ZyXEL Communications ZyWall 110 User Manual
User's Guide
ZyWALL USG Series
Version 4.35 Edition 1, 08/2019
Default Login Details
LAN Port IP Address: https://192.168.1.1
User Name: admin
Password: 1234
Copyright © 2019 Zyxel Communications Corporation


Summary of Contents for ZyXEL Communications ZyWall 110

  • Page 2 IMPORTANT! READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE. This is a User’s Guide for a series of products. Not all products support all firmware features. Screenshots and graphics in this book may differ slightly from your product due to differences in product features or web configurator brand style.
  • Page 3: Document Conventions

    Document Conventions Warnings and Notes These are how warnings and notes are shown in this guide. Warnings tell you about things that could harm you or your device. Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
  • Page 4: Table Of Contents

    Contents Overview: Introduction (p. 28); Initial Setup Wizard (p. 53); Hardware, Interfaces and Zones (p. 68); Easy Mode (p. 82); Quick Setup Wizards (p. 149); Dashboard (p. 182); Monitor (p. 196); Licensing (p. 266); Wireless (p. 273); Interfaces (p. 296); Routing ...
  • Page 5 Contents Overview: Anti-Spam (p. 751); SSL Inspection (p. 769); Device HA (p. 778); Object (p. 794); System (p. 906); Log and Report (p. 964); File Manager (p. 982); Diagnostics (p. 996); Packet Flow Explore (p. 1017); Shutdown (p. 1025); Troubleshooting (p. 1026)
  • Page 6: Table Of Contents

    Table of Contents: Document Conventions (p. 3); Contents Overview (p. 4); Table of Contents (p. 6); Part I: User’s Guide (p. 27); Chapter 1 Introduction (p. 28); 1.1 Overview (p. 28); 1.2 Registration at myZyxel (p. 29); 1.2.1 Grace Period (p. 30); 1.3 Applications ...
  • Page 7 Table of Contents: Chapter 3 Hardware, Interfaces and Zones (p. 68); 3.1 Hardware Overview (p. 68); 3.1.1 Front Panels (p. 68); 3.1.2 Rear Panels (p. 72); 3.2 Mounting (p. 74); 3.2.1 Rack-mounting (p. 74); 3.2.2 USG2200-VPN/USG2200 Rack Mounting (p. 75); 3.2.3 Wall-mounting (p. 78); 3.3 Default Zones, Interfaces, and Ports ...
  • Page 8 Table of Contents: 4.7 VPN Settings for Configuration Provisioning Wizard: Wizard Type (p. 117); 4.7.1 Configuration Provisioning Express Wizard - VPN Settings (p. 118); 4.7.2 Configuration Provisioning VPN Express Wizard - Configuration (p. 119); 4.7.3 VPN Settings for Configuration Provisioning Express Wizard - Summary (p. 120); 4.7.4 VPN Settings for Configuration Provisioning Express Wizard - Finish ...
  • Page 9 Table of Contents: 5.3.4 VPN Express Wizard - Configuration (p. 159); 5.3.5 VPN Express Wizard - Summary (p. 160); 5.3.6 VPN Express Wizard - Finish (p. 161); 5.3.7 VPN Advanced Wizard - Scenario (p. 161); 5.3.8 VPN Advanced Wizard - Phase 1 Settings (p. 163); 5.3.9 VPN Advanced Wizard - Phase 2 ...
  • Page 10 Table of Contents: Part II: Technical Reference (p. 195); Chapter 7 Monitor (p. 196); 7.1 Overview (p. 196); 7.1.1 What You Can Do in this Chapter (p. 196); 7.2 The Port Statistics Screen (p. 198); 7.2.1 The Port Statistics Graph Screen (p. 199); 7.3 Interface Status Screen ...
  • Page 11 Table of Contents: 7.32 The Content Filter Screen (p. 248); 7.33 The IDP Screen (p. 250); 7.34 The Anti-Virus Screen (p. 252); 7.35 The Anti-Spam Screens (p. 254); 7.35.1 Anti-Spam Summary (p. 254); 7.35.2 The Anti-Spam Status Screen (p. 256); 7.36 The SSL Inspection Screens ...
  • Page 12 Table of Contents: 9.7.2 Load Balancing (p. 295); Chapter 10 Interfaces (p. 296); 10.1 Interface Overview (p. 296); 10.1.1 What You Can Do in this Chapter (p. 296); 10.1.2 What You Need to Know (p. 297); 10.1.3 What You Need to Do First (p. 301); 10.2 Port Role ...
  • Page 13 Table of Contents: 10.14.1 Configuring a User-Defined Trunk (p. 398); 10.14.2 Configuring the System Default Trunk (p. 400); 10.15 Interface Technical Reference (p. 401); Chapter 11 Routing (p. 406); 11.1 Policy and Static Routes Overview (p. 406); 11.1.1 What You Can Do in this Chapter (p. 406); 11.1.2 What You Need to Know ...
  • Page 14 Table of Contents: Chapter 14 Redirect Service (p. 447); 14.1 Overview (p. 447); 14.1.1 HTTP Redirect (p. 447); 14.1.2 SMTP Redirect (p. 447); 14.1.3 What You Can Do in this Chapter (p. 448); 14.1.4 What You Need to Know (p. 448); 14.2 The Redirect Service Screen ...
  • Page 15 Table of Contents: Chapter 18 Layer 2 Isolation (p. 480); 18.1 Overview (p. 480); 18.1.1 What You Can Do in this Chapter (p. 480); 18.2 Layer-2 Isolation General Screen (p. 480); 18.3 White List Screen (p. 481); 18.3.1 Add/Edit White List Rule (p. 482); Chapter 19 DNS Inbound LB (p. 484); 19.1 DNS Inbound Load Balancing Overview ...
  • Page 16 Table of Contents: 21.4 The Billing > Billing Profile Screen (p. 525); 21.4.1 The Account Generator Screen (p. 526); 21.4.2 The Account Redeem Screen (p. 529); 21.4.3 The Billing Profile Add/Edit Screen (p. 531); 21.5 The Billing > Discount Screen (p. 532); 21.5.1 The Discount Add/Edit Screen ...
  • Page 17 Table of Contents: 25.3.1 Adding/Editing a Walled Garden URL (p. 562); 25.4 Walled Garden > Domain/IP Base Screen (p. 563); 25.4.1 Adding/Editing a Walled Garden Domain or IP (p. 564); 25.4.2 Walled Garden Login Example (p. 564); Chapter 26 Advertisement Screen (p. 566); 26.1 Advertisement Overview ...
  • Page 18 Table of Contents: 30.1.1 What You Can Do in this Chapter (p. 607); 30.1.2 What You Need to Know (p. 607); 30.1.3 Before You Begin (p. 610); 30.2 The VPN Connection Screen (p. 610); 30.2.1 The VPN Connection Add/Edit Screen (p. 612); 30.3 The VPN Gateway Screen ...
  • Page 19 Table of Contents: 32.7.8 Uploading a File (p. 661); 32.8 SecuExtender Screen (p. 662); 32.8.1 Installing the SecuExtender Client (p. 662); Chapter 33 Zyxel Device SecuExtender (Windows) (p. 665); 33.1 The Zyxel Device SecuExtender Icon (p. 665); 33.2 Status (p. 665); 33.3 View Log ...
  • Page 20 Table of Contents: 37.1.3 Before You Begin (p. 697); 37.2 Content Filter Profile Screen (p. 697); 37.2.1 Content Filter Add Profile Category Service (p. 699); 37.2.2 Content Filter Add Filter Profile Custom Service (p. 707); 37.3 Content Filter Trusted Web Sites Screen (p. 710); 37.4 Content Filter Forbidden Web Sites Screen ...
  • Page 21 Table of Contents: 40.1.2 What You Need to Know (p. 751); 40.2 Before You Begin (p. 752); 40.3 The Anti-Spam Profile Screen (p. 753); 40.3.1 The Anti-Spam Profile Add or Edit Screen (p. 754); 40.4 The Mail Scan Screen (p. 756); 40.5 The Anti-Spam Black List Screen ...
  • Page 22 Table of Contents: 43.1.2 The Zone Screen (p. 795); 43.2 User/Group Overview (p. 797); 43.2.1 What You Need To Know (p. 797); 43.2.2 User/Group User Summary Screen (p. 799); 43.2.3 User/Group Group Summary Screen (p. 803); 43.2.4 User/Group Setting Screen (p. 804); 43.2.5 User/Group MAC Address Summary Screen ...
  • Page 23 Table of Contents: 43.11.1 Before You Begin (p. 869); 43.11.2 Example: Selecting a VPN Authentication Method (p. 869); 43.11.3 Authentication Method Objects (p. 870); 43.11.4 Two-Factor Authentication VPN Access (p. 872); 43.11.5 Two-Factor Authentication Admin Access (p. 875); 43.12 Certificate Overview (p. 877); 43.12.1 What You Need to Know ...
  • Page 24 Table of Contents: 44.6.13 Editing a Security Option Control (p. 920); 44.6.14 Adding a DNS Service Control Rule (p. 921); 44.7 WWW Overview (p. 922); 44.7.1 Service Access Limitations (p. 922); 44.7.2 System Timeout (p. 923); 44.7.3 HTTPS (p. 923); 44.7.4 Configuring WWW Service Control ...
  • Page 25 Table of Contents: 45.3.1 Log Setting Summary (p. 966); 45.3.2 Edit System Log Settings (p. 967); 45.3.3 Edit Log on USB Storage Setting (p. 972); 45.3.4 Edit Remote Server Log Settings (p. 974); 45.3.5 Log Category Settings Screen (p. 977); Chapter 46 File Manager (p. 982); 46.1 Overview ...
  • Page 26 Table of Contents: 48.3 The SNAT Status Screen (p. 1022); Chapter 49 Shutdown (p. 1025); 49.1 Overview (p. 1025); 49.1.1 What You Need To Know (p. 1025); 49.2 The Shutdown Screen (p. 1025); Chapter 50 Troubleshooting (p. 1026); 50.1 Resetting the Zyxel Device (p. 1038); 50.2 Getting More Troubleshooting Help ...
  • Page 27: Part I: User's Guide

    User’s Guide...
  • Page 28: Introduction

    Chapter 1 Introduction 1.1 Overview Zyxel Device refers to these models as outlined below. • ZyWALL • ZyWALL USG (Unified Security Gateway) • ZyWALL 110 • USG40W • USG210 • USG2200 • ZyWALL 310 • USG60 •...
  • Page 29: Registration At Myzyxel

    Chapter 1 Introduction UTM (Unified Threat Management) features include the following: Note: Some models do not support all features listed below (see Table 1 on page 28). • Application Patrol (AP) • Intrusion Detection & Prevention (IDP) • Anomaly Detection & Prevention (ADP) •...
  • Page 30: Grace Period

    Chapter 1 Introduction Figure 1 myZyxel Login 1.2.1 Grace Period UTM licenses have a 15-day grace period after a license expires. Services will continue to work in this period during which you will receive notifications to renew your license(s). New license(s) are valid for 1 year from the date of purchase.
  • Page 31 Chapter 1 Introduction IPv6 Routing The Zyxel Device supports IPv6 Ethernet, PPP, VLAN, and bridge routing. You may also create IPv6 policy routes and IPv6 objects. The Zyxel Device can also route IPv6 packets through IPv4 networks using different tunneling methods. Figure 3 Applications: IPv6 Routing VPN Connectivity Set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to...
  • Page 32 Chapter 1 Introduction Figure 5 SSL VPN With Full Tunnel Mode LAN (192.168.1.X) Non-Web Web Mail File Share https:// Application Server Web-based Application User-Aware Access Control Set up security policies to restrict access to sensitive information and shared resources based on the user who is trying to access it.
  • Page 33: Management Overview

    Chapter 1 Introduction 1.4 Management Overview You can manage the Zyxel Device in the following ways. Web Configurator If you log into the Zyxel Device for the first time, the Choose A Mode To Start screen appears. See Chapter 4 on page 82 for the differences between Easy Mode and Expert Mode.
  • Page 34 Chapter 1 Introduction Figure 9 Managing the Zyxel Device: Web Configurator Command-Line Interface (CLI) The CLI allows you to use text-based commands to configure the Zyxel Device. Access it using remote management (for example, SSH or Telnet) or via the physical or Web Configurator console port. See the Command Reference Guide for CLI details.
  • Page 35: Web Configurator

    Chapter 1 Introduction • An external LDAP server • Certificates 1.5 Web Configurator In order to use the Web Configurator, you must: • Use one of the following web browser versions or later: • Internet Explorer 10.x, 11.x • Chrome latest version (45 or above) •...
  • Page 36 Chapter 1 Introduction Click Login. After you log in for the first time using the default user name and password, you must change the default admin password in the Update Admin Info screen. Enter a new password of 1 to 64 characters.
  • Page 37 Chapter 1 Introduction If you select Never and you later want to bring this screen back, use these commands (note the space before the underscore).

        Router> enable
        Router#
        Router# configure terminal
        Router(config)#
        Router(config)# service-register _setremind
        after-10-days
        after-180-days
        after-30-days
        every-time
        never
        Router(config)# service-register _setremind every-time
        Router(config)#

    See the Command Line Interface (CLI) Reference Guide (RG) for details on all supported commands.
  • Page 38: Web Configurator Screens Overview

    Chapter 1 Introduction 1.5.2 Web Configurator Screens Overview The Web Configurator screen is divided into these parts (as illustrated on page 37): • A - title bar • B - navigation panel • C - main window Title Bar Figure 10 Title Bar The title bar icons in the upper right corner provide the following functions.
  • Page 39 Chapter 1 Introduction Table 3 Title Bar: Web Configurator Icons (continued)
      Site Map - Click this to see an overview of links to the Web Configurator screens.
      Forum - Go to https://businessforum.zyxel.com for product discussions.
      Help - Click this to open the help page for the current screen.
      About - Click this to display basic information about the Zyxel Device.
  • Page 40 Chapter 1 Introduction Table 4 References (continued)
      Service - This is the type of setting that references the selected object. Click a service’s name to display the service’s configuration screen in the main window.
      Priority - If it is applicable, this field lists the referencing configuration item’s position in its list, otherwise N/A displays.
  • Page 41: Navigation Panel

    Chapter 1 Introduction Figure 14 Site Map About Click About to display basic information about the Zyxel Device. Figure 15 About Table 5 About LABEL DESCRIPTION Current Version This shows the firmware version of the Zyxel Device. Released Date This shows the date (yyyy-mm-dd) and time (hh:mm:ss) when the firmware is released. Click this to close the screen.
  • Page 42 Chapter 1 Introduction Figure 16 Navigation Panel Dashboard The dashboard displays general device information, system status, system resource usage, licensed service status, and interface status in widgets that you can re-arrange to suit your needs. See the Web Help for details on the dashboard. Monitor Menu The monitor menu screens display status and statistics information.
  • Page 43 Chapter 1 Introduction Table 6 Monitor Menu Screens Summary (continued) FOLDER OR LINK FUNCTION UPnP Port Status Port Statistics Displays details about UPnP connections going through the Zyxel Device. USB Storage Storage Displays details about USB device connected to the Zyxel Device. Information Ethernet Ethernet...
  • Page 44 Chapter 1 Introduction Table 6 Monitor Menu Screens Summary (continued) FOLDER OR LINK FUNCTION View Log Lists log entries. View AP Log Lists AP log entries. Dynamic Display the Zyxel Device’s dynamic guest account log messages. Users Log Configuration Menu Use the configuration menu screens to configure the Zyxel Device’s features.
  • Page 45 Chapter 1 Introduction Table 7 Configuration Menu Screens Summary (continued) FOLDER OR LINK FUNCTION Interface Port Use the Port Role screen to set the Zyxel Device’s flexible ports such as LAN, OPT, WLAN, or DMZ. Port Role/Port Configuration Use the Port Configuration screen to configure settings for individual Zyxel Device ports.
  • Page 46 Chapter 1 Introduction Table 7 Configuration Menu Screens Summary (continued) FOLDER OR LINK FUNCTION Billing General Configure the general billing settings, such as the accounting method. Billing Profile Configure the billing profiles for the web-based account generator and each button on the connected statement printer. Discount Configure discount price plans.
  • Page 47 Chapter 1 Introduction Table 7 Configuration Menu Screens Summary (continued) FOLDER OR LINK FUNCTION Content Filter Profile Create and manage the detailed filtering rules for content filtering profiles and then apply to a traffic flow using a security policy. Trusted Web Sites Create a list of allowed web sites that bypass content filtering policies.
  • Page 48 Chapter 1 Introduction Table 7 Configuration Menu Screens Summary (continued) FOLDER OR LINK FUNCTION MON Profile MON Profile Create and manage rogue AP monitoring files that can be associated with different APs. ZyMesh Profile ZyMesh Profile Create and manage ZyMesh files that can be associated with different APs.
  • Page 49 Chapter 1 Introduction Table 7 Configuration Menu Screens Summary (continued) FOLDER OR LINK FUNCTION Configure FTP server settings. SNMP SNMP Configure SNMP communities and services. Auth. Server Auth. Server Configure the Zyxel Device to act as a RADIUS server. Notification Mail Server Configure a mail server with authentication to send reports and password expiration notification emails.
  • Page 50: Tables And Lists

    Chapter 1 Introduction Table 8 Maintenance Menu Screens Summary (continued) FOLDER FUNCTION OR LINK Packet Routing Status Check how the Zyxel Device determines where to route a packet. Flow SNAT Status View a clear picture on how the Zyxel Device converts a packet’s source IP Explore address and check the related settings.
  • Page 51 Chapter 1 Introduction Figure 19 Resizing a Table Column Select a column heading and drag and drop it to change the column order. A green check mark displays next to the column’s title when you drag the column to a valid new location. Figure 20 Moving Columns Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how many entries display at a time.
  • Page 52 Chapter 1 Introduction Table 9 Common Table Icons (continued)
      Inactivate - To turn off an entry, select it and click Inactivate.
      Connect - To connect an entry, select it and click Connect.
      Disconnect - To disconnect an entry, select it and click Disconnect.
      References - Select an entry and click References to check which settings use the entry.
  • Page 53: Initial Setup Wizard

    Chapter 2 Initial Setup Wizard 2.1 Initial Setup Wizard Screens When you log into the Web Configurator for the first time or when you reset the Zyxel Device to its default configuration, the Initial Setup Wizard screen displays. This wizard helps you configure Internet connection settings and activate subscription services.
  • Page 54: Internet Access Setup - Wan Interface

    Chapter 2 Initial Setup Wizard 2.1.1 Internet Access Setup - WAN Interface Use this screen to set how many WAN interfaces to configure and the first WAN interface’s type of encapsulation and method of IP address assignment. The screens vary depending on the encapsulation type. Refer to information provided by your ISP to know what to enter in each field.
  • Page 55 Chapter 2 Initial Setup Wizard • IP Address: Enter your (static) public IP address. Auto displays if you selected Auto as the IP Address Assignment in the previous screen. The following fields display if you selected static IP address assignment. •...
  • Page 56: Internet Access: Pppoe

    Chapter 2 Initial Setup Wizard 2.1.3 Internet Access: PPPoE 2.1.3.1 ISP Parameters • Type the PPPoE Service Name from your service provider. PPPoE uses a service name to identify and reach the PPPoE server. You can use alphanumeric and -_@$./ characters, and it can be up to 64 characters long.
  • Page 57: Internet Access: Pptp

    Chapter 2 Initial Setup Wizard Figure 27 Internet Access: PPPoE Encapsulation 2.1.4 Internet Access: PPTP 2.1.4.1 ISP Parameters • Authentication Type - Select an authentication protocol for outgoing calls. Options are: • Chap/PAP - Your Zyxel Device accepts either CHAP or PAP when requested by the remote node. •...
  • Page 58 Chapter 2 Initial Setup Wizard 2.1.4.3 WAN IP Address Assignments • First WAN Interface: This is the connection type on the interface you are configuring to connect with your ISP. • Zone This is the security zone to which this interface and Internet connection will belong. •...
  • Page 59: Internet Access: L2Tp

    Chapter 2 Initial Setup Wizard 2.1.5 Internet Access: L2TP 2.1.5.1 ISP Parameters • Authentication Type - Select an authentication protocol for outgoing connection requests. Options are: • Chap/PAP - Your Zyxel Device accepts either CHAP or PAP when requested by the remote node. •...
  • Page 60: Internet Access Setup - Second Wan Interface

    Chapter 2 Initial Setup Wizard Figure 29 Internet Access: L2TP Encapsulation 2.1.6 Internet Access Setup - Second WAN Interface If you selected I have two ISPs, after you configure the First WAN Interface, you can configure the Second WAN Interface. The screens for configuring the second WAN interface are similar to the first (see Section 2.1.1 on page 54).
  • Page 61: Internet Access: Congratulations

    Chapter 2 Initial Setup Wizard 2.1.7 Internet Access: Congratulations You have set up your Zyxel Device to access the Internet. A screen displays with your settings. Click Connection Test to check that you can access the Internet. If you cannot, click Back and confirm that you entered the settings correctly.
  • Page 62: Register Device

    Chapter 2 Initial Setup Wizard Figure 32 Date and Time Settings 2.1.9 Register Device Click the Register button in this screen to register your device at portal.myzyxel.com. Note: The Zyxel Device must be connected to the Internet in order to register. Figure 33 Register Device You may need the Zyxel Device’s serial number and LAN MAC address to register it at myZyxel if you have not already done so.
  • Page 63: Activate Service

    Chapter 2 Initial Setup Wizard Figure 34 myZyxel Login Click Refresh or use the Configuration > Licensing > Registration screen to update your Zyxel Device registration status. Figure 35 Registered Device 2.1.10 Activate Service After you register your Zyxel Device, you can register for the services supported by your model. Examples of services are: •...
  • Page 64: Wireless Settings: Ap Controller

    Chapter 2 Initial Setup Wizard Click Refresh and wait a few moments for the registration information to update in this screen. If the page does not refresh, make sure the Internet connection is working and click Refresh again. To check your Internet connection, try to access the Internet from a computer connected to a LAN port on the Zyxel Device.
  • Page 65: Wireless Settings: Ssid & Security

    Chapter 2 Initial Setup Wizard Figure 38 Wireless Settings: AP Controller 2.1.12 Wireless Settings: SSID & Security Configure SSID and wireless security in this screen. SSID Setting • SSID - Enter a descriptive name of up to 32 printable characters for the wireless LAN. •...
  • Page 66: Remote Management

    Chapter 2 Initial Setup Wizard Figure 39 Wireless Settings: SSID & Security 2.1.13 Remote Management Select this to allow access to the Zyxel Device using HTTP or HTTPS from the Internet. Figure 40 Remote Management HTTPS is added to the Default_Allow_WAN_to_ZyWALL rule in Object > Service > Service Group screen when you enable Remote Management.
  • Page 67 Chapter 2 Initial Setup Wizard Figure 41 Object > Service > Service Group - HTTPS
  • Page 68: Hardware, Interfaces And Zones

    3.1.1 Front Panels The LED indicators are located on the front panel. Figure 42 ZyWALL 110 / USG110 / USG210 Front Panel Figure 43 ZyWALL 310 / ZyWALL 1100 / USG310 / USG1100 / USG1900 Front Panel Figure 44 USG20-VPN Front Panel Figure 45 USG20W-VPN Front Panel
  • Page 69 Chapter 3 Hardware, Interfaces and Zones Figure 46 USG40 Front Panel Figure 47 USG40W Front Panel Figure 48 USG60 Front Panel Figure 49 USG60W Front Panel Figure 50 USG2200-VPN Front Panel Figure 51 USG2200 Front Panel
  • Page 70 Chapter 3 Hardware, Interfaces and Zones The following table describes the front panel LEDs. Table 10 LED Descriptions COLOR STATUS DESCRIPTION The Zyxel Device is turned off. Green The Zyxel Device is turned on. There is a hardware component failure. Shut down the device, wait for a few minutes and then restart the device.
  • Page 71 Chapter 3 Hardware, Interfaces and Zones Table 11 USG2200-VPN/USG2200 LED Descriptions (continued) COLOR STATUS DESCRIPTION P5-P16 Green There is no connection on this port. (WAN/ This port has a successful 10/100Mbps link. LAN)) Blinking The Zyxel Device is sending or receiving packets on this port. Orange There is no connection on this port.
  • Page 72: Rear Panels

    3.1.2 Rear Panels The connection ports are located on the rear panel. Figure 52 ZyWALL 110 / USG110 / USG210 Rear Panel Figure 53 ZyWALL 310 / ZyWALL 1100 / USG310 / USG1100 / USG1900 Rear Panel
  • Page 73 Chapter 3 Hardware, Interfaces and Zones Figure 54 USG20-VPN / USG20W-VPN Rear Panel Figure 55 USG40 / USG40W Rear Panel Figure 56 USG60 / USG60W Rear Panel Figure 57 USG2200-VPN / USG2200 Rear Panel The following table describes the items on the rear panel. Table 14 Rear Panel Items LABEL DESCRIPTION...
  • Page 74: Mounting

    Ethernet device at the other end can support. 3.2 Mounting Some models can be mounted in a rack, and some can be mounted on a wall and some, both. Table 15 Mounting Method RACK-MOUNTING WALL-MOUNTING • ZyWALL 110 • USG20-VPN • ZyWALL 310 • USG20W-VPN •...
  • Page 75: Usg2200-Vpn/Usg2200 Rack Mounting

    Chapter 3 Hardware, Interfaces and Zones After attaching both mounting brackets, position the Zyxel Device in the rack and match up the bracket holes with the rack holes. Secure the Zyxel Device to the rack with the rack-mounting screws. 3.2.2 USG2200-VPN/USG2200 Rack Mounting 3.2.2.1 Installation Requirements •...
  • Page 76 Chapter 3 Hardware, Interfaces and Zones Note: Failure to use the proper screws may damage the unit. 3.2.2.2 Procedure Connect the front brackets to the USG2200-VPN/USG2200 using the M3 bracket screws. To separate the inner and outer railings, press tab B (white) and slide out the outer railing.
  • Page 77 Chapter 3 Hardware, Interfaces and Zones Connect the inner railing to the USG2200-VPN/USG2200 as shown. Align the holes on the inner rail with the screws on the side of the USG2200-VPN/USG2200 and slide until it clicks in place. Do the same for the other inner rail on the other side of the USG2200-VPN/USG2200.
  • Page 78: Wall-Mounting

    Chapter 3 Hardware, Interfaces and Zones 3.2.3 Wall-mounting Do the following to attach the USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W Zyxel Devices to a wall. Drill two holes 3 mm ~ 4 mm (0.12" ~ 0.16") wide, 20 mm ~ 30 mm (0.79” ~ 1.18”) deep and 174 mm (6.85”) apart, into a wall.
  • Page 79: Default Zones, Interfaces, And Ports

    Chapter 3 Hardware, Interfaces and Zones Note: Make sure the screws are securely fixed to the wall and strong enough to hold the weight of the Zyxel Device with the connection cables. Figure 59 Gap for Cables Use the holes on the Zyxel Device to hang the Zyxel Device on the screws. Wall-mount the Zyxel Device horizontally.
  • Page 80 PORT / INTERFACE • USG60 wan1 wan2 lan1 lan1 lan1 lan1 • USG60W wan1 wan2 lan1 lan1 lan1 lan1 • ZyWALL 110 wan1 wan2 lan1 lan1 lan1 • USG110 • USG210 • ZyWALL 310 • ZyWALL 1100 • USG310 • USG1100 •...
  • Page 81: Stopping The Zyxel Device

    Chapter 3 Hardware, Interfaces and Zones Table 19 Default Zone - Interface Mapping USG2200-VPN/USG2200 ZONE / INTERFACE LAN1 LAN2 DEFAULT ZONE • USG2200-VPN GE5, GE5_PPP GE9, GE10 TE1, TE1_PPP GE1, GE1_PPP • USG2200 TE2, TE2_PPP GE2, GE2_PPP GE3, GE3_PPP GE4, GE4_PPP GE7_PPP GE8_PPP GE9_PPP...
  • Page 82: Easy Mode

    Chapter 4 Easy Mode 4.1 Overview Easy Mode contains wizards that help you configure the Zyxel Device, links to portals and the advanced menus in Expert Mode. Note: See Section 1.1 on page 28 to see which models support Easy Mode wizards. Use the Easy Mode screens if you have a relatively simple network environment with one WAN (WAN1) and one LAN (LAN1) connections.
  • Page 83: Wizards And Links

    Chapter 4 Easy Mode Go back to Easy Mode to edit your settings on EZ_ rules. If you edit an EZ_ rule in Expert Mode, the corresponding policies created in Easy Mode may work differently. You cannot delete EZ_ objects or rules if they are used in a policy. To delete an EZ_ object or rule, you need to delete all corresponding policies.
  • Page 84: Easy Mode Settings

    Chapter 4 Easy Mode • Initial Setup Wizard for Internet access - you should have your Internet access account information at hand • VPN Wizard for a site-to-site tunnel between Zyxel Device networks, a tunnel from a remote client using the Zyxel client VPN software to the Zyxel Device network, or a tunnel from a remote client using other VPN software to the Zyxel Device network •...
  • Page 85: Easy Mode Dashboard

    Chapter 4 Easy Mode 4.1.4 Easy Mode Dashboard Cloud Helper Click the Cloud Helper icon to check if there is new firmware available at myZyxel. If there is new firmware available at myZyxel, then the icon displays a red N .
  • Page 86 Chapter 4 Easy Mode Figure 64 Easy Mode Dashboard The Easy Mode dashboard contains the following. • System information, such as firmware version, the length of time the Zyxel Device has been on, date and time. • Internet information such as Internet connection type, WAN IP address and a button to test the connection.
  • Page 87: Initial Setup Wizard - Language And Overview

    Chapter 4 Easy Mode Click the settings icon to manage clients. Click + to add a new network client. In the pop-up screen, you can add a new client by entering its interface (LAN1 or Guest), IP Address, MAC Address and Name.
  • Page 88 Chapter 4 Easy Mode Choose the language for the Easy Mode and Expert Mode screens. The initial wizard helps you set up basic options as shown in the screen. At the end, you will have the choice of finishing the wizard or continuing the wizard to configure the optional features as listed. If you choose to finish the wizard, you can configure the optional features later using their own separate links in the Easy Mode main screen.
  • Page 89: Initial Setup Wizard - Internet

    Chapter 4 Easy Mode 4.2.1 Initial Setup Wizard - Internet Figure 66 Initial Setup Wizard Connect to Internet This screen displays the Internet settings if the Zyxel Device can detect them automatically.
  • Page 90: Initial Setup Wizard - Internet Access Errors

    Chapter 4 Easy Mode If the Zyxel Device cannot detect the Internet settings automatically, then you have to enter them manually. • Choose DHCP if you were not given a specific IP address for the Zyxel Device. This allows the Zyxel Device to get one automatically.
  • Page 91: Initial Setup Wizard - Date And Time

