1. Manuals
  2. Brands
  3. ZyXEL Communications Manuals
  4. Gateway
  5. ZyWALL USG Series
  6. User manual

ZyXEL Communications ZyWALL USG Series User Manual

Unified security gateway
Hide thumbs Also See for ZyWALL USG Series:
Table of Contents

Advertisement

Quick Links

See also: Reference Manual
ZyWALL USG Series
Unified Security Gateway
Version 3.30
Edition 2, 9/2013
Quick Start Guide
User's Guide
Default Login Details
LAN IP Address
User Name
Password
www.zyxel.com
http://192.168.1.1
admin
1234
Copyright © 2013 ZyXEL Communications Corporation

Advertisement

Table of Contents
loading

Related Manuals for ZyXEL Communications ZyWALL USG Series

Summary of Contents for ZyXEL Communications ZyWALL USG Series

  • Page 1 ZyWALL USG Series Unified Security Gateway Version 3.30 Edition 2, 9/2013 Quick Start Guide User’s Guide Default Login Details LAN IP Address http://192.168.1.1 User Name admin Password 1234 www.zyxel.com Copyright © 2013 ZyXEL Communications Corporation...
  • Page 2 IMPORTANT! READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE. Screenshots and graphics in this book may differ slightly from your product due to differences in your product firmware or your computer operating system. Every effort has been made to ensure that the information in this manual is accurate.

  • Page 3: Table Of Contents

    Contents Contents Introduction............................5 1.1 Overview .............................5 1.2 Default Zones, Interfaces, and Ports ....................8 1.3 Management Overview ........................9 1.4 Web Configurator ..........................10 1.5 Stopping the ZyWALL ........................20 1.6 Rack-mounting ..........................20 1.8 Front Panel ............................22 How to Set Up Your Network ......................29 2.1 Wizard Overview ..........................29 2.2 How to Configure Interfaces, Port Roles, and Zones ................29 2.3 How to Configure a Cellular Interface ....................32...
  • Page 4 Contents 5.1 How to Configure Bandwidth Management ..................95 5.2 How to Configure a Trunk for WAN Load Balancing ...............102 5.3 How to Use Multiple Static Public WAN IP Addresses for LAN-to-WAN Traffic ......104 5.4 How to Use Device HA to Backup Your ZyWALL ................105 5.5 How to Configure DNS Inbound Load Balancing ................

  • Page 5: Introduction

    Introduction 1.1 Overview This guide covers the ZyWALL USG series and refers to all models as “ZyWALL”. Features and interface names vary by model. Key feature differences between ZyWALL models are as follows. Other features are common to all models although features may vary slightly by model. See the specific product’s datasheet for detailed specifications.
  • Page 6 Chapter 1 Introduction Figure 1 Applications: Security Router IPv6 Routing The ZyWALL supports IPv6 Ethernet, PPP, VLAN, and bridge routing. You may also create IPv6 policy routes and IPv6 objects. The ZyWALL can also route IPv6 packets through IPv4 networks using different tunneling methods.
  • Page 7 Chapter 1 Introduction SSL VPN Network Access SSL VPN lets remote users use their web browsers for a very easy-to-use VPN solution. A user just browses to the ZyWALL’s web address and enters his user name and password to securely connect to the ZyWALL’s network.

  • Page 8: Default Zones, Interfaces, And Ports

    Chapter 1 Introduction 1.2 Default Zones, Interfaces, and Ports The default configurations for zones, interfaces, and ports are as follows. References to interfaces may be generic rather than the specific name used in your model. For example, this guide may use “the WAN interface”...

  • Page 9: Management Overview

    Chapter 1 Introduction Zones LAN1 LAN2 WLAN Interfaces wan1 wan2 lan1 lan2 ext-wlan USG 100 Physical Ports Zones LAN1 LAN2 Interfaces wan1 wan2 lan1 lan2 USG 100 PLUS Physical Ports Zones LAN1 LAN2 Interfaces wan1 wan2 lan1 lan2 USG 50 Physical Ports Zones LAN1...

  • Page 10: Web Configurator

    Chapter 1 Introduction Figure 8 Managing the ZyWALL: Web Configurator Command-Line Interface (CLI) The CLI allows you to use text-based commands to configure the ZyWALL. Access it using remote management (for example, SSH or Telnet) or via the physical or Web Configurator console port. See the Command Reference Guide for CLI details.
  • Page 11 Chapter 1 Introduction In your browser go to http://192.168.1.1. By default, the ZyWALL automatically routes this request to its HTTPS server, and it is recommended to keep this setting. The Login screen appears. Type the user name (default: “admin”) and password (default: “1234”). If you have a OTP (One-Time Password) token generate a number and enter it in the One-Time Password field.

  • Page 12: Web Configurator Screens Overview

    Chapter 1 Introduction 1.4.2 Web Configurator Screens Overview The Web Configurator screen is divided into these parts (as illustrated on page 11): • A - title bar • B - navigation panel • C - main window Title Bar Figure 9 Title Bar The title bar icons in the upper right corner provide the following functions.

  • Page 13: Monitor Menu

    Chapter 1 Introduction Dashboard The dashboard displays general device information, system status, system resource usage, licensed service status, and interface status in widgets that you can re-arrange to suit your needs. See the Web Help for details on the dashboard. Monitor Menu The monitor menu screens display status and statistics information.

  • Page 14: Configuration Menu

    Chapter 1 Introduction Configuration Menu Use the configuration menu screens to configure the ZyWALL’s features. Table 5 Configuration Menu Screens Summary FOLDER OR LINK TAB FUNCTION Quick Setup Quickly configure WAN interfaces or VPN connections. Licensing Registration Registration Register the device and activate trial services. Service View the licensed service status and upgrade licensed services.
  • Page 15 Chapter 1 Introduction Table 5 Configuration Menu Screens Summary (continued) FOLDER OR LINK TAB FUNCTION IPSec VPN VPN Connection Configure IPSec tunnels. VPN Gateway Configure IKE tunnels. Concentrator Combine IPSec VPN connections into a single secure network Configuration Set who can retrieve VPN rule settings from the ZyWALL using the Provisioning ZyWALL IPSec VPN Client.
  • Page 16 Chapter 1 Introduction Table 5 Configuration Menu Screens Summary (continued) FOLDER OR LINK TAB FUNCTION Device HA General Configure device HA global settings, and see the status of each interface monitored by device HA. Active-Passive Configure active-passive mode device HA. Mode Legacy Mode Configure legacy mode device HA for use with ZyWALLs that...

