ZyXEL – USG Application Note
Table of Contents
Scenario 1 — Connecting your USG to the Internet
1.1 Application Scenario
1.2 Configuration Guide
Scenario 2 — WAN Load Balancing and Customized Usage of WAN Connection for Specific Traffic – Dual WAN setting
2.1 Application Scenario
2.2 Configuration Guide
Scenario 3 — ...
12.2 Configuration Guide
Scenario 13: Single sign-on for USG and Windows platform
13.1 Application Scenario
13.2 Configuration Guide
Scenario 14 – WLAN Controller function on USG
14.1 Application Scenario
14.2 Configuration Guide
Scenario 15 – Device HA on the USG
15.1 Application Scenario
15.2 Configuration Guide
...
Tutorial 1: How to Set Up Your Network
1.1 Wizard Overview
1.2 How to Configure Interfaces, Port Roles, and Zones
1.3 How to Configure a Cellular Interface
1.4 How to Set Up a Wireless LAN
1.5 How to Configure Ethernet, PPP, VLAN, Bridge and Policy Routing
1.6 How to Set Up IPv6 Interfaces For Pure IPv6 Routing
1.7 How to Set Up an IPv6 6to4 Tunnel
...
Scenario 1 — Connecting your USG to the Internet
1.1 Application Scenario
Nowadays more and more Internet service providers offer an IPv6 environment. With the IPv6 feature enabled on the ZyWALL USG, the USG can assign IPv6 addresses to the clients behind it and pass IPv6 traffic through an IPv4 environment to reach a remote IPv6 network.
Step 2: Set a static IP on WAN1. Go to Configuration > Interface > Ethernet, double-click the WAN1 interface and configure it with the static IP address 59.124.163.150.
Step 3: Set an IPv6 address on LAN1.
(1) Go to Configuration > Interface > Ethernet and double-click the LAN1 interface in the IPv6 Configuration section.
(2) Convert the WAN1 IP address to hexadecimal: 59.124.163.150 (decimal) = 3b7c:a396 (hex). Fill in 2002:3b7c:a396::1/128 in the prefix table as the LAN interface's IPv6 address.
(3) Check the IPv6 Router Advertisement Setting box and add the prefix to the Advertised Prefix Table.
...
(2) Select 6to4 as the Tunnel Mode.
(3) Check the Prefix in the 6to4 Tunnel Parameter section.
(4) Select the WAN1 interface as the gateway in the Gateway Setting...
Scenario 2 — WAN Load Balancing and Customized Usage of WAN Connection for Specific Traffic – Dual WAN setting
2.1 Application Scenario
The company has two WAN connections that share outbound Internet traffic. WAN1 uses a static IP, and WAN2 uses a PPPoE connection. Since the WAN1 ISP is also the company's VoIP provider, the network administrator wants VoIP traffic sent out primarily over WAN1.
... Load Balancing algorithm.
USG configuration
Step 1. Configure a PPPoE account on the WAN2 interface.
(1) Go to CONFIGURATION > Object > ISP Account and add a PPPoE account.
(2) Go to CONFIGURATION > Network > Interface > PPP and add a new PPP interface based on the WAN2 interface...
Step 2. Go to CONFIGURATION > Network > Interface > Trunk and add WAN trunks.
(1) Add a WAN trunk for VoIP traffic: set WAN1 to Active mode and WAN2_ppp to Passive mode.
(2) Add a WAN trunk for HTTP traffic: set WAN2_ppp to Active mode and WAN1 to Passive mode.
... for VoIP traffic and HTTP traffic.
(1) Add a policy route for VoIP traffic:
Source: LAN1_subnet
Destination: Any
Service: SIP
Next Hop: select the newly created WAN trunk WAN_Trunk_VoIP
Please note that to make sure this policy route applies to all VoIP traffic, including both SIP signaling and RTP (voice data), SIP ALG must be enabled.
(3) For all other traffic, use SYSTEM_DEFAULT_WAN_TRUNK to do load balancing. Go to Configuration > Network > Interface > Trunk and click Show Advanced Settings. Make sure Default SNAT is enabled and select SYSTEM_DEFAULT_WAN_TRUNK in Default Trunk Selection.
Scenario 3 — How to configure NAT if you have Internet-facing public servers
3.1 Application Scenario
It is common practice to place company servers behind the USG's protection while still letting WAN-side clients and servers reach the intranet servers. For example, the company may have an internal FTP server that needs to be accessible from the Internet as well.
Step 2. Click the Add button to create a mapping rule.
Step 3. On this page the user needs to configure:
- the rule's name
- Virtual Server as the type, so that the USG-50 forwards the packets
- the Original IP (the WAN IP address)
- the Mapped IP (the internal FTP server's IP address)
- the service to be mapped (FTP)...
Step 6. The user can create an address object for the internal FTP server for later use in the configuration. Click Create new Object for this.
Step 7. Configure the rule to:
- allow access from WAN to LAN1
- leave the source IP address unspecified
- set the destination IP address to the FTP server's address
- select the FTP service (ports 20/21) to be enabled...
Then click "OK" and you will see the rule in Policy Control.
Scenario 4 — Secure site-to-site connections by using IPSec VPN – IPv4 with IKEv2 / IPv6
4.1 Application Scenario
IPv4 with IKEv2: We want to use IKEv2 to establish a VPN tunnel between the HQ and the Branch.
IPv6 (with IKEv2 only): The ISP has changed the environment to IPv6.
...
Peer Gateway Address: 2002:3b7c:a397:2:b2b2:dcff:fe70:c1d6
Pre-Shared Key: 12345678
Step 2. Add an IPv6 VPN phase II on USG1. Go to CONFIGURATION -> VPN -> IPSec VPN -> VPN Connection.
VPN Gateway: USG1_GW
Local policy: 2002:3b7c:a397:2222::/64
Remote policy: 2002:3b7c:a397:1111::/64
Step 3. ... VPN -> VPN Gateway.
My Address: 2002:3b7c:a397:2:b2b2:dcff:fe70:c1d6
Peer Gateway Address: 2002:3b7c:a397:2:ee43:f6ff:fefc:c4b3
Pre-Shared Key: 12345678
Step 4. Add an IPv6 VPN phase II on USG2. Go to CONFIGURATION -> VPN -> IPSec VPN -> VPN Connection.
VPN Gateway: USG2_GW
Local policy: 2002:3b7c:a397:1111::/64
Remote policy: 2002:3b7c:a397:2222::/64
...
Scenario 6 — GRE over IPSec VPN tunnel – VPN failover
6.1 Application Scenario
We want to use VPN tunnels to transfer important files between the branch and HQ. To protect against network disconnection, we rent four WAN interfaces for redundancy. Now we want to establish two VPN tunnels between the two USGs and fail over between them, so that the transfer is not interrupted when the first connection has a problem.
Goals to achieve: Use GRE over IPSec VPN to do the VPN failover.
USG configuration
Step 1. Add two GRE tunnels on USG1. Go to CONFIGURATION -> Tunnel.
a. Add the first tunnel. IP Address: 10.0.0.1, Subnet Mask: 255.255.255.0, My Address: WAN1, Remote Gateway Address: 192.168.3.33. Enable Connectivity Check.
... Enable Connectivity Check. The Check Address is the remote GRE tunnel interface.
Step 2. Add a GRE tunnel trunk on USG1. Go to CONFIGURATION -> Network -> Interface -> Trunk. gre_trunk members: tunnel0: Active, tunnel1: Passive...
Step 3. Add two IPSec VPN tunnels on USG1. Go to CONFIGURATION -> VPN -> IPSec VPN.
a. Add two VPN Gateways.
First VPN Gateway: My Address: wan1, Peer Gateway Address: 192.168.3.33, Pre-Shared Key: 12345678...
Second VPN Gateway: My Address: wan2, Peer Gateway Address: 192.168.4.33, Pre-Shared Key: 12345678
b. Add two VPN Connections.
First VPN Connection: Enable Nailed-Up... Application Scenario: Site-to-Site, VPN Gateway: GRE0_GW, Local policy: 192.168.1.33, Remote policy: 192.168.3.33, Enable GRE over IPSec.
Second VPN Connection: Enable Nailed-Up, Application Scenario: Site-to-Site, VPN Gateway: GRE1_GW, Local policy: 192.168.2.33, Remote policy: 192.168.4.33, Enable GRE over IPSec...
Step 4. Add a policy route on USG1. Go to CONFIGURATION -> Network -> Routing. Source: LAN1_Subnet, Destination: Remote subnet, Next-Hop: gre_trunk...
Step 5. Add two GRE tunnels on USG2. Go to CONFIGURATION -> Tunnel.
a. Add the first tunnel. IP Address: 10.0.0.3, Subnet Mask: 255.255.255.0, My Address: WAN1, Remote Gateway Address: 192.168.1.33. Enable Connectivity Check. The Check Address is the remote GRE tunnel interface.
b. Add the second tunnel. IP Address: 10.10.0.4, Subnet Mask: 255.255.255.0, My Address: WAN2, Remote Gateway Address: 192.168.2.33. Enable Connectivity Check. The Check Address is the remote GRE tunnel interface.
Step 6. Add a GRE tunnel trunk on USG2. Go to CONFIGURATION -> Network -> Interface -> Trunk. gre_trunk members: tunnel0: Active, tunnel1: Passive...
Step 7. Add two IPSec VPN tunnels on USG2. Go to CONFIGURATION -> VPN -> IPSec VPN.
a. Add two VPN Gateways. First VPN Gateway: My Address: wan1, Peer Gateway Address: 192.168.1.33, Pre-Shared Key: 12345678. Second VPN Gateway: My Address: wan2, Peer Gateway Address: 192.168.2.33, Pre-Shared Key: 12345678...
b. Add two VPN Connections. First VPN Connection: Application Scenario: Site-to-Site, VPN Gateway: GRE0_GW, Local policy: 192.168.3.33, Remote policy: 192.168.1.33, Enable GRE over IPSec...
Second VPN Connection: Enable Nailed-Up, Application Scenario: Site-to-Site, VPN Gateway: GRE1_GW, Local policy: 192.168.4.33, Remote policy: 192.168.2.33, Enable GRE over IPSec...
Step 8. Add a policy route on USG2. Go to CONFIGURATION -> Network -> Routing. Source: LAN1_Subnet, Destination: Remote subnet, Next-Hop: gre_trunk...
Scenario 7 – Deploying SSL VPN for Tele-workers to Access Company Resources – SSL VPN with Apple Mac OS X
7.1 Application Scenario
Tele-workers who work out of the office sometimes need to access company resources in a secure way. While building an IPSec tunnel to the company gateway is an option, the Windows VPN client configuration is too complicated, and the easier way to configure IPSec VPN requires installing additional IPSec VPN client software.
Step 3. Go to Configuration > Object > SSL Application and add a Web link with the URL that the SSL VPN client is to access.
Step 4. Go to Configuration > VPN > SSL VPN > Access Privilege.
(1) Add one SSL VPN rule and select the User/Group object "test" and the SSL Application "Test" that you already created.
(2) Enable Network Extension (Full Tunnel Mode). ... already created. In the Network List, select LAN1_Subnet.
Step 5. Build up the SSL VPN on Apple Mac OS X.
(1) When the SSL VPN is established on Apple Mac OS X, the Status becomes "Connected", and you can check the IP address information on the Detailed tab.
(3) On the third tab, "Log", the log contains important information if you are having trouble connecting.
Scenario 8 — Reserving Highest Bandwidth Management Priority for VoIP traffic
8.1 Application Scenario
An enterprise network carries various types of traffic, but the company's Internet connection bandwidth is limited to a specific value. All this traffic contends for the limited bandwidth, which may cause important traffic, for example VoIP, to slow down or even starve.
... patrol rules for SIP traffic and does not record SIP traffic bandwidth usage statistics.
Step 3. Create a bandwidth management rule and configure it. For example:
- Configure the rule as from LAN1 to WAN1
- Allocate 300 kbps for both inbound and outbound bandwidth
Step 4. ...
- Configure the rest identically to the above rule...
Scenario 9 – Reserving Highest Bandwidth Management Priority for a Superior User and Control Session per Host – BWM Per IP or Per User
9.1 Application Scenario
An enterprise network carries various types of traffic, but the company's Internet connection bandwidth is limited to a specific value.
...
(2) Inbound = 2000 Kbps, Outbound = 2000 Kbps, Priority = 1
Step 2. Go to Configuration > BWM and enable the BWM function.
Task 2. Use the PC with IP address 192.168.1.33 to connect to the USG and visit the website http://www.speedtest.net/ ...
Task 3. Use the PC with IP address 192.168.1.40 to connect to the USG and visit the website http://www.speedtest.net/ to test the speed. The test result is around 2 Mbps, which matches our setup of 2 Mbps per source IP.
BWM Per User
Task 1. ...
(2) Add the two accounts "user-phone" and "user-pc" to the group "user_local".
Task 2. Add the policy to limit the user bandwidth via the BWM function.
Step 1. Go to Configuration > BWM and add the policy to limit the bandwidth by BWM type Per user.
(1) BWM Type: Per user, User: user_local
(2) Inbound = 2000 Kbps, Outbound = 2000 Kbps, Priority = 1...
Step 3. Go to Configuration > BWM and enable the BWM function.
Task 3. Log in to the device as the "user-phone" user.
Step 1. Enter the "user-phone" user name and password and log in.
Step 2. Visit the website http://www.speedtest.net/ to test the speed. The test result is around 2 Mbps, which matches our setup of 2 Mbps per user.
Task 4. Log in to the device as the "user-pc" user.
Step 1. ...
Scenario 10 – Using USG to Control Popular Applications – APP patrol
10.1 Application Scenario
In the company, the network administrator needs to control the Internet access rights of internal managers and employees. The USG's Application Patrol function takes the corresponding action according to the configuration in App Patrol.
Step 3. Go to Configuration > UTM Profile > App Patrol > Profile > Add rule. For example, Name: teamviewer_rule.
Step 4. Profile Management > Add Application. For example, Application: choose the "Teamviewer" application object that you already created; Action: drop; Log: log...
Step 5. Configuration > Security Policy > Policy Control > Policy > add the corresponding rule and enable it. For example, Name: teamviewer_drop; From: LAN1; UTM Profiles: enable Application Patrol and choose the "teamviewer_rule" application profile that you already created; Log: by profile...
Scenario 11 – Configure unified policy (firewall policy + UTM profile)
Introduction: The unified policy merges the firewall rule with the UTM functions. The flow checks the firewall rule first and then the UTM function. If a packet is already dropped by the firewall rule, the UTM rules are not checked any more.
11.1 Application Scenario
The customer wants to block Skype and all social networks in LAN1.
11.2 Configuration Guide
(1) Add a Skype object in Application. Go to Configuration > Object > Application and click the "Add" button.
(2) Add it to an App Patrol profile. Go to Configuration > ... profile.
(3) Add a social network rule in the Content Filter function to drop social networks. Go to Configuration > UTM Profile > Content Filter > Profile and click the "Add" button to add a content filtering profile.
(4) Add an SSL inspection rule so that SSL (HTTPS) access to the social network sites is dropped as well. Go to Configuration > ...
Go to Configuration > Security Policy > Policy Control > Policy and click the "Add" button to add the rule, and select the objects into this rule. After configuring these rules, Skype and all of the social networks are dropped successfully.
Scenario 12 – Block HTTPS web sites by Content Filter
Introduction: The Content Filter function can determine which category almost any website belongs to. The Content Filter function only supports checking web sites over HTTP, so we need to use "SSL Inspection"...
... and in Managed Categories, select "Search Engines/Portals" to block search engines.
(3) After creating the SSL Inspection and Content Filter profiles, go to the Policy Control function to set up the rule. Go to Configuration > Security Policy > Policy Control and click the "Add" button to add the rule. After you set up the session orientation, you can set up the UTM profile.
Scenario 13: Single sign-on with USG and Windows platform
13.1 Application Scenario
When an employee's PC is connected to the company's network, the employee usually needs to log in to the domain first and then log in to the USG again with the same username and password to pass web authentication before accessing the Internet and the company resources.
SSO Agent Installation
1. Prepare the SSO Agent package.
2. Install .NET Framework v4.0.30319 or a later version. Double-click "dotNetFx40_Full_x86_x64.exe".
Click "Next" to proceed. Select a folder or keep the default location and click "Next". In this scenario, the SSO Agent is installed on the Domain Controller. Select DC.
Click Next to confirm and start the installation. A dialog window "Set SSO Agent Service" pops up. Enter the Domain\Username and password of the domain account that was created in the Domain Controller configuration. Click OK to continue.
2. Click "Configure" to configure the LDAP query that retrieves the user's group information from Active Directory. Configure the IP of the AD server, the Base DN and the Bind DN.
Under Gateway Settings, click "Add" to configure the IP address of the USG and the Pre-Shared Key.
Enable the SSO service. When the SSO service has started successfully, the icon turns on.
USG Configuration
1. Go to CONFIGURATION > Object > AAA Server > Active Directory > Edit Active Directory. Configure the AD server with the same settings as in step 2 of "SSO Agent Installation".
2. Go to CONFIGURATION > Object > User/Group > User and add a new ext-group-user, for example csosecurity. The domain user "Amy" must belong to this group in the AD.
3. Go to CONFIGURATION > Web Authentication > SSO. Fill in the Pre-Shared Key that was configured in the SSO Configuration.
4. Go to CONFIGURATION > Web Authentication > Web Authentication Policy Summary and add a new authentication policy. Check the Single Sign-on box so that users are authenticated by SSO.
Verification
1. On the client's laptop, log in with the domain account "Amy", for example CSO\Amy. Then open a browser or an application on the client's laptop to generate traffic that passes through the USG.
2. Check the SSO Agent log. The user logged in successfully and the information was sent to the USG's gateway (192.168.1.1) successfully.
3. Check the logon user list on the SSO Agent. The user "Amy" is on the logon list.
4. Go to MONITOR > System Status > Login Users. The client "Amy"...
Scenario 14 – WLAN Controller function on USG
14.1 Application Scenario
With 4.10 firmware, the USG supports the AP controller function. You can control your AP devices step by step.
14.2 Configuration Guide
Managing an external AP device
(1) Add an SSID object on the device. Go to Configuration > ...
(3) Connect your AP to a LAN interface (this document uses an NWA 3560-N for testing).
a. The AP must be set to managed mode.
b. After the connection succeeds, the NWA starts upgrading its firmware from the USG. After the firmware upgrade succeeds, you will see the MAC address and model name in the GUI.
Managing the local AP interface (only for USG40W and USG60W)
(1) Add 2 SSIDs to the SSID list (for the LAN1 and LAN2 subnets). Go to Configuration > Object > AP Profile > SSID > SSID List and click the Add button to create an SSID object. Disable VLAN support and select the LAN1 interface in the Local VAP setting; disable VLAN support and select the LAN2 interface in the Local VAP setting...
(2) Add AP profiles and select these 2 SSID objects in the rule. Go to Configuration > Object > AP Profile > Radio and click the Add button to create an AP profile for the 2.4G band and one for the 5G band.
(3) Apply the AP profiles to the local AP interface. Go to Configuration > ...
If you connect to the For_LAN1 SSID, you will get an IP address from the LAN1 subnet; if you connect to For_LAN2, you will get one from the LAN2 subnet.
Scenario 15 – Device HA on the USG
15.1 Application Scenario
Topology: Internet on the WAN side (10.59.3.0/24); LAN side 192.168.1.0/24.

                      Master device      Backup device
WAN interface IP      10.59.3.100/24     10.59.3.100/24
WAN Management IP     10.59.3.101/24     10.59.3.102/24
LAN1 Interface IP     192.168.1.1/24     192.168.1.1/24
LAN1 Management IP    ...

(3) Go to Configuration > Device HA > General to enable the Device HA function. After you enable Device HA, you will see the interfaces that you monitor.
On the backup device:
(4) Go to Configuration > Network > Interface > Ethernet to check the WAN and LAN interface settings. WAN interface: 10.59.3.100/24; LAN interface: 192.168.1.1/24.
(5) Go to Configuration > ...
(6) Go to Configuration > Device HA > General to enable the Device HA function. After you enable Device HA, you will see the interfaces that you monitor.
Verification: You can check the status of Device HA in the GUI. The status of the master device will be Master/Activate; the status of the backup device will be Backup/Stand-By...
Tutorial 1: How to Set Up Your Network
Here are examples of using the Web Configurator to set up your network on the ZyWALL.
Note: The tutorials featured here require a basic understanding of connecting to and using the Web Configurator; see Section 1.4 on page 10 for details.
• The wan1 interface uses a static IP address of 1.2.3.4.
• Add P5 (lan2) to the DMZ interface (Note: on the USG 20/20W, use P4 (lan2) instead of P5 in this example). The DMZ interface is used for a protected local network. It uses the IP address 192.168.3.1 and serves as a DHCP server by default.
1.2.2 Configure Port Roles
Here is how to take the P5 port from the lan2 interface and add it to the dmz interface. Click Configuration > Network > Interface > Port Role. Under P5 select the dmz (DMZ) radio button and click Apply.
1.2.3 Configure Zones
In this example you have created a WIZ_VPN tunnel through the Quick Setup - VPN Setup wizard. Go back to the Configuration > Network > Zone screen and click Add in the User Configuration section. Enter VPN as the new zone's name. Select WIZ_VPN, move it to the Member box and click OK. Then you can configure firewall rules to apply specific security settings to this VPN zone.
1.3 How to Configure a Cellular Interface
Use 3G cards for cellular WAN (Internet) connections.
Note: The Network Selection is set to auto by default. This means that the 3G USB modem may connect to another 3G network when your service provider is not in range or when necessary. Select Home to have the 3G device connect only to your home network or local service provider.
This way the ZyWALL can automatically balance the traffic load among the available WAN connections to enhance overall network throughput. Plus, if a WAN connection goes down, the ZyWALL still sends traffic through the remaining WAN connections. For a simple test, disconnect all of the ZyWALL's wired WAN connections.
Edit this screen as follows. An (internal) name for the WLAN interface is displayed; you can modify it if you want to. The ZyWALL's security settings are configured by zones. Select the security zone the WLAN interface should belong to (the WLAN zone in this example). This determines which security settings the ZyWALL applies to the WLAN interface.
Configure your wireless clients to connect to the wireless network.
1.4.2.1 Wireless Clients Import the ZyWALL's Certificate
You must import the ZyWALL's certificate into the wireless clients if they are to validate the ZyWALL's certificate. Use the Configuration > Object > Certificate > Edit screen to export the certificate the ZyWALL is using for the WLAN interface.
The My Certificates screen indicates what type of information is being displayed, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C). Repeat the steps to import the certificate into each wireless client computer that is to validate the ZyWALL's certificate when using the WLAN interface.
Ethernet, PPP, VLAN, Bridge and Policy Routing Screen Relationships
Table 10
SCREEN     DESCRIPTION
Ethernet   Configure this if any interface on the ZyWALL is connecting to an Ethernet network. Ethernet interfaces are the foundation for defining other interfaces and network policies.
PPP        Configure this if you need your service provider to provide an IP address through PPPoE or PPTP in order to access the Internet or another network.
1.6.1 Setting Up the WAN IPv6 Interface
In the CONFIGURATION > Network > Interface > Ethernet screen's IPv6 Configuration section, double-click wan1. The Edit Ethernet screen appears. Select Enable Interface and Enable IPv6. Select Enable Auto-Configuration. Click OK.
Note: Your ISP or uplink router should enable router advertisement.
1.6.2 Setting Up the LAN Interface
In the CONFIGURATION > ...
You have completed the settings on the ZyWALL. But if you want to request a network address prefix from your ISP for the computers on your LAN, you can configure prefix delegation (see Section 2.6.3 on page 40).
1.6.3 Prefix Delegation and Router Advertisement Settings
This example shows how to configure prefix delegation on the ZyWALL's WAN and router advertisement on the LAN.
[Figure 23: Pure IPv6 Network Example Using Prefix Delegation. Addresses shown: 2001:b050:2d:1111::1/128 and 2002:b050:2d:1111::/64]
1.6.3.2 Setting Up the WAN IPv6 Interface
In the Configuration > Network > Interface > Ethernet screen's IPv6 Configuration section, double-click wan1. The Edit Ethernet screen appears. Select Enable Interface and Enable IPv6. Click Create new Object to add a DHCPv6 Request object with the Prefix Delegation type.
1.6.3.3 Setting Up the LAN Interface
In the Configuration > Network > Interface > Ethernet screen, double-click lan1 in the IPv6 Configuration section. The Edit Ethernet screen appears. Click Show Advanced Settings to display more settings on this screen. Select Enable Interface and Enable IPv6.
1.6.4 Test
Connect a computer to the ZyWALL's LAN1. Enable IPv6 support on your computer. In Windows XP, you need to use the IPv6 install command in a Command Prompt. In Windows 7, IPv6 is supported by default. You can enable IPv6 in the Control Panel > Network and Sharing Center > ...
... the LAN1 network address is assigned 2002:7a64:dcee:1::/64 and the LAN1 IP address is set to 2002:7a64:dcee:1::111/128. A relay router R (192.99.88.1) is used in this example to forward 6to4 packets to any unknown IPv6 addresses.
1.7.1 Configuration Concept
After the 6to4 tunnel settings are complete, IPv4 and IPv6 packets transmitted between WAN1 and LAN1 are handled by the ZyWALL through the following flow.
1.7.3 Setting Up the 6to4 Tunnel
Click Add in the CONFIGURATION > Network > Interface > Tunnel screen. The Add Tunnel screen appears. Select Enable. Enter tunnel0 as the Interface Name and select 6to4 as the Tunnel Mode. In the 6to4 Tunnel Parameter section, this example simply uses the default 6to4 Prefix, 2002::/16.
1.7.4 Testing the 6to4 Tunnel
Connect a computer to the ZyWALL's LAN1. Enable IPv6 support on your computer. In Windows XP, you need to use the IPv6 install command in a Command Prompt. In Windows 7, IPv6 is supported by default. You can enable IPv6 in the Control Panel > Network and Sharing Center > ...
You don't need to activate the WAN1 IPv6 interface, but make sure you enable the WAN1 IPv4 interface. In 6to4, the ZyWALL uses the WAN1 IPv4 interface to forward your 6to4 packets over the IPv4 network.
Note: For 6to4, you do not need to enable IPv6 on wan1, since the IPv6 packets are redirected into the 6to4 tunnel.
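The "convert the WAN1 IP address to hexadecimal" step in Scenario 1 and the 2002:7a64:dcee:1::/64 LAN prefix in this 6to4 section are both instances of the RFC 3056 address layout: 2002:, then the 32-bit public IPv4 address, giving a /48, then a 16-bit subnet ID. The Python below is an added example, not ZyXEL code; it derives the /48, the /64 to put in the Advertised Prefix Table and the /128 LAN interface address from any public WAN address, rejects non-routable WAN addresses (a private WAN address cannot work with 6to4), and recovers the IPv4 endpoint from a 6to4 address, which is handy when reading tunnel logs. Function names are my own.

```python
import ipaddress

# RFC 3056 reserves 2002::/16 for 6to4; bits 16..47 of the address carry the public IPv4 address.
SIXTO4 = ipaddress.IPv6Network("2002::/16")


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Return the /48 6to4 prefix that embeds the WAN's public IPv4 address.

    Same result as the manual 'convert each octet pair to hex' step, but bit
    arithmetic also handles octets that need a leading zero (10.0.0.1 -> 2002:a00:1::/48).
    """
    addr = ipaddress.IPv4Address(ipv4)
    if not addr.is_global:
        # A private or otherwise non-routable WAN address cannot be used for 6to4:
        # 6to4 relays on the IPv4 Internet would have no way to send packets back.
        raise ValueError(f"{ipv4} is not a globally routable IPv4 address")
    prefix_int = (0x2002 << 112) | (int(addr) << 80)
    return ipaddress.IPv6Network(f"{ipaddress.IPv6Address(prefix_int)}/48")


def sixto4_lan_network(ipv4: str, subnet_id: int = 0) -> ipaddress.IPv6Network:
    """The /64 to advertise on a LAN: the /48 plus a 16-bit subnet ID (Scenario 1 uses 0, 1.7 uses 1)."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet_id must fit in 16 bits")
    base = int(sixto4_prefix(ipv4).network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network(f"{ipaddress.IPv6Address(base)}/64")


def sixto4_lan_address(ipv4: str, subnet_id: int = 0, host_id: int = 1) -> ipaddress.IPv6Interface:
    """The /128 to enter as the LAN interface address (e.g. 2002:3b7c:a396::1/128)."""
    if not 0 < host_id < (1 << 64):
        raise ValueError("host_id must be a non-zero 64-bit interface identifier")
    base = int(sixto4_lan_network(ipv4, subnet_id).network_address) | host_id
    return ipaddress.IPv6Interface(f"{ipaddress.IPv6Address(base)}/128")


def embedded_ipv4(ipv6: str) -> ipaddress.IPv4Address:
    """Recover the IPv4 endpoint a 6to4 address is tunnelled to; rejects addresses outside 2002::/16."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIXTO4:
        raise ValueError(f"{ipv6} is not a 6to4 (2002::/16) address")
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


if __name__ == "__main__":
    # The document's own values: Scenario 1 WAN1 59.124.163.150 and the 1.7 LAN1 prefix 2002:7a64:dcee:1::/64.
    print(sixto4_prefix("59.124.163.150"))        # 2002:3b7c:a396::/48
    print(sixto4_lan_address("59.124.163.150"))   # 2002:3b7c:a396::1/128
    print(embedded_ipv4("2002:7a64:dcee:1::111"))  # 122.100.220.238
```

The Scenario 4 gateway addresses (2002:3b7c:a397:...) are 6to4 addresses too; embedded_ipv4 on them returns the WAN address 59.124.163.151 that their IPv6 traffic actually rides on.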
[Figure labels: TUNNEL, Policy Route]
1.8.2 Setting Up the IPv6-in-IPv4 Tunnel
Click Add in the CONFIGURATION > Network > Interface > Tunnel screen. The Edit Tunnel screen appears. Select Enable. Enter tunnel0 as the Interface Name and select IPv6-in-IPv4 as the Tunnel Mode. Select wan1 in the Interface field in the Gateway Settings section. Enter 5.6.7.8 as the remote gateway's IP address. Click OK.
1.8.3 Setting Up the LAN IPv6 Interface
Select lan1 in the IPv6 Configuration section in the CONFIGURATION > ...
1.8.4 Setting Up the Policy Route
Go to the CONFIGURATION > Network > Routing screen and click Add in the IPv6 Configuration table. The Add Policy Route screen appears. Click Create New Object to create an IPv6 address object with the address prefix 2003:1111:1111:1::/64. Select Enable.
1.8.5 Testing the IPv6-in-IPv4 Tunnel
Connect a computer to the ZyWALL's LAN1. Enable IPv6 support on your computer. In Windows XP, you need to use the IPv6 install command in a Command Prompt. In Windows 7, IPv6 is supported by default. You can enable IPv6 in the Control Panel > Network and Sharing Center > ...
Tutorial 2: Protecting Your Network
These sections cover configuring the ZyWALL to protect your network.
• Firewall on page 53
• User-aware Access Control on page 54
• Endpoint Security (EPS) on page 55
• Device and Service Registration on page 55
• ...
2.1.1 What Can Go Wrong
• The ZyWALL checks the firewall rules in order and applies the first firewall rule the traffic matches. If traffic is unexpectedly blocked or allowed, make sure the firewall rule you want to apply to the traffic comes before any other rules that the traffic would also match.
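As an added illustration of the two behaviours described here and in Scenario 11 (the first matching firewall rule wins, and the UTM profile is consulted only for traffic that rule allows), the following Python is a model written for this note, not ZyWALL code; the zones, services, application names and rule names are constructed. It shows how a broad allow rule placed above a specific deny rule silently shadows it, while App Patrol on the allow rule still drops the application it is configured for.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    service: str           # service object the packet matches, e.g. "FTP", "HTTP"
    application: str = ""  # application identified by App Patrol, e.g. "Skype"; empty if none


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str          # "any" matches every zone
    dst_zone: str
    service: str           # "any" matches every service
    action: str            # "allow" or "deny"
    app_patrol_drop: Tuple[str, ...] = ()  # applications the attached App Patrol profile drops


def _matches(rule_value: str, pkt_value: str) -> bool:
    return rule_value == "any" or rule_value == pkt_value


def first_match(rules: Sequence[Rule], pkt: Packet) -> Optional[Rule]:
    """Rules are checked in order; the first rule the traffic matches wins (section 2.1.1)."""
    for rule in rules:
        if (_matches(rule.src_zone, pkt.src_zone)
                and _matches(rule.dst_zone, pkt.dst_zone)
                and _matches(rule.service, pkt.service)):
            return rule
    return None


def evaluate(rules: Sequence[Rule], pkt: Packet, default_action: str = "deny") -> Tuple[str, str]:
    """Unified policy flow (Scenario 11): firewall decision first, UTM profile only for allowed traffic."""
    rule = first_match(rules, pkt)
    if rule is None:
        return default_action, "default"
    if rule.action == "deny":
        return "deny", rule.name  # dropped by the firewall rule; the UTM profile is never consulted
    if pkt.application and pkt.application in rule.app_patrol_drop:
        return "drop", f"{rule.name}:app-patrol"
    return "allow", rule.name


# Constructed rule sets that differ only in order. In ALLOW_FIRST the broad allow rule
# shadows the specific deny rule, which is the 2.1.1 "what can go wrong" case.
DENY_FIRST = (
    Rule("block_ftp_out", "LAN1", "WAN", "FTP", "deny"),
    Rule("lan1_out", "LAN1", "WAN", "any", "allow", app_patrol_drop=("Skype",)),
)
ALLOW_FIRST = (DENY_FIRST[1], DENY_FIRST[0])


def decisions(rules: Sequence[Rule]) -> Tuple[Tuple[str, str], ...]:
    """Decisions for three constructed packets: FTP out, Skype over HTTP out, SSH in from the WAN."""
    pkts = (
        Packet("LAN1", "WAN", "FTP"),
        Packet("LAN1", "WAN", "HTTP", application="Skype"),
        Packet("WAN", "LAN1", "SSH"),
    )
    return tuple(evaluate(rules, p) for p in pkts)


if __name__ == "__main__":
    print(decisions(DENY_FIRST))   # FTP denied by block_ftp_out
    print(decisions(ALLOW_FIRST))  # FTP allowed by lan1_out: block_ftp_out is never reached
```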
2.3 Endpoint Security (EPS) Use endpoint security objects with authentication policies or SSL VPN to make sure users’ computers meet specific security requirements before they are allowed to access the network. Configure endpoint security objects (Configuration > Object > Endpoint Security > Add). Configure an authentication policy to use the endpoint security objects (Configuration >...
Page 110
2.5 Anti-Virus Policy Configuration This tutorial shows you how to configure an Anti-Virus policy. Note: You need to first activate your Anti-Virus service license or trial. See Device and Service Registration on page Click Configuration > Anti-X > Anti-Virus to display the Anti-Virus General screen. In the Policies section click Add to display the Add Rule screen.
Page 111
The policy configured in the previous step will display in the Policies section. Select Enable Anti- Virus and Anti-Spyware and click Apply. 2.5.1 What Can Go Wrong • The ZyWALL does not scan the following file/traffic types: • Simultaneous downloads of a file using multiple connections. For example, when you use FlashGet to download sections of a file simultaneously.
2.6 IDP Profile Configuration IDP (Intrusion, Detection and Prevention) detects malicious or suspicious packets and protects against network-based intrusions. Note: You need to first activate your IDP service license or trial. See Device and Service Registration on page You may want to create a new profile if not all signatures in a base profile are applicable to your network.
Edit the default log options and actions. 2.7 ADP Profile Configuration ADP (Anomaly Detection and Prevention) protects against anomalies based on violations of protocol standards (RFCs – Requests for Comments) and abnormal traffic flows such as port scans. You may want to create a new profile if not all traffic or protocol rules in a base profile are applicable to your network.
Note: If Internet Explorer opens a warning screen about a script making Internet Explorer run slowly and the computer possibly becoming unresponsive, just click No to continue. The Traffic Anomaly screen will display. Type a new profile Name. Enable or disable individual scan or flood types by selecting a row and clicking Activate or Inactivate.
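As an added illustration of the scan and flood anomalies that an ADP traffic anomaly profile looks for (example code written for this note, not ZyXEL's detection engine), the following Python script runs a sliding-window port-scan check and a packet-flood check over constructed flow records; the record format and the threshold values are assumptions.

```python
from collections import defaultdict, deque

# Constructed flow records (seconds, source IP, destination IP, destination port).
# Addresses reuse sample values from this note; these are not ZyWALL logs.
SCAN = [(0.1 * i, "10.0.0.99", "192.168.1.56", 1 + i) for i in range(30)]        # 30 ports in 3 s
NORMAL = [(0.5 * i, "192.168.1.10", "1.1.1.1", 80) for i in range(40)]            # ordinary web hits
FLOOD = [(5.0 + 0.004 * i, "10.0.0.77", "192.168.1.56", 80) for i in range(150)]  # 150 pkts in 0.6 s
FLOWS = sorted(SCAN + NORMAL + FLOOD)


def detect_port_scans(flows, window=10.0, min_ports=20):
    """Flag (src, dst) pairs where one source touches at least `min_ports`
    distinct destination ports on one host within `window` seconds.
    `flows` must be sorted by time; the thresholds are assumed tuning values."""
    alerts, recent = set(), defaultdict(deque)  # (src, dst) -> deque of (time, port)
    for t, src, dst, port in flows:
        q = recent[(src, dst)]
        q.append((t, port))
        while q and t - q[0][0] > window:       # drop records older than the window
            q.popleft()
        if len({p for _, p in q}) >= min_ports:
            alerts.add((src, dst))
    return sorted(alerts)


def detect_floods(flows, window=1.0, max_packets=100):
    """Flag destinations that receive more than `max_packets` packets within any
    `window`-second span (a flood), regardless of source or port."""
    alerts, recent = set(), defaultdict(deque)  # dst -> deque of packet times
    for t, _src, dst, _port in flows:
        q = recent[dst]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) > max_packets:
            alerts.add(dst)
    return sorted(alerts)


if __name__ == "__main__":
    print("port scans:", detect_port_scans(FLOWS))   # [('10.0.0.99', '192.168.1.56')]
    print("floods:", detect_floods(FLOWS))           # ['192.168.1.56']
```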
2.8 Content Filter Profile Configuration Content filter allows you to control access to specific web sites or filter web content by checking against an external database. This tutorial shows you how to configure a Content Filter profile. Note: You need to first activate your Content Filter service license or trial to use Commtouch or BlueCoat content filtering service.
Click the General tab and in the Policies section click Add. In the Add Policy screen that appears, select the Filter Profile you created in the previous step. Click OK. In the General screen, the configured policy will appear in the Policies section. Select Enable Content Filter and select BlueCoat.
2.9 Viewing Content Filter Reports Content filtering reports are generated statistics and charts of access attempts to web sites belonging to the categories you selected in your device content filter screen. You need to register your iCard before you can view content filtering reports. Alternatively, you can also view content filtering reports during the free trial (up to 30 days).
In the Web Filter Home screen, click Commtouch Report or BlueCoat Report. Select items under Global Reports to view the corresponding reports. Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report.
A chart and/or list of requested web site categories display in the lower half of the screen. You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.
2.10 Anti-Spam Policy Configuration This tutorial shows you how to configure an Anti-Spam policy with Mail Scan functions and DNS Black List (DNSBL). Note: You need to first activate your Anti-Spam service license or trial to use the Mail Scan functions (Sender Reputation, Mail Content Analysis and Virus Outbreak Detection).
Click the General tab. In the Policy Summary section, click Add to display the Add rule screen. Select from the list of available Scan Options and click OK to return to the General screen. In the General screen, the policy configured in the previous step will display in the Policy Summary section.
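To show what the DNS Black List (DNSBL) option in the Anti-Spam policy actually does, here is an added Python example (not ZyXEL's code) that builds the reversed-octet DNSBL query for a sender address, interprets the 127.0.0.0/8 answer codes, and runs the RFC 5782 self-test before trusting a zone; the zone name, the fake resolver and the rule that private senders are skipped are assumptions.

```python
import ipaddress
from typing import Callable, List, Optional

# Assumed DNSBL zone name (placeholder); a deployment uses the zone configured on the ZyWALL.
DNSBL_ZONE = "dnsbl.example"
LISTING_CODES = ipaddress.IPv4Network("127.0.0.0/8")   # valid DNSBL answers (RFC 5782)

Resolver = Callable[[str], List[str]]   # query name -> A records ([] means NXDOMAIN)


def dnsbl_query_name(sender_ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL query name: reverse the IPv4 octets and append the zone."""
    ip = ipaddress.IPv4Address(sender_ip)          # rejects anything that is not IPv4
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def is_listed(sender_ip: str, resolve: Resolver, zone: str = DNSBL_ZONE) -> Optional[str]:
    """Return the listing code (an A record in 127.0.0.0/8) if the sender is
    listed, else None. Answers outside 127/8 (for example a wildcarded or
    hijacked domain) are ignored so they cannot turn every sender into spam."""
    for answer in resolve(dnsbl_query_name(sender_ip, zone)):
        if ipaddress.IPv4Address(answer) in LISTING_CODES:
            return answer
    return None


def dnsbl_healthy(resolve: Resolver, zone: str = DNSBL_ZONE) -> bool:
    """RFC 5782 self-test: 127.0.0.2 must be listed and 127.0.0.1 must not be.
    A zone that fails this test should not be used for spam decisions."""
    return (is_listed("127.0.0.2", resolve, zone) is not None
            and is_listed("127.0.0.1", resolve, zone) is None)


def classify_sender(sender_ip: str, resolve: Resolver) -> str:
    """Verdict for one SMTP sender: 'skip' for private/loopback sources (assumed
    policy: internal relays are never looked up), otherwise 'spam' or 'clean'."""
    if ipaddress.IPv4Address(sender_ip).is_private:
        return "skip"
    return "spam" if is_listed(sender_ip, resolve) else "clean"


# Constructed stand-in for a DNS lookup so the example runs offline.
FAKE_DNS = {
    "4.3.2.1.dnsbl.example": ["127.0.0.2"],    # constructed sender 1.2.3.4 is listed
    "2.0.0.127.dnsbl.example": ["127.0.0.2"],  # RFC 5782 test entry, must be listed
    "1.0.0.127.dnsbl.example": [],             # RFC 5782 test entry, must not be listed
}


def fake_resolve(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])
```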
Tutorial 3: Create Secure Connections Across the Internet These sections cover using VPN to create secure connections across the Internet. • IPSec VPN on page 69 • VPN Concentrator Example on page 71 • Hub-and-spoke IPSec VPN Without VPN Concentrator on page 73 •...
3.1.3 What Can Go Wrong If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into both IPSec routers and check the settings in each field methodically and slowly. Make sure both the ZyWALL and remote IPSec router have the same security settings for the VPN tunnel.
If you have the Configuration > VPN > IPSec VPN > VPN Connection screen’s Use Policy Route to control dynamic IPSec rules option enabled and the VPN connection is up but VPN traffic cannot be transmitted through the VPN tunnel, check the routing policies to see if they are sending traffic elsewhere instead of through the VPN tunnels.
• Destination: 192.168.11.0 • Next Hop: VPN Tunnel 2 3.2.1 What Can Go Wrong Consider the following when using the VPN concentrator. • The local IP addresses configured in the VPN rules should not overlap. • The concentrator must have at least one separate VPN rule for each spoke. In the local policy, specify the IP addresses of the networks with which the spoke is to be able to have a VPN tunnel.
• To have all Internet access from the spoke routers go through the VPN tunnel, set the VPN rules in the spoke routers to use 0.0.0.0 (any) as the remote IP address. • Your firewall rules can still block VPN packets. •...
Figure 32: ZyWALL IPSec VPN Client with VPN Tunnel Connected 3.4.2 Configuration Steps In the ZyWALL Quick Setup wizard, use the VPN Settings for Configuration Provisioning wizard to create a VPN rule that can be used with the ZyWALL IPSec VPN Client. Click Configuration >...
Click OK. The rule settings are now imported from the ZyWALL into the ZyWALL IPSec VPN Client. 3.4.3 What Can Go Wrong • VPN rule settings violate the ZyWALL IPSec VPN Client restrictions: Check that the rule does not contain AH active protocol, NULL encryption, SHA512 authentication, or a subnet/range remote policy.
Figure 33: SSL application access from the 192.168.1.X network (Non-Web Application Server, Web Mail, File Share, Web-based Application over https://) • Click Configuration > Object > SSL Application and configure an SSL application object to specify the type of application and the address of the local computer, server, or web site SSL users are to be able to access.
• Sun’s Java Runtime Environment (JRE) version 1.6 or later installed and enabled. • Changing the HTTP/HTTPS configuration disconnects SSL VPN network extension sessions. Users need to re-connect if this happens.
3.6 L2TP VPN with Android, iOS, and Windows L2TP VPN uses the L2TP and IPSec client software included in remote users’ Android, iOS, or Windows operating systems for secure connections to the network behind the ZyWALL. L2TP VPN uses one of the ZyWALL’s IPSec VPN connections. Edit Default_L2TP_VPN_GW as follows: •...
• The VPN rule allows the remote user to access the LAN1_SUBNET (the 192.168.1.x subnet). Do the following to configure the L2TP VPN example:...
Click Configuration > VPN > IPSec VPN > VPN Gateway and double-click the Default_L2TP_VPN_GW entry. Select Enable. Set My Address. This example uses a WAN interface with static IP address 172.16.1.2. Set Authentication to Pre-Shared Key and configure a password. This example uses top-secret.
Select Enable, set Application Scenario to Remote Access and Local Policy to L2TP_IFACE, and click OK.
Click Configuration > VPN > L2TP VPN and then Create New Object > Address to create an IP address pool for the L2TP VPN clients. This example uses L2TP_POOL with a range of 192.168.10.10 to 192.168.10.20. Click Create New Object > User/Group to create a user object for the users allowed to use the tunnel.
To manage the ZyWALL through the L2TP VPN tunnel, create a routing policy that sends the ZyWALL’s return traffic back through the L2TP VPN tunnel. • Set Incoming to ZyWALL. • Set Destination Address to the L2TP address pool. •...
• Set the Next-Hop Type to Trunk and select the appropriate WAN trunk. 3.6.3 Configuring L2TP VPN in Android To configure L2TP VPN in an Android device, go to Menu > Settings > Wireless & networks > VPN settings > Add VPN > Add L2TP/IPSec PSK VPN and configure as follows. The example settings here go along with the L2TP VPN configuration example in Section 4.6.1 on page •...
• Secret is the pre-shared key of the IPSec VPN gateway the ZyWALL uses for L2TP VPN over IPSec (top-secret in this example). • Send All Traffic leave this on. • Proxy leave this off. 3.6.5 Configuring L2TP VPN in Windows The following sections cover how to configure L2TP in remote user computers using Windows 7, Vista, or XP.
Click Close. Configure the Connection Object In the Network and Sharing Center screen, click Connect to a network. Right-click the L2TP VPN connection and select Properties. In Windows 7, click Security and set the Type of VPN to Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec).
If a warning screen appears about data encryption not occurring if PAP or CHAP is negotiated, click Yes. When you use L2TP VPN to connect to the ZyWALL, the ZyWALL establishes an encrypted IPSec VPN tunnel first and then builds an L2TP tunnel inside it. The L2TP tunnel itself does not need encryption since it is inside the encrypted IPSec VPN tunnel.
L2TP to ZyWALL After the connection is up a connection icon displays in your system tray. Click it and then the L2TP connection to open a status screen. Click the L2TP connection’s View status link to open a status screen. Click Details to confirm that the address you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20 in the example).
Click Next in the Welcome screen. Select Connect to the network at my workplace and click Next. Select Virtual Private Network connection and click Next. Type L2TP to ZyWALL as the Company Name. Select Do not dial the initial connection and click Next.
Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN (172.16.1.2 in this example). Click Finish. The Connect L2TP to ZyWALL screen appears. Click Properties > Security. Click Security, select Advanced (custom settings) and click Settings.
Click IPSec Settings. Select the Use pre-shared key for authentication check box and enter the pre-shared key used in the VPN gateway configuration that the ZyWALL is using for L2TP VPN. Click OK. Click Networking. Select L2TP IPSec VPN as the Type of VPN. Click OK.
Enter the user name and password of your ZyWALL account. Click Connect. A window appears while the user name and password are verified. A ZyWALL-L2TP icon displays in your system tray. Double-click it to open a status screen. Click Details to see the address that you received from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20).
Access a server or other network resource behind the ZyWALL to make sure your access works. 3.6.6 What Can Go Wrong The IPSec VPN connection must: • Be enabled • Use transport mode • Not be a manual key VPN connection •...
[Figure: File Server, Email Server, Web-based Application] Here is an overview of how to use OTP. See the ZyWALL OTPv2 support note for details.
Install the SafeWord 2008 authentication server software on a computer. Create user accounts on the ZyWALL and in the SafeWord 2008 authentication server. Import each ZyWALL OTPv2 token’s database file (located on the included CD) into the server. Assign users to ZyWALL OTPv2 tokens on the server.
Tutorial 4: Managing Traffic These sections cover controlling the traffic going through the ZyWALL. • How to Configure Bandwidth Management on page 95 • How to Configure a Trunk for WAN Load Balancing • How to Use Multiple Static Public WAN IP Addresses for LAN-to-WAN Traffic on page 104 •...
• Outbound traffic goes from a LAN1 device to the WAN. The ZyWALL applies bandwidth management before sending the packets out a WAN interface. • Inbound traffic comes back from the WAN to the LAN1 device. The ZyWALL applies bandwidth management before sending the traffic out a LAN1 interface.
4.1.1 Bandwidth Allocation Example Say a 10-person office has WAN1 connected to a 50 Mbps downstream and 5 Mbps upstream VDSL line and you want to allocate bandwidth for the following: • SIP: Up to 10 simultaneous 100 Kbps calls guaranteed •...
• Inbound and outbound traffic are both guaranteed 1000 kbps and limited to 2000 kbps. Figure 37: SIP Any-to-WAN Guaranteed / Maximum Bandwidths Example (Outbound: 1000/2000 kbps; Inbound: 1000/2000 kbps) In the Configuration > BWM screen, click Add. In the Add Policy screen, select Enable and type SIP Any-to-WAN as the policy’s name. Leave the incoming interface set to any and select wan1 as the outgoing interface.
Figure 38: HTTP Any-to-WAN Bandwidth Management Example (Outbound: bandwidth not managed; Inbound: 10240 kbps guaranteed, 46080 kbps maximum) In the Configuration > BWM screen, click Add. In the Add Policy screen, select Enable and type HTTP Any-to-WAN as the policy’s name. Leave the incoming interface set to any and select wan1 as the outgoing interface.
4.1.6 FTP WAN-to-DMZ Bandwidth Management Example Suppose the office has an FTP server on the DMZ. Here is how to limit WAN1 to DMZ FTP traffic so it does not interfere with SIP and HTTP traffic. • Allow remote users only 2048 kbps inbound for downloading from the DMZ FTP server but up to 10240 kbps outbound for uploading to the DMZ FTP server.
4.1.7 FTP LAN-to-DMZ Bandwidth Management Example FTP traffic from the LAN1 to the DMZ can use more bandwidth since the interfaces support up to 1 Gbps connections, but give it lower priority and limit it to avoid interference with other traffic. •...
In the Configuration > BWM screen, click Add. In the Add Policy screen, select Enable and type FTP LAN-to-DMZ as the policy’s name. Select lan1 as the incoming interface and dmz as the outgoing interface. Select App Patrol Service and ftp as the service type. Type 10240 (kbps) with priority 5 for both the inbound and outbound guaranteed bandwidth.
4.1.8 What Can Go Wrong? • The “outbound” in the guaranteed bandwidth settings applies to traffic going from the connection initiator to the outgoing interface. The “inbound” refers to the reverse direction. • Make sure you have registered the IDP/App.Patrol service on the ZyWALL to use App Patrol Service as the service type in the bandwidth management rules.
Repeat the process to set the egress bandwidth for wan2 to 512 Kbps. For 3G interface settings, go to Configuration > Network > Interface > Cellular. Double-click the cellular1 entry and set the egress bandwidth for cellular1 to 512 Kbps. 4.2.2 Configure the WAN Trunk Click Configuration >...
Select the trunk as the default trunk and click Apply. 4.3 How to Use Multiple Static Public WAN IP Addresses for LAN-to-WAN Traffic If your ISP gave you a range of static public IP addresses, this example shows how to configure a policy route to have the ZyWALL use them for traffic it sends out from the LAN.
4.3.2 Configure the Policy Route Now you need to configure a policy route that has the ZyWALL use the range of public IP addresses as the source address for LAN to WAN traffic. Click Configuration > Network > Routing > Policy Route > Add (in IPv4 Configuration). It is recommended to add a description.
Management Access IP Addresses For each interface you can configure an IP address in the same subnet as the interface IP address to use to manage the ZyWALL whether it is the master or the backup. Synchronization Synchronize ZyWALLs of the same model and firmware version to copy the master ZyWALL’s configuration, signatures (anti-virus, IDP/application patrol, and system protect), and certificates to the backup ZyWALL so you do not need to do it manually.
4.4.2 Before You Start ZyWALL A should already be configured. You will use device HA to copy ZyWALL A’s settings to B later (in Section 5.4.4 on page 108). To avoid an IP address conflict, do not connect ZyWALL B to the LAN subnet until after you configure its device HA settings and the instructions tell you to deploy it (Section 5.4.5 on page 110).
Click the General tab, enable device HA, and click Apply. 4.4.4 Configure the Backup ZyWALL Connect a computer to ZyWALL B’s LAN interface and log into its Web Configurator. Connect ZyWALL B to the Internet and subscribe it to the same subscription services (like content filtering and anti-virus) to which ZyWALL A is subscribed.
Set the Device Role to Backup. Activate monitoring for the LAN and WAN interfaces. Set the Synchronization Server Address to 192.168.1.1, the Port to 21, and the Password to “mySyncPassword”. Retype the password, select Auto Synchronize, and set the Interval to 60. Click Apply.
4.4.5 Deploy the Backup ZyWALL Connect ZyWALL B’s LAN interface to the LAN network. Connect ZyWALL B’s WAN interface to the same router that ZyWALL A’s WAN interface uses for Internet access. ZyWALL B copies A’s configuration (and re-synchronizes with A every hour). If ZyWALL A fails or loses its LAN or WAN connection, ZyWALL B functions as the master.
Click Add in the Configuration table. The following screen appears. Select Enable, enter *.example.com as the Query Domain Name. Enter 300 in the Time to Live field to have DNS query senders keep the resolved DNS entries on their computers for 5 minutes. Select any in the IP Address field and WAN in the Zone field to apply this rule for all DNS query messages the WAN zone receives.
4.6 How to Allow Public Access to a Web Server This is an example of making an HTTP (web) server in the DMZ zone accessible from the Internet (the WAN zone). In this example you have public IP address 1.1.1.1 that you will use on the WAN interface and map to the HTTP server’s private IP address of 192.168.3.7.
4.6.2 Set Up a Firewall Rule Create a firewall rule to allow the public to send HTTP traffic to IP address 1.1.1.1 in order to access the HTTP server. If a domain name is registered for IP address 1.1.1.1, users can just go to the domain name to access the web server.
4.6.3 What Can Go Wrong • The ZyWALL checks the firewall rules in order and applies the first firewall rule the traffic matches. If traffic matches a rule that comes earlier in the list, it may be unexpectedly blocked. • The ZyWALL does not apply the firewall rule. The ZyWALL only applies a zone’s rules to the interfaces that belong to the zone.
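The first-match behaviour described in both firewall "What Can Go Wrong" lists (Section 2.1.1 and here), as an added Python model that is not ZyXEL's code: it evaluates rules in order, maps interfaces to zones so that an interface outside any zone never matches a zone's rules, and reports rules that can never fire because an earlier, broader rule shadows them. The zone names, rule names and the interface-to-zone map are assumptions; the 1.1.1.1 web server address is the one used in this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed interface-to-zone map modelled on the ZyWALL default zone names.
ZONE_MAP = {"wan1": "WAN", "wan2": "WAN", "lan1": "LAN1", "dmz": "DMZ"}


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str        # "WAN", "LAN1", "DMZ" or "any"
    to_zone: str
    dest: str             # IPv4 network in CIDR form, or "any"
    port: Optional[int]   # TCP/UDP destination port, None = any service
    action: str           # "allow" or "deny"

    def matches(self, from_zone, to_zone, dest_ip, port):
        if self.from_zone not in ("any", from_zone) or self.to_zone not in ("any", to_zone):
            return False
        if self.dest != "any" and ip_address(dest_ip) not in ip_network(self.dest):
            return False
        return self.port is None or self.port == port

    def covers(self, other):
        """True when every packet `other` could match, this rule matches too."""
        zones_ok = self.from_zone in ("any", other.from_zone) and self.to_zone in ("any", other.to_zone)
        dest_ok = self.dest == "any" or (
            other.dest != "any" and ip_network(other.dest).subnet_of(ip_network(self.dest)))
        port_ok = self.port is None or self.port == other.port
        return zones_ok and dest_ok and port_ok


def first_match(rules, in_iface, out_iface, dest_ip, port, default="deny"):
    """First-match evaluation. An interface that belongs to no zone gets zone
    None, so zone-specific rules never apply to it (second bullet above)."""
    from_zone, to_zone = ZONE_MAP.get(in_iface), ZONE_MAP.get(out_iface)
    for rule in rules:
        if rule.matches(from_zone, to_zone, dest_ip, port):
            return rule.name, rule.action
    return "default", default


def shadowed_rules(rules):
    """Names of rules that can never fire because an earlier rule covers them."""
    return [b.name for i, b in enumerate(rules) if any(a.covers(b) for a in rules[:i])]


# Constructed rule set for the DMZ web server example.
ALLOW_WEB = Rule("Allow_HTTP_to_WebServer", "WAN", "DMZ", "1.1.1.1/32", 80, "allow")
BLOCK_WAN = Rule("Block_WAN_to_DMZ", "WAN", "DMZ", "any", None, "deny")
WRONG_ORDER = [BLOCK_WAN, ALLOW_WEB]   # broad deny listed first: the allow rule is shadowed
RIGHT_ORDER = [ALLOW_WEB, BLOCK_WAN]   # specific allow first, broad deny after it

if __name__ == "__main__":
    print(first_match(WRONG_ORDER, "wan1", "dmz", "1.1.1.1", 80))   # ('Block_WAN_to_DMZ', 'deny')
    print(first_match(RIGHT_ORDER, "wan1", "dmz", "1.1.1.1", 80))   # ('Allow_HTTP_to_WebServer', 'allow')
    print(shadowed_rules(WRONG_ORDER))                                # ['Allow_HTTP_to_WebServer']
```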
Figure 47: Configuration > Network > ALG 4.7.1.2 Set Up a NAT Policy For H.323 In this example, you need a NAT policy to forward H.323 (TCP port 1720) traffic received on the ZyWALL’s 10.0.0.8 WAN IP address to LAN IP address 192.168.1.56. Click Configuration >...
4.7.1.3 Set Up a Firewall Rule For H.323 Configure a firewall rule to allow H.323 (TCP port 1720) traffic received on the WAN_IP-for-H323 IP address to go to LAN IP address 192.168.1.56. Click Configuration > Firewall > Add. In the From field select WAN. In the To field select LAN1.
4.7.2 How to Use an IPPBX on the DMZ This is an example of making an IPPBX x6004 using SIP in the DMZ zone accessible from the Internet (the WAN zone). In this example you have public IP address 1.1.1.2 that you will use on the WAN interface and map to the IPPBX’s private IP address of 192.168.3.9.
4.7.2.2 Set Up a NAT Policy for the IPPBX Click Configuration > Network > NAT > Add > Create New Object > Address and create an IPv4 host address object for the IPPBX’s private DMZ IP address of 192.168.3.9. Repeat to create a host address object named IPPBX-Public for the public WAN IP address 1.1.1.2.
4.7.2.4 Set Up a DMZ to LAN Firewall Rule for SIP The firewall blocks traffic from the DMZ zone to the LAN1 zone by default so you need to create a firewall rule to allow the IPPBX to send SIP traffic to the SIP clients on the LAN. Click Configuration >...
4.8 How to Limit Web Surfing and MSN to Specific People The following is an example of using application patrol (AppPatrol) to enforce web surfing and MSN policies for the sales department of a company. 4.8.1 Set Up Web Surfing Policies Before you configure any policies, you must have already subscribed for the application patrol service.
Change the access to Drop because you do not want anyone except authorized user groups to browse the web. Click OK. Click the Add icon in the policy list. In the new policy, select Sales as the user group allowed to browse the web.
Click Configuration > AppPatrol > Query, and in the second dropdown menu, select Instant Messager, and click Search. Then, double-click the msn entry to edit it. Double-click the Default policy. Change the access to Drop because you do not want anyone except the authorized user group (sales) to use MSN.
Click Configuration > AppPatrol > Query, and in the second dropdown menu, select Instant Messager, and click Search. Then, double-click the msn entry to edit it. Click the Add icon in the policy list. In the new policy , select WorkHours as the schedule and Sales as the user group that is allowed to use MSN at the appointed schedule.
Now only the sales group may use MSN during work hours on week days. 4.8.3 What Can Go Wrong If you have not already subscribed for the application patrol service, you will not be able to configure any policies. You can do so by using the Configuration > Licensing > Registration screens or using one of the wizards.