    Chapter 4 Easy Mode subnet mask and gateway address exactly as given. If it fails again, check with your Internet service provider for correct IP address, subnet mask and gateway address and other WAN settings. 4.2.3 Initial Setup Wizard - Date and Time Figure 67 Initial Setup Wizard Date and Time It’s important to have correct date and time values in the logs.
  • Page 92: Initial Setup Wizard - Register Device

    Chapter 4 Easy Mode 4.2.4 Initial Setup Wizard - Register Device Figure 68 Initial Setup Wizard Non-Registered Device Figure 69 Initial Setup Wizard Registered Device
  • Page 93 Chapter 4 Easy Mode • For Zyxel Devices that already have firmware version 4.25 or later, you have to register your Zyxel Device and activate the corresponding service at myZyxel (through your Zyxel Device). • For Zyxel Devices upgrading to firmware version 4.25, you may skip registering your Zyxel Device and activating the corresponding service at myZyxel.
  • Page 94: Initial Setup Wizard - Activate Services

    Chapter 4 Easy Mode 4.2.5 Initial Setup Wizard - Activate Services Figure 70 Initial Setup Wizard Non-Activated Services
  • Page 95 Chapter 4 Easy Mode Figure 71 Initial Setup Wizard Activated Services After you register your Zyxel Device, you can activate the services supported by your model if you have service licenses. Examples of services are: • Content Filter (to block websites by category, such as Gambling) •...
  • Page 96: Initial Setup Wizard - Wi-Fi

    Chapter 4 Easy Mode 4.2.6 Initial Setup Wizard - Wi-Fi Figure 72 Initial Setup Wizard Wi-Fi Select Enable Wi-Fi Network if you want wireless devices to be able to wirelessly access the Zyxel Device and all resources connected to the Zyxel Device. Configure a descriptive name of 1 to 32 alphanumeric characters, hyphens or underscores (a-z A-Z 0-9 -_) for the wireless network name (Wi-Fi).
  • Page 97 Chapter 4 Easy Mode Figure 73 Remote Management HTTPS is added to the Default_Allow_WAN_to_ZyWALL rule in the Object > Service > Service Group screen when you enable Remote Management. Figure 74 Object > Service > Service Group - HTTPS
  • Page 98: Initial Setup Wizard - Congratulations

    Chapter 4 Easy Mode 4.2.8 Initial Setup Wizard - Congratulations Figure 75 Initial Setup Wizard Congratulations This screen shows if your Internet access is successfully configured. You can save changes and exit the Initial Wizard here by clearing Security Service, Port Forwarding, Guest LAN and VPN service selections and clicking Finish.
  • Page 99: Initial Setup Wizard - Security Service

    Chapter 4 Easy Mode 4.3 Initial Setup Wizard - Security Service Figure 76 Initial Setup Wizard Security Service Configure licensed (non-grayed-out) services in this screen. After you buy a license for a service, you must activate it at myZyxel. Make sure the Zyxel Device Internet connection is working correctly. Select Enable Content Filter to block websites by category, such as Chat websites.
  • Page 100 Chapter 4 Easy Mode • Instant Messaging: Sites that enable logging in to instant messaging services such as ICQ, AOL Instant Messenger, IRC, MSN, Jabber, Yahoo Messenger, and the like. For example, www.meebo.com, www.aim.com, www. ebuddy.com. • Job Search: Sites containing job listings, career information, assistance with job searches (such as resume writing, interviewing tips, etc.), employment agencies or head hunters.
  • Page 101: Initial Setup Wizard - Port Forwarding

    Chapter 4 Easy Mode 4.4 Initial Setup Wizard - Port Forwarding Figure 77 Initial Setup Wizard Port Forwarding NAT port forwarding allows the Zyxel Device to direct incoming traffic from the Internet to the correct virtual server in your network. For example, if you have a NAS server in your network that you or other people need access to from outside your network, select the IP address of the NAS from Client.
  • Page 102: Initial Setup Wizard - Guest Lan

    Chapter 4 Easy Mode A client or device in your network acting as a server for forwarded services (for example, the NAS) needs to have a static address. If the client selected does not have a static IP address, the IP address may change when the client reboots, so the Zyxel Device may not be able to find it.
  • Page 103 Chapter 4 Easy Mode Select Enable Guest Network (for wired clients) to convert the OPT or P6 port (depending on your model) to be a guest port and isolate it from the LAN/DMZ ports. Devices connected to the guest port are allowed Internet access only and do not have access to networks connected to the other ports.
  • Page 104: Connecting Ap Scenarios

    Chapter 4 Easy Mode 4.5.1 Connecting AP Scenarios If you connect an AP to a LAN port, then users can use the AP’s SSID to wirelessly access the Internet and all wired resources connected to the LAN ports.
  • Page 105 Chapter 4 Easy Mode If you connect an AP to the Guest port, then users can use the AP’s SSID to wirelessly access the Internet and only those wired resources connected to the Guest port. You must select both Enable Guest Wi-Fi Network and Guest LAN (Wired Network).
  • Page 106: Initial Setup Wizard - Vpn

    Chapter 4 Easy Mode 4.6 Initial Setup Wizard - VPN Figure 79 Initial Setup Wizard VPN A VPN is a secure, private connection between two end points. An end point could be a VPN gateway like the Zyxel Device itself or a computer with VPN software installed. Select a VPN wizard type and click Launch to begin that wizard and end the Initial Setup Wizard with changes saved.
  • Page 107: Vpn Setup Wizard: Wizard Type

    Chapter 4 Easy Mode • Select VPN Settings for L2TP VPN Settings to create a secure, private connection between the Zyxel Device and a computer with L2TP VPN software installed. Many computer operating systems come with L2TP installed. See your computer’s help to see how to configure it. The L2TP computer and the Zyxel Device will then communicate securely with each other.
  • Page 108 Chapter 4 Easy Mode Figure 81 VPN Express Wizard: Scenario IKE (Internet Key Exchange) Version: IKE is a protocol used in security associations to send data securely. IKE uses certificates or pre-shared keys for authentication and a Diffie–Hellman key exchange to set up a shared session secret from which encryption keys are derived.
  • Page 109 Chapter 4 Easy Mode Select the scenario that best describes your intended VPN connection. The figure on the left of the screen changes to match the scenario you select. Table columns: SITE-TO-SITE | SITE-TO-SITE WITH DYNAMIC PEER | REMOTE ACCESS (SERVER ROLE) | REMOTE ACCESS (CLIENT ROLE) •...
  • Page 110: Vpn Express Wizard - Configuration

    Chapter 4 Easy Mode 4.6.3 VPN Express Wizard - Configuration Figure 82 VPN Express Wizard: Configuration • My Address (interface): Select an interface from the drop-down list box to use on your Zyxel Device. • Secure Gateway: Any displays in this field if it is not configurable for the chosen scenario. Otherwise, enter the WAN IP address or domain name of the remote IPSec device (secure gateway) to identify the remote IPSec router by its IP address or a domain name.
  • Page 111: Vpn Express Wizard - Finish

    Chapter 4 Easy Mode Figure 83 VPN Express Wizard: Summary • Rule Name: Identifies the VPN gateway policy. • Secure Gateway: IP address or domain name of the remote IPSec device. If this field displays Any, only the remote IPSec device can initiate the VPN connection. •...
  • Page 112: Vpn Advanced Wizard - Scenario

    Chapter 4 Easy Mode Figure 84 VPN Express Wizard: Finish Click Close to exit the wizard. 4.6.6 VPN Advanced Wizard - Scenario Click the Advanced radio button as shown in Figure 80 on page 107 to display the following screen. Figure 85 VPN Advanced Wizard: Scenario
  • Page 113: Vpn Advanced Wizard - Phase 1 Settings

    Chapter 4 Easy Mode IKE (Internet Key Exchange) Version: IKE is a protocol used in security associations to send data securely. IKE uses certificates or pre-shared keys for authentication and a Diffie–Hellman key exchange to set up a shared session secret from which encryption keys are derived. IKEv2 supports Extended Authentication Protocol (EAP) authentication, and IKEv1 supports X-Auth.
  • Page 114: Vpn Advanced Wizard - Phase 2

    Chapter 4 Easy Mode • Negotiation Mode: This displays Main or Aggressive: • Main encrypts the ZyWALL/USG’s and remote IPSec router’s identities but takes more time to establish the IKE SA • Aggressive is faster but does not encrypt the identities. The ZyWALL/USG and the remote IPSec router must use the same negotiation mode.
  • Page 115: Vpn Advanced Wizard - Summary

    Chapter 4 Easy Mode Figure 87 VPN Advanced Wizard: Phase 2 Settings • Active Protocol: ESP is compatible with NAT, AH is not. • Encapsulation: Tunnel is compatible with NAT, Transport is not. • Encryption Algorithm: 3DES and AES use encryption. The longer the AES key, the higher the security (this may affect throughput).
  • Page 116: Vpn Advanced Wizard - Finish

    Chapter 4 Easy Mode Figure 88 VPN Advanced Wizard: Summary • Rule Name: Identifies the VPN connection (and the VPN gateway). • Secure Gateway: IP address or domain name of the remote IPSec device. • Pre-Shared Key: VPN tunnel password. •...
  • Page 117: Vpn Settings For Configuration Provisioning Wizard: Wizard Type

    Chapter 4 Easy Mode Figure 89 VPN Wizard: Finish Click Close to exit the wizard. 4.7 VPN Settings for Configuration Provisioning Wizard: Wizard Type Use VPN Settings for Configuration Provisioning to set up a VPN rule that can be retrieved with the Zyxel Device IPSec VPN Client.
  • Page 118: Configuration Provisioning Express Wizard - Vpn Settings

    Chapter 4 Easy Mode • AH active protocol • NULL encryption • SHA512 authentication • A subnet or range remote policy Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and to use a pre-shared key.
  • Page 119: Configuration Provisioning Vpn Express Wizard - Configuration

    Chapter 4 Easy Mode Figure 91 VPN for Configuration Provisioning Express Wizard: Settings Scenario IKE (Internet Key Exchange) Version: IKE is a protocol used in security associations to send data securely. IKE uses certificates or pre-shared keys for authentication and a Diffie–Hellman key exchange to set up a shared session secret from which encryption keys are derived.
  • Page 120: Vpn Settings For Configuration Provisioning Express Wizard - Summary

    Chapter 4 Easy Mode Figure 92 VPN for Configuration Provisioning Express Wizard: Configuration • My Address (interface): Select an interface from the drop-down list box to use on your Zyxel Device. • Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the Zyxel Device IPSec VPN Client.
  • Page 121: Vpn Settings For Configuration Provisioning Express Wizard - Finish

    Chapter 4 Easy Mode Figure 93 VPN for Configuration Provisioning Express Wizard: Summary • Rule Name: Identifies the VPN gateway policy. • Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the Zyxel Device IPSec VPN Client. •...
  • Page 122: Vpn Settings For Configuration Provisioning Advanced Wizard - Scenario

    Chapter 4 Easy Mode Figure 94 VPN for Configuration Provisioning Express Wizard: Finish Click Close to exit the wizard. 4.7.5 VPN Settings for Configuration Provisioning Advanced Wizard - Scenario Click the Advanced radio button as shown in Figure 90 on page 118 to display the following screen.
  • Page 123: Vpn Settings For Configuration Provisioning Advanced Wizard - Phase 1 Settings

    Chapter 4 Easy Mode Figure 95 VPN for Configuration Provisioning Advanced Wizard: Scenario Settings IKE (Internet Key Exchange) Version: IKE is a protocol used in security associations to send data securely. IKE uses certificates or pre-shared keys for authentication and a Diffie–Hellman key exchange to set up a shared session secret from which encryption keys are derived.
  • Page 124: Vpn Settings For Configuration Provisioning Advanced Wizard - Phase 2

    Chapter 4 Easy Mode Figure 96 VPN for Configuration Provisioning Advanced Wizard: Phase 1 Settings • Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the Zyxel Device IPSec VPN Client. •...
  • Page 125: Vpn Settings For Configuration Provisioning Advanced Wizard - Summary

    Chapter 4 Easy Mode Figure 97 VPN for Configuration Provisioning Advanced Wizard: Phase 2 Settings • Active Protocol: ESP is compatible with NAT. AH is not available in this wizard. • Encapsulation: Tunnel is compatible with NAT, Transport is not. •...
  • Page 126 Chapter 4 Easy Mode Figure 98 VPN for Configuration Provisioning Advanced Wizard: Summary Summary • Rule Name: Identifies the VPN connection (and the VPN gateway). • Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the Zyxel Device IPSec VPN Client.
  • Page 127 Chapter 4 Easy Mode • Main encrypts the ZyWALL/USG’s and remote IPSec router’s identities but takes more time to establish the IKE SA • Aggressive is faster but does not encrypt the identities. The ZyWALL/USG and the remote IPSec router must use the same negotiation mode. Multiple SAs connecting through a secure gateway must have the same negotiation mode.
  • Page 128: Vpn Settings For Configuration Provisioning Advanced Wizard - Finish

    Chapter 4 Easy Mode Click Save to save the VPN rule. 4.7.9 VPN Settings for Configuration Provisioning Advanced Wizard - Finish Now the rule is configured on the Zyxel Device. The Phase 1 rule settings appear in the VPN > IPSec VPN >...
  • Page 129: Vpn Settings For L2Tp Vpn Settings Wizard

    Chapter 4 Easy Mode 4.8 VPN Settings for L2TP VPN Settings Wizard Use VPN Settings for L2TP VPN Settings to set up an L2TP VPN rule. Click Configuration > Quick Setup > VPN Settings and select VPN Settings for L2TP VPN Settings to see the following screen. Figure 100 VPN Settings for L2TP VPN Settings Wizard: L2TP VPN Settings Click Next to continue the wizard.
  • Page 130: L2Tp Vpn Settings 2

    Chapter 4 Easy Mode • Rule Name: Type the name used to identify this L2TP VPN connection (and L2TP VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. •...
  • Page 131: Vpn Settings For L2Tp Vpn Setting Wizard - Summary

    Chapter 4 Easy Mode Note: DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. The Zyxel Device uses a system DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and the time server.
  • Page 132: Vpn Settings For L2Tp Vpn Setting Wizard Completed

    Chapter 4 Easy Mode 4.8.4 VPN Settings for L2TP VPN Setting Wizard Completed Figure 104 VPN Settings for L2TP VPN Settings Wizard: Finish Now the rule is configured on the Zyxel Device. The L2TP VPN rule settings appear in the VPN > L2TP VPN screen and also in the VPN >...
  • Page 133: Port Forwarding

    Chapter 4 Easy Mode 4.9 Port Forwarding Figure 105 Port Forwarding > Wizard 1 NAT port forwarding allows the Zyxel Device to direct incoming traffic from the Internet to the correct virtual server in your network. Even though the NAS is in your local network receiving the protection of the Zyxel Device, you can still access that NAS using these services from anywhere outside your network.
  • Page 134: Port Forwarding > Add Client

    Chapter 4 Easy Mode 4.9.1 Port Forwarding > Add Client Click the Edit icon next to Client List if you cannot see the client in the list. In the pop-up screen, you can add a new client by entering its Name, IP Address and MAC Address. A client or device in your network acting as a server for forwarded services (for example, the NAS) needs to have a static address.
  • Page 135: Wi-Fi And Guest Network Wizard

    Chapter 4 Easy Mode Click Finish to complete the Port Forwarding Wizard. 4.10 Wi-Fi and Guest Network Wizard Figure 106 Wi-Fi and Guest Network Setup
  • Page 136: Guest Lan (Wired Network)

    Chapter 4 Easy Mode Select Enable Wi-Fi Network if you want wireless devices to be able to wirelessly access the Zyxel Device and all resources connected to the Zyxel Device. Configure a descriptive name of 1 to 32 alphanumeric characters, hyphens or underscores (a-z A-Z 0-9 -_) for the wireless network name (Wi-Fi).
  • Page 137 Chapter 4 Easy Mode Select Enable Guest Network (for wired clients) to convert the OPT or P6 port (depending on your model) to be a guest port and isolate it from the LAN/DMZ ports. Devices connected to the guest port are allowed Internet access only and do not have access to networks connected to the other ports.
  • Page 138: Connecting Ap Scenarios

    Chapter 4 Easy Mode 4.10.2 Connecting AP Scenarios If you connect an AP to a LAN port, then users can use the AP’s SSID to wirelessly access the Internet and all wired resources connected to the LAN ports.
  • Page 139: Security Service Wizard

    Chapter 4 Easy Mode If you connect an AP to the Guest port, then users can use the AP’s SSID to wirelessly access the Internet and only those wired resources connected to the Guest port. You must select both Enable Guest Wi-Fi Network and Guest LAN (Wired Network).
  • Page 140 Chapter 4 Easy Mode Figure 109 Security Service Wizard 1 - Service License Status This screen shows if you have registered your Zyxel Device at portal.myzyxel.com. After you register your Zyxel Device, you can register for the services supported by your model. For example, some models only support content filtering.
  • Page 141: Security Service Wizard 2 - Content Filter Categories

    Chapter 4 Easy Mode 4.11.1 Security Service Wizard 2 - Content Filter Categories Figure 110 Security Service Wizard 2 - Content Filter Categories Configure licensed (non-grayed-out) services in this screen. After you buy a license for a service, you must activate it at myZyxel. Make sure the Zyxel Device Internet connection is working correctly. Select Enable Content Filter with following contents blocked to block websites by category, such as Chat websites.
  • Page 142 Chapter 4 Easy Mode • Streaming Media & Downloads: Sites that deliver streaming content, such as Internet radio, Internet TV or MP3 and live or archived media download sites. Includes fan sites, or official sites run by musicians, bands, or record labels. For example, www.youtube.com, pfp.sina.com.cn, my.xunlei.com.
  • Page 143: Security Service Wizard 3 - Websites

    Chapter 4 Easy Mode • Job Search: Sites containing job listings, career information, assistance with job searches (such as resume writing, interviewing tips, etc.), employment agencies or head hunters. For example, www.104.com.tw, www.1111.com.tw, www.yes123.com.tw. • Advertisements & Pop-Ups: Sites that provide advertising graphics or other ad content files such as banners and pop-ups.
  • Page 144: Security Service Wizard 4 - Exemptions

    Chapter 4 Easy Mode 4.11.3 Security Service Wizard 4 - Exemptions Figure 112 Security Wizard 4 - Exemptions Select devices which are exempted from content filter category and trusted/forbidden web site policies. Click Add Client Address under Client List if you cannot see the client to exempt in the list. In the pop-up screen, you can add a new client by entering its Name, IP Address and MAC Address.
  • Page 145: Security Service Wizard 5 - Idp/Av

    Chapter 4 Easy Mode 4.11.4 Security Service Wizard 5 - IDP/AV Figure 113 Security Wizard 5 - IDP/AV IDP (Intrusion Detection and Prevention) consists of a set of signatures which examine packet content for known malicious data. You need to subscribe to the IDP service in order to be able to download new signatures.
  • Page 146: Myzyxel Portal

    Chapter 4 Easy Mode 4.12 MyZyxel Portal Figure 114 MyZyxel Portal myZyxel is Zyxel’s online services center where you can register your Zyxel Device and manage subscription services available for the Zyxel Device. To update signature files or use a subscription service, you have to register the Zyxel Device and activate the corresponding service at myZyxel (through the Zyxel Device).
  • Page 147: One Security Portal

    Chapter 4 Easy Mode 4.13 One Security Portal Figure 115 One Security Portal OneSecurity is a website with guidance on configuration walkthroughs, troubleshooting, and other information. In the Zyxel Device advanced menus, you will see icons that link to OneSecurity walkthroughs, troubleshooting and so on as shown in the following table.
  • Page 148 Chapter 4 Easy Mode Table 21 OneSecurity Links (continued) ONESECURITY ICON SCREEN Anti-Virus Click this icon for more information on Anti-Virus, which checks traffic flows through your network for known virus and spyware signature patterns. Anti-Spam Click this icon for more information on Anti-Spam, which can mark or discard spam (unsolicited commercial or junk e-mail) and e-mail from certain servers suspected of being used by spammers.
  • Page 149: Quick Setup Wizards

    Chapter 5 Quick Setup Wizards 5.1 Quick Setup Overview The Web Configurator's quick setup wizards help you configure Internet and VPN connection settings. This chapter provides information on configuring the quick setup screens in the Web Configurator. See the feature-specific chapters in this User’s Guide for background information.
  • Page 150: Wan Interface Quick Setup

    Chapter 5 Quick Setup Wizards • Wizard Help If the help does not automatically display when you run the wizard, click the arrow to display it. 5.2 WAN Interface Quick Setup Click WAN Interface in the main Quick Setup screen to open the WAN Interface Quick Setup Wizard Welcome screen.
  • Page 151: Select Wan Type

    Chapter 5 Quick Setup Wizards Figure 118 Choose an Ethernet Interface 5.2.2 Select WAN Type WAN Type Selection: Select the type of encapsulation this connection is to use. Choose Ethernet when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE, PPTP or L2TP for a dial-up connection according to the information from your ISP.
  • Page 152: Configure Wan Ip Settings

    Chapter 5 Quick Setup Wizards 5.2.3 Configure WAN IP Settings Use this screen to select whether the interface should use a fixed or dynamic IP address. Figure 120 WAN Interface Setup: Step 2 Ethernet Dynamic IP Figure 121 WAN Interface Setup: Step 2 Ethernet Static IP •...
  • Page 153: Isp And Wan And Isp Connection Settings

    Chapter 5 Quick Setup Wizards 5.2.4 ISP and WAN and ISP Connection Settings Use this screen to configure the ISP and WAN interface settings. This screen is read-only if you select Ethernet and set the IP Address Assignment to Auto. If you set the IP Address Assignment to static and/or select PPTP or PPPoE, enter the Internet access information exactly as your ISP gave it to you.
  • Page 154 Chapter 5 Quick Setup Wizards Figure 123 WAN and ISP Connection Settings: (PPPoE) Figure 124 WAN and ISP Connection Settings: (L2TP) • ISP Parameter: This section appears if the interface uses a PPPoE or PPTP Internet connection. • Encapsulation: This displays the type of Internet connection you are configuring. •...
  • Page 155: Quick Setup Interface Wizard: Summary

    Chapter 5 Quick Setup Wizards • Authentication Type: Use the drop-down list box to select an authentication protocol for outgoing calls. Options are: • CHAP/PAP - Your Zyxel Device accepts either CHAP or PAP when requested by this remote node. •...
  • Page 156: Vpn Setup Wizard

    Chapter 5 Quick Setup Wizards Figure 125 Interface Wizard: Summary WAN • Encapsulation: This displays what encapsulation this interface uses to connect to the Internet. • Service Name: This field only appears for a PPPoE interface. It displays the PPPoE service name specified in the ISP account.
  • Page 157: Welcome

    Chapter 5 Quick Setup Wizards Figure 126 VPN Setup Wizard 5.3.1 Welcome Use wizards to create Virtual Private Network (VPN) rules. After you complete the wizard, the Phase 1 rule settings appear in the Configuration > VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the Configuration >...
  • Page 158: Vpn Express Wizard - Scenario

    Chapter 5 Quick Setup Wizards Choose Advanced to change the default settings and/or use certificates instead of a pre-shared key to create a VPN rule to connect to another IPSec device. Figure 128 VPN Setup Wizard: Wizard Type 5.3.3 VPN Express Wizard - Scenario Click the Express radio button as shown in Figure 128 on page 158 to display the following screen.
  • Page 159: Vpn Express Wizard - Configuration

    Chapter 5 Quick Setup Wizards IKE (Internet Key Exchange) Version: IKEv1 and IKEv2 • IKE (Internet Key Exchange) is a protocol used in security associations to send data securely. IKE uses certificates or pre-shared keys for authentication and a Diffie–Hellman key exchange to set up a shared session secret from which encryption keys are derived.
  • Page 160: Vpn Express Wizard - Summary

    Chapter 5 Quick Setup Wizards • Secure Gateway: Any displays in this field if it is not configurable for the chosen scenario. Otherwise, enter the WAN IP address or domain name of the remote IPSec device (secure gateway) to identify the remote IPSec router by its IP address or a domain name.
  • Page 161: Vpn Express Wizard - Finish

    Chapter 5 Quick Setup Wizards • Remote Policy: IP address and subnet mask of the computers on the network behind the remote IPSec device that can use the tunnel. If this field displays Any, only the remote IPSec device can initiate the VPN connection.
  • Page 162 Chapter 5 Quick Setup Wizards Figure 133 VPN Advanced Wizard: Scenario IKE (Internet Key Exchange) Version: IKEv1 and IKEv2 • IKE (Internet Key Exchange) is a protocol used in security associations to send data securely. IKE uses certificates or pre-shared keys for authentication and a Diffie–Hellman key exchange to set up a shared session secret from which encryption keys are derived.
  • Page 163: Vpn Advanced Wizard - Phase 1 Settings

    Chapter 5 Quick Setup Wizards 5.3.8 VPN Advanced Wizard - Phase 1 Settings There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA (Security Association). Figure 134 VPN Advanced Wizard: Phase 1 Settings •...
  • Page 164: Vpn Advanced Wizard - Phase 2

    Chapter 5 Quick Setup Wizards • NAT Traversal: Select this if the VPN tunnel must pass through NAT (there is a NAT router between the IPSec devices). Note: The remote IPSec device must also have NAT traversal enabled. See the help in the main IPSec VPN screens for more information.
  • Page 165: Vpn Advanced Wizard - Summary

    Chapter 5 Quick Setup Wizards • Nailed-Up: This displays for the site-to-site and remote access client role scenarios. Select this to have the Zyxel Device automatically renegotiate the IPSec SA when the SA life time expires. 5.3.10 VPN Advanced Wizard - Summary This is a read-only summary of the VPN tunnel settings.
  • Page 166: Vpn Advanced Wizard - Finish

    Chapter 5 Quick Setup Wizards • Copy and paste the Configuration for Remote Gateway commands into another ZLD-based Zyxel Device’s command line interface. • Click Save to save the VPN rule. 5.3.11 VPN Advanced Wizard - Finish Now the rule is configured on the Zyxel Device. The Phase 1 rule settings appear in the VPN > IPSec VPN >...
  • Page 167: Vpn Settings For Configuration Provisioning Wizard: Wizard Type

    Chapter 5 Quick Setup Wizards 5.4 VPN Settings for Configuration Provisioning Wizard: Wizard Type Use VPN Settings for Configuration Provisioning to set up a VPN rule that can be retrieved with the Zyxel Device IPSec VPN Client. VPN rules for the Zyxel Device IPSec VPN Client have certain restrictions. They must not contain the following settings: •...
  • Page 168: Configuration Provisioning Vpn Express Wizard - Configuration

    Chapter 5 Quick Setup Wizards Figure 139 VPN for Configuration Provisioning Express Wizard: Settings Scenario • IKE (Internet Key Exchange) is a protocol used in security associations to send data securely. IKE uses certificates or pre-shared keys for authentication and a Diffie–Hellman key exchange to set up a shared session secret from which encryption keys are derived.
  • Page 169: Vpn Settings For Configuration Provisioning Express Wizard - Summary

    Chapter 5 Quick Setup Wizards Figure 140 VPN for Configuration Provisioning Express Wizard: Configuration • My Address (interface): Select an interface from the drop-down list box to use on your Zyxel Device. • Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the Zyxel Device IPSec VPN Client.
  • Page 170: Vpn Settings For Configuration Provisioning Express Wizard - Finish

    Chapter 5 Quick Setup Wizards Figure 141 VPN for Configuration Provisioning Express Wizard: Summary • Rule Name: Identifies the VPN gateway policy. • Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the Zyxel Device IPSec VPN Client.
  • Page 171: Vpn Settings For Configuration Provisioning Advanced Wizard - Scenario

    Chapter 5 Quick Setup Wizards Figure 142 VPN for Configuration Provisioning Express Wizard: Finish Click Close to exit the wizard. 5.4.5 VPN Settings for Configuration Provisioning Advanced Wizard - Scenario Click the Advanced radio button as shown in Figure 138 on page 167 to display the following screen.
  • Page 172: Vpn Settings For Configuration Provisioning Advanced Wizard - Phase 1 Settings

    Chapter 5 Quick Setup Wizards Figure 143 VPN for Configuration Provisioning Advanced Wizard: Scenario Settings • IKE (Internet Key Exchange) is a protocol used in security associations to send data securely. IKE uses certificates or pre-shared keys for authentication and a Diffie–Hellman key exchange to set up a shared session secret from which encryption keys are derived.
  • Page 173: Vpn Settings For Configuration Provisioning Advanced Wizard - Phase 2

    Chapter 5 Quick Setup Wizards Figure 144 VPN for Configuration Provisioning Advanced Wizard: Phase 1 Settings • Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the Zyxel Device IPSec VPN Client. •...
  • Page 174: Vpn Settings For Configuration Provisioning Advanced Wizard - Summary

    Chapter 5 Quick Setup Wizards Figure 145 VPN for Configuration Provisioning Advanced Wizard: Phase 2 Settings • Active Protocol: ESP is compatible with NAT. AH is not available in this wizard. • Encapsulation: Tunnel is compatible with NAT, Transport is not. •...
  • Page 175 Chapter 5 Quick Setup Wizards Figure 146 VPN for Configuration Provisioning Advanced Wizard: Summary Summary • Rule Name: Identifies the VPN connection (and the VPN gateway). • Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the Zyxel Device IPSec VPN Client.
  • Page 176: Vpn Settings For Configuration Provisioning Advanced Wizard- Finish

    Chapter 5 Quick Setup Wizards • Encryption Algorithm: This displays the encryption method used. The longer the key, the higher the security, the lower the throughput (possibly). • DES uses a 56-bit key. • 3DES uses a 168-bit key. • AES128 uses a 128-bit key •...
  • Page 177: Vpn Settings For L2Tp Vpn Settings Wizard

    Chapter 5 Quick Setup Wizards VPN > IPSec VPN > VPN Connection screen. Enter the IP address of the Zyxel Device in the Zyxel Device IPSec VPN Client to get all these VPN settings automatically from the Zyxel Device. Figure 147 VPN for Configuration Provisioning Advanced Wizard: Finish Click Close to exit the wizard.
  • Page 178: L2Tp Vpn Settings

    Chapter 5 Quick Setup Wizards Figure 148 VPN Settings for L2TP VPN Settings Wizard: L2TP VPN Settings Click Next to continue the wizard. 5.5.1 L2TP VPN Settings Figure 149 VPN Settings for L2TP VPN Settings Wizard: L2TP VPN Settings
  • Page 179: L2Tp Vpn Settings

    Chapter 5 Quick Setup Wizards • Rule Name: Type the name used to identify this L2TP VPN connection (and L2TP VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. •...
  • Page 180: Vpn Settings For L2Tp Vpn Setting Wizard - Summary

