ZyXEL Communications ZyWALL 110 Handbook & Instructions

ZyWALL/USG Series
ZyWALL 110 / 310 / 1100
USG40 / USG40W / USG60 / USG60W / USG110 /
USG210 / USG310 / USG1100 / USG1900
Security Firewalls
Firmware Version 4.13 ~ 4.15
Edition 1, 7/2016
Handbook
Default Login Details
LAN Port IP Address: https://192.168.1.1
User Name: admin
Password: 1234
Copyright © 2016 ZyXEL Communications Corporation
www.zyxel.com
1/255

Summary of Contents for ZyXEL Communications ZyWALL 110

  • Page 2: Table of Contents

    How to Configure Site-to-site IPSec VPN with Amazon VPC ... 8
    Set Up the IPSec VPN Tunnel on the Amazon VPC ... 9
    Set Up the IPSec VPN Tunnel on the ZyWALL/USG ... 13
    Test the IPSec VPN Tunnel ... 17
    What Could Go Wrong? ...
  • Page 3
    Test the SSL VPN ... 60
    How to Configure an SSL VPN Tunnel (with SecuExtender version 4.0.0.1) on the Windows 10 Operating System ... 64
    Set up the SSL VPN Tunnel with Windows 10 ... 64
    What Can Go Wrong? ... 68
    How to redirect multiple LAN interface traffic to the VPN tunnel ...
  • Page 4
    Mobile Phone ... 120
    Set Up the L2TP VPN Tunnel on the Android Mobile Device ... 121
    Test the L2TP over IPSec VPN Tunnel ... 124
    What Could Go Wrong? ... 126
    How to Import ZyWALL/USG Certificate for L2TP over IPsec in iOS mobile phone ...
  • Page 5
    How to set up Link Aggregation Group (LAG) ... 160
    Set up the Active-backup, 802.3ad, Balance-alb ... 160
    Set up the active-backup mode ... 164
    Test the Result ... 166
    What can go wrong ... 166
    How to Restrict Web Portal access from the Internet ... 167
    Set Up the ZyWALL/USG System Setting ...
  • Page 6
    Set up Wi-Fi VLAN interfaces ... 195
    Test result ... 202
    What could go wrong ... 203
    How to Activate a Free Access Hotspot ... 205
    Set up the Free Access Hotspot ... 206
    Test the User Agreement and Advertisement Webpage ... 208
    What could Go Wrong? ...
  • Page 7
    Set Up the Schedule Run ... 253
    Check the Result ... 254
  • Page 8: How to Configure Site-to-site IPSec VPN with Amazon VPC

    This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and an Amazon VPC. It walks through the tunnel configuration at each site; once the tunnel is up, each site can reach the other securely.
  • Page 9: Set Up the IPSec VPN Tunnel on the Amazon VPC

    Sign in to the AWS Management Console and go to Networking > VPC. Figure 2: AWS Management Console > Networking > VPC. In the upper left of the screen, click Start VPC Wizard. Figure 3: Amazon VPC Management Console >...
  • Page 10 Figure 4: Select a VPC Configuration > VPC with a Private Subnet Only and Hardware VPN Access. Choose VPC with a Private Subnet Only and Hardware VPN Access, enter your IP CIDR block and private subnet, and click Next. Figure 5: VPC with a Private Subnet Only and Hardware VPN.
  • Page 11 On the Configure your VPN page, enter the ZyWALL/USG's public IP address as the Customer Gateway IP, give the Customer Gateway and the VPN Connection a name, and click Create VPC at the bottom of the page. Figure 6: Configure your VPN. In the VPC Dashboard, go to VPN Connections and select Download Configuration from the upper bar.
  • Page 12 Figure 7: VPC Dashboard > VPN Connections. Open the downloaded configuration .txt file; it lists the IKE SA and IPSec SA parameters and the gateway IP address. Make sure every setting matches the ZyWALL/USG's configuration. Figure 8: Configuration .txt file.
  • Page 13: Set Up the IPSec VPN Tunnel on the ZyWALL/USG

    On the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule for the Amazon VPC. Click Next. Figure 9: Quick Setup >...
  • Page 14 Figure 11: Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario). Set Secure Gateway IP to the Amazon VPC's gateway IP address, the virtual private gateway address listed in the downloaded configuration (52.39.135.203 in the example), and set My Address to the interface connected to the Internet.
  • Page 15 In Phase 2 Settings, select Encapsulation, Encryption, Authentication and SA Life Time values that Amazon VPC supports. Set Local Policy to the address range of the network behind the ZyWALL/USG and Remote Policy to the address range of the network in the Amazon VPC.
  • Page 16 The rule is now configured on the ZyWALL/USG. The Phase 1 settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.
  • Page 17: Test the IPSec VPN Tunnel

    On the ZyWALL/USG, go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status icon lights up when the tunnel is connected. Figure 16: CONFIGURATION > VPN > IPSec VPN > VPN Connection. Then go to MONITOR >...
  • Page 18: What Could Go Wrong

    Figure 17: MONITOR > VPN Monitor > IPSec. To check that the tunnel passes traffic, ping a host in the AWS VPC private subnet from a host on the local LAN. Ensure that both hosts have Internet access. Figure 18: Ping from the local LAN to the AWS VPC private subnet. What Could Go Wrong? If you see an [info] or [error] log message like the one below, check the ZyWALL/USG Phase 1 settings.
  • Page 19 If the Phase 1 IKE SA completes but you still get the [info] log message below, check the ZyWALL/USG Phase 2 settings. Make sure the Phase 2 proposal is one that Amazon VPC supports. Figure 20: MONITOR >...
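    The checks on pages 12, 18 and 19 come down to comparing the IKE Phase 1 and IPSec Phase 2 attributes in the downloaded configuration with what is set on the ZyWALL/USG. The following Python is an added example, not part of the handbook or of ZyXEL's software: it parses a constructed configuration text modelled on the layout of the AWS "Generic" vendor download, normalises the algorithm spellings used by the two sides, and reports every attribute that differs from the ZyWALL/USG values. The ZyWALL-side field names, the customer gateway address and the pre-shared key in the sample are assumptions made for this example.

```python
"""
Added example (not from the ZyXEL handbook): parse the vendor-agnostic VPN
configuration text downloadable from the Amazon VPC console, normalise the IKE
Phase 1 / IPSec Phase 2 attributes, and diff them against the values set on the
ZyWALL/USG.  SAMPLE_AWS_CONFIG is constructed for this example and only
modelled on the layout of the AWS "Generic" download; the ZyWALL-side field
names, the customer gateway address and the pre-shared key are assumptions.
"""
import re

SAMPLE_AWS_CONFIG = """\
#1: Internet Key Exchange Configuration
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : EXAMPLEpskNotForProduction
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Diffie-Hellman           : Group 2

#2: IPSec Configuration
  - Protocol                 : esp
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Mode                     : tunnel
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

Outside IP Addresses:
  - Customer Gateway         : 203.0.113.10
  - Virtual Private Gateway  : 52.39.135.203
"""

# Values as typed into the ZyWALL/USG VPN Gateway (Phase 1) and VPN Connection (Phase 2)
# screens.  The key names are assumptions made for this example.
ZYWALL_PHASE1 = {"encryption": "AES128", "authentication": "SHA1", "dh_group": "DH2",
                 "sa_lifetime": "28800", "mode": "Main"}
ZYWALL_PHASE2 = {"protocol": "ESP", "encapsulation": "Tunnel", "encryption": "AES128",
                 "authentication": "SHA1", "pfs": "DH2", "sa_lifetime": "3600"}

ITEM_RE = re.compile(r"^\s*-\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.+?)\s*$")


def parse_aws_config(text):
    """Return {section_name: {key: value}} from the indented '- key : value' layout."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        item = ITEM_RE.match(line)
        if item and current is not None:
            sections[current][item["key"].strip().lower()] = item["value"].strip()
        elif not line[0].isspace():
            # Section headers look like "#1: Internet Key Exchange Configuration" or "Outside IP Addresses:"
            current = re.sub(r"^#\d+:\s*", "", line).rstrip(":").strip().lower()
            sections[current] = {}
    return sections


# Normalisers map the two vendors' spellings onto one form ("aes-128-cbc" and "AES128" -> "aes128").
def _enc(v):
    return v.lower().replace("-cbc", "").replace("-", "")


def _auth(v):
    m = re.search(r"(md5|sha1|sha256|sha384|sha512)", v.lower().replace("-", ""))
    return m.group(1) if m else v.lower()          # "hmac-sha1-96" and "SHA1" -> "sha1"


def _dh(v):
    m = re.search(r"\d+", v)
    return int(m.group()) if m else None           # "Group 2", "DH2" -> 2; "none" -> None


def _seconds(v):
    return int(re.search(r"\d+", v).group())       # "28800 seconds" -> 28800


NORMALISERS = {"encryption": _enc, "authentication": _auth, "dh_group": _dh,
               "pfs": _dh, "sa_lifetime": _seconds}


def normalise(settings):
    return {k: NORMALISERS.get(k, lambda s: str(s).lower())(v) for k, v in settings.items()}


def aws_proposals(sections):
    """Extract (phase1, phase2, virtual_private_gateway_ip) from the parsed sections, normalised."""
    ike = sections["internet key exchange configuration"]
    ipsec = sections["ipsec configuration"]
    phase1 = normalise({"encryption": ike["encryption algorithm"],
                        "authentication": ike["authentication algorithm"],
                        "dh_group": ike["diffie-hellman"],
                        "sa_lifetime": ike["lifetime"],
                        "mode": ike["phase 1 negotiation mode"]})
    phase2 = normalise({"protocol": ipsec["protocol"],
                        "encapsulation": ipsec["mode"],
                        "encryption": ipsec["encryption algorithm"],
                        "authentication": ipsec["authentication algorithm"],
                        "pfs": ipsec["perfect forward secrecy"],
                        "sa_lifetime": ipsec["lifetime"]})
    return phase1, phase2, sections["outside ip addresses"]["virtual private gateway"]


def compare(aws, zywall):
    """[(attribute, aws_value, zywall_value)] for every attribute that differs.
    A lifetime difference is usually tolerated by the responder, but it is listed anyway."""
    z = normalise(zywall)
    return [(k, aws[k], z.get(k)) for k in aws if aws[k] != z.get(k)]


def check_against_aws(text, zywall_phase1, zywall_phase2):
    phase1, phase2, vpg = aws_proposals(parse_aws_config(text))
    return {"secure_gateway_ip": vpg,
            "phase1_mismatches": compare(phase1, zywall_phase1),
            "phase2_mismatches": compare(phase2, zywall_phase2)}


if __name__ == "__main__":
    print(check_against_aws(SAMPLE_AWS_CONFIG, ZYWALL_PHASE1, ZYWALL_PHASE2))
    print(check_against_aws(SAMPLE_AWS_CONFIG, dict(ZYWALL_PHASE1, dh_group="DH5"), ZYWALL_PHASE2))
```

    The Phase 1 list (encryption, authentication, DH group, negotiation mode) maps onto the VPN Gateway screen and the Phase 2 list onto the VPN Connection screen; a non-empty mismatch list for Phase 1 is what produces the [info]/[error] IKE messages on page 18, and a Phase 2 mismatch the message on page 19.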
  • Page 20: How to Configure GRE over IPSec VPN Tunnel

    This example shows how to use the VPN Setup Wizard to create a GRE over IPSec VPN tunnel between two ZyWALL/USG devices. It walks through the tunnel configuration at each site; once the GRE over IPSec tunnel is up, each site can reach the other securely.
  • Page 21: Set Up the ZyWALL/USG GRE over IPSec VPN Tunnel of Corporate Network (HQ)

    On the HQ ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule for the Branch ZyWALL/USG.
  • Page 22 Type a Rule Name to identify this VPN connection (and VPN gateway): 1-31 alphanumeric characters, case-sensitive. Select the Site-to-site scenario and click Next. Figure 24: Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario). Set Secure Gateway IP to the Branch's WAN IP address (111.250.184.80 in the example).
  • Page 23 This screen shows a read-only summary of the VPN tunnel. Click Save. Figure 26: Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary). The rule is now configured on the ZyWALL/USG. The Phase 1 settings appear in the VPN >...
  • Page 24 Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not check the identity of the remote IPSec router. With Peer ID Type set to Any, the pre-shared key is the only thing that authenticates the peer, so choose a strong one. Figure 28: CONFIGURATION >...
  • Page 25: Set Up the ZyWALL/USG GRE over IPSec VPN Tunnel of Corporate Network (Branch)

    Figure 30: CONFIGURATION > Network > Interface > Tunnel > Add. On the Branch ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule for the HQ ZyWALL/USG.
  • Page 26 Choose Express to create a VPN rule with the default Phase 1 and Phase 2 settings and a pre-shared key as the authentication method. Click Next. Figure 32: Quick Setup > VPN Setup Wizard > Wizard Type. Type a Rule Name to identify this VPN connection (and VPN gateway).
  • Page 27 Set Local Policy to the address range of the network behind the Branch ZyWALL/USG and Remote Policy to the address range of the network behind the HQ ZyWALL/USG. Figure 34: Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration). This screen shows a read-only summary of the VPN tunnel.
  • Page 28 The Phase 2 settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard. Figure 36: Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings > Wizard Completed. Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings.
  • Page 29 Figure 38: CONFIGURATION > VPN > IPSec VPN > VPN Connection > Show Advanced Settings > Policy. The GRE tunnel runs between the IPSec public interfaces of the Branch unit and the HQ unit. Go to CONFIGURATION > Network > Interface > Tunnel > Add and enter the Interface Name (format tunnelx, where x is 0-3).
  • Page 30: Test the GRE over IPSec VPN Tunnel

    On the ZyWALL/USG, go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status icon lights up when the tunnel is connected. Figure 40: CONFIGURATION > VPN > IPSec VPN > VPN Connection. Then go to MONITOR >...
  • Page 31 If the Phase 1 IKE SA completes but you still get the [info] log message below, check the ZyWALL/USG Phase 2 settings. Both ZyWALL/USG units must use the same Phase 2 settings (Protocol, Encapsulation, Encryption, Authentication method and PFS) to establish the IPSec SA. Figure 43: MONITOR >...
  • Page 32: How to Configure IPSec Site-to-Site VPN While One Site Is Behind a NAT Router

    This example shows how to use the VPN Setup Wizard to create an IPSec site-to-site VPN tunnel between two ZyWALL/USG devices when one site is behind a NAT router. It walks through the tunnel configuration at each site and on the NAT router.
  • Page 33: Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ)

    On the HQ ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule for the Branch ZyWALL/USG.
  • Page 34 Type a Rule Name to identify this VPN connection (and VPN gateway): 1-31 alphanumeric characters, case-sensitive. Select the Site-to-site scenario and click Next. Figure 47: Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario). Set Secure Gateway IP to the Branch's WAN IP address (172.100.30.40 in the example).
  • Page 35 This screen shows a read-only summary of the VPN tunnel. Click Save. Figure 49: Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary). The rule is now configured on the ZyWALL/USG. The Phase 1 settings appear in the VPN >...
  • Page 36: Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch)

    Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not check the identity of the remote IPSec router. Figure 51: CONFIGURATION >...
  • Page 37 Choose Express to create a VPN rule with the default Phase 1 and Phase 2 settings and a pre-shared key as the authentication method. Click Next. Figure 53: Quick Setup > VPN Setup Wizard > Wizard Type. Type a Rule Name to identify this VPN connection (and VPN gateway).
  • Page 38 Set Secure Gateway IP to the peer's public WAN IP address (172.100.20.30 in the example) and type a secure Pre-Shared Key (8-32 characters). Set Local Policy to the address range of the network behind this ZyWALL/USG and Remote Policy to the address range of the network behind the peer ZyWALL/USG.
  • Page 39 Figure 56: Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary). The rule is now configured on the ZyWALL/USG. The Phase 1 settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 settings appear in the VPN >...
  • Page 40: Set Up the NAT Router (Using a ZyWALL/USG Device in This Example)

    Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not check the identity of the remote IPSec router. Figure 58: CONFIGURATION >...
  • Page 41 Go to CONFIGURATION > Security Policy > Policy Control. The firewall must forward the following IP protocols and UDP ports:
    IP protocol 50: ESP (data path)
    IP protocol 51: AH (data path)
    UDP port 500: ...
  • Page 42: Test the IPSec VPN Tunnel

    On the ZyWALL/USG, go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status icon lights up when the tunnel is connected. Figure 61: CONFIGURATION > VPN > IPSec VPN > VPN Connection. Then go to MONITOR >...
  • Page 43: What Could Go Wrong

    To check that the tunnel passes traffic, ping from a computer at one site to a computer at the other. Ensure that both computers have Internet access (via the IPSec devices). Figure 63: PC behind ZyWALL/USG (HQ) > Windows 7 > cmd > ping 192.168.20.33. Figure 64: PC behind ZyWALL/USG (Branch) >...
  • Page 44 Figure 65: MONITOR > Log. If the Phase 1 IKE SA completes but you still get the [info] log message below, check the ZyWALL/USG Phase 2 settings. Both the HQ and Branch ZyWALL/USG must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IPSec SA.
  • Page 45: How to Configure L2TP over IPSec VPN While the ZyWALL/USG Is Behind a NAT Router

    This example shows how to use the VPN Setup Wizard to create an L2TP over IPSec VPN tunnel between remote clients and a ZyWALL/USG that sits behind a NAT router. It walks through the VPN configuration on the ZyWALL/USG and on the NAT router.
  • Page 46: Set Up the L2TP VPN Tunnel on the ZyWALL/USG_HQ

    On the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings for L2TP VPN Settings wizard to create an L2TP VPN rule for remote Android mobile devices. Click Next. Figure 68: Quick Setup >...
  • Page 47 Assign remote users the IP address range 192.168.10.10 to 192.168.10.20 for use in the L2TP VPN tunnel, and check Allow L2TP traffic Through WAN so that L2TP clients can reach the Internet. Click Next. Figure 70: Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (L2TP VPN Settings). This screen shows a read-only summary of the VPN tunnel.
  • Page 48 Figure 72: Quick Setup > VPN Setup Wizard > Welcome > VPN Settings > Wizard Completed. Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object > Create Address and create an address object for the NAT router's WAN IP address (172.100.20.30 in the example).
  • Page 49 Figure 74: CONFIGURATION > VPN Connection > Policy > Local Policy. Go to CONFIGURATION > VPN > L2TP VPN > Create new Object > User and add a User Name and Password (4-24 characters). Then set Allowed User to the newly created object (L2TP_Remote_Users with password zyx168 in this example; use a strong password in production).
  • Page 50: Set Up the NAT Router (Using a ZyWALL/USG Device in This Example)

    Go to CONFIGURATION > Network > NAT > Add. Select the Incoming Interface on which packets for the NAT rule are received. Set Original IP to User Defined and specify the address, then type the translated destination IP address that this NAT rule maps to.
  • Page 51 Figure 77: CONFIGURATION > Object > Address. Go to CONFIGURATION > Object > Service > Service Group and create a service group for the following UDP ports:
    UDP port 1701: L2TP
    UDP port 500: IKE
    UDP port 4500: ...
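    The service group on page 51 and the policy-control rules on page 41 exist for the same reason: the NAT router in front of the ZyWALL/USG must pass every flow that IPSec and L2TP use. The following Python is an added example, not part of the handbook or of ZyXEL's software: it models an ordered first-match allow/deny list with service groups (rule names, default-deny at the end and matching semantics are assumptions made for this example and only loosely mirror the Policy Control and Service Group screens) and reports which required flows a given rule set would drop. It also shows the ordering pitfall of a deny rule placed above the allow rule, and why a rule set that opens only UDP 500/4500 works for a NAT-traversal peer but drops raw ESP and AH.

```python
"""
Added example (not from the ZyXEL handbook): first-match evaluation of an
ordered allow/deny list with service groups, used to check that the NAT router
passes every flow IPSec and L2TP need.  Rules, flows and names are constructed
for this example; they only loosely mirror the ZyWALL Policy Control and
Service Group screens, and the default-deny at the end is an assumption.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

IP_PROTO_UDP, IP_PROTO_ESP, IP_PROTO_AH = 17, 50, 51


@dataclass(frozen=True)
class Flow:
    name: str
    proto: int
    dport: Optional[int] = None      # None for protocols without ports (ESP, AH)


@dataclass(frozen=True)
class Service:
    """One member of a service group: an IP protocol plus a destination-port range."""
    proto: int
    lo: int = 0
    hi: int = 65535

    def matches(self, flow: Flow) -> bool:
        if self.proto != flow.proto:
            return False
        return flow.dport is None or self.lo <= flow.dport <= self.hi


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    services: Tuple[Service, ...] = ()   # empty tuple = any service

    def matches(self, flow: Flow) -> bool:
        return not self.services or any(s.matches(flow) for s in self.services)


# Flows the handbook lists: ESP (50), AH (51), IKE (UDP 500), NAT-T (UDP 4500), L2TP (UDP 1701)
REQUIRED_IPSEC = (
    Flow("IKE", IP_PROTO_UDP, 500),
    Flow("NAT-T", IP_PROTO_UDP, 4500),
    Flow("ESP", IP_PROTO_ESP),
    Flow("AH", IP_PROTO_AH),
)
REQUIRED_L2TP = REQUIRED_IPSEC[:2] + (Flow("L2TP", IP_PROTO_UDP, 1701),)

IKE = Service(IP_PROTO_UDP, 500, 500)
NATT = Service(IP_PROTO_UDP, 4500, 4500)
L2TP = Service(IP_PROTO_UDP, 1701, 1701)
ESP, AH = Service(IP_PROTO_ESP), Service(IP_PROTO_AH)

# Constructed rule sets (names are assumptions, not taken from the handbook)
UDP_ONLY = [Rule("WAN_to_ZyWALL_udp", "allow", (IKE, NATT))]
FULL_IPSEC = [Rule("WAN_to_ZyWALL_ipsec", "allow", (IKE, NATT, ESP, AH))]
L2TP_GROUP = [Rule("WAN_to_ZyWALL_l2tp", "allow", (IKE, NATT, L2TP))]
MISORDERED = [Rule("Deny_all_from_WAN", "deny")] + FULL_IPSEC   # deny placed above the allow


def evaluate(rules, flow: Flow, default: str = "deny"):
    """Return (action, rule_name) from the first matching rule, else the default action."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return default, "default"


def blocked_flows(rules, required):
    """Names of the required flows that the rule set does not allow."""
    return [flow.name for flow in required if evaluate(rules, flow)[0] != "allow"]


if __name__ == "__main__":
    for label, rules, required in (("UDP only, IPSec", UDP_ONLY, REQUIRED_IPSEC),
                                   ("full IPSec", FULL_IPSEC, REQUIRED_IPSEC),
                                   ("L2TP group", L2TP_GROUP, REQUIRED_L2TP),
                                   ("misordered", MISORDERED, REQUIRED_IPSEC)):
        print(f"{label}: blocked = {blocked_flows(rules, required)}")
```

    When the ZyWALL/USG is behind NAT, IKE negotiates NAT traversal and ESP travels inside UDP 4500, so the UDP_ONLY rule set is enough for that peer. A peer with NAT traversal disabled sends raw protocol 50, which the same rule set drops, and which a port-translating NAT generally cannot map to an inside host anyway; that is why page 83 insists that both sides have NAT traversal enabled.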
  • Page 52: Test the L2TP over IPSec VPN Tunnel

    Figure 79: CONFIGURATION > Security Policy > Policy Control. Use a smartphone or a PC to establish an L2TP VPN connection to the ZyWALL/USG. On the client, configure the NAT router's public IP address as the L2TP server address.
  • Page 53 Set Secret to the pre-shared key of the IPSec VPN gateway that the ZyWALL/USG uses for L2TP over IPSec (xyz12345 in this example). Figure 80. After you create the VPN configuration, slide the button to the on position to start the L2TP VPN session.
  • Page 54 On the ZyWALL/USG, go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status icon lights up when the tunnel is connected. Figure 82: CONFIGURATION > VPN > IPSec VPN > VPN Connection. Then go to MONITOR >...
  • Page 55: What Could Go Wrong

    Figure 83: Menu > Settings > VPN > ZyXEL_L2TP. What Could Go Wrong? If you see an [alert] log message like the one below, check the ZyWALL/USG L2TP Allowed User or User/Group settings. iOS mobile users must use the same user name and password as configured on the ZyWALL/USG to establish the L2TP VPN. Figure 84.
  • Page 56 If you see an [info] or [error] log message like the one below, check the ZyWALL/USG Phase 1 settings. iOS mobile users must use the same Secret as configured on the ZyWALL/USG to establish the IKE SA. Figure 85. If the Phase 1 IKE SA completes but you still get the [info] log message below, check the ZyWALL/USG Phase 2 settings.
  • Page 57: How to Configure the Web Portal Login Page So That Users See Only the SSL VPN Login Button

    This example shows how to restrict portal access for SSL VPN clients: end users see only the SSL VPN Login button on the web portal login screen, and the administrator can manage the device only from the LAN.
  • Page 58: Set Up the DNS Service

    This scenario needs a DNS host name. In the example, register an account at https://www.noip.com/ and create a DNS host whose mapped IP address is the public IP address of the ZyWALL/USG's WAN interface.
  • Page 59: Set Up the ZyWALL/USG System Setting

    Figure 90: CONFIGURATION > Security Policy > Policy Control. Go to CONFIGURATION > System > WWW > Admin Service Control and add Admin ACL Rule 1 with the action set to Deny for all addresses in the WAN zone. Figure 91: CONFIGURATION >...
  • Page 60: Test the SSL VPN

    Type in the URL (https://sslvpnzyxeltest.ddns.net); only the SSL VPN Login button appears on the web portal screen. Figure 92: Type in the URL (https://sslvpnzyxeltest.ddns.net).
  • Page 61 Log in to the device via the WAN interface with the administrator's user name and password: the screen shows Login denied. Figure 93: Login to the device via the WAN interface. Then log in to the device via the LAN interface with the administrator's user name and password.
  • Page 62 Figure 94: Login to the device via the LAN interface.
  • Page 63 Go to MONITOR > Log. The admin login was denied from the WAN interface but allowed from the LAN interface. Figure 95: MONITOR >...
  • Page 64: How to Configure an SSL VPN Tunnel (with SecuExtender version 4.0.0.1) on the Windows 10 Operating System

    Set up the SSL VPN Tunnel with Windows 10. Download SecuExtender version 4.0.0.1 from the download library on ZyXEL's official website. Figure 96. Before you install SecuExtender, you must install the "Visual C++ 2015 Redistributable"...
  • Pages 65-67 Figures 97-105 (SecuExtender installation screens; these pages carry no text).
  • Page 68: What Can Go Wrong

    Double-click the shortcut icon on your desktop. The client works the same way as the SSL VPN standalone software on Mac OS X. Enter the server's IP address or domain name, user name and password to connect to the server. The example below shows that the client IP address is 7.7.7.1; you can also check the traffic statistics in the Status screen.
  • Page 69 Users must use the same user name and password as configured on the ZyWALL/USG to establish the SSL VPN tunnel. Figure 108. If you have uploaded a logo to show on the SSL VPN user screens but it does not display properly, check that the graphic is in GIF, JPG or PNG format. It should have a resolution of 103 x 29 pixels to avoid distortion when displayed.
  • Page 70: How to Redirect Multiple LAN Interface Traffic to the VPN Tunnel

    This example shows how to use the VPN Setup Wizard to create a site-to-site VPN that carries traffic from more than one LAN interface. It walks through the tunnel configuration at each site and the policy routes that redirect the additional LAN subnet into the tunnel.
  • Page 71: Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ)

    On the HQ ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule for the remote ZyWALL/USG.
  • Page 72 Type a Rule Name to identify this VPN connection (and VPN gateway): 1-31 alphanumeric characters, case-sensitive. Select the Site-to-site scenario and click Next. Figure 112: Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario). Set Secure Gateway IP to the peer ZyWALL/USG's WAN IP address (172.100.30.54 in the example).
  • Page 73 This screen shows a read-only summary of the VPN tunnel. Click Save. Figure 114: Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary). The rule is now configured on the ZyWALL/USG. The Phase 1 settings appear in the VPN >...
  • Page 74: Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch)

    Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not check the identity of the remote IPSec router.
  • Page 75 Choose Express to create a VPN rule with the default Phase 1 and Phase 2 settings and a pre-shared key. Click Next. Figure 118: Quick Setup > VPN Setup Wizard > Wizard Type. Type a Rule Name to identify this VPN connection (and VPN gateway): 1-31 alphanumeric characters.
  • Page 76 Set Secure Gateway IP to the peer ZyWALL/USG's WAN IP address (172.101.30.68 in the example) and type a secure Pre-Shared Key (8-32 characters). Set Local Policy to the address range of the network behind this ZyWALL/USG and Remote Policy to the address range of the network behind the peer ZyWALL/USG.
  • Page 77: Set Up the Policy Route (ZyWALL/USG_HQ)

    The Phase 2 settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard. Figure 122: Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings > Wizard Completed. Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show Advanced Settings.
  • Page 78 On ZyWALL/USG_HQ, go to CONFIGURATION > Network > Routing > Add. Set Source Address to the additional LAN subnet that should use the VPN tunnel (192.168.2.0/24 in this example) and Destination Address to the remote LAN subnet (192.168.10.0/24 in this example). Figure 124: CONFIGURATION >...
  • Page 79: Set Up the Policy Route (ZyWALL/USG_Branch)

    On ZyWALL/USG_Branch, go to CONFIGURATION > Network > Routing > Add and create an address object for the remote LAN subnet that should use the VPN tunnel (192.168.2.0/24 in this example). Figure 125: CONFIGURATION > Object > Address > Add.
  • Page 80: Test the IPSec VPN Tunnel

    On ZyWALL/USG_Branch, go to CONFIGURATION > Network > Routing > Add. Set Source Address to the local subnet (192.168.10.0/24 in this example) and Destination Address to the remote LAN subnet that should use the VPN tunnel (192.168.2.0/24 in this example). Figure 126: CONFIGURATION >...
  • Page 81 www.zyxel.com Figure 128 MONITOR > VPN Monitor > IPSec To test whether or not a tunnel is working, ping from a computer at one site to a computer at the other. Ensure that both computers have Internet access (via the IPSec devices).
  • Page 82: What Could Go Wrong

    www.zyxel.com Figure 131 PC at Branch Office > Window 7 > cmd > ping 192.168.2.33 What Could Go Wrong? If you see below [info] or [error] log message, please check ZyWALL/USG Phase 1 Settings. Both ZyWALL/USG at the HQ and Branch sites must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
  • Page 83 www.zyxel.com Figure 133 MONITOR > Log Make sure the both ZyWALL/USG at the HQ and Branch sites security policies allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. Default NAT traversal is enable on ZyWALL/USG, please make sure the remote IPSec device must also have NAT traversal enabled.
  • Page 84: How To Configure Ipsec Vpn Failover

    www.zyxel.com How to Configure IPSec VPN Failover This example shows how to use the VPN Setup Wizard to create a site-to-site VPN with failover. The example instructs how to configure the VPN tunnel between each site if one site has multi-WAN. When the multi-WAN VPN failover is configured, IPSec VPN tunnels automatically fail over to a backup WAN interface if the primary WAN interface becomes unavailable.
  • Page 85: Set Up The Zywall/Usg Ipsec Vpn Tunnel Of Corporate Network (Hq)

    www.zyxel.com Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ) In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard, use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG.
  • Page 86 www.zyxel.com Figure 137 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Configure Secure Gateway IP as the peer ZyWALL/USG’s WAN IP address (in the example, 172.100.30.54). Type a secure Pre-Shared Key (8-32 characters). Set Local Policy to be the IP address range of the network connected to the ZyWALL/USG and Remote Policy to be the IP address range of the network connected to the peer ZyWALL/USG.
  • Page 87 www.zyxel.com Figure 139 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN >...
  • Page 88: Set Up The Zywall/Usg Ipsec Vpn Tunnel Of Corporate Network (Branch)

    www.zyxel.com Figure 141 CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch) In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard, use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG.
  • Page 89 www.zyxel.com Figure 143 Quick Setup > VPN Setup Wizard > Wizard Type Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Click Next. Figure 144 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Configure Secure Gateway IP as the peer ZyWALL/USG’s WAN IP address (in the example, 172.101.30.68).
  • Page 90 www.zyxel.com Figure 145 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration) This screen provides a read-only summary of the VPN tunnel. Click Save. Figure 146 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG.
  • Page 91 www.zyxel.com Figure 147 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings > Wizard Completed Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show Advanced Settings. Configure Authentication > Peer ID Type as Any to let the ZyWALL/USG does not require to check the identity content of the remote IPSec router.
  • Page 92: Set Up The Wan Trunk (Zywall/Usg_Hq)

    www.zyxel.com Figure 149 Configuration > VPN > IPSec VPN > VPN Gateway > Gateway Settings Set up the WAN Trunk (ZyWALL/USG_HQ) Go to CONFIGURATION > Interface > Trunk > User Configuration > Add. Select wan1 and wan2 into the trunk Member and set wan2 Mode to be Passive. Figure 150 CONFIGURATION >...
  • Page 93: Set Up The Failover Command Line (Zywall/Usg Hq)

    www.zyxel.com Go to CONFIGURATION > Interface > Trunk > Configuration. Select Disconnect Connection before Falling Back. In the Default WAN Trunk, select User Configured Trunk to be the customized WAN trunk added in the previous step (Multi_WAN_Failover in this example). Figure 151 CONFIGURATION >...
  • Page 94 www.zyxel.com Figure 152 CONFIGURATION > Security Policy > Policy Control > Add corresponding If the Security Policy is created but still cannot access to ZyWALL, please go to CONFIGURAITON > System > SSH to check do you Enable the General Settings and make sure the Service Port is correct and the same in your terminal program.
  • Page 95: Test The Ipsec Vpn Tunnel

    www.zyxel.com Enter the command line in terminal mode (Using Tera Term in this example). Figure 154 Tera Term command Test the IPSec VPN Tunnel Go to ZYWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection, click Connect on the upper bar. The Status connect icon is lit when the interface is connected.
  • Page 96: What Could Go Wrong

    www.zyxel.com Figure 157 MONITOR > Log What Could Go Wrong? If you see below [info] or [error] log message, please check ZyWALL/USG Phase 1 Settings. Both ZyWALL/USG at the HQ and Branch sites must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
  • Page 97 If you see that the Phase 1 IKE SA process is done but you still get the [info] log message below, check the ZyWALL/USG Phase 2 Settings. Both ZyWALL/USG devices at the HQ and Branch sites must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IKE SA.
  • Page 98: How To Create Vti And Configure Vpn Failover With Vti

    How to Create VTI and Configure VPN Failover with VTI This example illustrates how to create a VTI object and configure a policy route with the VTI. Furthermore, it applies the VTI to the WAN trunk to achieve VPN load balancing.
  • Page 99: Set Up The Zywall/Usg Vti Of Corporate Network (Hq)

    Set Up the ZyWALL/USG VTI of Corporate Network (HQ) In the ZyWALL/USG, go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Add to create the VPN gateway HQ1 with wan1. CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Add In the same screen, create the VPN gateway HQ2 with wan2.
  • Page 100 Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection > Add and configure a VPN tunnel for the VPN gateway HQ1. Select VPN Tunnel Interface as the application scenario. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Add In the same screen, create a VPN tunnel for the VPN gateway HQ2.
  • Page 101 Go to CONFIGURATION > Network > Interface > VTI > Add to create a VTI for the VPN tunnel HQ1. Enable the connectivity check. Enter the IP address of vti1, which is configured on USG2. CONFIGURATION > Network > Interface > VTI > Add CONFIGURATION >...
  • Page 102 CONFIGURATION > Network > Interface > VTI > Add CONFIGURATION > Network > Interface > VTI > vti2 > Connectivity Check Go to CONFIGURATION > Network > Interface > Trunk > User Configuration > Add to create a new trunk. Add vti1 and vti2 to the new trunk. CONFIGURATION >...
  • Page 103 Go to CONFIGURATION > Network > Routing > Policy Route > Add to configure a policy route with Source Address: LAN1_SUBNET (192.168.1.0/24); Destination Address: BO_subnet (192.168.11.0/24); Next-Hop: HQ_vti_trunk; SNAT: none. CONFIGURATION > Network > Routing > Policy Route > Add Connect the VPN tunnels when the VTIs are ready.
  • Page 104: Set Up The Zywall/Usg Vti Of Corporate Network (Branch)

    10. Go to CONFIGURATION > Network > Interface > VTI. You will see that the status of the VTI is up when the corresponding VPN tunnel is established. CONFIGURATION > Network > Interface > VTI Set Up the ZyWALL/USG VTI of Corporate Network (Branch) In the ZyWALL/USG, go to CONFIGURATION >...
  • Page 105 In the same screen, create the VPN gateway BO2 with wan2. CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Add Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection > Add and configure a VPN tunnel for the VPN gateway BO1. Select VPN Tunnel Interface as the application scenario.
  • Page 106 In the same screen, create a VPN tunnel for the VPN gateway BO2. Select VPN Tunnel Interface as the application scenario. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Add
  • Page 107 Go to CONFIGURATION > Network > Interface > VTI > Add to create a VTI for the VPN tunnel BO1. Be aware that the IP address of this VTI must be in the same subnet as vti1 on USG1. In this example, the IP address and subnet mask of vti1 on USG1 are 10.10.10.10 and 255.255.255.0 respectively.
  • Page 108 In the same screen, create a VTI for the VPN tunnel BO2. Be aware that the IP address of this VTI must be in the same subnet as vti2 on USG1. In this example, the IP address and subnet mask of vti2 on USG1 are 10.10.11.10 and 255.255.255.0 respectively.
  • Page 109 Go to CONFIGURATION > Network > Interface > Trunk > User Configuration > Add to create a new trunk. Add vti1 and vti2 to the new trunk. CONFIGURATION > Network > Interface > Trunk > User Configuration > Add Go to CONFIGURATION >...
  • Page 110 Connect the VPN tunnels when the VTIs are ready. Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection to connect the VPN tunnels.
  • Page 111: Test The Ipsec Vpn Tunnel

    CONFIGURATION > VPN > IPSec VPN > VPN Connection > Connect 10. Go to CONFIGURATION > Network > Interface > VTI. You will see that the status of the VTI is up when the corresponding VPN tunnel is established. CONFIGURATION >...
  • Page 112 To test whether or not VPN failover is working, unplug wan1 of USG1. Then ping from a PC in LAN1 of USG1 to a PC in LAN1 of USG2 and vice versa. Check the VPN status of the USG1 in the MONITOR > VPN Monitor > IPSec screen.
  • Page 113: What Can Go Wrong

    PC of USG2 (192.168.11.33) > Windows 7 > cmd > ping 192.168.1.34 What Can Go Wrong? If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1 Settings. Both ZyWALL/USG devices at the HQ and Branch sites must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
  • Page 114 If you see that the Phase 1 IKE SA process is done but you still get the [info] log message below, check the ZyWALL/USG Phase 2 Settings. Both ZyWALL/USG devices at the HQ and Branch sites must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IKE SA.
  • Page 115: How To Import Zywall/Usg Certificate For L2Tp Over Ipsec In Android Mobile Phone

    the Branch must be in the subnet of 10.10.10.0/24, and so on. How to Import ZyWALL/USG Certificate for L2TP over IPsec in Android mobile phone This is an example of using the L2TP VPN and VPN client software included in Android mobile phone operating systems.
  • Page 116: Set Up The L2Tp Vpn Tunnel On The Zywall/Usg

    Set Up the L2TP VPN Tunnel on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings for L2TP VPN Settings wizard to create an L2TP VPN rule that can be used with the Android mobile phone clients.
  • Page 117 Assign the L2TP users’ IP address range from 192.168.100.10 to 192.168.100.20 for use in the L2TP VPN tunnel and select Allow L2TP traffic Through WAN to allow traffic from L2TP clients to go to the Internet. Click OK. Figure 163 Quick Setup >...
  • Page 118 Figure 165 Quick Setup > VPN Setup Wizard > Welcome > VPN Settings > Wizard Completed Go to CONFIGURATION > VPN > VPN Gateway > WIZ_L2TP_VPN, change the Authentication method to Certificate and select the certificate which the ZyWALL/USG uses to identify itself to the Android mobile phone. Figure 166 CONFIGURATION >...
  • Page 119 Figure 167 CONFIGURATION > VPN > L2TP VPN > Create new Object > User
  • Page 120: Export A Certificate From Zywall/Usg And Import It To Android

    Export a Certificate from ZyWALL/USG and Import it to Android Mobile Phone Go to ZyWALL/USG CONFIGURATION > Object > Certificate, select the certificate (default in this example) and click Edit. Figure 168 CONFIGURATION > Object > Certificate > default Export default certificate from ZyWALL/USG with Private Key (zyx123 in this example) Figure 169 CONFIGURATION >...
  • Page 121: Set Up The L2Tp Vpn Tunnel On The Android Mobile Device

    Set Up the L2TP VPN Tunnel on the Android Mobile Device To configure L2TP VPN in Android, go to Start > Settings > Network & Internet > VPN > Add a VPN Connection and configure as follows. Set VPN Provider to Windows (built-in). Configure a Connection name for you to identify the VPN configuration.
  • Page 122 Figure 171 Go to Control Panel > Network and Internet > Network Connections, right-click and select Properties. Continue to Security > Advanced settings and select Use Certificate for authentication.
  • Page 123 Figure 172
  • Page 124: Test The L2Tp Over Ipsec Vpn Tunnel

    Go to the Network & Internet Settings window and click Connect. Figure 173 Test the L2TP over IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the interface is connected. Figure 174 CONFIGURATION >...
  • Page 125 Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and the Inbound(Bytes)/Outbound(Bytes) traffic. Click Connectivity Check to verify the result of ICMP Connectivity. Figure 175 Hub_HQ > MONITOR > VPN Monitor > IPSec > WIZ_L2TP_VPN Go to ZyWALL/USG MONITOR >...
  • Page 126: What Could Go Wrong

    What Could Go Wrong? If you see an [alert] log message such as the one below, check the ZyWALL/USG L2TP Allowed User or User/Group Settings. Android users must use the same Username and Password as configured in the ZyWALL/USG to establish the L2TP VPN. Figure 178 If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 Settings.
  • Page 127 Ensure that the L2TP Address Pool does not conflict with any existing LAN1, LAN2, DMZ, or WLAN zones, even if they are not in use. If you cannot access devices in the local network, verify that the devices in the local network set the USG’s IP as their default gateway to utilize the L2TP tunnel.
  • Page 128: How To Import Zywall/Usg Certificate For L2Tp Over Ipsec In Ios Mobile Phone

    How to Import ZyWALL/USG Certificate for L2TP over IPsec in iOS mobile phone This is an example of using the L2TP VPN and VPN client software included in Android mobile phone operating systems. When the VPN tunnel is configured, users can securely access the network behind the ZyWALL/USG and allow traffic from L2TP clients to go to the Internet from an iOS mobile phone.
  • Page 129: Set Up The L2Tp Vpn Tunnel On The Zywall/Usg

    Set Up the L2TP VPN Tunnel on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings for L2TP VPN Settings wizard to create an L2TP VPN rule that can be used with the iOS mobile phone clients.
  • Page 130 Assign the L2TP users’ IP address range from 192.168.100.10 to 192.168.100.20 for use in the L2TP VPN tunnel and select Allow L2TP traffic Through WAN to allow traffic from L2TP clients to go to the Internet. Click OK. Figure 184 Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (L2TP VPN Settings) This screen provides a read-only summary of the VPN tunnel.
  • Page 131 Now the rule is configured on the ZyWALL/USG. The rule settings appear in the VPN > L2TP VPN screen. Click Close to exit the wizard. Figure 186 Quick Setup > VPN Setup Wizard > Welcome > VPN Settings > Wizard Completed Go to CONFIGURATION >...
  • Page 132 Go to CONFIGURATION > VPN > L2TP VPN > Create new Object > User to add User Name and Password (4-24 characters). Then, set Allowed User to the newly created object (L2TP_Remote_Users/zyx168 in this example). Figure 188 CONFIGURATION > VPN > L2TP VPN > Create new Object > User
  • Page 133: Export A Certificate From Zywall/Usg And Import It To Ios Mobile Phone

    Export a Certificate from ZyWALL/USG and Import it to iOS Mobile Phone Go to ZyWALL/USG CONFIGURATION > Object > Certificate, select the certificate (default in this example) and click Edit. Figure 189 CONFIGURATION > Object > Certificate > default Export default certificate from ZyWALL/USG with Private Key (zyx123 in this example) Figure 190 CONFIGURATION >...
  • Page 134: Set Up The L2Tp Vpn Tunnel On The Ios Mobile Device

    default.p12 Figure 191 Set Up the L2TP VPN Tunnel on the iOS Mobile Device To configure L2TP VPN in the iOS operating system, go to Start > Settings > Network & Internet > VPN > Add a VPN Connection and configure as follows. Set VPN Provider to Windows (built-in).
  • Page 135 Go to Control Panel > Network and Internet > Network Connections, right-click and select Properties. Continue to Security > Advanced settings and select Use Certificate for authentication. Figure 193
  • Page 136
  • Page 137: Test The L2Tp Over Ipsec Vpn Tunnel

    Go to the Network & Internet Settings window and click Connect. Figure 194 Test the L2TP over IPSec VPN Tunnel 1. Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the interface is connected. Figure 195 CONFIGURATION >...
  • Page 138: What Could Go Wrong

    3. Go to ZyWALL/USG MONITOR > VPN Monitor > L2TP over IPSec and verify the Current L2TP Session. Figure 197 MONITOR > VPN Monitor > L2TP over IPSec > L2TP_Remote_Users 4. Go to the iOS operating system Start > Settings > Network & Internet > VPN; it shows the Connected status.
  • Page 139 2. If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 Settings. iOS users must use the same Pre-Shared Key as configured in the ZyWALL/USG to establish the IKE SA. Figure 200 3. If you see that the Phase 1 IKE SA process has completed but you still get an [info] log message as below, check the ZyWALL/USG Phase 2 Settings.
  • Page 140: How To Configure The Usg When Using A Cloud Based Sip System

    How to configure the USG when using a Cloud Based SIP system This example shows how to configure the USG when there is a Cloud Based SIP system. IP phones are more and more popular nowadays. The USG supports the scenario in which IP phones located in the LAN connect to the Internet to register with the SIP server.
  • Page 141: Set Up The Sip Alg

    Set Up the SIP ALG Go to CONFIGURATION > Network > ALG and check “Enable SIP ALG”. Also check “Enable SIP Transformations” if the SIP content needs to be transformed. Then click “Apply”. Figure 203 CONFIGURATION > Network > ALG Direct-media and Direct-signalling are activated after ZLD 4.20.
  • Page 142: Test Result

    Router(config)# no alg sip direct-signalling Router(config)# no alg sip direct-media Test result Connect a SIP phone to the USG and check the register status. It registers successfully. Figure 205 Check the SIP register status on the PBX. Figure 206 What could go wrong? The SIP phone does not support transforming itself, but the “SIP Transformations”...
  • Page 143: How To Block Https Websites By Domain Filter Without Applying Ssl Inspection

    How to block HTTPS websites by Domain Filter without applying SSL Inspection The Content Filter with HTTPS Domain Filter allows you to block HTTPS websites by category service without SSL Inspection. The filtering feature is based on more than 50 Managed Categories built into the ZyWALL/USG, such as pornography, gambling, hacking, etc.
  • Page 144: Set Up The Content Filter On The Zywall/Usg

    Set Up the Content Filter on the ZyWALL/USG Go to CONFIGURATION > UTM Profile > Content Filter > Profile > General Settings. Select Enable HTTPS Domain Filter for HTTPS traffic. Figure 209 Go to CONFIGURATION > UTM Profile > Content Filter > Profile Management > Add Filter Profile >...
  • Page 145 Figure 212 Scroll down to the Managed Categories section, select categories in this section to control access to specific types of Internet content. You must have the Content Filtering license to filter these categories. Figure 213
  • Page 146: Set Up The Security Policy On The Zywall/Usg

    Set Up the Security Policy on the ZyWALL/USG Go to CONFIGURATION > Security Policy > Policy Control, configure a Name for you to identify the Security Policy profile. Scroll down to UTM Profile, select Content Filter and select a profile from the list box (Social_Net_Block in this example). Figure 214 Set Up the System Policy on the ZyWALL/USG Go to CONFIGURATION >...
  • Page 147: Test The Result

    Test the Result Type http://www.facebook.com/ or https://www.facebook.com/ into the browser; an error message appears. Figure 216
  • Page 148 Go to the ZyWALL/USG Monitor > Log; you will see an [alert] log message such as the one below. The HTTP traffic log shows (Content Filter) and the HTTPS traffic log shows (HTTPS Domain Filter) in the message field. Figure 217 Monitor > Log
  • Page 149: How To Configure Content Filter 2.0 - Geo Ip Blocking

    How to configure Content Filter 2.0 - Geo IP Blocking Content Filter 2.0 - Geo IP blocking identifies the country based on IP address and allows you to block clients from accessing certain countries based on organizational policy.
  • Page 150: Set Up The Address Object With Geo Ip On The Zywall/Usg

    Set Up the Address Object with Geo IP on the ZyWALL/USG Figure 219 Go to CONFIGURATION > Object > Address/Geo IP > Address > Add Address Rule. Figure 220 Go to CONFIGURATION > Object > Address/Geo IP > Address; you can see the customized GEOGRAPHY address.
  • Page 151: Set Up The Security Policy On The Zywall/Usg

    Set Up the Security Policy on the ZyWALL/USG Figure 221 Go to CONFIGURATION > Security Policy > Policy Control, configure a Name for you to identify the Security Policy profile. Set the Geo IP policy for traffic from WAN to LAN to allow sources from the local country (geo_allow_policy in this example).
  • Page 152: Test The Result

    Test the Result Type http://csosuppport.ddns.net/ into the browser; the HTTP site can be reached. Figure 223 Go to the ZyWALL/USG Monitor > Log; you will see a [notice] log message such as the one below. Traffic that matches the Geo IP policy is blocked and shown in the message field. Figure 224
  • Page 153: What Could Go Wrong

    What could go wrong 1. The Security Policy is configured wrong. The traffic cannot access the LAN server. Figure 225 2. The Content-Filter service is expired. Since the Geo-IP server is bound to the Content-Filter license, the Content-Filter service must still be within its license period.
  • Page 154: How To Block The Client Accessing To Certain Country Using Geo Ip And Content Filter

    How to block the client accessing to certain country using Geo IP and Content Filter The Content Filter with Geo IP identifies the country based on IP address and allows you to block clients from accessing certain countries based on organizational policy. When a user makes an HTTP or HTTPS request, the ZyWALL/USG queries the IP address in the MaxMind database, then takes action when it matches a blocked country in the Content Filter profile.
  • Page 155: Check Geo Ip License Status On The Zywall/Usg

    Check Geo IP License Status on the ZyWALL/USG Go to CONFIGURATION > Licensing > Registration > Service; the Geo IP Service should be Licensed to configure this feature. Figure 227 Set Up the Address Object with Geo IP on the ZyWALL/USG Go to CONFIGURATION >...
  • Page 156: Set Up The Security Policy On The Zywall/Usg

    Go to CONFIGURATION > Object > Address/Geo IP > Address Group > Add Address Group Rule and add all customized GEOGRAPHY addresses into the same Member object. Figure 230 Set Up the Security Policy on the ZyWALL/USG Go to CONFIGURATION > Security Policy > Policy Control, configure a Name for you to identify the Security Policy profile.
  • Page 157 Figure 231
  • Page 158: Test The Result

    Test the Result Type http://www.pku.edu.cn/ or https://www.rwth-aachen.de/ into the browser; the sites cannot be reached. Figure 232
  • Page 159 Go to the ZyWALL/USG Monitor > Log; you will see a [notice] log message such as the one below. Traffic that matches the Geo IP policy is blocked and shown in the message field. Figure 233
  • Page 160: How To Set Up Link Aggregation Group (Lag)

    How to set up Link Aggregation Group (LAG) A Link Aggregation Group (LAG) allows you to combine a number of physical ports together to create a single high bandwidth data path. It can be used for traffic load balancing or failover, depending on the actual deployment.
  • Page 161 On the USG, go to Configuration > Network > Interface > LAG. Choose the proper interface type and zone depending on the case. Also, select the slave ports to be added to the LAG interface. The interface name format is lagx (x = 0~3). Figure 235 Link Monitoring: You can choose link up/down detection (specify the MII link monitoring frequency or...
  • Page 162 Updelay is the time to wait before enabling the slave port after the device detects the link recovery. Downdelay is the time to wait before disabling the slave port after the device detects the link failure. Figure 237 The target IP can be a Layer 3 device or a host IP that is reachable by the USG. 802.3ad (LACP) Mode: (Both devices need to be configured.
  • Page 163 Figure 239 Xmit Hash Policy: Select layer2 or layer2+3. Select layer2 if the LAG interface is connected to a layer 2 subnet. Select layer2+3 if the LAG interface is connected to a network with a router or an L3 switch.
  • Page 164: Set Up The Active-Backup Mode

    LACP rate: The interval can be fast (every second) or slow (every 30 seconds). Balance-alb Mode: (Does not require configuration on the switch and one or multiple switches can be used.) Figure 241 Set up the active-backup mode. The VLAN interface is cross-connected to different switches and the link statuses on both switches are active.
  • Page 165 The VLAN interface is cross-connected to different switches (fault tolerance). Figure 244 Only one link connection is up and the other is down. In this case, you will need to use the active-backup mode. Figure 245 You can find the LAG interface in the VLAN interface. Figure 247
  • Page 166: Test The Result

    Test the Result After the deployment you can see the interface status through Monitor > Interface Status. Figure 248 Below we use an 802.3ad LAG interface with Vlan66 as the example: unplug one of the network cables during the ping, and the connection should still be alive after one lost ping. Figure 249 What can go wrong 1.
  • Page 167: How To Restrict Web Portal Access From The Internet

    How to Restrict Web Portal access from the Internet This example shows how to use the VPN Setup Wizard to create a site-to-site VPN with multiple LAN access to the VPN tunnel. The example instructs how to configure the VPN tunnel between each site and redirect multiple LAN interface traffic to the VPN tunnel.
  • Page 168: Set Up The Zywall/Usg System Setting

    Set Up the ZyWALL/USG System Setting Go to CONFIGURATION > System > WWW > Admin Service Control > Add Admin ACL Rule 1. Set the address access action to Deny for ALL addresses in WAN. Figure 251 CONFIGURATION > System > WWW > Admin Service Control > Add Admin ACL Rule 1
  • Page 169: Test The Web Access

    Test the Web Access Log in to the device via the WAN interface with the administrator's user name and password. The screen will show Login denied. Figure 252 Login to the device via the WAN interface Log in to the device via the LAN interface with the administrator's user name and password.
  • Page 170 Go to MONITOR > Log. You can see that the admin login has been denied access from the WAN interface but it is allowed from the LAN interface. Figure 254 MONITOR > Log
  • Page 171: How To Setup And Configure Daily Report

    How to Setup and Configure Daily Report This example shows how to set up the data collection and view various statistics about traffic passing through your ZyWALL/USG. When the Daily Report is configured, you will receive a statistics report every day. Figure 255 ZyWALL/USG Setup and Configure Daily Report Note: All network IP addresses and subnet masks are used as examples in this article.
  • Page 172: Set Up The Zywall/Usg Email Daily Report Setting

    Set Up the ZyWALL/USG Email Daily Report Setting Go to CONFIGURATION > Log & Report > Email Daily Report > General Settings. Select Enable Email Daily Report to send reports by e-mail every day. Figure 256 CONFIGURATION > Log & Report > Email Daily Report > General Settings Type the SMTP server name or IP address.
  • Page 173: Test The Daily Log Report

    Select Reset counters after sending report successfully if you only want to see statistics for a 24-hour period. Figure 259 CONFIGURATION > Log & Report > Email Daily Report > Report Items Test the Daily Log Report Click Send Report Now to have the ZyWALL/USG send the daily e-mail report immediately.
  • Page 174: What Could Go Wrong

    You will receive a daily report mail. Figure 261 ZyXEL Daily Report Mail What Could Go Wrong? Make sure your Email settings are all correct. Figure 262 CONFIGURATION > Log & Report > Email Daily Report > Email Settings Make sure your ZyWALL to WAN security policy allows the outgoing e-mail traffic.
  • Page 175: How To Setup And Configure Email Logs

    How to Setup and Configure Email Logs This example shows how to set up the e-mail profiles to mail ZyWALL/USG log messages to specific destinations. You can also specify which log messages to e-mail, and where and how often to e-mail them. When Email Logs is configured, you will receive log e-mail reports based on the customized schedule.
  • Page 176: Set Up The Zywall/Usg Email Logs Setting

    Set Up the ZyWALL/USG Email Logs Setting 1. Go to CONFIGURATION > Log & Report > Log Settings > System Log > Edit > E-mail Server 1. Select Active. Type the SMTP server name or IP address. In Mail From, type the e-mail address from which the outgoing e-mail is delivered.
  • Page 177 5. Go to CONFIGURATION > Log & Report > Log Settings > System Log > Edit > Active Log and Alert. Use the System Log drop-down list to change the log settings for all of the log categories. Figure 265 CONFIGURATION > Log & Report > Log Settings > System Log > Edit > Active Log and Alert.
  • Page 178: Test The Email Log

    Test the Email Log You will receive a log mail depending on the time you set in the E-mail Server. Figure 266 ZyXEL Log Mail What Could Go Wrong? Make sure your Email settings are all correct. Figure 267 CONFIGURATION > Log & Report > Email Daily Report > Email Settings Make sure your ZyWALL to WAN security policy allows the outgoing e-mail traffic.
  • Page 179: How To Setup And Send Logs To A Syslog Server

    How to setup and send logs to a Syslog Server This example shows how to set up the syslog server profiles to send ZyWALL/USG log messages to specific destinations. You can also specify which log messages to send to the syslog server. When the syslog server is configured, you will receive the system logs in real time.
  • Page 180: Set Up The Syslog Server (Use Papertrail Syslog In This Example)

    Set Up the Syslog Server (Use Papertrail syslog in this example) Register an account on Papertrail: https://papertrailapp.com Go to Dashboard > Add Systems. Figure 269 Dashboard > Add Systems Select Not shown here? and My syslog daemon only sends to port 514. Figure 270 Dashboard >...
  • Page 181 Select My syslogd only uses the default port, set the ZyWALL/USG public IP address (111.250.188.9 in this example) and name the log system. Click Save. Figure 271 Dashboard > Add Systems > I’m using > Choose your situation Write down the Papertrail-provided domain name (logs.papertrialpp.com in this example).
  • Page 182: Set Up The Zywall/Usg Remote Server Setting

    Set Up the ZyWALL/USG Remote Server Setting 1. Go to CONFIGURATION > Log & Report > Log Settings > Remote Server > Edit. Set Log Format to CEF/Syslog. Type the Server Address as the Papertrail-provided domain name (logs.papertrialpp.com in this example). 2.
  • Page 183: Test The Remote Server

    Figure 273 CONFIGURATION > Log & Report > Log Settings > Remote Server > Edit Test the Remote Server You will receive a log mail depending on the time you set in the E-mail Server. Figure 274 ZyXEL Log Mail
  • Page 184: What Could Go Wrong

    What Could Go Wrong? Make sure your Log settings for Remote Server are all correct. Figure 275 CONFIGURATION > Log & Report > Log Settings > Remote Server Make sure your ZyWALL to WAN security policy allows traffic to the log server.
  • Page 185: How To Setup And Send Logs To A Vantage Reports Server

    How to setup and send logs to a Vantage Reports Server This example shows how to set up the Vantage Report Server profiles to send ZyWALL/USG log messages to specific destinations. You can also specify which log messages to send to the Vantage Report Server. When the Vantage Report Server is configured, you will receive the system logs in real time.
  • Page 186: Set Up The Vrpt Server

    Set Up the VRPT Server 1. The Vantage Report server must have a registered account at http://www.myZyXEL.com. 2. Install the VRPT software: http://www.zyxel.com/support/DownloadLandingSR.shtml?c=gb&l=en&kbid=M-01339&md=VRPT 4. Unzip the file and click Vantage Report.exe to start installing Vantage Report. Then, the Vantage Report installation wizard appears. Click Next. Figure 277 5.
  • Page 187 Figure 278 Check whether any other applications also use port 3316 (TCP), 514 (UDP) or 8080 (UDP) by entering “netstat -a” into the command line. Uninstall them if there are any. Click OK. Figure 279 When you finish installing Vantage Report, restart the Vantage Report server. 7.
  • Page 188 Figure 280 Go to Dashboard > License Information > Manage Device and click Add Device; the Add Device screen appears on the left side. Enter the Name of the device you want to add to Vantage Report. Enter the LAN MAC address of the device you want to add.
  • Page 189: Set Up The Zywall/Usg Remote Server Setting

    Set Up the ZyWALL/USG Remote Server Setting Go to CONFIGURATION > Log & Report > Log Settings > Remote Server > Edit. Set Log Format to VRPT/Syslog. Type the Server Address as the Vantage Report server IP address (10.251.30.61 in this example).
  • Page 190: What Could Go Wrong

    Figure 283 VRPT Server > Logs > Log Viewer What Could Go Wrong? Make sure your Log settings for Remote Server are all correct. Figure 284 CONFIGURATION > Log & Report > Log Settings > Remote Server Make sure your ZyWALL to WAN security policy allows traffic to the log server.
  • Page 191: How To Enable And Send Logs To The Usb Storage

    How to enable and send logs to the USB storage This example shows how to use the USB device to store the system log information. Figure 285 ZyWALL/USG enable and send logs to the USB storage Note: Only connect one USB device. It must allow writing (it cannot be read-only) and use the FAT16, FAT32, EXT2, or EXT3 file system.
  • Page 192: Set Up The Usb System Settings

    Set Up the USB System Settings Go to CONFIGURATION > System > USB Storage > Settings > General. Select Activate USB storage service if you want to use the connected USB device(s). Set a number and select a unit (MB or %) to have the ZyWALL/USG send a warning message when the remaining USB storage space is less than the value you set here.
  • Page 193: Check The Usg Log Files

    Go to CONFIGURATION > Log & Report > Log Settings > USB Storage > Edit. Select Duplicate logs to USB storage (if ready) to have the ZyWALL/USG save a copy of its system logs to a connected USB storage device. Use the Selection drop-down list to change the log settings for all of the log categories.
  • Page 194: How To Create A Wi-Fi Vlan Interfaces To Separate Staff Network And Guest Network

    How to create Wi-Fi VLAN interfaces to separate staff network and Guest network This example shows how to create Wi-Fi VLAN interfaces to separate the staff network and the guest network. Suppose there should be no limitation for the staff network, but guests should be restricted from accessing the USG.
  • Page 195: Set Up Wi-Fi Vlan Interfaces

    Set up Wi-Fi VLAN interfaces. Create VLAN interfaces: go to CONFIGURATION > Object > Zone and create a zone for the guests. Figure 291 CONFIGURATION > Object > Zone. Go to CONFIGURATION > Network > Interface > VLAN. Create VLAN16 for Staff_WiFi and VLAN17 for Guest_WiFi. Figure 292 CONFIGURATION >...
  • Page 196 Figure 293 CONFIGURATION > Network > Interface > VLAN > VLAN17. There will be two VLAN interfaces. Figure 294 CONFIGURATION > Network > Interface > VLAN
  • Page 197 Set Up the User. Go to Configuration > Object > User/Group > User, and create users for the staff and the guest. Figure 295 Configuration > Object > User/Group > User > staff. Figure 296 Configuration > Object > User/Group > User > guest
  • Page 198 There will be two users. Figure 297. Set Up the AP Profile. Go to CONFIGURATION > Object > AP Profile > SSID > Security List, and create two security profiles. Figure 298 CONFIGURATION > Object > AP Profile > SSID > Security List > Guest_WPA2
  • Page 199 Figure 299 CONFIGURATION > Object > AP Profile > SSID > Security List > Staff_WPA2. Go to CONFIGURATION > Object > AP Profile > SSID > SSID List, and create two SSID profiles. Figure 300 CONFIGURATION > Object > AP Profile > SSID > SSID List > Staff_Wifi
  • Page 200 Figure 301 CONFIGURATION > Object > AP Profile > SSID > SSID List > Guest_Wifi. Go to CONFIGURATION > Wireless > AP Management > AP Group, and add an AP Group named WiFi. Figure 302 CONFIGURATION > Wireless > AP Management > AP Group. Go to CONFIGURATION >...
  • Page 201 Figure 303 CONFIGURATION > Wireless > AP Management > Mgnt. AP List. Set Up the Security Policy Rule. Go to CONFIGURATION > Security Policy > Policy Control > Policy. Add one rule that blocks guests from accessing the USG, and another that allows them to access the Internet. Figure 304 CONFIGURATION >...
  • Page 202: Test Result

    Figure 305 CONFIGURATION > Security Policy > Policy Control > Policy > Guest_Internet. Test result: connect to the SSID Staff_WiFi and ping the USG interface. Figure 306
  • Page 203: What Could Go Wrong

    Connect to the SSID Guest_WiFi and ping the USG interface. Figure 307. What could go wrong? Figure 308: the wrong zone was chosen for the Guest VLAN interface.
  • Page 204 Figure 309: the AP was not moved to the correct AP group. Figure 310: the rule that blocks guest access to the USG was not created correctly.
  • Page 205: How To Activate A Free Access Hotspot

    How to Activate a Free Access Hotspot. Some hotels need to provide free Internet services to hundreds of guests on a daily basis, and managing the Internet access for so many people can be very complicated without the right equipment. With web authentication methods such as user agreement and web portal, hotel guests are redirected to a web-based authentication portal upon the first attempt to access the network.
  • Page 206: Set Up The Free Access Hotspot

    Configuration Guide. Network Conditions: WAN: 10.251.31.112; LAN 1: 192.168.1.1/255.255.255.0; User’s laptop: 192.168.1.33. Set up the Free Access Hotspot. Configurations on the USG1100: the user agreement feature allows clients to access the Internet without a guest account.
  • Page 207 Figure 313. 2. Go to Configuration > Hotspot > Advertisement. (1) Select Enable Advertisement. (2) Add the URL of the website that you want to advertise. Figure 314
  • Page 208: Test The User Agreement And Advertisement Webpage

    Test the User Agreement and Advertisement Webpage. 1. When a client attempts to access the Internet via a browser, he/she will be redirected to the user agreement page. Figure 315. 2. The advertisement webpage will be displayed in a new window and it is the first page that appears whenever the user connects to the Internet.
  • Page 209: What Could Go Wrong

    Figure 316. What Could Go Wrong? If users can access the Internet without any authentication, make sure the Source Address is configured for the correct subnet. For example, if you want users in subnet 192.168.1.0/24 to be controlled via authentication, the Source Address must be 192.168.1.0/24. Figure 317
  • Page 210: Set Up Enable The Free Time Feature

    Set up Enable the Free Time Feature. Configurations on the USG1100: on the USG1100, you need to enable the SMS service and select SMS as the delivery method in the Free Time feature. 1. Register for a ViaNett account at http://www.vianett.com.
  • Page 211 3. After the form has been submitted, the account information will be sent to your e-mail address. Figure 320. Figure 321
  • Page 212 Figure 322. 4. Enter the activation code and proceed to make the payment. Figure 321. 5. Fill in the credit card information to complete the payment.
  • Page 213 Figure 322. The payment is complete. Figure 323. 6. After the ViaNett account is ready, go to the USG1100’s Configuration > Hotspot > SMS screen. (1) Enable SMS. (2) Fill in your local phone country code as the default country code.
  • Page 214 (3) Add an authentication policy for every source. Figure 324. 7. Go to Configuration > Hotspot > Free Time. (1) Select Enable Free Time and set up the free time period. By default, the Reset Time is 00:00 AM. You can also set up how many times a MAC address can access the Internet.
  • Page 215: Test Free Time Feature

    Figure 326. 9. Select Enable Policy, Force User Authentication, and then select default-web-portal as the Authentication Type. Figure 327. Test Free Time Feature. 1. The user will be redirected to the Login screen before he/she is permitted to access the Internet.
  • Page 216 Figure 328. Select Free Time as the service plan. Then submit your country code and mobile phone number. Figure 329
  • Page 217 3. The account and password will be sent to your mobile phone. Figure 330. 4. Check your account information. Figure 331. 5. Fill in the account information received on your mobile phone and click Login.
  • Page 218: What Can Go Wrong

    Figure 332. 6. Now the client can start accessing the Internet. Figure 333. What Can Go Wrong? If the client cannot receive the SMS message from ViaNett, make sure the country code, username and password are all correct.
  • Page 219 Figure 334
  • Page 220: How To Enable Device Ha Pro

    How to Enable Device HA Pro. The Device HA feature provides failover when one of the devices in the network is dead or can’t access the Internet, which makes it a popular feature for network environments. In the previous firmware version, the USG supported AP (Active-Passive/Master-Backup) mode.
  • Page 221: Device Ha Pro License

    Device HA Pro License. The Device HA Pro feature requires a license. You must register both of your devices on the myZyXEL.com server first, then make sure the Device HA Pro license is available on both devices. Figure 337
  • Page 222: Behavior Of The Device Ha Pro

    Behavior of the Device HA Pro. Device HA Pro uses a heartbeat link to monitor the “active” device’s interface status. If one of the monitored interfaces is dead or fails, the “passive” device’s status becomes “active”. (This means only 1 device’s status can be “active”...
  • Page 223 Figure 339
  • Page 224: Suggestions

    Heartbeat Link. The heartbeat port is the last physical port on the device. After you have enabled Device HA Pro, the devices transmit multicast packets (UDP 694) to check each other’s status. When the passive device is working properly, the system LED light will be on. Only the heartbeat port’s LED light can be on.
  • Page 225 The Device HA Pro feature requires a license. Register both of your devices on myZyXEL.com and make sure the devices have the license after syncing with the myZyXEL.com server. Figure 341. 2. Configurations on the Primary Device: the Device HA Pro feature requires a license.
  • Page 226 Go to the Configuration > Device HA > General screen. - Select Enable Device HA and click Apply to enable Device HA Pro. Figure 343
  • Page 227 3. Configurations on the Secondary Device: Go to the Configuration > Device HA > Device-HA Pro screen. - Select Enable Configuration Provisioning From Active Device. - Click Apply. Figure 344
  • Page 228 Go to the Configuration > Device HA > General screen. - Select Enable Device HA and click Apply. - Before the Device HA Pro feature is enabled on the secondary device, a warning message will pop up asking you to confirm. Click OK to enable it. Figure 345
  • Page 229: What Can Go Wrong

    4. Connecting the Device HA Pro Port: the Device HA Pro port is the last physical port on the DUT. Use a cable to connect the two devices to each other. What can go wrong? Why can’t I see the correct license status from the myzyxel.com server? On the Device-HA Pro setting screen, there is a function “Serial number of the licensed device for license synchronization”.
  • Page 230 device? Because the purpose of Device-HA Pro is network stability, after a failover to the secondary device it keeps the current state even when the primary device is back. This avoids making the network service unstable.
  • Page 231: How To Set Up Ipv6 Interfaces For Pure Ipv6 Routing

    How to Set Up IPv6 Interfaces For Pure IPv6 Routing. This example shows how to configure your USG Z’s WAN and LAN interfaces, which connect two IPv6 networks. USG Z periodically advertises the network prefix 2006:1111:1111:1111::/64 to the LAN through router advertisements. Figure 346 ZyWALL/USG access the internet via IPv6. Note: Instead of using router advertisement, you can use DHCPv6 to pass the...
  • Page 232: Setting Up The Ipv6 Interface

    Setting Up the IPv6 Interface. 1. In the CONFIGURATION > Network > Interface > Ethernet screen’s IPv6 Configuration section, double-click wan1. 2. The Edit Ethernet screen appears. Select Enable Interface and Enable IPv6. Select Enable Auto-Configuration. Click OK. Note: Your ISP or uplink router should have router advertisement enabled.
  • Page 233 Figure 348. 3. Use the ipconfig command-line tool to check. Figure 349
  • Page 234: Set Up The Prefix Delegation And Router Advertisement

    Set up the Prefix Delegation and Router Advertisement. This example shows how to configure prefix delegation on the ZyWALL’s WAN and router advertisement on the LAN. Apply for a Network Prefix From Your ISP. First of all, you have to apply for a network prefix from your ISP or the uplink router’s administrator.
  • Page 235 Click Add in the DHCPv6 Request Options table and select the DHCPv6 request object you just created. You cannot see the prefix your ISP gave you in the Value field until you click OK and then come back to this screen again. It is 2001:b050:2d::/48 in this example. Note: Your ISP or a DHCPv6 server in the same network as the WAN should assign an IPv6 address to the WAN interface.
  • Page 236 Figure 352. Setting Up the WAN IPv6 Interface. 1. In the Configuration > Network > Interface > Ethernet screen, double-click the lan interface in the IPv6 Configuration section. 2. The Edit Ethernet screen appears. Click Show Advanced Settings to display more settings on this screen.
  • Page 237 Address field. (The combined prefix 2001:b050:2d:1111::/64 will be displayed as LAN1’s network prefix after you click OK and come back to this screen again.) Figure 353
  • Page 238: Test

    Test. 1. Connect a computer to the ZyWALL’s LAN interface. 2. Enable IPv6 support on your computer. In Windows XP, you need to use the IPv6 install command in a Command Prompt. In Windows 7, IPv6 is supported by default. You can enable IPv6 in the Control Panel >...
  • Page 239 3. If the Value field in the WAN1’s DHCPv6 Request Options table displays n/a, contact your ISP for further support. 4. In Windows, some IPv6-related tunnels, such as Teredo and 6to4, may be enabled by default. They may cause your computer to handle IPv6 packets in an unexpected way.
  • Page 240: Test

    Figure 356. Test. You can use the command “netsh interface ipv6 show dnsservers” to check the DNS server IP. Figure 357
  • Page 241: How To Perform And Use The Packet Capture Feature On The Zywall/Usg

    How to Perform and Use the Packet Capture Feature on the ZyWALL/USG. This example shows how to use the Packet Capture feature to capture network traffic going through the ZyWALL/USG’s interfaces. Studying these packet captures may help you identify network problems. Figure 358 ZyWALL/USG Packet Capture Feature Settings. Note: New capture files overwrite existing files of the same name.
  • Page 242: Set Up The Packet Capture Feature

    Set Up the Packet Capture Feature. Go to MAINTENANCE > Diagnostics > Packet Capture > Capture > Interfaces. Select the interfaces for which to capture packets and click the right arrow button to move them to the Capture Interfaces list. Figure 359. 10. Go to MAINTENANCE >...
  • Page 243 11. Go to MAINTENANCE > Diagnostics > Packet Capture > Capture > Misc setting. Select Continuously capture and overwrite old ones to have the ZyWALL/USG keep capturing traffic and overwriting old packet capture entries when the available storage space runs out. Select Save data to onboard storage only or Save data to USB storage (if the status shows service deactivated, go to CONFIGURATION >...
  • Page 244: Check The Capture Files

    13. Click Stop when collection is done. Figure 363. Check the Capture Files. Go to MAINTENANCE > Diagnostics > Packet Capture > Files, select the .cap file and click Download. Figure 364
  • Page 245 Open the .cap files with Wireshark. Figure 365
  • Page 246: How To Automatically Reboot The Zywall/Usg By Schedule

    How to Automatically Reboot the ZyWALL/USG by Schedule. This example shows how to use a shell script and the schedule-run command to reboot the device automatically for maintenance purposes. Figure 366 ZyWALL/USG Auto Schedule Reboot Settings. Note: This example was tested using a USG110 (Firmware Version: ZLD 4.15).
  • Page 247: Set Up The Shell Script

    Set Up the Shell Script. Run the Windows Notepad application and enter the command shown below: Figure 367. Save this file as "reboot_device.zysh". Figure 368. In the ZyWALL/USG, go to MAINTENANCE > File Manager > Shell Script. Click Browse... to find the reboot_device.zysh file. Click Upload to begin the upload process. Figure 369
  • Page 248: Set Up The Schedule Run

    Set Up the Schedule Run. Log in to the device via console/telnet/SSH (using PuTTY in this example). Figure 370. Issue one of the commands below, depending on the user scenario (daily, weekly or monthly): a. Router(config)# schedule-run 1 reboot_device.zysh daily 10:00 (the device will reboot at 10:00 every day). Figure 371
  • Page 249: Check The Reboot Status

    b. Router(config)# schedule-run 1 reboot_device.zysh weekly 10:00 sun (the device will reboot at 10:00 every Sunday). Figure 372. c. Router(config)# schedule-run 1 reboot_device.zysh monthly 10:00 23 (the device will reboot at 10:00 on the 23rd of every month). Figure 373. Check the Reboot Status. Log in to the device via console/telnet/SSH (using PuTTY in this example); the reboot runs as scheduled.
  • Page 250 Figure 374 PuTTY. Go to DASHBOARD > System Status and check System Uptime, Current Date/Time and Boot Status. Figure 375 DASHBOARD > System Status
  • Page 251: How To Continuously Run A Zysh Script

    How to continuously run a ZySH script. This example shows how to use shell scripts to run a ZySH script continuously and automatically for maintenance purposes. Figure 376 ZyWALL/USG continuously run a ZySH script Settings. Note: This example was tested using a USG110 (Firmware Version: ZLD 4.15).
  • Page 252: Set Up The Shell Script

    Set Up the Shell Script. Run the Windows Notepad application and enter the command shown below: Figure 377. Save this file as "disable_firewall.zysh". Figure 378. Run the Windows Notepad application and enter the command shown below: Figure 379. Save this file as "enable_firewall.zysh".
  • Page 253 Figure 380. In the ZyWALL/USG, go to MAINTENANCE > File Manager > Shell Script. Click Browse... to find the disable_firewall.zysh and enable_firewall.zysh files. Click Upload to begin the upload process. Figure 381. Set Up the Schedule Run. Log in to the device via console/telnet/SSH (using PuTTY in this example).
  • Page 254 Figure 382. Issue the commands below (Figure 383): Router> configure terminal, then Router(config)# schedule-run 1 disable_firewall.zysh daily 01:00. Check the Result: in the ZyWALL/USG, go to DASHBOARD. Refresh the Secure Service Status; the Security Policy Control is disabled at 1:00.
  • Page 255 Figure 384 DASHBOARD. In the ZyWALL/USG, go to DASHBOARD. Refresh the Secure Service Status; the Security Policy Control is enabled at 2:00. Figure 385 DASHBOARD