ZyXEL Communications ZyWALL 110 User Manual
ZyWALL/USG Series
ZyWALL 110 / 310 / 1100
USG40 / USG40W / USG60 / USG60W / USG110 / USG210 /
USG310 / USG1100 / USG1900
Security Firewalls
Version 4.15
Edition 1, 1/2016
Quick Start Guide
User's Guide
Default Login Details
  LAN Port IP Address: https://192.168.1.1
  User Name: admin
  Password: 1234
www.zyxel.com
Copyright © 2016 ZyXEL Communications Corporation


Summary of Contents for ZyXEL Communications ZyWALL 110

  • Page 2 IMPORTANT! READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE. This is a User’s Guide for a series of products. Not all products support all firmware features. Screenshots and graphics in this book may differ slightly from your product due to differences in your product firmware or your computer operating system.
  • Page 3: Table Of Contents

    Part I: User's Guide (p. 19)
    Chapter 1 Introduction (p. 21)
    1.1 Overview (p. 21)
    1.1.1 Applications (p. 22)
    1.2 Management Overview (p. 24)
    1.3 Web Configurator (p. 25)
    1.3.1 Web Configurator Access (p. 25)
    1.3.2 Web Configurator Screens Overview (p. 28)
    1.3.3 Navigation Panel (p. 31)
    1.3.4 Tables and Lists (p. 38)
    Chapter 2 Installation Setup Wizard (p. 41)
    2.1 Installation Setup Wizard Screens (p. 41)
    ...
  • Page 4
    4.2.3 Configure WAN IP Settings (p. 59)
    4.2.4 ISP and WAN and ISP Connection Settings (p. 60)
    4.2.5 Quick Setup Interface Wizard: Summary (p. 62)
    4.3 VPN Setup Wizard (p. 63)
    4.3.1 Welcome (p. 64)
    4.3.2 VPN Setup Wizard: Wizard Type (p. 65)
    4.3.3 VPN Express Wizard - Scenario (p. 65)
    4.3.4 VPN Express Wizard - Configuration (p. 67)
    4.3.5 VPN Express Wizard - Summary (p. 67)
    4.3.6 VPN Express Wizard - Finish (p. 68)
    ...
  • Page 5
    5.2.6 System Resources Screen (p. 97)
    5.2.7 CPU Usage Screen (p. 98)
    5.2.8 Memory Usage Screen (p. 99)
    5.2.9 Active Session Screen (p. 100)
    5.2.10 Extension Slot Screen (p. 101)
    5.2.11 Interface Status Summary Screen (p. 101)
    5.2.12 Secured Service Status Screen (p. 103)
    5.2.13 Content Filter Statistics Screen (p. 104)
    5.2.14 Top 5 Viruses Screen (p. 104)
    5.2.15 Top 5 Intrusions Screen (p. 105)
    5.2.16 Top 5 IPv4/IPv6 Security Policy Rules that Blocked Traffic Screen (p. 105)
    ...
  • Page 6
    6.15.1 Regular Expressions in Searching IPSec SAs (p. 138)
    6.16 The SSL Screen (p. 138)
    6.17 The L2TP over IPSec Session Monitor Screen (p. 139)
    6.18 The App Patrol Screen (p. 140)
    6.19 The Content Filter Screen (p. 141)
    6.20 The IDP Screen (p. 143)
    6.21 The Anti-Virus Screen (p. 145)
    6.22 The Anti-Spam Screens (p. 146)
    6.22.1 Anti-Spam Report (p. 147)
    6.22.2 The Anti-Spam Status Screen (p. 149)
    ...
  • Page 7
    Chapter 9 Interfaces (p. 181)
    9.1 Interface Overview (p. 181)
    9.1.1 What You Can Do in this Chapter (p. 181)
    9.1.2 What You Need to Know (p. 182)
    9.1.3 What You Need to Do First (p. 186)
    9.2 Port Role Screen (p. 186)
    9.3 Ethernet Summary Screen (p. 187)
    9.3.1 Ethernet Edit (p. 189)
    9.3.2 Object References (p. 205)
    9.3.3 Add/Edit DHCPv6 Request/Release Options (p. 205)
    ...
  • Page 8
    10.3 IP Static Route Screen (p. 276)
    10.3.1 Static Route Add/Edit Screen (p. 276)
    10.4 Policy Routing Technical Reference (p. 278)
    10.5 Routing Protocols Overview (p. 279)
    10.5.1 What You Need to Know (p. 279)
    10.6 The RIP Screen (p. 279)
    10.7 The OSPF Screen (p. 281)
    10.7.1 Configuring the OSPF Screen (p. 284)
    10.7.2 OSPF Area Add/Edit Screen (p. 285)
    10.7.3 Virtual Link Add/Edit Screen (p. 287)
    ...
  • Page 9
    14.1.2 Before You Begin (p. 310)
    14.2 The ALG Screen (p. 310)
    14.3 ALG Technical Reference (p. 313)
    Chapter 15 UPnP (p. 315)
    15.1 UPnP and NAT-PMP Overview (p. 315)
    15.2 What You Need to Know (p. 315)
    15.2.1 NAT Traversal (p. 315)
    15.2.2 Cautions with UPnP and NAT-PMP (p. 316)
    15.3 UPnP Screen (p. 316)
    15.4 Technical Reference (p. 317)
    15.4.1 Turning on UPnP in Windows 7 Example (p. 317)
    ...
  • Page 10
    19.1 Web Auth Overview (p. 339)
    19.1.1 What You Can Do in this Chapter (p. 339)
    19.1.2 What You Need to Know (p. 340)
    19.2 Web Authentication Screen (p. 340)
    19.2.1 Creating Exceptional Services (p. 343)
    19.2.2 Creating/Editing an Authentication Policy (p. 343)
    19.3 SSO Overview (p. 344)
    19.4 SSO - ZyWALL/USG Configuration (p. 346)
    19.4.1 Configuration Overview (p. 346)
    19.4.2 Configure the ZyWALL/USG to Communicate with SSO (p. 346)
    ...
  • Page 11
    22.1 Virtual Private Networks (VPN) Overview (p. 385)
    22.1.1 What You Can Do in this Chapter (p. 387)
    22.1.2 What You Need to Know (p. 388)
    22.1.3 Before You Begin (p. 390)
    22.2 The VPN Connection Screen (p. 390)
    22.2.1 The VPN Connection Add/Edit (IKE) Screen (p. 391)
    22.3 The VPN Gateway Screen (p. 398)
    22.3.1 The VPN Gateway Add/Edit Screen (p. 399)
    22.4 VPN Concentrator (p. 406)
    ...
  • Page 12
    24.7.5 Creating a New Folder (p. 441)
    24.7.6 Renaming a File or Folder (p. 441)
    24.7.7 Deleting a File or Folder (p. 442)
    24.7.8 Uploading a File (p. 442)
    Chapter 25 ZyWALL/USG SecuExtender (Windows) (p. 444)
    25.1 The ZyWALL/USG SecuExtender Icon (p. 444)
    25.2 Status (p. 444)
    25.3 View Log (p. 445)
    25.4 Suspend and Resume the Connection (p. 446)
    25.5 Stop the Connection (p. 446)
    ...
  • Page 13
    29.1.2 What You Need to Know (p. 474)
    29.1.3 Before You Begin (p. 475)
    29.2 Content Filter Profile Screen (p. 476)
    29.3 Content Filter Profile Add or Edit Screen (p. 478)
    29.3.1 Content Filter Add Profile Category Service (p. 478)
    29.3.2 Content Filter Add Filter Profile Custom Service (p. 486)
    29.4 Content Filter Trusted Web Sites Screen (p. 489)
    29.5 Content Filter Forbidden Web Sites Screen (p. 490)
    29.6 Content Filter Technical Reference (p. 491)
    ...
  • Page 14
    32.1 Overview (p. 530)
    32.1.1 What You Can Do in this Chapter (p. 530)
    32.1.2 What You Need to Know (p. 530)
    32.2 Before You Begin (p. 531)
    32.3 The Anti-Spam Profile Screen (p. 532)
    32.3.1 The Anti-Spam Profile Add or Edit Screen (p. 533)
    32.4 The Mail Scan Screen (p. 535)
    32.5 The Anti-Spam Black List Screen (p. 537)
    32.5.1 The Anti-Spam Black or White List Add/Edit Screen (p. 539)
    32.5.2 Regular Expressions in Black or White List Entries (p. 540)
    ...
  • Page 15
    35.2 User/Group Overview (p. 572)
    35.2.1 What You Need To Know (p. 573)
    35.2.2 User/Group User Summary Screen (p. 575)
    35.2.3 User/Group Group Summary Screen (p. 578)
    35.2.4 User/Group Setting Screen (p. 579)
    35.2.5 User/Group MAC Address Summary Screen (p. 584)
    35.2.6 User/Group Technical Reference (p. 585)
    35.3 AP Profile Overview (p. 586)
    35.3.1 Radio Screen (p. 587)
    35.3.2 SSID Screen (p. 593)
    ...
  • Page 16
    35.11.4 The Trusted Certificates Screen (p. 650)
    35.11.5 Certificates Technical Reference (p. 655)
    35.12 ISP Account Overview (p. 655)
    35.12.1 ISP Account Summary (p. 656)
    35.13 SSL Application Overview (p. 658)
    35.13.1 What You Need to Know (p. 658)
    35.13.2 The SSL Application Screen (p. 660)
    35.14 DHCPv6 Overview (p. 663)
    35.14.1 The DHCPv6 Request Screen (p. 664)
    35.14.2 The DHCPv6 Lease Screen (p. 665)
    Chapter 36 ...
  • Page 17
    36.7.7 HTTPS Example (p. 693)
    36.8 SSH (p. 700)
    36.8.1 How SSH Works (p. 701)
    36.8.2 SSH Implementation on the ZyWALL/USG (p. 702)
    36.8.3 Requirements for Using SSH (p. 702)
    36.8.4 Configuring SSH (p. 702)
    36.8.5 Secure Telnet Using SSH Examples (p. 703)
    36.9 Telnet (p. 704)
    36.9.1 Configuring Telnet (p. 704)
    36.10 FTP (p. 706)
    36.10.1 Configuring FTP (p. 706)
    36.11 SNMP (p. 707)
    ...
  • Page 18
    38.4 The Shell Script Screen (p. 748)
    Chapter 39 Diagnostics (p. 750)
    39.1 Overview (p. 750)
    39.1.1 What You Can Do in this Chapter (p. 750)
    39.2 The Diagnostic Screen (p. 750)
    39.2.1 The Diagnostics Files Screen (p. 751)
    39.3 The Packet Capture Screen (p. 752)
    39.3.1 The Packet Capture Files Screen (p. 754)
    39.4 The System Log Screen (p. 755)
    39.5 The Network Tool Screen (p. 756)
    39.6 The Wireless Frame Capture Screen (p. 757)
    ...
  • Page 19: Part I User's Guide

    User’s Guide...
  • Page 21: Chapter 1 Introduction

    • USG40 / USG40W / USG60 / USG60W support UTM but not SSL Inspection
    • USG40W / USG60W have built-in Wi-Fi functionality
    • ZyWALL 110, ZyWALL 310, ZyWALL 1100, USG110, USG210, USG310, USG1100, and USG1900 support Device HA (High Availability)
    • ...
  • Page 22: Applications

    Chapter 1 Introduction 1.1.1 Applications These are some ZyWALL/USG application scenarios. Security Router Security includes a Stateful Packet Inspection (SPI) firewall, and UTM (Unified Threat Management). ZyWALL models need a license to use UTM (Unified Threat Management) features. UTM features include the following: •...
  • Page 23 Chapter 1 Introduction VPN Connectivity Set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to provide secure access to your network. You can also purchase the ZyWALL/USG OTPv2 One-Time Password System for strong two-factor authentication for Web Configurator, Web access, SSL VPN, and ZyXEL IPSec VPN client user logins.
  • Page 24: Management Overview

    Chapter 1 Introduction
    Figure 5 Applications: User-Aware Access Control
    Load Balancing: Set up multiple connections to the Internet on the same port, or different ports, including cellular interfaces. In either case, you can balance the traffic loads between them.
    Figure 6 Applications: Multiple WAN Interfaces
    1.2 Management Overview: You can manage the ZyWALL/USG in the following ways.
  • Page 25: Web Configurator

    Chapter 1 Introduction Command-Line Interface (CLI) The CLI allows you to use text-based commands to configure the ZyWALL/USG. Access it using remote management (for example, SSH or Telnet) or via the physical or Web Configurator console port. See the Command Reference Guide for CLI details. The default settings for the console port are: Table 2 Console Port Default Settings SETTING...
  • Page 26 Chapter 1 Introduction In your browser go to http://192.168.1.1. By default, the ZyWALL/USG automatically redirects this request to its HTTPS server; keep that setting so that the login credentials are never sent in cleartext. The Login screen appears. Type the user name (default: “admin”) and password (default: “1234”). If you have an OTP (One-Time Password) token, generate a number and enter it in the One-Time Password field. Change the default password at first login: it is printed in this guide and is the same on every unit shipped.
  • Page 27 Chapter 1 Introduction If you select Never and you later want to bring this screen back, use these commands (note the space before the underscore):

        Router> enable
        Router# configure terminal
        Router(config)# service-register _setremind
          after-10-days
          after-180-days
          after-30-days
          every-time
          never
        Router(config)# service-register _setremind every-time
        Router(config)#

    See the Command Line Interface (CLI) Reference Guide (RG) for details on all supported...
  • Page 28: Web Configurator Screens Overview

    Chapter 1 Introduction 1.3.2 Web Configurator Screens Overview The Web Configurator screen is divided into these parts (as illustrated on page 27): • A - title bar • B - navigation panel • C - main window Title Bar Figure 8 Title Bar The title bar icons in the upper right corner provide the following functions.
  • Page 29 Chapter 1 Introduction About Click About to display basic information about the ZyWALL/USG. Figure 9 About Table 4 About LABEL DESCRIPTION Current Version This shows the firmware version of the ZyWALL/USG. Released Date This shows the date (yyyy-mm-dd) and time (hh:mm:ss) when the firmware is released. Click this to close the screen.
  • Page 30 Chapter 1 Introduction Object Reference Click Object Reference to open the Object Reference screen. Select the type of object and the individual object and click Refresh to show which configuration settings reference the object. Figure 11 Object Reference The fields vary with the type of object. This table describes labels that can appear in this screen. Table 5 Object References LABEL DESCRIPTION...
  • Page 31: Navigation Panel

    Chapter 1 Introduction Figure 12 Console Window CLI Messages Click CLI to look at the CLI commands sent by the Web Configurator. Open the pop-up window and then click some menus in the web configurator to display the corresponding commands. Figure 13 CLI Messages 1.3.3 Navigation Panel Use the navigation panel menu items to open status and configuration screens.
  • Page 32 Chapter 1 Introduction Figure 14 Navigation Panel Dashboard The dashboard displays general device information, system status, system resource usage, licensed service status, and interface status in widgets that you can re-arrange to suit your needs. See the Web Help for details on the dashboard. Monitor Menu The monitor menu screens display status and statistics information.
  • Page 33: Configuration Menu

    Chapter 1 Introduction Table 6 Monitor Menu Screens Summary (continued)
    Folder or link > Tab: Function
    UPnP > Port Status / Port Statistics: Displays details about UPnP connections going through the ZyWALL/USG.
    USB Storage > Storage Information: Displays details about the USB device connected to the ZyWALL/USG.
    Ethernet > Ethernet ...
  • Page 34 Chapter 1 Introduction Table 7 Configuration Menu Screens Summary (continued)
    Folder or link > Tab: Function
    Registration > Registration: Register the device and activate trial services.
    Registration > Service: View the licensed service status and upgrade licensed services.
    Signature Update > Anti-Virus: Update anti-virus signatures immediately or by a schedule.
    Signature Update > IDP/AppPatrol: Update IDP signatures immediately or by a schedule.
  • Page 35 Chapter 1 Introduction Table 7 Configuration Menu Screens Summary (continued)
    Folder or link > Tab: Function
    Layer 2 Isolation > General: Enable layer-2 isolation on the ZyWALL/USG and the internal interface(s).
    Layer 2 Isolation > White List: Enable and configure the white list.
    DNS Inbound > DNS Load Balancing: Configure DNS Load Balancing.
  • Page 36 Chapter 1 Introduction Table 7 Configuration Menu Screens Summary (continued)
    Folder or link > Tab: Function
    Black/White List: Set up a black list to identify files with virus file patterns and a white list to identify files that should not be checked for AV.
    Signature: Search for signatures by signature name or attributes and configure how the ZyWALL/USG uses them.
  • Page 37 Chapter 1 Introduction Table 7 Configuration Menu Screens Summary (continued)
    Folder or link > Tab: Function
    AAA Server > Active Directory: Configure the Active Directory settings.
    AAA Server > LDAP: Configure the LDAP settings.
    AAA Server > RADIUS: Configure the RADIUS settings.
    Auth. Method > Authentication Method: Create and manage ways of authenticating users.
    Certificate > My Certificates ...
  • Page 38: Tables And Lists

    Chapter 1 Introduction Maintenance Menu Use the maintenance menu screens to manage configuration and firmware files, run diagnostics, and reboot or shut down the ZyWALL/USG.
    Table 8 Maintenance Menu Screens Summary
    Folder or link > Tab: Function
    File Manager > Configuration File: Manage and upload configuration files for the ZyWALL/USG.
    File Manager > Firmware Package: View the current firmware version and upload firmware.
  • Page 39 Chapter 1 Introduction Figure 16 Common Table Column Options Select a column heading cell’s right border and drag to re-size the column. Figure 17 Resizing a Table Column Select a column heading and drag and drop it to change the column order. A green check mark displays next to the column’s title when you drag the column to a valid new location.
  • Page 40 Chapter 1 Introduction Figure 20 Common Table Icons Here are descriptions for the most common table icons. Table 9 Common Table Icons LABEL DESCRIPTION Click this to create a new entry. For features where the entry’s position in the numbered list is important (features where the ZyWALL/USG applies the table’s entries in order like the security policy for example), you can select an entry and click Add to create a new entry after the selected entry.
  • Page 41: Installation Setup Wizard

    Chapter 2 Installation Setup Wizard 2.1 Installation Setup Wizard Screens When you log into the Web Configurator for the first time or when you reset the ZyWALL/USG to its default configuration, the Installation Setup Wizard screen displays. This wizard helps you configure Internet connection settings and activate subscription services.
  • Page 42: Internet Access: Ethernet

    Chapter 2 Installation Setup Wizard Figure 23 Internet Access: Step 1 • I have two ISPs: Select this option to configure two Internet connections. Leave it cleared to configure just one. This option appears when you are configuring the first WAN interface. •...
  • Page 43: Internet Access: Pppoe

    Chapter 2 Installation Setup Wizard Figure 24 Internet Access: Ethernet Encapsulation • Encapsulation: This displays the type of Internet connection you are configuring. • First WAN Interface: This is the number of the interface that will connect with your ISP. •...
  • Page 44 Chapter 2 Installation Setup Wizard Figure 25 Internet Access: PPPoE Encapsulation 2.1.3.1 ISP Parameters • Type the PPPoE Service Name from your service provider. PPPoE uses a service name to identify and reach the PPPoE server. You can use alphanumeric and -_@$./ characters, and it can be up to 64 characters long.
  • Page 45: Internet Access: Pptp

    Chapter 2 Installation Setup Wizard • First / Second DNS Server: These fields display if you selected static IP address assignment. The Domain Name System (DNS) maps a domain name to an IP address and vice versa. Enter a DNS server's IP address(es). The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.
  • Page 46: Internet Access Setup - Second Wan Interface

    Chapter 2 Installation Setup Wizard • Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle Timeout in seconds that elapses before the router automatically disconnects from the PPTP server. 2.1.4.2 PPTP Configuration • Base Interface: This identifies the Ethernet interface you configure to connect with a modem or router.
  • Page 47: Internet Access Succeed

    Chapter 2 Installation Setup Wizard Figure 27 Internet Access: Step 3: Second WAN Interface 2.1.6 Internet Access Succeed This screen shows your Internet access settings that have been applied successfully. Figure 28 Internet Access Succeed 2.1.7 Wireless Settings: AP Controller The ZyWALL/USG can act as an AP Controller that can manage APs in the same network as the ZyWALL/USG.
  • Page 48: Wireless Settings: Ssid & Security

    Chapter 2 Installation Setup Wizard Figure 29 Wireless Settings: AP Controller Select Yes if you want your ZyWALL/USG to manage APs in your network; otherwise select No. 2.1.8 Wireless Settings: SSID & Security Configure SSID and wireless security in this screen. Figure 30 Wireless Settings: SSID &...
  • Page 49: Internet Access - Device Registration

    Chapter 2 Installation Setup Wizard • Pre-Shared Key - Enter a pre-shared key of between 8 and 63 case-sensitive ASCII characters (including spaces and symbols) or 64 hexadecimal characters. • Hidden SSID - Select this option if you want to hide the SSID in the outgoing beacon frame. A wireless client then cannot obtain the SSID through scanning using a site survey tool.
  • Page 50: Hardware, Interfaces And Zones

    3.1.1 Front Panels The LED indicators are located on the front panel. Figure 32 ZyWALL 110 / USG110 / USG210 Front Panel Figure 33 ZyWALL 310 / ZyWALL 1100 / USG310 / USG1100 / USG1900 Front Panel Figure 34 USG40 / USG40W Front Panel...
  • Page 51: Rear Panels

    3.1.2 Rear Panels The connection ports are located on the rear panel. Figure 36 ZyWALL 110 / USG110 / USG210 Rear Panel Figure 37 ZyWALL 310 / ZyWALL 1100 / USG310 / USG1100 / USG1900 Rear Panel ZyWALL/USG Series User’s Guide...
  • Page 52 Chapter 3 Hardware, Interfaces and Zones Figure 38 USG40 / USG40W Rear Panel Figure 39 USG60 / USG60W Rear Panel The following table describes the items on the rear panel Table 12 Rear Panel Items LABEL DESCRIPTION Console You can use the console port to manage the ZyWALL/USG using CLI commands. You will be prompted to enter your user name and password.
  • Page 53: Mounting

    Chapter 3 Hardware, Interfaces and Zones 3.2 Mounting Some models can be mounted in a rack, and some can be mounted on a wall.
    Table 13 Mounting Method
    Rack-mounting: ZyWALL 110, ZyWALL 310, ...
    Wall-mounting: USG40, USG40W, ...
  • Page 54: Wall-Mounting

    Chapter 3 Hardware, Interfaces and Zones 3.2.2 Wall-mounting See Table 13 on page 53 for the ZyWALL/USG models that can be wall-mounted. Do the following to attach your ZyWALL/USG to a wall. Drill two holes 3 mm ~ 4 mm (0.12" ~ 0.16") wide, 20 mm ~ 30 mm (0.79” ~ 1.18”) deep and 150 mm apart, into a wall.
  • Page 55: Default Zones, Interfaces, And Ports

    • USG60 wan1 wan2 lan1 lan1 lan1 lan1 • USG60W wan1 wan2 lan1 lan1 lan1 lan1 • ZyWALL 110 wan1 wan2 lan1 lan1 lan1 • USG110 • USG210 • ZyWALL 310 • ZyWALL 1100 • USG310 • USG1100 •...
  • Page 56: Stopping The Zywall/Usg

    OPT_PPP • USG60 WAN1 LAN1 LAN2 WAN1_PPP WAN2 WAN2_PPP • USG60W WAN1 LAN1 LAN2 WAN1_PPP WAN2 WAN2_PPP • ZyWALL 110 WAN1 LAN1 LAN2 • USG110 WAN1_PPP OPT_PPP • USG210 WAN2 WAN2_PPP • ZyWALL 310 GE3_PPP • ZyWALL 1100 GE1_PPP GE4_PPP •...
  • Page 57: Chapter 4 Quick Setup Wizards

    Chapter 4 Quick Setup Wizards 4.1 Quick Setup Overview The Web Configurator's quick setup wizards help you configure Internet and VPN connection settings. This chapter provides information on configuring the quick setup screens in the Web Configurator. See the feature-specific chapters in this User’s Guide for background information. In the Web Configurator, click Configuration >...
  • Page 58: Wan Interface Quick Setup

    Chapter 4 Quick Setup Wizards • Wizard Help If the help does not automatically display when you run the wizard, click the arrow to display it. 4.2 WAN Interface Quick Setup Click WAN Interface in the main Quick Setup screen to open the WAN Interface Quick Setup Wizard Welcome screen.
  • Page 59: Select Wan Type

    Chapter 4 Quick Setup Wizards Figure 43 Choose an Ethernet Interface 4.2.2 Select WAN Type WAN Type Selection: Select the type of encapsulation this connection is to use. Choose Ethernet when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your ISP.
  • Page 60: Isp And Wan And Isp Connection Settings

    Chapter 4 Quick Setup Wizards Figure 45 WAN Interface Setup: Step 2 Dynamic IP Figure 46 WAN Interface Setup: Step 2 Fixed IP • WAN Interface: This is the interface you are configuring for Internet access. • Zone: This is the security zone to which this interface and Internet connection belong. •...
  • Page 61 Chapter 4 Quick Setup Wizards Figure 47 WAN and ISP Connection Settings: (PPTP Shown) The following table describes the labels in this screen. Table 16 WAN and ISP Connection Settings LABEL DESCRIPTION ISP Parameter This section appears if the interface uses a PPPoE or PPTP Internet connection. Encapsulation This displays the type of Internet connection you are configuring.
  • Page 62: Quick Setup Interface Wizard: Summary

    Chapter 4 Quick Setup Wizards Table 16 WAN and ISP Connection Settings (continued) LABEL DESCRIPTION Base Interface This displays the identity of the Ethernet interface you configure to connect with a modem or router. Base IP Address Type the (static) IP address assigned to you by your ISP. IP Subnet Mask Type the subnet mask assigned to you by your ISP (if given).
  • Page 63: Vpn Setup Wizard

    Chapter 4 Quick Setup Wizards Figure 48 Interface Wizard: Summary WAN (PPTP Shown) The following table describes the labels in this screen. Table 17 Interface Wizard: Summary WAN LABEL DESCRIPTION Encapsulation This displays what encapsulation this interface uses to connect to the Internet. Service Name This field only appears for a PPPoE interface.
  • Page 64: Welcome

    Chapter 4 Quick Setup Wizards Figure 49 VPN Setup Wizard 4.3.1 Welcome Use wizards to create Virtual Private Network (VPN) rules. After you complete the wizard, the Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN >...
  • Page 65: Vpn Setup Wizard: Wizard Type

    Chapter 4 Quick Setup Wizards 4.3.2 VPN Setup Wizard: Wizard Type Choose Express to create a VPN rule with the default phase 1 and phase 2 settings to connect to another ZLD-based ZyWALL/USG using a pre-shared key. Choose Advanced to change the default settings and/or use certificates instead of a pre-shared key to create a VPN rule to connect to another IPSec device.
  • Page 66 Chapter 4 Quick Setup Wizards Figure 52 VPN Express Wizard: Scenario Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 67: Vpn Express Wizard - Configuration

    Chapter 4 Quick Setup Wizards 4.3.4 VPN Express Wizard - Configuration Figure 53 VPN Express Wizard: Configuration • Secure Gateway: Any displays in this field if it is not configurable for the chosen scenario. Otherwise, enter the WAN IP address or domain name of the remote IPSec device (secure gateway) to identify the remote IPSec router by its IP address or a domain name.
  • Page 68: Vpn Express Wizard - Finish

    Chapter 4 Quick Setup Wizards Figure 54 VPN Express Wizard: Summary • Rule Name: Identifies the VPN gateway policy. • Secure Gateway: IP address or domain name of the remote IPSec device. If this field displays Any, only the remote IPSec device can initiate the VPN connection. •...
  • Page 69: Vpn Advanced Wizard - Scenario

    Chapter 4 Quick Setup Wizards Figure 55 VPN Express Wizard: Finish Click Close to exit the wizard. 4.3.7 VPN Advanced Wizard - Scenario Click the Advanced radio button as shown in Figure 51 on page 65 to display the following screen. ZyWALL/USG Series User’s Guide...
  • Page 70: Vpn Advanced Wizard - Phase 1 Settings

    Chapter 4 Quick Setup Wizards Figure 56 VPN Advanced Wizard: Scenario Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 71 Chapter 4 Quick Setup Wizards Figure 57 VPN Advanced Wizard: Phase 1 Settings • Secure Gateway: Any displays in this field if it is not configurable for the chosen scenario. Otherwise, enter the WAN IP address or domain name of the remote IPSec device (secure gateway) to identify the remote IPSec device by its IP address or a domain name.
  • Page 72: Vpn Advanced Wizard - Phase 2

    Chapter 4 Quick Setup Wizards Note: The remote IPSec device must also have NAT traversal enabled. See the help in the main IPSec VPN screens for more information. • Dead Peer Detection (DPD) has the ZyWALL/USG make sure the remote IPSec device is there before transmitting data through the IKE SA.
  • Page 73: Vpn Advanced Wizard - Summary

    Chapter 4 Quick Setup Wizards 4.3.10 VPN Advanced Wizard - Summary This is a read-only summary of the VPN tunnel settings. Figure 59 VPN Advanced Wizard: Summary • Rule Name: Identifies the VPN connection (and the VPN gateway). • Secure Gateway: IP address or domain name of the remote IPSec device. •...
  • Page 74: Vpn Settings For Configuration Provisioning Wizard: Wizard Type

    Chapter 4 Quick Setup Wizards Figure 60 VPN Wizard: Finish Click Close to exit the wizard. 4.4 VPN Settings for Configuration Provisioning Wizard: Wizard Type Use VPN Settings for Configuration Provisioning to set up a VPN rule that can be retrieved with the ZyWALL/USG IPSec VPN Client.
  • Page 75: Configuration Provisioning Express Wizard - Vpn Settings

    Chapter 4 Quick Setup Wizards Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and to use a pre-shared key. Choose Advanced to change the default settings and/or use certificates instead of a pre-shared key in the VPN rule.
  • Page 76: Configuration Provisioning Vpn Express Wizard - Configuration

    Chapter 4 Quick Setup Wizards Figure 62 VPN for Configuration Provisioning Express Wizard: Settings Scenario Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 77: Vpn Settings For Configuration Provisioning Express Wizard - Summary

    Chapter 4 Quick Setup Wizards Figure 63 VPN for Configuration Provisioning Express Wizard: Configuration • Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the ZyWALL/USG IPSec VPN Client. •...
  • Page 78: Vpn Settings For Configuration Provisioning Express Wizard - Finish

    Chapter 4 Quick Setup Wizards Figure 64 VPN for Configuration Provisioning Express Wizard: Summary • Rule Name: Identifies the VPN gateway policy. • Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the ZyWALL/USG IPSec VPN Client.
  • Page 79: Vpn Settings For Configuration Provisioning Advanced Wizard - Scenario

    Chapter 4 Quick Setup Wizards Figure 65 VPN for Configuration Provisioning Express Wizard: Finish Click Close to exit the wizard. 4.4.5 VPN Settings for Configuration Provisioning Advanced Wizard - Scenario Click the Advanced radio button in the screen shown in Figure 61 on page 75 to display the following screen.
  • Page 80: Vpn Settings For Configuration Provisioning Advanced Wizard - Phase 1 Settings

    Chapter 4 Quick Setup Wizards Figure 66 VPN for Configuration Provisioning Advanced Wizard: Scenario Settings Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 81 Chapter 4 Quick Setup Wizards Figure 67 VPN for Configuration Provisioning Advanced Wizard: Phase 1 Settings • Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the ZyWALL/USG IPSec VPN Client. •...
  • Page 82: Vpn Settings For Configuration Provisioning Advanced Wizard - Phase 2

    Chapter 4 Quick Setup Wizards 4.4.7 VPN Settings for Configuration Provisioning Advanced Wizard - Phase 2 Phase 2 in IKE uses the SA that was established in phase 1 to negotiate SAs for IPSec. Figure 68 VPN for Configuration Provisioning Advanced Wizard: Phase 2 Settings •...
  • Page 83 Chapter 4 Quick Setup Wizards Figure 69 VPN for Configuration Provisioning Advanced Wizard: Summary Summary • Rule Name: Identifies the VPN connection (and the VPN gateway). • Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the ZyWALL/USG IPSec VPN Client.
  • Page 84: Vpn Settings For Configuration Provisioning Advanced Wizard- Finish

    Chapter 4 Quick Setup Wizards • Encryption Algorithm: This displays the encryption method used. The longer the key, the higher the security and (possibly) the lower the throughput. • DES uses a 56-bit key. • 3DES uses a 168-bit key. • AES128 uses a 128-bit key. •...
  • Page 85: Vpn Settings For L2Tp Vpn Settings Wizard

    Chapter 4 Quick Setup Wizards > VPN Connection screen. Enter the IP address of the ZyWALL/USG in the ZyWALL/USG IPSec VPN Client to get all these VPN settings automatically from the ZyWALL/USG. Figure 70 VPN for Configuration Provisioning Advanced Wizard: Finish Click Close to exit the wizard.
  • Page 86: L2Tp Vpn Settings

    Chapter 4 Quick Setup Wizards Figure 71 VPN Settings for L2TP VPN Settings Wizard: L2TP VPN Settings Click Next to continue the wizard. 4.5.1 L2TP VPN Settings Figure 72 VPN Settings for L2TP VPN Settings Wizard: L2TP VPN Settings • Rule Name: Type the name used to identify this L2TP VPN connection (and L2TP VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 87: L2Tp Vpn Settings

    Chapter 4 Quick Setup Wizards • My Address (interface): Select one of the interfaces from the pull down menu to apply the L2TP VPN rule. • Pre-Shared Key: Type the password. Both ends of the VPN tunnel must use the same password. Use 8 to 31 case-sensitive ASCII characters or 8 to 31 pairs of hexadecimal (“0-9”, “A-F”) characters.
  • Page 88: Vpn Settings For L2Tp Vpn Setting Wizard - Summary

    Chapter 4 Quick Setup Wizards Note: DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. The ZyWALL/USG uses a system DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and the time server.
  • Page 89: Vpn Settings For L2Tp Vpn Setting Wizard Completed

    Chapter 4 Quick Setup Wizards 4.5.4 VPN Settings for L2TP VPN Setting Wizard Completed Figure 75 VPN Settings for L2TP VPN Settings Wizard: Finish Now the rule is configured on the ZyWALL/USG. The L2TP VPN rule settings appear in the VPN > L2TP VPN screen and also in the VPN >...
  • Page 90: Chapter 5

    Chapter 5 Dashboard 5.1 Overview Use the Dashboard screens to check status information about the ZyWALL/USG. 5.1.1 What You Can Do in this Chapter Use the main Dashboard screen to see the ZyWALL/USG’s general device information, system status, system resource usage, licensed service status, and interface status. You can also display other status screens for more information.
  • Page 91: Main Dashboard Screen

    Chapter 5 Dashboard 5.2 Main Dashboard Screen The Dashboard screen displays when you log into the ZyWALL/USG or click Dashboard in the navigation panel. The dashboard displays general device information, system status, system resource usage, licensed service status, and interface status in widgets that you can re-arrange to suit your needs.
  • Page 92: Device Information Screen

    Chapter 5 Dashboard Table 18 Dashboard (continued) LABEL DESCRIPTION Refresh Now (D) Click this to update the widget’s information immediately. Close Widget (E) Click this to close the widget. Use Widget Setting to re-open it. Virtual Device Rear Panel Click this to view details about the ZyWALL/USG’s rear panel. Hover your cursor over a connected interface or slot to display status details.
  • Page 93: System Status Screen

    Chapter 5 Dashboard Figure 77 Dashboard > Device Information (Example) This table describes the fields in the above screen. Table 19 Dashboard > Device Information LABEL DESCRIPTION Device Information This identifies a device installed in one of the ZyWALL/USG’s extension slots, the Security Extension Module slot, or USB ports.
  • Page 94: Vpn Status Screen

    Chapter 5 Dashboard This table describes the fields in the above screen. Table 20 Dashboard > System Status LABEL DESCRIPTION System Uptime This field displays how long the ZyWALL/USG has been running since it last restarted or was turned on. Current Date/Time This field displays the current date and time in the ZyWALL/USG.
  • Page 95 Chapter 5 Dashboard Figure 79 Dashboard > System Status > VPN Status This table describes the fields in the above screen. Table 21 Dashboard > System Status > VPN Status LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific SA. Name This field displays the name of the IPSec SA.
  • Page 96: Dhcp Table Screen

    Chapter 5 Dashboard 5.2.4 DHCP Table Screen Click on the DHCP Table link to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses. The following screen will show. Figure 80 Dashboard > System Status > DHCP Table This table describes the fields in the above screen.
  • Page 97: Number Of Login Users Screen

    Chapter 5 Dashboard 5.2.5 Number of Login Users Screen Click the Number of Login Users link to see the following screen. Figure 81 Dashboard > System Status > Number of Login Users This table describes the fields in the above screen. Table 23 Dashboard >...
  • Page 98: Cpu Usage Screen

    Chapter 5 Dashboard Figure 82 Dashboard > System Resources This table describes the fields in the above screen. Table 24 Dashboard > System Resources LABEL DESCRIPTION CPU Usage This field displays what percentage of the ZyWALL/USG’s processing capability is currently being used. Hover your cursor over this field to display the Show CPU Usage icon that takes you to a chart of the ZyWALL/USG’s recent CPU usage.
  • Page 99: Memory Usage Screen

    Chapter 5 Dashboard Figure 83 Dashboard > CPU Usage screen This table describes the fields in the above screen. Table 25 Dashboard > CPU Usage LABEL DESCRIPTION The y-axis represents the percentage of CPU usage. The x-axis shows the time period over which the CPU usage occurred. Refresh Interval Enter how often you want this window to be automatically updated.
  • Page 100: Active Session Screen

    Chapter 5 Dashboard This table describes the fields in the above screen. Table 26 Dashboard > Memory Usage screen LABEL DESCRIPTION The y-axis represents the percentage of RAM usage. The x-axis shows the time period over which the RAM usage occurred. Refresh Interval Enter how often you want this window to be automatically updated.
  • Page 101: Extension Slot Screen

    Chapter 5 Dashboard 5.2.10 Extension Slot Screen Figure 86 Dashboard > Extension Slot This table describes the fields in the above screen. Table 28 Dashboard > Extension Slot LABEL DESCRIPTION Extension Slot This field displays the name of each extension slot. Device This field displays the name of the device connected to the extension slot (or none if no device is detected).
  • Page 102 Chapter 5 Dashboard Figure 87 Dashboard > Interface Status Summary This table describes the fields in the above screen. Table 29 Dashboard > Interface Status Summary LABEL DESCRIPTION Name This field displays the name of each interface. Status This field displays the current status of each interface. The possible values depend on what type of interface it is.
  • Page 103: Secured Service Status Screen

    Chapter 5 Dashboard Table 29 Dashboard > Interface Status Summary LABEL DESCRIPTION HA Status This field displays the status of the interface in the virtual router. Active - This interface is the master interface in the virtual router. Stand-By - This interface is a backup interface in the virtual router. Fault - This VRRP group is not functioning in the virtual router right now.
  • Page 104: Content Filter Statistics Screen

    Chapter 5 Dashboard Table 30 Dashboard > Secured Service Status LABEL DESCRIPTION Version This field displays the version number of the services. Expiration This field displays the number of days remaining before the license expires. 5.2.13 Content Filter Statistics Screen Configure Configuration >...
  • Page 105: Top 5 Intrusions Screen

    Chapter 5 Dashboard This table describes the fields in the above screen. Table 32 Dashboard > Top 5 Viruses LABEL DESCRIPTION This is the entry’s rank in the list of the most commonly detected viruses. Virus ID This is the IDentification number of the anti-virus signature. Virus Name This is the name of a detected virus.
  • Page 106: The Latest Alert Logs Screen

    Chapter 5 Dashboard Table 34 Dashboard > Top 5 IPv4/IPv6 Security Policy Rules that Blocked Traffic LABEL DESCRIPTION This shows the zone that packets went to when they triggered the security policy. Description This field displays the descriptive name (if any) of the triggered security policy. Hits This field displays how many times the security policy was triggered.
  • Page 107: Part Ii: Technical Reference

    Technical Reference...
  • Page 109: Chapter 6 Monitor

    Chapter 6 Monitor 6.1 Overview Use the Monitor screens to check status and statistics information. 6.1.1 What You Can Do in this Chapter Use the Monitor screens for the following. • Use the System Status > Port Statistics screen (see Section 6.2 on page 110) to look at packet statistics for each physical port.
  • Page 110: The Port Statistics Screen

    Chapter 6 Monitor • Use the Wireless > Detected Device screen (Section 6.14.5 on page 135) to view information about suspected rogue APs. • Use the VPN Monitor > IPSec screen (Section 6.15 on page 137) to display and manage active IPSec SAs.
  • Page 111: The Port Statistics Graph Screen

    Chapter 6 Monitor The following table describes the labels in this screen. Table 36 Monitor > System Status > Port Statistics LABEL DESCRIPTION Poll Interval Enter how often you want this window to be updated automatically, and click Set Interval. Set Interval Click this to set the Poll Interval the screen uses.
  • Page 112: Interface Status Screen

    Chapter 6 Monitor Figure 95 Monitor > System Status > Port Statistics > Switch to Graphic View The following table describes the labels in this screen. Table 37 Monitor > System Status > Port Statistics > Switch to Graphic View LABEL DESCRIPTION Refresh Interval...
  • Page 113 Chapter 6 Monitor Figure 96 Monitor > System Status > Interface Status Each field is described in the following table. Table 38 Monitor > System Status > Interface Status LABEL DESCRIPTION Interface Status If an Ethernet interface does not have any physical ports associated with it, its entry is displayed in light gray text.
  • Page 114 Chapter 6 Monitor Table 38 Monitor > System Status > Interface Status (continued) LABEL DESCRIPTION Status This field displays the current status of each interface. The possible values depend on what type of interface it is. For Ethernet interfaces: • Inactive - The Ethernet interface is disabled.
  • Page 115: The Traffic Statistics Screen

    Chapter 6 Monitor Table 38 Monitor > System Status > Interface Status (continued) LABEL DESCRIPTION Tunnel Interface This displays the details of the ZyWALL/USG’s configured tunnel interfaces. Status Name This field displays the name of the interface. Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
  • Page 116 Chapter 6 Monitor You use the Traffic Statistics screen to tell the ZyWALL/USG when to start and when to stop collecting information for these reports. You cannot schedule data collection; you have to start and stop it manually in the Traffic Statistics screen. Figure 97 Monitor >...
  • Page 117 Chapter 6 Monitor Table 39 Monitor > System Status > Traffic Statistics (continued) LABEL DESCRIPTION Direction This field indicates whether the IP address or user is sending or receiving traffic. • Ingress- traffic is coming from the IP address or user to the ZyWALL/USG. •...
  • Page 118: The Session Monitor Screen

    Chapter 6 Monitor 6.5 The Session Monitor Screen The Session Monitor screen displays all established sessions that pass through the ZyWALL/USG for debugging or statistical analysis. It is not possible to manage sessions in this screen. The following information is displayed. •...
  • Page 119: Igmp Statistics

    Chapter 6 Monitor Table 41 Monitor > System Status > Session Monitor (continued) LABEL DESCRIPTION Service This field displays when View is set to all sessions. Select the service or service group whose sessions you want to view. The ZyWALL/USG identifies the service by comparing the protocol and destination port of each packet to the protocol and port of each service that is defined.
  • Page 120: The Ddns Status Screen

    Chapter 6 Monitor Figure 99 Monitor > System Status > IGMP Statistics The following table describes the labels in this screen. Table 42 Monitor > System Status > IGMP Statistics LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific IGMP statistic.
  • Page 121: Ip/Mac Binding

    Chapter 6 Monitor Table 43 Monitor > System Status > DDNS Status (continued) LABEL DESCRIPTION Last Update Status This shows whether the last attempt to resolve the IP address for the domain name was successful or not. Updating means the ZyWALL/USG is currently attempting to resolve the IP address for the domain name.
  • Page 122: Cellular Status Screen

    Chapter 6 Monitor Figure 102 Monitor > System Status > Login Users The following table describes the labels in this screen. Table 45 Monitor > System Status > Login Users LABEL DESCRIPTION Force Logout Select a user ID and click this icon to end a user’s session. This field is a sequential value and is not associated with any entry.
  • Page 123 Chapter 6 Monitor The following table describes the labels in this screen. Table 46 Monitor > System Status > Cellular Status LABEL DESCRIPTION Refresh Click this button to update the information in the screen. More Information Click this to display more information on your mobile broadband connection, such as the signal strength, IMEI/ESN and IMSI.
  • Page 124 Chapter 6 Monitor Table 46 Monitor > System Status > Cellular Status (continued) LABEL DESCRIPTION Status • No device - no mobile broadband device is connected to the ZyWALL/USG. • No Service - no mobile broadband network is available in the area; you cannot connect to the Internet.
  • Page 125: More Information

    Chapter 6 Monitor Table 46 Monitor > System Status > Cellular Status (continued) LABEL DESCRIPTION Cellular System This field displays what type of cellular network the mobile broadband connection is using. The network type varies depending on the mobile broadband card you inserted and could be UMTS, UMTS/HSDPA, GPRS or EDGE when you insert a GSM mobile broadband card, or 1xRTT, EVDO Rev.0 or EVDO Rev.A when you insert a CDMA mobile broadband card.
  • Page 126: The Upnp Port Status Screen

    Chapter 6 Monitor Table 47 Monitor > System Status > More Information (continued) LABEL DESCRIPTION Signal Strength This is the Signal Quality measured in dBm. Signal Quality This displays the strength of the signal. The signal strength mainly depends on the antenna output power and the distance between your ZyWALL/USG and the service provider’s base station.
  • Page 127: Usb Storage Screen

    Chapter 6 Monitor Table 48 Monitor > System Status > UPnP Port Status (continued) LABEL DESCRIPTION External Port This field displays the port number that the ZyWALL/USG “listens” on (on the WAN port) for connection requests destined for the NAT rule’s Internal Port and Internal Client. The ZyWALL/USG forwards incoming packets (from the WAN) with this port number to the Internal Client on the Internal Port (on the LAN).
  • Page 128: Ethernet Neighbor Screen

    Chapter 6 Monitor Table 49 Monitor > System Status > USB Storage (continued) LABEL DESCRIPTION Status Ready - you can have the ZyWALL/USG use the USB storage device. Click Remove Now to stop the ZyWALL/USG from using the USB storage device so you can remove it.
  • Page 129: Wireless

    Chapter 6 Monitor The following table describes the fields in the previous screen. Table 50 Monitor > System Status > Ethernet Neighbor LABEL DESCRIPTION Local Port (Description) This field displays the port of the ZyWALL/USG on which the neighboring device is discovered.
  • Page 130: Ap List More Information

    Chapter 6 Monitor Table 51 Monitor > Wireless > AP Information (continued) LABEL DESCRIPTION Status This field displays the on-line or off-line status of the AP; move the cursor over the AP icon and a status pop-up message appears. Registration This field displays the registration information of the AP.
  • Page 131 Chapter 6 Monitor configuration information, port status and station statistics for the connected AP. To access this screen, select an entry and click the More Information button in the AP List screen. Figure 109 Monitor > Wireless > AP Information > AP List > More Information The following table describes the labels in this screen.
  • Page 132: Wireless Ap Information: Radio List

    Chapter 6 Monitor Table 53 Monitor > Wireless > AP Information > AP List > More Information (continued) LABEL DESCRIPTION Status This field displays the current status of each physical port on the AP. Down - The port is not connected. Speed / Duplex - The port is connected.
  • Page 133 Chapter 6 Monitor Table 54 Monitor > Wireless > Radio List LABEL DESCRIPTION OP Mode This field displays the operating mode of the AP. It displays n/a for the profile for a radio not using an AP profile. AP Mode means the AP can receive connections from wireless clients and pass their data traffic through to the ZyWALL/USG to be managed (or subsequently passed on to an upstream gateway for managing).
  • Page 134: Radio List More Information

    Chapter 6 Monitor 6.14.4 Radio List More Information This screen allows you to view detailed information about a selected radio’s SSID(s), wireless traffic and wireless clients for the preceding 24 hours. To access this window, select an entry and click the More Information button in the Radio List screen.
  • Page 135: Wireless Station Info

    Chapter 6 Monitor The following table describes the labels in this screen. Table 55 Monitor > Wireless > AP Info > Radio List > More Information LABEL DESCRIPTION MBSSID Detail This list shows information about the SSID(s) that are associated with the radio over the preceding 24 hours.
  • Page 136: Detected Device

    Chapter 6 Monitor Table 56 Monitor > Wireless > Station List LABEL DESCRIPTION Tx Rate This field displays the transmit data rate of the station. Rx Rate This field displays the receive data rate of the station. Association Time This field displays the time duration the station was online and offline. 6.14.6 Detected Device Use this screen to view information about wireless devices detected by the AP.
  • Page 137: The Ipsec Monitor Screen

    Chapter 6 Monitor Table 57 Monitor > Wireless > Detected Device (continued) LABEL DESCRIPTION MAC Address This indicates the detected device’s MAC address. SSID Name This indicates the detected device’s SSID. Channel ID This indicates the detected device’s channel ID. 802.11 Mode This indicates the 802.11 mode (a/b/g/n) transmitted by the detected device.
  • Page 138: Regular Expressions In Searching Ipsec Sas

    Chapter 6 Monitor Table 58 Monitor > VPN Monitor > IPSec (continued) LABEL DESCRIPTION Policy This field displays the content of the local and remote policies for this IPSec SA. The IP addresses, not the address objects, are displayed. IKE Name This field displays the Internet Key Exchange (IKE) name.
  • Page 139: The L2Tp Over Ipsec Session Monitor Screen

    Chapter 6 Monitor Figure 115 Monitor > VPN Monitor > SSL The following table describes the labels in this screen. Table 59 Monitor > VPN Monitor > SSL LABEL DESCRIPTION Disconnect Select a connection and click this button to terminate the user’s connection and delete corresponding session information from the ZyWALL/USG.
  • Page 140: The App Patrol Screen

    Chapter 6 Monitor Table 60 Monitor > VPN Monitor > L2TP over IPSec (continued) LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific L2TP VPN session. User Name This field displays the remote user’s user name. Hostname This field displays the name of the computer that has this L2TP VPN connection with the ZyWALL/USG.
  • Page 141: The Content Filter Screen

    Chapter 6 Monitor Table 61 Monitor > UTM Statistics > App Patrol LABEL DESCRIPTION Flush Data Click this button to discard all of the screen’s statistics and update the report display. App Patrol Statistics This field is a sequential value, and it is not associated with a specific App Patrol session.
  • Page 142 Chapter 6 Monitor Figure 118 Monitor > UTM Statistics > Content Filter The following table describes the labels in this screen. Table 62 Monitor > UTM Statistics > Content Filter LABEL DESCRIPTION General Settings Collect Statistics Select this check box to have the ZyWALL/USG collect content filtering statistics. The collection starting time displays after you click Apply.
  • Page 143: The Idp Screen

    Chapter 6 Monitor Table 62 Monitor > UTM Statistics > Content Filter (continued) LABEL DESCRIPTION Security Threat This is the number of requested web pages that the ZyWALL/USG’s content filtering (unsafe) service identified as posing a threat to users. Managed Web Pages This is the number of requested web pages that the ZyWALL/USG’s content filtering service identified as belonging to a category that was selected to be managed.
  • Page 144 Chapter 6 Monitor The following table describes the labels in this screen. Table 63 Monitor > UTM Statistics > IDP LABEL DESCRIPTION Collect Statistics Select this check box to have the ZyWALL/USG collect IDP statistics. The collection starting time displays after you click Apply. All of the statistics in this screen are for the time period starting at the time displayed here.
  • Page 145: The Anti-Virus Screen

    Chapter 6 Monitor Figure 120 Monitor > UTM Statistics > IDP: Source The statistics display as follows when you display the top entries by destination. Figure 121 Monitor > UTM Statistics > IDP: Destination 6.21 The Anti-Virus Screen Click Monitor > UTM Statistics > Anti-Virus to display the following screen. This screen displays anti-virus statistics.
  • Page 146: The Anti-Spam Screens

    Chapter 6 Monitor Table 64 Monitor > UTM Statistics > Anti-Virus (continued) LABEL DESCRIPTION Flush Data Click this button to discard all of the screen’s statistics and update the report display. Total Viruses Detected This field displays the number of different viruses that the ZyWALL/USG has detected.
  • Page 147: Anti-Spam Report

    Chapter 6 Monitor 6.22.1 Anti-Spam Report Click Monitor > UTM Statistics > Anti-Spam to display the following screen. This screen displays spam statistics. Figure 125 Monitor > UTM Statistics > Anti-Spam The following table describes the labels in this screen. Table 65 Monitor >...
  • Page 148 Chapter 6 Monitor Table 65 Monitor > UTM Statistics > Anti-Spam (continued) LABEL DESCRIPTION Clear Mails This is the number of e-mails that the ZyWALL/USG has determined to not be spam. Clear Mails Detected by Whitelist This is the number of e-mails that matched an entry in the ZyWALL/USG’s anti-spam white list.
  • Page 149: The Anti-Spam Status Screen

    Chapter 6 Monitor Table 65 Monitor > UTM Statistics > Anti-Spam (continued) LABEL DESCRIPTION Sender Email Address This column displays when you display the entries by Sender Email Address. This column displays the e-mail addresses from which the ZyWALL/USG has detected the most spam.
  • Page 150: The Ssl Inspection Screens

    Chapter 6 Monitor Table 66 Monitor > UTM Statistics > Anti-Spam > Status (continued) LABEL DESCRIPTION Total Queries This is the total number of queries the ZyWALL/USG has sent to this service. Avg. Response Time (sec) This is the average time it takes to receive a reply from this service. No Response This is how many queries the ZyWALL/USG sent to this service without receiving a reply.
  • Page 151: Certificate Cache List

    Chapter 6 Monitor The following table describes the labels in this screen. Table 67 Monitor > UTM Statistics > SSL Inspection > Report LABEL DESCRIPTION Collect Statistics Select this check box to have the ZyWALL/USG collect SSL Inspection statistics. The collection starting time displays after you click Apply. All of the statistics in this screen are for the time period starting at the time displayed here.
  • Page 152 Chapter 6 Monitor Figure 128 Monitor > UTM Statistics > SSL Inspection > Certificate Cache List The following table describes the labels in this screen. Table 68 Monitor > UTM Statistics > SSL Inspection > Certificate Cache List LABEL DESCRIPTION Certificate Cache List Add to Exclude list Select an item in the list and click this icon to add the common name (CN) to the...
  • Page 153: Log Screens

    Chapter 6 Monitor 6.24 Log Screens Log messages are stored in two separate logs, one for regular log messages and one for debugging messages. In the regular log, you can look at all the log messages by selecting All Logs, or you can select a specific category of log messages (for example, security policy or user).
  • Page 154: View Ap Log

    Chapter 6 Monitor Table 69 Monitor > Log > View Log (continued) LABEL DESCRIPTION Refresh Click this button to update the information in the screen. Clear Log Click this button to clear the whole log, regardless of what is currently displayed on the screen.
  • Page 155 Chapter 6 Monitor Figure 130 Monitor > Log > View AP Log The following table describes the labels in this screen. LABEL DESCRIPTION Show Filter Click this button to show or hide the filter settings. If the filter settings are hidden, the Display, Email Log Now, Refresh, and Clear Log fields are available.
  • Page 156 Chapter 6 Monitor LABEL DESCRIPTION Destination Address Type the IP address of the destination. Destination Interface Select the destination interface from the pull down menu. Keyword Type a keyword of the policy service available from ZyWALL/USG to search for a log.
  • Page 157: Chapter 7 Licensing

    Chapter 7 Licensing 7.1 Registration Overview Use the Configuration > Licensing > Registration screens to register your ZyWALL/USG and manage its service subscriptions. • Use the Registration screen (see Section 7.1.2 on page 158) to go to portal.myzyxel.com to register your ZyWALL/USG and activate a service, such as content filtering.
  • Page 158: Registration Screen

    Chapter 7 Licensing 7.1.2 Registration Screen Click the link in this screen to register your ZyWALL/USG at myZyXEL.com. The ZyWALL/USG must already have Internet access before you can reach myZyXEL.com. Click Configuration > Licensing > Registration in the navigation panel to open the screen as shown next. Click on the icon to go to the OneSecurity.com website, where there are configuration walkthroughs and other guidance.
  • Page 159: Signature Update

    Chapter 7 Licensing Table 70 Configuration > Licensing > Registration > Service (continued) LABEL DESCRIPTION Status This field displays whether a service is activated (Licensed) or not (Not Licensed) or expired (Expired). Registration Type This field displays whether you applied for a trial application (Trial) or registered a service with your iCard’s PIN number (Standard).
  • Page 160 Chapter 7 Licensing Figure 133 Configuration > Licensing > Signature Update >Anti-Virus The following table describes the labels in this screen. Table 71 Configuration > Licensing > Signature Update >Anti-Virus LABEL DESCRIPTION Signature Information The following fields display information on the current signature set that the ZyWALL/USG is using.
  • Page 161: The Idp/Apppatrol Update Screen

    Chapter 7 Licensing Table 71 Configuration > Licensing > Signature Update >Anti-Virus (continued) LABEL DESCRIPTION Apply Click this button to save your changes to the ZyWALL/USG. Reset Click this button to return the screen to its last-saved settings. 7.2.3 The IDP/AppPatrol Update Screen Click Configuration >...
  • Page 162 Chapter 7 Licensing Table 72 Configuration > Licensing > Signature Update > IDP/AppPatrol (continued) LABEL DESCRIPTION Signature Number This field displays the number of IDP signatures in this set. This number usually gets larger as the set is enhanced. Older signatures and rules may be removed if they are no longer applicable or have been supplanted by newer ones.
  • Page 163: Wireless

    Chapter 8 Wireless 8.1 Overview Use the Wireless screens to configure how the ZyWALL/USG manages the Access Points (APs) that are connected to it. 8.1.1 What You Can Do in this Chapter • Use the Controller screen (Section 8.2 on page 163) to set how the ZyWALL/USG allows new APs to connect to the network.
  • Page 164: Ap Management Screens

    Chapter 8 Wireless Each field is described in the following table. Table 73 Configuration > Wireless > Controller LABEL DESCRIPTION Registration Type Select Manual to add each AP to the ZyWALL/USG for management, or Always Accept to automatically add APs to the ZyWALL/USG for management. If you select Manual, then go to Monitor >...
  • Page 165 Chapter 8 Wireless Each field is described in the following table. Table 74 Configuration > Wireless > AP Management > Mgnt. AP List LABEL DESCRIPTION Edit Select an AP and click this button to edit its properties. Remove Select an AP and click this button to remove it from the list. Note: If in the Configuration >...
  • Page 166 Chapter 8 Wireless 8.3.1.1 Edit AP List Select an AP and click the Edit button in the Configuration > Wireless > AP Management table to display this screen. Figure 137 Configuration > Wireless > AP Management > Mgnt. AP List > Edit AP List Each field is described in the following table.
  • Page 167 Chapter 8 Wireless Table 75 Configuration > Wireless > AP Management > Mgnt. AP List > Edit AP List (continued) LABEL DESCRIPTION Radio 1/2 OP Mode Select the operating mode for radio 1 or radio 2. AP Mode means the AP can receive connections from wireless clients and pass their data traffic through to the ZyWALL/USG to be managed (or subsequently passed on to an upstream gateway for managing).
  • Page 168: Ap Policy

    Chapter 8 Wireless 8.3.2 AP Policy Use this screen to configure the AP controller’s IP address on the managed APs and determine the action the managed APs take if the current AP controller fails. Click Configuration > Wireless > AP Management > AP Policy to access this screen. Figure 138 Configuration >...
  • Page 169: Ap Group

    Chapter 8 Wireless 8.3.3 AP Group Use this screen to configure AP groups, which define the radio, port, VLAN and load balancing settings and apply the settings to all APs in the group. An AP can belong to one AP group at a time. Click Configuration >...
  • Page 170 Chapter 8 Wireless 8.3.3.1 Add/Edit AP Group Click Add or select an AP group and click the Edit button in the Configuration > Wireless > AP Management > AP Group table to display this screen. Figure 140 Configuration > Wireless > AP Management > AP Group > Add/Edit ZyWALL/USG Series User’s Guide...
  • Page 171 Chapter 8 Wireless Each field is described in the following table. Table 78 Configuration > Wireless > AP Management > AP Group > Add/Edit LABEL DESCRIPTION General Settings Group Name Enter a name for this group. You can use up to 31 alphanumeric characters. Dashes and underscores are also allowed.
  • Page 172 Chapter 8 Wireless Table 78 Configuration > Wireless > AP Management > AP Group > Add/Edit (continued) LABEL DESCRIPTION This is the VLAN’s index number in this list. Status This displays whether or not the VLAN is activated. Name This shows the name of the VLAN. This shows the VLAN ID number.
  • Page 173: Firmware

    Chapter 8 Wireless Table 78 Configuration > Wireless > AP Management > AP Group > Add/Edit (continued) LABEL DESCRIPTION Disassociate station when overloaded This function is enabled by default and the disassociation priority is always Signal Strength when you set Mode to By Smart Classroom. Select this option to disassociate wireless clients connected to the AP when it becomes overloaded.
  • Page 174 Chapter 8 Wireless Click Configuration > Wireless > AP Management > Firmware to access this screen. Figure 141 Configuration > Wireless > AP Management > Firmware Each field is described in the following table. Table 79 Configuration > Wireless > AP Management > Firmware LABEL DESCRIPTION AP Firmware...
  • Page 175: Mon Mode

    Chapter 8 Wireless Table 79 Configuration > Wireless > AP Management > Firmware (continued) LABEL DESCRIPTION Last Check Success This displays the date and time the last check for new firmware was made and whether the check is in progress (checking), was successful (success), or has failed (fail). Apply AP Firmware Due to space limitations, the ZyWALL/USG only downloads and keeps AP firmware for APs it is currently managing.
  • Page 176: Add/Edit Rogue/Friendly List

    Chapter 8 Wireless Each field is described in the following table. Table 80 Configuration > Wireless > MON Mode LABEL DESCRIPTION General Settings Enable Rogue AP Containment Select this to enable rogue AP containment. Rogue/Friendly AP List Click this button to add an AP to the list and assign it either friendly or rogue status.
  • Page 177: Auto Healing

    Chapter 8 Wireless Each field is described in the following table. Table 81 Configuration > Wireless > MON Mode > Add/Edit Rogue/Friendly LABEL DESCRIPTION Enter the MAC address of the AP you want to add to the list. A MAC address is a unique hardware identifier in the following hexadecimal format: xx:xx:xx:xx:xx:xx where xx is a hexadecimal number separated by colons.
  • Page 178: Technical Reference

    Chapter 8 Wireless Table 82 Configuration > Wireless > Auto Healing (continued) LABEL DESCRIPTION Power Threshold Set the power level (in dBm) to which the neighbor APs of the failed AP increase their output power in order to extend their wireless service coverage areas. When the failed AP is working again, its neighbor APs return their output power to the original level.
  • Page 179: Load Balancing

    Chapter 8 Wireless Figure 146 An Example Four-Channel Deployment However, some regions require the use of other channels and often use a safety scheme with the following four channels: 1, 4, 7 and 11. While they are situated sufficiently close to both each other and the three so-called “safe”...
  • Page 180 Chapter 8 Wireless devices to connect as long as their total bandwidth usage does not exceed the configured bandwidth cap associated with this setting. Once the cap is hit, any new connections are rejected or delayed provided that there are other APs in range. Imagine a coffee shop in a crowded business district that offers free wireless connectivity to its customers.
  • Page 181: Interfaces

    Chapter 9 Interfaces 9.1 Interface Overview Use the Interface screens to configure the ZyWALL/USG’s interfaces. You can also create interfaces on top of other interfaces. • Ports are the physical ports to which you connect cables. • Interfaces are used within the system operationally. You use them in configuring various features.
  • Page 182: What You Need To Know

    Chapter 9 Interfaces 9.1.2 What You Need to Know Interface Characteristics Interfaces generally have the following characteristics (although not all characteristics apply to each type of interface). • An interface is a logical entity through which (layer-3) packets pass. • An interface is bound to a physical port or another interface. •...
  • Page 183 Chapter 9 Interfaces characteristics. These characteristics are listed in the following table and discussed in more detail below. Table 83 Ethernet, PPP, Cellular, VLAN, Bridge, and Virtual Interface Characteristics CHARACTERISTICS ETHERNET ETHERNET CELLULAR VLAN BRIDGE VIRTUAL Name* wan1, wan2 lan1, lan2, pppx cellularx vlanx...
  • Page 184 Chapter 9 Interfaces Table 84 Relationships Between Different Types of Interfaces (continued) INTERFACE REQUIRED PORT / INTERFACE PPP interface Ethernet interface* VLAN interface* bridge interface WAN1, WAN2, OPT* virtual interface (virtual Ethernet interface) Ethernet interface* (virtual VLAN interface) VLAN interface* (virtual bridge interface) bridge interface trunk...
  • Page 185 Chapter 9 Interfaces compose the network address. The prefix length is written as “/x” where x is a number. For example, 2001:db8:1a2b:15::1a2f:0/32 means that the first 32 bits (2001:db8) from the left is the network prefix. Link-local Address A link-local address uniquely identifies a device on the local network (the LAN). It is similar to a “private IP address”...
  • Page 186: What You Need To Do First

    MAC address) level. This provides wire-speed throughput but no security. The following table shows the models that support port role at the time of writing. Table 86 Models with Port Role MODEL WITH PORT ROLE MODEL WITH PORT ROLE ZyWALL 110 USG60W USG40 USG110 USG40W...
  • Page 187: Ethernet Summary Screen

    Chapter 9 Interfaces Figure 148 Configuration > Network > Interface > Port Role Physical Ports Default interface (ZONE) The physical Ethernet ports are shown at the top and the Ethernet interfaces and zones are shown at the bottom of the screen. Use the radio buttons to select for which interface (network) you want to use each physical port.
  • Page 188 Chapter 9 Interfaces exchanged, the more efficient the routers should be. However, the routers also generate more network traffic, and some routing protocols require a significant amount of configuration and management. The ZyWALL/USG supports two routing protocols, RIP and OSPF. See Chapter 10 on page 279 for background information about these routing protocols.
  • Page 189: Ethernet Edit

    Chapter 9 Interfaces Table 87 Configuration > Network > Interface > Ethernet (continued) LABEL DESCRIPTION IP Address This field displays the current IP address of the interface. If the IP address is 0.0.0.0 (in the IPv4 network) or :: (in the IPv6 network), the interface does not have an IP address yet.
  • Page 190: Igmp Proxy

    Chapter 9 Interfaces Set the priority used to identify the DR or BDR if one does not exist. IGMP Proxy Internet Group Management Protocol (IGMP) proxy is used for multicast routing. IGMP proxy enables the ZyWALL/USG to issue IGMP host messages on behalf of hosts that the ZyWALL/USG discovered on its IGMP-enabled interfaces.
  • Page 191 Chapter 9 Interfaces • Configuration > Network > Interface > Ethernet > Edit (External Type)
  • Page 192 Chapter 9 Interfaces Configuration > Network > Interface > Ethernet > Edit (External Type)
  • Page 193 Chapter 9 Interfaces Figure 150 Configuration > Network > Interface > Ethernet > Edit (Internal Type)
  • Page 194 Chapter 9 Interfaces Configuration > Network > Interface > Ethernet > Edit (Internal Type)
  • Page 195 Chapter 9 Interfaces Figure 151 Configuration > Network > Interface > Ethernet > Edit (OPT)
  • Page 196 Chapter 9 Interfaces Configuration > Network > Interface > Ethernet > Edit (OPT)
  • Page 197 Chapter 9 Interfaces This screen’s fields are described in the table below. Table 88 Configuration > Network > Interface > Ethernet > Edit LABEL DESCRIPTION IPv4/IPv6 View / IPv4 View / IPv6 View Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields.
  • Page 198 Chapter 9 Interfaces Table 88 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION IP Address Enter the IP address for this interface. Subnet Mask Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network.
  • Page 199 Chapter 9 Interfaces Table 88 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Delegated Prefix Select the DHCPv6 request object to use from the drop-down list. Suffix Address Enter the ending part of the IPv6 address, a slash (/), and the prefix length. The ZyWALL/USG will append it to the delegated prefix.
  • Page 200 Chapter 9 Interfaces Table 88 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Enable Router Advertisement Select this to enable this interface to send router advertisement messages periodically. See IPv6 Router Advertisement on page 186 for more information. Advertised Hosts Get Network... Select this to have the ZyWALL/USG indicate to hosts to obtain network settings (such...
  • Page 201 Chapter 9 Interfaces Table 88 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Address This is the final network prefix combined by the delegated prefix and the suffix. Note: This field displays the combined address after you click OK and reopen this screen.
  • Page 202 Chapter 9 Interfaces Table 88 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION DHCP Select what type of DHCP service the ZyWALL/USG provides to the network. Choices are: None - the ZyWALL/USG does not provide any DHCP services. There is already a DHCP server on the network.
  • Page 203 Chapter 9 Interfaces Table 88 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Extended Options This table is available if you selected DHCP server. Configure this table if you want to send more information to DHCP clients through DHCP packets.
  • Page 204 Chapter 9 Interfaces Table 88 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Priority Enter the priority (between 0 and 255) of this interface when the area is looking for a Designated Router (DR) or Backup Designated Router (BDR). The highest-priority interface identifies the DR, and the second-highest-priority interface identifies the BDR.
  • Page 205: Object References

    Chapter 9 Interfaces 9.3.2 Object References When a configuration screen includes an Object Reference icon, select a configuration object and click Object Reference to open the Object References screen. This screen displays which configuration settings reference the selected object. The fields shown vary with the type of object. Figure 152 Object References The following table describes labels that can appear in this screen.
  • Page 206: Add/Edit Dhcp Extended Options

    Chapter 9 Interfaces Figure 153 Configuration > Network > Interface > Ethernet > Edit > Add DHCPv6 Request/Lease Options Select a DHCPv6 request or lease object in the Select one object field and click OK to save it. Click Cancel to exit without saving the setting. 9.3.4 Add/Edit DHCP Extended Options When you configure an interface as a DHCPv4 server, you can additionally add DHCP extended options, which have the ZyWALL/USG add more information to the DHCP packets.
  • Page 207 Chapter 9 Interfaces Table 90 Configuration > Network > Interface > Ethernet > Edit > Add/Edit Extended Options LABEL DESCRIPTION First IP Address, Second IP Address, Third IP Address If you selected Time Server (4), NTP Server (41), SIP Server (120), CAPWAP AC (138), or TFTP Server (150), you have to enter at least one IP address of the corresponding servers in these fields.
  • Page 208: Ppp Interfaces

    Chapter 9 Interfaces 9.4 PPP Interfaces Use PPPoE/PPTP interfaces to connect to your ISP. This way, you do not have to install or manage PPPoE/PPTP software on each computer in the network. Figure 155 Example: PPPoE/PPTP Interfaces PPPoE/PPTP interfaces are similar to other interfaces in some ways. They have an IP address, subnet mask, and gateway used to make routing decisions;...
  • Page 209: Ppp Interface Add Or Edit

    Chapter 9 Interfaces Each field is described in the table below. Table 92 Configuration > Network > Interface > PPP LABEL DESCRIPTION User Configuration / System Default The ZyWALL/USG comes with the (non-removable) System Default PPP interfaces pre-configured. You can create (and delete) User Configuration PPP interfaces. System Default PPP interfaces vary by model.
  • Page 210 Chapter 9 Interfaces Figure 157 Configuration > Network > Interface > PPP > Add
  • Page 211 Chapter 9 Interfaces Each field is explained in the following table. Table 93 Configuration > Network > Interface > PPP > Add LABEL DESCRIPTION IPv4/IPv6 View / IPv4 View / IPv6 View Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields.
  • Page 212 Chapter 9 Interfaces Table 93 Configuration > Network > Interface > PPP > Add (continued) LABEL DESCRIPTION IP Address This field is enabled if you select Use Fixed IP Address. Enter the IP address for this interface. Metric Enter the priority of the gateway (the ISP) on this interface. The ZyWALL/USG decides which gateway to use based on this priority.
  • Page 213 Chapter 9 Interfaces Table 93 Configuration > Network > Interface > PPP > Add (continued) LABEL DESCRIPTION Enable Rapid Commit Select this to shorten the DHCPv6 message exchange process from four to two steps. This function helps reduce heavy network traffic load. Note: Make sure you also enable this option in the DHCPv6 clients to make rapid commit work.
  • Page 214: Cellular Configuration Screen

    Chapter 9 Interfaces Table 93 Configuration > Network > Interface > PPP > Add (continued) LABEL DESCRIPTION Check this address Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it. Check Port This field only displays when you set the Check Method to tcp.
  • Page 215 Chapter 9 Interfaces Note: The actual data rate you obtain varies depending on your mobile environment. The environmental factors may include the number of mobile devices which are currently connected to the mobile network, the signal strength to the mobile network, and so on.
  • Page 216 Chapter 9 Interfaces Figure 158 Configuration > Network > Interface > Cellular The following table describes the labels in this screen. Table 95 Configuration > Network > Interface > Cellular LABEL DESCRIPTION Click this to create a new cellular interface. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
  • Page 217: Cellular Choose Slot

    Chapter 9 Interfaces Table 95 Configuration > Network > Interface > Cellular (continued) LABEL DESCRIPTION Current Version This displays the currently supported (by the ZyWALL/USG) mobile broadband dongle list version number. Update Now If the latest version number is greater than the current version number, then click this button to download the latest list of supported mobile broadband dongle devices to the ZyWALL/USG.
  • Page 218 Chapter 9 Interfaces Figure 159 Configuration > Network > Interface > Cellular > Add / Edit
  • Page 219 Chapter 9 Interfaces The following table describes the labels in this screen. Table 96 Configuration > Network > Interface > Cellular > Add / Edit LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields. General Settings...
  • Page 220 Chapter 9 Interfaces Table 96 Configuration > Network > Interface > Cellular > Add / Edit (continued) LABEL DESCRIPTION User Name This field displays when you select an authentication type other than None. This field is read-only if you selected Device in the profile selection. If this field is configurable, enter the user name for this mobile broadband card exactly as the service provider gave it to you.
  • Page 221 Chapter 9 Interfaces Table 96 Configuration > Network > Interface > Cellular > Add / Edit (continued) LABEL DESCRIPTION Check Method Select the method that the gateway allows. Select icmp to have the ZyWALL/USG regularly ping the gateway you specify to make sure it is still available.
  • Page 222 Chapter 9 Interfaces Table 96 Configuration > Network > Interface > Cellular > Add / Edit (continued) LABEL DESCRIPTION Band Selection This field appears if you selected a mobile broadband device that allows you to select the type of network to use. Select the type of mobile broadband service for your mobile broadband connection.
  • Page 223: Tunnel Interfaces

    Chapter 9 Interfaces Table 96 Configuration > Network > Interface > Cellular > Add / Edit (continued) LABEL DESCRIPTION Reset time and data budget counters This button is available only when you enable budget control in this screen. Click this button to reset the time and data budgets immediately. The count starts over with the mobile broadband connection’s full configured monthly time and data budgets.
  • Page 224 Chapter 9 Interfaces Figure 160 GRE Tunnel Example. IPv6 Over IPv4 Tunnels To route traffic between two IPv6 networks over an IPv4 network, an IPv6 over IPv4 tunnel has to be used. Figure 161 IPv6 over IPv4 Network...
  • Page 225: Configuring A Tunnel

    Chapter 9 Interfaces In the ZyWALL/USG, you must also manually configure a policy route for an IPv6-in-IPv4 tunnel to make the tunnel work. 6to4 Tunneling This mode also enables IPv6 packets to cross IPv4 networks. Unlike IPv6-in-IPv4 tunneling, you do not need to configure a policy route for a 6to4 tunnel.
  • Page 226: Tunnel Add Or Edit Screen

    Chapter 9 Interfaces Figure 164 Network > Interface > Tunnel Each field is explained in the following table. Table 97 Network > Interface > Tunnel LABEL DESCRIPTION Click this to create a new GRE tunnel interface. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
  • Page 227 Chapter 9 Interfaces Figure 165 Network > Interface > Tunnel > Add/Edit Each field is explained in the following table. Table 98 Network > Interface > Tunnel > Add/Edit LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields. General Settings...
  • Page 228 Chapter 9 Interfaces Table 98 Network > Interface > Tunnel > Add/Edit (continued) LABEL DESCRIPTION Tunnel Mode Select the tunneling protocol of the interface (GRE, IPv6-in-IPv4 or 6to4). See Section 9.6 on page 223 for more information. IP Address Assignment This section is available if you are configuring a GRE tunnel. IP Address Enter the IP address for this interface.
  • Page 229 Chapter 9 Interfaces Table 98 Network > Interface > Tunnel > Add/Edit (continued) LABEL DESCRIPTION Interface Parameters Egress Bandwidth Enter the maximum amount of traffic, in kilobits per second, the ZyWALL/USG can send through the interface to the network. Allowed values are 0 - 1048576. This setting is used in WAN load balancing and bandwidth management.
  • Page 230: Vlan Interfaces

    Chapter 9 Interfaces 9.7 VLAN Interfaces A Virtual Local Area Network (VLAN) divides a physical network into multiple logical networks. The standard is defined in IEEE 802.1q. Figure 166 Example: Before VLAN In this example, there are two physical networks and three departments A, B, and C. The physical networks are connected to hubs, and the hubs are connected to the router.
  • Page 231: Vlan Summary Screen

    Chapter 9 Interfaces This approach provides a few advantages. • Increased performance - In VLAN 2, the extra switch should route traffic inside the sales department faster than the router does. In addition, broadcasts are limited to smaller, more logical groups of users. •...
  • Page 232 Chapter 9 Interfaces Figure 168 Configuration > Network > Interface > VLAN Each field is explained in the following table. Table 99 Configuration > Network > Interface > VLAN LABEL DESCRIPTION Configuration / IPv6 Configuration Use the Configuration section for IPv4 network settings. Use the IPv6 Configuration section for IPv6 network settings if you connect your ZyWALL/USG to an IPv6 network.
  • Page 233: Vlan Add/Edit

    Chapter 9 Interfaces 9.7.2 VLAN Add/Edit Select an existing entry in the previous screen and click Edit or click Add to create a new entry. The following screen appears.
  • Page 234 Chapter 9 Interfaces Figure 169 Configuration > Network > Interface > VLAN > Add /Edit
  • Page 235 Chapter 9 Interfaces Each field is explained in the following table. Table 100 Configuration > Network > Interface > VLAN > Add / Edit LABEL DESCRIPTION IPv4/IPv6 View / IPv4 View / IPv6 View Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields.
  • Page 236 Chapter 9 Interfaces Table 100 Configuration > Network > Interface > VLAN > Add / Edit (continued) LABEL DESCRIPTION Subnet Mask This field is enabled if you select Use Fixed IP Address. Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network.
  • Page 237 Chapter 9 Interfaces Table 100 Configuration > Network > Interface > VLAN > Add / Edit (continued) LABEL DESCRIPTION Delegated Prefix Select the DHCPv6 request object to use from the drop-down list. Suffix Address Enter the ending part of the IPv6 address, a slash (/), and the prefix length. The ZyWALL/USG will append it to the delegated prefix.
  • Page 238 Chapter 9 Interfaces Table 100 Configuration > Network > Interface > VLAN > Add / Edit (continued) LABEL DESCRIPTION Enable Router Advertisement Select this to enable this interface to send router advertisement messages periodically. See IPv6 Router Advertisement on page 186 for more information.
  • Page 239 Chapter 9 Interfaces Table 100 Configuration > Network > Interface > VLAN > Add / Edit (continued) LABEL DESCRIPTION Address This is the final network prefix combined by the delegated prefix and the suffix. Note: This field displays the combined address after you click OK and reopen this screen.
  • Page 240 Chapter 9 Interfaces Table 100 Configuration > Network > Interface > VLAN > Add / Edit (continued) LABEL DESCRIPTION These fields appear if the ZyWALL/USG is a DHCP Relay. Relay Server 1 Enter the IP address of a DHCP server for the network. Relay Server 2 This field is optional.
  • Page 241 Chapter 9 Interfaces Table 100 Configuration > Network > Interface > VLAN > Add / Edit (continued) LABEL DESCRIPTION Value This is the option’s value. Enable IP/MAC Binding Select this option to have the ZyWALL/USG enforce links between specific IP addresses and specific MAC addresses for this VLAN.
  • Page 242: Bridge Interfaces

    Chapter 9 Interfaces Table 100 Configuration > Network > Interface > VLAN > Add / Edit (continued) LABEL DESCRIPTION Authentication Select an authentication method, or disable authentication. To exchange OSPF routing information with peer border routers, you must use the same authentication method that they use.
  • Page 243 Chapter 9 Interfaces When the bridge receives a packet, the bridge records the source MAC address and the port on which it was received in a table. It also looks up the destination MAC address in the table. If the bridge knows on which port the destination MAC address is located, it sends the packet to that port.
  • Page 244: Bridge Summary

    Chapter 9 Interfaces Table 103 Example: Routing Table Before and After Bridge Interface br0 Is Created (continued) IP ADDRESS(ES) DESTINATION IP ADDRESS(ES) DESTINATION 241.241.241.241/32 242.242.242.242/32 In this example, virtual Ethernet interface lan1:1 is also removed from the routing table when lan1 is added to br0.
  • Page 245: Bridge Add/Edit

    Chapter 9 Interfaces Table 104 Configuration > Network > Interface > Bridge (continued) LABEL DESCRIPTION Object References Select an entry and click Object Reference to open a screen that shows which settings use the entry. See Section 9.3.2 on page 205 for an example.
  • Page 246 Chapter 9 Interfaces Figure 171 Configuration > Network > Interface > Bridge > Add / Edit
  • Page 247 Chapter 9 Interfaces Configuration > Network > Interface > Bridge > Add Each field is described in the table below. Table 105 Configuration > Network > Interface > Bridge > Add / Edit LABEL DESCRIPTION IPv4/IPv6 View / IPv4 View / IPv6 View Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields.
  • Page 248 Chapter 9 Interfaces Table 105 Configuration > Network > Interface > Bridge > Add / Edit (continued) LABEL DESCRIPTION Enable IPv6 Select this to enable IPv6 on this interface. Otherwise, clear this to disable it. Interface Properties Interface Type Select one of the following options depending on the type of network to which the ZyWALL/USG is connected or if you want to additionally manually configure some related settings.
  • Page 249 Chapter 9 Interfaces Table 105 Configuration > Network > Interface > Bridge > Add / Edit (continued) LABEL DESCRIPTION Enable IGMP Support Select this to allow the ZyWALL/USG to act as an IGMP proxy for hosts connected on the IGMP downstream interface. IGMP Version: Select the IGMP version to be used on this ZyWALL/USG interface.
  • Page 250 Chapter 9 Interfaces Table 105 Configuration > Network > Interface > Bridge > Add / Edit (continued) LABEL DESCRIPTION DHCPv6 Setting DUID This field displays the DHCP Unique IDentifier (DUID) of the interface, which is unique and used for identification purposes when the interface is exchanging DHCPv6 messages with others.
  • Page 251 Chapter 9 Interfaces Table 105 Configuration > Network > Interface > Bridge > Add / Edit (continued) LABEL DESCRIPTION Router Preference Select the router preference (Low, Medium or High) for the interface. The interface sends this preference in the router advertisements to tell hosts what preference they should use for the ZyWALL/USG.
  • Page 252 Chapter 9 Interfaces Table 105 Configuration > Network > Interface > Bridge > Add / Edit (continued) LABEL DESCRIPTION Ingress Bandwidth This is reserved for future use. Enter the maximum amount of traffic, in kilobits per second, the ZyWALL/USG can receive from the network through the interface.
  • Page 253 Chapter 9 Interfaces Table 105 Configuration > Network > Interface > Bridge > Add / Edit (continued) LABEL DESCRIPTION Default Router If you set this interface to DHCP Server, you can select to use either the interface’s IP address or another IP address as the default router. This default router will become the DHCP clients’...
  • Page 254: Virtual Interfaces

    Chapter 9 Interfaces Table 105 Configuration > Network > Interface > Bridge > Add / Edit (continued) LABEL DESCRIPTION Check Method Select the method that the gateway allows. Select icmp to have the ZyWALL/USG regularly ping the gateway you specify to make sure it is still available.
  • Page 255 Chapter 9 Interfaces Figure 172 Configuration > Network > Interface > Create Virtual Interface Each field is described in the table below. Table 106 Configuration > Network > Interface > Create Virtual Interface LABEL DESCRIPTION Interface Properties Interface Name This field is read-only. It displays the name of the virtual interface, which is automatically derived from the underlying Ethernet interface, VLAN interface, or bridge interface.
  • Page 256: Interface Technical Reference

    Chapter 9 Interfaces 9.10 Interface Technical Reference Here is more detailed information about interfaces on the ZyWALL/USG. IP Address Assignment Most interfaces have an IP address and a subnet mask. This information is used to create an entry in the routing table. Figure 173 Example: Entry in the Routing Table Derived from Interfaces lan1 wan1...
  • Page 257 Chapter 9 Interfaces The gateway is an optional setting for each interface. If there is more than one gateway, the ZyWALL/USG uses the gateway with the lowest metric, or cost. If two or more gateways have the same metric, the ZyWALL/USG uses the one that was set up first (the first entry in the routing table).
  • Page 258 Chapter 9 Interfaces • IP address - If the DHCP client’s MAC address is in the ZyWALL/USG’s static DHCP table, the interface assigns the corresponding IP address. If not, the interface assigns IP addresses from a pool, defined by the starting address of the pool and the pool size. Table 109 Example: Assigning IP Addresses from a Pool START IP ADDRESS POOL SIZE...
  • Page 259: Trunk Overview

    Chapter 9 Interfaces • PPPoE does not usually require any special configuration of the modem. PPTP is used to set up virtual private networks (VPN) in unsecure TCP/IP environments. It sets up two sessions. The first one runs on TCP port 1723. It is used to start and manage the second one. The second one uses Generic Routing Encapsulation (GRE, RFC 2890) to transfer information between the computers.
  • Page 260 Chapter 9 Interfaces You can also use trunks with policy routing to send specific traffic types through the best WAN interface for that type of traffic. • If that interface’s connection goes down, the ZyWALL/USG can still send its traffic through another interface.
  • Page 261 Chapter 9 Interfaces Since WAN 2 has a smaller load balancing index (meaning that it is less utilized than WAN 1), the ZyWALL/USG will send the subsequent new session traffic through WAN 2. Table 110 Least Load First Example OUTBOUND LOAD BALANCING INDEX INTERFACE (M/A)
  • Page 262: The Trunk Summary Screen

    Chapter 9 Interfaces Figure 176 Spillover Algorithm Example 9.12 The Trunk Summary Screen Click Configuration > Network > Interface > Trunk to open the Trunk screen. This screen lists the configured trunks and the load balancing algorithm that each is configured to use. Figure 177 Configuration >...
  • Page 263: Configuring A User-Defined Trunk

    Chapter 9 Interfaces Table 111 Configuration > Network > Interface > Trunk (continued) LABEL DESCRIPTION Enable Default SNAT Select this to have the ZyWALL/USG use the IP address of the outgoing interface as the source IP address of the packets it sends out through its WAN trunks. The ZyWALL/USG automatically adds SNAT settings for traffic it routes from internal interfaces to external interfaces.
  • Page 264 Chapter 9 Interfaces Each field is described in the table below. Table 112 Configuration > Network > Interface > Trunk > Add (or Edit) LABEL DESCRIPTION Name This is read-only if you are editing an existing trunk. When adding a new trunk, enter a descriptive name for this trunk.
  • Page 265: Configuring The System Default Trunk

    Chapter 9 Interfaces Table 112 Configuration > Network > Interface > Trunk > Add (or Edit) (continued) LABEL DESCRIPTION Ingress Bandwidth This is reserved for future use. This field displays with the least load first load balancing algorithm. It displays the maximum number of kilobits of data the ZyWALL/USG is to allow to come in through the interface per second.
  • Page 266 Chapter 9 Interfaces Each field is described in the table below. Table 113 Configuration > Network > Interface > Trunk > Edit (System Default) LABEL DESCRIPTION Name This field displays the name of the selected system default trunk. Load Balancing Select the load balancing method to use for the trunk.
  • Page 267: Routing

    Chapter 10 Routing 10.1 Policy and Static Routes Overview Use policy routes and static routes to override the ZyWALL/USG’s default routing behavior in order to send packets through the appropriate interface or VPN tunnel. For example, the next figure shows a computer (A) connected to the ZyWALL/USG’s LAN interface. The ZyWALL/USG routes most traffic from A to the Internet through the ZyWALL/USG’s default gateway (R1).
  • Page 268: What You Need To Know

    Chapter 10 Routing 10.1.2 What You Need to Know Policy Routing Traditionally, routing is based on the destination address only and the ZyWALL/USG takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator.
  • Page 269: Policy Route Screen

    Chapter 10 Routing DiffServ QoS is used to prioritize source-to-destination traffic flows. All packets in the same flow are given the same priority. CoS (class of service) is a way of managing traffic in a network by grouping similar types of traffic together and treating each type as a class. You can use CoS to give different priorities to different packet types.
  • Page 270 Chapter 10 Routing Click on the icons to go to the OneSecurity.com website where there is guidance on configuration walkthroughs, troubleshooting, and other information. Figure 181 Configuration > Network > Routing > Policy Route The following table describes the labels in this screen. Table 114 Configuration >...
  • Page 271: Policy Route Edit Screen

    Chapter 10 Routing Table 114 Configuration > Network > Routing > Policy Route (continued) LABEL DESCRIPTION Move To change a rule’s position in the numbered list, select the rule and click Move to display a field to type a number for where you want to put that rule and press [ENTER] to move the rule to the number that you typed.
  • Page 272 Chapter 10 Routing Policy Route Edit screen opens. Use this screen to configure or edit a policy route. Both IPv4 and IPv6 policy route have similar settings except the Address Translation (SNAT) settings. Figure 182 Configuration > Network > Routing > Policy Route > Add/Edit (IPv4 Configuration) ZyWALL/USG Series User’s Guide...
  • Page 273 Chapter 10 Routing Figure 183 Configuration > Network > Routing > Policy Route > Add/Edit (IPv6 Configuration) The following table describes the labels in this screen. Table 115 Configuration > Network > Routing > Policy Route > Add/Edit LABEL DESCRIPTION Show Advanced Click this button to display a greater or lesser number of configuration fields.
  • Page 274 Chapter 10 Routing Table 115 Configuration > Network > Routing > Policy Route > Add/Edit (continued) LABEL DESCRIPTION DSCP Code Select the DSCP code point value of incoming packets to which this policy route applies, or select User Define to specify another DSCP code point. A DSCP value is a class label, not a strict priority number: 0 is the default best-effort class; the class selector values CS1 to CS7 (8, 16, ... 56) and the assured forwarding classes AF1x to AF4x generally receive better treatment as the class number rises; and EF (46) is reserved for low-latency traffic such as voice. What a value actually receives depends on the queuing policy of each router that carries the traffic.
  • Page 275 Chapter 10 Routing Table 115 Configuration > Network > Routing > Policy Route > Add/Edit (continued) LABEL DESCRIPTION DSCP Marking Set how the ZyWALL/USG handles the DSCP value of the outgoing packets that match this route. Select one of the pre-defined DSCP values to apply or select User Define to specify another DSCP value.
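The first-match evaluation, DSCP matching and DSCP marking described in Table 115, as an added example (illustrative code, not ZyXEL’s): rules are walked top to bottom, the first match decides the next hop, and marking rewrites only the six DSCP bits of the TOS byte while preserving the two ECN bits. The `move` function mirrors the Move button and shows how a broad rule moved above a specific one shadows it. Rule and interface names are hypothetical.

```python
"""Added example (not ZyXEL code): first-match policy route evaluation with
DSCP matching and DSCP marking. Rule and interface names are hypothetical."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    tos: int = 0          # IPv4 DS byte: DSCP in the high 6 bits, ECN in the low 2

    @property
    def dscp(self) -> int:
        return self.tos >> 2


@dataclass
class PolicyRoute:
    name: str
    src: Optional[str] = None        # CIDR to match, None = any
    dst: Optional[str] = None
    dscp: Optional[int] = None       # incoming DSCP code point to match, None = any
    next_hop: str = "wan_trunk"      # interface, trunk or tunnel (hypothetical names)
    mark_dscp: Optional[int] = None  # DSCP written on egress, None = preserve
    enabled: bool = True

    def matches(self, pkt: Packet) -> bool:
        if not self.enabled:
            return False
        if self.src and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dscp is not None and pkt.dscp != self.dscp:
            return False
        return True


def route(rules: List[PolicyRoute], pkt: Packet,
          default: str = "wan_trunk") -> Tuple[str, int]:
    """Walk the numbered list top to bottom; the first matching rule decides the
    next hop and the DS byte of the outgoing packet. Returns (next_hop, tos)."""
    for rule in rules:
        if rule.matches(pkt):
            tos = pkt.tos
            if rule.mark_dscp is not None:
                tos = (rule.mark_dscp << 2) | (tos & 0x03)  # rewrite DSCP, keep ECN bits
            return rule.next_hop, tos
    return default, pkt.tos


def move(rules: List[PolicyRoute], name: str, position: int) -> None:
    """Equivalent of the Move button: put rule `name` at 1-based `position`."""
    rule = next(r for r in rules if r.name == name)
    rules.remove(rule)
    rules.insert(position - 1, rule)


if __name__ == "__main__":
    rules = [
        PolicyRoute("voip", src="192.168.1.0/24", dscp=46, next_hop="wan1"),
        PolicyRoute("guest", src="192.168.2.0/24", next_hop="wan2", mark_dscp=0),
        PolicyRoute("all-lan", src="192.168.0.0/16", next_hop="wan2"),
    ]
    ef = 46 << 2
    print(route(rules, Packet("192.168.1.10", "203.0.113.9", ef)))  # ('wan1', 184)
    move(rules, "all-lan", 1)  # the broad rule now shadows the VoIP rule
    print(route(rules, Packet("192.168.1.10", "203.0.113.9", ef)))  # ('wan2', 184)
```

The second `route` call is the case to watch for in a rule base: after the move, EF-marked voice traffic from 192.168.1.0/24 silently takes wan2 because the more general rule is reached first.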
  • Page 276: Ip Static Route Screen

    Chapter 10 Routing 10.3 IP Static Route Screen Click Configuration > Network > Routing > Static Route to open the Static Route screen. This screen displays the configured static routes. Configure static routes to be able to use RIP or OSPF to propagate the routing information to other routers.
  • Page 277 Chapter 10 Routing Figure 185 Configuration > Network > Routing > Static Route > Add (IPv4 Configuration) Figure 186 Configuration > Network > Routing > Static Route > Add (IPv6 Configuration) The following table describes the labels in this screen. Table 117 Configuration >...
  • Page 278: Policy Routing Technical Reference

    Chapter 10 Routing 10.4 Policy Routing Technical Reference Here is more detailed information about some of the features you can configure in policy routing. NAT and SNAT NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address in a packet in one network to a different IP address in another network.
  • Page 279: Routing Protocols Overview

    Chapter 10 Routing 10.5 Routing Protocols Overview Routing protocols give the ZyWALL/USG routing information about the network from other routers. The ZyWALL/USG stores this routing information in the routing table it uses to make routing decisions. In turn, the ZyWALL/USG can also use routing protocols to propagate routing information to other routers.
  • Page 280 Chapter 10 Routing • Second, the ZyWALL/USG can also redistribute routing information from non-RIP networks, specifically OSPF networks and static routes, to the RIP network. Costs might be calculated differently, however, so you use the Metric field to specify the cost in RIP terms. •...
  • Page 281: The Ospf Screen

    Chapter 10 Routing Table 120 Configuration > Network > Routing Protocol > RIP (continued) LABEL DESCRIPTION Active Static Route Select this to use RIP to advertise routes that were learned through the static route configuration. Metric Type the cost for routes provided by the static route configuration. The metric represents the “cost”...
  • Page 282 Chapter 10 Routing • A Not So Stubby Area (NSSA, RFC 1587) has routing information about the OSPF AS and networks outside the OSPF AS to which the NSSA is directly connected. It does not have any routing information about other networks outside the OSPF AS. Each type of area is illustrated in the following figure.
  • Page 283 Chapter 10 Routing • A backbone router (BR) has at least one interface with area 0. By default, every router in area 0 is a backbone router, and so is every ABR. Each type of router is illustrated in the following example. Figure 189 OSPF: Types of Routers In order to reduce the amount of traffic between routers, a group of routers that are directly connected to each other selects a designated router (DR) and a backup designated router (BDR).
  • Page 284: Configuring The Ospf Screen

    Chapter 10 Routing OSPF Configuration Follow these steps when you configure OSPF on the ZyWALL/USG. Enable OSPF. Set up the OSPF areas. Configure the appropriate interfaces. See Section 9.3.1 on page 189. Set up virtual links, as needed. 10.7.1 Configuring the OSPF Screen Use the first OSPF screen to specify the OSPF router the ZyWALL/USG uses in the OSPF AS and maintain the policies for redistribution.
  • Page 285: Ospf Area Add/Edit Screen

    Chapter 10 Routing Table 122 Configuration > Network > Routing Protocol > OSPF (continued) LABEL DESCRIPTION Active RIP Select this to advertise routes that were learned from RIP. The ZyWALL/USG advertises routes learned from RIP to Normal and NSSA areas but not to Stub areas.
  • Page 286 Chapter 10 Routing Figure 192 Configuration > Network > Routing > OSPF > Add The following table describes the labels in this screen. Table 123 Configuration > Network > Routing > OSPF > Add LABEL DESCRIPTION Area ID Type the unique, 32-bit identifier for the area in IP address format. Type Select the type of OSPF area.
  • Page 287: Virtual Link Add/Edit Screen

    Chapter 10 Routing Table 123 Configuration > Network > Routing > OSPF > Add (continued) LABEL DESCRIPTION Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to remove it before doing so.
  • Page 288: Routing Protocol Technical Reference

    Chapter 10 Routing The following table describes the labels in this screen. Table 124 Configuration > Network > Routing > OSPF > Add > Add LABEL DESCRIPTION Peer Router ID Enter the 32-bit ID (in IP address format) of the other ABR in the virtual link. Authentication Select the authentication method the virtual link uses.
  • Page 289 Chapter 10 Routing • The packet’s message-digest is the same as the one the ZyWALL/USG calculates using the MD5 password. For RIP, authentication is not available in RIP version 1. In RIP version 2, you can only select one authentication type for all interfaces. For OSPF, the ZyWALL/USG supports a default authentication type by area.
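The MD5 check described above, as an added example (illustrative code, not ZyXEL’s): OSPFv2 cryptographic authentication per RFC 2328 Appendix D, which is what the MD5 option in the OSPF screens selects. The digest is MD5 over the OSPF packet followed by the key padded to 16 bytes (a keyed hash, not an HMAC), it is appended after the packet without being counted in the packet length, and the cryptographic sequence number in the authentication field is what lets a receiver reject replayed packets. RIP version 2 MD5 authentication (RFC 2082) uses the same construction. The router IDs, key and packet body are constructed; where a device offers HMAC-SHA authentication (RFC 5709) that is the stronger choice, but this manual only lists MD5.

```python
"""Added example (not ZyXEL code): OSPFv2 cryptographic (MD5) authentication
as in RFC 2328 Appendix D. Router IDs, key and packet body are constructed."""
import hashlib
import hmac
import struct
from ipaddress import ip_address

AU_CRYPTO = 2       # AuType for cryptographic authentication
HEADER_LEN = 24     # OSPF header incl. the 8-byte authentication field
DIGEST_LEN = 16


def _pad_key(key: bytes) -> bytes:
    if len(key) > 16:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return key.ljust(16, b"\x00")


def build_ospf_packet(router_id, area_id, key_id, seq, key, body, ptype=1):
    """OSPF header + body, followed by the MD5 digest (not counted in length)."""
    length = HEADER_LEN + len(body)
    header = struct.pack("!BBHIIHH", 2, ptype, length, int(ip_address(router_id)),
                         int(ip_address(area_id)), 0, AU_CRYPTO)
    # With cryptographic auth the checksum is 0 and the 64-bit auth field carries
    # (reserved, key ID, auth data length, cryptographic sequence number).
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    packet = header + auth + body
    digest = hashlib.md5(packet + _pad_key(key)).digest()
    return packet + digest


def verify_ospf_packet(wire, keys, state):
    """keys: {key_id: key}; state: {router_id: last sequence number accepted}.
    Returns True and records the sequence number only for a good packet."""
    if len(wire) < HEADER_LEN + DIGEST_LEN:
        return False
    version, _ptype, length, rid, _aid, _csum, autype = struct.unpack("!BBHIIHH", wire[:16])
    if version != 2 or autype != AU_CRYPTO or len(wire) < length + DIGEST_LEN:
        return False
    _, key_id, auth_len, seq = struct.unpack("!HBBI", wire[16:24])
    key = keys.get(key_id)
    if key is None or auth_len != DIGEST_LEN:
        return False
    # Replay check: a sequence number below the last one seen from this router is dropped.
    if seq < state.get(rid, 0):
        return False
    expected = hashlib.md5(wire[:length] + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, wire[length:length + DIGEST_LEN]):
        return False
    state[rid] = seq
    return True


if __name__ == "__main__":
    keys = {1: b"s3cret"}
    seen = {}
    pkt = build_ospf_packet("10.0.0.1", "0.0.0.0", 1, 100, keys[1], b"\x00" * 20)
    print("genuine   :", verify_ospf_packet(pkt, keys, seen))                       # True
    print("wrong key :", verify_ospf_packet(pkt, {1: b"wrong"}, seen))              # False
    old = build_ospf_packet("10.0.0.1", "0.0.0.0", 1, 99, keys[1], b"\x00" * 20)
    print("replayed  :", verify_ospf_packet(old, keys, seen))                       # False
```

Only the key ID travels on the wire; the key itself never does, which is why a neighbour with a different key for the same ID fails the digest comparison rather than the parse.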
  • Page 290: Chapter 11 Ddns

    Chapter 11 DDNS 11.1 DDNS Overview Dynamic DNS (DDNS) services let you use a domain name with a dynamic IP address. 11.1.1 What You Can Do in this Chapter • Use the DDNS screen (see Section 11.2 on page 291) to view a list of the configured DDNS domain names and their details.
  • Page 291: The Ddns Screen

    Chapter 11 DDNS 11.2 The DDNS Screen The DDNS screen provides a summary of all DDNS domain names and their configuration. In addition, this screen allows you to add new domain names, edit the configuration for existing domain names, and delete domain names. Click Configuration > Network > DDNS to open the following screen.
  • Page 292: The Dynamic Dns Add/Edit Screen

    Chapter 11 DDNS Table 126 Configuration > Network > DDNS (continued) LABEL DESCRIPTION Apply Click this button to save your changes to the ZyWALL/USG. Reset Click this button to return the screen to its last-saved settings. 11.2.1 The Dynamic DNS Add/Edit Screen The DDNS Add/Edit screen allows you to add a domain name to the ZyWALL/USG or to edit the configuration of an existing domain name.
  • Page 293 Chapter 11 DDNS Figure 196 Configuration > Network > DDNS > Add - Custom The following table describes the labels in this screen. Table 127 Configuration > Network > DDNS > Add LABEL DESCRIPTION Show Advanced Click this button to display a greater or lesser number of configuration fields. Settings / Hide Advanced Settings Enable DDNS Profile...
  • Page 294 Chapter 11 DDNS Table 127 Configuration > Network > DDNS > Add (continued) LABEL DESCRIPTION DDNS Settings Domain name Type the domain name you registered. You can use up to 255 characters. Primary Binding Use these fields to set how the ZyWALL/USG determines the IP address that is mapped Address to your domain name in the DDNS server.
  • Page 295 Chapter 11 DDNS Table 127 Configuration > Network > DDNS > Add (continued) LABEL DESCRIPTION Mail Exchanger This option is only available with a DynDNS account. DynDNS can route e-mail for your domain name to a mail server (called a mail exchanger).
  • Page 296: Nat

    Chapter 12 NAT 12.1 NAT Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network is changed to a different IP address known within another network. Use Network Address Translation (NAT) to make computers on a private network behind the ZyWALL/USG available outside the private network.
  • Page 297 Chapter 12 NAT screen, login to the Web Configurator and click Configuration > Network > NAT. The following screen appears, providing a summary of the existing NAT rules. Click on the icons to go to the OneSecurity.com website where there is guidance on configuration walkthroughs, troubleshooting, and other information.
  • Page 298: The Nat Add/Edit Screen

    Chapter 12 NAT Table 128 Configuration > Network > NAT (continued) LABEL DESCRIPTION Apply Click this button to save your changes to the ZyWALL/USG. Reset Click this button to return the screen to its last-saved settings. 12.2.1 The NAT Add/Edit Screen The NAT Add/Edit screen lets you create new NAT rules and edit existing ones.
  • Page 299 Chapter 12 NAT Table 129 Configuration > Network > NAT > Add (continued) LABEL DESCRIPTION Classification Select what kind of NAT this rule is to perform. Virtual Server - This makes computers on a private network behind the ZyWALL/USG available to a public network outside the ZyWALL/USG (like the Internet). 1:1 NAT - If the private network server will initiate sessions to the outside clients, select this to have the ZyWALL/USG translate the source IP address of the server’s outgoing traffic to the same public IP address that the outside clients use to access the...
  • Page 300 Chapter 12 NAT Table 129 Configuration > Network > NAT > Add (continued) LABEL DESCRIPTION Port Mapping Type Use the drop-down list box to select how many original destination ports this NAT rule supports for the selected destination IP address (Original IP). Choices are: Any - this NAT rule supports all the destination ports.
  • Page 301: Nat Technical Reference

    Chapter 12 NAT 12.3 NAT Technical Reference Here is more detailed information about NAT on the ZyWALL/USG. NAT Loopback Suppose a NAT 1:1 rule maps a public IP address to the private IP address of a LAN SMTP e-mail server to give WAN users access. NAT loopback allows other users to also use the rule’s original IP to access the mail server.
  • Page 302 Chapter 12 NAT Figure 201 LAN to LAN Traffic (the figure shows the LAN user at 192.168.1.89, the ZyWALL/USG LAN address 192.168.1.1 and the SMTP server at 192.168.1.21; the request’s source address is changed from 192.168.1.89 to 192.168.1.1 as it passes through the ZyWALL/USG). The LAN SMTP server replies to the ZyWALL/USG’s LAN IP address and the ZyWALL/USG changes the source address to 1.1.1.1 before sending it to the LAN user. The return traffic’s source matches the original destination address (1.1.1.1).
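The loopback case in Figure 201, as an added example (illustrative code, not ZyXEL’s NAT engine): a LAN client at 192.168.1.89 connects to the server’s public address 1.1.1.1; the 1:1 rule translates the destination to 192.168.1.21 either way, but only with loopback is the source also translated to the ZyWALL/USG’s LAN address, so that the server’s reply returns through the firewall and is un-translated back to a source of 1.1.1.1. Without loopback the server answers the client directly from 192.168.1.21, which does not match the address the client connected to, and the session fails. The session table is a minimal stand-in.

```python
"""Added example (not ZyXEL code): what NAT loopback changes when a LAN client
reaches a LAN server through its public 1:1 NAT address. Addresses follow
Figure 201; the session table is a minimal stand-in for real flow tracking."""
from dataclasses import dataclass, replace

LAN_IP = "192.168.1.1"                    # ZyWALL/USG LAN interface address
NAT_1TO1 = {"1.1.1.1": "192.168.1.21"}    # public -> private (the SMTP server)


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int


class Firewall:
    def __init__(self, loopback: bool):
        self.loopback = loopback
        self.sessions = {}  # (src, dst, sport, dport) after translation -> original (src, dst)

    def lan_to_server(self, pkt: Pkt) -> Pkt:
        """A LAN client sends to the public IP. DNAT always applies; SNAT to the
        firewall's own LAN IP applies only when NAT loopback is on."""
        private = NAT_1TO1.get(pkt.dst)
        if private is None:
            return pkt                  # not a NAT rule destination: route unchanged
        out = replace(pkt, dst=private)
        if self.loopback:
            out = replace(out, src=LAN_IP)
        self.sessions[(out.src, out.dst, out.sport, out.dport)] = (pkt.src, pkt.dst)
        return out

    def server_reply(self, reply: Pkt) -> Pkt:
        """Undo both translations for a reply that comes back through the firewall."""
        key = (reply.dst, reply.src, reply.dport, reply.sport)
        if key not in self.sessions:
            return reply
        orig_src, orig_dst = self.sessions[key]
        return replace(reply, src=orig_dst, dst=orig_src)


def client_sees_reply(loopback: bool) -> Pkt:
    """Full round trip; returns the server's reply as it arrives at the client."""
    fw = Firewall(loopback)
    request = Pkt("192.168.1.89", "1.1.1.1", 51000, 25)
    at_server = fw.lan_to_server(request)
    reply = Pkt(at_server.dst, at_server.src, 25, at_server.sport)
    if at_server.src == LAN_IP:
        return fw.server_reply(reply)   # reply is addressed to the firewall: un-NAT it
    return reply                        # reply goes straight to the client, bypassing the firewall


if __name__ == "__main__":
    print("with loopback   :", client_sees_reply(True))   # src=1.1.1.1, dst=192.168.1.89
    print("without loopback:", client_sees_reply(False))  # src=192.168.1.21: client rejects it
```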
  • Page 303: Http Redirect

    Chapter 13 HTTP Redirect 13.1 Overview HTTP redirect forwards the client’s HTTP request (except HTTP traffic destined for the ZyWALL/USG) to a web proxy server. In the following example, proxy server A is connected to the DMZ interface. When a client connected to the LAN1 zone wants to open a web page, its HTTP request is redirected to proxy server A first.
  • Page 304: The Http Redirect Screen

    Chapter 13 HTTP Redirect A client connects to a web proxy server each time he/she wants to access the Internet. The web proxy provides caching service to allow quick access and reduce network usage. The proxy checks its local cache for the requested web resource first. If it is not found, the proxy gets it from the specified server and forwards the response to the client.
  • Page 305: The Http Redirect Edit Screen

    Chapter 13 HTTP Redirect Figure 204 Configuration > Network > HTTP Redirect The following table describes the labels in this screen. Table 130 Configuration > Network > HTTP Redirect LABEL DESCRIPTION Click this to create a new entry. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
  • Page 306 Chapter 13 HTTP Redirect The following table describes the labels in this screen. Table 131 Network > HTTP Redirect > Edit LABEL DESCRIPTION Enable Use this option to turn the HTTP redirect rule on or off. Name Enter a name to identify this rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 307: Chapter 14

    Chapter 14 ALG 14.1 ALG Overview Application Layer Gateway (ALG) allows the following applications to operate properly through the ZyWALL/USG’s NAT. • SIP - Session Initiation Protocol (SIP) - An application-layer protocol that can be used to create voice and multimedia sessions over Internet. •...
  • Page 308: Sip Alg

    Chapter 14 ALG FTP ALG The FTP ALG allows TCP packets with a specified port destination to pass through. If the FTP server is located on the LAN, you must also configure NAT (port forwarding) and security policies if you want to allow access to the server from the WAN.
  • Page 309 Chapter 14 ALG • The ZyWALL/USG allows SIP audio connections. • You do not need to use TURN (Traversal Using Relays around NAT) for VoIP devices behind the ZyWALL/USG when you enable the SIP ALG. • Configuring the SIP ALG to use custom port numbers for SIP traffic also configures the application patrol (see Chapter 28 on page 468) to use the same port numbers for SIP traffic.
  • Page 310: Before You Begin

    Chapter 14 ALG corresponding policy routes to have calls from LAN IP address A go out through WAN IP address 1 and calls from LAN IP address B go out through WAN IP address 2. Figure 209 VoIP with Multiple WAN IP Addresses 14.1.2 Before You Begin You must also configure the security policy and enable NAT in the ZyWALL/USG to allow sessions initiated from the WAN.
  • Page 311 Chapter 14 ALG Figure 210 Configuration > Network > ALG The following table describes the labels in this screen. Table 132 Configuration > Network > ALG LABEL DESCRIPTION Enable SIP ALG Turn on the SIP ALG to detect SIP traffic and help build SIP sessions through the ZyWALL/USG’s NAT.
  • Page 312 Chapter 14 ALG Table 132 Configuration > Network > ALG (continued) LABEL DESCRIPTION SIP Signaling Inactivity Most SIP clients have an “expire” mechanism indicating the lifetime of signaling Timeout sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL/USG.
  • Page 313: Alg Technical Reference

    Chapter 14 ALG 14.3 ALG Technical Reference Here is more detailed information about the Application Layer Gateway. Some applications cannot operate through NAT (are NAT un-friendly) because they embed IP addresses and port numbers in their packets’ data payload. The ZyWALL/USG examines and uses IP address and port number information embedded in the VoIP traffic’s data stream.
  • Page 314 Chapter 14 ALG When you make a VoIP call using H.323 or SIP, the RTP (Real-time Transport Protocol) is used to handle voice data transfer. See RFC 1889 for details on RTP (RFC 1889 has since been replaced by RFC 3550, which describes the same protocol).
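What the SIP ALG does with the addresses embedded in the payload, as an added example (illustrative code, not ZyXEL’s ALG): the INVITE’s SDP body names the phone’s private address in its `c=` line and the RTP port in its `m=` line; the ALG rewrites both to the WAN address and a public port it reserves (RTP on an even port, RTCP on the next odd one), records the mapping so inbound RTP on that public port can be forwarded to the phone, and recomputes Content-Length because the body changed size. The INVITE, the WAN address 203.0.113.5 and the port pool are constructed.

```python
"""Added example (not ZyXEL code): the SDP rewrite a SIP ALG performs so that a
phone behind NAT can receive RTP. The INVITE, WAN address 203.0.113.5 and the
public port pool are constructed for illustration."""
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.5"

SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)
INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@example.net>;tag=1928\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP)}\r\n"
    "\r\n" + SDP
)


class SipAlg:
    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        self.rtp_map: Dict[int, Tuple[str, int]] = {}  # public port -> (private ip, port)

    def _allocate_pair(self, private_ip: str, private_port: int) -> int:
        # RTP uses an even port and RTCP the next odd one, so map them as a pair.
        pub = self._next_port
        self._next_port += 2
        self.rtp_map[pub] = (private_ip, private_port)
        self.rtp_map[pub + 1] = (private_ip, private_port + 1)
        return pub

    def outbound(self, msg: str) -> str:
        """Rewrite a LAN-to-WAN SIP message carrying SDP; others pass unchanged."""
        head, sep, body = msg.partition("\r\n\r\n")
        if not sep or "application/sdp" not in head:
            return msg
        lines = body.split("\r\n")
        private_ip = next((l.split()[-1] for l in lines if l.startswith("c=IN IP4 ")), None)
        if private_ip is None:
            return msg
        out = []
        for line in lines:
            if line.startswith("c=IN IP4 "):
                line = f"c=IN IP4 {self.public_ip}"
            elif line.startswith("m="):
                media, port, rest = line.split(" ", 2)
                line = f"{media} {self._allocate_pair(private_ip, int(port))} {rest}"
            out.append(line)
        body = "\r\n".join(out)
        headers = []
        for h in head.split("\r\n"):
            if h.lower().startswith("content-length:"):
                h = f"Content-Length: {len(body.encode())}"   # body size changed
            elif h.startswith("Contact:"):
                h = h.replace(private_ip, self.public_ip)      # signalling reaches the WAN IP
            headers.append(h)
        return "\r\n".join(headers) + sep + body

    def inbound_rtp(self, public_port: int) -> Optional[Tuple[str, int]]:
        """Where a packet arriving on a mapped WAN UDP port is forwarded, if anywhere."""
        return self.rtp_map.get(public_port)


if __name__ == "__main__":
    alg = SipAlg()
    print(alg.outbound(INVITE))
    print(alg.inbound_rtp(40000))   # ('192.168.1.20', 49170)
```

The mapping table is the security-relevant state: only ports the ALG opened for a signalled call are forwarded inbound, and they should be released when the call ends, which is what the ALG timeouts on the configuration screen control.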
  • Page 315: Upnp

    Chapter 15 UPnP 15.1 UPnP and NAT-PMP Overview The ZyWALL/USG supports both UPnP and NAT-PMP to permit networking devices to discover each other and connect seamlessly. Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices.
  • Page 316: Cautions With Upnp And Nat-Pmp

    Chapter 15 UPnP 15.2.2 Cautions with UPnP and NAT-PMP The automated nature of NAT traversal applications in establishing their own services and opening security policy ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments. When a UPnP or NAT-PMP device joins a network, it announces its presence with a multicast message.
  • Page 317: Technical Reference

    Chapter 15 UPnP The following table describes the fields in this screen. Table 133 Configuration > Network > UPnP LABEL DESCRIPTION Enable UPnP Select this check box to activate UPnP on the ZyWALL/USG. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the ZyWALL/USG's IP address (although you must still enter the password to access the web configurator).
  • Page 318 Chapter 15 UPnP Click Change Advanced Sharing Settings. Select Turn on network discovery and click Save Changes. Network discovery allows your computer to find other computers and devices on the network and other computers on the network to find your computer. This makes it easier to share files and printers. ZyWALL/USG Series User’s Guide...
  • Page 319: Using Upnp In Windows Xp Example

    Chapter 15 UPnP 15.4.2 Using UPnP in Windows XP Example This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyWALL/USG. Make sure the computer is connected to a LAN port of the ZyWALL/USG. Turn on your computer and the ZyWALL/USG.
  • Page 320 Chapter 15 UPnP Figure 214 Internet Connection Properties: Advanced Settings Figure 215 Internet Connection Properties: Advanced Settings: Add Note: When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. Select Show icon in notification area when connected option and click OK. An icon displays in the system tray.
  • Page 321: Web Configurator Easy Access

    Chapter 15 UPnP Figure 217 Internet Connection Status 15.4.3 Web Configurator Easy Access With UPnP, you can access the web-based configurator on the ZyWALL/USG without finding out the IP address of the ZyWALL/USG first. This comes helpful if you do not know the IP address of the ZyWALL/USG.
  • Page 322 Chapter 15 UPnP Figure 218 Network Connections An icon with the description for each UPnP-enabled device displays under Local Network. Right-click on the icon for your ZyWALL/USG and select Invoke. The web configurator login screen displays. Figure 219 Network Connections: My Network Places Right-click on the icon for your ZyWALL/USG and select Properties.
  • Page 323 Chapter 15 UPnP Figure 220 Network Connections: My Network Places: Properties: Example
  • Page 324: Ip/Mac Binding

    Chapter 16 IP/MAC Binding 16.1 IP/MAC Binding Overview IP address to MAC address binding helps ensure that only the intended devices get to use privileged IP addresses. The ZyWALL/USG uses DHCP to assign IP addresses and records the MAC address it assigned to each IP address.
  • Page 325: Ip/Mac Binding Summary

    Chapter 16 IP/MAC Binding Interfaces Used With IP/MAC Binding IP/MAC address bindings are grouped by interface. You can use IP/MAC binding with Ethernet, bridge, VLAN, and WLAN interfaces. You can also enable or disable IP/MAC binding and logging in an interface’s configuration screen. 16.2 IP/MAC Binding Summary Click Configuration >...
  • Page 326: Static Dhcp Edit

    Chapter 16 IP/MAC Binding Figure 223 Configuration > Network > IP/MAC Binding > Edit The following table describes the labels in this screen. Table 135 Configuration > Network > IP/MAC Binding > Edit LABEL DESCRIPTION IP/MAC Binding Settings Interface Name This field displays the name of the interface within the ZyWALL/USG and the interface’s IP address and subnet mask.
  • Page 327: Ip/Mac Binding Exempt List

    Chapter 16 IP/MAC Binding Figure 224 Configuration > Network > IP/MAC Binding > Edit > Add The following table describes the labels in this screen. Table 136 Configuration > Network > IP/MAC Binding > Edit > Add LABEL DESCRIPTION Interface Name This field displays the name of the interface within the ZyWALL/USG and the interface’s IP address and subnet mask.
  • Page 328 Chapter 16 IP/MAC Binding Table 137 Configuration > Network > IP/MAC Binding > Exempt List (continued) LABEL DESCRIPTION Remove To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to remove it before doing so. This is the index number of the IP/MAC binding list entry. Name Enter a name to help identify this entry.
  • Page 329: Layer 2 Isolation

    Chapter 17 Layer 2 Isolation 17.1 Overview Layer-2 isolation is used to prevent connected devices from communicating with each other in the ZyWALL/USG’s local network(s), except for the devices in the white list, when layer-2 isolation is enabled on the ZyWALL/USG and the local interface(s). Note: The security policy control must be enabled before you can use layer-2 isolation.
  • Page 330: Layer-2 Isolation General Screen

    Chapter 17 Layer 2 Isolation 17.2 Layer-2 Isolation General Screen This screen allows you to enable Layer-2 isolation on the ZyWALL/USG and specific internal interface(s). To access this screen click Configuration > Network > Layer 2 Isolation. Figure 227 Configuration > Network > Layer 2 Isolation The following table describes the labels in this screen.
  • Page 331: Add/Edit White List Rule

    Chapter 17 Layer 2 Isolation Figure 228 Configuration > Network > Layer 2 Isolation > White List The following table describes the labels in this screen. Table 139 Configuration > Network > Layer 2 Isolation > White List LABEL DESCRIPTION Enable White List Select this option to turn on the white list on the ZyWALL/USG.
  • Page 332 Chapter 17 Layer 2 Isolation Figure 229 Configuration > Network > Layer 2 Isolation > White List > Add/Edit The following table describes the labels in this screen. Table 140 Configuration > Network > Layer 2 Isolation > White List > Add/Edit LABEL DESCRIPTION Enable...
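The two local-interface checks from this chapter and the preceding one, as an added example (illustrative code, not ZyXEL’s forwarding path): a frame on a binding-enabled interface is first checked against the IP/MAC binding table unless its source is in the exempt list, then, if layer-2 isolation is enabled and the destination is another host on the same local network, it is allowed only when the destination is on the white list. The binding table, exempt range and white list are constructed; the interface’s own address is treated as always reachable, and a source address that is neither bound nor exempt is dropped, both of which are assumptions to verify against the interface’s settings.

```python
"""Added example (not ZyXEL code): IP/MAC binding with an exempt list, then
layer-2 isolation with a white list, applied to one frame on a local interface.
Table contents are constructed; treating the interface's own address as always
reachable and dropping unknown, non-exempt sources are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple


@dataclass
class LocalInterface:
    name: str
    network: str                                  # e.g. "192.168.1.0/24"
    address: str                                  # the interface's own IP
    binding_enabled: bool = True
    bindings: Dict[str, str] = field(default_factory=dict)       # ip -> mac
    exempt: List[Tuple[str, str]] = field(default_factory=list)  # (first ip, last ip)
    isolation_enabled: bool = False
    white_list: Set[str] = field(default_factory=set)            # local ips reachable by all

    def is_local(self, ip: str) -> bool:
        return ip_address(ip) in ip_network(self.network)

    def is_exempt(self, ip: str) -> bool:
        a = ip_address(ip)
        return any(ip_address(lo) <= a <= ip_address(hi) for lo, hi in self.exempt)


def check(iface: LocalInterface, src_ip: str, src_mac: str, dst_ip: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a frame received on `iface`."""
    if iface.binding_enabled and not iface.is_exempt(src_ip):
        bound_mac = iface.bindings.get(src_ip)
        if bound_mac is None:
            return False, "ip/mac binding: source address not bound or exempt"
        if bound_mac.lower() != src_mac.lower():
            return False, "ip/mac binding: MAC does not match the binding"
    if (iface.isolation_enabled and iface.is_local(dst_ip)
            and dst_ip != iface.address and dst_ip not in iface.white_list):
        return False, "layer-2 isolation: local destination not in white list"
    return True, "forward"


if __name__ == "__main__":
    lan1 = LocalInterface(
        "lan1", "192.168.1.0/24", "192.168.1.1",
        bindings={"192.168.1.10": "00:11:22:33:44:55"},
        exempt=[("192.168.1.200", "192.168.1.210")],
        isolation_enabled=True, white_list={"192.168.1.5"},   # e.g. a shared printer
    )
    print(check(lan1, "192.168.1.10", "00:11:22:33:44:55", "203.0.113.9"))  # forward
    print(check(lan1, "192.168.1.10", "66:77:88:99:aa:bb", "203.0.113.9"))  # MAC mismatch
    print(check(lan1, "192.168.1.10", "00:11:22:33:44:55", "192.168.1.11"))  # isolated
```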
  • Page 333: Inbound Load Balancing

    Chapter 18 Inbound Load Balancing 18.1 Inbound Load Balancing Overview Inbound load balancing enables the ZyWALL/USG to respond to a DNS query message with a different IP address for DNS name resolution. The ZyWALL/USG checks which member interface has the least load and responds to the DNS query message with the interface’s IP address. In the following figure, an Internet host (A) sends a DNS query message to the DNS server (D) in order to resolve a domain name of www.example.com.
  • Page 334: The Inbound Lb Screen

    Chapter 18 Inbound Load Balancing • Use the Inbound LB Add/Edit screen (see Section 18.2.1 on page 335) to add or edit a DNS load balancing rule. 18.2 The Inbound LB Screen The Inbound LB screen provides a summary of all DNS load balancing rules and the details. You can also use this screen to add, edit, or remove the rules.
  • Page 335: The Inbound Lb Add/Edit Screen

    Chapter 18 Inbound Load Balancing Table 141 Configuration > Network > Inbound LB (continued) LABEL DESCRIPTION Query From Address This field displays the source IP address of the DNS query messages to which the ZyWALL/USG applies the DNS load balancing rule. Query From Zone The ZyWALL/USG applies the DNS load balancing rule to the query messages received from this zone.
  • Page 336 Chapter 18 Inbound Load Balancing Figure 232 Configuration > Network > Inbound LB > Add The following table describes the labels in this screen. Table 142 Configuration > Network > Inbound LB > Add/Edit LABEL DESCRIPTION Create New Object Use this to configure any new setting objects that you need to use in this screen. General Settings Enable Select this to enable this DNS load balancing rule.
  • Page 337: The Inbound Lb Member Add/Edit Screen

    Chapter 18 Inbound Load Balancing Table 142 Configuration > Network > Inbound LB > Add/Edit (continued) LABEL DESCRIPTION Load Balancing Member Select a load balancing method to use from the drop-down list box. Load Balancing Algorithm Select Weighted Round Robin to balance the traffic load between interfaces based on their respective weights.
  • Page 338 Chapter 18 Inbound Load Balancing Figure 233 Configuration > Network > Inbound LB > Add/Edit > Add The following table describes the labels in this screen. Table 143 Configuration > Network > Inbound LB > Add/Edit > Add/Edit LABEL DESCRIPTION Member The ZyWALL/USG checks each member interface’s loading in the order displayed here.
  • Page 339: Web Authentication

    Chapter 19 Web Authentication 19.1 Web Auth Overview Web authentication can intercept network traffic, according to the authentication policies, until the user authenticates his or her connection, usually through a specifically designated login web page. This means all web page requests can initially be redirected to a special web page that requires users to authenticate their sessions.
  • Page 340: What You Need To Know

    Chapter 19 Web Authentication 19.1.2 What You Need to Know Single Sign-On A SSO (Single Sign On) agent integrates Domain Controller and ZyWALL/USG authentication mechanisms, so that users just need to log in once (single) to get access to permitted resources. Forced User Authentication Instead of making users for which user-aware policies have been configured go to the ZyWALL/USG Login screen manually, you can configure the ZyWALL/USG to display the Login screen...
  • Page 341 Chapter 19 Web Authentication Figure 235 Configuration > Web Authentication (Web Portal) The following table gives an overview of the objects you can configure. Table 144 Configuration > Web Authentication LABEL DESCRIPTION Enable Web Select Enable Web Authentication to turn on the web authentication feature. Authentication Once enabled, all network traffic is blocked until a client authenticates with the ZyWALL/ USG through the specifically designated web portal.
  • Page 342 Chapter 19 Web Authentication Table 144 Configuration > Web Authentication (continued) LABEL DESCRIPTION Welcome URL Specify the welcome page’s URL; for example, http://IIS server IP Address/welcome.html. The Internet Information Server (IIS) is the web server on which the web portal files are installed.
  • Page 343: Creating Exceptional Services

    Chapter 19 Web Authentication 19.2.1 Creating Exceptional Services This screen lists services that users can access without logging in. Click Add under Exceptional Services in the previous screen to display this screen. You can change the list’s membership here. Available services appear on the left. Select any services you want users to be able to access without logging in and click the right arrow button ->...
  • Page 344: Sso Overview

    Chapter 19 Web Authentication The following table gives an overview of the objects you can configure. Table 145 Configuration > Web Authentication > Add Authentication Policy LABEL DESCRIPTION Create new Use to configure any new settings objects that you need to use in this screen. Select Object Address or Schedule.
  • Page 345 Chapter 19 Web Authentication Note: The ZyWALL/USG, the DC, the SSO agent and the AD server must all be in the same domain and be able to communicate with each other. SSO does not support IPv6, LDAP or RADIUS; you must use it in an IPv4 network environment with Windows AD (Active Directory) authentication database.
  • Page 346: Sso - Zywall/Usg Configuration

    Chapter 19 Web Authentication 19.4 SSO - ZyWALL/USG Configuration This section shows what you have to do on the ZyWALL/USG in order to use SSO. Table 146 ZyWALL/USG - SSO Agent Field Mapping ZYWALL/USG SCREEN FIELD SCREEN FIELD Web Authentication > Listen Port Agent Configuration Gateway Port...
  • Page 347: Enable Web Authentication

    Chapter 19 Web Authentication Figure 239 Configuration > Web Authentication > SSO The following table gives an overview of the objects you can configure. Table 147 Configuration > Web Authentication > SSO LABEL DESCRIPTION Listen Port The default agent listening port is 2158. If you change it on the ZyWALL/USG, then change it to the same number in the Gateway Port field on the SSO agent too.
  • Page 348: Create A Security Policy

    Chapter 19 Web Authentication Make sure you select Enable Policy, Single Sign-On and choose required in Authentication. Do NOT select any as the source address unless you want all incoming connections to be authenticated! See Table 144 on page 341 and Table 145 on page 344 for more information on configuring these screens.
  • Page 349: Configure User Information

    Chapter 19 Web Authentication Configure the fields as shown in the following screen. Configure the source and destination addresses according to the SSO web authentication traffic in your network. 19.4.5 Configure User Information Configure a User account of the ext-group-user type.
  • Page 350: Configure An Authentication Method

    Chapter 19 Web Authentication Configure Group Identifier to be the same as Group Membership on the SSO agent. 19.4.6 Configure an Authentication Method Configure Active Directory (AD) for authentication with SSO. Choose group ad as the authentication server for SSO. ZyWALL/USG Series User’s Guide...
  • Page 351: Configure Active Directory

    Chapter 19 Web Authentication 19.4.7 Configure Active Directory You must configure an Active Directory (AD) server in AAA Setup to be the same as AD configured on the SSO agent. The default AD server port is 389. If you change this, make sure you make the same changes on the SSO.
  • Page 352: SSO Agent Configuration

    Chapter 19 Web Authentication 19.5 SSO Agent Configuration This section shows what you have to do on the SSO agent in order to work with the ZyWALL/USG. After you install the SSO agent, you will see an icon in the system tray (bottom right of the screen) ZyWALL/USG Series User’s Guide...
  • Page 353 Chapter 19 Web Authentication Right-click the SSO icon and select Configure ZyXEL SSO Agent. Configure the Agent Listening Port, AD server exactly as you have done on the ZyWALL/USG. Add the ZyWALL/USG IP address as the Gateway. Make sure the ZyWALL/USG and SSO agent are able to communicate with each other.
  • Page 354 Chapter 19 Web Authentication Configure the Server Address, Port, Base DN, Bind DN, Login Name Attribute and Group Membership for the AD server settings exactly as you have done on the ZyWALL/USG. Group Membership is called Group Identifier on the ZyWALL/USG. LDAP/AD Server Configuration ZyWALL/USG Series User’s Guide...
  • Page 355 Chapter 19 Web Authentication Configure the Gateway IP address, Gateway Port and PreShareKey exactly as you have done in the ZyWALL/USG Configuration > Web Authentication > SSO screen. If you want to use Generate Key to have the SSO create a random password, select Check to show PreShareKey as clear Text so as to see the password, then copy and paste it to the ZyWALL/USG.
  • Page 357: RTLS

    Chapter 20 RTLS 20.1 Overview Ekahau RTLS (Real Time Location Service) tracks battery-powered Wi-Fi tags attached to APs managed by the ZyWALL/USG to create maps, alerts, and reports. The Ekahau RTLS Controller is the centerpiece of the RTLS system. This server software runs on a Windows computer to track and locate Ekahau tags from Wi-Fi signal strength measurements.
  • Page 358: Before You Begin

    Chapter 20 RTLS 20.2 Before You Begin You need: • At least three APs managed by the ZyWALL/USG (the more APs the better since it increases the amount of information the Ekahau RTLS Controller has for calculating the location of the tags) •...
  • Page 359 Chapter 20 RTLS The following table describes the labels in this screen. Table 149 Configuration > RTLS LABEL DESCRIPTION Enable Select this to use Wi-Fi to track the location of Ekahau Wi-Fi tags. IP Address Specify the IP address of the Ekahau RTLS Controller. Server Port Specify the server port number of the Ekahau RTLS Controller.
  • Page 360: Chapter 21 Security Policy

    Chapter 21 Security Policy 21.1 Overview A security policy is a template of security settings that can be applied to specific traffic at specific times. The policy can be applied: • to a specific direction of travel of packets (from / to) •...
  • Page 361: One Security

    Chapter 21 Security Policy 21.2 One Security OneSecurity.com is a website with guidance on configuration walkthroughs, troubleshooting, and other information. This is an example of a port forwarding configuration walkthrough. Figure 243 Example of a Port Forwarding Configuration Walkthrough. This is an example of L2TP over IPSec VPN troubleshooting. ZyWALL/USG Series User’s Guide...
  • Page 362 Chapter 21 Security Policy Figure 244 Example of L2TP over IPSec Troubleshooting - 1 ZyWALL/USG Series User’s Guide...
  • Page 363 Chapter 21 Security Policy Figure 245 Example of L2TP over IPSec Troubleshooting - 2 In the ZyWALL/USG, you will see icons that link to OneSecurity walkthroughs, troubleshooting and so on in certain screens. For example, at the time of writing, these are the OneSecurity icons you can see. Table 150 OneSecurity Icons ONESECURITY ICON SCREEN...
  • Page 364: What You Can Do In This Chapter

    Chapter 21 Security Policy Table 150 OneSecurity Icons (continued) ONESECURITY ICON SCREEN Click this icon for more information on Application Patrol, which identifies traffic that passes through the ZyWALL/USG, so you can decide what to do with specific types of traffic. Traffic not recognized by application patrol is ignored. •...
  • Page 365: What You Need To Know

    Chapter 21 Security Policy 21.3.1 What You Need to Know Stateful Inspection The ZyWALL/USG uses stateful inspection in its security policies. The ZyWALL/USG restricts access by screening data packets against defined access rules. It also inspects sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first. Zones A zone is a group of interfaces.
  • Page 366: The Security Policy Screen

    Chapter 21 Security Policy A From Any To Device direction policy applies to traffic from an interface which is not in a zone. Global Security Policies Security Policies with from any and/or to any as the packet direction are called global Security Policies.
  • Page 367: Configuring The Security Policy Control Screen

    Chapter 21 Security Policy By putting LAN 1 and the alternate gateway (A in the figure) in different subnets, all returning network traffic must pass through the ZyWALL/USG to the LAN. The following steps and figure describe such a scenario. A computer on the LAN1 initiates a connection by sending a SYN packet to a receiving server on the WAN.
  • Page 368 Chapter 21 Security Policy Figure 247 Configuration > Security Policy > Policy Control The following table describes the labels in this screen. Table 152 Configuration > Security Policy > Policy Control LABEL DESCRIPTION Show Filter/Hide Click Show Filter to display IPv4 and IPv6 (if enabled) security policy search filters. Filter IPv4 / IPv6 Use IPv4 / IPv6 search filters to find specific IPv4 and IPv6 (if enabled) security policies...
  • Page 369 Chapter 21 Security Policy Table 152 Configuration > Security Policy > Policy Control (continued) LABEL DESCRIPTION IPv4 / IPv6 Type an IPv4 or IPv6 IP address to view all security policies based on the IPv4 / IPv6 Destination destination address object used. •...
  • Page 370: The Security Policy Control Add/Edit Screen

    Chapter 21 Security Policy Table 152 Configuration > Security Policy > Policy Control (continued) LABEL DESCRIPTION Name This is the name of the Security policy. From / To This is the direction of travel of packets. Select from which zone the packets come and to which zone they go.
  • Page 371 Chapter 21 Security Policy Figure 248 Configuration > Security Policy > Policy Control > Add The following table describes the labels in this screen. Table 153 Configuration > Security Policy > Policy Control > Add LABEL DESCRIPTION Create new Use to configure any new settings objects that you need to use in this screen. Object Enable Select this check box to activate the Security policy.
  • Page 372: Anomaly Detection And Prevention Overview

    Chapter 21 Security Policy Table 153 Configuration > Security Policy > Policy Control > Add (continued) LABEL DESCRIPTION User This field is not available when you are configuring a to-ZyWALL/USG policy. Select a user name or user group to which to apply the policy. The Security Policy is activated only when the specified user logs into the system and the policy will be disabled when the user logs out.
  • Page 373: The Anomaly Detection And Prevention General Screen

    Chapter 21 Security Policy Traffic Anomalies Traffic anomaly policies look for abnormal behavior or events such as port scanning, sweeping or network flooding. They operate at OSI layer-2 and layer-3. Traffic anomaly policies may be updated when you upload new firmware. Protocol Anomalies Protocol anomalies are packets that do not comply with the relevant RFC (Request For Comments).
  • Page 374: Creating New Adp Profiles

    Chapter 21 Security Policy Table 154 Configuration > Security Policy > ADP > General LABEL DESCRIPTION Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. Activate To turn on an entry, select it and click Activate.
  • Page 375: Traffic Anomaly Profiles

    Chapter 21 Security Policy Figure 250 Configuration > Security Policy > ADP > Profile The following table describes the labels in this screen. Table 155 Configuration > Security Policy > ADP > Profile LABEL DESCRIPTION Profile Management Create ADP profiles here and then apply them in the Configuration > Security Policy >...
  • Page 376 Chapter 21 Security Policy Figure 251 Configuration > Security Policy > ADP > Profile > Add-Traffic-Anomaly The following table describes the labels in this screen. Table 156 Configuration > Security Policy > ADP > Profile > Add-Traffic-Anomaly LABELS DESCRIPTION Name A name is automatically generated that you can edit.
  • Page 377 Chapter 21 Security Policy Table 156 Configuration > Security Policy > ADP > Profile > Add-Traffic-Anomaly (continued) LABELS DESCRIPTION Scan/Flood Detection Scan detection, such as port scanning, tries to find attacks where an attacker scans device(s) to determine what types of network protocols or services a device supports.
  • Page 378: Protocol Anomalies

    Chapter 21 Security Policy 21.5.4 Protocol Anomalies Protocol anomalies are packets that do not comply with the relevant RFC (Request For Comments). Protocol anomaly detection includes: • TCP Decoder • UDP Decoder • ICMP Decoder Figure 252 Configuration > Security Policy > ADP > Profile > Add-Protocol-Anomaly ZyWALL/USG Series User’s Guide...
  • Page 379 Chapter 21 Security Policy The following table describes the labels in this screen. Table 157 Configuration > Security Policy > ADP > Profile > Add-Protocol-Anomaly LABEL DESCRIPTION Name A name is automatically generated that you can edit. The name must be the same in the Traffic Anomaly and Protocol Anomaly screens for the same ADP profile.
  • Page 380: The Session Control Screen

    Chapter 21 Security Policy Table 157 Configuration > Security Policy > ADP > Profile > Add-Protocol-Anomaly LABEL DESCRIPTION These are the log options. To edit this, select an item and use the Log icon. Action This is the action the ZyWALL/USG should take when a packet matches a policy. To edit this, select an item and use the Action icon.
  • Page 381: The Session Control Add/Edit Screen

    Chapter 21 Security Policy The following table describes the labels in this screen. Table 158 Configuration > Security Policy > Session Control LABEL DESCRIPTION General Settings UDP Session Set how many seconds the ZyWALL/USG will allow a UDP session to remain idle (without Time Out UDP traffic) before closing it.
  • Page 382: Security Policy Example Applications

    Chapter 21 Security Policy Figure 254 Configuration > Security Policy > Session Control > Edit The following table describes the labels in this screen. Table 159 Configuration > Security Policy > Session Control > Add / Edit LABEL DESCRIPTION Create new Object: Use to configure new settings for User or Address objects that you need to use in this screen. Click on the down arrow to see the menu.
  • Page 383 Chapter 21 Security Policy Figure 255 Blocking All LAN to WAN IRC Traffic Example Your Security Policy would have the following settings. Table 160 Blocking All LAN to WAN IRC Traffic Example USER SOURCE DESTINATION SCHEDULE UTM PROFILE ACTION Deny Allow •...
  • Page 384 Chapter 21 Security Policy Figure 256 Limited LAN to WAN IRC Traffic Example Your security policy would have the following configuration. Table 161 Limited LAN1 to WAN IRC Traffic Example 1 USER SOURCE DESTINATION SCHEDULE UTM PROFILE ACTION 172.16.1.7 Allow Deny Allow •...
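The IRC examples in Tables 160 and 161 are first-match security policies: rules are checked top to bottom and the first rule whose direction, user, source, destination, service and schedule all match decides the action. The following is an added example of that evaluation, not ZyWALL/USG code; the zone names, the IRC service definition (tcp/6667), the destination address and the default action are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed model of ZyWALL/USG-style security policy evaluation:
# first matching rule wins; no match falls through to a default action.

@dataclass
class Packet:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    proto: str
    dport: int
    user: Optional[str] = None      # user logged in via web authentication, if any
    at: time = time(12, 0)          # time the packet is seen (schedule matching)

@dataclass
class Rule:
    name: str
    action: str                                    # "allow" or "deny"
    from_zone: str = "any"
    to_zone: str = "any"
    user: str = "any"
    source: str = "any"                            # IP or CIDR, or "any"
    destination: str = "any"
    service: Optional[Tuple[str, int]] = None      # (proto, port); None = any
    schedule: Optional[Tuple[time, time]] = None   # (start, end); None = always

    @staticmethod
    def _addr_ok(want: str, have: str) -> bool:
        return want == "any" or ip_address(have) in ip_network(want, strict=False)

    def matches(self, p: Packet) -> bool:
        if self.from_zone not in ("any", p.from_zone):
            return False
        if self.to_zone not in ("any", p.to_zone):
            return False
        if self.user != "any" and self.user != p.user:
            return False
        if not (self._addr_ok(self.source, p.src) and self._addr_ok(self.destination, p.dst)):
            return False
        if self.service is not None and self.service != (p.proto, p.dport):
            return False
        if self.schedule is not None:
            start, end = self.schedule
            if not (start <= p.at <= end):
                return False
        return True

def evaluate(rules: List[Rule], p: Packet, default: str = "deny") -> Tuple[str, str]:
    """Return (rule name, action) of the first matching rule, or the default."""
    for r in rules:
        if r.matches(p):
            return r.name, r.action
    return "default", default

IRC = ("tcp", 6667)   # constructed service object for the IRC example

# Table 161 scenario: 172.16.1.7 may use IRC from LAN1 to WAN, other LAN1
# hosts may not, and all other LAN1 -> WAN traffic is allowed.
LIMITED_IRC_RULES = [
    Rule("irc_allow_host", "allow", "LAN1", "WAN", source="172.16.1.7", service=IRC),
    Rule("irc_deny_lan1", "deny", "LAN1", "WAN", service=IRC),
    Rule("lan1_to_wan", "allow", "LAN1", "WAN"),
]

# Constructed schedule rule: LAN1 -> WAN only allowed between 09:00 and 17:00.
OFFICE_HOURS_RULES = [
    Rule("office_hours", "allow", "LAN1", "WAN", schedule=(time(9, 0), time(17, 0))),
]

def decide(src: str, dport: int, proto: str = "tcp", hour: int = 12,
           rules: List[Rule] = LIMITED_IRC_RULES) -> str:
    """Action for a LAN1 -> WAN packet from src to a constructed WAN host."""
    pkt = Packet("LAN1", "WAN", src, "203.0.113.10", proto, dport, at=time(hour, 0))
    return evaluate(rules, pkt)[1]

if __name__ == "__main__":
    print(decide("172.16.1.7", 6667))    # allow: host-specific rule matches first
    print(decide("172.16.1.20", 6667))   # deny: generic IRC rule
    print(decide("172.16.1.20", 443))    # allow: catch-all LAN1 -> WAN rule
```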
  • Page 385: IPSec VPN

    Chapter 22 IPSec VPN 22.1 Virtual Private Networks (VPN) Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing. It is used to transport traffic over the Internet or any insecure network that uses TCP/IP for communication.
  • Page 386 Chapter 22 IPSec VPN Main Mode or Aggressive Mode. Main Mode protects the identity of the peers, but Aggressive Mode does not. During Phase 2, the remote IPSec routers use the secure channel established in Phase 1 to negotiate Security Associations for IPsec. The negotiation results in a minimum of two unidirectional security associations (one inbound and one outbound).
  • Page 387: What You Can Do In This Chapter

    Chapter 22 IPSec VPN Figure 258 SSL VPN (a remote user connects over https:// to the LAN, 192.168.1.X, to reach web mail, file share, web-based application and non-web application servers). L2TP VPN L2TP VPN uses the L2TP and IPSec client software included in remote users’ Android, iOS, or Windows operating systems for secure connections to the network behind the ZyWALL/USG. The remote users do not need their own IPSec gateways or third-party VPN client software.
  • Page 388: What You Need To Know

    Chapter 22 IPSec VPN 22.1.2 What You Need to Know An IPSec VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the ZyWALL/USG and the remote IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the ZyWALL/USG and remote IPSec router.
  • Page 389 Chapter 22 IPSec VPN Application Scenarios The ZyWALL/USG’s application scenarios make it easier to configure your VPN connection settings. Table 163 IPSec VPN Application Scenarios SITE-TO-SITE WITH REMOTE ACCESS REMOTE ACCESS SITE-TO-SITE DYNAMIC PEER (SERVER ROLE) (CLIENT ROLE) Choose this if the remote Choose this if the remote Choose this to allow Choose this to connect to...
  • Page 390: Before You Begin

    Chapter 22 IPSec VPN 22.1.3 Before You Begin This section briefly explains the relationship between VPN tunnels and other features. It also gives some basic suggestions for troubleshooting. You should set up the following features before you set up the VPN tunnel. •...
  • Page 391: The VPN Connection Add/Edit (IKE) Screen

    Chapter 22 IPSec VPN Each field is discussed in the following table. Table 164 Configuration > VPN > IPSec VPN > VPN Connection LABEL DESCRIPTION Global Setting The following two fields are for all IPSec VPN policies. Click on the VPN icon to go to the ZyXEL VPN Client product page at the ZyXEL website. Use Policy Select this to be able to use policy routes to manually specify the destination addresses of Route to...
  • Page 392 Chapter 22 IPSec VPN Figure 262 Configuration > VPN > IPSec VPN > VPN Connection > Edit (IKE) ZyWALL/USG Series User’s Guide...
  • Page 393 Chapter 22 IPSec VPN Each field is described in the following table. Table 165 Configuration > VPN > IPSec VPN > VPN Connection > Edit LABEL DESCRIPTION Show Advanced Click this button to display a greater or lesser number of configuration fields. Settings / Hide Advanced Settings Create new Object...
  • Page 394 Chapter 22 IPSec VPN Table 165 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL DESCRIPTION Application Select the scenario that best describes your intended VPN connection. Scenario Site-to-site - Choose this if the remote IPSec router has a static IP address or a domain name.
  • Page 395 Chapter 22 IPSec VPN Table 165 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL DESCRIPTION Active Protocol Select which protocol you want to use in the IPSec SA. Choices are: AH (RFC 2402) - provides integrity, authentication, sequence integrity (replay resistance), and non-repudiation but not encryption.
  • Page 396 Chapter 22 IPSec VPN Table 165 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL DESCRIPTION Perfect Forward Select whether or not you want to enable Perfect Forward Secrecy (PFS) and, if you Secrecy (PFS) do, which Diffie-Hellman key group to use for encryption. Choices are: none - disable PFS DH1 - enable PFS and use a 768-bit random number DH2 - enable PFS and use a 1024-bit random number...
  • Page 397 Chapter 22 IPSec VPN Table 165 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL DESCRIPTION Source Select the address object that represents the original source address (or select Create Object to configure a new one). This is the address object for the computer or network outside the local network.
  • Page 398: The VPN Gateway Screen

    Chapter 22 IPSec VPN 22.3 The VPN Gateway Screen The VPN Gateway summary screen displays the IPSec VPN gateway policies in the ZyWALL/USG, as well as the ZyWALL/USG’s address, remote IPSec router’s address, and associated VPN connections for each one. In addition, it also lets you activate and deactivate each VPN gateway. To access this screen, click Configuration >...
  • Page 399: The VPN Gateway Add/Edit Screen

    Chapter 22 IPSec VPN Table 166 Configuration > VPN > IPSec VPN > VPN Gateway (continued) LABEL DESCRIPTION IKE Version This field displays whether the gateway is using IKEv1 or IKEv2. IKEv1 applies to IPv4 traffic only. IKEv2 applies to both IPv4 and IPv6 traffic. IKE (Internet Key Exchange) is a protocol used in setting up security associations that allows two parties to send data securely.
  • Page 400 Chapter 22 IPSec VPN Figure 264 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit ZyWALL/USG Series User’s Guide...
  • Page 401 Chapter 22 IPSec VPN Each field is described in the following table. Table 167 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit LABEL DESCRIPTION Show Advanced Click this button to display a greater or lesser number of configuration fields. Settings / Hide Advanced Settings Create New Object...
  • Page 402 Chapter 22 IPSec VPN Table 167 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued) LABEL DESCRIPTION Pre-Shared Key Select this to have the ZyWALL/USG and remote IPSec router use a pre-shared key (password) to identify each other when they negotiate the IKE SA. Type the pre-shared key in the field to the right.
  • Page 403 Chapter 22 IPSec VPN Table 167 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued) LABEL DESCRIPTION Peer ID Type Select which type of identification is used to identify the remote IPSec router during authentication. Choices are: IP - the remote IPSec router is identified by an IP address DNS - the remote IPSec router is identified by a domain name E-mail - the remote IPSec router is identified by the string specified in this field...
  • Page 404 Chapter 22 IPSec VPN Table 167 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued) LABEL DESCRIPTION Click this to create a new entry. Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it.
  • Page 405 Chapter 22 IPSec VPN Table 167 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued) LABEL DESCRIPTION X Auth / Extended This part of the screen displays X-Auth when using IKEv1 and Extended Authentication Authentication Protocol when using IKEv2. Protocol X-Auth This displays when using IKEv1.
  • Page 406: VPN Concentrator

    Chapter 22 IPSec VPN 22.4 VPN Concentrator A VPN concentrator combines several IPSec VPN connections into one secure network. Figure 265 VPN Topologies (Fully Meshed and Hub and Spoke) In a fully-meshed VPN topology (1 in the figure), there is a VPN connection between every pair of routers.
  • Page 407: VPN Concentrator Screen

    Chapter 22 IPSec VPN 22.4.2 VPN Concentrator Screen The VPN Concentrator summary screen displays the VPN concentrators in the ZyWALL/USG. To access this screen, click Configuration > VPN > IPSec VPN > Concentrator. Figure 266 Configuration > VPN > IPSec VPN > Concentrator Each field is discussed in the following table.
  • Page 408: ZyWALL/USG IPSec VPN Client Configuration Provisioning

    Chapter 22 IPSec VPN Figure 267 Configuration > VPN > IPSec VPN > Concentrator > Add/Edit Each field is described in the following table. Table 169 VPN > IPSec VPN > Concentrator > Add/Edit LABEL DESCRIPTION Name Enter the name of the concentrator. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number.
  • Page 409 Chapter 22 IPSec VPN • A subnet or range remote policy The following VPN Gateway rules configured on the ZyWALL/USG cannot be provisioned to the IPSec VPN Client: • IPv4 rules with IKEv2 version • IPv4 rules with User-based PSK authentication •...
  • Page 410: IPSec VPN Background Information

    Chapter 22 IPSec VPN Table 170 Configuration > VPN > IPSec VPN > Configuration Provisioning (continued) LABEL DESCRIPTION Click Add to bind a configured VPN rule to a user or group. Only that user or group may then retrieve the specified VPN rule settings. If you click Add without selecting an entry in advance then the new entry appears as the first entry.
  • Page 411 Chapter 22 IPSec VPN The ZyWALL/USG supports IKEv1 and IKEv2. See Section 22.1 on page 385 for more information. IP Addresses of the ZyWALL/USG and Remote IPSec Router To set up an IKE SA, you have to specify the IP addresses of the ZyWALL/USG and remote IPSec router.
  • Page 412 Chapter 22 IPSec VPN • Advanced Encryption Standard (AES) is a newer method of data encryption that also uses a secret key. AES applies a 128-bit key to 128-bit blocks of data. It is faster than 3DES. Some ZyWALL/USGs also offer stronger forms of AES that apply 192-bit or 256-bit keys to 128-bit blocks of data.
  • Page 413 Chapter 22 IPSec VPN Figure 271 IKE SA: Main Negotiation Mode, Steps 5 - 6: Authentication (continued) Step 5: pre-shared key ZyWALL/USG identity, consisting of - ID type - content Step 6: pre-shared key Remote IPSec router identity, consisting of - ID type - content You have to create (and distribute) a pre-shared key.
  • Page 414 Chapter 22 IPSec VPN Table 172 VPN Example: Mismatching ID Type and Content ZYWALL/USG REMOTE IPSEC ROUTER Local ID type: E-mail Local ID type: IP Local ID content: tom@yourcompany.com Local ID content: 1.1.1.2 Peer ID type: IP Peer ID type: E-mail Peer ID content: 1.1.1.20 Peer ID content: tom@yourcompany.com It is also possible to configure the ZyWALL/USG to ignore the identity of the remote IPSec router.
  • Page 415 Chapter 22 IPSec VPN Most routers like router A now have an IPSec pass-thru feature. This feature helps router A recognize VPN packets and route them appropriately. If router A has this feature, router X and router Y can establish a VPN tunnel as long as the active protocol is ESP. (See Active Protocol on page 416 for more information about active protocols.)
  • Page 416 Chapter 22 IPSec VPN • Instead of using the pre-shared key, the ZyWALL/USG and remote IPSec router check the signatures on each other’s certificates. Unlike pre-shared keys, the signatures do not have to match. • The local and peer ID type and content come from the certificates. Note: You must set up the certificates for the ZyWALL/USG and remote IPSec router first.
  • Page 417 Chapter 22 IPSec VPN Figure 273 VPN: Transport and Tunnel Mode Encapsulation Tunnel Mode Packet IP Header AH/ESP IP Header Data Header Header In tunnel mode, the ZyWALL/USG uses the active protocol to encapsulate the entire IP packet. As a result, there are two IP headers: •...
  • Page 418 Chapter 22 IPSec VPN • Source address in outbound packets - this translation is necessary if you want the ZyWALL/USG to route packets from computers outside the local network through the IPSec SA. • Source address in inbound packets - this translation hides the source address of computers in the remote network.
  • Page 419 Chapter 22 IPSec VPN • Destination - the original destination address; the local network (A). • SNAT - the translated source address; a different IP address (range of addresses) to hide the original source address. Destination Address in Inbound Packets (Inbound Traffic, Destination NAT) You can set up this translation if you want the ZyWALL/USG to forward some packets from the remote network to a specific computer in the local network.
  • Page 420: SSL VPN

    Chapter 23 SSL VPN 23.1 Overview Use SSL VPN to allow users to use a web browser for secure remote user login. The remote users do not need a VPN router or VPN client software. 23.1.1 What You Can Do in this Chapter •...
  • Page 421: The SSL Access Privilege Screen

    Chapter 23 SSL VPN • allow user access to specific networks. • assign private IP addresses and provide DNS/WINS server information to remote users to access internal networks. SSL Access Policy Objects The SSL access policies reference the following objects. If you update this information, in response to changes, the ZyWALL/USG automatically propagates the changes through the SSL policies that use the object(s).
  • Page 422: The SSL Access Privilege Policy Add/Edit Screen

    Chapter 23 SSL VPN The following table describes the labels in this screen. Table 174 VPN > SSL VPN > Access Privilege LABEL DESCRIPTION Access Policy This screen shows a summary of SSL VPN policies created. Summary Click on the VPN icon to go to the ZyXEL VPN Client product page at the ZyXEL website. Click this to create a new entry.
  • Page 423 Chapter 23 SSL VPN Figure 278 VPN > SSL VPN > Add/Edit The following table describes the labels in this screen. Table 175 VPN > SSL VPN > Access Privilege > Add/Edit LABEL DESCRIPTION Create new Use to configure any new settings objects that you need to use in this screen. Object Configuration Enable Policy...
  • Page 424 Chapter 23 SSL VPN Table 175 VPN > SSL VPN > Access Privilege > Add/Edit (continued) LABEL DESCRIPTION Name Enter a descriptive name to identify this policy. You can enter up to 31 characters (“a-z”, A-Z”, “0-9”) with no spaces allowed. Zone Select the zone to which to add this SSL access policy.
  • Page 425: The SSL Global Setting Screen

    Chapter 23 SSL VPN Table 175 VPN > SSL VPN > Access Privilege > Add/Edit (continued) LABEL DESCRIPTION Network List To allow user access to local network(s), select a network name in the Selectable Address Objects list and click the right arrow button to add to the Selected Address Objects list.
  • Page 426: How To Upload A Custom Logo

    Chapter 23 SSL VPN The following table describes the labels in this screen. Table 176 VPN > SSL VPN > Global Setting LABEL DESCRIPTION Global Setting Network Specify the IP address of the ZyWALL/USG (or a gateway device) for full tunnel mode SSL Extension Local VPN access.
  • Page 427: ZyWALL/USG SecuExtender

    Chapter 23 SSL VPN The following shows an example logo on the remote user screen. Figure 280 Example Logo Graphic Display 23.4 ZyWALL/USG SecuExtender The ZyWALL/USG automatically loads the ZyWALL/USG SecuExtender client program to your computer after a successful login to an SSL VPN tunnel with network extension support enabled. The ZyWALL/USG SecuExtender lets you: •...
  • Page 428: Example: Configure ZyWALL/USG for SecuExtender

    Chapter 23 SSL VPN The following table describes the labels in this screen. Table 177 Configuration > VPN > SSL VPN > SecuExtender LABEL DESCRIPTION Latest Version This displays the latest version of the ZyWALL/USG Security SecuExtender that is available. Current Version This displays the current version of SecuExtender that is installed in the ZyWALL/USG.
  • Page 429 Chapter 23 SSL VPN Figure 283 Create an SSL VPN Access Privilege Policy Then create File Sharing and Web Application SSL Application objects. Using the ZyWALL/USG web configurator, go to Configuration > Object > SSL Application > Add and select the Type accordingly.
  • Page 430 Chapter 23 SSL VPN Create a Web Application SSL Application Object ZyWALL/USG Series User’s Guide...
  • Page 431: Chapter 24

    Chapter 24 SSL User Screens 24.1 Overview This chapter introduces the remote user SSL VPN screens. The following figure shows a network example where a remote user (A) logs into the ZyWALL/USG from the Internet to access the web server (WWW) on the local network. Figure 285 Network Example. 24.1.1 What You Need to Know...
  • Page 432: Remote SSL User Login

    Chapter 24 SSL User Screens System Requirements Here are the browser and computer system requirements for remote user access. • Windows 7 (32 or 64-bit), Vista (32 or 64-bit), 2003 (32-bit), XP (32-bit), or 2000 (32-bit) • Internet Explorer 7 and above or Firefox 1.5 and above •...
  • Page 433 Chapter 24 SSL User Screens Figure 287 Login Security Screen A login screen displays. Enter the user name and password of your login account. If a token password is also required, enter it in the One-Time Password field. Click SSL VPN to log in and establish an SSL VPN connection to the network to access network resources.
  • Page 434 Chapter 24 SSL User Screens Figure 290 ActiveX Object Installation Blocked by Browser Figure 291 SecuExtender Blocked by Internet Explorer The ZyWALL/USG tries to run the “ssltun” application. You may need to click something to get your browser to allow this. In Internet Explorer, click Run. Figure 292 SecuExtender Progress Click Next to use the setup wizard to install the SecuExtender client on your computer.
  • Page 435: The SSL VPN User Screens

    Chapter 24 SSL User Screens Figure 293 SecuExtender Progress If a screen like the following displays, click Continue Anyway to finish installing the SecuExtender client on your computer. Figure 294 Installation Warning The Application screen displays showing the list of resources available to you. See Figure 295 on page 436 for a screen example.
  • Page 436: Bookmarking the ZyWALL/USG

    Chapter 24 SSL User Screens Figure 295 Remote User Screen The following table describes the various parts of a remote user screen. Table 178 Remote User Screen Overview DESCRIPTION Click on a menu tab to go to the Application or File Sharing screen. Click this icon to log out and terminate the secure connection.
  • Page 437: Logging Out of the SSL VPN User Screens

    Chapter 24 SSL User Screens A screen displays. Accept the default name in the Name field or enter a descriptive name to identify this link. Click OK to create a bookmark in your web browser. Figure 296 Add Favorite 24.5 Logging Out of the SSL VPN User Screens To properly terminate a connection, click on the Logout icon in any remote user screen.
  • Page 438: SSL User File Sharing

    Chapter 24 SSL User Screens Figure 298 Application 24.7 SSL User File Sharing The File Sharing screen lets you access files on a file server through the SSL VPN connection. Use it to display and access shared files/folders on a file server. You can also perform the following actions: •...
  • Page 439: Opening A File Or Folder

    Chapter 24 SSL User Screens Figure 299 File Sharing 24.7.2 Opening a File or Folder You can open a file if the file extension is recognized by the web browser and the associated application is installed on your computer. Log in as a remote user and click the File Sharing tab. Click on a file share icon.
  • Page 440: Downloading A File

    Chapter 24 SSL User Screens A list of files/folders displays. Double click a file to open it in a separate browser window or select a file and click Download to save it to your computer. You can also click a folder to access it. For this example, click on a .doc file to open the Word document.
  • Page 441: Creating A New Folder

    Figure 302 File Sharing: Save a Word File. 24.7.5 Creating a New Folder: To create a new folder in the file share location, click the New Folder icon. Specify a descriptive name for the folder. You can enter up to 356 characters. Then click Add. Note: Make sure the length of the folder name does not exceed the maximum allowed on the file server.
  • Page 442: Deleting A File Or Folder

    A popup window displays. Specify the new name and/or file extension in the field provided. You can enter up to 356 characters. Then click Apply. Note: Make sure the length of the name does not exceed the maximum allowed on the file server.
  • Page 443: Note: Uploading a file with the same name and file extension replaces the existing file on the file server. No warning message is displayed. ZyWALL/USG Series User’s Guide...
  • Page 444: ZyWALL/USG SecuExtender (Windows)

    Chapter 25 ZyWALL/USG SecuExtender (Windows). The ZyWALL/USG automatically loads the ZyWALL/USG SecuExtender for Windows client program to your computer after a successful login to an SSL VPN tunnel with network extension support enabled. Note: For information on using the ZyWALL/USG SecuExtender for Mac client program, please see its User’s Guide at the download library on the ZyXEL website.
  • Page 445: View Log

    Figure 308 ZyWALL/USG SecuExtender Status. The following table describes the labels in this screen. Table 179 ZyWALL/USG SecuExtender Status. Connection Status: SecuExtender IP Address: This is the IP address the ZyWALL/USG assigned to this remote user computer for an SSL VPN connection.
  • Page 446: Suspend And Resume The Connection

    Figure 309 ZyWALL/USG SecuExtender Log Example ################################################################################## ############## [ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Build Datetime: Feb 24 2009/ 10:25:07 [ 2009/03/12 13:35:50 ][SecuExtender Agent][DEBUG] rasphone.pbk: C:\Documents and Settings\11746\rasphone.pbk [ 2009/03/12 13:35:50 ][SecuExtender Agent][DEBUG] SecuExtender.log: C:\Documents and Settings\11746\SecuExtender.log [ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Check Parameters [ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL]...
  • Page 447: Figure 310 Uninstalling the ZyWALL/USG SecuExtender Confirmation. Windows uninstalls the ZyWALL/USG SecuExtender. Figure 311 ZyWALL/USG SecuExtender Uninstallation.
  • Page 448: L2TP VPN

    Chapter 26 L2TP VPN. 26.1 Overview: L2TP VPN uses the L2TP and IPSec client software included in remote users’ Android, iOS, Windows or Mac OS X operating systems for secure connections to the network behind the ZyWALL/USG. The remote users do not need their own IPSec gateways or third-party VPN client software. Figure 312 L2TP VPN Overview. 26.1.1 What You Can Do in this Chapter •...
  • Page 449: L2TP VPN Screen

    Using the Quick Setup VPN Setup Wizard: The VPN Setup Wizard is an easy and convenient way to configure the L2TP VPN settings. Click Configuration > Quick Setup > VPN Setup > VPN Settings for L2TP VPN Settings to get started.
  • Page 450: Figure 314 Configuration > VPN > L2TP VPN. The following table describes the fields in this screen. Table 180 Configuration > VPN > L2TP VPN. Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields. Create new Object...
  • Page 451: Example: L2TP and ZyWALL/USG Behind a NAT Router

    Table 180 Configuration > VPN > L2TP VPN (continued). Allowed User: The remote user must log into the ZyWALL/USG to use the L2TP VPN tunnel. Select a user or user group that can use the L2TP VPN tunnel. Use Create new Object if you need to configure a new user account.
  • Page 452: Select the NAT router WAN IP address object as the Local Policy. Go to Configuration > VPN > L2TP VPN and select the VPN Connection just configured.
  • Page 453: BWM (Bandwidth Management)

    Chapter 27 BWM (Bandwidth Management). 27.1 Overview: Bandwidth management provides a convenient way to manage the use of various services on the network. It manages general protocols (for example, HTTP and FTP) and applies traffic prioritization to enhance the performance of delay-sensitive applications like voice and video. 27.1.1 What You Can Do in this Chapter: Use the BWM screens (see Section 27.2 on page...
  • Page 454: In the following example, you configure a Per User bandwidth management rule for radius-users to limit outgoing traffic to 300 kbps. Then all radius-users (A, B and C) can send 300 kbps of traffic. DiffServ and DSCP Marking: QoS is used to prioritize source-to-destination traffic flows.
  • Page 455: Figure 315 LAN1 to WAN Connection and Packet Directions (outbound and inbound). Outbound and Inbound Bandwidth Limits: You can limit an application’s outbound or inbound bandwidth. This limit keeps the traffic from using up too much of the out-going interface’s bandwidth. This way you can make sure there is bandwidth for other applications.
  • Page 456: Maximize Bandwidth Usage: Maximize bandwidth usage allows applications with maximize bandwidth usage enabled to “borrow” any unused bandwidth on the out-going interface. After each application gets its configured bandwidth rate, the ZyWALL/USG uses the fairness-based scheduler to divide any unused bandwidth on the out-going interface amongst applications that need more bandwidth and have maximize bandwidth usage enabled.
  • Page 457: The Bandwidth Management Screen

    Maximize Bandwidth Usage Effect: With maximize bandwidth usage enabled, after each server gets its configured rate, the rest of the available bandwidth is divided equally between the two. So server A gets its configured rate of 300 kbps and server B gets its configured rate of 200 kbps.
  • Page 458: Figure 318 Configuration > Bandwidth Management. The following table describes the labels in this screen. See Section 27.2.1 on page 460 for more information as well. Table 185 Configuration > Bandwidth Management. Enable BWM: Select this check box to activate bandwidth management.
  • Page 459: Table 185 Configuration > Bandwidth Management (continued). Destination: This is the destination address or address group to which this policy applies. If any displays, the policy is effective for every destination. DSCP Code: These are the DSCP code point values of incoming and outgoing packets to which this policy applies.
  • Page 460: The Bandwidth Management Add/Edit Screen

    27.2.1 The Bandwidth Management Add/Edit Screen: The Configuration > Bandwidth Management Add/Edit screen allows you to create a new condition or edit an existing one. 802.1P Marking: Use 802.1P to prioritize outgoing traffic from a VLAN interface. The Priority Code is a 3-bit field within an 802.1Q VLAN tag that’s used to prioritize associated outgoing VLAN traffic.
  • Page 461: Figure 320 Configuration > Bandwidth Management > Add/Edit. The following table describes the labels in this screen. Table 189 Configuration > Bandwidth Management > Add/Edit. Create new Object: Use to configure any new settings objects that you need to use in this screen. Configuration: Enable: Select this check box to turn on this policy.
  • Page 462: Table 189 Configuration > Bandwidth Management > Add/Edit (continued). BWM Type: This field displays the following types of BWM rule: Shared, when the policy is set for all users; Per User, when the policy is set for an individual user or a user group; ...
  • Page 463: Table 189 Configuration > Bandwidth Management > Add/Edit (continued). Inbound kbps: Type how much inbound bandwidth, in kilobits per second, this policy allows the traffic to use. Inbound refers to the traffic the ZyWALL/USG sends to a connection’s initiator. If you enter 0 here, this policy does not apply bandwidth management for the matching traffic that the ZyWALL/USG sends to the initiator.
  • Page 464: 27.2.1.1 Adding Objects for the BWM Policy: Objects are the parameters upon which the policy rules are built. There are three kinds of objects you can add/edit for the BWM policy: User, Schedule and Address objects. Click Configuration >...
  • Page 465: Table 190 Configuration > BWM > Create New Object > Add User. Password: Type a password for the user object. The password can consist of alphanumeric characters, the underscore, and some punctuation marks (+-/*= :; .! @$&%#~ ‘...
  • Page 466: Figure 322 Configuration > BWM > Create New Object > Add Schedule. The following table describes the fields in the above screen. Table 191 Configuration > BWM > Create New Object > Add Schedule. Name: Enter a name for the schedule object of the rule.
  • Page 467: Figure 323 Configuration > BWM > Create New Object > Add Address. The following table describes the fields in the above screen. Table 192 Configuration > BWM > Create New Object > Add Address. Name: Enter a name for the Address object of the rule.
  • Page 468: Application Patrol

    Chapter 28 Application Patrol. 28.1 Overview: Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, HTTP and FTP) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP), and streaming (RTSP) applications. You can even control the use of a particular application’s individual features (like text messaging, voice, video conferencing, and file transfers).
  • Page 469: Application Patrol Profile

    Classification of Applications: There are two ways the ZyWALL/USG can identify the application. The first is called auto. The ZyWALL/USG looks at the IP payload (OSI level-7 inspection) and attempts to match it with known patterns for specific applications. Usually, this occurs at the beginning of a connection, when the payload is more consistent across connections, and the ZyWALL/USG examines several packets to make sure the match is correct.
  • Page 470: Figure 324 Configuration > UTM Profile > App Patrol > Profile. The following table describes the labels in this screen. Table 193 Configuration > UTM Profile > App Patrol > Profile. Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
  • Page 471: The Application Patrol Profile Add/Edit Screen

    Table 193 Configuration > UTM Profile > App Patrol > Profile (continued). Released Date: This field displays the date and time the set was released. Update Signatures: Click this link to go to the screen you can use to download signatures from the update server.
  • Page 472: The Application Patrol Profile Rule Add Application Screen

    Table 194 Configuration > UTM Profile > App Patrol > Profile > Add/Edit (continued). Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Remove: Select an entry and click Remove to delete the selected entry.
  • Page 473: Table 195 Configuration > UTM Profile > App Patrol > Profile > Profile Management > Add/Edit. Action: Select the default action for all signatures in this category. forward - the ZyWALL/USG routes packets that match these signatures. Drop - the ZyWALL/USG silently drops packets that match these signatures without notification.
  • Page 474: Content Filtering

    Chapter 29 Content Filtering. 29.1 Overview: Use the content filtering feature to control access to specific web sites or web content. 29.1.1 What You Can Do in this Chapter • Use the Filter Profile screens (Figure 328 on page 479) to set up content filtering profiles.
  • Page 475: Before You Begin

    • Restrict Web Features: The ZyWALL/USG can disable web proxies and block web features such as ActiveX controls, Java applets and cookies. • Customize Web Site Access: You can specify URLs to which the ZyWALL/USG blocks access. You can alternatively block access to all URLs except ones that you specify.
  • Page 476: Content Filter Profile Screen

    29.2 Content Filter Profile Screen: Click Configuration > UTM Profile > Content Filter > Profile to open the Content Filter Profile screen. Use this screen to enable content filtering, view and order your list of content filter policies, create a denial of access message or specify a redirect URL and check your external web filtering service registration status.
  • Page 477: Table 196 Configuration > UTM Profile > Content Filter > Profile (continued). Denied Access Message: Enter a message to be displayed when content filter blocks access to a web page. Use up to 127 characters (0-9a-zA-Z;/?:@&=+$\.-_!~*'()%,”). For example, “Access to this web page is not allowed.
  • Page 478: Content Filter Profile Add Or Edit Screen

    29.3 Content Filter Profile Add or Edit Screen: Click Configuration > UTM > Content Filter > Profile > Add or Edit to open the Add Filter Profile screen. Configure Category Service and Custom Service tabs. 29.3.1 Content Filter Add Profile Category Service
  • Page 479: Figure 328 Content Filter > Profile > Add Filter Profile > Category Service
  • Page 480: The following table describes the labels in this screen. Table 197 Configuration > UTM Profile > Content Filter > Profile > Add > Category Service. License Status: This read-only field displays the status of your content-filtering database service registration.
  • Page 481: Table 197 Configuration > UTM Profile > Content Filter > Profile > Add > Category Service (continued). Action for Managed Web Pages: Select Pass to allow users to access web pages that match the other categories that you select below. Select Block to prevent users from accessing web pages that match the other categories that you select below.
  • Page 482: Table 197 Configuration > UTM Profile > Content Filter > Profile > Add > Category Service (continued). Malware: Sites that install unwanted software on a user's computer with the intent to enable third-party monitoring or make system changes without the user's consent.
  • Page 483: Table 198 Managed Category Descriptions (continued). Child Abuse Images: Sites that portray or discuss children in sexual or other abusive acts. For example, a.uuzhijia.info. Computers & Technology: Sites that contain information about computers, software, hardware, IT, peripheral and computer services, such as product reviews, discussions, and IT news.
  • Page 484: Table 198 Managed Category Descriptions (continued). Hacking: Sites that promote or give advice about how to gain unauthorized access to proprietary computer systems, for the purpose of stealing information, perpetrating fraud, creating viruses, or committing other illegal activity related to theft of digital information.
  • Page 485: Table 198 Managed Category Descriptions (continued). Pornography/Sexually Explicit: Sites that contain explicit sexual content. Includes adult products such as sex toys, CD-ROMs, and videos, adult services such as videoconferencing, escort services, and strip clubs, erotic stories and textual descriptions of sexual acts. For example, www.dvd888.com, www.18center.com, blog.sina.com.tw.
  • Page 486: Content Filter Add Filter Profile Custom Service

    Table 198 Managed Category Descriptions (continued). Travel: Sites that provide travel and tourism information or online booking of travel services such as airlines, accommodations, car rentals. Includes regional or city information sites. For example, www.startravel.com.tw, taipei.grand.hyatt.com.tw, www.car-plus.com.tw. Unknown: Unknown. For example, www.669.com.tw, www.appleballoon.com.tw, www.uimco.com.tw.
  • Page 487: Figure 329 Configuration > UTM Profile > Content Filter > Filter Profile > Custom Service. The following table describes the labels in this screen. Table 199 Configuration > UTM Profile > Content Filter > Profile > Custom Service. Name...
  • Page 488: Table 199 Configuration > UTM Profile > Content Filter > Profile > Custom Service (continued). Allow Web traffic for trusted web sites only: When this box is selected, the ZyWALL/USG blocks Web access to sites that are not on the Trusted Web Sites list.
  • Page 489: Content Filter Trusted Web Sites Screen

    Table 199 Configuration > UTM Profile > Content Filter > Profile > Custom Service (continued). Remove: Select an entry and click this to delete it. This displays the index number of the forbidden web sites. Forbidden Web Sites: This list displays the forbidden web sites already added.
  • Page 490: Content Filter Forbidden Web Sites Screen

    Figure 330 Configuration > UTM Profile > Content Filter > Trusted Web Sites. The following table describes the labels in this screen. Table 200 Configuration > UTM Profile > Content Filter > Trusted Web Sites. Common Trusted Web Sites: These are sites that you want to allow access to, regardless of their content...
  • Page 491: Content Filter Technical Reference

    Figure 331 Configuration > UTM Profile > Content Filter > Forbidden Web Sites. The following table describes the labels in this screen. Table 201 Configuration > UTM Profile > Content Filter > Forbidden Web Sites. Forbidden Web Site List: Sites that you want to block access to, regardless of their content rating, can...
  • Page 492: Figure 332 Content Filter Lookup Procedure. A computer behind the ZyWALL/USG tries to access a web site. The ZyWALL/USG looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site’s category will be in the ZyWALL/USG’s cache.
  • Page 493: IDP

    Chapter 30 IDP. 30.1 Overview: This chapter introduces packet inspection IDP (Intrusion Detection and Prevention), IDP profiles, binding an IDP profile to a traffic flow, custom signatures and updating signatures. An IDP system can detect malicious or suspicious packets and respond instantaneously. IDP on the ZyWALL/USG protects against network-based intrusions.
  • Page 494: The IDP Profile Screen

    30.2 The IDP Profile Screen: An IDP profile is a set of packet inspection signatures. Packet inspection signatures examine packet content for malicious data. Packet inspection applies to OSI (Open System Interconnection) layer-4 to layer-7 contents. You need to subscribe for IDP service in order to be able to download new signatures.
  • Page 495: Base Profiles

    Table 202 Configuration > UTM Profile > IDP > Profile (continued). Object Reference: Select an entry and click Object References to open a screen that shows which settings use the entry. Refresh: Click Refresh to update information on this screen. Clone: Use Clone to create a new entry by modifying an existing one.
  • Page 496: Adding / Editing Profiles

    The following table describes this screen. Table 203 Base Profiles. none: All signatures are disabled. No logs are generated and no actions are taken. (label missing from the excerpt): All signatures are enabled. Signatures with a high or severe severity level (greater than three) generate log alerts and cause packets that trigger them to be dropped.
  • Page 497: Profile > Group View Screen

    30.2.3 Profile > Group View Screen: Select Configuration > UTM Profile > IDP > Profile and then click Add to create a new profile or select an existing profile, then click a group in the base profile box (or double-click the existing profile) to modify it.
  • Page 498: Table 204 Configuration > UTM Profile > IDP > Profile > Add > Group View (continued). Switch to query view: Click this button to go to a screen where you can search for signatures by criteria such as name, ID, severity, attack type, vulnerable attack platforms, service category, log options or actions.
  • Page 499: Table 204 Configuration > UTM Profile > IDP > Profile > Add > Group View (continued). Severity: These are the severities as defined in the ZyWALL/USG. The number in brackets is the number you use if using commands. Severe (5): These denote attacks that try to run arbitrary code or gain system privileges.
  • Page 500: Add Profile > Query View

    Table 204 Configuration > UTM Profile > IDP > Profile > Add > Group View (continued). Action: To edit what action the ZyWALL/USG takes when a packet matches a signature, select the signature and use the Action icon. none: Select this action on an individual signature or a complete service group to have the ZyWALL/USG take no action when a packet matches the signature(s).
  • Page 501: Policy Types

    Policy Types: This table describes Policy Types as categorized in the ZyWALL/USG. Table 205 Policy Types. Access Control: Access control refers to procedures and controls that limit or detect access. Access control attacks try to bypass validation checks in order to access network resources such as servers, directories, and files.
  • Page 502: IDP Service Groups

    Table 205 Policy Types (continued). Scan: A scan describes the action of searching a network for an exposed service. An attack may then occur once a vulnerability has been found. Scans occur on several network levels.
  • Page 503: Figure 336 Configuration > UTM Profile > IDP > Profile: Query View. The following table describes the fields specific to this screen’s query view. Table 207 Configuration > UTM Profile > IDP > Profile: Query View. Name: This is the name of the profile that you created in the IDP >...
  • Page 504: Query Example

    Table 207 Configuration > UTM Profile > IDP > Profile: Query View (continued). Severity: Search for signatures by severity level(s). Hold down the [Ctrl] key if you want to make multiple selections. These are the severities as defined in the ZyWALL/USG. The number in brackets is the number you use if using commands.
  • Page 505: IDP Custom Signatures

    Figure 337 Query Example Search. 30.3 IDP Custom Signatures: Create custom signatures for new attacks or attacks peculiar to your network. Custom signatures can also be saved to/from your computer so as to share with others. You need some knowledge of packet headers and attack types to create your own custom signatures.
  • Page 506: Figure 338 IP v4 Packet Headers. The header fields are discussed in the following table. Table 208 IP v4 Packet Headers. Version: The value 4 indicates IP version 4. IP Header Length: The number of 32-bit words forming the total length of the header (usually five).
  • Page 507: Select Configuration > UTM Profile > IDP > Custom Signatures. The first screen shows a summary of all custom signatures created. Click the SID or Name heading to sort. Click the Add icon to create a new signature or click the Edit icon to edit an existing signature. You can also delete custom signatures here or save them to your computer.
  • Page 508: Add / Edit Custom Signatures

    Table 209 Configuration > UTM Profile > IDP > Custom Signatures (continued). Custom Signature Rule Importing: Use this part of the screen to import custom signatures (previously saved to your computer) to the ZyWALL/USG. Note: The name of the complete custom signature file on the ZyWALL/USG is ‘custom.rules’.
  • Page 509: Figure 340 Configuration > UTM Profile > IDP > Custom Signatures > Add/Edit
  • Page 510: The following table describes the fields in this screen. Table 210 Configuration > UTM Profile > IDP > Custom Signatures > Add/Edit. Name: Type the name of your custom signature. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 511: Table 210 Configuration > UTM Profile > IDP > Custom Signatures > Add/Edit (continued). IP Options: IP options is a variable-length list of IP options for a datagram that define IP Security Option (security and handling restrictions for the military), IP Stream Identifier, Record Route (have each router record its IP address), Loose Source Routing (specifies a list of IP addresses that must be traversed by the datagram), Strict Source Routing (specifies a list of IP addresses that must ONLY be traversed...
  • Page 512: Custom Signature Example

    Table 210 Configuration > UTM Profile > IDP > Custom Signatures > Add/Edit (continued). Payload Size: This field may be used to check for abnormally sized packets or for detecting buffer overflows. Select the check box, then select Equal, Smaller or Greater and then type the payload size.
  • Page 513: 30.3.2.1 Understand the Vulnerability: Check the ZyWALL/USG logs when the attack occurs. Use web sites such as Google or Security Focus to get as much information about the attack as you can. The more specific your signature, the less chance it will cause false positives.
  • Page 514: Applying Custom Signatures

    From the details about the DNS query you see that the protocol is UDP and the port is 53. The type of DNS packet is standard query and the Flag is 0x0100 with an offset of 2. Therefore enter |010| as the first pattern.
  • Page 515: Verifying Custom Signatures

    30.3.4 Verifying Custom Signatures: Configure the signature to create a log when traffic matches the signature. (You may also want to configure an alert if it is for a serious attack and needs immediate attention.) After you apply the signature to a zone, you can see if it works by checking the logs (Monitor >...
  • Page 516: the whole LAN is compromised. Host-based intrusions may be used to cause network-based intrusions when the goal of the host virus is to propagate attacks on the network, or attack computer/server operating system vulnerabilities with the goal of bringing down the computer/server.
  • Page 517: Table 211 ZyWALL/USG - Snort Equivalent Terms (continued). ZyWALL/USG term: Snort equivalent term. Transport Protocol: ICMP: Type: itype; Code: icode; ID: icmp_id; Sequence Number: icmp_seq. Payload Options (Snort rule options): Payload Size: dsize; Offset (relative to start of payload): offset; Relative to end of last match: distance...
  • Page 518: Chapter 31 Anti-Virus

    Chapter 31 Anti-Virus. 31.1 Overview: Use the ZyWALL/USG’s anti-virus feature to protect your connected network from virus/spyware infection. The ZyWALL/USG checks traffic going in the direction(s) you specify for signature matches. In the following figure the ZyWALL/USG is set to check traffic coming from the WAN zone (which includes two interfaces) to the LAN zone.
  • Page 519: What You Need To Know

    31.1.2 What You Need to Know. Anti-Virus Engines: Subscribe to signature files for Kaspersky’s anti-virus engine. After the trial expires, you need to purchase an iCard for the anti-virus engine you want to use and register it in the Registration > Service screen.
  • Page 520: Anti-Virus Profile Screen

    Notes About the ZyWALL/USG Anti-Virus: The following lists important notes about the anti-virus scanner: The ZyWALL/USG anti-virus scanner can detect polymorphic viruses. When a virus is detected, an alert message is displayed in Microsoft Windows computers. Changes to the ZyWALL/USG’s anti-virus settings affect new sessions (not the sessions that already existed before you applied the changed settings).
  • Page 521: Figure 345 Configuration > UTM Profile > Anti-Virus > Profile. The following table describes the labels in this screen. Table 212 Configuration > UTM Profile > Anti-Virus > Profile. General Setting: Scan and detect EICAR test virus: Select this option to have the ZyWALL/USG check for the EICAR test file and treat it the same way as a real virus file.
  • Page 522: Anti-Virus Profile Add Or Edit

    Table 212 Configuration > UTM Profile > Anti-Virus > Profile (continued). License: The following fields display information about the current state of your subscription for virus signatures. License Status: This field displays whether a service is activated (Licensed), not activated (Not Licensed) or expired (Expired).
  • Page 523: Figure 346 Configuration > UTM Profile > Anti-Virus > Profile: Profile Management > Add. The following table describes the labels in this screen. Table 213 Configuration > UTM > Anti-Virus > Profile: Profile Management > Add. Configuration: Name...
  • Page 524: Anti-Virus Black List

    Table 213 Configuration > UTM > Anti-Virus > Profile: Profile Management > Add (continued). Enable file decompression (ZIP...: Select this check box to have the ZyWALL/USG scan a ZIP file (the file does not have to have a “zip”...
  • Page 525: Anti-Virus Black List Or White List Add/Edit

    The following table describes the labels in this screen. Table 214 Configuration > UTM Profile > Anti-Virus > Black/White List > Black List. Enable Black List: Select this check box to log and delete files with names that match the black list patterns.
  • Page 526: Anti-Virus White List

    The following table describes the labels in this screen. Table 215 Configuration > UTM Profile > Anti-Virus > Black/White List > Black List (or White List) > Add/Edit. Enable: If this is a black list entry, select this option to have the ZyWALL/USG apply this entry when using the black list.
  • Page 527: AV Signature Searching

    Figure 349 Configuration > UTM Profile > Anti-Virus > Black/White List > White List. The following table describes the labels in this screen. Table 216 Configuration > UTM Profile > Anti-Virus > Black/White List > White List. Enable White List...
  • Page 528: Anti-Virus Technical Reference

    Figure 350 Configuration > UTM Profile > Anti-Virus > Signature. The following table describes the labels in this screen. Table 217 Configuration > UTM > Anti-Virus > Signature. Signatures Search: Enter the name, part of the name or a keyword of the signature(s) you want to find. This search is not case-sensitive and accepts numerical strings.
  • Page 529 Chapter 31 Anti-Virus Computer Virus Infection and Prevention The following describes a simple life cycle of a computer virus. A computer gets a copy of a virus from a source such as the Internet, e-mail, file sharing or any removable storage media. The virus is harmless until the execution of an infected program. The virus spreads to other files and programs on the computer.
  • Page 530: Chapter 32 Anti-Spam

    CHAPTER Anti-Spam 32.1 Overview The anti-spam feature can mark or discard spam (unsolicited commercial or junk e-mail). Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail. The ZyWALL/USG can also check e-mail against a DNS black list (DNSBL) of IP addresses of servers that are suspected of being used by spammers.
  • Page 531: Before You Begin

    Chapter 32 Anti-Spam that individual e-mail. A properly configured black list helps catch spam e-mail and increases the ZyWALL/USG’s anti-spam speed and efficiency. SMTP and POP3 Simple Mail Transfer Protocol (SMTP) is the Internet’s message transport standard. It controls the sending of e-mail messages between servers.
  • Page 532: The Anti-Spam Profile Screen

    Chapter 32 Anti-Spam • Configure your zones before you configure anti-spam. 32.3 The Anti-Spam Profile Screen Click Configuration > UTM Profile > Anti-Spam to open the Anti-Spam Profile screen. Use this screen to turn the anti-spam feature on or off and manage anti-spam policies. You can also select the action the ZyWALL/USG takes when the mail sessions threshold is reached.
  • Page 533: The Anti-Spam Profile Add Or Edit Screen

    Chapter 32 Anti-Spam Table 219 Configuration > UTM Profile > Anti-Spam > Profile LABEL DESCRIPTION Remove Select an entry and click this to delete it. Object Reference Select an entry and click Object References to open a screen that shows which settings use the entry.
  • Page 534 Chapter 32 Anti-Spam Figure 352 Configuration > UTM Profile > Anti-Spam > Profile > Add The following table describes the labels in this screen. Table 220 Configuration > UTM Profile > Anti-Spam > Profile > Add LABEL DESCRIPTION General Settings Name Enter a descriptive name for this anti-spam rule.
  • Page 535: The Mail Scan Screen

    Chapter 32 Anti-Spam Table 220 Configuration > UTM Profile > Anti-Spam > Profile > Add (continued) LABEL DESCRIPTION Check Mail Content Select this to identify spam e-mail by content, such as malicious content. Check Virus Outbreak Select this to scan e-mails for attached viruses. Check DNSBL Select this check box to check e-mail against the ZyWALL/USG’s configured DNSBL...
  • Page 536 Chapter 32 Anti-Spam Figure 353 Configuration > UTM Profile > Anti-Spam > Mail Scan The following table describes the labels in this screen. Table 221 Configuration > UTM Profile > Anti-Spam > Mail Scan LABEL DESCRIPTION Sender Reputation Enable Sender Select this to have the ZyWALL/USG scan for spam e-mail by IP Reputation.
  • Page 537: The Anti-Spam Black List Screen

    Chapter 32 Anti-Spam Table 221 Configuration > UTM Profile > Anti-Spam > Mail Scan LABEL DESCRIPTION Enable Virus Outbreak Detection This scans e-mails for attached viruses. Virus Outbreak Enter a message or label (up to 15 ASCII characters) to add to the beginning of the mail subject of e-mails that are determined to have an attached virus.
  • Page 538 Chapter 32 Anti-Spam Figure 354 Configuration > UTM Profile > Anti-Spam > Black/White List > Black List The following table describes the labels in this screen. Table 222 Configuration > UTM Profile > Anti-Spam > Black/White List > Black List LABEL DESCRIPTION General Settings...
  • Page 539: The Anti-Spam Black Or White List Add/Edit Screen

    Chapter 32 Anti-Spam 32.5.1 The Anti-Spam Black or White List Add/Edit Screen In the anti-spam Black List or White List screen, click the Add icon or an Edit icon to display the following screen. Use this screen to configure an anti-spam black list entry to identify spam e-mail. You can create entries based on specific subject text, or the sender’s or relay’s IP address or e-mail address.
  • Page 540: Regular Expressions In Black Or White List Entries

    Chapter 32 Anti-Spam Table 223 Configuration > UTM Profile > Anti-Spam > Black/White List > Black/White List > Add LABEL DESCRIPTION Sender E-Mail Address This field displays when you select the E-Mail type. Enter a keyword (up to 63 ASCII characters).
  • Page 541 Chapter 32 Anti-Spam Figure 356 Configuration > UTM Profile > Anti-Spam > Black/White List > White List The following table describes the labels in this screen. Table 224 Configuration > UTM Profile > Anti-Spam > Black/White List > White List LABEL DESCRIPTION General Settings...
  • Page 542: The DNSBL Screen

    Chapter 32 Anti-Spam 32.7 The DNSBL Screen Click Configuration > UTM Profile > Anti-Spam > DNSBL to display the anti-spam DNSBL screen. Use this screen to configure the ZyWALL/USG to check the sender and relay IP addresses in e-mail headers against DNS (Domain Name Service)-based spam Black Lists (DNSBLs). Figure 357 Configuration >...
  • Page 543 Chapter 32 Anti-Spam The following table describes the labels in this screen. Table 225 Configuration > UTM Profile > Anti-Spam > DNSBL LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields. Enable DNS Black List Select this to have the ZyWALL/USG check the sender and relay IP addresses in e-...
  • Page 544: Anti-Spam Technical Reference

    Chapter 32 Anti-Spam Table 225 Configuration > UTM Profile > Anti-Spam > DNSBL (continued) LABEL DESCRIPTION Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate. Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
  • Page 545 Chapter 32 Anti-Spam Figure 358 DNSBL Spam Detection Example [figure: IPs a.a.a.a and b.b.b.b; queries a.a.a.a? and b.b.b.b? sent to DNSBL A, DNSBL B and DNSBL C] The ZyWALL/USG receives an e-mail that was sent from IP address a.a.a.a and relayed by an e-mail server at IP address b.b.b.b. The ZyWALL/USG sends a separate query to each of its DNSBL domains for IP address a.a.a.a.
  • Page 546 Chapter 32 Anti-Spam Figure 359 DNSBL Legitimate E-mail Detection Example [figure: IPs c.c.c.c and d.d.d.d; queries c.c.c.c? and d.d.d.d? sent to DNSBL A, DNSBL B and DNSBL C; result: d.d.d.d Not spam] The ZyWALL/USG receives an e-mail that was sent from IP address c.c.c.c and relayed by an e-mail server at IP address d.d.d.d.
  • Page 547 Chapter 32 Anti-Spam Figure 360 Conflicting DNSBL Replies Example [figure: IPs a.b.c.d and w.x.y.z; queries a.b.c.d? and w.x.y.z? sent to DNSBL A, DNSBL B and DNSBL C; result: a.b.c.d Spam!] The ZyWALL/USG receives an e-mail that was sent from IP address a.b.c.d and relayed by an e-mail server at IP address w.x.y.z. The ZyWALL/USG sends a separate query to each of its DNSBL domains for IP address a.b.c.d.
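The DNSBL checks in Figures 358 to 360 above, as an added Python example (not ZyXEL code): the sender IP and the relay IP are each queried separately against every configured DNSBL zone. The zone names, IP addresses and the offline resolver are constructed, and the classification rule (spam if any zone lists either address, which matches the three figures' outcomes, including the conflicting-reply case) is an assumption.

```python
import ipaddress
from typing import Callable, Dict, Iterable, Optional, Tuple

# Constructed zone names standing in for "DNSBL A/B/C" in the manual's figures
# (assumed names, not real blocklist services).
DNSBL_ZONES = ["dnsbl-a.example", "dnsbl-b.example", "dnsbl-c.example"]

# A resolver takes a DNS name and returns the A record text if one exists, else None.
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: the IPv4 octets in reverse order under the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(answer: Optional[str]) -> bool:
    """A DNSBL signals a listing with an A record inside 127.0.0.0/8.

    No record, or an unexpected address (for example a wildcard answer from a
    parked or retired zone), is treated as "not listed" so that a broken zone
    cannot mark every e-mail as spam.
    """
    if answer is None:
        return False
    try:
        return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")
    except ValueError:
        return False


def make_fake_resolver(listed: Dict[str, Iterable[str]]) -> Resolver:
    """Offline stand-in for DNS built from {zone: [listed IPs]} (constructed test data)."""
    table = {dnsbl_query_name(ip, zone): "127.0.0.2"
             for zone, ips in listed.items() for ip in ips}
    return lambda name: table.get(name)


def classify_email(sender_ip: str, relay_ip: str, zones: Iterable[str],
                   resolve: Resolver) -> Tuple[bool, Dict[Tuple[str, str], bool]]:
    """Query each zone separately for the sender IP and the relay IP, as the
    manual describes, and return (spam?, per-(ip, zone) verdicts).

    Assumption (taken from the figures' outcomes): the e-mail is spam as soon
    as any zone lists either address, even if the other zones do not.
    """
    verdicts: Dict[Tuple[str, str], bool] = {}
    for ip in (sender_ip, relay_ip):
        for zone in zones:
            verdicts[(ip, zone)] = is_listed(resolve(dnsbl_query_name(ip, zone)))
    return any(verdicts.values()), verdicts


if __name__ == "__main__":
    # Constructed replay of Figure 360: DNSBL A lists the sender, B and C do not.
    resolve = make_fake_resolver({"dnsbl-a.example": ["192.0.2.10", "198.51.100.20"]})
    spam, detail = classify_email("192.0.2.10", "198.51.100.20", DNSBL_ZONES, resolve)
    print("spam" if spam else "not spam", detail)
```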
  • Page 548: Chapter 33 SSL Inspection

    CHAPTER SSL Inspection 33.1 Overview Secure Socket Layer (SSL) traffic, such as HTTPS (for example https://www.google.com), FTPs, POP3s, SMTPs, etc., is encrypted and cannot be inspected using Unified Threat Management (UTM) profiles such as App Patrol, Content Filter, Intrusion Detection and Prevention (IDP), or Anti-Virus. The ZyWALL/USG uses SSL Inspection to decrypt SSL traffic, sends it to the UTM engines for inspection, then encrypts traffic that passes inspection and forwards it to the destination server, such as Google.
  • Page 549: Before You Begin

    Chapter 33 SSL Inspection • RC4 (Rivest Cipher 4) • DES (Data Encryption Standard) • 3DES • AES (Advanced Encryption Standard) • SSLv3/TLS1.0 (Transport Layer Security) Support • SSLv3/TLS1.0 is currently supported with option to pass or block SSLv2 traffic •...
  • Page 550: Add / Edit SSL Inspection Profiles

    Chapter 33 SSL Inspection Table 226 Configuration > UTM Profile > SSL Inspection > Profile (continued) LABEL DESCRIPTION Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. Object Reference Select an entry and click Object References to open a screen that shows which settings use the entry.
  • Page 551 Chapter 33 SSL Inspection Table 227 Configuration > UTM Profile > SSL Inspection > Profile > Add / Edit (continued) LABEL DESCRIPTION CA Certificate This contains the default certificate and the certificates created in Object > Certificate > My Certificates. Choose the certificate for this profile. Severity Level Select a severity level and then use the icons to enable/disable and configure logs and actions for all signatures of that level.
  • Page 552: Exclude List Screen

    Chapter 33 SSL Inspection Table 227 Configuration > UTM Profile > SSL Inspection > Profile > Add / Edit (continued) LABEL DESCRIPTION Action To edit what action the ZyWALL/USG takes when a packet matches a signature, select the signature and use the Action icon. none: Select this action on an individual signature or a complete service group to have the ZyWALL/USG take no action when a packet matches the signature(s).
  • Page 553 Chapter 33 SSL Inspection Figure 364 Configuration > UTM Profile > SSL Inspection > Exclude List (> Add/Edit) The following table describes the fields in this screen. Table 228 Configuration > UTM Profile > SSL Inspection > Exclude List LABEL DESCRIPTION General Settings Enable Logs...
  • Page 554: Certificate Update Screen

    Chapter 33 SSL Inspection 33.4 Certificate Update Screen Use this screen to update the latest certificates of servers using SSL connections to the ZyWALL/USG network. User U sends an SSL request to destination server D (1), via the ZyWALL/USG, Z. D replies (2);...
  • Page 555: Install A CA Certificate In A Browser

    Chapter 33 SSL Inspection Table 229 Configuration > UTM Profile > SSL Inspection > Certificate Update (continued) LABEL DESCRIPTION Update Now Click this button to download the latest certificate set from myZyXEL.com and update it on the ZyWALL/USG. Auto Update Select this to have the ZyWALL/USG automatically update the certificate set when a new one becomes available on myZyXEL.com.
  • Page 556 Chapter 33 SSL Inspection 33.5.0.1 Firefox Browser If you’re using a Firefox browser, in addition to the above you need to do the following to import a certificate into the browser. Click Tools > Options > Advanced > Encryption > View Certificates, click Import and enter the filename of the certificate you want to import.
  • Page 557: Chapter 34 Device HA

    Device HA lets a backup ZyWALL/USG (B) automatically take over if the master ZyWALL/USG (A) fails. Figure 367 Device HA Backup Taking Over for the Master. ZyWALL 110, ZyWALL 310, ZyWALL 1100, USG110, USG210, USG310, USG1100, and USG1900 support Device HA (High Availability). 34.1.1 What You Can Do in this Chapter •...
  • Page 558: Before You Begin

    Chapter 34 Device HA Synchronization Use synchronization to have a backup ZyWALL/USG copy the master ZyWALL/USG’s configuration, signatures (anti-virus, IDP/application patrol, and system protect), and certificates. Note: Only ZyWALL/USGs of the same model and firmware version can synchronize. Otherwise you must manually configure the master ZyWALL/USG’s settings on the backup (by editing copies of the configuration files in a text editor for example).
  • Page 559: The Active-Passive Mode Screen

    Chapter 34 Device HA The following table describes the labels in this screen. Table 230 Configuration > Device HA > General LABEL DESCRIPTION Enable Device HA Turn the ZyWALL/USG’s device HA feature on or off. Note: It is not recommended to use STP (Spanning Tree Protocol) with device HA. Device HA Mode This displays whether the ZyWALL/USG is currently set to use active-passive mode device HA.
  • Page 560 Chapter 34 Device HA Figure 369 Virtual Router Cluster ID You can have multiple ZyWALL/USG virtual routers on your network. Use a different cluster ID to identify each virtual router. In the following example, ZyWALL/USGs A and B form a virtual router that uses cluster ID 1.
  • Page 561: Configuring Active-Passive Mode Device HA

    Chapter 34 Device HA • Each interface can also have a management IP address. You can connect to this IP address to manage the ZyWALL/USG regardless of whether it is the master or the backup. For example, ZyWALL/USG B takes over A’s 192.168.1.1 LAN interface IP address. This is a virtual router IP address.
  • Page 562 Chapter 34 Device HA Figure 372 Configuration > Device HA > Active Passive Mode The following table describes the labels in this screen. See Section 34.4 on page 564 for more information as well. Table 231 Configuration > Device HA > Active-Passive Mode LABEL DESCRIPTION Show Advanced...
  • Page 563 Chapter 34 Device HA Table 231 Configuration > Device HA > Active-Passive Mode (continued) LABEL DESCRIPTION Priority This field is available for a backup ZyWALL/USG. Type the priority of the backup ZyWALL/USG. The backup ZyWALL/USG with the highest value takes over the role of the master ZyWALL/USG if the master ZyWALL/USG becomes unavailable.
  • Page 564: Active-Passive Mode Edit Monitored Interface

    Chapter 34 Device HA Table 231 Configuration > Device HA > Active-Passive Mode (continued) LABEL DESCRIPTION Server Address If this ZyWALL/USG is set to backup role, enter the IP address or Fully-Qualified Domain Name (FQDN) of the ZyWALL/USG from which to get updated configuration. Usually, you should enter the IP address or FQDN of a virtual router on a secure network.
  • Page 565 Chapter 34 Device HA Figure 373 Configuration > Device HA > Active-Passive Mode > Edit Figure 374 Configuration > Device HA > Active-Passive Mode > Edit The following table describes the labels in this screen. Table 232 Configuration > Device HA > Active-Passive Mode > Edit LABEL DESCRIPTION Enable...
  • Page 566: Device HA Technical Reference

    Chapter 34 Device HA 34.5 Device HA Technical Reference Active-Passive Mode Device HA with Bridge Interfaces Here are two ways to avoid a broadcast storm when you connect the bridge interfaces on two ZyWALL/USGs. First Option for Connecting the Bridge Interfaces on Two ZyWALL/USGs The first way is to activate device HA before connecting the bridge interfaces as shown in the following example.
  • Page 567 Chapter 34 Device HA [figure: Br0 {ge4, ge5} on each ZyWALL/USG, not yet connected] Connect the ZyWALL/USGs. [figure: Br0 {ge4, ge5} on each ZyWALL/USG, connected] Second Option for Connecting the Bridge Interfaces on Two ZyWALL/USGs Another option is to disable the bridge interfaces, connect the bridge interfaces, activate device HA, and finally reactivate the bridge interfaces as shown in the following example.
  • Page 568 Chapter 34 Device HA Configure a corresponding disabled bridge interface on the backup ZyWALL/USG. Then set the bridge interface as a monitored interface, and activate device HA. [figure: Br0 {ge4, ge5} Disabled on each ZyWALL/USG] Enable the bridge interface on the master ZyWALL/USG and then on the backup ZyWALL/USG. [figure: Br0 {ge4, ge5} enabled on each ZyWALL/USG] Connect the ZyWALL/USGs.
  • Page 569 Chapter 34 Device HA • Startup configuration file (startup-config.conf) • AV signatures • IDP and application patrol signatures • System protect signatures • Certificates (My Certificates, and Trusted Certificates) Synchronization does not change the device HA settings in the backup ZyWALL/USG. Synchronization affects the entire device configuration.
  • Page 570: Chapter 35 Object

    CHAPTER Object 35.1 Zones Overview Set up zones to configure network security and network policies in the ZyWALL/USG. A zone is a group of interfaces and/or VPN tunnels. The ZyWALL/USG uses zones instead of interfaces in many security and policy settings, such as Secure Policies rules, UTM Profile, and remote management. Zones cannot overlap.
  • Page 571: The Zone Screen

    Chapter 35 Object Inter-zone Traffic Inter-zone traffic is traffic between interfaces or VPN tunnels in different zones. For example, in Figure 375 on page 570, traffic between VLAN 1 and the Internet is inter-zone traffic. This is the normal case when zone-based security and policy settings apply. Extra-zone Traffic •...
  • Page 572: User/Group Overview

    Chapter 35 Object 35.1.2.1 Zone Edit The Zone Edit screen allows you to add or edit a zone. To access this screen, go to the Zone screen (see Section 35.8.2 on page 624), and click the Add icon or an Edit icon. Figure 377 Configuration >...
  • Page 573: What You Need To Know

    Chapter 35 Object • The Group screen (see Section 35.2.3 on page 578) provides a summary of all user groups. In addition, this screen allows you to add, edit, and remove user groups. User groups may consist of access users and other user groups. You cannot put admin users in user groups. •...
  • Page 574 Chapter 35 Object attempt always fails. (This is related to AAA servers and authentication methods, which are discussed in those chapters in this guide.) Note: If the ZyWALL/USG tries to authenticate an ext-user using the local database, the attempt always fails. Once an ext-user user has been authenticated, the ZyWALL/USG tries to get the user type (see Table 235 on page 573) from the external server.
  • Page 575: User/Group User Summary Screen

    Chapter 35 Object • The ZyWALL/USG supports TTLS using PAP so you can use the ZyWALL/USG’s local user database to authenticate users with WPA or WPA2 instead of needing an external RADIUS server. 35.2.2 User/Group User Summary Screen The User screen provides a summary of all user accounts. To access this screen, log in to the Web Configurator, and click Configuration >...
  • Page 576 Chapter 35 Object 35.2.2.2 Rules for User Names Enter a user name from 1 to 31 characters. The user name can only contain the following characters: • Alphanumeric A-z 0-9 (there is no unicode support) • _ [underscores] • - [dashes] The first character must be alphabetical (A-Z a-z), an underscore (_), or a dash (-).
  • Page 577 Chapter 35 Object The following table describes the labels in this screen. Table 237 Configuration > Object > User/Group > User > Add LABEL DESCRIPTION User Name Type the user name for this user account. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 578: User/Group Group Summary Screen

    Chapter 35 Object Table 237 Configuration > Object > User/Group > User > Add (continued) LABEL DESCRIPTION OK Click OK to save your changes back to the ZyWALL/USG. Cancel Click Cancel to exit this screen without saving your changes. 35.2.3 User/Group Group Summary Screen User groups consist of access users and other user groups.
  • Page 579: User/Group Setting Screen

    Chapter 35 Object Figure 381 Configuration > Object > User/Group > Group > Add The following table describes the labels in this screen. Table 239 Configuration > Object > User/Group > Group > Add LABEL DESCRIPTION Name Type the name for this user group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 580 Chapter 35 Object Figure 382 Configuration > Object > User/Group > Setting The following table describes the labels in this screen. Table 240 Configuration > Object > User/Group > Setting LABEL DESCRIPTION User Authentication Timeout Settings Default Authentication Timeout Settings These authentication timeout settings are used by default when you create a new user account.
  • Page 581 Chapter 35 Object Table 240 Configuration > Object > User/Group > Setting (continued) LABEL DESCRIPTION User Type These are the kinds of user account the ZyWALL/USG supports. • admin - this user can look at and change the configuration of the ZyWALL/USG •...
  • Page 582 Chapter 35 Object Table 240 Configuration > Object > User/Group > Setting (continued) LABEL DESCRIPTION Maximum number per access account This field is effective when Limit ... for access account is checked. Type the maximum number of simultaneous logins by each access user. User Lockout Settings Enable logon retry limit Select this check box to set a limit on the number of times each user can...
  • Page 583: User Aware Login Example

    Chapter 35 Object The following table describes the labels in this screen. Table 241 Configuration > Object > User/Group > Setting > Edit LABEL DESCRIPTION User Type This read-only field identifies the type of user account for which you are configuring the default settings.
  • Page 584: User/Group MAC Address Summary Screen

    Chapter 35 Object The following table describes the labels in this screen. Table 242 Web Configurator for Non-Admin Users LABEL DESCRIPTION User-defined lease time (max … Access users can specify a lease time shorter than or equal to the one that you specified. The default value is the lease time that you specified.
  • Page 585: User /Group Technical Reference

    Chapter 35 Object Table 243 Configuration > Object > User/Group > MAC Address (continued) LABEL DESCRIPTION Remove To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to remove it before doing so. MAC Address/ This field displays the MAC address or OUI (Organizationally Unique Identifier of computer hardware manufacturers) of wireless clients using MAC authentication with the ZyWALL/USG local user database.
  • Page 586: Ap Profile Overview

    Chapter 35 Object Setting up User Attributes in an External Server To set up user attributes, such as reauthentication time, in LDAP or RADIUS servers, use the following keywords in the user configuration file. Table 245 LDAP/RADIUS: Keywords for User Attributes KEYWORD CORRESPONDING ATTRIBUTE IN WEB CONFIGURATOR type...
  • Page 587: Radio Screen

    Chapter 35 Object • Radio - This profile type defines the properties of an AP’s radio transmitter. You can have a maximum of 32 radio profiles on the ZyWALL/USG. • SSID - This profile type defines the properties of a single wireless network signal broadcast by an AP.
  • Page 588 Chapter 35 Object Note: You can have a maximum of 32 radio profiles on the ZyWALL/USG. Figure 389 Configuration > Object > AP Profile > Radio The following table describes the labels in this screen. Table 246 Configuration > Object > AP Profile > Radio LABEL DESCRIPTION Click this to add a new radio profile.
  • Page 589 Chapter 35 Object 35.3.1.1 Add/Edit Radio Profile This screen allows you to create a new radio profile or edit an existing one. To access this screen, click the Add button or select a radio profile from the list and click the Edit button. Figure 390 Configuration >...
  • Page 590 Chapter 35 Object Table 247 Configuration > Object > AP Profile > Add/Edit Radio Profile (continued) LABEL DESCRIPTION Activate Select this option to make this profile active. Profile Name Enter up to 31 alphanumeric characters to be used as this profile’s name. Spaces and underscores are allowed.
  • Page 591 Chapter 35 Object Table 247 Configuration > Object > AP Profile > Add/Edit Radio Profile (continued) LABEL DESCRIPTION 2.4 GHz Channel Selection Method This field is available when you set Channel Selection to DCS. Select auto to have the AP search for available channels automatically in the 2.4 GHz band.
  • Page 592 Chapter 35 Object Table 247 Configuration > Object > AP Profile > Add/Edit Radio Profile (continued) LABEL DESCRIPTION Enable A-MSDU Aggregation Select this to enable A-MSDU aggregation. MAC Service Data Unit (MSDU) aggregation collects Ethernet frames without any of their 802.11n headers and wraps the header-less payload in a single 802.11n MAC header.
  • Page 593: Ssid Screen

    Chapter 35 Object Table 247 Configuration > Object > AP Profile > Add/Edit Radio Profile (continued) LABEL DESCRIPTION Multicast Rate (Mbps) If you set the multicast transmission mode to fixed multicast rate, set the data rate for multicast traffic here. For example, to deploy 4 Mbps video, select a fixed multicast rate higher than 4 Mbps.
  • Page 594 Chapter 35 Object Table 248 Configuration > Object > AP Profile > SSID List (continued) LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific profile. Profile Name This field indicates the name assigned to the SSID profile. SSID This field indicates the SSID name as it appears to wireless clients.
  • Page 595 Chapter 35 Object Table 249 Configuration > Object > AP Profile > SSID > Add/Edit SSID Profile (continued) LABEL DESCRIPTION Security Profile Select a security profile from this list to associate with this SSID. If none exist, you can use the Create new Object menu to create one.
  • Page 596 Chapter 35 Object Table 249 Configuration > Object > AP Profile > SSID > Add/Edit SSID Profile (continued) LABEL DESCRIPTION Hidden SSID Select this if you want to “hide” your SSID from wireless clients. This tells any wireless clients in the vicinity of the AP using this SSID profile not to display its SSID name as a potential connection.
  • Page 597 Chapter 35 Object Table 250 Configuration > Object > AP Profile > SSID > Security List (continued) LABEL DESCRIPTION Profile Name This field indicates the name assigned to the security profile. Security Mode This field indicates this profile’s security mode (if any). 35.3.2.3.1 Add/Edit Security Profile This screen allows you to create a new security profile or edit an existing one.
  • Page 598 Chapter 35 Object The following table describes the labels in this screen. Table 251 Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile LABEL DESCRIPTION Profile Name Enter up to 31 alphanumeric characters for the profile name. This name is only visible in the Web Configurator and is only for management purposes.
  • Page 599 Chapter 35 Object Table 251 Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile LABEL DESCRIPTION Key Length Select the bit-length of the encryption key to be used in WEP connections. If you select WEP-64: •...
  • Page 600 Chapter 35 Object 35.3.2.4 MAC Filter List This screen allows you to create and manage security configurations that can be used by your SSIDs. To access this screen click Configuration > Object > AP Profile > SSID > MAC Filter List.
  • Page 601 Chapter 35 Object 35.3.2.4.1 Add/Edit MAC Filter Profile This screen allows you to create a new MAC filtering profile or edit an existing one. To access this screen, click the Add button or select a MAC filter profile from the list and click the Edit button. Figure 396 SSID >...
  • Page 602: MON Profile

    Chapter 35 Object 35.4 MON Profile 35.4.1 Overview This screen allows you to set up monitor mode configurations that allow your connected APs to scan for other wireless devices in the vicinity. Once detected, you can use the MON Mode screen (Section 8.4 on page 175) to classify them as either rogue or friendly and then manage them accordingly.
  • Page 603 Chapter 35 Object The following table describes the labels in this screen. Table 254 Configuration > Object > MON Profile LABEL DESCRIPTION Click this to add a new monitor mode profile. Edit Click this to edit the selected monitor mode profile. Remove Click this to remove the selected monitor mode profile.
  • Page 604 Chapter 35 Object Figure 398 Configuration > Object > MON Profile > Add/Edit MON Profile The following table describes the labels in this screen. Table 255 Configuration > Object > MON Profile > Add/Edit MON Profile LABEL DESCRIPTION Activate Select this to activate this monitor mode profile. Profile Name This field indicates the name assigned to the monitor mode profile.
  • Page 605: Technical Reference

    Chapter 35 Object Table 255 Configuration > Object > MON Profile > Add/Edit MON Profile (continued) LABEL DESCRIPTION Set Scan Channel List (5 GHz) Move a channel from the Available channels column to the Channels selected column to have the APs using this profile scan that channel when Scan Channel Mode is set to manual.
  • Page 606: Application

    Chapter 35 Object Friendly APs If you have more than one AP in your wireless network, you should also configure a list of “friendly” APs. Friendly APs are other wireless access points that are detected in your network, as well as any others that you know are not a threat (those from recognized networks, for example).
  • Page 607 Chapter 35 Object • Use the Application screen (Section on page 607) to create application objects that can be used in App Patrol profiles. • Use the Application Group screen (Section 35.5.2 on page 611) to group application objects as an individual object that can be used in App Patrol profiles.
  • Page 608: Add Application Rule

    Chapter 35 Object Table 257 Configuration > Object > Application > Application (continued) LABEL DESCRIPTION Signature Information An activated license allows you to download signatures to the ZyWALL/USG from myZyXEL.com. These fields show details on the signatures downloaded. Current Version The version number increments when signatures are updated at myZyXEL.com. This field shows the current version downloaded to the ZyWALL/USG.
  • Page 609 Chapter 35 Object Table 258 Configuration > Object > Application > Application (continued) > Add Application Rule LABEL DESCRIPTION Application This displays the name of the application signature used in this application rule. OK Click OK to save your changes back to the ZyWALL/USG. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 610 Chapter 35 Object Figure 404 Configuration > Object > Application > Application > Add Application Rule > Add By Service The following table describes the labels in this screen. Table 259 Configuration > Object > Application > Application > Add Application Rule > Add Application Object LABEL DESCRIPTION...
  • Page 611: Application Group Screen

    Chapter 35 Object 35.5.2 Application Group Screen This screen allows you to group individual application objects to be treated as a single application object. To access this screen click Configuration > Object > Application > Application Group. Figure 405 Configuration > Object > Application > Application Group The following table describes the labels in this screen.
  • Page 612: Address Overview

    Chapter 35 Object 35.5.2.1 Add Application Group Rule Click Add in Configuration > Object > Application > Application Group to select already created application rules and combine them as a single new rule. Figure 406 Configuration > Object > Application > Application > Add Application Group Rule The following table describes the labels in this screen.
  • Page 613: What You Need To Know

    Chapter 35 Object • Use the Address Group summary screen (Section 35.6.2.3 on page 616) and the Address Group Add/Edit screen, to maintain address groups in the ZyWALL/USG. 35.6.1 What You Need To Know Address objects and address groups are used in dynamic routes, security policies, application patrol, content filtering, and VPN connection policies.
  • Page 614 Chapter 35 Object Table 262 Configuration > Object > Address > Address (continued) LABEL DESCRIPTION Name This field displays the configured name of each address object. Type This field displays the type of each address object. “INTERFACE” means the object uses the settings of one of the ZyWALL/USG’s interfaces.
  • Page 615 Chapter 35 Object The following table describes the labels in this screen. Table 263 IPv4 Address Configuration > Add/Edit LABEL DESCRIPTION Name Type the name used to refer to the address. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  • Page 616: Address Group Summary Screen

    Chapter 35 Object The following table describes the labels in this screen. Table 264 IPv6 Address Configuration > Add/Edit LABEL DESCRIPTION Name Type the name used to refer to the address. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  • Page 617 Chapter 35 Object The following table describes the labels in this screen. See Section 35.6.2.4 on page 617 for more information as well. Table 265 Configuration > Object > Address > Address Group LABEL DESCRIPTION IPv4 Address Group Configuration Click this to create a new entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
  • Page 618: Service Overview

    Figure 411 IPv4/IPv6 Address Group Configuration > Add The following table describes the labels in this screen. Table 266 IPv4/IPv6 Address Group Configuration > Add LABEL DESCRIPTION Name Enter a name for the address group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 619: What You Need To Know

    35.7.1 What You Need to Know IP Protocols IP protocols are based on the eight-bit protocol field in the IP header. This field represents the next-level protocol that is sent in this packet. This section discusses three of the most common IP protocols.
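The protocol field the section refers to is one byte at offset 9 of the IPv4 header. The following Python example, added here and not taken from the manual or from ZyXEL firmware, parses a raw IPv4 header and reports that field by number and name. It assumes the three common protocols the manual has in mind are ICMP (1), TCP (6) and UDP (17), and it rejects truncated or non-IPv4 input rather than misclassifying it; the sample packet is constructed for the demonstration.

```python
import struct
from typing import Dict

# Protocol numbers are IANA-assigned; these three are the ones a firewall
# service object most often refers to (assumption: the "three most common"
# protocols the manual discusses are ICMP, TCP and UDP).
PROTOCOL_NAMES: Dict[int, str] = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_ipv4_header(packet: bytes) -> Dict[str, object]:
    """Return version, header length, TTL, protocol and addresses of an IPv4 packet.

    Raises ValueError for anything that is not a well-formed IPv4 header so a
    caller never classifies a truncated or non-IPv4 packet by accident.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte minimum IPv4 header")
    version = packet[0] >> 4
    ihl = (packet[0] & 0x0F) * 4  # Internet Header Length, in bytes
    if version != 4:
        raise ValueError(f"not IPv4 (version field = {version})")
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("header length field inconsistent with packet size")
    # Bytes 8..19: TTL (1), protocol (1), header checksum (2), src (4), dst (4).
    # "!" selects network byte order.
    ttl, proto, _checksum, src, dst = struct.unpack("!BBH4s4s", packet[8:20])
    return {
        "version": version,
        "header_len": ihl,
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": PROTOCOL_NAMES.get(proto, f"proto-{proto}"),
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def build_ipv4_header(proto: int, src: str, dst: str, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header (checksum left at 0) as test input."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    # version/IHL, TOS, total length, identification, flags/fragment offset,
    # TTL, protocol, checksum, source, destination
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0, src_b, dst_b)


if __name__ == "__main__":
    # Constructed sample: a TCP packet from a LAN host to the firewall's default address.
    header = build_ipv4_header(6, "192.168.1.33", "192.168.1.1")
    print(parse_ipv4_header(header))
```

A service object that matches on protocol number 6 and a port is only meaningful because this byte says "TCP"; a packet carrying, say, protocol 47 falls outside any TCP or UDP service object and must be matched by a protocol-number object instead.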
  • Page 620 To access this screen, log in to the Web Configurator, and click Configuration > Object > Service > Service. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 412 Configuration >...
  • Page 621: The Service Group Summary Screen

    The following table describes the labels in this screen. Table 268 Configuration > Object > Service > Service > Edit LABEL DESCRIPTION Name Type the name used to refer to the service. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 622 The following table describes the labels in this screen. See Section 35.7.3.1 on page 622 for more information as well. Table 269 Configuration > Object > Service > Service Group LABEL DESCRIPTION Click this to create a new entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
  • Page 623: Schedule Overview

    The following table describes the labels in this screen. Table 270 Configuration > Object > Service > Service Group > Edit LABEL DESCRIPTION Name Enter the name of the service group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 624: The Schedule Summary Screen

    schedules always begin and end on the same day. Recurring schedules are useful for defining the workday and off-work hours. 35.8.2 The Schedule Summary Screen The Schedule summary screen provides a summary of all schedules in the ZyWALL/USG. To access this screen, click Configuration >...
  • Page 625 Table 271 Configuration > Object > Schedule (continued) LABEL DESCRIPTION Start Time This field displays the time at which the schedule begins. Stop Time This field displays the time at which the schedule ends. Reference This displays the number of times an object reference is used in a profile. 35.8.2.1 The One-Time Schedule Add/Edit Screen The One-Time Schedule Add/Edit screen allows you to define a one-time schedule or edit an existing one.
  • Page 626 Table 272 Configuration > Object > Schedule > Edit (One Time) (continued) LABEL DESCRIPTION Click OK to save your changes back to the ZyWALL/USG. Cancel Click Cancel to exit this screen without saving your changes. 35.8.2.2 The Recurring Schedule Add/Edit Screen The Recurring Schedule Add/Edit screen allows you to define a recurring schedule or edit an existing one.
  • Page 627: The Schedule Group Screen

    35.8.3 The Schedule Group Screen The Schedule Group summary screen provides a summary of all groups of schedules in the ZyWALL/USG. To access this screen, click Configuration > Object > Schedule > Group. Figure 419 Configuration > Object > Schedule > Schedule Group The following table describes the fields in the above screen.
  • Page 628: Aaa Server Overview

    Figure 420 Configuration > Schedule > Schedule Group > Add The following table describes the fields in the above screen. Table 275 Configuration > Schedule > Schedule Group > Add LABEL DESCRIPTION Group Members Name Type the name used to refer to the recurring schedule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 629: Directory Service (Ad/Ldap)

    AAA server objects in configuring ext-group-user user objects and authentication method objects (see Chapter 35 on page 637). 35.9.1 Directory Service (AD/LDAP) LDAP/AD allows a client (the ZyWALL/USG) to connect to a server to retrieve information from a directory.
  • Page 630: What You Need To Know

    package contains server software and physical OTP tokens (PIN generators). Do the following to use OTP. See the documentation included on the ASAS’ CD for details. Install the ASAS server software on a computer. Create user accounts on the ZyWALL/USG and in the ASAS server. Import each token’s database file (located on the included CD) into the server.
  • Page 631: Active Directory Or Ldap Server Summary

    Figure 423 Basic Directory Structure (tree showing the Root, Countries (c), Organizations, Organization Units and Unique Common Name (cn) levels, with example entries Sales, Sprint and Japan) Distinguished Name (DN) A DN uniquely identifies an entry in a directory. A DN consists of attribute-value pairs separated by commas.
  • Page 632 Figure 424 Configuration > Object > AAA Server > Active Directory (or LDAP) The following table describes the labels in this screen. Table 276 Configuration > Object > AAA Server > Active Directory (or LDAP) LABEL DESCRIPTION Click this to create a new entry.
  • Page 633 Figure 425 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add
  • Page 634 The following table describes the labels in this screen. Table 277 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add LABEL DESCRIPTION Name Enter a descriptive name (up to 63 alphanumerical characters) for identification purposes.
  • Page 635: Radius Server Summary

    Table 277 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add (continued) LABEL DESCRIPTION Retype to Confirm Retype your new password for confirmation. This is only for Active Directory. Realm Enter the realm FQDN. This is only for Active Directory.
  • Page 636 35.9.6.1 Adding a RADIUS Server Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen. Click the Add icon or an Edit icon to display the following screen. Use this screen to create a new AD or LDAP entry or edit an existing one.
  • Page 637: Auth. Method Overview

    Table 279 Configuration > Object > AAA Server > RADIUS > Add (continued) LABEL DESCRIPTION Timeout Specify the timeout period (between 1 and 300 seconds) before the ZyWALL/USG disconnects from the RADIUS server. In this case, user authentication fails. Search timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down.
  • Page 638: Authentication Method Objects

    Access the Configuration > VPN > IPSec VPN > VPN Gateway > Edit screen. Click Show Advance Setting and select Enable Extended Authentication. Select Server Mode and select an authentication method object from the drop-down list box. Click OK to save the settings.
  • Page 639 35.10.3.1 Creating an Authentication Method Object Follow the steps below to create an authentication method object. Click Configuration > Object > Auth. Method. Click Add. Specify a descriptive name for identification purposes in the Name field. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 640: Certificate Overview

    Table 281 Configuration > Object > Auth. Method > Add (continued) LABEL DESCRIPTION Remove To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to remove it before doing so. Move To change a method’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.
  • Page 641 Tim wants to send a message to Jenny. He needs her to be sure that it comes from him, and that the message content has not been altered by anyone else along the way. Tim generates a public key pair (one public key and one private key).
  • Page 642: Verifying A Certificate

    Certificate File Formats Any certificate that you want to import has to be in one of these file formats: • Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates. • PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses lowercase letters, uppercase letters and numerals to convert a binary X.509 certificate into a printable form.
  • Page 643: The My Certificates Screen

    Figure 432 Certificate Details Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection. 35.11.3 The My Certificates Screen Click Configuration >...
  • Page 644: The My Certificates Add Screen

    The following table describes the labels in this screen. Table 282 Configuration > Object > Certificate > My Certificates LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL/USG’s PKI storage space that is currently in use.
  • Page 645 Figure 434 Configuration > Object > Certificate > My Certificates > Add The following table describes the labels in this screen. Table 283 Configuration > Object > Certificate > My Certificates > Add LABEL DESCRIPTION Name Type a name to identify this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
  • Page 646 Table 283 Configuration > Object > Certificate > My Certificates > Add (continued) LABEL DESCRIPTION Organization Identify the company or group to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
  • Page 647 35.11.3.2 The My Certificates Edit Screen Click Configuration > Object > Certificate > My Certificates and then the Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate’s name.
  • Page 648 The following table describes the labels in this screen. Table 284 Configuration > Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
  • Page 649: The My Certificates Import Screen

    Table 284 Configuration > Object > Certificate > My Certificates > Edit (continued) LABEL DESCRIPTION MD5 Fingerprint This is the certificate’s message digest that the ZyWALL/USG calculated using the MD5 algorithm. SHA1 Fingerprint This is the certificate’s message digest that the ZyWALL/USG calculated using the SHA1 algorithm.
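The two import formats listed under Certificate File Formats (page 642) and the MD5/SHA1 fingerprints shown on the edit screen are related: a fingerprint is the digest of the binary (DER) form, so a PEM file must be decoded before hashing, and the value you compare against must be the full thumbprint from the owner, confirmed through the out-of-band channel the guide describes on page 643. The Python example below is added here and is not from the manual or from ZyXEL; it recognises both formats, produces the colon-separated fingerprint, and compares it with a thumbprint obtained out of band. The `SAMPLE_PEM` input is a constructed PEM wrapper around a three-byte placeholder body, not a real certificate, chosen so that its digests are easy to check.

```python
import base64
import hashlib
import re

# Constructed sample input: a PEM wrapper around the placeholder body "YWJj"
# (Base-64 for the three bytes b"abc"). It is NOT a real certificate; it only
# gives the helpers below a known input whose digests are easy to verify.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

_PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def certificate_to_der(data: bytes) -> bytes:
    """Return the binary X.509 (DER) bytes from either accepted file format.

    PEM is the DER bytes Base-64 encoded between BEGIN/END CERTIFICATE lines.
    A DER certificate starts with the ASN.1 SEQUENCE tag 0x30, which is the
    only structural check made here; anything else is rejected.
    """
    match = _PEM_BLOCK.search(data)
    if match:
        body = re.sub(rb"\s+", b"", match.group(1))
        return base64.b64decode(body, validate=True)
    if data[:1] == b"\x30":
        return data
    raise ValueError("not a PEM or binary X.509 certificate file")


def fingerprint(data: bytes, algorithm: str = "sha1") -> str:
    """Colon-separated upper-case hex digest of the certificate's DER bytes.

    'sha1' and 'md5' correspond to the SHA1 Fingerprint and MD5 Fingerprint
    fields of the certificate edit screen.
    """
    digest = hashlib.new(algorithm, certificate_to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def thumbprint_matches(data: bytes, expected: str, algorithm: str = "sha1") -> bool:
    """Compare the computed thumbprint with the value confirmed out of band.

    Case and separators are normalised so '9cd0d89d' and '9C:D0:D8:9D' styles
    compare equal, but length is not: a partial thumbprint never matches, and
    a value from the wrong algorithm (MD5 against the SHA1 field) never matches.
    """
    def canon(s: str) -> str:
        return re.sub(r"[^0-9A-F]", "", s.upper())

    return canon(fingerprint(data, algorithm)) == canon(expected)


if __name__ == "__main__":
    print("SHA1", fingerprint(SAMPLE_PEM, "sha1"))
    print("MD5 ", fingerprint(SAMPLE_PEM, "md5"))
```

Prefer the SHA1 field over MD5 when confirming a thumbprint: MD5 collisions are practical, so two different certificates can share an MD5 fingerprint, while the SHA1 value still distinguishes them in this comparison.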
  • Page 650: The Trusted Certificates Screen

    Figure 436 Configuration > Object > Certificate > My Certificates > Import The following table describes the labels in this screen. Table 285 Configuration > Object > Certificate > My Certificates > Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it.
  • Page 651: The Trusted Certificates Edit Screen

    The following table describes the labels in this screen. Table 286 Configuration > Object > Certificate > Trusted Certificates LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL/USG’s PKI storage space that is currently in use.
  • Page 652 Figure 438 Configuration > Object > Certificate > Trusted Certificates > Edit
  • Page 653 The following table describes the labels in this screen. Table 287 Configuration > Object > Certificate > Trusted Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificate. You can change the name. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
  • Page 654: The Trusted Certificates Import Screen

    Table 287 Configuration > Object > Certificate > Trusted Certificates > Edit (continued) LABEL DESCRIPTION Issuer This field displays identifying information about the certificate’s issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same information as in the Subject Name field.
  • Page 655: Certificates Technical Reference

    Figure 439 Configuration > Object > Certificate > Trusted Certificates > Import The following table describes the labels in this screen. Table 288 Configuration > Object > Certificate > Trusted Certificates > Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it.
  • Page 656: Isp Account Summary

    35.12.1 ISP Account Summary This screen provides a summary of ISP accounts in the ZyWALL/USG. To access this screen, click Configuration > Object > ISP Account. Figure 440 Configuration > Object > ISP Account The following table describes the labels in this screen. See the ISP Account Edit section below for more information as well.
  • Page 657 Figure 441 Configuration > Object > ISP Account > Edit The following table describes the labels in this screen. Table 290 Configuration > Object > ISP Account > Edit LABEL DESCRIPTION Profile Name This field is read-only if you are editing an existing account. Type in the profile name of the ISP account.
  • Page 658: Ssl Application Overview

    Table 290 Configuration > Object > ISP Account > Edit (continued) LABEL DESCRIPTION Connection ID This field is available if this ISP account uses the PPTP protocol. Type your identification name for the PPTP server. This field can be blank. Service Name If this ISP account uses the PPPoE protocol, type the PPPoE service name to access.
  • Page 659 Remote User Screen Links Available SSL application names are displayed as links in remote user screens. Depending on the application type, remote users can simply click the links or follow the steps in the pop-up dialog box to access.
  • Page 660: The Ssl Application Screen

    Click the Add button and select Web Application in the Type field. In the Server Type field, select Web Server. Enter a descriptive name in the Display Name field. For example, “CompanyIntranet”. In the URLAddress field, enter “http://my-info”. Select Web Page Encryption to prevent users from saving the web content.
  • Page 661 The following table describes the labels in this screen. Table 291 Configuration > Object > SSL Application LABEL DESCRIPTION Click this to create a new entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove.
  • Page 662 Figure 446 Configuration > Object > SSL Application > Add/Edit: File Sharing The following table describes the labels in this screen. Table 292 Configuration > Object > SSL Application > Add/Edit: Web Application/File Sharing LABEL DESCRIPTION Create new Use this to configure any new settings objects that you need to use in this screen.
  • Page 663: Dhcpv6 Overview

    Table 292 Configuration > Object > SSL Application > Add/Edit: Web Application/File Sharing LABEL DESCRIPTION Preview This field only appears when you choose Web Application or File Sharing as the object type. This field displays if the Server Type is set to Web Server, OWA or Weblink. Note: If your Internet Explorer or other browser screen doesn’t show a preview, it may be due to your web browser security settings.
  • Page 664: The Dhcpv6 Request Screen

    35.14.1 The DHCPv6 Request Screen The Request screen allows you to add, edit, and remove DHCPv6 request type objects. To access this screen, log in to the Web Configurator, and click Configuration > Object > DHCPv6 > Request. Figure 447 Configuration >...
  • Page 665: The Dhcpv6 Lease Screen

    The following table describes the labels in this screen. Table 294 Configuration > DHCPv6 > Request > Add LABEL DESCRIPTION Name Type the name for this request object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  • Page 666 Figure 450 Configuration > DHCPv6 > Lease > Add The following table describes the labels in this screen. Table 296 Configuration > DHCPv6 > Lease > Add LABEL DESCRIPTION Name Type the name for this lease object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 667: Chapter 36 System

    Chapter 36 System 36.1 Overview Use the system screens to configure general ZyWALL/USG settings. 36.1.1 What You Can Do in this Chapter • Use the System > Host Name screen (see Section 36.2 on page 668) to configure a unique name for the ZyWALL/USG in your network. •...
  • Page 668: Host Name

    • Use the System > IPv6 screen (see Section 36.15 on page 716) to enable or disable IPv6 support on the ZyWALL/USG. • Use the System > ZON screen (see Section 36.16 on page 717) to enable or disable the ZyXEL One Network (ZON) utility that uses ZyXEL Discovery Protocol (ZDP) for discovering and configuring ZDP-aware ZyXEL devices in the same network as the computer on which ZON is installed.
  • Page 669: Date And Time

    Figure 452 Configuration > System > USB Storage The following table describes the labels in this screen. Table 298 Configuration > System > USB Storage LABEL DESCRIPTION Activate USB storage service Select this if you want to use the connected USB device(s). Disk full warning Set a number and select a unit (MB or %) to have the ZyWALL/USG send a warning...
  • Page 670 Figure 453 Configuration > System > Date and Time The following table describes the labels in this screen. Table 299 Configuration > System > Date and Time LABEL DESCRIPTION Current Time and Date Current Time This field displays the present time of your ZyWALL/USG. Current Date This field displays the present date of your ZyWALL/USG.
  • Page 671 Table 299 Configuration > System > Date and Time (continued) LABEL DESCRIPTION Get from Time Server Select this radio button to have the ZyWALL/USG get the time and date from the time server you specify below. The ZyWALL/USG requests time and date settings from the time server under the following circumstances.
  • Page 672: Pre-Defined Ntp Time Servers List

    36.4.1 Pre-defined NTP Time Servers List When you turn on the ZyWALL/USG for the first time, the date and time start at 2003-01-01 00:00:00. The ZyWALL/USG then attempts to synchronize with one of the following pre-defined Network Time Protocol (NTP) time servers.
  • Page 673: Console Port Speed

    Click Apply. To get the ZyWALL/USG date and time from a time server Click System > Date/Time. Select Get from Time Server under Time and Date Setup. Under Time Zone Setup, select your Time Zone from the list. As an option you can select the Enable Daylight Saving check box to adjust the ZyWALL/USG clock for daylight savings.
  • Page 674: Dns Overview

    36.6 DNS Overview DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. 36.6.1 DNS Server Address Assignment The ZyWALL/USG can get the DNS server addresses in the following ways.
  • Page 675 Figure 456 Configuration > System > DNS The following table describes the labels in this screen. Table 302 Configuration > System > DNS LABEL DESCRIPTION Address/PTR Record This record specifies the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address.
  • Page 676 Table 302 Configuration > System > DNS (continued) LABEL DESCRIPTION FQDN This is a host’s fully qualified domain name. IP Address This is the IP address of a host. CNAME Record This record specifies an alias for an FQDN. Use this record to bind all subdomains with the same IP address as the FQDN without having to update each one individually, which increases the chance of errors.
  • Page 677 Table 302 Configuration > System > DNS (continued) LABEL DESCRIPTION Click this to create a new entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to remove it before doing so.
  • Page 678: Address Record

    36.6.3 Address Record An address record contains the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com” is the top level domain.
  • Page 679: Cname Record

    36.6.6 CNAME Record A Canonical Name Record or CNAME record is a type of resource record in the Domain Name System (DNS) that specifies that the domain name is an alias of another, canonical domain name. This allows users to set up a record for a domain name which translates to an IP address, in other words, the domain name is an alias of another.
  • Page 680: Adding A Domain Zone Forwarder

    fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. 36.6.9 Adding a Domain Zone Forwarder Click the Add icon in the Domain Zone Forwarder table to add a domain zone forwarder record. Figure 459 Configuration >...
  • Page 681: Mx Record

    36.6.10 MX Record An MX (Mail eXchange) record indicates which host is responsible for the mail for a particular domain, that is, it controls where mail is sent for that domain. If you do not configure proper MX records for your domain or other domain, external e-mail from other mail servers will not be able to be delivered to your mail server and vice versa.
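The three record types introduced in 36.6.3, 36.6.6 and 36.6.10 interact: a CNAME alias is only useful once it reaches a name that has an address record, and an MX target must itself resolve to an address. The Python example below is added here and is not from the manual or from ZyXEL; it models a small in-memory zone (all names and addresses are constructed, using documentation ranges) and resolves names the way a resolver would, splitting an FQDN into host and domain zone, following CNAME chains to an address record, and listing mail exchangers in preference order. It also handles the misconfiguration the page warns about by refusing to loop on an alias that points back at itself.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed zone data for the demonstration; not from any real configuration.
A_RECORDS: Dict[str, str] = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.25",
}
CNAME_RECORDS: Dict[str, str] = {
    "intranet.example.com": "www.example.com",
    "portal.example.com": "intranet.example.com",  # alias of an alias
    "loop-a.example.com": "loop-b.example.com",    # deliberately broken pair
    "loop-b.example.com": "loop-a.example.com",
}
# MX: domain -> (preference, mail host); the lowest preference is tried first.
MX_RECORDS: Dict[str, List[Tuple[int, str]]] = {
    "example.com": [(20, "backup-mx.example.net"), (10, "mail.example.com")],
}


def split_fqdn(fqdn: str) -> Tuple[str, str]:
    """Split 'www.zyxel.com' into the host 'www' and the domain zone 'zyxel.com'."""
    host, _, zone = fqdn.rstrip(".").lower().partition(".")
    return host, zone


def resolve_address(name: str, max_hops: int = 8) -> Optional[str]:
    """Follow CNAME aliases until an address record is found; None if unresolvable.

    At most max_hops aliases are followed and a name seen twice aborts at once,
    so a misconfigured alias loop returns None instead of hanging the caller.
    """
    seen: Set[str] = set()
    current = name.rstrip(".").lower()
    for _ in range(max_hops):
        if current in A_RECORDS:
            return A_RECORDS[current]
        if current in seen or current not in CNAME_RECORDS:
            return None
        seen.add(current)
        current = CNAME_RECORDS[current].lower()
    return None


def mail_hosts(domain: str) -> List[str]:
    """Mail exchangers for a domain in delivery order (lowest preference first)."""
    return [host for _, host in sorted(MX_RECORDS.get(domain.lower(), []))]


if __name__ == "__main__":
    print(split_fqdn("www.zyxel.com"))
    print(resolve_address("portal.example.com"))
    print(resolve_address("loop-a.example.com"))
    print(mail_hosts("example.com"))
```

The loop guard matters for a device that forwards queries on behalf of LAN clients: a resolver that followed CNAMEs without a hop limit would spend unbounded work on a single broken pair of records.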
  • Page 682: Adding A Dns Service Control Rule

    Figure 461 Configuration > System > DNS > Security Option Control Edit (Customize) The following table describes the labels in this screen. Table 307 Configuration > System > DNS > Security Option Control Edit (Customize) LABEL DESCRIPTION Name You may change the name for the customized security option control policy.
  • Page 683: Www Overview

    Figure 462 Configuration > System > DNS > Service Control Rule Add The following table describes the labels in this screen. Table 308 Configuration > System > DNS > Service Control Rule Add LABEL DESCRIPTION Create new Use this to configure any new settings objects that you need to use in this screen.
  • Page 684: System Timeout

    The IP address (address object) in the Service Control table is not in the allowed zone or the action is set to Deny. There is a security policy rule that blocks it. 36.7.2 System Timeout There is a lease timeout for administrators. The ZyWALL/USG automatically logs you out if the management session remains idle for longer than this timeout period.
  • Page 685: Configuring Www Service Control

    Figure 463 HTTP/HTTPS Implementation Note: If you disable HTTP in the WWW screen, then the ZyWALL/USG blocks all HTTP connection attempts. 36.7.4 Configuring WWW Service Control Click Configuration > System > WWW to open the WWW screen. Use this screen to specify from which zones you can access the ZyWALL/USG using HTTP or HTTPS.
  • Page 686 Figure 464 Configuration > System > WWW > Service Control The following table describes the labels in this screen. Table 309 Configuration > System > WWW > Service Control LABEL DESCRIPTION HTTPS Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL/USG Web Configurator using secure HTTPS connections.
  • Page 687 Table 309 Configuration > System > WWW > Service Control (continued) LABEL DESCRIPTION Authenticate Client Certificates Select Authenticate Client Certificates (optional) to require the SSL client to authenticate itself to the ZyWALL/USG by sending the ZyWALL/USG a certificate. To do that the SSL client must have a CA-signed certificate from a CA that has been imported as a trusted CA on the ZyWALL/USG (see Section 36.7.7.5 on page 695...
  • Page 688: Service Control Rules

    Table 309 Configuration > System > WWW > Service Control (continued) LABEL DESCRIPTION Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to remove it before doing so.
  • Page 689: Customizing The Www Login Page

    The following table describes the labels in this screen. Table 310 Configuration > System > Service Control Rule > Edit LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen. Address Object Select ALL to allow or deny any computer to communicate with the ZyWALL/USG using this...
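The page 684 list of reasons a management connection is refused (the address object is not in the allowed zone, or the matching rule's action is Deny) and the Table 310 rule fields (address object, zone, action) describe an ordered first-match access list. The Python example below is added here and is not from the manual or from ZyXEL; it models such a Service Control table so an administrator can check, offline, which rule a given client would hit before changing the list and risking a lockout. It represents an address object as a subnet or host (the firmware's object types differ), uses `None` for the ALL choices, and treats "no rule matched" as deny, which is this example's assumption rather than a statement about the device.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class ServiceControlRule:
    """One row of the Service Control table.

    zone=None stands for the screen's ALL zones choice and address=None for the
    ALL address object; otherwise address is the subnet or host the address
    object resolves to (an assumed representation for this example).
    """
    zone: Optional[str]
    address: Optional[Network]
    action: str  # "accept" or "deny"

    def matches(self, zone: str, ip: Address) -> bool:
        if self.zone is not None and self.zone != zone:
            return False
        if self.address is None:
            return True
        # An IPv6 client never matches an IPv4 address object (and vice versa).
        return ip.version == self.address.version and ip in self.address


def evaluate(rules: List[ServiceControlRule], zone: str, src_ip: str,
             default: str = "deny") -> str:
    """First-match evaluation of the ordered rule list.

    Rules are checked top to bottom; the first one whose zone and address
    object both match decides. 'default' applies when nothing matches (deny
    here is the example's assumption, not documented firmware behaviour).
    """
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.matches(zone, ip):
            return rule.action
    return default


# Constructed sample policy: the whole LAN1 subnet, one administrator host on
# the WAN, and everything else arriving from the WAN denied. The addresses are
# documentation ranges, not real ones.
SAMPLE_RULES = [
    ServiceControlRule("LAN1", ipaddress.ip_network("192.168.1.0/24"), "accept"),
    ServiceControlRule("WAN", ipaddress.ip_network("198.51.100.7/32"), "accept"),
    ServiceControlRule("WAN", None, "deny"),
]


if __name__ == "__main__":
    for zone, client in [("LAN1", "192.168.1.33"), ("WAN", "198.51.100.7"),
                         ("WAN", "203.0.113.5"), ("DMZ", "192.168.3.1")]:
        print(zone, client, evaluate(SAMPLE_RULES, zone, client))
```

Order is the point of the Move control on these screens: if the WAN deny-all row were placed above the single-host accept row, the administrator host would be denied, because the first matching row wins and later rows are never consulted.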
  • Page 690 Figure 466 Configuration > System > WWW > Login Page The following figures identify the parts you can customize in the login and access pages.
  • Page 691 Figure 467 Login Page Customization (customizable parts: Title, Logo, Message (color of all text), Background, Note Message (last line of text)) Figure 468 Access Page Customization (customizable parts: Logo, Title, Message (color of all text), Note Message (last line of text), Window Background) You can specify colors in one of the following ways:...
  • Page 692 • Enter a pound sign (#) followed by the six-digit hexadecimal number that represents the desired color. For example, use “#000000” for black. • Enter “rgb” followed by red, green, and blue values in parentheses, separated by commas. For example, use “rgb(0,0,0)”...
  • Page 693: Https Example

    Table 311 Configuration > System > WWW > Login Page LABEL DESCRIPTION Background Set how the window’s background looks. To use a graphic, select Picture and upload a graphic. Specify the location and file name of the logo graphic or click Browse to locate it. The picture’s size cannot be over 438 x 337 pixels.
  • Page 694 Figure 470 Security Certificate 1 (Firefox) Figure 471 Security Certificate 2 (Firefox) 36.7.7.3 Avoiding Browser Warning Messages Here are the main reasons your browser displays warnings about the ZyWALL/USG’s HTTPS server certificate and what you can do to avoid seeing the warnings: •...
  • Page 695 Figure 472 Login Screen (Internet Explorer) 36.7.7.5 Enrolling and Importing SSL Client Certificates The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL/USG. You must have imported at least one trusted CA to the ZyWALL/USG in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details).
  • Page 696 Figure 474 CA Certificate Example Click Install Certificate and follow the wizard as shown earlier in this appendix. 36.7.7.5.2 Installing Your Personal Certificate(s) You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment.
  • Page 697 Figure 475 Personal Certificate Import Wizard 1 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 476 Personal Certificate Import Wizard 2 Enter the password given to you by the CA.
  • Page 698 Figure 477 Personal Certificate Import Wizard 3 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location. Figure 478 Personal Certificate Import Wizard 4 Click Finish to complete the wizard and begin the import process.
  • Page 699 Figure 479 Personal Certificate Import Wizard 5 You should see the following screen when the certificate is correctly installed on your computer. Figure 480 Personal Certificate Import Wizard 6 36.7.7.6 Using a Certificate When Accessing the ZyWALL/USG Example Use the following procedure to access the ZyWALL/USG via HTTPS.
  • Page 700: Ssh

    Figure 482 SSL Client Authentication You next see the Web Configurator login screen. Figure 483 Secure Web Configurator Login Screen 36.8 SSH You can use SSH (Secure SHell) to securely access the ZyWALL/USG’s command line interface. Specify which zones allow SSH access and from which IP address the access can come. SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network.
  • Page 701: How Ssh Works

    Figure 484 SSH Communication Over the WAN Example 36.8.1 How SSH Works The following figure is an example of how a secure connection is established between two remote hosts using SSH v1. Figure 485 How SSH v1 Works Example Host Identification The SSH client sends a connection request to the SSH server.
  • Page 702: Ssh Implementation On The Zywall/Usg

    36.8.2 SSH Implementation on the ZyWALL/USG Your ZyWALL/USG supports SSH versions 1 and 2 using RSA authentication and four encryption methods (AES, 3DES, Arcfour, and Blowfish). The SSH server is implemented on the ZyWALL/USG for management using port 22 (by default). 36.8.3 Requirements for Using SSH You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the ZyWALL/USG over SSH.
  • Page 703: Secure Telnet Using Ssh Examples

    Table 312 Configuration > System > SSH (continued) LABEL DESCRIPTION Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Refer to Table 310 on page 689 for details on the screen that opens.
  • Page 704: Telnet

    Chapter 36 System 36.8.5.2 Example 2: Linux This section describes how to access the ZyWALL/USG using the OpenSSH client program that comes with most Linux distributions. Test whether the SSH service is available on the ZyWALL/USG. Enter “telnet 192.168.1.1 22” at a terminal prompt and press [ENTER]. The computer attempts to connect to port 22 on the ZyWALL/USG (using the default IP address of 192.168.1.1).
  • Page 705 Figure 490 Configuration > System > TELNET The following table describes the labels in this screen. Table 313 Configuration > System > TELNET LABEL DESCRIPTION Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL/USG CLI using this service.
  • Page 706: Ftp

    36.10 FTP You can upload and download the ZyWALL/USG’s firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. 36.10.1 Configuring FTP To change your ZyWALL/USG’s FTP settings, click Configuration > System > FTP tab. The screen appears as shown.
  • Page 707: Snmp

    Table 314 Configuration > System > FTP (continued) LABEL DESCRIPTION Remove To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
  • Page 708: Snmpv3 And Security

    Figure 492 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL/USG). An agent translates the local management information from the managed device into a form compatible with SNMP.
  • Page 709: Supported Mibs

    Security can be further enhanced by encrypting the SNMP messages sent from the managers. Encryption protects the contents of the SNMP messages. When the contents of the SNMP messages are encrypted, only the intended recipients can read them. 36.11.2 Supported MIBs The ZyWALL/USG supports MIB II that is defined in RFC-1213 and RFC-1215.
  • Page 710 Figure 493 Configuration > System > SNMP The following table describes the labels in this screen. Table 316 Configuration > System > SNMP LABEL DESCRIPTION Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL/USG using this service.
  • Page 711 Table 316 Configuration > System > SNMP (continued) LABEL DESCRIPTION Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove.
  • Page 712: Authentication Server

    36.12 Authentication Server You can set the ZyWALL/USG to work as a RADIUS server to exchange messages with a RADIUS client, such as an AP for user authentication and authorization. Click Configuration > System > Auth. Server tab. The screen appears as shown. Use this screen to enable the authentication server feature of the ZyWALL/USG and specify the RADIUS client’s IP address.
  • Page 713: Add/Edit Trusted Radius Client

    Table 317 Configuration > System > Auth. Server (continued) LABEL DESCRIPTION IP Address This is the IP address of the RADIUS client that is allowed to exchange messages with the ZyWALL/USG. Mask This is the subnet mask of the RADIUS client. Description This is the description of the RADIUS client.
  • Page 714: Cloudcnm Screen

    36.13 CloudCNM Screen CloudCNM is a cloud-based network management system that allows management and monitoring of ZyWALL/USG/UAG security gateways with firmware that supports the TR-069 protocol. In the following figure, SP is the management service provider, while A and B are sites with devices being managed by SP.
  • Page 715 • Perform Site-to-Site, Hub & Spoke, Fully-meshed and Remote Access VPN provisioning. To allow CloudCNM management of your ZyWALL/USG: • You must have a CloudCNM license with CNM ID number or a CloudCNM URL identifying the server. •...
  • Page 716: Language Screen

    Table 319 Configuration > System > CloudCNM (continued) LABEL DESCRIPTION Periodic Inform Enable this to have the ZyWALL/USG inform the CloudCNM server of its presence at regular intervals. Interval Type how often the ZyWALL/USG should inform the CloudCNM server of its presence. Apply Click Apply to save your changes back to the ZyWALL/USG.
  • Page 717: Zyxel One Network (Zon) Utility

    The following table describes the labels in this screen. Table 321 Configuration > System > IPv6 LABEL DESCRIPTION Enable IPv6 Select this to have the ZyWALL/USG support IPv6 and make IPv6 settings available on the screens of the functions that support it, such as the Configuration > Network >...
  • Page 718: Zyxel One Network (Zon) System Screen

    Table 322 ZON Utility Icons ICON DESCRIPTION 6 Firmware Upgrade Use this icon to upgrade the firmware on selected device(s) of the same model. Make sure you have downloaded the firmware from the ZyXEL website to your computer and unzipped it in advance.
  • Page 719 Figure 501 Configuration > System > ZON The following table describes the labels in this screen. Table 324 Configuration > System > ZON LABEL DESCRIPTION ZyXEL Discovery Protocol (ZDP) is the protocol that the ZyXEL One Network (ZON) utility uses for discovering and configuring ZDP-aware ZyXEL devices in the same broadcast domain as the computer on which ZON is installed.
  • Page 720: Chapter 37 Log And Report

    Chapter 37 Log and Report 37.1 Overview Use these screens to configure daily reporting and log settings. 37.1.1 What You Can Do In this Chapter • Use the Email Daily Report screen (Section 37.2 on page 720) to configure where and how to send daily reports and what reports to send.
  • Page 721 Chapter 37 Log and Report Figure 502 Configuration > Log & Report > Email Daily Report ZyWALL/USG Series User’s Guide...
  • Page 722: Log Setting Screens

    The following table describes the labels in this screen. Table 325 Configuration > Log & Report > Email Daily Report LABEL DESCRIPTION Enable Email Daily Report Select this to send reports by e-mail every day. Mail Server Type the name or IP address of the outgoing SMTP server.
  • Page 723: Log Setting Summary

    to the specific destinations. You can also have the ZyWALL/USG store system logs on a connected USB storage device. The other four logs are stored on specified syslog servers. The Log Setting screens control what information the ZyWALL/USG saves in each log. You can also specify which log messages to e-mail for the system log, and where and how often to e-mail them.
  • Page 724: Edit System Log Settings

    Table 326 Configuration > Log & Report > Log Setting (continued) LABEL DESCRIPTION Log Format This field displays the format of the log. Internal - system log; you can view the log on the View Log tab. VRPT/Syslog - ZyXEL’s Vantage Report, syslog-compatible format.
  • Page 725 Figure 504 Configuration > Log & Report > Log Setting > Edit (System Log - E-mail Servers)
  • Page 726 Figure 505 Configuration > Log & Report > Log Setting > Edit (System Log - AC)
  • Page 727 Figure 506 Configuration > Log & Report > Log Setting > Edit (System Log - AP) The following table describes the labels in this screen. Table 327 Configuration > Log & Report > Log Setting > Edit (System Log) LABEL DESCRIPTION E-Mail Server 1/2...
  • Page 728 Table 327 Configuration > Log & Report > Log Setting > Edit (System Log) (continued) LABEL DESCRIPTION SMTP Authentication Select this check box if it is necessary to provide a user name and password to the SMTP server.
  • Page 729: Edit Log On Usb Storage Setting

    Table 327 Configuration > Log & Report > Log Setting > Edit (System Log) (continued) LABEL DESCRIPTION E-mail Server 1 Select whether each category of events should be included in the log messages when it is e-mailed (green check mark) and/or in alerts (red exclamation point) for the e-mail settings specified in E-Mail Server 1.
  • Page 730 Figure 507 Configuration > Log & Report > Log Setting > Edit (USB Storage)
  • Page 731: Edit Remote Server Log Settings

    The following table describes the labels in this screen. Table 328 Configuration > Log & Report > Log Setting > Edit (USB Storage) LABEL DESCRIPTION Duplicate logs to USB storage (if …) Select this to have the ZyWALL/USG save a copy of its system logs to a connected USB storage device.
  • Page 732 Figure 508 Configuration > Log & Report > Log Setting > Edit (Remote Server - AC)
  • Page 733 Configuration > Log & Report > Log Setting > Edit (Remote Server - AP) The following table describes the labels in this screen. Table 329 Configuration > Log & Report > Log Setting > Edit (Remote Server) LABEL DESCRIPTION Log Settings for...
  • Page 734: Log Category Settings Screen

    Table 329 Configuration > Log & Report > Log Setting > Edit (Remote Server) (continued) LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific address. Category This field displays each category of messages. It is the same value used in the Display and Category fields in the View Log tab.
  • Page 735 Figure 509 Log Category Settings AC
  • Page 736 Figure 510 Log Category Settings AP This screen provides a different view and a different way of indicating which messages are included in each log and each alert. Please see Section 37.3.2 on page 724, where this process is discussed. (The Default category includes debugging messages generated by open source software.)
  • Page 737 The following table describes the fields in this screen. Table 330 Configuration > Log & Report > Log Setting > Log Category Settings LABEL DESCRIPTION System Log Use the System Log drop-down list to change the log settings for all of the log categories. disable all logs (red X) - do not log any information for any category for the system log or e-mail any logs to e-mail server 1 or 2.
  • Page 738 Table 330 Configuration > Log & Report > Log Setting > Log Category Settings (continued) LABEL DESCRIPTION System Log Select which events you want to log by Log Category. There are three choices: disable all logs (red X) - do not log any information from this category enable normal logs (green check mark) - create log messages and alerts from this category enable normal logs and debug logs (yellow check mark) - create log messages, alerts,...
  • Page 739: Chapter 38 File Manager

    Chapter 38 File Manager 38.1 Overview Configuration files define the ZyWALL/USG’s settings. Shell scripts are files of commands that you can store on the ZyWALL/USG and run when you need them. You can apply a configuration file or run a shell script without the ZyWALL/USG restarting. You can store multiple configuration files and shell script files on the ZyWALL/USG.
  • Page 740: Comments In Configuration Files Or Shell Scripts

    Chapter 38 File Manager These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below. Figure 511 Configuration File / Shell Script: Example
    # enter configuration mode
    configure terminal
    # change administrator password
    username admin password 4321 user-type admin
    # configure ge3...
  • Page 741: The Configuration File Screen

    Line 3 in the following example exits sub command mode.
    interface ge1
    ip address dhcp
    Lines 1 and 3 in the following example are comments and line 4 exits sub command mode.
    interface ge1
    # this interface is a DHCP client
    Lines 1 and 2 are comments.
  • Page 742 Configuration File Flow at Restart • If there is not a startup-config.conf when you restart the ZyWALL/USG (whether through a management interface or by physically turning the power off and back on), the ZyWALL/USG uses the system-default.conf configuration file with the ZyWALL/USG’s default settings. •...
  • Page 743 The following table describes the labels in this screen. Table 332 Maintenance > File Manager > Configuration File LABEL DESCRIPTION Rename Use this button to change the label of a configuration file on the ZyWALL/USG. You can only rename manually saved configuration files.
  • Page 744 Table 332 Maintenance > File Manager > Configuration File (continued) LABEL DESCRIPTION Apply Use this button to have the ZyWALL/USG use a specific configuration file. Click a configuration file’s row to select it and click Apply to have the ZyWALL/USG use that configuration file.
  • Page 745: The Firmware Package Screen

    Table 332 Maintenance > File Manager > Configuration File (continued) LABEL DESCRIPTION File Name This column displays the label that identifies a configuration file. You cannot delete the following configuration files or change their file names. The system-default.conf file contains the ZyWALL/USG’s default settings.
  • Page 746 the Destroy compressed files that could not be decompressed option while you download the firmware package. See Section 31.2.1 on page 522 for more on the anti-virus Destroy compressed files that could not be decompressed option. The firmware update can take up to five minutes.
  • Page 747 Table 333 Maintenance > File Manager > Firmware Package (continued) LABEL DESCRIPTION To upload image file in system space Click the To upload image file in system space pull-down menu and select 1 or 2. The default is the Standby system space, so if you want to upload new firmware to be the Running firmware, then select the correct system space.
  • Page 748: The Shell Script Screen

    38.4 The Shell Script Screen Use shell script files to have the ZyWALL/USG use commands that you specify. Use a text editor to create the shell script files. They must use a “.zysh” filename extension. Click Maintenance > File Manager > Shell Script to open the Shell Script screen. Use the Shell Script screen to store, name, download, upload and run shell script files.
  • Page 749 Table 334 Maintenance > File Manager > Shell Script (continued) LABEL DESCRIPTION Download Click a shell script file’s row to select it and click Download to save the configuration to your computer. Copy Use this button to save a duplicate of a shell script file on the ZyWALL/USG. Click a shell script file’s row to select it and click Copy to open the Copy File screen.
  • Page 750: Chapter 39 Diagnostics

    Chapter 39 Diagnostics 39.1 Overview Use the diagnostics screens for troubleshooting. 39.1.1 What You Can Do in this Chapter • Use the Diagnostics screen (see Section 39.2 on page 750) to generate a file containing the ZyWALL/USG’s configuration and diagnostic information if you need to provide it to customer support during troubleshooting.
  • Page 751: The Diagnostics Files Screen

    Chapter 39 Diagnostics The following table describes the labels in this screen. Table 335 Maintenance > Diagnostics LABEL DESCRIPTION Filename This is the name of the most recently created diagnostic file. Last modified This is the date and time that the last diagnostic file was created. The format is yyyy-mm-dd hh:mm:ss.
  • Page 752: The Packet Capture Screen

    Table 336 Maintenance > Diagnostics > Files (continued) LABEL DESCRIPTION Size This column displays the size (in bytes) of a file. Last Modified This column displays the date and time that the individual files were saved. 39.3 The Packet Capture Screen Use this screen to capture network traffic going through the ZyWALL/USG’s interfaces.
  • Page 753 The following table describes the labels in this screen. Table 337 Maintenance > Diagnostics > Packet Capture LABEL DESCRIPTION Interfaces Enabled interfaces (except for virtual interfaces) appear under Available Interfaces. Select interfaces for which to capture packets and click the right arrow button to move them to the Capture Interfaces list.
  • Page 754: The Packet Capture Files Screen

    Table 337 Maintenance > Diagnostics > Packet Capture (continued) LABEL DESCRIPTION Duration Set a time limit in seconds for the capture. The ZyWALL/USG stops the capture and generates the capture file when either this period of time has passed or the file reaches the size specified in the File Size field.
  • Page 755: The System Log Screen

    The following table describes the labels in this screen. Table 338 Maintenance > Diagnostics > Packet Capture > Files LABEL DESCRIPTION Remove Select files and click Remove to delete them from the ZyWALL/USG or the connected USB storage device.
  • Page 756: The Network Tool Screen

    39.5 The Network Tool Screen Use this screen to ping or traceroute an IP address. Click Maintenance > Diagnostics > Network Tool to display this screen. Figure 528 Maintenance > Diagnostics > Network Tool The following table describes the labels in this screen. Table 340 Maintenance >...
  • Page 757: The Wireless Frame Capture Screen

    39.6 The Wireless Frame Capture Screen Use this screen to capture wireless network traffic going through the AP interfaces connected to your ZyWALL/USG. Studying these frame captures may help you identify network problems. Click Maintenance > Diagnostics > Wireless Frame Capture to display this screen. Note: New capture files overwrite existing files of the same name.
  • Page 758: The Wireless Frame Capture Files Screen

    Table 341 Maintenance > Diagnostics > Wireless Frame Capture > Capture (continued) LABEL DESCRIPTION File Size Specify a maximum size limit in kilobytes for the total combined size of all the capture files on the ZyWALL/USG, including any existing capture files and any new capture files you generate.
  • Page 759 The following table describes the labels in this screen. Table 342 Maintenance > Diagnostics > Wireless Frame Capture > Files LABEL DESCRIPTION Remove Select files and click Remove to delete them from the ZyWALL/USG. Use the [Shift] and/or [Ctrl] key to select multiple files.
  • Page 760: Chapter 40 Packet Flow Explore

    Chapter 40 Packet Flow Explore 40.1 Overview Use this to get a clear picture of how the ZyWALL/USG determines where to forward a packet and how it changes the source IP address of the packet according to your current settings. This function provides you with a summary of all your routing and SNAT settings and helps troubleshoot any related problems.
  • Page 761 Chapter 40 Packet Flow Explore Figure 531 Maintenance > Packet Flow Explore > Routing Status (Direct Route) Figure 532 Maintenance > Packet Flow Explore > Dynamic VPN Figure 533 Maintenance > Packet Flow Explore > Routing Status (Policy Route)
  • Page 762 Figure 534 Maintenance > Packet Flow Explore > Routing Status (1-1 SNAT) Figure 535 Maintenance > Packet Flow Explore > Routing Status (SiteToSite VPN) Figure 536 Maintenance > Packet Flow Explore > Routing Status (Dynamic VPN)
  • Page 763 Figure 537 Maintenance > Packet Flow Explore > Routing Status (Static-Dynamic Route) Figure 538 Maintenance > Packet Flow Explore > Routing Status (Default WAN Trunk) Figure 539 Maintenance > Packet Flow Explore > Routing Status (Main Route)
  • Page 764 The following table describes the labels in this screen. Table 343 Maintenance > Packet Flow Explore > Routing Status LABEL DESCRIPTION Routing Flow This section shows you the flow of how the ZyWALL/USG determines where to route a packet.
  • Page 765: The Snat Status Screen

    Table 343 Maintenance > Packet Flow Explore > Routing Status (continued) LABEL DESCRIPTION Outgoing This is the name of an interface which transmits packets out of the ZyWALL/USG. Gateway This is the IP address of the gateway in the same network of the outgoing interface. The following fields are available if you click Dynamic VPN or SiteToSite VPN in the Routing Flow section.
  • Page 766 Figure 541 Maintenance > Packet Flow Explore > SNAT Status (1-1 SNAT) Figure 542 Maintenance > Packet Flow Explore > SNAT Status (Loopback SNAT) Figure 543 Maintenance > Packet Flow Explore > SNAT Status (Default SNAT) The following table describes the labels in this screen.
  • Page 767 Table 344 Maintenance > Packet Flow Explore > SNAT Status (continued) LABEL DESCRIPTION This field is a sequential value, and it is not associated with any entry. NAT Rule This is the name of an activated NAT rule which uses SNAT. Source This is the original source IP address(es).
  • Page 768: Chapter 41 Shutdown

    Chapter 41 Shutdown 41.1 Overview Use this to shut down the device in preparation for disconnecting the power. Always use the Maintenance > Shutdown > Shutdown screen or the “shutdown” command before you turn off the ZyWALL/USG or remove the power. Not doing so can cause the firmware to become corrupt. 41.1.1 What You Need To Know Shutdown writes all cached data to the local storage and stops the system processes.
  • Page 769: Chapter 42 Troubleshooting

    Chapter 42 Troubleshooting This chapter offers some suggestions to solve problems you might encounter. • You can also refer to the logs (see Chapter 6 on page 151). • For the order in which the ZyWALL/USG applies its features and checks, see Chapter 40 on page 760.
  • Page 770 Chapter 42 Troubleshooting • Check the ZyWALL/USG’s connection to the Ethernet jack with Internet access. Make sure the Internet gateway device (such as a DSL modem) is working properly. • Check the WAN interface's status in the Dashboard. Use the installation setup wizard again and make sure that you enter the correct settings.
  • Page 771 The ZyWALL/USG checks the policy routes in the order that they are listed. So make sure that your custom policy route comes before any other routes that the traffic would also match. The ZyWALL/USG is not applying the custom security policy I configured. The ZyWALL/USG checks the security policies in the order that they are listed.
  • Page 772 The data rates through my cellular connection are nowhere near the rates I expected. The actual cellular data rate you obtain varies depending on the cellular device you use, the signal strength to the service provider’s base station, and so on. I created a cellular interface but cannot connect through it.
  • Page 773 The ZyWALL/USG is not applying my application patrol bandwidth management settings. Bandwidth management in policy routes has priority over application patrol bandwidth management. The ZyWALL/USG’s performance slowed down after I configured many new application patrol entries. The ZyWALL/USG checks the ports and conditions configured in application patrol entries in the order they appear in the list.
  • Page 774 Depending on your network topology and traffic load, binding every packet direction to an IDP profile may affect the ZyWALL/USG’s performance. You may want to focus IDP scanning on certain traffic directions such as incoming traffic. IDP is dropping traffic that matches a rule that says no action should be taken. The ZyWALL/USG checks all signatures and continues searching even after a match is found.
  • Page 775 I cannot get Dynamic DNS to work. • You must have a public WAN IP address to use Dynamic DNS. • Make sure you recorded your DDNS account’s user name, password, and domain name and have entered them properly in the ZyWALL/USG. •...
  • Page 776 You can set the ZyWALL/USG’s security policy to permit the use of asymmetrical route topology on the network (so it does not reset the connection) although this is not recommended since allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL/USG.
  • Page 777 • Make sure regular security policies allow traffic between the VPN tunnel and the rest of the network. Regular security policies check packets the ZyWALL/USG sends before the ZyWALL/USG encrypts them and check packets the ZyWALL/USG receives after the ZyWALL/USG decrypts them.
  • Page 778 I changed the LAN IP address and can no longer access the Internet. The ZyWALL/USG automatically updates address objects based on an interface’s IP address, subnet, or gateway if the interface’s IP address settings change. However, you need to manually edit any address objects for your LAN that are not based on the interface.
  • Page 779 I cannot add the default admin account to a user group. You cannot put the default admin account into any user group. The schedule I configured is not being applied at the configured times. Make sure the ZyWALL/USG’s current date and time are correct. I cannot get a certificate to import into the ZyWALL/USG.
  • Page 780 I uploaded a logo to display on the upper left corner of the Web Configurator login screen and access page but it does not display properly. Make sure the logo file is a GIF, JPG, or PNG of 100 kilobytes or less. I uploaded a logo to use as the screen or window background but it does not display properly.
  • Page 781: Resetting The Zywall/Usg

    The Web Configurator is the recommended method for uploading firmware. You only need to use the command line interface if you need to recover the firmware. See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it. My packet capture captured less than I wanted or failed.
  • Page 782: Getting More Troubleshooting Help

    42.2 Getting More Troubleshooting Help Search for support information for your model at www.zyxel.com for more troubleshooting suggestions.
  • Page 783: Appendix A Customer Support

    • Brief description of the problem and the steps you took to solve it. Corporate Headquarters (Worldwide) Taiwan • ZyXEL Communications Corporation • http://www.zyxel.com Asia China • ZyXEL Communications (Shanghai) Corp. ZyXEL Communications (Beijing) Corp. ZyXEL Communications (Tianjin) Corp. • http://www.zyxel.cn India • ZyXEL Technology India Pvt Ltd • http://www.zyxel.in Kazakhstan •...
  • Page 784 • ZyXEL Singapore Pte Ltd. • http://www.zyxel.com.sg Taiwan • ZyXEL Communications Corporation • http://www.zyxel.com Thailand • ZyXEL Thailand Co., Ltd • http://www.zyxel.co.th Vietnam • ZyXEL Communications Corporation-Vietnam Office • http://www.zyxel.com/vn/vi Europe Austria • ZyXEL Deutschland GmbH • http://www.zyxel.de
  • Page 785 • ZyXEL BY • http://www.zyxel.by Belgium • ZyXEL Communications B.V. • http://www.zyxel.com/be/nl/ Bulgaria • ZyXEL България • http://www.zyxel.com/bg/bg/ Czech • ZyXEL Communications Czech s.r.o • http://www.zyxel.cz Denmark • ZyXEL Communications A/S • http://www.zyxel.dk Estonia • ZyXEL Estonia • http://www.zyxel.com/ee/et/ Finland •...
  • Page 786 • ZyXEL Communications Poland • http://www.zyxel.pl Romania • ZyXEL Romania • http://www.zyxel.com/ro/ro Russia • ZyXEL Russia • http://www.zyxel.ru Slovakia • ZyXEL Communications Czech s.r.o. organizacna zlozka • http://www.zyxel.sk Spain • ZyXEL Spain • http://www.zyxel.es Sweden • ZyXEL Communications • http://www.zyxel.se Switzerland •...
  • Page 787 Ecuador • ZyXEL Communication Corporation • http://www.zyxel.com/ec/es/ Middle East Egypt • ZyXEL Communication Corporation • http://www.zyxel.com/homepage.shtml Middle East • ZyXEL Communication Corporation • http://www.zyxel.com/homepage.shtml North America • ZyXEL Communications, Inc. - North America Headquarters • http://www.us.zyxel.com/
  • Page 788 Appendix A Customer Support Oceania Australia • ZyXEL Communications Corporation • http://www.zyxel.com/au/en/ Africa South Africa • Nology (Pty) Ltd. • http://www.zyxel.co.za
  • Page 789: Appendix B Legal Information

    ZyXEL further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice. Regulatory Notice and Statement (Class A) Model List: ZyWALL 110, ZyWALL 310, ZyWALL 1100, USG110, USG210, USG310, USG1110, USG1900 United States of America The following information applies if you use the product within USA area.
  • Page 790 Appendix B Legal Information CE EMC statement This is Class A Product. In domestic environment this product may cause radio interference in which case the user may be required to take adequate measures. List of National Codes COUNTRY ISO 3166 2 LETTER CODE COUNTRY ISO 3166 2 LETTER CODE Austria...
  • Page 791 Environment Statement European Union - Disposal and Recycling Information The symbol below means that according to local regulations your product and/or its battery shall be disposed of separately from domestic waste. If this product has reached the end of its life, take it to a recycling station designated by local authorities. At the time of disposal, the separate collection of your product and/or its battery will help conserve natural resources and support sustainable development.
  • Page 792 Environmental Product Declaration
  • Page 793 North American products. Trademarks ZyNOS (ZyXEL Network Operating System) and ZON (ZyXEL One Network) are registered trademarks of ZyXEL Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.
  • Page 794 Regulatory Notice and Statement (Class B) Model List: USG40, USG40W, USG60, USG60W UNITED STATES of AMERICA The following information applies if you use the product within USA area. FCC EMC Statement • The device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) This device must accept any interference received, including interference that may cause undesired operation.
  • Page 795 If the product with 5G wireless function operates in 5250-5350 MHz and 5470-5725 MHz, the following attention must be paid. • For devices with detachable antenna(s), the maximum antenna gain permitted for devices in the bands 5250-5350 MHz and 5470-5725 MHz shall be such that the equipment still complies with the e.i.r.p.
  • Page 796 Ελληνικά (Greek) Hereby, ZyXEL declares that this equipment complies with the essential requirements and other relevant provisions of Directive 1999/5/EC. English Hereby, ZyXEL declares that this device is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC.
  • Page 797: Safety Warnings

    Appendix B Legal Information Denmark In Denmark, the band 5150 - 5350 MHz is also allowed for outdoor usage. (Danish: In Denmark the 5150 - 5350 frequency band may also be used outdoors.) Italy This product meets the National Radio Interface and the requirements specified in the National Frequency Allocation Table for Italy. Unless this wireless LAN product is operating within the boundaries of the owner's property, its use requires a “general authorization.”...
  • Page 798 Appendix B Legal Information • CAUTION: Risk of explosion if the battery is replaced by an incorrect type; dispose of used batteries according to the instructions. Dispose of them at the applicable collection point for the recycling of electrical and electronic devices. For detailed information about recycling of this product, please contact your local city office, your household waste disposal service or the store where you purchased the product.
  • Page 799 Appendix B Legal Information Environmental Product Declaration ZyWALL/USG Series User’s Guide...
  • Page 800 Appendix B Legal Information Taiwan The following message applies only to products with wireless functionality that are sold in Taiwan. Article 12: For low-power radio-frequency devices that have passed type certification, no company, firm or user may, without permission, change the frequency, increase the power, or alter the characteristics and functions of the original design. Article 14: The use of low-power radio-frequency devices must not affect flight safety or interfere with lawful communications; if interference is found, use must be stopped immediately and improved until there is no interference before use may continue. The lawful communications referred to above means radio communications operated in accordance with the Telecommunications Act. Low-power radio-frequency devices must tolerate interference from lawful communications or from industrial, scientific and medical radio-wave-emitting equipment. MPE calculated at 20 cm complies with the 1 mW/cm2 electromagnetic exposure MPE standard value of 1 mW/cm2; the measured values of the tested products are: 0.150 mW/cm2 (USG60W); 0.108 mW/cm2 (USG40W). Wireless information transmission equipment must tolerate interference from lawful communications and must not interfere with lawful communications; if interference is caused, use must stop immediately and may resume only when there is no further risk of interference. Manufacturers of wireless information transmission equipment must ensure frequency stability; when operated normally as described in the manufacturer's user manual, the emitted signal must remain within the operating band. The following message applies only to products operating in the 5.25-5.35 GHz band and sold in Taiwan. • Wireless information transmission equipment operating in the 5.25-5.35 GHz band is restricted to indoor use. The following message applies only to products that are professionally installed and sold in Taiwan...
  • Page 801 Appendix B Legal Information Registration Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at www.us.zyxel.com for North American products. Open Source Licenses This product contains in part some free software distributed under GPL license terms and/or GPL-like licenses. Open source licenses are provided with the firmware package.
  • Page 802: Appendix C Product Features

    Appendix C Product Features Please refer to the product datasheet for the latest product features. Table 345 Product Features MODEL ZYWALL ZYWALL ZYWALL USG40 USG40W USG60 USG60W USG110 USG210 USG310 USG1100 USG1900 NAME 1100 # of MAC Interface VLAN Virtual...
  • Page 803 Appendix C Product Features Table 345 Product Features MODEL ZYWALL ZYWALL ZYWALL USG40 USG40W USG60 USG60W USG110 USG210 USG310 USG1100 USG1900 NAME 1100 1000 1000 1000 1000 1000 1000 1000 1000 1000 1000 1000 1000 Session Limit per Host Rules Max.
  • Page 804 Appendix C Product Features Table 345 Product Features MODEL ZYWALL ZYWALL ZYWALL USG40 USG40W USG60 USG60W USG110 USG210 USG310 USG1100 USG1900 NAME 1100 Schedule Group Max. Schedule Object In One Group Application 1000 1000 1000 1000 1000 Object Application Group Max.
  • Page 805 Appendix C Product Features Table 345 Product Features MODEL ZYWALL ZYWALL ZYWALL USG40 USG40W USG60 USG60W USG110 USG210 USG310 USG1100 USG1900 NAME 1100 Max. VPN 1000 1000 2000 Tunnels Number Max. VPN Concentrator Number Max. VPN 1000 1000 2000 Configuration Provision Rule...
  • Page 806 Appendix C Product Features Table 345 Product Features MODEL ZYWALL ZYWALL ZYWALL USG40 USG40W USG60 USG60W USG110 USG210 USG310 USG1100 USG1900 NAME 1100 Admin E- mail Address Syslog Server Max. IDP Profile Number Max. Custom Signatures Inspection Max. SSL Inspection Profile Max.
  • Page 807 Appendix C Product Features Table 345 Product Features MODEL ZYWALL ZYWALL ZYWALL USG40 USG40W USG60 USG60W USG110 USG210 USG310 USG1100 USG1900 NAME 1100 Maximum Black List Rule Support Maximum DNSBL Domain Support Max. Statistics Number Max. Statistics Ranking Anti-Virus Max. AV Rule (Profile) Max.
  • Page 808 Appendix C Product Features Table 345 Product Features MODEL ZYWALL ZYWALL ZYWALL USG40 USG40W USG60 USG60W USG110 USG210 USG310 USG1100 USG1900 NAME 1100 Device HA VRRP Group Max OSPF Areas ZyWALL/USG Series User’s Guide...
  • Page 809: Index

    Index Index logging in Symbols multiple logins see also users Web Configurator access users, see also force user authentication policies Numbers account user 572, 663 3322 Dynamic DNS accounting server 3DES Active Directory, see AD 6in4 tunneling active protocol 6to4 tunneling and encapsulation active sessions 98, 118...
  • Page 810 Index RANGE log options SUBNET mail scan types of mail sessions threshold POP2 address record POP3 admin user registration status troubleshooting 778, 779 regular expressions admin users SMTP multiple logins status see also users white list 530, 534, 539, 540 anti-virus 518, 519 false negatives...
  • Page 811 Index troubleshooting signatures update authentication server updating signatures authentication type 61, 657 AppPatrol, see application patrol Authentication, Authorization, Accounting servers, see AAA server ASAS (Authenex Strong Authentication System) authorization server asymmetrical routes auxiliary interfaces allowing through the security policy vs virtual interfaces attacks access control backdoor...
  • Page 812 Index verifying fingerprints certification requests certifications viewing and certificates 793, 800 Challenge Handshake Authentication Protocol CA (Certificate Authority), see certificates (CHAP) Calling Station ID CHAP (Challenge Handshake Authentication capturing packets Protocol) card SIM CHAP/PAP CEF (Common Event Format) 724, 733 25, 31 cellular button...
  • Page 813 Index connection applying troubleshooting example verifying connection monitor (in SSL) custom.rules file connectivity check 508, 774 201, 213, 220, 229, 239, 253, 396 customer support console port 783, 802 speed contact information 783, 802 content (pattern) content filter troubleshooting Data Encryption Standard, see DES content filtering 474, 475 date...
  • Page 814 Index DHCP DUID 257, 668 and DNS servers Dynamic Domain Name System, see DDNS and domain name Dynamic Host Configuration Protocol, see DHCP. and interfaces dynamic peers in IPSec pool DynDNS static DHCP DynDNS see also DDNS DHCP Unique IDentifier Dynu DHCPv6 DHCP Unique IDentifier...
  • Page 815 Index basic characteristics and address objects virtual and certificates and zones exceptional services signaling port extended authentication troubleshooting and VPN gateways with Transport Layer Security (TLS) IKE SA full tunnel mode 420, 424 Extended Service Set IDentification Fully-Qualified Domain Name, see FQDN ext-user troubleshooting Generic Routing Encapsulation, see GRE.
  • Page 816 Index HTTPS statistics and certificates troubleshooting 770, 774 authenticating clients troubleshooting signatures update avoiding warning messages updating signatures example verifying custom signatures vs HTTP IEEE 802.1q VLAN with Internet Explorer IEEE 802.1q. See VLAN. with Netscape Navigator IEEE 802.1x hub-and-spoke VPN, see VPN concentrator IHL (IP Header Length) HyperText Transfer Protocol over Secure Socket IKE SA...
  • Page 817 Index managing Internet Protocol version 6, see IPv6 interface Intrusion, Detection and Prevention see IDP status intrusions troubleshooting host interfaces network and DNS servers IP (Internet Protocol) and HTTP redirect IP options 506, 511 and layer-3 virtualization IP policy routing, see policy routes and NAT IP pool and physical ports...
  • Page 818 Index remote policy ISP account replay detection CHAP SA life time CHAP/PAP SA monitor MPPE SA see also IPSec SA MSCHAP see also VPN MSCHAP-V2 site-to-site with dynamic peer static site-to-site ISP accounts transport encapsulation and PPPoE/PPTP interfaces 208, 655 tunnel encapsulation authentication type VPN gateway...
  • Page 819 Index directory structure logs Distinguished Name, see DN and security policy e-mail profiles 631, 632, 634 password e-mailing log messages 156, 727 port formats 634, 636 search time limit log consolidation settings user attributes syslog servers system least connection algorithm types of least load algorithm loose source routing...
  • Page 820 Index model name NAT-PMP Monitor NBNS 202, 240, 252, 258, 424 monitor NetBIOS Broadcast over IPSec Name Server, see NBNS. monitor profile NetBIOS Name Server, see NBNS NetMeeting monitored interfaces see also H.323 device HA Netscape Navigator mounting network access mode rack full tunnel 24, 53...
  • Page 821 Index and to-ZyWALL security policy packet captures area 0 downloading files 751, 755 areas, see OSPF areas padding authentication method PAP (Password Authentication Protocol) autonomous system (AS) Password Authentication Protocol (PAP) backbone payload configuration steps option direction size link cost Peanut Hull priority Peer-to-peer (P2P)
  • Page 822 Index polymorphic virus POP2 rack-mounting 24, 53 POP3 RADIUS 629, 630 pop-up windows advantages port forwarding, see NAT and IKE SA and PPPoE port groups 182, 187 and users port roles user attributes and Ethernet interfaces RADIUS server and physical ports troubleshooting port translation, see NAT Post Office Protocol, see POP...
  • Page 823 Index collecting data see also ALG content filtering daily daily e-mail specifications same IP traffic statistics scan attacks reset scanner types RESET button schedule troubleshooting 1058 (RIP) 1389 (RIP) schedules 1587 (OSPF areas) and content filtering 474, 475 1631 (NAT) and current date/time 1889 (RTP) and policy routes...
  • Page 824 Index see also to-Device security policy backdoor/Trojan session limits buffer overflow 366, 380 triangle routes DoS/DDoS 366, 369 troubleshooting security settings scan troubleshooting spam sensitivity level virus/worm serial number Web attack service control signature ID 500, 507, 510, 552 and to-ZyWALL security policy signatures and users anti-virus...
  • Page 825 Index rule header SSL application object rule options file sharing application signatures remote user screen links summary Source Network Address Translation, see SNAT types spam 364, 502, 530 web-based 658, 661 spillover (for load balancing) web-based example SQL slammer SSL policy and address groups edit and address objects...
  • Page 826 Index status and NAT traversal (VPN) 159, 522 and OSPF supported browsers and RIP and service control synchronization and VPN and subscription services TR-069 protocol information synchronized trademarks password port number traffic statistics restrictions Transmission Control Protocol, see TCP syslog 724, 733 transport encapsulation syslog servers, see also logs...
  • Page 827 Index performance uploading 773, 774 policy route configuration files 770, 778 firmware RADIUS server shell scripts routing UPnP schedules URI (Uniform Resource Identifier) security policy usage security settings shell scripts flash memory SNAT onboard flash sessions SSL VPN user accounts throughput rate for WLAN VLAN...
  • Page 828 Index and LDAP life cycle and policy routes macro 273, 458, 462 and RADIUS mutation and security policy polymorphic 372, 382 and service control scan and shell scripts VLAN 223, 230 attributes for Ext-User advantages attributes for LDAP and MAC address attributes for RADIUS attributes in AAA servers troubleshooting...
  • Page 829 Index and address objects and authentication method objects and certificates wall-mounting and zones warranty 793, 800 see also HTTP, HTTPS note 793, 800 Web attack Web Configurator access access users requirements zipped files supported browsers troubleshooting web features ZON Utility ActiveX zones cookies...