    Chapter 5 Quick Setup Wizards Click Next to continue the wizard. Note: DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.
  • Page 181: Vpn Settings For L2Tp Vpn Setting Wizard Completed

    Chapter 5 Quick Setup Wizards 5.5.4 VPN Settings for L2TP VPN Setting Wizard Completed Figure 152 VPN Settings for L2TP VPN Settings Wizard: Finish Now the rule is configured on the Zyxel Device. The L2TP VPN rule settings appear in the Configuration > VPN >...
  • Page 182: Dashboard

    Chapter 6 Dashboard 6.1 Overview Use the Dashboard screens to check status information about the Zyxel Device. 6.1.1 What You Can Do in this Chapter Use the main Dashboard screen to see the Zyxel Device’s general device information, system status, system resource usage, licensed service status, and interface status.
  • Page 183 Chapter 6 Dashboard Figure 153 Zyxel Device Dashboard The following table describes the labels in this screen. Table 22 Dashboard LABEL DESCRIPTION Widget Settings Use this link to open or close widgets by selecting/clearing the associated checkbox. Up Arrow (B) Click this to collapse a widget.
  • Page 184: Device Information Screen

    Chapter 6 Dashboard Table 22 Dashboard (continued) LABEL DESCRIPTION Name This field displays the name of each interface. Status This field displays the current status of each interface or device installed in a slot. The possible values depend on what type of interface it is. Inactive - The Ethernet interface is disabled.
  • Page 185: System Status Screen

    Chapter 6 Dashboard This table describes the fields in the above screen. Table 23 Dashboard > Device Information LABEL DESCRIPTION Device Information This identifies a device installed in one of the Zyxel Device’s extension slots, the Security Extension Module slot, or USB ports. For an installed SEM (Security Extension Module) card, this field displays what kind of SEM card is installed.
  • Page 186: Dhcp Table Screen

    Chapter 6 Dashboard Table 24 Dashboard > System Status (continued) LABEL DESCRIPTION DHCP Table Click this to look at the IP addresses currently assigned to the Zyxel Device’s DHCP clients and the IP addresses reserved for specific MAC addresses. See Section 6.2.3 on page 186.
  • Page 187: Number Of Login Users Screen

    Chapter 6 Dashboard This table describes the fields in the above screen. Table 25 Dashboard > System Status > DHCP Table LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific entry. Interface This field identifies the interface that assigned an IP address to a DHCP client. IP Address This field displays the IP address currently assigned to a DHCP client or reserved for a specific MAC address.
  • Page 188: System Resources Screen

    Chapter 6 Dashboard Table 26 Dashboard > System Status > Number of Login Users (continued) LABEL DESCRIPTION This field displays how much longer the account can be used to log into the Zyxel Device or access the Internet through the Zyxel Device. This shows N/A for an administrator account.
  • Page 189: Extension Slot Screen

    Chapter 6 Dashboard Table 27 Dashboard > System Resources (continued) LABEL DESCRIPTION USB Storage Usage This field shows how much storage in the USB device connected to the Zyxel Device is in use. Active Sessions This field shows how many sessions, established and non-established, that pass through/from/to/within the ZyWALL.
  • Page 190: Interface Status Summary Screen

    Chapter 6 Dashboard 6.2.7 Interface Status Summary Screen Interfaces per Zyxel Device model vary. Figure 160 Dashboard > Interface Status Summary This table describes the fields in the above screen. Table 29 Dashboard > Interface Status Summary LABEL DESCRIPTION Name This field displays the name of each interface.
  • Page 191: Secured Service Status Screen

    Chapter 6 Dashboard Table 29 Dashboard > Interface Status Summary (continued) LABEL DESCRIPTION HA Status This field displays the status of the interface in the virtual router. Active - This interface is the master interface in the virtual router. Stand-By - This interface is a backup interface in the virtual router. Fault - This VRRP group is not functioning in the virtual router right now.
  • Page 192: Content Filter Statistics Screen

    Chapter 6 Dashboard Table 30 Dashboard > Secured Service Status LABEL DESCRIPTION Version This field displays the version number of the services. Remaining Days This field displays the number of days remaining before the license expires. Click Activate to connect with the myZyxel server and activate the license. 6.2.9 Content Filter Statistics Screen Configure Configuration >...
  • Page 193: Top 5 Intrusions Screen

    Chapter 6 Dashboard This table describes the fields in the above screen. Table 32 Dashboard > Top 5 Viruses LABEL DESCRIPTION This is the entry’s rank in the list of the most commonly detected viruses. Virus Name This is the name of a detected virus. Hits This is how many times the Zyxel Device has detected the event described in the entry.
  • Page 194: The Latest Alert Logs Screen

    Chapter 6 Dashboard Table 34 Dashboard > Top 5 IPv4/IPv6 Security Policy Rules that Blocked Traffic LABEL DESCRIPTION Description This field displays the descriptive name (if any) of the triggered security policy. Hits This field displays how many times the security policy was triggered. 6.2.13 The Latest Alert Logs Screen Figure 166 Dashboard >...
  • Page 195: Part Ii: Technical Reference

    Technical Reference...
  • Page 196: Monitor

    Chapter 7 Monitor 7.1 Overview Use the Monitor screens to check status and statistics information. 7.1.1 What You Can Do in this Chapter Use the Monitor screens for the following. • Use the System Status > Port Statistics screen (see Section 7.2.1 on page 199) to look at packet statistics for each physical port.
  • Page 197 Chapter 7 Monitor • Use the Wireless > AP Information > AP List screen (Section 7.16 on page 222) to display which APs are currently connected to the Zyxel Device. • Use the Wireless > AP Information > Radio List screen (Section 7.17 on page 228) to display statistics about the wireless radio transmitters in each of the APs connected to the Zyxel Device.
  • Page 198: The Port Statistics Screen

    Chapter 7 Monitor • Use the Log > View Log screen (see Section 7.37.1 on page 260) to view the Zyxel Device’s current log messages. You can change the way the log is displayed, you can e-mail the log, and you can also clear the log in this screen.
  • Page 199: The Port Statistics Graph Screen

    Chapter 7 Monitor Table 36 Monitor > System Status > Port Statistics (continued) LABEL DESCRIPTION RxPkts This field displays the number of packets received by the Zyxel Device on the physical port since it was last connected. Collisions This field displays the number of collisions on the physical port since it was last connected. Tx B/s This field displays the transmission speed, in bytes per second, on the physical port in the one- second interval before the screen updated.
  • Page 200: Interface Status Screen

    Chapter 7 Monitor Table 37 Monitor > System Status > Port Statistics > Switch to Graphic View (continued) LABEL DESCRIPTION The y-axis represents the speed of transmission or reception. time The x-axis shows the time period over which the transmission or reception occurred This line represents traffic transmitted from the Zyxel Device on the physical port since it was last connected.
  • Page 201 Chapter 7 Monitor Each field is described in the following table. Table 38 Monitor > System Status > Interface Status LABEL DESCRIPTION Interface Status If an Ethernet interface does not have any physical ports associated with it, its entry is displayed in light gray text. Name This field displays the name of each interface.
  • Page 202 Chapter 7 Monitor Table 38 Monitor > System Status > Interface Status (continued) LABEL DESCRIPTION IP Assignment This field displays how the interface gets its IP address. • Static - This interface has a static IP address. • DHCP Client - This interface gets its IP address from a DHCP server. Services This field lists which services the interface provides to the network.
  • Page 203 Chapter 7 Monitor Table 38 Monitor > System Status > Interface Status (continued) LABEL DESCRIPTION Status This field displays the current status of each interface. The possible values depend on what type of interface it is. For Ethernet interfaces: • Inactive - The Ethernet interface is disabled.
  • Page 204: The Traffic Statistics Screen

    Chapter 7 Monitor Table 38 Monitor > System Status > Interface Status (continued) LABEL DESCRIPTION Status This field displays the current status of the interface. • Down - The interface is not connected. • Speed / Duplex - The interface is connected. This field displays the port speed and duplex setting (Full or Half).
  • Page 205 Chapter 7 Monitor Figure 170 Monitor > System Status > Traffic Statistics There is a limit on the number of records shown in the report. Please see Table 40 on page 206 for more information. The following table describes the labels in this screen. Table 39 Monitor >...
  • Page 206 Chapter 7 Monitor Table 39 Monitor > System Status > Traffic Statistics (continued) LABEL DESCRIPTION IP Address/ This field displays the IP address or user in this record. User Amount This field displays how much traffic was sent or received from the indicated IP address or user. If the Direction is Ingress, a red bar is displayed;...
  • Page 207: The Session Monitor Screen

    Chapter 7 Monitor Table 40 Maximum Values for Reports (continued) LABEL DESCRIPTION Byte Count Limit bytes; this is just less than 17 million terabytes. Hit Count Limit hits; this is over 1.8 x 10 hits. 7.5 The Session Monitor Screen The Session Monitor screen displays all established sessions that pass through the Zyxel Device for debugging or statistical analysis.
  • Page 208 Chapter 7 Monitor The following table describes the labels in this screen. Table 41 Monitor > System Status > Session Monitor LABEL DESCRIPTION View Select how you want the established sessions that passed through the Zyxel Device to be displayed. Choices are: •...
  • Page 209: Igmp Statistics

    Chapter 7 Monitor Table 41 Monitor > System Status > Session Monitor (continued) LABEL DESCRIPTION Destination This field displays the destination IP address and port in each active session. If you are looking at the sessions by destination IP report, click + or - to display or hide details about a destination IP address’s sessions.
  • Page 210: The Ddns Status Screen

    Chapter 7 Monitor 7.7 The DDNS Status Screen The DDNS Status screen shows the status of the Zyxel Device’s DDNS domain names. Click Monitor > System Status > DDNS Status to open the following screen. Figure 173 Monitor > System Status > DDNS Status The following table describes the labels in this screen.
  • Page 211: The Login Users Screen

    Chapter 7 Monitor The following table describes the labels in this screen. Table 44 Monitor > System Status > IP/MAC Binding LABEL DESCRIPTION Interface Select a Zyxel Device interface that has IP/MAC binding enabled to show to which devices it has assigned an IP address. This field is a sequential value, and it is not associated with a specific IP/MAC binding entry.
  • Page 212: The Dynamic Guest Screen

    Chapter 7 Monitor Table 45 Monitor > System Status > Login Users (continued) LABEL DESCRIPTION Remaining Quota (T/ This field displays the remaining amount of data that can be transmitted or received by U/D) each account. You can see the amount of either data in both directions (Total) or upstream data (Upload) and downstream data (Download).
  • Page 213 Chapter 7 Monitor specified time unit. Use this screen to look at a list of dynamic guest user accounts on the Zyxel Device’s local database. To access this screen, click Monitor > System Status > Dynamic Guest. Figure 176 Monitor > System Status > Dynamic Guest The following table describes the labels in this screen.
  • Page 214: Cellular Status Screen

    Chapter 7 Monitor Table 46 Monitor > System Status > Dynamic Guest (continued) LABEL DESCRIPTION User Role This field displays the role of the account. Refresh Click this button to update the information in the screen. The following table describes the icons in this screen. Table 47 Monitor >...
  • Page 215 Chapter 7 Monitor Table 48 Monitor > System Status > Cellular Status (continued) LABEL DESCRIPTION Status • No device - no mobile broadband device is connected to the Zyxel Device. • No Service - no mobile broadband network is available in the area; you cannot connect to the Internet.
  • Page 216: More Information

    Chapter 7 Monitor Table 48 Monitor > System Status > Cellular Status (continued) LABEL DESCRIPTION Cellular System This field displays what type of cellular network the mobile broadband connection is using. The network type varies depending on the mobile broadband card you inserted and could be UMTS, UMTS/HSDPA, GPRS or EDGE when you insert a GSM mobile broadband card, or 1xRTT, EVDO Rev.0 or EVDO Rev.A when you insert a CDMA mobile broadband card.
  • Page 217: The Upnp Port Status Screen

    Chapter 7 Monitor Table 49 Monitor > System Status > Cellular Status > More Information (continued) LABEL DESCRIPTION Signal Strength This is the Signal Quality measured in dBm. Signal Quality This displays the strength of the signal. The signal strength mainly depends on the antenna output power and the distance between your Zyxel Device and the service provider’s base station.
  • Page 218: Usb Storage Screen

    Chapter 7 Monitor Table 50 Monitor > System Status > UPnP Port Status (continued) LABEL DESCRIPTION External Port This field displays the port number that the Zyxel Device “listens” on (on the WAN port) for connection requests destined for the NAT rule’s Internal Port and Internal Client. The Zyxel Device forwards incoming packets (from the WAN) with this port number to the Internal Client on the Internal Port (on the LAN).
  • Page 219: Ethernet Neighbor Screen

    Chapter 7 Monitor Table 51 Monitor > System Status > USB Storage (continued) LABEL DESCRIPTION Status Ready - you can have the Zyxel Device use the USB storage device. Click Remove Now to stop the Zyxel Device from using the USB storage device so you can remove it.
  • Page 220: Fqdn Object Screen

    Chapter 7 Monitor The following table describes the fields in the previous screen. Table 52 Monitor > System Status > Ethernet Neighbor LABEL DESCRIPTION Local Port (Description) This field displays the port of the Zyxel Device, on which the neighboring device is discovered.
  • Page 221 Chapter 7 Monitor Figure 182 Monitor > System Status > FQDN Object The following table describes the fields in the previous screen. Table 53 Monitor > System Status > FQDN Object LABEL DESCRIPTION FQDN Object Cache List You must first configure IPv4 FQDN objects in Configuration > Object > Address/Geo IP in the IPv4 Address Configuration field.
  • Page 222: Ap Information: Ap List

    Chapter 7 Monitor Table 53 Monitor > System Status > FQDN Object LABEL DESCRIPTION This field displays the number of seconds the Zyxel Device holds IP address - FQDN object mapping in its cache. The mapping is updated when the TTL (Time To Live) setting expires.
  • Page 223 Chapter 7 Monitor Table 54 Monitor > Wireless > AP Information > AP List (continued) LABEL DESCRIPTION DCS Now Select one or multiple APs and click this button to use DCS (Dynamic Channel Selection) to allow the AP to automatically find a less-used channel in an environment where there are many APs and there may be interference.
  • Page 224: Ap List: More Information

    Chapter 7 Monitor Table 54 Monitor > Wireless > AP Information > AP List (continued) LABEL DESCRIPTION LED Status This field displays the AP LED status. N/A displays if the AP does not support LED suppression mode and/or have a locator LED to show the actual location of the AP.
  • Page 225 Chapter 7 Monitor information, port status and station statistics for the connected AP. To access this screen, select an entry and click the More Information button in the AP List screen. Figure 184 Monitor > Wireless > AP Information > AP List > More Information The following table describes the labels in this screen.
  • Page 226 Chapter 7 Monitor Table 56 Monitor > Wireless > AP Information > AP List > More Information (continued) LABEL DESCRIPTION Status This field displays the current status of each physical port on the AP. Down - The port is not connected. Speed / Duplex - The port is connected.
  • Page 227: Ap List: Config Ap

    Chapter 7 Monitor 7.16.2 AP List: Config AP Select an AP and click the Config AP button in the Monitor > Wireless > AP Information > AP List table to display this screen. Figure 185 Monitor > Wireless > AP Information > AP List > Config AP Each field is described in the following table.
  • Page 228: Ap Information: Radio List

    Chapter 7 Monitor Table 57 Monitor > Wireless > AP Information > AP List > Config AP (continued) LABEL DESCRIPTION Radio 1/2 OP Mode Select the operating mode for radio 1 or radio 2. AP Mode means the AP can receive connections from wireless clients and pass their data traffic through to the Zyxel Device to be managed (or subsequently passed on to an upstream gateway for managing).
  • Page 229 Chapter 7 Monitor The following table describes the labels in this screen. Table 58 Monitor > Wireless > AP Information > Radio List LABEL DESCRIPTION More Information Click this icon to see the traffic statistics, station count, SSID, Security Mode and VLAN ID information on the AP.
  • Page 230: Radio List: More Information

    Chapter 7 Monitor 7.17.1 Radio List: More Information This screen allows you to view detailed information about a selected radio’s SSID(s), wireless traffic and wireless clients for the preceding 24 hours. To access this window, select an entry and click the More Information button in the Radio List screen.
  • Page 231: Ap Information: Top N Aps

    Chapter 7 Monitor The following table describes the labels in this screen. Table 59 Monitor > Wireless > AP Information > Radio List > More Information LABEL DESCRIPTION MBSSID Detail This list shows information about the SSID(s) that is associated with the radio over the preceding 24 hours.
  • Page 232 Chapter 7 Monitor Figure 188 Monitor > Wireless > AP Information > Top N APs The following table describes the labels in this screen. Table 60 Monitor > Wireless > AP Information > Top N APs LABEL DESCRIPTION View Select this to view the top five or top ten wireless traffic usage and associated wireless stations for the preceding 24 hours.
  • Page 233: Ap Information: Single Ap

    Chapter 7 Monitor 7.19 AP Information: Single AP Use this screen to view wireless traffic usage and wireless stations for a managed AP. Click Monitor > Wireless > AP Information > Single AP to display the Single AP screen. Figure 189 Monitor > Wireless > AP Information > Single AP The following table describes the labels in this screen.
  • Page 234: Zymesh

    Chapter 7 Monitor 7.20 ZyMesh Use this screen to view the ZyMesh traffic statistics between the managed APs. Click Monitor > Wireless > ZyMesh to display this screen. Figure 190 Monitor > Wireless > ZyMesh The following table describes the labels in this screen. Table 62 Monitor >...
  • Page 235: Station Info: Station List

    Chapter 7 Monitor Figure 191 Monitor > Wireless > SSID Info The following table describes the labels in this screen. Table 63 Monitor > Wireless > SSID Info LABEL DESCRIPTION This is the SSID’s index number in this list. SSID This indicates the name of the wireless network to which the client is connected.
  • Page 236: Station Info: Top N Stations

    Chapter 7 Monitor Table 64 Monitor > Wireless > Station Info > Station List LABEL DESCRIPTION Signal Strength This field displays the signal strength of the station. Channel This field displays the number of the channel used by the station to connect to the network.
  • Page 237: Station Info: Single Station

    Chapter 7 Monitor Table 65 Monitor > Wireless > Station Info > Top N Stations LABEL DESCRIPTION y-axis This axis represents the amount of data moved across stations in megabytes per second. Refresh Click Refresh to update this screen. 7.24 Station Info: Single Station Use this screen to view traffic statistics of the wireless station you specified.
  • Page 238: Detected Device

    Chapter 7 Monitor 7.25 Detected Device Use this screen to view information about wireless devices detected by the AP. Click Monitor > Wireless > Detected Device to access this screen. Note: At least one radio of the APs connected to the Zyxel Device must be set to monitor mode (in the Configuration >...
  • Page 239: The Printer Status Screen

    Chapter 7 Monitor Table 67 Monitor > Wireless > Detected Device (continued) LABEL DESCRIPTION Description This displays the detected device’s description. For more on managing friendly and rogue APs, see the Configuration > Wireless > MON Mode screen. Last Seen This indicates the last time the device was detected by the Zyxel Device.
  • Page 240: Device Information (For Zyxel Device Server)

    Chapter 7 Monitor Figure 197 Monitor > Cloud CNM > SecuDeployer The following table describes the labels in this screen. Table 69 Monitor > Cloud CNM > SecuDeployer LABEL DESCRIPTION SecuDeployer Monitor Index This is the index number of a Zyxel Device SecuDeployer client entry. Connected This displays whether the Zyxel Device SecuDeployer client is connected to the Zyxel Device SecuDeployer server or not.
  • Page 241 Chapter 7 Monitor Figure 198 Monitor > Cloud CNM > SecuDeployer > Device Information (Zyxel Device in Server Role) The following table describes the labels in this screen. Table 70 Monitor > Cloud CNM > SecuDeployer > Device Information (ZyXEL device in Server Role) LABEL DESCRIPTION Device Information...
  • Page 242: Device Information (For Zyxel Device Client)

    Chapter 7 Monitor Table 70 Monitor > Cloud CNM > SecuDeployer > Device Information (ZyXEL device in Server Role) LABEL DESCRIPTION Profile Template This displays the name of the SecuDeployer template being used by the Zyxel Device SecuDeployer client. Interface The fields below display interface related details on the Zyxel Device SecuDeployer client.
  • Page 243 Chapter 7 Monitor Figure 199 Monitor > Cloud CNM > SecuDeployer > Device Information (ZyXEL device in Client Role) The following table describes the labels in this screen. Table 71 Monitor > Cloud CNM > SecuDeployer > Device Information (ZyXEL device in Client Role) LABEL DESCRIPTION Device Information...
  • Page 244: The Ipsec Screen

    Chapter 7 Monitor Table 71 Monitor > Cloud CNM > SecuDeployer > Device Information (ZyXEL device in Client Role) LABEL DESCRIPTION Algorithm This displays the encryption, authentication algorithm, and key group the IPSec VPN profile is using. IKE Version This displays the IKE version the IPSec VPN profile is using. Routing The fields below display static route related details on the Zyxel Device SecuDeployer client.
  • Page 245: The Ssl Screen

    Chapter 7 Monitor Table 72 Monitor > VPN Monitor > IPSec (continued) LABEL DESCRIPTION Connection Check Select an IPSec SA and click this button to check the connection. This field is a sequential value, and it is not associated with a specific SA. Serial Number This field displays the serial number of this ZyXEL device.
  • Page 246: The L2Tp Over Ipsec Screen

    Chapter 7 Monitor • Log out individual users and delete related session information. Once a user logs out, the corresponding entry is removed from the screen. Figure 201 Monitor > VPN Monitor > SSL The following table describes the labels in this screen. Table 73 Monitor >...
  • Page 247: The App Patrol Screen

    Chapter 7 Monitor The following table describes the fields in this screen. Table 74 Monitor > VPN Monitor > L2TP over IPSec LABEL DESCRIPTION Disconnect Select a connection and click this button to disconnect it. Refresh Click Refresh to update this screen. This field is a sequential value, and it is not associated with a specific L2TP VPN session.
  • Page 248: The Content Filter Screen

    Chapter 7 Monitor Table 75 Monitor > UTM Statistics > App Patrol LABEL DESCRIPTION Reset Click Reset to return the screen to its last-saved settings. Refresh Click this button to update the report display. Flush Data Click this button to discard all of the screen’s statistics and update the report display. App Patrol Statistics This field is a sequential value, and it is not associated with a specific App Patrol session.
  • Page 249 Chapter 7 Monitor Figure 204 Monitor > UTM Statistics > Content Filter The following table describes the labels in this screen. Table 76 Monitor > UTM Statistics > Content Filter LABEL DESCRIPTION General Settings Collect Statistics Select this check box to have the Zyxel Device collect content filtering statistics. The collection starting time displays after you click Apply.
  • Page 250: The Idp Screen

    Chapter 7 Monitor Table 76 Monitor > UTM Statistics > Content Filter (continued) LABEL DESCRIPTION Security Threat This is the number of requested web pages that the Zyxel Device’s content filtering service identified as posing a security threat to users. Managed Web Pages This is the number of requested web pages that the Zyxel Device’s content filtering service identified as belonging to a category that was selected to be managed.
  • Page 251 Chapter 7 Monitor The following table describes the labels in this screen. Table 77 Monitor > UTM Statistics > IDP LABEL DESCRIPTION Collect Statistics Select this check box to have the Zyxel Device collect IDP statistics. The collection starting time displays after you click Apply. All of the statistics in this screen are for the time period starting at the time displayed here.
  • Page 252: The Anti-Virus Screen

    Chapter 7 Monitor Figure 206 Monitor > UTM Statistics > IDP: Source The statistics display as follows when you display the top entries by destination. Figure 207 Monitor > UTM Statistics > IDP: Destination 7.34 The Anti-Virus Screen Click Monitor > UTM Statistics > Anti-Virus to display the following screen. This screen displays anti-virus statistics.
  • Page 253 Chapter 7 Monitor Table 78 Monitor > UTM Statistics > Anti-Virus (continued) LABEL DESCRIPTION Total Viruses Detected This field displays the number of different viruses that the Zyxel Device has detected. Top Entries By Use this field to have the following (read-only) table display the top anti-virus log entries by Virus Name, Source IP, Destination IP, Source IPv6 and Destination IPv6.
  • Page 254: The Anti-Spam Screens

    Chapter 7 Monitor Figure 211 Monitor > UTM Statistics > Anti-Virus: Destination IP The statistics display as follows when you display the top entries by destination IPv6. Figure 212 Monitor > UTM Statistics > Anti-Virus: Destination IPv6 7.35 The Anti-Spam Screens The Anti-Spam menu contains the Summary and Status screens.
  • Page 255 Chapter 7 Monitor Figure 213 Monitor > UTM Statistics > Anti-Spam > Summary The following table describes the labels in this screen. Table 79 Monitor > UTM Statistics > Anti-Spam > Summary LABEL DESCRIPTION Collect Statistics Select this check box to have the Zyxel Device collect anti-spam statistics. The collection starting time displays after you click Apply.
  • Page 256: The Anti-Spam Status Screen

    Chapter 7 Monitor Table 79 Monitor > UTM Statistics > Anti-Spam > Summary (continued) LABEL DESCRIPTION Spam Mails Detected by This is the number of e-mails that the Zyxel Device has determined to be spam by IP IP Reputation Reputation. Spam or Unwanted Bulk Email is determined by the sender’s IP address. Spam Mails Detected by This is the number of e-mails that the Zyxel Device has determined to have malicious Mail Content...
  • Page 257 Chapter 7 Monitor Use the Anti-Spam Status screen to see how many e-mail sessions the anti-spam feature is scanning and statistics for the DNSBLs. Figure 214 Monitor > UTM Statistics > Anti-Spam > Status The following table describes the labels in this screen. Table 80 Monitor >...
  • Page 258: The Ssl Inspection Screens

    Chapter 7 Monitor Table 80 Monitor > UTM Statistics > Anti-Spam > Status (continued) LABEL DESCRIPTION Avg. Response Time (sec) This is the average for how long it takes to receive a reply from this DNSBL. No Response This is how many DNS queries the Zyxel Device sent to this DNSBL without receiving a reply.
  • Page 259: Certificate Cache List

    Chapter 7 Monitor Table 81 Monitor > UTM Statistics > SSL Inspection > Summary (continued) LABEL DESCRIPTION Maximum Concurrent This shows the maximum number of simultaneous SSL Inspection sessions allowed for Sessions your Zyxel Device model. Concurrent Sessions This shows the actual number of simultaneous SSL Inspection sessions in progress. Summary Total SSL Sessions This is the total of SSL sessions inspected and number of sessions blocked and number...
  • Page 260: Log Screens

    Chapter 7 Monitor The following table describes the labels in this screen. Table 82 Monitor > UTM Statistics > SSL Inspection > Certificate Cache List LABEL DESCRIPTION Certificate Cache List Add to Exclude list Select an item in the list and click this icon to add the common name (CN) to the Exclude List.
  • Page 261 Chapter 7 Monitor again to reverse the sort order. The Web Configurator saves the filter settings if you leave the View Log screen and return to it later. Figure 217 Monitor > Log > View Log The following table describes the labels in this screen. Table 83 Monitor >...
  • Page 262: View Ap Log

    Chapter 7 Monitor Table 83 Monitor > Log > View Log (continued) LABEL DESCRIPTION Destination Address This displays when you show the filter. Type the IP address of the destination of the incoming packet when the log message was generated. Do not include the port in this filter.
  • Page 263 Chapter 7 Monitor Figure 218 Monitor > Log > View AP Log The following table describes the labels in this screen. Table 84 Monitor > Log > View AP Log LABEL DESCRIPTION Show Filter Click this button to show or hide the filter settings. If the filter settings are hidden, the Display, Email Log Now, Refresh, and Clear Log fields are available.
  • Page 264: Dynamic Users Log

    Chapter 7 Monitor Table 84 Monitor > Log > View AP Log (continued) LABEL DESCRIPTION Destination Address Type the IP address of the destination. Destination Interface Select the destination interface from the pull down menu. Zyxel Device Keyword Type a keyword of the policy service available from to search for a log.
  • Page 265 Chapter 7 Monitor The following table describes the labels in this screen. Table 85 Monitor > Log > Dynamic Users Log LABEL DESCRIPTION Begin/End Date Select the first and last dates to specify a time period. The Zyxel Device displays log messages only for the accounts created during the specified time period after you click Search.
  • Page 266: Licensing

    Chapter 8 Licensing 8.1 Registration Overview Use the Configuration > Licensing > Registration screens to register your Zyxel Device and manage its service subscriptions. • Use the Registration screen (see Section 8.1.2 on page 266) to refresh Zyxel Device registration, go to portal.myZyxel.com to register your Zyxel Device and activate a service, such as content filtering.
  • Page 267: Service Screen

    Chapter 8 Licensing Figure 220 Configuration > Licensing > Registration 8.1.3 Service Screen Use this screen to display the status of your service registrations and upgrade licenses. To activate or extend a standard service subscription, purchase an iCard and enter the iCard’s PIN number (license key) at myZyxel.
  • Page 268 Chapter 8 Licensing Table 86 Configuration > Licensing > Registration > Service (continued) LABEL DESCRIPTION IDP/AppPatrol Signature This is a license for signatures for Intrusion Detection and Prevention attacks and Service Application Patrol inspection. Anti-Virus This is a license for signatures to detect virus patterns in files. Anti-Spam Service This is a license for signatures to recognize unsolicited commercial or junk e-mail suspected of being sent by spammers.
  • Page 269: Signature Update

    Chapter 8 Licensing Table 86 Configuration > Licensing > Registration > Service (continued) LABEL DESCRIPTION Expiration Date This field displays the date your service license expires or the date the grace period expires if the license has already expired. You can continue to use IDP/AppPatrol, Anti-Virus (AV), Content Filter, Anti-Spam (AS) during the grace period.
  • Page 270: The Idp/Apppatrol Update Screen

    Chapter 8 Licensing Figure 222 Configuration > Licensing > Signature Update > Anti-Virus The following table describes the labels in this screen. Table 87 Configuration > Licensing > Signature Update > Anti-Virus LABEL DESCRIPTION Signature Information The following fields display information on the current signature set that the Zyxel Device is using.
  • Page 271 Chapter 8 Licensing The Zyxel Device comes with signatures for the IDP and application patrol features. These signatures are continually updated as new attack types evolve. New signatures can be downloaded to the Zyxel Device periodically if you have subscribed for the IDP/AppPatrol signatures service. You need to create an account at myZyxel, register your Zyxel Device and then subscribe for IDP service in order to be able to download new packet inspection signatures from myZyxel (see the Registration screens).
  • Page 272 Chapter 8 Licensing Table 88 Configuration > Licensing > Signature Update > IDP/AppPatrol (continued) LABEL DESCRIPTION Weekly Select this option to have the Zyxel Device check for new IDP signatures once a week on the day and at the time specified. Apply Click this button to save your changes to the Zyxel Device.
  • Page 273: Wireless

