the parts you can customize in the login and access pages. Figure 548 Login Page Customization Title Logo Message (color of all text) Background Note Message (last line of text) Figure 549 Access Page Customization Logo Title Message...
  • Page 838 Chapter 50 System • Click Color to display a screen of web-safe colors from which to choose. • Enter the name of the desired color. • Enter a pound sign (#) followed by the six-digit hexadecimal number that represents the desired color. For example, use “#000000” for black. •...
  • Page 839: HTTPS Example

    Chapter 50 System Table 243 Configuration > System > WWW > Login Page LABEL DESCRIPTION Note Message Enter a note to display below the title. Use up to 64 printable ASCII characters. Spaces are allowed. Window Background Set how the window’s background looks. To use a graphic, select Picture and upload a graphic.
  • Page 840: Netscape Navigator Warning Messages

    Chapter 50 System 50.6.7.2 Netscape Navigator Warning Messages When you attempt to access the ZyWALL HTTPS server, a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate. Click Examine Certificate if you want to verify that the certificate is from the ZyWALL.
  • Page 841: Login Screen

    Chapter 50 System • The issuing certificate authority of the ZyWALL’s HTTPS server certificate is not one of the browser’s trusted certificate authorities. The issuing certificate authority of the ZyWALL's factory default certificate is the ZyWALL itself since the certificate is a self-signed certificate. •...
  • Page 842 Chapter 50 System Apply for a certificate from a Certification Authority (CA) that is trusted by the ZyWALL (see the ZyWALL’s Trusted CA Web Configurator screen). Figure 554 ZyWALL Trusted CA Screen The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s).
  • Page 843 Chapter 50 System 50.6.7.5.2 Installing Your Personal Certificate(s) You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next. Click Next to begin the wizard.
  • Page 844 Chapter 50 System Enter the password given to you by the CA. Figure 558 Personal Certificate Import Wizard 3 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.
  • Page 845: Using A Certificate When Accessing The ZyWALL Example

    Chapter 50 System Click Finish to complete the wizard and begin the import process. Figure 560 Personal Certificate Import Wizard 5 You should see the following screen when the certificate is correctly installed on your computer. Figure 561 Personal Certificate Import Wizard 6 50.6.7.6 Using a Certificate When Accessing the ZyWALL Example Use the following procedure to access the ZyWALL via HTTPS.
  • Page 846: SSH

    Chapter 50 System When Authenticate Client Certificates is selected on the ZyWALL, the following screen asks you to select a personal certificate to send to the ZyWALL. This screen displays even if you only have a single certificate as in the example. Figure 563 SSL Client Authentication You next see the Web Configurator login screen.
  • Page 847: How SSH Works

    Chapter 50 System SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. In the following figure, computer A on the Internet uses SSH to securely connect to the WAN port of the ZyWALL for a management session. Figure 565 SSH Communication Over the WAN Example 50.7.1 How SSH Works The following figure is an example of how a secure connection is established...
  • Page 848: Ssh Implementation On The Zywall

    Chapter 50 System Encryption Method Once the identification is verified, both the client and server must agree on the type of encryption method to use. Authentication and Data Transmission After the identification is verified and data encryption activated, a secure tunnel is established between the client and the server.
  • Page 849 Chapter 50 System Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections. Figure 567 Configuration > System > SSH The following table describes the labels in this screen. Table 244 Configuration > System > SSH LABEL DESCRIPTION Enable...
  • Page 850: Secure Telnet Using Ssh Examples

    Chapter 50 System Table 244 Configuration > System > SSH (continued) LABEL DESCRIPTION Move To change an entry’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.
  • Page 851: Telnet

    Chapter 50 System Enter the password to log in to the ZyWALL. The CLI screen displays next. 50.7.5.2 Example 2: Linux This section describes how to access the ZyWALL using the OpenSSH client program that comes with most Linux distributions. Test whether the SSH service is available on the ZyWALL.
  • Page 852: Configuring Telnet

    Chapter 50 System 50.8.1 Configuring Telnet Click Configuration > System > TELNET to configure your ZyWALL for remote Telnet access. Use this screen to specify from which zones Telnet can be used to manage the ZyWALL. You can also specify from which IP addresses the access can come.
  • Page 853: Ftp

    Chapter 50 System Table 245 Configuration > System > TELNET (continued) LABEL DESCRIPTION This is the index number of the service control rule. The entry with a hyphen (-) instead of a number is the ZyWALL’s (non-configurable) default policy. The ZyWALL applies this to traffic that does not match any other configured rule.
  • Page 854 Chapter 50 System be used to access the ZyWALL. You can also specify from which IP addresses the access can come. Figure 572 Configuration > System > FTP The following table describes the labels in this screen. Table 246 Configuration > System > FTP LABEL DESCRIPTION Enable...
  • Page 855: Snmp

    Chapter 50 System Table 246 Configuration > System > FTP (continued) LABEL DESCRIPTION Move To change an entry’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.
  • Page 856 Chapter 50 System and version two (SNMPv2c). The next figure illustrates an SNMP management operation. Figure 573 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL).
  • Page 857: Supported Mibs

    Chapter 50 System • GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
  • Page 858 Chapter 50 System settings, including from which zones SNMP can be used to access the ZyWALL. You can also specify from which IP addresses the access can come. Figure 574 Configuration > System > SNMP The following table describes the labels in this screen. Table 248 Configuration >...
  • Page 859: Dial-In Management

    Chapter 50 System Table 248 Configuration > System > SNMP (continued) LABEL DESCRIPTION Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Refer to Table 242 on page 835 for details on the screen that opens.
  • Page 860: Configuring Dial-In Mgmt

    Chapter 50 System Hang Up check box is selected, the ZyWALL uses this hardware signal to force the WAN device to hang up, in addition to issuing the drop command ATH. Response Strings The response strings tell the ZyWALL the tags, or labels, immediately preceding the various call parameters sent from the serial modem.
  • Page 861: Vantage Cnm

    Chapter 50 System Table 249 Configuration > System > Dial-in Mgmt (continued) LABEL DESCRIPTION Port Speed Use the drop-down list box to select the speed of the connection between the ZyWALL’s auxiliary port and the external modem. Available speeds are: 9600, 19200, 38400, 57600, or 115200 bps. Initial String Type the AT command string that the ZyWALL returns to the external serial modem connected to the ZyWALL’s auxiliary port during...
  • Page 862: Configuring Vantage Cnm

    Chapter 50 System 50.12.1 Configuring Vantage CNM Vantage CNM is disabled on the device by default. Click Configuration > System > Vantage CNM to configure your device’s Vantage CNM settings. Figure 576 Configuration > System > Vantage CNM The following table describes the labels in this screen. Table 250 Configuration >...
  • Page 863 Chapter 50 System Table 250 Configuration > System > Vantage CNM (continued) LABEL DESCRIPTION Transfer Protocol: Select whether the Vantage CNM sessions should use regular HTTP connections or secure HTTPS connections. Note: HTTPS is recommended. The Vantage CNM server must use the same setting. Device Management: Select Auto to have the ZyWALL allow Vantage CNM sessions to connect...
  • Page 864: Language Screen

    Chapter 50 System 50.13 Language Screen Click Configuration > System > Language to open the following screen. Use this screen to select a display language for the ZyWALL’s Web Configurator screens. Figure 577 Configuration > System > Language The following table describes the labels in this screen. Table 251 Configuration >...
  • Page 865: Log And Report

    CHAPTER 51 Log and Report 51.1 Overview Use these screens to configure daily reporting and log settings. 51.1.1 What You Can Do In this Chapter • Use the Email Daily Report screen (Section 51.2 on page 865) to configure where and how to send daily reports and what reports to send.
  • Page 866 Chapter 51 Log and Report Click Configuration > Log & Report > Email Daily Report to display the following screen. Configure this screen to have the ZyWALL e-mail you system statistics every day. Figure 578 Configuration > Log & Report > Email Daily Report ZyWALL USG 100/200 Series User’s Guide...
  • Page 867: Log Setting Screens

    Chapter 51 Log and Report The following table describes the labels in this screen. Table 252 Configuration > Log & Report > Email Daily Report LABEL DESCRIPTION Enable Email Daily Report: Select this to send reports by e-mail every day. Mail Server: Type the name or IP address of the outgoing SMTP server.
  • Page 868: Log Setting Summary

    Chapter 51 Log and Report The Log Setting tab also controls what information is saved in each log. For the system log, you can also specify which log messages are e-mailed, where they are e-mailed, and how often they are e-mailed. For alerts, the Log Settings tab controls which events generate alerts and where alerts are e-mailed.
  • Page 869: Edit System Log Settings

    Chapter 51 Log and Report Table 253 Configuration > Log & Report > Log Setting (continued) LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific log. Name This field displays the name of the log (system log or one of the remote servers).
  • Page 870 Chapter 51 Log and Report Figure 580 Configuration > Log & Report > Log Setting > Edit (System Log)
  • Page 871 Chapter 51 Log and Report The following table describes the labels in this screen. Table 254 Configuration > Log & Report > Log Setting > Edit (System Log) LABEL DESCRIPTION E-Mail Server 1/2 Active Select this to send log messages and alerts according to the information in this section.
  • Page 872 Chapter 51 Log and Report Table 254 Configuration > Log & Report > Log Setting > Edit (System Log) LABEL DESCRIPTION E-mail Server 1 Use the E-Mail Server 1 drop-down list to change the settings for e-mailing logs to e-mail server 1 for all log categories. Using the System Log drop-down list to disable all logs overrides your e-mail server 1 settings.
  • Page 873 Chapter 51 Log and Report Table 254 Configuration > Log & Report > Log Setting > Edit (System Log) LABEL DESCRIPTION Active Select this to activate log consolidation. Log consolidation aggregates multiple log messages that arrive within the specified Log Consolidation Interval. In the View Log tab, the text “[count=x]”, where x is the number of original log messages, is appended at the end of the Message field, when multiple log messages were aggregated.
  • Page 874: Edit Remote Server Log Settings

    Chapter 51 Log and Report 51.3.3 Edit Remote Server Log Settings The Log Settings Edit screen controls the detailed settings for each log in the remote server (syslog). Go to the Log Settings Summary screen (see Section 51.3.1 on page 868), and click a remote server Edit icon.
  • Page 875 Chapter 51 Log and Report The following table describes the labels in this screen. Table 255 Configuration > Log & Report > Log Setting > Edit (Remote Server) LABEL DESCRIPTION Log Settings for Remote Server Active Select this check box to send log information according to the information in this section.
  • Page 876: Active Log Summary Screen

    Chapter 51 Log and Report 51.3.4 Active Log Summary Screen The Active Log Summary screen allows you to view and to edit what information is included in the system log, e-mail profiles, and remote servers at the same time. It does not let you change other log settings (for example, where and how often log information is e-mailed or remote server names). To access this screen, go to the Log Settings Summary screen (see Section 51.3.1 on page...
  • Page 877 Chapter 51 Log and Report The following table describes the fields in this screen. Table 256 Configuration > Log & Report > Log Setting > Active Log Summary LABEL DESCRIPTION System log Use the System Log drop-down list to change the log settings for all of the log categories.
  • Page 878 Chapter 51 Log and Report Table 256 Configuration > Log & Report > Log Setting > Active Log Summary LABEL DESCRIPTION System log Select which events you want to log by Log Category. There are three choices: disable all logs (red X) - do not log any information from this category enable normal logs (green checkmark) - create log messages and alerts from this category enable normal logs and debug logs (yellow check mark) - create log...
  • Page 879: File Manager

    CHAPTER 52 File Manager 52.1 Overview Configuration files define the ZyWALL’s settings. Shell scripts are files of commands that you can store on the ZyWALL and run when you need them. You can apply a configuration file or run a shell script without the ZyWALL restarting. You can store multiple configuration files and shell script files on the ZyWALL.
  • Page 880: Comments In Configuration Files Or Shell Scripts

    Chapter 52 File Manager These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below. Figure 583 Configuration File / Shell Script: Example
    # enter configuration mode
    configure terminal
    # change administrator password
    username admin password 4321 user-type admin
    # configure ge3
    ...
  • Page 881 Chapter 52 File Manager Your configuration files or shell scripts can use “exit” or a command line consisting of a single “!” to have the ZyWALL exit sub command mode. Note: “exit” or “!” must follow sub commands if it is to make the ZyWALL exit sub command mode.
  • Page 882: The Configuration File Screen

    Chapter 52 File Manager 52.2 The Configuration File Screen Click Maintenance > File Manager > Configuration File to open the Configuration File screen. Use the Configuration File screen to store, run, and name configuration files. You can also download configuration files from the ZyWALL to your computer and upload configuration files from your computer to the ZyWALL.
  • Page 883 Chapter 52 File Manager The following table describes the labels in this screen. Table 258 Maintenance > File Manager > Configuration File LABEL DESCRIPTION Rename Use this button to change the label of a configuration file on the ZyWALL. You can only rename manually saved configuration files. You cannot rename the lastgood.conf, system-default.conf and startup- config.conf files.
  • Page 884 Chapter 52 File Manager Table 258 Maintenance > File Manager > Configuration File (continued) LABEL DESCRIPTION Copy Use this button to save a duplicate of a configuration file on the ZyWALL. Click a configuration file’s row to select it and click Copy to open the Copy File screen.
  • Page 885 Chapter 52 File Manager Table 258 Maintenance > File Manager > Configuration File (continued) LABEL DESCRIPTION Apply Use this button to have the ZyWALL use a specific configuration file. Click a configuration file’s row to select it and click Apply to have the ZyWALL use that configuration file.
  • Page 886: The Firmware Package Screen

    Chapter 52 File Manager Table 258 Maintenance > File Manager > Configuration File (continued) LABEL DESCRIPTION File Name This column displays the label that identifies a configuration file. You cannot delete the following configuration files or change their file names. The system-default.conf file contains the ZyWALL’s default settings.
  • Page 887 Chapter 52 File Manager Note: The Web Configurator is the recommended method for uploading firmware. You only need to use the command line interface if you need to recover the firmware. See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it.
  • Page 888: The Shell Script Screen

    Chapter 52 File Manager After you see the Firmware Upload in Process screen, wait two minutes before logging into the ZyWALL again. Figure 589 Firmware Upload In Process Note: The ZyWALL automatically reboots after a successful upload. The ZyWALL automatically restarts, causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.
  • Page 889 Chapter 52 File Manager Note: You should include write commands in your scripts. If you do not use the write command, the changes will be lost when the ZyWALL restarts. You could use multiple write commands in a long script. Figure 592 Maintenance >...
  • Page 890 Chapter 52 File Manager Table 260 Maintenance > File Manager > Shell Script (continued) LABEL DESCRIPTION Copy Use this button to save a duplicate of a shell script file on the ZyWALL. Click a shell script file’s row to select it and click Copy to open the Copy File screen.
  • Page 891: Diagnostics

    CHAPTER 53 Diagnostics 53.1 Overview Use the diagnostics screens for troubleshooting. 53.1.1 What You Can Do in this Chapter • Use the Maintenance > Diagnostics screen (see Section 53.2 on page 891) to generate a file containing the ZyWALL’s configuration and diagnostic information if you need to provide it to customer support during troubleshooting.
  • Page 892: The Packet Capture Screen

    Chapter 53 Diagnostics The following table describes the labels in this screen. Table 261 Maintenance > Diagnostics LABEL DESCRIPTION Filename This is the name of the most recently created diagnostic file. Last modified This is the date and time that the last diagnostic file was created. The format is yyyy-mm-dd hh:mm:ss.
  • Page 893 Chapter 53 Diagnostics Note: New capture files overwrite existing files of the same name. Change the File Suffix field’s setting to avoid this. Figure 596 Maintenance > Diagnostics > Packet Capture
  • Page 894 Chapter 53 Diagnostics The following table describes the labels in this screen. Table 262 Maintenance > Diagnostics > Packet Capture LABEL DESCRIPTION Interfaces Enabled interfaces (except for virtual interfaces) appear under Available Interfaces. Select interfaces for which to capture packets and click the right arrow button to move them to the Capture Interfaces list.
  • Page 895: The Packet Capture Files Screen

    Chapter 53 Diagnostics Table 262 Maintenance > Diagnostics > Packet Capture (continued) LABEL DESCRIPTION Capture Click this button to have the ZyWALL capture packets according to the settings configured in this screen. You can configure the ZyWALL while a packet capture is in progress although you cannot modify the packet capture settings.
  • Page 896: Example Of Viewing A Packet Capture File

    Chapter 53 Diagnostics The following table describes the labels in this screen. Table 263 Maintenance > Diagnostics > Packet Capture > Files LABEL DESCRIPTION Remove Select files and click Remove to delete them from the ZyWALL. Use the [Shift] and/or [Ctrl] key to select multiple files. A pop-up window asks you to confirm that you want to delete.
  • Page 897 Chapter 53 Diagnostics capture screen’s Number Of Bytes To Capture (Per Packet) field was set to 1500 bytes. Figure 598 Packet Capture File Example
  • Page 899: Reboot

    CHAPTER 54 Reboot 54.1 Overview Use this to restart the device (for example, if the device begins behaving erratically). See also Section 1.5 on page 37 for information on different ways to start and stop the ZyWALL. 54.1.1 What You Need To Know If you applied changes in the Web configurator, these were saved automatically and do not change when you reboot.
  • Page 901: Shutdown

    CHAPTER 55 Shutdown 55.1 Overview Use this to shut down the device in preparation for disconnecting the power. See also Section 1.5 on page 37 for information on different ways to start and stop the ZyWALL. Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the ZyWALL or remove the power.
  • Page 903: Troubleshooting

    CHAPTER 56 Troubleshooting This chapter offers some suggestions to solve problems you might encounter. • You can also refer to the logs (see Chapter 10 on page 276). For individual log descriptions, see Appendix A on page 935.
  • Page 904 Chapter 56 Troubleshooting • If you’ve forgotten the ZyWALL’s IP address, you can use the commands through the console port to check it. Connect your computer to the CONSOLE port using a console cable. Your computer should have a terminal emulation communications program (such as HyperTerminal) set to VT100 terminal emulation, no parity, 8 data bits, 1 stop bit, no flow control and 115200 bps port speed.
  • Page 905 Chapter 56 Troubleshooting I downloaded updated anti-virus or IDP/application patrol signatures. Why has the ZyWALL not re-booted yet? The ZyWALL does not have to reboot when you upload new signatures. The content filter category service is not working. • Make sure your ZyWALL has the content filter category service registered and that the license is not expired.
  • Page 906 Chapter 56 Troubleshooting • The format of interface names other than the Ethernet interface names is very strict. Each name consists of 2-4 letters (interface type), followed by a number (x, limited by the maximum number of each type of interface). For example, VLAN interfaces are vlan0, vlan1, vlan2, ...;...
  • Page 907 Chapter 56 Troubleshooting created a cellular interface but cannot connect through it. • Make sure you have a compatible 3G device installed or connected. See Chapter 57 on page 923 for details. • Make sure you have the cellular interface enabled. •...
  • Page 908 Chapter 56 Troubleshooting The ZyWALL is not applying an interface’s configured ingress bandwidth limit. At the time of writing, the ZyWALL does not support ingress bandwidth management. The ZyWALL is not applying my application patrol bandwidth management settings. Bandwidth management in policy routes has priority over application patrol bandwidth management.
  • Page 909 Chapter 56 Troubleshooting The ZyWALL is deleting some zipped files. The anti-virus policy may be set to delete zipped files that the ZyWALL cannot unzip. The ZyWALL cannot unzip password protected ZIP files or a ZIP file within another ZIP file. There are also limits to the number of ZIP files that the ZyWALL can concurrently unzip.
  • Page 910 Chapter 56 Troubleshooting The ZyWALL’s performance seems slower after configuring ADP. Depending on your network topology and traffic load, applying an anomaly profile to each and every packet direction may affect the ZyWALL’s performance. The ZyWALL routes and applies SNAT for traffic from some interfaces but not from others.
  • Page 911 Chapter 56 Troubleshooting I cannot get the application patrol to manage SIP traffic. Make sure you have the SIP ALG enabled. I cannot get the application patrol to manage H.323 traffic. Make sure you have the H.323 ALG enabled. I cannot get the application patrol to manage FTP traffic. Make sure you have the FTP ALG enabled.
  • Page 912 Chapter 56 Troubleshooting Here are some general suggestions. See also Chapter 25 on page 471. • The system log can often help to identify a configuration problem. • If you enable NAT traversal, the remote IPSec device must also have NAT traversal enabled.
  • Page 913 Chapter 56 Troubleshooting • If you set up a VPN tunnel across the Internet, make sure your ISP supports AH or ESP (whichever you are using). • If you have the ZyWALL and remote IPSec router use certificates to authenticate each other, you must set up the certificates for the ZyWALL and remote IPSec router first and make sure they trust each other’s certificates.
  • Page 914 Chapter 56 Troubleshooting If you have the Configuration > VPN > IPSec VPN > VPN Connection screen’s Use Policy Route to control dynamic IPSec rules option enabled, check the routing policies to see if they are sending traffic elsewhere instead of through the VPN tunnels.
  • Page 915 Chapter 56 Troubleshooting option. The ZyWALL classifies the firmware package as not being able to be decompressed and deletes it. You can upload the firmware package to the ZyWALL with the option enabled, so you only need to clear the Destroy compressed files that could not be decompressed option while you download the firmware package.
  • Page 916 Chapter 56 Troubleshooting Device HA is not working. • You may need to disable STP (Spanning Tree Protocol). • The master and its backups must all use the same device HA mode (either active-passive or legacy). • Configure a static IP address for each interface that you will have device HA monitor.
  • Page 917 Chapter 56 Troubleshooting user, the authentication attempt will always fail. (This is related to AAA servers and authentication methods, which are discussed in Chapter 44 on page 755 and Chapter 45 on page 765, respectively.) I cannot add the admin users to a user group with access users. You cannot put access users and admin users in the same user group.
  • Page 918 Chapter 56 Troubleshooting For My Certificates, you can import a certificate that matches a corresponding certification request that was generated by the ZyWALL. You can also import a certificate in PKCS#12 format, including the certificate’s public and private keys. You must remove any spaces from the certificate’s filename before you can import the certificate.
  • Page 919 Chapter 56 Troubleshooting I uploaded a logo to display on the upper left corner of the Web Configurator login screen and access page but it does not display properly. Make sure the logo file is a GIF, JPG, or PNG of 100 kilobytes or less. I uploaded a logo to use as the screen or window background but it does not display properly.
  • Page 920: Resetting The Zywall

    Chapter 56 Troubleshooting I cannot get the firmware uploaded using the commands. The Web Configurator is the recommended method for uploading firmware. You only need to use the command line interface if you need to recover the firmware. See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it.
  • Page 921: Getting More Troubleshooting Help

    Chapter 56 Troubleshooting If you want to reboot the device without changing the current configuration, see Chapter 54 on page 899. Make sure the SYS LED is on and not blinking. Press the RESET button and hold it until the SYS LED begins to blink. (This usually takes about five seconds.) Release the RESET button, and wait for the ZyWALL to restart.
  • Page 923: Product Specifications

    CHAPTER 57 Product Specifications The following specifications are subject to change without notice. See Chapter 2 on page 39 for a general overview of key features. This table provides basic device specifications. Table 264 Default Login Information ATTRIBUTE SPECIFICATION Default IP Address...
  • Page 924 Chapter 57 Product Specifications Table 265 Hardware Specifications (continued) FEATURE SPECIFICATION Storage Environment Temperature: -30 °C to 60 °C Humidity: 5% to 95% (non-condensing) MTBF Mean Time Between Failures: 323,823 hours Dimensions 242 (W) x 175 (D) x 35.5 (H) mm Weight 1.2 kg Rack-mounting...
  • Page 925 Chapter 57 Product Specifications Table 266 ZyWALL USG 200 Feature Specifications (continued) VERSION # V2.12 V2.20 FEATURE New Session Rate (sessions per second) 1400 1400 FIREWALL Firewall ACL Rules 1000 1000 Maximum Session Limit per Host Rules 1000 1000 APPLICATION PATROL Maximum Rules for Other Protocols Maximum Rules for Each Protocol Allowed Ports...
  • Page 926 Chapter 57 Product Specifications Table 266 ZyWALL USG 200 Feature Specifications (continued) VERSION # V2.12 V2.20 FEATURE Maximum Number of IPSec VPN Tunnels Maximum Number of IPSec VPN Concentrators CERTIFICATES Certificate Buffer Size 128 K 128 K BUILT-IN SERVICES A record NS record MX record Maximum Number of Service Control Entries...
  • Page 927 Chapter 57 Product Specifications Table 266 ZyWALL USG 200 Feature Specifications (continued) VERSION # V2.12 V2.20 FEATURE Maximum Number of Concurrent Mail Sessions Maximum Number of Anti-Spam Rules Maximum Number of White List Entries Maximum Number of Black List Entries Maximum Number of DNSBLs Maximum Number of Anti-Spam Statistics Maximum Anti-Spam Statistics Ranking...
  • Page 928: Static Routes

    Chapter 57 Product Specifications Table 267 ZyWALL USG 100 Feature Specifications (continued) VERSION # V2.12 V2.20 FEATURE ROUTING Static Routes Policy Routes Sessions 20,000 20,000 ARP Table Size 1024 1024 MAC Table Size (For Bridge Mode only) NAT Entries up to 256 up to 256 Trigger Port Rules up to 8 per PR...
  • Page 929 Chapter 57 Product Specifications Table 267 ZyWALL USG 100 Feature Specifications (continued) VERSION # V2.12 V2.20 FEATURE Maximum Number of LDAP Servers for Each LDAP Group Maximum Number of RADIUS Groups Maximum Number of RADIUS Servers for Each RADIUS Group Maximum AD server for each AD group Maximum AD group number Maximum Number of Authentication Methods...
  • Page 930 Chapter 57 Product Specifications Table 267 ZyWALL USG 100 Feature Specifications (continued) VERSION # V2.12 V2.20 FEATURE Maximum Number of ADP Rules Maximum Block Host Number 1000 1000 Maximum Block Period 3600 3600 CONTENT FILTER Maximum Number of Content Filter Policies Maximum Number of Content Filter Profiles Maximum Number of Forbidden Domain Entries 128 per profile...
  • Page 931 Chapter 57 Product Specifications The following table, which is not exhaustive, lists standards referenced by ZyWALL features. Table 268 Standards Referenced by Features FEATURE STANDARDS REFERENCED Interface-Bridge A subset of the ANSI/IEEE 802.1d standard Interface RFCs 2131, 2132, 1541 Interface-PPP RFCs 1144, 1321, 1332, 1334, 1661, 1662, 2472 Interface-PPTP RFCs 2637, 3078...
  • Page 932: Or Wlan Pcmcia Card Installation

    Chapter 57 Product Specifications 57.1 3G or WLAN PCMCIA Card Installation Only insert a compatible 802.11b/g-compliant wireless LAN PCMCIA or CardBus card or 3G card. Slide the connector end of the card into the slot. Note: Do not force, bend or twist the card. Figure 601 WLAN Card Installation 57.2 Power Adaptor Specifications Table 269 North American Plug Standards...
  • Page 933 Chapter 57 Product Specifications Table 270 European Plug Standards POWER CONSUMPTION 20 W MAX. SAFETY STANDARDS TUV, CE (EN 60950-1) Table 271 United Kingdom Plug Standards AC POWER ADAPTOR MODEL PSA18R-120P (ZK)-R INPUT POWER 100-240 VAC, 50/60 Hz, 0.5 A OUTPUT POWER 12 VDC, 3.5 A POWER CONSUMPTION 20 W MAX.
  • Page 935: Appendix A Log Descriptions

    APPENDIX A Log Descriptions This appendix provides descriptions of example log messages for the ZLD-based ZyWALLs. The logs do not all apply to all of the ZLD-based ZyWALLs. You will not necessarily see all of these logs in your device. Table 275 Content Filter Logs LOG MESSAGE DESCRIPTION...
  • Page 936 Appendix A Log Descriptions Table 277 Blocked Web Site Logs LOG MESSAGE / DESCRIPTION. “%s :%s” (1st %s: website host; 2nd %s: website category): The rating server responded that the web site is in a specified category and access was blocked according to a content filter profile. “%s: Unrated”: The rating server responded that the web site cannot be...
  • Page 937 Appendix A Log Descriptions Table 277 Blocked Web Site Logs (continued) LOG MESSAGE / DESCRIPTION. “%s: Proxy mode is detected” (%s: website host): The system detected a proxy connection and blocked access according to a profile. “%s: Forbidden Web site” (%s: website host): The web site is in the forbidden web site list. The web content matched a user defined keyword.
  • Page 938 Appendix A Log Descriptions Table 278 Anti-Spam Logs (continued) LOG MESSAGE / DESCRIPTION. “Black List checking has been activated.”: The anti-spam black list has been turned on. “Black List checking has been deactivated.”: The anti-spam black list has been turned off. “Black List rule %d has...”: The anti-spam black list rule with the specified index number (%d) has been added.
  • Page 939 Appendix A Log Descriptions Table 279 SSL VPN Logs LOG MESSAGE / DESCRIPTION. “%s %s from %s has logged in SSLVPN”: A user has logged into SSL VPN. The first %s is the type of user account. The second %s is the user’s user name. The third %s is the name of the service the user is using (HTTP or HTTPS).
  • Page 940 Appendix A Log Descriptions Table 279 SSL VPN Logs (continued) LOG MESSAGE / DESCRIPTION. “The %s address-object is wrong type for %s.”: The listed address object (first %s) is not the right kind to be specified as a network in the listed SSL VPN policy (second %s).
  • Page 941 Appendix A Log Descriptions Table 279 SSL VPN Logs (continued) LOG MESSAGE / DESCRIPTION. “%s %s is accessed. sent=<bytes> rcvd=<bytes>”: The listed SSL VPN access was used to send and receive the listed numbers of bytes. The first %s is the type of SSL VPN access (web application, file sharing, or network extension).
  • Page 942 Appendix A Log Descriptions Table 280 L2TP Over IPSec Logs LOG MESSAGE / DESCRIPTION. “The configuration of L2TP over IPSec has been changed.”: The L2TP over IPSec configuration has been modified. “L2TP over IPSec may not work since Crypto Map...”: L2TP over IPSec does not support manual key management. L2TP over IPSec may not work because the IPSec VPN connection it uses (Crypto Map %s) has been set to use...
• Page 943, Table 281 ZySH Logs. The ZySH logs deal with internal system errors.
    Log message: Invalid message queue. Maybe someone starts another zysh daemon.
    Log message: ZySH daemon is instructed to reset by Description: 1st: pid num
    Log message: System integrity error!
    Group OPS
    Log message: cannot close property group...
• Page 944, Table 281 ZySH Logs (continued):
    Log message: Can't remove %s. Description: 1st: zysh list name
    Table OPS
    Log message: %s: cannot retrieve entries from table! Description: 1st: zysh table name
    Log message: %s: index is out of range! Description: 1st: zysh table name
    Log message: %s: cannot set entry. Description: 1st: zysh table name, 2nd: zysh entry num
    Log message: %s: table is full! Description: 1st: zysh table name
• Page 945, Table 282 ADP Logs:
    Log message: from <zone> to <zone> [type=<type>] <message>, Action: <action>, Severity: <severity>. Description: The ZyWALL detected an anomaly in traffic traveling between the specified zones. The <type> = {scan-detection(<attack>) | flood-detection(<attack>) | http-inspection(<attack>) | tcp-decoder(<attack>)}.
• Page 946, Table 283 Anti-Virus Logs:
    Log message: Initializing Anti-Virus signature reference table has failed. Description: The ZyWALL failed to initialize the anti-virus signatures due to an internal error.
    Log message: Reloading Anti-Virus ... Description: The ZyWALL failed to reload the anti-virus signatures due to an internal error.
• Page 947, Table 283 Anti-Virus Logs (continued):
    Log message: AV signature update has failed. Can not update last update time. Description: The anti-virus signatures update did not succeed.
    Log message: AV signature update has failed. ... Description: Anti-virus signatures update failed because the ZyWALL was not able to replace the old set of anti-virus signatures with...
• Page 948, Table 283 Anti-Virus Logs (continued):
    Log message: Anti-Virus rule %d has been modified. Description: The anti-virus rule of the specified number has been changed.
    Log message: Anti-Virus rule %d has ... Description: An anti-virus rule has been inserted. %d is the number of the new rule.
• Page 949, Table 284 User Logs:
    Log message: %s %s from %s has logged in ZyWALL. Description: A user logged into the ZyWALL. 1st %s: the type of user account. 2nd %s: the user’s user name. 3rd %s: the name of the service the user is using (HTTP, HTTPS, FTP, Telnet, SSH, or console).
• Page 950, Table 284 User Logs (continued):
    Log message: Failed login attempt to ZyWALL from %s (login on a lockout address). Description: A login attempt came from an IP address that the ZyWALL has locked out. %u.%u.%u.%u: the source address of the user’s login attempt.
    Log message: Failed login attempt to ... Description: The ZyWALL blocked a login because the maximum login...
• Page 951, Table 285 myZyXEL.com Logs (continued):
    Log message: Registration has failed. Because of lack must fields. Description: The device received an incomplete response from the myZyXEL.com server and it caused a parsing error for the device.
    Log message: %s:Trial service activation has... Description: Trial service activation failed for the specified service; the error message returned by the MyZyXEL.com server will be...
• Page 952, Table 285 myZyXEL.com Logs (continued):
    Log message: Do device register. Description: The device started device registration.
    Log message: Do trial service activation. Description: The device started trial service activation.
    Log message: Do standard service activation. Description: The device started standard service activation.
    Log message: ... Description: The device started the service expiration day check.
• Page 953, Table 285 myZyXEL.com Logs (continued):
    Log message: Device has latest signature file; no need to update. Description: The device already has the latest version of the signature file, so no update is needed.
    Log message: Connect to update server has failed. Description: The device cannot connect to the update server.
• Page 954, Table 285 myZyXEL.com Logs (continued):
    Log message: Get server response has failed. Description: The device sent packets to the server, but did not receive a response. The root cause may be that the connection is abnormal.
    Log message: Expiration daily-... Description: The daily check for service expiration failed; the error message returned by the MyZyXEL.com server will be appended to this...
• Page 955, Table 285 myZyXEL.com Logs (continued):
    Log message: Self signed certificate. Description: Verification of a server’s certificate failed because it is self-signed.
    Log message: Self signed certificate in certificate chain. Description: Verification of a server’s certificate failed because there is a self-signed certificate in the server’s certificate chain.
• Page 956, Table 286 IDP Logs (continued):
    Log message: Enable IDP engine succeeded. Description: The device turned on the IDP engine.
    Log message: Disable IDP engine succeeded. Description: The device turned off the IDP engine.
    Log message: IDP service is not registered. Description: The IDP service has not been turned on and the IDP signatures will not be updated because the IDP service is...
• Page 957, Table 286 IDP Logs (continued):
    Log message: Add custom signature error: signature <sid> is over length. Description: An attempt to add a custom IDP signature failed because the signature’s contents were too long.
    Log message: Edit custom signature ... Description: An attempt to edit a custom IDP signature failed because the signature’s contents were too long.
• Page 958, Table 286 IDP Logs (continued):
    Log message: from <zone> to <zone> [type=<type>] <message>, Action: <action>, Severity: <severity>. Description: The ZyWALL detected an intrusion in traffic traveling between the specified zones. The <type> = {scan-detection(<attack>) | flood-detection(<attack>) | http-inspection(<attack>) | tcp-decoder(<attack>)}.
• Page 959, Table 286 IDP Logs (continued):
    Log message: Duplicate sid <sid> in import file at line <linenum>. Description: The listed signature ID is duplicated at the listed line number in the signature file.
    Log message: IDP rule <num>... Description: The listed IDP rule has been removed.
• Page 960, Table 287 Application Patrol (continued) (columns MESSAGE and EXPLANATION):
    Message: Protocol %s has been enabled. Explanation: The listed protocol has been turned on in the application patrol.
    Message: Protocol %s has been ... Explanation: The listed protocol has been turned off in the application patrol.
• Page 961, Table 288 IKE Logs:
    Log message: Peer has not announced DPD capability. Description: The remote IPSec router has not announced its dead peer detection (DPD) capability to this device.
    Log message: [COOKIE] Invalid cookie, no sa found. Description: Cannot find SA according to the cookie.
    Log message: ... Description: The device’s DPD feature has not detected a response from...
• Page 962, Table 288 IKE Logs (continued):
    Log message: [SA] : Tunnel [%s] Phase 1 invalid protocol. Description: %s is the tunnel name. When negotiating Phase-1, the packet was not an ISAKMP packet in the protocol field.
    Log message: [SA] : Tunnel [%s] ... Description: %s is the tunnel name. When negotiating Phase-1, the transform ID was invalid.
• Page 963, Table 288 IKE Logs (continued):
    Log message: Could not dial manual key tunnel "%s". Description: %s is the tunnel name. The manual key tunnel cannot be dialed.
    Log message: DPD response with invalid ID. Description: A DPD response with an invalid ID was received and ignored.
    Log message: ... Description: A DPD response was received with no active query.
• Page 964, Table 288 IKE Logs (continued):
    Log message: VPN gateway %s was enabled. Description: %s is the gateway name. An administrator enabled the VPN gateway.
    Log message: XAUTH fail! My name: ... Description: %s is the my xauth name. This indicates that my name is invalid.
• Page 965, Table 289 IPSec Logs (continued):
    Log message: Get outbound transform fail. Description: When an outgoing packet needs to be transformed, the engine cannot obtain the transform context.
    Log message: Inbound transform operation fail. Description: After encryption or hardware accelerated processing, the hardware accelerator dropped a packet (resource shortage, corrupt packet, invalid MAC, and so on).
• Page 966, Table 290 Firewall Logs (continued):
    Log message: Firewall %s %s rule %d was %s. Description: 1st %s is from zone, 2nd %s is to zone, %d is the index of the rule. 3rd %s is appended/inserted/modified.
    Log message: Firewall %s %s rule %d ... Description: 1st %s is from zone, 2nd %s is to zone, 1st %d is the old index of the rule...
• Page 967, Table 292 Policy Route Logs (continued):
    Log message: The policy route %d uses empty user group! Description: Use an empty object group. %d: the policy route rule number.
    Log message: The policy route %d uses empty source address group! Description: Use an empty object group. %d: the policy route rule number.
• Page 968, Table 293 Built-in Services Logs (continued):
    Log message: HTTPS port has been changed to port %s. Description: An administrator changed the port number for HTTPS. %s is the port number.
    Log message: HTTPS port has been ... Description: An administrator changed the port number for HTTPS back to the default (443).
• Page 969, Table 293 Built-in Services Logs (continued):
    Log message: Console baud has been reset to %d. Description: An administrator changed the console port baud rate back to the default (115200). %d is the default baud rate.
    Log message: DHCP Server on ... Description: If the interface is in stand-by mode for device HA, the DHCP server can't be run.
• Page 970, Table 293 Built-in Services Logs (continued):
    Log message: DNS access control rule %u has been moved to %d. Description: An administrator moved the rule %u to index %d. %u is the previous index; %d is the current index.
    Log message: ... Description: The default record DNS servers is more than 128.
• Page 971, Table 293 Built-in Services Logs (continued):
    Log message: Access control rule %u of %s was modified. Description: An access control rule was modified successfully. %u is the index of the access control rule. %s is HTTP/HTTPS/SSH/SNMP/FTP/TELNET.
    Log message: ... Description: An access control rule was removed successfully.
• Page 972, Table 294 System Logs (continued):
    Log message: DHCP Server executed with cautious mode disabled. Description: DHCP Server executed with cautious mode disabled.
    Log message: Received packet is not an ARP response packet. Description: A packet was received but it is not an ARP response packet.
    Log message: ... Description: The device received an ARP response.
• Page 973, Table 294 System Logs (continued):
    Log message: Device is rebooted by administrator! Description: An administrator restarted the device.
    Log message: Insufficient memory. Description: Cannot allocate system memory.
    Log message: Connect to dyndns server has failed. Description: Cannot connect to members.dyndns.org to update DDNS.
    Log message: Update the profile %s ... Description: Update profile failed because the response was strange; %s is the profile name.
• Page 974, Table 294 System Logs (continued):
    Log message: Update the profile %s has failed because the feature requested is only available to donators. Description: Update profile failed because the feature requested is only available to donators; %s is the profile name.
• Page 975, Table 294 System Logs (continued):
    Log message: The profile %s has been paused because the HA interface of VRRP status was standby. Description: The profile is paused by Device-HA because the VRRP status of that HA interface is standby; %s is the profile name.
• Page 976, Table 295 Connectivity Check Logs:
    Log message: Can't open link_up2. Description: Cannot recover routing status which is link-down.
    Log message: Can not open %s.pid. Description: Cannot open the connectivity check process ID file. %s: interface name.
    Log message: Can not open %s.arg. Description: Cannot open the configuration file for the connectivity check process. %s: interface name.
    Log message: ... Description: The link status of the interface is still active after check of...
• Page 977, Table 295 Connectivity Check Logs (continued):
    Log message: Can't use MULTICAST IP for destination. Description: The connectivity check process can't use a multicast address to check link status.
    Log message: The destination is ... Description: The connectivity check process can't use a broadcast address to check link status.
• Page 978, Table 296 Device HA Logs (continued):
    Log message: %s file not existed, Skip syncing it for %s. Description: There is no file to be synchronized from the Master when syncing an object (AV/AS/IDP/Certificate/System Configuration), but in fact there should be something in the Master for the device to synchronize with. 1st %s: the syncing object; 2nd %s: the feature name for the syncing object.
• Page 979, Table 296 Device HA Logs (continued):
    Log message: Device HA authentication type for VRRP group %s maybe wrong. Description: A VRRP group’s Authentication Type (MD5 or IPSec AH) configuration may not match between the Backup and the Master. %s: the name of the VRRP group.
• Page 980, Table 297 Routing Protocol Logs:
    Log message: RIP on interface %s has been stopped because Device-HA binds this interface. Description: Device-HA is currently running on the interface %s, so all the local services have to be stopped, including RIP. %s: interface name.
• Page 981, Table 297 Routing Protocol Logs (continued):
    Log message: RIP md5 authentication id and key have been deleted. Description: RIP md5 authentication id and key have been deleted.
    Log message: RIP global version has been deleted. Description: RIP global version has been deleted.
• Page 982, Table 297 Routing Protocol Logs (continued):
    Log message: Invalid OSPF virtual-link %s authentication ... Description: Virtual-link %s authentication has been set to same-as-area but the area has an invalid authentication configuration. %s: Virtual-Link ID of area %s.
    Log message: ... Description: Invalid OSPF md5 authentication is set on interface %s.
• Page 983, Table 298 NAT Logs (continued):
    Log message: Register SIP ALG signal port=%d failed. Description: SIP ALG apply signal port failed. %d: port number.
    Log message: Register H.323 ALG extra port=%d failed. Description: H323 ALG apply additional signal port failed. %d: port number.
    Log message: ... Description: H323 ALG apply signal port failed.
• Page 984, Table 299 PKI Logs (continued):
    Log message: SCEP enrollment "%s" successfully, CA "%s", URL "%s"... Description: The device used SCEP to enroll a certificate. 1st %s is a request name, 2nd %s is the CA name, 3rd %s is the URL.
• Page 985, Table 299 PKI Logs (continued):
    Log message: Export X509 certificate "%s" from "Trusted Certificate" successfully. Description: The device exported an x509 format certificate from Trusted Certificates. %s is the certificate request name.
    Log message: Export X509 ... Description: The device was not able to export an x509 format certificate from My Certificates.
• Page 986 (continued table with columns CODE and DESCRIPTION):
    Description: Database method failed due to timeout.
    Description: Database method failed.
    Description: Path was not verified.
    Description: Maximum path length reached.
  Table 300 Interface Logs:
    Log message: Interface %s has been ... Description: An administrator deleted an interface. %s is the interface name.
• Page 987, Table 300 Interface Logs (continued):
    Log message: Interface %s is enabled. Description: An administrator enabled an interface. %s: interface name.
    Log message: Interface %s is disabled. Description: An administrator disabled an interface. %s: interface name.
    Log message: PPP interface %s MTU >... Description: An administrator configured a PPP interface, ...
• Page 988, Table 300 Interface Logs (continued):
    Log message: Interface %s connect failed: MS-CHAP authentication. Description: MS-CHAP authentication failed (the server must support MS-CHAP and verify that the authentication failed; this does not include cases where the server does not support MS-CHAP). %s: interface name.
• Page 989, Table 300 Interface Logs (continued):
    Log message: SIM card has been successfully unlocked by PUK code on interface cellular%d. Description: You entered the correct PUK code and unlocked the SIM card for the cellular device associated with the listed cellular interface (%d).
• Page 990, Table 300 Interface Logs (continued):
    Log message: Cellular device [%s %s] has been removed from %s. Description: The cellular device (identified by its manufacturer and model) has been removed from the specified slot.
    Log message: Interface cellular%d ... Description: You need to manually enter the password for the listed cellular interface (%d).
• Page 991, Table 301 WLAN Logs (continued):
    Log message: Station association has failed. Maximum associations have ... Description: A wireless client with the specified MAC address (second %s) failed to connect to the specified WLAN interface (first %s) because the WLAN interface already has its maximum number of wireless clients.
• Page 992, Table 303 Port Grouping Logs:
    Log message: Interface %s links up because of changing Port Group. Description: An administrator used port-grouping to assign a port to a representative interface, and this representative interface is set to DHCP client and only has one member. In this case the...
• Page 993, Table 305 File Manager Logs (continued):
    Log message: ERROR:#%s, %s. Description: Run script failed; this log shows which CLI command was wrong and what the error message was. 1st %s is the CLI command. 2nd %s is the error message returned when applying the CLI command.
    Log message: WARNING:#%s, %s. Description: Run script failed; this log shows which CLI command was wrong and what the warning message was.
• Page 994, Table 307 E-mail Daily Report Logs:
    Log message: Email Daily Report has been activated. Description: The daily e-mail report function has been turned on. The ZyWALL will e-mail a daily report about the selected items at the scheduled time if the required settings are configured correctly.
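The login, lockout and ADP/IDP message formats listed in Tables 282, 284 and 286 of this appendix are regular enough to parse at a syslog collector. The Python script below is an added example, not ZyXEL's code and not taken from this manual: it matches constructed sample lines against the documented message skeletons and builds the counters an operator would watch, such as repeated hits on a locked-out source address and detections by engine and severity. The sample lines, zone names, attack names, action and severity values are assumptions; only the message skeletons (and the four <type> engines) come from the tables, and the syslog timestamp/hostname prefix is assumed to have been stripped already.

```python
import re
from collections import Counter

# Message skeletons from Table 284 (User Logs): "%s %s from %s has logged in ZyWALL"
# where the fields are account type, user name and service, and
# "Failed login attempt to ZyWALL from %s (login on a lockout address)".
LOGIN_RE = re.compile(
    r"^(?P<acct_type>\S+) (?P<user>\S+) from (?P<service>\S+) has logged in ZyWALL$")
LOCKOUT_RE = re.compile(
    r"^Failed login attempt to ZyWALL from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\(login on a lockout address\)$")

# Skeleton shared by Table 282 (ADP) and Table 286 (IDP):
# "from <zone> to <zone> [type=<type>] <message> , Action: <action>, Severity: <severity>"
# with <type> one of the four engines the tables list. The optional space before
# the comma follows the manual's own rendering of the message.
IDP_RE = re.compile(
    r"^from (?P<from_zone>\S+) to (?P<to_zone>\S+) "
    r"\[type=(?P<engine>scan-detection|flood-detection|http-inspection|tcp-decoder)"
    r"\((?P<attack>[^)]*)\)\] (?P<message>.*?) ?, Action: (?P<action>[^,]+), "
    r"Severity: (?P<severity>\S+)$")

def parse_line(msg):
    """Classify one ZyWALL log message; returns (kind, fields) or (None, {})."""
    for kind, rx in (("login", LOGIN_RE), ("lockout", LOCKOUT_RE), ("idp", IDP_RE)):
        m = rx.match(msg)
        if m:
            return kind, m.groupdict()
    return None, {}

def summarize(lines):
    """Aggregate the counters a SOC would watch: logins by service, lockout hits
    by source address, and ADP/IDP detections by engine and by severity."""
    summary = {"logins_by_service": Counter(), "lockout_hits": Counter(),
               "idp_by_engine": Counter(), "idp_by_severity": Counter(), "unparsed": 0}
    for line in lines:
        kind, f = parse_line(line)
        if kind == "login":
            summary["logins_by_service"][f["service"]] += 1
        elif kind == "lockout":
            summary["lockout_hits"][f["src"]] += 1
        elif kind == "idp":
            summary["idp_by_engine"][f["engine"]] += 1
            summary["idp_by_severity"][f["severity"]] += 1
        else:
            summary["unparsed"] += 1
    return summary

def lockout_sources_over(summary, threshold=2):
    """Source addresses whose attempts against a locked-out address reach the
    threshold. The manual logs one line per attempt, so counting per source
    turns a noisy per-event log into one actionable list."""
    return sorted(src for src, n in summary["lockout_hits"].items() if n >= threshold)

# Constructed sample lines (assumed values, not captured from a real device).
SAMPLE_LOGS = [
    "admin alice from HTTPS has logged in ZyWALL",
    "user bob from SSH has logged in ZyWALL",
    "Failed login attempt to ZyWALL from 198.51.100.7 (login on a lockout address)",
    "Failed login attempt to ZyWALL from 198.51.100.7 (login on a lockout address)",
    "from WAN to LAN1 [type=scan-detection(EXAMPLE-SCAN)] example scan signature , Action: drop, Severity: high",
    "from LAN1 to WAN [type=flood-detection(EXAMPLE-FLOOD)] example flood signature , Action: log, Severity: medium",
    "Connect to update server has failed.",  # documented elsewhere; deliberately left unparsed here
]

if __name__ == "__main__":
    s = summarize(SAMPLE_LOGS)
    print("logins by service:", dict(s["logins_by_service"]))
    print("repeat lockout sources:", lockout_sources_over(s))
    print("IDP by engine:", dict(s["idp_by_engine"]), "by severity:", dict(s["idp_by_severity"]))
    print("unparsed lines:", s["unparsed"])
```

The regexes are anchored at both ends so a partially matching line is counted as unparsed rather than mis-attributed; in practice the unparsed counter is the signal that a new firmware has changed a message format and the parser needs updating.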
• Page 995: Appendix B Common Services
    The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Numbers Authority) web site.
• Page 996 Appendix B Common Services, Table 310 Commonly Used Services (continued) (columns NAME, PROTOCOL, PORT(S), DESCRIPTION):
    Name: (IPSEC_TUNNEL). Protocol: User-Defined. Description: The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service.
    Name: FINGER. Description: Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.
• Page 997, Table 310 Commonly Used Services (continued):
    Name: PPTP. Port(s): 1723. Description: Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the control channel.
    Name: PPTP_TUNNEL (GRE). Protocol: User-Defined. Description: PPTP (Point-to-Point Tunneling Protocol) enables secure transfer of data over public networks.
• Page 998, Table 310 Commonly Used Services (continued):
    Name: TFTP. Description: Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol).
    Name: VDOLIVE. Port(s): 7000. Description: Another videoconferencing solution.
• Page 999: Appendix C Displaying Anti-Virus Alert Messages in Windows
    With the anti-virus packet scan, when a virus is detected, you can have the ZyWALL display an alert message on Microsoft Windows-based computers. If the log shows that virus files are being detected but your Microsoft Windows-based computer is not displaying an alert message, use one of the following procedures to make sure your computer is set to display the messages.
• Page 1000: Select the Messenger service and click Start. Figure 603 Windows XP: Starting the Messenger Service. Close the window when you are done. Windows 2000: Click Start > Settings > Control Panel > Administrative Tools > Services. Figure 604 Windows 2000: Opening the Services Window. 1000 ZyWALL USG 100/200 Series User’s Guide...
• Page 1001: Select the Messenger service and click Start Service. Figure 605 Windows 2000: Starting the Messenger Service. Close the window when you are done. Windows 98 SE/Me: For Windows 98 SE/Me, you must open the WinPopup window in order to view real-time alert messages.
• Page 1002: Right-click on the program task bar and click Properties. Figure 607 Windows 98 SE: Program Task Bar. Click the Start Menu Programs tab and click Advanced ... Figure 608 Windows 98 SE: Task Bar Properties. Double-click Programs and click StartUp.
• Page 1003: Right-click in the StartUp pane and click New, Shortcut. Figure 609 Windows 98 SE: StartUp. A Create Shortcut window displays. Enter “winpopup” in the Command line field and click Next. Figure 610 Windows 98 SE: Startup: Create Shortcut.