  • Page 17: Tables And Lists

    Chapter 1 Introduction Table 5 Configuration Menu Screens Summary (continued) FOLDER OR LINK TAB FUNCTION Dial-in Mgmt. Configure settings for an out of band management connection through a modem connected to the AUX port. Vantage CNM Configure and allow your ZyWALL to be managed by the Vantage CNM server.
  • Page 18 Chapter 1 Introduction Click the down arrow next to a column heading for more options about how to display the entries. The options available vary depending on the type of fields in the column. Here are some examples of what you can do: •...
  • Page 19 Chapter 1 Introduction Figure 15 Navigating Pages of Table Entries The tables have icons for working with table entries. You can often use the [Shift] or [Ctrl] key to select multiple entries to remove, activate, or deactivate. Figure 16 Common Table Icons Here are descriptions for the most common table icons.

  • Page 20: Stopping The Zywall

    Chapter 1 Introduction Figure 17 Working with Lists 1.5 Stopping the ZyWALL Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the ZyWALL or remove the power. Not doing so can cause the firmware to become corrupt. 1.6 Rack-mounting Table 1 on page 5 for the ZyWALL USG models that can be rack mounted.
  • Page 21 Chapter 1 Introduction 1.7 Wall-mounting Table 1 on page 5 for the ZyWALL USG models that can be wall-mounted. Do the following to attach your ZyWALL to a wall. Screw two screws with 6 mm ~ 8 mm (0.24" ~ 0.31") wide heads into the wall 150 mm apart (see the figure in step 2).

  • Page 22: Front Panel

    Chapter 1 Introduction USG 20W Wall-mount the ZyWALL horizontally. The ZyWALL's side panels with ventilation slots should not be facing up or down as this position is less safe. 1.8 Front Panel This section introduces the ZyWALL’s front panel. Figure 18 ZyWALL Front Panel USG 2000 USG 1000 USG 300...

  • Page 23: Dual Personality Interfaces

    Chapter 1 Introduction USG 200 USG 100 PLUS USG 100 USG 50 USG 20W USG 20 1.8.1 Dual Personality Interfaces A dual personality interface is a 1000Base-T/mini-GBIC combo port. For each interface you can connect either to the 1000Base-T port or the mini-GBIC port. The mini-GBIC port has priority over the 1000Base-T port so the 1000Base-T port is disabled if both are connected at the same time.
  • Page 24 Chapter 1 Introduction 1.0 for details. You can change transceivers while the ZyWALL is operating. You can use different transceivers to connect to devices with different types of fiber-optic connectors. • Type: SFP connection interface • Connection speed: 1 Gigabit per second (Gbps) To avoid possible eye injury, do not look into an operating fiber-optic module’s connectors or fiber-optic cable.

  • Page 25: Maximizing Throughput

    Chapter 1 Introduction Open the transceiver’s latch (latch styles vary). Pull the transceiver out of the slot. 1.8.2 Maximizing Throughput A ZyWALL USG with dual internal buses (see Table 1 on page 5) for Gigabit interfaces has one internal bus for ports P1-P7 and another for port P8. To maximize the ZyWALL’s throughput, use P8 for your connection with the most traffic.
  • Page 26 Chapter 1 Introduction Table 8 ZyWALL USG 20 ~ USG 1000 Front Panel LEDs (continued) COLOR STATUS DESCRIPTION Green The ZyWALL is not ready or has failed. The ZyWALL is ready and running. Blinking The ZyWALL is booting. The ZyWALL had an error or has failed. Green The AUX port is not connected.
  • Page 27 Chapter 1 Introduction Table 9 ZyWALL USG 2000 Front Panel LEDs (continued) COLOR STATUS DESCRIPTION CARD Green Reserved for future use. There is no card in the CARD SLOT. There is a card in the CARD SLOT. This LED is reserved for future use. P1~P8 Green There is no traffic on this port.
  • Page 28 Chapter 1 Introduction ZyWALL USG 20-2000 User’s Guide...

  • Page 29: How To Set Up Your Network

    H A PT ER How to Set Up Your Network Here are examples of using the Web Configurator to set up your network in the ZyWALL. Note: The tutorials featured here require a basic understanding of connecting to and using the Web Configurator, see Section 1.4 on page 10 for details.

  • Page 30: Configure A Wan Ethernet Interface

    Chapter 2 How to Set Up Your Network • The wan1 interface uses a static IP address of 1.2.3.4. • Add P5 (lan2) to the DMZ interface (Note: In USG 20/20W, use P4 (lan2) instead of P5 in this example). The DMZ interface is used for a protected local network. It uses IP address 192.168.3.1 and serves as a DHCP server by default.

  • Page 31: Configure Port Roles

    Chapter 2 How to Set Up Your Network 2.2.2 Configure Port Roles Here is how to take the P5 port from the lan2 interface and add it to the dmz interface. Click Configuration > Network > Interface > Port Role. Under P5 select the dmz (DMZ) radio button and click Apply.

  • Page 32: How To Configure A Cellular Interface

    Chapter 2 How to Set Up Your Network Back to the Configuration > Network > Zone screen and click Add in the User Configuration section. Enter VPN as the new zone’s name. Select WIZ_VPN and move it to the Member box and click Then you can configure firewall rules to apply specific security settings to this VPN zone.
  • Page 33 Chapter 2 How to Set Up Your Network Note: The Network Selection is set to auto by default. This means that the 3G USB modem may connect to another 3G network when your service provider is not in range or when necessary. Select Home to have the 3G device connect only to your home network or local service provider.

  • Page 34: How To Set Up A Wireless Lan

    Chapter 2 How to Set Up Your Network This way the ZyWALL can automatically balance the traffic load amongst the available WAN connections to enhance overall network throughput. Plus, if a WAN connection goes down, the ZyWALL still sends traffic through the remaining WAN connections. For a simple test, disconnect all of the ZyWALL’s wired WAN connections.
  • Page 35 Chapter 2 How to Set Up Your Network Edit this screen as follows. A (internal) name for the WLAN interface displays. You can modify it if you want to. The ZyWALL’s security settings are configured by zones. Select to which security zone you want the WLAN interface to belong (the WLAN zone in this example).
  • Page 36 Chapter 2 How to Set Up Your Network Configure your wireless clients to connect to the wireless network. 2.4.2.1 Wireless Clients Import the ZyWALL’s Certificate You must import the ZyWALL’s certificate into the wireless clients if they are to validate the ZyWALL’s certificate.