    Chapter 9 Wireless 9.1 Overview Use the Wireless screens to configure how the Zyxel Device manages supported Access Points (APs). Supported APs should be in managed mode. See the product page Licenses tab for a list of supported APs.
  • Page 274: Ap Management Screens

    Chapter 9 Wireless Each field is described in the following table. Table 89 Configuration > Wireless > Controller LABEL DESCRIPTION Country Code Select the country code of APs that are connected to the Zyxel Device to be the same as where the Zyxel Device is located/installed.
  • Page 275 Chapter 9 Wireless Each field is described in the following table. Table 90 Configuration > Wireless > AP Management > Mgnt. AP List LABEL DESCRIPTION Edit Select an AP and click this button to edit its properties. Remove Select an AP and click this button to remove it from the list. Note: If in the Configuration >...
  • Page 276 Chapter 9 Wireless 9.3.1.1 Edit AP List Select an AP and click the Edit button in the Configuration > Wireless > AP Management table to display this screen. Figure 226 Configuration > Wireless > AP Management > Mgnt. AP List > Edit AP List
  • Page 277 Chapter 9 Wireless Each field is described in the following table. Table 91 Configuration > Wireless > AP Management > Mgnt. AP List > Edit AP List LABEL DESCRIPTION Create new Object Use this menu to create a new Radio Profile object to associate with this AP. This displays the MAC address of the selected AP.
  • Page 278: Ap Policy

    Chapter 9 Wireless Table 91 Configuration > Wireless > AP Management > Mgnt. AP List > Edit AP List (continued) LABEL DESCRIPTION Override Group SSID Select this option to overwrite the AP SSID profile setting with the setting you configure here. Setting This section allows you to associate an SSID profile with the radio.
  • Page 279: Ap Group

    Chapter 9 Wireless Each field is described in the following table. Table 92 Configuration > Wireless > AP Management > AP Policy LABEL DESCRIPTION Force Override AC IP Select this to have the Zyxel Device change the AP controller’s IP address on the managed Config on AP AP(s) to match the configuration in this screen.
  • Page 280 Chapter 9 Wireless Each field is described in the following table. Table 93 Configuration > Wireless > AP Management > AP Group LABEL DESCRIPTION Group Setting Default Group Select a group that is used as the default group. Any AP that is not configured to associate with a specific AP group belongs to the default group automatically.
  • Page 281 Chapter 9 Wireless 9.3.3.1 Add/Edit AP Group Click Add or select an AP group and click the Edit button in the Configuration > Wireless > AP Management > AP Group table to display this screen.
  • Page 282 Chapter 9 Wireless Figure 229 Configuration > Wireless > AP Management > AP Group > Add/Edit
  • Page 283 Chapter 9 Wireless Each field is described in the following table. Table 94 Configuration > Wireless > AP Management > AP Group > Add/Edit LABEL DESCRIPTION General Settings Group Name Enter a name for this group. You can use up to 31 alphanumeric characters. Dashes and underscores are also allowed.
  • Page 284 Chapter 9 Wireless Table 94 Configuration > Wireless > AP Management > AP Group > Add/Edit (continued) LABEL DESCRIPTION OP Mode Select the operating mode for radio 1 or radio 2. AP Mode means the AP can receive connections from wireless clients and pass their data traffic through to the Zyxel Device to be managed (or subsequently passed on to an upstream gateway for managing).
  • Page 285 Chapter 9 Wireless Table 94 Configuration > Wireless > AP Management > AP Group > Add/Edit (continued) LABEL DESCRIPTION Management VLAN Enter a VLAN ID for this AP. As Native VLAN Select this option to treat this VLAN ID as a VLAN created on the Zyxel Device and not one assigned to it from outside the network.
  • Page 286: Firmware

    Chapter 9 Wireless Table 94 Configuration > Wireless > AP Management > AP Group > Add/Edit (continued) LABEL DESCRIPTION Max Station Enter the threshold number of stations at which an AP begins load balancing its Number connections. Traffic Level Select the threshold traffic level at which the AP begins load balancing its connections (Low, Medium, High).
  • Page 287 Chapter 9 Wireless • All new APs are supported. Use Check to see if the Zyxel Device has the latest AP firmware. Use Apply to have the Zyxel Device download the latest AP firmware (see More Details for more information on the firmware) from the firmware server.
  • Page 288: Rogue Ap

    Chapter 9 Wireless Table 95 Configuration > Wireless > AP Management > Firmware (continued) LABEL DESCRIPTION Available Firmware This field displays if there is a later AP firmware version available on the firmware server. It displays N/A if the Zyxel Device cannot connect with the firmware server. Check that the Zyxel Device has Internet access if N/A displays and then click the Check button below.
  • Page 289 Chapter 9 Wireless Figure 231 Configuration > Wireless > Rogue AP Each field is described in the following table. Table 96 Configuration > Wireless > Rogue AP LABEL DESCRIPTION Suspected Rogue AP Click the check boxes (Weak Security (Open, WEP, WPA-PSK), Un-managed AP, Classification Rule Hidden SSID, SSID Keyword) of the characteristics an AP should have for the Zyxel Device to rule it as a rogue AP.
  • Page 290: Add/Edit Rogue/Friendly List

    Chapter 9 Wireless Table 96 Configuration > Wireless > Rogue AP (continued) LABEL DESCRIPTION Dis-Containment Click this button to take the selected AP out of quarantine. An unquarantined AP has normal access to the network. This field is a sequential value, and it is not associated with any interface. Containment This field indicates the selected AP’s containment status.
  • Page 291: Auto Healing

    Chapter 9 Wireless Table 97 Configuration > Wireless > Rogue AP > Add/Edit Rogue/Friendly (continued) LABEL DESCRIPTION Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to close the window with changes unsaved. 9.5 Auto Healing Use this screen to enable auto healing, which allows you to extend the wireless service coverage area of the managed APs when one of the APs fails.
  • Page 292: Rtls Overview

    Chapter 9 Wireless 9.6 RTLS Overview Ekahau RTLS (Real Time Location Service) tracks battery-powered Wi-Fi tags attached to APs managed by the Zyxel Device to create maps, alerts, and reports. The Ekahau RTLS Controller is the centerpiece of the RTLS system. This server software runs on a Windows computer to track and locate Ekahau tags from Wi-Fi signal strength measurements.
  • Page 293: Configuring Rtls

    Chapter 9 Wireless • Ekahau RTLS Controller in blink mode with TZSP Updater enabled • Security policies to allow RTLS traffic if the Zyxel Device security policy control is enabled or the Ekahau RTLS Controller is behind a firewall. For example, if the Ekahau RTLS Controller is behind a firewall, open ports 8550, 8553, and 8569 to allow traffic the APs send to reach the Ekahau RTLS Controller.
  • Page 294: Technical Reference

    Chapter 9 Wireless 9.7 Technical Reference The following section contains additional technical information about wireless features. 9.7.1 Dynamic Channel Selection When numerous APs broadcast within a given area, they introduce the possibility of heightened radio interference, especially if some or all of them are broadcasting on the same radio channel. If the interference becomes too great, then the network administrator must open his AP configuration options and manually change the channel to one that no other AP is using (or at least a channel that has a lower level of interference) in order to give the connected stations a minimum degree of interference.
  • Page 295: Load Balancing

    Chapter 9 Wireless Figure 238 An Alternative Four-Channel Deployment 9.7.2 Load Balancing Because there is a hard upper limit on an AP’s wireless bandwidth, load balancing can be crucial in areas crowded with wireless users. Rather than let every user connect and subsequently dilute the available bandwidth to the point where each connecting device receives a meager trickle, the load balanced AP instead limits the incoming connections as a means to maintain bandwidth integrity.
  • Page 296: Interfaces

    Chapter 10 Interfaces 10.1 Interface Overview Use the Interface screens to configure the Zyxel Device’s interfaces. You can also create interfaces on top of other interfaces. • Ports are the physical ports to which you connect cables. •...
  • Page 297: What You Need To Know

    Chapter 10 Interfaces 10.1.2 What You Need to Know Interface Characteristics Interfaces generally have the following characteristics (although not all characteristics apply to each type of interface). • An interface is a logical entity through which (layer-3) packets pass. • An interface is bound to a physical port or another interface. •...
  • Page 298 Chapter 10 Interfaces Table 101 Ethernet, PPP, Cellular, VLAN, Bridge, and Virtual Interface Characteristics (continued) CHARACTERISTICS ETHERNET ETHERNET CELLULAR VLAN BRIDGE VIRTUAL IP Address Assignment Static IP address DHCP client Routing metric Interface Parameters Bandwidth restrictions Packet size (MTU) DHCP DHCP server DHCP relay Connectivity Check...
  • Page 299 Chapter 10 Interfaces Table 102 Relationships Between Different Types of Interfaces (continued) INTERFACE REQUIRED PORT / INTERFACE virtual interface (virtual Ethernet interface) Ethernet interface* (virtual VLAN interface) VLAN interface* (virtual bridge interface) bridge interface trunk Ethernet interface Cellular interface VLAN interface bridge interface PPP interface Note: * You cannot set up a PPP interface, virtual Ethernet interface or virtual VLAN interface...
  • Page 300 Chapter 10 Interfaces Link-local Address A link-local address uniquely identifies a device on the local network (the LAN). It is similar to a “private IP address” in IPv4. You can have the same link-local address on multiple interfaces on a device. A link-local unicast address has a predefined prefix of fe80::/10.
  • Page 301: What You Need To Do First

    Chapter 10 Interfaces DHCPv6 The Dynamic Host Configuration Protocol for IPv6 (DHCPv6, RFC 3315) is a server-client protocol that allows a DHCP server to assign and pass IPv6 network addresses, prefixes and other configuration information to DHCP clients. DHCPv6 servers and clients exchange DHCP messages using UDP. Each DHCP client and server has a unique DHCP Unique IDentifier (DUID), which is used for identification when they are exchanging DHCPv6 messages.
  • Page 302: Port Configuration

    Chapter 10 Interfaces The physical Ethernet ports are shown at the top and the Ethernet interfaces and zones are shown at the bottom of the screen. Use the radio buttons to select for which interface (network) you want to use each physical port.
  • Page 303: Port Group

    Chapter 10 Interfaces Each field is described in the following table. Table 104 Configuration > Network > Interface > Port Configuration LABEL DESCRIPTION Edit Select an entry, and click this button to configure the speed and the duplex mode of the Ethernet connection on this port.
  • Page 304: Ethernet Summary Screen

    Chapter 10 Interfaces Ethernet ports. Select a physical port using the mouse, hold, and drag it to a representative interface. Dragging ports (one-by-one) to the same representative interface creates a port group. Port groups have the following characteristics: • There is a layer-2 Ethernet switch between physical ports in the port group. This provides wire-speed throughput but no security.
  • Page 305 Chapter 10 Interfaces Figure 242 Configuration > Network > Interface > Ethernet Each field is described in the following table. Table 105 Configuration > Network > Interface > Ethernet LABEL DESCRIPTION Configuration / IPv6 Use the Configuration section for IPv4 network settings. Use the IPv6 Configuration section Configuration for IPv6 network settings if you connect your Zyxel Device to an IPv6 network.
  • Page 306: Ethernet Edit

    Chapter 10 Interfaces Table 105 Configuration > Network > Interface > Ethernet (continued) LABEL DESCRIPTION IP Address This field displays the current IP address of the interface. If the IP address is 0.0.0.0 (in the IPv4 network) or :: (in the IPv6 network), the interface does not have an IP address yet. In the IPv4 network, this screen also shows whether the IP address is a static IP address (STATIC) or dynamically assigned (DHCP).
  • Page 307 Chapter 10 Interfaces 10.5.1.1 IGMP Proxy Internet Group Management Protocol (IGMP) proxy is used for multicast routing. IGMP proxy enables the Zyxel Device to issue IGMP host messages on behalf of hosts that the Zyxel Device discovered on its IGMP-enabled interfaces. The Zyxel Device acts as a proxy for its hosts. Refer to the following figure. •...
  • Page 308 Chapter 10 Interfaces Figure 244 Configuration > Network > Interface > Ethernet > Edit (External Type)
  • Page 310 Chapter 10 Interfaces Configuration > Network > Interface > Ethernet > Edit (External Type)
  • Page 311 Chapter 10 Interfaces Figure 245 Configuration > Network > Interface > Ethernet > Edit (Internal Type)
  • Page 312 Chapter 10 Interfaces Configuration > Network > Interface > Ethernet > Edit (Internal Type)
  • Page 314 Chapter 10 Interfaces Figure 246 Configuration > Network > Interface > Ethernet > Edit (OPT)
  • Page 315 Chapter 10 Interfaces Configuration > Network > Interface > Ethernet > Edit (OPT)
  • Page 316 Chapter 10 Interfaces These screens’ fields are described in the table below. Table 106 Configuration > Network > Interface > Ethernet > Edit LABEL DESCRIPTION IPv4/IPv6 View / IPv4 Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields. View / IPv6 View Show Advanced Click this button to display a greater or lesser number of configuration fields.
  • Page 317 Chapter 10 Interfaces Table 106 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Interface Type This field is configurable for the OPT interface only. Select to which type of network you will connect this interface. When you select internal or external the rest of the screen’s options automatically adjust to correspond.
  • Page 318 Chapter 10 Interfaces Table 106 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Metric This option appears when Interface Type is external or general. Enter the priority of the gateway (if any) on this interface. The Zyxel Device decides which gateway to use based on this priority.
  • Page 319 Chapter 10 Interfaces Table 106 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Address This field displays the combined IPv6 IP address for this interface. Note: This field displays the combined address after you click OK and reopen this screen.
  • Page 320 Chapter 10 Interfaces Table 106 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Enable Router Select this to enable this interface to send router advertisement messages periodically. See Advertisement IPv6 Router Advertisement on page 300 for more information. Advertised Hosts Select this to have the Zyxel Device indicate to hosts to obtain network settings (such as Get Network...
  • Page 321 Chapter 10 Interfaces Table 106 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Suffix Enter the ending part of the IPv6 network address plus a slash (/) and the prefix length. The Address Zyxel Device will append it to the selected delegated prefix. The combined address is the network prefix for the network.
  • Page 322 Chapter 10 Interfaces Table 106 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Probe Succeeds This field applies when you specify two domain names or IP addresses for the connectivity When check. Select any one if you want the check to pass if at least one of the domain names or IP addresses responds.
  • Page 323 Chapter 10 Interfaces Table 106 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Lease time Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are: infinite - select this if IP addresses never expire.
  • Page 324 Chapter 10 Interfaces Table 106 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Direction This field is effective when RIP is enabled. Select the RIP direction from the drop-down list box. BiDir - This interface sends and receives routing information. In-Only - This interface receives routing information.
  • Page 325: Proxy Arp

    Chapter 10 Interfaces Table 106 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Enable Proxy ARP Select this to allow the Zyxel Device to answer external interface ARP requests on behalf of a device on its internal interface. Interfaces supported are: •...
  • Page 326 Chapter 10 Interfaces • VLAN • Bridge The Zyxel Device sends its external MAC address to the WAN sender as the destination for the target IP address. From then on the sender will send packets containing that target IP address directly to the external interface of the Zyxel Device.
  • Page 327: Virtual Interfaces

    Chapter 10 Interfaces 10.5.3 Virtual Interfaces Use virtual interfaces to tell the Zyxel Device where to route packets. Virtual interfaces can also be used in VPN gateways (see Chapter 30 on page 605) and VRRP groups (see Chapter 42 on page 778).
  • Page 328: References

    Chapter 10 Interfaces Table 108 Configuration > Network > Interface > Create Virtual Interface (continued) LABEL DESCRIPTION Gateway Enter the IP address of the gateway. The Zyxel Device sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface.
  • Page 329: Add/Edit Dhcpv6 Request/Release Options

    Chapter 10 Interfaces 10.5.5 Add/Edit DHCPv6 Request/Release Options When you configure an interface as a DHCPv6 server or client, you can additionally add DHCPv6 request or lease options which have the Zyxel Device add more information in the DHCPv6 packets. To open the screen, click Configuration >...
  • Page 330 Chapter 10 Interfaces Table 110 Configuration > Network > Interface > Ethernet > Edit > Add/Edit Extended Options LABEL DESCRIPTION Code This field displays the code number of the selected DHCP option. If you selected User Defined in the Option field, enter a number for the option. This field is mandatory. Type This is the type of the selected DHCP option.
  • Page 331: Ppp Interfaces

    Chapter 10 Interfaces Table 111 DHCP Extended Options (continued) OPTION NAME CODE DESCRIPTION CAPWAP AC CAPWAP Access Controller addresses option The Control And Provisioning of Wireless Access Points Protocol allows a Wireless Termination Point (WTP) to use DHCP to discover the Access Controllers to which it is to connect.
  • Page 332 Chapter 10 Interfaces Figure 254 Configuration > Network > Interface > PPP Each field is described in the table below. Table 112 Configuration > Network > Interface > PPP LABEL DESCRIPTION User Configuration / The Zyxel Device comes with the (non-removable) System Default PPP interfaces pre- System Default configured.
  • Page 333: Ppp Interface Add Or Edit

    Chapter 10 Interfaces Table 112 Configuration > Network > Interface > PPP (continued) LABEL DESCRIPTION Account Profile This field displays the ISP account used by this PPPoE/PPTP interface. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings.
  • Page 334 Chapter 10 Interfaces Figure 255 Configuration > Network > Interface > PPP > Add
  • Page 335 Chapter 10 Interfaces Each field is explained in the following table. Table 113 Configuration > Network > Interface > PPP > Add LABEL DESCRIPTION IPv4/IPv6 View / IPv4 Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields. View / IPv6 View Show Advanced Click this button to display a greater or lesser number of configuration fields.
  • Page 336 Chapter 10 Interfaces Table 113 Configuration > Network > Interface > PPP > Add (continued) LABEL DESCRIPTION Gateway This field is enabled if you select Use Fixed IP Address. Enter the IP address of the gateway. The Zyxel Device sends packets to the gateway when it does not know how to route the packet to its destination.
  • Page 337 Chapter 10 Interfaces Table 113 Configuration > Network > Interface > PPP > Add (continued) LABEL DESCRIPTION DUID as MAC Select this if you want the DUID to be generated from the interface’s default MAC address. Customized DUID If you want to use a customized DUID, enter it here for the interface. Enable Rapid Select this to shorten the DHCPv6 message exchange process from four to two steps.
  • Page 338: Cellular Configuration Screen

    Chapter 10 Interfaces Table 113 Configuration > Network > Interface > PPP > Add (continued) LABEL DESCRIPTION Check this Select this to specify a domain name or IP address for the connectivity check. Enter that address domain name or IP address in the field next to it. Check Port This field only displays when you set the Check Method to tcp.
  • Page 339 Chapter 10 Interfaces See the following table for a comparison between 2G, 2.5G, 2.75G, 3G and 4G wireless technologies. Table 114 2G, 2.5G, 2.75G, 3G, 3.5G and 4G Wireless Technologies MOBILE PHONE AND DATA STANDARDS DATA NAME TYPE SPEED GSM-BASED CDMA-BASED Circuit- GSM (Global System for Mobile...
  • Page 340 Chapter 10 Interfaces Figure 256 Configuration > Network > Interface > Cellular The following table describes the labels in this screen. Table 115 Configuration > Network > Interface > Cellular LABEL DESCRIPTION Click this to create a new cellular interface. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
  • Page 341: Cellular Choose Slot

    Chapter 10 Interfaces Table 115 Configuration > Network > Interface > Cellular (continued) LABEL DESCRIPTION Mobile You should have registered your Zyxel Device at myZyxel. myZyxel hosts a list of supported Broadband mobile broadband dongle devices. You should have an Internet connection to access this Dongle Support website.
  • Page 342 Chapter 10 Interfaces Figure 257 Configuration > Network > Interface > Cellular > Add / Edit
  • Page 343 Chapter 10 Interfaces The following table describes the labels in this screen. Table 116 Configuration > Network > Interface > Cellular > Add / Edit LABEL DESCRIPTION Show Advanced Click this button to display a greater or lesser number of configuration fields. Settings / Hide Advanced Settings General Settings...
  • Page 344 Chapter 10 Interfaces Table 116 Configuration > Network > Interface > Cellular > Add / Edit (continued) LABEL DESCRIPTION User Name This field displays when you select an authentication type other than None. This field is read-only if you selected Device in the profile selection. If this field is configurable, enter the user name for this mobile broadband card exactly as the service provider gave it to you.
  • Page 345 Chapter 10 Interfaces Table 116 Configuration > Network > Interface > Cellular > Add / Edit (continued) LABEL DESCRIPTION Check Period Enter the number of seconds between connection check attempts. Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure. Check Fail Enter the number of consecutive failures before the Zyxel Device stops routing through the Tolerance...
  • Page 346 Chapter 10 Interfaces Table 116 Configuration > Network > Interface > Cellular > Add / Edit (continued) LABEL DESCRIPTION Network Home network is the network to which you are originally subscribed. Selection Select Home to have the mobile broadband device connect only to the home network. If the home network is down, the Zyxel Device’s mobile broadband Internet connection is also unavailable.
  • Page 347: Tunnel Interfaces

    Chapter 10 Interfaces Table 116 Configuration > Network > Interface > Cellular > Add / Edit (continued) LABEL DESCRIPTION Select None to not create a log when the Zyxel Device takes this action, Log to create a log, or Log-alert to create an alert log. If you select Log or Log-alert you can also select recurring every to have the Zyxel Device send a log or alert for this event periodically.
  • Page 348 Chapter 10 Interfaces IPv6-in-IPv4 Tunneling Use this mode on the WAN of the Zyxel Device if • your Zyxel Device has a public IPv4 IP address given from your ISP, • you want to transmit your IPv6 packets to one and only one remote site whose LAN network is also an IPv6 network.
  • Page 349: Configuring A Tunnel

    Chapter 10 Interfaces Figure 261 6to4 Tunnel 10.8.1 Configuring a Tunnel This screen lists the Zyxel Device’s configured tunnel interfaces. To access this screen, click Network > Interface > Tunnel. Figure 262 Network > Interface > Tunnel Each field is explained in the following table.
  • Page 350: Tunnel Add Or Edit Screen

    Chapter 10 Interfaces Table 117 Network > Interface > Tunnel (continued) LABEL DESCRIPTION Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. Name This field displays the name of the interface. IP Address This is the IP address of the interface.
  • Page 351 Chapter 10 Interfaces Figure 263 Network > Interface > Tunnel > Add/Edit Each field is explained in the following table. Table 118 Network > Interface > Tunnel > Add/Edit LABEL DESCRIPTION Show Advanced Click this button to display a greater or lesser number of configuration fields. Settings / Hide Advanced Settings General Settings...
  • Page 352 Chapter 10 Interfaces Table 118 Network > Interface > Tunnel > Add/Edit (continued) LABEL DESCRIPTION Tunnel Mode Select the tunneling protocol of the interface (GRE, IPv6-in-IPv4 or 6to4). See Section 10.8 on page 347 for more information. IP Address This section is available if you are configuring a GRE tunnel. Assignment IP Address Enter the IP address for this interface.
  • Page 353: Vlan Interfaces

    Chapter 10 Interfaces Table 118 Network > Interface > Tunnel > Add/Edit (continued) LABEL DESCRIPTION Interface Parameters Egress Bandwidth Enter the maximum amount of traffic, in kilobits per second, the Zyxel Device can send through the interface to the network. Allowed values are 0 - 1048576. This setting is used in WAN load balancing and bandwidth management.
  • Page 354 Chapter 10 Interfaces Figure 264 Example: Before VLAN In this example, there are two physical networks and three departments A, B, and C. The physical networks are connected to hubs, and the hubs are connected to the router. Alternatively, you can divide the physical networks into three VLANs. Figure 265 Example: After VLAN Each VLAN is a separate network with separate IP addresses, subnet masks, and gateways.
  • Page 355: Vlan Summary Screen

    Chapter 10 Interfaces • Between the router and VLAN 1. • Between the router and VLAN 2. • Between the router and VLAN 3. VLAN Interfaces Overview In the Zyxel Device, each VLAN is called a VLAN interface. As a router, the Zyxel Device routes traffic between VLAN interfaces, but it does not route traffic within a VLAN interface.
  • Page 356: Vlan Add/Edit

    Chapter 10 Interfaces Each field is explained in the following table. Table 119 Configuration > Network > Interface > VLAN LABEL DESCRIPTION Configuration / IPv6 Configuration Use the Configuration section for IPv4 network settings. Use the IPv6 Configuration section for IPv6 network settings if you connect your Zyxel Device to an IPv6 network.
  • Page 357 Chapter 10 Interfaces Figure 267 Configuration > Network > Interface > VLAN > Add /Edit
  • Page 359 Chapter 10 Interfaces Each field is explained in the following table. Table 120 Configuration > Network > Interface > VLAN > Add / Edit LABEL DESCRIPTION IPv4/IPv6 View / IPv4 View / IPv6 View Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields. Show Advanced Click this button to display a greater or lesser number of configuration fields.
  • Page 360 Chapter 10 Interfaces Table 120 Configuration > Network > Interface > VLAN > Add / Edit (continued) LABEL DESCRIPTION Interface Type Select one of the following options depending on the type of network to which the Zyxel Device is connected or if you want to additionally manually configure some related settings.
  • Page 361 Chapter 10 Interfaces Table 120 Configuration > Network > Interface > VLAN > Add / Edit (continued) LABEL DESCRIPTION Metric Enter the priority of the gateway (if any) on this interface. The Zyxel Device decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the Zyxel Device uses the one that was configured first.
  • Page 362 Chapter 10 Interfaces Table 120 Configuration > Network > Interface > VLAN > Add / Edit (continued) LABEL DESCRIPTION Address This field displays the combined IPv6 IP address for this interface. Note: This field displays the combined address after you click OK and reopen this screen.
  • Page 363 Chapter 10 Interfaces Table 120 Configuration > Network > Interface > VLAN > Add / Edit (continued) LABEL DESCRIPTION Enable Router Advertisement Select this to enable this interface to send router advertisement messages periodically. See IPv6 Router Advertisement on page 300 for more information.
  • Page 364 Chapter 10 Interfaces Table 120 Configuration > Network > Interface > VLAN > Add / Edit (continued) LABEL DESCRIPTION Suffix Address Enter the ending part of the IPv6 network address plus a slash (/) and the prefix length. The Zyxel Device will append it to the selected delegated prefix. The combined address is the network prefix for the network.
  • Page 365 Chapter 10 Interfaces Table 120 Configuration > Network > Interface > VLAN > Add / Edit (continued) LABEL DESCRIPTION Probe Succeeds When This field applies when you specify two domain names or IP addresses for the connectivity check. Select any one if you want the check to pass if at least one of the domain names or IP addresses responds.
  • Page 366 Chapter 10 Interfaces Table 120 Configuration > Network > Interface > VLAN > Add / Edit (continued) LABEL DESCRIPTION Lease time Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are: infinite - select this if IP addresses never expire days, hours, and minutes - select this to enter how long IP addresses are valid.
  • Page 367 Chapter 10 Interfaces Table 120 Configuration > Network > Interface > VLAN > Add / Edit (continued) LABEL DESCRIPTION V2-Broadcast This field is effective when RIP is enabled. Select this to send RIP-2 packets using subnet broadcasting; otherwise, the Zyxel Device uses multicasting. OSPF Setting Section 11.7 on page 420 for more information about OSPF.
  • Page 368: Bridge Interfaces

    Chapter 10 Interfaces Table 120 Configuration > Network > Interface > VLAN > Add / Edit (continued) LABEL DESCRIPTION Click Add to create an IPv4 Address, an IPv4 CIDR (for example, 192.168.1.1/24) or an IPv4 Range (for example, 192.168.1.2-192.168.1.100) as the target IP address. The Zyxel Device answers external ARP requests only if they match one of these inputted target IP addresses.
  • Page 369 Chapter 10 Interfaces MAC address is not in the table, the bridge broadcasts the packet on every port (except the one on which it was received). In the example above, computer A sends a packet to computer B. Bridge X records the source address 0A:0A:0A:0A:0A:0A and port 2 in the table.
  • Page 370: Bridge Summary

    Chapter 10 Interfaces In this example, virtual Ethernet interface lan1:1 is also removed from the routing table when lan1 is added to br0. Virtual interfaces are automatically added to or removed from a bridge interface when the underlying interface is added or removed. 10.10.1 Bridge Summary This screen lists every bridge interface and virtual interface created on top of bridge interfaces.
  • Page 371: Bridge Add/Edit

    Chapter 10 Interfaces Table 124 Configuration > Network > Interface > Bridge (continued) LABEL DESCRIPTION Status This icon is lit when the entry is active and dimmed when the entry is inactive. Name This field displays the name of the interface. Description This field displays the description of the interface.
  • Page 372 Chapter 10 Interfaces Figure 269 Configuration > Network > Interface > Bridge > Add / Edit
  • Page 374 Chapter 10 Interfaces Each field is described in the table below. Table 125 Configuration > Network > Interface > Bridge > Add / Edit LABEL DESCRIPTION IPv4/IPv6 View / IPv4 View / IPv6 View Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields. Show Advanced Click this button to display a greater or lesser number of configuration fields.
  • Page 375 Chapter 10 Interfaces Table 125 Configuration > Network > Interface > Bridge > Add / Edit (continued) LABEL DESCRIPTION Description Enter a description of this interface. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long. Spaces are allowed, but the string can’t start with a space.
  • Page 376 Chapter 10 Interfaces Table 125 Configuration > Network > Interface > Bridge > Add / Edit (continued) LABEL DESCRIPTION Enable Stateless Address Auto-configuration (SLAAC) Select this to enable IPv6 stateless auto-configuration on this interface. The interface will generate an IPv6 IP address itself from a prefix obtained from an IPv6 router in the network. Link-Local...
  • Page 377 Chapter 10 Interfaces Table 125 Configuration > Network > Interface > Bridge > Add / Edit (continued) LABEL DESCRIPTION DUID This field displays the DHCP Unique IDentifier (DUID) of the interface, which is unique and used for identification purposes when the interface is exchanging DHCPv6 messages with others.
  • Page 378 Chapter 10 Interfaces Table 125 Configuration > Network > Interface > Bridge > Add / Edit (continued) LABEL DESCRIPTION Router Preference Select the router preference (Low, Medium or High) for the interface. The interface sends this preference in the router advertisements to tell hosts what preference they should use for the Zyxel Device.
  • Page 379 Chapter 10 Interfaces Table 125 Configuration > Network > Interface > Bridge > Add / Edit (continued) LABEL DESCRIPTION Ingress Bandwidth This is reserved for future use. Enter the maximum amount of traffic, in kilobits per second, the Zyxel Device can receive from the network through the interface.
  • Page 380 Chapter 10 Interfaces Table 125 Configuration > Network > Interface > Bridge > Add / Edit (continued) LABEL DESCRIPTION Lease time Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are: infinite - select this if IP addresses never expire days, hours, and minutes - select this to enter how long IP addresses are valid.
  • Page 381 Chapter 10 Interfaces Table 125 Configuration > Network > Interface > Bridge > Add / Edit (continued) LABEL DESCRIPTION Connectivity Check The interface can regularly check the connection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the Zyxel Device stops routing to the gateway.
  • Page 382: Lag

