ZyXEL Communications ZYWALL USG 20 Manual

Unified security gateway

ZyWALL USG 20/20W
Unified Security Gateway

Default Login Details
LAN Port: P2, P3
IP Address: https://192.168.1.1
User Name: admin
Password: 1234

Version 2.21
Edition 4, 4/2011
www.zyxel.com
Copyright © 2011 ZyXEL Communications Corporation


Summary of Contents for ZyXEL Communications ZYWALL USG 20

  • Page 1 ZyWALL USG 20/20W Unified Security Gateway Default Login Details LAN Port P2, P3 IP Address https://192.168.1.1 User Name admin Password 1234 www.zyxel.com Version 2.21 Edition 4, 4/2011 www.zyxel.com Copyright © 2011 ZyXEL Communications Corporation...
  • Page 3: About This User's Guide

    • To find specific information in this guide, use the Contents Overview, the Table of Contents, the Index, or search the PDF file. E-mail techwriters@zyxel.com.tw if you cannot find the information you require. Related Documentation: Quick Start Guide. The Quick Start Guide is designed to show you how to make the ZyWALL hardware connections and access the Web Configurator wizards.
  • Page 4 Knowledge Base: If you have a specific question about your product, the answer may be here. This is a collection of answers to previously asked questions about ZyXEL products.
  • Page 5 Forum: This contains discussions on ZyXEL products. Learn from others who use ZyXEL products and share your experiences as well. Customer Support: Should problems arise that cannot be solved by the methods listed above, you should contact your vendor.
  • Page 6: Document Conventions

    For example, “k” for kilo may denote “1000” or “1024”, “M” for mega may denote “1000000” or “1048576” and so on. • “e.g.,” is a shorthand for “for instance”, and “i.e.,” means “that is” or “in other words”.
  • Page 7 Icons Used in Figures: Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. Icons: ZyWALL, Computer, Notebook computer, Server, Firewall, Telephone, Switch, Router.
  • Page 8: Safety Warnings

    Your product is marked with this symbol, which is known as the WEEE mark. WEEE stands for Waste Electronics and Electrical Equipment. It means that used electrical and electronic products should not be mixed with general waste. Used electrical and electronic equipment should be treated separately.
  • Page 9: Table Of Contents

    SSL User Application Screens (p. 447); ZyWALL SecuExtender (p. 449); Bandwidth Management (p. 453); ADP (p. 467); Content Filtering (p. 487); Content Filter Reports (p. 513); Anti-Spam (p. 521); User/Group (p. 539); Addresses (p. 555); Services (p. 561)
  • Page 10 Endpoint Security (p. 621); System (p. 629); Log and Report (p. 679); File Manager (p. 693); Diagnostics (p. 705); Packet Flow Explore (p. 715); Reboot (p. 723); Shutdown (p. 725); Troubleshooting (p. 727); Product Specifications (p. 741)
  • Page 11: Table Of Contents

    3.1 Web Configurator Requirements (p. 43); 3.2 Web Configurator Access (p. 43); 3.3 Web Configurator Screens Overview (p. 45); 3.3.1 Title Bar (p. 46); 3.3.2 Navigation Panel (p. 47); 3.3.3 Main Window (p. 52); 3.3.4 Tables and Lists (p. 54)
  • Page 12 6.2.2 Default Interface and Zone Configuration (p. 90); 6.3 Terminology in the ZyWALL (p. 91); 6.4 Packet Flow (p. 91); 6.4.1 Routing Table Checking Flow (p. 92); 6.4.2 NAT Table Checking Flow (p. 94); 6.5 Feature Configuration Overview (p. 95)
  • Page 13 7.3.2 Configure the WAN Trunk (p. 114); 7.4 How to Set Up an IPSec VPN Tunnel (p. 116); 7.4.1 Set Up the VPN Gateway (p. 117); 7.4.2 Set Up the VPN Connection (p. 118); 7.4.3 Configure Security Policies for the VPN Tunnel (p. 119)
  • Page 14 Dashboard (p. 165); 8.1 Overview (p. 165); 8.1.1 What You Can Do in this Chapter (p. 165); 8.2 The Dashboard Screen (p. 165); 8.2.1 The CPU Usage Screen (p. 171); 8.2.2 The Memory Usage Screen (p. 172)
  • Page 15 10.2 The Registration Screen (p. 212); 10.3 The Service Screen (p. 214); Chapter 11 Interfaces (p. 217); 11.1 Interface Overview (p. 217); 11.1.1 What You Can Do in this Chapter (p. 217); 11.1.2 What You Need to Know (p. 218)
  • Page 16 13.1.2 What You Need to Know (p. 298); 13.2 Policy Route Screen (p. 300); 13.2.1 Policy Route Edit Screen (p. 303); 13.3 IP Static Route Screen (p. 307); 13.3.1 Static Route Add/Edit Screen (p. 308); 13.4 Policy Routing Technical Reference (p. 309)
  • Page 17 Chapter 18 HTTP Redirect (p. 347); 18.1 Overview (p. 347); 18.1.1 What You Can Do in this Chapter (p. 347); 18.1.2 What You Need to Know (p. 348); 18.2 The HTTP Redirect Screen (p. 349)
  • Page 18 22.2 The Firewall Screen (p. 381); 22.2.1 Configuring the Firewall Screen (p. 382); 22.2.2 The Firewall Add/Edit Screen (p. 385); 22.3 The Session Limit Screen (p. 386); 22.3.1 The Session Limit Add/Edit Screen (p. 388); Chapter 23 IPSec VPN (p. 391)
  • Page 19 Chapter 27 ZyWALL SecuExtender (p. 449); 27.1 The ZyWALL SecuExtender Icon (p. 449); 27.2 Statistics (p. 450); 27.3 View Log (p. 451); 27.4 Suspend and Resume the Connection (p. 451); 27.5 Stop the Connection (p. 452)
  • Page 20 30.5 Content Filter Categories Screen (p. 494); 30.5.1 Content Filter Blocked and Warning Messages (p. 508); 30.6 Content Filter Customization Screen (p. 508); 30.7 Content Filter Technical Reference (p. 511); Chapter 31 Content Filter Reports (p. 513)
  • Page 21 34.1.2 What You Need To Know (p. 555); 34.2 Address Summary Screen (p. 555); 34.2.1 Address Add/Edit Screen (p. 557); 34.3 Address Group Summary Screen (p. 558); 34.3.1 Address Group Add/Edit Screen (p. 559); Chapter 35 Services (p. 561)
  • Page 22 38.1.3 Example: Selecting a VPN Authentication Method (p. 583); 38.2 Authentication Method Objects (p. 584); 38.2.1 Creating an Authentication Method Object (p. 585); Chapter 39 Certificates (p. 589); 39.1 Overview (p. 589); 39.1.1 What You Can Do in this Chapter (p. 589)
  • Page 23 43.1 Overview (p. 629); 43.1.1 What You Can Do in this Chapter (p. 629); 43.2 Host Name (p. 630); 43.3 USB Storage (p. 631); 43.4 Date and Time (p. 631); 43.4.1 Pre-defined NTP Time Servers List (p. 634)
  • Page 24 43.12 Vantage CNM (p. 674); 43.12.1 Configuring Vantage CNM (p. 675); 43.13 Language Screen (p. 677); Chapter 44 Log and Report (p. 679); 44.1 Overview (p. 679); 44.1.1 What You Can Do In this Chapter (p. 679)
  • Page 25 47.2 The Routing Status Screen (p. 715); 47.3 The SNAT Status Screen (p. 719); Chapter 48 Reboot (p. 723); 48.1 Overview (p. 723); 48.1.1 What You Need To Know (p. 723); 48.2 The Reboot Screen (p. 723); Chapter 49 Shutdown (p. 725)
  • Page 26 Appendix A Log Descriptions (p. 747); Appendix B Common Services (p. 799); Appendix C Wireless LANs (p. 803); Appendix D Importing Certificates (p. 819); Appendix E Open Software Announcements (p. 845); Appendix F Legal Information (p. 935); Index (p. 939)
  • Page 27: User's Guide

    User’s Guide...
  • Page 29: Introducing The Zywall

    LAN networks. You can set ports to be part of the LAN1, WLAN, or DMZ. Alternatively, you can deploy the ZyWALL as a transparent firewall in an existing network with minimal configuration. 1.2 Wall-mounting: Do the following to attach your ZyWALL to a wall.
  • Page 30 Note: Make sure the screws are securely fixed to the wall and strong enough to hold the weight of the ZyWALL with the connection cables. Align the holes on the back of the ZyWALL with the screws on the wall. Hang the ZyWALL on the screws. [Figure: USG 20]
  • Page 31 [Figure: USG 20W] The ZyWALL should be wall-mounted horizontally. The ZyWALL's side panels with ventilation slots should not be facing up or down as this position is less safe.
  • Page 32: Front Panel

    Green The ZyWALL is not ready or has failed. The ZyWALL is ready and running. Blinking The ZyWALL is booting. The ZyWALL had an error or has failed.
  • Page 33: Management Overview

    Figure 2 Managing the ZyWALL: Web Configurator. Command-Line Interface (CLI): The CLI allows you to use text-based commands to configure the ZyWALL. You can access it using remote management (for example, SSH or Telnet) or via the ...
  • Page 34: Starting And Stopping The Zywall

    Using the RESET button: If you press the RESET button, the ZyWALL sets the configuration to its default values and then reboots.
  • Page 35 ZyWALL simply turns off. It does not stop the system processes or write cached data to local storage. The ZyWALL does not stop or start the system processes when you apply configuration files or run shell scripts although you may temporarily lose access to network resources.
  • Page 36 Chapter 1 Introducing the ZyWALL
  • Page 37: Features And Applications

    Many security settings are made by zone, not by interface, port, or network. As a result, it is much simpler to set up and to change security settings in the ZyWALL. You can create your own custom zones. You can add interfaces and VPN tunnels to zones.
  • Page 38 Use the black list to identify spam e-mail. The ZyWALL can also check e-mail against a DNS black list (DNSBL) of IP addresses of servers that are suspected of being used by spammers.
  • Page 39: Applications

    You can also set up additional connections to the Internet to provide better service. Figure 3 Applications: VPN Connectivity. 2.2.2 SSL VPN Network Access: You can configure the ZyWALL to provide SSL VPN network access to remote users.
  • Page 40 Figure 4 Network Access Mode: Full Tunnel Mode
  • Page 41: User-Aware Access Control

    2.2.3 User-Aware Access Control: Set up security policies that restrict access to sensitive information and shared resources based on the user who is trying to access it. Figure 5 Applications: User-Aware Access Control
  • Page 42 Chapter 2 Features and Applications
  • Page 43: Web Configurator

    • Enable Java permissions (enabled by default)
    • Enable cookies
    The recommended screen resolution is 1024 x 768 pixels. 3.2 Web Configurator Access: Make sure your ZyWALL hardware is properly connected. See the Quick Start Guide.
  • Page 44 Click Login. If you logged in using the default user name and password, the Update Admin Info screen (Figure 7 on page 44) appears. Otherwise, the dashboard (Figure 8 on page 45) appears. Figure 7 Update Admin Info Screen
  • Page 45: Web Configurator Screens Overview

    3.3 Web Configurator Screens Overview: The Web Configurator screen is divided into these parts (as illustrated in Figure 8 on page 45): A - title bar; B - navigation panel; C - main window.
  • Page 46: Title Bar

    (CLI). See the CLI Reference Guide for details on the commands. Click this to open a popup window that displays the CLI commands sent by the Web Configurator. 3.3.1.1 About: Click this to display basic information about the ZyWALL. Figure 10 Title Bar
  • Page 47: Navigation Panel

    The dashboard displays general device information, system status, system resource usage, licensed service status, and interface status in widgets that you can re-arrange to suit your needs. See Chapter 8 on page 165 for details on the dashboard.
  • Page 48: Monitor Menu

    Table 7 Configuration Menu Screens Summary (FOLDER OR LINK: FUNCTION). Quick Setup: Quickly configure WAN interfaces or VPN connections. Licensing, Registration, Registration: Register the device and activate trial services. Service: View the licensed service status and upgrade licensed services.
  • Page 49 VPN Connection: Configure IPSec tunnels. VPN Gateway: Configure IKE tunnels. SSL VPN, Access Privilege: Configure SSL VPN access rights for users and groups. Global Setting: Configure the ZyWALL’s SSL VPN settings that apply to all connections.
  • Page 50 Certificate, My Certificates: Create and manage the ZyWALL’s certificates. Trusted Certificates: Import and manage certificates from trusted sources. ISP Account: Create and manage ISP account information for PPPoE/PPTP interfaces. Application: Create SSL web application objects.
  • Page 51 File Manager, Configuration File: Manage and upload configuration files for the ZyWALL. Firmware Package: View the current firmware version and upload firmware. Shell Script: Manage and run shell script files for the ZyWALL.
  • Page 52: Main Window

    Right after you log in, the Dashboard screen is displayed. See Chapter 8 on page for more information about the Dashboard screen. 3.3.3.1 Warning Messages: Warning messages, such as those resulting from misconfiguration, display in a popup window. Figure 12 Warning Message
  • Page 53 Refresh to show which configuration settings reference the object. The following example shows which configuration settings reference the ldap-users user object (in this case the first firewall rule). Figure 14 Object Reference
  • Page 54: Tables And Lists

    Click Clear to remove the currently displayed information. See the Command Reference Guide for information about the commands. 3.3.4 Tables and Lists: The Web Configurator tables and lists are quite flexible and provide several options for how to display their entries.
  • Page 55
    • Select which columns to display
    • Group entries by field
    • Show entries in groups
    • Filter by mathematical operators (<, >, or =) or searching for text
    Figure 17 Common Table Column Options
  • Page 56 Figure 19 Changing the Column Order. Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how many entries display at a time. Figure 20 Navigating Pages of Table Entries
  • Page 57: Working With Table Entries

    3.3.4.3 Working with Lists: When a list of available entries displays next to a list of selected entries, you can often just double-click an entry to move it from one list to the other. In some lists ...
  • Page 58 you can also use the [Shift] or [Ctrl] key to select multiple entries, and then use the arrow button to move them to the other list. Figure 22 Working with Lists
  • Page 59: Installation Setup Wizard

    • Click Go to Dashboard to skip the installation setup wizard or click Next to start configuring for Internet access. 4.1.1 Internet Access Setup - WAN Interface: Use this screen to configure the WAN interface’s type of encapsulation and method of IP address assignment.
  • Page 60: Internet Access: Ethernet

    • Encapsulation: This displays the type of Internet connection you are configuring. • First WAN Interface: This is the number of the interface that will connect with your ISP. • Zone: This is the security zone to which this interface and Internet connection will belong.
  • Page 61: Internet Access: Pppoe

    PPPoE server. You can use alphanumeric and - _@$./ characters, and it can be up to 64 characters long. • Authentication Type - Select an authentication protocol for outgoing connection requests. Options are: ...
  • Page 62 Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
  • Page 63: Internet Access: Pptp

    • Type the Password associated with the user name. Use up to 64 ASCII characters except the [] and ?. This field can be blank. Re-type your password in the next field to confirm it.
  • Page 64 The ZyWALL uses these (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Leave the field as 0.0.0.0 if you do not want to configure DNS servers.
  • Page 65: Internet Access - Finish

    ZyWALL is already registered this screen displays your user name and which trial services are activated (if any). You can still activate any un-activated trial services. Note: You must be connected to the Internet to register.
  • Page 66 Spaces are not allowed. Type it again in the Confirm Password field. • E-Mail Address: Enter your e-mail address. Use up to 80 alphanumeric characters (periods and the underscore are also allowed) without spaces. • Country Code: Select your country from the drop-down box list.
  • Page 67 After the trial expires, you can buy an iCard and enter the license key in the Registration > Service screen to extend the service. Figure 30 Registration: Registered Device
  • Page 68 Chapter 4 Installation Setup Wizard
  • Page 69: Quick Setup

    ISP account settings in the ZyWALL if you use PPPoE or PPTP. See Section 5.2 on page • VPN SETUP: Use VPN SETUP to configure a VPN (Virtual Private Network) tunnel for a secure connection to another computer or network. See Section 5.4 on page ...
  • Page 70: Wan Interface Quick Setup

    Figure 33 Choose an Ethernet Interface. 5.2.2 Select WAN Type. WAN Type Selection: Select the type of encapsulation this connection is to use. Choose Ethernet when the WAN port is used as a regular Ethernet.
  • Page 71: Configure Wan Settings

    Figure 35 WAN Interface Setup: Step 2 • WAN Interface: This is the interface you are configuring for Internet access. • Zone: This is the security zone to which this interface and Internet connection belong.
  • Page 72: Wan And Isp Connection Settings

    Table 11 WAN and ISP Connection Settings (LABEL: DESCRIPTION). ISP Parameter: This section appears if the interface uses a PPPoE or PPTP Internet connection. Encapsulation: This displays the type of Internet connection you are configuring.
  • Page 73 This field displays to which security zone this interface and Internet connection will belong. IP Address: This field is read-only when the WAN interface uses a dynamic IP address. If your WAN interface uses a static IP address, enter it in this field.
  • Page 74: Quick Setup Interface Wizard: Summary

    This field is read-only and only appears for a PPPoE interface. It displays the PPPoE service name specified in the ISP account. Server IP: This field only appears for a PPTP interface. It displays the IP address of the PPTP server.
  • Page 75: Vpn Quick Setup

    Wizard Welcome screen. The VPN wizard creates corresponding VPN connection and VPN gateway settings and address objects that you can use later in configuring more VPN connections or other features. Click Next. Figure 38 VPN Quick Setup Wizard
  • Page 76: Vpn Setup Wizard: Wizard Type

    ZyWALL using a pre-shared key and default security settings. Advanced: Use this wizard to configure detailed VPN security settings such as using certificates. The VPN connection can be to another ZLD-based ZyWALL or other IPSec device.
  • Page 77: Vpn Express Wizard - Scenario

    Only the clients can initiate the VPN tunnel. • Remote Access (Client Role) - Choose this to connect to an IPSec server. This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel.
  • Page 78: Vpn Express Wizard - Configuration

    If this field is configurable, type the IP address of a computer behind the remote IPSec device. You can also specify a subnet. This must match the local IP address configured on the remote IPSec device.
  • Page 79: Vpn Express Wizard - Summary

    “.zysh” filename extension. Then you can use the file manager to run the script in order to configure the VPN connection. See the commands reference guide for details on the commands displayed in this list.
  • Page 80: Vpn Express Wizard - Finish

    Figure 43 VPN Express Wizard: Step 6. Note: If you have not already done so, use the myZyXEL.com link and register your ZyWALL with myZyXEL.com and activate trials of services like Content Filter. Click Close to exit the wizard.
  • Page 81: Vpn Advanced Wizard - Scenario

    • Remote Access (Server Role) - Choose this to allow incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel.
  • Page 82: Vpn Advanced Wizard - Phase 1 Settings

    The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES ...
  • Page 83: Vpn Advanced Wizard - Phase 2

    Certificate to use one of the ZyWALL’s certificates. 5.5.6 VPN Advanced Wizard - Phase 2: Phase 2 in an IKE uses the SA that was established in phase 1 to negotiate SAs for IPSec. Figure 46 VPN Advanced Wizard: Step 4
  • Page 84 IP address configured on the remote IPSec device. • Nailed-Up: This displays for the site-to-site and remote access client role scenarios. Select this to have the ZyWALL automatically renegotiate the IPSec SA when the SA life time expires.
  • Page 85: Vpn Advanced Wizard - Summary

    IPSec device that can use the tunnel. • Copy and paste the Configuration for Remote Gateway commands into another ZLD-based ZyWALL’s command line interface. • Click Save to save the VPN rule.
  • Page 86: Vpn Advanced Wizard - Finish

    Figure 48 VPN Wizard: Step 6: Advanced. Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like Content Filter. Click Close to exit the wizard.
  • Page 87: Configuration Basics

    You can create address objects based on an interface’s IP address, subnet, or gateway. The ZyWALL automatically updates every rule or setting that uses these objects whenever the interface’s IP address settings change. For example, if you ...
  • Page 88: Zones, Interfaces, And Physical Ports

    Port roles combine physical ports into interfaces. Physical Ethernet Ports (P1, P2, ...): The physical port is where you connect a cable. In configuration, you use physical ports when configuring port groups. You use interfaces and zones in configuring other features.
  • Page 89: Interface Types

    • Virtual interfaces increase the amount of routing information in the ZyWALL. There are three types: virtual Ethernet interfaces (also known as IP alias), virtual VLAN interfaces, and virtual bridge interfaces.
  • Page 90: Default Interface And Zone Configuration

    The following figure uses letters to denote public IP addresses or part of a private IP address. Figure 50 Default Network Topology Table 14 ZyWALL USG 20 Default Port, Interface, and Zone Configuration IP ADDRESS AND DHCP SUGGESTED USE WITH...
  • Page 91: Terminology In The Zywall

    Address mapping Policy route Address mapping (VPN) IPSec VPN Interface bandwidth management Interface (outbound) General bandwidth management Policy route. 6.4 Packet Flow: Here is the order in which the ZyWALL applies its features and checks.
  • Page 92: Routing Table Checking Flow

    When the ZyWALL receives packets it defragments them and applies destination NAT. Then it examines the packets and determines how to route them. The checking flow is from top to bottom. As soon as the packets match an entry in one ...
  • Page 93 A many 1 to 1 NAT entry works like multiple 1 to 1 NAT rules. It maps a range of private network servers that will initiate sessions to the outside clients to a range of public IP addresses. See Section 17.2.1 on page 340 for more.
  • Page 94: Nat Table Checking Flow

    SNAT defined in the policy routes. 1 to 1 SNAT (including Many 1 to 1) is also included in the NAT table. NAT loopback is now included in the NAT table instead of requiring a separate policy route.
  • Page 95: Feature Configuration Overview

    Note: PREREQUISITES or WHERE USED does not appear if there are no prerequisites or references in other features to this one. For example, no other features reference DDNS entries, so there is no WHERE USED entry.
  • Page 96: Licensing Registration

    Use policy routes to override the ZyWALL’s default routing behavior in order to send packets through the appropriate interface or VPN tunnel. You can also use policy routes for bandwidth management (out of the ZyWALL), port triggering, ...
  • Page 97 FTP traffic. Note: The ZyWALL checks the policy routes in the order that they are listed. So make sure that your custom policy route comes before any other routes that would also match the FTP traffic.
  • Page 98: Static Routes

    ZyWALL available outside the private network. The ZyWALL only checks regular (through-ZyWALL) firewall rules for packets that are redirected by NAT; it does not check the to-ZyWALL firewall rules. MENU ITEM(S): Configuration > Network > NAT
  • Page 99: Http Redirect

    Example: Suppose you want HTTP requests from your LAN to go to a HTTP proxy server at IP address 192.168.3.80. Click Configuration > Network > HTTP Redirect. Add an entry. Name the entry. Select the interface from which you want to redirect incoming HTTP requests (lan1).
  • Page 100: Alg

    Example: Suppose you have a SIP proxy server connected to the DMZ zone for VoIP calls. You could configure a firewall rule to allow VoIP sessions from the SIP proxy server on DMZ to the LAN so VoIP users on the LAN can receive calls.
  • Page 101: Ipsec Vpn

    PREREQUISITES: Interfaces, SSL application, users, user groups, addresses (network list, IP pool for assigning to clients, DNS and WINS server addresses), to-ZyWALL firewall, firewall. WHERE USED: Policy routes, zones. Example: See Chapter 7 on page 107.
  • Page 102: Bandwidth Management

    Example: You can configure a policy that blocks Bill’s access to arts and entertainment web pages during the workday. You must have already subscribed to the content filter service. Create a user account for Bill if you have not done so already (Configuration > Object > User/Group).
  • Page 103: Anti-Spam

    Move your cursor over a configuration object that has a magnifying-glass icon (such as a user group, address, address group, service, service group, zone, or schedule) to display basic information about the object.
  • Page 104: User/Group

    If you want to force users to log in to the ZyWALL before the ZyWALL routes traffic for them, you might have to configure prerequisites first. MENU ITEM(S): Object > User/Group. PREREQUISITES: Addresses, address groups, schedules. The prerequisites are only used in policies to force user authentication ...
  • Page 105: System

    The ZyWALL provides a system log, offers two e-mail profiles to which to send log messages, and sends information to four syslog servers. It can also e-mail you statistical reports on a daily basis. MENU ITEM(S): Configuration > Log & Report
  • Page 106: File Manager

    Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the ZyWALL or remove the power. Not doing so can cause the firmware to become corrupt. MENU ITEM(S): Maintenance > Shutdown
  • Page 107: Tutorials

    • You want to be able to apply security settings specifically for all VPN tunnels so you create a new VPN zone. • The wan1 interface uses a static IP address of 1.2.3.4.
  • Page 108: Configure A Wan Ethernet Interface

    Add it to the LAN zone so all of the LAN zone’s security policies apply to it. Figure 54 Ethernet Interface, Port Roles, and Zone Configuration Example. 7.1.1 Configure a WAN Ethernet Interface: You need to assign the ZyWALL’s wan1 interface a static IP address of 1.2.3.4.
  • Page 109: Configure Port Roles

    Here is how to set the dmz interface (created in the previous section) for a separate local network. It uses 192.168.4.1 as its IP address and has a DHCP server to distribute IP addresses to connected DHCP clients.
  • Page 110: Configure Zones