  • Page 37: How To Configure Ethernet, Ppp, Vlan, Bridge And Policy Routing

    Chapter 2 How to Set Up Your Network The My Certificates screen indicates what type of information is being displayed, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C). Repeat the steps to import the certificate into each wireless client computer that is to validate the ZyWALL’s certificate when using the WLAN interface.

  • Page 38: How To Set Up Ipv6 Interfaces For Pure Ipv6 Routing

    Chapter 2 How to Set Up Your Network Table 10 Ethernet, PPP, VLAN, Bridge and Policy Routing Screen Relationships SCREEN DESCRIPTION Ethernet Configure this if any interface on the ZyWALL is connecting to an Ethernet network. Ethernet interfaces are the foundation for defining other interfaces and network policies. Configure this if you need your service provider to provide an IP address through PPPoE or PPTP in order to access the Internet or another network.
  • Page 39 Chapter 2 How to Set Up Your Network 2.6.1 Setting Up the WAN IPv6 Interface In the CONFIGURATION > Network > Interface > Ethernet screen’s IPv6 Configuration section, double-click the wan1. The Edit Ethernet screen appears. Select Enable Interface and Enable IPv6. Select Enable Auto-Configuration.
  • Page 40 Chapter 2 How to Set Up Your Network You have completed the settings on the ZyWALL. But if you want to request a network address prefix from your ISP for your computers on the LAN, you can configure prefix delegation (see Section Section 2.6.3 on page 40).
  • Page 41 Chapter 2 How to Set Up Your Network Figure 23 Pure IPv6 Network Example Using Prefix Delegation IPv6 IPv6 IPv6 2001:b050:2d:1111::1/128 2002:b050:2d:1111::/64 2.6.3.2 Setting Up the WAN IPv6 Interface In the Configuration > Network > Interface > Ethernet screen’s IPv6 Configuration section, double-click the wan1.
  • Page 42 Chapter 2 How to Set Up Your Network 2.6.3.3 Setting Up the LAN Interface In the Configuration > Network > Interface > Ethernet screen, double-click the lan1 in the IPv6 Configuration section. The Edit Ethernet screen appears. Click Show Advanced Settings to display more settings on this screen.
  • Page 43 Chapter 2 How to Set Up Your Network 2.6.4 Test Connect a computer to the ZyWALL’s LAN1. ZyWALL USG 20-2000 User’s Guide...

  • Page 44: How To Set Up An Ipv6 6To4 Tunnel

    Chapter 2 How to Set Up Your Network Enable IPv6 support on you computer. In Windows XP, you need to use the IPv6 install command in a Command Prompt. In Windows 7, IPv6 is supported by default. You can enable IPv6 in the Control Panel > Network and Sharing Center >...
  • Page 45 Chapter 2 How to Set Up Your Network the LAN1 network address is assigned to use 2002:7a64:dcee:1::/64 and the LAN1 IP address is set to 2002:7a64:dcee:1::111/128. A relay router R (192.99.88.1) is used in this example in order to forward 6to4 packets to any unknown IPv6 addresses.
  • Page 46 Chapter 2 How to Set Up Your Network 2.7.3 Setting Up the 6to4 Tunnel Click Add in the CONFIGURATION > Network > Interface > Tunnel screen. The Add Tunnel screen appears. Select Enable. Enter tunnel0 as the Interface Name and select 6to4 as the Tunnel Mode. In the 6to4 Tunnel Parameter section, this example just simply uses the default 6to4 Prefix, 2002:://16.
  • Page 47 Chapter 2 How to Set Up Your Network 2.7.4 Testing the 6to4 Tunnel Connect a computer to the ZyWALL’s LAN1. Enable IPv6 support on you computer. In Windows XP, you need to use the IPv6 install command in a Command Prompt. In Windows 7, IPv6 is supported by default.

  • Page 48: How To Set Up An Ipv6-In-Ipv4 Tunnel

    Chapter 2 How to Set Up Your Network You don’t need to activate the WAN1 IPv6 interface but make sure you enable the WAN1 IPv4 interface. In 6to4, the ZyWALL uses the WAN1 IPv4 interface to forward your 6to4 packets over the IPv4 network.
  • Page 49 Chapter 2 How to Set Up Your Network The Edit Tunnel screen appears. Select Enable. Enter tunnel0 as the Interface Name and select IPv6-in-IPv4 as the Tunnel Mode. Select wan1 in the Interface field in the Gateway Settings section. Enter 5.6.7.8 as the remote gateway’s IP address. Click OK. 2.8.3 Setting Up the LAN IPv6 Interface Select lan1 in the IPv6 Configuration section in the CONFIGURATION >...
  • Page 50 Chapter 2 How to Set Up Your Network 2.8.4 Setting Up the Policy Route Go to the CONFIGURATION > Network > Routing screen and click Add in the IPv6 Configuration table. The Add Policy Route screen appears. Click Create New Object to create an IPv6 address object with the address prefix of 2003:1111:1111:1::/64.
  • Page 51 Chapter 2 How to Set Up Your Network 2.8.5 Testing the IPv6-in-IPv4 Tunnel Connect a computer to the ZyWALL’s LAN1. Enable IPv6 support on you computer. In Windows XP, you need to use the IPv6 install command in a Command Prompt. In Windows 7, IPv6 is supported by default.
  • Page 52 Chapter 2 How to Set Up Your Network ZyWALL USG 20-2000 User’s Guide...

  • Page 53: Protecting Your Network

    H A PT ER Protecting Your Network These sections cover configuring the ZyWALL to protect your network. • Firewall on page 53 • User-aware Access Control on page 54 • Endpoint Security (EPS) on page 55 • Device and Service Registration on page 55 •...

  • Page 54: User-Aware Access Control

    Chapter 3 Protecting Your Network 3.1.1 What Can Go Wrong • The ZyWALL checks the firewall rules in order and applies the first firewall rule the traffic matches. If traffic is unexpectedly blocked or allowed, make sure the firewall rule you want to apply to the traffic comes before any other rules that the traffic would also match.

