ZyXEL Communications USG40 User Manual


ZyWALL/USG Series
ZyWALL 110 / 310 / 1100
USG40 / USG40W / USG60 / USG60W / USG110 / USG210 / USG310 / USG1100 / USG1900
Security Firewalls
Version 4.10
Edition 2, 07/2014
Quick Start Guide
User's Guide

Default Login Details
LAN Port IP Address: https://192.168.1.1
User Name: admin
Password: 1234

www.zyxel.com
Copyright © 2014 ZyXEL Communications Corporation

Summary of Contents for ZyXEL Communications USG40

  • Page 2 IMPORTANT! READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE. This is a User’s Guide for a series of products. Not all products support all firmware features. Screenshots and graphics in this book may differ slightly from your product due to differences in your product firmware or your computer operating system.
  • Page 3: Table Of Contents

    Part I: User’s Guide ..... 18
    Chapter 1 Introduction ..... 20
    1.1 Overview ..... 20
    1.1.1 Applications ..... 20
    1.2 Management Overview ..... 23
    1.3 Web Configurator ..... 24
    1.3.1 Web Configurator Access ..... 24
    1.3.2 Web Configurator Screens Overview ..... 26
    1.3.3 Navigation Panel ..... 30
    1.3.4 Tables and Lists ..... 36
    Chapter 2 Installation Setup Wizard ..... 39
    2.1 Installation Setup Wizard Screens ..... 39
    ...
  • Page 4
    4.2.4 ISP and WAN and ISP Connection Settings ..... 55
    4.2.5 Quick Setup Interface Wizard: Summary ..... 57
    4.3 VPN Setup Wizard ..... 58
    4.3.1 Welcome ..... 59
    4.3.2 VPN Setup Wizard: Wizard Type ..... 59
    4.3.3 VPN Express Wizard - Scenario ..... 60
    4.3.4 VPN Express Wizard - Configuration ..... 61
    4.3.5 VPN Express Wizard - Summary ..... 62
    4.3.6 VPN Express Wizard - Finish ..... 62
    4.3.7 VPN Advanced Wizard - Scenario ..... 63
    ...
  • Page 5
    5.2.9 Active Session Screen ..... 92
    5.2.10 Extension Slot Screen ..... 93
    5.2.11 Interface Status Summary Screen ..... 94
    5.2.12 Secured Service Status Screen ..... 96
    5.2.13 Content Filter Statistics Screen ..... 96
    5.2.14 Top 5 Viruses Screen ..... 97
    5.2.15 Top 5 Intrusions Screen ..... 97
    5.2.16 Top 5 IPv4/IPv6 Security Policy Rules that Blocked Traffic Screen ..... 98
    5.2.17 The Latest Alert Logs Screen ..... 98
    Part II: Technical Reference .....
    ...
  • Page 6
    6.21 The Anti-Spam Screens ..... 132
    6.21.1 Anti-Spam Report ..... 132
    6.21.2 The Anti-Spam Status Screen ..... 135
    6.22 The SSL Inspection Screens ..... 136
    6.22.1 Certificate Cache List ..... 137
    6.23 Log Screens ..... 138
    6.23.1 View Log ..... 138
    6.23.2 View AP Log ..... 140
    Chapter 7 Licensing ..... 143
    7.1 Registration Overview ..... 143
    7.1.1 What you Need to Know ..... 143
    ...
  • Page 7
    8.7.2 VLAN Add/Edit ..... 201
    8.8 Bridge Interfaces ..... 210
    8.8.1 Bridge Summary ..... 211
    8.8.2 Bridge Add/Edit ..... 213
    8.9 Virtual Interfaces ..... 221
    8.9.1 Virtual Interfaces Add/Edit ..... 221
    8.10 Interface Technical Reference ..... 223
    8.11 Trunk Overview ..... 226
    8.11.1 What You Need to Know ..... 226
    8.12 The Trunk Summary Screen ..... 229
    8.12.1 Configuring a User-Defined Trunk ..... 230
    8.12.2 Configuring the System Default Trunk ..... 232
    ...
  • Page 8
    11.1.1 What You Can Do in this Chapter ..... 263
    11.1.2 What You Need to Know ..... 263
    11.2 The NAT Screen ..... 263
    11.2.1 The NAT Add/Edit Screen ..... 265
    11.3 NAT Technical Reference ..... 267
    Chapter 12 HTTP Redirect ..... 270
    12.1 Overview ..... 270
    12.1.1 What You Can Do in this Chapter ..... 270
    12.1.2 What You Need to Know ..... 270
    12.2 The HTTP Redirect Screen ..... 271
    ...
  • Page 9
    Chapter 16 Inbound Load Balancing ..... 296
    16.1 Inbound Load Balancing Overview ..... 296
    16.1.1 What You Can Do in this Chapter ..... 296
    16.2 The Inbound LB Screen ..... 297
    16.2.1 The Inbound LB Add/Edit Screen ..... 298
    16.2.2 The Inbound LB Member Add/Edit Screen ..... 300
    Chapter 17 Web Authentication ..... 302
    17.1 Web Auth Overview ..... 302
    ...
  • Page 10
    Chapter 19 IPSec VPN ..... 340
    19.1 Virtual Private Networks (VPN) Overview ..... 340
    19.1.1 What You Can Do in this Chapter ..... 342
    19.1.2 What You Need to Know ..... 343
    19.1.3 Before You Begin ..... 345
    19.2 The VPN Connection Screen ..... 345
    19.2.1 The VPN Connection Add/Edit (IKE) Screen ..... 346
    19.3 The VPN Gateway Screen ..... 353
    19.3.1 The VPN Gateway Add/Edit Screen ..... 354
    19.4 VPN Concentrator ..... 361
    ...
  • Page 11
    21.7.5 Creating a New Folder ..... 396
    21.7.6 Renaming a File or Folder ..... 396
    21.7.7 Deleting a File or Folder ..... 397
    21.7.8 Uploading a File ..... 397
    Chapter 22 ZyWALL/USG SecuExtender (Windows) ..... 399
    22.1 The ZyWALL/USG SecuExtender Icon ..... 399
    22.2 Status ..... 399
    22.3 View Log ..... 400
    22.4 Suspend and Resume the Connection ..... 401
    22.5 Stop the Connection ..... 401
    ...
  • Page 12
    26.1.3 Before You Begin ..... 429
    26.2 Content Filter Profile Screen ..... 430
    26.3 Content Filter Profile Add or Edit Screen ..... 431
    26.3.1 Content Filter Add Profile Category Service ..... 432
    26.3.2 Content Filter Add Filter Profile Custom Service ..... 436
    26.4 Content Filter Trusted Web Sites Screen ..... 439
    26.5 Content Filter Forbidden Web Sites Screen ..... 440
    26.6 Content Filter Technical Reference ..... 441
    Chapter 27 ...
  • Page 13
    29.2 Before You Begin ..... 477
    29.3 The Anti-Spam Profile Screen ..... 478
    29.3.1 The Anti-Spam Profile Add or Edit Screen ..... 479
    29.4 The Mail Scan Screen ..... 481
    29.5 The Anti-Spam Black List Screen ..... 483
    29.5.1 The Anti-Spam Black or White List Add/Edit Screen ..... 485
    29.5.2 Regular Expressions in Black or White List Entries ..... 486
    29.6 The Anti-Spam White List Screen ..... 486
    29.7 The DNSBL Screen ..... 488
    ...
  • Page 14
    32.2.4 The User/Group Setting Screen ..... 525
    32.3 AP Profile Overview ..... 531
    32.3.1 Radio Screen ..... 532
    32.3.2 SSID Screen ..... 537
    32.4 Application ..... 545
    32.4.1 Add Application Rule ..... 548
    32.4.2 Application Group Screen ..... 550
    32.5 Address Overview ..... 552
    32.5.1 What You Need To Know ..... 552
    32.5.2 Address Summary Screen ..... 552
    32.6 Service Overview ..... 557
    32.6.1 What You Need to Know ..... 558
    ...
  • Page 15
    Chapter 33 System ..... 606
    33.1 Overview ..... 606
    33.1.1 What You Can Do in this Chapter ..... 606
    33.2 Host Name ..... 607
    33.3 USB Storage ..... 607
    33.4 Date and Time ..... 608
    33.4.1 Pre-defined NTP Time Servers List ..... 611
    33.4.2 Time Server Synchronization ..... 611
    33.5 Console Port Speed ..... 612
    33.6 DNS Overview ..... 613
    33.6.1 DNS Server Address Assignment ..... 613
    ...
  • Page 16
    33.11.2 SNMP Traps ..... 646
    33.11.3 Configuring SNMP ..... 646
    33.12 Language Screen ..... 648
    33.13 IPv6 Screen ..... 648
    Chapter 34 Log and Report ..... 650
    34.1 Overview ..... 650
    34.1.1 What You Can Do In this Chapter ..... 650
    34.2 Email Daily Report ..... 650
    34.3 Log Setting Screens ..... 652
    34.3.1 Log Setting Summary ..... 653
    34.3.2 Edit System Log Settings ..... 654
    34.3.3 Edit Log on USB Storage Setting ..... 659
    ...
  • Page 17
    Chapter 38 Shutdown ..... 695
    38.1 Overview ..... 695
    38.1.1 What You Need To Know ..... 695
    38.2 The Shutdown Screen ..... 695
    Chapter 39 Troubleshooting ..... 696
    39.1 Resetting the ZyWALL/USG ..... 708
    39.2 Getting More Troubleshooting Help ..... 709
    Appendix A Customer Support ..... 710
    Appendix B Legal Information ..... 716
    Index ..... 722
    ZyWALL/USG Series User’s Guide ...
  • Page 18: Part I User's Guide

    User’s Guide...
  • Page 20: Chapter 1 Introduction

    • ZyWALL models need a license for UTM (Unified Threat Management) functionality
    • ZyWALL models do not support SSL Inspection
    • USG40 / USG40W / USG60 / USG60W support UTM but not SSL Inspection
    • USG40W / USG60W have Wi-Fi functionality
    • ...
  • Page 21 Chapter 1 Introduction
    • Anomaly Detection & Prevention (ADP)
    • Content Filtering (CF)
    • Anti-Virus (AV)
    • Anti-Spam (AS)
    • Secure Socket Layer (SSL) encrypted traffic Inspection
    Figure 1 Applications: Security Router
    IPv6 Routing: The ZyWALL/USG supports IPv6 Ethernet, PPP, VLAN, and bridge routing. You may also create IPv6 policy routes and IPv6 objects.
  • Page 22: Ssl Vpn Network Access

    Chapter 1 Introduction Figure 3 Applications: VPN Connectivity (figure labels: OTP PIN, SafeWord 2008 Authentication Server, File Server, Email Server, Web-based Application). SSL VPN Network Access: SSL VPN lets remote users use their web browsers for a very easy-to-use VPN solution. A user just browses to the ZyWALL/USG’s web address and enters his user name and password to securely connect to the ZyWALL/USG’s network.
  • Page 23: Management Overview

    Chapter 1 Introduction Figure 5 Applications: User-Aware Access Control Load Balancing Set up multiple connections to the Internet on the same port, or different ports, including cellular interfaces. In either case, you can balance the traffic loads between them. Figure 6 Applications: Multiple WAN Interfaces 1.2 Management Overview You can manage the ZyWALL/USG in the following ways.
  • Page 24: Web Configurator

    Chapter 1 Introduction Command-Line Interface (CLI) The CLI allows you to use text-based commands to configure the ZyWALL/USG. Access it using remote management (for example, SSH or Telnet) or via the physical or Web Configurator console port. Telnet sends the login and every command in cleartext, so prefer SSH for remote CLI access and limit both to trusted management networks. See the Command Reference Guide for CLI details. The default settings for the console port are: Table 2 Console Port Default Settings SETTING...
  • Page 25 Chapter 1 Introduction Type the user name (default: “admin”) and password (default: “1234”). These defaults are printed in every copy of this guide, so change the admin password the first time you log in. If you have an OTP (One-Time Password) token, generate a number and enter it in the One-Time Password field. The number is only good for one login. You must use the token to generate a new number the next time you log in.
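    The "only good for one login" property of the token number above is enforced by the authentication server, not by the token. The following Python is an added illustration, not ZyXEL's or SafeWord's code, and the page does not say which OTP algorithm the SafeWord 2008 token uses; it shows how a verifier for an event-based token (HOTP, RFC 4226) keeps a per-user counter so that a code accepted once is rejected when it is replayed. The seed is the RFC 4226 test secret, a constructed value chosen so the codes can be checked against the published vectors, not a real token seed.

```python
import hashlib
import hmac
import struct

# Constructed example seed: the RFC 4226 test secret, NOT a real token seed.
TOKEN_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class OtpVerifier:
    """Server-side state for one user's event-based token.

    `next_counter` is the lowest counter value the server will still accept.
    A successful login advances it past the counter that was used, so the
    same number can never succeed a second time.
    """

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.next_counter = 0
        # Tolerate codes the user generated on the token but never submitted.
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1  # burn this counter and any skipped ones
                return True
        return False


def demo() -> tuple:
    """First login succeeds, replaying the same number fails, the next
    number from the token succeeds again."""
    v = OtpVerifier(TOKEN_SEED)
    first = hotp(TOKEN_SEED, 0)
    accepted = v.verify(first)
    replayed = v.verify(first)
    second = v.verify(hotp(TOKEN_SEED, 1))
    return accepted, replayed, second


if __name__ == "__main__":
    print(demo())
```

    The look-ahead window is what makes the scheme usable after a few unused presses of the token; it is also why the counter must jump to c + 1 rather than increment by one, so that a skipped-then-captured code cannot be submitted later.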
  • Page 26: Web Configurator Screens Overview

    Chapter 1 Introduction If you select Never and you later want to bring this screen back, use these commands (note the space before the underscore).

    Router> enable
    Router# configure terminal
    Router(config)# service-register _setremind
      after-10-days
      after-180-days
      after-30-days
      every-time
      never
    Router(config)# service-register _setremind every-time
    Router(config)#

    See the Command Line Interface (CLI) Reference Guide (RG) for details on all supported...
  • Page 27: Title Bar

    Chapter 1 Introduction Title Bar Figure 8 Title Bar The title bar icons in the upper right corner provide the following functions. Table 3 Title Bar: Web Configurator Icons LABEL DESCRIPTION Logout Click this to log out of the Web Configurator. Help Click this to open the help page for the current screen.
  • Page 28 Chapter 1 Introduction Figure 10 Site Map Object Reference Click Object Reference to open the Object Reference screen. Select the type of object and the individual object and click Refresh to show which configuration settings reference the object. Figure 11 Object Reference The fields vary with the type of object.
  • Page 29 Chapter 1 Introduction Table 5 Object References (continued) LABEL DESCRIPTION Priority If it is applicable, this field lists the referencing configuration item’s position in its list, otherwise N/A displays. Name This field identifies the configuration item that references the object. Description If the referencing configuration item has a description configured, it displays here.
  • Page 30: Navigation Panel

    Chapter 1 Introduction Figure 13 CLI Messages 1.3.3 Navigation Panel Use the navigation panel menu items to open status and configuration screens. Click the arrow in the middle of the right edge of the navigation panel to hide the panel or drag to resize it. The following sections introduce the ZyWALL/USG’s navigation panel menus and their screens.
  • Page 31 Chapter 1 Introduction Monitor Menu The monitor menu screens display status and statistics information. Table 6 Monitor Menu Screens Summary FOLDER OR LINK TAB FUNCTION System Status Port Statistics Port Displays packet statistics for each physical port. Statistics Interface Interface Displays general interface information and packet statistics.
  • Page 32: Configuration Menu

    Chapter 1 Introduction Table 6 Monitor Menu Screens Summary (continued) FOLDER OR LINK TAB FUNCTION SSL Inspection Report Collect and display SSL Inspection statistics. Certificate Displays traffic to destination servers using certificates. Cache List View Log Lists log entries. View AP Log Lists AP log entries.
  • Page 33 Chapter 1 Introduction Table 7 Configuration Menu Screens Summary (continued) FOLDER OR LINK TAB FUNCTION IP/MAC Summary Configure IP to MAC address bindings for devices connected to Binding each supported interface. Exempt List Configure ranges of IP addresses to which the ZyWALL/USG does not apply IP/MAC binding.
  • Page 34 Chapter 1 Introduction Table 7 Configuration Menu Screens Summary (continued) FOLDER OR LINK TAB FUNCTION Anti-Spam Profile Turn anti-spam on or off and manage anti-spam policies. Create anti-spam template(s) of settings to apply to a traffic flow using a security policy. Mail Scan Configure e-mail scanning details.
  • Page 35 Chapter 1 Introduction Table 7 Configuration Menu Screens Summary (continued) FOLDER OR LINK TAB FUNCTION SSL Application SSL Application Create SSL web application or file sharing objects to apply to policies. DHCPv6 Request Configure IPv6 DHCP request type and interface information. Lease Configure IPv6 DHCP lease type and interface information.
  • Page 36: Tables And Lists

    Chapter 1 Introduction 1.3.4 Tables and Lists Web Configurator tables and lists are flexible with several options for how to display their entries. Click a column heading to sort the table’s entries according to that column’s criteria. Figure 15 Sorting Table Entries by a Column’s Criteria Click the down arrow next to a column heading for more options about how to display the entries.
  • Page 37 Chapter 1 Introduction Figure 18 Moving Columns Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how many entries display at a time. Figure 19 Navigating Pages of Table Entries The tables have icons for working with table entries.
  • Page 38 Chapter 1 Introduction Working with Lists When a list of available entries displays next to a list of selected entries, you can often just double- click an entry to move it from one list to the other. In some lists you can also use the [Shift] or [Ctrl] key to select multiple entries, and then use the arrow button to move them to the other list.
  • Page 39: Installation Setup Wizard

    Chapter 2 Installation Setup Wizard 2.1 Installation Setup Wizard Screens When you log into the Web Configurator for the first time or when you reset the ZyWALL/USG to its default configuration, the Installation Setup Wizard screen displays. This wizard helps you configure Internet connection settings and activate subscription services.
  • Page 40: Internet Access: Ethernet

    Chapter 2 Installation Setup Wizard Figure 23 Internet Access: Step 1 • I have two ISPs: Select this option to configure two Internet connections. Leave it cleared to configure just one. This option appears when you are configuring the first WAN interface. •...
  • Page 41: Internet Access: Pppoe

    Chapter 2 Installation Setup Wizard Figure 24 Internet Access: Ethernet Encapsulation • Encapsulation: This displays the type of Internet connection you are configuring. • First WAN Interface: This is the number of the interface that will connect with your ISP. •...
  • Page 42 Chapter 2 Installation Setup Wizard Figure 25 Internet Access: PPPoE Encapsulation 2.1.3.1 ISP Parameters • Type the PPPoE Service Name from your service provider. PPPoE uses a service name to identify and reach the PPPoE server. You can use alphanumeric and -_@$./ characters, and it can be up to 64 characters long.
  • Page 43: Internet Access: Pptp

    Chapter 2 Installation Setup Wizard • First / Second DNS Server: These fields display if you selected static IP address assignment. The Domain Name System (DNS) maps a domain name to an IP address and vice versa. Enter a DNS server's IP address(es). The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.
  • Page 44: Internet Access Setup - Second Wan Interface

    Chapter 2 Installation Setup Wizard • Type the Password associated with the user name. Use up to 64 ASCII characters except the [] and ?. This field can be blank. Re-type your password in the next field to confirm it. •...
  • Page 45: Internet Access - Device Registration

    Chapter 2 Installation Setup Wizard Figure 27 Internet Access: Step 3: Second WAN Interface 2.1.7 Internet Access - Device Registration Click the link in this screen to register your device at portal.myzyxel.com. Note: The ZyWALL/USG must be connected to the Internet in order to register. 2.1.8 Internet Access - Finish You have set up your ZyWALL/USG to access the Internet.
  • Page 46: Hardware, Interfaces And Zones

    The LED indicators are located on the front panel.
    Figure 29 ZyWALL 110 / USG110 / USG210 Front Panel
    Figure 30 ZyWALL 310 / ZyWALL 1100 / USG310 / USG1100 / USG1900 Front Panel
    Figure 31 USG40 / USG40W Front Panel
  • Page 47: Rear Panels

    Chapter 3 Hardware, Interfaces and Zones Figure 32 USG60 / USG60W Front Panel The following table describes the LEDs. Table 11 LED Descriptions COLOR STATUS DESCRIPTION The ZyWALL/USG is turned off. Green The ZyWALL/USG is turned on. There is a hardware component failure. Shut down the device, wait for a few minutes and then restart the device (see Section 3.2 on page 50).
  • Page 48: Default Zones, Interfaces, And Ports

    Chapter 3 Hardware, Interfaces and Zones Figure 35 USG40 / USG40W Rear Panel Figure 36 USG60 / USG60W Rear Panel The following table describes the items on the rear panel Table 12 Rear Panel Items LABEL DESCRIPTION Console You can use the console port to manage the ZyWALL/USG using CLI commands. You will be prompted to enter your user name and password.
  • Page 49 Chapter 3 Hardware, Interfaces and Zones The following table shows the default physical port and interface mapping for each model at the time of writing. Table 13 Default Physical Port - Interface Mapping PORT / INTERFACE • USG40 wan1 lan1 lan1 lan1 •...
  • Page 50: Mounting

    Chapter 3 Hardware, Interfaces and Zones 3.2 Mounting Some models can be mounted in a rack, and some can be mounted on a wall.
    Table 15 Mounting Method
    RACK-MOUNTING: ZyWALL 110, ZyWALL 310, ZyWALL 1100, ...
    WALL-MOUNTING: USG40, USG40W, USG60, ...
  • Page 51: Wall-Mounting

    Chapter 3 Hardware, Interfaces and Zones 3.2.2 Wall-mounting See Table 15 on page 50 for the ZyWALL/USG models that can be wall-mounted. Do the following to attach your ZyWALL/USG to a wall. Screw two screws with 6 mm ~ 8 mm (0.24" ~ 0.31") wide heads into the wall 150 mm apart (see the figure in step 2).
  • Page 52: Chapter 4 Quick Setup Wizards

    Chapter 4 Quick Setup Wizards 4.1 Quick Setup Overview The Web Configurator's quick setup wizards help you configure Internet and VPN connection settings. This chapter provides information on configuring the quick setup screens in the Web Configurator. See the feature-specific chapters in this User’s Guide for background information. In the Web Configurator, click Configuration >...
  • Page 53: Wan Interface Quick Setup

    Chapter 4 Quick Setup Wizards • Wizard Help If the help does not automatically display when you run the wizard, click the arrow to display it. 4.2 WAN Interface Quick Setup Click WAN Interface in the main Quick Setup screen to open the WAN Interface Quick Setup Wizard Welcome screen.
  • Page 54: Select Wan Type

    Chapter 4 Quick Setup Wizards Figure 39 Choose an Ethernet Interface 4.2.2 Select WAN Type WAN Type Selection: Select the type of encapsulation this connection is to use. Choose Ethernet when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your ISP.
  • Page 55: Isp And Wan And Isp Connection Settings

    Chapter 4 Quick Setup Wizards Figure 41 WAN Interface Setup: Step 2 • WAN Interface: This is the interface you are configuring for Internet access. • Zone: This is the security zone to which this interface and Internet connection belong. •...
  • Page 56 Chapter 4 Quick Setup Wizards Figure 42 WAN and ISP Connection Settings: (PPTP Shown) The following table describes the labels in this screen. Table 16 WAN and ISP Connection Settings LABEL DESCRIPTION ISP Parameter This section appears if the interface uses a PPPoE or PPTP Internet connection. Encapsulation This displays the type of Internet connection you are configuring.
  • Page 57: Quick Setup Interface Wizard: Summary

    Chapter 4 Quick Setup Wizards Table 16 WAN and ISP Connection Settings (continued) LABEL DESCRIPTION Base Interface This displays the identity of the Ethernet interface you configure to connect with a modem or router. Base IP Address Type the (static) IP address assigned to you by your ISP. IP Subnet Mask Type the subnet mask assigned to you by your ISP (if given).
  • Page 58: Vpn Setup Wizard

    Chapter 4 Quick Setup Wizards Figure 43 Interface Wizard: Summary WAN (PPTP Shown) The following table describes the labels in this screen. Table 17 Interface Wizard: Summary WAN LABEL DESCRIPTION Encapsulation This displays what encapsulation this interface uses to connect to the Internet. Service Name This field only appears for a PPPoE interface.
  • Page 59: Welcome

    Chapter 4 Quick Setup Wizards Figure 44 VPN Setup Wizard 4.3.1 Welcome Use wizards to create Virtual Private Network (VPN) rules. After you complete the wizard, the Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN >...
  • Page 60: Vpn Express Wizard - Scenario

    Chapter 4 Quick Setup Wizards Choose Advanced to change the default settings and/or use certificates instead of a pre-shared key to create a VPN rule to connect to another IPSec device. Figure 46 VPN Setup Wizard: Wizard Type 4.3.3 VPN Express Wizard - Scenario Click the Express radio button as shown in Figure 46 on page 60 to display the following screen.
  • Page 61: Vpn Express Wizard - Configuration

    Chapter 4 Quick Setup Wizards Select the scenario that best describes your intended VPN connection. The figure on the left of the screen changes to match the scenario you select. • Site-to-site - The remote IPSec device has a static IP address or a domain name. This ZyWALL/ USG can initiate the VPN tunnel.
  • Page 62: Vpn Express Wizard - Summary

    Chapter 4 Quick Setup Wizards 4.3.5 VPN Express Wizard - Summary This screen provides a read-only summary of the VPN tunnel’s configuration and commands that you can copy and paste into another ZLD-based ZyWALL/USG’s command line interface to configure Figure 49 VPN Express Wizard: Summary •...
  • Page 63: Vpn Advanced Wizard - Scenario

    Chapter 4 Quick Setup Wizards Figure 50 VPN Express Wizard: Finish Click Close to exit the wizard. 4.3.7 VPN Advanced Wizard - Scenario Click the Advanced radio button as shown in Figure 46 on page 60 to display the following screen.
  • Page 64: Vpn Advanced Wizard - Phase 1 Settings

    Chapter 4 Quick Setup Wizards Figure 51 VPN Advanced Wizard: Scenario Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 65 Chapter 4 Quick Setup Wizards Figure 52 VPN Advanced Wizard: Phase 1 Settings • Secure Gateway: Any displays in this field if it is not configurable for the chosen scenario. Otherwise, enter the WAN IP address or domain name of the remote IPSec device (secure gateway) to identify the remote IPSec device by its IP address or a domain name.
  • Page 66: Vpn Advanced Wizard - Phase 2

    Chapter 4 Quick Setup Wizards • Dead Peer Detection (DPD) has the ZyWALL/USG make sure the remote IPSec device is there before transmitting data through the IKE SA. If there has been no traffic for at least 15 seconds, the ZyWALL/USG sends a message to the remote IPSec device. If it responds, the ZyWALL/USG transmits the data.
  • Page 67: Vpn Advanced Wizard - Summary

    Chapter 4 Quick Setup Wizards 4.3.10 VPN Advanced Wizard - Summary This is a read-only summary of the VPN tunnel settings. Figure 54 VPN Advanced Wizard: Summary • Rule Name: Identifies the VPN connection (and the VPN gateway). • Secure Gateway: IP address or domain name of the remote IPSec device. •...
  • Page 68: Vpn Settings For Configuration Provisioning Wizard: Wizard Type

    Chapter 4 Quick Setup Wizards Figure 55 VPN Wizard: Finish Click Close to exit the wizard. 4.4 VPN Settings for Configuration Provisioning Wizard: Wizard Type Use VPN Settings for Configuration Provisioning to set up a VPN rule that can be retrieved with the ZyWALL/USG IPSec VPN Client.
  • Page 69: Configuration Provisioning Express Wizard - Vpn Settings

    Chapter 4 Quick Setup Wizards Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and to use a pre-shared key. Choose Advanced to change the default settings and/or use certificates instead of a pre-shared key in the VPN rule.
  • Page 70: Configuration Provisioning Vpn Express Wizard - Configuration

    Chapter 4 Quick Setup Wizards Figure 57 VPN for Configuration Provisioning Express Wizard: Settings Scenario Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 71: Vpn Settings For Configuration Provisioning Express Wizard - Summary

    Chapter 4 Quick Setup Wizards Figure 58 VPN for Configuration Provisioning Express Wizard: Configuration • Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the ZyWALL/USG IPSec VPN Client. •...
  • Page 72: Vpn Settings For Configuration Provisioning Express Wizard - Finish

    Chapter 4 Quick Setup Wizards Figure 59 VPN for Configuration Provisioning Express Wizard: Summary • Rule Name: Identifies the VPN gateway policy. • Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the ZyWALL/USG IPSec VPN Client.
  • Page 73: Vpn Settings For Configuration Provisioning Advanced Wizard - Scenario

    Chapter 4 Quick Setup Wizards Figure 60 VPN for Configuration Provisioning Express Wizard: Finish Click Close to exit the wizard. 4.4.5 VPN Settings for Configuration Provisioning Advanced Wizard - Scenario Click the Advanced radio button as shown in Figure 56 on page 69 to display the following screen.
  • Page 74: Vpn Settings For Configuration Provisioning Advanced Wizard - Phase 1 Settings

    Chapter 4 Quick Setup Wizards Figure 61 VPN for Configuration Provisioning Advanced Wizard: Scenario Settings Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 75: Vpn Settings For Configuration Provisioning Advanced Wizard - Phase 2

    Chapter 4 Quick Setup Wizards Figure 62 VPN for Configuration Provisioning Advanced Wizard: Phase 1 Settings • Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the ZyWALL/USG IPSec VPN Client. •...
  • Page 76: Vpn Settings For Configuration Provisioning Advanced Wizard - Summary

    Chapter 4 Quick Setup Wizards Figure 63 VPN for Configuration Provisioning Advanced Wizard: Phase 2 Settings • Active Protocol: ESP is compatible with NAT. AH is not available in this wizard. • Encapsulation: Tunnel is compatible with NAT, Transport is not. •...
  • Page 77: Vpn Settings For Configuration Provisioning Advanced Wizard- Finish

    Chapter 4 Quick Setup Wizards Figure 64 VPN for Configuration Provisioning Advanced Wizard: Summary • Rule Name: Identifies the VPN connection (and the VPN gateway). • Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the ZyWALL/USG IPSec VPN Client.
  • Page 78: Vpn Settings For L2Tp Vpn Settings Wizard

    Chapter 4 Quick Setup Wizards Figure 65 VPN for Configuration Provisioning Advanced Wizard: Finish Click Close to exit the wizard. 4.5 VPN Settings for L2TP VPN Settings Wizard Use VPN Settings for L2TP VPN Settings to set up an L2TP VPN rule. Click Configuration > Quick Setup >...
  • Page 79: L2Tp Vpn Settings

    Chapter 4 Quick Setup Wizards Figure 66 VPN Settings for L2TP VPN Settings Wizard: L2TP VPN Settings Click Next to continue the wizard. 4.5.1 L2TP VPN Settings Figure 67 VPN Settings for L2TP VPN Settings Wizard: L2TP VPN Settings • Rule Name: Type the name used to identify this L2TP VPN connection (and L2TP VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 80: L2Tp Vpn Settings

    Chapter 4 Quick Setup Wizards • My Address (interface): Select one of the interfaces from the pull down menu to apply the L2TP VPN rule. • Pre-Shared Key: Type the password. Both ends of the VPN tunnel must use the same password. Use 8 to 31 case-sensitive ASCII characters or 8 to 31 pairs of hexadecimal (“0-9”, “A-F”) characters.
  • Page 81: Vpn Settings For L2Tp Vpn Setting Wizard - Summary

    Chapter 4 Quick Setup Wizards 4.5.3 VPN Settings for L2TP VPN Setting Wizard - Summary This is a read-only summary of the L2TP VPN settings. Figure 69 VPN Settings for L2TP VPN Settings Advanced Settings Wizard: Summary • Rule Name: Identifies the L2TP VPN connection (and the L2TP VPN gateway). •...
  • Page 82: Vpn Settings For L2Tp Vpn Setting Wizard Completed

    Chapter 4 Quick Setup Wizards 4.5.4 VPN Settings for L2TP VPN Setting Wizard Completed Figure 70 VPN Settings for L2TP VPN Settings Wizard: Finish Now the rule is configured on the ZyWALL/USG. The L2TP VPN rule settings appear in the VPN > L2TP VPN screen and also in the VPN >...
  • Page 83: Dashboard

Chapter 5 Dashboard 5.1 Overview Use the Dashboard screens to check status information about the ZyWALL/USG. 5.1.1 What You Can Do in this Chapter Use the main Dashboard screen to see the ZyWALL/USG’s general device information, system status, system resource usage, licensed service status, and interface status. You can also display other status screens for more information.
  • Page 84 Chapter 5 Dashboard Figure 71 Dashboard The following table describes the labels in this screen. Table 18 Dashboard LABEL DESCRIPTION Widget Setting Use this link to open or close widgets by selecting/clearing the associated checkbox. Up Arrow (B) Click this to collapse a widget. It then becomes a down arrow. Click it again to enlarge the widget again.
  • Page 85: Device Information Screen

    Chapter 5 Dashboard Table 18 Dashboard (continued) LABEL DESCRIPTION Name This field displays the name of each interface. Status This field displays the current status of each interface or device installed in a slot. The possible values depend on what type of interface it is. Inactive - The Ethernet interface is disabled.
  • Page 86: System Status Screen

Chapter 5 Dashboard This table describes the fields in the above screen. Table 19 Dashboard > Device Information LABEL DESCRIPTION Device Information This identifies a device installed in one of the ZyWALL/USG’s extension slots, the Security Extension Module slot, or USB ports. For an installed SEM (Security Extension Module) card, this field displays what kind of SEM card is installed.
  • Page 87: Vpn Status Screen

    Chapter 5 Dashboard Table 20 Dashboard > System Status LABEL DESCRIPTION SSL VPN Status The first number is the actual number of VPN tunnels up and the second number is the maximum number of SSL VPN tunnels allowed. DHCP Table Click this to look at the IP addresses currently assigned to the ZyWALL/USG’s DHCP clients and the IP addresses reserved for specific MAC addresses.
  • Page 88: Dhcp Table Screen

Chapter 5 Dashboard This table describes the fields in the above screen. Table 21 Dashboard > System Status > VPN Status LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific SA. Name This field displays the name of the IPSec SA. Encapsulation This field displays how the IPSec SA is encapsulated.
  • Page 89: Number Of Login Users Screen

    Chapter 5 Dashboard Table 22 Dashboard > System Status > DHCP Table (continued) LABEL DESCRIPTION MAC Address This field displays the MAC address to which the IP address is currently assigned or for which the IP address is reserved. Click the column’s heading cell to sort the table entries by MAC address.
  • Page 90: System Resources Screen

    Chapter 5 Dashboard Table 23 Dashboard > System Status > Number of Login Users LABEL DESCRIPTION User Info This field displays the types of user accounts the ZyWALL/USG uses. If the user type is ext-user (external user), this field will show its external-group information when you move your mouse over it.
  • Page 91: Cpu Usage Screen

    Chapter 5 Dashboard 5.2.7 CPU Usage Screen Use the below screen to look at a chart of the ZyWALL/USG’s recent CPU usage. To access this screen, click CPU Usage in the dashboard. Figure 78 Dashboard > CPU Usage screen This table describes the fields in the above screen. Table 25 Dashboard >...
  • Page 92: Active Session Screen

Chapter 5 Dashboard Figure 79 Dashboard > Memory Usage screen This table describes the fields in the above screen. Table 26 Dashboard > Memory Usage screen LABEL DESCRIPTION The y-axis represents the percentage of RAM usage. The x-axis shows the time period over which the RAM usage occurred. Refresh Interval Enter how often you want this window to be automatically updated.
  • Page 93: Extension Slot Screen

Chapter 5 Dashboard Figure 80 Dashboard > Active Sessions > Show Active Session This table describes the fields in the above screen. Table 27 Dashboard > Active Sessions > Show Active Session Sessions The y-axis represents the number of sessions. The x-axis shows the time period over which the session usage occurred. Refresh Interval Enter how often you want this window to be automatically updated.
  • Page 94: Interface Status Summary Screen

    Chapter 5 Dashboard Table 28 Dashboard > Extension Slot LABEL DESCRIPTION Device This field displays the name of the device connected to the extension slot (or none if no device is detected). For an installed SEM (Security Extension Module) card, this field displays what kind of SEM card is installed. SEM-VPN - The VPN accelerator.
  • Page 95 Chapter 5 Dashboard Table 29 Dashboard > Interface Status Summary LABEL DESCRIPTION Status This field displays the current status of each interface. The possible values depend on what type of interface it is. For Ethernet interfaces: Inactive - The Ethernet interface is disabled. Down - The Ethernet interface does not have any physical ports associated with it or the Ethernet interface is enabled but not connected.
  • Page 96: Secured Service Status Screen

    Chapter 5 Dashboard 5.2.12 Secured Service Status Screen This part shows what Unified Threat Management (UTM) services are available and enabled. Figure 83 Dashboard > Secured Service Status This table describes the fields in the above screen. Table 30 Dashboard > Secured Service Status LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific status.
  • Page 97: Top 5 Viruses Screen

Chapter 5 Dashboard This table describes the fields in the above screen. Table 31 Dashboard > Content Filter Statistics LABEL DESCRIPTION Web Request Statistics Total Web Pages Inspected This is the number of web pages the ZyWALL/USG has checked to see whether they belong to the categories you selected in the content filter screen.
  • Page 98: Top 5 Ipv4/Ipv6 Security Policy Rules That Blocked Traffic Screen

    Chapter 5 Dashboard Table 33 Dashboard > Top 5 Intrusions LABEL DESCRIPTION Signature Name This is the name of the signature. Type This is the type of the signature, for example Schedule. Severity This is the level of threat that the intrusions may pose. Hits This is how many times the ZyWALL/USG has detected the event described in the entry.
  • Page 99 Chapter 5 Dashboard Table 35 Dashboard > The Latest Alert Logs LABEL DESCRIPTION Priority This field displays the severity of the log. Category This field displays the type of log generated. Message This field displays the actual log message. Source This field displays the source address (if any) in the packet that generated the log.
  • Page 100: Part Ii: Technical Reference

    Technical Reference...
  • Page 102: Monitor

Chapter 6 Monitor 6.1 Overview Use the Monitor screens to check status and statistics information. 6.1.1 What You Can Do in this Chapter Use the Monitor screens for the following. • Use the System Status > Port Statistics screen (see Section 6.2 on page 103) to look at packet statistics for each physical port.
  • Page 103: The Port Statistics Screen

    Chapter 6 Monitor • Use the VPN Monitor > SSL screen (see Section 6.15 on page 124) to list the users currently logged into the VPN SSL client portal. You can also log out individual users and delete related session information. •...
  • Page 104: The Port Statistics Graph Screen

    Chapter 6 Monitor The following table describes the labels in this screen. Table 36 Monitor > System Status > Port Statistics LABEL DESCRIPTION Poll Interval Enter how often you want this window to be updated automatically, and click Set Interval. Set Interval Click this to set the Poll Interval the screen uses.
  • Page 105: Interface Status Screen

    Chapter 6 Monitor Figure 90 Monitor > System Status > Port Statistics > Switch to Graphic View The following table describes the labels in this screen. Table 37 Monitor > System Status > Port Statistics > Switch to Graphic View LABEL DESCRIPTION Refresh Interval...
  • Page 106 Chapter 6 Monitor Figure 91 Monitor > System Status > Interface Status Each field is described in the following table. Table 38 Monitor > System Status > Interface Status LABEL DESCRIPTION Interface Status If an Ethernet interface does not have any physical ports associated with it, its entry is displayed in light gray text.
  • Page 107 Chapter 6 Monitor Table 38 Monitor > System Status > Interface Status (continued) LABEL DESCRIPTION HA Status This field displays the status of the interface in the virtual router. • Active - This interface is the master interface in the virtual router. •...
  • Page 108: The Traffic Statistics Screen

    Chapter 6 Monitor Table 38 Monitor > System Status > Interface Status (continued) LABEL DESCRIPTION Status This field displays the current status of the interface. • Down - The interface is not connected. • Speed / Duplex - The interface is connected. This field displays the port speed and duplex setting (Full or Half).
• Page 109 Chapter 6 Monitor Figure 92 Monitor > System Status > Traffic Statistics There is a limit on the number of records shown in the report. Please see Table 40 on page 110 for more information. The following table describes the labels in this screen. Table 39 Monitor >...
  • Page 110: The Session Monitor Screen

    Chapter 6 Monitor Table 39 Monitor > System Status > Traffic Statistics (continued) LABEL DESCRIPTION Amount This field displays how much traffic was sent or received from the indicated IP address or user. If the Direction is Ingress, a red bar is displayed; if the Direction is Egress, a blue bar is displayed.
  • Page 111 Chapter 6 Monitor • Source address • Destination address • Number of bytes received (so far) • Number of bytes transmitted (so far) • Duration (so far) You can look at all established sessions that passed through the ZyWALL/USG by user, service, source IP address, or destination IP address.
  • Page 112: Igmp Statistics

    Chapter 6 Monitor Table 41 Monitor > System Status > Session Monitor (continued) LABEL DESCRIPTION This field displays the amount of information transmitted by the source in the active session. Duration This field displays the length of the active session in seconds. Active Sessions This is the total number of established sessions that passed through the ZyWALL which matched the search criteria.
  • Page 113: The Ddns Status Screen

Chapter 6 Monitor The following table describes the labels in this screen. Table 42 Monitor > System Status > IGMP Statistics LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific IGMP Statistics. Group This field displays the group of devices in the IGMP.
  • Page 114: The Login Users Screen

    Chapter 6 Monitor binding enabled and have ever established a session with the ZyWALL/USG. Devices that have never established a session with the ZyWALL/USG do not display in the list. Figure 96 Monitor > System Status > IP/MAC Binding The following table describes the labels in this screen. Table 44 Monitor >...
  • Page 115: Cellular Status Screen

    Chapter 6 Monitor The following table describes the labels in this screen. Table 45 Monitor > System Status > Login Users LABEL DESCRIPTION Force Logout Select a user ID and click this icon to end a user’s session. This field is a sequential value and is not associated with any entry. User ID This field displays the user name of each user who is currently logged in to the ZyWALL/USG.
  • Page 116 Chapter 6 Monitor Table 46 Monitor > System Status > Cellular Status (continued) LABEL DESCRIPTION Status • No device - no mobile broadband device is connected to the ZyWALL/USG. • No Service - no mobile broadband network is available in the area; you cannot connect to the Internet.
  • Page 117: More Information

    Chapter 6 Monitor Table 46 Monitor > System Status > Cellular Status (continued) LABEL DESCRIPTION Cellular System This field displays what type of cellular network the mobile broadband connection is using. The network type varies depending on the mobile broadband card you inserted and could be UMTS, UMTS/HSDPA, GPRS or EDGE when you insert a GSM mobile broadband card, or 1xRTT, EVDO Rev.0 or EVDO Rev.A when you insert a CDMA mobile broadband card.
  • Page 118: The Upnp Port Status Screen

    Chapter 6 Monitor Table 47 Monitor > System Status > More Information (continued) LABEL DESCRIPTION Signal Strength This is the Signal Quality measured in dBm. Signal Quality This displays the strength of the signal. The signal strength mainly depends on the antenna output power and the distance between your ZyWALL/USG and the service provider’s base station.
  • Page 119: Usb Storage Screen

    Chapter 6 Monitor Table 48 Monitor > System Status > UPnP Port Status (continued) LABEL DESCRIPTION External Port This field displays the port number that the ZyWALL/USG “listens” on (on the WAN port) for connection requests destined for the NAT rule’s Internal Port and Internal Client. The ZyWALL/USG forwards incoming packets (from the WAN) with this port number to the Internal Client on the Internal Port (on the LAN).
  • Page 120: Wireless

    Chapter 6 Monitor Table 49 Monitor > System Status > USB Storage (continued) LABEL DESCRIPTION Status Ready - you can have the ZyWALL/USG use the USB storage device. Click Remove Now to stop the ZyWALL/USG from using the USB storage device so you can remove it.
  • Page 121: Wireless Ap Information: Radio List

    Chapter 6 Monitor Table 50 Monitor > Wireless > AP Information LABEL DESCRIPTION Registration This field displays the registration information of the AP. You can set the AP’s registration at Configuration > Wireless > Controller screen. APs must be connected to the ZyWALL/USG by a wired connection or network. IP Address This field displays the IP address of the AP.
  • Page 122: Wireless Station Info

    Chapter 6 Monitor Table 51 Monitor > Wireless > Radio List LABEL DESCRIPTION OP Mode This field displays the operating mode of the AP. It displays n/a for the profile for a radio not using an AP profile. AP Mode means the AP can receive connections from wireless clients and pass their data traffic through to the ZyWALL/USG to be managed (or subsequently passed on to an upstream gateway for managing).
  • Page 123: The Ipsec Monitor Screen

Chapter 6 Monitor 6.14 The IPSec Monitor Screen You can use the IPSec Monitor screen to display and to manage active IPSec SAs. To access this screen, click Monitor > VPN Monitor > IPSec. The following screen appears. Click a column’s heading cell to sort the table entries by that column’s criteria.
  • Page 124: Regular Expressions In Searching Ipsec Sas

    Chapter 6 Monitor 6.14.1 Regular Expressions in Searching IPSec SAs A question mark (?) lets a single character in the VPN connection or policy name vary. For example, use “a?c” (without the quotation marks) to specify abc, acc and so on. Wildcards (*) let multiple VPN connection or policy names match the pattern.
  • Page 125: The L2Tp Over Ipsec Session Monitor Screen

    Chapter 6 Monitor Table 54 Monitor > VPN Monitor > SSL (continued) LABEL DESCRIPTION Login Address This field displays the IP address the user used to establish this SSL VPN connection. Connected Time This field displays the time this connection was established. Inbound (Bytes) This field displays the number of bytes received by the ZyWALL/USG on this connection.
  • Page 126 Chapter 6 Monitor Click Monitor > UTM Statistics > App Patrol to display the following screen. This screen displays Application Patrol statistics based on the App Patrol profiles bound to Security Policy profiles. Figure 108 Monitor > UTM Statistics > App Patrol The following table describes the labels in this screen.
  • Page 127: The Content Filter Screen

    Chapter 6 Monitor 6.18 The Content Filter Screen Click Monitor > UTM Statistics > Content Filter to display the following screen. This screen displays content filter statistics. Figure 109 Monitor > UTM Statistics > Content Filter The following table describes the labels in this screen. Table 57 Monitor >...
  • Page 128: The Idp Screen

Chapter 6 Monitor Table 57 Monitor > UTM Statistics > Content Filter (continued) LABEL DESCRIPTION Blocked This is the number of web pages to which the ZyWALL/USG blocked access. Warned This is the number of web pages for which the ZyWALL/USG displayed a warning message to the access requesters.
  • Page 129 Chapter 6 Monitor Figure 110 Monitor > UTM Statistics > IDP: Signature Name The following table describes the labels in this screen. Table 58 Monitor > UTM Statistics > IDP LABEL DESCRIPTION Collect Statistics Select this check box to have the ZyWALL/USG collect IDP statistics. The collection starting time displays after you click Apply.
  • Page 130: The Anti-Virus Screen

    Chapter 6 Monitor Table 58 Monitor > UTM Statistics > IDP (continued) LABEL DESCRIPTION Signature Name This column displays when you display the entries by Signature Name. The signature name identifies the type of intrusion pattern. Click the hyperlink for more detailed information on the intrusion.
  • Page 131 Chapter 6 Monitor Figure 113 Monitor > UTM Statistics > Anti-Virus: Virus Name The following table describes the labels in this screen. Table 59 Monitor > UTM Statistics > Anti-Virus LABEL DESCRIPTION Collect Statistics Select this check box to have the ZyWALL/USG collect anti-virus statistics. The collection starting time displays after you click Apply.
  • Page 132: The Anti-Spam Screens

    Chapter 6 Monitor Table 59 Monitor > UTM Statistics > Anti-Virus (continued) LABEL DESCRIPTION Destination IP This column displays when you display the entries by Destination. It shows the destination IP address of virus-infected files that the ZyWALL/USG has detected. Occurrences This field displays how many times the ZyWALL/USG has detected the event described in the entry.
  • Page 133 Chapter 6 Monitor Figure 116 Monitor > UTM Statistics > Anti-Spam The following table describes the labels in this screen. Table 60 Monitor > UTM Statistics > Anti-Spam LABEL DESCRIPTION Collect Statistics Select this check box to have the ZyWALL/USG collect anti-spam statistics. The collection starting time displays after you click Apply.
• Page 134 Chapter 6 Monitor Table 60 Monitor > UTM Statistics > Anti-Spam (continued) LABEL DESCRIPTION Spam Mails Detected by Black List This is the number of e-mails that matched an entry in the ZyWALL/USG’s anti-spam black list. Spam Mails Detected by IP Reputation This is the number of e-mails that the ZyWALL/USG has determined to be spam by IP Reputation.
  • Page 135: The Anti-Spam Status Screen

    Chapter 6 Monitor 6.21.2 The Anti-Spam Status Screen Click Monitor > UTM Statistics > Anti-Spam > Status to display the Anti-Spam Status screen. Use the Anti-Spam Status screen to see how many e-mail sessions the anti-spam feature is scanning and statistics for the DNSBLs. Figure 117 Monitor >...
  • Page 136: The Ssl Inspection Screens

    Chapter 6 Monitor Table 61 Monitor > UTM Statistics > Anti-Spam > Status (continued) LABEL DESCRIPTION DNSBL Domain These are the DNSBLs the ZyWALL/USG uses to check sender and relay IP addresses in e-mails. Total Queries This is the total number of DNS queries the ZyWALL/USG has sent to this DNSBL. Avg.
  • Page 137: Certificate Cache List

Chapter 6 Monitor Table 62 Monitor > UTM Statistics > SSL Inspection > Report (continued) LABEL DESCRIPTION Flush Data Click this button to discard all of the screen’s statistics and update the report display. Status Maximum Concurrent Sessions This shows the maximum number of simultaneous SSL Inspection sessions allowed for your ZyWALL/USG model.
  • Page 138: Log Screens

Chapter 6 Monitor The following table describes the labels in this screen. Table 63 Monitor > UTM Statistics > SSL Inspection > Certificate Cache List LABEL DESCRIPTION Certificate Cache List Add to Exclude list Select an item in the list and click this icon to add the common name (CN) to the Exclude List.
  • Page 139 Chapter 6 Monitor heading cell again to reverse the sort order. The Web Configurator saves the filter settings if you leave the View Log screen and return to it later. Figure 120 Monitor > Log > View Log The following table describes the labels in this screen. Table 64 Monitor >...
  • Page 140: View Ap Log

    Chapter 6 Monitor Table 64 Monitor > Log > View Log (continued) LABEL DESCRIPTION Protocol This displays when you show the filter. Select a service protocol whose log messages you would like to see. Search This displays when you show the filter. Click this button to update the log using the current filter settings.
  • Page 141 Chapter 6 Monitor The following table describes the labels in this screen. LABEL DESCRIPTION Show Filter Click this button to show or hide the filter settings. If the filter settings are hidden, the Display, Email Log Now, Refresh, and Clear Log fields are available.
  • Page 142 Chapter 6 Monitor LABEL DESCRIPTION Destination Address This displays when you show the filter. Type the IP address of the destination of the incoming packet when the log message was generated. Do not include the port in this filter. Source Interface This displays when you show the filter.
  • Page 143: Licensing

Chapter 7 Licensing 7.1 Registration Overview Use the Configuration > Licensing > Registration screens to register your ZyWALL/USG and manage its service subscriptions. • Use the Registration screen (see Section 7.1.2 on page 144) to go to portal.myzyxel.com to register your ZyWALL/USG and activate a service, such as content filtering.
  • Page 144: Registration Screen

    Chapter 7 Licensing 7.1.2 Registration Screen Use this screen to go to portal.myzyxel.com to register your ZyWALL/USG and activate a service, such as content filtering. Click Configuration > Licensing > Registration >portal.myzyxel.com in the navigation panel to open the screen as shown next. Figure 122 Configuration >...
  • Page 145: Signature Update

    Chapter 7 Licensing Table 65 Configuration > Licensing > Registration > Service (continued) LABEL DESCRIPTION Registration Type This field displays whether you applied for a trial application (Trial) or registered a service with your iCard’s PIN number (Standard). This field is blank when a service is not activated.
  • Page 146 Chapter 7 Licensing Figure 124 Configuration > Licensing > Signature Update >Anti-Virus The following table describes the labels in this screen. Table 66 Configuration > Licensing > Signature Update >Anti-Virus LABEL DESCRIPTION Signature Information The following fields display information on the current signature set that the ZyWALL/USG is using.
  • Page 147: The Idp/Apppatrol Update Screen

    Chapter 7 Licensing Table 66 Configuration > Licensing > Signature Update >Anti-Virus (continued) LABEL DESCRIPTION Apply Click this button to save your changes to the ZyWALL/USG. Reset Click this button to return the screen to its last-saved settings. 7.2.3 The IDP/AppPatrol Update Screen Click Configuration >...
  • Page 148 Chapter 7 Licensing Table 67 Configuration > Licensing > Signature Update > IDP/AppPatrol (continued) LABEL DESCRIPTION Signature Number This field displays the number of IDP signatures in this set. This number usually gets larger as the set is enhanced. Older signatures and rules may be removed if they are no longer applicable or have been supplanted by newer ones.
  • Page 149: Interfaces

Chapter 8 Interfaces 8.1 Interface Overview Use the Interface screens to configure the ZyWALL/USG’s interfaces. You can also create interfaces on top of other interfaces. • Ports are the physical ports to which you connect cables. • Interfaces are used within the system operationally. You use them in configuring various features.
  • Page 150: What You Need To Know

    Chapter 8 Interfaces 8.1.2 What You Need to Know Interface Characteristics Interfaces generally have the following characteristics (although not all characteristics apply to each type of interface). • An interface is a logical entity through which (layer-3) packets pass. • An interface is bound to a physical port or another interface. •...
  • Page 151 Chapter 8 Interfaces characteristics. These characteristics are listed in the following table and discussed in more detail below. Table 68 Ethernet, PPP, Cellular, VLAN, Bridge, and Virtual Interface Characteristics CHARACTERISTICS ETHERNET ETHERNET CELLULAR VLAN BRIDGE VIRTUAL Name* wan1, wan2 lan1, lan2, pppx cellularx vlanx...
  • Page 152 Chapter 8 Interfaces Table 69 Relationships Between Different Types of Interfaces (continued) INTERFACE REQUIRED PORT / INTERFACE PPP interface Ethernet interface* VLAN interface* bridge interface WAN1, WAN2, OPT* virtual interface (virtual Ethernet interface) Ethernet interface* (virtual VLAN interface) VLAN interface* (virtual bridge interface) bridge interface trunk...
• Page 153 Chapter 8 Interfaces compose the network address. The prefix length is written as “/x” where x is a number. For example, 2001:db8:1a2b:15::1a2f:0/32 means that the first 32 bits (2001:db8) from the left are the network prefix. Link-local Address A link-local address uniquely identifies a device on the local network (the LAN). It is similar to a “private IP address”...
  • Page 154: What You Need To Do First

The following table shows the models that support port role at the time of writing. Table 71 Models with Port Role: ZyWALL 110, USG40, USG40W, USG60, USG60W, USG110, USG210. Note the following if you are configuring from a computer connected to a lan1, lan2, ext-wlanext- lan or dmz port and change the port's role: •...
  • Page 155: Ethernet Summary Screen

    Chapter 8 Interfaces Figure 126 Configuration > Network > Interface > Port Role Physical Ports Default interface (ZONE) The physical Ethernet ports are shown at the top and the Ethernet interfaces and zones are shown at the bottom of the screen. Use the radio buttons to select for which interface (network) you want to use each physical port.
  • Page 156 Chapter 8 Interfaces exchanged, the more efficient the routers should be. However, the routers also generate more network traffic, and some routing protocols require a significant amount of configuration and management. The ZyWALL/USG supports two routing protocols, RIP and OSPF. See Chapter 9 on page 246 for background information about these routing protocols.
  • Page 157: Ethernet Edit

    Chapter 8 Interfaces Table 72 Configuration > Network > Interface > Ethernet (continued) LABEL DESCRIPTION IP Address This field displays the current IP address of the interface. If the IP address is 0.0.0.0 (in the IPv4 network) or :: (in the IPv6 network), the interface does not have an IP address yet.
  • Page 158: Igmp Proxy

Chapter 8 Interfaces Set the priority used to identify the DR or BDR if one does not exist. IGMP Proxy Internet Group Management Protocol (IGMP) proxy is used for multicast routing. IGMP proxy enables the ZyWALL/USG to issue IGMP host messages on behalf of hosts that the ZyWALL/USG discovered on its IGMP-enabled interfaces.
  • Page 159 Chapter 8 Interfaces • Configuration > Network > Interface > Ethernet > Edit (External Type) ZyWALL/USG Series User’s Guide...
• Page 160 Chapter 8 Interfaces Configuration > Network > Interface > Ethernet > Edit (External Type)
• Page 161 Chapter 8 Interfaces Figure 128 Configuration > Network > Interface > Ethernet > Edit (Internal Type)
• Page 162 Chapter 8 Interfaces Configuration > Network > Interface > Ethernet > Edit (Internal Type)
• Page 163 Chapter 8 Interfaces Figure 129 Configuration > Network > Interface > Ethernet > Edit (OPT)
• Page 164 Chapter 8 Interfaces Configuration > Network > Interface > Ethernet > Edit (OPT)
• Page 165 Chapter 8 Interfaces This screen’s fields are described in the table below. Table 73 Configuration > Network > Interface > Ethernet > Edit LABEL DESCRIPTION IPv4/IPv6 View / IPv4 View / IPv6 View Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields.
  • Page 166 Chapter 8 Interfaces Table 73 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION IP Address Enter the IP address for this interface. Subnet Mask Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network.
• Page 167 Chapter 8 Interfaces Table 73 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Delegated Prefix Select the DHCPv6 request object to use from the drop-down list. Suffix Address Enter the ending part of the IPv6 address, a slash (/), and the prefix length. The ZyWALL/USG will append it to the delegated prefix.
• Page 168 Chapter 8 Interfaces Table 73 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Enable Router Advertisement Select this to enable this interface to send router advertisement messages periodically. See IPv6 Router Advertisement on page 154 for more information. Advertised Hosts Get Network... Select this to have the ZyWALL/USG indicate to hosts to obtain network settings (such...
  • Page 169 Chapter 8 Interfaces Table 73 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Address This is the final network prefix combined by the delegated prefix and the suffix. Note: This field displays the combined address after you click OK and reopen this screen.
  • Page 170 Chapter 8 Interfaces Table 73 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION DHCP Select what type of DHCP service the ZyWALL/USG provides to the network. Choices are: None - the ZyWALL/USG does not provide any DHCP services. There is already a DHCP server on the network.
• Page 171 Chapter 8 Interfaces Table 73 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Extended Options This table is available if you selected DHCP server. Configure this table if you want to send more information to DHCP clients through DHCP packets.
  • Page 172 Chapter 8 Interfaces Table 73 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Priority Enter the priority (between 0 and 255) of this interface when the area is looking for a Designated Router (DR) or Backup Designated Router (BDR). The highest-priority interface identifies the DR, and the second-highest-priority interface identifies the BDR.
  • Page 173: Object References

    Chapter 8 Interfaces 8.3.2 Object References When a configuration screen includes an Object Reference icon, select a configuration object and click Object Reference to open the Object References screen. This screen displays which configuration settings reference the selected object. The fields shown vary with the type of object. Figure 130 Object References The following table describes labels that can appear in this screen.
  • Page 174: Add/Edit DHCP Extended Options Chapter 8 Interfaces Figure 131 Configuration > Network > Interface > Ethernet > Edit > Add DHCPv6 Request/Lease Options Select a DHCPv6 request or lease object in the Select one object field and click OK to save it. Click Cancel to exit without saving the setting. 8.3.4 Add/Edit DHCP Extended Options When you configure an interface as a DHCPv4 server, you can additionally add DHCP extended options, which have the ZyWALL/USG add more information to the DHCP packets.
  • Page 175 Chapter 8 Interfaces Table 75 Configuration > Network > Interface > Ethernet > Edit > Add/Edit Extended Options LABEL DESCRIPTION First IP Address, Second IP Address, Third IP Address: If you selected Time Server (4), NTP Server (42), SIP Server (120), CAPWAP AC (138), or TFTP Server (150), you have to enter at least one IP address of the corresponding servers in these fields.
  • Page 176: PPP Interfaces Chapter 8 Interfaces 8.4 PPP Interfaces Use PPPoE/PPTP interfaces to connect to your ISP. This way, you do not have to install or manage PPPoE/PPTP software on each computer in the network. Figure 133 Example: PPPoE/PPTP Interfaces PPPoE/PPTP interfaces are similar to other interfaces in some ways. They have an IP address, subnet mask, and gateway used to make routing decisions;...
  • Page 177: PPP Interface Add or Edit Chapter 8 Interfaces Each field is described in the table below. Table 77 Configuration > Network > Interface > PPP LABEL DESCRIPTION User Configuration / System Default: The ZyWALL/USG comes with the (non-removable) System Default PPP interfaces pre-configured. You can create (and delete) User Configuration PPP interfaces. System Default PPP interfaces vary by model.
  • Page 178 Chapter 8 Interfaces Figure 135 Configuration > Network > Interface > PPP > Add ZyWALL/USG Series User’s Guide...
  • Page 179 Chapter 8 Interfaces Each field is explained in the following table. Table 78 Configuration > Network > Interface > PPP > Add LABEL DESCRIPTION IPv4/IPv6 View / IPv4 View / IPv6 View: Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields.
  • Page 180 Chapter 8 Interfaces Table 78 Configuration > Network > Interface > PPP > Add (continued) LABEL DESCRIPTION IP Address: This field is enabled if you select Use Fixed IP Address. Enter the IP address for this interface. Metric: Enter the priority of the gateway (the ISP) on this interface. The ZyWALL/USG decides which gateway to use based on this priority.
  • Page 181 Chapter 8 Interfaces Table 78 Configuration > Network > Interface > PPP > Add (continued) LABEL DESCRIPTION Enable Rapid Commit: Select this to shorten the DHCPv6 message exchange process from four to two steps. This function helps reduce heavy network traffic load. Note: Make sure you also enable this option in the DHCPv6 clients to make rapid commit work.
  • Page 182: Cellular Configuration Screen Chapter 8 Interfaces Table 78 Configuration > Network > Interface > PPP > Add (continued) LABEL DESCRIPTION Check this address: Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it. Check Port: This field only displays when you set the Check Method to tcp.
  • Page 183 Chapter 8 Interfaces See the following table for a comparison between 2G, 2.5G, 2.75G and 3G wireless technologies. Table 79 2G, 2.5G, 2.75G, 3G and 3.5G Wireless Technologies (columns: Name; Type; Mobile Phone and Data Standards, split into GSM-based and CDMA-based; Data Speed). First row, truncated in this extract: Type Circuit-...; GSM-based: GSM (Global System for Mobile...; CDMA-based: Interim Standard 95 (IS-95), the first CDMA-...; Data Speed: Slow...
  • Page 184 Chapter 8 Interfaces Figure 136 Configuration > Network > Interface > Cellular The following table describes the labels in this screen. Table 80 Configuration > Network > Interface > Cellular LABEL DESCRIPTION Add: Click this to create a new cellular interface. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
  • Page 185: Cellular Choose Slot Chapter 8 Interfaces Table 80 Configuration > Network > Interface > Cellular (continued) LABEL DESCRIPTION Current Version: This displays the version number of the mobile broadband dongle list currently supported by the ZyWALL/USG. Update Now: If the latest version number is greater than the current version number, click this button to download the latest list of supported mobile broadband dongle devices to the ZyWALL/USG.
  • Page 186 Chapter 8 Interfaces Figure 137 Configuration > Network > Interface > Cellular > Add
  • Page 187 Chapter 8 Interfaces The following table describes the labels in this screen. Table 81 Configuration > Network > Interface > Cellular > Add LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields. General Settings...
  • Page 188 Chapter 8 Interfaces Table 81 Configuration > Network > Interface > Cellular > Add (continued) LABEL DESCRIPTION User Name: This field displays when you select an authentication type other than None. This field is read-only if you selected Device in the profile selection. If this field is configurable, enter the user name for this mobile broadband card exactly as the service provider gave it to you.
  • Page 189 Chapter 8 Interfaces Table 81 Configuration > Network > Interface > Cellular > Add (continued) LABEL DESCRIPTION Check Method: Select the method that the gateway allows. Select icmp to have the ZyWALL/USG regularly ping the gateway you specify to make sure it is still available.
  • Page 190 Chapter 8 Interfaces Table 81 Configuration > Network > Interface > Cellular > Add (continued) LABEL DESCRIPTION Network Selection: This field appears if you selected a mobile broadband device that allows you to select the type of network to use. Select the type of mobile broadband service for your mobile broadband connection.
  • Page 191: Tunnel Interfaces Chapter 8 Interfaces Table 81 Configuration > Network > Interface > Cellular > Add (continued) LABEL DESCRIPTION Reset time and data budget counters: This button is available only when you enable budget control in this screen. Click this button to reset the time and data budgets immediately. The count starts over with the mobile broadband connection’s full configured monthly time and data budgets.
  • Page 192 Chapter 8 Interfaces Figure 138 GRE Tunnel Example (figure label: IPv4 Internet) IPv6 Over IPv4 Tunnels To route traffic between two IPv6 networks over an IPv4 network, an IPv6 over IPv4 tunnel has to be used. Figure 139 IPv6 over IPv4 Network (figure labels: IPv4, IPv6, IPv6...)
  • Page 193: Configuring a Tunnel Chapter 8 Interfaces In the ZyWALL/USG, you must also manually configure a policy route for an IPv6-in-IPv4 tunnel to make the tunnel work. 6to4 Tunneling This mode also enables IPv6 packets to cross IPv4 networks. Unlike IPv6-in-IPv4 tunneling, you do not need to configure a policy route for a 6to4 tunnel, because the IPv4 tunnel endpoint is taken from the IPv4 address embedded in the 6to4 (2002::/16) destination address.
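The following is an added example, not code from the manual or from ZyXEL, showing the address arithmetic that lets 6to4 work without a policy route: the /48 prefix a tunnel endpoint gets from its public IPv4 address, the IPv4 address that the outer header of a packet to a 2002::/16 destination is sent to, and the ingress anti-spoofing check that 6to4 implementations apply (RFC 3056, with the security discussion in RFC 3964). The IPv4 addresses used are documentation addresses chosen for the example, and the list of non-routable ranges is deliberately partial so those documentation addresses pass.

```python
import ipaddress

# Ranges that can never be the outer IPv4 endpoint of a 6to4 tunnel, since the
# embedded address must be reachable from any 6to4 relay on the Internet.
# (Partial list, an assumption for this example: 192.0.2.0/24 is left out so
# the documentation addresses below are accepted.)
_NON_ROUTABLE = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

SIXTO4 = ipaddress.IPv6Network("2002::/16")


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """The /48 that 6to4 gives a tunnel endpoint: 2002::/16 followed by the
    32 bits of the endpoint's public IPv4 address (bits 16..47 of the /48)."""
    v4 = ipaddress.IPv4Address(ipv4)
    if any(v4 in n for n in _NON_ROUTABLE):
        raise ValueError(f"{ipv4} cannot be a 6to4 endpoint (not routable)")
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def sixto4_tunnel_target(dst_ipv6: str):
    """IPv4 address the outer header is addressed to for a 6to4 destination.
    Returns None for a native IPv6 destination, which needs a 6to4 relay."""
    v6 = ipaddress.IPv6Address(dst_ipv6)
    if v6 not in SIXTO4:
        return None
    return str(ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF))


def accept_decapsulated(outer_src_ipv4: str, inner_src_ipv6: str) -> bool:
    """Ingress check on a packet received from the 6to4 tunnel: if the inner
    IPv6 source is a 6to4 address, the outer IPv4 source must be the address
    embedded in it; anything else is spoofed and is dropped. A native IPv6
    source is only legitimate via a relay, and this example has none."""
    embedded = sixto4_tunnel_target(inner_src_ipv6)
    if embedded is None:
        return False
    return embedded == outer_src_ipv4
```

The ingress check is the part worth copying: a 6to4 interface that skips it will accept any IPv6 packet an Internet host cares to wrap in protocol 41, with whatever inner source the sender chooses.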
  • Page 194: Tunnel Add or Edit Screen Chapter 8 Interfaces Figure 142 Network > Interface > Tunnel Each field is explained in the following table. Table 82 Network > Interface > Tunnel LABEL DESCRIPTION Add: Click this to create a new GRE tunnel interface. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
  • Page 195 Chapter 8 Interfaces Figure 143 Network > Interface > Tunnel > Add/Edit Each field is explained in the following table. Table 83 Network > Interface > Tunnel > Add/Edit LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields. General Settings...
  • Page 196 Chapter 8 Interfaces Table 83 Network > Interface > Tunnel > Add/Edit (continued) LABEL DESCRIPTION Tunnel Mode: Select the tunneling protocol of the interface (GRE, IPv6-in-IPv4 or 6to4). See Section 8.6 on page 191 for more information. IP Address Assignment: This section is available if you are configuring a GRE tunnel. IP Address: Enter the IP address for this interface.
  • Page 197 Chapter 8 Interfaces Table 83 Network > Interface > Tunnel > Add/Edit (continued) LABEL DESCRIPTION Interface Parameters. Egress Bandwidth: Enter the maximum amount of traffic, in kilobits per second, the ZyWALL/USG can send through the interface to the network. Allowed values are 0 - 1048576. This setting is used in WAN load balancing and bandwidth management.
  • Page 198: VLAN Interfaces Chapter 8 Interfaces 8.7 VLAN Interfaces A Virtual Local Area Network (VLAN) divides a physical network into multiple logical networks. The standard is defined in IEEE 802.1Q. Figure 144 Example: Before VLAN In this example, there are two physical networks and three departments A, B, and C. The physical networks are connected to hubs, and the hubs are connected to the router.
  • Page 199: VLAN Summary Screen Chapter 8 Interfaces This approach provides a few advantages. • Increased performance - In VLAN 2, the extra switch forwards traffic inside the sales department faster than the router does. In addition, broadcasts are limited to smaller, more logical groups of users. •...
  • Page 200 Chapter 8 Interfaces Figure 146 Configuration > Network > Interface > VLAN Each field is explained in the following table. Table 84 Configuration > Network > Interface > VLAN LABEL DESCRIPTION Configuration / IPv6 Configuration: Use the Configuration section for IPv4 network settings. Use the IPv6 Configuration section for IPv6 network settings if you connect your ZyWALL/USG to an IPv6 network.
  • Page 201: VLAN Add/Edit Chapter 8 Interfaces 8.7.2 VLAN Add/Edit This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each VLAN interface. To access this screen, click the Create Virtual Interface icon in the VLAN Summary screen. The following screen appears.
  • Page 202 Chapter 8 Interfaces Figure 147 Configuration > Network > Interface > VLAN > Create Virtual Interface
  • Page 203 Chapter 8 Interfaces Each field is explained in the following table. Table 85 Configuration > Network > Interface > VLAN > Create Virtual Interface LABEL DESCRIPTION IPv4/IPv6 View / IPv4 View / IPv6 View: Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields.
  • Page 204 Chapter 8 Interfaces Table 85 Configuration > Network > Interface > VLAN > Create Virtual Interface (continued) LABEL DESCRIPTION Gateway: This field is enabled if you select Use Fixed IP Address. Enter the IP address of the gateway. The ZyWALL/USG sends packets to the gateway when it does not know how to route the packet to its destination.
  • Page 205 Chapter 8 Interfaces Table 85 Configuration > Network > Interface > VLAN > Create Virtual Interface (continued) LABEL DESCRIPTION DHCPv6 Setting. DUID: This field displays the DHCP Unique IDentifier (DUID) of the interface, which is unique and used for identification purposes when the interface is exchanging DHCPv6 messages with others.
  • Page 206 Chapter 8 Interfaces Table 85 Configuration > Network > Interface > VLAN > Create Virtual Interface (continued) LABEL DESCRIPTION Router Preference: Select the router preference (Low, Medium or High) for the interface. The interface sends this preference in the router advertisements to tell hosts what preference they should use for the ZyWALL/USG.
  • Page 207 Chapter 8 Interfaces Table 85 Configuration > Network > Interface > VLAN > Create Virtual Interface (continued) LABEL DESCRIPTION MTU: Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the ZyWALL/USG divides it into smaller fragments.
  • Page 208 Chapter 8 Interfaces Table 85 Configuration > Network > Interface > VLAN > Create Virtual Interface (continued) LABEL DESCRIPTION Pool Size: Enter the number of IP addresses to allocate. This number must be at least one and is limited by the interface’s Subnet Mask. For example, if the Subnet Mask is 255.255.255.0 and IP Pool Start Address is 10.10.10.10, the ZyWALL/USG can allocate 10.10.10.10 to 10.10.10.254, or 245 IP addresses.
  • Page 209 Chapter 8 Interfaces Table 85 Configuration > Network > Interface > VLAN > Create Virtual Interface (continued) LABEL DESCRIPTION Add: Click this to create a new entry. Edit: Select an entry and click this to be able to modify it. Remove: Select an entry and click this to delete it.
  • Page 210: Bridge Interfaces Chapter 8 Interfaces Table 85 Configuration > Network > Interface > VLAN > Create Virtual Interface (continued) LABEL DESCRIPTION Authentication: This field is available if the Authentication is MD5. Type the password for MD5 authentication. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.
  • Page 211: Bridge Summary Chapter 8 Interfaces If computer B responds to computer A, bridge X records the source address 0B:0B:0B:0B:0B:0B and port 4 in the table. It also looks up 0A:0A:0A:0A:0A:0A in the table and sends the packet to port 2 accordingly. Table 87 Example: Bridge Table After Computer B Responds to Computer A (columns: MAC Address, Port) 0A:0A:0A:0A:0A:0A...
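The learning and forwarding behaviour described above, as an added example that is not code from the manual or from ZyXEL. It reproduces the manual's scenario (computer A 0A:0A:0A:0A:0A:0A on port 2, computer B 0B:0B:0B:0B:0B:0B on port 4) and adds one thing the text does not mention: a bound on the size of the MAC table. The bound, its default, and the choice to stop learning rather than evict when it is full are this example's assumptions; the manual does not state what the ZyWALL/USG does.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningBridge:
    """Transparent bridge: learn source MAC -> ingress port, forward known
    destinations by lookup, flood unknown and broadcast destinations."""

    def __init__(self, ports, max_entries=1024):
        self.ports = list(ports)
        self.max_entries = max_entries   # assumption for this example
        self.table = {}                  # mac (lower case) -> port

    def forward(self, src_mac: str, dst_mac: str, in_port) -> list:
        """Return the list of ports the frame is sent out of."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        src, dst = src_mac.lower(), dst_mac.lower()

        # Learning step. A full table is not overwritten, so a host that
        # floods random source MACs (MAC flooding) cannot evict real entries
        # and turn the bridge into a hub for everyone else's traffic; only its
        # own frames, and replies to them, end up flooded.
        if src in self.table or len(self.table) < self.max_entries:
            self.table[src] = in_port

        # Forwarding step.
        if dst == BROADCAST or dst not in self.table:
            return [p for p in self.ports if p != in_port]
        out_port = self.table[dst]
        return [] if out_port == in_port else [out_port]
```

Usage follows the manual's tables: the first frame from A to B is flooded to ports 1, 3 and 4 and A is learned on port 2; B's reply is delivered to port 2 only, and B is learned on port 4.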
  • Page 212 Chapter 8 Interfaces Figure 148 Configuration > Network > Interface > Bridge Each field is described in the following table. Table 89 Configuration > Network > Interface > Bridge LABEL DESCRIPTION Configuration / IPv6 Configuration: Use the Configuration section for IPv4 network settings. Use the IPv6 Configuration section for IPv6 network settings if you connect your ZyWALL/USG to an IPv6 network.
  • Page 213: Bridge Add/Edit Chapter 8 Interfaces 8.8.2 Bridge Add/Edit This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each bridge interface. To access this screen, click the Add or Edit icon in the Bridge Summary screen. The following screen appears. Figure 149 Configuration >...
  • Page 214 Chapter 8 Interfaces Configuration > Network > Interface > Bridge > Add Each field is described in the table below. Table 90 Configuration > Network > Interface > Bridge > Create Virtual Interface LABEL DESCRIPTION IPv4/IPv6 View / IPv4 View / IPv6 View: Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields.
  • Page 215 Chapter 8 Interfaces Table 90 Configuration > Network > Interface > Bridge > Create Virtual Interface (continued) LABEL DESCRIPTION Enable IPv6: Select this to enable IPv6 on this interface. Otherwise, clear this to disable it. Interface Properties. Interface Type: Select one of the following options, depending on the type of network to which the ZyWALL/USG is connected or on whether you want to manually configure some related settings.
  • Page 216 Chapter 8 Interfaces Table 90 Configuration > Network > Interface > Bridge > Create Virtual Interface (continued) LABEL DESCRIPTION Enable IGMP Support: Select this to allow the ZyWALL/USG to act as an IGMP proxy for hosts connected on the IGMP downstream interface. IGMP Version: Select the IGMP version to be used on this ZyWALL/USG interface.
  • Page 217 Chapter 8 Interfaces Table 90 Configuration > Network > Interface > Bridge > Create Virtual Interface (continued) LABEL DESCRIPTION DHCPv6 Setting. DUID: This field displays the DHCP Unique IDentifier (DUID) of the interface, which is unique and used for identification purposes when the interface is exchanging DHCPv6 messages with others.
  • Page 218 Chapter 8 Interfaces Table 90 Configuration > Network > Interface > Bridge > Create Virtual Interface (continued) LABEL DESCRIPTION Router Preference: Select the router preference (Low, Medium or High) for the interface. The interface sends this preference in the router advertisements to tell hosts what preference they should use for the ZyWALL/USG.
  • Page 219 Chapter 8 Interfaces Table 90 Configuration > Network > Interface > Bridge > Create Virtual Interface (continued) LABEL DESCRIPTION Ingress Bandwidth: This is reserved for future use. Enter the maximum amount of traffic, in kilobits per second, the ZyWALL/USG can receive from the network through the interface.
  • Page 220 Chapter 8 Interfaces Table 90 Configuration > Network > Interface > Bridge > Create Virtual Interface (continued) LABEL DESCRIPTION Default Router: If you set this interface to DHCP Server, you can select to use either the interface’s IP address or another IP address as the default router. This default router will become the DHCP clients’...
  • Page 221: Virtual Interfaces Chapter 8 Interfaces Table 90 Configuration > Network > Interface > Bridge > Create Virtual Interface (continued) LABEL DESCRIPTION Check Method: Select the method that the gateway allows. Select icmp to have the ZyWALL/USG regularly ping the gateway you specify to make sure it is still available.
  • Page 222 Chapter 8 Interfaces Figure 150 Configuration > Network > Interface > Create Virtual Interface Each field is described in the table below. Table 91 Configuration > Network > Interface > Create Virtual Interface LABEL DESCRIPTION Interface Properties. Interface Name: This field is read-only. It displays the name of the virtual interface, which is automatically derived from the underlying Ethernet interface, VLAN interface, or bridge interface.
  • Page 223: Interface Technical Reference Chapter 8 Interfaces 8.10 Interface Technical Reference Here is more detailed information about interfaces on the ZyWALL/USG. IP Address Assignment Most interfaces have an IP address and a subnet mask. This information is used to create an entry in the routing table. Figure 151 Example: Entry in the Routing Table Derived from Interfaces (figure labels: lan1, wan1...)
  • Page 224 Chapter 8 Interfaces The gateway is an optional setting for each interface. If there is more than one gateway, the ZyWALL/USG uses the gateway with the lowest metric, or cost. If two or more gateways have the same metric, the ZyWALL/USG uses the one that was set up first (the first entry in the routing table).
  • Page 225 Chapter 8 Interfaces • IP address - If the DHCP client’s MAC address is in the ZyWALL/USG’s static DHCP table, the interface assigns the corresponding IP address. If not, the interface assigns IP addresses from a pool, defined by the starting address of the pool and the pool size. Table 94 Example: Assigning IP Addresses from a Pool (columns: Start IP Address, Pool Size...)
  • Page 226: Trunk Overview Chapter 8 Interfaces • PPPoE does not usually require any special configuration of the modem. PPTP is used to set up virtual private networks (VPN) in insecure TCP/IP environments. It sets up two sessions. The first one runs on TCP port 1723. It is used to start and manage the second one. The second one uses Generic Routing Encapsulation (GRE, RFC 2890; the PPTP variant of GRE is specified in RFC 2637) to transfer information between the computers.
  • Page 227 Chapter 8 Interfaces You can also use trunks with policy routing to send specific traffic types through the best WAN interface for that type of traffic. • If that interface’s connection goes down, the ZyWALL/USG can still send its traffic through another interface.
  • Page 228 Chapter 8 Interfaces Since WAN 2 has a smaller load balancing index (meaning that it is less utilized than WAN 1), the ZyWALL/USG will send the subsequent new session traffic through WAN 2. Table 95 Least Load First Example (columns: Interface, Outbound, Load Balancing Index (M/A))
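The least load first decision in Table 95, as an added example that is not code from the manual or from ZyXEL. It reads the table's M/A index as measured outbound throughput divided by the interface's available (configured egress) bandwidth, picks the member with the smallest index, and then walks a few new sessions through the trunk. The interface names, bandwidths and per-session demands are constructed; how often the device re-measures load is not stated in the manual, so adding each session's demand to the chosen member immediately is a simplification of this example.

```python
def load_index(measured_kbps: float, available_kbps: float) -> float:
    """Load balancing index M/A: measured outbound traffic over the
    interface's available egress bandwidth. 1.0 means fully utilized."""
    if available_kbps <= 0:
        return float("inf")           # no usable bandwidth: never chosen
    return measured_kbps / available_kbps


def least_load_first(members) -> str:
    """members: sequence of (name, measured_kbps, available_kbps) in trunk
    order. Returns the name with the smallest index. min() keeps the first
    minimum it sees, so on a tie the earlier trunk member wins."""
    return min(members, key=lambda m: load_index(m[1], m[2]))[0]


def assign_sessions(members, session_kbps) -> list:
    """Place each new session on the currently least loaded member and add
    its demand to that member's measured load; returns one name per session."""
    state = [list(m) for m in members]         # copy so the caller's data is untouched
    chosen = []
    for kbps in session_kbps:
        name = least_load_first(state)
        chosen.append(name)
        for m in state:
            if m[0] == name:
                m[1] += kbps
    return chosen
```

With wan1 at 700 of 1000 kbps (index 0.70) and wan2 at 900 of 2000 kbps (index 0.45), the next session goes to wan2, exactly the outcome the text above describes for WAN 2; a member whose egress bandwidth is left at 0 is never selected, which is worth remembering when a trunk member mysteriously carries no traffic.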
  • Page 229: The Trunk Summary Screen Chapter 8 Interfaces Figure 154 Spillover Algorithm Example 8.12 The Trunk Summary Screen Click Configuration > Network > Interface > Trunk to open the Trunk screen. This screen lists the configured trunks and the load balancing algorithm that each is configured to use. Figure 155 Configuration >...
  • Page 230: Configuring a User-Defined Trunk Chapter 8 Interfaces Table 96 Configuration > Network > Interface > Trunk (continued) LABEL DESCRIPTION Enable Default SNAT: Select this to have the ZyWALL/USG use the IP address of the outgoing interface as the source IP address of the packets it sends out through its WAN trunks. The ZyWALL/USG automatically adds SNAT settings for traffic it routes from internal interfaces to external interfaces.
  • Page 231 Chapter 8 Interfaces Each field is described in the table below. Table 97 Configuration > Network > Interface > Trunk > Add (or Edit) LABEL DESCRIPTION Name: This is read-only if you are editing an existing trunk. When adding a new trunk, enter a descriptive name for this trunk.
  • Page 232: Configuring the System Default Trunk Chapter 8 Interfaces Table 97 Configuration > Network > Interface > Trunk > Add (or Edit) (continued) LABEL DESCRIPTION Ingress Bandwidth: This is reserved for future use. This field displays with the least load first load balancing algorithm. It displays the maximum number of kilobits of data the ZyWALL/USG is to allow to come in through the interface per second.
  • Page 233 Chapter 8 Interfaces Each field is described in the table below. Table 98 Configuration > Network > Interface > Trunk > Edit (System Default) LABEL DESCRIPTION Name: This field displays the name of the selected system default trunk. Load Balancing: Select the load balancing method to use for the trunk.
  • Page 234: Routing Chapter 9 Routing 9.1 Policy and Static Routes Overview Use policy routes and static routes to override the ZyWALL/USG’s default routing behavior in order to send packets through the appropriate interface or VPN tunnel. For example, the next figure shows a computer (A) connected to the ZyWALL/USG’s LAN interface. The ZyWALL/USG routes most traffic from A to the Internet through the ZyWALL/USG’s default gateway (R1).
  • Page 235: What You Need to Know Chapter 9 Routing 9.1.2 What You Need to Know Policy Routing Traditionally, routing is based on the destination address only and the ZyWALL/USG takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator.
  • Page 236: Policy Route Screen Chapter 9 Routing DiffServ QoS is used to prioritize source-to-destination traffic flows. All packets in the same flow are given the same priority. CoS (class of service) is a way of managing traffic in a network by grouping similar types of traffic together and treating each type as a class. You can use CoS to give different priorities to different packet types.
  • Page 237 Chapter 9 Routing Figure 159 Configuration > Network > Routing > Policy Route The following table describes the labels in this screen. Table 99 Configuration > Network > Routing > Policy Route LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields. Enable BWM...
  • Page 238: Policy Route Edit Screen Chapter 9 Routing Table 99 Configuration > Network > Routing > Policy Route (continued) LABEL DESCRIPTION User: This is the name of the user (group) object from which the packets are sent. any means all users. Schedule: This is the name of the schedule object. none means the route is active at all times if enabled.
  • Page 239 Chapter 9 Routing Figure 160 Configuration > Network > Routing > Policy Route > Add/Edit (IPv4 Configuration)
  • Page 240 Chapter 9 Routing Figure 161 Configuration > Network > Routing > Policy Route > Add/Edit (IPv6 Configuration) The following table describes the labels in this screen. Table 100 Configuration > Network > Routing > Policy Route > Add/Edit LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields.
  • Page 241 Chapter 9 Routing Table 100 Configuration > Network > Routing > Policy Route > Add/Edit (continued) LABEL DESCRIPTION DSCP Code: Select a DSCP code point value of incoming packets to which this policy route applies or select User Define to specify another DSCP code point. Note that the numeric DSCP value is not a priority scale on its own: 0 is the default and is usually given only best-effort treatment, while the class selector values CS1 through CS7 (8 through 56) indicate increasing precedence (RFC 2474).
  • Page 242 Chapter 9 Routing Table 100 Configuration > Network > Routing > Policy Route > Add/Edit (continued) LABEL DESCRIPTION DSCP Marking: Set how the ZyWALL/USG handles the DSCP value of the outgoing packets that match this route. Select one of the pre-defined DSCP values to apply or select User Define to specify another DSCP value.
  • Page 243: IP Static Route Screen Chapter 9 Routing 9.3 IP Static Route Screen Click Configuration > Network > Routing > Static Route to open the Static Route screen. This screen displays the configured static routes. Configure static routes to be able to use RIP or OSPF to propagate the routing information to other routers.
  • Page 244 Chapter 9 Routing Figure 163 Configuration > Network > Routing > Static Route > Add (IPv4 Configuration) Figure 164 Configuration > Network > Routing > Static Route > Add (IPv6 Configuration) The following table describes the labels in this screen. Table 102 Configuration >...
  • Page 245: Policy Routing Technical Reference Chapter 9 Routing 9.4 Policy Routing Technical Reference Here is more detailed information about some of the features you can configure in policy routing. NAT and SNAT NAT (Network Address Translation, RFC 1631) is the translation of the IP address in a packet in one network to a different IP address in another network.
  • Page 246: Routing Protocols Overview Chapter 9 Routing 9.5 Routing Protocols Overview Routing protocols give the ZyWALL/USG routing information about the network from other routers. The ZyWALL/USG stores this routing information in the routing table it uses to make routing decisions. In turn, the ZyWALL/USG can also use routing protocols to propagate routing information to other routers.
  • Page 247 Chapter 9 Routing • Second, the ZyWALL/USG can also redistribute routing information from non-RIP networks, specifically OSPF networks and static routes, to the RIP network. Costs might be calculated differently, however, so you use the Metric field to specify the cost in RIP terms. •...
  • Page 248: The OSPF Screen Chapter 9 Routing Table 105 Configuration > Network > Routing Protocol > RIP (continued) LABEL DESCRIPTION Active Static Route: Select this to use RIP to advertise routes that were learned through the static route configuration. Metric: Type the cost for routes provided by the static route configuration. The metric represents the “cost”...
  • Page 249 Chapter 9 Routing • A Not So Stubby Area (NSSA, RFC 1587) has routing information about the OSPF AS and networks outside the OSPF AS to which the NSSA is directly connected. It does not have any routing information about other networks outside the OSPF AS. Each type of area is illustrated in the following figure.
  • Page 250 Chapter 9 Routing • A backbone router (BR) has at least one interface with area 0. By default, every router in area 0 is a backbone router, and so is every ABR. Each type of router is illustrated in the following example. Figure 167 OSPF: Types of Routers In order to reduce the amount of traffic between routers, a group of routers that are directly connected to each other selects a designated router (DR) and a backup designated router (BDR).
  • Page 251: Configuring the OSPF Screen Chapter 9 Routing OSPF Configuration Follow these steps when you configure OSPF on the ZyWALL/USG: 1. Enable OSPF. 2. Set up the OSPF areas. 3. Configure the appropriate interfaces. See Section 8.3.1 on page 157. 4. Set up virtual links, as needed. 9.7.1 Configuring the OSPF Screen Use the first OSPF screen to specify the OSPF router the ZyWALL/USG uses in the OSPF AS and maintain the policies for redistribution.
  • Page 252: OSPF Area Add/Edit Screen Chapter 9 Routing Table 107 Configuration > Network > Routing Protocol > OSPF (continued) LABEL DESCRIPTION Active RIP: Select this to advertise routes that were learned from RIP. The ZyWALL/USG advertises routes learned from RIP to Normal and NSSA areas but not to Stub areas.
  • Page 253 Chapter 9 Routing Figure 170 Configuration > Network > Routing > OSPF > Add The following table describes the labels in this screen. Table 108 Configuration > Network > Routing > OSPF > Add LABEL DESCRIPTION Area ID: Type the unique, 32-bit identifier for the area in IP address format. Type: Select the type of OSPF area.
  • Page 254: Virtual Link Add/Edit Screen Chapter 9 Routing Table 108 Configuration > Network > Routing > OSPF > Add (continued) LABEL DESCRIPTION Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove: To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to remove it before doing so.
  • Page 255: Routing Protocol Technical Reference Chapter 9 Routing The following table describes the labels in this screen. Table 109 Configuration > Network > Routing > OSPF > Add > Add LABEL DESCRIPTION Peer Router ID: Enter the 32-bit ID (in IP address format) of the other ABR in the virtual link. Authentication: Select the authentication method the virtual link uses.
  • Page 256 Chapter 9 Routing • The packet’s message-digest is the same as the one the ZyWALL/USG calculates using the MD5 password. For RIP, authentication is not available in RIP version 1. In RIP version 2, you can only select one authentication type for all interfaces. For OSPF, the ZyWALL/USG supports a default authentication type by area.
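The MD5 check described above (the packet's message digest must equal the one the receiver calculates with the configured MD5 password), as an added example that is not code from the manual or from ZyXEL. It follows the OSPFv2 cryptographic authentication layout of RFC 2328: the digest is MD5 over the packet followed by the password zero-padded to 16 bytes, the checksum field stays 0, and the authentication field carries a key ID, the digest length and a cryptographic sequence number that the receiver uses against replay. The router ID, area, password and sequence numbers are constructed for the example, and the hello body is left empty.

```python
import hashlib
import hmac
import ipaddress
import struct

AU_CRYPTOGRAPHIC = 2      # OSPFv2 AuType for MD5 authentication
DIGEST_LEN = 16
KEY_LEN = 16


def ospf_md5_digest(packet: bytes, password: str) -> bytes:
    """MD5 over the OSPF packet plus the password padded with zero bytes to
    16 octets (RFC 2328 appendix D). This is a keyed hash, not an HMAC."""
    key = password.encode()[:KEY_LEN].ljust(KEY_LEN, b"\0")
    return hashlib.md5(packet + key).digest()


def build_ospf_packet(router_id: str, area_id: str, seq: int,
                      body: bytes = b"", key_id: int = 1) -> bytes:
    """Constructed 24-byte OSPFv2 header with the cryptographic authentication
    field: reserved(2) key-id(1) auth-data-len(1) sequence(4)."""
    hdr = struct.pack("!BBH4s4sHH",
                      2,                                   # version
                      1,                                   # type 1 = Hello
                      24 + len(body),                      # length, digest excluded
                      ipaddress.IPv4Address(router_id).packed,
                      ipaddress.IPv4Address(area_id).packed,
                      0,                                   # checksum unused with MD5
                      AU_CRYPTOGRAPHIC)
    hdr += struct.pack("!xxBBI", key_id, DIGEST_LEN, seq)
    return hdr + body


def sign_packet(packet: bytes, password: str) -> bytes:
    """Append the digest; it is not counted in the header's length field."""
    return packet + ospf_md5_digest(packet, password)


def verify_packet(wire: bytes, password: str, last_seq: dict) -> bool:
    """Receiver side: recompute the digest with the configured password and
    compare in constant time; reject a sequence number lower than the last
    one accepted from the same router ID (replay). last_seq is the per-peer
    state the caller keeps between packets."""
    if len(wire) < 24 + DIGEST_LEN:
        return False
    pkt_len = struct.unpack("!H", wire[2:4])[0]
    if pkt_len + DIGEST_LEN != len(wire):
        return False
    autype = struct.unpack("!H", wire[14:16])[0]
    _key_id, auth_len, seq = struct.unpack("!xxBBI", wire[16:24])
    if autype != AU_CRYPTOGRAPHIC or auth_len != DIGEST_LEN:
        return False
    packet, digest = wire[:pkt_len], wire[pkt_len:]
    if not hmac.compare_digest(digest, ospf_md5_digest(packet, password)):
        return False
    router_id = wire[4:8]
    if seq < last_seq.get(router_id, 0):
        return False
    last_seq[router_id] = seq
    return True
```

Two caveats a practitioner would want: the password is shared by every router in the area (RIP version 2 allows only one authentication type for all interfaces, as the text notes), so one compromised router exposes it; and this scheme is keyed MD5 rather than an HMAC, with the stronger HMAC-SHA variants defined in RFC 5709 not offered on this screen.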
  • Page 257: DDNS Chapter 10 DDNS 10.1 DDNS Overview Dynamic DNS (DDNS) services let you use a domain name with a dynamic IP address. 10.1.1 What You Can Do in this Chapter • Use the DDNS screen (see Section 10.2 on page 258) to view a list of the configured DDNS domain names and their details.
  • Page 258: The DDNS Screen Chapter 10 DDNS 10.2 The DDNS Screen The DDNS screen provides a summary of all DDNS domain names and their configuration. In addition, this screen allows you to add new domain names, edit the configuration for existing domain names, and delete domain names. Click Configuration > Network > DDNS to open the following screen.
  • Page 259: The Dynamic DNS Add/Edit Screen Chapter 10 DDNS Table 111 Configuration > Network > DDNS (continued) LABEL DESCRIPTION Apply: Click this button to save your changes to the ZyWALL/USG. Reset: Click this button to return the screen to its last-saved settings. 10.2.1 The Dynamic DNS Add/Edit Screen The DDNS Add/Edit screen allows you to add a domain name to the ZyWALL/USG or to edit the configuration of an existing domain name.
  • Page 260 Chapter 10 DDNS Figure 174 Configuration > Network > DDNS > Add - Custom The following table describes the labels in this screen. Table 112 Configuration > Network > DDNS > Add LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields. Enable DDNS Profile...
  • Page 261 Chapter 10 DDNS Table 112 Configuration > Network > DDNS > Add (continued) LABEL DESCRIPTION DDNS Settings. Domain name: Type the domain name you registered. You can use up to 255 characters. Primary Binding Address: Use these fields to set how the ZyWALL/USG determines the IP address that is mapped to your domain name in the DDNS server.
  • Page 262 Chapter 10 DDNS Table 112 Configuration > Network > DDNS > Add (continued) LABEL DESCRIPTION Mail Exchanger: This option is only available with a DynDNS account. DynDNS can route e-mail for your domain name to a mail server (called a mail exchanger).
  • Page 263: Chapter 11 NAT Chapter 11 NAT 11.1 NAT Overview NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network, is changed to a different IP address known within another network. Use Network Address Translation (NAT) to make computers on a private network behind the ZyWALL/USG available outside the private network.
  • Page 264 Chapter 11 NAT screen, log in to the Web Configurator and click Configuration > Network > NAT. The following screen appears, providing a summary of the existing NAT rules. Figure 176 Configuration > Network > NAT The following table describes the labels in this screen. Table 113 Configuration >...
  • Page 265: The Nat Add/Edit Screen

    Chapter 11 NAT 11.2.1 The NAT Add/Edit Screen The NAT Add/Edit screen lets you create new NAT rules and edit existing ones. To open this window, open the NAT summary screen. (See Section 11.2 on page 263.) Then, click on an Add icon or Edit icon to open the following screen.
  • Page 266 Chapter 11 NAT Table 114 Configuration > Network > NAT > Add (continued) LABEL DESCRIPTION Incoming Interface Select the interface on which packets for the NAT rule must be received. It can be an Ethernet, VLAN, bridge, or PPPoE/PPTP interface. Original IP Specify the destination IP address of the packets received by this NAT rule’s specified incoming interface.
  • Page 267: Nat Technical Reference

    Chapter 11 NAT Table 114 Configuration > Network > NAT > Add (continued) LABEL DESCRIPTION Mapped End Port This field is available if Mapping Type is Ports. Enter the end of the range of translated destination ports if this NAT rule forwards the packet. The original port range and the mapped port range must be the same size.
  • Page 268 Chapter 11 NAT Figure 178 LAN Computer Queries a Public DNS Server (figure labels: xxx.LAN-SMTP.com = ?, xxx.LAN-SMTP.com = 1.1.1.1, 1.1.1.1, 192.168.1.21, 192.168.1.89) The LAN user’s computer then sends traffic to IP address 1.1.1.1. NAT loopback uses the IP address of the ZyWALL/USG’s LAN interface (192.168.1.1) as the source address of the traffic going from the LAN users to the LAN SMTP server.
  • Page 269 Chapter 11 NAT Figure 180 LAN to LAN Return Traffic (figure labels: Source 192.168.1.21, Source 1.1.1.1, SMTP, 192.168.1.21, 192.168.1.89) ZyWALL/USG Series User’s Guide...
  • Page 270: Http Redirect

    CHAPTER 12 HTTP Redirect 12.1 Overview HTTP redirect forwards the client’s HTTP request (except HTTP traffic destined for the ZyWALL/USG) to a web proxy server. In the following example, proxy server A is connected to the DMZ interface. When a client connected to the LAN1 zone wants to open a web page, its HTTP request is redirected to proxy server A first.
  • Page 271: The Http Redirect Screen

    Chapter 12 HTTP Redirect A client connects to a web proxy server each time he/she wants to access the Internet. The web proxy provides caching service to allow quick access and reduce network usage. The proxy checks its local cache for the requested web resource first. If it is not found, the proxy gets it from the specified server and forwards the response to the client.
  • Page 272: The Http Redirect Edit Screen

    Chapter 12 HTTP Redirect Figure 182 Configuration > Network > HTTP Redirect The following table describes the labels in this screen. Table 115 Configuration > Network > HTTP Redirect LABEL DESCRIPTION Click this to create a new entry. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
  • Page 273 Chapter 12 HTTP Redirect The following table describes the labels in this screen. Table 116 Network > HTTP Redirect > Edit LABEL DESCRIPTION Enable Use this option to turn the HTTP redirect rule on or off. Name Enter a name to identify this rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 274: Chapter 13 Alg

    CHAPTER 13 ALG 13.1 ALG Overview Application Layer Gateway (ALG) allows the following applications to operate properly through the ZyWALL/USG’s NAT. • SIP - Session Initiation Protocol (SIP) - An application-layer protocol that can be used to create voice and multimedia sessions over the Internet. •...
  • Page 275 Chapter 13 ALG FTP ALG The FTP ALG allows TCP packets with a specified port destination to pass through. If the FTP server is located on the LAN, you must also configure NAT (port forwarding) and security policies if you want to allow access to the server from the WAN.
  • Page 276 Chapter 13 ALG • The ZyWALL/USG allows SIP audio connections. • You do not need to use TURN (Traversal Using Relay NAT) for VoIP devices behind the ZyWALL/ USG when you enable the SIP ALG. • Configuring the SIP ALG to use custom port numbers for SIP traffic also configures the application patrol (see Chapter 25 on page 422) to use the same port numbers for SIP traffic.
  • Page 277: Before You Begin

    Chapter 13 ALG corresponding policy routes to have calls from LAN IP address A go out through WAN IP address 1 and calls from LAN IP address B go out through WAN IP address 2. Figure 187 VoIP with Multiple WAN IP Addresses 13.1.2 Before You Begin You must also configure the security policy and enable NAT in the ZyWALL/USG to allow sessions initiated from the WAN.
  • Page 278 Chapter 13 ALG Figure 188 Configuration > Network > ALG The following table describes the labels in this screen. Table 117 Configuration > Network > ALG LABEL DESCRIPTION Enable SIP ALG Turn on the SIP ALG to detect SIP traffic and help build SIP sessions through the ZyWALL/USG’s NAT.
  • Page 279 Chapter 13 ALG Table 117 Configuration > Network > ALG (continued) LABEL DESCRIPTION SIP Signaling Inactivity Timeout Most SIP clients have an “expire” mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL/USG.
  • Page 280: Alg Technical Reference

    Chapter 13 ALG 13.3 ALG Technical Reference Here is more detailed information about the Application Layer Gateway. Some applications cannot operate through NAT (are NAT un-friendly) because they embed IP addresses and port numbers in their packets’ data payload. The ZyWALL/USG examines and uses IP address and port number information embedded in the VoIP traffic’s data stream.
  • Page 281 Chapter 13 ALG When you make a VoIP call using H.323 or SIP, the RTP (Real-time Transport Protocol) is used to handle voice data transfer. See RFC 1889 for details on RTP.
  • Page 282: Upnp

    CHAPTER 14 UPnP 14.1 UPnP and NAT-PMP Overview The ZyWALL/USG supports both UPnP and NAT-PMP to permit networking devices to discover each other and connect seamlessly. Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices.
  • Page 283: Cautions With Upnp And Nat-Pmp

    Chapter 14 UPnP 14.2.2 Cautions with UPnP and NAT-PMP The automated nature of NAT traversal applications in establishing their own services and opening security policy ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments. When a UPnP or NAT-PMP device joins a network, it announces its presence with a multicast message.
  • Page 284: Technical Reference

    Chapter 14 UPnP The following table describes the fields in this screen. Table 118 Configuration > Network > UPnP LABEL DESCRIPTION Enable UPnP Select this check box to activate UPnP on the ZyWALL/USG. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the ZyWALL/USG's IP address (although you must still enter the password to access the web configurator).
  • Page 285 Chapter 14 UPnP Click Change Advanced Sharing Settings. Select Turn on network discovery and click Save Changes. Network discovery allows your computer to find other computers and devices on the network and other computers on the network to find your computer. This makes it easier to share files and printers.
  • Page 286: Using Upnp In Windows Xp Example

    Chapter 14 UPnP 14.4.2 Using UPnP in Windows XP Example This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyWALL/USG. Make sure the computer is connected to a LAN port of the ZyWALL/USG. Turn on your computer and the ZyWALL/USG.
  • Page 287 Chapter 14 UPnP Figure 192 Internet Connection Properties: Advanced Settings Figure 193 Internet Connection Properties: Advanced Settings: Add Note: When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. Select Show icon in notification area when connected option and click OK. An icon displays in the system tray.
  • Page 288: Web Configurator Easy Access

    Chapter 14 UPnP Figure 195 Internet Connection Status 14.4.3 Web Configurator Easy Access With UPnP, you can access the web-based configurator on the ZyWALL/USG without finding out the IP address of the ZyWALL/USG first. This is helpful if you do not know the IP address of the ZyWALL/USG.
  • Page 289 Chapter 14 UPnP Figure 196 Network Connections An icon with the description for each UPnP-enabled device displays under Local Network. Right-click on the icon for your ZyWALL/USG and select Invoke. The web configurator login screen displays. Figure 197 Network Connections: My Network Places Right-click on the icon for your ZyWALL/USG and select Properties.
  • Page 290 Chapter 14 UPnP Figure 198 Network Connections: My Network Places: Properties: Example
  • Page 291: Chapter 15 Ip/Mac Binding

    CHAPTER 15 IP/MAC Binding 15.1 IP/MAC Binding Overview IP address to MAC address binding helps ensure that only the intended devices get to use privileged IP addresses. The ZyWALL/USG uses DHCP to assign IP addresses and records the MAC address it assigned to each IP address.
  • Page 292: Ip/Mac Binding Summary

    Chapter 15 IP/MAC Binding Interfaces Used With IP/MAC Binding IP/MAC address bindings are grouped by interface. You can use IP/MAC binding with Ethernet, bridge, VLAN, and WLAN interfaces. You can also enable or disable IP/MAC binding and logging in an interface’s configuration screen. 15.2 IP/MAC Binding Summary Click Configuration >...
  • Page 293: Static Dhcp Edit

    Chapter 15 IP/MAC Binding Figure 201 Configuration > Network > IP/MAC Binding > Edit The following table describes the labels in this screen. Table 120 Configuration > Network > IP/MAC Binding > Edit LABEL DESCRIPTION IP/MAC Binding Settings Interface Name This field displays the name of the interface within the ZyWALL/USG and the interface’s IP address and subnet mask.
  • Page 294: Ip/Mac Binding Exempt List

    Chapter 15 IP/MAC Binding Figure 202 Configuration > Network > IP/MAC Binding > Edit > Add The following table describes the labels in this screen. Table 121 Configuration > Network > IP/MAC Binding > Edit > Add LABEL DESCRIPTION Interface Name This field displays the name of the interface within the ZyWALL/USG and the interface’s IP address and subnet mask.
  • Page 295 Chapter 15 IP/MAC Binding Table 122 Configuration > Network > IP/MAC Binding > Exempt List (continued) LABEL DESCRIPTION Remove To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to remove it before doing so. This is the index number of the IP/MAC binding list entry. Name Enter a name to help identify this entry.
  • Page 296: Inbound Load Balancing

    CHAPTER 16 Inbound Load Balancing 16.1 Inbound Load Balancing Overview Inbound load balancing enables the ZyWALL/USG to respond to a DNS query message with a different IP address for DNS name resolution. The ZyWALL/USG checks which member interface has the least load and responds to the DNS query message with the interface’s IP address. In the following figure, an Internet host (A) sends a DNS query message to the DNS server (D) in order to resolve a domain name of www.example.com.
  • Page 297: The Inbound Lb Screen

    Chapter 16 Inbound Load Balancing • Use the Inbound LB Add/Edit screen (see Section 16.2.1 on page 298) to add or edit a DNS load balancing rule. 16.2 The Inbound LB Screen The Inbound LB screen provides a summary of all DNS load balancing rules and the details. You can also use this screen to add, edit, or remove the rules.
  • Page 298: The Inbound Lb Add/Edit Screen

    Chapter 16 Inbound Load Balancing Table 123 Configuration > Network > Inbound LB (continued) LABEL DESCRIPTION Query From Address This field displays the source IP address of the DNS query messages to which the ZyWALL/USG applies the DNS load balancing rule. Query From Zone The ZyWALL/USG applies the DNS load balancing rule to the query messages received from this zone.
  • Page 299 Chapter 16 Inbound Load Balancing Figure 206 Configuration > Network > Inbound LB > Add The following table describes the labels in this screen. Table 124 Configuration > Network > Inbound LB > Add/Edit LABEL DESCRIPTION Create New Object Use this to configure any new setting objects that you need to use in this screen. General Settings Enable Select this to enable this DNS load balancing rule.
  • Page 300: The Inbound Lb Member Add/Edit Screen

    Chapter 16 Inbound Load Balancing Table 124 Configuration > Network > Inbound LB > Add/Edit (continued) LABEL DESCRIPTION Load Balancing Member Select a load balancing method to use from the drop-down list box. Load Balancing Algorithm Select Weighted Round Robin to balance the traffic load between interfaces based on their respective weights.
  • Page 301 Chapter 16 Inbound Load Balancing Figure 207 Configuration > Network > Inbound LB > Add/Edit > Add The following table describes the labels in this screen. Table 125 Configuration > Network > Inbound LB > Add/Edit > Add/Edit LABEL DESCRIPTION Member The ZyWALL/USG checks each member interface’s loading in the order displayed here.
  • Page 302: Web Authentication

    CHAPTER 17 Web Authentication 17.1 Web Auth Overview Web authentication can intercept network traffic, according to the authentication policies, until the user authenticates his or her connection, usually through a specifically designated login web page. This means all web page requests can initially be redirected to a special web page that requires users to authenticate their sessions.
  • Page 303: What You Need To Know

    Chapter 17 Web Authentication 17.1.2 What You Need to Know Single Sign-On A SSO (Single Sign On) agent integrates Domain Controller and ZyWALL/USG authentication mechanisms, so that users just need to log in once (single) to get access to permitted resources. Forced User Authentication Instead of making users for which user-aware policies have been configured go to the ZyWALL/USG Login screen manually, you can configure the ZyWALL/USG to display the Login screen...
  • Page 304 Chapter 17 Web Authentication Figure 209 Configuration > Web Authentication (Web Portal) The following table gives an overview of the objects you can configure. Table 126 Configuration > Web Authentication LABEL DESCRIPTION Enable Web Authentication Select Enable Web Authentication to turn on the web authentication feature. Once enabled, all network traffic is blocked until a client authenticates with the ZyWALL/USG through the specifically designated web portal.
  • Page 305 Chapter 17 Web Authentication Table 126 Configuration > Web Authentication (continued) LABEL DESCRIPTION Welcome URL Specify the welcome page’s URL; for example, http://IIS server IP Address/welcome.html. The Internet Information Server (IIS) is the web server on which the web portal files are installed.
  • Page 306: Creating Exceptional Services

    Chapter 17 Web Authentication 17.2.1 Creating Exceptional Services This screen lists services that users can access without logging in. Click Add under Exceptional Services in the previous screen to display this screen. You can change the list’s membership here. Available services appear on the left.
  • Page 307: Sso Overview

    Chapter 17 Web Authentication The following table gives an overview of the objects you can configure. Table 127 Configuration > Web Authentication > Add Authentication Policy LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen. Select Address or Schedule.
  • Page 308 Chapter 17 Web Authentication Note: The ZyWALL/USG, the DC, the SSO agent and the AD server must all be in the same domain and be able to communicate with each other. SSO does not support IPv6, LDAP or RADIUS; you must use it in an IPv4 network environment with Windows AD (Active Directory) authentication database.
  • Page 309: Sso - Zywall/Usg Configuration

    Chapter 17 Web Authentication 17.4 SSO - ZyWALL/USG Configuration This section shows what you have to do on the ZyWALL/USG in order to use SSO. Table 128 ZyWALL/USG - SSO Agent Field Mapping (columns: ZYWALL/USG SCREEN, FIELD, SCREEN, FIELD): Web Authentication > ..., Listen Port, Agent Configuration, Gateway Port...
  • Page 310: Enable Web Authentication

    Chapter 17 Web Authentication Figure 213 Configuration > Web Authentication > SSO The following table gives an overview of the objects you can configure. Table 129 Configuration > Web Authentication > SSO LABEL DESCRIPTION Listen Port The default agent listening port is 2158. If you change it on the ZyWALL/USG, then change it to the same number in the Gateway Port field on the SSO agent too.
  • Page 311: Create A Security Policy

    Chapter 17 Web Authentication Make sure you select Enable Policy, Single Sign-On and choose required in Authentication. Do NOT select any as the source address unless you want all incoming connections to be authenticated! See Table 126 on page 304 and Table 127 on page 307 for more information on configuring these screens.
  • Page 312: Configure User Information

    Chapter 17 Web Authentication Configure the fields as shown in the following screen. Configure the source and destination addresses according to the SSO web authentication traffic in your network. 17.4.5 Configure User Information Configure a User account of the ext-group-user type.
  • Page 313: Configure An Authentication Method

    Chapter 17 Web Authentication Configure Group Identifier to be the same as Group Membership on the SSO agent. 17.4.6 Configure an Authentication Method Configure Active Directory (AD) for authentication with SSO. Choose group ad as the authentication server for SSO.
  • Page 314: Configure Active Directory

    Chapter 17 Web Authentication 17.4.7 Configure Active Directory You must configure an Active Directory (AD) server in AAA Setup to be the same as the AD configured on the SSO agent. The default AD server port is 389. If you change this, make sure you make the same changes on the SSO agent.
  • Page 315: Sso Agent Configuration

    Chapter 17 Web Authentication 17.5 SSO Agent Configuration This section shows what you have to do on the SSO agent in order to work with the ZyWALL/USG. After you install the SSO agent, you will see an icon in the system tray (bottom right of the screen). Right-click the SSO icon and select Configure ZyXEL SSO Agent.
  • Page 316 Chapter 17 Web Authentication Configure the Agent Listening Port, AD server exactly as you have done on the ZyWALL/USG. Add the ZyWALL/USG IP address as the Gateway. Make sure the ZyWALL/USG and SSO agent are able to communicate with each other. Configure the Server Address, Port, Base DN, Bind DN, Login Name Attribute and Group Membership for the AD server settings exactly as you have done on the ZyWALL/USG.
  • Page 317 Chapter 17 Web Authentication Configure the Gateway IP address, Gateway Port and PreShareKey exactly as you have done in the ZyWALL/USG Configuration > Web Authentication > SSO screen. If you want to use Generate Key to have the SSO create a random password, select Check to show PreShareKey as clear Text so as to see the password, then copy and paste it to the ZyWALL/USG.
  • Page 319: Chapter 18 Security Policy

    CHAPTER 18 Security Policy 18.1 Overview A security policy is a template of security settings that can be applied to specific traffic at specific times. The policy can be applied: • to a specific direction of travel of packets (from / to) •...
  • Page 320: What You Need To Know

    Chapter 18 Security Policy • Use the Anomaly Detection and Prevention (ADP) screens (Section 18.3 on page 327) to detect traffic with protocol anomalies and take appropriate action. • Use the Session Control screens (see Section 18.3 on page 327) to limit the number of concurrent NAT/security policies traffic sessions a client can use.
  • Page 321: The Security Policy Screen

    Chapter 18 Security Policy • The ZyWALL/USG drops most packets from the WAN zone to the ZyWALL/USG itself and generates a log except for AH, ESP, GRE, HTTPS, IKE, NATT. When you configure a Security Policy rule for packets destined for the ZyWALL/USG itself, make sure it does not conflict with your service control rule.
  • Page 322: Configuring The Security Policy Control Screen

    Chapter 18 Security Policy directly to the LAN without passing through the ZyWALL/USG. A better solution is to use virtual interfaces to put the ZyWALL/USG and the backup gateway on separate subnets. Virtual interfaces allow you to partition your network into logical sections over the same interface. See the chapter about interfaces for more information.
  • Page 323 Chapter 18 Security Policy The following screen shows the Security Policy summary screen. Figure 216 Configuration > Security Policy > Policy Control The following table describes the labels in this screen. Table 131 Configuration > Security Policy > Policy Control LABEL DESCRIPTION General Settings...
  • Page 324 Chapter 18 Security Policy Table 131 Configuration > Security Policy > Policy Control (continued) LABEL DESCRIPTION Allow Asymmetrical Route If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL/USG’s LAN IP address, return traffic may not go through the ZyWALL/USG. This is called an asymmetrical or “triangle”...
  • Page 325: The Security Policy Control Add/Edit Screen

    Chapter 18 Security Policy Table 131 Configuration > Security Policy > Policy Control (continued) LABEL DESCRIPTION Action This field displays whether the Security Policy silently discards packets (deny), or permits the passage of packets (allow). Profile This field shows you which UTM profiles (application patrol, content filter, IDP, anti-virus, anti-spam) apply to this Security policy.
  • Page 326 Chapter 18 Security Policy Table 132 Configuration > Security Policy > Policy Control > Add (continued) LABEL DESCRIPTION Description Enter a descriptive name of up to 60 printable ASCII characters for the Policy. Spaces are allowed. From For through-ZyWALL/USG policies, select the direction of travel of packets to which the policy applies.
  • Page 327: Anomaly Detection And Prevention Overview

    Chapter 18 Security Policy 18.3 Anomaly Detection and Prevention Overview Anomaly Detection and Prevention (ADP) protects against anomalies based on violations of protocol standards (RFCs – Requests for Comments) and abnormal flows such as port scans. This section introduces ADP, anomaly profiles and applying an ADP profile to a traffic direction. Traffic Anomalies Traffic anomaly policies look for abnormal behavior or events such as port scanning, sweeping or network flooding.
  • Page 328: Creating New Adp Profiles

    Chapter 18 Security Policy The following table describes the labels in this screen. Table 133 Configuration > Security Policy > ADP > General LABEL DESCRIPTION General Settings Enable Anomaly Detection and Prevention Select this to enable traffic anomaly and protocol anomaly detection and prevention.
  • Page 329: Traffic Anomaly Profiles

    Chapter 18 Security Policy satisfied that they have been reduced to an acceptable level, you could then create an ‘in-line profile’ whereby you configure appropriate actions to be taken when a packet matches a policy. ADP profiles consist of traffic anomaly profiles and protocol anomaly profiles. To create a new profile, select a base profile and then click OK to go to the profile details screen.
  • Page 330 Chapter 18 Security Policy Figure 220 Configuration > Security Policy > ADP > Profile > Add-Traffic-Anomaly
  • Page 331 Chapter 18 Security Policy The following table describes the labels in this screen. Table 135 Configuration > Security Policy > ADP > Profile > Add-Traffic-Anomaly LABELS DESCRIPTION Name A name is automatically generated that you can edit. The name must be the same in the Traffic Anomaly and Protocol Anomaly screens for the same ADP profile.
  • Page 332: Protocol Anomalies

    Chapter 18 Security Policy Table 135 Configuration > Security Policy > ADP > Profile > Add-Traffic-Anomaly (continued) LABELS DESCRIPTION Threshold (pkt/sec) (Flood detection only.) Select a suitable threshold level (the number of packets per second that match the flood detection criteria) for your network. If you choose a low threshold, most traffic anomaly attacks will be detected, but you may have more logs and false positives.
  • Page 333 Chapter 18 Security Policy Figure 221 Configuration > Security Policy > ADP > Profile > Add-Protocol-Anomaly The following table describes the labels in this screen. Table 136 Configuration > Security Policy > ADP > Profile > Add-Protocol-Anomaly LABEL DESCRIPTION Name A name is automatically generated that you can edit.
  • Page 334: The Session Control Screen

    Chapter 18 Security Policy Table 136 Configuration > Security Policy > ADP > Profile > Add-Protocol-Anomaly LABEL DESCRIPTION Inactivate To turn off an entry, select it and click Inactivate. To edit an item’s log option, select it and use the Log icon. Select whether to have the ZyWALL/USG generate a log (log), log and alert (log alert) or neither (no) when traffic matches this anomaly policy.
  • Page 335 Chapter 18 Security Policy Figure 222 Configuration > Security Policy > Session Control The following table describes the labels in this screen. Table 137 Configuration > Security Policy > Session Control LABEL DESCRIPTION General Settings UDP Session Time Out Set how many seconds (from 1 to 300) the ZyWALL/USG will allow a UDP session to remain idle (without UDP traffic) before closing it.
  • Page 336: The Session Control Add/Edit Screen

    Chapter 18 Security Policy Table 137 Configuration > Security Policy > Session Control (continued) LABEL DESCRIPTION Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to remove it before doing so.
  • Page 337: Security Policy Example Applications

    Chapter 18 Security Policy Table 138 Configuration > Security Policy > Session Control > Add / Edit (continued) LABEL DESCRIPTION Description Enter information to help you identify this rule. Use up to 60 printable ASCII characters. Spaces are allowed. User Select a user name or user group to which to apply the rule.
  • Page 338 Chapter 18 Security Policy • The second row is the Security Policy’s default policy that allows all LAN1 to WAN traffic. The ZyWALL/USG applies the security policies in order. So for this example, when the ZyWALL/USG receives traffic from the LAN, it checks it against the first policy. If the traffic matches (if it is IRC traffic) the security policy takes the action in the policy (drop) and stops checking the subsequent security policies.
  • Page 339 Chapter 18 Security Policy Your Security Policy would have the following settings. Table 141 Limited LAN1 to WAN IRC Traffic Example 2 (columns: USER, SOURCE, DESTINATION, SCHEDULE, UTM PROFILE, ACTION; the three rows have the actions Allow, Deny and Allow) • The first row allows any LAN1 computer to access the IRC service on the WAN by logging into the ZyWALL/USG with the CEO’s user name.
  • Page 340: Ipsec Vpn

    CHAPTER 19 IPSec VPN 19.1 Virtual Private Networks (VPN) Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing. It is used to transport traffic over the Internet or any insecure network that uses TCP/IP for communication.
  • Page 341 Chapter 19 IPSec VPN Main Mode or Aggressive Mode. Main Mode protects the identity of the peers, but Aggressive Mode does not. During Phase 2, the remote IPSec routers use the secure channel established in Phase 1 to negotiate Security Associations for IPsec. The negotiation results in a minimum of two unidirectional security associations (one inbound and one outbound).
  • Page 342: What You Can Do In This Chapter

    Chapter 19 IPSec VPN Figure 227 SSL VPN (figure labels: LAN (192.168.1.X), https://, Web Mail, File Share, Web-based Application, Non-Web Application Server) L2TP VPN L2TP VPN uses the L2TP and IPSec client software included in remote users’ Android, iOS, or Windows operating systems for secure connections to the network behind the ZyWALL/USG. The remote users do not need their own IPSec gateways or third-party VPN client software.
  • Page 343: What You Need To Know

    Chapter 19 IPSec VPN 19.1.2 What You Need to Know An IPSec VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the ZyWALL/USG and the remote IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the ZyWALL/USG and remote IPSec router.
  • Page 344 Chapter 19 IPSec VPN Application Scenarios The ZyWALL/USG’s application scenarios make it easier to configure your VPN connection settings. Table 142 IPSec VPN Application Scenarios (columns: SITE-TO-SITE, SITE-TO-SITE WITH DYNAMIC PEER, REMOTE ACCESS (SERVER ROLE), REMOTE ACCESS (CLIENT ROLE)) SITE-TO-SITE: Choose this if the remote... SITE-TO-SITE WITH DYNAMIC PEER: Choose this if the remote... REMOTE ACCESS (SERVER ROLE): Choose this to allow... REMOTE ACCESS (CLIENT ROLE): Choose this to connect to...
  • Page 345: Before You Begin

    Chapter 19 IPSec VPN 19.1.3 Before You Begin This section briefly explains the relationship between VPN tunnels and other features. It also gives some basic suggestions for troubleshooting. You should set up the following features before you set up the VPN tunnel. •...
  • Page 346: The Vpn Connection Add/Edit (Ike) Screen

    Chapter 19 IPSec VPN Each field is discussed in the following table. Table 143 Configuration > VPN > IPSec VPN > VPN Connection LABEL DESCRIPTION Use Policy Route to control dynamic IPSec rules Select this to be able to use policy routes to manually specify the destination addresses of...
  • Page 347 Chapter 19 IPSec VPN Figure 231 Configuration > VPN > IPSec VPN > VPN Connection > Edit (IKE)
  • Page 348 Chapter 19 IPSec VPN Each field is described in the following table. Table 144 Configuration > VPN > IPSec VPN > VPN Connection > Edit LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields. Create new Object...
  • Page 349 Chapter 19 IPSec VPN Table 144 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL DESCRIPTION Application Scenario Select the scenario that best describes your intended VPN connection. Site-to-site - Choose this if the remote IPSec router has a static IP address or a domain name.
  • Page 350 Chapter 19 IPSec VPN Table 144 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL DESCRIPTION Active Protocol Select which protocol you want to use in the IPSec SA. Choices are: AH (RFC 2402) - provides integrity, authentication, sequence integrity (replay resistance), and non-repudiation but not encryption.
  • Page 351 Chapter 19 IPSec VPN Table 144 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL DESCRIPTION Perfect Forward Secrecy (PFS) Select whether or not you want to enable Perfect Forward Secrecy (PFS) and, if you do, which Diffie-Hellman key group to use for encryption. Choices are: none - disable PFS DH1 - enable PFS and use a 768-bit random number DH2 - enable PFS and use a 1024-bit random number...
  • Page 352 Chapter 19 IPSec VPN Table 144 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL DESCRIPTION Source Select the address object that represents the original source address (or select Create Object to configure a new one). This is the address object for the computer or network outside the local network.
  • Page 353: The VPN Gateway Screen

    Chapter 19 IPSec VPN 19.3 The VPN Gateway Screen The VPN Gateway summary screen displays the IPSec VPN gateway policies in the ZyWALL/USG, as well as the ZyWALL/USG’s address, remote IPSec router’s address, and associated VPN connections for each one. In addition, it also lets you activate and deactivate each VPN gateway. To access this screen, click Configuration >...
  • Page 354: The VPN Gateway Add/Edit Screen

    Chapter 19 IPSec VPN Table 145 Configuration > VPN > IPSec VPN > VPN Gateway (continued) LABEL DESCRIPTION IKE Version Select IKEv1 or IKEv2. IKEv1 applies to IPv4 traffic only. IKEv2 applies to both IPv4 and IPv6 traffic. IKE (Internet Key Exchange) is a protocol used in setting up security associations that allows two parties to send data securely.
  • Page 355 Chapter 19 IPSec VPN Figure 233 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit ZyWALL/USG Series User’s Guide...
  • Page 356 Chapter 19 IPSec VPN Each field is described in the following table. Table 146 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields. Create New Object...
  • Page 357 Chapter 19 IPSec VPN Table 146 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued) LABEL DESCRIPTION Pre-Shared Key Select this to have the ZyWALL/USG and remote IPSec router use a pre-shared key (password) to identify each other when they negotiate the IKE SA. Type the pre-shared key in the field to the right.
  • Page 358 Chapter 19 IPSec VPN Table 146 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued) LABEL DESCRIPTION Peer ID Type Select which type of identification is used to identify the remote IPSec router during authentication. Choices are: IP - the remote IPSec router is identified by an IP address DNS - the remote IPSec router is identified by a domain name E-mail - the remote IPSec router is identified by the string specified in this field...
  • Page 359 Chapter 19 IPSec VPN Table 146 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued) LABEL DESCRIPTION Click this to create a new entry. Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it.
  • Page 360 Chapter 19 IPSec VPN Table 146 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued) LABEL DESCRIPTION X Auth / Extended Authentication Protocol: This part of the screen displays X-Auth when using IKEv1 and Extended Authentication Protocol when using IKEv2. X-Auth: This displays when using IKEv1.
  • Page 361: VPN Concentrator

    Chapter 19 IPSec VPN 19.4 VPN Concentrator A VPN concentrator combines several IPSec VPN connections into one secure network. Figure 234 VPN Topologies (Fully Meshed and Hub and Spoke) In a fully-meshed VPN topology (1 in the figure), there is a VPN connection between every pair of routers.
  • Page 362: VPN Concentrator Screen

    Chapter 19 IPSec VPN 19.4.2 VPN Concentrator Screen The VPN Concentrator summary screen displays the VPN concentrators in the ZyWALL/USG. To access this screen, click Configuration > VPN > IPSec VPN > Concentrator. Figure 235 Configuration > VPN > IPSec VPN > Concentrator Each field is discussed in the following table.
  • Page 363: ZyWALL/USG IPSec VPN Client Configuration Provisioning

    Chapter 19 IPSec VPN Figure 236 Configuration > VPN > IPSec VPN > Concentrator > Add/Edit Each field is described in the following table. Table 148 VPN > IPSec VPN > Concentrator > Add/Edit LABEL DESCRIPTION Name Enter the name of the concentrator. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number.
  • Page 364 Chapter 19 IPSec VPN • A subnet or range remote policy In the ZyWALL/USG Quick Setup wizard, you can use the VPN Settings for Configuration Provisioning wizard to create a VPN rule that will not violate these restrictions. Figure 237 Configuration > VPN > IPSec VPN > Configuration Provisioning Each field is discussed in the following table.
  • Page 365: IPSec VPN Background Information

    Chapter 19 IPSec VPN Table 149 Configuration > VPN > IPSec VPN > Configuration Provisioning (continued) LABEL DESCRIPTION Edit Select an existing entry and click Edit to change its settings. Remove To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to remove it before doing so.
  • Page 366 Chapter 19 IPSec VPN IP Addresses of the ZyWALL/USG and Remote IPSec Router To set up an IKE SA, you have to specify the IP addresses of the ZyWALL/USG and remote IPSec router. You can usually enter a static IP address or a domain name for either or both IP addresses. Sometimes, your ZyWALL/USG might offer another alternative, such as using the IP address of a port or interface, as well.
  • Page 367 Chapter 19 IPSec VPN Some ZyWALL/USGs also offer stronger forms of AES that apply 192-bit or 256-bit keys to 128-bit blocks of data. In most ZyWALL/USGs, you can select one of the following authentication algorithms for each proposal. The algorithms are listed in order from weakest to strongest. •...
  • Page 368 Chapter 19 IPSec VPN Figure 240 IKE SA: Main Negotiation Mode, Steps 5 - 6: Authentication (continued)
    Step 5: pre-shared key; ZyWALL/USG identity, consisting of ID type and content
    Step 6: pre-shared key; remote IPSec router identity, consisting of ID type and content
    You have to create (and distribute) a pre-shared key.
  • Page 369 Chapter 19 IPSec VPN Table 151 VPN Example: Mismatching ID Type and Content
    ZYWALL/USG                                  REMOTE IPSEC ROUTER
    Local ID type: E-mail                       Local ID type: IP
    Local ID content: tom@yourcompany.com       Local ID content: 1.1.1.2
    Peer ID type: IP                            Peer ID type: E-mail
    Peer ID content: 1.1.1.20                   Peer ID content: tom@yourcompany.com
    The ZyWALL/USG's peer ID content (1.1.1.20) does not equal the remote IPSec router's local ID content (1.1.1.2), so IKE authentication fails even though the types line up. It is also possible to configure the ZyWALL/USG to ignore the identity of the remote IPSec router.
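The ID check that Table 151 illustrates, as an added example (not code from the ZyWALL/USG guide): each side presents its Local ID and checks the other side's against its own configured Peer ID, and IKE phase 1 only completes when both checks pass. The peer ID type "Any" stands for the guide's option to ignore the remote router's identity; the per-type normalisation rules and the sample identities are assumptions for illustration.

```python
"""IKE identity check modelled on Table 151 (added example, not code from
the ZyWALL/USG guide). The "Any" peer ID type models ignoring the remote
router's identity; normalisation rules per ID type are assumptions."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class IkeIdentity:
    local_type: str       # "IP", "DNS" or "E-mail"
    local_content: str
    peer_type: str        # "IP", "DNS", "E-mail" or "Any"
    peer_content: str = ""


def _normalize(id_type: str, content: str) -> str:
    """Canonical form so cosmetic differences alone do not cause a mismatch."""
    if id_type == "IP":
        return str(ipaddress.ip_address(content))   # also rejects malformed IPs
    if id_type in ("DNS", "E-mail"):
        return content.strip().lower()
    raise ValueError(f"unsupported ID type {id_type!r}")


def _accepts(expected_type: str, expected: str,
             presented_type: str, presented: str) -> bool:
    """Does a side whose Peer ID is (expected_type, expected) accept the
    Local ID (presented_type, presented) sent by the other side?"""
    if expected_type == "Any":            # remote identity is ignored
        return True
    if expected_type != presented_type:   # type must match before content
        return False
    return _normalize(expected_type, expected) == _normalize(presented_type, presented)


def identities_match(a: IkeIdentity, b: IkeIdentity):
    """Return (ok, reasons). Phase 1 only completes if both directions pass."""
    reasons = []
    if not _accepts(a.peer_type, a.peer_content, b.local_type, b.local_content):
        reasons.append(f"A expects peer {a.peer_type} {a.peer_content!r}, "
                       f"B presents {b.local_type} {b.local_content!r}")
    if not _accepts(b.peer_type, b.peer_content, a.local_type, a.local_content):
        reasons.append(f"B expects peer {b.peer_type} {b.peer_content!r}, "
                       f"A presents {a.local_type} {a.local_content!r}")
    return (not reasons, reasons)


# The mismatching pair from Table 151: peer ID 1.1.1.20 versus local ID 1.1.1.2.
ZYWALL = IkeIdentity("E-mail", "tom@yourcompany.com", "IP", "1.1.1.20")
REMOTE = IkeIdentity("IP", "1.1.1.2", "E-mail", "tom@yourcompany.com")
# Corrected: the ZyWALL/USG's Peer ID now equals the remote router's Local ID.
ZYWALL_FIXED = IkeIdentity("E-mail", "tom@yourcompany.com", "IP", "1.1.1.2")
# Ignoring the peer identity also "fixes" it, but then any peer that knows the
# pre-shared key is accepted, so pair it with per-peer keys or certificates.
ZYWALL_ANY = IkeIdentity("E-mail", "tom@yourcompany.com", "Any")

if __name__ == "__main__":
    for label, side in (("Table 151", ZYWALL), ("corrected", ZYWALL_FIXED),
                        ("peer ID Any", ZYWALL_ANY)):
        ok, why = identities_match(side, REMOTE)
        print(f"{label}: {'match' if ok else 'MISMATCH'} {why}")
```

Run it as a script to see the three outcomes; the first pair fails on the IP content, the second passes, and the third passes only because the peer identity is not checked at all.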
  • Page 370 Chapter 19 IPSec VPN Most routers like router A now have an IPSec pass-thru feature. This feature helps router A recognize VPN packets and route them appropriately. If router A has this feature, router X and router Y can establish a VPN tunnel as long as the active protocol is ESP. (See Active Protocol on page 371 for more information about active protocols.)
  • Page 371 Chapter 19 IPSec VPN • Instead of using the pre-shared key, the ZyWALL/USG and remote IPSec router check the signatures on each other’s certificates. Unlike pre-shared keys, the signatures do not have to match. • The local and peer ID type and content come from the certificates. Note: You must set up the certificates for the ZyWALL/USG and remote IPSec router first.
  • Page 372 Chapter 19 IPSec VPN Figure 242 VPN: Transport and Tunnel Mode Encapsulation
    Tunnel Mode Packet: | IP Header | AH/ESP Header | IP Header | Data |
    In tunnel mode, the ZyWALL/USG uses the active protocol to encapsulate the entire IP packet. As a result, there are two IP headers: •...
  • Page 373 Chapter 19 IPSec VPN • Source address in outbound packets - this translation is necessary if you want the ZyWALL/USG to route packets from computers outside the local network through the IPSec SA. • Source address in inbound packets - this translation hides the source address of computers in the remote network.
  • Page 374 Chapter 19 IPSec VPN • Destination - the original destination address; the local network (A). • SNAT - the translated source address; a different IP address (range of addresses) to hide the original source address. Destination Address in Inbound Packets (Inbound Traffic, Destination NAT) You can set up this translation if you want the ZyWALL/USG to forward some packets from the remote network to a specific computer in the local network.
  • Page 375: SSL VPN

    Chapter 20 SSL VPN 20.1 Overview Use SSL VPN to allow users to use a web browser for secure remote user login. The remote users do not need a VPN router or VPN client software. 20.1.1 What You Can Do in this Chapter •...
  • Page 376: The SSL Access Privilege Screen

    Chapter 20 SSL VPN • allow user access to specific networks. • assign private IP addresses and provide DNS/WINS server information to remote users to access internal networks. SSL Access Policy Objects The SSL access policies reference the following objects. If you update this information, in response to changes, the ZyWALL/USG automatically propagates the changes through the SSL policies that use the object(s).
  • Page 377: The SSL Access Privilege Policy Add/Edit Screen

    Chapter 20 SSL VPN The following table describes the labels in this screen. Table 153 VPN > SSL VPN > Access Privilege LABEL DESCRIPTION Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
  • Page 378 Chapter 20 SSL VPN Figure 247 VPN > SSL VPN > Add/Edit The following table describes the labels in this screen. Table 154 VPN > SSL VPN > Access Privilege > Add/Edit LABEL DESCRIPTION Create new Object: Use to configure any new settings objects that you need to use in this screen. Configuration Enable Policy...
  • Page 379 Chapter 20 SSL VPN Table 154 VPN > SSL VPN > Access Privilege > Add/Edit (continued) LABEL DESCRIPTION Name Enter a descriptive name to identify this policy. You can enter up to 31 characters ("a-z", "A-Z", "0-9") with no spaces allowed. Zone Select the zone to which to add this SSL access policy.
  • Page 380: The SSL Global Setting Screen

    Chapter 20 SSL VPN Table 154 VPN > SSL VPN > Access Privilege > Add/Edit (continued) LABEL DESCRIPTION Network List To allow user access to local network(s), select a network name in the Selectable Address Objects list and click the right arrow button to add to the Selected Address Objects list.
  • Page 381: How To Upload A Custom Logo

    Chapter 20 SSL VPN The following table describes the labels in this screen. Table 155 VPN > SSL VPN > Global Setting LABEL DESCRIPTION Global Setting Network Extension Local IP: Specify the IP address of the ZyWALL/USG (or a gateway device) for full tunnel mode SSL VPN access.
  • Page 382: ZyWALL/USG SecuExtender

    Chapter 20 SSL VPN The following shows an example logo on the remote user screen. Figure 249 Example Logo Graphic Display 20.4 ZyWALL/USG SecuExtender The ZyWALL/USG automatically loads the ZyWALL/USG SecuExtender client program to your computer after a successful login to an SSL VPN tunnel with network extension support enabled. The ZyWALL/USG SecuExtender lets you: •...
  • Page 383: Example: Configure ZyWALL/USG for SecuExtender

    Chapter 20 SSL VPN The following table describes the labels in this screen. Table 156 Configuration > VPN > SSL VPN > SecuExtender LABEL DESCRIPTION Latest Version This displays the latest version of the ZyWALL/USG Security SecuExtender that is available. Current Version This displays the current version of SecuExtender that is installed in the ZyWALL/USG.
  • Page 384 Chapter 20 SSL VPN Figure 252 Create an SSL VPN Access Privilege Policy Then create File Sharing and Web Application SSL Application objects. Using the ZyWALL/USG web configurator, go to Configuration > Object > SSL Application > Add and select the Type accordingly.
  • Page 385 Chapter 20 SSL VPN Create a Web Application SSL Application Object ZyWALL/USG Series User’s Guide...
  • Page 386: SSL User Screens

    Chapter 21 SSL User Screens 21.1 Overview This chapter introduces the remote user SSL VPN screens. The following figure shows a network example where a remote user (A) logs into the ZyWALL/USG from the Internet to access the web server (WWW) on the local network. Figure 254 Network Example Internet 21.1.1 What You Need to Know...
  • Page 387: Remote SSL User Login

    Chapter 21 SSL User Screens • Using RDP requires Internet Explorer • Sun's Java Runtime Environment (JRE) version 1.6 or later installed and enabled. Required Information A remote user needs the following information from the network administrator to log in and access network resources.
  • Page 388 Chapter 21 SSL User Screens Figure 256 Login Security Screen A login screen displays. Enter the user name and password of your login account. If a token password is also required, enter it in the One-Time Password field. Click SSL VPN to log in and establish an SSL VPN connection to the network to access network resources.
  • Page 389 Chapter 21 SSL User Screens Figure 259 ActiveX Object Installation Blocked by Browser Figure 260 SecuExtender Blocked by Internet Explorer The ZyWALL/USG tries to run the “ssltun” application. You may need to click something to get your browser to allow this. In Internet Explorer, click Run. Figure 261 SecuExtender Progress Click Next to use the setup wizard to install the SecuExtender client on your computer.
  • Page 390: The SSL VPN User Screens

    Chapter 21 SSL User Screens Figure 262 SecuExtender Progress If a screen like the following displays, click Continue Anyway to finish installing the SecuExtender client on your computer. Figure 263 Installation Warning The Application screen displays showing the list of resources available to you. See Figure 264 on page 391 for a screen example.
  • Page 391: Bookmarking the ZyWALL/USG

    Chapter 21 SSL User Screens Figure 264 Remote User Screen The following table describes the various parts of a remote user screen. Table 157 Remote User Screen Overview DESCRIPTION Click on a menu tab to go to the Application or File Sharing screen. Click this icon to log out and terminate the secure connection.
  • Page 392: Logging Out of the SSL VPN User Screens

    Chapter 21 SSL User Screens A screen displays. Accept the default name in the Name field or enter a descriptive name to identify this link. Click OK to create a bookmark in your web browser. Figure 265 Add Favorite 21.5 Logging Out of the SSL VPN User Screens To properly terminate a connection, click on the Logout icon in any remote user screen.
  • Page 393: SSL User File Sharing

    Chapter 21 SSL User Screens Figure 267 Application 21.7 SSL User File Sharing The File Sharing screen lets you access files on a file server through the SSL VPN connection. Use it to display and access shared files/folders on a file server. You can also perform the following actions: •...
  • Page 394: Opening A File Or Folder

    Chapter 21 SSL User Screens Figure 268 File Sharing 21.7.2 Opening a File or Folder You can open a file if the file extension is recognized by the web browser and the associated application is installed on your computer. Log in as a remote user and click the File Sharing tab. Click on a file share icon.
  • Page 395: Downloading A File

    Chapter 21 SSL User Screens A list of files/folders displays. Double click a file to open it in a separate browser window or select a file and click Download to save it to your computer. You can also click a folder to access it. For this example, click on a .doc file to open the Word document.
  • Page 396: Creating A New Folder

    Chapter 21 SSL User Screens Figure 271 File Sharing: Save a Word File 21.7.5 Creating a New Folder To create a new folder in the file share location, click the New Folder icon. Specify a descriptive name for the folder. You can enter up to 356 characters. Then click Add. Note: Make sure the length of the folder name does not exceed the maximum allowed on the file server.
  • Page 397: Deleting A File Or Folder

    Chapter 21 SSL User Screens A popup window displays. Specify the new name and/or file extension in the field provided. You can enter up to 356 characters. Then click Apply. Note: Make sure the length of the name does not exceed the maximum allowed on the file server.
  • Page 398 Chapter 21 SSL User Screens Note: Uploading a file with the same name and file extension replaces the existing file on the file server. No warning message is displayed. ZyWALL/USG Series User’s Guide...
  • Page 399: ZyWALL/USG SecuExtender (Windows)

    Chapter 22 ZyWALL/USG SecuExtender (Windows) The ZyWALL/USG automatically loads the ZyWALL/USG SecuExtender for Windows client program to your computer after a successful login to an SSL VPN tunnel with network extension support enabled. Note: For information on using the ZyWALL/USG SecuExtender for Mac client program, please see its User's Guide at the download library on the ZyXEL website.
  • Page 400: View Log

    Chapter 22 ZyWALL/USG SecuExtender (Windows) Figure 277 ZyWALL/USG SecuExtender Status The following table describes the labels in this screen. Table 158 ZyWALL/USG SecuExtender Status LABEL DESCRIPTION Connection Status SecuExtender IP Address: This is the IP address the ZyWALL/USG assigned to this remote user computer for an SSL VPN connection.
  • Page 401: Suspend And Resume The Connection

    Chapter 22 ZyWALL/USG SecuExtender (Windows) Figure 278 ZyWALL/USG SecuExtender Log Example
    ################################################################################################
    [ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Build Datetime: Feb 24 2009/ 10:25:07
    [ 2009/03/12 13:35:50 ][SecuExtender Agent][DEBUG] rasphone.pbk: C:\Documents and Settings\11746\rasphone.pbk
    [ 2009/03/12 13:35:50 ][SecuExtender Agent][DEBUG] SecuExtender.log: C:\Documents and Settings\11746\SecuExtender.log
    [ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Check Parameters
    [ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL]...
  • Page 402 Chapter 22 ZyWALL/USG SecuExtender (Windows) Figure 279 Uninstalling the ZyWALL/USG SecuExtender Confirmation Windows uninstalls the ZyWALL/USG SecuExtender. Figure 280 ZyWALL/USG SecuExtender Uninstallation ZyWALL/USG Series User’s Guide...
  • Page 403: L2TP VPN

    Chapter 23 L2TP VPN 23.1 Overview L2TP VPN uses the L2TP and IPSec client software included in remote users' Android, iOS, Windows or Mac OS X operating systems for secure connections to the network behind the ZyWALL/USG. The remote users do not need their own IPSec gateways or third-party VPN client software. Figure 281 L2TP VPN Overview 23.1.1 What You Can Do in this Chapter •...
  • Page 404: L2TP VPN Screen

    Chapter 23 L2TP VPN Using the Quick Setup VPN Setup Wizard The VPN Setup Wizard is an easy and convenient way to configure the L2TP VPN settings. Click Configuration > Quick Setup > VPN Setup > VPN Settings for L2TP VPN Settings to get started.
  • Page 405 Chapter 23 L2TP VPN Figure 283 Configuration > VPN > L2TP VPN The following table describes the fields in this screen. Table 159 Configuration > VPN > L2TP VPN LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields. Create new Object...
  • Page 406 Chapter 23 L2TP VPN Table 159 Configuration > VPN > L2TP VPN (continued) LABEL DESCRIPTION Keep Alive Timer The ZyWALL/USG sends a Hello message after waiting this long without receiving any traffic from the remote user. The ZyWALL/USG disconnects the VPN tunnel if the remote user does not respond.
  • Page 407: BWM (Bandwidth Management)

    Chapter 24 BWM (Bandwidth Management) 24.1 Overview Bandwidth management provides a convenient way to manage the use of various services on the network. It manages general protocols (for example, HTTP and FTP) and applies traffic prioritization to enhance the performance of delay-sensitive applications like voice and video. 24.1.1 What You Can Do in this Chapter Use the BWM screens (see Section 24.2 on page...
  • Page 408 Chapter 24 BWM (Bandwidth Management) negotiate paths or remember state information for every flow. In addition, applications do not have to request a particular service or give advanced notice of where the traffic is going. Connection and Packet Directions Bandwidth management looks at the connection direction, that is, from which interface the connection was initiated and to which interface the connection is going.
  • Page 409 Chapter 24 BWM (Bandwidth Management) Figure 285 LAN1 to WAN, Outbound 200 kbps, Inbound 500 kbps Bandwidth Management Priority • The ZyWALL/USG gives bandwidth to higher-priority traffic first, until it reaches its configured bandwidth rate. •...
  • Page 410 Chapter 24 BWM (Bandwidth Management) Figure 286 Bandwidth Management Behavior (1000 kbps available) Configured Rate Effect In the following table the configured rates total less than the available bandwidth and maximize bandwidth usage is disabled, both servers get their configured rate. Table 160 Configured Rate Effect POLICY CONFIGURED RATE...
  • Page 411: The Bandwidth Management Screen

    Chapter 24 BWM (Bandwidth Management) Priority and Over Allotment of Bandwidth Effect Server A has a configured rate that equals the total amount of available bandwidth and a higher priority. You should regard extreme over allotment of traffic with different priorities (as shown here) as a configuration error.
  • Page 412 Chapter 24 BWM (Bandwidth Management) Table 164 Configuration > Bandwidth Management LABEL DESCRIPTION Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it.
  • Page 413: The Bandwidth Management Add/Edit Screen

    Chapter 24 BWM (Bandwidth Management) Table 164 Configuration > Bandwidth Management (continued) LABEL DESCRIPTION BWM In/Pri/Out/Pri: This field shows the amount of bandwidth the traffic can use. In - This is how much inbound bandwidth, in kilobits per second, this policy allows the matching traffic to use.
  • Page 414 Chapter 24 BWM (Bandwidth Management) Figure 289 Configuration > Bandwidth Management > Add/Edit The following table describes the labels in this screen. Table 165 Configuration > Bandwidth Management > Add/Edit LABEL DESCRIPTION Create new Object: Use to configure any new settings objects that you need to use in this screen. Configuration Enable: Select this check box to turn on this policy.
  • Page 415 Chapter 24 BWM (Bandwidth Management) Table 165 Configuration > Bandwidth Management > Add/Edit (continued) LABEL DESCRIPTION Description Enter a description of this policy. It is not used elsewhere. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long. Criteria Use this section to configure the conditions of traffic to which this policy applies.
  • Page 416 Chapter 24 BWM (Bandwidth Management) Table 165 Configuration > Bandwidth Management > Add/Edit (continued) LABEL DESCRIPTION Bandwidth Shaping Configure these fields to set the amount of bandwidth the matching traffic can use. Inbound kbps Type how much inbound bandwidth, in kilobits per second, this policy allows the traffic to use.
  • Page 417 Chapter 24 BWM (Bandwidth Management) Figure 290 Configuration > BWM > Create New Object > Add User The following table describes the fields in the above screen. Table 166 Configuration > BWM > Create New Object > Add User LABEL DESCRIPTION User Name Type a user or user group object name of the rule.
  • Page 418 Chapter 24 BWM (Bandwidth Management) Table 166 Configuration > BWM > Create New Object > Add User LABEL DESCRIPTION Password Type a password for the user object. The password can consist of alphanumeric characters, the underscore, and some punctuation marks (+-/*= :; .! @$&%#~ ‘...
  • Page 419 Chapter 24 BWM (Bandwidth Management) Figure 291 Configuration > BWM > Create New Object > Add Schedule The following table describes the fields in the above screen. Table 167 Configuration > BWM > Create New Object > Add Schedule LABEL DESCRIPTION Name Enter a name for the schedule object of the rule.
  • Page 420 Chapter 24 BWM (Bandwidth Management) Table 167 Configuration > BWM > Create New Object > Add Schedule LABEL DESCRIPTION Start Date Click the icon menu on the right to choose a Start Date for the schedule object. Start Time Click the icon menu on the right to choose a Start Time for the schedule object. Stop Date Click the icon menu on the right to choose a Stop Date for schedule object.
  • Page 421 Chapter 24 BWM (Bandwidth Management) The following table describes the fields in the above screen. Table 168 Configuration > BWM > Create New Object > Add Address LABEL DESCRIPTION Name Enter a name for the Address object of the rule. Address Type Select an Address Type from the drop down menu on the right.
  • Page 422: Application Patrol

    Chapter 25 Application Patrol 25.1 Overview Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, HTTP and FTP) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP), and streaming (RTSP) applications. You can even control the use of a particular application's individual features (like text messaging, voice, video conferencing, and file transfers).
  • Page 423: Application Patrol Profile

    Chapter 25 Application Patrol Classification of Applications There are two ways the ZyWALL/USG can identify the application. The first is called auto. The ZyWALL/USG looks at the IP payload (OSI layer-7 inspection) and attempts to match it with known patterns for specific applications. Usually, this occurs at the beginning of a connection, when the payload is more consistent across connections, and the ZyWALL/USG examines several packets to make sure the match is correct.
  • Page 424 Chapter 25 Application Patrol Figure 293 Configuration > UTM Profile > App Patrol > Profile The following table describes the labels in this screen. Table 169 Configuration > UTM Profile > App Patrol > Profile LABEL DESCRIPTION Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
  • Page 425: The Application Patrol Profile Add/Edit Screen

    Chapter 25 Application Patrol Table 169 Configuration > UTM Profile > App Patrol > Profile LABEL DESCRIPTION Released Date This field displays the date and time the set was released. Update Signatures: Click this link to go to the screen you can use to download signatures from the update server.
  • Page 426: The Application Patrol Profile Rule Add Application Screen

    Chapter 25 Application Patrol Table 170 Configuration > UTM Profile > App Patrol > Profile > Add/Edit (continued) LABEL DESCRIPTION Remove Select an entry and click Remove to delete the selected entry. This field is a sequential value showing the number of the profile. The profile order is not important.
  • Page 427 Chapter 25 Application Patrol Table 171 Configuration > UTM Profile > App Patrol > Profile > Profile Management > Add/Edit LABEL DESCRIPTION Action Select the default action for all signatures in this category. forward - the ZyWALL/USG routes packets that match these signatures. Drop - the ZyWALL/USG silently drops packets that match these signatures without notification.
  • Page 428: Chapter 26 Content Filtering

    Chapter 26 Content Filtering 26.1 Overview Use the content filtering feature to control access to specific web sites or web content. 26.1.1 What You Can Do in this Chapter • Use the Filter Profile screens (Section Figure 297 on page 433) to set up content filtering profiles.
  • Page 429: Before You Begin

    Chapter 26 Content Filtering • Restrict Web Features The ZyWALL/USG can disable web proxies and block web features such as ActiveX controls, Java applets and cookies. • Customize Web Site Access You can specify URLs to which the ZyWALL/USG blocks access. You can alternatively block access to all URLs except ones that you specify.
  • Page 430: Content Filter Profile Screen

    Chapter 26 Content Filtering 26.2 Content Filter Profile Screen Click Configuration > UTM Profile > Content Filter > Profile to open the Content Filter Profile screen. Use this screen to enable content filtering, view and order your list of content filter policies, create a denial of access message or specify a redirect URL and check your external web filtering service registration status.
  • Page 431: Content Filter Profile Add Or Edit Screen

    Chapter 26 Content Filtering Table 172 Configuration > UTM Profile > Content Filter > Profile (continued) LABEL DESCRIPTION Redirect URL Enter the URL of the web page to which you want to send users when their web access is blocked by content filter. The web page you specify here opens in a new frame below the denied access message.
  • Page 432: Content Filter Add Profile Category Service

    Chapter 26 Content Filtering 26.3.1 Content Filter Add Profile Category Service ZyWALL/USG Series User’s Guide...
  • Page 433 Chapter 26 Content Filtering Figure 297 Content Filter > Profile > Add Filter Profile > Category Service ZyWALL/USG Series User’s Guide...
  • Page 434 Chapter 26 Content Filtering The following table describes the labels in this screen. Table 173 Configuration > UTM Profile > Content Filter > Profile > Add > Category Service LABEL DESCRIPTION License Status This read-only field displays the status of your content-filtering database service registration.
  • Page 435 Chapter 26 Content Filtering Table 173 Configuration > UTM Profile > Content Filter > Profile > Add > Category Service LABEL DESCRIPTION Action for Managed Web Pages: Select Pass to allow users to access web pages that match the other categories that you select below. Select Block to prevent users from accessing web pages that match the other categories that you select below.
  • Page 436: Content Filter Add Filter Profile Custom Service

    Chapter 26 Content Filtering Table 173 Configuration > UTM Profile > Content Filter > Profile > Add > Category Service LABEL DESCRIPTION Managed Categories These are categories of web pages based on their content. Select categories in this section to control access to specific types of Internet content. You must have the Category Service content filtering license to filter these categories.
  • Page 437 Chapter 26 Content Filtering Figure 298 Configuration > UTM Profile > Content Filter > Filter Profile > Custom Service The following table describes the labels in this screen. Table 174 Configuration > UTM Profile > Content Filter > Profile > Custom Service LABEL DESCRIPTION Name...
  • Page 438 Chapter 26 Content Filtering Table 174 Configuration > UTM Profile > Content Filter > Profile > Custom Service (continued) LABEL DESCRIPTION Allow Web traffic for trusted web sites only: When this box is selected, the ZyWALL/USG blocks Web access to sites that are not on the Trusted Web Sites list.
  • Page 439: Content Filter Trusted Web Sites Screen

    Chapter 26 Content Filtering Table 174 Configuration > UTM Profile > Content Filter > Profile > Custom Service (continued) LABEL DESCRIPTION Remove Select an entry and click this to delete it. This displays the index number of the forbidden web sites. Forbidden Web Sites This list displays the forbidden web sites already added.
  • Page 440: Content Filter Forbidden Web Sites Screen

    Chapter 26 Content Filtering Figure 299 Configuration > UTM Profile > Content Filter > Trusted Web Sites The following table describes the labels in this screen. Table 175 Configuration > UTM Profile > Content Filter > Trusted Web Sites LABEL DESCRIPTION Common Trusted Web Sites These are sites that you want to allow access to, regardless of their content...
  • Page 441: Content Filter Technical Reference

    Chapter 26 Content Filtering Figure 300 Configuration > UTM Profile > Content Filter > Forbidden Web Sites The following table describes the labels in this screen. Table 176 Configuration > UTM Profile > Content Filter > Forbidden Web Sites LABEL DESCRIPTION Forbidden Web Site List Sites that you want to block access to, regardless of their content rating, can...
  • Page 442 Chapter 26 Content Filtering Figure 301 Content Filter Lookup Procedure A computer behind the ZyWALL/USG tries to access a web site. The ZyWALL/USG looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site’s category will be in the ZyWALL/USG’s cache.
  • Page 443: IDP

    Chapter 27 IDP 27.1 Overview This chapter introduces packet inspection IDP (Intrusion, Detection and Prevention), IDP profiles, binding an IDP profile to a traffic flow, custom signatures and updating signatures. An IDP system can detect malicious or suspicious packets and respond instantaneously. IDP on the ZyWALL/USG protects against network-based intrusions.
  • Page 444: The IDP Profile Screen

    Chapter 27 IDP 27.2 The IDP Profile Screen An IDP profile is a set of packet inspection signatures. Packet inspection signatures examine packet content for malicious data. Packet inspection applies to OSI (Open System Interconnection) layer-4 to layer-7 contents. You need to subscribe for IDP service in order to be able to download new signatures.
  • Page 445: Base Profiles

    Chapter 27 IDP Table 177 Configuration > UTM Profile > IDP > Profile (continued) LABEL DESCRIPTION This is the entry’s index number in the list. Name This displays the name of the IDP Profile. This displays the zones that you can apply. Click ALL to select all zones. Description This displays the description of the IDP Profile.
  • Page 446: Adding / Editing Profiles

    Chapter 27 IDP The following table describes this screen. Table 178 Base Profiles BASE PROFILE DESCRIPTION none All signatures are disabled. No logs are generated and no actions are taken. All signatures are enabled. Signatures with a high or severe severity level (greater than three) generate log alerts and cause packets that trigger them to be dropped.
  • Page 447: Profile > Group View Screen

    Chapter 27 IDP 27.2.3 Profile > Group View Screen Select Configuration > UTM Profile > IDP > Profile and then click Add to create a new profile or select an existing profile, then click a group in the base profile box (or double-click the existing profile) to modify it.
  • Page 448 Chapter 27 IDP Table 179 Configuration > UTM Profile > IDP > Profile > Add > Group View (continued) LABEL DESCRIPTION Switch to query Click this button to go to a screen where you can search for signatures by criteria such as view name, ID, severity, attack type, vulnerable attack platforms, service category, log options or actions.
  • Page 449 Chapter 27 IDP Table 179 Configuration > UTM Profile > IDP > Profile > Add > Group View (continued) LABEL DESCRIPTION Severity These are the severities as defined in the ZyWALL/USG. The number in brackets is the number you use if using commands. Severe (5): These denote attacks that try to run arbitrary code or gain system privileges.
  • Page 450: Add Profile > Query View

    Chapter 27 IDP Table 179 Configuration > UTM Profile > IDP > Profile > Add > Group View (continued) LABEL DESCRIPTION Action To edit what action the ZyWALL/USG takes when a packet matches a signature, select the signature and use the Action icon. none: Select this action on an individual signature or a complete service group to have the ZyWALL/USG take no action when a packet matches the signature(s).
  • Page 451: Policy Types

    Chapter 27 IDP Policy Types This table describes Policy Types as categorized in the ZyWALL/USG. Table 180 Policy Types POLICY TYPE DESCRIPTION This refers to all IDP attack types. An access control list (ACL) is a list of permissions that specifies which users or system processes are granted access to objects.
  • Page 452: Idp Service Groups

    Chapter 27 IDP Table 180 Policy Types (continued) POLICY TYPE DESCRIPTION Mail A Mail or E-mail bombing attack involves sending several thousand identical messages to an electronic mailbox in order to overflow it, making it unusable. Misc Miscellaneous attacks take advantage of vulnerable computer networks and web servers by forcing cache servers or web browsers into disclosing user-specific information that might be sensitive and confidential.
  • Page 453 Chapter 27 IDP Table 181 IDP Service Groups (continued) POP3 POP2 ORACLE NNTP NETBIOS MYSQL MISC_EXPLOIT MISC_DDOS MISC_BACKDOOR MISC IMAP ICMP FINGER The n/a service group is for signatures that are not for a specific service. Figure 305 Configuration > UTM Profile > IDP > Profile: Query View The following table describes the fields specific to this screen’s query view.
  • Page 454: Query Example

    Chapter 27 IDP Table 182 Configuration > UTM Profile > IDP > Profile: Query View (continued) LABEL DESCRIPTION Query Signatures Select the criteria on which to perform the search. Search all custom Select this check box to include signatures you created or imported in the Custom Signatures screen in the search.
  • Page 455: Idp Custom Signatures

    Chapter 27 IDP • Severity: high • Policy Type: DoS • Platform: Windows • Service: Any • Actions: Any Figure 306 Query Example Search 27.3 IDP Custom Signatures Create custom signatures for new attacks or attacks peculiar to your network. Custom signatures can also be saved to/from your computer so as to share with others.
  • Page 456 Chapter 27 IDP Figure 307 IP v4 Packet Headers The header fields are discussed in the following table. Table 183 IP v4 Packet Headers HEADER DESCRIPTION Version The value 4 indicates IP version 4. IP Header Length is the number of 32 bit words forming the total length of the header (usually five).
  • Page 457 Chapter 27 IDP Select Configuration > UTM Profile > IDP > Custom Signatures. The first screen shows a summary of all custom signatures created. Click the SID or Name heading to sort. Click the Add icon to create a new signature or click the Edit icon to edit an existing signature. You can also delete custom signatures here or save them to your computer.
  • Page 458: Add / Edit Custom Signatures

    Chapter 27 IDP Table 184 Configuration > UTM Profile > IDP > Custom Signatures (continued) LABEL DESCRIPTION Customer Signature Rule Importing Use this part of the screen to import custom signatures (previously saved to your computer) to the ZyWALL/USG. Note: The name of the complete custom signature file on the ZyWALL/USG is ‘custom.rules’.
  • Page 459 Chapter 27 IDP Figure 309 Configuration > UTM Profile > IDP > Custom Signatures > Add/Edit ZyWALL/USG Series User’s Guide...
  • Page 460 Chapter 27 IDP The following table describes the fields in this screen. Table 185 Configuration > UTM Profile > IDP > Custom Signatures > Add/Edit LABEL DESCRIPTION Name Type the name of your custom signature. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 461 Chapter 27 IDP Table 185 Configuration > UTM Profile > IDP > Custom Signatures > Add/Edit (continued) LABEL DESCRIPTION IP Options IP Options is a variable-length list of IP options for a datagram that define IP Security Option (security and handling restrictions for the military), IP Stream Identifier, Record Route (have each router record its IP address), Loose Source Routing (specifies a list of IP addresses that must be traversed by the datagram), Strict Source Routing (specifies a list of IP addresses that must ONLY be traversed...
  • Page 462: Custom Signature Example

    Chapter 27 IDP Table 185 Configuration > UTM Profile > IDP > Custom Signatures > Add/Edit (continued) LABEL DESCRIPTION Payload Size This field may be used to check for abnormally sized packets or for detecting buffer overflows. Select the check box, then select Equal, Smaller or Greater and then type the payload size.
  • Page 463 Chapter 27 IDP 27.3.2.1 Understand the Vulnerability Check the ZyWALL/USG logs when the attack occurs. Use web sites such as Google or Security Focus to get as much information about the attack as you can. The more specific your signature, the less chance it will cause false positives.
  • Page 464: Applying Custom Signatures

    Chapter 27 IDP From the details about DNS query you see that the protocol is UDP and the port is 53. The type of DNS packet is standard query and the Flag is 0x0100 with an offset of 2. Therefore enter |010| as the first pattern.
  • Page 465: Verifying Custom Signatures

    Chapter 27 IDP 27.3.4 Verifying Custom Signatures Configure the signature to create a log when traffic matches the signature. (You may also want to configure an alert if it is for a serious attack and needs immediate attention.) After you apply the signature to a zone, you can see if it works by checking the logs (Monitor >...
  • Page 466 Chapter 27 IDP the whole LAN is compromised. Host-based intrusions may be used to cause network-based intrusions when the goal of the host virus is to propagate attacks on the network, or attack computer/server operating system vulnerabilities with the goal of bringing down the computer/ server.
  • Page 467 Chapter 27 IDP Table 186 ZyWALL/USG - Snort Equivalent Terms (continued) ZYWALL/USG TERM SNORT EQUIVALENT TERM Transport Protocol: ICMP Type itype Code icode icmp_id Sequence Number icmp_seq Payload Options (Snort rule options) Payload Size dsize Offset (relative to start of payload) offset Relative to end of last match distance...
  • Page 468: Chapter 28 Anti-Virus

    Chapter 28 Anti-Virus 28.1 Overview Use the ZyWALL/USG’s anti-virus feature to protect your connected network from virus/spyware infection. The ZyWALL/USG checks traffic going in the direction(s) you specify for signature matches. In the following figure the ZyWALL/USG is set to check traffic coming from the WAN zone (which includes two interfaces) to the LAN zone.
  • Page 469: What You Need To Know

    Chapter 28 Anti-Virus 28.1.2 What You Need to Know Anti-Virus Engines Subscribe to signature files for Kaspersky’s anti-virus engine. After the trial expires, you need to purchase an iCard for the anti-virus engine you want to use and register it in the Registration > Service screen.
  • Page 470: Anti-Virus Profile Screen

    Chapter 28 Anti-Virus Notes About the ZyWALL/USG Anti-Virus The following lists important notes about the anti-virus scanner: The ZyWALL/USG anti-virus scanner can detect polymorphic viruses. When a virus is detected, an alert message is displayed in Microsoft Windows computers. Changes to the ZyWALL/USG’s anti-virus settings affect new sessions (not the sessions that already existed before you applied the changed settings).
  • Page 471 Chapter 28 Anti-Virus Figure 314 Configuration > UTM Profile > Anti-Virus > Profile The following table describes the labels in this screen. Table 187 Configuration > UTM Profile > Anti-Virus > Profile LABEL DESCRIPTION Profile Management Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
  • Page 472: Anti-Virus Profile Add Or Edit

    Chapter 28 Anti-Virus Table 187 Configuration > UTM Profile > Anti-Virus > Profile (continued) LABEL DESCRIPTION Current Version This field displays the anti-virus signature set version number. This number gets larger as the set is enhanced. Signature Number This field displays the number of anti-virus signatures in this set. Released Date This field displays the date and time the set was released.
  • Page 473: AV Signature Searching

    Chapter 28 Anti-Virus Table 188 Configuration > UTM > Anti-Virus > Profile: Profile Management > Add (continued) LABEL DESCRIPTION Destroy infected file When you select this check box, if a virus pattern is matched, the ZyWALL/USG overwrites the infected portion of the file (and the rest of the file) with zeros. The uninfected portion of the file before a virus pattern was matched goes through unmodified.
  • Page 474: Anti-Virus Technical Reference

    Chapter 28 Anti-Virus Figure 316 Configuration > UTM Profile > Anti-Virus > Signature The following table describes the labels in this screen. Table 189 Configuration > UTM > Anti-Virus > Signature LABEL DESCRIPTION Signatures Search Enter the name, part of the name or keyword of the signature(s) you want to find. This search is not case-sensitive and accepts numerical strings.
  • Page 475 Chapter 28 Anti-Virus Table 190 Common Computer Virus Types (continued) TYPE DESCRIPTION E-mail Virus E-mail viruses are malicious programs that spread through e-mail. Polymorphic Virus A polymorphic virus (also known as a mutation virus) tries to evade detection by changing a portion of its code structure after each execution or self replication. This makes it harder for an anti-virus scanner to detect or intercept it.
  • Page 476: Anti-Spam

    Chapter 29 Anti-Spam 29.1 Overview The anti-spam feature can mark or discard spam (unsolicited commercial or junk e-mail). Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail. The ZyWALL/USG can also check e-mail against a DNS black list (DNSBL) of IP addresses of servers that are suspected of being used by spammers.
  • Page 477: Before You Begin

    Chapter 29 Anti-Spam that individual e-mail. A properly configured black list helps catch spam e-mail and increases the ZyWALL/USG’s anti-spam speed and efficiency. SMTP and POP3 Simple Mail Transfer Protocol (SMTP) is the Internet’s message transport standard. It controls the sending of e-mail messages between servers.
  • Page 478: The Anti-Spam Profile Screen

    Chapter 29 Anti-Spam • Configure your zones before you configure anti-spam. 29.3 The Anti-Spam Profile Screen Click Configuration > UTM Profile > Anti-Spam to open the Anti-Spam Profile screen. Use this screen to turn the anti-spam feature on or off and manage anti-spam policies. You can also select the action the ZyWALL/USG takes when the mail sessions threshold is reached.
  • Page 479: The Anti-Spam Profile Add Or Edit Screen

    Chapter 29 Anti-Spam Table 191 Configuration > UTM Profile > Anti-Spam > Profile LABEL DESCRIPTION Object Reference Select an entry and click Object References to open a screen that shows which settings use the entry. Click Refresh to update information in this screen. Priority This is the index number of the anti-spam rule.
  • Page 480 Chapter 29 Anti-Spam Figure 318 Configuration > UTM Profile > Anti-Spam > Profile > Add The following table describes the labels in this screen. Table 192 Configuration > UTM Profile > Anti-Spam > Profile > Add LABEL DESCRIPTION General Settings Name Enter a descriptive name for this anti-spam rule.
  • Page 481: The Mail Scan Screen

    Chapter 29 Anti-Spam Table 192 Configuration > UTM Profile > Anti-Spam > Profile > Add (continued) LABEL DESCRIPTION Check Mail Content Select this to identify Spam Email by content, such as malicious content. Check Virus Outbreak Select this to scan emails for attached viruses. Check DNSBL Select this check box to check e-mail against the ZyWALL/USG’s configured DNSBL...
  • Page 482 Chapter 29 Anti-Spam Figure 319 Configuration > UTM Profile > Anti-Spam > Mail Scan The following table describes the labels in this screen. Table 193 Configuration > UTM Profile > Anti-Spam > Mail Scan LABEL DESCRIPTION Sender Reputation Enable Sender Select this to have the ZyWALL/USG scan for spam e-mail by IP Reputation.
  • Page 483: The Anti-Spam Black List Screen

    Chapter 29 Anti-Spam Table 193 Configuration > UTM Profile > Anti-Spam > Mail Scan LABEL DESCRIPTION Enable Virus Outbreak Detection This scans emails for attached viruses. Virus Outbreak Enter a message or label (up to 15 ASCII characters) to add to the beginning of the mail subject of e-mails that are determined to have an attached virus.
  • Page 484 Chapter 29 Anti-Spam Figure 320 Configuration > UTM Profile > Anti-Spam > Black/White List > Black List The following table describes the labels in this screen. Table 194 Configuration > UTM Profile > Anti-Spam > Black/White List > Black List LABEL DESCRIPTION General Settings...
  • Page 485: The Anti-Spam Black Or White List Add/Edit Screen

    Chapter 29 Anti-Spam 29.5.1 The Anti-Spam Black or White List Add/Edit Screen In the anti-spam Black List or White List screen, click the Add icon or an Edit icon to display the following screen. Use this screen to configure an anti-spam black list entry to identify spam e-mail. You can create entries based on specific subject text, or the sender’s or relay’s IP address or e-mail address.
  • Page 486: Regular Expressions In Black Or White List Entries

    Chapter 29 Anti-Spam Table 195 Configuration > UTM Profile > Anti-Spam > Black/White List > Black/White List > Add LABEL DESCRIPTION Sender E-Mail Address This field displays when you select the E-Mail type. Enter a keyword (up to 63 ASCII characters).
  • Page 487 Chapter 29 Anti-Spam Figure 322 Configuration > UTM Profile > Anti-Spam > Black/White List > White List The following table describes the labels in this screen. Table 196 Configuration > UTM Profile > Anti-Spam > Black/White List > White List LABEL DESCRIPTION General Settings...
  • Page 488: The DNSBL Screen

    Chapter 29 Anti-Spam 29.7 The DNSBL Screen Click Configuration > UTM Profile > Anti-Spam > DNSBL to display the anti-spam DNSBL screen. Use this screen to configure the ZyWALL/USG to check the sender and relay IP addresses in e-mail headers against DNS (Domain Name Service)-based spam Black Lists (DNSBLs). Figure 323 Configuration >...
  • Page 489 Chapter 29 Anti-Spam The following table describes the labels in this screen. Table 197 Configuration > UTM Profile > Anti-Spam > DNSBL LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields. Enable DNS Black List Select this to have the ZyWALL/USG check the sender and relay IP addresses in e-...
  • Page 490: Anti-Spam Technical Reference

    Chapter 29 Anti-Spam Table 197 Configuration > UTM Profile > Anti-Spam > DNSBL (continued) LABEL DESCRIPTION Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate. Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
  • Page 491 Chapter 29 Anti-Spam Figure 324 DNSBL Spam Detection Example (figure: queries for a.a.a.a and b.b.b.b sent to DNSBL A, DNSBL B and DNSBL C) The ZyWALL/USG receives an e-mail that was sent from IP address a.a.a.a and relayed by an e-mail server at IP address b.b.b.b. The ZyWALL/USG sends a separate query to each of its DNSBL domains for IP address a.a.a.a.
  • Page 492 Chapter 29 Anti-Spam Figure 325 DNSBL Legitimate E-mail Detection Example (figure: queries for c.c.c.c and d.d.d.d sent to DNSBL A, DNSBL B and DNSBL C; result: not spam) The ZyWALL/USG receives an e-mail that was sent from IP address c.c.c.c and relayed by an e-mail server at IP address d.d.d.d.
  • Page 493 Chapter 29 Anti-Spam Figure 326 Conflicting DNSBL Replies Example (figure: queries for a.b.c.d and w.x.y.z sent to DNSBL A, DNSBL B and DNSBL C; result: spam) The ZyWALL/USG receives an e-mail that was sent from IP address a.b.c.d and relayed by an e-mail server at IP address w.x.y.z. The ZyWALL/USG sends a separate query to each of its DNSBL domains for IP address a.b.c.d.
  • Page 494: SSL Inspection

    Chapter 30 SSL Inspection 30.1 Overview Secure Socket Layer (SSL) traffic, such as HTTPS (for example https://www.google.com/), FTPs, POP3s, SMTPs, etc. is encrypted, and cannot be inspected using Unified Threat Management (UTM) profiles such as App Patrol, Content Filter, Intrusion, Detection and Prevention (IDP), or Anti-Virus. The ZyWALL/USG uses SSL Inspection to decrypt SSL traffic, sends it to the UTM engines for inspection, then encrypts traffic that passes inspection and forwards it to the destination server, such as Google.
  • Page 495: Before You Begin

    Chapter 30 SSL Inspection • RC4 (Rivest Cipher 4) • DES (Data Encryption Standard) • 3DES • AES (Advanced Encryption Standard) • SSLv3/TLS1.0 (Transport Layer Security) Support • SSLv3/TLS1.0 is currently supported with option to pass or block SSLv2 traffic •...
  • Page 496: Add / Edit Ssl Inspection Profiles

    Chapter 30 SSL Inspection Table 198 Configuration > UTM Profile > SSL Inspection > Profile (continued) LABEL DESCRIPTION Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. Object Reference Select an entry and click Object References to open a screen that shows which settings use the entry.
  • Page 497 Chapter 30 SSL Inspection The following table describes the fields in this screen. Table 199 Configuration > UTM Profile > SSL Inspection > Profile > Add / Edit LABEL DESCRIPTION Name This is the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 498 Chapter 30 SSL Inspection Table 199 Configuration > UTM Profile > SSL Inspection > Profile > Add / Edit (continued) LABEL DESCRIPTION Click this to configure settings for a signature that are different from the severity level to which it belongs. Remove Select an existing signature exception and then click this to delete the exception.
  • Page 499: Exclude List Screen

    Chapter 30 SSL Inspection 30.3 Exclude List Screen There may be privacy and legality issues regarding inspecting a user's encrypted session. The legal issues may vary by locale, so it's important to check with your legal department to make sure that it’s OK to intercept SSL traffic from your ZyWALL/USG users.
  • Page 500: Install a CA Certificate in a Browser

    Chapter 30 SSL Inspection Table 200 Configuration > UTM Profile > SSL Inspection > Exclude List (continued) LABEL DESCRIPTION Exclude List of Certificate Identity SSL traffic to a server to be excluded from SSL Inspection is identified by its certificate. Identify the certificate in one of the following ways: •...
  • Page 501 Chapter 30 SSL Inspection From the main menu, select Action > All Tasks > Import and run the Certificate Import Wizard to install the certificate on the PC.
  • Page 502 Chapter 30 SSL Inspection 30.3.1.1 Firefox Browser If you’re using a Firefox browser, in addition to the above you need to do the following to import a certificate into the browser. Click Tools > Options > Advanced > Encryption > View Certificates, click Import and enter the filename of the certificate you want to import.
  • Page 503: Device HA

    Chapter 31 Device HA 31.1 Overview Device HA lets a backup ZyWALL/USG (B) automatically take over if the master ZyWALL/USG (A) fails. Figure 331 Device HA Backup Taking Over for the Master 31.1.1 What You Can Do in this Chapter • Use the General screen (Section 31.2 on page 504) to configure device HA global settings, and see the status of each interface monitored by device HA.
  • Page 504: Before You Begin

    Chapter 31 Device HA Synchronization Use synchronization to have a backup ZyWALL/USG copy the master ZyWALL/USG’s configuration, signatures (anti-virus, IDP/application patrol, and system protect), and certificates. Note: Only ZyWALL/USGs of the same model and firmware version can synchronize. Otherwise you must manually configure the master ZyWALL/USG’s settings on the backup (by editing copies of the configuration files in a text editor for example).
  • Page 505: The Active-Passive Mode Screen

    Chapter 31 Device HA The following table describes the labels in this screen. Table 201 Configuration > Device HA > General LABEL DESCRIPTION Enable Device Turn the ZyWALL/USG’s device HA feature on or off. Note: It is not recommended to use STP (Spanning Tree Protocol) with device HA. Device HA Mode This displays whether the ZyWALL/USG is currently set to use active-passive mode device HA.
  • Page 506 Chapter 31 Device HA Figure 333 Virtual Router Cluster ID You can have multiple ZyWALL/USG virtual routers on your network. Use a different cluster ID to identify each virtual router. In the following example, ZyWALL/USGs A and B form a virtual router that uses cluster ID 1.
  • Page 507: Configuring Active-Passive Mode Device Ha

    Chapter 31 Device HA • Each interface can also have a management IP address. You can connect to this IP address to manage the ZyWALL/USG regardless of whether it is the master or the backup. For example, ZyWALL/USG B takes over A’s 192.168.1.1 LAN interface IP address. This is a virtual router IP address.
  • Page 508 Chapter 31 Device HA Figure 336 Configuration > Device HA > Active Passive Mode
  • Page 509 Chapter 31 Device HA The following table describes the labels in this screen. See Section 31.4 on page 510 for more information as well. Table 202 Configuration > Device HA > Active-Passive Mode LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields...
  • Page 510: Active-Passive Mode Edit Monitored Interface

    Chapter 31 Device HA Table 202 Configuration > Device HA > Active-Passive Mode (continued) LABEL DESCRIPTION Server Port If this ZyWALL/USG is set to the backup role, enter the port number to use for Secure FTP when synchronizing with the specified master ZyWALL/USG. If this ZyWALL/USG is set to master role, this field displays the ZyWALL/USG’s Secure FTP port number.
  • Page 511: Device Ha Technical Reference

    Chapter 31 Device HA Figure 338 Configuration > Device HA > Active-Passive Mode > Edit The following table describes the labels in this screen. Table 203 Configuration > Device HA > Active-Passive Mode > Edit LABEL DESCRIPTION Enable Monitored Interface Select this to have device HA monitor the status of this interface’s connection. Interface Name...
  • Page 512 Chapter 31 Device HA Make sure the bridge interfaces of the master ZyWALL/USG (A) and the backup ZyWALL/USG (B) are not connected. Configure the bridge interface on the master ZyWALL/USG, set the bridge interface as a monitored interface, and activate device HA. Br0 {ge4, ge5} Configure the bridge interface on the backup ZyWALL/USG, set the bridge interface as a monitored interface, and activate device HA.
  • Page 513 Chapter 31 Device HA Br0 {ge4, ge5} Br0 {ge4, ge5} Second Option for Connecting the Bridge Interfaces on Two ZyWALL/USGs Another option is to disable the bridge interfaces, connect the bridge interfaces, activate device HA, and finally reactivate the bridge interfaces as shown in the following example. In this case the ZyWALL/USGs are already connected, but the bridge interfaces have not been configured yet.
  • Page 514 Chapter 31 Device HA Enable the bridge interface on the master ZyWALL/USG and then on the backup ZyWALL/USG. Br0 {ge4, ge5} Br0 {ge4, ge5} Connect the ZyWALL/USGs. Br0 {ge4, ge5} Br0 {ge4, ge5} Synchronization During synchronization, the master ZyWALL/USG sends the following information to the backup ZyWALL/USG.
  • Page 515 Chapter 31 Device HA The backup ZyWALL/USG gets the configuration from the master ZyWALL/USG. The backup ZyWALL/USG cannot become the master or be managed while it applies the new configuration. This usually takes two or three minutes or longer depending on the configuration complexity. The following restrictions apply with active-passive mode.
  • Page 516: Object

    Chapter 32 Object 32.1 Zones Overview Set up zones to configure network security and network policies in the ZyWALL/USG. A zone is a group of interfaces and/or VPN tunnels. The ZyWALL/USG uses zones instead of interfaces in many security and policy settings, such as Secure Policies rules, UTM Profile, and remote management. Zones cannot overlap.
  • Page 517: The Zone Screen

    Chapter 32 Object Inter-zone Traffic Inter-zone traffic is traffic between interfaces or VPN tunnels in different zones. For example, in Figure 339 on page 516, traffic between VLAN 1 and the Internet is inter-zone traffic. This is the normal case when zone-based security and policy settings apply. Extra-zone Traffic •...
  • Page 518: User/Group Overview

    Chapter 32 Object 32.1.2.1 Zone Edit The Zone Edit screen allows you to add or edit a zone. To access this screen, go to the Zone screen (see Section 32.7.2 on page 563), and click the Add icon or an Edit icon. Figure 341 Configuration >...
  • Page 519: What You Need To Know

    Chapter 32 Object • The Group screen (see Section 32.2.3 on page 524) provides a summary of all user groups. In addition, this screen allows you to add, edit, and remove user groups. User groups may consist of access users and other user groups. You cannot put admin users in user groups. •...
  • Page 520 Chapter 32 Object Once an ext-user user has been authenticated, the ZyWALL/USG tries to get the user type (see Table 206 on page 519) from the external server. If the external server does not have the information, the ZyWALL/USG sets the user type for this session to User. For the rest of the user attributes, such as reauthentication time, the ZyWALL/USG checks the following places, in order.
  • Page 521: User Summary Screen

    Chapter 32 Object 32.2.2 User Summary Screen The User screen provides a summary of all user accounts. To access this screen, login to the Web Configurator, and click Configuration > Object > User/Group. Figure 342 Configuration > Object > User/Group The following table describes the labels in this screen.
  • Page 522 Chapter 32 Object 32.2.2.2 Rules for User Names Enter a user name from 1 to 31 characters. The user name can only contain the following characters: • Alphanumeric A-z 0-9 (there is no unicode support) • _ [underscores] • - [dashes] The first character must be alphabetical (A-Z a-z), an underscore (_), or a dash (-).
  • Page 523 Chapter 32 Object The following table describes the labels in this screen. Table 208 Configuration > User/Group > User > Add LABEL DESCRIPTION User Name Type the user name for this user account. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 524: User Group Summary Screen

    Chapter 32 Object Table 208 Configuration > User/Group > User > Add (continued) LABEL DESCRIPTION Click OK to save your changes back to the ZyWALL/USG. Cancel Click Cancel to exit this screen without saving your changes. 32.2.3 User Group Summary Screen User groups consist of access users and other user groups.
  • Page 525: The User/Group Setting Screen

    Chapter 32 Object Figure 345 Configuration > User/Group > Group > Add The following table describes the labels in this screen. Table 210 Configuration > User/Group > Group > Add LABEL DESCRIPTION Name Type the name for this user group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 526 Chapter 32 Object Figure 346 Configuration > Object > User/Group > Setting The following table describes the labels in this screen. Table 211 Configuration > Object > User/Group > Setting LABEL DESCRIPTION User Authentication Timeout Settings Default Authentication Timeout Settings These authentication timeout settings are used by default when you create a new user account.
  • Page 527 Chapter 32 Object Table 211 Configuration > Object > User/Group > Setting (continued) LABEL DESCRIPTION User Type These are the kinds of user account the ZyWALL/USG supports. • admin - this user can look at and change the configuration of the ZyWALL/USG •...
  • Page 528 Chapter 32 Object Table 211 Configuration > Object > User/Group > Setting (continued) LABEL DESCRIPTION Maximum number per access account This field is effective when Limit ... for access account is checked. Type the maximum number of simultaneous logins by each access user. User Lockout Settings Enable logon retry limit Select this check box to set a limit on the number of times each user can...
  • Page 529: User Aware Login Example

    The following table describes the labels in this screen. Table 212 Configuration > Object > User/Group > Setting > Edit LABEL DESCRIPTION User Type This read-only field identifies the type of user account for which you are configuring the default settings.
  • Page 530 The following table describes the labels in this screen. Table 213 Web Configurator for Non-Admin Users LABEL DESCRIPTION User-defined lease time (max Access users can specify a lease time shorter than or equal to the one that you specified. The default value is the lease time that you specified.
  • Page 531: AP Profile Overview

    Creating a Large Number of Ext-User Accounts If you plan to create a large number of Ext-User accounts, you might use CLI commands instead of the Web Configurator to create the accounts. Extract the user names from the LDAP or RADIUS server, and create a shell script that creates the user accounts.
  • Page 532: Radio Screen

    the wireless stations and the access points must use the same WEP key for data encryption and decryption. WPA and WPA2 Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA.
  • Page 533 Table 215 Configuration > Object > AP Profile > Radio (continued) LABEL DESCRIPTION Profile Name This field indicates the name assigned to the radio profile. Frequency Band This field indicates the frequency band which this radio profile is configured to use. Channel ID This field indicates the broadcast channel which this radio profile is configured to use.
  • Page 534 32.3.1.1 Add/Edit Radio Profile This screen allows you to create a new radio profile or edit an existing one. To access this screen, click the Add button or select a radio profile from the list and click the Edit button. Figure 352 Configuration >...
  • Page 535 The following table describes the labels in this screen. Table 216 Configuration > Object > AP Profile > Add/Edit Radio Profile LABEL DESCRIPTION Hide / Show Advanced Settings Click this to hide or show the Advanced Settings in this window. Create New Object Select an item from this menu to create a new object of that type.
  • Page 536 Table 216 Configuration > Object > AP Profile > Add/Edit Radio Profile (continued) LABEL DESCRIPTION A-MPDU Subframe Enter the maximum number of frames to be aggregated each time. Enable A-MSDU Aggregation Select this to enable A-MSDU aggregation. MAC Service Data Unit (MSDU) aggregation collects Ethernet frames without any of their 802.11n headers and wraps the header-less payload in a single 802.11n MAC header.
  • Page 537: SSID Screen

    Table 216 Configuration > Object > AP Profile > Add/Edit Radio Profile (continued) LABEL DESCRIPTION Rate Configuration This section controls the data rates permitted for clients. For each Rate, select a rate option from its list. The rates are: •...
  • Page 538 Note: You can have a maximum of 32 SSID profiles on the ZyWALL/USG. Figure 353 Configuration > Object > AP Profile > SSID List The following table describes the labels in this screen. Table 217 Configuration > Object > AP Profile > SSID List LABEL DESCRIPTION Click this to add a new SSID profile.
  • Page 539 32.3.2.2 Add/Edit SSID Profile This screen allows you to create a new SSID profile or edit an existing one. To access this screen, click the Add button or select an SSID profile from the list and click the Edit button. Figure 354 Configuration >...
  • Page 540 Table 218 Configuration > Object > AP Profile > SSID > Add/Edit SSID Profile (continued) LABEL DESCRIPTION Select a Quality of Service (QoS) access category to associate with this SSID. Access categories minimize the delay of data packets across a wireless network. Certain categories, such as video or voice, are given a higher priority due to the time sensitive nature of their data packets.
  • Page 541 Note: You can have a maximum of 32 security profiles on the ZyWALL/USG. Figure 355 Configuration > Object > AP Profile > SSID > Security List The following table describes the labels in this screen. Table 219 Configuration > Object > AP Profile > SSID > Security List LABEL DESCRIPTION Click this to add a new security profile.
  • Page 542 32.3.2.3.1 Add/Edit Security Profile This screen allows you to create a new security profile or edit an existing one. To access this screen, click the Add button or select a security profile from the list and click the Edit button. Note: This screen’s options change based on the Security Mode selected.
  • Page 543 Table 220 Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile LABEL DESCRIPTION Radius Server IP Address Enter the IP address of the RADIUS server to be used for authentication. Radius Server Port Enter the port number of the RADIUS server to be used for authentication.
  • Page 544 Table 220 Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile LABEL DESCRIPTION Pre-Authentication This field is available only when you set Security Mode to wpa2 or wpa2-mix and enable 802.1x authentication. Enable or Disable pre-authentication to allow the AP to send authentication information to other APs on the network, allowing connected wireless clients to switch APs without having to re-authenticate their network connection.
  • Page 545: Application

    32.3.2.4.1 Add/Edit MAC Filter Profile This screen allows you to create a new MAC filtering profile or edit an existing one. To access this screen, click the Add button or select a MAC filter profile from the list and click the Edit button. Figure 358 SSID >...
  • Page 546 objects in Configuration > Object > Application > Application. Categories of applications include (at the time of writing): Table 223 Categories of Applications • Instant Messaging • File Transfer • Streaming Media • Mail and Collaboration •...
  • Page 547 The Application screen allows you to create application objects consisting of service signatures as well as view license and signature information. To access this screen click Configuration > Object > Application > Application. Figure 360 Configuration > Object > Application > Application The following table describes the labels in this screen.
  • Page 548: Add Application Rule

    32.4.1 Add Application Rule Click Add in Configuration > Object > Application > Application to create a new application rule. In the first screen you type a name to identify this application object and write an optional brief description of it.
  • Page 549 32.4.1.1 Add Application Object by Category or Service Click Add in Configuration > Object > Application > Application > Add Application Rule to choose the signatures that should go into this object. Figure 362 Configuration > Object > Application > Application > Add Application Rule > Add By Category Figure 363 Configuration >...
  • Page 550: Application Group Screen

    The following table describes the labels in this screen. Table 226 Configuration > Object > Application > Application > Add Application Rule > Add Application Object LABEL DESCRIPTION Query Search Choose signatures in one of the following ways: •...
  • Page 551 Table 227 Configuration > Object > Application > Application Group (continued) LABEL DESCRIPTION Name This field indicates the name assigned to the application group. Description You may type some extra information on the application group here. Member This field shows the application objects in this application group.
  • Page 552: Address Overview

    The following table describes the labels in this screen. Table 228 Configuration > Object > Application > Application > Add Application Group Rule LABEL DESCRIPTION Name Enter a name for the group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 553 The Address screen provides a summary of all addresses in the ZyWALL/USG. To access this screen, click Configuration > Object > Address > Address. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 366 Configuration >...
  • Page 554 32.5.2.1 IPv4 Address Add/Edit Screen The Configuration > IPv4 Address Add/Edit screen allows you to create a new address or edit an existing one. To access this screen, go to the Address screen (see Section 32.5.2 on page 552), and click either the Add icon or an Edit icon in the IPv4 Address Configuration section.
  • Page 555: Address Group Summary Screen

    Figure 368 IPv6 Address Configuration > Add/Edit The following table describes the labels in this screen. Table 231 IPv6 Address Configuration > Add/Edit LABEL DESCRIPTION Name Type the name used to refer to the address. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 556 Figure 369 Configuration > Object > Address > Address Group The following table describes the labels in this screen. See Section 32.5.2.4 on page 556 for more information as well. Table 232 Configuration > Object > Address > Address Group LABEL DESCRIPTION IPv4 Address Group Configuration...
  • Page 557: Service Overview

    Figure 370 IPv4/IPv6 Address Group Configuration > Add The following table describes the labels in this screen. Table 233 IPv4/IPv6 Address Group Configuration > Add LABEL DESCRIPTION Name Enter a name for the address group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 558: What You Need To Know

    32.6.1 What You Need to Know IP Protocols IP protocols are based on the eight-bit protocol field in the IP header. This field represents the next-level protocol that is sent in this packet. This section discusses three of the most common IP protocols.
  • Page 559 To access this screen, log in to the Web Configurator, and click Configuration > Object > Service > Service. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 371 Configuration >...
  • Page 560: The Service Group Summary Screen

    The following table describes the labels in this screen. Table 235 Configuration > Object > Service > Service > Edit LABEL DESCRIPTION Name Type the name used to refer to the service. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 561 The following table describes the labels in this screen. See Section 32.6.3.1 on page 561 for more information as well. Table 236 Configuration > Object > Service > Service Group LABEL DESCRIPTION Click this to create a new entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
  • Page 562: Schedule Overview

    The following table describes the labels in this screen. Table 237 Configuration > Object > Service > Service Group > Edit LABEL DESCRIPTION Name Enter the name of the service group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 563: The Schedule Summary Screen

    schedules always begin and end in the same day. Recurring schedules are useful for defining the workday and off-work hours. 32.7.2 The Schedule Summary Screen The Schedule summary screen provides a summary of all schedules in the ZyWALL/USG. To access this screen, click Configuration >...
  • Page 564 Table 238 Configuration > Object > Schedule (continued) LABEL DESCRIPTION Start Time This field displays the time at which the schedule begins. Stop Time This field displays the time at which the schedule ends. Reference This displays the number of times an object reference is used in a profile. 32.7.2.1 The One-Time Schedule Add/Edit Screen The One-Time Schedule Add/Edit screen allows you to define a one-time schedule or edit an existing one.
  • Page 565 Table 239 Configuration > Object > Schedule > Edit (One Time) (continued) LABEL DESCRIPTION Click OK to save your changes back to the ZyWALL/USG. Cancel Click Cancel to exit this screen without saving your changes. 32.7.2.2 The Recurring Schedule Add/Edit Screen The Recurring Schedule Add/Edit screen allows you to define a recurring schedule or edit an existing one.
  • Page 566: The Schedule Group Screen

    32.7.3 The Schedule Group Screen The Schedule Group summary screen provides a summary of all groups of schedules in the ZyWALL/USG. To access this screen, click Configuration > Object > Schedule > Group. Figure 378 Configuration > Object > Schedule > Schedule Group The following table describes the fields in the above screen.
  • Page 567: AAA Server Overview

    Figure 379 Configuration > Schedule > Schedule Group > Add The following table describes the fields in the above screen. Table 242 Configuration > Schedule > Schedule Group > Add LABEL DESCRIPTION Group Members Name Type the name used to refer to the recurring schedule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 568: Directory Service (AD/LDAP)

    AAA server objects in configuring ext-group-user user objects and authentication method objects (see Chapter 32 on page 576). 32.8.1 Directory Service (AD/LDAP) LDAP/AD allows a client (the ZyWALL/USG) to connect to a server to retrieve information from a directory.
  • Page 569: What You Need To Know

    package contains server software and physical OTP tokens (PIN generators). Do the following to use OTP. See the documentation included on the ASAS’ CD for details. Install the ASAS server software on a computer. Create user accounts on the ZyWALL/USG and in the ASAS server. Import each token’s database file (located on the included CD) into the server.
  • Page 570: Active Directory Or LDAP Server Summary

    Figure 382 Basic Directory Structure (tree from the root through countries (c), organizations and organization units down to unique common names (cn)) Distinguished Name (DN) A DN uniquely identifies an entry in a directory. A DN consists of attribute-value pairs separated by commas.
  • Page 571 Figure 383 Configuration > Object > AAA Server > Active Directory (or LDAP) The following table describes the labels in this screen. Table 243 Configuration > Object > AAA Server > Active Directory (or LDAP) LABEL DESCRIPTION Click this to create a new entry.
  • Page 572 Figure 384 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add
  • Page 573 The following table describes the labels in this screen. Table 244 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add LABEL DESCRIPTION Name Enter a descriptive name (up to 63 alphanumerical characters) for identification purposes.
  • Page 574: RADIUS Server Summary

    Table 244 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add (continued) LABEL DESCRIPTION Retype to Confirm Retype your new password for confirmation. This is only for Active Directory. Realm Enter the realm FQDN. This is only for Active Directory.
  • Page 575 32.8.6.1 Adding a RADIUS Server Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen. Click the Add icon or an Edit icon to display the following screen. Use this screen to create a new AD or LDAP entry or edit an existing one.
  • Page 576: Auth. Method Overview

    Table 246 Configuration > Object > AAA Server > RADIUS > Add (continued) LABEL DESCRIPTION Timeout Specify the timeout period (between 1 and 300 seconds) before the ZyWALL/USG disconnects from the RADIUS server. In this case, user authentication fails. Search timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down.
  • Page 577: Authentication Method Objects

    Access the Configuration > VPN > IPSec VPN > VPN Gateway > Edit screen. Click Show Advance Setting and select Enable Extended Authentication. Select Server Mode and select an authentication method object from the drop-down list box. Click OK to save the settings.
  • Page 578: Creating An Authentication Method Object

    32.9.3.1 Creating an Authentication Method Object Follow the steps below to create an authentication method object. Click Configuration > Object > Auth. Method. Click Add. Specify a descriptive name for identification purposes in the Name field. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 579: Certificate Overview

    Table 248 Configuration > Object > Auth. Method > Add (continued) LABEL DESCRIPTION Remove To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to remove it before doing so. Move To change a method’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.
  • Page 580 Tim wants to send a message to Jenny. He needs her to be sure that it comes from him, and that the message content has not been altered by anyone else along the way. Tim generates a public key pair (one public key and one private key).
  • Page 581: Verifying A Certificate

    Certificate File Formats Any certificate that you want to import has to be in one of these file formats: • Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates. • PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses lowercase letters, uppercase letters and numerals to convert a binary X.509 certificate into a printable form.
  • Page 582: The My Certificates Screen

    Figure 391 Certificate Details Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection. 32.10.3 The My Certificates Screen Click Configuration >...
  • Page 583: The My Certificates Add Screen

    The following table describes the labels in this screen. Table 249 Configuration > Object > Certificate > My Certificates LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL/USG’s PKI storage space that is currently in use.
  • Page 584 Figure 393 Configuration > Object > Certificate > My Certificates > Add The following table describes the labels in this screen. Table 250 Configuration > Object > Certificate > My Certificates > Add LABEL DESCRIPTION Name Type a name to identify this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
  • Page 585 Table 250 Configuration > Object > Certificate > My Certificates > Add (continued) LABEL DESCRIPTION Organization Identify the company or group to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
  • Page 586 32.10.3.2 The My Certificates Edit Screen Click Configuration > Object > Certificate > My Certificates and then the Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate’s name.
  • Page 587 The following table describes the labels in this screen. Table 251 Configuration > Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
  • Page 588: The My Certificates Import Screen

    Table 251 Configuration > Object > Certificate > My Certificates > Edit (continued) LABEL DESCRIPTION MD5 Fingerprint This is the certificate’s message digest that the ZyWALL/USG calculated using the MD5 algorithm. SHA1 Fingerprint This is the certificate’s message digest that the ZyWALL/USG calculated using the SHA1 algorithm.
  • Page 589: The Trusted Certificates Screen

    Figure 395 Configuration > Object > Certificate > My Certificates > Import The following table describes the labels in this screen. Table 252 Configuration > Object > Certificate > My Certificates > Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it.
  • Page 590: The Trusted Certificates Edit Screen

    The following table describes the labels in this screen. Table 253 Configuration > Object > Certificate > Trusted Certificates LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL/USG’s PKI storage space that is currently in use.
  • Page 591 Figure 397 Configuration > Object > Certificate > Trusted Certificates > Edit
  • Page 592 The following table describes the labels in this screen. Table 254 Configuration > Object > Certificate > Trusted Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificate. You can change the name. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
  • Page 593: The Trusted Certificates Import Screen

    Table 254 Configuration > Object > Certificate > Trusted Certificates > Edit (continued) LABEL DESCRIPTION Issuer This field displays identifying information about the certificate’s issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same information as in the Subject Name field.
  • Page 594: Certificates Technical Reference

    Figure 398 Configuration > Object > Certificate > Trusted Certificates > Import The following table describes the labels in this screen. Table 255 Configuration > Object > Certificate > Trusted Certificates > Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it.
  • Page 595: ISP Account Summary

    32.11.1 ISP Account Summary This screen provides a summary of ISP accounts in the ZyWALL/USG. To access this screen, click Configuration > Object > ISP Account. Figure 399 Configuration > Object > ISP Account The following table describes the labels in this screen. See the ISP Account Edit section below for more information as well.
  • Page 596 Figure 400 Configuration > Object > ISP Account > Edit The following table describes the labels in this screen. Table 257 Configuration > Object > ISP Account > Edit LABEL DESCRIPTION Profile Name This field is read-only if you are editing an existing account. Type in the profile name of the ISP account.
  • Page 597: SSL Application Overview

    Table 257 Configuration > Object > ISP Account > Edit (continued) LABEL DESCRIPTION Connection ID This field is available if this ISP account uses the PPTP protocol. Type your identification name for the PPTP server. This field can be blank. Service Name If this ISP account uses the PPPoE protocol, type the PPPoE service name to access.
  • Page 598 Remote User Screen Links Available SSL application names are displayed as links in remote user screens. Depending on the application type, remote users can simply click the links or follow the steps in the pop-up dialog box to access.
  • Page 599: The SSL Application Screen

    Click the Add button and select Web Application in the Type field. In the Server Type field, select Web Server. Enter a descriptive name in the Display Name field. For example, “CompanyIntranet”. In the URLAddress field, enter “http://my-info”. Select Web Page Encryption to prevent users from saving the web content.
  • Page 600 The following table describes the labels in this screen. Table 258 Configuration > Object > SSL Application LABEL DESCRIPTION Click this to create a new entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove.
  • Page 601 Figure 405 Configuration > Object > SSL Application > Add/Edit: File Sharing The following table describes the labels in this screen. Table 259 Configuration > Object > SSL Application > Add/Edit: Web Application/File Sharing LABEL DESCRIPTION Create new Use this to configure any new settings objects that you need to use in this screen.
  • Page 602: DHCPv6 Overview

    Table 259 Configuration > Object > SSL Application > Add/Edit: Web Application/File Sharing LABEL DESCRIPTION Preview This field only appears when you choose Web Application or File Sharing as the object type. This field displays if the Server Type is set to Web Server, OWA or Weblink. Note: If your Internet Explorer or other browser screen doesn’t show a preview, it may be due to your web browser security settings.
  • Page 603: The DHCPv6 Request Screen

    32.13.1 The DHCPv6 Request Screen The Request screen allows you to add, edit, and remove DHCPv6 request type objects. To access this screen, login to the Web Configurator, and click Configuration > Object > DHCPv6 > Request. Figure 406 Configuration >...
  • Page 604: The DHCPv6 Lease Screen

    The following table describes the labels in this screen. Table 261 Configuration > DHCPv6 > Request > Add LABEL DESCRIPTION Name Type the name for this request object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  • Page 605 Figure 409 Configuration > DHCPv6 > Lease > Add The following table describes the labels in this screen. Table 263 Configuration > DHCPv6 > Lease > Add LABEL DESCRIPTION Name Type the name for this lease object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 606: System

    Chapter 33 System 33.1 Overview Use the system screens to configure general ZyWALL/USG settings. 33.1.1 What You Can Do in this Chapter • Use the System > Host Name screen (see Section 33.2 on page 607) to configure a unique name for the ZyWALL/USG in your network. •...
  • Page 607: Host Name

    33.2 Host Name A host name is the unique name by which a device is known on a network. Click Configuration > System > Host Name to open the Host Name screen. Figure 410 Configuration > System > Host Name The following table describes the labels in this screen.
  • Page 608: Date And Time

    Figure 411 Configuration > System > USB Storage The following table describes the labels in this screen. Table 265 Configuration > System > USB Storage LABEL DESCRIPTION Activate USB storage service Select this if you want to use the connected USB device(s). Disk full warning Set a number and select a unit (MB or %) to have the ZyWALL/USG send a warning...
  • Page 609 Figure 412 Configuration > System > Date and Time The following table describes the labels in this screen. Table 266 Configuration > System > Date and Time LABEL DESCRIPTION Current Time and Date Current Time This field displays the present time of your ZyWALL/USG. Current Date This field displays the present date of your ZyWALL/USG.
  • Page 610 Table 266 Configuration > System > Date and Time (continued) LABEL DESCRIPTION Get from Time Server Select this radio button to have the ZyWALL/USG get the time and date from the time server you specify below. The ZyWALL/USG requests time and date settings from the time server under the following circumstances.
  • Page 611: Pre-Defined NTP Time Servers List

    33.4.1 Pre-defined NTP Time Servers List When you turn on the ZyWALL/USG for the first time, the date and time start at 2003-01-01 00:00:00. The ZyWALL/USG then attempts to synchronize with one of the following pre-defined Network Time Protocol (NTP) time servers.
  • Page 612: Console Port Speed

    Click Apply. To get the ZyWALL/USG date and time from a time server Click System > Date/Time. Select Get from Time Server under Time and Date Setup. Under Time Zone Setup, select your Time Zone from the list. As an option you can select the Enable Daylight Saving check box to adjust the ZyWALL/USG clock for daylight saving time.
  • Page 613: DNS Overview

    33.6 DNS Overview DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. 33.6.1 DNS Server Address Assignment The ZyWALL/USG can get the DNS server addresses in the following ways.
  • Page 614 Figure 415 Configuration > System > DNS The following table describes the labels in this screen. Table 269 Configuration > System > DNS LABEL DESCRIPTION Address/PTR Record This record specifies the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address.
  • Page 615 Table 269 Configuration > System > DNS (continued) LABEL DESCRIPTION FQDN This is a host’s fully qualified domain name. IP Address This is the IP address of a host. CNAME Record This record specifies an alias for a FQDN. Use this record to bind all subdomains with the same IP address as the FQDN without having to update each one individually, which increases the chance of errors.
  • Page 616: Address Record

    Chapter 33 System Table 269 Configuration > System > DNS (continued) LABEL DESCRIPTION Click this to create a new entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to remove it before doing so.
  • Page 617: Ptr Record

    Chapter 33 System 33.6.4 PTR Record A PTR (pointer) record is also called a reverse record or a reverse lookup record. It is a mapping of an IP address to a domain name. 33.6.5 Adding an Address/PTR Record Click the Add icon in the Address/PTR Record table to add an address/PTR record. Figure 416 Configuration >...
  • Page 618: Adding A Cname Record

    Chapter 33 System 33.6.7 Adding a CNAME Record Click the Add icon in the CNAME Record table to add a record. Use “*.” as a prefix for a wildcard domain name. For example *.zyxel.com. Figure 417 Configuration > System > DNS > CNAME Recrod > Add The following table describes the labels in this screen.
  • Page 619: Mx Record

    Chapter 33 System Figure 418 Configuration > System > DNS > Domain Zone Forwarder Add The following table describes the labels in this screen. Table 272 Configuration > System > DNS > Domain Zone Forwarder Add LABEL DESCRIPTION Domain Zone A domain zone is a fully qualified domain name without the host.
• Page 620: Adding an MX Record be delivered to your mail server and vice versa. On the ZyWALL/USG each host or domain can have only one MX record; that is, one domain maps to one host. 33.6.11 Adding an MX Record Click the Add icon in the MX Record table to add an MX record. Figure 419 Configuration >...
• Page 621: WWW Overview Table 274 Configuration > System > DNS > Service Control Rule Add (continued) LABEL DESCRIPTION Zone Select ALL to allow or prevent DNS queries through any zones. Select a predefined zone on which a DNS query to the ZyWALL/USG is allowed or denied. Action Select Accept to have the ZyWALL/USG allow the DNS queries from the specified computer.
• Page 622: HTTPS 33.7.3 HTTPS You can set the ZyWALL/USG to use HTTP or HTTPS (HTTPS adds security) for Web Configurator sessions. Specify which zones allow Web Configurator access and from which IP address the access can come. HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is HTTP carried inside an SSL/TLS session: the login credentials and every page of the Web Configurator session are encrypted in transit, and the server is authenticated by its certificate. Plain HTTP sends the administrator password in clear text, so restrict HTTP to trusted zones or use HTTPS only.
• Page 623: Configuring WWW Service Control 33.7.4 Configuring WWW Service Control Click Configuration > System > WWW to open the WWW screen. Use this screen to specify from which zones you can access the ZyWALL/USG using HTTP or HTTPS. You can also specify which IP addresses the access can come from.
• Page 624 The following table describes the labels in this screen. Table 275 Configuration > System > WWW > Service Control LABEL DESCRIPTION HTTPS Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL/USG Web Configurator using secure HTTPS connections.
• Page 625: Service Control Rules Table 275 Configuration > System > WWW > Service Control (continued) LABEL DESCRIPTION Server Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service to access the ZyWALL/USG. Admin/User Service Control Admin Service Control specifies from which zones an administrator can use HTTP to...
• Page 626: Customizing the WWW Login Page The following table describes the labels in this screen. Table 276 Configuration > System > Service Control Rule > Edit LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen. Address Object Select ALL to allow or deny any computer to communicate with the ZyWALL/USG using this...
  • Page 627 Chapter 33 System Figure 424 Configuration > System > WWW > Login Page The following figures identify the parts you can customize in the login and access pages. ZyWALL/USG Series User’s Guide...
• Page 628 Figure 425 Login Page Customization (customizable parts: Title, Logo, Message (color of all text), Background, Note Message (last line of text)). Figure 426 Access Page Customization (customizable parts: Logo, Title, Message (color of all text), Note Message (last line of text), Window Background). You can specify colors in one of the following ways:...
• Page 629 • Enter a pound sign (#) followed by the six-digit hexadecimal number that represents the desired color. For example, use "#000000" for black. • Enter "rgb" followed by red, green, and blue values in parentheses, separated by commas. For example, use "rgb(0,0,0)"...
• Page 630: HTTPS Example Table 277 Configuration > System > WWW > Login Page LABEL DESCRIPTION Background Set how the window's background looks. To use a graphic, select Picture and upload a graphic. Specify the location and file name of the logo graphic or click Browse to locate it. The picture's size cannot be over 438 x 337 pixels.
  • Page 631 Chapter 33 System Figure 428 Security Certificate 1 (Firefox) Figure 429 Security Certificate 2 (Firefox) 33.7.7.3 Avoiding Browser Warning Messages Here are the main reasons your browser displays warnings about the ZyWALL/USG’s HTTPS server certificate and what you can do to avoid seeing the warnings: •...
  • Page 632 Chapter 33 System Figure 430 Login Screen (Internet Explorer) 33.7.7.5 Enrolling and Importing SSL Client Certificates The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL/ USG. You must have imported at least one trusted CA to the ZyWALL/USG in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details).
  • Page 633 Chapter 33 System Figure 432 CA Certificate Example Click Install Certificate and follow the wizard as shown earlier in this appendix. 33.7.7.5.2 Installing Your Personal Certificate(s) You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment.
  • Page 634 Chapter 33 System Figure 433 Personal Certificate Import Wizard 1 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 434 Personal Certificate Import Wizard 2 Enter the password given to you by the CA.
  • Page 635 Chapter 33 System Figure 435 Personal Certificate Import Wizard 3 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location. Figure 436 Personal Certificate Import Wizard 4 Click Finish to complete the wizard and begin the import process.
  • Page 636 Chapter 33 System Figure 437 Personal Certificate Import Wizard 5 You should see the following screen when the certificate is correctly installed on your computer. Figure 438 Personal Certificate Import Wizard 6 33.7.7.6 Using a Certificate When Accessing the ZyWALL/USG Example Use the following procedure to access the ZyWALL/USG via HTTPS.
• Page 637: SSH Figure 440 SSL Client Authentication You next see the Web Configurator login screen. Figure 441 Secure Web Configurator Login Screen 33.8 SSH You can use SSH (Secure SHell) to securely access the ZyWALL/USG's command line interface. Specify which zones allow SSH access and from which IP address the access can come. SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network.
• Page 638: How SSH Works Figure 442 SSH Communication Over the WAN Example 33.8.1 How SSH Works The following figure is an example of how a secure connection is established between two remote hosts using SSH v1. Figure 443 How SSH v1 Works Example Host Identification The SSH client sends a connection request to the SSH server.
• Page 639: SSH Implementation on the ZyWALL/USG 33.8.2 SSH Implementation on the ZyWALL/USG Your ZyWALL/USG supports SSH versions 1 and 2 using RSA authentication and four encryption methods (AES, 3DES, Arcfour, and Blowfish). The SSH server is implemented on the ZyWALL/USG for management using port 22 (by default). SSH version 1 has known protocol weaknesses and current OpenSSH releases no longer speak it; connect with version 2 clients and prefer AES over the older ciphers. 33.8.3 Requirements for Using SSH You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the ZyWALL/USG over SSH.
• Page 640: Secure Telnet Using SSH Examples Table 278 Configuration > System > SSH (continued) LABEL DESCRIPTION Add Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Refer to Table 276 on page 626 for details on the screen that opens.
• Page 641: Telnet 33.8.5.2 Example 2: Linux This section describes how to access the ZyWALL/USG using the OpenSSH client program that comes with most Linux distributions. Test whether the SSH service is available on the ZyWALL/USG. Enter "telnet 192.168.1.1 22" at a terminal prompt and press [ENTER]. The computer attempts to connect to port 22 on the ZyWALL/USG (using the default IP address of 192.168.1.1).
  • Page 642 Chapter 33 System Figure 448 Configuration > System > TELNET The following table describes the labels in this screen. Table 279 Configuration > System > TELNET LABEL DESCRIPTION Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL/USG CLI using this service.
• Page 643: FTP 33.10 FTP You can upload and download the ZyWALL/USG's firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. FTP sends the login name, the password and the transferred configuration file in clear text, so limit FTP access to trusted zones and addresses with the service control rules on this screen, or use the Web Configurator over HTTPS for uploads instead. 33.10.1 Configuring FTP To change your ZyWALL/USG's FTP settings, click Configuration > System > FTP tab. The screen appears as shown.
• Page 644: SNMP Table 280 Configuration > System > FTP (continued) LABEL DESCRIPTION Remove To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
• Page 645: Supported MIBs Figure 450 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL/USG). An agent translates the local management information from the managed device into a form compatible with SNMP.
• Page 646: SNMP Traps administrators collect statistical data and monitor status and performance. You can download the ZyWALL/USG's MIBs from www.zyxel.com. 33.11.2 SNMP Traps The ZyWALL/USG will send traps to the SNMP manager when any one of the following events occurs. Table 281 SNMP Traps OBJECT LABEL OBJECT ID...
  • Page 647 Chapter 33 System Figure 451 Configuration > System > SNMP The following table describes the labels in this screen. Table 282 Configuration > System > SNMP LABEL DESCRIPTION Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL/USG using this service.
• Page 648: Language Screen Table 282 Configuration > System > SNMP (continued) LABEL DESCRIPTION # This is the index number of the service control rule. The entry with a hyphen (-) instead of a number is the ZyWALL/USG's (non-configurable) default policy. The ZyWALL/USG applies this to traffic that does not match any other configured rule.
  • Page 649 Chapter 33 System Figure 453 Configuration > System > IPv6 The following table describes the labels in this screen. Table 284 Configuration > System > IPv6 LABEL DESCRIPTION Enable IPv6 Select this to have the ZyWALL/USG support IPv6 and make IPv6 settings be available on the screens that the functions support, such as the Configuration >...
• Page 650: Chapter 34 Log and Report Chapter 34 Log and Report 34.1 Overview Use these screens to configure daily reporting and log settings. 34.1.1 What You Can Do In this Chapter • Use the Email Daily Report screen (Section 34.2 on page 650) to configure where and how to send daily reports and what reports to send.
• Page 651 Figure 454 Configuration > Log & Report > Email Daily Report
• Page 652: Log Setting Screens The following table describes the labels in this screen. Table 285 Configuration > Log & Report > Email Daily Report LABEL DESCRIPTION Enable Email Daily Report Select this to send reports by e-mail every day. Mail Server Type the name or IP address of the outgoing SMTP server.
• Page 653: Log Setting Summary to the specific destinations. You can also have the ZyWALL/USG store system logs on a connected USB storage device. The other four logs are stored on specified syslog servers. The Log Setting screens control what information the ZyWALL/USG saves in each log. You can also specify which log messages to e-mail for the system log, and where and how often to e-mail them.
• Page 654: Edit System Log Settings Table 286 Configuration > Log & Report > Log Setting (continued) LABEL DESCRIPTION Log Format This field displays the format of the log. Internal - system log; you can view the log on the View Log tab. VRPT/Syslog - ZyXEL's Vantage Report, syslog-compatible format.
• Page 655 Figure 456 Configuration > Log & Report > Log Setting > Edit (System Log - E-mail Servers)
• Page 656 Figure 457 Configuration > Log & Report > Log Setting > Edit (System Log - AC)
  • Page 657 Chapter 34 Log and Report Figure 458 Configuration > Log & Report > Log Setting > Edit (System Log - AP) The following table describes the labels in this screen. Table 287 Configuration > Log & Report > Log Setting > Edit (System Log) LABEL DESCRIPTION E-Mail Server 1/2...
  • Page 658 Chapter 34 Log and Report Table 287 Configuration > Log & Report > Log Setting > Edit (System Log) (continued) LABEL DESCRIPTION SMTP Select this check box if it is necessary to provide a user name and password to the Authentication SMTP server.
• Page 659: Edit Log on USB Storage Setting Table 287 Configuration > Log & Report > Log Setting > Edit (System Log) (continued) LABEL DESCRIPTION E-mail Server 1 Select whether each category of events should be included in the log messages when it is e-mailed (green check mark) and/or in alerts (red exclamation point) for the e-mail settings specified in E-Mail Server 1.
• Page 660 Figure 459 Configuration > Log & Report > Log Setting > Edit (USB Storage)
• Page 661: Edit Remote Server Log Settings The following table describes the labels in this screen. Table 288 Configuration > Log & Report > Log Setting > Edit (USB Storage) LABEL DESCRIPTION Duplicate logs to USB storage (if ...) Select this to have the ZyWALL/USG save a copy of its system logs to a connected USB storage device.
• Page 662 Figure 460 Configuration > Log & Report > Log Setting > Edit (Remote Server - AC)
  • Page 663 Chapter 34 Log and Report Configuration > Log & Report > Log Setting > Edit (Remote Server - AP) The following table describes the labels in this screen. Table 289 Configuration > Log & Report > Log Setting > Edit (Remote Server) LABEL DESCRIPTION Log Settings for...
• Page 664: Log Category Settings Screen Table 289 Configuration > Log & Report > Log Setting > Edit (Remote Server) (continued) LABEL DESCRIPTION # This field is a sequential value, and it is not associated with a specific address. Category This field displays each category of messages. It is the same value used in the Display and Category fields in the View Log tab.
• Page 665 Figure 461 Log Category Settings AC
• Page 666 Figure 462 Log Category Settings AP This screen provides a different view and a different way of indicating which messages are included in each log and each alert. Please see Section 34.3.2 on page 654, where this process is discussed. (The Default category includes debugging messages generated by open source software.)
  • Page 667 Chapter 34 Log and Report The following table describes the fields in this screen. Table 290 Configuration > Log & Report > Log Setting > Log Category Settings LABEL DESCRIPTION System Log Use the System Log drop-down list to change the log settings for all of the log categories. disable all logs (red X) - do not log any information for any category for the system log or e-mail any logs to e-mail server 1 or 2.
  • Page 668 Chapter 34 Log and Report Table 290 Configuration > Log & Report > Log Setting > Log Category Settings (continued) LABEL DESCRIPTION System Log Select which events you want to log by Log Category. There are three choices: disable all logs (red X) - do not log any information from this category enable normal logs (green check mark) - create log messages and alerts from this category enable normal logs and debug logs (yellow check mark) - create log messages, alerts,...
• Page 669: Chapter 35 File Manager Chapter 35 File Manager 35.1 Overview Configuration files define the ZyWALL/USG's settings. Shell scripts are files of commands that you can store on the ZyWALL/USG and run when you need them. You can apply a configuration file or run a shell script without the ZyWALL/USG restarting. You can store multiple configuration files and shell script files on the ZyWALL/USG.
• Page 670: Comments in Configuration Files or Shell Scripts These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below. Figure 463 Configuration File / Shell Script: Example
# enter configuration mode
configure terminal
# change administrator password
username admin password 4321 user-type admin
# configure ge3
...
Note that a file like this carries the administrator password in clear text; treat stored configuration files and shell scripts, and any copies you download over FTP or attach to a support case, as secrets.
• Page 671: The Configuration File Screen Line 3 in the following example exits sub command mode.
interface ge1
ip address dhcp
Lines 1 and 3 in the following example are comments and line 4 exits sub command mode.
interface ge1
# this interface is a DHCP client
Lines 1 and 2 are comments.
  • Page 672 Chapter 35 File Manager Configuration File Flow at Restart • If there is not a startup-config.conf when you restart the ZyWALL/USG (whether through a management interface or by physically turning the power off and back on), the ZyWALL/USG uses the system-default.conf configuration file with the ZyWALL/USG’s default settings. •...
  • Page 673 Chapter 35 File Manager The following table describes the labels in this screen. Table 292 Maintenance > File Manager > Configuration File LABEL DESCRIPTION Rename Use this button to change the label of a configuration file on the ZyWALL/USG. You can only rename manually saved configuration files.
  • Page 674 Chapter 35 File Manager Table 292 Maintenance > File Manager > Configuration File (continued) LABEL DESCRIPTION Apply Use this button to have the ZyWALL/USG use a specific configuration file. Click a configuration file’s row to select it and click Apply to have the ZyWALL/USG use that configuration file.
• Page 675: The Firmware Package Screen Table 292 Maintenance > File Manager > Configuration File (continued) LABEL DESCRIPTION File Name This column displays the label that identifies a configuration file. You cannot delete the following configuration files or change their file names. The system-default.conf file contains the ZyWALL/USG's default settings.
  • Page 676 Chapter 35 File Manager the Destroy compressed files that could not be decompressed option while you download the firmware package. See Section 28.2.1 on page 472 for more on the anti-virus Destroy compressed files that could not be decompressed option. The firmware update can take up to five minutes.
• Page 677: The Shell Script Screen Table 293 Maintenance > File Manager > Firmware Package (continued) LABEL DESCRIPTION Browse... Click Browse... to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them. Upload Click Upload to begin the upload process.
  • Page 678 Chapter 35 File Manager Figure 472 Maintenance > File Manager > Shell Script Each field is described in the following table. Table 294 Maintenance > File Manager > Shell Script LABEL DESCRIPTION Rename Use this button to change the label of a shell script file on the ZyWALL/USG. You cannot rename a shell script to the name of another shell script in the ZyWALL/USG.
  • Page 679 Chapter 35 File Manager Table 294 Maintenance > File Manager > Shell Script (continued) LABEL DESCRIPTION Copy Use this button to save a duplicate of a shell script file on the ZyWALL/USG. Click a shell script file’s row to select it and click Copy to open the Copy File screen. Figure 474 Maintenance >...
• Page 680: Chapter 36 Diagnostics Chapter 36 Diagnostics 36.1 Overview Use the diagnostics screens for troubleshooting. 36.1.1 What You Can Do in this Chapter • Use the Diagnostics screen (see Section 36.2 on page 680) to generate a file containing the ZyWALL/USG's configuration and diagnostic information if you need to provide it to customer support during troubleshooting. Because this file includes the configuration, handle it as sensitive data.
• Page 681: The Diagnostics Files Screen The following table describes the labels in this screen. Table 295 Maintenance > Diagnostics LABEL DESCRIPTION Filename This is the name of the most recently created diagnostic file. Last modified This is the date and time that the last diagnostic file was created. The format is yyyy-mm-dd hh:mm:ss.
• Page 682: The Packet Capture Screen Table 296 Maintenance > Diagnostics > Files (continued) LABEL DESCRIPTION File Name This column displays the label that identifies the file. Size This column displays the size (in bytes) of a file. Last Modified This column displays the date and time that the individual files were saved. 36.3 The Packet Capture Screen Use this screen to capture network traffic going through the ZyWALL/USG's interfaces.
  • Page 683 Chapter 36 Diagnostics Figure 477 Maintenance > Diagnostics > Packet Capture The following table describes the labels in this screen. Table 297 Maintenance > Diagnostics > Packet Capture LABEL DESCRIPTION Interfaces Enabled interfaces (except for virtual interfaces) appear under Available Interfaces.
• Page 684 Table 297 Maintenance > Diagnostics > Packet Capture (continued) LABEL DESCRIPTION Host Port This field is configurable when you set the IP Type to any, tcp, or udp. Specify the port number of traffic to capture. Continuously capture and overwrite old ones Select this to have the ZyWALL/USG keep capturing traffic and overwriting old packet capture entries when the available storage space runs out.
• Page 685: The Packet Capture Files Screen Table 297 Maintenance > Diagnostics > Packet Capture (continued) LABEL DESCRIPTION Capture Click this button to have the ZyWALL/USG capture packets according to the settings configured in this screen. You can configure the ZyWALL/USG while a packet capture is in progress although you cannot modify the packet capture settings.
• Page 686: The System Log Screen Table 298 Maintenance > Diagnostics > Packet Capture > Files (continued) LABEL DESCRIPTION # This column displays the number for each packet capture file entry. The total number of packet capture files that you can save depends on the file sizes and the available flash storage space.
• Page 687: Packet Flow Explore Chapter 37 Packet Flow Explore 37.1 Overview Use this to get a clear picture of how the ZyWALL/USG determines where to forward a packet and how to change the source IP address of the packet according to your current settings. This function provides you a summary of all your routing and SNAT settings and helps troubleshoot any related problems.
• Page 688 Figure 480 Maintenance > Packet Flow Explore > Routing Status (Direct Route) Figure 481 Maintenance > Packet Flow Explore > Dynamic VPN Figure 482 Maintenance > Packet Flow Explore > Routing Status (Policy Route)
• Page 689 Figure 483 Maintenance > Packet Flow Explore > Routing Status (1-1 SNAT) Figure 484 Maintenance > Packet Flow Explore > Routing Status (SiteToSite VPN) Figure 485 Maintenance > Packet Flow Explore > Routing Status (Dynamic VPN)
• Page 690 Figure 486 Maintenance > Packet Flow Explore > Routing Status (Static-Dynamic Route) Figure 487 Maintenance > Packet Flow Explore > Routing Status (Default WAN Trunk) Figure 488 Maintenance > Packet Flow Explore > Routing Status (Main Route)
  • Page 691 Chapter 37 Packet Flow Explore The following table describes the labels in this screen. Table 300 Maintenance > Packet Flow Explore > Routing Status LABEL DESCRIPTION Routing Flow This section shows you the flow of how the ZyWALL/USG determines where to route a packet.
• Page 692: The SNAT Status Screen Table 300 Maintenance > Packet Flow Explore > Routing Status (continued) LABEL DESCRIPTION Outgoing This is the name of an interface which transmits packets out of the ZyWALL/USG. Gateway This is the IP address of the gateway in the same network as the outgoing interface. The following fields are available if you click Dynamic VPN or SiteToSite VPN in the Routing Flow section.
  • Page 693 Chapter 37 Packet Flow Explore Figure 490 Maintenance > Packet Flow Explore > SNAT Status (1-1 SNAT) Figure 491 Maintenance > Packet Flow Explore > SNAT Status (Loopback SNAT) Figure 492 Maintenance > Packet Flow Explore > SNAT Status (Default SNAT) The following table describes the labels in this screen.
  • Page 694 Chapter 37 Packet Flow Explore Table 301 Maintenance > Packet Flow Explore > SNAT Status (continued) LABEL DESCRIPTION This field is a sequential value, and it is not associated with any entry. NAT Rule This is the name of an activated NAT rule which uses SNAT. Source This is the original source IP address(es).
• Page 695: Chapter 38 Shutdown Chapter 38 Shutdown 38.1 Overview Use this to shut down the device in preparation for disconnecting the power. See also Section on page 38 for information on different ways to start and stop the ZyWALL/USG. Always use the Maintenance > Shutdown > Shutdown screen or the "shutdown"...
• Page 696: Chapter 39 Troubleshooting Chapter 39 Troubleshooting This chapter offers some suggestions to solve problems you might encounter. • You can also refer to the logs (see Chapter 6 on page 136). • For the order in which the ZyWALL/USG applies its features and checks, see Chapter 37 on page 687.
  • Page 697 Chapter 39 Troubleshooting • Check the ZyWALL/USG’s connection to the Ethernet jack with Internet access. Make sure the Internet gateway device (such as a DSL modem) is working properly. • Check the WAN interface's status in the Dashboard. Use the installation setup wizard again and make sure that you enter the correct settings.
  • Page 698 Chapter 39 Troubleshooting The ZyWALL/USG checks the policy routes in the order that they are listed. So make sure that your custom policy route comes before any other routes that the traffic would also match. The ZyWALL/USG is not applying the custom security policy I configured. The ZyWALL/USG checks the security policies in the order that they are listed.
  • Page 699 Chapter 39 Troubleshooting The data rates through my cellular connection are no-where near the rates I expected. The actual cellular data rate you obtain varies depending on the cellular device you use, the signal strength to the service provider’s base station, and so on. I created a cellular interface but cannot connect through it.
  • Page 700 Chapter 39 Troubleshooting The ZyWALL/USG is not applying my application patrol bandwidth management settings. Bandwidth management in policy routes has priority over application patrol bandwidth management. The ZyWALL/USG’s performance slowed down after I configured many new application patrol entries. The ZyWALL/USG checks the ports and conditions configured in application patrol entries in the order they appear in the list.
  • Page 701 Chapter 39 Troubleshooting Depending on your network topology and traffic load, binding every packet direction to an IDP profile may affect the ZyWALL/USG’s performance. You may want to focus IDP scanning on certain traffic directions such as incoming traffic. IDP is dropping traffic that matches a rule that says no action should be taken. The ZyWALL/USG checks all signatures and continues searching even after a match is found.
  • Page 702 Chapter 39 Troubleshooting I cannot get Dynamic DNS to work. • You must have a public WAN IP address to use Dynamic DNS. • Make sure you recorded your DDNS account’s user name, password, and domain name and have entered them properly in the ZyWALL/USG. •...
  • Page 703 Chapter 39 Troubleshooting You can set the ZyWALL/USG’s security policy to permit the use of asymmetrical route topology on the network (so it does not reset the connection) although this is not recommended since allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL/USG.
  • Page 704 Chapter 39 Troubleshooting • Make sure regular security policies allow traffic between the VPN tunnel and the rest of the network. Regular security policies check packets the ZyWALL/USG sends before the ZyWALL/USG encrypts them and check packets the ZyWALL/USG receives after the ZyWALL/USG decrypts them.
  • Page 705 Chapter 39 Troubleshooting I changed the LAN IP address and can no longer access the Internet. The ZyWALL/USG automatically updates address objects based on an interface’s IP address, subnet, or gateway if the interface’s IP address settings change. However, you need to manually edit any address objects for your LAN that are not based on the interface.
  • Page 706 Chapter 39 Troubleshooting I cannot add the default admin account to a user group. You cannot put the default admin account into any user group. The schedule I configured is not being applied at the configured times. Make sure the ZyWALL/USG’s current date and time are correct. I cannot get a certificate to import into the ZyWALL/USG.
  • Page 707 Chapter 39 Troubleshooting I uploaded a logo to display on the upper left corner of the Web Configurator login screen and access page but it does not display properly. Make sure the logo file is a GIF, JPG, or PNG of 100 kilobytes or less. I uploaded a logo to use as the screen or window background but it does not display properly.
• Page 708: Resetting the ZyWALL/USG The Web Configurator is the recommended method for uploading firmware. You only need to use the command line interface if you need to recover the firmware. See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it. My packet capture captured less than I wanted or failed.
• Page 709: Getting More Troubleshooting Help 39.2 Getting More Troubleshooting Help Search for support information for your model at www.zyxel.com for more troubleshooting suggestions.
• Page 710: Appendix A Customer Support • Brief description of the problem and the steps you took to solve it. Corporate Headquarters (Worldwide) Taiwan • ZyXEL Communications Corporation • http://www.zyxel.com Asia China • ZyXEL Communications (Shanghai) Corp. ZyXEL Communications (Beijing) Corp. ZyXEL Communications (Tianjin) Corp. • http://www.zyxel.cn India • ZyXEL Technology India Pvt Ltd • http://www.zyxel.in Kazakhstan •...
  • Page 711 • ZyXEL Singapore Pte Ltd. • http://www.zyxel.com.sg Taiwan • ZyXEL Communications Corporation • http://www.zyxel.com Thailand • ZyXEL Thailand Co., Ltd • http://www.zyxel.co.th Vietnam • ZyXEL Communications Corporation-Vietnam Office • http://www.zyxel.com/vn/vi Europe Austria • ZyXEL Deutschland GmbH • http://www.zyxel.de Belarus • ZyXEL BY • http://www.zyxel.by...
  • Page 712 Appendix A Customer Support Belgium • ZyXEL Communications B.V. • http://www.zyxel.com/be/nl/ Bulgaria • ZyXEL България • http://www.zyxel.com/bg/bg/ Czech • ZyXEL Communications Czech s.r.o • http://www.zyxel.cz Denmark • ZyXEL Communications A/S • http://www.zyxel.dk Estonia • ZyXEL Estonia • http://www.zyxel.com/ee/et/ Finland • ZyXEL Communications •...
  • Page 713 • ZyXEL Communications Poland • http://www.zyxel.pl Romania • ZyXEL Romania • http://www.zyxel.com/ro/ro Russia • ZyXEL Russia • http://www.zyxel.ru Slovakia • ZyXEL Communications Czech s.r.o. organizacna zlozka • http://www.zyxel.sk Spain • ZyXEL Spain • http://www.zyxel.es Sweden • ZyXEL Communications • http://www.zyxel.se Switzerland •...
  • Page 714 Ecuador • ZyXEL Communication Corporation • http://www.zyxel.com/ec/es/ Middle East Egypt • ZyXEL Communication Corporation • http://www.zyxel.com/homepage.shtml Middle East • ZyXEL Communication Corporation • http://www.zyxel.com/homepage.shtml North America • ZyXEL Communications, Inc. - North America Headquarters • http://www.us.zyxel.com/ ...
  • Page 715 Appendix A Customer Support Oceania Australia • ZyXEL Communications Corporation • http://www.zyxel.com/au/en/ Africa South Africa • Nology (Pty) Ltd. • http://www.zyxel.co.za ...
  • Page 716: Appendix B Legal Information

    The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved.
  • Page 717 Appendix B Legal Information b) Off mode power consumption < 0.5W Certifications (Class A) Model List: USG40, USG40W, USG60, USG60W Federal Communications Commission (FCC) Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: This device may not cause harmful interference.
  • Page 718 Appendix B Legal Information Registration Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at www.us.zyxel.com for North American products. Open Source Licenses This product contains in part some free software distributed under GPL license terms and/or GPL like licenses. Open source licenses are provided with the firmware package.
  • Page 719 Appendix B Legal Information [Norwegian] ZyXEL hereby declares that this equipment is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. [Romanian] ZyXEL hereby declares that this equipment complies with the essential requirements and other relevant provisions of Directive 1999/5/EC.
  • Page 720: Safety Warnings

    Appendix B Legal Information The outdoor usage of the 2.4 GHz band requires an authorization from the Electronic Communications Office. Please check http://www.esd.lv for more details. (The same notice is also given in Latvian.) Notes: 1.
  • Page 721 Appendix B Legal Information • Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning. • CAUTION: RISK OF EXPLOSION IF BATTERY (on the motherboard) IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.
  • Page 722: Index

    Index Index logging in Symbols multiple logins see also users Web Configurator access users, see also force user authentication policies Numbers account user 518, 602 3322 Dynamic DNS accounting server 3DES Active Directory, see AD 6in4 tunneling active protocol 6to4 tunneling and encapsulation active sessions 90, 110...
  • Page 723 Index RANGE log options SUBNET mail scan types of mail sessions threshold POP2 address record POP3 admin user registration status troubleshooting 705, 706 regular expressions admin users SMTP multiple logins status see also users white list 476, 480, 485, 486 anti-virus 468, 469 false negatives...
  • Page 724 Index ASAS (Authenex Strong Authentication System) asymmetrical routes backdoor attacks allowing through the security policy backing up configuration files vs virtual interfaces bandwidth attacks egress 188, 197 access control ingress 188, 197 backdoor bandwidth limit buffer overflow troubleshooting Denial of Service (DoS) bandwidth management DoS/DDoS maximize bandwidth usage...
  • Page 725 Index signal quality messages 117, 118 SIM card popup window status Reference Guide system client troubleshooting cluster ID certificate commands troubleshooting sent by Web Configurator Certificate Authority (CA) Common Event Format (CEF) 654, 663 see certificates compression (stac) Certificate Revocation List (CRL) computer names 170, 208, 219, 225, 406 vs OCSP...
  • Page 726 Index and address objects daylight savings 428, 429 and registration DDNS 431, 434 and schedules backup mail exchanger 428, 429 and user groups mail exchanger and users service providers by category troubleshooting 428, 429, 435 by keyword (in URL) 429, 439 DDoS attacks by URL 429, 438, 440, 441...
  • Page 727 Index Diffie-Hellman key group DiffServ Digital Signature Algorithm public-key algorithm, e-Donkey see DSA egress bandwidth 188, 197 direct routes e-mail directory daily statistics report directory service header buffer file structure headers virus disclaimer e-Mule Distinguished Name (DN) 570, 571, 573 Encapsulating Security Payload, see ESP Distributed Denial of Service (DDoS) attacks encapsulation...
  • Page 728 Index false negatives Generic Routing Encapsulation, see GRE. 328, 446 false positives global SSL setting 328, 331, 332, 446 user portal logo FCC interference statement 716, 717 file decompression (in anti-virus) file extensions configuration files Guide shell scripts CLI Reference Quick Start file infector file manager...
  • Page 729 Index and to-ZyWALL security policy authentication algorithms 366, 367 content ICMP Dead Peer Detection (DPD) code Diffie-Hellman key group sequence number encryption algorithms type extended authentication identification (IP) ID type identifying IP address, remote IPSec router legitimate e-mail IP address, ZyXEL device spam local identity main mode...
  • Page 730 Index as DHCP relays IP security option as DHCP servers IP static routes, see static routes 224, 607 auxiliary, see also auxiliary interfaces. IP stream identifier backup, see trunks IP v4 packet headers bandwidth management 224, 232, 233 IP/MAC binding bridge, see also bridge interfaces.
  • Page 731 Index authentication algorithms 366, 367 destination NAT for inbound traffic encapsulation Java encryption algorithms permissions local policy JavaScripts NAT for inbound traffic NAT for outbound traffic Perfect Forward Secrecy (PFS) proposal remote policy search by name key pairs search by policy Security Parameter Index (SPI) (manual keys) see also IPSec...
  • Page 732 Index load balancing macro virus algorithms mail sessions threshold 227, 231, 233 DNS inbound managed web pages least load first management access round robin troubleshooting see also trunks management access and device HA session-oriented Management Information Base (MIB) spillover weighted round robin memory usage local user database Message Digest 5, see MD5...
  • Page 733 Index certificates schedules services and service groups 245, 263 SSL application ALG, see ALG users, user groups 518, 602 and address objects offset (patterns) and address objects (HOST) One-Time Password (OTP) and ALG 274, 276 and interfaces Online Certificate Status Protocol (OCSP) and policy routes vs CRL 235, 242...
  • Page 734 Index other documentation policy routes actions OTP (One-Time Password) and address objects outgoing bandwidth 188, 197 and ALG 276, 280 and HTTP redirect and interfaces and NAT and schedules 241, 412, 415 and service objects P2P (Peer-to-peer) and trunks attacks 227, 241 and user groups see also Peer-to-peer...
  • Page 735 Index prefix delegation sender 334, 448, 450, 498 problems related documentation product registration Relative Distinguished Name (RDN) 570, 571, 573 profiles remote access IPSec packet inspection Remote Authentication Dial-In User Service, see RADIUS proxy servers web, see web proxy servers remote desktop connections PTR record Remote Desktop Protocol...
  • Page 736 Index and to-ZyWALL security policy and ALG 274, 276 authentication and application patrol direction and H.323 (ALG) redistribute and HTTP redirect RIP-2 broadcasting methods and IPSec VPN versions and logs vs OSPF and NAT and schedules Rivest, Shamir and Adleman public-key algorithm 307, 326, 412, 415 (RSA) and service groups...
  • Page 737 Index sessions troubleshooting sessions usage SNMP 644, 645 agents severity (IDP) 446, 449 and address groups SHA1 and address objects shell script and zones troubleshooting shell scripts GetNext and users Manager downloading managers editing how applied network components managing syntax Trap uploading traps...
  • Page 738 Index global setting and OSPF IP pool and RIP network list metric remote user login statistics remote user logout anti-virus SecuExtender content filtering see also SSL VPN daily e-mail report troubleshooting user application screens traffic user file sharing status user screen bookmarks streaming protocols management user screens 386, 390...
  • Page 739 Index Telnet DDNS and address groups device access and address objects ext-user and zones firmware package with SSH firmware upload throughput rate H.323 troubleshooting HTTP redirect TightVNC 697, 701 time IDP signatures update time servers (default) interface time to live Internet access 696, 705 timestamp...
  • Page 740 Index links logo see SSL user screens 386, 390 user sessions, see sessions attack packet 334, 448, 450, 498 user SSL screens messages 386, 390 access methods port numbers bookmarks UltraVNC certificates Universal Plug and Play login Application logout security issues required information unsafe web pages system requirements...
  • Page 741 Index security associations (SA) see also IKE SA see also IPSec Vantage Report (VRPT) 654, 663 see also IPSec SA virtual interfaces 150, 221 status basic characteristics troubleshooting not DHCP clients VPN concentrator types of advantages vs asymmetrical routes and IPSec SA policy enforcement vs triangle routes disadvantages Virtual Local Area Network, see VLAN.
  • Page 742 Index Wi-Fi Protected Access Windows Internet Naming Service, see WINS Windows Internet Naming Service, see WINS. Windows Remote Desktop WINS 170, 208, 219, 225, 379 in L2TP VPN WINS server 170, 406 Wireshark Wizard Setup 39, 52 WLAN troubleshooting user accounts WLAN interfaces worm 452, 469...