    Set DHCP to DHCP Server and click OK. Figure 57 Configuration > Network > Interface > Ethernet > Edit lan2 7.1.4 Configure Zones Do the following to create a VPN zone. Click Configuration > Network > Zone and then the Add icon.
  • Page 111: How To Configure A Cellular Interface

    Connect the 3G device to one of the ZyWALL’s USB ports. Click Configuration > Network > Interface > Cellular. Select the 3G device’s entry and click Edit. Figure 59 Configuration > Network > Interface > Cellular
  • Page 112 ISP. Go to the Dashboard. The Interface Status Summary section should contain a “cellular” entry. When its connection status is Connected you can use the 3G connection to access the Internet. Figure 61 Status
  • Page 113: How To Configure Load Balancing

    WAN_TRUNK trunk’s load balancing settings. 7.3.1 Set Up Available Bandwidth on Ethernet Interfaces Here is how to set a limit on how much traffic the ZyWALL tries to send out through each WAN interface.
  • Page 114: Configure The Wan Trunk

    Go to Configuration > Network > Interface > Cellular. Double-click the cellular1 entry and set the egress bandwidth for cellular1 to 512 Kbps. 7.3.2 Configure the WAN Trunk Click Configuration > Network > Interface > Trunk. Click the Add icon.
  • Page 115 Name the trunk and set the Load Balancing Algorithm field to Weighted Round Robin. Add wan1 and enter 2 in the Weight column. Add cellular1 and enter 1 in the Weight column. Click OK. Figure 64 Configuration > Network > Interface > Trunk > Add
  • Page 116: How To Set Up An Ipsec Vpn Tunnel

    This example shows how to use the IPSec VPN configuration screens to create the following VPN tunnel. See Section 5.4 on page 76 for details on the VPN quick setup wizard. Figure 66 VPN Example (figure labels: 2.2.2.2, 1.2.3.4, 192.168.1.0/24, 172.16.1.0/24)
  • Page 117: Set Up The Vpn Gateway

    Interface and wan1. For the Peer Gateway Address, select Static Address and enter 2.2.2.2 in the Primary field. For the Authentication, select Pre-Shared Key and enter 12345678. Click OK. Figure 67 Configuration > VPN > IPSec VPN > VPN Gateway > Add
  • Page 118: Set Up The Vpn Connection

    Address Type to SUBNET. Set up the Network field to 172.16.1.0 and the Netmask to 255.255.255.0. Click OK. Figure 68 Configuration > Object > Address > Add Click Configuration > VPN > IPSec VPN > VPN Connection. Click the Add icon.
  • Page 119: Configure Security Policies For The Vpn Tunnel

    ZyWALL and remote IPSec router allow UDP port 500 (IKE) and IP protocol 50 (AH) or 51 (ESP). If you enable NAT traversal, all firewalls between the ZyWALL and remote IPSec router should also allow UDP port 4500.
  • Page 120: How To Configure User-Aware Access Control

    RADIUS server to a text file, then you might create a script to create the user accounts instead. This example uses the Web Configurator. Click Configuration > Object > User/Group > User. Click the Add icon.
  • Page 121: Set Up User Groups

    Repeat this process to set up the remaining user accounts. 7.5.2 Set Up User Groups Set up the user groups and assign the users to the user groups. Click Configuration > Object > User/Group > Group. Click the Add icon.
  • Page 122: Set Up User Authentication Using The Radius Server

    RADIUS server. Then, set up the authentication method, and configure the ZyWALL to use the authentication method. Finally, force users to log in to the ZyWALL before it routes traffic for them.
  • Page 123 Set up a default policy that forces every user to log in to the ZyWALL before the ZyWALL routes traffic for them. Select Enable. Set the Authentication field to required, and make sure Force User Authentication is selected. Keep the rest of the default settings, and click OK.
  • Page 124: How To Use A Radius Server To Authenticate User Accounts Based On Groups

    RADIUS server authenticate groups of user accounts defined in the RADIUS server.
  • Page 125 Class. This attribute’s value is called a group identifier; it determines to which group a user belongs. In this example the values are Finance, Engineer, Sales, and Boss. Figure 75 Configuration > Object > AAA Server > RADIUS > Add
  • Page 126: How To Use Endpoint Security And Authentication Policies

    Click Configuration > Object > Endpoint Security > Add to open the Endpoint Security Edit screen. • Select Endpoint must comply with all checking items. • Set the Endpoint Operating System to Windows and the Window Version to Windows 7.
  • Page 127 • Select Endpoint must have Anti-Virus software installed and move the Kaspersky Internet Security and Kaspersky Anti-Virus anti-virus software entries to the allowed list. The following figure shows the configuration screen example. Figure 77 Configuration > Object > Endpoint Security > Add
  • Page 128: Configure The Authentication Policy

    ZyWALL’s login screen. • Enable EPS checking and move the EPS objects you created to the selected list. • Click OK. Figure 78 Configuration > Auth. Policy > Add
  • Page 129: How To Configure Service Control

    Figure 80 Example: Endpoint Security Error Message 7.8 How to Configure Service Control Service control lets you configure rules that control HTTP and HTTPS management access (to the Web Configurator) and separate rules that control HTTP and HTTPS...
  • Page 130: Allow Https Administrator Access Only From The Lan

    In HTTPS Admin Service Control, click the Add icon. Figure 81 Configuration > System > WWW In the Zone field select LAN1 and click OK. Figure 82 Configuration > System > WWW > Service Control Rule Edit
  • Page 131 Figure 83 Configuration > System > WWW (First Example Admin Service Rule Configured) In the Zone field select ALL and set the Action to Deny. Click OK. Figure 84 Configuration > System > WWW > Service Control Rule Edit
  • Page 132: How To Allow Incoming H.323 Peer-To-Peer Calls

    Suppose you have an H.323 device on the LAN1 for VoIP calls and you want it to be able to receive peer-to-peer calls from the WAN. Here is an example of how to configure NAT and the firewall to have the ZyWALL forward H.323 traffic destined...
  • Page 133: Turn On The Alg

    7.9.2 Set Up a NAT Policy For H.323 In this example, you need a NAT policy to forward H.323 (TCP port 1720) traffic received on the ZyWALL’s 10.0.0.8 WAN IP address to LAN1 IP address 192.168.1.56.
  • Page 134 Use Configuration > Object > Address > Add to create an address object for the public WAN IP address (called WAN_IP-for-H323 here). Then use it again to create an address object for the H.323 device’s private LAN1 IP address (called LAN_H323 here). Figure 88 Create Address Objects
  • Page 135: Set Up A Firewall Rule For H.323

    The default firewall rule for WAN-to-LAN traffic drops all traffic. Here is how to configure a firewall rule to allow H.323 (TCP port 1720) traffic received on the WAN_IP-for-H323 IP address to go to LAN1 IP address 192.168.1.56.
  • Page 136: How To Allow Public Access To A Web Server

    Internet (the WAN zone). In this example you have public IP address 1.1.1.1 that you will use on the wan1 interface and map to the HTTP server’s private IP address of 192.168.3.7. Figure 91 Public Server Example Network Topology (figure labels: 192.168.3.7, 1.1.1.1)
  • Page 137: Create The Address Objects

    • HTTP traffic and the HTTP server in this example both use TCP port 80. So you set the Port Mapping Type to Port, the Protocol Type to TCP, and the original and mapped ports to 80.
  • Page 138: Set Up A Firewall Rule

    HTTP traffic to IP address 1.1.1.1 in order to access the HTTP server. If a domain name is registered for IP address 1.1.1.1, users can just go to the domain name to access the web server.
  • Page 139: How To Use An Ippbx On The Dmz

    7.11 How to Use an IPPBX on the DMZ This is an example of making an IPPBX x6004 using SIP in the DMZ zone accessible from the Internet (the WAN zone). In this example you have public IP...
  • Page 140 address 1.1.1.2 that you will use on the wan1 interface and map to the IPPBX’s private IP address of 192.168.3.7. The local SIP clients are on the LAN. Figure 96 IPPBX Example Network Topology
  • Page 141: Turn On The Alg

    Use Configuration > Object > Address > Add to create the address objects. Create a host address object named IPPBX-DMZ for the IPPBX’s private DMZ IP address of 192.168.3.9. Figure 98 Creating the Address Object for the IPPBX’s Private IP Address
  • Page 142: Setup A Nat Policy For The Ippbx

    • Set the Port Mapping Type to Port, the Protocol Type to UDP and the original and mapped ports to 5060. • Keep Enable NAT Loopback selected to allow the LAN users to use the IPPBX (see NAT Loopback on page 343 for details).
  • Page 143: Set Up A Wan To Dmz Firewall Rule For Sip

    SIP traffic to the IPPBX. If a domain name is registered for IP address 1.1.1.2, users can connect to it to make SIP calls.
  • Page 144: Set Up A Dmz To Lan Firewall Rule For Sip

    The firewall blocks traffic from the DMZ zone to the LAN zone by default so you need to create a firewall rule to allow the IPPBX to send SIP traffic to the SIP clients on the LAN.
  • Page 145: How To Use Multiple Static Public Wan Ip Addresses For Lan To Wan Traffic

    Click Configuration > Object > Address > Add to create the address object that represents the range of static public IP addresses. In this example you name it Public-IPs and it goes from 1.1.1.10 to 1.1.1.17. Figure 103 Creating the Public IP Address Range Object
  • Page 146: Configure The Policy Route

    7.13 How to Set Up a Wireless LAN This tutorial applies only to USG 20W. You can configure different interfaces to use on the wireless LAN card. This lets you have different wireless LAN networks using different SSIDs. You can configure...
  • Page 147: Set Up User Accounts

    Use the Add icon in the Configuration > Object > User/Group > User screen to set up the remaining user accounts in similar fashion. 7.13.2 Create the WLAN Interface Click Configuration > Network > Interface > WLAN > Add to open the WLAN Add screen.
  • Page 148 Authentication Type to Auth Method. The ZyWALL can use its default authentication method (the local user database) and its default certificate to authenticate the users. Configure the interface’s IP address and set it to DHCP Server. Click OK.
  • Page 149 Figure 106 Configuration > Network > Interface > WLAN > Add
  • Page 150: Set Up The Wireless Clients To Use The Wlan Interface

    The following sections show you how to have a wireless client (not included with the ZyWALL) use the wireless network. 7.13.3.1 Configure the ZyXEL Wireless Client Utility This example covers how to configure ZyXEL’s wireless client utility (not included with the ZyWALL) to use the WLAN interface. See Section 7.13.3.2 on page 154 instead for how to use Funk Odyssey’s wireless client software if you want the...
  • Page 151 Figure 108 ZyXEL Wireless Client Add a new profile. This example uses “ZYXEL_WPA” as the name. It is also the SSID (name) of the wireless network. Select Infrastructure and click Next. Figure 109 ZyXEL Wireless Client > Profile
  • Page 152 Select WPA2 as the security type and click Next. Figure 110 ZyXEL Wireless Client > Profile: Security Type Set the encryption type to TKIP and the EAP type to TTLS. Configure wlan_user as the Login Name and enter the account’s password (also wlan_user in this example.
  • Page 153 Confirm your settings and click Save. Figure 112 ZyXEL Wireless Client > Profile: Save Click Activate Now. Figure 113 ZyXEL Wireless Client > Profile: Activate
  • Page 154 The ZYXEL_WPA profile displays in your list of profiles. Figure 114 ZyXEL Wireless Client > Profile: Activate Since the ZyXEL utility does not have the wireless client validate the ZyWALL’s certificate, you can go to Section 7.13.3.4 on page 162.
  • Page 155 Prompt for long name and password. Figure 116 Odyssey Access Client Manager > Profiles > User Info Click the Authentication tab and select Validate server certificate. Figure 117 Odyssey Access Client Manager > Profiles > Authentication
  • Page 156 Click the TTLS tab and select PAP. Then click OK. Figure 118 Odyssey Access Client Manager > Profiles > Authentication Click Networks > Add. Figure 119 Odyssey Access Client Manager > Networks
  • Page 157 ZyWALL’s certificate. Use the Configuration > Object > Certificate > Edit screen (see Section 39.2.2 on page 599) to export the certificate the ZyWALL is using for the WLAN interface. Then do the following to import the certificate into each wireless client computer.
  • Page 158 In Internet Explorer, click Tools > Internet Options > Content and click the Certificates button. Figure 121 Internet Explorer: Tools > Internet Options > Content Click Import. Figure 122 Internet Explorer: Tools > Internet Options > Content > Certificates
  • Page 159 Figure 123 Internet Explorer Certificate Import Wizard File Open Screen When you get to the Certificate Store screen, select the option to automatically select the certificate store based on the type of certificate. Figure 124 Internet Explorer Certificate Import Wizard Certificate Store Screen
  • Page 160 If you get a security warning screen, click Yes to proceed. Figure 125 Internet Explorer Certificate Import Certificate Warning Screen
  • Page 161 Country (C). Figure 127 Configuration > Object > Certificate > My Certificates Repeat the steps to import the certificate into each wireless client computer that is to validate the ZyWALL’s certificate when using the WLAN interface.
  • Page 162 7.13.3.4 Wireless Clients Use the WLAN Interface A login screen displays when the wireless client attempts to connect to the wireless interface. Enter the username and password and click OK. Funk Odyssey Access Wireless Client Login Example
  • Page 163: Technical Reference

    Technical Reference...
  • Page 165: Dashboard

    8.2 The Dashboard Screen The Dashboard screen displays when you log into the ZyWALL or click Dashboard in the navigation panel. The dashboard displays general device information, system status, system resource usage, licensed service status, and...
  • Page 166 interface status in widgets that you can re-arrange to suit your needs. You can also collapse, refresh, and close individual widgets. Figure 128 Dashboard USG 20
  • Page 167 The following front and rear panel labels display when you hover your cursor over a connected interface or slot. Name This field displays the name of each interface. Slot This field displays the name of each extension slot.
  • Page 168 Date/Time: This field displays the current date and time in the ZyWALL. The format is yyyy-mm-dd hh:mm:ss. VPN Status: Click this to look at the VPN tunnels that are currently established. See Section 8.2.1 on page 171.
  • Page 169 Click the Detail icon to go to the Session Monitor screen to see details about the active sessions. Click the Show Active Sessions icon to display a chart of ZyWALL’s recent session usage.
  • Page 170 Section 9.11 on page 195 for the status that can appear. Licensed Service Status This shows how many licensed services there are. Status This is the current status of the license. Name This identifies the licensed service.
  • Page 171: The Cpu Usage Screen

    8.2.1 The CPU Usage Screen Use this screen to look at a chart of the ZyWALL’s recent CPU usage. To access this screen, click CPU Usage in the dashboard. Figure 129 Dashboard > CPU Usage
  • Page 172: The Memory Usage Screen

    The x-axis shows the time period over which the RAM usage occurred. Refresh Interval: Enter how often you want this window to be automatically updated. Refresh: Click this to update the information in the window right away.
  • Page 173: The Active Sessions Screen

    The x-axis shows the time period over which the session usage occurred. Refresh Interval: Enter how often you want this window to be automatically updated. Refresh: Click this to update the information in the window right away.
  • Page 174: The Vpn Status Screen

    Use this screen to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses. To access this screen, click the icon beside DHCP Table in the dashboard. Figure 133 Dashboard > DHCP Table
  • Page 175: The Number Of Login Users Screen

    Use this screen to look at a list of the users currently logged into the ZyWALL. To access this screen, click the dashboard’s Number of Login Users icon. Figure 134 Dashboard > Number of Login Users
  • Page 176 This field displays the way the user logged in to the ZyWALL. IP address This field displays the IP address of the computer used to log in to the ZyWALL. Force Logout Click this icon to end a user’s session.
  • Page 177: Monitor

    • Use the System Status > Cellular Status screen (Section 9.9 on page 191) to check your 3G connection status. • Use the System Status > USB Storage screen (Section 9.11 on page 195) to view information about a connected USB storage device.
  • Page 178: The Port Statistics Screen

    9.2 The Port Statistics Screen Use this screen to look at packet statistics for each Gigabit Ethernet port. To access this screen, click Monitor > System Status > Port Statistics. Figure 135 Monitor > System Status > Port Statistics
  • Page 179 Up Time: This field displays how long the physical port has been connected. System Up Time: This field displays how long the ZyWALL has been running since it last restarted or was turned on.
  • Page 180: The Port Statistics Graph Screen

    This line represents traffic transmitted from the ZyWALL on the physical port since it was last connected. This line represents the traffic received by the ZyWALL on the physical port since it was last connected.
  • Page 181: Interface Status Screen

    Name This field displays the name of each interface. If there is an Expand icon (plus-sign) next to the name, click this to look at the status of virtual interfaces on top of this interface.
  • Page 182 This field lists which services the interface provides to the network. Examples include DHCP relay, DHCP server, DDNS, RIP, and OSPF. This field displays n/a if the interface does not provide any services to the network.
  • Page 183: The Traffic Statistics Screen

    • Most-used protocols or service ports and the amount of traffic on each one • LAN IP with heaviest traffic and how much traffic has been sent to and from each one
  • Page 184 Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. Statistics Interface Select the interface from which to collect information. You can collect information from Ethernet, VLAN, bridge and PPPoE/PPTP interfaces.
  • Page 185 This field indicates whether the indicated protocol or service port is sending or receiving traffic. Ingress - traffic is coming into the router through the interface Egress - traffic is going out from the router through the interface
  • Page 186: The Session Monitor Screen

    It is not possible to manage sessions in this screen. The following information is displayed. • User who started the session • Protocol or service port used • Source address • Destination address • Number of bytes received (so far)
  • Page 187 The User, Service, Source Address, and Destination Address fields display if you view all sessions. Select your desired filter criteria and click the Search button to filter the list of sessions.
  • Page 188 This field displays the amount of information received by the source in the active session. This field displays the amount of information transmitted by the source in the active session. Duration This field displays the length of the active session in seconds.
  • Page 189: The Ddns Status Screen

    Click Monitor > System Status > IP/MAC Binding to open the IP/MAC Binding Monitor screen. This screen lists the devices that have received an IP address from ZyWALL interfaces with IP/MAC binding enabled and have ever...
  • Page 190: The Login Users Screen

    Use this screen to look at a list of the users currently logged into the ZyWALL. To access this screen, click Monitor > System Status > Login Users. Figure 142 Monitor > System Status > Login Users
  • Page 191: Wlan Status Screen

    (or trying to connect to) an IEEE 802.11b/g card installed in the ZyWALL. To open the station monitor, click Monitor > System Status > WLAN Status. The screen appears as shown. Figure 143 Monitor > System Status > WLAN Status
  • Page 192: Cellular Status Screen

    This field is a sequential value, and it is not associated with any interface. Extension Slot: This field displays where the entry’s cellular card is located. Connected Device: This field displays the model name of the cellular card.
  • Page 193 This displays the name of your network service provider. This shows Limited Service if the service provider has stopped service to the 3G SIM card. For example if the bill has not been paid or the account has expired.
  • Page 194: More Information

    Monitor > System Status > More Information to display this screen. Note: This screen is only available when the 3G device is attached to and activated on the ZyWALL. Figure 145 Monitor > System Status > More Information
  • Page 195: Usb Storage Screen

    9.11 USB Storage Screen This screen displays information about a connected USB storage device. Click Monitor > System Status > USB Storage to display this screen. Figure 146 Monitor > System Status > USB Storage
  • Page 196: The Ipsec Monitor Screen

    - the USB device is operating normally or not connected. 9.12 The IPSec Monitor Screen You can use the IPSec Monitor screen to display and to manage active IPSec SAs. To access this screen, click Monitor > VPN Monitor > IPSec. The following...
  • Page 197 This field displays the encryption and authentication algorithms used in the SA. Up Time This field displays how many seconds the IPSec SA has been active. This field displays N/A if the IPSec SA uses manual keys.
  • Page 198: Regular Expressions In Searching Ipsec Sas

    Click Monitor > VPN Monitor > SSL to display the user list. Use this screen to do the following: • View a list of active SSL VPN connections. • Log out individual users and delete related session information.
  • Page 199 This field displays the number of bytes received by the ZyWALL on this connection. Outbound (Bytes): This field displays the number of bytes transmitted by the ZyWALL on this connection. Refresh: Click Refresh to update this screen.
  • Page 200: The Content Filter Statistics Screen

    Data. Collecting starts over and a new collection start time displays. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. Refresh Click this button to update the report display.
  • Page 201 Without Policy filtering service. Report Server Click this link to go to http://www.myZyXEL.com where you can view content filtering reports after you have activated the category-based content filtering subscription service.
  • Page 202: Content Filter Cache Screen

    This allows you to check whether a web site’s category has been changed. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 150 Anti-X > Content Filter > Cache
  • Page 203 ZyWALL to reflect changes in the external content filtering database. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings.
  • Page 204: The Anti-Spam Statistics Screen

    Total Mails Scanned: This field displays the number of e-mails that the ZyWALL’s anti-spam feature has checked. Clear Mails: This is the number of e-mails that the ZyWALL has determined to not be spam.
  • Page 205 This column displays when you display the entries by Sender Mail Address. This column displays the e-mail addresses from which the ZyWALL has detected the most spam. Occurrence: This field displays how many spam e-mails the ZyWALL detected from the sender.
  • Page 206: The Anti-Spam Status Screen

    This is the average for how long it takes to receive a reply from this DNSBL. No Response: This is how many DNS queries the ZyWALL sent to this DNSBL without receiving a reply.
  • Page 207: Log Screen

    Events that generate an alert (as well as a log message) display in red. Regular logs display in black. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 153 Monitor > Log
  • Page 208 Click this button to clear the whole log, regardless of what is currently displayed on the screen. This field is a sequential value, and it is not associated with a specific log message. Time This field displays the time the log message was recorded.
  • Page 209 Note This field displays any additional information about the log message. The Web Configurator saves the filter settings if you leave the View Log screen and return to it later.
  • Page 211: Registration

    This section introduces the topics covered in this chapter. myZyXEL.com myZyXEL.com is ZyXEL’s online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL. To update signature files or use a subscription service, you have to register the ZyWALL and activate the corresponding service at myZyXEL.com (through the ZyWALL).
  • Page 212: The Registration Screen

    Use this screen to register your ZyWALL with myZyXEL.com and activate a service, such as content filtering. Click Configuration > Licensing > Registration in the navigation panel to open the screen as shown next. Figure 154 Configuration > Licensing > Registration
  • Page 213 You can have the ZyWALL block and/or log access to web sites based on these categories. Apply Click Apply to save your changes back to the ZyWALL.
  • Page 214: The Service Screen

    PIN number (license key) in this screen. Click Configuration > Licensing > Registration > Service to open the screen as shown next. Figure 156 Configuration > Licensing > Registration > Service
  • Page 215 (specific to your ZyWALL) and enter the new PIN number to extend the service. Service License Refresh: Click this button to renew service license information (such as the registration status and expiration day).
  • Page 217: Interfaces

    Ethernet interfaces to tell the ZyWALL where to route packets. You can create virtual Ethernet interfaces, virtual VLAN interfaces, and virtual bridge interfaces. • Use the Trunk screens (Chapter 12 on page 289) to configure load balancing.
  • Page 218: What You Need To Know

    Port groups and trunks have a lot of characteristics that are specific to each type of interface. See Section 11.2 on page 220 and Chapter 12 on page 289 for details. The other types of interfaces--Ethernet, PPP, cellular, VLAN, bridge, and...
  • Page 219: Relationships Between Interfaces

    The relationships between interfaces are explained in the following table. Table 48 Relationships Between Different Types of Interfaces. INTERFACE: REQUIRED PORT / INTERFACE. port group: physical port. Ethernet interface: physical port, port group. VLAN interface: Ethernet interface.
  • Page 220: Port Role

    To access this screen, click Configuration > Network > Interface > Port Role. Use the Port Role screen to set the ZyWALL’s flexible ports as part of the lan1, lan2 or dmz interfaces. This creates a hardware connection between the physical...
  • Page 221 The port group uses a single MAC address. Apply Click this button to save your changes and apply them to the ZyWALL. Reset Click this button to change the port groups to their current configuration (last-saved values).
  • Page 222: Ethernet Summary Screen

    The ZyWALL supports two routing protocols, RIP and OSPF. See Chapter 14 on page 313 for background information about these routing protocols. Figure 158 Configuration > Network > Interface > Ethernet (USG 20W) ZyWALL USG 20/20W User’s Guide...
  • Page 223: Ethernet Edit

    IP address settings change. For example, if you change LAN1’s IP address, the ZyWALL automatically updates the corresponding interface-based, LAN1 subnet address object. With RIP, you can use Ethernet interfaces to do the following things. ZyWALL USG 20/20W User’s Guide...
  • Page 224 • Select in which direction(s) routing information is exchanged - The ZyWALL can receive routing information, send routing information, or do both. • Set the priority used to identify the DR or BDR if one does not exist. ZyWALL USG 20/20W User’s Guide...
  • Page 225 Chapter 11 Interfaces Figure 159 Configuration > Network > Interface > Ethernet > Edit (WAN) ZyWALL USG 20/20W User’s Guide...
  • Page 226 Click this button to display a greater or lesser number of configuration Settings / Hide fields. Advance Settings General Settings Enable Select this to enable this interface. Clear this to disable this interface. Interface Interface Properties ZyWALL USG 20/20W User’s Guide...
  • Page 227 General. Enter the IP address of the gateway. The ZyWALL sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface. ZyWALL USG 20/20W User’s Guide...
  • Page 228 Select this to use the default gateway for the connectivity check. Gateway Check this Select this to specify a domain name or IP address for the address connectivity check. Enter that domain name or IP address in the field next to it. ZyWALL USG 20/20W User’s Guide...
  • Page 229 From ISP - select the DNS server that another interface received from its DHCP server. ZyWALL - the DHCP clients use the IP address of this interface and the ZyWALL works as a DNS relay. ZyWALL USG 20/20W User’s Guide...
  • Page 230 RIP packets. Choices are 1, 2, and 1 and 2. Receive This field is effective when RIP is enabled. Select the RIP version(s) Version used for receiving RIP packets. Choices are 1, 2, and 1 and 2. ZyWALL USG 20/20W User’s Guide...
  • Page 231 Use Default MAC Address Select this option to have the interface use the factory assigned default MAC address. By default, the ZyWALL uses the factory assigned MAC address to identify itself.
  • Page 232: Object References