  • Page 55: Endpoint Security (Eps)

    Chapter 3 Protecting Your Network 3.3 Endpoint Security (EPS) Use endpoint security objects with authentication policies or SSL VPN to make sure users’ computers meet specific security requirements before they are allowed to access the network. Configure endpoint security objects (Configuration > Object > Endpoint Security > Add). Configure an authentication policy to use the endpoint security objects (Configuration >...

  • Page 56: Anti-Virus Policy Configuration

    Chapter 3 Protecting Your Network 3.5 Anti-Virus Policy Configuration This tutorial shows you how to configure an Anti-Virus policy. Note: You need to first activate your Anti-Virus service license or trial. See Device and Service Registration on page Click Configuration > Anti-X > Anti-Virus to display the Anti-Virus General screen. In the Policies section click Add to display the Add Rule screen.
  • Page 57 Chapter 3 Protecting Your Network The policy configured in the previous step will display in the Policies section. Select Enable Anti- Virus and Anti-Spyware and click Apply. 3.5.1 What Can Go Wrong • The ZyWALL does not scan the following file/traffic types: •...

  • Page 58: Idp Profile Configuration

    Chapter 3 Protecting Your Network 3.6 IDP Profile Configuration IDP (Intrusion, Detection and Prevention) detects malicious or suspicious packets and protects against network-based intrusions. Note: You need to first activate your IDP service license or trial. See Device and Service Registration on page You may want to create a new profile if not all signatures in a base profile are applicable to your network.

  • Page 59: Adp Profile Configuration

    Chapter 3 Protecting Your Network Edit the default log options and actions. 3.7 ADP Profile Configuration ADP (Anomaly Detection and Prevention) protects against anomalies based on violations of protocol standards (RFCs – Requests for Comments) and abnormal traffic flows such as port scans. You may want to create a new profile if not all traffic or protocol rules in a base profile are applicable to your network.
  • Page 60 Chapter 3 Protecting Your Network Note: If Internet Explorer opens a warning screen about a script making Internet Explorer run slowly and the computer maybe becoming unresponsive, just click No to continue. The Traffic Anomaly screen will display. Type a new profile Name. Enable or disable individual scan or flood types by selecting a row and clicking Activate or Inactivate.

  • Page 61: Content Filter Profile Configuration

    Chapter 3 Protecting Your Network 3.8 Content Filter Profile Configuration Content filter allows you to control access to specific web sites or filter web content by checking against an external database. This tutorial shows you how to configure a Content Filter profile. Note: You need to first activate your Content Filter service license or trial to use Commtouch or BlueCoat content filtering service.
  • Page 62 Chapter 3 Protecting Your Network Click the General tab and in the Policies section click Add. In the Add Policy screen that appears, select the Filter Profile you created in the previous step. Click OK. In the General screen, the configured policy will appear in the Policies section. Select Enable Content Filter and select BlueCoat.

  • Page 63: Viewing Content Filter Reports

    Chapter 3 Protecting Your Network 3.9 Viewing Content Filter Reports Content filtering reports are generated statistics and charts of access attempts to web sites belonging to the categories you selected in your device content filter screen. You need to register your iCard before you can view content filtering reports.
  • Page 64 Chapter 3 Protecting Your Network In the Web Filter Home screen, click Commtouch Report or BlueCoat Report. Select items under Global Reports to view the corresponding reports. Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report.
  • Page 65 Chapter 3 Protecting Your Network A chart and/or list of requested web site categories display in the lower half of the screen. You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.

  • Page 66: Anti-Spam Policy Configuration

    Chapter 3 Protecting Your Network 3.10 Anti-Spam Policy Configuration This tutorial shows you how to configure an Anti-Spam policy with Mail Scan functions and DNS Black List (DNSBL). Note: You need to first activate your Anti-Spam service license or trial to use the Mail Scan functions (Sender Reputation, Mail Content Analysis and Virus Outbreak Detection).
  • Page 67 Chapter 3 Protecting Your Network Click the General tab. In the Policy Summary section, click Add to display the Add rule screen. Select from the list of available Scan Options and click OK to return to the General screen. In the General screen, the policy configured in the previous step will display in the Policy Summary section.
  • Page 68 Chapter 3 Protecting Your Network ZyWALL USG 20-2000 User’s Guide...

  • Page 69: Create Secure Connections Across The Internet

    H A PT ER Create Secure Connections Across the Internet These sections cover using VPN to create secure connections across the Internet. • IPSec VPN on page 69 • VPN Concentrator Example on page 71 • Hub-and-spoke IPSec VPN Without VPN Concentrator on page 73 •...
  • Page 70 Chapter 4 Create Secure Connections Across the Internet 4.1.3 What Can Go Wrong If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into both IPSec routers and check the settings in each field methodically and slowly.

  • Page 71: Vpn Concentrator Example

    Chapter 4 Create Secure Connections Across the Internet If you have the Configuration > VPN > IPSec VPN > VPN Connection screen’s Use Policy Route to control dynamic IPSec rules option enabled and the VPN connection is up but VPN traffic cannot be transmitted through the VPN tunnel, check the routing policies to see if they are sending traffic elsewhere instead of through the VPN tunnels.
  • Page 72 Chapter 4 Create Secure Connections Across the Internet • Destination: 192.168.12.0 • Next Hop: VPN Tunnel 1 Headquarters VPN Gateway (VPN Tunnel 1): • My Address: 10.0.0.1 • Peer Gateway Address: 10.0.0.2 VPN Connection (VPN Tunnel 1): • Local Policy: 192.168.1.0/255.255.255.0 •...

  • Page 73: Hub-And-Spoke Ipsec Vpn Without Vpn Concentrator

    Chapter 4 Create Secure Connections Across the Internet • Destination: 192.168.11.0 • Next Hop: VPN Tunnel 2 4.2.1 What Can Go Wrong Consider the following when using the VPN concentrator. • The local IP addresses configured in the VPN rules should not overlap. •...
  • Page 74 Chapter 4 Create Secure Connections Across the Internet Network Policy (Phase 2): Local Network: 192.168.167.0/255.255.255.0; Remote Network: 192.168.168.0~192.168.169.255 Headquarters (ZLD-based ZyWALL): VPN Gateway (VPN Tunnel 1): • My Address: 10.0.0.1 • Peer Gateway Address: 10.0.0.2 VPN Connection (VPN Tunnel 1): •...

