ZyXEL Communications ZyWALL 110 Handbook

ZyWALL/USG Series
ZyWALL 110 / 310 / 1100
USG40 / USG40W / USG60 / USG60W / USG110 / USG210 / USG310 / USG1100 / USG1900
Security Firewalls
Version 4.13 ~ 4.15
Edition 1, 3/2016
Quick Start Guide
Tutorial Handbook

Default Login Details
LAN Port IP Address: https://192.168.1.1
User Name: admin
Password: 1234

www.zyxel.com
Copyright © 2016 ZyXEL Communications Corporation

Summary of Contents for ZyXEL Communications ZyWALL 110

  • Page 2 This handbook is a series of tutorials that guides you through various applications of the ZyWALL/USG. The purpose of the handbook is to show you how to proceed through an application rather than to explain the meaning of GUI features. For the latter, see the Related Information section. Note: IP addresses, port numbers, and object names are just examples used in these tutorials, so you must replace them with the corresponding information from your own network environment when implementing a tutorial.
  • Page 3: Table of Contents

    Chapter 1 Set Up Your Network ... 10; 1.1 How to Get Started Using the Wizards ... 10; 1.1.1 Set Up the Internet Access (Ethernet) Wizard on the ZyWALL/USG ... 10; 1.1.2 Set Up the Internet Access (PPPoE) Wizard on the ZyWALL/USG ... 13; 1.1.3 Set Up the Internet Access (PPTP) Wizard on the ZyWALL/USG ... 16; 1.1.4 Set Up the Wireless Settings Wizard on the ZyWALL/USG ... 20; 1.1.5 Set Up the Device Registration on the ZyWALL/USG ... 21...
  • Page 4 2.3.1 Set Up the Wi-Fi Guest Account and Authentication Method on the ZyWALL/USG ... 43; 2.3.2 Set Up the Active Directory Server Account on the ZyWALL/USG ... 43; 2.3.3 Set Up the Security Policy on the ZyWALL/USG ... 44; 2.3.4 Test the Result ... 45; 2.3.5 What Can Go Wrong? ... 47; Chapter 3 Protect Your Network with UTM ... 48...
  • Page 5 3.6.3 Test the Result ... 77; 3.6.4 What Can Go Wrong? ... 77; 3.7 How To Control Access To Google Drive ... 78; 3.7.1 Set Up the Application Patrol on the ZyWALL/USG ... 78; 3.7.2 Set Up the SSL Inspection on the ZyWALL/USG ... 79; 3.7.3 Set Up the Security Policy on the ZyWALL/USG ... 80; 3.7.4 Export Certificate from ZyWALL/USG and Import it to Windows 7 Operating System ... 80; 3.7.5 Test the Result ... 83...
  • Page 6 4.2 How to Configure Site-to-site IPSec VPN Where the Peer has a Dynamic IP Address ... 110; 4.2.1 Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ) ... 111; 4.2.2 Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch has a Dynamic IP Address) ...
  • Page 7 4.8.12 Spoke_Branch_A ... 180; 4.8.13 Spoke_Branch_B ... 182; 4.8.14 Test the IPSec VPN Tunnel ... 184; 4.8.15 What Can Go Wrong? ... 186; 4.9 How to Use Dual-WAN to Perform Fail-Over on VPN Using the VPN Concentrator ... 187; 4.9.1 Set Up the IPSec VPN Tunnel on the ZyWALL/USG ... 187; 4.9.2 Hub_HQ-to-Branch_A ... 187; 4.9.3 Hub_HQ-to-Branch_B ... 189; 4.9.4 Hub_HQ Concentrator ... 191...
  • Page 8 5.6.1 Set Up the SSL VPN Tunnel on the ZyWALL/USG ... 240; 5.6.2 Set Up the SSL VPN Tunnel on the Apple MAC OS X 10.10 Operating System ... 243; 5.6.3 Test the SSL VPN Tunnel ... 246; 5.6.4 What Can Go Wrong? ... 248; 5.7 How to Deploy SSL VPN with Windows 10 Operating System ... 249; 5.7.1 Set Up the SSL VPN Tunnel on the ZyWALL/USG ... 249; 5.7.2 Set Up the SSL VPN Tunnel on the Windows 10 Operating System ... 252...
  • Page 9 7.2.1 Set Up the Application Patrol Profile on the ZyWALL/USG ... 278; 7.2.2 Set Up the Bandwidth Management for BitTorrent on the ZyWALL/USG ... 279; 7.2.3 Set Up the Bandwidth Management Global Setting on the ZyWALL/USG ... 279; 7.2.4 Test the Result ... 280; 7.2.5 What Can Go Wrong? ... 280; 7.3 How to Configure a Trunk for WAN Load Balancing with a Static or Dynamic IP Address ... 281; 7.3.1 Set Up the Available Bandwidth on WAN1 Interfaces on the ZyWALL/USG ... 281...
  • Page 10: Chapter 1 Set Up Your Network

    Chapter 1 Set Up Your Network 1.1 How to Get Started Using the Wizards When you log into the Web Configurator for the first time or when you reset the ZyWALL/USG to its default configuration, the Installation Setup Wizard screen displays. This is an example of using the ZyWALL/USG Wizards to configure Internet connection settings, wireless settings and device registration services.
  • Page 11 Chapter 1 Set Up Your Network Figure 2 Installation Setup Wizard > Welcome In the Internet Access page, you can configure Internet connections from two Internet service providers (ISPs). Connect your ISP devices to the ZyWALL/USG WAN ports, then select I have two ISPs if you want to configure two Internet connections, or leave it cleared to configure just one.
  • Page 12 Chapter 1 Set Up Your Network Figure 3 Installation Setup Wizard > Welcome > Internet Access Enter the IP Address, IP Subnet Mask and Gateway IP Address exactly as given by your ISP or network administrator. First/Second DNS Servers are optional. Click Next. Figure 4 Installation Setup Wizard >...
  • Page 13: Set Up the Internet Access (PPPoE) Wizard on the ZyWALL/USG

    Chapter 1 Set Up Your Network The Internet Access Succeed page displays a summary of the Internet access settings for the first WAN interface. If you selected I have two ISPs in Internet Access > ISP Setting, click Next to configure the second WAN interface, or continue to the Wireless Settings page. Figure 5 Installation Setup Wizard >...
  • Page 14 Chapter 1 Set Up Your Network Figure 6 Installation Setup Wizard > Welcome In the Internet Access page, you can configure Internet connections from two Internet service providers (ISPs). Connect your ISP devices to the ZyWALL/USG WAN ports, then select I have two ISPs if you want to configure two Internet connections, or leave it cleared to configure just one.
  • Page 15 Chapter 1 Set Up Your Network Figure 7 Installation Setup Wizard > Welcome > Internet Access Select the Authentication Type to match the authentication method used by the remote node. Enter the User Name and Password exactly as given by your ISP or network administrator. Select Nailed-Up if you want to keep the connection always up, or type the desired Idle Timeout value in seconds.
  • Page 16: Set Up the Internet Access (PPTP) Wizard on the ZyWALL/USG

    Chapter 1 Set Up Your Network The Internet Access Succeed page displays a summary of the Internet access settings for the first WAN interface. If you selected I have two ISPs in Internet Access > ISP Setting, click Next to configure the second WAN interface. Figure 9 Installation Setup Wizard >...
  • Page 17 Chapter 1 Set Up Your Network Figure 10 Installation Setup Wizard > Welcome In the Internet Access page, you can configure Internet connections from two Internet service providers (ISPs). Connect your ISP devices to the ZyWALL/USG WAN ports, then select I have two ISPs if you want to configure two Internet connections, or leave it cleared to configure just one.
  • Page 18 Chapter 1 Set Up Your Network Figure 11 Installation Setup Wizard > Welcome > Internet Access Select the Authentication Type to match the authentication method used by the remote node. Enter the User Name and Password exactly as given by your ISP or network administrator. Select Nailed-Up if you want to keep the connection always up, or type the desired Idle Timeout value in seconds.
  • Page 19 Chapter 1 Set Up Your Network Figure 12 Installation Setup Wizard > Welcome > Internet Access The Internet Access Succeed page displays a summary of the Internet access settings for the first WAN interface. If you selected I have two ISPs in Internet Access > ISP Setting, click Next to configure the second WAN interface.
  • Page 20: Set Up the Wireless Settings Wizard on the ZyWALL/USG

    Chapter 1 Set Up Your Network 1.1.4 Set Up the Wireless Settings Wizard on the ZyWALL/USG In the Wireless Settings page, select Yes if you want the ZyWALL/USG to enable the AP Controller feature in your network; select No if you want to skip this setting. Click Next. Figure 14 Installation Setup Wizard >...
  • Page 21: Set Up the Device Registration on the ZyWALL/USG

    Chapter 1 Set Up Your Network Figure 15 Installation Setup Wizard > Welcome > Internet Access > Internet Access Succeed > Wireless Settings 1.1.5 Set Up the Device Registration on the ZyWALL/USG The ZyWALL/USG must be connected to the Internet in order to register. Click portal.myzyxel.com to register the device; you need the ZyWALL/USG’s serial number and LAN MAC address to register it.
  • Page 22: How to Configure the 3G/LTE Interface on the ZyWALL/USG as a WAN Backup

    Chapter 1 Set Up Your Network Figure 16 Installation Setup Wizard > Welcome > Internet Access > Internet Access Succeed > Wireless Settings > Device Registration 1.2 How to Configure the 3G/LTE Interface on the ZyWALL/USG as a WAN Backup This is an example of using the ZyWALL/USG to configure the 3G/LTE interface as a WAN backup, so that the ZyWALL/USG keeps providing Internet connectivity when the primary WAN interface is down.
  • Page 23: Set Up the 3G/LTE Interface on the ZyWALL/USG

    Chapter 1 Set Up Your Network Note: This example includes weighted load balancing (Weighted Round Robin) so that most of your Internet traffic is handled by the ISP connected to wan1 before it fails over to 3G/LTE. All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks.
  • Page 24: Test The Result

    Chapter 1 Set Up Your Network Figure 21 CONFIGURATION > Network > Interface > Trunk > User Configuration > Add Trunk In the Configuration screen, go to the Default WAN Trunk section, select User Configured Trunk and select the newly created Trunk from the list box. Click Apply. Figure 22 CONFIGURATION >...
  • Page 25: What Can Go Wrong

    Chapter 1 Set Up Your Network Figure 24 MONITOR > Interface Status > Interface Statistics 1.2.4 What Can Go Wrong? If there is no traffic going through the cellular interface when the other interfaces are down, please make sure you have a compatible mobile broadband device installed or connected. Go to http://www.zyxel.com/support/download_landing.shtml and see the 3G Dongle Document to check the compatible mobile broadband devices.
  • Page 26: Set Up the Port Grouping on the ZyWALL/USG

    Chapter 1 Set Up Your Network 1.3.1 Set Up the Port Grouping on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Port Grouping, select the ports that you want to assign to a representative Interface (in this example, Port 4 and Port 5 are configured as ge5).
  • Page 27: Set Up the Routing on the ZyWALL/USG

    Chapter 1 Set Up Your Network Figure 28 CONFIGURATION > Network > Interface > VLAN > vlan1 Figure 29 CONFIGURATION > Network > Interface > VLAN > vlan1:1 1.3.3 Set Up the Routing on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Routing, set Next-Hop Type to be Interface and set Interface to be the vlan1.
  • Page 28: What Can Go Wrong

    Chapter 1 Set Up Your Network Figure 31 MONITOR > Interface Status > Interface Statistics 1.3.5 What Can Go Wrong? If you cannot configure a particular VLAN interface on top of an Ethernet interface, please check whether this VLAN has already been created on top of another Ethernet interface. 1.4 How to Let a Server Use the Same Public IP Address as the WAN Interface Using the Bridge Interface This is an example of using the ZyWALL/USG to configure an internal server in bridge mode without...
  • Page 29: Set Up the Bridge Interface on the ZyWALL/USG

    Chapter 1 Set Up Your Network 1.4.1 Set Up the Bridge Interface on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Bridge > add Bridge, select Interface Type to be the general type, select Zone to be the LAN zone. In the Member Configuration, select internal server (IntServer1 interface in this example) and public IP address (Public WAN interface in this example) to be in the same member group.
  • Page 30: What Can Go Wrong

    Chapter 1 Set Up Your Network Figure 34 MONITOR > Interface Status > Interface Statistics The server can access the Internet successfully using its own IP address (172.124.163.158 in this example), and Internet users can also reach the server at this public address. Figure 35 Windows 7 >...
  • Page 31: Set Up the NAT on the ZyWALL/USG

    Chapter 1 Set Up Your Network Figure 36 ZyWALL/USG enables Public Access to a Server with NAT Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG310 (Firmware Version: ZLD 4.13).
  • Page 32: Test The Result

    Chapter 1 Set Up Your Network Figure 38 CONFIGURATION > Security Policy > Policy Control > add corresponding 1.5.3 Test the Result Type http://172.251.31.90/ into the browser; it displays the HTTP service page. Figure 39 1.5.4 What Can Go Wrong? If you cannot access your server via its public IP address, please make sure all your public IP addresses are routed properly.
  • Page 33 Chapter 1 Set Up Your Network Figure 40 Monitor > Log Note: By default, Security Policy rules do not generate log notifications (except PolicyDefault). If you want to check which policy may be blocking the traffic, select that policy and set Log matched traffic to log or log alert. ZyWALL/USG Series User’s Guide...
  • Page 34: Chapter 2 Set Up WiFi

    Chapter 2 Set Up WiFi 2.1 How to Set Up a WiFi Network with ZyXEL APs This is an example of using the ZyWALL/USG to manage the Access Points (APs) and allow wireless access to the network. Figure 41 ZyWALL/USG as AP Controller Example Note: All network IP addresses and subnet masks are used as examples in this article.
  • Page 35 Chapter 2 Set Up WiFi Go to MONITOR > Wireless > AP Information > AP List and the ZyXEL AP is listed. A green question mark displays in the Status column since the AP is not yet managed by the ZyWALL/USG. Select the listed AP and click Add to Mgnt AP List on the upper bar.
  • Page 36: Test The Result

    Chapter 2 Set Up WiFi 2.1.2 Test the Result Go to the ZyWALL/USG Monitor > Wireless > AP Information > AP List, where you can check the list of APs currently connected to it and detailed information such as Registration type, Model and Recent On-line Time / Last Off-line Time.
  • Page 37: How to Set Up Guest WiFi Network Accounts

    Chapter 2 Set Up WiFi 2.2 How to Set Up Guest WiFi Network Accounts This is an example of using ZyWALL/USG to configure guest WiFi accounts to allow limited wireless access to the Internet using only HTTP, HTTPS, and DNS protocols. For the wireless network setup, please see the tutorial about How to Set Up WiFi with ZyXEL AP.
  • Page 38: Set Up the Web Authentication on the ZyWALL/USG

    Chapter 2 Set Up WiFi In the ZyWALL/USG, go to CONFIGURATION > Object > Address > Add Address Rule to create the guest Wi-Fi user access subnet. In this example, AP is connected to ZyWALL/USG LAN interface 192.168.2.0/24. Configure the Name for you to identify the Wi-Fi guest subnet. Set the Network to be 192.168.2.0 and set the Netmask to be 255.255.255.0.
  • Page 39: Set Up the Security Policy on the ZyWALL/USG

    Chapter 2 Set Up WiFi Figure 54 CONFIGURATION > Web Authentication > Web Authentication Policy Summary > Auth. Policy Add In the ZyWALL/USG, go to CONFIGURATION > Web Authentication > General Settings and select Enable Web Authentication. Figure 55 CONFIGURATION > Web Authentication > General Settings 2.2.3 Set Up the Security Policy on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION >...
  • Page 40 Chapter 2 Set Up WiFi Figure 57 Type the Wi-Fi guest User Name and Password, then click Login. Figure 58 The access session page will appear.
  • Page 41 Chapter 2 Set Up WiFi Figure 59 Go to the ZyWALL/USG Monitor > System Status > Login Users; the current login user list is shown as below. Figure 60 Monitor > System Status > Login Users Attempt to access an FTP server (a prohibited service in this example); an error message is returned. Figure 61 Go to the ZyWALL/USG Monitor >...
  • Page 42: What Can Go Wrong

    Chapter 2 Set Up WiFi 2.2.5 What Can Go Wrong? If you see [notice] log shown as below, the Wi-Fi guest traffic is blocked by the priority 1 Security Policy. The ZyWALL/USG checks the security policy in order and applies the first security policy to the matched traffic.
  • Page 43: Set Up the Wi-Fi Guest Account and Authentication Method on the ZyWALL/USG

    Chapter 2 Set Up WiFi 2.3.1 Set Up the Wi-Fi Guest Account and Authentication Method on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Object > User/Group > User > ad-users, set the Authentication Timeout Settings to Use Manual Settings and enter the number of minutes this user has to renew the current session before the user is logged out.
  • Page 44: Set Up the Security Policy on the ZyWALL/USG

    Chapter 2 Set Up WiFi Figure 68 CONFIGURATION > Object > AAA Server > Active Directory > Add Active Directory Scroll down to the Configuration Validation section, use a user account from the server specified above to test if the configuration is correct. Enter the account’s user name (wifi_guest in this example) in the Username field and click Test.
  • Page 45: Test The Result

    Chapter 2 Set Up WiFi Figure 70 CONFIGURATION > Security Policy > Policy > Add corresponding 2.3.4 Test the Result Use a mobile device to connect to the AP that is connected to the ZyWALL/USG. When you try to access the Internet, you are redirected to the user login screen. Figure 71 Type the Wi-Fi guest User Name and Password, then click Login.
  • Page 46 Chapter 2 Set Up WiFi Figure 72 The access session page will appear. Figure 73 Go to the ZyWALL/USG Monitor > System Status > Login Users; the current login user list is shown as below. Figure 74 Monitor > System Status > Login Users
  • Page 47: What Can Go Wrong

    Chapter 2 Set Up WiFi 2.3.5 What Can Go Wrong? If you see [notice] log shown as below, the Wi-Fi guest traffic is blocked by the priority 1 Security Policy. The ZyWALL/USG checks the security policy in order and applies the first security policy the traffic matches.
  • Page 48: Protect Your Network with UTM

    Chapter 3 Protect Your Network with UTM 3.1 How To Register Your Device and Services at myZyXEL.com myZyXEL.com is ZyXEL’s online services center where you can register your ZyXEL device and manage the subscription services available for the device. To update signature files or use a subscription service, you have to register the device and activate the corresponding service at myZyXEL.com.
  • Page 49 Chapter 3 Protect Your Network with UTM Figure 78 CONFIGURATION > Licensing > Registration Click Not a Member Yet to open the Sign Up screen where you can create an account. Figure 79 myZyXEL.com > Not a Member Yet Select Registration Type to create an Individual account or a Business account. An Individual account is for non-commercial end users of ZyXEL products.
  • Page 50: Device Registration

    Chapter 3 Protect Your Network with UTM After you click Submit, myZyXEL.com 2.0 will send you an account activation notification e-mail. Click the URL link in the e-mail to activate your account and log into myZyXEL.com 2.0. Figure 81 After e-mail activation, sign in to myZyXEL.com 2.0 to register or manage your devices and services. If you have a business account, please go to the account page and press the Reseller Request button.
  • Page 51: Service Registration (In The Case Of Standard License)

    Chapter 3 Protect Your Network with UTM 3.1.3 Service Registration (In the Case of Standard License) Click Service Registration in the navigation panel to open the screen. Fill in the License Key as shown on E-iCard License. Figure 84 Go to the Service Management page and click the Link button. Select the device then click the Activate button to initiate the services license.
  • Page 52: Refresh Service

    Chapter 3 Protect Your Network with UTM Figure 87 3.1.5 Refresh Service After the service is activated, please go to the ZyWALL/USG CONFIGURATION > Licensing > Registration > Service and click the Service License Refresh button to update the Status. Figure 88 3.1.6 What Can Go Wrong? If you can’t activate your device’s service license, please check if you entered the correct license key.
  • Page 53: How to Schedule YouTube Access

    Chapter 3 Protect Your Network with UTM If you forget your registered email address on myZyXEL.com, please go to the link below and submit a request to ZyXEL support team for further support: http://www.zyxel.com/form/Support_Feedback.shtml 3.2 How To Schedule YouTube Access This is an example of using the ZyWALL/USG UTM Profile and Security Policy to control access to the network.
  • Page 54: Create the Application Objects on the ZyWALL/USG

    Chapter 3 Protect Your Network with UTM 3.2.2 Create the Application Objects on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Object > Application > Add Application Rule. Configure a Name for you to identify the Application Profile. Then, click Add to create an Application Object.
  • Page 55: Set Up SSL Inspection on the ZyWALL/USG

    Chapter 3 Protect Your Network with UTM 3.2.4 Set Up SSL Inspection on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > SSL Inspection > Add rule, configure a Name for you to identify the SSL Inspection profile. Then, select the CA Certificate to be the certificate used in this profile.
  • Page 56: Export Certificate from ZyWALL/USG and Import It to Windows 7 Operating System

    Chapter 3 Protect Your Network with UTM 3.2.6 Export Certificate from ZyWALL/USG and Import it to Windows 7 Operating System When SSL inspection is enabled and the browser does not trust the ZyWALL/USG certificate presented for an accessed website, the browser will display a warning page about security certificate problems. Go to ZyWALL/USG CONFIGURATION >...
  • Page 57 Chapter 3 Protect Your Network with UTM Figure 102 File > Add/Remove Snap-in... In the Available snap-ins, select Certificates and click the Add button. Select Computer account > Local Computer. Then, click Finished and OK to close the Snap-ins window. Figure 103 Available snap-ins >...
  • Page 58 Chapter 3 Protect Your Network with UTM Figure 105 Click Next, type zyx123 in the Password field and click Next again. Figure 106 Step 10: Select Place all certificates in the following store, then click Browse and find Trusted Root Certification Authorities. Click Next, then click Finish. Figure 107 Note: Each ZyWALL/USG device has its own self-signed certificate by factory default.
  • Page 59: Test The Result

    Chapter 3 Protect Your Network with UTM 3.2.7 Test the Result Type http://www.youtube.com/ or https://www.youtube.com/ into the browser. An error message occurs. Figure 108 Go to the ZyWALL/USG Monitor > Log, where you will see an [alert] log message such as the one below. Figure 109 3.2.8 What Can Go Wrong? If you are not able to configure any Application Patrol policies or it’s not working, there are two possible reasons:...
  • Page 60: Set Up the Security Policy on the ZyWALL/USG for Employees

    Chapter 3 Protect Your Network with UTM Figure 110 Exempt Specific Users From Security Control Example Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG310 (Firmware Version: ZLD 4.13).
  • Page 61: Set Up the Security Policy on the ZyWALL/USG for Executives

    Chapter 3 Protect Your Network with UTM Figure 112 CONFIGURATION > Security Policy > Policy Control > Add corresponding > Employees_Security 3.3.2 Set Up the Security Policy on the ZyWALL/USG for Executives In the ZyWALL/USG, go to CONFIGURATION > Object > User/Group > Add A User to create User Name/Password for each executive.
  • Page 62: Test The Result

    Chapter 3 Protect Your Network with UTM Figure 114 CONFIGURATION > Object > Address Group > Add Address Group Rule Set up Security Policy for executives, go to CONFIGURATION > Security Policy > Policy Control > Add corresponding, configure a Name for you to identify the executives’ Security Policy profile.
  • Page 63: What Can Go Wrong

    Chapter 3 Protect Your Network with UTM Go to the ZyWALL/USG Monitor > Log, where you will see [notice] log messages such as those below. In this example result, a connection from executive_1 has a user login message and is always accompanied by ACCESS FORWARD information. A connection from an employee address (192.168.30.9) shows ACCESS BLOCK information for some of the services. Figure 116 Monitor >...
  • Page 64: Set Up the ADP Profile on the ZyWALL/USG

    Chapter 3 Protect Your Network with UTM Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG310 (Firmware Version: ZLD 4.13). 3.4.1 Set Up the ADP Profile on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION >...
  • Page 65 Chapter 3 Protect Your Network with UTM Figure 119 CONFIGURATION > Security Policy > ADP > Profile > Base Profile > Traffic Anomaly Click the Protocol Anomaly tab. A Name is automatically generated that you can edit. Enable or disable individual rules by selecting a row and clicking Activate or Inactivate. Edit the default log options and actions by selecting a row and making a selection in the Log or Action drop-down menus.
  • Page 66: Test The Result

    Chapter 3 Protect Your Network with UTM Figure 120 CONFIGURATION > Security Policy > ADP > Profile > Base Profile > Protocol Anomaly Go to CONFIGURATION > Security Policy > ADP > General, select Enable Anomaly Detection and Prevention. Then, select the just created Anomaly Profile and click Apply. Figure 121 CONFIGURATION >...
  • Page 67: What Can Go Wrong

    Chapter 3 Protect Your Network with UTM Figure 122 Step 2: Go to the ZyWALL/USG Monitor > Log, where you will see a [warn] log message such as the one below. Figure 123 Monitor > Log 3.4.3 What Can Go Wrong? You may find that certain rules are triggering too many false positives or false negatives. A false positive is when valid traffic is flagged as an attack.
  • Page 68: Set Up the Content Filter on the ZyWALL/USG

    Chapter 3 Protect Your Network with UTM Figure 124 ZyWALL/USG with Block Facebook Settings Example Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG310 (Firmware Version: ZLD 4.13).
  • Page 69: Set Up the SSL Inspection on the ZyWALL/USG

    Chapter 3 Protect Your Network with UTM 3.5.2 Set Up the SSL Inspection on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > SSL Inspection > Add rule, configure a Name for you to identify the SSL Inspection profile. Then, select the CA Certificate to be the certificate used in this profile.
  • Page 70: Export Certificate from ZyWALL/USG and Import It to Windows 7 Operating System

    Chapter 3 Protect Your Network with UTM 3.5.4 Export Certificate from ZyWALL/USG and Import it to Windows 7 Operating System When SSL inspection is enabled and the browser does not trust the ZyWALL/USG certificate presented for an accessed website, the browser will display a warning page about security certificate problems. Go to ZyWALL/USG CONFIGURATION >...
  • Page 71 Chapter 3 Protect Your Network with UTM Figure 133 File > Add/Remove Snap-in... In the Available snap-ins, select Certificates and click the Add button. Select Computer account > Local Computer. Then, click Finished and OK to close the Snap-ins window. Figure 134 Available snap-ins >...
  • Page 72: Test The Result

    Chapter 3 Protect Your Network with UTM Figure 136 Click Next, type zyx123 in the Password field and click Next again. Figure 137 Step 10: Select Place all certificates in the following store, then click Browse and find Trusted Root Certification Authorities. Click Next, then click Finish. Figure 138 Note: Each ZyWALL/USG device has its own self-signed certificate by factory default.
  • Page 73: What Can Go Wrong

    Chapter 3 Protect Your Network with UTM Figure 139 Go to the ZyWALL/USG Monitor > Log, where you will see an [alert] log message such as the one below. Figure 140 Monitor > Log 3.5.6 What Can Go Wrong? If you are not able to configure any Content Filter policies or it’s not working, there are two possible reasons: You have not subscribed for the Content Filter service.
  • Page 74: Set Up the Security Policy on the ZyWALL/USG for Employees

    Chapter 3 Protect Your Network with UTM Figure 141 ZyWALL/USG with Exempt Specific Users From a Blocked Website Example Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG310 (Firmware Version: ZLD 4.13).
  • Page 75: Set Up the Security Policy on the ZyWALL/USG for Executives

    Chapter 3 Protect Your Network with UTM Set up Security Policy for employees, go to CONFIGURATION > Security Policy > Policy Control > Add corresponding, configure a Name for you to identify the employees’ Security Policy profile. For From and To policies, select the direction of travel of packets to which the policy applies. Select Source to be the Employees to apply the policy to all traffic coming from them.
  • Page 76 Chapter 3 Protect Your Network with UTM CONFIGURATION > Object > Address > Add Address Rule Figure 144 Then, go to CONFIGURATION > Object > Address Group > Add Address Group Rule to create a Group Members’ Name and move the just created executives address object to Member.
  • Page 77: Test The Result

    Chapter 3 Protect Your Network with UTM Figure 146 CONFIGURATION > Security Policy > Policy Control > Add corresponding > Executives_Security 3.6.3 Test the Result Connect to the Internet from two computers: one from the executive_2 address (192.168.10.2) and one from an employee address (192.168.20.1), and access https://hangouts.google.com/ from both. Go to the ZyWALL/USG Monitor >...
  • Page 78: How To Control Access To Google Drive

    Chapter 3 Protect Your Network with UTM You have subscribed for the UTM service but the license has expired. You can click the link from the CONFIGURATION > Licensing > Registration screen of your ZyXEL device’s Web Configurator or click the myZyXEL.com 2.0 icon from the portal page (https://portal.myzyxel.com/) to register or extend your UTM license.
  • Page 79: Set Up the SSL Inspection on the ZyWALL/USG

    Chapter 3 Protect Your Network with UTM Figure 150 CONFIGURATION > Object > Application > Add Application Rule > Add Application Object Go to CONFIGURATION > UTM Profile > App Patrol > Add rule, configure a Name for you to identify the App Patrol profile.
  • Page 80: Set Up The Security Policy On The Zywall/Usg

    Chapter 3 Protect Your Network with UTM Figure 153 CONFIGURATION > UTM Profile > SSL Inspection > Add rule 3.7.3 Set Up the Security Policy on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Security Policy > Policy Control, configure a Name for you to identify the Security Policy profile.
  • Page 81 Chapter 3 Protect Your Network with UTM Figure 155 CONFIGURATION > Object > Certificate > default Figure 156 CONFIGURATION > Object > Certificate > default > Edit > Export Certificate with Private Key Save the default certificate as a *.p12 file on the Windows 7 Operating System. Figure 157 default.p12 In the Windows 7 Operating System Start Menu >...
  • Page 82 Chapter 3 Protect Your Network with UTM Figure 160 Available snap-ins > Certificates > Add In the mmc console window, open the Certificates (Local Computer) > Trusted Root Certification Authorities, right click Certificate > All Tasks > Import… Figure 161 Click Next.
  • Page 83: Test The Result

    Chapter 3 Protect Your Network with UTM 10 Select Place all certificates in the following store, then click Browse and find Trusted Root Certification Authorities. Click Next, then click Finish. Figure 164 Note: Each ZyWALL/USG device has its own self-signed certificate by factory default. When you reset to the default configuration file, the original self-signed certificate is erased, and a new self-signed certificate is created the next time the ZyWALL/USG boots.
  • Page 84: How To Block Https Websites Using Content Filtering And Ssl Inspection

    Chapter 3 Protect Your Network with UTM 3.8 How To Block HTTPS Websites Using Content Filtering and SSL Inspection This is an example of using ZyWALL/USG Content Filtering, SSL Inspection and Security Policy to block access to malicious or non-business-related websites. Figure 167 ZyWALL/USG with Block HTTPS Websites Using Content Filtering and SSL Inspection Settings Example Note: All network IP addresses and subnet masks are used as examples in this article.
  • Page 85: Set Up Ssl Inspection On The Zywall/Usg

    Chapter 3 Protect Your Network with UTM Scroll down to the Managed Categories section and select the categories that are not business-related. Click OK. Figure 170 CONFIGURATION > UTM Profile > Content Filter > Profile > Profile Management > Add Filter File >...
  • Page 86: Set Up The Security Policy On The Zywall/Usg

    Chapter 3 Protect Your Network with UTM 3.8.3 Set Up the Security Policy on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Security Policy > Policy Control, configure a Name for you to identify the Security Policy profile. For From and To policies, select the direction of travel of packets to which the policy applies.
  • Page 87 Chapter 3 Protect Your Network with UTM Figure 175 CONFIGURATION > Object > Certificate > default > Edit > Export Certificate with Private Key Save the default certificate as a *.p12 file on the Windows 7 Operating System. Figure 176 default.p12 In the Windows 7 Operating System Start Menu > Search Box, type mmc and press Enter. Figure 177 Start Menu >...
  • Page 88 Chapter 3 Protect Your Network with UTM Figure 179 Available snap-ins > Certificates > Add In the mmc console window, open the Certificates (Local Computer) > Trusted Root Certification Authorities, right click Certificate > All Tasks > Import… Figure 180 Click Next.
  • Page 89: Test The Result

    Chapter 3 Protect Your Network with UTM 10 Select Place all certificates in the following store, then click Browse and find Trusted Root Certification Authorities. Click Next, then click Finish. Figure 183 Note: Each ZyWALL/USG device has its own self-signed certificate by factory default. When you reset to the default configuration file, the original self-signed certificate is erased, and a new self-signed certificate is created the next time the ZyWALL/USG boots.
  • Page 90: How To Block The Spotify Music Streaming Service

    Chapter 3 Protect Your Network with UTM 3.9 How To Block the Spotify Music Streaming Service This is an example of using a ZyWALL/USG IDP Profile to block DNS query packets. When the Spotify software launches, it sends a DNS query for Spotify's public server. In this example, you create a custom IDP signature to block a DNS query packet if the packet contains the Spotify signature.
  • Page 91: Test The Result

    Chapter 3 Protect Your Network with UTM Figure 188 CONFIGURATION > Security Policy > IDP > Custom Signatures > Add Custom Signatures > Payload Options In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > IDP > Profile > Base Profile. A pop-up screen appears; select a Base Profile to go to the profile details screen.
  • Page 92: What Can Go Wrong

    Chapter 3 Protect Your Network with UTM 3.9.3 What Can Go Wrong? If you are not able to configure any IDP policies or they are not working, there are two possible reasons: You have not subscribed for the IDP service. You have subscribed for the IDP service but the license has expired.
  • Page 93: Set Up The Anti-Virus Profile On The Zywall/Usg

    Chapter 3 Protect Your Network with UTM 3.10.1 Set Up the Anti-Virus Profile on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > Anti-Virus > Profile > Profile Management > Add rule, configure a Name for you to identify the Anti-Virus Profile. Select Log type to be log alert in order to view the result later.
  • Page 94: Test The Result

    Chapter 3 Protect Your Network with UTM 3.10.3 Test the Result Download the EICAR test malware file to test the result: http://www.eicar.org/85-0-Download.html Figure 196 Go to the ZyWALL/USG Monitor > Log to see a [crit] log message such as the one below. Figure 197 Monitor > Log 3.10.4 What Can Go Wrong? If you are not able to see the log message, the EICAR virus file might have been detected and blocked by other Anti-Virus software before the ZyWALL/USG scanned the file.
  • Page 95: Set Up The Anti-Virus Profile On The Zywall/Usg

    Chapter 3 Protect Your Network with UTM Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG310 (Firmware Version: ZLD 4.13). 3.11.1 Set Up the Anti-Virus Profile on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION >...
  • Page 96: Set Up The Security Policy On The Zywall/Usg

    Chapter 3 Protect Your Network with UTM Figure 201 CONFIGURATION > UTM Profile > Anti-Virus > Black/White List > Black List > General Settings 3.11.2 Set Up the Security Policy on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Security Policy > Policy Control, configure a Name for you to identify the Security Policy profile.
  • Page 97: Test The Result

    Chapter 3 Protect Your Network with UTM 3.11.3 Test the Result When you download a PDF file from the HTTP server, the browser will display: Failed to load PDF document. Figure 203 When you download a PDF file from the FTP server, the browser won’t be able to display content. Figure 204 Go to the ZyWALL/USG Monitor >...
  • Page 98: How To Configure An Anti-Spam Policy With Mail Scan And Dnsbl

    Chapter 3 Protect Your Network with UTM 3.12 How To Configure an Anti-Spam Policy with Mail Scan and DNSBL This is an example of using the ZyWALL/USG UTM Profile to mark or discard spam (unsolicited commercial or junk e-mail). Use the Anti-Spam white list to identify legitimate e-mail. Use the Anti-Spam black list to identify spam e-mail.
  • Page 99 Chapter 3 Protect Your Network with UTM In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > Anti-Spam > Mail Scan. Select Enable Sender Reputation Checking (SMTP only) to have the ZyWALL/USG scan for spam e-mail by IP reputation. Select Enable Mail Content Analysis to identify spam e-mail by content, such as malicious content.
  • Page 100: Set Up The Security Policy On The Zywall/Usg

    Chapter 3 Protect Your Network with UTM Figure 210 CONFIGURATION > UTM Profile > Anti-Virus > Black/White List > Black List > Rule Summary > Add rule In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > Anti-Spam > DNSBL, select Enable DNS Black List (DNSBL) Checking and enter the DNSBL Domain for a DNSBL service (zen.spamhaus.org in this example).
  • Page 101: Test The Result

    Chapter 3 Protect Your Network with UTM Figure 212 CONFIGURATION > Security Policy > Policy Control 3.12.3 Test the Result Send an e-mail whose subject contains “sell”. Figure 213 You will receive the mail with a [Spam] tag in the subject.
  • Page 102: What Can Go Wrong

    Chapter 3 Protect Your Network with UTM Figure 214 Go to the ZyWALL/USG Monitor > Log; you will see an [alert] log message such as the one below. Figure 215 Monitor > Log 3.12.4 What Can Go Wrong? If you are not able to configure any Anti-Spam policies or they are not working, there are two possible reasons: You have not subscribed for the Anti-Spam service.
  • Page 104: Create Site-To-Site Vpn Tunnels

    Chapter 4 Create Site-to-Site VPN Tunnels 4.1 How to Configure Site-to-site IPSec VPN Where the Peer has a Static IP Address This example shows how to use the VPN Setup Wizard to create a site-to-site VPN where the peer has a static IP address.
  • Page 105 Chapter 4 Create Site-to-Site VPN Tunnels Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and use a pre-shared key as the authentication method. Click Next. Figure 218 Quick Setup > VPN Setup Wizard > Wizard Type Type the Rule Name used to identify this VPN connection (and VPN gateway).
  • Page 106 Chapter 4 Create Site-to-Site VPN Tunnels Figure 221 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN >...
  • Page 107: Set Up The Zywall/Usg Ipsec Vpn Tunnel Of Corporate Network (Branch)

    Chapter 4 Create Site-to-Site VPN Tunnels 4.1.2 Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch) In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard, use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG. Click Next. Figure 224 Quick Setup >...
  • Page 108 Chapter 4 Create Site-to-Site VPN Tunnels Configure Secure Gateway IP as the peer ZyWALL/USG’s WAN IP address (in the example, 172.101.30.68). Type a secure Pre-Shared Key (8-32 characters). Set Local Policy to be the IP address range of the network connected to the ZyWALL/USG and Remote Policy to be the IP address range of the network connected to the peer ZyWALL/USG.
  • Page 109: Test The Ipsec Vpn Tunnel

    Chapter 4 Create Site-to-Site VPN Tunnels Figure 230 CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type 4.1.3 Test the IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar.
  • Page 110: What Can Go Wrong

    Chapter 4 Create Site-to-Site VPN Tunnels 4.1.4 What Can Go Wrong? If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1 Settings. The ZyWALL/USG at the HQ site and the one at the Branch site must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
  • Page 111: Set Up The Zywall/Usg Ipsec Vpn Tunnel Of Corporate Network (Hq)

    Chapter 4 Create Site-to-Site VPN Tunnels Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG310 (Firmware Version: ZLD 4.13). 4.2.1 Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ) In the ZyWALL/USG, go to CONFIGURATION >...
  • Page 112 Chapter 4 Create Site-to-Site VPN Tunnels Figure 240 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Type a secure Pre-Shared Key (8-32 characters). Then, set Local Policy to be the IP address range of the network connected to the ZyWALL/USG and Remote Policy to be the IP address range of the network connected to the peer ZyWALL/USG.
  • Page 113: Set Up The Zywall/Usg Ipsec Vpn Tunnel Of Corporate Network (Branch Has A Dynamic Ip Address)

    Chapter 4 Create Site-to-Site VPN Tunnels Figure 243 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings > Wizard completed Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show Advanced Settings. Configure Authentication > Peer ID Type as Any so that the ZyWALL/USG does not check the identity content of the remote IPSec router.
  • Page 114 Chapter 4 Create Site-to-Site VPN Tunnels Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and to use a pre-shared key. Click Next. Figure 246 Quick Setup > VPN Setup Wizard > Wizard Type Type the Rule Name used to identify this VPN connection (and VPN gateway).
  • Page 115: Test The Ipsec Vpn Tunnel

    Chapter 4 Create Site-to-Site VPN Tunnels Figure 249 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN >...
  • Page 116: What Can Go Wrong

    Chapter 4 Create Site-to-Site VPN Tunnels Figure 252 CONFIGURATION > VPN > IPSec VPN > VPN Connection Go to MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and Inbound(Bytes)/Outbound(Bytes) Traffic. Figure 253 MONITOR > VPN Monitor > IPSec To test whether or not a tunnel is working, ping from a computer at one site to a computer at the other.
  • Page 117: How To Configure Site-To-Site Ipsec Vpn With Fortigate

    Chapter 4 Create Site-to-Site VPN Tunnels If you see that the Phase 1 IKE SA process has completed but you still get the [info] log message below, check the ZyWALL/USG Phase 2 Settings. The ZyWALL/USG at the HQ site and the one at the Branch site must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IKE SA.
  • Page 118 Chapter 4 Create Site-to-Site VPN Tunnels Figure 259 Quick Setup > VPN Setup Wizard > Welcome Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and use a pre-shared key as the authentication method. Click Next. Figure 260 Quick Setup >...
  • Page 119 Chapter 4 Create Site-to-Site VPN Tunnels Figure 262 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration) This screen provides a read-only summary of the VPN tunnel. Click Save. Figure 263 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG.
  • Page 120: Set Up The Ipsec Vpn Tunnel On The Fortigate

    Chapter 4 Create Site-to-Site VPN Tunnels Figure 266 CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type 4.3.2 Set Up the IPSec VPN Tunnel on the FortiGate In the FortiGate VPN > IPsec > Wizard > Custom VPN Tunnel (No Template), use the VPN Setup to create a Site-to-site VPN rule Name.
  • Page 121 Chapter 4 Create Site-to-Site VPN Tunnels Go to Authentication section, enter Pre-shared Key and choose negotiation Mode the same as the peer ZyWALL/USG’s. Figure 269 VPN > IPsec > Wizard > Custom VPN Tunnel (No Template) > Authentication Configure Phase 1 Proposal and Diffie-Hellman Group as the peer ZyWALL/USG Advanced Settings’ Phase 1 Settings >...
  • Page 122 Chapter 4 Create Site-to-Site VPN Tunnels Figure 271 VPN > IPsec > Wizard > Custom VPN Tunnel (No Template) > Phase 2 Selectors This screen provides a summary of the VPN tunnel. Click OK to exit the configuration page.
  • Page 123: Test The Ipsec Vpn Tunnel

    Chapter 4 Create Site-to-Site VPN Tunnels Figure 272 VPN > IPsec > Wizard > Custom VPN Tunnel (No Template) 4.3.3 Test the IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection, click Connect on the upper bar. The Status connect icon is lit when the interface is connected. Figure 273 CONFIGURATION >...
  • Page 124: What Can Go Wrong

    Chapter 4 Create Site-to-Site VPN Tunnels Figure 275 VPN > Monitor > IPsec Monitor To test whether or not a tunnel is working, ping from a computer at one site to a computer at the other. Ensure that both computers have Internet access (via the IPSec devices). Figure 276 PC behind ZyWALL/USG >...
  • Page 125: How To Configure Site-To-Site Ipsec Vpn With Cisco

    Chapter 4 Create Site-to-Site VPN Tunnels NAT traversal is enabled by default on the ZyWALL/USG; make sure the remote IPSec device also has NAT traversal enabled. 4.4 How to Configure Site-to-site IPSec VPN with Cisco This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and a Cisco router.
  • Page 126 Chapter 4 Create Site-to-Site VPN Tunnels Figure 282 Quick Setup > VPN Setup Wizard > Wizard Type Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next.
  • Page 127 Chapter 4 Create Site-to-Site VPN Tunnels Figure 284 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Phase 1 Setting) Continue to Phase 2 Settings to select the desired Encapsulation, Encryption, Authentication, and Perfect Forward Secrecy (PFS) settings. Set Local Policy to be the IP address range of the network connected to the ZyWALL/USG and Remote Policy to be the IP address range of the network connected to the Cisco.
  • Page 128 Chapter 4 Create Site-to-Site VPN Tunnels Figure 286 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN >...
  • Page 129 Chapter 4 Create Site-to-Site VPN Tunnels Figure 287 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings > Wizard Completed Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show Advanced Settings.
  • Page 130: Set Up The Ipsec Vpn Tunnel On The Cisco

    Chapter 4 Create Site-to-Site VPN Tunnels 4.4.2 Set Up the IPSec VPN Tunnel on the Cisco To create an Address Object Name of your peer ZyWALL/USG Local IP address, go to Networking > Address Management > Address Objects and click Add Address. Select Network as the Type.
  • Page 131 Chapter 4 Create Site-to-Site VPN Tunnels Figure 291 VPN > Site-to-site > Transform Sets Go to VPN > Site-to-site > IPsec Policies and click Add. The new IPsec Policies dialog box appears. Go to Basic Settings, enter an IPsec policy Description name and select On for the IPsec Policy Enable option.
  • Page 132: Test The Ipsec Vpn Tunnel

    Chapter 4 Create Site-to-Site VPN Tunnels Then, go to Advanced Settings and enable PFS and DPD if you enabled both options in the ZyWALL/USG. Set IKE Policy to be the IKE Policy created in Step 2 (found under IKE Policy Link); set Transform to be the Transform Set created in Step 3 (found under Transform Link) and SA-Lifetime to be 24 hours.
  • Page 133: What Can Go Wrong

    Chapter 4 Create Site-to-Site VPN Tunnels Figure 296 VPN > VPN Status > IPsec VPN Status > Active Sessions Go to Cisco VPN > VPN Status > IPsec VPN Status > Statics and check the Tx Packets (Transmit data) and Rx Packets (Receive data). Figure 297 VPN >...
  • Page 134: How To Configure Site-To-Site Ipsec Vpn With Watchguard

    Chapter 4 Create Site-to-Site VPN Tunnels If you see that the Phase 1 IKE SA process has completed but you still get the [info] log message below, check the ZyWALL/USG and Cisco Phase 2 Settings. Both the ZyWALL/USG and the Cisco must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IKE SA. Figure 301 MONITOR >...
  • Page 135 Chapter 4 Create Site-to-Site VPN Tunnels Figure 303 Quick Setup > VPN Setup Wizard > Welcome Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and use a pre-shared key as the authentication method. Click Next. Figure 304 Quick Setup >...
  • Page 136 Chapter 4 Create Site-to-Site VPN Tunnels Figure 306 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration) This screen provides a read-only summary of the VPN tunnel. Click Save. Figure 307 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG.
  • Page 137: Set Up The Ipsec Vpn Tunnel On The Watchguard

    Chapter 4 Create Site-to-Site VPN Tunnels Figure 309 CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type 4.5.2 Set Up the IPSec VPN Tunnel on the WatchGuard Go to Dashboard > Network Interfaces to check your External IP Address (the Internet-facing interface) and Trusted IP Address (the local IP address).
  • Page 138 Chapter 4 Create Site-to-Site VPN Tunnels Figure 312 VPN > Branch Office VPN > Gateway > General Settings > Gateway Endpoints The new Gateway Endpoint dialog box appears. Configure your Local Gateway identity as WatchGuard’s External IP Address (in the example, 172.100.30.63) and Remote Gateway identity as your ZyWALL/USG’s WAN IP Address (in the example, 172.101.30.73).
  • Page 139 Chapter 4 Create Site-to-Site VPN Tunnels Figure 314 VPN > Branch Office VPN > Gateway > Phase 1 Settings Use Transform Settings to create the same security settings as in the ZyWALL/USG Phase 1 settings. Click OK and Save to exit the Transform Settings page. Figure 315 VPN >...
  • Page 140: Test The Ipsec Vpn Tunnel

    Chapter 4 Create Site-to-Site VPN Tunnels Go to VPN > Branch Office VPN > Tunnel > Phase 2 Settings to create a Tunnel Name. Then, select the Gateway. Make sure you enable Perfect Forward Secrecy and select Diffie-Hellman Group 2. Then, scroll down Phase 2 Proposals and add the encryption types to match your ZyWALL/USG’s VPN Connection >...
  • Page 141: What Can Go Wrong

    Chapter 4 Create Site-to-Site VPN Tunnels Figure 321 PC behind ZyWALL/USG > Windows 7 > cmd > ping 192.168.10.33 Figure 322 PC behind WatchGuard > Windows 7 > cmd > ping 192.168.1.33 4.5.4 What Can Go Wrong? If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1 Settings. Both the ZyWALL/USG and the WatchGuard must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
  • Page 142: How To Configure Site-To-Site Ipsec Vpn With A Sonicwall Router

    Chapter 4 Create Site-to-Site VPN Tunnels 4.6 How to Configure Site-to-site IPSec VPN with a SonicWALL router This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and a SonicWALL router. The example shows how to configure the VPN tunnel at each site.
  • Page 143 Chapter 4 Create Site-to-Site VPN Tunnels Figure 327 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next.
  • Page 144 Chapter 4 Create Site-to-Site VPN Tunnels Figure 329 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Phase 1 Setting) Continue to Phase 2 Settings to select the desired Encapsulation, Encryption, Authentication, and SA Life Time settings. Set Local Policy to be the IP address range of the network connected to the ZyWALL/USG and Remote Policy to be the IP address range of the network connected to the SonicWALL.
  • Page 145 Chapter 4 Create Site-to-Site VPN Tunnels Figure 331 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) Note: The Phase 1 and Phase 2 settings established here must match the Phase 1 and Phase 2 settings configured later in the SonicWALL. Now the rule is configured on the ZyWALL/USG.
  • Page 146 Chapter 4 Create Site-to-Site VPN Tunnels Figure 332 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings > Wizard Completed Go to VPN Gateway > Show Advanced Settings > Authentication to configure your Local ID Type and Peer ID Type to match your SonicWALL’s VPN >...
  • Page 147: Set Up The Ipsec Vpn Tunnel On The Sonicwall

    Chapter 4 Create Site-to-Site VPN Tunnels 4.6.2 Set Up the IPSec VPN Tunnel on the SonicWALL In the SonicWALL VPN > Settings > VPN Policies, click Add to create a new VPN policy. Select Policy Type to be the Site to Site, select Authentication Method to be the IKE using Preshared Secret.
  • Page 148 Chapter 4 Create Site-to-Site VPN Tunnels Figure 335 VPN > Settings > VPN Policies > Network In the SonicWALL VPN > Settings > VPN Policies > Proposals > IKE (Phase 1) Proposal and set Exchange, DH Group, Encryption and Authentication to match your ZyWALL/USG’s VPN Gateway >...
  • Page 149: Test The Ipsec Vpn Tunnel

    Chapter 4 Create Site-to-Site VPN Tunnels Figure 336 VPN > Settings > VPN Policies > Proposals Select Enable VPN and click Refresh Active. Figure 337 VPN > Settings > VPN Global Settings 4.6.3 Test the IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection, click Connect on the upper bar.
  • Page 150: What Can Go Wrong

    Chapter 4 Create Site-to-Site VPN Tunnels Figure 340 VPN > VPN Settings > VPN Policies Go to SonicWALL VPN > VPN Settings > Currently Active VPN Tunnels > VPN Tunnel Statics to check Tunnel valid time, Bytes In (Incoming Data) and Bytes Out (Outgoing Data). Figure 341 VPN >...
  • Page 151: How To Configure Site-To-Site Ipsec Vpn With Microsoft (Ms) Azure

    Chapter 4 Create Site-to-Site VPN Tunnels Figure 344 MONITOR > Log If you see that the Phase 1 IKE SA process has completed but you still get the [info] log message below, check the ZyWALL/USG and SonicWALL Phase 2 Settings. Both the ZyWALL/USG and the SonicWALL must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IKE SA.
  • Page 152: Set Up The Ipsec Vpn Tunnel On The Ms Azure

    Chapter 4 Create Site-to-Site VPN Tunnels Note: 1. All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG310 (Firmware Version: ZLD 4.13) and MS Azure (Version: 2.7.1).
  • Page 153 Chapter 4 Create Site-to-Site VPN Tunnels Figure 349 CREATE A VIRTUAL NETWORK > Virtual Network Details On the DNS Servers and VPN Connectivity page, select the checkbox for Configure a Site-to-site VPN. Click Next. Figure 350 CREATE A VIRTUAL NETWORK > Virtual Network Details > DNS Servers and VPN Connectivity On the Site-to-site Connectivity page, create the name for the local network behind the ZyWALL/USG.
  • Page 154 Chapter 4 Create Site-to-Site VPN Tunnels Figure 351 CREATE A VIRTUAL NETWORK > Virtual Network Details > DNS Servers and VPN Connectivity > Site-to-site Connectivity On the Virtual Network Address Spaces page, configure ADDRESS SPACE to specify the address range(s) of the Windows Azure virtual network. The Windows Azure virtual network address space and the network behind the ZyWALL/USG must not overlap. Click gateway subnet to add a gateway subnet.
  • Page 155 Chapter 4 Create Site-to-Site VPN Tunnels Figure 352 CREATE A VIRTUAL NETWORK > Virtual Network Details > DNS Servers and VPN Connectivity > Site-to-site Connectivity > Virtual Network Address Spaces When the configuration has been completed, users can see the text Created under STATUS on the networks page of the management portal.
  • Page 156 Chapter 4 Create Site-to-Site VPN Tunnels Figure 354 networks > NAME Go to the Dashboard page, at the bottom of the screen, click Create Gateway. Then, select Static Routing. When the system prompts for confirmation that the user wants a gateway created, click YES.
  • Page 157 Chapter 4 Create Site-to-Site VPN Tunnels Figure 357 12 Once the Virtual Network is configured, obtain the Preshared Key to be used in the ZyWALL/USG by clicking MANAGE KEY at the bottom of the MS Azure DASHBOARD. Figure 358 13 A pop-up dialog appears.
  • Page 158: Set Up The Ipsec Vpn Tunnel On The Zywall/Usg

    Chapter 4 Create Site-to-Site VPN Tunnels 4.7.2 Set Up the IPSec VPN Tunnel on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard, use the VPN Settings wizard to create a VPN rule that can be used with the MS Azure. Click Next. Figure 360 Quick Setup >...
  • Page 159 Chapter 4 Create Site-to-Site VPN Tunnels Then, configure the Secure Gateway IP as the peer MS Azure’s Gateway IP address (in the example, 23.101.5.141); select My Address to be the interface connected to the Internet. Set the desired Negotiation, Encryption, Authentication, Key Group and SA Life Time settings.
  • Page 160 Chapter 4 Create Site-to-Site VPN Tunnels Figure 364 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Phase 2 Setting) Note: For more information about the IPsec Parameters supported in MS Azure, see the Microsoft Azure Documentation About VPN devices for Site-to-Site VPN Gateway connections.
  • Page 161: Test The Ipsec Vpn Tunnel

    Chapter 4 Create Site-to-Site VPN Tunnels Figure 366 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings > Wizard Completed 4.7.3 Test the IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection, click Connect on the upper bar.
  • Page 162: What Can Go Wrong

    Chapter 4 Create Site-to-Site VPN Tunnels Go to Networks > VPN_to_ZyWALL > Dashboard to check the tunnel DATA IN and DATA OUT. Figure 369 VPN > VPN Settings > Currently Active VPN Tunnels To test whether or not a tunnel is working, ping from a computer at one site to a computer at the other.
  • Page 163: How To Set Up Hub-And-Spoke Ipsec Vpn

    Chapter 4 Create Site-to-Site VPN Tunnels Figure 372 MONITOR > Log If you see that the Phase 1 IKE SA process has completed but you still get the [info] log message below, check the ZyWALL/USG Phase 2 Settings. Make sure your ZyWALL/USG Phase 2 Settings are in the list of IKE Phase 2 parameters supported by MS Azure.
  • Page 164: Set Up The Ipsec Vpn Tunnel On The Zywall/Usg By Using Vpn Concentrator

    Chapter 4 Create Site-to-Site VPN Tunnels Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG310 (Firmware Version: ZLD 4.13). 4.8.1 Set Up the IPSec VPN Tunnel on the ZyWALL/USG by Using VPN Concentrator 4.8.2 Hub_HQ-to-Branch_A...
  • Page 165 Chapter 4 Create Site-to-Site VPN Tunnels Figure 377 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Then, configure the Secure Gateway IP as the Branch A’s Gateway IP address (in the example, 172.16.20.1). Type a secure Pre-Shared Key (8-32 characters) which must match your Branch A’s Pre-Shared Key.
  • Page 166: Hub_Hq-To-Branch_B

    Chapter 4 Create Site-to-Site VPN Tunnels Figure 380 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings > Wizard Completed 4.8.3 Hub_HQ-to-Branch_B In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard, use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG.
  • Page 167 Chapter 4 Create Site-to-Site VPN Tunnels Figure 383 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Then, configure the Secure Gateway IP as the Branch B’s Gateway IP address (in the example, 172.16.30.1). Type a secure Pre-Shared Key (8-32 characters) which must match your Branch B’s Pre-Shared Key.
  • Page 168: Hub_Hq Concentrator

    Chapter 4 Create Site-to-Site VPN Tunnels Figure 386 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings > Wizard Completed 4.8.4 Hub_HQ Concentrator In the ZyWALL/USG, go to CONFIGURATION > VPN > IPSec VPN > Concentrator, add a VPN Concentrator rule.
  • Page 169 Figure 388 Quick Setup > VPN Setup Wizard > Welcome Choose Express to create a VPN rule with the default Phase 1 and Phase 2 settings and a pre-shared key as the authentication method. Click Next. Figure 389 Quick Setup >...
  • Page 170 Chapter 4 Create Site-to-Site VPN Tunnels Figure 391 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration) This screen provides a read-only summary of the VPN tunnel. Click Save. Figure 392 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG.
  • Page 171: Spoke_Branch_B

    Chapter 4 Create Site-to-Site VPN Tunnels Figure 394 Network > Routing > Policy Route 4.8.6 Spoke_Branch_B In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard, use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG. Click Next. Figure 395 Quick Setup >...
  • Page 172 Choose Express to create a VPN rule with the default Phase 1 and Phase 2 settings and a pre-shared key as the authentication method. Click Next. Figure 396 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type Type the Rule Name used to identify this VPN connection (and VPN gateway).
  • Page 173 Chapter 4 Create Site-to-Site VPN Tunnels Figure 399 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN >...
  • Page 174: Test The Ipsec Vpn Tunnel

    Chapter 4 Create Site-to-Site VPN Tunnels Figure 401 Network > Routing > Policy Route 4.8.7 Test the IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection, click Connect on the upper bar. The Status connect icon is lit when the interface is connected. Figure 402 Hub_HQ >...
  • Page 175 Chapter 4 Create Site-to-Site VPN Tunnels Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and the Inbound(Bytes)/Outbound(Bytes) traffic. Click Connectivity Check to verify the result of ICMP Connectivity. Figure 405 Hub_HQ > MONITOR > VPN Monitor > IPSec > Hub_HQ-to-Branch_A Figure 406 Hub_HQ >...
  • Page 176: What Can Go Wrong

    Figure 408 Spoke_Branch_B > MONITOR > VPN Monitor > IPSec 4.8.8 What Can Go Wrong? If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 settings. All ZyWALL/USG units must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA; a mismatch in any one of them is enough to stop the IKE SA.
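
As an added example, not taken from the handbook, the following Python compares the IKE settings of two peers before you go hunting in MONITOR > Log. It checks the five Phase 1 fields listed above (the same check that 4.8.15 and 4.9.8 repeat) and, for the MS Azure situation earlier in this chapter where Phase 1 completes but Phase 2 is rejected, whether the local Phase 2 proposal appears in a peer's supported list. The field names follow the VPN Gateway and VPN Connection screens; the sample values, the `dh5` mismatch and the peer's supported list are constructed, not ZyXEL or Microsoft data.

```python
"""Added example (not from the ZyXEL handbook): compare two peers' IKE
settings before reading MONITOR > Log. Field names mirror the VPN Gateway
(Phase 1) and VPN Connection (Phase 2) screens; the sample values and
the peer's supported list are constructed."""
from dataclasses import dataclass, asdict

# Handbook rule: these five must be identical on both ends or no IKE SA.
PHASE1_MUST_MATCH = ("pre_shared_key", "encryption", "authentication",
                     "dh_group", "id_type")
PHASE2_FIELDS = ("encapsulation", "protocol", "encryption",
                 "authentication", "pfs")


@dataclass(frozen=True)
class Phase1:
    pre_shared_key: str
    encryption: str        # e.g. "aes128"
    authentication: str    # hash, e.g. "sha1"
    dh_group: str          # e.g. "dh2"
    id_type: str           # e.g. "ip"


@dataclass(frozen=True)
class Phase2:
    encapsulation: str = "tunnel"
    protocol: str = "esp"
    encryption: str = "aes128"
    authentication: str = "sha1"
    pfs: str = "none"


def psk_problems(psk):
    """Wizard limit is 8-32 characters; a one-class key is weak as well."""
    problems = []
    if not 8 <= len(psk) <= 32:
        problems.append("length %d outside 8-32" % len(psk))
    if psk.isalpha() or psk.isdigit():
        problems.append("single character class")
    return problems


def phase1_mismatches(local, remote):
    """Phase 1 fields that differ; any entry means the IKE SA cannot form."""
    return [f for f in PHASE1_MUST_MATCH if getattr(local, f) != getattr(remote, f)]


def phase2_supported(local, peer_supported):
    """Phase 1 can succeed and Phase 2 still fail (the MS Azure case):
    the peer must accept a combination equal to ours. A key missing from
    a supported entry is treated as 'any'. Returns the entry or None."""
    mine = asdict(local)
    for combo in peer_supported:
        if all(mine[k] == combo.get(k, mine[k]) for k in PHASE2_FIELDS):
            return combo
    return None


def diagnose(local1, remote1, local2, peer2_supported):
    """Triage in negotiation order: PSK sanity, Phase 1, then Phase 2."""
    report = ["psk: " + p for p in psk_problems(local1.pre_shared_key)]
    p1 = phase1_mismatches(local1, remote1)
    if p1:
        report.append("phase1 mismatch: " + ", ".join(p1))
        return report           # nothing past here is negotiated
    if phase2_supported(local2, peer2_supported) is None:
        report.append("phase2: proposal not in peer's supported list")
    return report


# Constructed sample: hub and spoke differ only in DH group.
HUB = Phase1("zyx12345", "aes128", "sha1", "dh2", "ip")
SPOKE = Phase1("zyx12345", "aes128", "sha1", "dh5", "ip")
# Constructed stand-in for a cloud peer's supported Phase 2 list.
PEER_SUPPORTED = [
    {"encryption": "aes256", "authentication": "sha1", "pfs": "none"},
    {"encryption": "aes128", "authentication": "sha1", "pfs": "none"},
]

if __name__ == "__main__":
    print(diagnose(HUB, SPOKE, Phase2(), PEER_SUPPORTED))
    print(diagnose(HUB, HUB, Phase2(encryption="3des"), PEER_SUPPORTED))
```

Run it after filling in both sides' settings from the VPN Gateway and VPN Connection screens; an empty report means the tunnel should at least negotiate, and a `phase1 mismatch` entry names the field to fix before the log is worth reading.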
  • Page 177: Set Up The Ipsec Vpn Tunnel Of Zywall/Usg Without Using Vpn Concentrator

    Chapter 4 Create Site-to-Site VPN Tunnels 4.8.9 Set Up the IPSec VPN Tunnel of ZyWALL/USG without Using VPN Concentrator 4.8.10 Hub_HQ-to-Branch_A Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and select Enable. Type the VPN Gateway Name used to identify this VPN gateway. Then, configure the Secure Gateway IP as the Branch A’s Gateway IP address (in the example, 172.16.20.1).
  • Page 178: Hub_Hq-To-Branch_B

    Figure 412 CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway Click Create new Object on the upper bar to add an address range covering the local network behind Hub_HQ through the network behind Branch_B, and an address object for the local network behind Branch A.
  • Page 179 Chapter 4 Create Site-to-Site VPN Tunnels Figure 415 CONFIGURATION > VPN > IPSec VPN > VPN Gateway Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select scenario as Site-to-site and VPN Gateway which is configured in Step 1.
  • Page 180: Spoke_Branch_A

    Figure 417 CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object Set Local Policy to the newly created HQ-to-Branch_B object and Remote Policy to Branch_B. Click OK. Figure 418 CONFIGURATION > VPN > IPSec VPN > VPN Connection > Policy 4.8.12 Spoke_Branch_A Go to CONFIGURATION >...
  • Page 181 Chapter 4 Create Site-to-Site VPN Tunnels Figure 419 CONFIGURATION > VPN > IPSec VPN > VPN Gateway Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select scenario as Site-to-site and VPN Gateway which is configured in Step 1.
  • Page 182: Spoke_Branch_B

    Figure 421 CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object Set Local Policy to the newly created Branch_A object and Remote Policy to HQ-to-Branch_B. Click OK. Figure 422 CONFIGURATION > VPN > IPSec VPN > VPN Connection > Policy 4.8.13 Spoke_Branch_B Go to CONFIGURATION >...
  • Page 183 Chapter 4 Create Site-to-Site VPN Tunnels Figure 423 CONFIGURATION > VPN > IPSec VPN > VPN Gateway Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select scenario as Site-to-site and VPN Gateway which is configured in Step 1.
  • Page 184: Test The Ipsec Vpn Tunnel

    Figure 425 CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object Set Local Policy to the newly created Branch_B object and Remote Policy to HQ-to-Branch_A. Click OK. Figure 426 CONFIGURATION > VPN > IPSec VPN > VPN Connection > Policy 4.8.14 Test the IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION >...
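
The following Python is an added example and not the handbook's own material: it treats the Local Policy and Remote Policy address objects of the 4.8.9 layout (no VPN Concentrator) as IPsec selectors and walks a Branch A to Branch B packet through the spoke and the hub, then repeats the hub step with plain site-to-site policies to show why the wider "HQ-to-Branch" objects are needed. The subnets, the contents of the address objects and the tunnel names are constructed, since these pages do not list them.

```python
"""Added example (not from the ZyXEL handbook): model Local/Remote Policy
address objects as IPsec selectors for the 4.8.9 hub-and-spoke layout.
Subnets, object contents and tunnel names are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed LANs; the handbook does not give the subnets on these pages.
HQ_LAN, BRANCH_A, BRANCH_B = "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"


@dataclass(frozen=True)
class Tunnel:
    name: str
    local_policy: tuple    # address objects: "x/len" or "first-last" range
    remote_policy: tuple


def expand(spec):
    """One ZyWALL address object -> list of networks (subnet or range)."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(spec, strict=False)]


def covers(policy, addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for spec in policy for net in expand(spec))


def outbound_tunnel(tunnels, src, dst):
    """SA selection for a packet leaving this box: first tunnel whose local
    policy covers src and remote policy covers dst. None means no tunnel
    applies and the packet follows the normal route (local LAN or WAN)."""
    for t in tunnels:
        if covers(t.local_policy, src) and covers(t.remote_policy, dst):
            return t.name
    return None


def inbound_ok(t, src, dst):
    """A decrypted packet must also fit the selectors, mirrored."""
    return covers(t.remote_policy, src) and covers(t.local_policy, dst)


def hub_relay(hub_tunnels, src, dst):
    """Spoke-to-spoke path through the hub: accept on one tunnel, then
    re-select. Returns (inbound, outbound) names; None where a step fails."""
    inbound = next((t.name for t in hub_tunnels if inbound_ok(t, src, dst)), None)
    if inbound is None:
        return (None, None)
    return (inbound, outbound_tunnel(hub_tunnels, src, dst))


# Hub as in 4.8.9: each tunnel's local side covers HQ *and* the other
# branch (the "HQ-to-Branch_B" style objects), so the hub can relay.
HUB = (
    Tunnel("Hub_HQ-to-Branch_A", (HQ_LAN, BRANCH_B), (BRANCH_A,)),
    Tunnel("Hub_HQ-to-Branch_B", (HQ_LAN, BRANCH_A), (BRANCH_B,)),
)
# Same hub with plain site-to-site policies (HQ LAN only), for contrast.
HUB_PLAIN = (
    Tunnel("Hub_HQ-to-Branch_A", (HQ_LAN,), (BRANCH_A,)),
    Tunnel("Hub_HQ-to-Branch_B", (HQ_LAN,), (BRANCH_B,)),
)
SPOKE_A = (Tunnel("Spoke_Branch_A", (BRANCH_A,), (HQ_LAN, BRANCH_B)),)

if __name__ == "__main__":
    src, dst = "10.0.2.5", "10.0.3.7"    # Branch A host -> Branch B host
    print("spoke A sends via:", outbound_tunnel(SPOKE_A, src, dst))
    print("hub relays:", hub_relay(HUB, src, dst))
    print("plain hub:", hub_relay(HUB_PLAIN, src, dst))
```

With the plain policies the hub drops the spoke-to-spoke packet at the inbound check because its local side (the HQ LAN) does not cover the Branch B destination; the VPN Concentrator in 4.8.4 is the device's way of getting the same relay without hand-building the wider objects.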
  • Page 185 Chapter 4 Create Site-to-Site VPN Tunnels Figure 430 Hub_HQ > MONITOR > VPN Monitor > IPSec > Hub_HQ-to-Branch_A Figure 431 Hub_HQ > MONITOR > VPN Monitor > IPSec > Hub_HQ-to-Branch_B Figure 432 Spoke_Branch_A > MONITOR > VPN Monitor > IPSec ZyWALL/USG Series User’s Guide...
  • Page 186: What Can Go Wrong

    Figure 433 Spoke_Branch_B > MONITOR > VPN Monitor > IPSec 4.8.15 What Can Go Wrong? If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 settings. All ZyWALL/USG units must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
  • Page 187: How To Use Dual-Wan To Perform Fail-Over On Vpn Using The Vpn Concentrator

    Chapter 4 Create Site-to-Site VPN Tunnels 4.9 How to Use Dual-WAN to Perform Fail-Over on VPN Using the VPN Concentrator This is an example of using Dual-WAN to perform fail-over on a hub-and-spoke VPN with the HQ ZyWALL/USG as the hub and spoke VPNs to Branches A and B. When the VPN tunnel is configured, traffic passes between branches via the hub (HQ).
  • Page 188 Chapter 4 Create Site-to-Site VPN Tunnels Figure 437 CONFIGURATION > VPN > IPSec VPN > VPN Gateway Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select scenario as Site-to-site and VPN Gateway which is configured in Step 1.
  • Page 189: Hub_Hq-To-Branch_B

    Figure 439 CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object Set Local Policy to the newly created Hub_HQ object and Remote Policy to Branch_A. Click OK. Figure 440 CONFIGURATION > VPN > IPSec VPN > VPN Connection > Policy 4.9.3 Hub_HQ-to-Branch_B Go to CONFIGURATION >...
  • Page 190 Chapter 4 Create Site-to-Site VPN Tunnels Figure 441 CONFIGURATION > VPN > IPSec VPN > VPN Gateway Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection to enable VPN Connection. Select scenario as Site-to-site and VPN Gateway which is configured in Step 1. Figure 442 CONFIGURATION >...
  • Page 191: Hub_Hq Concentrator

    Figure 443 CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object Set Local Policy to the newly created Hub_HQ object and Remote Policy to Branch_B. Click OK. Figure 444 CONFIGURATION > VPN > IPSec VPN > VPN Connection > Policy 4.9.4 Hub_HQ Concentrator In the ZyWALL/USG, go to CONFIGURATION >...
  • Page 192: Spoke_Branch_A

    Chapter 4 Create Site-to-Site VPN Tunnels 4.9.5 Spoke_Branch_A Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway, select Enable. Type the VPN Gateway Name used to identify this VPN gateway. Then, configure the Primary Gateway IP as the Hub_HQ’s wan1 IP address (in the example, 172.16.10.1) and Secondary Gateway IP as the Hub_HQ’s wan2 IP address (in the example, 172.100.110.1).
  • Page 193 Chapter 4 Create Site-to-Site VPN Tunnels Figure 447 CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway Click Create new Object to add the address of local network behind Branch A and an address of local network behind Hub_HQ Figure 448 CONFIGURATION >...
  • Page 194: Spoke_Branch_B

    Chapter 4 Create Site-to-Site VPN Tunnels Figure 450 Network > Routing > Policy Route Figure 451 4.9.6 Spoke_Branch_B Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway, select Enable. Type the VPN Gateway Name used to identify this VPN gateway. Then, configure the Primary Gateway IP as the Hub_HQ’s wan1 IP address (in the example, 172.16.10.1) and Secondary Gateway IP as the Hub_HQ’s wan2 IP address (in the example, 172.100.110.1).
  • Page 195 Chapter 4 Create Site-to-Site VPN Tunnels Figure 452 CONFIGURATION > VPN > IPSec VPN > VPN Gateway Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select scenario as Site-to-site and VPN Gateway which is configured in Step 1.
  • Page 196 Chapter 4 Create Site-to-Site VPN Tunnels Figure 454 CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object Set Local Policy to be Spoke_Branch_B_LOCAL and Remote Policy to Hub_HQ which are newly created. Click OK. Figure 455 CONFIGURATION > VPN > IPSec VPN > VPN Connection > Policy Go to Network >...
  • Page 197: Test The Ipsec Vpn Tunnel

    Chapter 4 Create Site-to-Site VPN Tunnels Figure 457 4.9.7 Test the IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection, click Connect on the upper bar. The Status connect icon is lit when the interface is connected. Figure 458 Hub_HQ >...
  • Page 198 Figure 461 Hub_HQ > MONITOR > VPN Monitor > IPSec > Hub_HQ-to-Branch_A Figure 462 Hub_HQ > MONITOR > VPN Monitor > IPSec > Hub_HQ-to-Branch_B Figure 463 Spoke_Branch_A > MONITOR > VPN Monitor > IPSec...
  • Page 199: What Can Go Wrong

    Figure 464 Spoke_Branch_B > MONITOR > VPN Monitor > IPSec 4.9.8 What Can Go Wrong? If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 settings. All ZyWALL/USG units must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
  • Page 200: Create Client-To-Site Vpn Tunnels

    CHAPTER 5 Create Client-to-Site VPN Tunnels 5.1 How to Configure IPSec VPN with ZyWALL IPSec VPN Client This example shows how to use the VPN Setup Wizard to create a client-to-site VPN between a ZyWALL/USG and the ZyWALL IPSec VPN Client, and how to configure each end of the tunnel.
  • Page 201 Figure 468 Quick Setup > VPN Setup Wizard > Welcome Choose Express to create a VPN rule with the default Phase 1 and Phase 2 settings and a pre-shared key as the authentication method. Click Next. Figure 469 Quick Setup >...
  • Page 202 Chapter 5 Create Client-to-Site VPN Tunnels Figure 471 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings-2 This screen provides a read-only summary of the VPN tunnel. Click Save. Figure 472 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings-3 Now the rule is configured on the ZyWALL/USG.
  • Page 203: Set Up The Zywall Ipsec Vpn Client

    Figure 474 CONFIGURATION > Object > User/Group > Add A User Go to CONFIGURATION > VPN > IPSec VPN > Configuration Provisioning. In the General Settings section, select Enable Configuration Provisioning. Then, in the Configuration section, click Add to bind a configured VPN Connection to an Allowed User.
  • Page 204 Figure 477 CONFIGURATION > Get from Server Enter the WAN IP address or URL of the ZyWALL/USG as the Gateway Address. If you changed the default HTTPS port on the ZyWALL/USG, enter the new port here. Enter the Login user name and Password exactly as configured on the ZyWALL/USG or the external authentication server.
  • Page 205: Test The Ipsec Vpn Tunnel

    Chapter 5 Create Client-to-Site VPN Tunnels Figure 480 CONFIGURATION > Get from Server > Configuration successful Go to VPN Configuration > IKEv1, right click the WIZ_VPN_PROVISIONING and select Open tunnel. You will see the Tunnel opened on the bottom right of the screen. Figure 481 VPN CONFIGURATION >...
  • Page 206: What Can Go Wrong

    To test whether or not a tunnel is working, ping from a computer at one site to a computer at the other. Ensure that both computers have Internet access (via the IPSec devices). Figure 484 PC with ZyWALL IPSec VPN Client installed > Windows 7 > cmd > ping 192.168.1.33 Figure 485 PC behind ZyWALL/USG >...
  • Page 207: How To Configure L2Tp Vpn With Android 5.0 Mobile Devices

    Figure 488 MONITOR > Log If you see an [alert] log message like the one below, make sure you have created a user account for the ZyWALL IPSec VPN Client user on the ZyWALL/USG or the external authentication server, and check that the password matches the one in that user account.
  • Page 208: Set Up The L2Tp Vpn Tunnel On The Zywall/Usg

    5.2.1 Set Up the L2TP VPN Tunnel on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings for L2TP VPN Settings wizard to create an L2TP VPN rule that can be used with the remote Android mobile devices.
  • Page 209 Chapter 5 Create Client-to-Site VPN Tunnels Figure 493 Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (L2TP VPN Settings) This screen provides a read-only summary of the VPN tunnel. Click Save. Figure 494 Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG.
  • Page 210 Figure 496 CONFIGURATION > VPN > L2TP VPN > Create new Object > User Figure 497 If some of the traffic from the L2TP clients needs to go to the Internet, create a policy route to send traffic from the L2TP tunnels out through a WAN trunk.
  • Page 211: Set Up The L2Tp Vpn Tunnel On The Android Device

    Chapter 5 Create Client-to-Site VPN Tunnels Figure 498 CONFIGURATION > Network > Routing > Policy Route 5.2.2 Set Up the L2TP VPN Tunnel on the Android Device To configure L2TP VPN on an Android device, go to Menu > Settings > Wireless & Networks > VPN settings >...
  • Page 212 Figure 501 Leave Enable L2TP secret disabled (the default). If you need to use the internal DNS servers once the connection is up, turn on DNS search domains and enter the DNS server address here. Click Save.
  • Page 213: Test The L2Tp Vpn Tunnel

    Chapter 5 Create Client-to-Site VPN Tunnels Figure 504 5.2.3 Test the L2TP VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection, the Status connect icon is lit when the interface is connected. Figure 505 CONFIGURATION > VPN > IPSec VPN > VPN Connection Go to ZyWALL/USG MONITOR >...
  • Page 214: What Can Go Wrong

    On the Android device, go to Menu > Settings > Wireless & Networks > VPN and verify the connection status. Figure 508 Menu > Settings > Wireless & Networks > VPN 5.2.4 What Can Go Wrong? If you see an [alert] log message such as the one below, check the ZyWALL/USG L2TP Allowed User or User/Group settings.
  • Page 215: How To Configure L2Tp Vpn With Ios 8.4 Mobile Devices

    Verify that the Zone is set correctly in the Zone object. It should be set to the IPSec_VPN zone so that security policies are applied properly. 5.3 How to Configure L2TP VPN with iOS 8.4 Mobile Devices This example shows how to use the VPN Setup Wizard to create an L2TP VPN between a ZyWALL/USG and an iOS 8.4 mobile device.
  • Page 216 Then, configure the Rule Name and set My Address to the wan1 interface, which is connected to the Internet. Type a secure Pre-Shared Key (8-32 characters). Figure 514 Quick Setup > VPN Setup Wizard > Welcome > VPN Settings Assign the remote users' IP address range, 192.168.100.10 to 192.168.100.20, for use in the L2TP VPN tunnel, and check Allow L2TP traffic Through WAN to allow traffic from L2TP clients to go to the Internet.
  • Page 217 Chapter 5 Create Client-to-Site VPN Tunnels Figure 517 Quick Setup > VPN Setup Wizard > Welcome > VPN Settings > Summary > Wizard Completed Go to CONFIGURATION > VPN > L2TP VPN > Create new Object > User to add User Name and Password (4-24 characters).
  • Page 218: Set Up The L2Tp Vpn Tunnel On The Ios Device

    If some of the traffic from the L2TP clients needs to go to the Internet, create a policy route to send traffic from the L2TP tunnels out through a WAN trunk. Set Incoming to Tunnel and select your L2TP VPN connection.
  • Page 219: Test The L2Tp Vpn Tunnel

    Figure 521 After you create a VPN configuration, slide the button right to the on position to initiate an L2TP VPN session. Figure 522 5.3.3 Test the L2TP VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the interface is connected.
  • Page 220 Chapter 5 Create Client-to-Site VPN Tunnels Figure 524 Hub_HQ > MONITOR > VPN Monitor > IPSec > WIZ_L2TP_VPN Go to ZyWALL/USG MONITOR > VPN Monitor > L2TP over IPSec and verify the Current L2TP Session. Figure 525 MONITOR > VPN Monitor > L2TP over IPSec > L2TP_Remote_Users Go to iOS mobile device Menu >...
  • Page 221: What Can Go Wrong

    5.3.4 What Can Go Wrong? If you see an [alert] log message such as the one below, check the ZyWALL/USG L2TP Allowed User or User/Group settings. iOS mobile users must use the same Username and Password as configured in the ZyWALL/USG to establish the L2TP VPN.
  • Page 222: Set Up The L2Tp Vpn Tunnel On The Zywall/Usg

    Chapter 5 Create Client-to-Site VPN Tunnels Figure 530 ZyWALL/USG L2TP VPN with Remote Windows 10 Client Example Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG310 (Firmware Version: 4.13) and Windows 10 Pro (Version: 10.0.10240) 5.4.1 Set Up the L2TP VPN Tunnel on the ZyWALL/USG...
  • Page 223 Chapter 5 Create Client-to-Site VPN Tunnels Assign the L2TP users’ IP address range from 192.168.100.10 to 192.168.100.20 for use in the L2TP VPN tunnel and select Allow L2TP traffic Through WAN to allow traffic from L2TP clients to go to the Internet. Click OK. Figure 533 Quick Setup >...
  • Page 224 Chapter 5 Create Client-to-Site VPN Tunnels Figure 536 CONFIGURATION > VPN > VPN Gateway > WIZ_L2TP_VPN > Authentication > Certificate Go to CONFIGURATION > VPN > L2TP VPN > Create new Object > User to add User Name and Password (4-24 characters). Then, set Allowed User to the newly created object (L2TP_Remote_Users/zyx168 in this example).
  • Page 225: Export A Certificate From Zywall/Usg And Import It To Windows 10 Operating System

    Chapter 5 Create Client-to-Site VPN Tunnels Figure 539 CONFIGURATION > Network > Routing > Policy Route 5.4.2 Export a Certificate from ZyWALL/USG and Import it to Windows 10 Operating System Go to ZyWALL/USG CONFIGURATION > Object > Certificate, select the certificate (default in this example) and click Edit.
  • Page 226 Chapter 5 Create Client-to-Site VPN Tunnels Figure 542 default.p12 In Windows 10 Operating System, go to Start Menu > Search Box. Type mmc and press Enter. Figure 543 Start Menu > Search Box > mmc In the mmc console window, click File > Add/Remove Snap-in... Figure 544 File >...
  • Page 227 Figure 546 Click Next. Figure 547 Click Browse..., locate the .p12 file you downloaded earlier, and click Next. Figure 548 Step 10: Type zyx123 in the Password field and click Next.
  • Page 228: Set Up The L2Tp Vpn Tunnel On The Windows 10

    Figure 549 Step 11: Select Place all certificates in the following store, click Browse and choose Trusted Root Certification Authorities. Click Next, then Finish. Figure 550 Note: Each ZyWALL/USG has its own self-signed certificate by factory default. When you reset to the default configuration file, the original self-signed certificate is erased and a new one is created the next time the ZyWALL/USG boots, so clients that imported the old certificate will have to import the new one. Also keep in mind that a .p12 exported with the private key carries the ZyWALL/USG's private key, while the client only needs the public certificate to trust the gateway: export the certificate without the private key where the device offers that option, and treat any .p12 copy as a secret.
  • Page 229 Figure 551 Go to Control Panel > Network and Internet > Network Connections, right-click the VPN connection and select Properties. Continue to Security > Advanced settings and select Use certificate for authentication. Figure 552
  • Page 230: Test The L2Tp Over Ipsec Vpn Tunnel

    Chapter 5 Create Client-to-Site VPN Tunnels Figure 553 Figure 554 Go to Network & Internet Settings window, click Connect. Figure 555 5.4.4 Test the L2TP over IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection, the Status connect icon is lit when the interface is connected.
  • Page 231: What Can Go Wrong

    Chapter 5 Create Client-to-Site VPN Tunnels Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and the Inbound(Bytes)/Outbound(Bytes) traffic. Click Connectivity Check to verify the result of ICMP Connectivity. Figure 557 Hub_HQ > MONITOR > VPN Monitor > IPSec > WIZ_L2TP_VPN Go to ZyWALL/USG MONITOR >...
  • Page 232: How To Configure The L2Tp Vpn With Apple Mac Os X 10.11 Operating System

    Figure 560 If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 settings. Windows 10 users must use the same Pre-Shared Key as configured in the ZyWALL/USG to establish the IKE SA.
  • Page 233: Set Up The L2Tp Vpn Tunnel On The Zywall/Usg

    Figure 563 ZyWALL/USG L2TP VPN with Apple MAC OS X 10.11 El Capitan 5.5.1 Set Up the L2TP VPN Tunnel on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings for L2TP VPN Settings wizard to create an L2TP VPN rule that can be used with the MAC OS X clients.
  • Page 234 Chapter 5 Create Client-to-Site VPN Tunnels Figure 566 Quick Setup > VPN Setup Wizard > Welcome > VPN Settings Continue to the next page to review your Summary and click Save. Figure 567 Quick Setup > VPN Setup Wizard > Welcome > VPN Settings > Summary Figure 568 Quick Setup >...
  • Page 235 Chapter 5 Create Client-to-Site VPN Tunnels Figure 569 CONFIGURATION > VPN > L2TP VPN > Create new Object > User Figure 570 If some of the traffic from the L2TP clients needs to go to the Internet, create a policy route to send traffic from the L2TP tunnels out through a WAN trunk.
  • Page 236: Set Up The L2Tp Vpn Tunnel On The Apple Mac Os X 10.11 El Capitan Operating System

    Figure 571 CONFIGURATION > Network > Routing > Policy Route 5.5.2 Set Up the L2TP VPN Tunnel on the Apple MAC OS X 10.11 El Capitan Operating System To configure L2TP VPN on OS X 10.11, go to System Preferences… > Network and click the "+"...
  • Page 237 Chapter 5 Create Client-to-Site VPN Tunnels In the User Authentication section, enter Password which should be the same as Allowed User created in ZyWALL/USG (zyx123 in this example). In the Machine Authentication section, enter Shared Secret to be the pre-shared key of the IPSec VPN gateway the ZyWALL/USG uses for L2TP VPN over IPSec (zyx12345 in this example).
  • Page 238: Test The L2Tp Vpn Tunnel

    Chapter 5 Create Client-to-Site VPN Tunnels 5.5.3 Test the L2TP VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection, the Status connect icon is lit when the interface is connected. Figure 578 CONFIGURATION > VPN > IPSec VPN > VPN Connection Go to ZyWALL/USG MONITOR >...
  • Page 239: What Can Go Wrong

    Figure 581 System Preferences… > Network 5.5.4 What Can Go Wrong? If you see an [alert] log message such as the one below, check the ZyWALL/USG L2TP Allowed User or User/Group settings. Apple MAC OS X El Capitan users must use the same Username and Password as configured in the ZyWALL/USG to establish the L2TP VPN.
  • Page 240: How To Deploy Ssl Vpn With Apple Mac Os X 10.10 Operating System

    Make sure the ZyWALL/USG units' security policies allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. If either end is behind NAT, IKE and ESP are carried in UDP port 4500 (NAT traversal), so allow that as well; L2TP itself (UDP 1701) travels inside the IPsec tunnel. Verify that the Zone is set correctly in the Zone object. It should be set to the IPSec_VPN zone so that security policies are applied properly.
  • Page 241 Chapter 5 Create Client-to-Site VPN Tunnels Go to Create new Object > User to add User Name (SSL_VPN_1_Users in this example) and Password (4-24 characters, zyx168 in this example), click OK. Figure 587 CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > Create new Object >...
  • Page 242 Figure 589 CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > Create new Object > Address Then, move the just created address object to Selected User/Group Objects. Similarly, in SSL Application List (Optional) move the servers you want available to SSL users to Selected Application Objects.
  • Page 243: Set Up The Ssl Vpn Tunnel On The Apple Mac Os X 10.10 Operating System

    Chapter 5 Create Client-to-Site VPN Tunnels Figure 591 CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > Network Extension (Optional) 5.6.2 Set Up the SSL VPN Tunnel on the Apple MAC OS X 10.10 Operating System Download SSL VPN Client software: ZyWALL SecuExtender for MAC from the ZyXEL Global Website and double-click on the downloaded file to install it.
  • Page 244 Figure 592 Go to ZyWALL SecuExtender > Preferences, click the "+" button at the bottom left to add a new SSL VPN connection.
  • Page 245 Chapter 5 Create Client-to-Site VPN Tunnels Figure 593 Configure the Connection Name for you to identify the SSL VPN configuration. Then, set the Remote Server Address to be the WAN IP of ZyWALL/USG (172.16.1.33 in this example). Click Save. Figure 594 Here are two methods to initiate SSL VPN connections: From ZyWALL SecuExtender From a Web Browser...
  • Page 246: Test The Ssl Vpn Tunnel

    Chapter 5 Create Client-to-Site VPN Tunnels Figure 595 From a Web Browser Type ZyWALL/USG’s WAN IP into the browser, to display the login screen. Enter User Name and Password to be the same as your ZyWALL/USG SSL VPN Selected User/Group name and password (SSL_VPN_1_Users/zyx168 in this example).
  • Page 247 Figure 598 ZyWALL SecuExtender > Details > Traffic Graph Figure 599 ZyWALL SecuExtender > Details > Network Traffic Statistics
  • Page 248: What Can Go Wrong

    Figure 600 ZyWALL SecuExtender > Details > Log Details 5.6.4 What Can Go Wrong? If you see a [notice] or [alert] log message such as the one below, check the ZyWALL/USG SSL Selected User/Group Objects settings. MAC OS X 10.10 Yosemite users must use the same Username and Password as configured in the ZyWALL/USG to establish the SSL VPN tunnel.
  • Page 249: How To Deploy Ssl Vpn With Windows 10 Operating System

    Chapter 5 Create Client-to-Site VPN Tunnels 5.7 How to Deploy SSL VPN with Windows 10 Operating System This is an example of using the ZyWALL/USG SSL VPN client software in Windows 10 operating systems for secure connections to the network behind the ZyWALL/USG. When the VPN tunnel is configured, users can securely access the network from a Windows 10 computer.
  • Page 250 Chapter 5 Create Client-to-Site VPN Tunnels Figure 604 CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > Create new Object > User Go to Create new Object > Application to add servers that you will allow SSL_VPN_1_Users to access, click OK.
  • Page 251 Figure 606 CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > Create new Object > Address Then, move the just created address object to Selected User/Group Objects. Similarly, in SSL Application List (Optional) move the servers you want available to SSL users to Selected Application Objects.
  • Page 252: Set Up The Ssl Vpn Tunnel On The Windows 10 Operating System

    Chapter 5 Create Client-to-Site VPN Tunnels Figure 608 CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > Network Extension (Optional) 5.7.2 Set Up the SSL VPN Tunnel on the Windows 10 Operating System Type the ZyWALL/USG’s WAN IP into the browser, then the login screen appears. Enter User Name and Password to be the same as your ZyWALL/USG SSL VPN Selected User/Group name and password (SSL_VPN_1_Users/zyx168 in this example).
  • Page 253 Figure 611 The ZyWALL SecuExtender Setup Wizard dialog box appears. Click Next and Install to complete the installation. Then, click Yes to restart your system with the configuration changes, or No if you plan to restart manually later. Figure 612
  • Page 254: Test The Ssl Vpn Tunnel

    After restarting your system, type the ZyWALL/USG's WAN IP into the browser to display the login screen. Enter the User Name and Password that match your ZyWALL/USG SSL VPN Selected User/Group name and password (SSL_VPN_1_Users/zyx168 in this example). Click SSL VPN. Click Allow if you see an Internet Explorer security warning.
  • Page 255: What Can Go Wrong

    5.7.4 What Can Go Wrong? If you see a [notice] or [alert] log message such as the one below, check the ZyWALL/USG SSL Selected User/Group Objects settings. Windows 10 users must use the same Username and Password as configured in the ZyWALL/USG to establish the SSL VPN tunnel.
  • Page 256: Set Up The Ssl Vpn Tunnel On The Zywall/Usg

    Chapter 5 Create Client-to-Site VPN Tunnels Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG1900 (Firmware Version: ZLD 4.13). 5.8.1 Set Up the SSL VPN Tunnel on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION >...
  • Page 257: Test The Ssl Vpn Tunnel

    Chapter 5 Create Client-to-Site VPN Tunnels Figure 620 CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > Create new Object > Application Then, move the just created address object to Selected User/Group Objects. Similarly, in SSL Application List (Optional) move the servers you want available to SSL users to Selected Application Objects.
  • Page 258 Chapter 5 Create Client-to-Site VPN Tunnels Figure 622 The File Sharing server appears. Figure 623 Click the File Sharing folder you want to access, enter User Name/ Password of your File Sharing server and click Login. ZyWALL/USG Series User’s Guide...
  • Page 259 Chapter 5 Create Client-to-Site VPN Tunnels Figure 624 Now you can securely access the files. Figure 625 ZyWALL/USG Series User’s Guide...
  • Page 260: What Can Go Wrong

    Chapter 5 Create Client-to-Site VPN Tunnels 5.8.3 What Can Go Wrong? If you see a [notice] or [alert] log message like the one below, check the ZyWALL/USG SSL VPN Selected User/Group Objects settings. Windows 8 users must use the same Username and Password as configured on the ZyWALL/USG to establish the SSL VPN tunnel.
  • Page 262: Configure Ipv6

    CHAPTER 6 Configure IPv6 6.1 How to Set Up IPv6 Interfaces for Pure IPv6 Routing This example shows how to configure the ZyWALL/USG WAN and LAN interfaces that connect two IPv6 networks. The ZyWALL/USG periodically advertises the network prefix 2002:1111:1111:1111::/64 to the LAN through router advertisements.
  • Page 263: Set Up The Lan Ipv6 Interface On The Zywall/Usg

    Chapter 6 Configure IPv6 Figure 629 CONFIGURATION > Network > Interface > Ethernet > wan1 Note: Your ISP or uplink router should enable router advertisement. 6.1.3 Set Up the LAN IPv6 Interface on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Ethernet > lan1. Select Enable Interface and Enable IPv6.
  • Page 264: Test The Result

    Chapter 6 Configure IPv6 Figure 631 CONFIGURATION > Network > Interface > Ethernet > lan1 > IPv6 Router Advertisement Setting 6.1.4 Test the Result Connect a computer to the ZyWALL/USG’s LAN1. Enable IPv6 support on your computer. In Windows XP, you need to use the IPv6 install command in a Command Prompt.
  • Page 265: What Can Go Wrong

    Chapter 6 Configure IPv6 Figure 633 Windows 7 > cmd > ipconfig 6.1.5 What Can Go Wrong? If your IPv6 connection is not working, make sure you enabled Auto-Configuration on the WAN1 IPv6 interface. Without it, there is no default route to forward the LAN’s IPv6 packets. In Windows, some IPv6-related tunnels may be enabled by default, such as Teredo and 6to4 tunnels.
  • Page 266: Set Up The Lan Ipv6 Interface On The Zywall/Usg

    Chapter 6 Configure IPv6 Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG310 (Firmware Version: ZLD 4.13). 6.2.1 Set Up the LAN IPv6 Interface on the ZyWALL/USG The second and third 16-bit groups from the left of the 6to4 prefix (2002:WWXX:YYZZ::/48) must be derived from the wan1 IPv4 address (122.100.220.238 in this example) by writing its four octets in hexadecimal.
  • Page 267: Set Up The 6To4 Tunnel On The Zywall/Usg

    Chapter 6 Configure IPv6 Figure 636 CONFIGURATION > Network > Interface > Ethernet > lan1 > IPv6 Router Advertisement Setting 6.2.2 Set Up the 6to4 Tunnel on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Tunnel > Add, Select Enable.
  • Page 268: What Can Go Wrong

    Chapter 6 Configure IPv6 Enable IPv6 support on your computer. In Windows XP, you need to use the IPv6 install command in a Command Prompt. In Windows 7, IPv6 is supported by default. You can enable IPv6 in the Control Panel > Network and Sharing Center > Local Area Connection screen. Your computer should get an IPv6 IP address (starting with 2002:7a64:dcee:1: in this example) from the ZyWALL/USG.
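The conversion that section 6.2.1 asks you to do by hand, and whose result shows up on the client in 6.2.3 as an address starting with 2002:7a64:dcee:1:, is mechanical: the 6to4 site prefix (RFC 3056) is 2002: followed by the 32 bits of the public WAN IPv4 address, and each LAN gets one /64 below that. The following is an added Python example, not code from the ZyXEL handbook; the 122.100.220.238 address is the handbook's example wan1 IP, the helper names are this example's own, and the rejection of private and CGNAT (100.64.0.0/10) addresses is a check the handbook does not state but that matters, because 6to4 from a non-public address produces a prefix no relay can route back to. Note also that the public 6to4 relay service was deprecated by RFC 7526, so treat 6to4 as a lab exercise rather than a production IPv6 plan.

```python
import ipaddress

# Added example (not from the ZyXEL handbook): derive the 6to4 prefixes that the
# handbook asks you to enter by hand, from the wan1 IPv4 address 122.100.220.238.

SIX_TO_FOUR_TLA = 0x2002  # first 16 bits of every 6to4 address (RFC 3056)
CGNAT = ipaddress.IPv4Network("100.64.0.0/10")  # shared address space, not routable on the Internet


def ipv4_to_6to4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Return the site /48 (2002:WWXX:YYZZ::/48) for a public IPv4 WAN address.

    6to4 only works from a globally routable IPv4 address: a private, CGNAT,
    loopback or multicast address is rejected here (an assumed sanity check).
    """
    addr = ipaddress.IPv4Address(ipv4)
    if addr.is_private or addr.is_loopback or addr.is_multicast or addr in CGNAT:
        raise ValueError(f"{ipv4} is not a public address; 6to4 needs the real WAN IP")
    # The 32 IPv4 bits sit directly after the 16-bit 2002: prefix, i.e. bits 16..47
    # of the 128-bit address, so shift them left by 128 - 16 - 32 = 80 bits.
    site = (SIX_TO_FOUR_TLA << 112) | (int(addr) << 80)
    return ipaddress.IPv6Network((site, 48))


def lan_prefix(ipv4: str, subnet_id: int) -> ipaddress.IPv6Network:
    """Carve one /64 out of the site /48 for a LAN; subnet_id becomes the fourth hextet."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet_id must fit in 16 bits")
    site = ipv4_to_6to4_prefix(ipv4)
    return ipaddress.IPv6Network((int(site.network_address) | (subnet_id << 64), 64))


def embedded_ipv4(ipv6: str) -> ipaddress.IPv4Address:
    """Recover the IPv4 endpoint embedded in any 6to4 address (handy when reading logs)."""
    addr = ipaddress.IPv6Address(ipv6)
    if (int(addr) >> 112) != SIX_TO_FOUR_TLA:
        raise ValueError(f"{ipv6} is not a 6to4 address")
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFF_FFFF)


if __name__ == "__main__":
    wan1 = "122.100.220.238"  # the handbook's example wan1 address
    print("site prefix  :", ipv4_to_6to4_prefix(wan1))   # 2002:7a64:dcee::/48
    print("lan1 prefix  :", lan_prefix(wan1, 1))          # 2002:7a64:dcee:1::/64
    print("embedded IPv4:", embedded_ipv4("2002:7a64:dcee:1::1"))  # 122.100.220.238
```

Run it with the real wan1 address and copy the lan1 /64 into CONFIGURATION > Network > Interface > Ethernet > lan1 > IPv6 Router Advertisement Setting; the embedded_ipv4 helper is the reverse direction, which is what you need when a 6to4 source address shows up in the Monitor > Log view and you want to know which IPv4 host it came from.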
  • Page 269: Set Up The Lan Ipv6 Interface On The Zywall/Usg

    Chapter 6 Configure IPv6 Figure 640 ZyWALL/USG with IPv6-in-IPv4 Tunnel Example Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG310 (Firmware Version: ZLD 4.13). 6.3.1 Set Up the LAN IPv6 Interface on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION >...
  • Page 270: Set Up The 6To4 Tunnel On The Zywall/Usg

    Chapter 6 Configure IPv6 Figure 642 CONFIGURATION > Network > Interface > Ethernet > lan1 > IPv6 Router Advertisement Setting 6.3.2 Set Up the 6to4 Tunnel on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Tunnel > Add and select Enable.
  • Page 271: Test The Result

    Chapter 6 Configure IPv6 Figure 644 CONFIGURATION > Network > Routing > Policy Route > IPv6 Configuration 6.3.4 Test the Result Connect a computer to the ZyWALL/USG’s LAN1. Enable IPv6 support on your computer. In Windows XP, you need to use the IPv6 install command in a Command Prompt.
  • Page 272: What Can Go Wrong

    Chapter 6 Configure IPv6 Figure 646 Windows 7 > cmd > ping -6 2001:b020:0:71::46 6.3.5 What Can Go Wrong? If your IPv6 connection is not working, make sure the WAN1 IPv4 interface is enabled. In IPv6-in-IPv4, the ZyWALL/USG uses the WAN1 IPv4 interface to forward your 6to4 packets to the IPv4 network.
  • Page 274: Manage Your Network Traffic

    CHAPTER 7 Manage Your Network Traffic 7.1 How to Configure Bandwidth Management for FTP and HTTP Traffic This is an example of using ZyWALL/USG Bandwidth Management (BWM) to control the bandwidth allocation for FTP and HTTP traffic. You can use source interface, destination interface, destination port, schedule, user, source, destination information, DSCP code and service type as criteria to build a sequence of specific conditions that allocate bandwidth to the matching packets.
  • Page 275: Set Up The Bandwidth Management For Http On The Zywall/Usg

    Chapter 7 Manage Your Network Traffic Figure 648 CONFIGURATION > BWM > Configuration > Add Policy Note: In Bandwidth Management, the highest priority is 1 and the lowest priority is 7. 7.1.2 Set Up the Bandwidth Management for HTTP on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION >...
  • Page 276: Set Up The Bandwidth Management Global Setting On The Zywall/Usg

    Chapter 7 Manage Your Network Traffic Figure 649 CONFIGURATION > BWM > Configuration > Add Policy Note: In Bandwidth Management, the highest priority is 1 and the lowest priority is 7. 7.1.3 Set Up the Bandwidth Management Global Setting on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION >...
  • Page 277: What Can Go Wrong

    Chapter 7 Manage Your Network Traffic Figure 651 Go to the ZyWALL/USG Monitor > Log; you will see an [alert] log message like the one below. Figure 652 Monitor > Log 7.1.5 What Can Go Wrong? The “outbound” value in the guaranteed bandwidth settings applies to traffic going from the connection initiator to the outgoing interface.
  • Page 278: Set Up The Application Patrol Profile On The Zywall/Usg

    Chapter 7 Manage Your Network Traffic Figure 653 ZyWALL/USG with Bandwidth Management for Peer-to-Peer Traffic Example Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. The total available bandwidth assumption is 1,600 kbps.
  • Page 279: Set Up The Bandwidth Management For Bittorrent On The Zywall/Usg

    Chapter 7 Manage Your Network Traffic 7.2.2 Set Up the Bandwidth Management for BitTorrent on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > BWM > Configuration > Add Policy, select Enable and type BitTorrent Any-to-Any as the policy’s Description. Leave the Incoming Interface as any and set the Outgoing Interface to wan1.
  • Page 280: Test The Result

    Chapter 7 Manage Your Network Traffic Figure 657 CONFIGURATION > BWM > BWM Global Setting 7.2.4 Test the Result Download a BitTorrent client to test the result: http://www.bittorrent.com/downloads In this example, an 826 MB file is downloading and the Down Speed is capped at 65 kB/s (about 520 kbps). Figure 658 Go to the ZyWALL/USG Monitor >...
  • Page 281: How To Configure A Trunk For Wan Load Balancing With A Static Or Dynamic Ip Address

    Chapter 7 Manage Your Network Traffic 7.3 How to Configure a Trunk for WAN Load Balancing with a Static or Dynamic IP Address This is an example of using a ZyWALL/USG Trunk for two WAN connections to the Internet. The available bandwidth for the connections is 1000 kbps (wan1 with a static IP address) and 512 kbps (wan2 with a dynamic IP address) respectively.
  • Page 282: Set Up The Available Bandwidth On Wan2 Interfaces On The Zywall/Usg

    Chapter 7 Manage Your Network Traffic Figure 662 CONFIGURATION > Interface > Ethernet > WAN1 7.3.2 Set Up the Available Bandwidth on the WAN2 Interface on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Interface > Ethernet > WAN2 > Egress Bandwidth and enter the available bandwidth (512 kbps) in the Egress Bandwidth field.
  • Page 283: Set Up The Wan Trunk On The Zywall/Usg

    Chapter 7 Manage Your Network Traffic Figure 663 CONFIGURATION > Interface > Ethernet > WAN2 7.3.3 Set Up the WAN Trunk on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Interface > Trunk > User Configuration > Add Trunk. Configure a Name to identify the Trunk profile and set the Load Balancing Algorithm field to Weighted Round Robin.
  • Page 284: Test The Result

    Chapter 7 Manage Your Network Traffic Figure 665 CONFIGURATION > Interface > Trunk > Default WAN Trunk 7.3.4 Test the Result Browse any website to test the result. The Weighted Round Robin (WRR) algorithm is best suited for situations where the bandwidths set for the two WAN interfaces are different.
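Section 7.3 says Weighted Round Robin suits links of unequal bandwidth but does not show what the algorithm actually does with the 1000 kbps and 512 kbps members. The following is an added Python example, not code from the ZyXEL handbook or the ZyWALL firmware: it models a trunk that hands each new outbound session to a member in proportion to its weight, using the "smooth" WRR variant so that picks interleave instead of bunching. The weights (wan1=2, wan2=1) are an assumption chosen to approximate the 1000:512 egress ratio from this tutorial; the handbook does not state the Weight values it used. The link-down handling is also this example's own addition, included because a trunk whose member has failed is the case you most want to reason about.

```python
# Added example (not from the ZyXEL handbook): how Weighted Round Robin spreads new
# outbound sessions over trunk members, and why unequal weights suit unequal links.
# The weights (wan1=2, wan2=1) are assumed to match the 1000 kbps : 512 kbps egress
# bandwidths set in this tutorial; they are not values the handbook specifies.


def weights_from_egress(egress_kbps: dict) -> dict:
    """Assumed rule of thumb: weight = link bandwidth relative to the slowest member."""
    slowest = min(egress_kbps.values())
    return {name: max(1, round(kbps / slowest)) for name, kbps in egress_kbps.items()}


class WeightedRoundRobinTrunk:
    """Smooth WRR: each round every active member gains its weight, the highest
    balance wins the session and pays back the total, so picks stay interleaved."""

    def __init__(self, weights: dict):
        if not weights or any(w <= 0 for w in weights.values()):
            raise ValueError("every trunk member needs a positive integer weight")
        self.weights = dict(weights)
        self.balance = {name: 0 for name in weights}
        self.link_up = {name: True for name in weights}

    def set_link_state(self, name: str, up: bool) -> None:
        """A member whose WAN link is down is skipped; its share goes to the rest."""
        self.link_up[name] = up

    def next_member(self) -> str:
        """Pick the member that receives the next new session."""
        active = [n for n in self.weights if self.link_up[n]]
        if not active:
            raise RuntimeError("no trunk member is up; nothing can be routed")
        total = sum(self.weights[n] for n in active)
        for n in active:
            self.balance[n] += self.weights[n]
        chosen = max(active, key=lambda n: self.balance[n])  # ties go to the first member
        self.balance[chosen] -= total
        return chosen

    def assign(self, sessions: int) -> dict:
        """Route a batch of new sessions and return how many each member received."""
        counts = {n: 0 for n in self.weights}
        for _ in range(sessions):
            counts[self.next_member()] += 1
        return counts


if __name__ == "__main__":
    w = weights_from_egress({"wan1": 1000, "wan2": 512})   # {'wan1': 2, 'wan2': 1}
    trunk = WeightedRoundRobinTrunk(w)
    print("order:", [trunk.next_member() for _ in range(6)])  # wan1 wan2 wan1 wan1 wan2 wan1
    print("30 sessions:", WeightedRoundRobinTrunk(w).assign(30))  # {'wan1': 20, 'wan2': 10}
    trunk.set_link_state("wan2", False)
    print("wan2 down:", trunk.assign(5))  # {'wan1': 5, 'wan2': 0}
```

The point to take from the simulation is that WRR balances session counts, not bytes: two members at 2:1 get two thirds and one third of new sessions regardless of how heavy each session turns out to be, which is why section 7.3 pairs it with the per-interface Egress Bandwidth settings rather than relying on it alone.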
  • Page 285 Chapter 7 Manage Your Network Traffic Figure 667 ZyWALL/USG with DNS Inbound Load Balancing Example Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG310 (Firmware Version: ZLD 4.13).
  • Page 286: Set Up The Nat Rule On The Zywall/Usg

    Chapter 7 Manage Your Network Traffic Figure 670 CONFIGURATION > Network > DNS Inbound LB Go to the Global Setting page to select Enable DNS Load Balancing. Figure 671 CONFIGURATION > Network > DNS Inbound LB 7.4.1 Set Up the NAT Rule on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION >...
  • Page 287: Test The Result

    Chapter 7 Manage Your Network Traffic Figure 673 7.4.2 Test the Result Open the browser and query http://zyxel.for-our.info/. Create a Security Policy in order to view the testing result. Set Destination to be the Internal Server IP address (192.168.1.33 in this example) and set Log type to be the Log Alert. Go to the ZyWALL/USG Monitor >...
  • Page 288: Set Up The Sip Alg On The Zywall/Usg

    Chapter 7 Manage Your Network Traffic Figure 675 ZyWALL/USG with Voice Traffic Management Example Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG310 (Firmware Version: ZLD 4.13).
  • Page 289: Set Up The Bandwidth Management For P2P On The Zywall/Usg

    Chapter 7 Manage Your Network Traffic Figure 677 CONFIGURATION > BWM > BWM Global Settings > Enable BWM 7.5.3 Set Up the Bandwidth Management for P2P on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > BWM > Configuration > Add Policy, select Enable and type P2P Any-to-WAN as the policy’s Description.
  • Page 290: Set Up The Bandwidth Management For Ftp On The Zywall/Usg

    Chapter 7 Manage Your Network Traffic 7.5.4 Set Up the Bandwidth Management for FTP on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > BWM > Configuration > Add Policy, select Enable and type FTP Any-to-Any as the policy’s Description. Leave the Incoming Interface as any and set the Outgoing Interface to WAN1.
  • Page 291: What Can Go Wrong

    Chapter 7 Manage Your Network Traffic Figure 680 CONFIGURATION > BWM > Configuration > Add Policy Dial Phone Number 1001 (192.168.10.2 in this example) from Phone Number 1002 (192.168.100.2 in this example), go to the ZyWALL/USG Monitor > Log, you will see [alert] log message such as below.
  • Page 292: Maintain Your Device

    CHAPTER 8 Maintain Your Device 8.1 How to Manage ZyWALL/USG Configuration Files This is an example of how to rename, download, copy, apply and upload configuration files. Once your ZyWALL/USG is configured and functioning properly, it is highly recommended that you back up your configuration file before making further configuration changes.
  • Page 293: Download The Configuration Files On The Zywall/Usg

    Chapter 8 Maintain Your Device Figure 685 MAINTENANCE > File Manager > Configuration File Figure 686 MAINTENANCE > File Manager > Configuration File > Rename 8.1.2 Download the Configuration Files on the ZyWALL/USG In the ZyWALL/USG, go to MAINTENANCE > File Manager > Configuration File, select the configuration file and click Download to back up your configuration file from ZyWALL/USG to your computer.
  • Page 294: Apply The Configuration Files On The Zywall/Usg

    Chapter 8 Maintain Your Device Figure 688 MAINTENANCE > File Manager > Configuration File Figure 689 MAINTENANCE > File Manager > Configuration File > Copy 8.1.4 Apply the Configuration Files on the ZyWALL/USG In the ZyWALL/USG, go to MAINTENANCE > File Manager > Configuration File, select a specific configuration file to have ZyWALL/USG use it.
  • Page 295: Upload The Configuration Files From The Zywall/Usg

    Chapter 8 Maintain Your Device Figure 691 MAINTENANCE > File Manager > Configuration File > Apply Configuration File Note: Do not shut down the ZyWALL/USG while the configuration file is being applied. 8.1.5 Upload the Configuration Files from the ZyWALL/USG In the ZyWALL/USG, go to MAINTENANCE >...
  • Page 296: How To Manage Zywall/Usg Firmware

    Chapter 8 Maintain Your Device 8.2 How to Manage ZyWALL/USG Firmware This is an example of using ZyWALL/USG to check your current firmware version and upload firmware to the ZyWALL/USG. You can upload firmware to be the Running firmware or Standby firmware.
  • Page 297: What Can Go Wrong

    Chapter 8 Maintain Your Device Figure 696 MAINTENANCE > File Manager > Firmware Package > Upload File > (1) Figure 697 MAINTENANCE > File Manager > Firmware Package > Upload File > (2) Note: The default Running system space is (1) and the Standby system space is (2). If you select the Standby firmware and click Reboot now, or you upload a file to the Standby system space (2) and set Boot Options to Reboot now.