    This identifies the object for which the configuration settings that use it are displayed. Click the object’s name to display the object’s configuration screen in the main window. This field is a sequential value, and it is not associated with any entry. ZyWALL USG 20/20W User’s Guide...
  • Page 233: Ppp Interfaces

    ZyWALL always treats the ISP as a gateway. At the time of writing, it is possible to set up the IP address of the gateway (ISP) using CLI commands but not in the Web Configurator. ZyWALL USG 20/20W User’s Guide...
  • Page 234: Ppp Interface Summary

    Object References Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 11.3.2 on page 232 for an example. This field is a sequential value, and it is not associated with any interface. ZyWALL USG 20/20W User’s Guide...
  • Page 235: Ppp Interface Add Or Edit

    Note: You have to set up an ISP account before you create a PPPoE/PPTP interface. This screen lets you configure a PPPoE or PPTP interface. To access this screen, click the Add icon or an Edit icon in the PPP Interface screen. ZyWALL USG 20/20W User’s Guide...
  • Page 236 Chapter 11 Interfaces Figure 164 Configuration > Network > Interface > PPP > Add ZyWALL USG 20/20W User’s Guide...
  • Page 237 Select this if this interface is a DHCP client. In this case, the DHCP Automatically server configures the IP address automatically. The subnet mask and gateway are always defined automatically in PPPoE/PPTP interfaces. Use Fixed IP Select this if you want to specify the IP address manually. Address ZyWALL USG 20/20W User’s Guide...
  • Page 238 Enter that domain name or IP address in the field next to it. Check Port This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check. ZyWALL USG 20/20W User’s Guide...
  • Page 239: Cellular Configuration Screen (3G)

    • (refer to Section 11.5.1 on page 241). • You can set the 3G device to connect to other networks if the signal strength of the home network is too low or it is unavailable. ZyWALL USG 20/20W User’s Guide...
  • Page 240 Note: Install (or connect) a compatible 3G USB to use a cellular connection. See Chapter 51 on page 741 for details. Note: The WAN IP addresses of a ZyWALL with multiple WAN interfaces must be on different subnets. ZyWALL USG 20/20W User’s Guide...
  • Page 241: Cellular Add/Edit Screen

    To change your 3G settings, click Configuration > Network > Interface > Cellular > Add (or Edit). In the pop-up window that displays, select the slot that you want to configure. The following screen displays. ZyWALL USG 20/20W User’s Guide...
  • Page 242 Chapter 11 Interfaces Figure 166 Configuration > Network > Interface > Cellular > Add ZyWALL USG 20/20W User’s Guide...
  • Page 243 GSM or HSDPA 3G card. Enter the APN from your service provider. Connections with different APNs may provide different services (such as Internet access or MMS (Multi-Media Messaging Service)) and charge method. You can enter up to 63 ASCII printable characters. Spaces are allowed. ZyWALL USG 20/20W User’s Guide...
  • Page 244 PIN code incorrectly, the 3G card may be blocked by your ISP and you cannot use the account to access the Internet. If your ISP disabled PIN code authentication, enter an arbitrary number. Interface Parameters ZyWALL USG 20/20W User’s Guide...
  • Page 245 Configure Policy Route Click Policy Route to go to the policy route summary screen where you can configure a policy route to override the default routing and SNAT behavior for the interface. IP Address Assignment
  • Page 246 Select this to set a monthly limit for the user account of the installed Control 3G card. You can set a limit on the total traffic and/or call time. The ZyWALL takes the actions you specified when a limit is exceeded during the month. ZyWALL USG 20/20W User’s Guide...
  • Page 247 If you set New 3G connection to Disallow and Current 3G connection to Keep, the ZyWALL allows you to transmit data using the current connection, but you cannot build a new connection if the existing connection is disconnected. ZyWALL USG 20/20W User’s Guide...
  • Page 248: Wlan Interface General Screen

    Wireless clients (A and B) connect to an access point (AP) to access other devices (such as the printer) or the Internet. Your ZyWALL works as an AP when you install a compatible WLAN card. Figure 167 Example of a Wireless Network ZyWALL USG 20/20W User’s Guide...
  • Page 249 Click Configuration > Network > Interface > WLAN to open the following screen. See Appendix C on page 803 for more details on wireless LANs. Figure 168 Configuration > Network > Interface > WLAN ZyWALL USG 20/20W User’s Guide...
  • Page 250 APs in the area, decrease the output power of the ZyWALL to reduce interference with other APs. See the product specifications for more information on your ZyWALL’s output power. ZyWALL USG 20/20W User’s Guide...
  • Page 251 This icon is lit when the entry is active and dimmed when the entry is inactive. Name This field displays the name of the WLAN interface. SSID This is the SSID (Service Set IDentity) of the WLAN interface. ZyWALL USG 20/20W User’s Guide...
  • Page 252: Wlan Add/Edit Screen

    Click Configuration > Network > Interface > WLAN > Add (or Edit) to open the WLAN Edit screen. The screen varies according to the security features you select. It displays as shown next when you set the Security Type to none. ZyWALL USG 20/20W User’s Guide...
  • Page 253 Chapter 11 Interfaces Figure 169 Configuration > Network > Interface > WLAN > Add (No Security) ZyWALL USG 20/20W User’s Guide...
  • Page 254 Enter a password (up to 31 alphanumeric characters) as the key to be Secret shared between the external authentication server and the ZyWALL. The key is not sent over the network. This key must be the same on the external authentication server and ZyWALL. IP Address Assignment ZyWALL USG 20/20W User’s Guide...
  • Page 255 If this field is blank, the ZyWALL assigns every IP address allowed by the interface’s IP address, subnet mask, and pool size; except for the first address (network address), last address (broadcast address) and the interface’s IP address. ZyWALL USG 20/20W User’s Guide...
  • Page 256 ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long. RIP Setting See Section 14.2 on page 314 for more information about RIP. Enable RIP Select this to enable RIP in this interface.
  • Page 257 This field is available if the Authentication is MD5. Type the Authentication password for MD5 authentication. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long. ZyWALL USG 20/20W User’s Guide...
  • Page 258: Wlan Add/Edit: Wep Security

    Interface > WLAN > Add (or Edit) to open the WLAN Edit screen. Select WEP as the Security Type. The following screen shows the WEP security fields. Figure 170 Configuration > Network > Interface > WLAN > Add (WEP Security) ZyWALL USG 20/20W User’s Guide...
  • Page 259: Wlan Add/Edit: Wpa-Psk/Wpa2-Psk Security

    WPA/WPA2-PSK means wireless clients can use either WPA-PSK or WPA2-PSK to connect to the WLAN interface. The following screen shows the security fields. Figure 171 Configuration > Network > Interface > WLAN > Add (WPA-PSK, WPA2- PSK, or WPA/WPA2-PSK Security) ZyWALL USG 20/20W User’s Guide...
  • Page 260: Wlan Add/Edit: Wpa/Wpa2 Security

    > Interface > WLAN > Add (or Edit) to open the WLAN Edit screen. Select WPA-Enterprise, WPA2-Enterprise, or WPA/WPA2-Enterprise as the Security Type. WPA/WPA2-Enterprise means wireless clients can use either WPA or WPA2 to connect to the WLAN interface. The following figure shows the security fields. ZyWALL USG 20/20W User’s Guide...
  • Page 261 TTLS secure tunnel. The RADIUS fields display if you set the Authentication Type field to Auth Server. Radius Server IP Address Enter the IP address of the external authentication server in dotted decimal notation.
  • Page 262: Wlan Interface Mac Filter

    MAC addresses, the ZyWALL does not immediately disconnect all connected wireless clients. To display your ZyWALL’s MAC filter settings, click Configuration > Network > Interface > WLAN > MAC Filter. The screen appears as shown. ZyWALL USG 20/20W User’s Guide...
  • Page 263 This field displays a descriptive name for the MAC address entry. Enter a descriptive name for the MAC address entry. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG 20/20W User’s Guide...
  • Page 264: Vlan Interfaces

    MAC header. The VLANs are connected to switches, and the switches are connected to the router. (If one switch has enough connections for the entire network, the network does not need switches A and B.) ZyWALL USG 20/20W User’s Guide...
  • Page 265 Otherwise, VLAN interfaces are similar to other interfaces in many ways. They have an IP address, subnet mask, and gateway used to make routing decisions. They restrict bandwidth and packet size. They can provide DHCP services, and they can verify the gateway is available. ZyWALL USG 20/20W User’s Guide...
  • Page 266: Vlan Summary Screen

    This screen also shows whether the IP address is a static IP address (STATIC) or dynamically assigned (DHCP). IP addresses are always static in virtual interfaces. Mask This field displays the interface’s subnet mask in dot decimal notation. ZyWALL USG 20/20W User’s Guide...
  • Page 267: Vlan Add/Edit

    DHCP settings, and connectivity check for each VLAN interface. To access this screen, click the Add icon at the top of the Add column or click an Edit icon next to a VLAN interface in the VLAN Summary screen. The following screen appears. ZyWALL USG 20/20W User’s Guide...
  • Page 268 Chapter 11 Interfaces Figure 177 Configuration > Network > Interface > VLAN > Edit ZyWALL USG 20/20W User’s Guide...
  • Page 269 Enter the IP address of the gateway. The ZyWALL sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface. ZyWALL USG 20/20W User’s Guide...
  • Page 270 This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check. DHCP Setting The DHCP settings are available for the OPT, LAN and DMZ interfaces. ZyWALL USG 20/20W User’s Guide...
  • Page 271 DHCP clients. The WINS server WINS Server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using. ZyWALL USG 20/20W User’s Guide...
  • Page 272 RIP packets. Choices are 1, 2, and 1 and 2. V2-Broadcast This field is effective when RIP is enabled. Select this to send RIP-2 packets using subnet broadcasting; otherwise, the ZyWALL uses multicasting. ZyWALL USG 20/20W User’s Guide...
  • Page 273 Click Policy Route to go to the screen where you can manually Policy Route configure a policy route to associate traffic with this VLAN. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. ZyWALL USG 20/20W User’s Guide...
  • Page 274: Bridge Interfaces

    0B:0B:0B:0B:0B:0B in the table. There is no entry yet, so the bridge broadcasts the packet on ports 1, 3, and 4. Table 67 Example: Bridge Table After Computer A Sends a Packet to Computer B MAC ADDRESS PORT 0A:0A:0A:0A:0A:0A ZyWALL USG 20/20W User’s Guide...
  • Page 275 241.241.241.241/32 222.222.222.0/24 vlan1 242.242.242.242/32 230.230.230.192/26 250.250.250.0/23 241.241.241.241/32 242.242.242.242/32 In this example, virtual Ethernet interface lan1:1 is also removed from the routing table when lan1 is added to br0. Virtual interfaces are automatically added to or ZyWALL USG 20/20W User’s Guide...
  • Page 276: Bridge Summary

    This screen also shows whether the IP address is a static IP address (STATIC) or dynamically assigned (DHCP). IP addresses are always static in virtual interfaces. Member This field displays the Ethernet interfaces and VLAN interfaces in the bridge interface. It is blank for virtual interfaces. ZyWALL USG 20/20W User’s Guide...
  • Page 277: Bridge Add/Edit

    DHCP settings, and connectivity check for each bridge interface. To access this screen, click the Add icon at the top of the Add column in the Bridge Summary screen, or click an Edit icon in the Bridge Summary screen. The following screen appears. ZyWALL USG 20/20W User’s Guide...
  • Page 278 Chapter 11 Interfaces Figure 179 Configuration > Network > Interface > Bridge > Add ZyWALL USG 20/20W User’s Guide...
  • Page 279 This field is enabled if you select Use Fixed IP Address. Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network. ZyWALL USG 20/20W User’s Guide...
  • Page 280 Relay Server 1 Enter the IP address of a DHCP server for the network. Relay Server 2 This field is optional. Enter the IP address of another DHCP server for the network. These fields appear if the ZyWALL is a DHCP Server. ZyWALL USG 20/20W User’s Guide...
  • Page 281 Configure a list of static IP addresses the ZyWALL assigns to Table computers connected to the interface. Otherwise, the ZyWALL assigns an IP address dynamically using the interface’s IP Pool Start Address and Pool Size. ZyWALL USG 20/20W User’s Guide...
  • Page 282: Virtual Interfaces Add/Edit

    Click Cancel to exit this screen without saving. 11.9.3 Virtual Interfaces Add/Edit This screen lets you configure IP address assignment and interface parameters for virtual interfaces. To access this screen, click an Add icon next to an Ethernet ZyWALL USG 20/20W User’s Guide...
  • Page 283 ZyWALL decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the ZyWALL uses the one that was configured first. Interface Parameters ZyWALL USG 20/20W User’s Guide...
  • Page 284: Interface Technical Reference

    200.200.200.200, it routes the packet to interface wan1. In most interfaces, you can enter the IP address and subnet mask manually. In PPPoE/PPTP interfaces, however, the subnet mask is always 255.255.255.255 ZyWALL USG 20/20W User’s Guide...
  • Page 285 • Ingress bandwidth sets the amount of traffic the ZyWALL allows in through the interface from the network. At the time of writing, the ZyWALL does not support ingress bandwidth management. ZyWALL USG 20/20W User’s Guide...
  • Page 286 DHCP requests to all of them. It is possible for an interface to be a DHCP relay and a DHCP client simultaneously. As a DHCP server, the interface provides the following information to DHCP clients. ZyWALL USG 20/20W User’s Guide...
  • Page 287 IP address. In this way WINS is similar to DNS, although WINS does not use a hierarchy (unlike DNS). A network can have more than one WINS server. Samba can also serve as a WINS server. ZyWALL USG 20/20W User’s Guide...
  • Page 288 The first one runs on TCP port 1723. It is used to start and manage the second one. The second one uses Generic Routing Encapsulation (GRE, RFC 2890) to transfer information between the computers. PPTP is convenient and easy-to-use, but you have to make sure that firewalls support both PPTP sessions. ZyWALL USG 20/20W User’s Guide...
  • Page 289: Trunks

    • Use the Trunk Edit screen (Section 12.3 on page 293) to configure which interfaces belong to each trunk and the load balancing algorithm each trunk uses. ZyWALL USG 20/20W User’s Guide...
  • Page 290: What You Need To Know

    An interface with a larger weight gets more of the traffic than an interface with a smaller weight. In the load balancing section, a session may refer to normal connection-oriented, UDP or SNMP2 traffic. ZyWALL USG 20/20W User’s Guide...
  • Page 291 Trunk screens. • See Section 7.3 on page 113 for an example of how to configure load balancing. • See Section 12.4 on page 295 for more background information on trunks. ZyWALL USG 20/20W User’s Guide...
  • Page 292: The Trunk Summary Screen

    This setting applies when you use load balancing and have multiple WAN interfaces set to active mode. Timeout Specify the time period during which sessions from one source to the same destination are to use the same link. ZyWALL USG 20/20W User’s Guide...
  • Page 293: Configuring A Trunk

    Click Configuration > Network > Interface > Trunk and then the Add (or Edit) icon to open the Trunk Edit screen. Use this screen to create or edit a WAN trunk entry. Figure 183 Configuration > Network > Interface > Trunk > Add (or Edit) ZyWALL USG 20/20W User’s Guide...
  • Page 294 Select Active to have the ZyWALL always attempt to use this connection. Select Passive to have the ZyWALL only use this connection when all of the connections set to active are down. You can only set one of a group’s interfaces to passive mode. ZyWALL USG 20/20W User’s Guide...
  • Page 295: Trunk Technical Reference

    The next queue is given an equal amount of bandwidth, and then moves to the end of the list; and so on, depending on the number of queues being used. This works in a looping fashion until a queue is empty. ZyWALL USG 20/20W User’s Guide...
  • Page 296 Chapter 12 Trunks ZyWALL USG 20/20W User’s Guide...
  • Page 297: Policy And Static Routes

    RIP or OSPF to propagate routing information to other routers. 13.1.1 What You Can Do in this Chapter • Use the Policy Route screens (see Section 13.2 on page 300) to list and configure policy routes. ZyWALL USG 20/20W User’s Guide...
  • Page 298: What You Need To Know

    RIP and OSPF. Policy Routes Versus Static Routes • Policy routes are more flexible than static routes. You can select more criteria for the traffic to match and can also use schedules, NAT, and bandwidth management. ZyWALL USG 20/20W User’s Guide...
  • Page 299 • See Section 7.12 on page 145 for an example of creating a policy route for using multiple static public WAN IP addresses for LAN to WAN traffic. ZyWALL USG 20/20W User’s Guide...
  • Page 300: Policy Route Screen

    • Limiting the amount of bandwidth available and setting a priority for traffic. IPPR follows the existing packet filtering facility of RAS in style and in implementation. Figure 185 Configuration > Network > Routing > Policy Route ZyWALL USG 20/20W User’s Guide...
  • Page 301 This is the interface on which the packets are received. Source This is the name of the source IP address (group) object. any means all IP addresses. Destination This is the name of the destination IP address (group) object. any means all IP addresses. ZyWALL USG 20/20W User’s Guide...
  • Page 302 This is the maximum bandwidth allotted to the policy. 0 means there is no bandwidth limitation for this route. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG 20/20W User’s Guide...
  • Page 303: Policy Route Edit Screen

    Select this to activate the policy. Description Enter a descriptive name of up to 31 printable ASCII characters for the policy. Criteria User Select a user name or user group from which the packets are sent. ZyWALL USG 20/20W User’s Guide...
  • Page 304 HOST address object. The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination. The gateway must be a router or switch on the same segment as your ZyWALL's interface(s). ZyWALL USG 20/20W User’s Guide...
  • Page 305 Use this field to specify a custom DSCP value. Defined DSCP Code Address Use this section to configure NAT for the policy route. This section does Translation not apply to policy routes that use a VPN tunnel as the next hop. ZyWALL USG 20/20W User’s Guide...
  • Page 306 This allows you to allocate bandwidth to a route and prioritize traffic that Shaping matches the routing policy. You must also enable bandwidth management in the main policy route screen (Network > Routing > Policy Route) in order to apply bandwidth shaping. ZyWALL USG 20/20W User’s Guide...
  • Page 307: Ip Static Route Screen

    Route screen. This screen displays the configured static routes. Configure static routes to be able to use RIP or OSPF to propagate the routing information to other routers. Figure 187 Configuration > Network > Routing > Static Route ZyWALL USG 20/20W User’s Guide...
  • Page 308: Static Route Add/Edit Screen

    255.255.255.255 in the subnet mask field to force the network number to be identical to the host Subnet Mask Enter the IP subnet mask here. ZyWALL USG 20/20W User’s Guide...
  • Page 309: Policy Routing Technical Reference

    If congestion occurs between classes, the traffic in the higher class (smaller numbered class) is generally given priority. Combining the classes and drop precedence produces the ZyWALL USG 20/20W User’s Guide...
  • Page 310: Port Triggering

    1 using port 1234. The ZyWALL records the IP address of computer A when the packets match a policy with SNAT configured. Game server 1 responds using a port number ranging between 5670 - 5678. The ZyWALL allows and forwards the traffic to computer A. ZyWALL USG 20/20W User’s Guide...
  • Page 311: Maximize Bandwidth Usage

    The ZyWALL distributes the available bandwidth equally among policy routes with the same priority level. ZyWALL USG 20/20W User’s Guide...
  • Page 312 Chapter 13 Policy and Static Routes ZyWALL USG 20/20W User’s Guide...
  • Page 313: Routing Protocols

    Network Size Small (with up to 15 routers) Large Metric Hop count Bandwidth, hop count, throughput, round trip time and reliability. Convergence Slow Fast Finding Out More See Section 14.4 on page 324 for background information on routing protocols.
  • Page 314: The Rip Screen

    Use the RIP screen to specify the authentication method and maintain the policies for redistribution. Click Configuration > Network > Routing > RIP to open the following screen. Figure 190 Configuration > Network > Routing > RIP ZyWALL USG 20/20W User’s Guide...
  • Page 315: The Ospf Screen

    Click this button to return the screen to its last-saved settings. 14.3 The OSPF Screen OSPF (Open Shortest Path First, RFC 2328) is a link-state protocol designed to distribute routing information within a group of networks, called an Autonomous ZyWALL USG 20/20W User’s Guide...
  • Page 316 • A Not So Stubby Area (NSSA, RFC 1587) has routing information about the OSPF AS and networks outside the OSPF AS to which the NSSA is directly connected. It does not have any routing information about other networks outside the OSPF AS. ZyWALL USG 20/20W User’s Guide...
  • Page 317 • An Area Border Router (ABR) connects two or more areas. It is a member of all the areas to which it is connected, and it filters, summarizes, and exchanges routing information between them. ZyWALL USG 20/20W User’s Guide...
  • Page 318 BDR in another group, and neither in a third group all at the same time. Virtual Links In some OSPF AS, it is not possible for an area to be directly connected to the backbone. In this case, you can create a virtual link through an intermediate area ZyWALL USG 20/20W User’s Guide...
  • Page 319: Configuring The Ospf Screen

    Use the first OSPF screen to specify the OSPF router the ZyWALL uses in the OSPF AS and maintain the policies for redistribution. In addition, it provides a summary of OSPF areas, allows you to remove them, and opens the OSPF Add/Edit screen to add or edit them. ZyWALL USG 20/20W User’s Guide...
  • Page 320 OSPF AS, and it can be between 1 and 16777214. Active Static Route Select this to advertise routes that were learned from static routes. The ZyWALL advertises routes learned from static routes to all types of areas.
  • Page 321 Type field above. Authentication This field displays the default authentication method in the area. Apply Click this button to save your changes to the ZyWALL. Reset Click this button to return the screen to its last-saved settings. ZyWALL USG 20/20W User’s Guide...
  • Page 322: Ospf Area Add/Edit Screen

    None uses no authentication. Text uses a plain text password that is sent over the network (not very secure). MD5 uses an MD5 password and authentication ID (most secure). ZyWALL USG 20/20W User’s Guide...
  • Page 323: Virtual Link Add/Edit Screen

    14.3.3 Virtual Link Add/Edit Screen The Virtual Link Add/Edit screen allows you to create a new virtual link or edit an existing one. When the OSPF add or edit screen (see Section 14.3.2 on page ZyWALL USG 20/20W User’s Guide...
  • Page 324: Routing Protocol Technical Reference

    Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. 14.4 Routing Protocol Technical Reference Here is more detailed information about RIP and OSPF. ZyWALL USG 20/20W User’s Guide...
  • Page 325 Alternatively, you can override the default in any interface or virtual link by selecting a specific authentication method. Please see the respective interface sections for more information. ZyWALL USG 20/20W User’s Guide...
  • Page 326 Chapter 14 Routing Protocols ZyWALL USG 20/20W User’s Guide...
  • Page 327: Zones

    Figure 197 Example: Zones 15.1.1 What You Can Do in this Chapter Use the Zone screens (see Section 15.2 on page 329) to manage the ZyWALL’s zones. ZyWALL USG 20/20W User’s Guide...
  • Page 328: What You Need To Know

    Finding Out More • See Section 6.5.7 on page 98 for related information on these screens. • See Section 7.1 on page 107 for an example of configuring Ethernet interfaces, port groups, and zones. ZyWALL USG 20/20W User’s Guide...
  • Page 329: The Zone Screen

    This field displays the name of the zone. Block Intra-zone This field indicates whether or not the ZyWALL blocks network traffic between members in the zone. Member This field displays the names of the interfaces that belong to each zone.
  • Page 330: Zone Edit

    Select any interfaces that you want to remove from the zone, and click the left arrow button to remove them. Click OK to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving. ZyWALL USG 20/20W User’s Guide...
  • Page 331: Ddns

    Table 91 DDNS Service Providers PROVIDER SERVICE TYPES SUPPORTED WEBSITE DynDNS Dynamic DNS, Static DNS, and Custom DNS www.dyndns.com Dynu Basic, Premium www.dynu.com No-IP No-IP www.no-ip.com Peanut Hull Peanut Hull www.oray.cn 3322 3322 Dynamic DNS, 3322 Static DNS www.3322.org ZyWALL USG 20/20W User’s Guide...
  • Page 332: The Ddns Screen

    Profile Name This field displays the descriptive profile name for this entry. DDNS Type This field displays which DDNS service you are using. Domain Name This field displays each domain name the ZyWALL can route. ZyWALL USG 20/20W User’s Guide...
  • Page 333 ZyWALL for the IP address to use for the domain name. custom - The IP address is static. Apply Click this button to save your changes to the ZyWALL. Reset Click this button to return the screen to its last-saved settings. ZyWALL USG 20/20W User’s Guide...
  • Page 334: The Dynamic Dns Add/Edit Screen