  • Page 75: Zywall Ipsec Vpn Client Configuration Provisioning

    Chapter 4 Create Secure Connections Across the Internet • To have all Internet access from the spoke routers to go through the VPN tunnel, set the VPN rules in the spoke routers to use 0.0.0.0 (any) as the remote IP address. •...

  • Page 76: Configuration Steps

    Chapter 4 Create Secure Connections Across the Internet Figure 32 ZyWALL IPSec VPN Client with VPN Tunnel Connected 4.4.2 Configuration Steps In the ZyWALL Quick Setup wizard, use the VPN Settings for Configuration Provisioning wizard to create a VPN rule that can be used with the ZyWALL IPSec VPN Client. Click Configuration >...

  • Page 77: Ssl Vpn

    Chapter 4 Create Secure Connections Across the Internet Click OK. The rule settings are now imported from the ZyWALL into the ZyWALL IPSec VPN Client. 4.4.3 What Can Go Wrong • VPN rule settings violate the the ZyWALL IPSec VPN Client restrictions: Check that the rule does not contain AH active protocol, NULL encryption, SHA512 authentication, or a subnet/range remote policy.
  • Page 78 Chapter 4 Create Secure Connections Across the Internet Figure 33 SSL VPN LAN (192.168.1.X) Non-Web Web Mail File Share https:// Application Server Web-based Application • Click Configuration > Object > SSL Application and configure an SSL application object to specify the type of application and the address of the local computer, server, or web site SSL users are to be able to access.

  • Page 79: L2Tp Vpn With Android, Ios, And Windows

    Chapter 4 Create Secure Connections Across the Internet 4.6 L2TP VPN with Android, iOS, and Windows L2TP VPN uses the L2TP and IPSec client software included in remote users’ Android, iOS, or Windows operating systems for secure connections to the network behind the ZyWALL. L2TP VPN uses one of the ZyWALL’s IPSec VPN connections.
  • Page 80 Chapter 4 Create Secure Connections Across the Internet Click Configuration > VPN > IPSec VPN > VPN Gateway and double-click the Default_L2TP_VPN_GW entry. Select Enable. Set My Address. This example uses a WAN interface with static IP address 172.16.1.2. Set Authentication to Pre-Shared Key and configure a password. This example uses top- secret.
  • Page 81 Chapter 4 Create Secure Connections Across the Internet Click Configuration > VPN > L2TP VPN and then Create New Object > Address to create an IP address pool for the L2TP VPN clients. This example uses L2TP_POOL with a range of 192.168.10.10 to 192.168.10.20.
  • Page 82 Chapter 4 Create Secure Connections Across the Internet To manage the ZyWALL through the L2TP VPN tunnel, create a routing policy that sends the ZyWALL’s return traffic back through the L2TP VPN tunnel. • Set Incoming to ZyWALL. • Set Destination Address to the L2TP address pool. •...
  • Page 83 Chapter 4 Create Secure Connections Across the Internet • Set the Next-Hop Type to Trunk and select the appropriate WAN trunk. 4.6.3 Configuring L2TP VPN in Android To configure L2TP VPN in an Android device, go to Menu > Settings > Wireless & networks > VPN settings >...
  • Page 84 Chapter 4 Create Secure Connections Across the Internet • Secret is the pre-shared key of the IPSec VPN gateway the ZyWALL uses for L2TP VPN over IPSec (top-secret in this example). • Send All Traffic leave this on. • Proxy leave this off. 4.6.5 Configuring L2TP VPN in Windows The following sections cover how to configure L2TP in remote user computers using Windows 7, Vista, or XP.
  • Page 85 Chapter 4 Create Secure Connections Across the Internet Click Close. Configure the Connection Object In the Network and Sharing Center screen, click Connect to a network. Right-click the L2TP VPN connection and select Properties. In Windows 7, click Security and set the Type of VPN to Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec).
  • Page 86 Chapter 4 Create Secure Connections Across the Internet If a warning screen about data encryption not occurring if PAP or CHAP is negotiated, click Yes. When you use L2TP VPN to connect to the ZyWALL, the ZyWALL establishes an encrypted IPSec VPN tunnel first and then builds an L2TP tunnel inside it.
  • Page 87 Chapter 4 Create Secure Connections Across the Internet L2TP to ZyWALL After the connection is up a connection icon displays in your system tray. Click it and then the L2TP connection to open a status screen. Click the L2TP connection’s View status link to open a status screen. Click Details to see the address that you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20 in the example).
  • Page 88 Chapter 4 Create Secure Connections Across the Internet Click Next in the Welcome screen. Select Connect to the network at my workplace and click Next. Select Virtual Private Network connection and click Next. Type L2TP to ZyWALL as the Company Name. Select Do not dial the initial connection and click Next.
  • Page 89 Chapter 4 Create Secure Connections Across the Internet Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN (172.16.1.2 in this example). 172.16.1.2 Click Finish. The Connect L2TP to ZyWALL screen appears.
  • Page 90 Chapter 4 Create Secure Connections Across the Internet 12 Click IPSec Settings. 13 Select the Use pre-shared key for authentication check box and enter the pre-shared key used in the VPN gateway configuration that the ZyWALL is using for L2TP VPN. Click OK. 14 Click Networking.
  • Page 91 Chapter 4 Create Secure Connections Across the Internet 15 Enter the user name and password of your ZyWALL account. Click Connect. 16 A window appears while the user name and password are verified. 17 A ZyWALL-L2TP icon displays in your system tray. Double-click it to open a status screen. 18 Click Details to see the address that you received from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20).

  • Page 92: One-Time Password Version 2 (Otpv2)

    Chapter 4 Create Secure Connections Across the Internet 19 Access a server or other network resource behind the ZyWALL to make sure your access works. 4.6.6 What Can Go Wrong The IPSec VPN connection must: • Be enabled • Use transport mode •...
  • Page 93 Chapter 4 Create Secure Connections Across the Internet Install the SafeWord 2008 authentication server software on a computer. Create user accounts on the ZyWALL and in the SafeWord 2008 authentication server. Import each ZyWALL OTPv2 token’s database file (located on the included CD) into the server. Assign users to ZyWALL OTPv2 tokens on the server.
  • Page 94 Chapter 4 Create Secure Connections Across the Internet ZyWALL USG 20-2000 User’s Guide...