    Chapter 10 Interfaces Table 125 Configuration > Network > Interface > Bridge > Add / Edit (continued) LABEL DESCRIPTION Click Add to create an IPv4 Address, an IPv4 CIDR (for example, 192.168.1.1/24) or an IPv4 Range (for example, 192.168.1.2-192.168.1.100) as the target IP address. The Zyxel Device answers external ARP requests only if they match one of these inputted target IP addresses.
  • Page 383 Chapter 10 Interfaces Figure 270 Configuration > Network > Interface > LAG Each field is described in the following table. Table 126 Configuration > Network > Interface > LAG LABEL DESCRIPTION Configuration Click this to create a new entry. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
  • Page 384: Lag Add/Edit

    Chapter 10 Interfaces Table 126 Configuration > Network > Interface > LAG (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings. 10.11.2 LAG Add/Edit This screen lets you configure Interface and LAG parameters for each LAG interface.
  • Page 385 Chapter 10 Interfaces Each field is described in the following table. Table 127 Configuration > Network > Interface > LAG > Add LABEL DESCRIPTION General Settings Enable Interface Select this to enable this interface. Clear this to disable this interface. Interface Properties Interface Type Select one of the following options depending on the type of network to which the Zyxel...
  • Page 386 Chapter 10 Interfaces Table 127 Configuration > Network > Interface > LAG > Add (continued) LABEL DESCRIPTION ARP IP Target This field displays for arp Link Monitoring. Set the IP address of the link to send ARP queries. Available This field displays Ethernet interfaces and VLAN interfaces that can become part of the LAG interface.
  • Page 387 Chapter 10 Interfaces Table 127 Configuration > Network > Interface > LAG > Add (continued) LABEL DESCRIPTION These fields appear if the Zyxel Device is a DHCP Server. IP Pool Start Address Enter the IP address from which the Zyxel Device begins allocating IP addresses. If you want to assign a static IP address to a specific computer, click Add Static DHCP.
  • Page 388 Chapter 10 Interfaces Table 127 Configuration > Network > Interface > LAG > Add (continued) LABEL DESCRIPTION Enable Logs for IP/MAC Binding Violation Select this option to have the Zyxel Device generate a log if a device connected to this interface attempts to use an IP address that is bound to another device’s MAC address. Static DHCP Configure a list of static IP addresses the Zyxel Device assigns to computers connected to...
  • Page 389: Vti

    Chapter 10 Interfaces 10.12 VTI IPSec VPN Tunnel Interface (VTI) encrypts or decrypts IPv4 traffic from or to the interface according to the IP routing table. VTI allows static routes to send traffic over the VPN. The IPSec tunnel endpoint is associated with an actual (virtual) interface.
  • Page 390: Vti Add/Edit

    Chapter 10 Interfaces Figure 273 Configuration > Network > Interface > VTI The following table describes the fields in this screen. Table 128 Configuration > Network > Interface > VTI LABEL DESCRIPTION Configuration Click this to create a new entry. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
  • Page 391 Chapter 10 Interfaces Figure 274 Configuration > Network > Interface > VTI > Add Each field is described in the table below. Table 129 Configuration > Network > Interface > VTI > Add LABEL DESCRIPTION General Settings Enable Select this to enable VTI. Clear this to disable it. Interface Properties Interface Name This field is read-only if you are editing an existing VPN tunnel interface.
  • Page 392 Chapter 10 Interfaces Table 129 Configuration > Network > Interface > VTI > Add (continued) LABEL DESCRIPTION IP Address Enter the IP address for this interface. Subnet Mask Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network.
  • Page 393 Chapter 10 Interfaces Table 129 Configuration > Network > Interface > VTI > Add (continued) LABEL DESCRIPTION Direction This field is effective when RIP is enabled. Select the RIP direction from the drop-down list box. BiDir - This interface sends and receives routing information. In-Only - This interface receives routing information.
  • Page 394: Trunk Overview

    Chapter 10 Interfaces 10.13 Trunk Overview Use trunks for WAN traffic load balancing to increase overall network throughput and reliability. Load balancing divides traffic loads between multiple interfaces. This allows you to improve quality of service and maximize bandwidth utilization for multiple ISP links. Maybe you have two Internet connections with different bandwidths.
  • Page 395 Chapter 10 Interfaces If link sticking had been configured, the Zyxel Device would have still used wan1 to send LAN user A’s request to the server and server would have given the user A access. Load Balancing Algorithms The following sections describe the load balancing algorithms the Zyxel Device can use to decide which interface the traffic (from the LAN) should use for a session.
  • Page 396 Chapter 10 Interfaces traffic on that interface. This queue then moves to the back of the list. The next queue is given an equal amount of bandwidth, and then moves to the end of the list; and so on, depending on the number of queues being used.
  • Page 397: The Trunk Summary Screen

    Chapter 10 Interfaces 10.14 The Trunk Summary Screen Click Configuration > Network > Interface > Trunk to open the Trunk screen. The Trunk Summary screen lists the configured trunks and the load balancing algorithm that each is configured to use. Figure 278 Configuration >...
  • Page 398: Configuring A User-Defined Trunk

    Chapter 10 Interfaces Table 131 Configuration > Network > Interface > Trunk (continued) LABEL DESCRIPTION Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove To remove a user-configured trunk, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
  • Page 399 Chapter 10 Interfaces Table 132 Configuration > Network > Interface > Trunk > Add (or Edit) (continued) LABEL DESCRIPTION Load Balancing Index(es) This field is available if you selected to use the Least Load First or Spillover method. Select Outbound, Inbound, or Outbound + Inbound to set the traffic to which the Zyxel Device applies the load balancing method.
  • Page 400: Configuring The System Default Trunk

    Chapter 10 Interfaces Table 132 Configuration > Network > Interface > Trunk > Add (or Edit) (continued) LABEL DESCRIPTION Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving. 10.14.2 Configuring the System Default Trunk In the Configuration >...
  • Page 401: Interface Technical Reference

    Chapter 10 Interfaces Table 133 Configuration > Network > Interface > Trunk > Edit (System Default) (continued) LABEL DESCRIPTION Mode This field displays Active if the Zyxel Device always attempts to use this connection. This field displays Passive if the Zyxel Device only uses this connection when all of the connections set to active are down.
  • Page 402 Chapter 10 Interfaces Figure 281 Example: Entry in the Routing Table Derived from Interfaces lan1 wan1 Table 134 Example: Routing Table Entries for Interfaces IP ADDRESS(ES) DESTINATION 100.100.1.1/16 lan1 200.200.200.1/24 wan1 For example, if the Zyxel Device gets a packet with a destination address of 100.100.25.25, it routes the packet to interface lan1.
  • Page 403 Chapter 10 Interfaces • Egress bandwidth sets the amount of traffic the Zyxel Device sends out through the interface to the network. • Ingress bandwidth sets the amount of traffic the Zyxel Device allows in through the interface from the network. At the time of writing, the Zyxel Device does not support ingress bandwidth management.
  • Page 404 Chapter 10 Interfaces • IP address - If the DHCP client’s MAC address is in the Zyxel Device’s static DHCP table, the interface assigns the corresponding IP address. If not, the interface assigns IP addresses from a pool, defined by the starting address of the pool and the pool size.
  • Page 405 Chapter 10 Interfaces PPTP is used to set up virtual private networks (VPN) in unsecured TCP/IP environments. It sets up two sessions. The first one runs on TCP port 1723. It is used to start and manage the second one. The second one uses Generic Routing Encapsulation (GRE, RFC 2890) to transfer information between the computers.
  • Page 406: Routing

    Chapter 11 Routing 11.1 Policy and Static Routes Overview Use policy routes and static routes to override the Zyxel Device’s default routing behavior in order to send packets through the appropriate interface or VPN tunnel. For example, the next figure shows a computer (A) connected to the Zyxel Device’s LAN interface. The Zyxel Device routes most traffic from A to the Internet through the Zyxel Device’s default gateway (R1).
  • Page 407: What You Need To Know

    Chapter 11 Routing 11.1.2 What You Need to Know Policy Routing Traditionally, routing is based on the destination address only and the Zyxel Device takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator.
  • Page 408: Policy Route Screen

    Chapter 11 Routing traffic together and treating each type as a class. You can use CoS to give different priorities to different packet types. DiffServ (Differentiated Services) is a class of service (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-compliant network devices along the route based on the application types and traffic flow.
  • Page 409 Chapter 11 Routing Figure 283 Configuration > Network > Routing > Policy Route The following table describes the labels in this screen. Table 137 Configuration > Network > Routing > Policy Route LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields. Enable BWM...
  • Page 410 Chapter 11 Routing Table 137 Configuration > Network > Routing > Policy Route (continued) LABEL DESCRIPTION Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate. Move To change a rule’s position in the numbered list, select the rule and click Move to display a field to type a number for where you want to put that rule and press [ENTER] to move the rule to the number that you typed.
  • Page 411: Policy Route Edit Screen

    Chapter 11 Routing 11.2.1 Policy Route Edit Screen Click Configuration > Network > Routing to open the Policy Route screen. Then click the Add or Edit icon in the IPv4 Configuration or IPv6 Configuration section. The Add Policy Route or Policy Route Edit screen opens.
  • Page 412 Chapter 11 Routing Figure 285 Configuration > Network > Routing > Policy Route > Add/Edit (IPv6 Configuration) The following table describes the labels in this screen. Table 138 Configuration > Network > Routing > Policy Route > Add/Edit LABEL DESCRIPTION Show Advanced Click this button to display a greater or lesser number of configuration fields.
  • Page 413 Chapter 11 Routing Table 138 Configuration > Network > Routing > Policy Route > Add/Edit (continued) LABEL DESCRIPTION DSCP Code Select a DSCP code point value of incoming packets to which this policy route applies or select User Define to specify another DSCP code point. The lower the number the higher the priority with the exception of 0 which is usually given only best-effort treatment.
  • Page 414 Chapter 11 Routing Table 138 Configuration > Network > Routing > Policy Route > Add/Edit (continued) LABEL DESCRIPTION DSCP Marking Set how the Zyxel Device handles the DSCP value of the outgoing packets that match this route. Select one of the pre-defined DSCP values to apply or select User Define to specify another DSCP value.
  • Page 415: Ip Static Route Screen

    Chapter 11 Routing 11.3 IP Static Route Screen Click Configuration > Network > Routing > Static Route to open the Static Route screen. This screen displays the configured static routes. Configure static routes to be able to use RIP or OSPF to propagate the routing information to other routers.
  • Page 416 Chapter 11 Routing Figure 287 Configuration > Network > Routing > Static Route > Add (IPv4 Configuration) Figure 288 Configuration > Network > Routing > Static Route > Add (IPv6 Configuration) The following table describes the labels in this screen. Table 140 Configuration >...
  • Page 417: Policy Routing Technical Reference

    Chapter 11 Routing 11.4 Policy Routing Technical Reference Here is more detailed information about some of the features you can configure in policy routing. NAT and SNAT NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address in a packet in one network to a different IP address in another network.
  • Page 418: What You Need To Know

    Chapter 11 Routing Routing protocols are usually only used in networks using multiple routers like campuses or large enterprises. • Use the RIP screen (see Section 11.6 on page 418) to configure the Zyxel Device to use RIP to receive and/or send routing information.
  • Page 419 Chapter 11 Routing Figure 289 Configuration > Network > Routing > RIP The following table describes the labels in this screen. Table 143 Configuration > Network > Routing Protocol > RIP LABEL DESCRIPTION Authentication The transmitting and receiving routers must have the same key. For RIP, authentication is not available in RIP version 1.
  • Page 420: The Ospf Screen

    Chapter 11 Routing Table 143 Configuration > Network > Routing Protocol > RIP (continued) LABEL DESCRIPTION Apply Click this button to save your changes to the Zyxel Device. Reset Click this button to return the screen to its last-saved settings. 11.7 The OSPF Screen OSPF (Open Shortest Path First, RFC 2328) is a link-state protocol designed to distribute routing information within a group of networks, called an Autonomous System (AS).
  • Page 421 Chapter 11 Routing Figure 290 OSPF: Types of Areas This OSPF AS consists of four areas, areas 0-3. Area 0 is always the backbone. In this example, areas 1, 2, and 3 are all connected to it. Area 1 is a normal area. It has routing information about the OSPF AS and networks X and Y.
  • Page 422 Chapter 11 Routing Figure 291 OSPF: Types of Routers In order to reduce the amount of traffic between routers, a group of routers that are directly connected to each other selects a designated router (DR) and a backup designated router (BDR). All of the routers only exchange information with the DR and the BDR, instead of exchanging information with all of the other routers in the group.
  • Page 423: Configuring The Ospf Screen

    Chapter 11 Routing Enable OSPF. Set up the OSPF areas. Configure the appropriate interfaces. See Section 10.5.1 on page 306. Set up virtual links, as needed. 11.7.1 Configuring the OSPF Screen Use the first OSPF screen to specify the OSPF router the Zyxel Device uses in the OSPF AS and maintain the policies for redistribution.
  • Page 424: Ospf Area Add/Edit Screen

    Chapter 11 Routing Table 145 Configuration > Network > Routing Protocol > OSPF (continued) LABEL DESCRIPTION Type Select how OSPF calculates the cost associated with routing information from RIP. Choices are: Type 1 and Type 2. Type 1 - cost = OSPF AS cost + external cost (Metric) Type 2 - cost = external cost (Metric);...
  • Page 425 Chapter 11 Routing Figure 294 Configuration > Network > Routing > OSPF > Add The following table describes the labels in this screen. Table 146 Configuration > Network > Routing > OSPF > Add LABEL DESCRIPTION Area ID Type the unique, 32-bit identifier for the area in IP address format. Type Select the type of OSPF area.
  • Page 426: Virtual Link Add/Edit Screen

    Chapter 11 Routing Table 146 Configuration > Network > Routing > OSPF > Add (continued) LABEL DESCRIPTION Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
  • Page 427: Bgp (Border Gateway Protocol)

    Chapter 11 Routing The following table describes the labels in this screen. Table 147 Configuration > Network > Routing > OSPF > Add > Add LABEL DESCRIPTION Peer Router ID Enter the 32-bit ID (in IP address format) of the other ABR in the virtual link. Authentication Select the authentication method the virtual link uses.
  • Page 428: Allow Bgp Packets To Enter The Zyxel Device

    Chapter 11 Routing 11.8.1 Allow BGP Packets to Enter the Zyxel Device You must first allow BGP packets to enter the Zyxel Device from the WAN. Go to Configuration > Object > Service > Service Group. Select the Default_Allow_WAN_To_ZyWALL rule and click Edit. Move BGP from Available to Member.
  • Page 429 Chapter 11 Routing Figure 298 Configuration > Network > Routing > BGP The following table describes the labels in this screen. Table 148 Configuration > Network > Routing Protocol > BGP LABEL DESCRIPTION AS Number Type a number from 1 to 4294967295 in this field. Note: The Zyxel Device can only belong to one AS at a time.
  • Page 430: The Bgp Neighbors Screen

    Chapter 11 Routing Table 148 Configuration > Network > Routing Protocol > BGP (continued) LABEL DESCRIPTION Network This displays the IP address and the number of subnet mask bits for the peer BGP route. Apply Click this button to save your changes to the Zyxel Device. Reset Click this button to return the screen to its last-saved settings.
  • Page 431: Example Scenario

    Chapter 11 Routing Table 149 Configuration > Network > Routing Protocol > BGP (continued) LABEL DESCRIPTION Keepalive Time Keepalive messages are sent by the Zyxel Device to a peer BGP router to inform it that the BGP connection between the two is still active. The Keepalive Time is the interval between each Keepalive message sent by the Zyxel Device.
  • Page 432 Chapter 11 Routing 11.8.4.2 CE - PE Configuration Process The process for configuring BGP in this scenario is: Configure the AS number for BGP on the Zyxel Device (CE) in Configuration > Network > Routing > BGP. Note: The Zyxel Device can only belong to one AS at a time. Configure the AS number and BGP criteria of the peer BGP routers (PE) in the neighboring AS in Configuration >...
  • Page 433: Ddns

    Chapter 12 DDNS 12.1 DDNS Overview Dynamic DNS (DDNS) services let you use a domain name with a dynamic IP address. 12.1.1 What You Can Do in this Chapter • Use the DDNS screen (see Section 12.2 on page 434) to view a list of the configured DDNS domain names and their details.
  • Page 434: The Ddns Screen

    Chapter 12 DDNS 12.2 The DDNS Screen The DDNS screen provides a summary of all DDNS domain names and their configuration. In addition, this screen allows you to add new domain names, edit the configuration for existing domain names, and delete domain names.
  • Page 435: The Dynamic Dns Add/Edit Screen

    Chapter 12 DDNS Table 151 Configuration > Network > DDNS (continued) LABEL DESCRIPTION Apply Click this button to save your changes to the Zyxel Device. Reset Click this button to return the screen to its last-saved settings. 12.2.1 The Dynamic DNS Add/Edit Screen The DDNS Add/Edit screen allows you to add a domain name to the Zyxel Device or to edit the configuration of an existing domain name.
  • Page 436 Chapter 12 DDNS Figure 303 Configuration > Network > DDNS > Add - Custom The following table describes the labels in this screen. Table 152 Configuration > Network > DDNS > Add LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields. Enable DDNS Profile...
  • Page 437 Chapter 12 DDNS Table 152 Configuration > Network > DDNS > Add (continued) LABEL DESCRIPTION DDNS Settings Domain name Type the domain name you registered. You can use up to 255 characters. Primary Binding Address Use these fields to set how the Zyxel Device determines the IP address that is mapped to your domain name in the DDNS server.
  • Page 438 Chapter 12 DDNS Table 152 Configuration > Network > DDNS > Add (continued) LABEL DESCRIPTION Mail Exchanger This option is only available with a DynDNS account. DynDNS can route e-mail for your domain name to a mail server (called a mail exchanger).
  • Page 439: Nat

    Chapter 13 NAT 13.1 NAT Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network is changed to a different IP address known within another network.
  • Page 440: The Nat Screen

    Chapter 13 NAT • Well-known ports range from 0 to 1023. • Registered ports range from 1024 to 49151. • Dynamic ports (also called private ports) range from 49152 to 65535. Table 153 Well-known Ports PORT TCP/UDP DESCRIPTION TCP Port Service Multiplexer (TCPMUX) FTP - Data FTP - Control SSH Remote Login Protocol...
  • Page 441 Chapter 13 NAT login to the Web Configurator and click Configuration > Network > NAT. The following screen appears, providing a summary of the existing NAT rules. Click on the icons to go to the OneSecurity website where there is guidance on configuration walkthroughs, troubleshooting, and other information.
  • Page 442: The Nat Add/Edit Screen

    Chapter 13 NAT Table 154 Configuration > Network > NAT (continued) LABEL DESCRIPTION Source IP This field displays the source IP address (or address object) of traffic that matches this NAT entry. It displays any if there is no restriction on the source IP address. External IP This field displays the external destination IP address (or address object) of traffic that matches this NAT entry.
  • Page 443 Chapter 13 NAT The following table describes the labels in this screen. Table 155 Configuration > Network > NAT > Add LABEL DESCRIPTION Create new Object Use to configure any new settings objects that you need to use in this screen. Enable Rule Use this option to turn the NAT rule on or off.
  • Page 444 Chapter 13 NAT Table 155 Configuration > Network > NAT > Add (continued) LABEL DESCRIPTION Internal IP Select to which translated destination IP address this NAT rule forwards packets. User Defined - this NAT rule supports a specific IP address, specified in the User Defined field. HOST address - the drop-down box lists all the HOST address objects in the Zyxel Device.
  • Page 445: Nat Technical Reference

    Chapter 13 NAT Table 155 Configuration > Network > NAT > Add (continued) LABEL DESCRIPTION Security Policy By default the security policy blocks incoming connections from external addresses. After you configure your NAT rule settings, click the Security Policy link to configure a security policy to allow the NAT rule’s traffic to come in.
  • Page 446 Chapter 13 NAT The LAN user’s computer then sends traffic to IP address 1.1.1.1. NAT loopback uses the IP address of the Zyxel Device’s LAN interface (192.168.1.1) as the source address of the traffic going from the LAN users to the LAN SMTP server.
  • Page 447: Redirect Service

    Chapter 14 Redirect Service 14.1 Overview Redirect Service redirects HTTP and SMTP traffic. 14.1.1 HTTP Redirect HTTP redirect forwards the client’s HTTP request (except HTTP traffic destined for the Zyxel Device) to a web proxy server. In the following example, proxy server A is connected to the DMZ interface. When a client connected to the LAN1 zone wants to open a web page, its HTTP request is redirected to proxy server A first.
  • Page 448: What You Can Do In This Chapter

    Chapter 14 Redirect Service Figure 311 SMTP Redirect Example 14.1.3 What You Can Do in this Chapter Use the Redirect Service screens (see Section 14.2 on page 450) to display and edit the HTTP and SMTP redirect rules. 14.1.4 What You Need to Know Web Proxy Server A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services.
  • Page 449 Chapter 14 Redirect Service Even if you set a policy route to the same incoming interface and service as an HTTP redirect rule, the Zyxel Device checks the HTTP redirect rules first and forwards HTTP traffic to a proxy server if matched. You need to make sure there is no security policy blocking the HTTP requests from the client to the proxy server.
  • Page 450: The Redirect Service Screen

    Chapter 14 Redirect Service For SMTP traffic between lan1 and lan2: • a from LAN1 to LAN2 firewall rule to allow SMTP messages from lan1 to lan2. Responses to this request are allowed automatically. • an SMTP redirect rule to forward SMTP traffic from lan1 to SMTP server A. For SMTP traffic between lan2 and wan1: •...
  • Page 451: The Redirect Service Edit Screen

    Chapter 14 Redirect Service Table 156 Configuration > Network > Redirect Service (continued) LABEL DESCRIPTION Interface This is the interface on which the request must be received. Source Address This is the name of the source IP address object from which the traffic should be sent. If any displays, the rule is effective for every source.
  • Page 452 Chapter 14 Redirect Service Table 157 Network > Redirect Service > Edit (continued) LABEL DESCRIPTION User Select the user account or user group name to which this rule is applied. Interface Select the interface on which the request must be received for the Zyxel Device to forward it to the specified server.
  • Page 453: Alg

    Chapter 15 ALG 15.1 ALG Overview Application Layer Gateway (ALG) allows the following applications to operate properly through the Zyxel Device’s NAT. • SIP - Session Initiation Protocol (SIP) - An application-layer protocol that can be used to create voice and multimedia sessions over the Internet.
  • Page 454 Chapter 15 ALG FTP ALG The FTP ALG allows TCP packets with a specified port destination to pass through. If the FTP server is located on the LAN, you must also configure NAT (port forwarding) and security policies if you want to allow access to the server from the WAN.
  • Page 455 Chapter 15 ALG • You do not need to use TURN (Traversal Using Relay NAT) for VoIP devices behind the Zyxel Device when you enable the SIP ALG. • Configuring the SIP ALG to use custom port numbers for SIP traffic also configures the application patrol (see Chapter 36 on page 689) to use the same port numbers for SIP traffic.
  • Page 456: Before You Begin

    Chapter 15 ALG policy routes to have calls from LAN IP address A go out through WAN IP address 1 and calls from LAN IP address B go out through WAN IP address 2. Figure 317 VoIP with Multiple WAN IP Addresses 15.1.2 Before You Begin You must also configure the security policy and enable NAT in the Zyxel Device to allow sessions initiated from the WAN.
  • Page 457 Chapter 15 ALG The following table describes the labels in this screen. Table 158 Configuration > Network > ALG LABEL DESCRIPTION Enable SIP ALG Turn on the SIP ALG to detect SIP traffic and help build SIP sessions through the Zyxel Device’s NAT.
  • Page 458: Alg Technical Reference

    Chapter 15 ALG Table 158 Configuration > Network > ALG (continued) LABEL DESCRIPTION Enable FTP ALG Turn on the FTP ALG to detect FTP (File Transfer Program) traffic and help build FTP sessions through the Zyxel Device’s NAT. Enabling the FTP ALG also allows you to use the application patrol to detect FTP traffic and manage the FTP traffic’s bandwidth (see Chapter 36 on page 689).
  • Page 459 Chapter 15 ALG H.323 H.323 is a standard teleconferencing protocol suite that provides audio, data and video conferencing. It allows for real-time point-to-point and multipoint communication between client computers over a packet-based network that does not provide a guaranteed quality of service. NetMeeting uses H.323. The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet.
  • Page 460: Upnp

    Chapter 16 UPnP 16.1 UPnP and NAT-PMP Overview The Zyxel Device supports both UPnP and NAT-PMP to permit networking devices to discover each other and connect seamlessly. Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices.
  • Page 461: Cautions With Upnp And Nat-Pmp

    Chapter 16 UPnP 16.2.2 Cautions with UPnP and NAT-PMP The automated nature of NAT traversal applications in establishing their own services and opening security policy ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments. When a UPnP or NAT-PMP device joins a network, it announces its presence with a multicast message.
  • Page 462: Technical Reference

    Chapter 16 UPnP The following table describes the fields in this screen. Table 159 Configuration > Network > UPnP LABEL DESCRIPTION Enable UPnP Select this check box to activate UPnP on the Zyxel Device. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the Zyxel Device's IP address (although you must still enter the password to access the web configurator).
  • Page 463 Chapter 16 UPnP Click Change Advanced Sharing Settings. Select Turn on network discovery and click Save Changes. Network discovery allows your computer to find other computers and devices on the network and other computers on the network to find your computer.
  • Page 464 Chapter 16 UPnP 16.4.1.1 Auto-discover Your UPnP-enabled Network Device Before you follow these steps, make sure you already have UPnP activated on the Zyxel Device and in your computer. Make sure your computer is connected to a LAN port of the Zyxel Device. Open the Windows Explorer and click Network.
  • Page 465 Chapter 16 UPnP Figure 321 Internet Connection Properties You may edit or delete the port mappings or click Add to manually add port mappings. Figure 322 Internet Connection Properties: Advanced Settings
  • Page 466: Turn On Upnp In Windows 10 Example

    Chapter 16 UPnP Figure 323 Internet Connection Properties: Advanced Settings: Add Note: When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. Click OK. Check the network icon on the system tray to see your Internet connection status. Figure 324 System Tray Icon To see more details about your current Internet connection status, right click on the network icon in the system tray and click Open Network and Sharing Center.
  • Page 467 Chapter 16 UPnP Click the start icon, Settings and then Network & Internet. Click Network and Sharing Center. Click Change advanced sharing settings.
  • Page 468: Auto-Discover Your Upnp-Enabled Network Device

    Chapter 16 UPnP Under Domain, select Turn on network discovery and click Save Changes. Network discovery allows your computer to find other computers and devices on the network and other computers on the network to find your computer. This makes it easier to share files and printers. 16.4.3 Auto-discover Your UPnP-enabled Network Device Before you follow these steps, make sure you already have UPnP activated on the Zyxel Device and in your computer.
  • Page 469 Chapter 16 UPnP Make sure your computer is connected to the LAN port of the Zyxel Device. Open File Explorer and click Network. Right-click the Zyxel Device icon and select Properties. Figure 326 Network Connections In the Internet Connection Properties window, click Settings to see port mappings. Figure 327 Internet Connection Properties You may edit or delete the port mappings or click Add to manually add port mappings.
  • Page 470 Chapter 16 UPnP Figure 328 Internet Connection Properties: Advanced Settings Figure 329 Internet Connection Properties: Advanced Settings: Add Note: When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. Click OK. Check the network icon on the system tray to see your Internet connection status. Figure 330 System Tray Icon To see more details about your current Internet connection status, right click the network icon in the system tray and click Open Network &...
  • Page 471: Web Configurator Easy Access In Windows 7

    Chapter 16 UPnP Figure 331 Internet Connection Status 16.4.4 Web Configurator Easy Access in Windows 7 With UPnP, you can access the web-based configurator on the Zyxel Device without finding out the IP address of the Zyxel Device first. This is helpful if you do not know the IP address of the Zyxel Device. Follow the steps below to access the web configurator.
  • Page 472 Chapter 16 UPnP Figure 332 Network Connections An icon with the description for each UPnP-enabled device displays under Network Infrastructure. Right-click on the icon for your Zyxel Device and select View device webpage. The web configurator login screen displays. Figure 333 Network Connections: My Network Places Right-click on the icon for your Zyxel Device and select Properties.
  • Page 473: Web Configurator Easy Access In Windows 10

    Chapter 16 UPnP Figure 334 Network Connections: My Network Places: Properties: Example 16.4.5 Web Configurator Easy Access in Windows 10 Follow the steps below to access the Web Configurator. Open File Explorer. Click Network. Figure 335 Network Connections
  • Page 474 Chapter 16 UPnP An icon with the description for each UPnP-enabled device displays under Network Infrastructure. Right-click the icon for your Zyxel Device and select View device webpage. The Web Configurator login screen displays. Figure 336 Network Connections: Network Infrastructure Right-click the icon for your Zyxel Device and select Properties.
  • Page 475: Ip/Mac Binding

    Chapter 17 IP/MAC Binding 17.1 IP/MAC Binding Overview IP address to MAC address binding helps ensure that only the intended devices get to use privileged IP addresses. The Zyxel Device uses DHCP to assign IP addresses and records the MAC address it assigned to each IP address.
  • Page 476: Ip/Mac Binding Summary

    Chapter 17 IP/MAC Binding Interfaces Used With IP/MAC Binding IP/MAC address bindings are grouped by interface. You can use IP/MAC binding with Ethernet, bridge, VLAN, and WLAN interfaces. You can also enable or disable IP/MAC binding and logging in an interface’s configuration screen.
  • Page 477: Static Dhcp Edit

    Chapter 17 IP/MAC Binding Figure 340 Configuration > Network > IP/MAC Binding > Edit The following table describes the labels in this screen. Table 161 Configuration > Network > IP/MAC Binding > Edit LABEL DESCRIPTION IP/MAC Binding Settings Interface Name This field displays the name of the interface within the Zyxel Device and the interface’s IP address and subnet mask.
  • Page 478: Ip/Mac Binding Exempt List