    ), or dashes (-), but the first character cannot be a number. This value is case-sensitive. This field is read-only when you are editing an entry. DDNS Type Select the type of DDNS service you are using. ZyWALL USG 20/20W User’s Guide...
  • Page 335 Select the interface to use for updating the IP address mapped to the domain name. Select Any to let the domain name be used with any interface. Select None to not use a backup address. ZyWALL USG 20/20W User’s Guide...
  • Page 336 Once your mail server is available again, the DynDNS server delivers the mail to you. See www.dyndns.org for more information about this service. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. ZyWALL USG 20/20W User’s Guide...
  • Page 337: Nat

    Use the NAT screens (see Section 17.2 on page 338) to view and manage the list of NAT rules and see their configuration details. You can also create new NAT rules and edit or delete existing ones. ZyWALL USG 20/20W User’s Guide...
  • Page 338: What You Need To Know

    Table 94 Configuration > Network > NAT LABEL DESCRIPTION Click this to create a new entry. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. ZyWALL USG 20/20W User’s Guide...
  • Page 339 This field displays the new destination port(s) for the packet. This field is blank if there is no restriction on the original destination port. Apply Click this button to save your changes to the ZyWALL. Reset Click this button to return the screen to its last-saved settings.
  • Page 340: The Nat Add/Edit Screen

    Type in the name of the NAT rule. The name is used to refer to the NAT rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  • Page 341 ZyWALL. If you select one of them, this NAT rule supports the IP address specified by the address object. User Defined Original IP This field is available if Mapped IP is User Defined. Type the translated destination IP address that this NAT rule supports.
  • Page 342 LAN interface’s IP address as the source address for the traffic it sends to the LAN server. See NAT Loopback on page 343 for more details. If you do not enable NAT loopback, this NAT rule only applies to packets received on the rule’s specified incoming interface. ZyWALL USG 20/20W User’s Guide...
  • Page 343: Nat Technical Reference

    Suppose a NAT 1:1 rule maps a public IP address to the private IP address of a LAN SMTP e-mail server to give WAN users access. NAT loopback allows other users to also use the rule’s original IP to access the mail server. ZyWALL USG 20/20W User’s Guide...
  • Page 344 The LAN SMTP server replies to the ZyWALL’s LAN IP address and the ZyWALL changes the source address to 1.1.1.1 before sending it to the LAN user. The return traffic’s source matches the original destination address (1.1.1.1). If the ZyWALL USG 20/20W User’s Guide...
  • Page 345 LAN user’s computer to shut down the session. Figure 207 LAN to LAN Return Traffic ZyWALL USG 20/20W User’s Guide...
  • Page 346 Chapter 17 NAT ZyWALL USG 20/20W User’s Guide...
  • Page 347: Http Redirect

    Figure 208 HTTP Redirect Example LAN1 18.1.1 What You Can Do in this Chapter Use the HTTP Redirect screens (see Section 18.2 on page 349) to display and edit the HTTP redirect rules. ZyWALL USG 20/20W User’s Guide...
  • Page 348: What You Need To Know

    • a from DMZ to WAN firewall rule (default) to allow HTTP requests from dmz to wan1. Responses to these requests are allowed automatically. • a policy route to forward HTTP traffic from proxy server A to the Internet. ZyWALL USG 20/20W User’s Guide...
  • Page 349: The Http Redirect Screen

    This is the IP address of the proxy server. Port This is the service port number used by the proxy server. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG 20/20W User’s Guide...
  • Page 350: The Http Redirect Edit Screen

    Enter the IP address of the proxy server. Port Enter the port number that the proxy server uses. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. ZyWALL USG 20/20W User’s Guide...
  • Page 351: Alg

    The ALG feature is only needed for traffic that goes through the ZyWALL’s NAT. 19.1.1 What You Can Do in this Chapter Use the ALG screen (Section 19.2 on page 355) to set up SIP, H.323, and FTP ALG settings. ZyWALL USG 20/20W User’s Guide...
  • Page 352: What You Need To Know

    Figure 212 H.323 ALG Example SIP ALG • SIP phones can be in any zone (including LAN, DMZ, WAN), and the SIP server and SIP clients can be in the same network or different networks. ZyWALL USG 20/20W User’s Guide...
  • Page 353 LAN IP address A make calls out through WAN IP address 1. Configure another policy route to have H.323 (or SIP) calls from LAN IP addresses B and C go out through WAN IP address 2. Even though only LAN IP address A ZyWALL USG 20/20W User’s Guide...
  • Page 354 ALG for peer-to-peer H.323 traffic. • See Section 7.11 on page 139 for an example of making an IPPBX using SIP or a SIP server in the DMZ zone accessible from the Internet (the WAN zone). ZyWALL USG 20/20W User’s Guide...
  • Page 355: Before You Begin

    SIP data payload. You do not need to use this if you have a SIP device or server that will modify IP addresses and port numbers embedded in the SIP data payload. ZyWALL USG 20/20W User’s Guide...
  • Page 356 FTP data payload to match the ZyWALL’s NAT environment. FTP Signaling If you are using a custom TCP port number (not 21) for FTP traffic, Port enter it here. ZyWALL USG 20/20W User’s Guide...
  • Page 357: Alg Technical Reference

    File Transfer Protocol (FTP) is an Internet file transfer service that operates on the Internet and over TCP/IP networks. A system running the FTP server accepts ZyWALL USG 20/20W User’s Guide...
  • Page 358 SIP handles telephone calls and can interface with traditional circuit-switched telephone networks. When you make a VoIP call using H.323 or SIP, the RTP (Real time Transport Protocol) is used to handle voice data transfer. See RFC 1889 for details on RTP. ZyWALL USG 20/20W User’s Guide...
  • Page 359: Ip/Mac Binding

    (Section 20.2 on page 360) to bind IP addresses to MAC addresses. • Use the Exempt List screen (Section 20.3 on page 363) to configure ranges of IP addresses to which the ZyWALL does not apply IP/MAC binding. ZyWALL USG 20/20W User’s Guide...
  • Page 360: What You Need To Know

    To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate. This field is a sequential value, and it is not associated with a specific entry. ZyWALL USG 20/20W User’s Guide...
  • Page 361: Ip/Mac Binding Edit

    IP addresses. Enable Select this option to have the ZyWALL generate a log if a device Logs for IP/ connected to this interface attempts to use an IP address not assigned by the ZyWALL. Binding Violation ZyWALL USG 20/20W User’s Guide...
  • Page 362: Static Dhcp Edit

    This field displays the name of the interface within the ZyWALL and the Name interface’s IP address and subnet mask. IP Address Enter the IP address that the ZyWALL is to assign to a device with the entry’s MAC address. ZyWALL USG 20/20W User’s Guide...
  • Page 363: Ip/Mac Binding Exempt List

    Click the Add icon to add a new entry. Click the Remove icon to delete an entry. A window displays asking you to confirm that you want to delete it. Apply Click Apply to save your changes back to the ZyWALL. ZyWALL USG 20/20W User’s Guide...
  • Page 364 Chapter 20 IP/MAC Binding ZyWALL USG 20/20W User’s Guide...
  • Page 365: Authentication Policy

    Figure 221 Authentication Policy Using Endpoint Security 21.1.1 What You Can Do in this Chapter Use the Configuration > Auth. Policy screens (Section 21.2 on page 366) to create and manage authentication policies. ZyWALL USG 20/20W User’s Guide...
  • Page 366: What You Need To Know

    Section 7.7 on page 126 for an example of how to use endpoint security and authentication policies. 21.2 Authentication Policy Screen The Authentication Policy screen displays the authentication policies you have configured on the ZyWALL. ZyWALL USG 20/20W User’s Guide...
  • Page 367 Chapter 21 Authentication Policy Click Configuration > Auth. Policy to display the screen. Figure 222 Configuration > Auth. Policy ZyWALL USG 20/20W User’s Guide...
  • Page 368 To turn off an entry, select it and click Inactivate. Move To move an entry to a different number in the list, click the Move icon. In the field that appears, specify the number to which you want to move the interface. ZyWALL USG 20/20W User’s Guide...
  • Page 369: Creating/Editing An Authentication Policy

    Click this button to return the screen to its last-saved settings. 21.2.1 Creating/Editing an Authentication Policy Click Configuration > Auth. Policy and then the Add (or Edit) icon to open the Endpoint Security Edit screen. Use this screen to configure an authentication policy. ZyWALL USG 20/20W User’s Guide...
  • Page 370 Destination Select a destination address or address group for whom this policy Address applies. Select any if the policy is effective for every destination. This is any and not configurable for the default policy. ZyWALL USG 20/20W User’s Guide...
  • Page 371 Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. ZyWALL USG 20/20W User’s Guide...
  • Page 372 Chapter 21 Authentication Policy ZyWALL USG 20/20W User’s Guide...
  • Page 373: Firewall

    381) to enable or disable the firewall and asymmetrical routes, and manage and configure firewall rules. • Use the Session Limit screens (see Section 22.3 on page 386) to limit the number of concurrent NAT/firewall sessions a client can use. ZyWALL USG 20/20W User’s Guide...
  • Page 374: What You Need To Know

    Traffic that does not match any firewall rule is allowed. So for example, LAN to WAN, LAN to DMZ, and LAN to WLAN traffic is allowed. This also includes traffic to or from interfaces or VPN tunnels that are not assigned to a zone (extra-zone traffic). ZyWALL USG 20/20W User’s Guide...
  • Page 375 A user-aware firewall rule is activated whenever the user logs in to the ZyWALL and will be disabled after the user logs out of the ZyWALL. ZyWALL USG 20/20W User’s Guide...
  • Page 376: Firewall Rule Example Applications

    (Internet Relay Chat) through the Internet. To do this, you would configure a LAN to WAN firewall rule that blocks IRC traffic from any source IP address from going to any destination address. You do not need to specify a schedule since you need ZyWALL USG 20/20W User’s Guide...
  • Page 377 • Has a static IP address, • You configure a static DHCP entry for it so the ZyWALL always assigns it the same IP address (see DHCP Settings on page 286 for information on DHCP). ZyWALL USG 20/20W User’s Guide...
  • Page 378 CEO) to allow IRC traffic from any source IP address to go to any destination address. Your firewall would have the following configuration. Table 108 Limited LAN1 to WAN IRC Traffic Example 2 USER SOURCE DESTINATION SCHEDULE SERVICE ACTION Allow Deny Allow ZyWALL USG 20/20W User’s Guide...
  • Page 379: Firewall Rule Configuration Example

    At the top of the screen, click Create new Object > Address. The screen for configuring an address object opens. Configure it as follows and click OK. Figure 229 Firewall Example: Create an Address Object Click Create new Object > Service. ZyWALL USG 20/20W User’s Guide...
  • Page 380 Select Dest_1 is selected for the Destination and Doom is selected as the Service. Enter a description and configure the rest of the screen as follows. Click OK when you are done. Figure 231 Firewall Example: Edit a Firewall Rule ZyWALL USG 20/20W User’s Guide...
  • Page 381: The Firewall Screen

    A computer on the LAN1 initiates a connection by sending a SYN packet to a receiving server on the WAN. The ZyWALL reroutes the packet to gateway A, which is in Subnet 2. The reply from the WAN goes to the ZyWALL. ZyWALL USG 20/20W User’s Guide...
  • Page 382: Configuring The Firewall Screen

    So for example, if you configure a NAT entry that sends WAN traffic to a LAN IP address, when you configure a corresponding firewall rule to allow the traffic, you need to set the LAN IP address as the destination. See Section 7.9 on page 132 for an example. ZyWALL USG 20/20W User’s Guide...
  • Page 383 Note: Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL. A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets. Firewall Rule Summary ZyWALL USG 20/20W User’s Guide...
  • Page 384 This is the user name or user group name to which this firewall rule applies. Source This displays the source address object to which this firewall rule applies. Destination This displays the destination address object to which this firewall rule applies. ZyWALL USG 20/20W User’s Guide...
  • Page 385: The Firewall Add/Edit Screen

    Select this check box to activate the firewall rule. From For through-ZyWALL rules, select the direction of travel of packets to which the rule applies. any means all interfaces or VPN tunnels. ZyWALL means packets destined for the ZyWALL itself. ZyWALL USG 20/20W User’s Guide...
  • Page 386: The Session Limit Screen

    Click Configuration > Firewall > Session Limit to display the Firewall Session Limit screen. Use this screen to limit the number of concurrent NAT/firewall sessions a client can use. You can apply a default limit for all users and ZyWALL USG 20/20W User’s Guide...
  • Page 387 [ENTER] to move the rule to the number that you typed. The ordering of your rules is important as they are applied in order of their numbering. Status This icon is lit when the entry is active and dimmed when the entry is inactive. ZyWALL USG 20/20W User’s Guide...
  • Page 388: The Session Limit Add/Edit Screen

    Use to configure any new settings objects that you need to use in this Object screen. Enable Rule Select this check box to turn on this session limit rule. Description Enter information to help you identify this rule. Use up to 64 printable ASCII characters. Spaces are allowed. ZyWALL USG 20/20W User’s Guide...
  • Page 389 For this rule’s users and addresses, this setting overrides the Default Session per Host setting in the general Firewall Session Limit screen. Click OK to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving. ZyWALL USG 20/20W User’s Guide...
  • Page 390 Chapter 22 Firewall ZyWALL USG 20/20W User’s Guide...
  • Page 391: Ipsec Vpn

    VPN gateway a VPN connection policy uses and which devices (behind the IPSec routers) can use the VPN tunnel and the IPSec SA settings (phase 2 settings). You can also activate / deactivate and connect / disconnect each VPN connection (each IPSec SA). ZyWALL USG 20/20W User’s Guide...
  • Page 392: What You Need To Know

    Between routers X and Y, the data is protected by tunneling, encryption, authentication, and other security features of the IPSec SA. The IPSec SA is secure because routers X and Y established the IKE SA first. ZyWALL USG 20/20W User’s Guide...
  • Page 393 Only the clients can initiate the VPN Only this ZyWALL initiate the VPN tunnel. can initiate the VPN tunnel. tunnel. Finding Out More • See Section 6.5.14 on page 101 for related information on these screens. ZyWALL USG 20/20W User’s Guide...
  • Page 394: Before You Begin

    The VPN Connection screen lists the VPN connection policies and their associated VPN gateway(s), and various settings. In addition, it also lets you activate / deactivate and connect / disconnect each VPN connection (each IPSec ZyWALL USG 20/20W User’s Guide...
  • Page 395 To connect an IPSec SA, select it and click Connect. Disconnect To disconnect an IPSec SA, select it and click Disconnect. This field is a sequential value, and it is not associated with a specific connection. ZyWALL USG 20/20W User’s Guide...
  • Page 396: The Vpn Connection Add/Edit (Ike) Screen

    394), and click either the Add icon or an Edit icon. If you click the Add icon, you have to select a specific VPN gateway in the VPN Gateway field before the following screen appears. ZyWALL USG 20/20W User’s Guide...
  • Page 397 Chapter 23 IPSec VPN Figure 241 Configuration > VPN > IPSec VPN > VPN Connection > Edit (IKE) ZyWALL USG 20/20W User’s Guide...
  • Page 398 This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel. VPN Gateway Select the VPN gateway this VPN connection is to use or select Create Object to add another VPN gateway for this VPN connection to use. ZyWALL USG 20/20W User’s Guide...
  • Page 399 Transport - this mode only encrypts the data. The ZyWALL and remote IPSec router must use the same encapsulation. Proposal Click this to create a new entry. Edit Select an entry and click this to be able to modify it. ZyWALL USG 20/20W User’s Guide...
  • Page 400 VPN connection policy. Connectivity The ZyWALL can regularly check the VPN connection to the gateway Check you specified to make sure it is still available. Enable Select this to turn on the VPN connection check. Connectivity Check ZyWALL USG 20/20W User’s Guide...
  • Page 401 (or select Create Object to configure a new one). This is the address object for the local network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT). ZyWALL USG 20/20W User’s Guide...
  • Page 402 The size of the original port range must be the same size as the size of the mapped port range. Click OK to save the changes. Cancel Click Cancel to discard all changes and return to the main VPN screen. ZyWALL USG 20/20W User’s Guide...
  • Page 403: The Vpn Connection Add/Edit Manual Key Screen

    Table 116 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual LABEL DESCRIPTION Manual Key My Address Type the IP address of the ZyWALL in the IPSec SA. 0.0.0.0 is invalid. ZyWALL USG 20/20W User’s Guide...
  • Page 404 Select which hash algorithm to use to authenticate packet data in the Algorithm IPSec SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower. The ZyWALL and remote IPSec router must use the same algorithm. ZyWALL USG 20/20W User’s Guide...
  • Page 405 12345678901234567890 for a MD5 authentication key, the ZyWALL only uses 1234567890123456. The ZyWALL still stores the longer key. Click OK to save your settings and exit this screen. Cancel Click Cancel to exit this screen without saving. ZyWALL USG 20/20W User’s Guide...
  • Page 406: The Vpn Gateway Screen

    This field displays the interface or a domain name the ZyWALL uses for the VPN gateway. Secure Gateway This field displays the IP address(es) of the remote IPSec routers. VPN Connection This field displays VPN connections that use this VPN gateway. ZyWALL USG 20/20W User’s Guide...
  • Page 407: The Vpn Gateway Add/Edit Screen

    The VPN Gateway Add/Edit screen allows you to create a new VPN gateway policy or edit an existing one. To access this screen, go to the VPN Gateway summary screen (see Section 23.3 on page 406), and click either the Add icon or an Edit icon. ZyWALL USG 20/20W User’s Guide...
  • Page 408 Type the name used to identify this VPN gateway. You may use 1-31 Name alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. Gateway Settings ZyWALL USG 20/20W User’s Guide...
  • Page 409 “0123456789ABCDEF” is in ASCII format. If you use hexadecimal, you must enter twice as many characters since you need to enter pairs. The ZyWALL and remote IPSec router must use the same pre-shared key. ZyWALL USG 20/20W User’s Guide...
  • Page 410 E-mail - the ZyWALL is identified by an e-mail address; you can use up to 31 ASCII characters including spaces, although trailing spaces are truncated. This value is only used for identification and can be any string. ZyWALL USG 20/20W User’s Guide...
  • Page 411 Any - the ZyWALL does not check the identity of the remote IPSec router If the ZyWALL and remote IPSec router use certificates, there is one more choice. Subject Name - the remote IPSec router is identified by the subject name in the certificate ZyWALL USG 20/20W User’s Guide...
  • Page 412 Type the maximum number of seconds the IKE SA can last. When (Seconds) this time has passed, the ZyWALL and remote IPSec router have to update the encryption and authentication keys and re-negotiate the IKE SA. This does not affect any existing IPSec SAs, however. ZyWALL USG 20/20W User’s Guide...
  • Page 413 DH5 - use a 1536-bit random number The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group. ZyWALL USG 20/20W User’s Guide...
  • Page 414 IPSec router. The password can be 1-31 ASCII characters. It is case-sensitive, but spaces are not allowed. Click OK to save your settings and exit this screen. Cancel Click Cancel to exit this screen without saving. ZyWALL USG 20/20W User’s Guide...
  • Page 415: Ipsec Vpn Background Information

    IKE SA. In main mode, this is done in steps 1 and 2, as illustrated next. Figure 245 IKE SA: Main Negotiation Mode, Steps 1 - 2: IKE SA Proposal One or more proposals, each one consisting of: - encryption algorithm - authentication algorithm - Diffie-Hellman key group ZyWALL USG 20/20W User’s Guide...
  • Page 416 DH key groups. Diffie-Hellman (DH) Key Exchange The ZyWALL and the remote IPSec router use DH public-key cryptography to establish a shared secret. The shared secret is then used to generate encryption ZyWALL USG 20/20W User’s Guide...
  • Page 417 You have to create (and distribute) a pre-shared key. The ZyWALL and remote IPSec router use it in the authentication process, though it is not actually transmitted or exchanged. Note: The ZyWALL and the remote IPSec router must use the same pre-shared key. ZyWALL USG 20/20W User’s Guide...
  • Page 418 It is also possible to configure the ZyWALL to ignore the identity of the remote IPSec router. In this case, you usually set the peer ID type to Any. This is less secure, so you should only use this if your ZyWALL provides another way to check ZyWALL USG 20/20W User’s Guide...
  • Page 419 For example, the remote IPSec router may be a telecommuter who does not have a static IP address. VPN, NAT, and NAT Traversal In the following example, there is another router (A) between router X and router Figure 248 VPN/NAT Example ZyWALL USG 20/20W User’s Guide...
  • Page 420 If you use extended authentication, it takes four more steps to establish an IKE SA. These steps occur at the end, regardless of the negotiation mode (steps 7-10 in main mode, steps 4-7 in aggressive mode). ZyWALL USG 20/20W User’s Guide...
  • Page 421: Ipsec Sa Overview

    (Encapsulating Security Payload, RFC 2406). Note: The ZyWALL and remote IPSec router must use the same active protocol. Usually, you should select ESP. AH does not support encryption, and ESP is more suitable with NAT. ZyWALL USG 20/20W User’s Guide...
  • Page 422 415), except that you also have the choice whether or not the ZyWALL and remote IPSec router perform a new DH key exchange every time an IPSec SA is established. This is called Perfect Forward Secrecy (PFS). ZyWALL USG 20/20W User’s Guide...
  • Page 423 For authentication, the ZyWALL and remote IPSec router use the SPI, instead of pre-shared keys, ID type and content. The SPI is an identification number. Note: The ZyWALL and remote IPSec router must use the same SPI. ZyWALL USG 20/20W User’s Guide...
  • Page 424 M through the IPSec SA because computer M’s IP address is not part of its local policy. To set up this NAT, you have to specify the following information: • Source - the original source address; most likely, computer M’s network. ZyWALL USG 20/20W User’s Guide...
  • Page 425 IP address of the mail server in the local network (A). • Mapped Port - the translated destination port or range of destination ports. The original port range and the mapped port range must be the same size. ZyWALL USG 20/20W User’s Guide...
  • Page 426 Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide...
  • Page 427: Ssl Vpn

    Figure 251 Network Access Mode: Full Tunnel Mode SSL Access Policy An SSL access policy allows the ZyWALL to perform the following tasks: ZyWALL USG 20/20W User’s Guide...
  • Page 428 ZyWALL (after you have configured the SSL VPN settings on the ZyWALL). • See Chapter 42 on page 621 for details on endpoint security objects. • See Chapter 41 on page 615 for details on SSL application objects. ZyWALL USG 20/20W User’s Guide...
  • Page 429: The Ssl Access Privilege Screen

    This field displays the user account or user group name(s) associated to an SSL access policy. This field displays up to three names. Access Policy This field displays details about the SSL application object this policy Summary uses including its name, type, and address. ZyWALL USG 20/20W User’s Guide...
  • Page 430: The Ssl Access Policy Add/Edit Screen

    24.2.1 The SSL Access Policy Add/Edit Screen To create a new or edit an existing SSL access policy, click the Add or Edit icon in the Access Privilege screen. Figure 253 VPN > SSL VPN > Access Privilege > Add/Edit ZyWALL USG 20/20W User’s Guide...
  • Page 431 Operating System (OS) and security requirements of one of the SSL access policy’s selected endpoint security objects before granting access. Periodical Select this and specify a number of minutes to have the ZyWALL repeat checking time the endpoint security check at a regular interval. ZyWALL USG 20/20W User’s Guide...
  • Page 432 Address Objects list and click <<. Click Ok to save the changes and return to the main Access Privilege screen. Cancel Click Cancel to discard all changes and return to the main Access Privilege screen. ZyWALL USG 20/20W User’s Guide...
  • Page 433: The Ssl Global Setting Screen

    ZyWALL’s DDNS entries. You can specify up to two domain names so you could use one domain name for each of two WAN ports. Do not include the host. For example, www.zyxel.com is a fully qualified domain name where “www” is the host; so you would just use “zyxel.com”.
  • Page 434: How To Upload A Custom Logo

    Upload Click Upload to transfer the specified graphic file from your computer to the ZyWALL. Reset Logo to Click Reset Logo to Default to display the ZyXEL company logo on the Default remote user’s web browser. Apply Click Apply to save the changes and/or start the logo file upload process.
  • Page 435: Establishing An Ssl Vpn Connection

    SSL VPN button to establish an SSL VPN connection. See Section 25.2 on page 438 for details. Display the ZyWALL’s login screen and enter your user account information (the user name and password). Click SSL VPN. Figure 256 Login Screen ZyWALL USG 20/20W User’s Guide...
  • Page 436 Login screen. Clear the Login to SSL VPN check box and try logging in again. For more information on user portal screens, refer to Chapter 25 on page 437. ZyWALL USG 20/20W User’s Guide...
  • Page 437: Ssl User Screens

    ZyWALL SecuExtender client program to your computer. With the ZyWALL SecuExtender, you can access network resources, remote desktops and manage files as if you were on the local network. See Chapter 27 on page 449 for more on the ZyWALL SecuExtender. ZyWALL USG 20/20W User’s Guide...
  • Page 438: Remote User Login

    SSL VPN on the ZyWALL. 25.2 Remote User Login This section shows you how to access and log into the network through the ZyWALL. Example screens for Internet Explorer are shown. ZyWALL USG 20/20W User’s Guide...
  • Page 439 If a token password is also required, enter it in the One-Time Password field. Click SSL VPN to log in and establish an SSL VPN connection to the network to access network resources. Figure 261 Login Screen ZyWALL USG 20/20W User’s Guide...
  • Page 440 Figure 262 Java Needed Message The ZyWALL tries to install the SecuExtender client. As shown next, you may have to click some pop-ups to get your browser to allow the installation. Figure 263 ActiveX Object Installation Blocked by Browser ZyWALL USG 20/20W User’s Guide...
  • Page 441 In Internet Explorer, click Run. Figure 265 SecuExtender Progress Click Next to use the setup wizard to install the SecuExtender client on your computer. Figure 266 SecuExtender Progress ZyWALL USG 20/20W User’s Guide...
  • Page 442 11 The Application screen displays showing the list of resources available to you. Figure 268 on page 443 for a screen example. Note: Available resource links vary depending on the configuration your network administrator made. ZyWALL USG 20/20W User’s Guide...
  • Page 443: The Ssl Vpn User Screens