  • Page 95: Managing Traffic

    H A PT ER Managing Traffic These sections cover controlling the traffic going through the ZyWALL. • How to Configure Bandwidth Management on page 95 • How to Configure a Trunk for WAN Load Balancing • How to Use Multiple Static Public WAN IP Addresses for LAN-to-WAN Traffic on page 104 •...
  • Page 96 Chapter 5 Managing Traffic 5.1.1 Bandwidth Allocation Example Say a 10-person office has WAN1 connected to a 50 Mbps downstream and 5 Mbps upstream VDSL line and you want to allocate bandwidth for the following: • SIP: Up to 10 simultaneous 100 Kbps calls guaranteed •...
  • Page 97 Chapter 5 Managing Traffic • Inbound and outbound traffic are both guaranteed 1000 kbps and limited to 2000 kbps. Figure 37 SIP Any-to-WAN Guaranteed / Maximum Bandwidths Example Outbound: 1000/2000 kbps Inbound: 1000/2000 kbps In the Configuration > BWM screen, click Add. In the Add Policy screen, select Enable and type SIP Any-to-WAN as the policy’s name.
  • Page 98 Chapter 5 Managing Traffic Figure 38 HTTP Any-to-WAN Bandwidth Management Example Outbound: Bandwidth not managed Inbound: 10240 kbps guaranteed 46080 kbps maximum In the Configuration > BWM screen, click Add. In the Add Policy screen, select Enable and type HTTP Any-to-WAN as the policy’s name. Leave the incoming interface to any and select wan1 as the outgoing interface.
  • Page 99 Chapter 5 Managing Traffic 5.1.6 FTP WAN-to-DMZ Bandwidth Management Example Suppose the office has an FTP server on the DMZ. Here is how to limit WAN1 to DMZ FTP traffic so it does not interfere with SIP and HTTP traffic. •...

  • Page 100: Ftp Lan-To-Dmz Bandwidth Management Example

    Chapter 5 Managing Traffic 5.1.7 FTP LAN-to-DMZ Bandwidth Management Example FTP traffic from the LAN1 to the DMZ can use more bandwidth since the interfaces support up to 1 Gbps connections, but give it lower priority and limit it to avoid interference with other traffic. •...
  • Page 101 Chapter 5 Managing Traffic In the Configuration > BWM screen, click Add. In the Add Policy screen, select Enable and type FTP LAN-to-DMZ as the policy’s name. Select lan1 as the incoming interface and dmz as the outgoing interface. Select App Patrol Service and ftp as the service type. Type 10240 (kbps) with priority 5 for both the inbound and outbound guaranteed bandwidth.

  • Page 102: How To Configure A Trunk For Wan Load Balancing

    Chapter 5 Managing Traffic 5.1.8 What Can Go Wrong? • The “outbound” in the guaranteed bandwidth settings apply to traffic going from the connection initiator to the outgoing interface. The “inbound” refers to the reverse direction. • Make sure you have registered the IDP/App.Patrol service on the ZyWALL to use App Patrol Service as the service type in the bandwidth management rules.

  • Page 103: Configure The Wan Trunk

    Chapter 5 Managing Traffic Repeat the process to set the egress bandwidth for wan2 to 512 Kbps. For 3G interface settings, go to Configuration > Network > Interface > Cellular. Double-click the cellular1 entry and set the egress bandwidth for cellular1 to 512 Kbps. 5.2.2 Configure the WAN Trunk Click Configuration >...

  • Page 104: How To Use Multiple Static Public Wan Ip Addresses For Lan-To-Wan Traffic

    Chapter 5 Managing Traffic Select the trunk as the default trunk and click Apply. 5.3 How to Use Multiple Static Public WAN IP Addresses for LAN-to-WAN Traffic If your ISP gave you a range of static public IP addresses, this example shows how to configure a policy route to have the ZyWALL use them for traffic it sends out from the LAN.

  • Page 105: How To Use Device Ha To Backup Your Zywall

    Chapter 5 Managing Traffic 5.3.2 Configure the Policy Route Now you need to configure a policy route that has the ZyWALL use the range of public IP addresses as the source address for WAN to LAN traffic. Click Configuration > Network > Routing > Policy Route > Add (in IPv4 Configuration). It is recommended to add a description.
  • Page 106 Chapter 5 Managing Traffic Management Access IP Addresses For each interface you can configure an IP address in the same subnet as the interface IP address to use to manage the ZyWALL whether it is the master or the backup. Synchronization Synchronize ZyWALLs of the same model and firmware version to copy the master ZyWALL’s configuration, signatures (anti-virus, IDP/application patrol, and system protect), and certificates to...

  • Page 107: Before You Start

    Chapter 5 Managing Traffic 5.4.2 Before You Start ZyWALL A should already be configured. You will use device HA to copy ZyWALL A’s settings to B later (in Section 5.4.4 on page 108). To avoid an IP address conflict, do not connect ZyWALL B to the LAN subnet until after you configure its device HA settings and the instructions tell you to deploy it (in Section 5.4.5 on page...

  • Page 108: Configure The Backup Zywall

    Chapter 5 Managing Traffic Click the General tab, enable device HA, and click Apply. 5.4.4 Configure the Backup ZyWALL Connect a computer to ZyWALL B’s LAN interface and log into its Web Configurator. Connect ZyWALL B to the Internet and subscribe it to the same subscription services (like content filtering and anti-virus) to which ZyWALL A is subscribed.
  • Page 109 Chapter 5 Managing Traffic Set the Device Role to Backup. Activate monitoring for the LAN and WAN interfaces. Set the Synchronization Server Address to 192.168.1.1, the Port to 21, and the Password to “mySyncPassword”. Retype the password, select Auto Synchronize, and set the Interval to 60. Click Apply.

  • Page 110: Deploy The Backup Zywall

    Chapter 5 Managing Traffic 5.4.5 Deploy the Backup ZyWALL Connect ZyWALL B’s LAN interface to the LAN network. Connect ZyWALL B’s WAN interface to the same router that ZyWALL A’s WAN interface uses for Internet access. ZyWALL B copies A’s configuration (and re-synchronizes with A every hour).
  • Page 111 Chapter 5 Managing Traffic Click Add in the Configuration table. The following screen appears. Select Enable, enter *.example.com as the Query Domain Name. Enter 300 in the Time to Live field to have DNS query senders keep the resolved DNS entries on their computers for 5 minutes.

  • Page 112: How To Allow Public Access To A Web Server

    Chapter 5 Managing Traffic 5.6 How to Allow Public Access to a Web Server This is an example of making an HTTP (web) server in the DMZ zone accessible from the Internet (the WAN zone). In this example you have public IP address 1.1.1.1 that you will use on the WAN interface and map to the HTTP server’s private IP address of 192.168.3.7.

