ZyXEL Communications ZyWall USG 2000 User Manual

Unified security gateway

ZyWALL USG 2000
Unified Security Gateway
Default Login Details
LAN Port: P1
IP Address: https://192.168.1.1
User Name: admin
Password: 1234
Firmware Version 2.12
Edition 1, 6/2009
www.zyxel.com
Copyright © 2009 ZyXEL Communications Corporation


Summary of Contents for ZyXEL Communications ZyWall USG 2000

  • Page 3: About This User's Guide

    Internet access. • CLI Reference Guide The CLI Reference Guide explains how to use the Command-Line Interface (CLI) to configure the ZyWALL. Note: It is recommended you use the web configurator to configure the ZyWALL. ZyWALL USG 2000 User’s Guide...
  • Page 4 • Knowledge Base If you have a specific question about your product, the answer may be here. This is a collection of answers to previously asked questions about ZyXEL products.
  • Page 5 Graphics in this book may differ slightly from the product due to differences in operating systems, operating system versions, or if you installed updated firmware/software for your device. Every effort has been made to ensure that the information in this manual is accurate.
  • Page 6: Document Conventions

    For example, “k” for kilo may denote “1000” or “1024”, “M” for mega may denote “1000000” or “1048576” and so on. • “e.g.,” is a shorthand for “for instance”, and “i.e.,” means “that is” or “in other words”.
  • Page 7 Icons Used in Figures Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. ZyWALL Computer Notebook computer Server Firewall Telephone Switch Router
  • Page 8: Safety Warnings

    Your product is marked with this symbol, which is known as the WEEE mark. WEEE stands for Waste Electronics and Electrical Equipment. It means that used electrical and electronic products should not be mixed with general waste. Used electrical and electronic equipment should be treated separately.
  • Page 9: Table Of Contents

    IPSec VPN ... 329
    SSL VPN ... 371
    SSL User Screens ... 383
    SSL User Application Screens ... 393
    SSL User File Sharing ... 395
    ZyWALL SecuExtender ... 403
    L2TP VPN ... 407
    L2TP VPN Example ... 413
  • Page 10
    System ... 701
    Maintenance, Troubleshooting, & Specifications ... 749
    File Manager ... 751
    Logs ... 763
    Reports ... 777
    Diagnostics ... 795
    Reboot ... 797
    Troubleshooting ... 799
    Product Specifications ... 805
    Appendices and Index ... 813
  • Page 11: Table Of Contents

    2.3 Applications ... 43
    2.3.1 VPN Connectivity ... 43
    2.3.2 SSL VPN Network Access ... 43
    2.3.3 User-Aware Access Control ... 45
    2.3.4 Multiple WAN Interfaces ... 45
    2.3.5 Device HA ... 46
    Chapter 3 Web Configurator ... 47
  • Page 12
    5.4.4 IPSec VPN ... 91
    5.4.5 SSL VPN ... 91
    5.4.6 L2TP VPN ... 92
    5.4.7 Zones ... 92
    5.4.8 Device HA ... 93
    5.4.9 DDNS ... 93
    5.4.10 Policy Routes ... 93
    5.4.11 Static Routes ... 94
  • Page 13
    6.5.3 Set Up User Authentication Using the RADIUS Server ... 116
    6.5.4 Set Up Web Surfing Policies With Bandwidth Restrictions ... 118
    6.5.5 Set Up MSN Policies ... 120
    6.5.6 Set Up Firewall Rules ... 121
    6.6 How to Configure Service Control ... 122
  • Page 14
    8.3 The Service Screen ... 157
    Chapter 9 Signature Update ... 159
    9.1 Overview ... 159
    9.1.1 What You Can Do in the Update Screens ... 159
    9.1.2 What You Need to Know About Signature Updates ... 159
  • Page 15
    10.12 Virtual Interfaces ... 219
    10.12.1 Virtual Interfaces Add/Edit ... 219
    10.13 Interface Technical Reference ... 220
    Chapter 11 Trunks ... 225
    11.1 Overview ... 225
    11.1.1 What You Can Do in the Trunk Screens ... 225
  • Page 16
    15.1.1 What You Can Do in the DDNS Screens ... 265
    15.1.2 What You Need to Know About DDNS ... 265
    15.2 The DDNS Screen ... 266
    15.2.1 The Dynamic DNS Add/Edit Screen ... 268
    15.3 The DDNS Status Screen ... 270
  • Page 17
    19.2 IP/MAC Binding Summary ... 302
    19.2.1 IP/MAC Binding Edit ... 303
    19.2.2 Static DHCP Edit ... 304
    19.3 IP/MAC Binding Exempt List ... 305
    19.4 IP/MAC Binding Monitor ... 305
    Part III: Firewall ... 307
    Chapter 20 Firewall ... 309
  • Page 18
    22.2.1 The SSL Access Policy Add/Edit Screen ... 375
    22.3 The SSL Connection Monitor Screen ... 377
    22.4 The SSL Global Setting Screen ... 378
    22.4.1 How to Upload a Custom Logo ... 380
    22.5 Establishing an SSL VPN Connection ... 381
  • Page 19
    27.1.1 What You Can Do in the L2TP VPN Screens ... 407
    27.1.2 What You Need to Know About L2TP VPN ... 407
    27.2 L2TP VPN Screen ... 409
    27.3 L2TP VPN Session Monitor Screen ... 410
  • Page 20
    30.1 Overview ... 471
    30.1.1 What You Can Do in the Anti-Virus Screens ... 471
    30.1.2 What You Need to Know About Anti-Virus ... 472
    30.1.3 Before You Begin ... 474
    30.2 Anti-Virus Summary Screen ... 474
  • Page 21
    32.1.1 ADP and IDP Comparison ... 521
    32.1.2 What You Can Do Using the ADP Screens ... 521
    32.1.3 What You Need To Know About ADP ... 521
    32.1.4 Before You Begin ... 522
    32.2 The ADP General Screen ... 523
  • Page 22
    35.4.1 The Anti-Spam Black or White List Add/Edit Screen ... 582
    35.4.2 Regular Expressions in Black or White List Entries ... 584
    35.5 The Anti-Spam White List Screen ... 584
    35.6 The DNSBL Screen ... 586
  • Page 23
    37.4.1 Default User Authentication Timeout Settings Edit Screens ... 626
    37.4.2 Force User Authentication Policy Add/Edit Screen ... 628
    37.4.3 User Aware Login Example ... 629
    37.5 User/Group Technical Reference ... 630
    Chapter 38 Addresses ... 631
    38.1 Overview ... 631
  • Page 24
    41.3.1 Creating an Active Directory or LDAP Group ... 655
    41.4 Configuring a Default RADIUS Server ... 656
    41.5 Configuring a Group of RADIUS Servers ... 657
    41.5.1 Adding a RADIUS Server Member ... 658
    Chapter 42 Authentication Method ... 661
  • Page 25
    45.1.3 Example: Specifying a Web Site for Access ... 692
    45.2 The SSL Application Screen ... 693
    45.2.1 Creating/Editing a Web-based SSL Application Object ... 694
    45.2.2 Creating/Editing a File Sharing SSL Application Object ... 696
    Part IX: System ... 699
  • Page 26
    46.8.1 Configuring Telnet ... 737
    46.9 FTP ... 738
    46.9.1 Configuring FTP ... 739
    46.10 SNMP ... 740
    46.10.1 Supported MIBs ... 742
    46.10.2 SNMP Traps ... 742
    46.10.3 Configuring SNMP ... 742
    46.11 Dial-in Management ... 744
  • Page 27
    49.4 The Anti-Virus Report Screen ... 783
    49.5 The IDP Report Screen ... 785
    49.6 The Content Filter Report Screen ... 787
    49.7 The Anti-Spam Report Screen ... 789
    49.8 The Email Daily Report Screen ... 792
    Chapter 50 Diagnostics ... 795
  • Page 28
    Appendix A Log Descriptions ... 815
    Appendix B Common Services ... 875
    Appendix C Displaying Anti-Virus Alert Messages in Windows ... 879
    Appendix D Importing Certificates ... 885
    Appendix E Open Software Announcements ... 911
    Appendix F Legal Information ... 957
    Index ... 961
  • Page 29: Getting Started

    Getting Started Introducing the ZyWALL (31) Features and Applications (39) Web Configurator (47) Configuration Basics (85) Tutorials (103) Status (137) Registration (153) Signature Update (159)
  • Page 31: Introducing The Zywall

    “1234” respectively. P7 and P8 are GbE dual personality interfaces. A dual personality interface includes one Gigabit port and one slot for a mini-GBIC transceiver (SFP module) with one port active at a time.
  • Page 32: Front Panel

    The factory default negotiation settings for the Ethernet ports on the ZyWALL are: • Speed: Auto • Duplex: Auto • Flow control: On (you cannot configure the flow control setting, but the ZyWALL can negotiate with the peer and turn it off if needed)
  • Page 33 Use the following steps to install a mini GBIC transceiver (SFP module). Insert the transceiver into the slot with the exposed section of PCB board facing down. Figure 2 Transceiver Installation Example Press the transceiver firmly until it clicks into place. Figure 3 Installed Transceiver
  • Page 34 Press down on the top of the fiber-optic cable where it connects to the transceiver to release it. Then pull the fiber-optic cable out. Figure 5 Removing the Fiber-optic Cable Example Open the transceiver’s latch (latch styles vary). Figure 6 Opening the Transceiver’s Latch Example
  • Page 35: Front Panel Leds

    The AUX port is sending or receiving packets for the dial backup connection. CARD Green Reserved for future use. There is no card in the CARD SLOT. There is a card in the CARD SLOT. This LED is reserved for future use.
  • Page 36: Management Overview

    The CLI allows you to use text-based commands to configure the ZyWALL. You can access it using remote management (for example, SSH or Telnet) or via the console port. See the Command Reference Guide for more information about the CLI.
  • Page 37: Starting And Stopping The Zywall

    Note: It is recommended you use the shutdown command before turning off the ZyWALL. When you apply configuration files or run shell scripts, the ZyWALL does not stop or start the system processes. However, you might lose access to network
  • Page 38 Chapter 1 Introducing the ZyWALL resources temporarily while the ZyWALL is applying configuration files or running shell scripts.
  • Page 39: Features And Applications

    Many security settings are made by zone, not by interface, port, or network. As a result, it is much simpler to set up and to change security settings in the ZyWALL. You can create or remove zones. You can add interfaces and VPN tunnels to zones.
  • Page 40 ZyWALL to check web sites against an external database of dynamically-updated ratings of millions of web sites. You then simply select categories to block or monitor, such as pornography or racial intolerance, from a pre-defined list.
  • Page 41: Packet Flow

    The PPPoE or PPTP encapsulation used
    Application Layer Gateway
    DNAT: Destination NAT
    Routing: Routing includes policy routes, interface routing, static routes and load balancing for example.
    Firewall (Through ZyWALL)
    Firewall (To ZyWALL)
    Intrusion Detection and Protection
  • Page 42: Interface To Interface (Through Zywall)

    Ethernet -> VLAN -> Encap -> ALG -> DNAT -> Routing -> FW -> IDP -> AP -> CF -> AV -> AS -> SNAT -> IPSec E -> Routing -> BWM -> Encap -> VLAN -> Ethernet
  • Page 43: Applications

    2.3.2.1 Reverse Proxy Mode In reverse proxy mode, the ZyWALL is a proxy that acts on behalf of the local network servers (such as your web and mail servers). As the final destination, the
  • Page 44 Figure 11 Network Access Mode: Full Tunnel Mode
  • Page 45: User-Aware Access Control

    Set up multiple connections to the Internet on the same port, or set up multiple connections on different ports. In either case, you can balance the loads between them. Figure 13 Applications: Multiple WAN Interfaces
  • Page 46: Device Ha

    Chapter 2 Features and Applications 2.3.5 Device HA Set up an additional ZyWALL as a backup gateway to ensure the default gateway is always available for the network. Figure 14 Applications: Device HA
  • Page 47: Web Configurator

    • Enable Java permissions (enabled by default) • Enable cookies The recommended screen resolution is 1024 x 768 pixels. 3.2 Web Configurator Access Make sure your ZyWALL hardware is properly connected. See the Quick Start Guide.
  • Page 48 Click Login. If you logged in using the default user name and password, the Update Admin Info screen (Figure 16 on page 48) appears. Otherwise, the main screen (Figure 17 on page 49) appears. Figure 16 Update Admin Info Screen
  • Page 49: Web Configurator Main Screen

    48) appears after you click Apply. If you click Ignore, the main screen appears. Figure 17 Main Screen 3.3 Web Configurator Main Screen As illustrated in Figure 17 on page 49, the main screen is divided into these parts:
  • Page 50: Title Bar

    Use this screen to register the device and activate trial services. Service: Use this screen to look at the licensed service status and to upgrade licensed services. Update Anti-Virus: Use this screen to schedule anti-virus signature updates and to update signature information immediately.
  • Page 51 Use this screen to configure ranges of IP addresses to which the ZyWALL does not apply IP/MAC binding. Monitor: Use this screen to display the devices that have received an IP address from ZyWALL interfaces with IP/MAC binding enabled.
  • Page 52 Use this screen to set up anti-virus black (blocked) and white (allowed) lists of virus file patterns. Signature: Use these screens to search for signatures by signature name or attributes and configure how the ZyWALL uses them.
  • Page 53 Service: Use this screen to create and manage TCP and UDP services. Service Group: Use this screen to create and manage groups of services. Schedule: Use this screen to create one-time and recurring schedules.
  • Page 54 Mgmt.: Use this screen to configure settings for an out-of-band management connection through a modem connected to the AUX port. Vantage: Use this screen to configure and allow your ZyWALL to be managed by the Vantage CNM server.
  • Page 55: Main Window

    Status screen. 3.3.4 Message Bar The message bar displays configuration status information. Check the message bar after you click Apply or OK to verify that the configuration has been updated. Figure 18 Message Bar
  • Page 56 Figure 19 Warning Messages Click Refresh Now to update the screen. Close the popup window when you are done with it. Click Clear Warning Messages to remove the current warning messages from the window.
  • Page 57 Web Configurator generated to enable it. Close the popup window when you are done with it. See the Command Reference Guide for information about the commands.
  • Page 58 Chapter 3 Web Configurator
  • Page 59: Wizard Setup

    Changes you make in an installation or VPN wizard may not be applied if you have already changed the ZyWALL’s configuration. In the Web Configurator, click the Wizard icon to open the Wizard Setup Welcome screen. Figure 21 Wizard Setup Welcome
  • Page 60: Installation Setup, One Isp

    ISP to know what to enter in each field. Leave a field blank if you don’t have that information. Note: Enter the Internet access information exactly as your ISP gave it to you. Figure 22 Internet Access: Step 1
  • Page 61: Internet Access: Ethernet Encapsulation

    Click Next to continue. 4.2.1 Internet Access: Ethernet Encapsulation Configure your IP address settings and click Next to apply the configuration settings. This configures the ZyWALL to access the Internet. Figure 23 Internet Access: Ethernet Encapsulation
  • Page 62 (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Enter the DNS server IP addresses. Back: Click Back to return to the previous screen. Next: Click Next to continue.
  • Page 63: Internet Access: Pppoe Encapsulation

    CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by this remote node. CHAP - Your ZyWALL accepts CHAP only. PAP - Your ZyWALL accepts PAP only. MSCHAP - Your ZyWALL accepts MSCHAP only. MSCHAP-V2 - Your ZyWALL accepts MSCHAP-V2 only.
  • Page 64 If you do not configure a DNS server, you must know the IP address of a machine in order to access it. Back: Click Back to return to the previous screen. Next: Click Next to continue.
  • Page 65: Internet Access: Pptp Encapsulation

    31 @$./ characters long. Password: Type the password associated with the user name above. Use up to 64 ASCII characters except the [] and ?. This field can be blank.
  • Page 66: Internet Access - Finish

    Back: Click Back to return to the previous screen. Next: Click Next to continue. 4.2.4 Internet Access - Finish You have set up your ZyWALL to access the Internet.
  • Page 67: Device Registration

    It also shows which trial services are activated (if any). You can still select the unchecked trial service(s) to activate it after registration. Use the Registration > Service screen to update your service subscription status. Figure 26 Registration
  • Page 68 Select the check box to activate a trial. The trial period starts the day you activate the trial. Anti-Virus Content Filter Close: Click Close to exit the wizard. Next: Click Next to save your changes back to the ZyWALL and activate the selected services.
  • Page 69: Installation Setup, Two Internet Service Providers

    ISP. The configuration of the following screens is explained in Section 4.2 on page 60. Configure the First WAN Interface and click Next. Figure 28 Internet Access: Step 1: First WAN Interface
  • Page 70 After you configure the Second WAN Interface, a summary of the configuration settings displays for both WAN interfaces. Figure 30 Internet Access: Finish Note: You can register your ZyWALL with myZyXEL.com and activate trials of services like IDP.
  • Page 71: Internet Access Wizard Setup Complete

    Click VPN SETUP in the Wizard Setup Welcome screen (Figure 21 on page to open the following screen. Use it to select which type of VPN settings you want to configure. Figure 31 VPN Wizard: Wizard Type
  • Page 72: Vpn Express Wizard

    Click Back to return to the previous screen. Next: Click Next to continue. 4.5.1 VPN Express Wizard Click the Express radio button as shown in Figure 31 on page 71 to display the following screen. Figure 32 VPN Express Wizard: Step 2
  • Page 73 Remote Access (Client Role): Choose this to connect to an IPSec server. This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel. Back: Click Back to return to the previous screen. Next: Click Next to continue. Figure 33 VPN Express Wizard: Step 3
  • Page 74 To specify IP addresses on a network by their subnet mask, type the subnet mask of the LAN behind the remote gateway. Back: Click Back to return to the previous screen. Next: Click Next to continue.
  • Page 75 “.zysh” filename extension. Then you can use the file manager to run the script in order to configure the VPN connection. See the commands reference guide for details on the commands displayed in this list.
  • Page 76 Figure 35 VPN Express Wizard: Step 6 Note: If you have not already done so, use the myZyXEL.com link and register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Click Close to exit the wizard.
  • Page 77: Vpn Advanced Wizard

    Remote Access (Client Role): Choose this to connect to an IPSec server. This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel. Back: Click Back to return to the previous screen. Next: Click Next to continue.
  • Page 78 Mode: Select Main for identity protection. Select Aggressive to allow more incoming connections from dynamic IP addresses to use separate passwords. Note: Multiple SAs (security associations) connecting through a secure gateway must have the same negotiation mode.
  • Page 79 ("0-9", "A-F") characters. Precede a hexadecimal key with “0x”. Both ends of the VPN tunnel must use the same pre-shared key. You will receive a PYLD_MALFORMED (payload malformed) packet if the same pre-shared key is not used on both ends.
  • Page 80 In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).
  • Page 81 This displays for the site-to-site and remote access client role scenarios. Select this to have the ZyWALL automatically renegotiate the IPSec SA when the SA life time expires. Back: Click Back to return to the previous screen. Next: Click Next to continue.
  • Page 82 ZyWALL. Remote Policy: This is a (static) IP address and Subnet Mask on the network behind the remote IPSec router. If this field displays Any, only the remote IPSec router can initiate the VPN connection.
  • Page 83: Vpn Advanced Wizard - Finish

    Figure 40 VPN Wizard: Step 6: Advanced Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Click Close to exit the wizard.
  • Page 84 Chapter 4 Wizard Setup
  • Page 85: Configuration Basics

    You can create address objects based on an interface’s IP address, subnet, or gateway. The ZyWALL automatically updates every rule or setting that uses these objects whenever the interface’s IP address settings change. For example, if you
  • Page 86: Zones, Interfaces, And Physical Ports

    Port groups combine physical ports into interfaces. Physical Ethernet Ports (P1, P2, ...): The physical port is where you connect a cable. In configuration, you use physical ports when configuring port groups. You use interfaces and zones in configuring other features.
  • Page 87: Interface Types

    • The auxiliary interface, along with an external modem, provides an interface the ZyWALL can use to dial out. This interface can be used as a backup WAN interface, for example. The auxiliary interface controls the AUX port.
  • Page 88: Default Interface And Zone Configuration

    • The LAN zone contains the ge1 interface. The LAN zone is a protected zone. The ge1 interface uses 192.168.1.1. • The WAN zone contains the ge2 and ge3 interfaces (physical ports 2 and 3). They use public IP addresses to connect to the Internet.
  • Page 89: Terminology In The Zywall

    IPSec VPN
    Table 25 Bandwidth Management: Differences Between the ZyWALL and ZyNOS
    ZYNOS FEATURE / SCREEN -> ZYWALL FEATURE / SCREEN
    Interface bandwidth management -> Interface (outbound)
    OSI level-7 bandwidth management -> Application patrol
    General bandwidth management -> Policy route
  • Page 90: Feature Configuration Overview

    DDNS entries, so there is no WHERE USED entry. 5.4.2 Interface See Section 5.2 on page 86 for background information. Note: When you create an interface, there is no security applied on it until you assign it to a zone.
  • Page 91: Trunks

    NAT), to-ZyWALL firewall, firewall. WHERE USED: Policy routes, zones, L2TP VPN. Example: See Chapter 6 on page 103. 5.4.5 SSL VPN Use SSL VPN to provide secure network access to remote users. MENU ITEM(S): VPN > SSL VPN
  • Page 92: L2Tp Vpn

    PREREQUISITES: Interfaces, IPSec VPN, SSL VPN. WHERE USED: Firewall, IDP, remote management, anti-virus, ADP, application patrol. Example: To create the DMZ-2 zone and add ge7, click Network > Zone and then the Add icon.
  • Page 93: Device Ha

    FTP traffic that goes out from the FTP server through your WAN connection. Create an address object for the FTP server (Object > Address). Click Network > Routing > Policy Route to go to the policy route configuration screen. Add a policy route.
  • Page 94: Static Routes

    (or service groups). Each of these objects must be configured in a different screen. To-ZyWALL firewall rules control access to the ZyWALL. Configure to-ZyWALL firewall rules for remote management. By default, the firewall only allows management connections from the LAN, WAN zone. MENU ITEM(S): Firewall
  • Page 95: Application Patrol

    Create a user account for Bob (User/Group). Click AppPatrol > Peer to Peer to go to the application patrol configuration screen. Click the BitTorrent application patrol entry’s Edit icon. • Set the default policy’s access to Drop. • Add another policy.
  • Page 96: Anti-Virus

    You can subscribe using the menu item or one of the wizards. MENU ITEM(S): Anti-X > Content Filter. PREREQUISITES: Registration, addresses (source), schedules, users, user groups
  • Page 97: Anti-Spam

    MENU ITEM(S): Anti-X > Anti-Spam. PREREQUISITES: Zones. 5.4.19 Virtual Server (Port Forwarding) Use this to change the address and/or port number of packets coming in from a specified interface. This is also known as port forwarding.
  • Page 98: Http Redirect

    MENU ITEM(S): Network > HTTP Redirect. PREREQUISITES: Interfaces. Example: Suppose you want HTTP requests from your LAN to go to an HTTP proxy server at IP address 192.168.3.80. Click Network > HTTP Redirect. Add an entry.
  • Page 99: Alg

    Policy routes (criteria, port triggering), firewall, service groups, log group (criteria)
    schedule: Policy routes (criteria), firewall, application patrol, content filter, user settings (force user authentication)
    AAA server: Authentication methods
    authentication methods: VPN gateways (extended authentication), WWW (client authentication), L2TP VPN
  • Page 100: User/Group

    5.6.1 DNS, WWW, SSH, TELNET, FTP, SNMP, Dial-in Mgmt, Vantage CNM Use these screens to set which services or protocols can be used to access the ZyWALL through which zone and from which addresses (address objects) the
  • Page 101: File Manager

    Use these screens to register your ZyWALL and subscribe to services like anti-virus, IDP and application patrol, more SSL VPN tunnels, and content filtering. You must have Internet access to myZyXEL.com. MENU ITEM(S): Licensing > Registration. PREREQUISITES: Internet access to myZyXEL.com
  • Page 102: Licensing Update

    MENU ITEM(S): Maintenance > Log, Report. 5.6.6 Diagnostics The ZyWALL can generate a file containing the ZyWALL’s configuration and diagnostic information. MENU ITEM(S): Maintenance > Diagnostics
  • Page 103: Tutorials

    • DMZ servers are connected to ports P4 and P5 and need full wire speed communication with each other, so ports P4 and P5 are combined into a ge4 interface port group. It uses IP address 192.168.2.1.
  • Page 104: Configure A Wan Ethernet Interface

    Click Network > Interface > Ethernet and the ge2 interface’s Edit icon. Configure the IP address, subnet mask, and default gateway settings as follows and click OK. Figure 44 Network > Interface > Ethernet > Edit ge2
  • Page 105: Configure Zones

    Here is how to combine physical ports P4 and P5 into the ge4 interface port group. Click Network > Interface > Port Grouping. Drag physical port 5 onto representative interface ge4 and click Apply. Figure 46 Network > Interface > Port Grouping Example
  • Page 106: How To Configure A Cellular Interface

    Install the 3G device in the ZyWALL’s PCMCIA slot or connect it to one of the ZyWALL’s USB ports. Click Network > Interface > Cellular. Click the 3G card’s Edit icon. Figure 48 Network > Interface > Cellular
  • Page 107 In Related Setting, click WAN Trunk to go to a screen where you can add this interface to the WAN Trunk to allow WAN load balancing. A pop-up asks if you want to apply your configuration; click OK. Figure 49 Network > Interface > Cellular > Edit
  • Page 108 Member List button to move it to the list on the right. Click OK in the Member List screen and again in the Trunk Edit screen. Figure 52 Member List
  • Page 109: How To Configure Load Balancing

    You do not have to change many of the ZyWALL’s settings from the defaults to set up this trunk. You only have to set up the outgoing bandwidth on each of the WAN interfaces and configure the WAN_TRUNK trunk’s load balancing settings. ZyWALL USG 2000 User’s Guide...
  • Page 110: Set Up Available Bandwidth On Ethernet Interfaces

    In the Load Balancing Algorithm field, select Weighted Round Robin. After the screen refreshes, enter 2 in the Weight column for ge2. Click OK. Figure 56 Network > Interface > Trunk > WAN_TRUNK > Edit ZyWALL USG 2000 User’s Guide...
  • Page 111: How To Set Up An Ipsec Vpn Tunnel

    The VPN gateway manages the IKE SA. You do not have to set up any other objects before you configure the VPN gateway because this VPN tunnel does not use any certificates or extended authentication. Click VPN > IPSec VPN > VPN Gateway, and then click the Add icon.
  • Page 112: Set Up The Vpn Connection

    Address Type to SUBNET. Set up the Network field to 172.16.1.0 and the Netmask to 255.255.255.0. Click OK. Figure 59 Object > Address > Add Click VPN > IPSec VPN > VPN Connection. Click the Add icon.
  • Page 113: Set Up The Policy Route For The Vpn Tunnel

    Figure 60 VPN > IPSec VPN > VPN Connection > Add 6.4.3 Set Up the Policy Route for the VPN Tunnel Do the following to create a policy route to have the ZyWALL send traffic through the VPN tunnel.
  • Page 114 To trigger the VPN, either try to connect to a device on the peer IPSec router’s LAN or click VPN > IPSec VPN > VPN Connection and use the VPN connection screen’s Connect icon.
  • Page 115: Configure Security Policies For The Vpn Tunnel

    Set up one user account for each user account in the RADIUS server. If it is possible to export user names from the RADIUS server to a text file, then you might create a script to create the user accounts instead. This example uses the Web Configurator.
  • Page 116: Set Up User Groups

    Repeat this process to set up the remaining user groups. 6.5.3 Set Up User Authentication Using the RADIUS Server This step sets up user authentication using the RADIUS server. First, configure the settings for the RADIUS server. Then, set up the authentication method, and
  • Page 117 Set up a default policy that forces every user to log in to the ZyWALL before the ZyWALL routes traffic for them. Select Enable. Then, select force in the Authentication field. Keep the rest of the default settings, and click OK.
  • Page 118: Set Up Web Surfing Policies With Bandwidth Restrictions

    You must have already subscribed to the application patrol service. You can subscribe using the Licensing > Registration screens or using one of the wizards. Click AppPatrol. If application patrol and bandwidth management are not enabled, enable them, and click Apply. Figure 69 AppPatrol > General
  • Page 119 Figure 71 AppPatrol > Common > http Change the access to Drop because you do not want anyone except authorized user groups to browse the web. Click OK. Figure 72 AppPatrol > Common > http > Edit Default
  • Page 120: Set Up Msn Policies

    Give the schedule a descriptive name. Set up the days (Monday through Friday) and the times (8:30 - 18:00) when Sales is allowed to use MSN. Click OK. Figure 74 Object > Schedule > Add (Recurring)
  • Page 121: Set Up Firewall Rules

    Figure 76 Firewall > LAN to DMZ > Add Click the Add icon at the top of the rule list to create a rule for one of the user groups that is allowed to access the DMZ.
  • Page 122: How To Configure Service Control

    HTTP or HTTPS access, make sure the firewall is not configured to block that access. 6.6.1 Allow HTTPS Administrator Access Only From the LAN This example configures service control to block administrator HTTPS access from all zones except the LAN. Click System > WWW.
  • Page 123 Chapter 6 Tutorials In HTTPS Admin Service Control, click the Add icon. Figure 78 System > WWW In the Zone field select LAN and click OK. Figure 79 System > WWW > Service Control Rule Edit
  • Page 124 Figure 80 System > WWW (First Example Admin Service Rule Configured) In the Zone field select ALL and set the Action to Deny. Click OK. Figure 81 System > WWW > Service Control Rule Edit
  • Page 125: How To Allow Incoming H.323 Peer-To-Peer Calls

    Suppose you have an H.323 device on the LAN for VoIP calls and you want it to be able to receive peer-to-peer calls from the WAN. Here is an example of how to configure virtual server (port forwarding) and firewall rules to have the ZyWALL
  • Page 126: Turn On The Alg

    6.7.2 Set Up a Virtual Server Policy For H.323 In this example, you need a virtual server policy to forward H.323 (TCP port 1720) traffic received on the ZyWALL’s 10.0.0.8 WAN IP address to LAN IP address 192.168.1.56.
  • Page 127: Set Up A Firewall Rule For H.323

    Here is how to configure a firewall rule to allow H.323 (TCP port 1720) traffic received on the WAN_IP-for-H323 IP address to go to LAN IP address 192.168.1.56. Click Firewall. In From Zone, select WAN; in To Zone, select LAN.
  • Page 128: How To Use Active-Passive Device Ha

    ZyWALL is functioning as the master uses the default gateway IP address of the LAN computers (192.168.1.1) for its ge1 interface and the static public IP address (1.1.1.1) for its ge2 interface. If ZyWALL A recovers (has both its ge1 and ge2
  • Page 129: Before You Start

    131). To avoid an IP address conflict, do not connect ZyWALL B to the LAN subnet until after you configure its device HA settings and the instructions tell you to deploy it (in Section 6.8.4 on page 132).
  • Page 130: Configure Device Ha On The Master Zywall

    LAN (ge1) to the Internet through the ge2 interface, so turn on monitoring for the ge1 and ge2 interfaces. Enter a Synchronization Password (“mySyncPassword” in this example) and click Apply. Figure 92 Device HA > Active-Passive Mode: Master ZyWALL Example
  • Page 131: Configure The Backup Zywall

    In ZyWALL B click Device HA > Active-Passive Mode. Click ge1’s Edit icon. Configure 192.168.1.5 as the Management IP and 255.255.255.0 as the Subnet Mask. Click OK. Figure 94 Device HA > Active-Passive Mode > Edit: Backup ZyWALL Example
  • Page 132: Deploy The Backup Zywall

    Connect ZyWALL B’s ge1 interface to the LAN network. Connect ZyWALL B’s ge2 interface to the same router that ZyWALL A’s ge2 interface uses for Internet access. ZyWALL B copies A’s configuration (and re-synchronizes with A every
  • Page 133: Check Your Device Ha Setup

    HTTP server’s private IP address of 192.168.3.7. Figure 97 Public Server Example Network Topology 6.9.1 Create the Address Objects Use Object > Address > Add to create the address objects.
  • Page 134: Configure A Virtual Server

    HTTP server’s outgoing sessions through ge3 and use 1.1.1.2 as the source IP address (to match the IP address for accessing it). See NAT 1:1 Example on page 278 for details.
  • Page 135 Now the public can go to IP address 1.1.1.2 to access the HTTP server. If a domain name is registered for IP address 1.1.1.2, users can just go to the domain name to access the web server.
  • Page 136
  • Page 137: Status

    ZyWALL. • Use the SEM Status Detail screen (see Section 7.2.9 on page 151) to look at detailed status information for an installed SEM (Security Extension Module) card.
  • Page 138: The Status Screen

    The following table describes the labels in this screen. Table 29 Status (LABEL: DESCRIPTION) Refresh Interval: Select how often you want the screen to automatically refresh. Refresh Now: Click this to update the screen immediately. Device Information
  • Page 139 it, its entry is displayed in light gray text. Click the Detail icon to go to a (more detailed) summary screen of interface statistics. Name: This field displays the name of each interface.
  • Page 140 If this interface is a member of an active virtual router, this field displays the IP address it is currently using. This is either the static IP address of the interface (if it is the master) or the management IP address (if it is a backup).
  • Page 141 Login Users: This field displays the number of users currently logged in to the ZyWALL. Click the icon to pop open a list of the users who are currently logged in to the ZyWALL. See Section 7.2.8 on page 151.
  • Page 142 Remaining days: If it displays 0 days, the license has expired. If the status is not Licensed, click this to open the screen where you can activate or extend the license. See Section 8.2 on page 155.
  • Page 143 The number in brackets indicates how many times the signature has been matched. Click the hyperlink for more detailed information on the intrusion. Virus Detected: This is the name of the virus that the ZyWALL has detected.
  • Page 144: The Cpu Usage Screen

    The x-axis shows the time period over which the CPU usage occurred. Refresh Interval: Enter how often you want this window to be automatically updated. Refresh Now: Click this to update the information in the window right away.
  • Page 145: The Memory Usage Screen

    The x-axis shows the time period over which the RAM usage occurred. Refresh Interval: Enter how often you want this window to be automatically updated. Refresh Now: Click this to update the information in the window right away.
  • Page 146: The Session Usage Screen

    The x-axis shows the time period over which the session usage occurred. Refresh Interval: Enter how often you want this window to be automatically updated. Refresh Now: Click this to update the information in the window right away.
  • Page 147: The Vpn Status Screen

    Set Interval: Click this to set the Poll Interval the screen uses. Stop: Click this to stop the window from updating automatically. You can start it again by setting the Poll Interval and clicking Set Interval.
  • Page 148: The Dhcp Table Screen

    Apply. To remove a static DHCP entry, clear this field, and then click Apply. Apply: Click this to save your settings to the ZyWALL. Refresh: Click this to update the screen immediately.
  • Page 149: The Port Statistics Screen

    Set Interval: Click this to set the Poll Interval the screen uses. Stop: Click this to stop the window from updating automatically. You can start it again by setting the Poll Interval and clicking Set Interval.
  • Page 150: The Port Statistics Graph Screen

    This line represents the traffic received by the ZyWALL on the physical port since it was last connected. Last Update: This field displays the date and time the information in the window was last updated.
  • Page 151: The Current Users Screen

    Click this icon to end a user’s session. 7.2.9 The SEM Status Detail Screen Use this screen to look at detailed status information for an installed SEM (Security Extension Module) card. An SEM enhances the ZyWALL’s VPN and/or
  • Page 152 Driver load failed - An error occurred during the ZyWALL’s attempt to activate the SEM card. Make sure the SEM is installed properly and the thumbscrews are tightened. If this status still displays, contact your vendor.
  • Page 153: Registration

    ZyWALL’s serial number and LAN MAC address to register it. Refer to the web site’s on-line help for details. Note: To activate a service on a ZyWALL, you need to access myZyXEL.com via that ZyWALL.
  • Page 154 ZyXEL engine anti-virus service subscription and enter the iCard’s PIN number (license key) in the Registration > Service screen. The one-year ZyXEL engine anti-virus service subscription is automatically extended to 18 months.
  • Page 155: The Registration Screen

    (and the underscore). Spaces are not allowed. Confirm Password: Enter the password again for confirmation. E-Mail Address: Enter your e-mail address. You can use up to 80 alphanumeric characters (periods and the underscore are also allowed) without spaces.
  • Page 156 You can have the ZyWALL block, block and/or log access to web sites based on these categories. Apply: Click Apply to save your changes back to the ZyWALL.
  • Page 157: The Service Screen

    To activate or extend a standard service subscription, purchase an iCard and enter the iCard’s PIN number (license key) in this screen. Click Licensing > Registration > Service to open the screen as shown next. Figure 113 Licensing > Registration > Service
  • Page 158 (specific to your ZyWALL) and enter the new PIN number to extend the service. Service License Refresh: Click this button to renew service license information (such as the registration status and expiration day).
  • Page 159: Signature Update

    • Schedule signature updates for a day and time when your network is least busy to minimize disruption to your network. • Your custom signature configurations are not overwritten when you download new signatures. Note: The ZyWALL does not have to reboot when you upload new signatures.
  • Page 160: The Antivirus Update Screen

    If new signatures are found, they are then downloaded to the ZyWALL. Update Now: Click this button to have the ZyWALL check for new signatures immediately. If there are new ones, the ZyWALL will then download them.
  • Page 161: The Idp/Apppatrol Update Screen

    IDP service in order to be able to download new packet inspection signatures from myZyXEL.com (see the Registration screens). Use the Update IDP/AppPatrol screen to schedule or immediately download IDP signatures. Figure 115 Licensing > Update > IDP/AppPatrol
  • Page 162 Apply: Click this button to save your changes to the ZyWALL. Reset: Click this button to return the screen to its last-saved settings. Figure 116 Downloading IDP Signatures
  • Page 163: The System Protect Update Screen

    The system-protection feature is enabled by default and can only be disabled via the commands. You do not need an IDP subscription to use the system-protection feature or to download updated system-protection signatures. Figure 118 Licensing > Update > System Protect
  • Page 164 Apply: Click this button to save your changes to the ZyWALL. Reset: Click this button to return the screen to its last-saved settings. Figure 119 Downloading System Protect Signatures
  • Page 165 Chapter 9 Signature Update Figure 120 Successful System Protect Signature Download
  • Page 166
  • Page 167: Network

    Network Interfaces (169) Trunks (225) Policy and Static Routes (235) Routing Protocols (249) Zones (261) DDNS (265) Virtual Servers (273) HTTP Redirect (289) ALG (293) IP/MAC Binding (301)
  • Page 169: Interfaces

    (Section 10.10 on page 209) to combine two or more network segments into a single network. • Use the Auxiliary screens (Section 10.11 on page 216) to configure the ZyWALL’s auxiliary interface to use an external modem.
  • Page 170: What You Need To Know About Interfaces

    • The auxiliary interface, along with an external modem, provides an interface the ZyWALL can use to dial out. This interface can be used as a backup WAN interface, for example. The auxiliary interface controls the AUX port.
  • Page 171 The relationships between interfaces are explained in the following table. Table 44 Relationships Between Different Types of Interfaces (INTERFACE: REQUIRED PORT / INTERFACE) auxiliary interface: auxiliary port; port group: physical port; Ethernet interface: physical port, port group
  • Page 172 Ethernet interfaces and port groups. • See Section 6.2 on page 106 for an example of configuring a cellular (3G) interface. • See Chapter 11 on page 225 to configure load balancing using trunks.
  • Page 173: Interface Status Screen

    Name: This field displays the name of each interface. If there is an Expand icon (plus sign) next to the name, click this to look at the status of virtual interfaces on top of this interface.
  • Page 174 Fault - This VRRP group is not functioning in the virtual router right now. For example, this might happen if the interface is down. n/a - Device HA is not active on the interface. Zone: This field displays the zone to which the interface is assigned.
  • Page 175 This field displays the transmission speed, in bytes per second, on the interface in the one-second interval before the screen updated. Rx B/s: This field displays the reception speed, in bytes per second, on the interface in the one-second interval before the screen updated.
  • Page 176: Port Grouping

    8 (the dual-personality Ethernet port and SFP slot pairs). They are always assigned to interfaces ge7 and ge8, respectively. To access this screen, click Network > Interface > Port Grouping. Figure 122 Network > Interface > Port Grouping
  • Page 177: Ethernet Summary Screen

    The more routing information is exchanged, the more efficient the routers should be. However, the routers also generate more network traffic, and some routing protocols require a significant amount of configuration and management. The ZyWALL supports two routing protocols, RIP and OSPF. See
  • Page 178 To activate or deactivate an interface, click the Active icon next to it. Make sure you click Apply to save and apply the change. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 179: Ethernet Edit

    • Override the default link cost and authentication method for the selected area. • Select in which direction(s) routing information is exchanged - The ZyWALL can receive routing information, send routing information, or do both.
  • Page 180 Each field is described in the table below. Table 48 Network > Interface > Ethernet > Edit (LABEL: DESCRIPTION) General Settings. Enable Interface: Select this to enable this interface. Clear this to disable this interface.
  • Page 181 ZyWALL uses the one that was configured first. Interface Parameters. Egress Bandwidth: Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network. Allowed values are 0 - 1048576.
  • Page 182 DHCP servers you specify. The DHCP server(s) may be on another network. DHCP Server - the ZyWALL assigns IP addresses and provides subnet mask, gateway, and DNS server information to the network. The ZyWALL is the DHCP server for the network.
  • Page 183 IP addresses and specific MAC addresses. This stops anyone else from manually using a bound IP address on another device connected to this interface. Use this to make sure only the intended users get to use specific IP addresses.
  • Page 184 Enter the cost (between 1 and 65,535) to route packets through this interface. Passive Interface: Select this to stop forwarding OSPF routing information from the selected interface. As a result, this interface only receives routing information.
  • Page 185: The Static Dhcp Screen

    ZyWALL assigns to computers connected to the interface. If a computer’s MAC address is in the interface’s static DHCP table, the ZyWALL assigns the corresponding IP address. Otherwise, the ZyWALL assigns an IP address dynamically using the interface’s IP Pool Start Address and Pool Size.
  • Page 186: Ppp Interfaces

    PPPoE/PPTP software on each computer in the network. Figure 126 Example: PPPoE/PPTP Interfaces PPPoE/PPTP interfaces are similar to other interfaces in some ways. They have an IP address, subnet mask, and gateway used to make routing decisions; they
  • Page 187: Ppp Interface Summary

    This field displays the name of the interface. Base Interface: This field displays the interface on top of which the PPPoE/PPTP interface runs. Account Profile: This field displays the ISP account used by this PPPoE/PPTP interface.
  • Page 188: Ppp Interface Edit

    Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. 10.6.2 PPP Interface Edit Note: You have to set up an ISP account before you create a PPPoE/PPTP interface.
  • Page 189 Each field is explained in the following table. Table 51 Network > Interface > PPP > Edit > Configuration (LABEL: DESCRIPTION) General Settings. Enable Interface: Select this to enable this interface. Clear this to disable this interface.
  • Page 190 ZyWALL decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the ZyWALL uses the one that was configured first. Interface Parameters
  • Page 191 Click Policy Route to go to the screen where you can manually configure a policy route to associate traffic with this interface. Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving.
  • Page 192: Cellular Configuration Screen (3G)

    Internet access to mobile devices. Note: The actual data rate you obtain varies depending on the 3G card you use, the signal strength to the service provider’s base station, and so on.
  • Page 193 To change your 3G WAN settings, click Network > Interface > Cellular. Note: Install (or connect) a compatible 3G card to use a cellular connection. See Chapter 53 on page 805 for details.
  • Page 194 You might use this icon to test the interface or to manually establish the connection. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 195: Cellular Add/Edit Screen

    To change your 3G settings, click Network > Interface > Cellular > Add (or Edit). In the pop-up window that displays, select the slot that you want to configure. The following screen displays. Figure 130 Interface > Cellular > Add
  • Page 196 Enter the dial string if your ISP provides a string, which would include the APN, to initialize the 3G card. You can enter up to 63 ASCII printable characters. Spaces are allowed. This field is available only when you insert a GSM 3G card.
  • Page 197 Ingress Bandwidth: This is reserved for future use. Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can receive from the network through the interface. Allowed values are 0 - 1048576.
  • Page 198 This is the default selection. Use Fixed IP Address: Select this option if the ISP assigned a fixed IP address. IP Address: Enter the cellular interface’s WAN IP address in this field if you selected Use Fixed IP Address.
  • Page 199: Cellular Status Screen

    Click Cancel to exit this screen without saving. 10.8 Cellular Status Screen To check your 3G connection status, click Network > Interface > Cellular > Status. The following screen displays. Figure 131 Interface > Cellular > Status
  • Page 200 Need auth-password - You need to enter the password for the 3G card in the cellular edit screen. Device ready - The ZyWALL successfully applied all of your configuration and you can use the 3G connection.
  • Page 201: Vlan Interfaces

    Figure 132 Example: Before VLAN In this example, there are two physical networks and three departments A, B, and C. The physical networks are connected to hubs, and the hubs are connected to the router.
  • Page 202 VLAN. These rules are also independent of the physical network, so you can change the physical network without changing policies. In this example, the new switch handles the following types of traffic: • Inside VLAN 2.
  • Page 203: Vlan Summary Screen

    0.0.0.0, the interface does not have an IP address yet. This screen also shows whether the IP address is a static IP address (STATIC) or dynamically assigned (DHCP). IP addresses are always static in virtual interfaces.
  • Page 204: Vlan Add/Edit

    This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each VLAN interface. To access this screen, click the Add icon at the top of the Add column or click an
  • Page 205 Each field is explained in the following table. Table 57 Network > Interface > VLAN > Edit (LABEL: DESCRIPTION) General Settings. Enable Interface: Select this to turn this interface on. Clear this to disable this interface.
  • Page 206 ZyWALL uses the one that was configured first. Interface Parameters. Egress Bandwidth: Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network. Allowed values are 0 - 1048576.
  • Page 207 DHCP Server - the ZyWALL assigns IP addresses and provides subnet mask, gateway, and DNS server information to the network. The ZyWALL is the DHCP server for the network. These fields appear if the ZyWALL is a DHCP Relay.
  • Page 208 IP addresses and specific MAC addresses for this VLAN. This stops anyone else from manually using a bound IP address on another device connected to this interface. Use this to make sure only the intended users get to use specific IP addresses.
  • Page 209: Bridge Interfaces

    If the destination MAC address is not in the table, the bridge broadcasts the packet on every port (except the one on which it was received).
  • Page 210 (250.250.250.0/23) between ge1 and vlan1. Table 60 Example: Routing Table Before and After Bridge Interface br0 Is Created IP ADDRESS(ES) DESTINATION IP ADDRESS(ES) DESTINATION 210.210.210.0/24 221.221.221.0/24 vlan0 210.211.1.0/24 ge1:1 230.230.230.192/26 221.221.221.0/24 vlan0 241.241.241.241/32 222.222.222.0/24 vlan1 242.242.242.242/32
  • Page 211: Bridge Summary

    This screen also shows whether the IP address is a static IP address (STATIC) or dynamically assigned (DHCP). IP addresses are always static in virtual interfaces. Member: This field displays the Ethernet interfaces and VLAN interfaces in the bridge interface. It is blank for virtual interfaces.
  • Page 212: Bridge Add/Edit

    Add icon at the top of the Add column in the Bridge Summary screen, or click an Edit icon in the Bridge Summary screen. The following screen appears. Figure 137 Network > Interface > Bridge > Edit
  • Page 213 Enter the IP address of the gateway. The ZyWALL sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface.
  • Page 214 Relay Server 1: Enter the IP address of a DHCP server for the network. Relay Server 2: This field is optional. Enter the IP address of another DHCP server for the network. These fields appear if the ZyWALL is a DHCP Server.
  • Page 215 MAC address. Violation. Edit Static DHCP Table: Click this to configure static IP addresses for the ZyWALL to assign to computers connected to this interface. See Section 10.5 on page 185.
  • Page 216: Auxiliary Interface

    WAN interface. You have to connect an external modem to the ZyWALL’s auxiliary port to use the auxiliary interface. Note: You have to connect an external modem to the auxiliary port.
  • Page 217: Auxiliary

    General Settings. Enable Interface: Select this to turn on the auxiliary dial-up interface. The interface does not dial out, however, unless it is part of a trunk and load-balancing conditions are satisfied. Interface Properties
  • Page 218 Set this field to zero to disable the idle timeout. Allowed values are 0 - 360. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 219: Virtual Interfaces

    This screen lets you configure IP address assignment and interface parameters for virtual interfaces. To access this screen, click an Add icon next to an Ethernet interface, VLAN interface, or bridge interface in the respective interface summary screen. Figure 139 Network > Interface > Add
  • Page 220: Interface Technical Reference

    0 - 1048576. Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving. 10.13 Interface Technical Reference Here is more detailed information about interfaces on the ZyWALL.
  • Page 221 However, if there is a default router to which the ZyWALL should send this packet, you can specify it as a gateway in one of the interfaces. For example, if there is a default router at 200.200.200.100, you can create a gateway at
  • Page 222 IP addresses, subnet masks, gateways, and some network information (such as the IP addresses of DNS servers) on
    At the time of writing, the ZyWALL does not support ingress bandwidth management.
  • Page 223 255.255.255.0, the starting IP address in the pool is 9.9.9.2, and the pool size is 253. • Subnet mask - The interface provides the same subnet mask you specify for the interface. See IP Address Assignment on page 221.
  • Page 224 The first one runs on TCP port 1723. It is used to start and manage the second one. The second one uses Generic Routing Encapsulation (GRE, RFC 2890) to transfer information between the computers. PPTP is convenient and easy to use, but you have to make sure that firewalls support both PPTP sessions.
  • Page 225: Trunks

    • Use the Trunk Edit screen (Section 11.3 on page 231) to configure which interfaces belong to each trunk and the load balancing algorithm each trunk uses.
  • Page 226: What You Need To Know About Trunks

    WAN IP address, the file server would deny the request. Here is an example. Figure 141 Link Sticking LAN user A tries to download a file from server B on the Internet. The ZyWALL uses ge2 to send the request to server B.
  • Page 227 The outbound bandwidth utilization is used as the load balancing index. In this example, the measured (current) outbound throughput of WAN 1 is 412K and In the load balancing section, a session may refer to normal connection-oriented, UDP and SNMP traffic.
  • Page 228 This continues as long as there are more member interfaces and traffic to be sent through them.
  • Page 229: The Trunk Summary Screen

    Click Network > Interface > Trunk to open the Trunk screen. This screen lists the configured trunks and the load balancing algorithm that each is configured to use. Figure 145 Network > Interface > Trunk
  • Page 230 To remove a trunk, click the Remove icon next to it. The ZyWALL confirms you want to remove it before doing so. Apply Click this button to save your changes to the ZyWALL. Reset Click this button to return the screen to its last-saved settings.
  • Page 231: Configuring A Trunk

    5 as part of the trunk. If you select interface ge5 as a member here, the ZyWALL will not send traffic through port 5 as part of the trunk.
  • Page 232: Trunk Technical Reference

    A queue is given an amount of bandwidth irrespective of the incoming traffic on that interface. This queue then moves to the back of the list. The next queue is given an equal amount of
  • Page 233 Chapter 11 Trunks bandwidth, and then moves to the end of the list; and so on, depending on the number of queues being used. This works in a looping fashion until a queue is empty.
  • Page 234 Chapter 11 Trunks
  • Page 235: Policy And Static Routes

    Note: You can generally just use policy routes. You only need to use static routes if you have a large network with multiple routers where you use RIP or OSPF to propagate routing information to other routers.
  • Page 236: What You Can Do In The Routing Screens

    • A NAT loopback policy route lets local users use a domain name to access a virtual server. When creating a virtual server that local users will use a domain name to access, you can select an option to configure a NAT loopback policy route.
  • Page 237: Policy Route Screen

    IP protocol (ICMP, UDP, TCP, etc.) and port. The actions that can be taken include: • Routing the packet to a different gateway, outgoing interface, VPN tunnel, or trunk. • Limiting the amount of bandwidth available and setting a priority for traffic.
  • Page 238 This is the name of the source IP address (group) object. any means all IP addresses. Destination This is the name of the destination IP address (group) object. any means all IP addresses. Service This is the name of the service object. any means all services.
  • Page 239: Policy Route Edit Screen

    12.2.1 Policy Route Edit Screen Click Network > Routing to open the Policy Route screen. Then click the Add or Edit icon to open the Policy Route Edit screen. Use this screen to configure or edit a policy route.
  • Page 240 If the next hop is a dynamic VPN tunnel and you enable Auto Destination Address, the ZyWALL uses the local network of the peer router that initiated an incoming dynamic IPSec tunnel as the destination address of the policy instead of your configuration here.
  • Page 241 ZyWALL send traffic that matches the policy route through the specified interface. Address Translation Use this section to configure NAT for the policy route. This section does not apply to policy routes that use a VPN tunnel as the next hop.
  • Page 242 Shaping This allows you to allocate bandwidth to a route and prioritize traffic that matches the routing policy. You must also enable bandwidth management in the main policy route screen (Network > Routing > Policy Route) in order to apply bandwidth shaping.
  • Page 243: Ip Static Route Screen

    Click Network > Routing > Static Route to open the Static Route screen. This screen displays the configured static routes. Configure static routes to be able to use RIP or OSPF to propagate the routing information to other routers. Figure 150 Network > Routing > Static Route
  • Page 244: Static Route Add/Edit Screen

    255.255.255.255 in the subnet mask field to force the network number to be identical to the host Subnet Mask Enter the IP subnet mask here.
  • Page 245: Policy Routing Technical Reference

    Whenever a client computer’s packets match the routing policy, it can use the pre-defined port triggering setting to connect to the remote server without manually configuring a port forwarding rule for each client computer.
  • Page 246: Maximize Bandwidth Usage

    When you enable maximize bandwidth usage, the ZyWALL first makes sure that each policy route gets up to its bandwidth allotment. Next, the ZyWALL divides up
  • Page 247 The ZyWALL distributes the available bandwidth equally among policy routes with the same priority level.
  • Page 248 Chapter 12 Policy and Static Routes
  • Page 249: Routing Protocols

    Network Size: Small (with up to 15 routers) versus Large. Metric: Hop count versus bandwidth, hop count, throughput, round trip time and reliability. Convergence: Slow versus Fast. Finding Out More Section 13.4 on page 259 for background information on routing protocols.
  • Page 250: The Rip Screen

    • RIP uses UDP port 520. Use the RIP screen to specify the authentication method and maintain the policies for redistribution. Click Network > Routing > RIP to open the following screen. Figure 153 Network > Routing > RIP
  • Page 251: The Ospf Screen

    Autonomous System (AS). OSPF offers some advantages over vector-space routing protocols like RIP. • OSPF supports variable-length subnet masks, which can be set up to use available IP addresses more efficiently.
  • Page 252 • A Not So Stubby Area (NSSA, RFC 1587) has routing information about the OSPF AS and networks outside the OSPF AS to which the NSSA is directly connected. It does not have any routing information about other networks outside the OSPF AS.
  • Page 253 • An Area Border Router (ABR) connects two or more areas. It is a member of all the areas to which it is connected, and it filters, summarizes, and exchanges routing information between them.
  • Page 254 BDR in another group, and neither in a third group all at the same time. Virtual Links In some OSPF AS, it is not possible for an area to be directly connected to the backbone. In this case, you can create a virtual link through an intermediate area
  • Page 255: Configuring The Ospf Screen

    Use the first OSPF screen to specify the OSPF router the ZyWALL uses in the OSPF AS and maintain the policies for redistribution. In addition, it provides a summary of OSPF areas, allows you to remove them, and opens the OSPF Add/Edit screen to add or edit them.
  • Page 256 The way this is used depends on the Type field. This value is usually the average cost in the OSPF AS, and it can be between 1 and 16777214. Area This section displays information about OSPF areas in the ZyWALL.
  • Page 257: Ospf Area Add/Edit Screen

    To access this screen, go to the OSPF summary screen (see Section 13.3 on page 251), and click either the Add icon or an Edit icon. Figure 158 Network > Routing > OSPF > Edit
  • Page 258 ABR that is connected to the backbone. This field is a sequential value, and it is not associated with a specific area. Peer Router ID Type the 32-bit ID (in IP address format) of the other ABR in the virtual link.
  • Page 259: Routing Protocol Technical Reference

    The receiving router uses its key to encrypt the received message and then verifies that it matches the smaller message sent with it. If the received message is verified, then the receiving router accepts the updated
  • Page 260 Alternatively, you can override the default in any interface or virtual link by selecting a specific authentication method. Please see the respective interface sections for more information.
  • Page 261: Zones

    Figure 159 Example: Zones 14.1.1 What You Can Do in the Zones Screens Use the Zone screens (see Section 14.2 on page 263) to view and edit the ZyWALL’s zones.
  • Page 262: What You Need To Know About Zones

    Any or All. See the specific feature for more information. Finding Out More Section 5.4.7 on page 92 for related information on these screens.
  • Page 263: The Zone Screen

    To edit a zone, click the Edit icon next to the zone. The Zone Edit screen appears. To delete a zone, click the Remove icon next to the zone. The Web Configurator confirms that you want to delete the zone before doing so.
  • Page 264: Zone Edit

    Member lists the interfaces and VPN tunnels that belong to the zone. Select any interfaces that you want to remove from the zone, and click the left arrow button to remove them.
  • Page 265: Ddns

    ZyWALL supports the following DNS service providers. See the listed websites for details about the DNS services offered by each. Table 82 DDNS Service Providers: DynDNS - Dynamic DNS, Static DNS, and Custom DNS (www.dyndns.com); Dynu - Basic, Premium (www.dynu.com).
  • Page 266: The Ddns Screen

    Profile Name This field displays the descriptive profile name for this entry. DDNS Type This field displays which DDNS service you are using. Domain Name This field displays each domain name the ZyWALL can route.
  • Page 267 The Web Configurator confirms that you want to delete the account before doing so. Apply Click this button to save your changes to the ZyWALL. Reset Click this button to return the screen to its last-saved settings.
  • Page 268: The Dynamic Dns Add/Edit Screen

    Spaces are not allowed. DDNS Settings Click Advanced to display more settings. Click Basic to display fewer settings. Domain name Type the domain name you registered. You can use up to 255 characters.
  • Page 269 HTTP proxy server between the ZyWALL and the DDNS server. Custom - If you have a static IP address, you can select this to use it for the domain name. The ZyWALL still sends the static IP address to the DDNS server.
  • Page 270: The Ddns Status Screen

    15.3 The DDNS Status Screen The DDNS Status screen shows the status of the ZyWALL’s DDNS domain names. Click Network > DDNS > Status to open the following screen. Figure 164 Network > DDNS > Status
  • Page 271 Click this to have the ZyWALL update the profile to the DDNS server. The ZyWALL attempts to resolve the IP address for the domain name. Refresh Click this to update the information displayed in the screen.
  • Page 272 Chapter 15 DDNS
  • Page 273: Virtual Servers

    16.1.2 What You Need to Know About Virtual Servers Virtual server is also known as port forwarding or port translation. Note: The virtual server changes the destination address of packets. This is also known as Destination NAT (DNAT).
  • Page 274: The Virtual Server Screen

    This field is a sequential value, and it is not associated with a specific virtual server. Name This field displays the name of the virtual server. Interface This field displays the interface on which packets for the virtual server were received.
  • Page 275: The Virtual Server Add/Edit Screen

    Click this button to return the screen to its last-saved settings. 16.2.1 The Virtual Server Add/Edit Screen The Virtual Server Add/Edit screen lets you create new virtual servers and edit existing ones. To open this window, open the Virtual Server summary screen.
  • Page 276 IP address specified by the address object. Select Create Object to configure a new IP address object. User Defined Original IP This field is available if Original IP is User Defined. Type the destination IP address that this virtual server supports.
  • Page 277 1:1 mapping. Or you can click Policy Route to go to the screens where you can manually configure a NAT 1:1 policy route for this virtual server. page 278 for an example of NAT 1:1.
  • Page 278: Nat 1:1 And Nat Loopback Examples

    In order for the server to be accessible to people from the Internet (WAN zone), you need to create a 1:1 NAT mapping from the public IP address to the server’s private one.
  • Page 279 Figure 169 Create Address Objects NAT 1:1 Virtual Server This section sets up a virtual server rule that changes the destination of SMTP traffic coming to IP address 1.1.1.1 at the ZyWALL’s ge3 interface, to the LAN
  • Page 280 NAT 1:1 mapping and loopback so the options to have the ZyWALL automatically create them are not selected here. Figure 171 Create a Virtual Server
  • Page 281 Click Network > Routing > Policy Route > Add and configure the screen as shown next. Be careful of where you create the route as routes are ordered in descending priority. Figure 173 Create a Policy Route
  • Page 282 IP address to the private IP address of a LAN SMTP mail server to allow users to access the SMTP mail server from the WAN. LAN users can also use an IP address to access the mail server.
  • Page 283 1-1 NAT mapped public IP address of 1.1.1.1. NAT Loopback Virtual Server When a LAN user sends SMTP traffic to IP address 1.1.1.1, the traffic comes into the ZyWALL through the LAN interface, thus it does not match the NAT 1:1
  • Page 284 1.1.1.1 and coming in on ge3 to the SMTP server (IP address 192.168.1.21). In this example the SMTP server also uses port 25, so the Mapped Port is set to 25. Figure 177 Create a Virtual Server
  • Page 285 LAN users. This way the LAN SMTP server replies to the ZyWALL and the ZyWALL applies NAT. Figure 179 NAT Loopback Policy Route Even if the packets go through the ZyWALL, they only undergo layer 2 switching, not NAT.
  • Page 286 The source in the return traffic matches the original destination address (1.1.1.1) and the LAN user can use the LAN SMTP server. Figure 181 NAT Loopback Successful
  • Page 287 Chapter 16 Virtual Servers
  • Page 288 Chapter 16 Virtual Servers
  • Page 289: Http Redirect

    Figure 182 HTTP Redirect Example LAN1 17.1.1 What You Can Do in the HTTP Redirect Screens Use the HTTP Redirect screens (see Section 17.2 on page 291) to display and edit the HTTP redirect rules.
  • Page 290: What You Need To Know About Http Redirect

    • an HTTP redirect rule to forward HTTP traffic from ge1 to proxy server A. For HTTP traffic between ge4 and ge2: • a from DMZ to WAN firewall rule (default) to allow HTTP requests from ge4 to ge2. Responses to these requests are allowed automatically.
  • Page 291: The Http Redirect Screen

    Click the Remove icon to delete an existing rule from the ZyWALL. A window displays asking you to confirm that you want to delete the rule. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 292: The Http Redirect Edit Screen

    Enter the IP address of the proxy server. Port Enter the port number that the proxy server uses. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving.
  • Page 293: Alg

    The ZyWALL only needs to use the ALG feature for traffic that goes through the ZyWALL’s NAT. 18.1.1 What You Can Do in the ALG Screen Use the ALG screen (Section 18.2 on page 297) to set up SIP, H.323, and FTP ALG settings.
  • Page 294: What You Need To Know About Alg

    The following example shows H.323 signaling (1) and audio (2) sessions between H.323 devices A and B. Figure 186 H.323 ALG Example SIP ALG • SIP clients can be connected to the LAN or DMZ. A SIP server must be on the WAN.
  • Page 295 LAN IP address A make calls out through WAN IP address 1. Configure another policy route to have H.323 (or SIP) calls from LAN IP addresses B and C go out through WAN IP address 2. Even though only LAN IP address A
  • Page 296 • See Section 6.7 on page 125 for a tutorial showing how to use the ALG for peer-to-peer H.323 traffic. • See Section 18.3 on page 299 for ALG background/technical information.
  • Page 297: Before You Begin

    SIP data payload. Enabling the SIP ALG also allows you to use the application patrol to detect SIP traffic and manage the SIP traffic’s bandwidth (see Chapter 29 on page 443 for the application patrol).
  • Page 298 FTP traffic and manage the FTP traffic’s bandwidth (see Chapter 29 on page 443 for the application patrol). FTP Signaling Port If you are using a custom TCP port number (not 21) for FTP traffic, enter it here.
  • Page 299: Alg Technical Reference

    File Transfer Protocol (FTP) is an Internet file transfer service that operates on the Internet and over TCP/IP networks. A system running the FTP server accepts
  • Page 300 SIP handles telephone calls and can interface with traditional circuit-switched telephone networks. When you make a VoIP call using H.323 or SIP, the RTP (Real time Transport Protocol) is used to handle voice data transfer. See RFC 1889 for details on RTP.
  • Page 301: Ip/Mac Binding

    IP addresses to which the ZyWALL does not apply IP/MAC binding. • The Monitor screen (Section 19.4 on page 305) lists the devices that have received an IP address from ZyWALL interfaces with IP/MAC binding enabled.
  • Page 302: What You Need To Know About Ip/Mac Binding

    Interface This is the name of an interface that supports IP/MAC binding. Number of IP Binding This field displays the interface’s total number of IP/MAC bindings and addresses that the interface has assigned by DHCP.
  • Page 303: Ip/Mac Binding Edit

    Bindings This table lists the bound IP and MAC addresses. The ZyWALL checks this table when it assigns IP addresses. If the computer’s MAC address is in the table, the ZyWALL assigns the corresponding IP address. You can also access this table from the interface’s edit screen.
  • Page 304: Static Dhcp Edit

    Enter up to 64 printable ASCII characters to help identify the entry. For example, you may want to list the computer’s owner. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving.
  • Page 305: Ip/Mac Binding Exempt List

    Click Network > IP/MAC Binding > Monitor to open the IP/MAC Binding Monitor screen. This screen lists the devices that have received an IP address from ZyWALL interfaces with IP/MAC binding enabled and have ever established a
  • Page 306 This field displays the MAC address to which the IP address is currently assigned. Last Access This is when the device last established a session with the ZyWALL through this interface. Refresh Click this button to update the information in the screen.
  • Page 307: Firewall

    Firewall Firewall (309)
  • Page 309: Firewall

    317) to enable or disable the firewall and asymmetrical routes, and manage and configure firewall rules. • Use the Session Limit screens (see Section 20.3 on page 323) to limit the number of concurrent NAT/firewall sessions a client can use.
  • Page 310: What You Need To Know About The Firewall

    To-ZyWALL Rules on page 310. To-ZyWALL Rules Rules with ZyWALL as the To Zone apply to traffic going to the ZyWALL itself. By default: • The firewall allows only LAN, WAN computers to access or manage the ZyWALL.
  • Page 311 To use a service, make sure both the firewall and application patrol allow the service’s packets to go through the ZyWALL. The ZyWALL checks the firewall rules before the application patrol rules for traffic going through the ZyWALL.
  • Page 312: Firewall Rule Example Applications

    (Internet Relay Chat) through the Internet. To do this, you would configure a LAN to WAN firewall rule that blocks IRC traffic from any source IP address from going to any destination address. You do not need to specify a schedule since you need
  • Page 313 • Has a static IP address, • You configure a static DHCP entry for it so the ZyWALL always assigns it the same IP address (see DHCP Settings on page 222 for information on DHCP).
  • Page 314 CEO) to allow IRC traffic from any source IP address to go to any destination address. Your firewall would have the following configuration. Table 99 Limited LAN to WAN IRC Traffic Example 2 (columns: USER, SOURCE, DESTINATION, SCHEDULE, SERVICE, ACTION) Allow
  • Page 315: Firewall Rule Configuration Example

    ) in the heading row to configure a new first entry. Remember the sequence (priority) of the rules is important since they are applied in order. Figure 199 Firewall Example: Firewall Screen Select Create Object in the Destination drop-down list box.
  • Page 316 Make sure Dest_1 is selected for the Destination and MyService is selected as the Service. Enter a description and configure the rest of the screen as follows. Click OK when you are done. Figure 202 Firewall Example: Edit a Firewall Rule
  • Page 317: The Firewall Screen

    A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN. The ZyWALL reroutes the packet to gateway A, which is in Subnet 2. The reply from the WAN goes to the ZyWALL.
  • Page 318: Configuring The Firewall Screen

    LAN IP address as the destination. Section 6.7 on page 125 for an example. • The ordering of your rules is very important as rules are applied in sequence.
  • Page 319 Note: Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL. A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets.
  • Page 320 This displays the source address object to which this firewall rule applies. Destination This displays the destination address object to which this firewall rule applies. Service This displays the service object to which this firewall rule applies.
  • Page 321: The Firewall Edit Screen

    20.2.2 The Firewall Edit Screen In the Firewall screen, click the Edit or Add icon to display the Firewall Rule Edit screen. Refer to the following table for information on the labels. Figure 206 Firewall > Edit
  • Page 322 Select allow to permit the passage of the packets. Select whether to have the ZyWALL generate a log (log), log and alert (log alert) or not (no) when the rule is matched. See Chapter 48 on page 763 for more on logs.
  • Page 323: The Session Limit Screen

    This is the index number of a session limit rule. It is not associated with a specific rule. User This is the user name or user group name to which this session limit rule applies.
  • Page 324: The Session Limit Edit Screen

    Click Firewall > Session Limit and the Add or Edit icon to display the Firewall Session Limit Edit screen. Use this screen to configure rules that define a session limit for specific users or addresses. Figure 208 Firewall > Session Limit > Edit
  • Page 325 For this rule’s users and addresses, this setting overrides the Default Session per Host setting in the general Firewall Session Limit screen. Click OK to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving.
  • Page 326 Chapter 20 Firewall
  • Page 327: Vpn

    IPSec VPN (329) SSL VPN (371) SSL User Screens (383) SSL User Application Screens (393) SSL User File Sharing (395) L2TP VPN (407) L2TP VPN Example (413)
  • Page 329: Ipsec Vpn

    VPN gateway a VPN connection policy uses and which devices (behind the IPSec routers) can use the VPN tunnel and the IPSec SA settings (phase 2 settings). You can also activate / deactivate and connect / disconnect each VPN connection (each IPSec SA).
  • Page 330: What You Need To Know About Ipsec Vpn

    Between routers X and Y, the data is protected by tunneling, encryption, authentication, and other security features of the IPSec SA. The IPSec SA is secure because routers X and Y established the IKE SA first.
  • Page 331 initiate the VPN tunnel. Only the clients can initiate the VPN tunnel. Only this ZyWALL can initiate the VPN tunnel. Finding Out More • See Section 5.4.4 on page 91 for related information on these screens.
  • Page 332: Before You Begin

    Note: Except for dynamic IPSec VPN rules, each VPN connection requires a corresponding policy route. Dynamic IPSec VPN rules only require a corresponding policy route if you select Use Policy Route to control dynamic IPSec rules.
  • Page 333 This field displays the associated VPN gateway(s). If there is no VPN gateway, this field displays “manual key”. Encapsulation This field displays what encapsulation the IPSec SA uses. Algorithm This field displays what encryption and authentication methods, respectively, the IPSec SA uses.
  • Page 334: The Vpn Connection Add/Edit (Ike) Screen

    332), and click either the Add icon or an Edit icon. If you click the Add icon, you have to select a specific VPN gateway in the VPN Gateway field before the following screen appears.
  • Page 335 Chapter 21 IPSec VPN Figure 212 VPN > IPSec VPN > VPN Connection > Edit (IKE)
  • Page 336 IPSec SA. Policy Click Advanced to display more settings. Click Basic to display fewer settings. Local Policy Select the address or address group corresponding to the local network. Select Create Object to configure a new one.
  • Page 337 The ZyWALL and remote IPSec router must use the same encapsulation. Proposal This field is a sequential value, and it is not associated with a specific proposal. The sequence of proposals should not affect performance significantly.
  • Page 338 DH key group. Connectivity Check The ZyWALL can regularly check the VPN connection to the gateway you specified to make sure it is still available. Enable Connectivity Check Select this to turn on the VPN connection check.
  • Page 339 (SNAT). Destination Select the address object that represents the original destination address (or select Create Object to configure a new one). This is the address object for the remote network.
  • Page 340 These fields are available if the protocol is TCP or UDP. Enter the translated destination port or range of translated destination ports. The size of the original port range must be the same size as the size of the mapped port range.
  • Page 341: The Vpn Connection Add/Edit Manual Key Screen

    IKE key management. To access this screen, go to the VPN Connection summary screen (see Section 21.2 on page 332), and click either the Add icon or an existing manual key entry’s Edit icon. In the VPN Gateway section of the screen, select Manual Key.
  • Page 342 Gateway Address Type the IP address of the remote IPSec router in the IPSec SA. Type a unique SPI (Security Parameter Index) between 256 and 4095. The SPI is used to identify the ZyWALL during authentication. The ZyWALL and remote IPSec router must use the same SPI.
  • Page 343 Algorithm Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower. The ZyWALL and remote IPSec router must use the same algorithm.
  • Page 344 MD5 authentication key, 12345678901234567890, the ZyWALL only uses 1234567890123456. The ZyWALL still stores the longer key. Click OK to save your settings and exit this screen. Cancel Click Cancel to exit this screen without saving.
  • Page 345: The Vpn Gateway Screen

    This field displays the interface or a domain name the ZyWALL uses for the VPN gateway. Secure Gateway This field displays the IP address(es) of the remote IPSec routers. VPN Connection This field displays VPN connections that use this VPN gateway. ZyWALL USG 2000 User’s Guide...
  • Page 346: The Vpn Gateway Add/Edit Screen

    The VPN Gateway Add/Edit screen allows you to create a new VPN gateway policy or edit an existing one. To access this screen, go to the VPN Gateway summary screen (see Section 21.3 on page 345), and click either the Add icon or an Edit icon. ZyWALL USG 2000 User’s Guide...
  • Page 347 Type the name used to identify this VPN gateway. You may use 1-31 Name alphanumeric characters, underscores( ), or dashes (-), but the first character cannot be a number. This value is case-sensitive. Gateway Settings ZyWALL USG 2000 User’s Guide...
  • Page 348 “0123456789ABCDEF” is in ASCII format. If you use hexadecimal, you must enter twice as many characters since you need to enter pairs. The ZyWALL and remote IPSec router must use the same pre-shared key. ZyWALL USG 2000 User’s Guide...
  • Page 349 E-mail - the ZyWALL is identified by an e-mail address; you can use up to 31 ASCII characters including spaces, although trailing spaces are truncated. This value is only used for identification and can be any string. ZyWALL USG 2000 User’s Guide...
  • Page 350 Any - the ZyWALL does not check the identity of the remote IPSec router If the ZyWALL and remote IPSec router use certificates, there is one more choice. Subject Name - the remote IPSec router is identified by the subject name in the certificate ZyWALL USG 2000 User’s Guide...
  • Page 351 Type the maximum number of seconds the IKE SA can last. When (Seconds) this time has passed, the ZyWALL and remote IPSec router have to update the encryption and authentication keys and re-negotiate the IKE SA. This does not affect any existing IPSec SAs, however. ZyWALL USG 2000 User’s Guide...
  • Page 352 DH5 - use a 1536-bit random number The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group. ZyWALL USG 2000 User’s Guide...
  • Page 353 IPSec router. The password can be 1-31 ASCII characters. It is case- sensitive, but spaces are not allowed. Click OK to save your settings and exit this screen. Cancel Click Cancel to exit this screen without saving. ZyWALL USG 2000 User’s Guide...
  • Page 354: The VPN Concentrator Screen

    Therefore, a VPN concentrator is more suitable when there is a minimum amount of traffic between spoke routers.
  • Page 355: The VPN Concentrator Add/Edit Screen

    To access this screen, go to the VPN Concentrator summary screen (see Section 21.4 on page 354), and click either the Add icon or an Edit icon. Figure 218 VPN > IPSec VPN > Concentrator > Edit
  • Page 356 To remove a member from the concentrator, click on the Remove icon next to the member. The Web Configurator confirms that you want to remove the member. Click OK to save your changes in the ZyWALL. Cancel: Click Cancel to exit this screen without saving.
  • Page 357: The SA Monitor Screen

    This field displays the content of the local and remote policies for this IPSec SA. The IP addresses, not the address objects, are displayed. Algorithm: This field displays the encryption and authentication algorithms used in the SA.
  • Page 358: IPSec VPN Background Information

    IPSec router. You can usually enter a static IP address or a domain name for either or both IP addresses. Sometimes, your ZyWALL might offer another alternative, such as using the IP address of a port or interface, as well.
  • Page 359 • Data Encryption Standard (DES) is a widely used method of data encryption. It applies a 56-bit key to each 64-bit block of data. • Triple DES (3DES) is a variant of DES. It iterates three times with three separate keys, effectively tripling the strength of DES.
  • Page 360 (1024 bits) are more secure than DH1 keys (768 bits), but DH2 keys take longer to encrypt and decrypt. Authentication: Before the ZyWALL and remote IPSec router establish an IKE SA, they have to verify each other’s identity. This process is based on pre-shared keys and router identities.
  • Page 361 IPSec router’s peer and local ID type and content, respectively. For example, in Table 113 on page 362, the ZyWALL and the remote IPSec router authenticate each other successfully. In contrast, in Table 114 on page 362, the
  • Page 362 DH key group, to establish a shared secret. Steps 5 - 6: Finally, the ZyWALL and the remote IPSec router generate an encryption key (from the shared secret), encrypt their identities, and exchange their encrypted identity information for authentication.
  • Page 363 • Configure the NAT router to forward packets with the extra header unchanged. (See the field description for detailed information about the extra header.) The extra header may be UDP port 500 or UDP port 4500, depending on the standard(s) the ZyWALL and remote IPSec router support.
  • Page 364: Regular Expressions In Searching IPSec SAs

    There could be any number (of any type) of characters in front of the “abc” at the end and the VPN connection or policy name would still match. A VPN connection or policy name named “testacc” for example would not match.
  • Page 365: IPSec SA Overview

    ZyWALL and remote IPSec router (for example, for remote management), not between computers on the local and remote networks. Note: The ZyWALL and remote IPSec router must use the same encapsulation.
  • Page 366 If you do not enable PFS, the ZyWALL and remote IPSec router use the same root key that was generated when the IKE SA was established to generate encryption keys. The DH key exchange is time-consuming and may be unnecessary for data that does not require such security.
  • Page 367 • Destination address in inbound packets - this translation is used if you want to forward packets (for example, mail) from the remote network to a specific computer (like the mail server) in the local network.
  • Page 368 To set up this NAT, you have to specify the following information: • Source - the original source address; the remote network (B). • Destination - the original destination address; the local network (A).
  • Page 369 IP address of the mail server in the local network (A). • Mapped Port - the translated destination port or range of destination ports. The original port range and the mapped port range must be the same size.
  • Page 370 Chapter 21 IPSec VPN
  • Page 371: SSL VPN

    ZyWALL appears to be the server to remote users. This provides an added layer of protection for your internal servers. With reverse proxy mode, remote users can easily access any web-based applications on the local network by clicking on links or entering the provided URL.
  • Page 372 • assign private IP addresses and provide DNS/WINS server information to remote users to access internal networks. SSL Access Policy Objects The SSL access policies reference the following objects. If you update this information, in response to changes, the ZyWALL automatically propagates the
  • Page 373: The SSL Access Privilege Screen

    SSL application objects. 22.2 The SSL Access Privilege Screen Click VPN > SSL VPN to open the Access Privilege screen. This screen lists the configured SSL access policies. Figure 229 VPN > SSL VPN > Access Privilege
  • Page 374 To delete a policy, click the Remove icon next to the policy. To rearrange a policy in the list, click the Move to N icon next to the policy. Apply: Click Apply to save the settings. Reset: Click Reset to discard all changes.
  • Page 375: The SSL Access Policy Add/Edit Screen

    Enter a descriptive name to identify this policy. You can enter up to 15 characters (“a-z”, “A-Z”, “0-9”) with no spaces allowed. Description: Enter additional information about this SSL access policy. You can enter up to 31 characters (“0-9”, “a-z”, “A-Z”, “-” and “_”).
  • Page 376 To block access to a network, select the network name in the Selected Address Objects list and click <<. Create New: Click this to create a new network object. Refer to Chapter 38 on page Address Object for more information.
  • Page 377: The SSL Connection Monitor Screen

    This field displays the IP address the user used to establish this SSL VPN connection. Connected Time: This field displays the time this connection was established. Inbound (Bytes): This field displays the number of bytes received by the ZyWALL on this connection.
  • Page 378: The SSL Global Setting Screen

    Extension Local: Specify the IP address of the ZyWALL (or a gateway device) for full tunnel mode SSL VPN access. Leave this field to the default settings unless it conflicts with another interface. SSL VPN Login Domain Name
  • Page 379 100 kilobytes or less. Transparent background is recommended. Browse: Click Browse to locate the graphic file on your computer. Upload: Click Upload to transfer the specified graphic file from your computer to the ZyWALL.
  • Page 380: How To Upload A Custom Logo

    Click Apply to start the file transfer process. Log in as a user to verify that the new logo displays properly. The following shows an example logo on the remote user screen. Figure 234 Example Logo Graphic Display
  • Page 381: Establishing An SSL VPN Connection

    SSL VPN button to establish an SSL VPN connection. See Section 23.2 on page 384 for details. Display the ZyWALL’s login screen and enter your user account information (the user name and password). Click SSL VPN. Figure 235 Login Screen
  • Page 382 Login screen. Clear the Login to SSL VPN check box and try logging in again. For more information on user portal screens, refer to Chapter 23 on page 383.
  • Page 383: SSL User Screens

    ZyWALL SecuExtender client program to your computer. With the ZyWALL SecuExtender, you can access network resources, remote desktops and manage files as if you were on the local network. See Chapter 26 on page 403 for more on the ZyWALL SecuExtender.
  • Page 384: Remote User Login

    SSL VPN on the ZyWALL. 23.2 Remote User Login This section shows you how to access and log into the network through the ZyWALL. Example screens for Internet Explorer are shown.
  • Page 385 If a token password is also required, enter it in the One-Time Password field. Click SSL VPN to log in and establish an SSL VPN connection to the network to access network resources. Figure 240 Login Screen
  • Page 386 Figure 242 ActiveX Object Installation Blocked by Browser 7 The ZyWALL tries to install the SecuExtender client. You may need to click a pop-up to get your browser to allow this. In Internet Explorer, click Install.
  • Page 387 In Internet Explorer, click Run. Figure 244 SecuExtender Progress 9 Click Next to use the setup wizard to install the SecuExtender client on your computer. Figure 245 SecuExtender Progress
  • Page 388 11 The Application screen displays showing the list of resources available to you. See Figure 247 on page 389 for a screen example. Note: Available resource links vary depending on the configuration your network administrator made.
  • Page 389: The SSL VPN User Screens

    This part of the screen displays a list of the resources available to you. In the Application screen, click on a link to access or display the access method. In the File Sharing screen, click on a link to open a file or directory.
  • Page 390: Bookmarking The ZyWALL

    To properly terminate a connection, click on the Logout icon in any remote user screen. Click the Logout icon in any remote user screen. A prompt window displays. Click OK to continue. Figure 249 Logout: Prompt
  • Page 391 Chapter 23 SSL User Screens An information screen displays to indicate that the SSL VPN connection is about to terminate. Figure 250 Logout: Connection Termination Progress
  • Page 392 Chapter 23 SSL User Screens
  • Page 393: SSL User Application Screens

    (Web Server) or web-based e-mail using Microsoft Outlook Web Access (OWA). To access a web-based application, simply click a link in the Application screen to display the web screen in a separate browser window. Figure 251 Application
  • Page 394 Chapter 24 SSL User Application Screens
  • Page 395: SSL User File Sharing

    • Rename a file or folder. • Delete a file or folder. • Upload a file. Note: Available actions you can perform in the File Sharing screen vary depending on the rights granted to you on the file server.
  • Page 396: The Main File Sharing Screen

    You can open a file if the file extension is recognized by the web browser and the associated application is installed on your computer. Log in as a remote user and click the File Sharing tab. Click on a file share icon.
  • Page 397 If an access user name and password are required, a screen displays as shown in the following figure. Enter the account information and click Login to continue. Figure 253 File Sharing: Enter Access User Name and Password
  • Page 398: Downloading A File

    You are prompted to download a file which cannot be opened using a web browser. Follow the on-screen instructions to download and save the file to your computer. Then launch the associated application to open the file.
  • Page 399: Saving A File

    Specify a descriptive name for the folder. You can enter up to 356 characters. Then click Add. Note: Make sure the length of the folder name does not exceed the maximum allowed on the file server. Figure 256 File Sharing: Save a Word File
  • Page 400: Renaming A File Or Folder

    You may not be able to open a file if you change the file extension. Figure 258 File Sharing: Rename 25.6 Deleting a File or Folder Click the Delete icon next to a file or folder to remove it.
  • Page 401: Uploading A File

    After the file is uploaded successfully, you should see the name of the file and a message in the screen. Figure 259 File Sharing: File Upload Note: Uploading a file with the same name and file extension replaces the existing file on the file server. No warning message is displayed.
  • Page 402 Chapter 25 SSL User File Sharing
  • Page 403: ZyWALL SecuExtender

    26.2 Statistics Right-click the ZyWALL SecuExtender icon in the system tray and select Status to open the Status screen. Use this screen to view the ZyWALL SecuExtender’s statistics.
  • Page 404 This is how long the computer has been connected to the SSL VPN tunnel. Transmitted: This is how many bytes and packets the computer has sent through the SSL VPN connection. Received: This is how many bytes and packets the computer has received through the SSL VPN connection.
  • Page 405: View Log

    Right-click the icon and select Stop Connection to disconnect the SSL VPN tunnel. 26.6 Uninstalling the ZyWALL SecuExtender Do the following if you need to remove the ZyWALL SecuExtender. 1 Click start > All Programs > ZyXEL > ZyWALL SecuExtender > Uninstall.
  • Page 406 Chapter 26 ZyWALL SecuExtender 2 In the confirmation screen, click Yes. Figure 263 Uninstalling the ZyWALL SecuExtender Confirmation 3 Windows uninstalls the ZyWALL SecuExtender. Figure 264 ZyWALL SecuExtender Uninstallation
  • Page 407: L2TP VPN

    IPSec VPN. IPSec Configuration Required for L2TP VPN You must configure an IPSec VPN connection for L2TP VPN to use (see Chapter 21 on page 329 for details). The IPSec VPN connection must:
  • Page 408 • Set the Destination Address to the IP address pool that the ZyWALL assigns to the remote users (L2TP_POOL in the following figure). • Set the next hop to be the VPN tunnel that you are using for L2TP. Figure 266 Policy Route for L2TP VPN
  • Page 409: L2TP VPN Screen

    L2TP VPN sessions. IP Address Pool: Select the pool of IP addresses that the ZyWALL uses to assign to the L2TP VPN clients. Select Create Object to configure a new pool of IP addresses.
  • Page 410: L2TP VPN Session Monitor Screen

    Click VPN > L2TP VPN > Session Monitor to open the following screen. Use this screen to display and manage the ZyWALL’s connected L2TP VPN sessions. Figure 268 VPN > L2TP VPN > Session Monitor
  • Page 411 This field displays the public IP address that the remote user is using to connect to the Internet. Action: Click the Disconnect icon next to an L2TP VPN connection to disconnect it. Refresh: Click Refresh to update the information in the display.
  • Page 412 Chapter 27 L2TP VPN
  • Page 413: L2TP VPN Example

    • You configure an IP address pool object named L2TP_POOL to assign the remote users IP addresses from 192.168.10.10 to 192.168.10.20 for use in the L2TP VPN tunnel. • The VPN rule allows the remote user to access the LAN_SUBNET which covers the 192.168.1.x subnet.
  • Page 414: Configuring The Default L2TP VPN Gateway Example

    • Select Pre-Shared Key and configure a password. This example uses top-secret. Click OK. Click the Default_L2TP_VPN_GW entry’s Enable icon and click Apply to turn on the entry. Figure 271 VPN > IPSec VPN > VPN Gateway (Enable)
  • Page 415: Configuring The Default L2TP VPN Connection Example

    Default_L2TP_VPN_GW. The address object in this example uses the ge2 interface’s IP address (172.16.1.2) and is named L2TP_IFACE. • For the Remote Policy, create an address object that uses host type and an IP address of 0.0.0.0. It is named L2TP_HOST in this example.
  • Page 416: Configuring The L2TP VPN Settings Example

    • Select a user or group of users that can use the tunnel. Here a user account named L2TP-test has been created. • The other fields are left to the defaults in this example; click Apply.
  • Page 417: Configuring The Policy Route For L2TP Example

    • Set the Destination Address to the IP address pool that the ZyWALL assigns to the remote users (L2TP_POOL in this example). • Set the next hop to be the Default_L2TP_VPN_Connection VPN tunnel. • Click OK.
  • Page 418: Configuring L2TP VPN In Windows XP And 2000

    Click Start > Control Panel > Network Connections > New Connection Wizard. Click Next in the Welcome screen. Select Connect to the network at my workplace and click Next. Figure 276 New Connection Wizard: Network Connection Type
  • Page 419 Chapter 28 L2TP VPN Example Select Virtual Private Network connection and click Next. Figure 277 New Connection Wizard: Network Connection. Type L2TP to ZyWALL as the Company Name. Figure 278 New Connection Wizard: Connection Name
  • Page 420 Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN (172.16.1.2 in this example). Figure 280 New Connection Wizard: VPN Server Selection. Click Finish.
  • Page 421 Chapter 28 L2TP VPN Example The Connect L2TP to ZyWALL screen appears. Click Properties > Security. Figure 281 Connect L2TP to ZyWALL 10 Click Security, select Advanced (custom settings) and click Settings. Figure 282 Connect L2TP to ZyWALL: Security
  • Page 422 Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK. Figure 283 Connect ZyWALL L2TP: Security > Advanced 12 Click IPSec Settings. Figure 284 L2TP to ZyWALL Properties > Security
  • Page 423 Figure 286 L2TP to ZyWALL Properties: Networking 15 Enter the user name and password of your ZyWALL account. Click Connect. Figure 287 Connect L2TP to ZyWALL 16 A window appears while the user name and password are verified.
  • Page 424: Configuring L2TP In Windows 2000

    L2TP client. 28.6.2.1 Editing the Windows 2000 Registry In Windows 2000, you need to create a registry entry and restart the computer to have it use pre-shared keys.
  • Page 425 Click Registry > Export Registry File and save a backup copy of your registry. You can go back to using this backup if you misconfigure the registry settings. Select HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters. Figure 291 Registry Key Right-click Parameters and select New > DWORD Value. Figure 292 New DWORD Value
  • Page 426 IPSec policy for the computer to use. Click Start > Run. Type mmc and click OK. Figure 294 Run mmc Click Console > Add/Remove Snap-in. Figure 295 Console > Add/Remove Snap-in
  • Page 427 Figure 296 Add > IP Security Policy Management > Finish Right-click IP Security Policies on Local Machine and click Create IP Security Policy. Click Next in the welcome screen. Figure 297 Create IP Security Policy
  • Page 428 Name the IP security policy L2TP to ZyWALL, and click Next. Figure 298 IP Security Policy: Name Clear the Activate the default response rule check box and click Next. Figure 299 IP Security Policy: Request for Secure Communication
  • Page 429 Leave the Edit Properties check box selected and click Finish. Figure 300 IP Security Policy: Completing the IP Security Policy Wizard In the properties dialog box, click Add > Next. Figure 301 IP Security Policy Properties > Add
  • Page 430 Select This rule does not specify a tunnel and click Next. Figure 302 IP Security Policy Properties: Tunnel Endpoint 10 Select All network connections and click Next. Figure 303 IP Security Policy Properties: Network Type
  • Page 431 11 Select Use this string to protect the key exchange (preshared key), type password in the text box, and click Next. Figure 304 IP Security Policy Properties: Authentication Method 12 Click Add. Figure 305 IP Security Policy Properties: IP Filter List
  • Page 432 (172.16.1.2 in this example) in the IP Address field. Make certain the Mirrored. Also match packets with the exact opposite source and destination addresses check box is selected and click Apply. Figure 307 Filter Properties: Addressing
  • Page 433 UDP from port 1701. Select To any port. Click Apply, OK, and then Close. Figure 308 Filter Properties: Protocol 16 Select ZyWALL WAN_IP and click Next. Figure 309 IP Security Policy Properties: IP Filter List
  • Page 434 18 In the Console window, right-click L2TP to ZyWALL and select Assign. Figure 311 Console: L2TP to ZyWALL Assign 28.6.2.3 Configure the Windows 2000 Network Connection After you have configured the IPSec policy, use these directions to create a network connection.
  • Page 435 Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN. Click Next. Figure 314 New Connection Wizard: Destination Address (172.16.1.2)
  • Page 436 Select For all users and click Next. Figure 315 New Connection Wizard: Connection Availability Name the connection L2TP to ZyWALL and click Finish. Figure 316 New Connection Wizard: Naming the Connection Click Properties. Figure 317 Connect L2TP to ZyWALL
  • Page 437 Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK. Click Yes if a screen pops up. Figure 319 Connect L2TP to ZyWALL: Security > Advanced
  • Page 438 Figure 321 Connect L2TP to ZyWALL 11 A ZyWALL-L2TP icon displays in your system tray. Double-click it to open a status screen. Figure 322 ZyWALL-L2TP System Tray Icon
  • Page 439 12 Click Details and scroll down to see that the address you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20). Figure 323 L2TP to ZyWALL Status: Details 13 Access a server or other network resource behind the ZyWALL to make sure your access works.
  • Page 440 Chapter 28 L2TP VPN Example
  • Page 441: Application Patrol

    Application Patrol (443)
  • Page 443: Application Patrol

    It also lets you open the Other Configuration Add/Edit screen to create new conditions or edit existing ones. • Use the Statistics screen (see Section 29.5 on page 465) to see a bandwidth usage graph and statistics for each protocol.
  • Page 444: What You Need To Know About Application Patrol

    Custom Ports for SIP and the SIP ALG Configuring application patrol to use custom port numbers for SIP traffic also configures the SIP ALG (see Chapter 18 on page 293) to use the same port
  • Page 445 For example, a LAN to WAN connection is initiated from LAN and goes to the WAN. • Outbound traffic goes from a LAN zone device to a WAN zone device. Bandwidth management is applied before sending the packets out a WAN zone interface on the ZyWALL.
  • Page 446 • Then lower-priority traffic gets bandwidth. • The ZyWALL uses a fairness-based (round-robin) scheduler to divide bandwidth among traffic flows with the same priority. • The ZyWALL automatically treats traffic with bandwidth management disabled as priority 7 (the lowest priority).
  • Page 447 In the following table the configured rates total less than the available bandwidth and maximize bandwidth usage is disabled, so both servers get their configured rate. Table 124 Configured Rate Effect (columns: POLICY, CONFIGURED RATE, MAX. B. U., PRIORITY, ACTUAL RATE): first policy - configured rate 300 kbps, actual rate 300 kbps; second policy - configured rate 200 kbps, actual rate 200 kbps.
  • Page 448 B gets almost no bandwidth with this configuration. Table 127 Priority and Over Allotment of Bandwidth Effect (columns: POLICY, CONFIGURED RATE, MAX. B. U., PRIORITY, ACTUAL RATE): first policy - configured rate 1000 kbps, actual rate 999 kbps; second policy (B) - configured rate 1000 kbps, actual rate 1 kbps.
  • Page 449: Application Patrol Bandwidth Management Examples

    FTP: WAN to DMZ (Up: 1 Mbps, Down: 8 Mbps) - Outbound: 100 Kbps, Inbound: 300 Kbps, Priority: 3, No Max. B. U. FTP: LAN to DMZ - Outbound: 50 Mbps, Inbound: 50 Mbps, Priority: 4, No Max. B. U.
  • Page 450: SIP Any To WAN Bandwidth Management Example

    (and the ADSL connection supports this). • Second highest priority (2). Set policies for other applications (except SIP) to lower priorities so the local users’ HTTP traffic gets sent before non-SIP traffic.
  • Page 451: FTP WAN To DMZ Bandwidth Management Example

    29.1.3.6 FTP LAN to DMZ Bandwidth Management Example • The LAN and DMZ zone interfaces are connected to Ethernet networks (not an ADSL device) so you limit both outbound and inbound traffic to 50 Mbps. • Fourth highest priority (4).
  • Page 452: Application Patrol General Screen

    ZyWALL is using. Note: You must register for the IDP/AppPatrol signature service (at least the trial) before you can use it. See Chapter 8 on page 153 for how to register.
  • Page 453 Apply new Registration: This link appears if you have not registered for the service or only have the trial registration. Click this link to go to the screen where you can register for the service.
  • Page 454: Application Patrol Applications

    Table 129 AppPatrol > Common LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific application. Service This field displays the name of the application. ZyWALL USG 2000 User’s Guide...
  • Page 455: The Application Patrol Edit Screen

    Figure 334 Application Edit The following table describes the labels in this screen. Table 130 Application Edit LABEL DESCRIPTION Service Enable Select this check box to turn on patrol for this application. Service Service Identification ZyWALL USG 2000 User’s Guide...
  • Page 456 Drop - the ZyWALL does not route the packets for this application and does not notify the client of its decision. Reject - the ZyWALL does not route the packets for this application and notifies the client of its decision. ZyWALL USG 2000 User’s Guide...
  • Page 457: The Application Patrol Policy Edit Screen

    The Application Policy Edit screen allows you to edit a group of settings for an application. To access this screen, go to the application patrol Common, Instant Messenger, Peer to Peer, VoIP, or Streaming screen and click an application’s ZyWALL USG 2000 User’s Guide...
  • Page 458 Drop - the ZyWALL does not route the packets for this application and does not notify the client of its decision. Reject - the ZyWALL does not route the packets for this application and notifies the client of its decision.
  • Page 459 If the sum of the bandwidths for routes using the same next hop is higher than the actual transmission speed, lower priority traffic may not be sent if higher priority traffic uses all of the actual bandwidth.
  • Page 460: The Other Applications Screen

    ZyWALL should do more precisely. You can also control the bandwidth used by these other applications. This screen also allows you to add, edit, and remove conditions to this default policy.
  • Page 461 - the ZyWALL routes the packets. Drop - the ZyWALL does not route the packets and does not notify the client of its decision. Reject - the ZyWALL does not route the packets and notifies the client of its decision.
  • Page 462 The # field is updated accordingly. The ordering of the entries is important as they are applied in order of their numbering. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 463: The Other Applications Add/Edit Screen

    Reject - the ZyWALL does not route the packets and notifies the client of its decision. Source: Select a source address or address group to which this policy applies. Select Create Object to configure a new one. Select any if the policy is effective for every source.
  • Page 464 After each application or type of traffic gets its configured bandwidth rate, the ZyWALL uses the fairness-based scheduler to divide any unused bandwidth on the outgoing interface amongst applications and traffic types that need more bandwidth and have maximize bandwidth usage enabled.
  • Page 465: Application Patrol Statistics

    Select the protocols for which to display statistics. Protocols: Select All selects all of the protocols. Clear All clears all of the protocols. Click Expand to display individual protocols. Collapse hides them. Statistics for the selected protocols display after you click Apply.
  • Page 466: Application Patrol Statistics: Bandwidth Statistics

    ZyWALL sends to the initiator of the connection. • A dotted line represents a protocol’s outgoing bandwidth usage. This is the protocol’s traffic that the ZyWALL sends out from the initiator of the connection. • Different colors represent different protocols.
  • Page 467: Application Patrol Statistics: Protocol Statistics

    IP payload. Matched Service Ports Connection: This is how much of the application’s traffic the ZyWALL identified by examining OSI level-3 information such as IP addresses and port numbers. Rule: This is a protocol’s rule.
  • Page 468 Data (KB): This is how much of the application’s traffic the ZyWALL has discarded and notified the client that the traffic was rejected (in kilobytes). This traffic was rejected because it matched a policy set to “reject”.
  • Page 469: Anti-X

    Anti-X Anti-Virus (471) IDP (487) ADP (521) Content Filtering (541) Content Filter Reports (567) Anti-Spam (575)
  • Page 471: Anti-Virus

    479) to set up anti-virus black (blocked) and white (allowed) lists of virus file patterns. • Use the Signature screen (Section 30.6 on page 483) to search signatures to get more information about signatures.
  • Page 472: What You Need To Know About Anti-Virus

    • IMAP4 (Internet Message Access Protocol version 4) How the ZyWALL Anti-Virus Scanner Works: The following describes the virus scanning process on the ZyWALL. The ZyWALL first identifies SMTP, POP3, IMAP4, HTTP and FTP packets through standard ports.
  • Page 473 • ZIP file(s) within a ZIP file. Finding Out More • See Section 5.4.14 on page 96 for related information on these screens. • See Section 30.7 on page 484 for anti-virus background information.
  • Page 474: Before You Begin

    Virus and Anti-Spyware: Select this check box to check traffic for viruses and spyware. The following table lists policies that define which traffic the ZyWALL scans and the action it takes upon finding a virus.
  • Page 475 6, the policy you are moving becomes number 6 and the previous policy 6 (if there is one) gets pushed up (or down) one. The ordering of your policies is important as they are applied in order of their numbering.
  • Page 476 Signatures: Click this link to go to the screen you can use to download signatures from the update server. Apply: Click Apply to save your changes. Reset: Click Reset to start configuring this screen again.
  • Page 477: Anti-Virus Policy Add Or Edit Screen

    FTP applies to traffic using the TCP port number specified for FTP in the ALG screen. SMTP applies to traffic using TCP port 25. POP3 applies to traffic using TCP port 110. IMAP4 applies to traffic using TCP port 143. Actions When Matched
  • Page 478 You can upload the firmware package to the ZyWALL with the option enabled, so you only need to clear this option while you download the firmware package.
  • Page 479: Anti-Virus Black List

    This is the entry’s index number in the list. File Pattern: This is the file name pattern. If a file’s name matches this pattern, the ZyWALL logs and deletes the file.
  • Page 480: Anti-Virus Black List Or White List Add/Edit

    • For a white list entry, enter a file pattern that should cause the ZyWALL to allow a file. Figure 345 Anti-X > Anti-Virus > Black/White List > Black List (or White List) > Add
  • Page 481: Anti-Virus White List

    Click Anti-X > Anti-Virus > Black/White List > White List to display the screen shown next. Use the Black/White List screen to set up Anti-Virus black (blocked) and white (allowed) lists of virus file patterns. Click a column’s heading
  • Page 482 To delete an entry, click the entry’s Remove icon. The Web Configurator confirms that you want to delete the entry. Apply: Click Apply to save your changes. Reset: Click Reset to start configuring this screen again.
  • Page 483: Signature Searching

    Click Search to have the ZyWALL search the signatures based on your specified criteria. Query all signatures and export: Click Export to have the ZyWALL save all of the anti-virus signatures to your computer in a .txt file. Query Result
  • Page 484: Anti-Virus Technical Reference

    Macro viruses: Macros are small programs that are created to perform repetitive actions. Macros run automatically when a file to which they are attached is opened. Macros spread more rapidly than other types of viruses as data files are often shared on a network.
  • Page 485 (such as your ZyWALL) on the network edge. NAV scanners inspect real-time data traffic (such as e-mail messages or web) that tends to bypass HAV scanners. The following lists some of the benefits of NAV scanners.
  • Page 486 • NAV scanners stop virus threats at the network edge before they enter or exit a network. • NAV scanners reduce the computing load on computers as the real-time data traffic inspection is done on a dedicated security device.
  • Page 487: Idp

    Chapter 32 on page 521). Zone: A zone is a combination of ZyWALL interfaces and VPN connections used for configuring security. See the zone chapter for details on zones and the interfaces chapter for details on interfaces.
  • Page 488: Before You Begin

    When the trial subscription expires, purchase and enter a license key using the same screens to continue the subscription. • Configure zones on the ZyWALL - see Chapter 14 on page 261 for more information.
  • Page 489: The Idp General Screen

    Detection: If you don’t have a standard license, you can register for a once-off trial one. Policies: Use this list to specify which IDP profile the ZyWALL uses for traffic flowing in a specific direction. Priority: IDP policies are applied in order of priority.
  • Page 490 Apply new Registration: This link appears if you have not registered for the service or only have the trial registration. Click this link to go to the screen where you can register for the service.
  • Page 491: Configuring Idp Policies

    Use the From field to specify the zone from which the traffic is coming. Use the To field to specify the zone to which the traffic is going.
  • Page 492: Introducing Idp Profiles

    The ZyWALL comes with several base profiles. You use base profiles to create new profiles. In the Anti-X > IDP > Profile screen, click the Add icon to display the following screen. Figure 350 Base Profiles
  • Page 493: The Profile Summary Screen

    Click Cancel to exit this screen without saving your changes. 31.4 The Profile Summary Screen Select Anti-X > IDP > Profile. Use this screen to: • Add a new profile • Edit an existing profile • Delete an existing profile.
  • Page 494: Creating New Profiles

    When you’re satisfied that they have been reduced to an acceptable level, you could then create an ‘inline profile’ whereby you configure appropriate actions to be taken when a packet matches a signature. 31.5.1 Procedure To Create a New Profile To create a new profile:
  • Page 495: Profiles: Packet Inspection

    Select Anti-X > IDP > Profile and then add a new or edit an existing profile. Packet inspection signatures examine the contents of a packet for malicious data. Packet inspection operates at layers 4 to 7.
  • Page 496: Profile > Group View Screen

    Chapter 31 IDP 31.6.1 Profile > Group View Screen Figure 352 Anti-X > IDP > Profile > Edit : Group View
  • Page 497 Type: This is the attack type as defined on the ZyWALL. See Table 148 on page 499 for a description of each type. Activation: Click the icon to enable or disable a signature or group of signatures.
  • Page 498 A profile consists of three separate screens. If you want to configure just one screen for an IDP profile, click OK to save your settings to the ZyWALL, complete the profile and return to the profile summary page.
  • Page 499: Policy Types

    80 on a server, he determines that it is an HTTP service run by some web server application. He then uses a web vulnerability scanner (for example, Nikto) to look for documented vulnerabilities.
  • Page 500: Idp Service Groups

    The following figure shows the WEB_PHP service group that contains signatures related to attacks on web servers using PHP exploits. PHP (PHP: Hypertext Preprocessor) is a server-side HTML embedded scripting language that allows web developers to build dynamic websites.
  • Page 501: Profile > Query View Screen

    31.6.4 Profile > Query View Screen Click Switch to query view in the screen shown in Figure 352 on page 496 to go to a signature query screen. In the query view screen, you can search for
  • Page 502 Search for signatures by attack type(s) (see Table 148 on page 499). Attack types are known as policy types in the group view screen. Hold down the [Ctrl] key if you want to make multiple selections.
  • Page 503: Query Example

    Click OK in the final profile screen to complete the profile. 31.6.5 Query Example This example shows a search with these criteria: • Severity: severe and high • Attack Type: DDoS • Platform: Windows 2000 and Windows XP computers • Service: Any
  • Page 504: Introducing Idp Custom Signatures

    Figure 356 Query Example Search Results 31.7 Introducing IDP Custom Signatures Create custom signatures for new attacks or attacks peculiar to your network. Custom signatures can also be saved to/from your computer so as to share with others.
  • Page 505: Ip Packet Header

    When it reaches zero, the datagram is discarded. It is used to prevent accidental routing loops. Protocol: The protocol indicates the type of transport packet being carried, for example, 1 = ICMP; 2 = IGMP; 6 = TCP; 17 = UDP.
  • Page 506: Configuring Custom Signatures

    Click the SID or Name heading to sort. Click the Add icon to create a new signature or click the Edit icon to edit an existing signature. You can also delete custom signatures here or save them to your computer.
  • Page 507 Export. Click Save in the file download dialog box and then select a location and name for the file. Custom signatures must end with the ‘rules’ file name extension, for example, MySig.rules.
  • Page 508: Creating Or Editing A Custom Signature

    Figure 358 on page 507. A packet must match all items you configure in this screen before it matches the signature. The more specific your signature (including packet contents), the fewer false positives the signature will trigger.
  • Page 509 Try to write signatures that target a vulnerability, for example a certain type of traffic on certain operating systems, instead of a specific exploit. Figure 359 Anti-X > IDP > Custom Signatures > Add/Edit
  • Page 510 If a datagram is fragmented, it contains a value that identifies the datagram to which the fragment belongs. Some intrusions use an invalid Identification number. Select the check box and then type in the invalid number that the intrusion uses.
  • Page 511 The following fields vary depending on whether you choose TCP, UDP or ICMP. Transport Protocol: TCP Port: Select the check box and then enter the source and destination TCP port numbers that will trigger this signature.
  • Page 512 Payload Options The longer a payload option is, the more exact the match and the faster the signature processing. Therefore, if possible, it is recommended to have at least one payload option in your signature.
  • Page 513 /winnt/system32/cmd.exe?/c+ver OK: Click this button to save your changes to the ZyWALL and return to the summary screen. Cancel: Click this button to return to the summary screen without saving any changes.
  • Page 514: Custom Signature Example

    From the NetBIOS header you see that the first byte ‘00’ defines the message type. The next three bytes represent the length of data, so you can ignore them. Therefore enter |00| as the first pattern. Figure 360 Custom Signature Example Pattern 1
  • Page 515 ‘TransactionNmPipe’ to the signature as the next patterns. Figure 361 Custom Signature Example Pattern 2 Figure 362 Custom Signature Example Patterns 3 and 4 The final custom signature should look like the one shown in the following figure.
  • Page 516 If the attack occurs, check the logs for an entry generated by your custom signature. This indicates the signature works correctly. Figure 363 Example Custom Signature
  • Page 517: Applying Custom Signatures

    The Note column displays ACCESS FORWARD when no action is configured for the signature. It displays ACCESS
  • Page 518: Idp Technical Reference

    Typical “network-based intrusions” are SQL Slammer, Blaster, Nimda, MyDoom, etc.
  • Page 519 Time to Live; IP Options: ipopts; Same IP: sameip. Transport Protocol: TCP (in Snort rule header): Port; Flow: flow; Flags: flags; Sequence Number; Ack Number; Window Size: window. Transport Protocol: UDP (in Snort rule header).
  • Page 520 Payload Size: dsize; Offset (relative to start of payload): offset; Relative to end of last match: distance; Content: content; Case-insensitive: nocase; Decode as URI: uricontent. Note: Not all Snort functionality is supported in the ZyWALL.
  • Page 521: Adp

    Traffic anomaly rules look for abnormal behavior or events such as port scanning, sweeping or network flooding. Traffic anomaly detection operates at OSI layers 2 and 3. Traffic anomaly rules may be updated when you upload new firmware.
  • Page 522: Before You Begin

    IDP-related term definitions. • See Section 32.4 on page 532 for background information on these screens. 32.1.4 Before You Begin Configure the ZyWALL’s zones - see Chapter 14 on page 261 for more information.
  • Page 523: The Adp General Screen

    ZyWALL’s performance. Anomaly Profile: An anomaly profile is a set of anomaly rules with configured activation, log and action settings. This field shows which anomaly profile is bound to which traffic direction.
  • Page 524: Configuring Adp Policies

    Click Anti-X > ADP > General and then an Add or Edit icon to display the following screen. Use this screen to apply an ADP profile to a traffic direction. Figure 367 Anti-X > ADP > General > Add
  • Page 525: The Profile Summary Screen

    Click Cancel to exit this screen without saving your changes. 32.3 The Profile Summary Screen Use this screen to: • Create a new profile using an existing base profile • Edit an existing profile • Delete an existing profile
  • Page 526: Base Profiles

    Click OK to save your changes. Cancel: Click Cancel to exit this screen without saving your changes. 32.3.2 Configuring The ADP Profile Summary Screen Select Anti-X > ADP > Profile. Figure 369 Anti-X > ADP > Profile
  • Page 527: Creating New Adp Profiles

    In the Anti-X > ADP > Profile screen, click the Edit icon or click the Add icon and choose a base profile. If you made changes to other screens belonging to this
  • Page 528 profile, make sure you have clicked OK or Save to save the changes before selecting the Traffic Anomaly tab. Figure 370 Profiles: Traffic Anomaly
  • Page 529 For flood detection you can set the number of detected flood packets per second that causes the ZyWALL to take the configured action. Click OK to save your settings to the ZyWALL, complete the profile and return to the profile summary page.
  • Page 530: Protocol Anomaly Profiles

    Protocol Anomaly tab. If you made changes to other screens belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Protocol Anomaly tab.
  • Page 531 Chapter 32 ADP Figure 371 Profiles: Protocol Anomaly
  • Page 532: Adp Technical Reference

    You may then go to another profile screen (tab) in order to complete the profile. Click OK in the final profile screen to complete the profile. 32.4 ADP Technical Reference This section is divided into traffic anomaly background information and protocol anomaly background information.
  • Page 533 This may be used to evade intrusion detection. These are distributed port scan types: • TCP Distributed Portscan • UDP Distributed Portscan • IP Distributed Portscan
  • Page 534 A smurf attacker (A) floods a router (B) with Internet Control Message Protocol (ICMP) echo request packets (pings) with the destination IP address of each packet as the broadcast address of the network. The router will broadcast the
  • Page 535 ACK that follows the SYN-ACK, and stores all outstanding SYN-ACK responses on a backlog queue. SYN-ACKs are only moved off the queue when an ACK comes back or when an internal timer ends the three-way handshake. Once the queue is
  • Page 536 If enough UDP packets are delivered to ports on the victim, the system will go down. Protocol Anomaly Background Information The following sections may help you configure the protocol anomaly profile screen (see Section 32.3.5 on page 530)
  • Page 537 CHAR ATTACK: This rule lets you receive a log or alert if certain non-RFC characters are used in a request URI. For instance, you may want to know if there are NULL bytes in the request-URI.
  • Page 538 ATTACK: This is when a TCP packet is sent where the TCP data offset is larger than the payload. TRUNCATED-OPTIONS ATTACK: This is when a TCP packet is sent which doesn’t have enough data to read. This could mean the packet was truncated.
  • Page 539 TRUNCATED-TIMESTAMP-HEADER ATTACK: This is when an ICMP packet is sent which has an ICMP datagram length of less than the ICMP Time Stamp header length. This may cause some applications to crash.
  • Page 540 Chapter 32 ADP
  • Page 541: Content Filtering

    • Use schedule objects to define when to apply a content filter profile. • Use address and/or user/group objects to define to whose web access to apply the content filter profile. • Apply a content filter profile that you have custom-tailored.
  • Page 542 URL. For example, with the URL www.zyxel.com.tw/news/pressroom.php, the domain name is www.zyxel.com.tw. The file path is the characters that come after the first slash in the URL. For example, with the URL www.zyxel.com.tw/news/pressroom.php, the file path is news/pressroom.php.
  • Page 543: Before You Begin

    Use this screen to enable content filtering, view and order your list of content filter policies, create a denial of access message or specify a redirect URL and check your external web filtering service registration status. Figure 375 Anti-X > Content Filter > General
  • Page 544 This column displays the name of the content filter profile that each content filter policy uses. The content filter profile defines to which web services, web sites or web site categories access is to be allowed or denied.
  • Page 545 The web page you specify here opens in a new frame below the denied access message. Use “http://” or “https://” followed by up to 255 characters (0-9a-zA-Z;/?:@&=+$\.-_!~*'()%). For example, http://192.168.1.17/ blocked access.
  • Page 546: Content Filter Policy Add Or Edit Screen

    33.3 Content Filter Policy Add or Edit Screen Click Anti-X > Content Filter > General > Add or Edit to open the Content Filter Policy screen. Use this screen to configure a content filter policy. A content
  • Page 547 Select any to have the content filter policy apply to all of the web access requests that the ZyWALL receives from any user. Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving your changes.
  • Page 548: Content Filter Profile Screen

    Categories screen. Use this screen to enable external database content filtering and select which web site categories to block and/or log. Note: You must register for external content filtering before you can use it. See Section 8.2 on page 155 for how to register.
  • Page 549 Chapter 34 on page 567 for how to view content filtering reports. Figure 378 Anti-X > Content Filter > Filter Profile > Add
  • Page 550 The ZyWALL then blocks or forwards access to the web page depending on the configuration of the rest of this page.
  • Page 551 Select Warn to display a warning message before allowing users to access web pages that the external web filtering service has not categorized. Select Log to record attempts to access web pages that are not categorized.
  • Page 552 Phishing: This category includes pages that are designed to appear as a legitimate bank or retailer with the intent to fraudulently capture sensitive data (i.e. credit card numbers, PIN numbers).
  • Page 553 Swimsuit: This category includes pages that contain images or offer the sale of swimsuits or intimate apparel or other types of suggestive clothing. It does not include pages selling undergarments as a subsection of other products offered.
  • Page 554 Hacking encompasses instructions on illegal or questionable tactics, such as creating viruses, distributing cracked or pirated software, or distributing other protected intellectual property.
  • Page 555 It also includes pages dedicated to selling board games as well as journals and magazines dedicated to game playing. It includes pages that support or host online sweepstakes and giveaways.
  • Page 556 This category includes pages that offer access to Usenet news groups or other messaging or bulletin board systems. Also, blog-specific sites or an individual with his own blog. This does not include social networking communities with blogs.
  • Page 557 Pornography category. Restaurants/Dining/Food: This category includes pages that list, review, discuss, advertise and promote food, catering, dining services, cooking and recipes.
  • Page 558 (if the database has an entry for it). Test Against Content Filter Server: Click this button to see the category recorded in the external content filter server’s database for the web page you specified.
  • Page 559: Content Filter Blocked And Warning Messages

    Click Anti-X > Content Filter > Filter Profile > Add or Edit > Customization to open the Customization screen. You can create a list of good (allowed) web site addresses and a list of bad (blocked) web site addresses. You can also block
  • Page 560 trusted web sites only: When this box is selected, the ZyWALL blocks Web access to sites that are not on the Trusted Web Sites list. If they are chosen carefully, this is the most effective way to block objectionable material.
  • Page 561 Forbidden Web Site List Sites that you want to block access to, regardless of their content rating, can be blocked by adding them to this list.
  • Page 562: Content Filter Cache Screen

    ZyWALL only queries the external content filtering database for sites not found in the cache. You can remove individual entries from the cache. When you do this, the ZyWALL queries the external content filtering database the next time someone tries to
  • Page 563 The following table describes the labels in this screen. Table 167 Anti-X > Content Filter > Cache LABEL DESCRIPTION URL Cache Entry Flush: Click this button to clear all web site addresses from the cache manually.
  • Page 564: Content Filter Technical Reference

    Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. 33.8 Content Filter Technical Reference This section provides content filtering background information.
  • Page 565 ZyWALL, which then blocks and/or logs access to the web site based on the settings in the content filter profile. The web site’s address and category are then stored in the ZyWALL’s content filter cache.
  • Page 566 Chapter 33 Content Filtering
  • Page 567: Content Filter Reports

    You need to register your iCard before you can view content filtering reports. Alternatively, you can also view content filtering reports during the free trial (up to 30 days). Go to http://www.myZyXEL.com.
  • Page 568 Chapter 34 Content Filter Reports Fill in your myZyXEL.com account information and click Login. Figure 383 myZyXEL.com: Login
  • Page 569 Registered ZyXEL Products (the ZyWALL 70 is shown as an example here). You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 385 on page 570). Figure 384 myZyXEL.com: Welcome
  • Page 570 In the Service Management screen click Content Filter in the Service Name column to open the content filter reports screens. Figure 385 myZyXEL.com: Service Management In the Web Filter Home screen, click the Reports tab. Figure 386 Content Filter Reports Main Screen
  • Page 571 Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report. The screens vary according to the report type you selected in the Report Home screen.
  • Page 572 A chart and/or list of requested web site categories display in the lower half of the screen. Figure 388 Global Report Screen Example
  • Page 573 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested. Figure 389 Requested URLs Example
  • Page 574 Chapter 34 Content Filter Reports
  • Page 575: Anti-Spam

    The white list can also increase the ZyWALL’s anti-spam speed and efficiency by not having the ZyWALL perform the full anti-spam checking process on legitimate e-mail.
  • Page 576 For example, in Microsoft’s Outlook Express, select a mail and click File > Properties > Details. This displays the e-mail’s header. Click Message Source to see the source for the entire mail including both the header and the body.
  • Page 577: Before You Begin

    You can also select the action the ZyWALL takes when the mail sessions threshold is reached. Figure 390 Anti-X > Anti-Spam > General
  • Page 578 The anti-spam policy has the ZyWALL scan e-mail traffic that is going to this zone from the From zone. Protocol: These are the protocols of traffic to scan for spam. SMTP applies to traffic using TCP port 25. POP3 applies to traffic using TCP port 110.
  • Page 579: The Anti-Spam Policy Add Or Edit Screen

    Click the Add or Edit icon in the Anti-X > Anti-Spam > General screen to display the configuration screen as shown next. Use this screen to configure an anti-spam policy that controls what traffic direction of e-mail to check, which e-
  • Page 580 (not spam). Check Black List: Select this check box to check e-mail against the black list. The ZyWALL classifies e-mail that matches a black list entry as spam.
  • Page 581: The Anti-Spam Black List Screen

    Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 392 Anti-X > Anti-Spam > Black/White List > Black List
  • Page 582: The Anti-Spam Black Or White List Add/Edit Screen

    Use this screen to configure an anti-spam black list entry to identify spam e-mail. You can create entries based on specific subject text, or the sender’s or relay’s IP
  • Page 583 This field displays when you select the IP type. Enter the subnet mask here, if applicable. Sender E-Mail Address: This field displays when you select the E-Mail type. Enter a keyword (up to 63 ASCII characters). See Section 35.4.2 on page 584 for more details.
  • Page 584: Regular Expressions In Black Or White List Entries

    Click Anti-X > Anti-Spam > Black/White List and then the White List tab to display the Anti-Spam White List screen. Configure the white list to identify legitimate e-mail. You can create white list entries based on the sender’s or relay’s IP address or e-mail address. You can also
  • Page 585 To delete an entry, click the entry’s Remove icon. The Web Configurator confirms that you want to delete the entry. Click OK to save your changes. Cancel: Click Cancel to exit this screen without saving your changes.
  • Page 586: The Dnsbl Screen

    Select last N IPs to have the ZyWALL start checking from the last IP address in the mail header. This is the IP of the last server that forwarded the mail.
  • Page 587: The Dnsbl Add/Edit Screen

    Click the Add or Edit icon in the Anti-X > Anti-Spam > DNSBL screen to display the configuration screen as shown next. Use this screen to specify a DNSBL (spam IP address black list). You need to enter the name of a domain that maintains DNSBL servers.
  • Page 588: The Anti-Spam Status Screen

    Click Anti-X > Anti-Spam > Status to display the Anti-Spam Status screen. Use the Anti-Spam Status screen to see how many e-mail sessions the anti-spam feature is scanning and statistics for the DNSBLs. Figure 397 Anti-X > Anti-Spam > Status
  • Page 589: Anti-Spam Technical Reference

    ZyWALL’s DNSBL domains at the same time. • The DNSBL servers send replies as to whether or not each IP address matches an entry in their list. Each IP address has a separate reply.
  • Page 590 DNSBL domains for IP address a.a.a.a. The ZyWALL sends another separate query to each of its DNSBL domains for IP address b.b.b.b. DNSBL A replies that IP address a.a.a.a does not match any entries in its list (not spam).
  • Page 591 Now that the ZyWALL has received at least one non-spam reply for each of the e-mail’s routing IP addresses, the ZyWALL immediately classifies the e-mail as legitimate and forwards it. The ZyWALL does not wait for any more DNSBL replies.
  • Page 592 In this example it was an SMTP mail and the defined action was to drop the mail. The ZyWALL does not wait for any more DNSBL replies.
  • Page 593: Device HA

    Device HA Device HA (595)
  • Page 595: Device HA

    VRRP group settings and synchronize backup ZyWALLs. 36.1.2 What You Need to Know About Device HA Active-Passive Mode and Legacy Mode • Active-passive mode lets a backup ZyWALL take over if the master ZyWALL fails.
  • Page 596: Before You Begin

    ZyWALLs are both subscribed. For example, a backup subscribed to IDP/AppPatrol, but not anti-virus, gets IDP/AppPatrol updates from the master, but not anti-virus updates. It is highly recommended to subscribe the master and backup ZyWALLs to the same services.
  • Page 597: Device HA General

    You can use this IP address and subnet mask to access the ZyWALL whether it is in master or backup mode. Link Status This tells whether the monitored interface’s connection is down or up.
  • Page 598: The Active-Passive Mode Screen

    ZyWALL A and backup ZyWALL B form a virtual router. Figure 403 Virtual Router Cluster ID You can have multiple ZyWALL virtual routers on your network. Use a different cluster ID to identify each virtual router. In the following example, ZyWALLs A and
  • Page 599 IP address to manage the ZyWALL regardless of whether it is the master or the backup. For example, ZyWALL B takes over A’s 192.168.1.1 LAN interface IP address. This is a virtual router IP address. ZyWALL A keeps its LAN management IP address of
  • Page 600: Configuring Active-Passive Mode Device HA

    The Device HA Active-Passive Mode screen lets you configure general active-passive mode device HA settings, view and manage the list of monitored interfaces, and synchronize backup ZyWALLs. To access this screen, click Device HA > Active-Passive Mode. Figure 406 Device HA > Active-Passive Mode
  • Page 601 Authentication Types on page 259 for more information about authentication methods. Interface This field identifies the interface. At the time of writing, only the Ethernet interfaces can be included in the virtual router.
  • Page 602 ZyWALL in the virtual router must use the same password. If you leave this field blank in the master ZyWALL, no backup ZyWALLs can synchronize from it. If you leave this field blank in a backup ZyWALL, it cannot synchronize from the master ZyWALL.
  • Page 603: Configuring An Active-Passive Mode Monitored Interface

    The following table describes the labels in this screen. Table 178 Device HA > Active-Passive Mode > Edit LABEL DESCRIPTION Enable Monitored Interface Select this to have device HA monitor the status of this interface’s connection. Interface Name This identifies the interface.
  • Page 604: The Legacy Mode Screen

    • If you create a VRRP group for an Ethernet interface that has a VLAN interface configured on it, make sure you create a separate VRRP group for the VLAN interface. This will avoid an IP conflict if the backup ZyWALL takes over for the master.
  • Page 605: Configuring The Legacy Mode Screen

    The Device HA Legacy Mode screen lets you configure general legacy mode HA settings including link monitoring, configure the VRRP group and synchronize backup ZyWALLs. To access this screen, click Device HA > Legacy Mode. Figure 408 Device HA > Legacy Mode
  • Page 606 To edit a VRRP group, click the Edit icon next to the group. The VRRP Group Add/Edit screen appears. To delete a VRRP group, click the Remove icon next to the group. The Web Configurator confirms that you want to delete the VRRP group before doing so. Synchronization
  • Page 607 IP address to the IP address of the virtual router. • You can only enable one VRRP group for each interface. • You can only have one active VRRP group for each virtual router (VR ID).
  • Page 608 This management IP address should be in the same subnet as the interface IP address, or the backup ZyWALL cannot synchronize with the master via this VRRP interface. Subnet Mask Enter the subnet mask of the interface’s management IP address.
  • Page 609 Authentication Types on page 259 for more information about authentication methods. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 610: Device HA Technical Reference

    Figure 411 Example: VRRP, Master Becomes Unavailable 192.168.10.112 ZyWALL B is now using the IP address of the default gateway, and it is forwarding packets for the network. The loss of ZyWALL A has no effect on the network.
  • Page 611 • The master ZyWALL must have at least one active VRRP group and no standby VRRP groups. • The backup ZyWALL cannot be the master in any active VRRP group. This refers to the actual role at the time of synchronization, not the role setting in the VRRP group.
  • Page 612 Chapter 36 Device HA The backup applies the entire configuration if it is different from the backup’s current configuration.
  • Page 613: Objects

    VIII Objects User/Group (615) Addresses (631) Services (637) Schedules (643) AAA Server (649) Authentication Method (661) Certificates (665) ISP Accounts (687) SSL Application (691)
  • Page 615: User/Group

    User Types These are the types of user accounts the ZyWALL uses. Table 181 Types of User Accounts TYPE ABILITIES LOGIN METHOD(S) Admin Users Admin Change ZyWALL configuration (web, CLI) WWW, TELNET, SSH, FTP, Console, Dial-in
  • Page 616 Default user account for AD users (ad-users), LDAP users (ldap-users) or RADIUS users (radius-users) in the ZyWALL. Setting up User Attributes in an External Server on page 630 for a list of attributes and how to set up the attributes in an external server.
  • Page 617 • See Section 5.5.1 on page 100 for related information on these screens. • See Section 37.5 on page 630 for some information on users who use an external authentication server in order to log in.
  • Page 618: User Summary Screen

    37.2.1.1 Rules for User Names Enter a user name from 1 to 31 characters. The user name can only contain the following characters: • Alphanumeric A-z 0-9 (there is no unicode support) • _ [underscores]
  • Page 619 • zyxel To access this screen, go to the User screen (see Section 37.2 on page 618), and click either the Add icon or an Edit icon. Figure 413 User/Group > User > Edit
  • Page 620 Unlike Lease Time, the user has no opportunity to renew the session without logging out. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 621: User Group Summary Screen

    To delete a user group, click the Remove icon next to the user group. The Web Configurator confirms that you want to delete the user group before doing so. If you delete the group, you do not delete the users in the group.
  • Page 622: Group Add/Edit Screen

    The Setting screen controls default settings, login settings, lockout settings, and other user settings for the ZyWALL. You can also use this screen to specify when users must log in to the ZyWALL before it routes traffic for them.
  • Page 623 Timeout Settings They also control the settings for any existing user accounts that are set to use the default settings. You can still manually configure any user account’s authentication timeout settings.
  • Page 624 This field is effective when Enable user idle detection is checked. Type the number of minutes each access user can be logged in and idle before the ZyWALL automatically logs out the access user. User Logon Settings
  • Page 625 This field is a sequential value, and it is not associated with a specific condition. Schedule This field displays the schedule object that specifies when this condition applies. It displays none if this condition always applies.
  • Page 626: Default User Authentication Timeout Settings Edit Screens

    These default authentication timeout settings also control the settings for any existing user accounts that are set to use the default settings. You can still manually configure any user account’s authentication timeout settings.
  • Page 627 Unlike Lease Time, the user has no opportunity to renew the session without logging out. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 628: Force User Authentication Policy Add/Edit Screen

    Chapter 40 on page for details). Select none if this condition always applies. Select this to save your changes and return to the previous screen. Cancel Select this to return to the previous screen without saving any changes.
  • Page 629: User Aware Login Example

    Section 37.4 on page 622.) Access users can select this check box to reset the lease time automatically 30 seconds before it expires. Otherwise, access users have to click the Renew button to reset the lease time.
  • Page 630: User/Group Technical Reference

    Web Configurator, to create the accounts. Extract the user names from the LDAP or RADIUS server, and create a shell script that creates the user accounts. See Chapter 47 on page 751 for more information about shell scripts.
  • Page 631: Addresses

    • HOST - a host address is defined by an IP Address. • RANGE - a range address is defined by a Starting IP Address and an Ending IP Address.
  • Page 632 To edit an address, click the Edit icon next to the address. The Address Add/Edit screen appears. To delete an address, click on the Remove icon next to the address. The Web Configurator confirms that you want to delete the address before doing so.
  • Page 633: Address Add/Edit Screen

    Use dotted decimal format. Interface If you selected INTERFACE IP, INTERFACE SUBNET, or INTERFACE GATEWAY as the Address Type, use this field to select the interface of the network that this address object represents.
  • Page 634: Address Group Summary Screen

    To edit an address group, click the Edit icon next to the address group. The Address Group Add/Edit screen appears. To delete an address group, click on the Remove icon next to the address group. The Web Configurator confirms that you want to delete the address group.
  • Page 635: Address Group Add/Edit Screen

    The order of members is not important. To remove members, select them and click the left arrow. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 636 Chapter 38 Addresses
  • Page 637: Services

    Then, the connection is terminated. In contrast, computers use UDP to send short messages to each other. There is no guarantee that the messages arrive in sequence or that the messages arrive at all.
  • Page 638: The Service Summary Screen

    39.2 The Service Summary Screen The Service summary screen provides a summary of all services and their definitions. In addition, this screen allows you to add, edit, and remove services.
  • Page 639 To edit a service, click the Edit icon next to the service. The Service Add/Edit screen appears. To delete a service, click the Remove icon next to the service. The Web Configurator confirms that you want to delete the service before doing
  • Page 640: The Service Add/Edit Screen

    Click Cancel to exit this screen without saving your changes. 39.3 The Service Group Summary Screen The Service Group summary screen provides a summary of all service groups. In addition, this screen allows you to add, edit, and remove service groups.
  • Page 641 To edit a service group, click the Edit icon next to the service group. The Service Group Add/Edit screen appears. To delete a service group, click on the Remove icon next to the service group. The Web Configurator confirms that you want to delete the service group.
  • Page 642: The Service Group Add/Edit Screen

    The order of members is not important. To remove members, select them and click the left arrow. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 643: Schedules

    (Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday). Recurring schedules always begin and end in the same day. Recurring schedules are useful for defining the workday and off-work hours.
  • Page 644: The Schedule Summary Screen

    To edit a schedule, click the Edit icon next to the schedule. The Schedule Add/Edit screen appears. To delete a schedule, click the Remove icon next to the schedule. The Web Configurator confirms that you want to delete the schedule before doing so. Recurring
  • Page 645: The One-Time Schedule Add/Edit Screen

    To access this screen, go to the Schedule screen (see Section 40.2 on page 644), and click either the Add icon or an Edit icon in the One Time section. Figure 431 Object > Schedule > Edit (One Time)
  • Page 646: The Recurring Schedule Add/Edit Screen

    Click Cancel to exit this screen without saving your changes. 40.2.2 The Recurring Schedule Add/Edit Screen The Recurring Schedule Add/Edit screen allows you to define a recurring schedule or edit an existing one. To access this screen, go to the Schedule screen
  • Page 647 Day - disabled Hour - 0 - 23 Minute - 0 - 59 The Hour and Minute fields are both required. To set all day (24 hours), configure the start hour and minute both to 0.
  • Page 648 Weekly Week Days Select each day of the week the recurring schedule is effective. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 649: AAA Server

    The ZyWALL tries to bind (or log in) to the LDAP/AD server. When the binding process is successful, the ZyWALL checks the user information in the directory against the user name and password pair. If it matches, the user is allowed access. Otherwise, access is blocked.
  • Page 650: RADIUS Server Overview

    653) to configure the Active Directory or LDAP default server settings. • Use the Object > AAA Server > RADIUS screen (Section 41.4 on page 656) to configure the default external RADIUS server to use for user authentication.
  • Page 651: What You Need To Know About AAA Servers

    41.2 Active Directory or LDAP Default Server Screen Directory Structure The directory entries are arranged in a hierarchical order much like a tree structure. Normally, the directory structure reflects the geographical or
  • Page 652 The bind DN is used in conjunction with a bind password. When a bind DN is not specified, the ZyWALL will try to log in as an anonymous user. If the bind password is incorrect, the login will fail.
  • Page 653: Configuring Active Directory Or LDAP Default Server Settings

    ZyWALL disconnects from the AD or LDAP server. In this case, user authentication fails. The search timeout occurs when either the user information is not in the AD or LDAP server or the server is down.
  • Page 654: Active Directory Or LDAP Group Summary Screen

    Group Name This field displays the descriptive name for identification purposes. Add icon Click Add to add a new entry. Click Edit to edit the settings of an entry. Click Delete to remove an entry.
  • Page 655: Creating An Active Directory Or LDAP Group

    127 alphanumerical characters. For example, cn=zywallAdmin specifies zywallAdmin as the user name. Password If required, enter the password (up to 15 alphanumerical characters) for the ZyWALL to bind (or log in) to the AD or LDAP server.
  • Page 656: Configuring A Default RADIUS Server

    To configure the default external RADIUS server to use for user authentication, click Object > AAA Server > RADIUS to display the screen as shown. Figure 439 Object > AAA Server > RADIUS > Default
  • Page 657: Configuring A Group Of RADIUS Servers

    Figure 440 Object > AAA Server > RADIUS > Group The following table describes the labels in this screen. Table 206 Object > AAA Server > RADIUS > Group LABEL DESCRIPTION This field displays the index number.
  • Page 658: Adding A RADIUS Server Member

    Enter a password (up to 15 alphanumeric characters) as the key to be shared between the external authentication server and the ZyWALL. The key is not sent over the network. This key must be the same on the external authentication server and the ZyWALL.
  • Page 659 Click Add to add a new RADIUS server. You can add up to four RADIUS member servers. Click Delete to remove a RADIUS server. Click OK to save the changes. Cancel Click Cancel to discard the changes.
  • Page 660 Chapter 41 AAA Server
  • Page 661: Authentication Method

    VPN connection. Refer to the chapter on VPN for more information. Follow the steps below to specify the authentication method for a VPN connection. Access the VPN > IPSec VPN > VPN Gateway > Edit screen.
  • Page 662: Viewing Authentication Method Objects

    Figure 443 Object > Auth. Method The following table describes the labels in this screen. Table 208 Object > Auth. Method LABEL DESCRIPTION This field displays the index number. Method Name This field displays a descriptive name for identification purposes.
  • Page 663: Creating An Authentication Method Object

    ZyWALL does not continue the search on the second authentication server when you enter the username and password that doesn’t match the one on the first authentication server. Note: You can NOT select two server objects of the same type.
  • Page 664 Click Add to add a new entry. Click Edit to edit the settings of an entry. Click Delete to delete an entry. Click OK to save the changes. Cancel Click Cancel to discard the changes.
  • Page 665: Certificates

    Tim wants to send a message to Jenny. He needs her to be sure that it comes from him, and that the message content has not been altered by anyone else along the way. Tim generates a public key pair (one public key and one private key).
  • Page 666 • Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys. Self-signed Certificates You can have the ZyWALL act as a certification authority and sign its own certificates.
  • Page 667: Verifying A Certificate

    MD5 or SHA1 algorithm. The following procedure describes how to check a certificate’s fingerprint to verify that you have the actual certificate. Browse to where you have the certificate saved on your computer.
  • Page 668 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection.
  • Page 669: The My Certificates Screen

    This field displays the date that the certificate becomes applicable. Valid To This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired.
  • Page 670: The My Certificates Add Screen

    43.2.1 The My Certificates Add Screen Click Object > Certificate > My Certificates and then the Add icon to open the My Certificates Add screen. Use this screen to have the ZyWALL create a self-
  • Page 671 You do not have to fill in every field, although the Common Name is mandatory. The certification authority may add fields (such as a serial number) to the subject information when it issues a certificate. It is recommended that each certificate have unique subject information.
  • Page 672 Copy the certification request from the My Certificate Details screen (see Section 43.2.2 on page 675) and then send it to the certification authority.
  • Page 673 CMP enrollment protocol. Just the Key field displays if your certification authority uses the SCEP enrollment protocol. For the reference number, use 0 to 99999999. For the key, use up to 31 of the following characters. a-zA-Z0-9;|`~!@#$%^&*()_+\{}':,./<>=-
  • Page 674 Return and check your information in the My Certificate Create screen. Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the ZyWALL to enroll a certificate online.
  • Page 675: The My Certificates Edit Screen

    Click Object > Certificate > My Certificates and then the Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate’s name. Figure 449 Object > Certificate > My Certificates > Edit
  • Page 676 “none” displays for a certification request. Valid To This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired. “none” displays for a certification request.
  • Page 677 Private Key Type the certificate’s password and click this button. Click Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save.
  • Page 678: The My Certificates Import Screen

    Type in the location of the file you want to upload in this field or click Browse to find it. You cannot import a certificate with the same name as a certificate that is already in the ZyWALL. Browse Click Browse to find the certificate file you want to upload.
  • Page 679: The Trusted Certificates Screen

    With self-signed certificates, this is the same information as in the Subject field. Valid From This field displays the date that the certificate becomes applicable.
  • Page 680: The Trusted Certificates Edit Screen

    Trusted Certificates Edit screen. Use this screen to view in-depth information about the certificate, change the certificate’s name and set whether or not you want the ZyWALL to check a certification authority’s list of
  • Page 681 Chapter 43 Certificates revoked certificates before trusting a certificate issued by the certification authority. Figure 452 Object > Certificate > Trusted Certificates > Edit
  • Page 682 (usually a certification authority). Password Type the password (up to 31 ASCII characters) from the entity maintaining the CRL directory server (usually a certification authority). Certificate Information These read-only fields display detailed information about the certificate.
  • Page 683 This is the certificate’s message digest that the ZyWALL calculated using the MD5 algorithm. You can use this value to verify with the certification authority (over the phone for example) that this is actually their certificate.
  • Page 684: The Trusted Certificates Import Screen

    Trusted Certificates Import screen. Follow the instructions in this screen to save a trusted certificate to the ZyWALL. Note: You must remove any spaces from the certificate’s filename before you can import the certificate. Figure 453 Object > Certificate > Trusted Certificates > Import
  • Page 685: Certificates Technical Reference

    The second is a reduction in network traffic since the ZyWALL only gets information on the certificates that it needs to verify, not a huge list. When the ZyWALL requests certificate status information, the OCSP server returns an “expired”, “current” or “unknown” response.
  • Page 686 Chapter 43 Certificates
  • Page 687: ISP Accounts

    ISP accounts in the ZyWALL. 44.2 ISP Account Summary This screen provides a summary of ISP accounts in the ZyWALL. To access this screen, click Object > ISP Account. Figure 454 Object > ISP Account
  • Page 688: ISP Account Edit

    To open this window, open the ISP Account screen. (See Section 44.2 on page 687.) Then, click on an Add icon or Edit icon to open the ISP Account Edit screen below. Figure 455 Object > ISP Account > Edit
  • Page 689 If this ISP account uses the PPPoE protocol, type the PPPoE service name to access. PPPoE uses the specified service name to identify and reach the PPPoE server. This field can be blank. If this ISP account uses the PPTP protocol, this field is not displayed.
  • Page 690 ISP Account Edit screen. Cancel Click Cancel to return to the ISP Account screen without creating the profile (if it is new) or saving any changes to the profile (if it already exists).
  • Page 691: SSL Application

    You can configure the following types of SSL applications on the ZyWALL. • Web-based A web-based application allows remote users to access an intranet site using standard web browsers. • File sharing Configure file sharing to allow users to access files on the intranet.
  • Page 692: Example: Specifying A Web Site For Access

    This example shows you how to create a web-based application for an internal web site. The address of the web site is http://info with web page encryption. Click Object > SSL Application in the navigation panel.
  • Page 693: The SSL Application Screen

    Figure 457 Example: SSL Application: Specifying a Web Site for Access 45.2 The SSL Application Screen The main SSL Application screen displays a list of the configured SSL application objects. Click Object > SSL Application in the navigation panel. Figure 458 Object > SSL Application
  • Page 694: Creating/Editing A Web-Based SSL Application Object

    Figure 459 Object > SSL Application > Add/Edit: Web Application The following table describes the labels in this screen. Table 220 Object > SSL Application > Add/Edit: Web Application LABEL DESCRIPTION Object Type Select Web Application from the drop-down list box.
  • Page 695 Program Path This field displays if the Server Type is set to RDP. You can specify an application to open when a remote user logs into the remote desktop application. Web Page Encryption Select this option to prevent users from saving the web content.
  • Page 696: Creating/Editing A File Sharing SSL Application Object

    Select File Sharing to create a file share application for VPN SSL. File Sharing Name Enter a descriptive name to identify this object. You can enter up to 31 characters (“0-9”, “a-z”, “A-Z”, “-” and “_”). Spaces are not allowed.
  • Page 697 Click Preview to display the file share in a new web browser. Click Ok to save the changes and return to the main SSL Application Configuration screen. Cancel Click Cancel to discard the changes and return to the main SSL Application Configuration screen.
  • Page 698 Chapter 45 SSL Application
  • Page 699: System

    System System (701)
  • Page 701: System

    SNMP screen (see Section 46.10 on page 740) to configure SNMP settings, including from which zones SNMP can be used to access the ZyWALL. You can also specify from which IP addresses the access can come. ZyWALL USG 2000 User’s Guide...
  • Page 702: Host Name

    Click Reset to begin configuring this screen afresh. 46.3 Date and Time For effective scheduling and logging, the ZyWALL system time must be accurate. The ZyWALL’s Real Time Chip (RTC) keeps track of the time and date. There is ZyWALL USG 2000 User’s Guide...
  • Page 703 This field displays the last updated time from the time server or the mm-ss) last time configured manually. When you set Time and Date Setup to Manual, enter the new time in this field and then click Apply. ZyWALL USG 2000 User’s Guide...
  • Page 704 European Union you would select Last, Sunday, March. The time you type in the at field depends on your time zone. In Germany for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1). ZyWALL USG 2000 User’s Guide...
  • Page 705: Pre-Defined NTP Time Servers List

    If the synchronization fails, then the ZyWALL goes through the rest of the list in order from the first one tried until either it is successful or all the pre-defined NTP time servers have been tried.
  • Page 706: Time Server Synchronization

    Select Get from Time Server under Time and Date Setup. Under Time Zone Setup, select your Time Zone from the list. As an option you can select the Enable Daylight Saving check box to adjust the ZyWALL clock for daylight savings.
  • Page 707: Console Port Speed

    IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. 46.5.1 DNS Server Address Assignment The ZyWALL can get the DNS server addresses in the following ways.
  • Page 708: Configuring the DNS Screen

    “tw” is the top level domain. This is the index number of the address/PTR record. FQDN This is a host’s fully qualified domain name. IP Address This is the IP address of a host.
  • Page 709 An MX (Mail eXchange) record identifies a mail server that handles the mail for a particular domain. (My FQDN) This is the index number of the MX record. Domain Name This is the domain name where the mail is destined for.
  • Page 710: Address Record

    “www” is the host, “zyxel” is the second-level domain, and “com” is the top level domain. mail.myZyXEL.com.tw is also a FQDN, where “mail” is the host, “myZyXEL” is the
  • Page 711: PTR Record

    A domain zone forwarder contains a DNS server’s IP address. The ZyWALL can query the DNS server to resolve domain zones for features like VPN, DDNS and the time server. A domain zone is a fully qualified domain name without the host.
  • Page 712: Adding A Domain Zone Forwarder

    ZyWALL connects through a VPN tunnel. Enter the DNS server's IP address in the field to the right. You cannot use 0.0.0.0. Click OK to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving
  • Page 713: MX Record

    Click Cancel to exit this screen without saving 46.5.10 Adding a DNS Service Control Rule Click the Add icon in the Service Control table to add a service control rule. Figure 469 System > DNS > Service Control Rule Add
  • Page 714: WWW Overview

    Note: To allow the ZyWALL to be accessed from a specified computer using a service, make sure you do not have a service control rule or to-ZyWALL firewall rule to block that traffic. • See To-ZyWALL Rules on page 310 for more on To-ZyWALL firewall rules.
  • Page 715: Service Access Limitations

    (one party can identify the other party) and data integrity (you know if data has been changed). It relies upon certificates, public keys, and private keys (see Chapter 43 on page for more information).
  • Page 716: Configuring WWW Service Control

    Click System > WWW to open the WWW screen. Use this screen to specify from which zones you can access the ZyWALL using HTTP or HTTPS. You can also specify which IP addresses the access can come from.
  • Page 717 To do that the SSL client must have a CA-signed certificate from a CA that has been imported as a trusted CA on the ZyWALL (see Section 46.6.7.5 on page 727 on importing certificates for details).
  • Page 718 ZyWALL Web Configurator using HTTP connections. Server Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service to access the ZyWALL.
  • Page 719 Select a method the HTTPS or HTTP server uses to authenticate a client. Authentication You must have configured the authentication methods in the Auth. Method method screen. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 720: Service Control Rules

    Click System > WWW > Login Page to open the Login Page screen. Use this screen to customize the Web Configurator login screen. You can also customize the page that displays after an access user logs into the Web Configurator to
  • Page 721 Chapter 46 System access network services like the Internet. See Chapter 37 on page 615 for more on access user accounts. Figure 474 System > WWW > Login Page
  • Page 722 • Enter a pound sign (#) followed by the six-digit hexadecimal number that represents the desired color. For example, use “#000000” for black. • Enter “rgb” followed by red, green, and blue values in parentheses, separated by commas. For example, use “rgb(0,0,0)” for black.
  • Page 723 To use a color, select Color and specify the color. Customized Access Page: Use this section to customize the page that displays after an access user logs into the Web Configurator to access network services like the Internet.
  • Page 724: HTTPS Example

    When you attempt to access the ZyWALL HTTPS server, a Windows dialog box pops up asking if you trust the server certificate. Click View Certificate if you want to verify that the certificate is from the ZyWALL.
  • Page 725: Netscape Navigator Warning Messages

    Unknown Authority screen pops up asking if you trust the server certificate. Click Examine Certificate if you want to verify that the certificate is from the ZyWALL. If Accept this certificate temporarily for this session is selected, then click OK to continue in Netscape.
  • Page 726: Avoiding Browser Warning Messages

    • To have the browser trust the certificates issued by a certificate authority, import the certificate authority’s certificate into your operating system as a trusted certificate. Refer to Appendix D on page 885 for details.
  • Page 727: Login Screen

    ZyWALL (see the ZyWALL’s Trusted CA Web Configurator screen). Figure 481 ZyWALL Trusted CA Screen The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s).
  • Page 728 You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next
  • Page 729 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 484 Personal Certificate Import Wizard 2
  • Page 730 Figure 485 Personal Certificate Import Wizard 3 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location. Figure 486 Personal Certificate Import Wizard 4
  • Page 731: Using a Certificate When Accessing the ZyWALL Example

    46.6.7.6 Using a Certificate When Accessing the ZyWALL Example Use the following procedure to access the ZyWALL via HTTPS. Enter ‘https://ZyWALL IP Address/’ in your browser’s web address field. Figure 489 Access the ZyWALL Via HTTPS
  • Page 732: SSH

    Specify which zones allow SSH access and from which IP address the access can come. SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an
  • Page 733: How SSH Works

    The client automatically saves any new server public keys. In subsequent connections, the server public key is checked against the saved version on the client computer.
  • Page 734: SSH Implementation on the ZyWALL

    SSH can be used to manage the ZyWALL. You can also specify from which IP addresses the access can come. Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections. Figure 494 System > SSH
  • Page 735: Secure Telnet Using SSH Examples

    This section shows two examples using a command interface and a graphical interface SSH client program to remotely access the ZyWALL. The configuration and connection steps are similar for most SSH client programs. Refer to your SSH client program user’s guide.
  • Page 736 192.168.1.1). A message displays indicating the SSH protocol version supported by the ZyWALL. Figure 496 SSH Example 2: Test $ telnet 192.168.1.1 22 Trying 192.168.1.1... Connected to 192.168.1.1. Escape character is '^]'. SSH-1.5-1.0.0
  • Page 737: Telnet

    Click System > TELNET to configure your ZyWALL for remote Telnet access. Use this screen to specify from which zones Telnet can be used to manage the ZyWALL. You can also specify from which IP addresses the access can come. Figure 498 System > Telnet
  • Page 738: FTP

    You can upload and download the ZyWALL’s firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. Please see Chapter 47 on page 751 for more information about firmware and configuration files.
  • Page 739: Configuring FTP

    This is the zone on the ZyWALL the user is allowed or denied to access. Address This is the object name of the IP address(es) with which the computer is allowed or denied to access.
  • Page 740: SNMP

    Simple Network Management Protocol is a protocol used for exchanging management information between network devices. Your ZyWALL supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyWALL through the network. The ZyWALL supports SNMP version one (SNMPv1)
  • Page 741 SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations: • Get - Allows the manager to retrieve an object variable from the agent.
  • Page 742: Supported MIBs

    This trap is sent when an SNMP request comes from non-authenticated hosts. 46.10.3 Configuring SNMP To change your ZyWALL’s SNMP settings, click System > SNMP tab. The screen appears as shown. Use this screen to configure your SNMP settings, including
  • Page 743 This is the zone on the ZyWALL the user is allowed or denied to access. Address This is the object name of the IP address(es) with which the computer is allowed or denied to access.
  • Page 744: Dial-In Management

    WAN device to hang up, in addition to issuing the drop command ATH. Response Strings The response strings tell the ZyWALL the tags, or labels, immediately preceding the various call parameters sent from the serial modem. The response strings
  • Page 745: Configuring Dial-In Mgmt

    Note: Consult the manual of your external serial modem connected to your ZyWALL’s auxiliary port for specific AT commands. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 746: Vantage CNM

    If the Vantage CNM server is behind a firewall, you may have to create a rule on the firewall to allow UDP port 11864 traffic through to the Vantage CNM server (most (new) ZyXEL firewalls automatically allow this).
  • Page 747: Language Screen

    Click Reset to begin configuring this screen afresh. 46.13 Language Screen Click System > Language to open the following screen. Use this screen to select a display language for the ZyWALL’s Web Configurator screens. Figure 504 System > Language
  • Page 748 You also need to open a new browser session to display the screens in the new language. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 749: Maintenance, Troubleshooting, & Specifications

    Maintenance, Troubleshooting, & Specifications File Manager (751) Logs (763) Reports (777) Diagnostics (795) Reboot (797) Troubleshooting (799) Product Specifications (805)
  • Page 751: File Manager

    When you apply a configuration file, the ZyWALL uses the factory default settings for any features that the configuration file does not include. When you run a shell script, the ZyWALL only applies the commands that it contains. Other settings do not change.
  • Page 752: Comments In Configuration Files Or Shell Scripts

    Comments in Configuration Files or Shell Scripts In a configuration file or shell script, use “#” or “!” as the first character of a command line to have the ZyWALL treat the line as a comment.
  • Page 753 The ZyWALL ignores any errors in the configuration file or shell script and applies all of the valid commands. The ZyWALL still generates a log for any errors.
  • Page 754: The Configuration File Screen

    If there isn’t a lastgood.conf configuration file or it also has an error, the ZyWALL applies the system-default.conf configuration file.
  • Page 755 The ZyWALL still generates a log for any errors. Figure 506 Maintenance > File Manager > Configuration File Do not turn off the ZyWALL while configuration file upload is in progress.
  • Page 756 Specify the new name for the configuration file. Use up to 25 characters (including a-zA-Z0-9;‘~!@#$%^&()_+[]{}’,.=-). Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file.
  • Page 757 If you upload startup-config.conf, it will replace the current configuration and immediately apply the new settings. File Path Type in the location of the file you want to upload in this field or click Browse ... to find it.
  • Page 758: The Firmware Package Screen

    ZyWALL with the option enabled, so you only need to clear the Destroy compressed files that could not be decompressed option while you download the firmware package. See Section 30.2.1 on page 477 for more on the anti-virus Destroy compressed files that could not be decompressed option.
  • Page 759 Click Upload to begin the upload process. This process may take up to two minutes. After you see the Firmware Upload in Process screen, wait two minutes before logging into the ZyWALL again. Figure 510 Firmware Upload In Process Note: The ZyWALL automatically reboots after a successful upload.
  • Page 760: The Shell Script Screen

    If you do not use the write command, the changes will be lost when the ZyWALL restarts. You could use multiple write commands in a long script. Figure 513 Maintenance > File Manager > Shell Script
  • Page 761 Click a shell script file’s row to select it and click Run to have the ZyWALL use that shell script file. You may need to wait a while for the ZyWALL to finish applying the commands. This column displays the number for each shell script file entry.
  • Page 762 Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse... Click Browse... to find the .zysh file you want to upload. Upload Click Upload to begin the upload process. This process may take up to several minutes.
  • Page 763: Logs

    (for example, firewall or user). You can also look at the debugging log by selecting Debug Log. All debugging messages have the same priority. To access this screen, click Maintenance > View Log. The log is displayed in the following screen.
  • Page 764 Click this button to clear the whole log, regardless of what is currently displayed on the screen. Display Select the log message(s) you want to view. You can also view All Logs at one time, or you can view the Debug Log.
  • Page 765 Type a page number to go to or use the arrows to navigate to the pages of entries. This field is a sequential value, and it is not associated with a specific log message.
  • Page 766: Log Setting Screens

    Alternatively, if you want to edit which events are included in each log, you can also use the Active Log Summary screen to edit this information for all logs at the same time.
  • Page 767: Log Setting Summary

    To activate or deactivate a log, click the Active icon. Make sure you click Apply to save and apply the change. To edit the settings, click the Edit icon next to the associated log. The Log Settings Edit screen appears.
  • Page 768: Edit System Log Settings

    48.4.2 Edit System Log Settings The Log Settings Edit screen controls the detailed settings for each log in the system log (which includes the e-mail profiles). Go to the Log Settings
  • Page 769 Chapter 48 Logs Summary screen (see Section 48.4.1 on page 767), and click the system log Edit icon. Figure 519 Maintenance > Log > Log Setting > Edit (System Log)
  • Page 770 Log Category This field displays each category of messages. It is the same value used in the Display and Category fields in the View Log tab. The Default category includes debugging messages generated by open source software.
  • Page 771 Message field. Click this to save your changes and return to the previous screen. Cancel Click this to return to the previous screen without saving your changes.
  • Page 772: Edit Remote Server Log Settings

    (syslog). Go to the Log Settings Summary screen (see Section 48.4.1 on page 767), and click a remote server Edit icon. Figure 520 Maintenance > Log > Log Setting > Edit (Remote Server)
  • Page 773: Active Log Summary Screen

    It does not let you change other log settings (for example, where and how often log information is e-mailed or remote server names). To access this screen,
  • Page 774 This screen provides a different view and a different way of indicating which messages are included in each log and each alert. Please see Section 48.4.2 on page 768, where this process is discussed. (The Default category includes debugging messages generated by open source software.)
  • Page 775 If you check one of the check boxes for All Logs, it affects the settings for every category. Click this to save your changes and return to the previous screen. Cancel Click this to return to the previous screen without saving your changes.
  • Page 776 Chapter 48 Logs
  • Page 777: Reports

    • Most-visited Web sites and the number of times each one was visited. This count may not be accurate in some cases because the ZyWALL counts HTTP GET packets. Please see Table 251 on page 778 for more information.
  • Page 778 Web Site Hits - displays the most-visited Web sites and how many times each one has been visited. Each type of report has different information in the report (below). Refresh Click this button to update the report display.
  • Page 779 Table 252 on page 780. These fields are available when the Traffic Type is Web Site Hits. This field is the rank of each record. The domain names are sorted by the number of hits.
  • Page 780: The Session Monitor Screen

    You can look at all the active sessions by user, service, source IP address, or destination IP address. You can also filter the information by user, protocol / service or service group, source address, and/or destination address and view it by user.
  • Page 781 Search This button displays when View is set to all sessions. Click this button to update the information on the screen using the filter criteria in the User, Service, Source Address, and Destination Address fields.
  • Page 782 This field displays the length of the active session in seconds. Count This field displays the number of active sessions for each user, service, or IP address. This field does not display when you are viewing all sessions (since each session is displayed individually).
  • Page 783: The Anti-Virus Report Screen

    Select Destination to list the most common destination IP addresses for virus-infected files that ZyWALL has detected. This field displays the entry’s rank in the list of the top entries.
  • Page 784 The statistics display as follows when you display the top entries by source. Figure 525 Maintenance > Report > Anti-Virus: Source The statistics display as follows when you display the top entries by destination. Figure 526 Maintenance > Report > Anti-Virus: Destination
  • Page 785: The IDP Report Screen

    This field displays the number of packets that the ZyWALL has dropped. The ZyWALL can detect and drop malicious packets from network traffic. Total Packet Reset: This field displays the number of packets that the ZyWALL has reset.
  • Page 786 This field displays the sum of the occurrences of the events in the entries. The statistics display as follows when you display the top entries by source. Figure 528 Maintenance > Report > IDP: Source
  • Page 787: The Content Filter Report Screen

    Figure 529 Maintenance > Report > IDP: Destination 49.6 The Content Filter Report Screen Click Maintenance > Report > Content Filter to display the following screen. This screen displays content filter statistics. Figure 530 Maintenance > Report > Content Filter
  • Page 788 This is the number of web pages to which the ZyWALL allowed access. Passed Unsafe Web Pages: This is the number of requested web pages that the ZyWALL’s content filtering service identified as posing a threat to users.
  • Page 789: The Anti-Spam Report Screen

    All of the statistics are erased if you restart the ZyWALL or click Flush Data. Collecting starts over and a new collection start time displays. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 790 This field displays the entry’s rank in the list of the top entries. Sender IP This column displays when you display the entries by Sender IP. It shows the source IP address of spam e-mails that the ZyWALL has detected.
  • Page 791 ZyWALL has detected the most spam. Occurrence This field displays how many spam e-mails the ZyWALL detected from the sender. Total This field displays the sum of the occurrences of the events in the entries.
  • Page 792: The Email Daily Report Screen

    Table 258 Maintenance > Report > Email Daily Report LABEL DESCRIPTION Enable Email Daily Report: Select this to send reports by e-mail every day. Mail Server: Type the name or IP address of the outgoing SMTP server.
  • Page 793 Click this to discard all report data and start all of the counters over at Counters zero. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 794 Chapter 49 Reports
  • Page 795: Diagnostics

    This is the size of the most recently created diagnostic file. Collect Now Click this to have the ZyWALL create a new diagnostic file. Download Click this to save the most recent diagnostic file to a computer.
  • Page 796 Chapter 50 Diagnostics
  • Page 797: Reboot

    Click the Reboot button to restart the ZyWALL. Wait a few minutes until the login screen appears. If the login screen does not appear, type the IP address of the device in your Web browser. You can also use the CLI command reboot to restart the ZyWALL.
  • Page 798 Chapter 51 Reboot
  • Page 799: Troubleshooting

    Chapter 12 on page 235. • Make sure the To-ZyWALL firewall rules allow IPSec VPN traffic to the ZyWALL. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50.
  • Page 800 The VPN wizard automatically creates a corresponding policy route. If you use the VPN > IPSec VPN or VPN > L2TP VPN screens to set up a VPN tunnel, you need to manually configure a policy route for the VPN tunnel.
  • Page 801: Resetting the ZyWALL

    Note: This procedure removes the current configuration. If you want to reboot the device without changing the current configuration, see Chapter 51 on page 797. Make sure the SYS LED is on and not blinking.
  • Page 802: Changing A Power Module

    Disconnect the power cord from the power outlet. Disconnect the power cord from the ZyWALL’s power module. Use a Phillips screwdriver to remove the power module’s retaining screw. Figure 535 Removing the Power Module Retaining Screw
  • Page 803 Use the handle to slide out the power module and remove it. Figure 536 Removing the Power Module Install the new ZyWALL power module. Figure 537 Installing the Replacement Power Module Tighten the power module’s retaining screw. Figure 538 Replacing the Power Module Retaining Screw
  • Page 804: Getting More Troubleshooting Help

    Reconnect the power cord to the power outlet. 10 Push the ZyWALL power module switch to the on position. 52.3 Getting More Troubleshooting Help Search for support information for your model at www.zyxel.com for more troubleshooting suggestions.
  • Page 805: Product Specifications

    The RJ-45 connectors support auto-negotiation and auto-MDI/MDIX (auto-crossover). Compatible SFP Transceivers: SFP-SX (Multi-mode, distance: 550m, wavelength: 850nm); SFP-LX-10 (Single-mode, distance: 10Km, wavelength: 1,310nm); SFP-LHX1310-40 (Single-mode, distance: 40Km, wavelength: 1,310nm); SFP-ZX-80 (Single-mode, distance: 80Km, wavelength: 1,550nm). Management interface: RS-232, DB9F connector
  • Page 806 This table gives details about the ZyWALL’s features. Table 262 Feature Specifications VERSION # V2.10 V2.11, V2.12 FEATURE # of MAC Flash Size DRAM Size 2048 2048 INTERFACE VLAN Virtual (alias) 4 per interface 4 per interface Bridge ROUTING
  • Page 807 Address Objects 10,000 10,000 Address Groups 2,000 2,000 Service Objects 10,000 10,000 Service Groups 2,000 2,000 Schedule Objects 1024 1024 ISP Accounts Maximum Number of LDAP Groups Maximum Number of LDAP Servers for Each LDAP Group
  • Page 808 Maximum Number of DDNS Profiles DHCP Relay 2 per interface 2 per interface CENTRALIZED LOG Log Entries 1024 1024 Debug Log Entries 1024 1024 Admin E-mail Addresses Syslog Servers Maximum Number of IDP Profiles Custom Signatures
  • Page 809 Maximum Number of Anti-Spam Statistics Maximum Anti-Spam Statistics Ranking ANTI-VIRUS Maximum Number of Concurrent 200 ZIP files 200 ZIP files ZIP File Decompression Sessions 32 RAR-LZSS or 32 RAR-LZSS or 4 RAR-PPM 4 RAR-PPM SSL VPN
  • Page 810 RFCs 959, 2228, 2389, 2865, 2138, 2640 Used by Centralized log RFC 3164 Login, new PAM module OSF-RFC 86.0, 1321 Built-in service, NTP client RFCs 958, 1059, 1119, 1305 Used by SSH service RFCs 4250, 4251, 4252, 4253, 4254
  • Page 811: PCMCIA Card Installation

    IP/IPv4 RFC 791 RFC 793 53.1 3G PCMCIA Card Installation Only insert a compatible 3G card. Slide the connector end of the card into the slot. Note: Do not force, bend or twist the card.
  • Page 812 Chapter 53 Product Specifications
  • Page 813: Appendices And Index

    Appendices and Index Common Services (875) Displaying Anti-Virus Alert Messages in Windows (879) Importing Certificates (885) Open Software Announcements (911) Legal Information (957) Customer Support (899) Index (961)
  • Page 815: Appendix A Log Descriptions

    %s: website host. The device allowed access to a web site. The content filtering service is unregistered and the default policy is not set to block. Message: %s: Service is not registered. %s: website host
  • Page 816 The web site contains a Java applet and access was blocked according to a profile. Message: %s: Contains Java applet. %s: website host. The web site contains a cookie and access was blocked according to a profile. Message: %s: Contains cookie. %s: website host
  • Page 817 The anti-spam white list rule with the specified index number (%d) has been turned on. Message: White List rule %d has been activated. The anti-spam white list rule with the specified index number (%d) has been turned off. Message: White List rule %d has been deactivated.
  • Page 818 %s) and Subject (second %s) header values are listed. Message: From:%s Subject:%s. The number of concurrent e-mail sessions has exceeded the maximum number of concurrent e-mail sessions that the anti-spam feature can handle (%d). Message: Mail sessions have reached the maximum threshold of %d.
  • Page 819 The listed address object (first %s) is not the right kind for the second WINS server specified in the listed SSL VPN policy (second %s). Message: The %s address-object is wrong type for '2nd-wins' in SSL Policy %s.
  • Page 820 position (%d) in the list of SSL VPN policies. Message: SSL VPN policy rule %s has been moved to %d. The listed SSL VPN policy has been removed. Message: SSL VPN policy rule %s has been deleted.
  • Page 821 The listed user (%s) failed to log into SSL VPN because of entering an incorrect password or a user name that does not exist. Message: Failed login attempt to SSLVPN from %s (incorrect password or inexistent username)
  • Page 822 L2TP over IPSec may not work because the configuration of the IPSec VPN connection it uses (Crypto Map %s) has been changed. Message: L2TP over IPSec sessions have been all disconnected since configuration of Tunnel %s has been changed
  • Page 823 Can't append entry: %s! (1st: zysh entry name). Can't set entry: %s! (1st: zysh entry name). Can't define entry: %s! (1st: zysh entry name). %s: list is full! (1st: zysh list name). Can't undefine %s (1st: zysh list name)
  • Page 824 Unable to move entry #%d! (1st: zysh entry num). %s: apply failed at initial stage! (1st: zysh table name). %s: apply failed at main stage! (1st: zysh table name). %s: apply failed at closing stage! (1st: zysh table name)
  • Page 825 The ZyWALL’s ADP feature detected traffic with the same IP address set as both the source and the destination. Message: LAND attack packet. Source IP is the same as Destination IP.
  • Page 826 A file matched a file pattern in the anti-virus black list. Message: %s, %s matched the Black-List %s. 1st %s: The protocol of the packet. 2nd %s: The filename of the related file. 3rd %s: The file pattern that the file matched.
  • Page 827 (2nd %d). Message: ... been moved to %d. All of the anti-virus rules have been deleted. Message: Anti-Virus rules have been flushed. The anti-virus rule of the specified number has been deleted. Message: Anti-Virus rule %d has been deleted.
  • Page 828 2nd %s: The filename of the related file. 3rd %s: Whether the file was deleted (DESTROY) or forwarded (PASS). Updating of the signature file information failed due to an internal error. Message: Update signature info has failed.
  • Page 829 Too many failed login attempts were made from an IP address so the ZyWALL is blocking login attempts from that IP address. Message: Address %u.%u.%u.%u has been put into lockout state. %u.%u.%u.%u: the source address of the user’s login attempt
  • Page 830 Device registration failed; an error message returned by the MyZyXEL.com server will be appended to this log. Message: Device registration has failed:%s. %s: error message returned by the myZyXEL.com server. The device registered successfully with the myZyXEL.com server. Message: Device registration has succeeded.
  • Page 831 The device could not connect to the MyZyXEL.com server. Message: Connect to MyZyXEL.com server has failed. The device started to check whether or not the user name is in MyZyXEL.com's database. Message: Do account check.
  • Page 832 File download to the update server again. after %d seconds. The device already has the latest version of the file so no Device has latest update is needed. file. No need to update. ZyWALL USG 2000 User’s Guide...
  • Page 833 Some information was missing in the packets that the device Build query message sent to the server. has failed. The device could not process an HTTPS connection because it Verify server's could not verify the server's certificate. certificate has failed. ZyWALL USG 2000 User’s Guide...
  • Page 834 Load trusted root the device can verify a server's certificate. This log displays if certificates has the device failed to load it. failed. Verification of a server’s certificate failed because it has Certificate has expired. expired. ZyWALL USG 2000 User’s Guide...
  • Page 835 The device turned off the use of the IDP signature file. Disable IDP succeeded. The device failed to turn on the IDP engine. Enable IDP engine failed. The device failed to turn off the IDP engine. Disable IDP engine failed. ZyWALL USG 2000 User’s Guide...
  • Page 836 (second num), and the number of the custom signature is <num. Adding custom (third num) that was not added display. signature number is <num>. The device failed to get the custom IDP signature number. Get custom signature number error. ZyWALL USG 2000 User’s Guide...
  • Page 837 The setting for IDP Out of memory. IDP activation has not changed. activation unchanged. Activation of the IDP system-protect function failed due to System-protect error. an internal system error. Create IDP proc failed. IDP activation failed. ZyWALL USG 2000 User’s Guide...
  • Page 838 Checking for duplicated signature IDs failed. There was an Check duplicate sid error while allocating memory. failed. Allocate memory error. Checking for duplicated signature IDs failed. Opening a Check duplicate sid temporary file failed. failed. Open file error. ZyWALL USG 2000 User’s Guide...
  • Page 839 An application patrol rule has been modified. 1st %s: Rule %s:%s has been Protocol Name, 2nd: Rule Index. modified Application patrol was turned on. App. Patrol has been activated. Application patrol was turned off. App. Patrol has been deactivated. ZyWALL USG 2000 User’s Guide...
  • Page 840 The device failed to get the application patrol protocol list. System fatal error: 60011002. The device failed to initiate XML. System fatal error: 60011003. The device failed to turn application patrol off while the System fatal error: system was initiating. 60011004. ZyWALL USG 2000 User’s Guide...
  • Page 841 [SA] : Tunnel [%s] authentication method did not match. Phase 1 authentication method mismatch %s is the tunnel name. When negotiating Phase-1, the [SA] : Tunnel [%s] encryption algorithm did not match. Phase 1 encryption algorithm mismatch ZyWALL USG 2000 User’s Guide...
  • Page 842 %s is the tunnel name. The tunnel is a dynamic tunnel and Could not dial dynamic the device cannot dial it. tunnel "%s" %s is the tunnel name. The tunnel setting is not complete. Could not dial incomplete tunnel "%s" ZyWALL USG 2000 User’s Guide...
  • Page 843 %s is the tunnel name. When IKE request is already sent but Tunnel [%s] IKE still attempting to dial a tunnel. Negotiation is in process %s is the gateway name. An administrator disabled the VPN VPN gateway %s was gateway. disabled ZyWALL USG 2000 User’s Guide...
  • Page 844 An outgoing packet needed to be transformed but was longer Encapsulated packet than 65535. too big with length When performing inbound processing for incoming IPSEC Get inbound transform packets and ICMPs related to them, the engine cannot obtain fail the transform context. ZyWALL USG 2000 User’s Guide...
  • Page 845 %d is the global index of rule Firewall rule %d has been deleted. Firewall rules were flushed Firewall rules have been flushed. %d is the global index of rule, %s is appended/inserted/ Firewall rule %d was modified ZyWALL USG 2000 User’s Guide...
  • Page 846 "To send message to policy route daemon failed!": Failed to send a control message to the policy routing manager. "The policy route %d allocates memory fail!": Allocating a policy routing rule failed: insufficient memory. %d: the policy route rule number.
  • Page 847 "%s %u.%u.%u.%u": %u.%u.%u.%u is the IP address; %s is HTTP/HTTPS/SSH/SNMP/FTP/TELNET. "HTTPS certificate:%s does not exist. HTTPS service will not work.": An administrator assigned a nonexistent certificate to HTTPS. %s is the certificate name assigned by the user.
  • Page 848 "SNMP port has been changed to default port.": An administrator changed the port number for SNMP back to the default (161). "Console baud has been changed to %s.": An administrator changed the console port baud rate. %s is the baud rate assigned by the user.
  • Page 849 "DNS access control rule %u has been modified": An administrator modified rule %u. "DNS access control rule %u has been deleted.": An administrator removed rule %u. %u is the rule number.
  • Page 850 "Access control rule %u of %s was inserted.": An access control rule was inserted successfully. %u is the index of the access control rule. %s is HTTP/HTTPS/SSH/SNMP/FTP/TELNET.
  • Page 851 "Memory usage drops below the threshold of %d%%: mem-threshold-min." "%s file system drops below the threshold of %d%%: disk-threshold-min": when local storage usage drops below threshold-min; %s: partition_name. "DHCP Server executed with cautious mode enabled": DHCP Server executed with cautious mode enabled.
  • Page 852 "NTP update successful, current time is %s": The device successfully synchronized with an NTP time server. %s is the date and time. "NTP update failed": The device was not able to synchronize with the NTP time server.
  • Page 853 "Update the profile %s has failed because of dyndns internal error": Updating the profile failed because of a DynDNS internal error. %s is the profile name.
  • Page 854 "... WAN interface was empty." "Update the profile %s has failed because ping-check of WAN interface has failed.": The DDNS profile cannot be updated because the ping-check for the WAN interface failed. %s is the profile name.
  • Page 855 "- Server did not respond." "Collect Diagnostic Infomation has succeeded.": The diagnostics scripts were executed successfully. "Port %d is up!!": The specified port has its link up. "Port %d is down!!": The specified port has its link down.
  • Page 856 "Can't get NETMASK address of %s interface": The connectivity check process can't get the netmask address of the interface. "Can't get BROADCAST address of %s interface": The connectivity check process can't get the broadcast address of the interface. %s: interface name.
  • Page 857 "Master configuration is the same with Backup. Skip updating": The System Startup configuration file synchronized from the Master is the same as the one in the Backup, so the configuration does not have to be updated.
  • Page 858 "... syncing %s since %s is unlicensed or license expired.": 1st %s: the object to be synchronized from the Master, 2nd %s: the feature name for the object to be synchronized, 3rd %s: ...
  • Page 859 "%s for %s due to transmission timeout." "VRRP interface %s has been shutdown.": %s is the name of the VRRP interface. "VRRP interface %s has been brought up.": %s is the name of the VRRP interface.
  • Page 860 "... interface %s has been changed to BiDir." (%s: interface name). "RIP authentication has benn disabled.": RIP text or md5 authentication has been disabled. "RIP text authentication key has been deleted.": RIP text authentication key has been deleted.
  • Page 861 "... link %d md5 authentication of area" (%s: Virtual-Link). "Invalid OSPF virtual-link %s text authentication of area": Virtual-link %s text authentication has been set without setting the text authentication key first. %s: Virtual-Link ID.
  • Page 862 SIP ALG has been modified. Default SIP ALG port has been changed. Signal port of SIP ALG has been modified. "Register SIP ALG extra port=%d failed.": SIP ALG failed to apply the additional signal port. %d: port number.
  • Page 863 "CMP enrollment "%s" failed, CA "%s", URL "%s"": The device was unable to use CMP to enroll a certificate. 1st %s is the request name, 2nd %s is the CA name, 3rd %s is the ...
  • Page 864 "Export certificate "%s" from "Trusted Certificate" failed": ... from Trusted Certificates. %s is the certificate request name. "Export X509 certificate "%s" from "My Certificate" successfully": The device exported an X.509 format certificate from My Certificates. %s is the certificate request name.
  • Page 865 CRL failure reasons: CRL was not found (anywhere). CRL was not added to the cache. CRL decoding failed. CRL is not currently valid, but in the future. CRL contains duplicate serial numbers. Time interval is not continuous. Time information not available.
  • Page 866 "... is disabled now.": 1st %s is the interface name, 2nd %s is the interface. "Interface %s has been changed.": An administrator changed an interface’s configuration. %s: interface name. "Interface %s has been added.": An administrator added a new interface. %s: interface name.
  • Page 867 "Interface %s connect failed: MS-CHAPv2 mutual authentication failed.": MS-CHAPv2 authentication failed (the server must support MS-CHAPv2 and verify that the authentication failed; this does not include cases where the server does not support MS-CHAPv2). %s: interface name.
  • Page 868 "... %s. Please try to remove then insert the device." "PIN code is required for inteface cellular%d. Please check the PIN code setting.": The PIN code configured for the listed cellular interface (%d) is incorrect or missing.
  • Page 869 "... %s, but current inserted device is %s." "Cellular device [%s %s] has been inserted into %s.": The cellular device (identified by its manufacturer and model) has been inserted in or connected to the specified slot.
  • Page 870 ... the interface is a DHCP client and has more than one member in its group; in this case the DHCP client will renew. %s: interface name. "Port Grouping %s has been changed.": An administrator configured port-grouping. %s: interface name.
  • Page 871 "System resetted. Now apply %s..": After the system reset, it started to apply the configuration file. %s is the configuration file name. "Running %s...": An administrator ran the listed shell script. %s is the script file name.
  • Page 872 "Failed to connect to mail server %s.": The ZyWALL could not connect to the SMTP e-mail server (%s). The address configured for the server may be incorrect, or there may be a problem with the ZyWALL’s or the server’s network connection.
  • Page 873 "%s#%u.%u.%u.%u#%02X:%02X:%02X:%02X:%02X:%02X": The interface the packet came in through, the sender’s IP address and MAC address are also shown, along with the binding type (“s” for static or “d” for dynamic).
  • Page 874 Appendix A Log Descriptions
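The pages above list the device's raw log strings; what a practitioner wants is to turn them into events and act on the security-relevant ones (lockouts, SSL VPN password guessing, LAND packets, certificate verification failures, firewall and access-control changes). The following is an added example written for this page, not ZyXEL code: it matches the exact message formats quoted on pages 821, 825, 829, 833, 845, 848, 850, 852 and 843, and flags repeated SSL VPN login failures per user inside a time window. The "YYYY-MM-DD HH:MM:SS message" line framing and the sample log are constructed for the example; the page does not show the syslog framing the ZyWALL actually emits, so adjust LINE_RE for a real export.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Patterns taken from the Log Message column of Appendix A; the printf
# placeholders (%s, %d, %u.%u.%u.%u) are turned into named capture groups.
PATTERNS = [
    ("lockout",         "high",   re.compile(r"Address (?P<ip>\d+\.\d+\.\d+\.\d+) has been put into lockout state")),
    ("sslvpn_fail",     "medium", re.compile(r"Failed login attempt to SSLVPN from (?P<user>\S+) \(incorrect password or inexistent username\)")),
    ("land_attack",     "high",   re.compile(r"LAND attack packet\. Source IP is the same as Destination IP\.")),
    ("cert_verify",     "medium", re.compile(r"Verify server's certificate has failed\.")),
    ("cert_expired",    "medium", re.compile(r"Certificate has expired\.")),
    ("fw_rule_deleted", "high",   re.compile(r"Firewall rule (?P<rule>\d+) has been deleted\.")),
    ("fw_flushed",      "high",   re.compile(r"Firewall rules have been flushed\.")),
    ("acl_inserted",    "medium", re.compile(r"Access control rule (?P<rule>\d+) of (?P<svc>HTTPS|HTTP|SSH|SNMP|FTP|TELNET) was inserted\.")),
    ("snmp_default",    "medium", re.compile(r"SNMP port has been changed to default port\.")),
    ("vpn_gw_disabled", "medium", re.compile(r"VPN gateway (?P<gw>\S+) was disabled")),
    ("ntp_failed",      "low",    re.compile(r"NTP update failed")),
]

# Assumed line framing (constructed for this example, not the device's native format).
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$")

# Events that change the device's security posture and deserve a change-control check.
POLICY_EVENTS = {"fw_rule_deleted", "fw_flushed", "acl_inserted", "snmp_default", "vpn_gw_disabled"}

def parse_line(line):
    """Return an event dict for one log line, or None if the framing does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    msg = m.group("msg")
    for name, severity, pat in PATTERNS:
        hit = pat.search(msg)
        if hit:
            return {"ts": ts, "event": name, "severity": severity, "fields": hit.groupdict(), "msg": msg}
    return {"ts": ts, "event": "other", "severity": "info", "fields": {}, "msg": msg}

def find_bursts(events, event_name="sslvpn_fail", key="user", threshold=3, window_s=60):
    """Map key value -> largest number of event_name events seen inside any window_s span,
    for keys that reach threshold (sliding window over sorted timestamps)."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["event"] == event_name:
            by_key[ev["fields"].get(key)].append(ev["ts"])
    flagged = {}
    for k, stamps in by_key.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[k] = max(flagged.get(k, 0), count)
    return flagged

def triage(lines):
    """Parse all lines and summarise: counts by severity and event, login bursts, policy changes."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    summary = {
        "by_severity": Counter(e["severity"] for e in events),
        "by_event": Counter(e["event"] for e in events),
        "sslvpn_bursts": find_bursts(events),
        "policy_changes": [e["msg"] for e in events if e["event"] in POLICY_EVENTS],
    }
    return events, summary

# Constructed sample log: message texts follow Appendix A, the values are made up.
SAMPLE_LOG = """\
2009-06-01 08:00:01 NTP update failed
2009-06-01 08:01:10 Failed login attempt to SSLVPN from alice (incorrect password or inexistent username)
2009-06-01 08:01:25 Failed login attempt to SSLVPN from alice (incorrect password or inexistent username)
2009-06-01 08:01:40 Failed login attempt to SSLVPN from alice (incorrect password or inexistent username)
2009-06-01 08:02:00 Address 203.0.113.7 has been put into lockout state
2009-06-01 08:05:00 LAND attack packet. Source IP is the same as Destination IP.
2009-06-01 08:10:00 Firewall rules have been flushed.
2009-06-01 08:10:05 Access control rule 1 of TELNET was inserted.
2009-06-01 08:11:00 Verify server's certificate has failed.
2009-06-01 09:30:00 Failed login attempt to SSLVPN from bob (incorrect password or inexistent username)
""".splitlines()

if __name__ == "__main__":
    _, report = triage(SAMPLE_LOG)
    for section, value in report.items():
        print(f"{section}: {value}")
```

The burst detector keys on the user name because that is what the page says the %s in the SSL VPN message carries; the lockout message on page 829 is the device's own reaction, keyed on source IP, so seeing a burst without a following lockout is itself worth noticing.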
  • Page 875: Appendix B Common Services

    ... Border Gateway Protocol. BOOTP_CLIENT: DHCP Client. BOOTP_SERVER: DHCP Server. CU-SEEME (7648, 24032): A popular videoconferencing solution from White Pine Software. Domain Name Server (TCP/UDP): a service that matches web names (for example www.zyxel.com) to IP numbers.
  • Page 876 ... sends ICMP echo requests to test whether or not a remote host is reachable. POP3: Post Office Protocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other).
  • Page 877 TELNET: Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems. Telnet carries credentials and session data in cleartext, so management of the ZyWALL over TELNET should be restricted to trusted networks with the TELNET access control rules (see the log entries on page 850) or disabled in favour of SSH or HTTPS.
  • Page 878 PROTOCOL | PORT(S) | DESCRIPTION. TFTP: Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol). VDOLIVE (7000): Another videoconferencing solution.
  • Page 879: Appendix C Displaying Anti-Virus Alert Messages In Windows

    Windows XP: Click Start > Control Panel > Administrative Tools > Services. Figure 539 Windows XP: Opening the Services Window
  • Page 880 Figure 540 Windows XP: Starting the Messenger Service. Close the window when you are done. Note: The Messenger service is disabled by default from Windows XP SP2 onward because unsolicited net-send pop-ups were widely abused for spam; enable it only on hosts that need the ZyWALL's alerts and that are not reachable from untrusted networks. Windows 2000: Click Start > Settings > Control Panel > Administrative Tools > Services. Figure 541 Windows 2000: Opening the Services Window
  • Page 881 The WinPopup window displays as shown. Figure 543 Windows 98 SE: WinPopup. If you want to display the WinPopup window at startup, follow the steps below for Windows 98 SE (the steps are similar for Windows Me).
  • Page 882 Right-click on the program task bar and click Properties. Figure 544 Windows 98 SE: Program Task Bar. Click the Start Menu Programs tab and click Advanced... Figure 545 Windows 98 SE: Task Bar Properties. Double-click Programs and click StartUp.
  • Page 883 Right-click in the StartUp pane and click New > Shortcut. Figure 546 Windows 98 SE: StartUp. A Create Shortcut window displays. Enter “winpopup” in the Command line field and click Next. Figure 547 Windows 98 SE: Startup: Create Shortcut
  • Page 884 A shortcut is created in the StartUp pane. Restart the computer when prompted. Figure 549 Windows 98 SE: Startup: Shortcut. Note: The WinPopup window displays after the computer finishes the startup process (see Figure 543 on page 881).
  • Page 885: Appendix D Importing Certificates

    • Opera on page 899 • Konqueror on page 906. Importing the ZyWALL's certificate makes the browser accept it silently from then on, and the "unknown authority" warning is the only thing that would reveal a host interposed between you and the device. Before installing it, compare the fingerprint the browser displays with the fingerprint of the certificate exported from the ZyWALL's My Certificates screen (see the export log entries on page 864), and only then trust it. Internet Explorer: The following example uses Microsoft Internet Explorer 7 on Windows XP Professional; however, the screens can also apply to Internet Explorer on Windows Vista.
  • Page 886 Figure 550 Internet Explorer 7: Certification Error. Click Continue to this website (not recommended). Figure 551 Internet Explorer 7: Certification Error. In the Address Bar, click Certificate Error > View certificates. Figure 552 Internet Explorer 7: Certificate Error
  • Page 887 In the Certificate dialog box, click Install Certificate. Figure 553 Internet Explorer 7: Certificate. In the Certificate Import Wizard, click Next. Figure 554 Internet Explorer 7: Certificate Import Wizard
  • Page 888 ... click Next again and then go to step 9. Figure 555 Internet Explorer 7: Certificate Import Wizard. Otherwise, select Place all certificates in the following store and then click Browse. Figure 556 Internet Explorer 7: Certificate Import Wizard
  • Page 889 In the Select Certificate Store dialog box, choose a location in which to save the certificate and then click OK. Figure 557 Internet Explorer 7: Select Certificate Store. In the Completing the Certificate Import Wizard screen, click Finish. Figure 558 Internet Explorer 7: Certificate Import Wizard
  • Page 890 12 The next time you start Internet Explorer and go to a ZyXEL Web Configurator page, a sealed padlock icon appears in the address bar. Click it to view the page’s Website Identification information. Figure 561 Internet Explorer 7: Website Identification
  • Page 891 Refer to steps 4-12 in the Internet Explorer procedure beginning on page 885 to complete the installation process. Removing a Certificate in Internet Explorer: This section shows you how to remove a public key certificate in Internet Explorer 7.
  • Page 892 Open Internet Explorer and click Tools > Internet Options. Figure 564 Internet Explorer 7: Tools Menu. In the Internet Options dialog box, click Content > Certificates. Figure 565 Internet Explorer 7: Internet Options
  • Page 893 Figure 566 Internet Explorer 7: Certificates. In the Certificates confirmation, click Yes. Figure 567 Internet Explorer 7: Certificates. In the Root Certificate Store dialog box, click Yes. Figure 568 Internet Explorer 7: Root Certificate Store
  • Page 894 If your device’s Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error. Select Accept this certificate permanently and click OK. Figure 569 Firefox 2: Website Certified by an Unknown Authority
  • Page 895 Installing a Stand-Alone Certificate File in Firefox: Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.
  • Page 896 Open Firefox and click Tools > Options. Figure 571 Firefox 2: Tools Menu. In the Options dialog box, click Advanced > Encryption > View Certificates. Figure 572 Firefox 2: Options
  • Page 897 Figure 574 Firefox 2: Select File. The next time you visit the web site, click the padlock in the address bar to open the Page Info > Security window to see the web page’s security information.
  • Page 898 This section shows you how to remove a public key certificate in Firefox 2. Open Firefox and click Tools > Options. Figure 575 Firefox 2: Tools Menu. In the Options dialog box, click Advanced > Encryption > View Certificates. Figure 576 Firefox 2: Options
  • Page 899 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. Opera: The following example uses Opera 9 on Windows XP Professional; however, the screens can apply to Opera 9 on all platforms.
  • Page 900 Figure 579 Opera 9: Certificate signer not found. The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page’s security details. Figure 580 Opera 9: Security information
  • Page 901 Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you. Open Opera and click Tools > Preferences. Figure 581 Opera 9: Tools Menu
  • Page 902 In Preferences, click Advanced > Security > Manage certificates. Figure 582 Opera 9: Preferences
  • Page 903 In the Certificates Manager, click Authorities > Import. Figure 583 Opera 9: Certificate manager. Use the Import certificate dialog box to locate the certificate and then click Open. Figure 584 Opera 9: Import certificate
  • Page 904 The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page’s security details. Removing a Certificate in Opera: This section shows you how to remove a public key certificate in Opera 9.
  • Page 905 Open Opera and click Tools > Preferences. Figure 587 Opera 9: Tools Menu. In Preferences, click Advanced > Security > Manage certificates. Figure 588 Opera 9: Preferences
  • Page 906 ... Konqueror 3.5 on all Linux KDE distributions. If your device’s Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.
  • Page 907 Click Forever when prompted to accept the certificate. Figure 591 Konqueror 3.5: Server Authentication. Click the padlock in the address bar to open the KDE SSL Information window and view the web page’s security details. Figure 592 Konqueror 3.5: KDE SSL Information
  • Page 908 Figure 593 Konqueror 3.5: Public Key Certificate File. In the Certificate Import Result - Kleopatra dialog box, click OK. Figure 594 Konqueror 3.5: Certificate Import Result. The public key certificate appears in the KDE certificate manager, Kleopatra. Figure 595 Konqueror 3.5: Kleopatra
  • Page 909 Figure 596 Konqueror 3.5: Settings Menu. In the Configure dialog box, select Crypto. On the Peer SSL Certificates tab, select the certificate you want to delete and then click Remove. Figure 597 Konqueror 3.5: Configure
  • Page 910 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. Note: There is no confirmation when you remove a certificate authority, so be absolutely certain you want to go through with it before clicking the button.
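Every browser procedure above ends with the same decision: trust this certificate or not. The check that makes that decision sound is comparing the fingerprint the browser shows against one obtained from the device itself. The following added example (written for this page, not ZyXEL or browser code) reads the CERTIFICATE blocks of a PEM file such as a browser or the ZyWALL exports, computes the colon-separated SHA-256 or SHA-1 fingerprint in the form browsers display, and compares it with an expected value copied from another UI, tolerating differences in case and separators. SAMPLE_PEM is constructed: the PEM framing is real but the body is not a parseable X.509 certificate, which is enough because only the DER bytes are hashed.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for an exported certificate (not a real X.509 structure).
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"not a real certificate, constructed for this example" * 3).decode()
    + "-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM file, in file order.
    A bundle exported from a browser may contain the chain, so all blocks are kept."""
    blocks = [base64.b64decode("".join(body.split())) for body in _PEM_RE.findall(pem_text)]
    if not blocks:
        raise ValueError("no CERTIFICATE block found")
    return blocks

def fingerprint(der, algo="sha256"):
    """Digest of the DER bytes as colon-separated upper-case hex pairs, the form browsers show."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp):
    """Drop separators and case so a value copied from any UI compares equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()

def matches_expected(pem_text, expected_fp, algo="sha256"):
    """True only if the first certificate in pem_text has the expected fingerprint.
    hmac.compare_digest keeps the comparison time independent of where the values differ."""
    got = normalize(fingerprint(pem_to_der(pem_text)[0], algo))
    want = normalize(expected_fp)
    return len(got) == len(want) and hmac.compare_digest(got, want)

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)[0]
    print("SHA-256:", fingerprint(der))
    print("SHA-1:  ", fingerprint(der, "sha1"))
```

Run it against the file exported from the ZyWALL (My Certificates) and paste the fingerprint the browser's certificate viewer shows as expected_fp; a mismatch means the certificate the browser is about to trust is not the device's.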
  • Page 911: Appendix E Open Software Announcements

    Carnegie Mellon University. The name of the University may not be used to endorse or promote products derived from this software without specific prior
  • Page 912 Note: This Product includes ntp-4.1.2 software under the NTP License NTP License Copyright (c) David L. Mills 1992-2004 Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that
  • Page 913 The GNU General Public License, Version 1 • This license is compatible with The GNU General Public License, Version 2 This is just like a Simple Permissive license, but it requires that a copyright notice be maintained.
  • Page 914 For written permission, please contact openssl-core@openssl.org. 5. Products derived from this software may not be called "OpenSSL" nor may “OpenSSL" appear in their names without prior written permission of the OpenSSL Project.
  • Page 915 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic
  • Page 916 Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Page 917 Portions Copyright (C) 1996-2001 Nominum, Inc. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
  • Page 918 Internet Systems Consortium, Inc. 950 Charter Street Redwood City, CA 94063 <info@isc.org> http://www.isc.org/ Note: This Product includes httpd-2.0.55 software developed by the Apache Software Foundation under Apache License. Apache License Version 2.0, January 2004 http://www.apache.org/licenses/
  • Page 919 Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed
  • Page 920 NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works;
  • Page 921 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or
  • Page 922 PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  • Page 923 To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions
  • Page 924 Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances.
  • Page 925 Activities other than copying, distribution and modification are not covered by this License; they
  • Page 926 Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
  • Page 927 Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself.
  • Page 928 7. You may place library facilities that are a work based on the Library side-by- side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate
  • Page 929 Many people have made generous contributions to the
  • Page 930 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
  • Page 931 To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you
  • Page 932 Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.
  • Page 933 Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code,
  • Page 934 (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this
  • Page 935 NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE
  • Page 936 Modifications. 1.2. "Contributor Version" means the combination of the Original Code, prior Modifications used by a Contributor, and the Modifications made by that particular Contributor. 1.3. "Covered Code"
  • Page 937 Source Code of computer software code which is described in the Source Code notice required by Exhibit A as Original Code, and which, at the time of its release under this License is not already Covered Code governed by this License.
  • Page 938 Developer first distributes Original Code under the terms of this License. Notwithstanding Section 2.1 (b) above, no patent license is granted: 1) for code that You delete from the Original Code; 2) separate from the Original Code; or 3)
  • Page 939 You may not offer or impose any terms on any Source Code version that alters or restricts the applicable version of this License or the recipients' rights hereunder. However, You may include an additional document offering the additional rights described in Section 3.5. 3.2. Availability of Source Code.
  • Page 940 Contributor has knowledge of patent licenses which are reasonably necessary to implement that API, Contributor must also include this information in the legal file. (c) Representations. Contributor represents that, except as disclosed pursuant to Section 3.4 (a) above, Contributor believes that Contributor's Modifications are Contributor's
  • Page 941 Initial Developer or such Contributor as a result of any such terms You offer. 3.7. Larger Works. You may create a Larger Work by combining Covered Code with other code not governed by the terms of this License and distribute the Larger Work as a single
  • Page 942 Mozilla Public License and Netscape Public License. (Filling in the name of the Initial Developer, Original Code or Contributor in the notice described in Exhibit A shall not of themselves be deemed to be modifications of this License.)
  • Page 943 You first made, used, sold, distributed, or had made, Modifications made by that Participant. 8.3. If You assert a patent infringement claim against Participant alleging that such Participant's Contributor Version directly or indirectly infringes any patent
  • Page 944 License shall be subject to the jurisdiction of the Federal Courts of the Northern District of California, with venue lying in Santa Clara County, California, with the losing party responsible for costs, including without limitation, court costs and reasonable attorneys' fees and expenses. The
  • Page 945 [____] License and not to allow others to use your version of this file under the MPL, indicate your decision by deleting the provisions above and replace them with the notice and other provisions required
  • Page 946 The sole exception to this condition is redistribution of a standard UnZipSFX binary (including SFXWiz) as part of a self-extracting archive; that is permitted without inclusion of this license, as long as the normal SFX banner has not been removed from the binary or disabled.
  • Page 947 PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
  • Page 948 1. Redistributions in source form must retain copyright statements and notices, tributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution, and ZyWALL USG 2000 User’s Guide...
  • Page 949 Portions relating to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson (ellson@lucent.com). Portions relating to gdft.c copyright 2001, 2002 John Ellson (ellson@lucent.com). ZyWALL USG 2000 User’s Guide...
  • Page 950 WISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Note: This Product includes libmd5-rfc software under the below License Copyright (C) 1999, 2000, 2002 Aladdin Enterprises. All rights reserved. ZyWALL USG 2000 User’s Guide...
  • Page 951 INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE ZyWALL USG 2000 User’s Guide...
  • Page 952 OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Note: Some components of the ZyWALL USG 2000 incorporate source code covered under the Apache License, GPL License, LGPL License, BSD License, Open...
  • Page 953 License Agreement to those persons employed by you who come into contact with the Software, and to use reasonable best efforts to ensure their compliance with such terms and conditions, including, without limitation, not ZyWALL USG 2000 User’s Guide...
  • Page 954 IMPOSED FROM TIME TO TIME. YOU SHALL NOT EXPORT THE SOFTWARE, DOCUMENTATION OR INFORMATION ABOUT THE SOFTWARE AND DOCUMENTATION WITHOUT COMPLYING WITH SUCH LAWS, REGULATIONS, ORDERS, OR OTHER RESTRICTIONS. YOU AGREE TO INDEMNIFY ZyXEL AGAINST ZyWALL USG 2000 User’s Guide...
  • Page 955 If any part of this License Agreement is found invalid or unenforceable by a court of competent jurisdiction, the remainder of this License Agreement shall be interpreted so as to reasonably effect the intention of the parties. ZyWALL USG 2000 User’s Guide...
  • Page 956 Appendix E Open Software Announcements ZyWALL USG 2000 User’s Guide...
  • Page 957: Appendix F Legal Information

    ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein.
  • Page 958: Appendix F Legal Information

    Notice! According to Article 12 of the Administrative Regulations on Low Power Radio Waves Radiated Devices: without permission, no company, firm or user may change the frequency, increase the transmitting power, or alter the original design characteristics and functions of a type-approved low-power radio-frequency device. Article 14: the use of low-power radio-frequency devices must not affect flight safety or interfere with legal communications; if interference is found, use must stop immediately and may only resume once the interference has been eliminated. Legal communications in the preceding paragraph means radio communications operated in accordance with the Telecommunications Act. Low-power radio-frequency devices must tolerate interference from legal communications or from industrial, scientific and medical radio-wave radiating equipment. Notices Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.
  • Page 959: Zyxel Limited Warranty

    To obtain the services of this warranty, contact your vendor. You may also refer to the warranty policy for the region in which you bought the device at http://www.zyxel.com/web/support_warranty_info.php. Registration Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com.
  • Page 960 Appendix F Legal Information
  • Page 961: Index

    654, 656 RADIUS address groups 650, 651 RADIUS default and content filtering 541, 542, 547 RADIUS group and firewall RADIUS group members and force user authentication policies see also RADIUS and FTP
  • Page 962 575, 580, 582, 584 337, 365 anti-virus and transport mode 471, 472 alert message alerts 766, 770, 773, 774, 775 alerts anti-spam black list 478, 479, 480 anti-virus boot sector virus
  • Page 963 IIS-backslash-evasion classification IIS-unicode-codepoint-encoding configuration overview configured rate effect known exceptions multi-slash-encoding interface’s bandwidth network-based maximize bandwidth usage non-RFC-defined-char 447, 448, 460, 464 over allotment of bandwidth non-RFC-HTTP-delimiter port-less obsolete-options ports oversize-chunk-encoding prerequisites oversize-len
  • Page 964 63, 65, 218, 689 black list Authentication, Authorization, Accounting 580, 581 servers, see AAA server anti-spam authorization server Blaster AUX LED bookmarks AUX port boot module see also auxiliary interface boot sector virus
  • Page 965 SSH Common Event Format (CEF) 767, 773 and synchronization (device HA) common services and VPN gateways compression (stac) and WWW computer names 183, 208, 215, 224, 410 certification path 666, 676, 682 computer virus expired
  • Page 966 Data Encryption Standard, see DES 562, 565 categories Data Terminal Ready, see DTR category service date configuration overview daylight savings default policy 542, 544 DDNS external web filtering service 550, 565 backup mail exchanger filter list configuration overview
  • Page 967 High Availability see device HA DNS Blacklist see DNSBL device introduction DNS servers DHCP 707, 711 222, 702 and interfaces and DNS servers and domain name DNSBL 577, 581, 586 and interfaces domain client list see also anti-spam
  • Page 968 L2TP VPN file sharing SSL application 422, 437 IPSec create filtered port scan encryption algorithms Firefox 3DES firewall 309, 310
  • Page 969 H.323 125, 300 and address groups additional signaling port and address objects 293, 300 and schedules and firewall prerequisites and RTP forcing login signaling port
  • Page 970 IEEE 802.1q VLAN portsweep IGP (Interior Gateway Protocol) sequence number IHL (IP Header Length) Time Stamp header length type backslash-evasion attack unreachables emulation identification (IP) encoding identifying server legitimate e-mail unicode
  • Page 971 IP decoy portscan and layer-3 virtualization and physical ports IP distributed portscan 86, 170 and policy routes IP options 240, 241 506, 511 and static routes IP policy routing, see policy routes and virtual servers
  • Page 972 IKE SA is disconnected peer IPSec VPN Perfect Forward Secrecy configuration overview prerequisites phase 2 settings see also IPSec policy enforcement tutorial policy routes where used proposals ISP account remote access CHAP remote IPSec router
  • Page 973 IPSec configuration see also trunks policy routes session-oriented policy routes example spillover prerequisites tutorial remote user configuration weighted round robin session monitor local user database where used log messages WINS categories 770, 773, 774, 775
  • Page 974 HA My Certificates, see also certificates Management Information Base (MIB) 741, 742 MyDoom managing bandwidth myZyXEL.com 153, 161 manual key IPSec accounts, creating mapping ports and IDP memory usage 139, 145
  • Page 975 IP options configuration steps No-IP direction non-RFC link cost characters priority defined-char attack redistribute HTTP-delimiter attack redistribute type (cost) NSSA routers, see OSPF routers virtual links vs RIP 249, 251 OSPF areas and Ethernet interfaces
  • Page 976 L2TP VPN 218, 689 password L2TP VPN example prerequisites Password Authentication Protocol (PAP) 218, 689 polymorphic virus payload option size POP2 POP3 PCMCIA card installation pop-up windows Peanut Hull port forwarding, see virtual servers Peer-to-peer (P2P)
  • Page 977 546, 548, 550 as VPN configuration overview privacy concerns prerequisites product product overview subscription services, see subscription registration services profiles registration status anti-virus packet inspection application patrol proposals in IPSec reject (IDP) protocol anomaly 522, 537
  • Page 978 SCEP (Simple Certificate Enrollment Protocol) 1058 (RIP) schedules 1389 (RIP) and content filtering 541, 542, 547 1587 (OSPF areas) and current date/time 1631 (NAT) and firewall 322, 458, 461, 463 1889 (RTP) and force user authentication policies 2131 (DHCP)
  • Page 979 Session Initiation Protocol, see SIP signaling inactivity timeout session limits 312, 323 signaling port session monitor (L2TP VPN) SMTP sessions smurf attack sessions usage 139, 146 SNAT severity (IDP) 493, 497 SNMP 740, 741 SHA1 agents
  • Page 980 AAA 654, 656 and synchronization (device HA) and AD 654, 656 if errors and LDAP 654, 656 missing at restart certificates present at restart client virtual desktop logo startup-config-bad.conf computer names
  • Page 981 Telnet upgrading and address groups supported browsers and address objects supporting disc and zones SYN flood with SSH synchronization terminating an SSL user connection and subscription services terminology differences information synchronized bandwidth management
  • Page 982 795, 799 IDP and application patrol signatures packet flow signatures truncated-address-header attack system protect signatures truncated-header attack upgrading truncated-options attack firmware truncated-timestamp-header attack licenses trunk uploading trunks configuration files 171, 225
  • Page 983 Virtual Router Redundancy Protocol, see VRRP and firewall 322, 325 virtual servers and LDAP and address objects (HOST) 276, 277 and policy routes 240, 456, 458, 461, 463 and ALG and RADIUS
  • Page 984 (SA) supported browsers see also IKE SA web features see also IPSec ActiveX see also IPSec SA cookies see also L2TP VPN Java status web proxy servers VPN concentrator web proxy servers advantages 290, 561
  • Page 985 310, 320 and FTP and interfaces 86, 261 and SNMP and SSH and Telnet and VPN 86, 261 and WWW block intra-zone traffic 264, 318 configuration overview default extra-zone traffic inter-zone traffic intra-zone traffic prerequisites
  • Page 986 Index

This manual is also suitable for:

Zywall usg 1000