    Select your preferred language for the interface. This part of the screen displays a list of the resources available to you. In the Application screen, click on a link to access or display the access method. ZyWALL USG 20/20W User’s Guide...
  • Page 444: Bookmarking The Zywall

    To properly terminate a connection, click on the Logout icon in any remote user screen. Click the Logout icon in any remote user screen. A prompt window displays. Click OK to continue. Figure 270 Logout: Prompt ZyWALL USG 20/20W User’s Guide...
  • Page 445 Chapter 25 SSL User Screens An information screen displays to indicate that the SSL VPN connection is about to terminate. Figure 271 Logout: Connection Termination Progress ZyWALL USG 20/20W User’s Guide...
  • Page 446 Chapter 25 SSL User Screens ZyWALL USG 20/20W User’s Guide...
  • Page 447: Ssl User Application Screens

    Virtual Network Computing (VNC) or Remote Desktop Protocol (RDP). To access a web-based application, simply click a link in the Application screen to display the web screen in a separate browser window. Figure 272 Application ZyWALL USG 20/20W User’s Guide...
  • Page 448 Chapter 26 SSL User Application Screens ZyWALL USG 20/20W User’s Guide...
  • Page 449: Zywall Secuextender

    • Gray: the SSL VPN tunnel’s connection is suspended. This means the SSL VPN tunnel is connected, but the ZyWALL SecuExtender will not send any traffic through it until you right-click the icon and resume the connection. ZyWALL USG 20/20W User’s Guide...
  • Page 450: Statistics

    IP addresses that they are currently using. Network 1~4 These are the networks (including netmask) that you can access through the SSL VPN connection. Activity Connected Time This is how long the computer has been connected to the SSL VPN tunnel. ZyWALL USG 20/20W User’s Guide...
  • Page 451: View Log

    27.4 Suspend and Resume the Connection When the ZyWALL SecuExtender icon in the system tray is green, you can right-click the icon and select Suspend Connection to keep the SSL VPN tunnel ZyWALL USG 20/20W User’s Guide...
  • Page 452: Stop The Connection

    27.6 Uninstalling the ZyWALL SecuExtender Do the following if you need to remove the ZyWALL SecuExtender. Click start > All Programs > ZyXEL > ZyWALL SecuExtender > Uninstall. In the confirmation screen, click Yes. Figure 276 Uninstalling the ZyWALL SecuExtender Confirmation Windows uninstalls the ZyWALL SecuExtender.
  • Page 453: Bandwidth Management

    DiffServ and DSCP Marking QoS is used to prioritize source-to-destination traffic flows. All packets in the same flow are given the same priority. CoS (class of service) is a way of managing traffic ZyWALL USG 20/20W User’s Guide...
  • Page 454 • Inbound traffic comes back from the WAN zone device to the LAN1 zone device. Bandwidth management is applied before sending the traffic out a LAN1 zone interface. Figure 278 LAN1 to WAN Connection and Packet Directions ZyWALL USG 20/20W User’s Guide...
  • Page 455 After each application gets its configured bandwidth rate, the ZyWALL uses the fairness-based scheduler to divide any unused bandwidth on the out-going interface amongst applications that need more bandwidth and have maximize bandwidth usage enabled. ZyWALL USG 20/20W User’s Guide...
  • Page 456 A has higher priority, it gets up to its configured rate (800 kbps), leaving only 200 kbps for server B. Table 128 Priority Effect POLICY CONFIGURED RATE MAX. B. U. PRIORITY ACTUAL RATE 800 kbps 800 kbps 1000 kbps 200 kbps ZyWALL USG 20/20W User’s Guide...
  • Page 457: Bandwidth Management Examples

    Bandwidth management is very useful when applications are competing for limited bandwidth. For example, say you have a WAN zone interface connected to an ADSL device with an 8 Mbps downstream and 1 Mbps upstream ADSL connection. ZyWALL USG 20/20W User’s Guide...
  • Page 458: Sip Any To Wan Bandwidth Management Example

    ZyWALL applies this limit before sending the traffic to the WAN. • Inbound traffic (to the LAN and DMZ from the WAN) is also limited to 200 kbps. The ZyWALL applies this limit before sending the traffic to LAN or DMZ. ZyWALL USG 20/20W User’s Guide...
  • Page 459: Sip Wan To Any Bandwidth Management Example

    HTTP traffic gets sent before non-SIP traffic. • Enable maximize bandwidth usage so the HTTP traffic can borrow unused bandwidth. Figure 283 HTTP Any to WAN Bandwidth Management Example Outbound: 200 kbps Inbound: 500 kbps ZyWALL USG 20/20W User’s Guide...
  • Page 460: Ftp Wan To Dmz Bandwidth Management Example

    • Fourth highest priority (4). • Disable maximize bandwidth usage since you do not want to give FTP more bandwidth. Figure 285 FTP LAN to DMZ Bandwidth Management Example Inbound: 50 Mbps Outbound: 50 Mbps ZyWALL USG 20/20W User’s Guide...
  • Page 461: Configuration > Bandwidth Management

    Move to display a field to type a number for where you want to put that entry and press [ENTER] to move the entry to the number that you typed. Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. ZyWALL USG 20/20W User’s Guide...
  • Page 462 The “af” choices stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences. Assured Forwarding (AF) PHB for DiffServ on page 309 for more details. ZyWALL USG 20/20W User’s Guide...
  • Page 463: The Bandwidth Management Add/Edit Screen

    To access this screen, go to the Configuration > Bandwidth Management screen (see Section 28.2 on page 461), and click either the Add icon or an Edit icon. Figure 287 Configuration > Bandwidth Management > Edit ZyWALL USG 20/20W User’s Guide...
  • Page 464 Select preserve to have the ZyWALL keep the packets’ original DSCP value. Select default to have the ZyWALL set the DSCP value of the packets to Bandwidth Management Configure these fields to set the amount of bandwidth the application can use.
  • Page 465 Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL USG 20/20W User’s Guide...
  • Page 467: Adp

    Protocol anomalies are packets that do not comply with the relevant RFC (Request For Comments). Protocol anomaly detection includes HTTP Inspection, TCP Decoder, UDP Decoder and ICMP Decoder. Protocol anomaly rules may be updated when you upload new firmware.
  • Page 468: Before You Begin

    Section 6.5.17 on page 102 for ADP prerequisites. • See Section 29.4 on page 479 for background information on these screens. 29.1.4 Before You Begin Configure the ZyWALL’s zones - see Chapter 15 on page 327 for more information. ZyWALL USG 20/20W User’s Guide...
  • Page 469: The Adp General Screen

    [ENTER] to move the entry to the number that you typed. This is the entry’s index number in the list. Priority This is the rank in the list of anomaly profile policies. The list is applied in order of priority. ZyWALL USG 20/20W User’s Guide...
  • Page 470: The Profile Summary Screen

    Click Reset to return the screen to its last-saved settings. 29.3 The Profile Summary Screen Use this screen to: • Create a new profile using an existing base profile • Edit an existing profile • Delete an existing profile ZyWALL USG 20/20W User’s Guide...
  • Page 471: Base Profiles

    Cancel Click Cancel to exit this screen without saving your changes. 29.3.2 Configuring The ADP Profile Summary Screen Select Configuration > Anti-X > ADP > Profile. Figure 290 Configuration > Anti-X > ADP > Profile ZyWALL USG 20/20W User’s Guide...
  • Page 472: Creating New Adp Profiles

    In the Configuration > Anti-X > ADP > Profile screen, click the Edit icon or click the Add icon and choose a base profile. If you made changes to other screens ZyWALL USG 20/20W User’s Guide...
  • Page 473 belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Traffic Anomaly tab. Figure 291 Profiles: Traffic Anomaly
  • Page 474 The ZyWALL silently drops packets that match the rule. Neither sender nor receiver is notified. This is the entry’s index number in the list. Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
  • Page 475: Protocol Anomaly Profiles

    Add icon and choose a base profile, then select the Protocol Anomaly tab. If you made changes to other screens belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Protocol Anomaly tab. ZyWALL USG 20/20W User’s Guide...
  • Page 476 Figure 292 Profiles: Protocol Anomaly
  • Page 477 To edit an item’s log option, select it and use the Log icon. Select whether to have the ZyWALL generate a log (log), log and alert (log alert) or neither (no) when traffic matches this anomaly rule. See Chapter 44 on page 679 for more on logs. ZyWALL USG 20/20W User’s Guide...
  • Page 478 Select what the ZyWALL should do when a packet matches a rule. none: The ZyWALL takes no action when a packet matches the signature(s). block: The ZyWALL silently drops packets that match the rule. Neither sender nor receiver is notified.
  • Page 479: Adp Technical Reference

    IP protocols such as EGP (Exterior Gateway Protocol) or IGP (Interior Gateway Protocol). Determining these additional protocols can help reveal if the destination device is a workstation, a printer, or a router. ZyWALL USG 20/20W User’s Guide...
  • Page 480 Portscan • UDP Filtered Portscan • IP Filtered Portscan • TCP Filtered Decoy Portscan • UDP Filtered Decoy Portscan • IP Filtered Decoy Portscan • TCP Filtered Portsweep • UDP Filtered Portsweep • IP Filtered Portsweep
  • Page 481 Figure 293 Smurf Attack TCP SYN Flood Attack Usually a client starts a session by sending a SYN (synchronize) packet to a server. The receiver returns an ACK (acknowledgment) packet and its own SYN, and then ZyWALL USG 20/20W User’s Guide...
  • Page 482 In a LAND attack, hackers flood SYN packets into a network with a spoofed source IP address of the network itself. This makes it appear as if the computers in the network sent the packets to themselves, so the network is unavailable while they try to respond to themselves. ZyWALL USG 20/20W User’s Guide...
  • Page 483 “/abc/xyz”. Also, “/abc/./xyz” gets normalized to “/abc/xyz”. If a user wants to configure an alert, then specify “yes”, otherwise “no”. This alert may give false positives since some web sites refer to files using directory traversals. ZyWALL USG 20/20W User’s Guide...
  • Page 484 % encoding. Apache uses this standard, so for any Apache servers, make sure you have this option turned on. When this rule is enabled, ASCII decoding is also enabled to enforce correct functioning. ZyWALL USG 20/20W User’s Guide...
  • Page 485 ICMP Decoder TRUNCATED-ADDRESS-HEADER ATTACK This is when an ICMP packet is sent which has an ICMP datagram length of less than the ICMP address header length. This may cause some applications to crash.
  • Page 486 TRUNCATED-TIMESTAMP-HEADER ATTACK This is when an ICMP packet is sent which has an ICMP datagram length of less than the ICMP Time Stamp header length. This may cause some applications to crash.
  • Page 487: Content Filtering

    • Use schedule objects to define when to apply a content filter profile. • Use address and/or user/group objects to define to whose web access to apply the content filter profile. • Apply a content filter profile that you have custom-tailored. ZyWALL USG 20/20W User’s Guide...
  • Page 488 URL. For example, with the URL www.zyxel.com.tw/news/pressroom.php, the domain name is www.zyxel.com.tw. The file path is the characters that come after the first slash in the URL. For example, with the URL www.zyxel.com.tw/news/pressroom.php, the file path is news/pressroom.php.
  • Page 489: Before You Begin

    For example, with the URL www.zyxel.com.tw/news/pressroom.php, the ZyWALL would find “tw” in the domain name (www.zyxel.com.tw). It would also find “news” in the file path (news/pressroom.php) but it would not find “tw/news”.
  • Page 490 Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate. ZyWALL USG 20/20W User’s Guide...
  • Page 491 The web page you specify here opens in a new frame below the denied access message. Use “http://” or “https://” followed by up to 262 characters (0-9a-zA-Z;/?:@&=+$\.-_!~*'()%). For example, http://192.168.1.17/ blocked access.
  • Page 492: Content Filter Policy Add Or Edit Screen

    30.3 Content Filter Policy Add or Edit Screen Click Configuration > Anti-X > Content Filter > General > Add or Edit to open the Content Filter Policy screen. Use this screen to configure a content ZyWALL USG 20/20W User’s Guide...
  • Page 493 Select any to have the content filter policy apply to all of the web access requests that the ZyWALL receives from any user. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL USG 20/20W User’s Guide...
  • Page 494: Content Filter Profile Screen

    Note: You must register for external content filtering before you can use it. See Section 10.2 on page 212 for how to register. ZyWALL USG 20/20W User’s Guide...
  • Page 495 Chapter 31 on page 513 for how to view content filtering reports. Figure 299 Configuration > Anti-X > Content Filter > Filter Profile > Add
  • Page 496 Figure 300 Configuration > Anti-X > Content Filter > Filter Profile > Add (Continue)
  • Page 497 The ZyWALL then blocks or forwards access to the web page depending on the configuration of the rest of this page. ZyWALL USG 20/20W User’s Guide...
  • Page 498 Select Warn to display a warning message before allowing users to access web pages that the external web filtering service has not categorized. Select Log to record attempts to access web pages that are not categorized. ZyWALL USG 20/20W User’s Guide...
  • Page 499 (that is, it alerts that it will send personal information, be installed, or that it will log keystrokes). Note: Sites rated as spyware should have a second category assigned with them. ZyWALL USG 20/20W User’s Guide...
  • Page 500 Swimsuit This category includes pages that contain images or offer the sale of swimsuits or intimate apparel or other types of suggestive clothing. It does not include pages selling undergarments as a subsection of other products offered.
  • Page 501 It does not include pages that promote collecting weapons, or groups that either support or oppose weapons use. ZyWALL USG 20/20W User’s Guide...
  • Page 502 Software Downloads This category includes pages that are dedicated to the electronic download of software packages, whether for payment or at no charge. Society/Government ZyWALL USG 20/20W User’s Guide...
  • Page 503 Pages This category includes pages that offer access to Usenet news groups or other messaging or bulletin board systems. Also, blog specific sites or an individual with his own blog. This does not include social networking communities with blogs.
  • Page 504 Internet Telephony This category includes pages that facilitate Internet telephony or provide Internet telephony services such as voice over IP (VoIP). Health Related ZyWALL USG 20/20W User’s Guide...
  • Page 505 It also includes pages dedicated to selling board games as well as journals and magazines dedicated to game playing. It includes pages that support or host online sweepstakes and giveaways. ZyWALL USG 20/20W User’s Guide...
  • Page 506 Web Advertisements This category includes pages that provide online advertisements or banners. This does not include advertising servers that serve adult-oriented advertisements. Technology Computers/Internet This category includes pages that sponsor or provide information on computers, technology, the Internet and technology-related organizations and companies. ZyWALL USG 20/20W User’s Guide...
  • Page 507 Filter Category Server Click this button to see the category recorded in the external content filter server’s database for the web page you specified. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 508: Content Filter Blocked And Warning Messages

    > Customization to open the Customization screen. You can create a list of good (allowed) web site addresses and a list of bad (blocked) web site addresses. You can also block web sites based on whether the web site’s address contains a ZyWALL USG 20/20W User’s Guide...
  • Page 509 Restricted Web Features Select the check box(es) to restrict a feature. When you download a page containing a restricted feature, that part of the web page will appear blank or grayed out. ZyWALL USG 20/20W User’s Guide...
  • Page 510 Do not enter the complete URL of the site – that is, do not include “http://”. All subdomains are allowed. For example, entering “zyxel.com” also allows “www.zyxel.com”, “partner.zyxel.com”, “press.zyxel.com”, and so on. You can also enter just a top level domain. For example, enter .com to allow all .com domains.
  • Page 511: Content Filter Technical Reference

    (such as Bad for example). Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. 30.7 Content Filter Technical Reference This section provides content filtering background information. ZyWALL USG 20/20W User’s Guide...
  • Page 512 ZyWALL, which then blocks and/or logs access to the web site based on the settings in the content filter profile. The web site’s address and category are then stored in the ZyWALL’s content filter cache. ZyWALL USG 20/20W User’s Guide...
  • Page 513: Content Filter Reports

    You need to register your iCard before you can view content filtering reports. Alternatively, you can also view content filtering reports during the free trial (up to 30 days). Go to http://www.myZyXEL.com. ZyWALL USG 20/20W User’s Guide...
  • Page 514 Fill in your myZyXEL.com account information and click Login. Figure 303 myZyXEL.com: Login
  • Page 515 Chapter 31 Content Filter Reports A welcome screen displays. Click your ZyWALL’s model name and/or MAC address under Registered ZyXEL Products (the ZyWALL 70 is shown as an example here). You can change the descriptive name for your ZyWALL using the Rename...
  • Page 516 In the Service Management screen click Content Filter in the Service Name column to open the content filter reports screens. Figure 305 myZyXEL.com: Service Management In the Web Filter Home screen, click the Reports tab. Figure 306 Content Filter Reports Main Screen ZyWALL USG 20/20W User’s Guide...
  • Page 517 Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report. The screens vary according to the report type you selected in the Report Home screen.
  • Page 518 A chart and/or list of requested web site categories display in the lower half of the screen. Figure 308 Global Report Screen Example
  • Page 519 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested. Figure 309 Requested URLs Example
  • Page 521: Anti-Spam

    The white list can also increase the ZyWALL’s anti-spam speed and efficiency by not having the ZyWALL perform the full anti-spam checking process on legitimate e-mail.
  • Page 522 For example, in Microsoft’s Outlook Express, select a mail and click File > Properties > Details. This displays the e-mail’s header. Click Message Source to see the source for the entire mail including both the header and the body. ZyWALL USG 20/20W User’s Guide...
  • Page 523: Before You Begin

    Configure your zones before you configure anti-spam. 32.3 The Anti-Spam General Screen Click Configuration > Anti-X > Anti-Spam to open the Anti-Spam General screen. Use this screen to turn the anti-spam feature on or off and manage anti- ZyWALL USG 20/20W User’s Guide...
  • Page 524 Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Edit Select an entry and click this to be able to modify it.
  • Page 525: The Anti-Spam Policy Add Or Edit Screen

    Click the Add or Edit icon in the Configuration > Anti-X > Anti-Spam > General screen to display the configuration screen as shown next. Use this screen to configure an anti-spam policy that controls what traffic direction of e-mail to ZyWALL USG 20/20W User’s Guide...
  • Page 526 To zone. Protocols to Scan Select which protocols of traffic to scan for spam. SMTP applies to traffic using TCP port 25. POP3 applies to traffic using TCP port 110.
  • Page 527: The Anti-Spam Black List Screen

    Configure the black list to identify spam e-mail. You can create black list entries based on the sender’s or relay server’s IP address or e-mail address. You can also create entries that check for particular e-mail header fields with specific values or ZyWALL USG 20/20W User’s Guide...
  • Page 528 This field displays the subject content, source or relay IP address, source e-mail address, or header value for which the entry checks. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG 20/20W User’s Guide...
  • Page 529: The Anti-Spam Black Or White List Add/Edit Screen

    Keyword This field displays when you select the Subject type. Enter up to 63 ASCII characters of text to check for in e-mail headers. Spaces are not allowed, although you could substitute a question mark (?). See Section 32.4.2 on page 530 for more details.
  • Page 530: Regular Expressions In Black Or White List Entries

    You cannot use two wildcards side by side; there must be other characters between them. • The ZyWALL checks the first header with the name you specified in the entry. So if the e-mail has more than one “Received” header, the ZyWALL checks the first one.
  • Page 531: The Anti-Spam White List Screen

    To turn off an entry, select it and click Inactivate. Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. This is the entry’s index number in the list. ZyWALL USG 20/20W User’s Guide...
  • Page 532: The Dnsbl Screen

    DNSBL screen. Use this screen to configure the ZyWALL to check the sender and relay IP addresses in e-mail headers against DNS (Domain Name Service)-based spam Black Lists (DNSBLs). Figure 315 Configuration > Anti-X > Anti-Spam > DNSBL ZyWALL USG 20/20W User’s Guide...
  • Page 533 Enter a message or label (up to 15 ASCII characters) to add to the mail subject of e-mails that the ZyWALL forwards if queries to the DNSBL domains time out. DNSBL Domain List Click this to create a new entry. ZyWALL USG 20/20W User’s Guide...
  • Page 534: Anti-Spam Technical Reference

    • The ZyWALL records DNSBL responses for IP addresses in a cache for up to 72 hours. The ZyWALL checks an e-mail’s sender and relay IP addresses against the cache first and only sends DNSBL queries for IP addresses that are not in the cache. ZyWALL USG 20/20W User’s Guide...
  • Page 535 In this example it was an SMTP mail and the defined action was to drop the mail. The ZyWALL does not wait for any more DNSBL replies. ZyWALL USG 20/20W User’s Guide...
  • Page 536 Now that the ZyWALL has received at least one non-spam reply for each of the e-mail’s routing IP addresses, the ZyWALL immediately classifies the e-mail as legitimate and forwards it. The ZyWALL does not wait for any more DNSBL replies.
  • Page 537 In this example it was an SMTP mail and the defined action was to drop the mail. The ZyWALL does not wait for any more DNSBL replies. ZyWALL USG 20/20W User’s Guide...
  • Page 539: User/Group

    User Types These are the types of user accounts the ZyWALL uses. Table 151 Types of User Accounts TYPE ABILITIES LOGIN METHOD(S) Admin Users admin Change ZyWALL configuration (web, CLI) WWW, TELNET, SSH, FTP, Console ZyWALL USG 20/20W User’s Guide...
  • Page 540 User account in the remote server. User account (Ext-User) in the ZyWALL. Default user account for AD users (ad-users), LDAP users (ldap-users) or RADIUS users (radius-users) in the ZyWALL. ZyWALL USG 20/20W User’s Guide...
  • Page 541 • See Section 7.6 on page 124 for an example of how to use a RADIUS server to authenticate user accounts based on groups. ZyWALL USG 20/20W User’s Guide...
  • Page 542: User Summary Screen

    33.2.1.1 Rules for User Names Enter a user name from 1 to 31 characters. The user name can only contain the following characters: • Alphanumeric A-z 0-9 (there is no unicode support) • _ [underscores] ZyWALL USG 20/20W User’s Guide...
  • Page 543 To access this screen, go to the User screen (see Section 33.2 on page 542), and click either the Add icon or an Edit icon. Figure 320 Configuration > User/Group > User > Add ZyWALL USG 20/20W User’s Guide...
  • Page 544 (see Section 33.4 on page 547), the users can select this check box on their screen as well. In this case, the session is automatically renewed before the lease time expires. ZyWALL USG 20/20W User’s Guide...
  • Page 545: User Group Summary Screen

    Object References Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 11.3.2 on page 232 for an example.
  • Page 546: Group Add/Edit Screen

    This value is case-sensitive. User group names have to be different than user names. Description Enter the description of the user group, if any. You can use up to 60 characters, punctuation marks, and spaces. ZyWALL USG 20/20W User’s Guide...
  • Page 547: Setting Screen

    The Setting screen controls default settings, login settings, lockout settings, and other user settings for the ZyWALL. You can also use this screen to specify when users must log in to the ZyWALL before it routes traffic for them. ZyWALL USG 20/20W User’s Guide...
  • Page 548 Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. This field is a sequential value, and it is not associated with a specific entry. ZyWALL USG 20/20W User’s Guide...
  • Page 549 This field is effective when Enable user idle detection is checked. Type the number of minutes each access user can be logged in and idle before the ZyWALL automatically logs out the access user. User Logon Settings ZyWALL USG 20/20W User’s Guide...
  • Page 550: Default User Authentication Timeout Settings Edit Screens

    These default authentication timeout settings also control the settings for any existing user accounts that are set to use the default settings. You can still manually configure any user account’s authentication timeout settings. ZyWALL USG 20/20W User’s Guide...
  • Page 551 Unlike Lease Time, the user has no opportunity to renew the session without logging out. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL USG 20/20W User’s Guide...
  • Page 552: User Aware Login Example

    Remaining time before auth. timeout This field displays the amount of time that remains before the ZyWALL automatically logs the access user out, regardless of the lease time.
  • Page 553: User /Group Technical Reference

    Web Configurator, to create the accounts. Extract the user names from the LDAP or RADIUS server, and create a shell script that creates the user accounts. See Chapter 45 on page 693 for more information about shell scripts. ZyWALL USG 20/20W User’s Guide...
  • Page 555: Addresses

    WAN IP addresses for LAN to WAN traffic. 34.2 Address Summary Screen The address screens are used to create, maintain, and remove addresses. These are the types of address objects. • HOST - a host address is defined by an IP Address.
  • Page 556 This field displays the IP addresses represented by each address object. If the object’s settings are based on one of the ZyWALL’s interfaces, the name of the interface displays first followed by the object’s current address settings. ZyWALL USG 20/20W User’s Guide...
  • Page 557: Address Add/Edit Screen

    This field is only available if the Address Type is SUBNET, in which case this field cannot be blank. Enter the subnet mask of the network that this address object represents. Use dotted decimal format. ZyWALL USG 20/20W User’s Guide...
  • Page 558: Address Group Summary Screen