    Chapter 17 IP/MAC Binding Figure 341 Configuration > Network > IP/MAC Binding > Edit > Add The following table describes the labels in this screen. Table 162 Configuration > Network > IP/MAC Binding > Edit > Add LABEL DESCRIPTION Interface Name This field displays the name of the interface within the Zyxel Device and the interface’s IP address and subnet mask.
  • Page 479 Chapter 17 IP/MAC Binding Table 163 Configuration > Network > IP/MAC Binding > Exempt List (continued) LABEL DESCRIPTION Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. This is the index number of the IP/MAC binding list entry.
  • Page 480: Layer 2 Isolation

    Chapter 18 Layer 2 Isolation 18.1 Overview Layer-2 isolation is used to prevent connected devices from communicating with each other in the Zyxel Device’s local network(s), except for the devices in the white list, when layer-2 isolation is enabled on the Zyxel Device and the local interface(s).
  • Page 481: White List Screen

    Chapter 18 Layer 2 Isolation Figure 344 Configuration > Network > Layer 2 Isolation The following table describes the labels in this screen. Table 164 Configuration > Network > Layer 2 Isolation LABEL DESCRIPTION Enable Layer2 Select this option to turn on the layer-2 isolation feature on the Zyxel Device. Isolation Note: You can enable this feature only when the security policy is enabled.
  • Page 482: Add/Edit White List Rule

    Chapter 18 Layer 2 Isolation Figure 345 Configuration > Network > Layer 2 Isolation > White List The following table describes the labels in this screen. Table 165 Configuration > Network > Layer 2 Isolation > White List LABEL DESCRIPTION Enable White List Select this option to turn on the white list on the Zyxel Device.
  • Page 483 Chapter 18 Layer 2 Isolation Figure 346 Configuration > Network > Layer 2 Isolation > White List > Add/Edit The following table describes the labels in this screen. Table 166 Configuration > Network > Layer 2 Isolation > White List > Add/Edit LABEL DESCRIPTION Enable...
  • Page 484: Dns Inbound Lb

    Chapter 19 DNS Inbound LB 19.1 DNS Inbound Load Balancing Overview Inbound load balancing enables the Zyxel Device to respond to a DNS query message with a different IP address for DNS name resolution. The Zyxel Device checks which member interface has the least load and responds to the DNS query message with the interface’s IP address.
  • Page 485: The Dns Inbound Lb Screen

    Chapter 19 DNS Inbound LB 19.2 The DNS Inbound LB Screen The Inbound LB screen provides a summary of all DNS load balancing rules and the details. You can also use this screen to add, edit, or remove the rules. Click Configuration > Network > Inbound LB to open the following screen.
  • Page 486: The Dns Inbound Lb Add/Edit Screen

    Chapter 19 DNS Inbound LB Table 167 Configuration > Network > DNS Inbound LB (continued) LABEL DESCRIPTION Load Balancing This field displays the member interfaces which the Zyxel Device manages for load Member balancing. Algorithm This field displays the load balancing method the Zyxel Device uses for this DNS load balancing rule.
  • Page 487 Chapter 19 DNS Inbound LB The following table describes the labels in this screen. Table 168 Configuration > Network > DNS Inbound LB > Add/Edit LABEL DESCRIPTION Create New Object Use this to configure any new setting objects that you need to use in this screen. General Settings Enable Select this to enable this DNS load balancing rule.
  • Page 488: The Dns Inbound Lb Add/Edit Member Screen

    Chapter 19 DNS Inbound LB Table 168 Configuration > Network > DNS Inbound LB > Add/Edit (continued) LABEL DESCRIPTION IP Address This field displays the IP address of the member interface. Monitor Interface This field displays the name of the member interface. The Zyxel Device manages load balancing between the member interfaces.
  • Page 489 Chapter 19 DNS Inbound LB Table 169 Configuration > Network > DNS Inbound LB > Add/Edit > Add/Edit (continued) LABEL DESCRIPTION Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving.
  • Page 490: Web Authentication

    Chapter 20 Web Authentication 20.1 Web Auth Overview Web authentication can intercept network traffic, according to the authentication policies, until the user authenticates his or her connection, usually through a specifically designated login web page. This means all web page requests can initially be redirected to a special web page that requires users to authenticate their sessions.
  • Page 491: What You Need To Know

    Chapter 20 Web Authentication 20.1.2 What You Need to Know Single Sign-On An SSO (Single Sign On) agent integrates Domain Controller and Zyxel Device authentication mechanisms, so that users just need to log in once (single) to get access to permitted resources. Forced User Authentication Instead of making users for which user-aware policies have been configured go to the Zyxel Device Login screen manually, you can configure the Zyxel Device to display the Login screen automatically...
  • Page 492 Chapter 20 Web Authentication Figure 352 Configuration > Web Authentication > General The following table gives an overview of the objects you can configure. Table 170 Configuration > Web Authentication > General LABEL DESCRIPTION Global Setting Enable Web Select the check box to turn on the web authentication feature. Otherwise, clear the check Authentication box to turn it off.
  • Page 493 Chapter 20 Web Authentication Table 170 Configuration > Web Authentication > General (continued) LABEL DESCRIPTION Exceptional Use this table to list services that users can access without logging in. Services Click Add to change the list’s membership. A screen appears. Available services appear on the left.
  • Page 494 Chapter 20 Web Authentication Table 170 Configuration > Web Authentication > General (continued) LABEL DESCRIPTION Authentication This field displays the authentication requirement for users when their traffic matches this policy. unnecessary - Users do not need to be authenticated. required - Users need to be authenticated. They must manually go to the login screen or user agreement page.
  • Page 495 Chapter 20 Web Authentication Figure 355 Configuration > Web Authentication > General > Add Authentication Policy The following table gives an overview of the objects you can configure. Table 171 Configuration > Web Authentication > General > Add Authentication Policy LABEL DESCRIPTION Create new...
  • Page 496: User-Aware Access Control Example

    Chapter 20 Web Authentication Table 171 Configuration > Web Authentication > General > Add Authentication Policy (continued) LABEL DESCRIPTION Single Sign-on This field is available for user-configured policies that require Single Sign-On (SSO). Select this to have the Zyxel Device enable the SSO feature. You can set up this feature in the SSO screen. Force User This field is available for user-configured policies that require authentication.
  • Page 497 Chapter 20 Web Authentication Figure 356 Configuration > Object > User/Group > User > Add Repeat this process to set up the remaining user accounts. 20.2.1.2 Set Up User Groups Set up the user groups and assign the users to the user groups. Click Configuration >...
  • Page 498 Chapter 20 Web Authentication 20.2.1.3 Set Up User Authentication Using the RADIUS Server This step sets up user authentication using the RADIUS server. First, configure the settings for the RADIUS server. Then, set up the authentication method, and configure the Zyxel Device to use the authentication method.
  • Page 499 Chapter 20 Web Authentication Figure 359 Configuration > Object > Auth. method > Edit Click Configuration > Web Authentication. In the Web Authentication > General screen, select Enable Web Authentication to turn on the web authentication feature and click Apply. Figure 360 Configuration >...
  • Page 500 Chapter 20 Web Authentication Figure 361 Configuration > Web Authentication: General: Add When the users try to browse the web (or use any HTTP application), the login screen appears. They have to log in using the user name and password in the RADIUS server. 20.2.1.4 User Group Authentication Using the RADIUS Server The previous example showed how to have a RADIUS server authenticate individual user accounts.
  • Page 501 Chapter 20 Web Authentication Figure 362 Configuration > Object > AAA Server > RADIUS > Add Now you add ext-group-user objects to identify groups based on the group identifier values. Set up one user account for each group of user accounts in the RADIUS server. Click Configuration > Object > User/ Group >...
  • Page 502: Authentication Type Screen

    Chapter 20 Web Authentication Figure 363 Configuration > Object > User/Group > User > Add Repeat this process to set up the remaining groups of user accounts. 20.2.2 Authentication Type Screen Use this screen to view, create and manage the authentication type profiles on the Zyxel Device. An authentication type profile determines which type of web authentication page is used for user authentication.
  • Page 503 Chapter 20 Web Authentication Table 172 Configuration > Web Authentication > Authentication Type (continued) LABEL DESCRIPTION Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. This field is a sequential value, and it is not associated with a specific entry. Name This field displays the name of the profile.
  • Page 504 Chapter 20 Web Authentication Figure 366 Configuration > Web Authentication > Authentication Type: Add/Edit (User Agreement) The following table describes the labels in this screen. Table 173 Configuration > Web Authentication > Authentication Type: Add/Edit LABEL DESCRIPTION Type Select the type of the web authentication page through which users authenticate their connections.
  • Page 505 Chapter 20 Web Authentication Table 173 Configuration > Web Authentication > Authentication Type: Add/Edit (continued) LABEL DESCRIPTION External Web Select this to use a custom login page from an external web portal instead of the one Portal uploaded to the Zyxel Device. You can configure the look and feel of the web portal page. Login URL Specify the login page’s URL;...
  • Page 506: Custom Web Portal / User Agreement File Screen

    Chapter 20 Web Authentication Table 173 Configuration > Web Authentication > Authentication Type: Add/Edit (continued) LABEL DESCRIPTION Welcome URL Specify the welcome page’s URL; for example, http://IIS server IP Address/welcome.html. The Internet Information Server (IIS) is the web server on which the user agreement files are installed.
  • Page 507: Facebook Wi-Fi Screen

    Chapter 20 Web Authentication Figure 368 Configuration > Web Authentication > Custom User Agreement File The following table describes the labels in this screen. Table 174 Configuration > Web Authentication > Custom Web Portal / User Agreement File LABEL DESCRIPTION Remove Click a file’s row to select it and click Remove to delete it from the Zyxel Device.
  • Page 508 Chapter 20 Web Authentication • created an authentication policy in the Configuration > Web Authentication: General screen to redirect the matched users to the Facebook page before they can have free Internet access. Note: If you disable Facebook Wi-Fi or reset the Facebook page settings later, the Zyxel Device automatically logs out existing users who have authenticated their connections via Facebook Wi-Fi.
  • Page 509 Chapter 20 Web Authentication 20.2.4.1 How to Configure Facebook for Facebook Wi-Fi This section shows you what to do if you have not yet set up a Facebook fan page and see the following message ‘This device is not paired with facebook. Please configure this device’. Click Configure.
  • Page 510 Chapter 20 Web Authentication 20.2.4.2 How to use the Zyxel Device’s Facebook Wi-Fi This section shows how users use Facebook Wi-Fi to access the Internet for free after you enable and set up Facebook Wi-Fi on the Zyxel Device. Connect to the Zyxel Device’s wireless or LAN network. Open a web browser from the connected computer or mobile device.
  • Page 511: Sso Overview

    Chapter 20 Web Authentication 20.3 SSO Overview The SSO (Single Sign-On) function integrates Domain Controller and Zyxel Device authentication mechanisms, so that users just need to log in once (single login) to get access to permitted resources. In the following figure, U user logs into a Domain Controller (DC) which passes the user’s login credentials to the SSO agent.
  • Page 512: Sso - Zyxel Device Configuration

    Chapter 20 Web Authentication User Domain Controller Single Sign-On agent Active Directory Install the SSO Agent on one of the following platforms: • Windows 7 Professional (32-bit and 64-bit) • Windows Server 2008 Enterprise (32-bit and 64-bit) • Windows 2008 R2 (64-bit) •...
  • Page 513: Configuration Overview

    Chapter 20 Web Authentication 20.4.1 Configuration Overview These are the screens you need to configure: • Configure the Zyxel Device to Communicate with SSO on page 513 • Enable Web Authentication on page 514 • Create a Security Policy on page 515 •...
  • Page 514: Enable Web Authentication

    Chapter 20 Web Authentication Table 177 Configuration > Web Authentication > SSO LABEL DESCRIPTION Secondary Agent Port Type the same port number here as in the Agent Listening Port field on the backup (Optional) SSO agent if there is one. Type a number ranging from 1025 to 65535. Apply Click this button to save your changes to the Zyxel Device.
  • Page 515: Create A Security Policy

    Chapter 20 Web Authentication See Table 170 on page 492 and Table 171 on page 495 for more information on configuring these screens. 20.4.4 Create a Security Policy Configure a Security Policy for SSO traffic source and destination direction in order to prevent the security policy from blocking this traffic.
  • Page 516: Configure User Information

    Chapter 20 Web Authentication 20.4.5 Configure User Information Configure a User account of the ext-group-user type. Configure Group Identifier to be the same as Group Membership on the SSO agent.
  • Page 517: Configure An Authentication Method

    Chapter 20 Web Authentication 20.4.6 Configure an Authentication Method Configure Active Directory (AD) for authentication with SSO. Choose group ad as the authentication server for SSO. 20.4.7 Configure Active Directory You must configure an Active Directory (AD) server in AAA Setup to be the same as AD configured on the SSO agent.
  • Page 518: Sso Agent Configuration

    Chapter 20 Web Authentication 20.5 SSO Agent Configuration This section shows what you have to do on the SSO agent in order to work with the Zyxel Device. After you install the SSO agent, you will see an icon in the system tray (bottom right of the screen)
  • Page 519 Chapter 20 Web Authentication Right-click the SSO icon and select Configure Zyxel SSO Agent. Configure the Agent Listening Port, AD server exactly as you have done on the Zyxel Device. Add the Zyxel Device IP address as the Gateway. Make sure the Zyxel Device and SSO agent are able to communicate with each other.
  • Page 520 Chapter 20 Web Authentication Configure the Server Address, Port, Base DN, Bind DN, Login Name Attribute and Group Membership for the AD server settings exactly as you have done on the Zyxel Device. Group Membership is called Group Identifier on the Zyxel Device. LDAP/AD Server Configuration
  • Page 521 Chapter 20 Web Authentication Configure the Gateway IP address, Gateway Port and PreShareKey exactly as you have done in the Zyxel Device Configuration > Web Authentication > SSO screen. If you want to use Generate Key to have the SSO create a random password, select Check to show PreShareKey as clear Text so as to see the password, then copy and paste it to the Zyxel Device.
  • Page 522: Hotspot

    Chapter 21 Hotspot 21.1 Overview See Section 1.1 on page 28 to see which models support Hotspot management. 21.2 Billing Overview You can use the built-in billing function to set up billing profiles. A billing profile describes how to charge users.
  • Page 523: The Billing > General Screen

    Chapter 21 Hotspot 21.3 The Billing > General Screen Use this screen to configure the general billing settings, such as the accounting method, currency unit and the SSID profiles to which the settings are applied. Click Configuration > Hotspot > Billing > General to open the following screen.
  • Page 524 Chapter 21 Hotspot The following table describes the labels in this screen. Table 178 Configuration > Hotspot > Billing > General LABEL DESCRIPTION General Settings Unused account Enter the number and select a time unit from the drop-down list box to specify how long to wait will be deleted before the Zyxel Device deletes an account that has not been used.
  • Page 525: The Billing > Billing Profile Screen

    Chapter 21 Hotspot Table 178 Configuration > Hotspot > Billing > General (continued) LABEL DESCRIPTION Hotspot Service Status Service Status This field displays whether a service license is enabled at myZyxel (Activated) or not (Not Activated) or expired (Expired). It displays the remaining Grace Period if your license has Expired.
  • Page 526: The Account Generator Screen

    Chapter 21 Hotspot Table 179 Configuration > Hotspot > Billing > Billing Profile (continued) LABEL DESCRIPTION Preview Click this button to open the Account Generator screen, where you can generate a dynamic guest account and print the account information using a statement printer connected to the Zyxel Device (see Section 21.4.1 on page 526 for more information).
  • Page 527 Chapter 21 Hotspot Figure 374 Account Generator The following table describes the labels in this screen. Table 180 Account Generator LABEL DESCRIPTION Account Select a button and specify how many units of the billing period are charged for a new account in Generator the Button x Unit field.
  • Page 528 Chapter 21 Hotspot Table 180 Account Generator (continued) LABEL DESCRIPTION Default Thermal Select a statement printer that is attached to the Zyxel Device. It displays n/a if there is no Printer printer attached. Summary Total This shows the total price for the account before sales tax is added. This shows the tax rate.
  • Page 529: The Account Redeem Screen

    Chapter 21 Hotspot The Printer screen shows a printout preview example. Click Printer to print this subscriber statement. Click Cancel to close this window when you are finished viewing it. 21.4.2 The Account Redeem Screen The Account Redeem screen allows you to send SMS messages for certain accounts. Click the Account Redeem tab in the Account Generator screen to open this screen.
  • Page 530 Chapter 21 Hotspot Figure 375 Account Redeem The following table describes the labels in this screen. Table 181 Account Redeem LABEL DESCRIPTION Query Account Information Phone Number Enter the country code and mobile phone number and click Query to display only the account(s) that has the specified phone number.
  • Page 531: The Billing Profile Add/Edit Screen

    Chapter 21 Hotspot Table 181 Account Redeem (continued) LABEL DESCRIPTION Cancel Click Cancel to exit this screen without saving. Logout Click Logout to log out of the web configurator. This button is available only when you open this screen by logging in with the guest-manager account. 21.4.3 The Billing Profile Add/Edit Screen The Billing Profile Add/Edit screen allows you to create a new billing profile or edit an existing one.
  • Page 532: The Billing > Discount Screen

    Chapter 21 Hotspot Table 182 Configuration > Hotspot > Billing > Billing Profile > Add/Edit (continued) LABEL DESCRIPTION Quota Type The quota settings section is NOT available when you set Accounting Method to Time to Finish in the Billing > General screen. Set a limit for the user accounts.
  • Page 533 Chapter 21 Hotspot Figure 377 Configuration > Hotspot > Billing > Discount The following table describes the labels in this screen. Table 183 Configuration > Hotspot > Billing > Discount LABEL DESCRIPTION Discount Settings Enable Discount Select the check box to activate the discount price plan. Button Select Select a button from the drop-down list box to assign the base charge.
  • Page 534: The Discount Add/Edit Screen

    Chapter 21 Hotspot 21.5.1 The Discount Add/Edit Screen The Discount Add/Edit screen allows you to create a new discount level or edit an existing one. Click Configuration > Hotspot > Billing > Discount and then an Add or Edit icon to open this screen. Figure 378 Configuration >...
  • Page 535 Chapter 21 Hotspot Figure 379 Configuration > Hotspot > Billing > Payment Service > General The following table describes the labels in this screen. Table 185 Configuration > Hotspot > Billing > Payment Service > General LABEL DESCRIPTION General Setting Enable Payment Select the check box to use PayPal to authorize credit card payments.
  • Page 536: The Payment Service > Desktop / Mobile View Screen

    Chapter 21 Hotspot Table 185 Configuration > Hotspot > Billing > Payment Service > General (continued) LABEL DESCRIPTION Delivery Method Specify how the Zyxel Device provides dynamic guest account information after the user’s online payment is done. Select On-Screen to display the user account information in the web screen. Select SMS to use Short Message Service (SMS) to send account information in a text message to the user’s mobile device.
  • Page 537 Chapter 21 Hotspot Figure 380 Configuration > Hotspot > Billing > Payment Service > Desktop View
  • Page 538 Chapter 21 Hotspot Figure 381 Configuration > Hotspot > Billing > Payment Service > Mobile View
  • Page 539 Chapter 21 Hotspot The following table describes the labels in this screen. Table 186 Configuration > Hotspot > Billing > Payment Service > Desktop View or Mobile View LABEL DESCRIPTION Select Type Use Default Page Select this to use the default online payment service page built into the device. If you later create a custom online payment service page, you can still return to the Zyxel Device’s default page as it is saved indefinitely.
  • Page 540: Printer Manager

    Chapter 22 Printer Manager 22.1 Printer Manager Overview You can create dynamic guest accounts and print guest account information by pressing the button on an external statement printer, such as SP350E. Make sure that the printer is connected to the appropriate power and the Zyxel Device, and that there is printing paper in the printer.
  • Page 541 Figure 382 Configuration > Hotspot > Printer Manager > General The following table describes the labels in this screen. Table 187 Configuration > Hotspot > Printer Manager > General LABEL DESCRIPTION General Setting Enable Printer Select the check box to allow the Zyxel Device to manage and monitor the printer status. Manager Printer Settings Encryption...
  • Page 542 Chapter 22 Printer Manager Table 187 Configuration > Hotspot > Printer Manager > General (continued) LABEL DESCRIPTION This field is a sequential value, and it is not associated with any entry. Status This icon is lit when the entry is active and dimmed when the entry is inactive. Click the Connection icon for the Zyxel Device to connect to the printer.
  • Page 543: Add Printer Rule

    Chapter 22 Printer Manager 22.2.1 Add Printer Rule Click the Add icon to open the following screen. Use this screen to add a new printer. Figure 383 Configuration > Hotspot > Printer Manager > General: Add The following table describes the labels in this screen. Table 188 Configuration >...
  • Page 544: Discover Printer

    Chapter 22 Printer Manager The following table describes the labels in this screen. Table 189 Configuration > Hotspot > Printer Manager > General: Edit LABEL DESCRIPTION Enable Printer Select this option to turn on this entry in order to allow the Zyxel Device to manage this printer. Manager Nickname Type an optional friendly name for the printer.
  • Page 545 Chapter 22 Printer Manager General > Add to manually configure a printer’s IP address and add it to the managed printer list when the printer is not detected or connected to the Zyxel Device. Figure 385 Configuration > Hotspot > Printer Manager > General: Discover Printer The following table describes the labels in this screen.
  • Page 546: Edit Printer Manager (Discover Printer)

    Chapter 22 Printer Manager 22.2.4 Edit Printer Manager (Discover Printer) Select an entry in the Printer Manager > General > Discover Printer screen and click the Edit icon to open the following screen. Use this screen to modify the printer’s nickname and IP address. Figure 386 Configuration >...
  • Page 547: The Printout Configuration Screen

    Chapter 22 Printer Manager 22.3 The Printout Configuration Screen Use this screen to customize the account printout. Click Configuration > Hotspot > Printer Manager > Printout Configuration to open the following screen. Figure 387 Configuration > Hotspot > Printer Manager > Printout Configuration The following table describes the labels in this screen.
  • Page 548: Printer Reports Overview

    Chapter 22 Printer Manager 22.4 Printer Reports Overview The SP350E allows you to print status reports about the guest accounts and general Zyxel Device system information. Simply press a key combination on the SP350E to print a report instantly without accessing the web configurator.
  • Page 549: Monthly Account Summary

    Chapter 22 Printer Manager Figure 388 Daily Account Example

        Daily Account
        ----------------------------
        2013/05/10
        Username Price
        ----------------------------
        p2m6pf52 1.00
        s4pcms28 2.00
        ----------------------------
        TOTAL ACCOUNTS: 2
        TOTAL PRICE: $ 3.00
        ----------------------------
        2013/05/10 20:00:00
        ---End---

    22.4.3 Monthly Account Summary The monthly account report lists the accounts printed during the current month, the current month’s total number of accounts and the total charge.
  • Page 550: System Status

    Chapter 22 Printer Manager For example, if 2030 accounts (each priced at $1) have been created from 2013/05/01 00:00:00 to 2013/05/31 19:59:59, the monthly account report includes the latest 2000 accounts, so the total would be $2,000 instead of $2,030. Use the Monitor >...
  • Page 551 Chapter 22 Printer Manager Table 194 System Status (continued) LABEL DESCRIPTION WAIP This field displays the IP address of the WAN port on the Zyxel Device. LAIP This field displays the IP address of the LAN port on the Zyxel Device. WLIP This field displays the IP address of the wireless LAN interface on the Zyxel Device.
  • Page 552: Free Time

    Chapter 23 Free Time 23.1 Free Time Overview With Free Time, the Zyxel Device can create dynamic guest accounts that allow users to browse the Internet free of charge for a specified period of time. 23.1.1 What You Can Do in this Chapter Use the Free Time screen (see Section 23.2 on page 552) to turn on this feature to allow users to get a...
  • Page 553 Chapter 23 Free Time The following table describes the labels in this screen. Table 195 Configuration > Hotspot > Free Time LABEL DESCRIPTION Enable Free Time Select the check box to turn on the free time feature. Note: After you set up web authentication policies and enable the free time feature on the Zyxel Device, a link displays in the login screen when users try to access the Internet.
  • Page 554 Chapter 23 Free Time Table 195 Configuration > Hotspot > Free Time (continued) LABEL DESCRIPTION Service Status This field displays whether a service license is enabled at myZyxel (Activated) or not (Not Activated) or expired (Expired). It displays the remaining Grace Period if your license has Expired.
  • Page 555 Chapter 23 Free Time If you enable both online payment service and free time feature on the Zyxel Device, the link description in the login screen will be mainly for online payment service. You can still click the link to get a free account.
  • Page 556 The guest account information then displays in the screen and/or is sent to the configured mobile phone number.
  • Page 557: Ipnp

    Chapter 24 IPnP 24.1 IPnP Overview IP Plug and Play (IPnP) allows a computer to access the Internet without changing the network settings (such as IP address and subnet mask) of the computer, even when the IP addresses of the computer and the Zyxel Device are not in the same subnet.
  • Page 558: What You Can Do In This Chapter

    24.1.1 What You Can Do in this Chapter Use the IP screen (Section 24.1.2 on page 558) to enable IPnP on the Zyxel Device and the internal interface(s). 24.1.2 IPnP Screen This screen allows you to enable IPnP on the Zyxel Device and specific internal interface(s). To access this screen click Configuration >...
  • Page 559 Chapter 24 IPnP Table 196 Configuration > Hotspot > IPnP (continued) LABEL DESCRIPTION Service Type This shows whether you have a trial or standard license or none (Trial, Standard, None). Expiration This shows when your hotspot license will expire. Date Register Now Click the link to go to myZyxel where you can register your Zyxel Device and activate the service.
  • Page 560: Walled Garden

    Chapter 25 Walled Garden 25.1 Walled Garden Overview A user must log in before the Zyxel Device allows the user to access the Internet. However, with a walled garden, you can define one or more web site addresses that all users can access without logging in.
  • Page 561: Walled Garden > Url Base Screen

    Chapter 25 Walled Garden Table 197 Configuration > Hotspot > Walled Garden: General (continued) LABEL DESCRIPTION Service Status This field displays whether a service license is enabled at myZyxel (Activated) or not (Not Activated) or expired (Expired). It displays the remaining Grace Period if your license has Expired.
  • Page 562: Adding/Editing A Walled Garden Url

    Chapter 25 Walled Garden Table 198 Configuration > Hotspot > Walled Garden: URL Based (continued) LABEL DESCRIPTION Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Activate To turn on an entry, select it and click Activate.
  • Page 563: Walled Garden > Domain/Ip Base Screen

    Chapter 25 Walled Garden Table 199 Configuration > Hotspot > Walled Garden: URL Base: Add/Edit (continued) LABEL DESCRIPTION Enter the URL of the web site. Use “http://” or “https://” followed by up to 262 characters (0-9a-zA-Z;/?:@&=+$\.-_!~*'()%). For example, http://www.example.com or http://172.16.1.35. Preview Click this button to open the specified web site in a new frame.
  • Page 564: Adding/Editing A Walled Garden Domain Or Ip

    Chapter 25 Walled Garden Table 200 Configuration > Hotspot > Walled Garden: Domain/IP Based (continued) LABEL DESCRIPTION Domain Name/IP This field displays the domain name or IP address and subnet mask of the web site. Address Apply Click this button to save your changes to the Zyxel Device. Reset Click this button to return the screen to its last-saved settings.
  • Page 565 Chapter 25 Walled Garden Figure 399 Walled Garden Login Example
  • Page 566: Advertisement Screen

    Chapter 26 Advertisement Screen 26.1 Advertisement Overview Use this screen to set the Zyxel Device to display an advertisement web page as the first web page whenever the user connects to the Internet. Click Configuration > Hotspot > Advertisement to display the screen. Figure 400 Configuration >...
  • Page 567: Adding/Editing An Advertisement Url

    Chapter 26 Advertisement Screen Table 202 Configuration > Hotspot > Advertisement (continued) LABEL DESCRIPTION Name This field displays the descriptive name of the web site. This field displays the address of the web site. Hotspot Service Status Service Status This field displays whether a service license is enabled at myZyxel (Activated) or not (Not Activated) or expired (Expired).
  • Page 568 Chapter 26 Advertisement Screen The following table gives an overview of the objects you can configure. Table 203 Configuration > Hotspot > Advertisement > Add/Edit LABEL DESCRIPTION Name Enter a descriptive name for the advertisement web site. You can use up to 31 alphanumeric characters (A-Z, a-z, 0-9) and underscores (_). Spaces are not allowed.
  • Page 569: Security Policy

    Chapter 27 Security Policy 27.1 Overview A security policy is a template of security settings that can be applied to specific traffic at specific times. The policy can be applied: • to a specific direction of travel of packets (from / to) •...
  • Page 570: One Security

    Chapter 27 Security Policy 27.2 One Security OneSecurity is a website with guidance on configuration walkthroughs, troubleshooting, and other information. This is an example of a port forwarding configuration walkthrough. Figure 403 Example of a Port Forwarding Configuration Walkthrough. This is an example of L2TP over IPSec VPN troubleshooting.
  • Page 571 Chapter 27 Security Policy Figure 404 Example of L2TP over IPSec Troubleshooting - 1
  • Page 572 Chapter 27 Security Policy Figure 405 Example of L2TP over IPSec Troubleshooting - 2 In the Zyxel Device, you will see icons that link to OneSecurity walkthroughs, troubleshooting and so on in certain screens. For example, at the time of writing, these are the OneSecurity icons you can see. Table 204 OneSecurity Icons ONESECURITY ICON SCREEN...
  • Page 573: What You Can Do In This Chapter

    Chapter 27 Security Policy Table 204 OneSecurity Icons (continued) ONESECURITY ICON SCREEN Click this icon for more information on Application Patrol, which identifies traffic that passes through the Zyxel Device, so you can decide what to do with specific types of traffic.
  • Page 574: What You Need To Know

    Chapter 27 Security Policy 27.3.1 What You Need to Know Stateful Inspection The Zyxel Device uses stateful inspection in its security policies. The Zyxel Device restricts access by screening data packets against defined access rules. It also inspects sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.
  • Page 575: The Security Policy Screen

    Chapter 27 Security Policy Global Security Policies Security Policies with from any and/or to any as the packet direction are called global Security Policies. The global Security Policies are the only Security Policies that apply to an interface that is not included in a zone.
  • Page 576: Configuring The Security Policy Control Screen

    Chapter 27 Security Policy A computer on the LAN1 initiates a connection by sending a SYN packet to a receiving server on the WAN. The Zyxel Device reroutes the packet to gateway A, which is in Subnet 2. The reply from the WAN goes to the Zyxel Device. The Zyxel Device then sends it to the computer on the LAN1 in Subnet 1.
  • Page 577 Chapter 27 Security Policy Figure 407 Configuration > Security Policy > Policy Control The following table describes the labels in this screen. Table 206 Configuration > Security Policy > Policy Control LABEL DESCRIPTION Show Filter/Hide Click Show Filter to display IPv4 and IPv6 (if enabled) security policy search filters. Filter IPv4 / IPv6 Use IPv4 / IPv6 search filters to find specific IPv4 and IPv6 (if enabled) security policies based on...
  • Page 578 Chapter 27 Security Policy Table 206 Configuration > Security Policy > Policy Control (continued) LABEL DESCRIPTION IPv4 / IPv6 Type an IPv4 or IPv6 IP address to view all security policies based on the IPv4 / IPv6 destination Destination address object used. •...
  • Page 579: The Security Policy Control Add/Edit Screen