  • Page 113: Set Up A Firewall Rule

    Chapter 5 Managing Traffic 5.6.2 Set Up a Firewall Rule Create a firewall rule to allow the public to send HTTP traffic to IP address 1.1.1.1 in order to access the HTTP server. If a domain name is registered for IP address 1.1.1.1, users can just go to the domain name to access the web server.

  • Page 114: How To Manage Voice Traffic

    Chapter 5 Managing Traffic 5.6.3 What Can Go Wrong • The ZyWALL checks the firewall rules in order and applies the first firewall rule the traffic matches. If traffic matches a rule that comes earlier in the list, it may be unexpectedly blocked. •...
  • Page 115 Chapter 5 Managing Traffic Figure 47 Configuration > Network > ALG 5.7.1.2 Set Up a NAT Policy For H.323 In this example, you need a NAT policy to forward H.323 (TCP port 1720) traffic received on the ZyWALL’s 10.0.0.8 WAN IP address to LAN IP address 192.168.1.56. Click Configuration >...
  • Page 116 Chapter 5 Managing Traffic 5.7.1.3 Set Up a Firewall Rule For H.323 Configure a firewall rule to allow H.323 (TCP port 1720) traffic received on the WAN_IP-for-H323 IP address to go to LAN IP address 192.168.1.56. Click Configuration > Firewall > Add. In the From field select WAN.

  • Page 117: How To Use An Ippbx On The Dmz

    Chapter 5 Managing Traffic 5.7.2 How to Use an IPPBX on the DMZ This is an example of making an IPPBX x6004 using SIP in the DMZ zone accessible from the Internet (the WAN zone). In this example you have public IP address 1.1.1.2 that you will use on the WAN interface and map to the IPPBX’s private IP address of 192.168.3.9.
  • Page 118 Chapter 5 Managing Traffic 5.7.2.2 Set Up a NAT Policy for the IPPBX Click Configuration > Network > NAT > Add > Create New Object > Address and create an IPv4 host address object for the IPPBX’s private DMZ IP address of 192.168.3.9. Repeat to create a host address object named IPPBX-Public for the public WAN IP address 1.1.1.2.
  • Page 119 Chapter 5 Managing Traffic 5.7.2.4 Set Up a DMZ to LAN Firewall Rule for SIP The firewall blocks traffic from the DMZ zone to the LAN1 zone by default so you need to create a firewall rule to allow the IPPBX to send SIP traffic to the SIP clients on the LAN. Click Configuration >...

  • Page 120: How To Limit Web Surfing And Msn To Specific People

    Chapter 5 Managing Traffic 5.8 How to Limit Web Surfing and MSN to Specific People The following is an example of using application patrol (AppPatrol) to enforce web surfing and MSN policies for the sales department of a company. 5.8.1 Set Up Web Surfing Policies Before you configure any policies, you must have already subscribed for the application patrol service.

  • Page 121: Set Up Msn Policies

    Chapter 5 Managing Traffic Change the access to Drop because you do not want anyone except authorized user groups to browse the web. Click OK. Click the Add icon in the policy list. In the new policy, select Sales as the user group allowed to browse the web.
  • Page 122 Chapter 5 Managing Traffic Click Configuration > AppPatrol > Query, and in the second dropdown menu, select Instant Messager, and click Search. Then, double-click the msn entry to edit it. Double-click the Default policy. Change the access to Drop because you do not want anyone except the authorized user group (sales) to use MSN.
  • Page 123 Chapter 5 Managing Traffic Click Configuration > AppPatrol > Query, and in the second dropdown menu, select Instant Messager, and click Search. Then, double-click the msn entry to edit it. Click the Add icon in the policy list. In the new policy, select WorkHours as the schedule and Sales as the user group that is allowed to use MSN at the appointed schedule.
  • Page 124 Chapter 5 Managing Traffic Now only the sales group may use MSN during work hours on week days. 5.8.3 What Can Go Wrong If you have not already subscribed for the application patrol service, you will not be able to configure any policies.

  • Page 125: Maintenance

    H A PT ER Maintenance These sections cover managing and maintaining the ZyWALL. • How to Allow Management Service from WAN on page 125 • How to Use a RADIUS Server to Authenticate User Accounts based on Groups on page 128 •...
  • Page 126 Chapter 6 Maintenance Check the Admin Service Control and User Service Control sections: • accept under Action means that the user is to access the ZyWALL from the specified computers. • ALL under Zone means that all ZyWALL zones are allowed to use this service. •...
  • Page 127 Chapter 6 Maintenance In the Edit Firewall Rule screen, you can also configure a schedule object, address object, or apply it to certain a user/user group. Refer to 24.1.4 Firewall Rule Configuration Example for details on firewall configuration. ZyWALL USG 20-2000 User’s Guide...

  • Page 128: How To Use A Radius Server To Authenticate User Accounts Based On Groups

    Chapter 6 Maintenance 6.2 How to Use a RADIUS Server to Authenticate User Accounts based on Groups The previous example showed how to have a RADIUS server authenticate individual user accounts. If the RADIUS server has different user groups distinguished by the value of a specific attribute, you can make a couple of slight changes in the configuration to have the RADIUS server authenticate groups of user accounts defined in the RADIUS server.

  • Page 129: How To Use Ssh For Secure Telnet Access

    Chapter 6 Maintenance Repeat the steps above if you need to add other user groups. 6.3 How to Use SSH for Secure Telnet Access This section shows two examples using a command interface and a graphical interface SSH client program to remotely access the ZyWALL. The configuration and connection steps are similar for most SSH client programs.

  • Page 130: How To Manage Zywall Configuration Files

    Chapter 6 Maintenance 6.3.2 Example 2: Linux This section describes how to access the ZyWALL using the OpenSSH client program that comes with most Linux distributions. Test whether the SSH service is available on the ZyWALL. Enter “telnet 192.168.1.1 22” at a terminal prompt and press [ENTER]. The computer attempts to connect to port 22 on the ZyWALL (using the default IP address of 192.168.1.1).