    This field is a sequential value, and it is not associated with a specific address group. Name This field displays the name of each address group. Description This field displays the description of each address group, if any. ZyWALL USG 20/20W User’s Guide...
  • Page 559: Address Group Add/Edit Screen

    Move any members you do not want included to the Available list. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL USG 20/20W User’s Guide...
  • Page 561: Services

    Then, the connection is terminated. In contrast, computers use UDP to send short messages to each other. There is no guarantee that the messages arrive in sequence or that the messages arrive at all. ZyWALL USG 20/20W User’s Guide...
  • Page 562: The Service Summary Screen

    In addition, this screen allows you to add, edit, and remove services. To access this screen, log in to the Web Configurator, and click Configuration > Object > Service > Service. Click a column’s heading cell to sort the table ZyWALL USG 20/20W User’s Guide...
  • Page 563 This field is a sequential value, and it is not associated with a specific service. Name This field displays the name of each service. Content This field displays a description of each service. ZyWALL USG 20/20W User’s Guide...
  • Page 564: The Service Add/Edit Screen

    Click Cancel to exit this screen without saving your changes. 35.3 The Service Group Summary Screen The Service Group summary screen provides a summary of all service groups. In addition, this screen allows you to add, edit, and remove service groups. ZyWALL USG 20/20W User’s Guide...
  • Page 565 This field displays the name of each service group. By default, the ZyWALL uses services starting with “Default_Allow_” in the firewall rules to allow certain services to connect to the ZyWALL. Description This field displays the description of each service group, if any. ZyWALL USG 20/20W User’s Guide...
  • Page 566: The Service Group Add/Edit Screen

    Move any members you do not want included to the Available list. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL USG 20/20W User’s Guide...
  • Page 567: Schedules

    (Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday). Recurring schedules always begin and end in the same day. Recurring schedules are useful for defining the workday and off-work hours. ZyWALL USG 20/20W User’s Guide...
  • Page 568: The Schedule Summary Screen

    This field displays the name of the schedule, which is used to refer to the schedule. Start Day / Time This field displays the date and time at which the schedule begins. Stop Day / Time This field displays the date and time at which the schedule ends.
  • Page 569: The One-Time Schedule Add/Edit Screen

    Name Type the name used to refer to the one-time schedule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  • Page 570: The Recurring Schedule Add/Edit Screen

    Click Cancel to exit this screen without saving your changes. 36.2.2 The Recurring Schedule Add/Edit Screen The Recurring Schedule Add/Edit screen allows you to define a recurring schedule or edit an existing one. To access this screen, go to the Schedule screen ZyWALL USG 20/20W User’s Guide...
  • Page 571 Weekly Week Days Select each day of the week the recurring schedule is effective. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL USG 20/20W User’s Guide...
  • Page 573: Aaa Server

    The ZyWALL tries to bind (or log in) to the LDAP/AD server. When the binding process is successful, the ZyWALL checks the user information in the directory against the user name and password pair. If it matches, the user is allowed access. Otherwise, access is blocked. ZyWALL USG 20/20W User’s Guide...
  • Page 574: Radius Server

    37.1.4 What You Can Do in this Chapter • Use the Configuration > Object > AAA Server > Active Directory (or LDAP) screens (Section 37.2 on page 577) to configure Active Directory or LDAP server objects. ZyWALL USG 20/20W User’s Guide...
  • Page 575: What You Need To Know

    RADIUS server. RADIUS authentication allows you to validate a large number of users from a central location. Directory Structure The directory entries are arranged in a hierarchical order much like a tree structure. Normally, the directory structure reflects the geographical or ZyWALL USG 20/20W User’s Guide...
  • Page 576 If the bind password is incorrect, the login will fail. Finding Out More • See Section 7.5.3 on page 122 for an example of how to set up user authentication using a radius server. ZyWALL USG 20/20W User’s Guide...
  • Page 577: Active Directory Or Ldap Server Summary

    37.2.1 Adding an Active Directory or LDAP Server Click Object > AAA Server > Active Directory (or LDAP) to display the Active Directory (or LDAP) screen. Click the Add icon or an Edit icon to display the ZyWALL USG 20/20W User’s Guide...
  • Page 578 Specify the port number on the AD or LDAP server to which the ZyWALL sends authentication requests. Enter a number between 1 and 65535. This port number should be the same on all AD or LDAP server(s) in this group.
  • Page 579: Radius Server Summary

    Click OK to save the changes. Cancel Click Cancel to discard the changes. 37.3 RADIUS Server Summary Use the RADIUS screen to manage the list of RADIUS servers the ZyWALL can use in authenticating users. ZyWALL USG 20/20W User’s Guide...
  • Page 580 Search timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down. Apply Click Apply to save the changes. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG 20/20W User’s Guide...
  • Page 581: Adding A Radius Server

    Address If the RADIUS server has a backup server, enter its address here. Backup Authentication Port Specify the port number on the RADIUS server to which the ZyWALL sends authentication requests. Enter a number between 1 and 65535.
  • Page 582 “sales”, “RD”, and “management”. Then you could also create an ext-group-user user object for each group. One with “sales” as the group identifier, another for “RD” and a third for “management”. Click OK to save the changes. Cancel Click Cancel to discard the changes.
  • Page 583: Authentication Method

    Follow the steps below to specify the authentication method for a VPN connection. Access the Configuration > VPN > IPSec VPN > VPN Gateway > Edit screen. Click Show Advance Setting and select Enable Extended Authentication. ZyWALL USG 20/20W User’s Guide...
  • Page 584: Authentication Method Objects

    Object References: Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 11.3.2 on page 232 for an example. This field displays the index number. Method Name: This field displays a descriptive name for identification purposes.
  • Page 585: Creating An Authentication Method Object

    ZyWALL does not continue the search on the second authentication server when you enter a username and password that do not match the ones on the first authentication server. Note: You can NOT select two server objects of the same type.
  • Page 586 If two accounts with the same username exist on two authentication servers you specify, the ZyWALL does not continue the search on the second authentication server when you enter a username and password that do not match the ones on the first authentication server.
  • Page 587 Click Add to add a new entry. Click Edit to edit the settings of an entry. Click Delete to delete an entry. Click OK to save the changes. Cancel Click Cancel to discard the changes. ZyWALL USG 20/20W User’s Guide...
  • Page 589: Certificates

    Tim wants to send a message to Jenny. He needs her to be sure that it comes from him, and that the message content has not been altered by anyone else along the way. Tim generates a public key pair (one public key and one private key). ZyWALL USG 20/20W User’s Guide...
  • Page 590 • Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys. Self-signed Certificates You can have the ZyWALL act as a certification authority and sign its own certificates. ZyWALL USG 20/20W User’s Guide...
  • Page 591: Verifying A Certificate

    MD5 or SHA1 algorithm. The following procedure describes how to check a certificate’s fingerprint to verify that you have the actual certificate. Browse to where you have the certificate saved on your computer. ZyWALL USG 20/20W User’s Guide...
  • Page 592 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection.
  • Page 593: The My Certificates Screen

    This field displays the certificate index number. The certificates are listed in alphabetical order. Name This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name. ZyWALL USG 20/20W User’s Guide...
  • Page 594: The My Certificates Add Screen

    Click Refresh to display the current validity status of the certificates. 39.2.1 The My Certificates Add Screen Click Configuration > Object > Certificate > My Certificates and then the Add icon to open the My Certificates Add screen. Use this screen to have the ZyWALL USG 20/20W User’s Guide...
  • Page 595 ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request. Figure 352 Configuration > Object > Certificate > My Certificates > Add
  • Page 596 Create a self-signed certificate: Select this to have the ZyWALL generate the certificate and act as the Certification Authority (CA) itself. This way you do not need to apply to a certification authority for certificates.
  • Page 597 You must have the certification authority’s certificate already imported in the Trusted Certificates screen. Click Trusted CAs to go to the Trusted Certificates screen where you can view (and manage) the ZyWALL's list of certificates of trusted certification authorities. ZyWALL USG 20/20W User’s Guide...
  • Page 598 Return and check your information in the My Certificate Create screen. Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the ZyWALL to enroll a certificate online. ZyWALL USG 20/20W User’s Guide...
  • Page 599: The My Certificates Edit Screen

    Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate’s name. Figure 353 Configuration > Object > Certificate > My Certificates > Edit ZyWALL USG 20/20W User’s Guide...
  • Page 600 “none” displays for a certification request. Valid To This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired. “none” displays for a certification request. ZyWALL USG 20/20W User’s Guide...
  • Page 601 Private Key Type the certificate’s password and click this button. Click Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save. ZyWALL USG 20/20W User’s Guide...
  • Page 602: The My Certificates Import Screen

    Type in the location of the file you want to upload in this field or click Browse to find it. You cannot import a certificate with the same name as a certificate that is already in the ZyWALL. Browse Click Browse to find the certificate file you want to upload. ZyWALL USG 20/20W User’s Guide...
  • Page 603: The Trusted Certificates Screen

    Uploading a new firmware or default configuration file does not delete your certificates. To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Subsequent certificates move up by one when you take this action. ZyWALL USG 20/20W User’s Guide...
  • Page 604: The Trusted Certificates Edit Screen

    Edit icon to open the Trusted Certificates Edit screen. Use this screen to view in-depth information about the certificate, change the certificate’s name and set whether or not you want the ZyWALL to check a certification ZyWALL USG 20/20W User’s Guide...
  • Page 605 authority’s list of revoked certificates before trusting a certificate issued by the certification authority. Figure 356 Configuration > Object > Certificate > Trusted Certificates > Edit
  • Page 606 (usually a certification authority). Password: Type the password (up to 31 ASCII characters) from the entity maintaining the CRL directory server (usually a certification authority). Certificate Information: These read-only fields display detailed information about the certificate.
  • Page 607 This is the certificate’s message digest that the ZyWALL calculated using the MD5 algorithm. You can use this value to verify with the certification authority (over the phone for example) that this is actually their certificate. ZyWALL USG 20/20W User’s Guide...
  • Page 608: The Trusted Certificates Import Screen

    ZyWALL. Note: You must remove any spaces from the certificate’s filename before you can import the certificate. Figure 357 Configuration > Object > Certificate > Trusted Certificates > Import ZyWALL USG 20/20W User’s Guide...
  • Page 609: Certificates Technical Reference

    The second is a reduction in network traffic since the ZyWALL only gets information on the certificates that it needs to verify, not a huge list. When the ZyWALL requests certificate status information, the OCSP server returns an “expired”, “current” or “unknown” response.
  • Page 611: Isp Accounts

    ISP accounts in the ZyWALL. 40.2 ISP Account Summary This screen provides a summary of ISP accounts in the ZyWALL. To access this screen, click Configuration > Object > ISP Account. Figure 358 Configuration > Object > ISP Account ZyWALL USG 20/20W User’s Guide...
  • Page 612: Isp Account Edit

    Account screen. (See Section 40.2 on page 611.) Then, click on an Add icon or Edit icon to open the ISP Account Edit screen below. Figure 359 Configuration > Object > ISP Account > Edit ZyWALL USG 20/20W User’s Guide...
  • Page 613 If this ISP account uses the PPPoE protocol, type the PPPoE service name to access. PPPoE uses the specified service name to identify and reach the PPPoE server. This field can be blank. If this ISP account uses the PPTP protocol, this field is not displayed. ZyWALL USG 20/20W User’s Guide...
  • Page 614 ISP Account Edit screen. Cancel Click Cancel to return to the ISP Account screen without creating the profile (if it is new) or saving any changes to the profile (if it already exists). ZyWALL USG 20/20W User’s Guide...
  • Page 615: Ssl Application

    Available SSL application names are displayed as links in remote user screens. Depending on the application type, remote users can simply click the links or follow the steps in the pop-up dialog box to access. ZyWALL USG 20/20W User’s Guide...
  • Page 616: Example: Specifying A Web Site For Access

    This example shows you how to create a web-based application for an internal web site. The address of the web site is http://info with web page encryption. Click Configuration > Object > SSL Application in the navigation panel. ZyWALL USG 20/20W User’s Guide...
  • Page 617: The Ssl Application Screen

    41.2 The SSL Application Screen The main SSL Application screen displays a list of the configured SSL application objects. Click Configuration > Object > SSL Application in the navigation panel. Figure 362 Configuration > Object > SSL Application ZyWALL USG 20/20W User’s Guide...
  • Page 618: Creating/Editing A Web-Based Ssl Application Object

    To configure a web-based application, click the Add or Edit button in the SSL Application screen and select Web Application in the Type field to display the configuration screen as shown. Figure 363 Configuration > Object > SSL Application > Add/Edit: Web Application ZyWALL USG 20/20W User’s Guide...
  • Page 619 If a link contains a file that is not within this domain, then remote users cannot access it. Preview This field displays if the Server Type is set to Web Server, OWA or Weblink. Click Preview to access the URL you specified in a new IE web browser. ZyWALL USG 20/20W User’s Guide...
  • Page 620 Encryption: Select this option to prevent users from saving the web content. Click Ok to save the changes and return to the main SSL Application Configuration screen. Cancel: Click Cancel to discard the changes and return to the main SSL Application Configuration screen.
  • Page 621: Endpoint Security

    SSL VPN access policy; in this example a web server. SSL VPN user C fails all of the SSL VPN’s endpoint security checks and is not given any access. Figure 364 Endpoint Security
  • Page 622: What You Can Do In This Chapter

    User computers must have Sun’s Java (Java Runtime Environment or ‘JRE’) installed and enabled with a minimum version of 1.4. Finding Out More: See Section 7.7 on page 126 for an example of how to use endpoint security and authentication policies.
  • Page 623: Endpoint Security Screen

    Failure Message: Enter a message to display when a user’s computer fails the endpoint security check. Use up to 1023 characters (0-9a-zA-Z;/?:@=+$\.-_!*'()%,”). For example, “Endpoint Security checking failed. Please contact your network administrator for help.”.
  • Page 624: Endpoint Security Add/Edit

    Click Configuration > Object > Endpoint Security and then the Add (or Edit) icon to open the Endpoint Security Edit screen. Use this screen to configure an endpoint security object. Figure 366 Configuration > Object > Endpoint Security > Add ZyWALL USG 20/20W User’s Guide...
  • Page 626 The user’s computer must have one of the listed personal firewalls to pass this checking item. For some personal firewalls the ZyWALL can also detect whether or not the firewall is activated; in those cases it must also be activated. ZyWALL USG 20/20W User’s Guide...
  • Page 627 The user's computer must not have any of the listed applications running to pass this checking item. Include the filename extension for Linux operating systems. Click Add to create a new entry. Select one or more entries and click Remove to delete it or them. ZyWALL USG 20/20W User’s Guide...
  • Page 628 The user’s computer must pass one of the listed file information checks to pass this checking item. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. ZyWALL USG 20/20W User’s Guide...
  • Page 629: System

    IP addresses the access can come. You can upload and download the ZyWALL’s firmware and configuration files using FTP. Please also see Chapter 45 on page 693 for more information about firmware and configuration files. ZyWALL USG 20/20W User’s Guide...
  • Page 630: Host Name

    IP addresses the access can come. • Vantage CNM (Centralized Network Management) is a browser-based global management tool that allows an administrator to manage ZyXEL devices. Use the System > Vantage CNM screen (see Section 43.12 on page 674) to allow your ZyWALL to be managed by the Vantage CNM server.
  • Page 631: Usb Storage

    Click Reset to return the screen to its last-saved settings. 43.4 Date and Time For effective scheduling and logging, the ZyWALL system time must be accurate. The ZyWALL’s Real Time Chip (RTC) keeps track of the time and date. There is also ZyWALL USG 20/20W User’s Guide...
  • Page 632 When you enter the time settings manually, the ZyWALL uses the new setting once you click Apply. ZyWALL USG 20/20W User’s Guide...
  • Page 633 European Union you would select Last, Sunday, March. The time you type in the at field depends on your time zone. In Germany for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1). ZyWALL USG 20/20W User’s Guide...
  • Page 634: Pre-Defined Ntp Time Servers List

    If the synchronization fails, then the ZyWALL goes through the rest of the list in order from the first one tried until either it is successful or all the pre-defined NTP time servers have been tried. ZyWALL USG 20/20W User’s Guide...
  • Page 635: Time Server Synchronization

    Select Get from Time Server under Time and Date Setup. Under Time Zone Setup, select your Time Zone from the list. As an option you can select the Enable Daylight Saving check box to adjust the ZyWALL clock for daylight savings. ZyWALL USG 20/20W User’s Guide...
  • Page 636: Console Port Speed

    DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. ZyWALL USG 20/20W User’s Guide...
  • Page 637: Dns Server Address Assignment

    You can also configure the ZyWALL to accept or discard DNS queries. Use the Network > Interface screens to configure the DNS server information that the ZyWALL sends to the specified DHCP client devices. Figure 372 Configuration > System > DNS ZyWALL USG 20/20W User’s Guide...
  • Page 638 (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain.
  • Page 639 DNS queries. Action This displays whether the ZyWALL accepts DNS queries from the computer with the IP address specified above through the specified zone (Accept) or discards them (Deny). ZyWALL USG 20/20W User’s Guide...
  • Page 640: Address Record

    An address record contains the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com” is the top level domain.
  • Page 641: Domain Zone Forwarder

    For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain.
  • Page 642: Mx Record

    For example, whenever the ZyWALL needs to resolve a zyxel.com.tw domain name, it can send a query to the recorded name server IP address. Enter * if all domain zones are served by the specified DNS server(s).
  • Page 643: Adding A Mx Record

    Click Cancel to exit this screen without saving. 43.6.10 Adding a DNS Service Control Rule: Click the Add icon in the Service Control table to add a service control rule. Figure 376 Configuration > System > DNS > Service Control Rule Add
  • Page 644: Www Overview

    HTTPS access from all zones except the LAN. To stop a service from accessing the ZyWALL, clear Enable in the corresponding service screen. 43.7.1 Service Access Limitations A service cannot be used to access the ZyWALL when: ZyWALL USG 20/20W User’s Guide...
  • Page 645: System Timeout

    Certificates is optional and if selected means the HTTPS client must send the ZyWALL a certificate. You must apply for a certificate for the browser from a CA that is a trusted CA on the ZyWALL. ZyWALL USG 20/20W User’s Guide...
  • Page 646: Configuring Www Service Control

    Click Configuration > System > WWW to open the WWW screen. Use this screen to specify from which zones you can access the ZyWALL using HTTP or HTTPS. You can also specify which IP addresses the access can come from. ZyWALL USG 20/20W User’s Guide...
  • Page 647 Enable: Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL Web Configurator using secure HTTPS connections.
  • Page 648 This is the object name of the IP address(es) with which the computer is allowed or denied to access. Action This displays whether the computer with the IP address specified above can access the ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny). ZyWALL USG 20/20W User’s Guide...
  • Page 649 ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny). Authentication. Client Authentication Method: Select a method the HTTPS or HTTP server uses to authenticate a client. You must have configured the authentication methods in the Auth. method screen.
  • Page 650: Service Control Rules

    Click Cancel to exit this screen without saving. 43.7.6 Customizing the WWW Login Page: Click Configuration > System > WWW > Login Page to open the Login Page screen. Use this screen to customize the Web Configurator login screen. You can
  • Page 651 Web Configurator to access network services like the Internet. See Chapter 33 on page for more on access user accounts. Figure 380 Configuration > System > WWW > Login Page ZyWALL USG 20/20W User’s Guide...
  • Page 652 [Figure 382 Access Page Customization; labeled elements: Logo, Title, Message (color of all text), Note Message (last line of text), Window Background] You can specify colors in one of the following ways:
  • Page 653 Web Configurator to access network services like the Internet. Title Enter the title for the top of the screen. Use up to 64 printable ASCII characters. Spaces are allowed. Message Color Specify the color of the screen’s text. ZyWALL USG 20/20W User’s Guide...
  • Page 654: Https Example

    You see the following Security Alert screen in Internet Explorer. Select Yes to proceed to the Web Configurator login screen; if you select No, then Web Configurator access is blocked. Figure 383 Security Alert Dialog Box (Internet Explorer) ZyWALL USG 20/20W User’s Guide...
  • Page 655: Netscape Navigator Warning Messages

    Figure 385 Security Certificate 2 (Netscape) 43.7.7.3 Avoiding Browser Warning Messages Here are the main reasons your browser displays warnings about the ZyWALL’s HTTPS server certificate and what you can do to avoid seeing the warnings: ZyWALL USG 20/20W User’s Guide...
  • Page 656: Login Screen

    The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL. You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details). ZyWALL USG 20/20W User’s Guide...
  • Page 657 43.7.7.5.1 Installing the CA’s Certificate Double click the CA’s trusted certificate to produce a screen similar to the one shown next. Figure 388 CA Certificate Example Click Install Certificate and follow the wizard as shown earlier in this appendix. ZyWALL USG 20/20W User’s Guide...
  • Page 658 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 390 Personal Certificate Import Wizard 2 ZyWALL USG 20/20W User’s Guide...
  • Page 659 Figure 391 Personal Certificate Import Wizard 3 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location. Figure 392 Personal Certificate Import Wizard 4 ZyWALL USG 20/20W User’s Guide...
  • Page 660: Using A Certificate When Accessing The Zywall Example

    43.7.7.6 Using a Certificate When Accessing the ZyWALL Example: Use the following procedure to access the ZyWALL via HTTPS. Enter ‘https://ZyWALL IP Address/’ in your browser’s web address field. Figure 395 Access the ZyWALL Via HTTPS
  • Page 661: Ssh

    Figure 397 Secure Web Configurator Login Screen 43.8 SSH You can use SSH (Secure SHell) to securely access the ZyWALL’s command line interface. Specify which zones allow SSH access and from which IP address the access can come. ZyWALL USG 20/20W User’s Guide...
  • Page 662: How Ssh Works

    The client automatically saves any new server public keys. In subsequent connections, the server public key is checked against the saved version on the client computer. ZyWALL USG 20/20W User’s Guide...
  • Page 663: Ssh Implementation On The Zywall

    Click Configuration > System > SSH to change your ZyWALL’s Secure Shell settings. Use this screen to specify from which zones SSH can be used to manage the ZyWALL. You can also specify from which IP addresses the access can come. ZyWALL USG 20/20W User’s Guide...
  • Page 664 Remove To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action. ZyWALL USG 20/20W User’s Guide...
  • Page 665: Secure Telnet Using Ssh Examples

    Configure the SSH client to accept connection using SSH version 1. A window displays prompting you to store the host key in your computer. Click Yes to continue. Figure 401 SSH Example 1: Store Host Key
  • Page 666: Telnet

    Administrator@192.168.1.1's password: The CLI screen displays next. 43.9 Telnet You can use Telnet to access the ZyWALL’s command line interface. Specify which zones allow Telnet access and from which IP address the access can come. ZyWALL USG 20/20W User’s Guide...
  • Page 667: Configuring Telnet

    To change an entry’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed. ZyWALL USG 20/20W User’s Guide...
  • Page 668: Ftp

    43.10.1 Configuring FTP To change your ZyWALL’s FTP settings, click Configuration > System > FTP tab. The screen appears as shown. Use this screen to specify from which zones FTP can ZyWALL USG 20/20W User’s Guide...
  • Page 669 Remove To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action. ZyWALL USG 20/20W User’s Guide...
  • Page 670: Snmp

    Simple Network Management Protocol is a protocol used for exchanging management information between network devices. Your ZyWALL supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyWALL through the network. The ZyWALL supports SNMP version one (SNMPv1) ZyWALL USG 20/20W User’s Guide...
  • Page 671 SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations: • Get - Allows the manager to retrieve an object variable from the agent. ZyWALL USG 20/20W User’s Guide...
  • Page 672: Supported Mibs

    43.11.1 Supported MIBs The ZyWALL supports MIB II that is defined in RFC-1213 and RFC-1215. The ZyWALL also supports private MIBs (zywall.mib and zyxel-zywall-ZLD-Common.mib) to collect information about CPU and memory usage and VPN total throughput. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance.
  • Page 673 SNMP manager. The default is public and allows all requests. Destination: Type the IP address of the station to send your SNMP traps to. Service Control: This specifies from which computers you can access which ZyWALL zones.
  • Page 674: Vantage Cnm

    Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide. See the Vantage CNM User's Guide for details. If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not do any configurations directly to the ZyWALL (using either the Web Configurator or commands) without notifying the Vantage CNM administrator.
  • Page 675: Configuring Vantage Cnm

    If the Vantage CNM server is behind a firewall, you may have to create a rule on the firewall to allow UDP port 11864 traffic through to the Vantage CNM server (most (new) ZyXEL firewalls automatically allow this). ZyWALL USG 20/20W User’s Guide...
  • Page 676 Certificate: Select the Vantage CNM server’s certificate. This applies when you enable HTTPS authentication. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to return the screen to its last-saved settings.
  • Page 677: Language Screen

    You also need to open a new browser session to display the screens in the new language. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG 20/20W User’s Guide...
  • Page 679: Log And Report

    44.2 Email Daily Report Use the Email Daily Report screen to start or stop data collection and view various statistics about traffic passing through your ZyWALL. Note: Data collection may decrease the ZyWALL’s traffic throughput rate. ZyWALL USG 20/20W User’s Guide...
  • Page 680 Click Configuration > Log & Report > Email Daily Report to display the following screen. Configure this screen to have the ZyWALL e-mail you system statistics every day. Figure 410 Configuration > Log & Report > Email Daily Report ZyWALL USG 20/20W User’s Guide...
  • Page 681: Log Setting Screens