    Chapter 27 Security Policy Table 206 Configuration > Security Policy > Policy Control (continued) LABEL DESCRIPTION Name This is the name of the Security policy. From / To This is the direction of travel of packets. Select from which zone the packets come and to which zone they go.
  • Page 580 Chapter 27 Security Policy Figure 408 Configuration > Security Policy > Policy Control > Add The following table describes the labels in this screen. Table 207 Configuration > Security Policy > Policy Control > Add LABEL DESCRIPTION Create new Use to configure any new settings objects that you need to use in this screen. Object Enable Select this check box to activate the Security policy.
  • Page 581: Anomaly Detection And Prevention Overview

    Chapter 27 Security Policy Table 207 Configuration > Security Policy > Policy Control > Add (continued) LABEL DESCRIPTION User This field is not available when you are configuring a to-Zyxel Device policy. Select a user name or user group to which to apply the policy. The Security Policy is activated only when the specified user logs into the system and the policy will be disabled when the user logs out.
  • Page 582: The Anomaly Detection And Prevention General Screen

    Chapter 27 Security Policy Traffic Anomalies Traffic anomaly policies look for abnormal behavior or events such as port scanning, sweeping or network flooding. They operate at OSI layer-2 and layer-3. Traffic anomaly policies may be updated when you upload new firmware. Protocol Anomalies Protocol anomalies are packets that do not comply with the relevant RFC (Request For Comments).
  • Page 583: Creating New Adp Profiles

    Chapter 27 Security Policy Table 208 Configuration > Security Policy > ADP > General LABEL DESCRIPTION Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. Activate To turn on an entry, select it and click Activate.
  • Page 584: Traffic Anomaly Profiles

    Chapter 27 Security Policy Figure 410 Configuration > Security Policy > ADP > Profile The following table describes the labels in this screen. Table 209 Configuration > Security Policy > ADP > Profile LABEL DESCRIPTION Profile Management Create ADP profiles here and then apply them in the Configuration > Security Policy >...
  • Page 585 Chapter 27 Security Policy Figure 411 Configuration > Security Policy > ADP > Profile > Add-Traffic-Anomaly The following table describes the labels in this screen. Table 210 Configuration > Security Policy > ADP > Profile > Add-Traffic-Anomaly LABELS DESCRIPTION Name A name is automatically generated that you can edit.
  • Page 586 Chapter 27 Security Policy Table 210 Configuration > Security Policy > ADP > Profile > Add-Traffic-Anomaly (continued) LABELS DESCRIPTION Scan/Flood Detection Scan detection, such as port scanning, tries to find attacks where an attacker scans device(s) to determine what types of network protocols or services a device supports.
  • Page 587: Protocol Anomaly Profiles

    Chapter 27 Security Policy 27.5.4 Protocol Anomaly Profiles Protocol anomalies are packets that do not comply with the relevant RFC (Request For Comments). Protocol anomaly detection includes: • TCP Decoder • UDP Decoder • ICMP Decoder • IP Decoder Teardrop When an IP packet is larger than the Maximum Transmission Unit (MTU) configured in the Zyxel Device, it is fragmented using the TCP or ICMP protocol.
  • Page 588 Chapter 27 Security Policy Figure 412 Configuration > Security Policy > ADP > Profile > Add-Protocol-Anomaly
  • Page 589 Chapter 27 Security Policy The following table describes the labels in this screen. Table 211 Configuration > Security Policy > ADP > Profile > Add-Protocol-Anomaly LABEL DESCRIPTION Name A name is automatically generated that you can edit. The name must be the same in the Traffic Anomaly and Protocol Anomaly screens for the same ADP profile.
  • Page 590: The Session Control Screen

    Chapter 27 Security Policy Table 211 Configuration > Security Policy > ADP > Profile > Add-Protocol-Anomaly LABEL DESCRIPTION Name This is the name of the anomaly policy. Click the Name column heading to sort in ascending or descending order according to the protocol anomaly policy name. These are the log options.
  • Page 591: The Session Control Add/Edit Screen

    Chapter 27 Security Policy The following table describes the labels in this screen. Table 212 Configuration > Security Policy > Session Control LABEL DESCRIPTION General Settings UDP Session Time Set how many seconds the Zyxel Device will allow a UDP session to remain idle (without UDP traffic) before closing it.
  • Page 592: Security Policy Example Applications

    Chapter 27 Security Policy Figure 414 Configuration > Security Policy > Session Control > Edit The following table describes the labels in this screen. Table 213 Configuration > Security Policy > Session Control > Add / Edit LABEL DESCRIPTION Create new Object Use to configure new settings for User or Address objects that you need to use in this screen. Click on the down arrow to see the menu.
  • Page 593 Chapter 27 Security Policy Figure 415 Blocking All LAN to WAN IRC Traffic Example Your Security Policy would have the following settings. Table 214 Blocking All LAN to WAN IRC Traffic Example USER SOURCE DESTINATION SCHEDULE UTM PROFILE ACTION Deny Allow •...
  • Page 594 Chapter 27 Security Policy Figure 416 Limited LAN to WAN IRC Traffic Example Your security policy would have the following configuration. Table 215 Limited LAN1 to WAN IRC Traffic Example 1 USER SOURCE DESTINATION SCHEDULE UTM PROFILE ACTION 172.16.1.7 Allow Deny Allow •...
  • Page 595: Cloud Cnm

    Chapter 28 Cloud CNM 28.1 Cloud CNM Overview You need a SecuManager license to get a CNM ID with which you can access the SecuManager server. It is independent from the Zyxel Devices. The SecuReporter license must be activated on each Zyxel Device.
  • Page 596 Chapter 28 Cloud CNM Figure 417 Cloud CNM SecuManager Example Network Topology Cloud CNM SecuManager features include: • Batch import of managed devices at one time using one CSV file • See an overview of all managed devices and system information in one place •...
  • Page 597 Chapter 28 Cloud CNM Figure 418 Configuration > Cloud CNM > SecuManager The following table describes the labels in this screen. Table 217 Configuration > Cloud CNM > SecuManager LABEL DESCRIPTION Show Advanced Click this button to display a greater or lesser number of configuration fields. Settings / Hide Advanced Settings Enable...
  • Page 598: Cloud Cnm Secureporter

    Chapter 28 Cloud CNM Table 217 Configuration > Cloud CNM > SecuManager (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings. Note: See the Cloud CNM SecuManager User’s Guide for more information on Cloud CNM SecuManager.
  • Page 599 Chapter 28 Cloud CNM How to activate and enable SecuReporter Does Service Status display Activated in the Configuration > Cloud CNM > SecuReporter screen? If not, you have to log in to myZyxel.com and activate the SecuReporter license for this Zyxel Device. The Zyxel Device must be able to communicate with the myZyxel server.
  • Page 600 Chapter 28 Cloud CNM SecuReporter Banner The SecuReporter banner appears when: SecuReporter hasn’t been enabled before. The Zyxel Device is not added to an organization yet. Figure 421 SecuReporter Banner Click the Continue button in the SecuReporter banner to configure the SecuReporter settings. •...
  • Page 601 Chapter 28 Cloud CNM Figure 422 SecuReporter Banner Settings Click Configuration > Cloud CNM > SecuReporter to open the following screen. Figure 423 Configuration > Cloud CNM > SecuReporter
  • Page 602 Chapter 28 Cloud CNM The following table describes the labels in this screen. Table 218 Configuration > Cloud CNM > SecuReporter LABEL DESCRIPTION Enable SecuReporter Security-related logs are sent to the SecuReporter portal. Click the General Data Protection Regulation (GDPR) privacy link below to see the Zyxel privacy policy. This must be selected to have SecuReporter collect and analyze logs from this Zyxel Device.
  • Page 603: Amazon Vpc

    Chapter 29 Amazon VPC 29.1 Overview Use this feature if you want to transmit traffic from a Customer Gateway (CG, the Zyxel Device) through an IPSec tunnel to the Amazon VPC (Virtual Private Cloud). Note: At the time of writing, you can use the web configurator to configure Amazon VPC on ZyWALL USG20-VPN/USG20W-VPN/USG2200-VPN.
  • Page 604 Chapter 29 Amazon VPC • Your Customer Gateway ID: cgw-57b10356 Two tunnels are used to connect the Zyxel Device to the Amazon VPC. One is redundant and only takes over if the first one fails. There are 2 routing types for Amazon VPC. •...
  • Page 605: Ipsec Vpn

    Chapter 30 IPSec VPN 30.1 Virtual Private Networks (VPN) Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing.
  • Page 606 Chapter 30 IPSec VPN shared key (shared secret), signatures, or public key encryption. Phase 1 operates in either Main Mode or Aggressive Mode. Main Mode protects the identity of the peers, but Aggressive Mode does not. During Phase 2, the remote IPSec routers use the secure channel established in Phase 1 to negotiate Security Associations for IPSec.
  • Page 607: What You Can Do In This Chapter

    Chapter 30 IPSec VPN L2TP VPN L2TP VPN uses the L2TP and IPSec client software included in remote users’ Android, iOS, or Windows operating systems for secure connections to the network behind the Zyxel Device. The remote users do not need their own IPSec gateways or third-party VPN client software. For example, configure sales representatives’...
  • Page 608 Chapter 30 IPSec VPN Figure 429 VPN: IKE SA and IPSec SA In this example, a computer in network A is exchanging data with a computer in network B. Inside networks A and B, the data is transmitted the same way data is normally transmitted in the networks. Between routers X and Y, the data is protected by tunneling, encryption, authentication, and other security features of the IPSec SA.
  • Page 609 Chapter 30 IPSec VPN Application Scenarios The Zyxel Device’s application scenarios make it easier to configure your VPN connection settings. Table 219 IPSec VPN Application Scenarios SITE-TO-SITE WITH REMOTE ACCESS REMOTE ACCESS VPN TUNNEL SITE-TO-SITE DYNAMIC PEER (SERVER ROLE) (CLIENT ROLE) INTERFACE Choose this if the Choose this if the...
  • Page 610: Before You Begin

    Chapter 30 IPSec VPN 30.1.3 Before You Begin This section briefly explains the relationship between VPN tunnels and other features. It also gives some basic suggestions for troubleshooting. You should set up the following features before you set up the VPN tunnel. •...
  • Page 611 Chapter 30 IPSec VPN Figure 430 Configuration > VPN > IPSec VPN > VPN Connection Each field is discussed in the following table. Table 220 Configuration > VPN > IPSec VPN > VPN Connection LABEL DESCRIPTION Global Setting The following two fields are for all IPSec VPN policies. Click on the VPN icon to go to the Zyxel VPN Client product page at the Zyxel website.
  • Page 612: The Vpn Connection Add/Edit Screen

    Chapter 30 IPSec VPN Table 220 Configuration > VPN > IPSec VPN > VPN Connection (continued) LABEL DESCRIPTION Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Activate To turn on an entry, select it and click Activate.
  • Page 613 Chapter 30 IPSec VPN Figure 431 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit
  • Page 614 Chapter 30 IPSec VPN Each field is described in the following table. Table 221 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit LABEL DESCRIPTION Show Advanced Click this button to display a greater or lesser number of configuration fields. Settings / Hide Advanced Settings Create new Object...
  • Page 615 Chapter 30 IPSec VPN Table 221 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit (continued) LABEL DESCRIPTION Application Select the scenario that best describes your intended VPN connection. Scenario Site-to-site - Choose this if the remote IPSec router has a static IP address or a domain name.
  • Page 616 Chapter 30 IPSec VPN Table 221 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit (continued) LABEL DESCRIPTION First DNS Server The Domain Name System (DNS) maps a domain name to an IP address and vice versa. (optional) The Zyxel Device uses these (in the order you specify here) to resolve domain names for VPN.
  • Page 617 Chapter 30 IPSec VPN Table 221 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit (continued) LABEL DESCRIPTION Encryption This field is applicable when the Active Protocol is ESP. Select which key size and encryption algorithm to use in the IPSec SA. Choices are: NULL - no encryption key or algorithm DES - a 56-bit key with the DES encryption algorithm 3DES - a 168-bit key with the DES encryption algorithm...
  • Page 618 Chapter 30 IPSec VPN Table 221 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit (continued) LABEL DESCRIPTION Check Port This field displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check. Check Period Enter the number of seconds between connection check attempts.
  • Page 619: The Vpn Gateway Screen

    Chapter 30 IPSec VPN Table 221 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit (continued) LABEL DESCRIPTION Move To change an entry’s position in the numbered list, select it and click Move to display a field to type a number for where you want to put that entry and press [ENTER] to move the entry to the number that you typed.
  • Page 620: The Vpn Gateway Add/Edit Screen

    Chapter 30 IPSec VPN Each field is discussed in the following table. See Section 30.3.1 on page 620 for more information. Table 222 Configuration > VPN > IPSec VPN > VPN Gateway LABEL DESCRIPTION Click this to create a new entry. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
  • Page 621 Chapter 30 IPSec VPN Figure 433 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit
  • Page 622 Chapter 30 IPSec VPN Each field is described in the following table. Table 223 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit LABEL DESCRIPTION Show Advanced Click this button to display a greater or lesser number of configuration fields. Settings / Hide Advanced Settings Create New Object...
  • Page 623 Chapter 30 IPSec VPN Table 223 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued) LABEL DESCRIPTION Pre-Shared Key Select this to have the Zyxel Device and remote IPSec router use a pre-shared key (password) of up to 128 characters to identify each other when they negotiate the IKE SA. Type the pre-shared key in the field to the right.
  • Page 624 Chapter 30 IPSec VPN Table 223 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued) LABEL DESCRIPTION Peer ID Type Select which type of identification is used to identify the remote IPSec router during authentication. Choices are: IP - the remote IPSec router is identified by an IP address DNS - the remote IPSec router is identified by a domain name E-mail - the remote IPSec router is identified by the string specified in this field...
  • Page 625 Chapter 30 IPSec VPN Table 223 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued) LABEL DESCRIPTION Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. This field is a sequential value, and it is not associated with a specific proposal.
  • Page 626 Chapter 30 IPSec VPN Table 223 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued) LABEL DESCRIPTION X-Auth This displays when using IKEv1. When different users use the same VPN tunnel to connect to the Zyxel Device (telecommuters sharing a tunnel for example), use X-auth to enforce a user name and password check.
  • Page 627: VPN Concentrator

    Chapter 30 IPSec VPN 30.4 VPN Concentrator A VPN concentrator combines several IPSec VPN connections into one secure network. Figure 434 VPN Topologies (Fully Meshed and Hub and Spoke) In a fully-meshed VPN topology (1 in the figure), there is a VPN connection between every pair of routers.
  • Page 628: VPN Concentrator Screen

    Chapter 30 IPSec VPN 30.4.2 VPN Concentrator Screen The VPN Concentrator summary screen displays the VPN concentrators in the Zyxel Device. To access this screen, click Configuration > VPN > IPSec VPN > Concentrator. Figure 435 Configuration > VPN > IPSec VPN > Concentrator Each field is discussed in the following table.
  • Page 629: Zyxel Device IPSec VPN Client Configuration Provisioning

    Chapter 30 IPSec VPN Figure 436 Configuration > VPN > IPSec VPN > Concentrator > Add/Edit Each field is described in the following table. Table 225 VPN > IPSec VPN > Concentrator > Add/Edit LABEL DESCRIPTION Name Enter the name of the concentrator. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 630 Chapter 30 IPSec VPN • A subnet or range remote policy The following VPN Gateway rules configured on the Zyxel Device cannot be provisioned to the IPSec VPN Client: • IPv4 rules with IKEv2 version • IPv4 rules with User-based PSK authentication Note: You must enable IPv6 in System >...
  • Page 631: IPSec VPN Background Information

    Chapter 30 IPSec VPN Table 226 Configuration > VPN > IPSec VPN > Configuration Provisioning (continued) LABEL DESCRIPTION Click Add to bind a configured VPN rule to a user or group. Only that user or group may then retrieve the specified VPN rule settings. If you click Add without selecting an entry in advance then the new entry appears as the first entry.
  • Page 632 Chapter 30 IPSec VPN Note: Both routers must use the same negotiation mode. These modes are discussed in more detail in Negotiation Mode. Main mode is used in various examples in the rest of this section. The Zyxel Device supports IKEv1 and IKEv2. See Section 30.1 on page 605 for more information.
  • Page 633 Chapter 30 IPSec VPN • Triple DES (3DES) is a variant of DES. It iterates three times with three separate keys, effectively tripling the strength of DES. • Advanced Encryption Standard (AES) is a newer method of data encryption that also uses a secret key.
  • Page 634 Chapter 30 IPSec VPN Figure 440 IKE SA: Main Negotiation Mode, Steps 5 - 6: Authentication (continued) Step 5: pre-shared key Zyxel Device identity, consisting of - ID type - content Step 6: pre-shared key Remote IPSec router identity, consisting of - ID type - content You have to create (and distribute) a pre-shared key.
  • Page 635 Chapter 30 IPSec VPN Table 228 VPN Example: Mismatching ID Type and Content. ZYXEL DEVICE: Local ID type: E-mail; Local ID content: tom@yourcompany.com; Peer ID type: IP; Peer ID content: 1.1.1.20. REMOTE IPSEC ROUTER: Local ID type: IP; Local ID content: 1.1.1.2; Peer ID type: E-mail; Peer ID content: tom@yourcompany.com. It is also possible to configure the Zyxel Device to ignore the identity of the remote IPSec router.
  • Page 636 Chapter 30 IPSec VPN Figure 441 VPN/NAT Example If router A does NAT, it might change the IP addresses, port numbers, or both. If router X and router Y try to establish a VPN tunnel, the authentication fails because it depends on this information. The routers cannot establish a VPN tunnel.
  • Page 637 Chapter 30 IPSec VPN Certificates It is possible for the Zyxel Device and remote IPSec router to authenticate each other with certificates. In this case, you do not have to set up the pre-shared key, local identity, or remote identity because the certificates provide this information instead.
  • Page 638 Chapter 30 IPSec VPN Figure 442 VPN: Transport and Tunnel Mode Encapsulation. Transport Mode Packet: IP Header, AH/ESP Header, TCP Header, Data. Tunnel Mode Packet: IP Header, AH/ESP Header, IP Header, TCP Header, Data. In tunnel mode, the Zyxel Device uses the active protocol to encapsulate the entire IP packet. As a result, there are two IP headers: •...
  • Page 639 Chapter 30 IPSec VPN NAT for Inbound and Outbound Traffic The Zyxel Device can translate the following types of network addresses in IPSec SA. • Source address in outbound packets - this translation is necessary if you want the Zyxel Device to route packets from computers outside the local network through the IPSec SA.
  • Page 640 Chapter 30 IPSec VPN • Source - the original source address; the remote network (B). • Destination - the original destination address; the local network (A). • SNAT - the translated source address; a different IP address (range of addresses) to hide the original source address.
  • Page 641: SSL VPN

    Chapter 31 SSL VPN 31.1 Overview Use SSL VPN to allow users to use a web browser for secure remote user login. The remote users do not need a VPN router or VPN client software. 31.1.1 What You Can Do in this Chapter •...
  • Page 642: The SSL Access Privilege Screen

    Chapter 31 SSL VPN SSL Access Policy Objects The SSL access policies reference the following objects. If you update this information, in response to changes, the Zyxel Device automatically propagates the changes through the SSL policies that use the object(s). When you delete an SSL policy, the objects are not removed. Table 229 Objects OBJECT OBJECT TYPE...
  • Page 643: The SSL Access Privilege Policy Add/Edit Screen

    Chapter 31 SSL VPN The following table describes the labels in this screen. Table 230 VPN > SSL VPN > Access Privilege LABEL DESCRIPTION Access Policy Summary This screen shows a summary of SSL VPN policies created. Click on the VPN icon to go to the Zyxel VPN Client product page at the Zyxel website. Click this to create a new entry.
  • Page 644 Chapter 31 SSL VPN Figure 447 VPN > SSL VPN > Add/Edit The following table describes the labels in this screen. Table 231 VPN > SSL VPN > Access Privilege > Add/Edit LABEL DESCRIPTION Create new Object Use to configure any new settings objects that you need to use in this screen. Configuration Enable Policy...
  • Page 645 Chapter 31 SSL VPN Table 231 VPN > SSL VPN > Access Privilege > Add/Edit (continued) LABEL DESCRIPTION Name Enter a descriptive name to identify this policy. You can enter up to 31 characters (“a-z”, “A-Z”, “0-9”) with no spaces allowed. Zone Select the zone to which to add this SSL access policy.
  • Page 646: The SSL Global Setting Screen

    Chapter 31 SSL VPN Table 231 VPN > SSL VPN > Access Privilege > Add/Edit (continued) LABEL DESCRIPTION Network List To allow user access to local network(s), select a network name in the Selectable Address Objects list and click the right arrow button to add to the Selected Address Objects list. You can select more than one network.
  • Page 647: How To Upload A Custom Logo

    Chapter 31 SSL VPN Table 232 VPN > SSL VPN > Global Setting (continued) LABEL DESCRIPTION SSL VPN Login Domain Name SSL VPN Login Domain Name 1/2 Specify a full domain name for users to use for SSL VPN login. The domain name must be registered to one of the Zyxel Device’s IP addresses or be one of the Zyxel Device’s DDNS entries.
  • Page 648: Zyxel Device SecuExtender

    Chapter 31 SSL VPN Figure 449 Example Logo Graphic Display 31.4 Zyxel Device SecuExtender The Zyxel Device automatically loads the Zyxel Device SecuExtender client program to your computer after a successful login to an SSL VPN tunnel with network extension support enabled. The Zyxel Device SecuExtender lets you: •...
  • Page 649: Example: Configure Zyxel Device For SecuExtender

    Chapter 31 SSL VPN The following table describes the labels in this screen. Table 233 Configuration > VPN > SSL VPN > SecuExtender LABEL DESCRIPTION Latest Version This displays the latest version of the Zyxel Device Security SecuExtender that is available.
  • Page 650 Chapter 31 SSL VPN Figure 452 Create an SSL VPN Access Privilege Policy Then create File Sharing and Web Application SSL Application objects. Using the Zyxel Device web configurator, go to Configuration > Object > SSL Application > Add and select the Type accordingly. Substitute your information for the information shown in the following example.
  • Page 651 Chapter 31 SSL VPN Figure 454 Create a Web Application SSL Application Object
  • Page 652: SSL User Screens

    Chapter 32 SSL User Screens 32.1 Overview This chapter introduces the remote user SSL VPN screens. The following figure shows a network example where a remote user (A) logs into the Zyxel Device from the Internet to access the web server (WWW) on the local network.
  • Page 653: Remote SSL User Login

    Chapter 32 SSL User Screens • Internet Explorer 7 and above or Firefox 1.5 and above • Using RDP requires Internet Explorer • Sun’s Runtime Environment (JRE) version 1.6 or later installed and enabled. Required Information A remote user needs the following information from the network administrator to log in and access network resources.
  • Page 654 Chapter 32 SSL User Screens Figure 457 Login Security Screen A login screen displays. Enter the user name and password of your login account. If a token password is also required, enter it in the One-Time Password field. Click SSL VPN to log in and establish an SSL VPN connection to the network to access network resources.
  • Page 655: The SSL VPN User Screens

    Chapter 32 SSL User Screens 32.3 The SSL VPN User Screens This section describes the main elements in the remote user screens. Figure 460 Remote User Screen The following table describes the various parts of a remote user screen. Table 234 Remote User Screen Overview DESCRIPTION Click on a menu tab to go to the corresponding screen.
  • Page 656: Logging Out Of The SSL VPN User Screens

    Chapter 32 SSL User Screens In any remote user screen, click the Add to Favorite icon. A screen displays. Accept the default name in the Name field or enter a descriptive name to identify this link. Click OK to create a bookmark in your web browser. Figure 461 Add Favorite 32.5 Logging Out of the SSL VPN User Screens To properly terminate a connection, click on the Logout icon in any remote user screen.
  • Page 657: SSL User File Sharing

    Chapter 32 SSL User Screens Figure 463 Application 32.7 SSL User File Sharing The File Sharing screen lets you access files on a file server through the SSL VPN connection. Use it to display and access shared files/folders on a file server. You can also perform the following actions: •...
  • Page 658: Opening A File Or Folder

    Chapter 32 SSL User Screens Figure 464 File Sharing 32.7.2 Opening a File or Folder You can open a file if the file extension is recognized by the web browser and the associated application is installed on your computer. Log in as a remote user and click the File Sharing tab. Click on a file share icon.
  • Page 659: Downloading A File

    Chapter 32 SSL User Screens A list of files/folders displays. Double click a file to open it in a separate browser window or select a file and click Download to save it to your computer. You can also click a folder to access it. For this example, click on a .doc file to open the Word document.
  • Page 660: Creating A New Folder

    Chapter 32 SSL User Screens Figure 467 File Sharing: Save a Word File 32.7.5 Creating a New Folder To create a new folder in the file share location, click the New Folder icon. Specify a descriptive name for the folder. You can enter up to 356 characters. Then click Add. Note: Make sure the length of the folder name does not exceed the maximum allowed on the file server.
  • Page 661: Deleting A File Or Folder

    Chapter 32 SSL User Screens A popup window displays. Specify the new name and/or file extension in the field provided. You can enter up to 356 characters. Then click Apply. Note: Make sure the length of the name does not exceed the maximum allowed on the file server.
  • Page 662: SecuExtender Screen

    Chapter 32 SSL User Screens Note: Uploading a file with the same name and file extension replaces the existing file on the file server. No warning message is displayed. 32.8 SecuExtender Screen Use the SecuExtender tab’s screen to download the client and see the latest SecuExtender versions available for Windows (latest version of Windows) and Mac (latest version of Mac), as well as the Current Version of the SecuExtender client that you have.
  • Page 663 Chapter 32 SSL User Screens Click SecuExtenderSetup.exe to begin the installation. There are some prerequisites to first install. Next install SecuExtender. Follow the wizard prompts. Click Install if you see a security warning.
  • Page 664 Chapter 32 SSL User Screens Next run and log into the SecuExtender client.
  • Page 665: Zyxel Device SecuExtender (Windows)

    Chapter 33 Zyxel Device SecuExtender (Windows) The Zyxel Device automatically loads the Zyxel Device SecuExtender for Windows client program to your computer after a successful login to an SSL VPN tunnel with network extension support enabled. Note: For information on using the Zyxel Device SecuExtender for Mac client program, please see its User’s Guide at the download library on the Zyxel website.
  • Page 666: View Log

    Chapter 33 Zyxel Device SecuExtender (Windows) Figure 474 Zyxel Device SecuExtender Status The following table describes the labels in this screen. Table 235 Zyxel Device SecuExtender Status LABEL DESCRIPTION Connection Status SecuExtender IP Address This is the IP address the Zyxel Device assigned to this remote user computer for an SSL VPN connection.
  • Page 667: Suspend And Resume The Connection

    Chapter 33 Zyxel Device SecuExtender (Windows) Figure 475 Zyxel Device SecuExtender Log Example ################################################################################## ############## [ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Build Datetime: Feb 24 2009/ 10:25:07 [ 2009/03/12 13:35:50 ][SecuExtender Agent][DEBUG] rasphone.pbk: C:\Documents and Settings\11746\rasphone.pbk [ 2009/03/12 13:35:50 ][SecuExtender Agent][DEBUG] SecuExtender.log: C:\Documents and Settings\11746\SecuExtender.log [ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL]...
  • Page 668 Chapter 33 Zyxel Device SecuExtender (Windows) Figure 476 Uninstalling the Zyxel Device SecuExtender Confirmation Windows uninstalls the Zyxel Device SecuExtender. Figure 477 Zyxel Device SecuExtender Uninstallation
  • Page 669: L2TP VPN

    Chapter 34 L2TP VPN 34.1 Overview L2TP VPN uses the L2TP and IPSec client software included in remote users’ Android, iOS, Windows or Mac OS X operating systems for secure connections to the network behind the Zyxel Device. The remote users do not need their own IPSec gateways or third-party VPN client software.
  • Page 670: L2TP VPN Screen

    Chapter 34 L2TP VPN • Use a VPN gateway with the Secure Gateway set to 0.0.0.0 if you need to allow L2TP VPN clients to connect from more than one IP address. Using the Quick Setup VPN Setup Wizard The VPN Setup Wizard is an easy and convenient way to configure the L2TP VPN settings. Click Configuration >...
  • Page 671 Chapter 34 L2TP VPN Figure 480 Configuration > VPN > L2TP VPN The following table describes the fields in this screen. Table 236 Configuration > VPN > L2TP VPN LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields. Create new...
  • Page 672: Example: L2TP And Zyxel Device Behind A NAT Router

    Chapter 34 L2TP VPN Table 236 Configuration > VPN > L2TP VPN (continued) LABEL DESCRIPTION Allowed User The remote user must log into the Zyxel Device to use the L2TP VPN tunnel. Select a user or user group that can use the L2TP VPN tunnel. Use Create new Object if you need to configure a new user account.
  • Page 673 Chapter 34 L2TP VPN Select Remote Access (Server Role) as the VPN scenario for the remote client. Select the NAT router WAN IP address object as the Local Policy. Go to Configuration > VPN > L2TP VPN and select the VPN Connection just configured.
  • Page 674: BWM (Bandwidth Management)

    Chapter 35 BWM (Bandwidth Management) 35.1 Overview Bandwidth management provides a convenient way to manage the use of various services on the network. It manages general protocols (for example, HTTP and FTP) and applies traffic prioritization to enhance the performance of delay-sensitive applications like voice and video.
  • Page 675 Chapter 35 BWM (Bandwidth Management) In the following example, you configure a Per user bandwidth management rule for radius-users to limit outgoing traffic to 300 kbps. Then all radius-users (A, B and C) can send 300 kbps of traffic. Figure 482 Bandwidth Management Per User Type DiffServ and DSCP Marking QoS is used to prioritize source-to-destination traffic flows.
  • Page 676 Chapter 35 BWM (Bandwidth Management) Figure 483 LAN1 to WAN Connection and Packet Directions Outbound and Inbound Bandwidth Limits You can limit an application’s outbound or inbound bandwidth. This limit keeps the traffic from using up too much of the out-going interface’s bandwidth. This way you can make sure there is bandwidth for other applications.
  • Page 677 Chapter 35 BWM (Bandwidth Management) Maximize Bandwidth Usage Maximize bandwidth usage allows applications with maximize bandwidth usage enabled to “borrow” any unused bandwidth on the out-going interface. After each application gets its configured bandwidth rate, the Zyxel Device uses the fairness-based scheduler to divide any unused bandwidth on the out-going interface amongst applications that need more bandwidth and have maximize bandwidth usage enabled.
  • Page 678: The Bandwidth Management Configuration