  • Page 131: How To Manage Zywall Firmware

    Chapter 6 Maintenance The default configuration files are: • system-default.conf: This file contains all of the ZyWALL settings. If you apply this file, the ZyWALL’s default IP address and password will be restored. • startup-config.conf: This is the configuration file that the ZyWALL is currently using. All the changes you have saved/applied in the Web Configurator or in CLI commands (when you use the write command) are applied to this file.

  • Page 132: How To Download And Upload A Shell Script

    Chapter 6 Maintenance You can find and download the latest firmware package for the ZyWALL at www.zyxel.com in a *.zip file. After you unzip the file, you will find several files contained in the package. The file that you should use for firmware upload is a *.bin file, for example “300BDS0C0.bin”. In the firmware naming rule, 300 is the major firmware version;...

  • Page 133: How To Change A Power Module

    Chapter 6 Maintenance 6.6.1 What Can Go Wrong When you run a shell script, the ZyWALL processes the file line-by-line. The ZyWALL checks the first line and applies the line if no errors are detected. Then it continues with the next line. If the ZyWALL finds an error, it stops applying the shell script.
  • Page 134 Chapter 6 Maintenance Use the handle to slide out the power module and remove it. Install the new ZyWALL power module. Tighten the power module’s retaining screw. ZyWALL USG 20-2000 User’s Guide...

  • Page 135: How To Save System Logs To A Usb Storage Device

    Chapter 6 Maintenance Connect the power cord to the new ZyWALL power module. Reconnect the power cord to the power outlet. 10 Push the ZyWALL power module switch to the on position. 6.8 How to Save System Logs to a USB Storage Device The ZyWALL uses the memory space to store system logs.
  • Page 136 Chapter 6 Maintenance Go to Configuration > System > USB Storage, select Activate USB storage service and click Apply to allow the ZyWALL to save diagnostic data to the connected USB device. Go to Configuration > Log & Report > Log Setting, select the USB Storage entry and click Edit.
  • Page 137 Chapter 6 Maintenance In the Configuration > Log & Report > Log Setting screen, select the USB Storage entry again and click Activate. Click Apply to have the ZyWALL start recording system logs to the USB device. In the Maintenance > Diagnostics > System Log screen, you can see a new log file which is recording the system logs.

  • Page 138: How To Get The Zywall's Diagnostic File

    Chapter 6 Maintenance 6.8.1 What Can Go Wrong? • Before you physically remove a connected USB device, go to Monitor > System Status > USB Storage and click Remove Now. • If you want to use the USB device and you have not physically remove it, click Use It in the same screen to mount the device.

  • Page 139: How To Capture Packets On The Zywall

    Chapter 6 Maintenance Note: You can check the remaining flash space in the Dashboard or Maintenance > Diagnostics > Packet Capture screen. To save diagnostic files to a USB storage device, do the following before you collect a diagnostic file: Insert the USB storage device to any USB port on your ZyWALL.
  • Page 140 Chapter 6 Maintenance Click the Stop button to end the packet-capture session when you think you have captured enough packets. How long it may take depends on the packet type and network behavior that you want to capture. Click the Files tab, you can see two files (CAP and TXT) generated for each interface. Select a file and click Download.
  • Page 141 Chapter 6 Maintenance The ZyWALL uses the flash space to store packet capture files. Once the flash is full, the ZyWALL stops generating the file or has new captured packets override old packets depending on your setting. If your ZyWALL’s flash is full or the size of the packet capture files you want to capture may exceed the remaining space, you can use a USB storage device.
  • Page 142 Chapter 6 Maintenance 6.10.1 Example of Viewing a Packet Capture (CAP) File Here is an example of a packet capture file viewed in the Wireshark packet analyzer. Notice that the size of frame 15 on the wire is 1514 bytes while the captured size is only 1500 bytes. The ZyWALL truncated the frame because the capture screen’s Number Of Bytes To Capture (Per Packet) field was set to 1500 bytes.

  • Page 143: How To Use Packet Flow Explore For Troubleshooting

    Chapter 6 Maintenance Figure 51 Packet Capture File Example 6.11 How to Use Packet Flow Explore for Troubleshooting Use the packet flow explore function to help resolve routing or NAT problems. For example: an interface suddenly goes down, you configure a policy route but packets do not go through the configured interface or go through another route.
  • Page 144 Chapter 6 Maintenance The Maintenance > Packet Flow Explore > SNAT Status screen displays the ZyWALL’s current source NAT (SNAT) flow. Click a function box to see the corresponding active SNAT rules. The ZyWALL checks if a packet matches an SNAT rule’s criteria by following the order of the flow as shown from left to right.

  • Page 145: Appendix A Legal Information

    The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved.
  • Page 146 Appendix A Legal Information Certifications (Class A for ZyWALL USG 300, 1000, and 2000) Federal Communications Commission (FCC) Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: This device may not cause harmful interference. This device must accept any interference received, including interference that may cause undesired operations.

  • Page 147: Regulatory Information

    Appendix A Legal Information Regulatory Information European Union The following information applies if you use the product within the European Union. Declaration of Conformity with Regard to EU Directive 1999/5/EC (R&TTE Directive) Compliance Information for 2.4GHz and 5GHz Wireless Products Relevant to the EU and Other Countries Following the EU Directive 1999/5/EC (R&TTE Directive) [Czech] ZyXEL tímto prohlašuje, že tento zařízení...

  • Page 148: Safety Warnings

    Appendix A Legal Information Ce produit peut être utilisé dans tous les pays de l’UE (et dans tous les pays ayant transposés la directive 1999/5/CE) sans aucune limitation, excepté pour les pays mentionnés ci-dessous: Questo prodotto è utilizzabile in tutte i paesi EU (ed in tutti gli altri paesi che seguono le direttive EU 1999/5/EC) senza nessuna limitazione, eccetto per i paesii menzionati di seguito: Das Produkt kann in allen EU Staaten ohne Einschränkungen eingesetzt werden (sowie in anderen Staaten die der EU Direktive 1995/5/CE folgen) mit Außnahme der folgenden aufgeführten Staaten:...
  • Page 149 Appendix A Legal Information • ZyWALL USG 20W: Antenna Warning! This device meets ETSI and FCC certification requirements when using the included antenna(s). Only use the included antenna(s). • ZyWALL USG 20, 20W: If you wall mount your device, make sure that no electrical lines, gas or water pipes will be damaged. Your product is marked with this symbol, which is known as the WEEE mark.
  • Page 150 Appendix A Legal Information ZyWALL USG 20-2000 User’s Guide...

Table of Contents