    The system log is available on the View Log tab, the e-mail profiles are used to mail log messages to the specified destinations, and the other four logs are stored on specified syslog servers. ZyWALL USG 20/20W User’s Guide...
  • Page 682: Log Setting Summary

    Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate. ZyWALL USG 20/20W User’s Guide...
  • Page 683: Edit System Log Settings

    Log Format This field displays the format of the log. Internal - system log; you can view the log on the View Log tab. VRPT/Syslog - ZyXEL’s Vantage Report, syslog-compatible format. CEF/Syslog - Common Event Format, syslog-compatible format. Summary This field is a summary of the settings for each log. Please see Section 44.3.2 on page 683...
  • Page 684 Figure 412 Configuration > Log & Report > Log Setting > Edit (System Log)
  • Page 685 2 also has normal logs enabled, the ZyWALL will e-mail logs to them. enable normal logs and debug logs (yellow check mark) - create log messages, alerts, and debugging information for all categories. The ZyWALL does not e-mail debugging information, even if this setting is selected. ZyWALL USG 20/20W User’s Guide...
  • Page 686 (green check mark) and/or in alerts (red exclamation point) for the e-mail settings specified in E-Mail Server 2. The ZyWALL does not e-mail debugging information, even if it is recorded in the System log. Log Consolidation ZyWALL USG 20/20W User’s Guide...
  • Page 687 Message field. Click this to save your changes and return to the previous screen. Cancel Click this to return to the previous screen without saving your changes. ZyWALL USG 20/20W User’s Guide...
  • Page 688: Edit Remote Server Log Settings

    (syslog). Go to the Log Settings Summary screen (see Section 44.3.1 on page 682), and click a remote server Edit icon. Figure 413 Configuration > Log & Report > Log Setting > Edit (Remote Server) ZyWALL USG 20/20W User’s Guide...
  • Page 689 Active Log section. Log Format: This field displays the format of the log information. It is read-only. VRPT/Syslog - ZyXEL’s Vantage Report, syslog-compatible format. CEF/Syslog - Common Event Format, syslog-compatible format. Server Address: Type the server name or the IP address of the syslog server to which to send log information.
  • Page 690: Active Log Summary Screen

    This screen provides a different view and a different way of indicating which messages are included in each log and each alert. Please see Section 44.3.2 on page 683, where this process is discussed. (The Default category includes debugging messages generated by open source software.) ZyWALL USG 20/20W User’s Guide...
  • Page 691 This field displays each category of messages. It is the same value used in the Display and Category fields in the View Log tab. The Default category includes debugging messages generated by open source software. ZyWALL USG 20/20W User’s Guide...
  • Page 692 (yellow check mark) - log regular information, alerts, and debugging information from this category Click this to save your changes and return to the previous screen. Cancel Click this to return to the previous screen without saving your changes. ZyWALL USG 20/20W User’s Guide...
  • Page 693: File Manager

    When you apply a configuration file, the ZyWALL uses the factory default settings for any features that the configuration file does not include. When you run a shell script, the ZyWALL only applies the commands that it contains. Other settings do not change. ZyWALL USG 20/20W User’s Guide...
  • Page 694: Comments In Configuration Files Or Shell Scripts

    Comments in Configuration Files or Shell Scripts In a configuration file or shell script, use “#” or “!” as the first character of a command line to have the ZyWALL treat the line as a comment. ZyWALL USG 20/20W User’s Guide...
  • Page 695 The ZyWALL ignores any errors in the configuration file or shell script and applies all of the valid commands. The ZyWALL still generates a log for any errors. ZyWALL USG 20/20W User’s Guide...
  • Page 696: The Configuration File Screen

    The ZyWALL still generates a log for any errors. Figure 416 Maintenance > File Manager > Configuration File Do not turn off the ZyWALL while configuration file upload is in progress. ZyWALL USG 20/20W User’s Guide...
  • Page 697 Click OK to delete the configuration file or click Cancel to close the screen without deleting the configuration file. Download Click a configuration file’s row to select it and click Download to save the configuration to your computer. ZyWALL USG 20/20W User’s Guide...
  • Page 698 Specify a name for the duplicate configuration file. Use up to 25 characters (including a-zA-Z0-9;‘~!@#$%^&()_+[]{}’,.=-). Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file. ZyWALL USG 20/20W User’s Guide...
  • Page 699 The total number of configuration files that you can save depends on the sizes of the configuration files and the available flash storage space. ZyWALL USG 20/20W User’s Guide...
  • Page 700: The Firmware Package Screen

    45.3 The Firmware Package Screen Click Maintenance > File Manager > Firmware Package to open the Firmware Package screen. Use the Firmware Package screen to check your current firmware version and upload firmware to the ZyWALL. ZyWALL USG 20/20W User’s Guide...
  • Page 701 See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it. Find the firmware package at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, “zywall.bin”.
  • Page 702: The Shell Script Screen

    If you do not use the write command, the changes will be lost when the ZyWALL restarts. You could use multiple write commands in a long script. Figure 424 Maintenance > File Manager > Shell Script
  • Page 703 Specify a name for the duplicate file. Use up to 25 characters (including a-zA-Z0-9;‘~!@#$%^&()_+[]{}’,.=-). Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file.
  • Page 704 Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse... Click Browse... to find the .zysh file you want to upload. Upload Click Upload to begin the upload process. This process may take up to several minutes. ZyWALL USG 20/20W User’s Guide...
  • Page 705: Diagnostics

    46.2 The Diagnostic Screen The Diagnostic screen provides an easy way for you to generate a file containing the ZyWALL’s configuration and diagnostic information. You may need to send this file to customer support for troubleshooting. ZyWALL USG 20/20W User’s Guide...
  • Page 706: The Diagnostics Files Screen

    This screen lists the files of diagnostic information the ZyWALL has collected and stored in a connected USB storage device. You may need to send these files to customer support for troubleshooting. Figure 428 Maintenance > Diagnostics > Files ZyWALL USG 20/20W User’s Guide...
  • Page 707: The Packet Capture Screen

    Use this screen to capture network traffic going through the ZyWALL’s interfaces. Studying these packet captures may help you identify network problems. Click Maintenance > Diagnostics > Packet Capture to open the packet capture screen. ZyWALL USG 20/20W User’s Guide...
  • Page 708 Select User Defined to be able to enter an IP address. Host Port This field is configurable when you set the IP Type to any, tcp, or udp. Specify the port number of traffic to capture. ZyWALL USG 20/20W User’s Guide...
  • Page 709 Modifying the file suffix also avoids making new capture files that overwrite existing files of the same name. The file name format is “interface name-file suffix.cap”, for example “vlan2-packet-capture.cap”. ZyWALL USG 20/20W User’s Guide...
  • Page 710: The Packet Capture Files Screen

    ZyWALL or a connected USB storage device. You can download the files to your computer where you can study them using a packet analyzer (also known as a network or protocol analyzer) such as Wireshark. Figure 430 Maintenance > Diagnostics > Packet Capture > Files ZyWALL USG 20/20W User’s Guide...
  • Page 711: Example Of Viewing A Packet Capture File

    Notice that the size of frame 15 on the wire is 1514 bytes while the captured size is only 1500 bytes. The ZyWALL truncated the frame because the capture screen’s Number Of Bytes To Capture (Per Packet) field was set to 1500 bytes. ZyWALL USG 20/20W User’s Guide...
  • Page 712: Core Dump Screen

    USB storage device if the process terminates abnormally (crashes). You may need to send this file to customer support for troubleshooting. Click Maintenance > Diagnostics > Core Dump to open the following screen. Figure 432 Maintenance > Diagnostics > Core Dump ZyWALL USG 20/20W User’s Guide...
  • Page 713: Core Dump Files Screen

    This column displays the number for each packet capture file entry. The total number of packet capture files that you can save depends on the file sizes and the available flash storage space. File Name This column displays the label that identifies the file. ZyWALL USG 20/20W User’s Guide...
  • Page 714: The System Log Screen

    This column displays the label that identifies the file. Size: This column displays the size (in bytes) of a file. Last Modified: This column displays the date and time that the individual files were saved.
  • Page 715: Packet Flow Explore

    • use policy routes to control 1-1 NAT by using the policy control-virtual- server-rules activate command. • select use policy routes to control dynamic IPSec rules in the CONFIGURATION > VPN > IPSec VPN > VPN Connection screen. ZyWALL USG 20/20W User’s Guide...
  • Page 716 Figure 436 Maintenance > Packet Flow Explore > Routing Status (Policy Route) Figure 437 Maintenance > Packet Flow Explore > Routing Status (1-1 SNAT) Figure 438 Maintenance > Packet Flow Explore > Routing Status (SitetoSite VPN) ZyWALL USG 20/20W User’s Guide...
  • Page 717 Figure 440 Maintenance > Packet Flow Explore > Routing Status (Static-Dynamic Route) Figure 441 Maintenance > Packet Flow Explore > Routing Status (Default WAN Trunk) Figure 442 Maintenance > Packet Flow Explore > Routing Status (Main Route) ZyWALL USG 20/20W User’s Guide...
  • Page 718 This is the DSCP value of incoming packets to which this policy route applies. See Section 13.2 on page 300 for more information. Next Hop Type: This is the type of the next hop to which packets are directed.
  • Page 719: The Snat Status Screen

    Maintenance > Packet Flow Explore > SNAT Status. The order of the SNAT flow may vary depending on whether you: • select use default SNAT in the CONFIGURATION > Network > Interface > Trunk screen. ZyWALL USG 20/20W User’s Guide...
  • Page 720 Figure 444 Maintenance > Packet Flow Explore > SNAT Status (1-1 SNAT) Figure 445 Maintenance > Packet Flow Explore > SNAT Status (Loopback SNAT) Figure 446 Maintenance > Packet Flow Explore > SNAT Status (Default SNAT) ZyWALL USG 20/20W User’s Guide...
  • Page 721 This indicates which source IP address the SNAT rule uses finally. For example, Outgoing Interface IP means that the ZyWALL uses the IP address of the outgoing interface as the source IP address for the matched packets it sends out through this rule. ZyWALL USG 20/20W User’s Guide...
  • Page 723: Reboot

    Click the Reboot button to restart the ZyWALL. Wait a few minutes until the login screen appears. If the login screen does not appear, type the IP address of the device in your Web browser. You can also use the CLI command reboot to restart the ZyWALL. ZyWALL USG 20/20W User’s Guide...
  • Page 725: Shutdown

    Click the Shutdown button to shut down the ZyWALL. Wait for the device to shut down before you manually turn off or remove the power. It does not turn off the power. You can also use the CLI command shutdown to shut down the ZyWALL.
  • Page 727: Troubleshooting

    5 seconds (or until the PWR LED starts to blink), then release it. It returns the ZyWALL to the factory defaults (password is 1234, LAN IP address 192.168.1.1 etc.; see your User’s Guide for details). ZyWALL USG 20/20W User’s Guide...
  • Page 728 The ZyWALL checks the policy routes in the order that they are listed. So make sure that your custom policy route comes before any other routes that the traffic would also match. The ZyWALL is not applying the custom firewall rule I configured. ZyWALL USG 20/20W User’s Guide...
  • Page 729 I cannot set up a PPP interface. You have to set up an ISP account before you create a PPPoE or PPTP interface. The data rates through my cellular connection are nowhere near the rates I expected.
  • Page 730 I have it configured it on top of another Ethernet interface. Each VLAN interface is created on top of only one Ethernet interface. The ZyWALL is not applying an interface’s configured ingress bandwidth limit. ZyWALL USG 20/20W User’s Guide...
  • Page 731 The ZyWALL is not applying a policy route’s port triggering settings. You also need to create a firewall rule to allow an incoming service. I cannot get Dynamic DNS to work. • You must have a public WAN IP address to use Dynamic DNS. ZyWALL USG 20/20W User’s Guide...
  • Page 732 If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into both ZyXEL IPSec routers and check the settings in each field methodically and slowly. Make sure both the ZyWALL and remote IPSec router have the same security settings for the VPN tunnel.
  • Page 733 ZyWALL encrypts them and check packets the ZyWALL receives after the ZyWALL decrypts them. This depends on the zone to which you assign the VPN tunnel and the zone from which and to which traffic may be routed. ZyWALL USG 20/20W User’s Guide...
  • Page 734 I logged into the SSL VPN but cannot see some of the resource links. Available resource links vary depending on the SSL application object’s configuration. I changed the LAN IP address and can no longer access the Internet. ZyWALL USG 20/20W User’s Guide...
  • Page 735 I cannot add the default admin account to a user group. You cannot put the default admin account into any user group. The schedule I configured is not being applied at the configured times. Make sure the ZyWALL’s current date and time are correct. ZyWALL USG 20/20W User’s Guide...
  • Page 736 I uploaded a logo to display on the upper left corner of the Web Configurator login screen and access page but it does not display properly. Make sure the logo file is a GIF, JPG, or PNG of 100 kilobytes or less. ZyWALL USG 20/20W User’s Guide...
  • Page 737 I cannot get the firmware uploaded using the commands. The Web Configurator is the recommended method for uploading firmware. You only need to use the command line interface if you need to recover the firmware. ZyWALL USG 20/20W User’s Guide...
  • Page 738: Resetting The Zywall

    Note: This procedure removes the current configuration. If you want to reboot the device without changing the current configuration, see Chapter 48 on page 723. Make sure the SYS LED is on and not blinking. ZyWALL USG 20/20W User’s Guide...
  • Page 739: Getting More Troubleshooting Help

    Release the RESET button, and wait for the ZyWALL to restart. You should be able to access the ZyWALL using the default settings. 50.2 Getting More Troubleshooting Help Search for support information for your model at www.zyxel.com for more troubleshooting suggestions. ZyWALL USG 20/20W User’s Guide...
  • Page 741: Product Specifications

    Number of Ethernet interfaces: 4
    Management interface: RS-232, DB9F connector
    USB Slots: 1, 2.0 plug and play
    Compatible USB Cards (3G): See www.zyxel.com for the supported 3G cards.
    Power Requirements: 12V DC
    Operating Environment: Temperature: 0 C to 40 C...
  • Page 742 Maximum Session Limit per Host Rules USER PROFILES Maximum Local Users Maximum Admin Users Maximum User Groups Maximum Users in One User Group OBJECTS Address Objects Address Groups Maximum address object in one group Service Objects ZyWALL USG 20/20W User’s Guide...
  • Page 743 2 per interface CENTRALIZED LOG Log Entries Debug Log Entries 1024 Admin E-mail Addresses Syslog Servers Maximum Number of ADP Profiles Maximum Number of ADP Rules Maximum Block Host Number 1000 Maximum Block Period 3600 ZyWALL USG 20/20W User’s Guide...
  • Page 744 Interface-PPTP: RFCs 2637, 3078; Interface-PPPOE: RFC 2516; Interface-VLAN: IEEE 802.1Q; Dynamic Route, Show IP route: RFCs 1058, 2082, 2453, 2328, 3101, 3137; Telnet server: RFCs 1408, 1572; SSH server: RFCs 4250, 4251, 4252, 4253, 4254
  • Page 745: Power Adaptor Specifications

    Table 232 North American Plug Standards
    AC POWER ADAPTOR MODEL: PSA18R-120P (ZA)-R
    INPUT POWER: 100-240VAC, 50/60HZ, 0.5A
    OUTPUT POWER: 12VDC, 1.5A
    POWER CONSUMPTION: 20 W MAX.
    SAFETY STANDARDS: UL, CUL (UL 60950-1 FIRST EDITION CSA C22.2 NO. 60950-1-03 1ST.)
  • Page 746 12VDC, 3.5A POWER CONSUMPTION 20 W MAX. SAFETY STANDARDS Table 237 China Plug Standards AC POWER ADAPTOR MODEL PSA18R-120P (ZA)-R INPUT POWER 100-240VAC, 50/60HZ, 0.5A OUTPUT POWER 12VDC, 3.5A POWER CONSUMPTION 20 W MAX. SAFETY STANDARDS ZyWALL USG 20/20W User’s Guide...
  • Page 747: Appendix A Log Descriptions

    %s: website host
    Log message: %s: Service is not registered | Description: The device allowed access to a web site. The content filtering service is unregistered and the default policy is not set to block. %s: website host
  • Page 748 Log message: %s: Contains Java applet | Description: The web site contains Java applet and access was blocked according to a profile. %s: website host
    Log message: %s: Contains cookie | Description: The web site contains a cookie and access was blocked according to a profile. %s: website host
  • Page 749 Log message: White List rule %d has been activated. | Description: The anti-spam white list rule with the specified index number (%d) has been turned on.
    Log message: White List rule %d has been deactivated. | Description: The anti-spam white list rule with the specified index number (%d) has been turned off.
  • Page 750 %s) and Subject (second %s) header values are listed. From:%s Subject:%s
    Log message: Mail sessions have reached the maximum threshold of %d. | Description: The number of concurrent e-mail sessions has exceeded the maximum number of concurrent e-mail sessions that the anti-spam feature can handle (%d).
  • Page 751 Log message: The %s address-object is wrong type for '2nd-wins' in SSL Policy %s. | Description: The listed address object (first %s) is not the right kind for the second WINS server specified in the listed SSL VPN policy (second %s).
  • Page 752 Log message: SSL VPN policy rule %s has been moved to %d. | Description: position (%d) in the list of SSL VPN policies.
    Log message: SSL VPN policy rule %s has been deleted. | Description: The listed SSL VPN policy has been removed.
  • Page 753 SSLVPN from %s exist. (incorrect password or inexistent username)
    Log message: %s: Failed to receive messages from uam daemon. | Description: Messages were not received from the UAM daemon.
  • Page 754 Can't append entry: %s! 1st:zysh entry name 1st:zysh entry name Can't set entry: %s! Can't define entry: %s! 1st:zysh entry name 1st:zysh list name %s: list is full! 1st:zysh list name Can't undefine %s ZyWALL USG 20/20W User’s Guide...
  • Page 755 Log message: Unable to move entry #%d! | Description: 1st:zysh entry num
    Log message: %s: apply failed at initial stage! | Description: 1st:zysh table name
    Log message: %s: apply failed at main stage! | Description: 1st:zysh table name
    Log message: %s: apply failed at closing stage! | Description: 1st:zysh table name
  • Page 756 Log message: LAND attack packet. Source IP is the same as Destination IP. | Description: The ZyWALL’s ADP feature detected traffic with the same IP address set as both the source and the destination.
  • Page 757 Log message: Address %u.%u.%u.%u has been put into lockout state | Description: Too many failed login attempts were made from an IP address so the ZyWALL is blocking login attempts from that IP address. %u.%u.%u.%u: the source address of the user’s login attempt
  • Page 758: Myzyxel.com Logs

    Log message: Device registration has failed:%s. | Description: Device registration failed, an error message returned by the MyZyXEL.com server will be appended to this log. %s: error message returned by the myZyXEL.com server
    Log message: Device registration has succeeded. | Description: The device registered successfully with the myZyXEL.com server.
  • Page 759 Log message: Connect to MyZyXEL.com server has failed. | Description: The device could not connect to the MyZyXEL.com server.
    Log message: Do account check. | Description: The device started to check whether or not the user name in MyZyXEL.com's database.
  • Page 760 Log message: Wrong format for packets received. | Description: Maybe some required fields are missing.
    Log message: Server setting error. Update stop. | Description: The device could not resolve the update server's FQDN to an IP address through gethostbyname(). The update process stopped.
  • Page 761 Log message: Time is up. Do expiration daily-check. | Description: The processes a service expiration day check every 24 hrs.
    Log message: Read MyZyXEL.com storage has failed. | Description: Read data from EEPROM has failed.
    Log message: Open /proc/MRD has failed. | Description: This error message is shown when getting MAC address.
  • Page 762 Log message: Peer has not announced DPD capability | Description: The remote IPSec router has not announced its dead peer detection (DPD) capability to this device.
    Log message: [COOKIE] Invalid cookie, no sa found | Description: Cannot find SA according to the cookie.
  • Page 763 Log message: [SA] : Tunnel [%s] Phase 1 invalid protocol | Description: was not an ISAKMP packet in the protocol field.
    Log message: [SA] : Tunnel [%s] Phase 1 invalid transform | Description: %s is the tunnel name. When negotiating Phase-1, the transform ID was invalid.
  • Page 764 Log message: Could not dial manual key tunnel "%s" | Description: dialed.
    Log message: DPD response with invalid ID | Description: When receiving a DPD response with invalid ID ignored.
    Log message: DPD response with no active request | Description: When receiving a DPD response with no active query.
  • Page 765 Log message: XAUTH fail! My name: | Description: %s is the my xauth name. This indicates that my name is invalid.
    Log message: XAUTH fail! Remote user: %s | Description: %s is the remote xauth name. This indicates that a remote user’s name is invalid.
  • Page 766 Log message: Get outbound transform fail | Description: When outgoing packet need to be transformed, the engine cannot obtain the transform context.
    Log message: Inbound transform operation fail | Description: After encryption or hardware accelerated processing, the hardware accelerator dropped a packet (resource shortage, corrupt packet, invalid MAC, and so on).
  • Page 767 %d is the global index of rule, %s is appended/inserted/ Firewall rule %d was modified 1st %s is from zone, 2nd %s is to zone, %d is the index of Firewall %s %s rule %d the rule was %s. 3rd %s is appended/inserted/modified ZyWALL USG 20/20W User’s Guide...
  • Page 768 Allocating policy routing rule fails: insufficient memory. The policy route %d allocates memory fail! %d: the policy route rule number Use an empty object group. The policy route %d uses empty user group! %d: the policy route rule number ZyWALL USG 20/20W User’s Guide...
  • Page 769 Log message: Trunk %s dead, related policy route rules will be disabled | Description: A trunk went down so the ZyWALL will stop using the related policy route rules.
  • Page 770 Log message: FTP port has been changed to port %s. | Description: %s is port number assigned by user
    Log message: FTP port has been changed to default port. | Description: An administrator changed the port number for FTP back to the default (21).
  • Page 771 Log message: DNS access control rule %u has been modified | Description: An administrator modified the rule %u. %u is rule number
    Log message: DNS access control rule %u has been deleted. | Description: An administrator removed the rule %u. %u is rule number
  • Page 772 %u is the index of the access control rule. %s is HTTP/HTTPS/SSH/SNMP/FTP/TELNET. An access control rule was inserted successfully. Access control rule %u of %s was inserted. %u is the index of the access control rule. %s is HTTP/HTTPS/SSH/SNMP/FTP/TELNET. ZyWALL USG 20/20W User’s Guide...
  • Page 773 Memory usage drops below the threshold of %d%%: mem- threshold-min. When local storage usage drops below threshold-min, %s: partition_name file system drops below the threshold of %d%%: disk-threshold-min. DHCP Server executed with cautious mode enabled. DHCP Server executed with cautious mode enabled ZyWALL USG 20/20W User’s Guide...
  • Page 774 Log message: NTP update successful, current time is %s | Description: The device successfully synchronized with a NTP time server. %s is the date and time.
    Log message: NTP update failed | Description: The device was not able to synchronize with the NTP time server successfully.
  • Page 775 Log message: Update the profile %s has failed because of dyndns internal error | Description: Update profile failed because of a dyndns internal error, %s is the profile name.
  • Page 776 Log message: Update the profile %s has failed because ping-check of WAN interface has failed. | Description: DDNS profile cannot be updated because the ping-check for WAN iface failed, %s is the profile name.
    Log message: Disable DDNS has succeeded. | Description: Disable DDNS.
    Log message: Enable DDNS has succeeded. | Description: Enable DDNS.
  • Page 777 Cannot recover routing status which is link-down. Can't open link_up2 Cannot open connectivity check process ID file. Can not open %s.pid %s: interface name Cannot open configuration file for connectivity check process. Can not open %s.arg %s: interface name ZyWALL USG 20/20W User’s Guide...
  • Page 778 Log message: Can't use MULTICAST IP for destination | Description: The connectivity check process can't use multicast address to check link-status.
    Log message: The destination is invalid, because destination IP is broadcast IP | Description: The connectivity check process can't use broadcast address to check link-status.
  • Page 779 RIP global version has been changed to version 1 or 2. RIP global version has been changed to %s. RIP redistribute OSPF routes has been enabled. RIP redistribute OSPF routes has been enabled. ZyWALL USG 20/20W User’s Guide...
  • Page 780 Interface Name interface %s has been disabled.
    Log message: Area %s cannot be removed. This area is in use. | Description: One or more interfaces are still using this area, so area %s cannot be removed. %s: OSPF Area
  • Page 781 %s H.323 ALG has Disable succeeded. Extra H.323 ALG port has been changed. Extra signal port of H.323 ALG has been modified. Default H.323 ALG port has been changed. Signal port of H.323 ALG has been modified. ZyWALL USG 20/20W User’s Guide...
  • Page 782 "%s" successfully
    Log message: Generate PKCS#12 certificate "%s" failed, errno %d | Description: The router was not able to create a PKCS#12 format certificate with the specified name. See Table 282 on page for details about the error number.
  • Page 783 Certificates. %s is the certificate request name. certificate "%s" from "My Certificate" successfully
    Log message: Export PKCS#12 certificate "%s" from "My Certificate" failed | Description: The device was not able to export a PKCS#12 format certificate from My Certificates. %s is the certificate request name.
  • Page 784 Certificate decoding failed. Certificate was not found (anywhere). Certificate chain looped (did not find trusted root). Certificate contains critical extension that was not handled. Certificate issuer was not valid (CA specific information missing). (Not used) ZyWALL USG 20/20W User’s Guide...
  • Page 785 MTU > (base interface MTU - 8), PPP interface may not run %s may not work correctly because PPP packets will be fragmented by base correctly. interface and the peer will not receive correct PPP packets. 1st %s: PPP interface name, 2nd %s: ethernet interface name. ZyWALL USG 20/20W User’s Guide...
  • Page 786 CHAP cases where the server does not support CHAP). CHAP: authentication interface name. failed. A PPP interface connected successfully. %s: interface name. Interface %s is connected. ZyWALL USG 20/20W User’s Guide...
  • Page 787 Log message: "Incorrect PUK code of interface cellular%d. Please check the PUK code setting. | Description: You entered an incorrect PUK code so you were not able to unlock the SIM card for the cellular device associated with the listed cellular interface (%d).
  • Page 788 %s] has been inserted into %s.
    Log message: "Cellular device [%s %s] has been removed from %s. | Description: The cellular device (identified by its manufacturer and model) has been removed from the specified slot.
  • Page 789 Log message: Configured interface name is reserved word. | Description: A reserved word was not permitted to be used in an interface name.
    Log message: Configured interface name match reserved prefix. | Description: A reserved pre-fix was not permitted to be used in an interface name.
  • Page 790 Log message: Port-grouping is not support | Description: The interface does not support port grouping.
    Log message: This interface type can not set 3rd-dns. | Description: This type of interface does not support setting a third DNS server setting.
  • Page 791 Log message: WPA or WPA2 enterprise EAP timeout. Interface: %s, MAC: | Description: There was an EAP timeout for a wireless client connected to the specified WLAN interface (first %s). The MAC address of the wireless client is listed (second %s).
  • Page 792 Account %s %s has been changed. 1st %s: profile type, 2nd %s: profile name. A user added a new ISP account profile. Account %s %s has been added. 1st %s: profile type, 2nd %s: profile name. ZyWALL USG 20/20W User’s Guide...
  • Page 793 2nd %s is error message when apply CLI command. Apply configuration failed, this log will be what CLI command WARNING:#%s, %s is and what warning message is. 1st %s is CLI command. 2nd %s is warning message when apply CLI command. ZyWALL USG 20/20W User’s Guide...
  • Page 794 ACK to the client.
    Log message: DHCP server assigned %s to %s(%s) | Description: The DHCP server feature assigned a client the IP address that it requested. The DHCP client’s hostname and MAC address are listed.
  • Page 795 Log message: %s#%u.%u.%u.%u#%02X:%02X:%02X:%02X:%02X:%02X. | Description: The interface the packet came in through, the sender’s IP address and MAC address, are also shown along with the binding type (“s” for static or “d” for dynamic).
  • Page 796 Log message: Files information check fail in %s | Description: A user’s computer did not match the user-defined file information check in the specified EPS object.
    Log message: OS type check fail in %s | Description: A user’s computer did not match the OS type check in the specified EPS object.
  • Page 797 Log message: Windows version check fail in %s | Description: A user’s computer did not match the Windows version check in the specified EPS object.
    Log message: EPS checking result is pass. | Description: A user’s computer passed the EPS check.
  • Page 799: Appendix B Common Services

    Border Gateway Protocol. BOOTP_CLIENT DHCP Client. BOOTP_SERVER DHCP Server. CU-SEEME 7648 A popular videoconferencing solution from White Pines Software. 24032 TCP/UDP Domain Name Server, a service that matches web names (for example www.zyxel.com) to IP numbers. ZyWALL USG 20/20W User’s Guide...
  • Page 800 ICMP echo requests to test whether or not a remote host is reachable. POP3 Post Office Protocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other). ZyWALL USG 20/20W User’s Guide...
  • Page 801 Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems.
  • Page 802 PROTOCOL PORT(S) DESCRIPTION TFTP Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol). VDOLIVE 7000 Another videoconferencing solution. ZyWALL USG 20/20W User’s Guide...
  • Page 803: Appendix C Wireless Lans

    (AP). Intra-BSS traffic is traffic between wireless clients in the BSS. When Intra-BSS is enabled, wireless client A and B can access the wired network and communicate ZyWALL USG 20/20W User’s Guide...
  • Page 804 This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood. ZyWALL USG 20/20W User’s Guide...
  • Page 805 A hidden node occurs when two stations are within range of the same access point, but are not within range of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or ZyWALL USG 20/20W User’s Guide...
  • Page 806 If the RTS/CTS value is greater than the Fragmentation Threshold value (see next), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size. ZyWALL USG 20/20W User’s Guide...
  • Page 807: Fragmentation Threshold

    Note: The wireless devices MUST use the same preamble mode in order to communicate. IEEE 802.11g Wireless LAN IEEE 802.11g is fully compatible with the IEEE 802.11b standard. This means an IEEE 802.11b adapter can interface directly with an IEEE 802.11g access point ZyWALL USG 20/20W User’s Guide...
  • Page 808: Wireless Security Overview

    IEEE 802.1x In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional ZyWALL USG 20/20W User’s Guide...
  • Page 809 Sent by a RADIUS server allowing access. • Access-Challenge Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message. ZyWALL USG 20/20W User’s Guide...
  • Page 810 Thus someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server as MD5 authentication method does not perform mutual authentication. Finally, MD5 ZyWALL USG 20/20W User’s Guide...
  • Page 811: Dynamic Wep Key Exchange

    If this feature is enabled, it is not necessary to configure a default encryption key in the wireless security configuration screen. You may still configure and store keys, but they will not be used while dynamic WEP is enabled.
  • Page 812 Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2. Encryption Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA and WPA2...
  • Page 813 (CCMP 4-way handshake) and shortens the time required to connect to a network. Other WPA2 authentication features that are different from WPA include key caching and pre-...
  • Page 814 The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly. A 256-bit Pairwise Master Key (PMK) is derived from the authentication process by the RADIUS server and the client.
  • Page 815 The AP and wireless clients generate a common PMK (Pairwise Master Key). The key itself is not sent over the network, but is derived from the PSK and the SSID.
  • Page 816: Security Parameters Summary

    Open Enable with Dynamic WEP Key Enable without Dynamic WEP Key Disable Shared Enable with Dynamic WEP Key Enable without Dynamic WEP Key Disable TKIP/AES Enable WPA-PSK TKIP/AES Disable WPA2 TKIP/AES Enable WPA2-PSK TKIP/AES Disable
  • Page 817: Antenna Characteristics

    Types of Antennas for WLAN There are two types of antennas used for wireless LAN applications.
  • Page 818: Positioning Antennas

    For a single AP application, place omni-directional antennas as close to the center of the coverage area as possible. For directional antennas, point the antenna in the direction of the desired coverage area.
  • Page 819: Appendix D Importing Certificates

    Many ZyXEL products, such as the ZyWALL, issue their own public key certificates. These can be used by web browsers on a LAN or WAN to verify that they are in fact connecting to the legitimate device and not one masquerading as it.
  • Page 820 Figure 455 Internet Explorer 7: Certification Error Click Continue to this website (not recommended). Figure 456 Internet Explorer 7: Certification Error In the Address Bar, click Certificate Error > View certificates. Figure 457 Internet Explorer 7: Certificate Error
  • Page 821 In the Certificate dialog box, click Install Certificate. Figure 458 Internet Explorer 7: Certificate In the Certificate Import Wizard, click Next. Figure 459 Internet Explorer 7: Certificate Import Wizard
  • Page 822 Next again and then go to step 9. Figure 460 Internet Explorer 7: Certificate Import Wizard Otherwise, select Place all certificates in the following store and then click Browse. Figure 461 Internet Explorer 7: Certificate Import Wizard
  • Page 823 In the Select Certificate Store dialog box, choose a location in which to save the certificate and then click OK. Figure 462 Internet Explorer 7: Select Certificate Store In the Completing the Certificate Import Wizard screen, click Finish. Figure 463 Internet Explorer 7: Certificate Import Wizard
  • Page 824 Figure 465 Internet Explorer 7: Certificate Import Wizard 12 The next time you start Internet Explorer and go to a ZyXEL Web Configurator page, a sealed padlock icon appears in the address bar. Click it to view the page’s Website Identification information.
  • Page 825 Installing a Stand-Alone Certificate File in Internet Explorer Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.
  • Page 826 Open Internet Explorer and click Tools > Internet Options. Figure 469 Internet Explorer 7: Tools Menu In the Internet Options dialog box, click Content > Certificates. Figure 470 Internet Explorer 7: Internet Options
  • Page 827 Figure 471 Internet Explorer 7: Certificates In the Certificates confirmation, click Yes. Figure 472 Internet Explorer 7: Certificates In the Root Certificate Store dialog box, click Yes. Figure 473 Internet Explorer 7: Root Certificate Store
  • Page 828 If your device’s Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error. Select Accept this certificate permanently and click OK. Figure 474 Firefox 2: Website Certified by an Unknown Authority
  • Page 829 Figure 475 Firefox 2: Page Info Installing a Stand-Alone Certificate File in Firefox Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.
  • Page 830 Open Firefox and click Tools > Options. Figure 476 Firefox 2: Tools Menu In the Options dialog box, click Advanced > Encryption > View Certificates. Figure 477 Firefox 2: Options
  • Page 831 Figure 479 Firefox 2: Select File The next time you visit the web site, click the padlock in the address bar to open the Page Info > Security window to see the web page’s security information.
  • Page 832 This section shows you how to remove a public key certificate in Firefox 2. Open Firefox and click Tools > Options. Figure 480 Firefox 2: Tools Menu In the Options dialog box, click Advanced > Encryption > View Certificates. Figure 481 Firefox 2: Options
  • Page 833 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. Opera The following example uses Opera 9 on Windows XP Professional; however, the screens can apply to Opera 9 on all platforms.
  • Page 834 Figure 484 Opera 9: Certificate signer not found The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page’s security details. Figure 485 Opera 9: Security information
  • Page 835 Installing a Stand-Alone Certificate File in Opera Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.
  • Page 836 In Preferences, click Advanced > Security > Manage certificates. Figure 487 Opera 9: Preferences
  • Page 837 In the Certificates Manager, click Authorities > Import. Figure 488 Opera 9: Certificate manager Use the Import certificate dialog box to locate the certificate and then click Open. Figure 489 Opera 9: Import certificate
  • Page 838 The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page’s security details. Removing a Certificate in Opera This section shows you how to remove a public key certificate in Opera 9.
  • Page 839 Open Opera and click Tools > Preferences. Figure 492 Opera 9: Tools Menu In Preferences, click Advanced > Security > Manage certificates. Figure 493 Opera 9: Preferences
  • Page 840 Konqueror 3.5 on all Linux KDE distributions. If your device’s Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.
  • Page 841 Click Forever when prompted to accept the certificate. Figure 496 Konqueror 3.5: Server Authentication Click the padlock in the address bar to open the KDE SSL Information window and view the web page’s security details. Figure 497 Konqueror 3.5: KDE SSL Information
  • Page 842 Installing a Stand-Alone Certificate File in Konqueror Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.
  • Page 843 Figure 501 Konqueror 3.5: Settings Menu In the Configure dialog box, select Crypto. On the Peer SSL Certificates tab, select the certificate you want to delete and then click Remove. Figure 502 Konqueror 3.5: Configure
  • Page 844 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. Note: There is no confirmation when you remove a certificate authority, so be absolutely certain you want to go through with it before clicking the button.
  • Page 845: Appendix E Open Software Announcements

    YOUR MONEY WILL BE REFUNDED. HOWEVER CERTAIN COMPONENTS OF THE SOFTWARE, AND THIRD PARTY OPEN SOURCE PROGRAMS INCLUDED WITH THE SOFTWARE, HAVE BEEN OR MAY BE MADE AVAILABLE BY ZyXEL LISTED IN THE BELOW NOTICE (COLLECTIVELY THE "OPEN-SOURCED COMPONENTS"). FOR...
  • Page 846 therein shall remain at all times with ZyXEL. Any other use of the Software by any other entity is strictly forbidden and is a violation of this License Agreement. 3. Copyright The Software and Documentation contain material that is protected by International Copyright Law and trade secret law, and by international treaty provisions.
  • Page 847 AND NO WARRANTIES SHALL APPLY AFTER THAT PERIOD. 7. Limitation of Liability IN NO EVENT WILL ZyXEL BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY INCIDENTAL OR CONSEQUENTIAL DAMAGES (INCLUDING, WITHOUT LIMITATION, INDIRECT, SPECIAL, PUNITIVE, OR EXEMPLARY DAMAGES FOR LOSS OF...
  • Page 848 Software and Documentation in your possession or under your control. ZyXEL may terminate this License Agreement for any reason, including, but not limited to, if ZyXEL finds that you have violated any of the terms of this License Agreement. Upon notification of termination, you agree to destroy or return to ZyXEL all copies of the Software and Documentation and to certify in writing that all known copies, including backup copies, have been destroyed.
  • Page 849 Further, for at least three (3) years from the date of distribution of the applicable product or software, we will give to anyone who contacts us at the ZyXEL Technical Support (support@zyxel.com.tw), for a charge of no more than our cost of physically performing source code distribution, a...
  • Page 850 OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org. OpenSSL License
  • Page 851 OpenSSL Toolkit. (http://www.openssl.org/)" * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org. ZyWALL USG 20/20W User’s Guide...
  • Page 852 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. ================================================== ZyWALL USG 20/20W User’s Guide...
  • Page 853 * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution ZyWALL USG 20/20W User’s Guide...
  • Page 854 (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ZyWALL USG 20/20W User’s Guide...
  • Page 855 License a 3-clause BSD-style license This is a Free Software License This license is compatible with The GNU General Public License, Version 1 This license is compatible with The GNU General Public License, Version 2 ZyWALL USG 20/20W User’s Guide...
  • Page 856 MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING ZyWALL USG 20/20W User’s Guide...
  • Page 857 "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original ZyWALL USG 20/20W User’s Guide...
  • Page 858 Derivative Works hereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and ZyWALL USG 20/20W User’s Guide...
  • Page 859 TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. ZyWALL USG 20/20W User’s Guide...
  • Page 860 For written permission, please contact apache@apache.org. Products derived from this software may not be called "Apache", nor may "Apache" appear in their name, without prior written permission of the Apache Software Foundation.
  • Page 861 Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General ZyWALL USG 20/20W User’s Guide...
  • Page 862 General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs. When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a ZyWALL USG 20/20W User’s Guide...
  • Page 863 A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. The "Library", below, refers to any such ZyWALL USG 20/20W User’s Guide...
  • Page 864 License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as ZyWALL USG 20/20W User’s Guide...
  • Page 865 When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially ZyWALL USG 20/20W User’s Guide...
  • Page 866 For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not ZyWALL USG 20/20W User’s Guide...
  • Page 867 (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this ZyWALL USG 20/20W User’s Guide...
  • Page 868 Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. ZyWALL USG 20/20W User’s Guide...
  • Page 869 This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors ZyWALL USG 20/20W User’s Guide...
  • Page 870 Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than ZyWALL USG 20/20W User’s Guide...
  • Page 871 Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the ZyWALL USG 20/20W User’s Guide...
  • Page 872 These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and ZyWALL USG 20/20W User’s Guide...
  • Page 873 License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the ZyWALL USG 20/20W User’s Guide...
  • Page 874 All other trademarks or trade names mentioned herein, if any, are the property of their respective owners. This Product includes ppp, libpcap, tcpdump, unzip, zip, libnet, net-snmp, openssh, and ftp-tls software under BSD license Copyright (c) [dates as appropriate to package] ZyWALL USG 20/20W User’s Guide...
  • Page 875 Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ZyWALL USG 20/20W User’s Guide...
  • Page 876 Software without specific, written prior permission. Title to copyright in this Software shall at all times remain with copyright holders. OpenLDAP is a registered trademark of the OpenLDAP Foundation.
  • Page 877 0.97, January 1998, through 1.0.6, March 20, 2000, are Copyright (c) 1998, 1999 Glenn Randers-Pehrson, and are distributed according to the same ZyWALL USG 20/20W User’s Guide...
  • Page 878 Permission is hereby granted to use, copy, modify, and distribute this source code, or portions hereof, for any purpose, without fee, subject to the following restrictions: 1. The origin of this source code must not be misrepresented. ZyWALL USG 20/20W User’s Guide...
  • Page 879 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. ZyWALL USG 20/20W User’s Guide...
  • Page 880 Initial Developer in the Source Code notice required by Exhibit A. 1.7. "Larger Work" means a work which combines Covered Code or portions thereof with code not governed by the terms of this License. 1.8. "License" means this document. ZyWALL USG 20/20W User’s Guide...
  • Page 881 "control" means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity. 2. Source Code License. ZyWALL USG 20/20W User’s Guide...
  • Page 882 Contributor with other software (except as part of the Contributor Version) or other devices; or 4) under Patent Claims infringed by Covered Code in the absence of Modifications made by that Contributor. 3. Distribution Obligations. 3.1. Application of License. ZyWALL USG 20/20W User’s Guide...
  • Page 883 Section 3.2, Contributor shall promptly modify the LEGAL file in all copies Contributor makes available thereafter and shall take other steps (such as notifying appropriate mailing lists or newsgroups) reasonably calculated to inform those who received the Covered Code that new knowledge has been obtained. ZyWALL USG 20/20W User’s Guide...
  • Page 884 Source Code version from the rights set forth in this License. If You distribute the Executable version under a different license You must make it absolutely clear that any terms which differ from this License are offered by You ZyWALL USG 20/20W User’s Guide...
  • Page 885 If You create or use a modified version of this License (which you may only do in order to apply it to code which is not already Covered Code governed by this License), You must (a) rename Your license so that the phrases "Mozilla", ZyWALL USG 20/20W User’s Guide...
  • Page 886 Your past and future use of Modifications made by such Participant, or (ii) withdraw Your litigation claim with respect to the Contributor Version against such Participant. If within 60 days of notice, a reasonable royalty and ZyWALL USG 20/20W User’s Guide...
  • Page 887 "commercial computer software documentation," as such terms are used in 48 C.F.R. 12.212 (Sept. 1995). Consistent with 48 C.F.R. 12.212 and 48 C.F.R. 227.7202-1 through 227.7202-4 (June 1995), all U.S. Government End Users acquire Covered Code with only those rights set forth herein. ZyWALL USG 20/20W User’s Guide...
  • Page 888 Software distributed under the License is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License for the specific language governing rights and limitations under the License. ZyWALL USG 20/20W User’s Guide...
  • Page 889 NOTE: The text of this Exhibit A may differ slightly from the text of the notices in the Source Code files of the Original Code. You should use the text of this Exhibit A rather than the text found in the Original Code Source Code for Your Modifications. ZyWALL USG 20/20W User’s Guide...
  • Page 890 Software as long as this License Agreement remains in full force and effect. Ownership of the Software, Documentation and all intellectual property rights therein shall remain at all times with ZyXEL. Any other use of the Software by any other entity is strictly forbidden and is a violation of this License Agreement.
  • Page 891 License and any applicable licensing terms governing use of the Open-Sourced Components, which have been provided on the License Notice as below for the Software. ZyXEL is not obligated to provide any maintenance, technical or other support for the resultant modified Software.
  • Page 892 AND NO WARRANTIES SHALL APPLY AFTER THAT PERIOD. 7. Limitation of Liability IN NO EVENT WILL ZyXEL BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY INCIDENTAL OR CONSEQUENTIAL DAMAGES (INCLUDING, WITHOUT LIMITATION, INDIRECT, SPECIAL, PUNITIVE, OR EXEMPLARY DAMAGES FOR LOSS OF...
  • Page 893 Software and Documentation in your possession or under your control. ZyXEL may terminate this License Agreement for any reason, including, but not limited to, if ZyXEL finds that you have violated any of the terms of this License Agreement. Upon notification of termination, you agree to destroy or return to ZyXEL all copies of the Software and Documentation and to certify in writing that all known copies, including backup copies, have been destroyed.
  • Page 894 be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, except the express written permission of ZyXEL Communications Corporation. This Product includes ntp software under the NTP License NTP License Copyright (c) David L.
  • Page 895 OpenSSL License --------------- ================================================== * Copyright (c) 1998-2008 The OpenSSL Project. All rights reserved. * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions ZyWALL USG 20/20W User’s Guide...
  • Page 896 * 5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project. * 6. Redistributions of any form whatsoever must retain the following ZyWALL USG 20/20W User’s Guide...
  • Page 897 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. ================================================== * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). ZyWALL USG 20/20W User’s Guide...
  • Page 898 * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions ZyWALL USG 20/20W User’s Guide...
  • Page 899 PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ZyWALL USG 20/20W User’s Guide...
  • Page 900 Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. ZyWALL USG 20/20W User’s Guide...
  • Page 901 AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. This Product includes httpd software developed by the Apache Software Foundation under Apache License. Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ ZyWALL USG 20/20W User’s Guide...
  • Page 902 Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed ZyWALL USG 20/20W User’s Guide...
  • Page 903 NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; ZyWALL USG 20/20W User’s Guide...
  • Page 904 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or ZyWALL USG 20/20W User’s Guide...
  • Page 905 PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ZyWALL USG 20/20W User’s Guide...
  • Page 906 To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions ZyWALL USG 20/20W User’s Guide...
  • Page 907 Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances. ZyWALL USG 20/20W User’s Guide...
  • Page 908 Activities other than copying, distribution and modification are not covered by this License; they ZyWALL USG 20/20W User’s Guide...
  • Page 909 Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
  • Page 910 Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself. ZyWALL USG 20/20W User’s Guide...
  • Page 911 It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute. ZyWALL USG 20/20W User’s Guide...
  • Page 912 Library. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in ZyWALL USG 20/20W User’s Guide...
  • Page 913 OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE ZyWALL USG 20/20W User’s Guide...
  • Page 914 General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software ZyWALL USG 20/20W User’s Guide...
  • Page 915 Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately ZyWALL USG 20/20W User’s Guide...
  • Page 916 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: ZyWALL USG 20/20W User’s Guide...
  • Page 917 Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted ZyWALL USG 20/20W User’s Guide...
  • Page 918 For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. ZyWALL USG 20/20W User’s Guide...
  • Page 919 Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Page 920 HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  • Page 921 OpenLDAP is a registered trademark of the OpenLDAP Foundation. Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted. This Product includes libpng software under the Libpng License
  • Page 922 Contributing Authors: Tom Lane Glenn Randers-Pehrson Willem van Schaik libpng versions 0.89, June 1996, through 0.96, May 1997, are Copyright (c) 1996, 1997 Andreas Dilger Distributed according to the same disclaimer and license as
  • Page 923 3. This Copyright notice may not be removed or altered from any source or altered source distribution. The Contributing Authors and Group 42, Inc. specifically permit, without fee, and encourage the use of this source code as a component to supporting the PNG file
  • Page 924 3. This notice may not be removed or altered from any source distribution. This Product includes pcmcia-cs software under the MPL License Mozilla Public License Version 1.1 1. Definitions.
  • Page 925 1.8.1. "Licensable" means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently acquired, any and all of the rights conveyed herein.
  • Page 926 (b) ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity. 2. Source Code License. 2.1. The Initial Developer Grant.
  • Page 927 Contributor with other software (except as part of the Contributor Version) or other devices; or 4) under Patent Claims infringed by Covered Code in the absence of Modifications made by that Contributor. 3. Distribution Obligations. 3.1. Application of License.
  • Page 928 Section 3.2, Contributor shall promptly modify the LEGAL file in all copies Contributor makes available thereafter and shall take other steps (such as notifying appropriate mailing lists or newsgroups) reasonably calculated to inform those who received the Covered Code that new knowledge has been obtained.
  • Page 929 Source Code version from the rights set forth in this License. If You distribute the Executable version under a different license You must make it absolutely clear that any terms which differ from this License are offered by You
  • Page 930 If You create or use a modified version of this License (which you may only do in order to apply it to code which is not already Covered Code governed by this License), You must (a) rename Your license so that the phrases "Mozilla",
  • Page 931 Your past and future use of Modifications made by such Participant, or (ii) withdraw Your litigation claim with respect to the Contributor Version against such Participant. If within 60 days of notice, a reasonable royalty and
  • Page 932 "commercial computer software documentation," as such terms are used in 48 C.F.R. 12.212 (Sept. 1995). Consistent with 48 C.F.R. 12.212 and 48 C.F.R. 227.7202-1 through 227.7202-4 (June 1995), all U.S. Government End Users acquire Covered Code with only those rights set forth herein.
  • Page 933 Software distributed under the License is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License for the specific language governing rights and limitations under the License.
  • Page 934 NOTE: The text of this Exhibit A may differ slightly from the text of the notices in the Source Code files of the Original Code. You should use the text of this Exhibit A rather than the text found in the Original Code Source Code for Your Modifications.
  • Page 935: Appendix F Legal Information

    Published by ZyXEL Communications Corporation. All rights reserved.

    Disclaimer

    ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice.
  • Page 936 Connect the equipment into an outlet on a circuit different from that to which the receiver is connected. Consult the dealer or an experienced radio/TV technician for help. FCC Radiation Exposure Statement • This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.
  • Page 937: Zyxel Limited Warranty

    Canada.

    Viewing Certifications

    Go to http://www.zyxel.com. Select your product on the ZyXEL home page to go to that product's page. Select the certification you wish to view from this page.

    ZyXEL Limited Warranty

    ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in material or workmanship for a specific period (the Warranty Period) from the date of purchase.
  • Page 938 To obtain the services of this warranty, contact your vendor. You may also refer to the warranty policy for the region in which you bought the device at http://www.zyxel.com/web/support_warranty_info.php. Registration Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com.

This manual is also suitable for:

Zywall usg 20w, Zywall usg 2000