    Chapter 35 BWM (Bandwidth Management) Priority Effect Here the configured rates total more than the available bandwidth. Because server A has higher priority, it gets up to its configured rate (800 kbps), leaving only 200 kbps for server B. Table 238 Priority Effect POLICY CONFIGURED RATE MAX.
  • Page 679 Chapter 35 BWM (Bandwidth Management) The default bandwidth management policy is the one with the priority of “default”. It is the last policy the Zyxel Device checks if traffic does not match any other bandwidth management policies you have configured. You cannot remove, activate, deactivate or move the default bandwidth management policy.
  • Page 680 Chapter 35 BWM (Bandwidth Management) Table 241 Configuration > Bandwidth Management LABEL DESCRIPTION Outgoing Interface This is the destination interface of the traffic to which this policy applies. Source This is the source address or address group, including geographic address and FQDN (group) objects, for whom this policy applies.
  • Page 681: The Bandwidth Management Add/Edit Screen

    Chapter 35 BWM (Bandwidth Management) 35.2.1 The Bandwidth Management Add/Edit Screen The Configuration > Bandwidth Management Add/Edit screen allows you to create a new condition or edit an existing one. 802.1P Marking Use 802.1P to prioritize outgoing traffic from a VLAN interface. The Priority Code is a 3-bit field within a 802.1Q VLAN tag that’s used to prioritize associated outgoing VLAN traffic.
  • Page 682 Chapter 35 BWM (Bandwidth Management) Figure 488 Configuration > Bandwidth Management > Add/Edit The following table describes the labels in this screen. Table 245 Configuration > Bandwidth Management > Add/Edit LABEL DESCRIPTION Create new Object Use to configure any new settings objects that you need to use in this screen. Configuration Enable Select this check box to turn on this policy.
  • Page 683 Chapter 35 BWM (Bandwidth Management) Table 245 Configuration > Bandwidth Management > Add/Edit LABEL DESCRIPTION BWM Type This field displays the below types of BWM rule: • Shared, when the policy is set for all users • Per User, when the policy is set for an individual user or a user group •...
  • Page 684 Chapter 35 BWM (Bandwidth Management) Table 245 Configuration > Bandwidth Management > Add/Edit LABEL DESCRIPTION Inbound kbps Type how much inbound bandwidth, in kilobits per second, this policy allows the traffic to use. Inbound refers to the traffic the Zyxel Device sends to a connection’s initiator. If you enter 0 here, this policy does not apply bandwidth management for the matching traffic that the Zyxel Device sends to the initiator.
  • Page 685 Chapter 35 BWM (Bandwidth Management) 35.2.1.1 Adding Objects for the BWM Policy Objects are the parameters on which the policy rules are built. There are three kinds of objects you can add/edit for the BWM policy: User, Schedule and Address objects. Click Configuration > BWM > Add >...
  • Page 686 Chapter 35 BWM (Bandwidth Management) Table 246 Configuration > BWM > Create New Object > Add User LABEL DESCRIPTION Password Type a password for the user object. The password can consist of alphanumeric characters, the underscore, and some punctuation marks (+-/*= :; .! @$&%#~ ‘ \ () ), and it can be up to eight characters long.
  • Page 687 Chapter 35 BWM (Bandwidth Management) Figure 490 Configuration > BWM > Create New Object > Add Schedule The following table describes the fields in the above screen. Table 247 Configuration > BWM > Create New Object > Add Schedule LABEL DESCRIPTION Name Enter a name for the schedule object of the rule.
  • Page 688 Chapter 35 BWM (Bandwidth Management) Figure 491 Configuration > BWM > Create New Object > Add Address The following table describes the fields in the above screen. Table 248 Configuration > BWM > Create New Object > Add Address LABEL DESCRIPTION Name Enter a name for the Address object of the rule.
  • Page 689: Application Patrol

    Chapter 36 Application Patrol 36.1 Overview Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, HTTP and FTP) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP), and streaming (RTSP) applications.
  • Page 690: Application Patrol Profile

    Chapter 36 Application Patrol specific applications. Usually, this occurs at the beginning of a connection, when the payload is more consistent across connections, and the Zyxel Device examines several packets to make sure the match is correct. Before confirmation, packets are forwarded by App Patrol with no action taken. The number of packets inspected before confirmation varies by signature.
  • Page 691 Chapter 36 Application Patrol Figure 492 Configuration > UTM Profile > App Patrol > Profile The following table describes the labels in this screen. Table 249 Configuration > UTM Profile > App Patrol > Profile LABEL DESCRIPTION Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
  • Page 692: The Application Patrol Profile Add/Edit Screen

    Chapter 36 Application Patrol Table 249 Configuration > UTM Profile > App Patrol > Profile LABEL DESCRIPTION Current Version This field displays the App Patrol signature set version number. This number gets larger as the set is enhanced. Released Date This field displays the date and time the set was released.
  • Page 693: The Application Patrol Profile Rule Add Application Screen

    Chapter 36 Application Patrol Table 250 Configuration > UTM Profile > App Patrol > Profile > Add/Edit (continued) LABEL DESCRIPTION Profile Management Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
  • Page 694 Chapter 36 Application Patrol Table 251 Configuration > UTM Profile > App Patrol > Profile > Profile Management > Add/Edit LABEL DESCRIPTION Action Select the default action for all signatures in this category. forward - the Zyxel Device routes packets that match these signatures. drop - the Zyxel Device silently drops packets that match these signatures without notification.
  • Page 695: Content Filtering

    Chapter 37 Content Filtering 37.1 Overview Use the content filtering feature to control access to specific web sites or web content. 37.1.1 What You Can Do in this Chapter • Use the Filter Profile screens (Section 37.2 on page 697) to set up content filtering profiles.
  • Page 696 Chapter 37 Content Filtering • Restrict Web Features The Zyxel Device can disable web proxies and block web features such as ActiveX controls, Java applets and cookies. • Customize Web Site Access You can specify URLs to which the Zyxel Device blocks access. You can alternatively block access to all URLs except ones that you specify.
  • Page 697: Before You Begin

    Chapter 37 Content Filtering Finding Out More • See Section 37.5 on page 712 for content filtering background/technical information. 37.1.3 Before You Begin • You must configure an address object, a schedule object and a filtering profile before you can set up a content security policy.
  • Page 698 Chapter 37 Content Filtering The following table describes the labels in this screen. Table 252 Configuration > UTM Profile > Content Filter > Profile LABEL DESCRIPTION General Settings Enable Content Filter Report Service Select this check box to have the Zyxel Device collect category-based content filtering statistics.
  • Page 699: Content Filter Add Profile Category Service

    Chapter 37 Content Filtering Table 252 Configuration > UTM Profile > Content Filter > Profile (continued) LABEL DESCRIPTION Service Type This read-only field displays what kind of service registration you have for the content-filtering database. None displays if you have not successfully registered and activated the service. Standard displays if you have successfully registered the Zyxel Device and activated the service.
  • Page 700 Chapter 37 Content Filtering Figure 496 Content Filter > Profile > Add Filter Profile > Category Service
  • Page 701 Chapter 37 Content Filtering The following table describes the labels in this screen. Table 253 Configuration > UTM Profile> Content Filter > Profile > Add > Category Service LABEL DESCRIPTION Service Status This read-only field displays the status of your content-filtering database service registration.
  • Page 702 Chapter 37 Content Filtering Table 253 Configuration > UTM Profile> Content Filter > Profile > Add > Category Service (continued) LABEL DESCRIPTION Action for Security Threat Web Pages Select Pass to allow users to access web pages that match the Security Threat categories that you select below.
  • Page 703 Chapter 37 Content Filtering Table 253 Configuration > UTM Profile> Content Filter > Profile > Add > Category Service (continued) LABEL DESCRIPTION Security Threat These are the categories of web pages that are known to pose a security threat to users or their computers.
  • Page 704 Chapter 37 Content Filtering Table 254 Managed Category Descriptions (continued) Alcohol & Tobacco Sites that promote or sell alcohol- or tobacco-related products or services. For example, www.drinks.com.tw, www.p9.com.tw, beer.ttl.com.tw. Arts Sites with artistic content or relating to artistic institutions such as theaters, museums, galleries, dance companies, photography, and digital graphic resources.
  • Page 705 Chapter 37 Content Filtering Table 254 Managed Category Descriptions (continued) General Sites that do not clearly fall into other categories, for example, blank Web pages. For example, bs.serving-sys.com, simg.sinajs.cn, i0.itc.cn. Government Sites run by governmental organizations, departments, or agencies, including police departments, fire departments, customs bureaus, emergency services, civil defense, counter-terrorism organizations, military and hospitals.
  • Page 706 Chapter 37 Content Filtering Table 254 Managed Category Descriptions (continued) Personal Sites Sites about or hosted by personal individuals, including those hosted on commercial sites. For example, blog.yam.com, www.wretch.cc, blog.xuite.net. Politics Sites that promote political parties or political advocacy, or provide information about political parties, interest groups, elections, legislation or lobbying.
  • Page 707: Content Filter Add Filter Profile Custom Service

    Chapter 37 Content Filtering Table 254 Managed Category Descriptions (continued) Transportation Sites that provide information about motor vehicles such as cars, motorcycles, boats, trucks, RVs and the like. Includes manufacturer sites, dealerships, review sites, pricing, online purchase sites, enthusiasts clubs, etc. For example, www.toyota.com.tw, www.ford.com.tw, www.sym.com.tw.
  • Page 708 Chapter 37 Content Filtering Figure 497 Configuration > UTM Profile > Content Filter > Filter Profile > Custom Service The following table describes the labels in this screen. Table 255 Configuration > UTM Profile > Content Filter > Profile > Custom Service LABEL DESCRIPTION Name...
  • Page 709 Chapter 37 Content Filtering Table 255 Configuration > UTM Profile > Content Filter > Profile > Custom Service (continued) LABEL DESCRIPTION Allow Web traffic for trusted web sites only When this box is selected, the Zyxel Device blocks Web access to sites that are not on the Trusted Web Sites list.
  • Page 710: Content Filter Trusted Web Sites Screen

    Chapter 37 Content Filtering Table 255 Configuration > UTM Profile > Content Filter > Profile > Custom Service (continued) LABEL DESCRIPTION This displays the index number of the forbidden web sites. Forbidden Web Sites This list displays the forbidden web sites already added. Enter host names such as www.bad-site.com into this text field.
  • Page 711: Content Filter Forbidden Web Sites Screen

    Chapter 37 Content Filtering Figure 498 Configuration > UTM Profile > Content Filter > Trusted Web Sites The following table describes the labels in this screen. Table 256 Configuration > UTM Profile > Content Filter > Trusted Web Sites LABEL DESCRIPTION Common Trusted Web Sites These are sites that you want to allow access to, regardless of their content...
  • Page 712: Content Filter Technical Reference

    Chapter 37 Content Filtering Figure 499 Configuration > UTM Profile > Content Filter > Forbidden Web Sites The following table describes the labels in this screen. Table 257 Configuration > UTM Profile > Content Filter > Forbidden Web Sites LABEL DESCRIPTION Forbidden Web Site List Sites that you want to block access to, regardless of their content rating, can be...
  • Page 713 Chapter 37 Content Filtering Figure 500 Content Filter Lookup Procedure A computer behind the Zyxel Device tries to access a web site. The Zyxel Device looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site’s category will be in the Zyxel Device’s cache.
  • Page 714: IDP

    Chapter 38 IDP 38.1 Overview This chapter introduces packet inspection IDP (Intrusion Detection and Prevention), IDP profiles, binding an IDP profile to a traffic flow, custom signatures and updating signatures. An IDP system can detect malicious or suspicious packets and respond instantaneously. IDP on the Zyxel Device protects against network-based intrusions.
  • Page 715: The IDP Profile Screen

    Chapter 38 IDP 38.2 The IDP Profile Screen An IDP profile is a set of packet inspection signatures. Click Configuration > UTM Profile > IDP > Profile to open this screen. Use this screen to view registration and signature information. Note: You must register in order to update packet inspection signatures.
  • Page 716: Base Profiles

    Chapter 38 IDP Table 258 Configuration > UTM Profile > IDP > Profile (continued) LABEL DESCRIPTION Clone Use Clone to create a new entry by modifying an existing one. • Select an existing entry. • Click Clone. • A configuration copy of the selected entry pops up. You must at least change the name as duplicate entry names are not allowed.
  • Page 717: Adding / Editing Profiles

    Chapter 38 IDP Figure 502 Base Profiles The following table describes this screen. Table 259 Base Profiles BASE PROFILE DESCRIPTION none All signatures are disabled. No logs are generated nor actions are taken. All signatures are enabled. Signatures with a high or severe severity level (greater than three) generate log alerts and cause packets that trigger them to be dropped.
  • Page 718: Profile > Group View Screen

    Chapter 38 IDP You could create a new ‘monitor profile’ that creates logs but all actions are disabled. Observe the logs over time and try to eliminate the causes of the false alarms. When you’re satisfied that they have been reduced to an acceptable level, you could then create an ‘inline profile’...
  • Page 719 Chapter 38 IDP The following table describes the fields in this screen. Table 260 Configuration > UTM Profile > IDP > Profile > Add > Group View LABEL DESCRIPTION Name This is the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 720 Chapter 38 IDP Table 260 Configuration > UTM Profile> IDP > Profile > Add > Group View (continued) LABEL DESCRIPTION Action To edit what action the Zyxel Device takes when a packet matches a signature, select the signature and use the Action icon. none: Select this action on an individual signature or a complete service group to have the Zyxel Device take no action when a packet matches the signature(s).
  • Page 721: Add Profile > Query View

    Chapter 38 IDP Table 260 Configuration > UTM Profile> IDP > Profile > Add > Group View (continued) LABEL DESCRIPTION To edit an item’s log option, select it and use the Log icon. These are the log options: no: Select this option on an individual signature or a complete service group to have the Zyxel Device create no log when a packet matches a signature(s).
  • Page 722 Chapter 38 IDP Policy Types This table describes Policy Types as categorized in the Zyxel Device. Table 261 Policy Types POLICY TYPE DESCRIPTION Access Control Access control refers to procedures and controls that limit or detect access. Access control attacks try to bypass validation checks in order to access network resources such as servers, directories, and files.
  • Page 723 Chapter 38 IDP Table 261 Policy Types (continued) POLICY TYPE DESCRIPTION SPAM Spam is unsolicited “junk” e-mail sent to large numbers of people to promote products or services. Stream Media A Stream Media attack occurs when a malicious network node downloads an overwhelming amount of media stream data that could potentially exhaust the entire system.
  • Page 724 Chapter 38 IDP Figure 504 Configuration > UTM Profile> IDP > Profile: Query View The following table describes the fields specific to this screen’s query view. Table 263 Configuration > UTM Profile > IDP > Profile: Query View LABEL DESCRIPTION Name This is the name of the profile that you created in the IDP >...
  • Page 725: Query Example

    Chapter 38 IDP Table 263 Configuration > UTM Profile > IDP > Profile: Query View (continued) LABEL DESCRIPTION Severity Search for signatures by severity level(s). Hold down the [Ctrl] key if you want to make multiple selections. These are the severities as defined in the Zyxel Device. The number in brackets is the number you use if using commands.
  • Page 726: IDP Custom Signatures

    Chapter 38 IDP Figure 505 Query Example Search 38.3 IDP Custom Signatures Create custom signatures for new attacks or attacks peculiar to your network. Custom signatures can also be saved to/from your computer so as to share with others. You need some knowledge of packet headers and attack types to create your own custom signatures. IP Packet Header These are the fields in an Internet Protocol (IP) version 4 packet header.
  • Page 727 Chapter 38 IDP Figure 506 IP v4 Packet Headers The header fields are discussed in the following table. Table 264 IP v4 Packet Headers HEADER DESCRIPTION Version The value 4 indicates IP version 4. IP Header Length is the number of 32 bit words forming the total length of the header (usually five).
  • Page 728 Chapter 38 IDP signature or click the Edit icon to edit an existing signature. You can also delete custom signatures here or save them to your computer. Note: The Zyxel Device checks all signatures and continues searching even after a match is found.
  • Page 729: Add / Edit Custom Signatures

    Chapter 38 IDP Table 265 Configuration > UTM Profile > IDP > Custom Signatures (continued) LABEL DESCRIPTION Customer Signature Rule Importing Use this part of the screen to import custom signatures (previously saved to your computer) to the Zyxel Device. Note: The name of the complete custom signature file on the Zyxel Device is ‘custom.rules’.
  • Page 730 Chapter 38 IDP Figure 508 Configuration > UTM Profile > IDP > Custom Signatures > Add/Edit
  • Page 731 Chapter 38 IDP The following table describes the fields in this screen. Table 266 Configuration > UTM Profile > IDP > Custom Signatures > Add/Edit LABEL DESCRIPTION Name Type the name of your custom signature. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 732 Chapter 38 IDP Table 266 Configuration > UTM Profile > IDP > Custom Signatures > Add/Edit (continued) LABEL DESCRIPTION IP Options IP options is a variable-length list of IP options for a datagram that define IP Security Option, IP Stream Identifier, (security and handling restrictions for the military), Record Route (have each router record its IP address), Loose Source Routing (specifies a list of IP addresses that must be traversed by the datagram), Strict Source Routing (specifies a list of IP addresses that must ONLY be traversed by the datagram), Timestamp (have each...
  • Page 733: Custom Signature Example

    Chapter 38 IDP Table 266 Configuration > UTM Profile > IDP > Custom Signatures > Add/Edit (continued) LABEL DESCRIPTION Payload Size This field may be used to check for abnormally sized packets or for detecting buffer overflows. Select the check box, then select Equal, Smaller or Greater and then type the payload size.
  • Page 734 Chapter 38 IDP 38.3.2.1 Understand the Vulnerability Check the Zyxel Device logs when the attack occurs. Use web sites such as Google or Security Focus to get as much information about the attack as you can. The more specific your signature, the less chance it will cause false positives.
  • Page 735: Applying Custom Signatures

    Chapter 38 IDP From the details about DNS query you see that the protocol is UDP and the port is 53. The type of DNS packet is standard query and the Flag is 0x0100 with an offset of 2. Therefore enter |010| as the first pattern.
  • Page 736: IDP Technical Reference

    Chapter 38 IDP The Priority column shows warn for signatures that are configured to generate a log only. It shows critical for signatures that are configured to generate a log and alert. All IDP signatures come under the IDP category. The Note column displays ACCESS FORWARD when no action is configured for the signature. It displays ACCESS DENIED if you configure the signature action to drop the packet.
  • Page 737 Chapter 38 IDP Snort Signatures You may want to refer to open source Snort signatures when creating custom Zyxel Device ones. Most Snort rules are written in a single line. Snort rules are divided into two logical sections, the rule header and the rule options as shown in the following example: alert tcp any any ->...
  • Page 738 Chapter 38 IDP Table 267 Zyxel Device - Snort Equivalent Terms (continued) ZYXEL DEVICE TERM SNORT EQUIVALENT TERM Payload Options (Snort rule options) Payload Size dsize Offset (relative to start of payload) offset Relative to end of last match distance Content content Case-insensitive...
  • Page 739: Anti-Virus

    Chapter 39 Anti-Virus 39.1 Overview Use the Zyxel Device’s anti-virus feature to protect your connected network from virus/spyware infection. The Zyxel Device checks traffic going in the direction(s) you specify for signature matches. In the following figure the Zyxel Device is set to check traffic coming from the WAN zone (which includes two interfaces) to the LAN zone.
  • Page 740 Chapter 39 Anti-Virus Anti-Virus Licensing The Zyxel Device downloads signature sets after it is registered and the anti-virus license is activated at myZyxel. A signature is a unique string of bits, or binary pattern, of a virus. A signature acts as a fingerprint that can be used to detect and identify a specific virus.
  • Page 741: What You Can Do In This Chapter

    Chapter 39 Anti-Virus • Encrypted traffic. This could be password-protected files or VPN traffic where the Zyxel Device is not the endpoint (pass-through VPN traffic). • Traffic through custom (non-standard) ports. The Zyxel Device scans whatever port number is specified for FTP in the ALG screen. •...
  • Page 742 Chapter 39 Anti-Virus Figure 513 Configuration > UTM Profile > Anti-Virus > Profile The following table describes the labels in this screen. Table 268 Configuration > UTM Profile > Anti-Virus > Profile LABEL DESCRIPTION General Setting Scan and detect EICAR test virus Select this option to have the Zyxel Device check for the EICAR test file and treat it in the same way as a real virus file.
  • Page 743: Anti-Virus Profile Add Or Edit

    Chapter 39 Anti-Virus Table 268 Configuration > UTM Profile > Anti-Virus > Profile (continued) LABEL DESCRIPTION Service Status This field displays whether a service license is enabled at myZyxel (Activated) or not (Not Activated) or expired (Expired). It displays the remaining Grace Period if your license has Expired.
  • Page 744 Chapter 39 Anti-Virus Figure 514 Configuration > UTM Profile > Anti-Virus > Profile: Profile Management > Add The following table describes the labels in this screen. Table 269 Configuration > UTM > Anti-Virus > Profile: Profile Management > Add LABEL DESCRIPTION Configuration Name...
  • Page 745: Anti-Virus Black List

    Chapter 39 Anti-Virus Table 269 Configuration > UTM > Anti-Virus > Profile: Profile Management > Add (continued) LABEL DESCRIPTION Enable file Select this check box to have the Zyxel Device scan a compressed file (the file does not decompression (ZIP need to have a “zip”...
  • Page 746: Anti-Virus Black List Or White List Add/Edit

    Chapter 39 Anti-Virus The following table describes the labels in this screen. Table 270 Configuration > UTM Profile > Anti-Virus > Black/White List > Black List LABEL DESCRIPTION Enable Black List Select this check box to log and delete files with names that match the black list patterns. Use the black list to log and delete files with names that match the black list patterns.
  • Page 747: Anti-Virus Black/White List

    Chapter 39 Anti-Virus The following table describes the labels in this screen. Table 271 Configuration > UTM Profile > Anti-Virus > Black/White List > Black List (or White List) > Add LABEL DESCRIPTION Enable If this is a black list entry, select this option to have the Zyxel Device apply this entry when using the black list.
  • Page 748: AV Signature Searching

    Chapter 39 Anti-Virus Figure 517 Configuration > UTM Profile > Anti-Virus > Black/White List > White List The following table describes the labels in this screen. Table 272 Configuration > UTM Profile > Anti-Virus > Black/White List > White List LABEL DESCRIPTION Enable White List...
  • Page 749: Anti-Virus Technical Reference

    Chapter 39 Anti-Virus Figure 518 Configuration > UTM Profile > Anti-Virus > Signature The following table describes the labels in this screen. Table 273 Configuration > UTM > Anti-Virus > Signature LABEL DESCRIPTION Signatures Search Enter the name, part of the name or keyword of the signature(s) you want to find. This search is not case-sensitive and accepts numerical strings.
  • Page 750 Chapter 39 Anti-Virus Computer Virus Infection and Prevention The following describes a simple life cycle of a computer virus. A computer gets a copy of a virus from a source such as the Internet, e-mail, file sharing or any removable storage media. The virus is harmless until the execution of an infected program. The virus spreads to other files and programs on the computer.
  • Page 751: Anti-Spam

    Chapter 40 Anti-Spam 40.1 Overview The anti-spam feature can mark or discard spam (unsolicited commercial or junk e-mail). Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail. The Zyxel Device can also check e-mail against a DNS black list (DNSBL) of IP addresses of servers that are suspected of being used by spammers.
  • Page 752: Before You Begin

    Chapter 40 Anti-Spam SMTP and POP3 Simple Mail Transfer Protocol (SMTP) is the Internet’s message transport standard. It controls the sending of e-mail messages between servers. E-mail clients (also called e-mail applications) then use mail server protocols such as POP (Post Office Protocol) or IMAP (Internet Message Access Protocol) to retrieve e-mail.
  • Page 753: The Anti-Spam Profile Screen

    Chapter 40 Anti-Spam 40.3 The Anti-Spam Profile Screen Click Configuration > UTM Profile > Anti-Spam to open the Anti-Spam Profile screen. Use this screen to turn the anti-spam feature on or off and manage anti-spam policies. You can also select the action the Zyxel Device takes when the mail sessions threshold is reached.
  • Page 754: The Anti-Spam Profile Add Or Edit Screen

    Chapter 40 Anti-Spam Table 275 Configuration > UTM Profile > Anti-Spam > Profile LABEL DESCRIPTION Description This is some optional extra information on the rule. Scan Options This shows which types (protocols) of traffic to scan for spam. Reference This shows how many objects are referenced in the rule. Service Service Status This field displays whether a service license is enabled at myZyxel (Activated) or not (Not...
  • Page 755 Chapter 40 Anti-Spam Figure 520 Configuration > UTM Profile > Anti-Spam > Profile > Add The following table describes the labels in this screen. Table 276 Configuration > UTM Profile > Anti-Spam > Profile > Add LABEL DESCRIPTION General Settings Name Enter a descriptive name for this anti-spam rule.
  • Page 756: The Mail Scan Screen

    Chapter 40 Anti-Spam Table 276 Configuration > UTM Profile > Anti-Spam > Profile > Add (continued) LABEL DESCRIPTION Check Mail Content Select this to identify Spam Email by content, such as malicious content. Check Virus Outbreak Select this to scan emails for attached viruses. Check DNSBL Select this check box to check e-mail against the Zyxel Device’s configured DNSBL...
  • Page 757 Chapter 40 Anti-Spam Figure 521 Configuration > UTM Profile > Anti-Spam > Mail Scan The following table describes the labels in this screen. Table 277 Configuration > UTM Profile > Anti-Spam > Mail Scan LABEL DESCRIPTION Sender Reputation Enable Sender Select this to have the Zyxel Device scan for spam e-mail by IP Reputation.
  • Page 758: The Anti-Spam Black List Screen

    Chapter 40 Anti-Spam Table 277 Configuration > UTM Profile > Anti-Spam > Mail Scan LABEL DESCRIPTION Enable Virus Outbreak Detection This scans emails for attached viruses. Virus Outbreak Tag Enter a message or label (up to 15 ASCII characters) to add to the beginning of the mail subject of e-mails that are determined to have an attached virus.
  • Page 759 Chapter 40 Anti-Spam Figure 522 Configuration > UTM Profile > Anti-Spam > Black/White List > Black List The following table describes the labels in this screen. Table 278 Configuration > UTM Profile > Anti-Spam > Black/White List > Black List LABEL DESCRIPTION General Settings...
  • Page 760: The Anti-Spam Black Or White List Add/Edit Screen

    Chapter 40 Anti-Spam 40.5.1 The Anti-Spam Black or White List Add/Edit Screen In the anti-spam Black List or White List screen, click the Add icon or an Edit icon to display the following screen. Use this screen to configure an anti-spam black list entry to identify spam e-mail. You can create entries based on specific subject text, or the sender’s or relay’s IP address or e-mail address.
  • Page 761: Regular Expressions In Black Or White List Entries

    Chapter 40 Anti-Spam Table 279 Configuration > UTM Profile > Anti-Spam > Black/White List > Black/White List > Add LABEL DESCRIPTION Mail Header Field Name This field displays when you select the Mail Header type. Type the name part of an e-mail header (the part that comes before the colon). Use up to 63 ASCII characters.
  • Page 762 Chapter 40 Anti-Spam Figure 524 Configuration > UTM Profile > Anti-Spam > Black/White List > White List The following table describes the labels in this screen. Table 280 Configuration > UTM Profile > Anti-Spam > Black/White List > White List LABEL DESCRIPTION General Settings...
  • Page 763: The DNSBL Screen

    Chapter 40 Anti-Spam 40.7 The DNSBL Screen Click Configuration > UTM Profile > Anti-Spam > DNSBL to display the anti-spam DNSBL screen. Use this screen to configure the Zyxel Device to check the sender and relay IP addresses in e-mail headers against DNS (Domain Name Service)-based spam Black Lists (DNSBLs).
  • Page 764 Chapter 40 Anti-Spam The following table describes the labels in this screen. Table 281 Configuration > UTM Profile > Anti-Spam > DNSBL LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields. Enable DNS Black List Select this to have the Zyxel Device check the sender and relay IP addresses in e-mail...
  • Page 765: Anti-Spam Technical Reference

    Chapter 40 Anti-Spam Table 281 Configuration > UTM Profile > Anti-Spam > DNSBL (continued) LABEL DESCRIPTION Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. This is the entry’s index number in the list. DNSBL Domain This is the name of a domain that maintains DNSBL servers.
  • Page 766 Chapter 40 Anti-Spam Figure 526 DNSBL Spam Detection Example The Zyxel Device receives an e-mail that was sent from IP address a.a.a.a and relayed by an e-mail server at IP address b.b.b.b. The Zyxel Device sends a separate query to each of its DNSBL domains for IP address a.a.a.a.
  • Page 767 Chapter 40 Anti-Spam Figure 527 DNSBL Legitimate E-mail Detection Example The Zyxel Device receives an e-mail that was sent from IP address c.c.c.c and relayed by an e-mail server at IP address d.d.d.d.
  • Page 768 Chapter 40 Anti-Spam Figure 528 Conflicting DNSBL Replies Example The Zyxel Device receives an e-mail that was sent from IP address a.b.c.d and relayed by an e-mail server at IP address w.x.y.z.
  • Page 769: SSL Inspection

    Chapter 41 SSL Inspection 41.1 Overview Secure Socket Layer (SSL) traffic, such as https://www.google.com/ (HTTPS), FTPs, POP3s, SMTPs, etc. is encrypted, and cannot be inspected using Unified Threat Management (UTM) profiles such as App Patrol, Content Filter, Intrusion, Detection and Prevention (IDP), or Anti-Virus. The Zyxel Device uses SSL Inspection to decrypt SSL traffic, sends it to the UTM engines for inspection, then encrypts traffic that passes inspection and forwards it to the destination server, such as Google.
  • Page 770: Before You Begin

    Chapter 41 SSL Inspection • 3DES • AES (Advanced Encryption Standard) • SSLv3/TLS1.0 (Transport Layer Security) Support • SSLv3/TLS1.0 is currently supported with option to pass or block SSLv2 traffic • Traffic using TLS1.1 (Transport Layer Security) or TLS1.2 is downgraded to TLS1.0 for SSL Inspection •...
  • Page 771: Add / Edit SSL Inspection Profiles

    Chapter 41 SSL Inspection Table 282 Configuration > UTM Profile > SSL Inspection > Profile (continued) LABEL DESCRIPTION References Select an entry and click References to open a screen that shows which settings use the entry. Click Refresh to update information on this screen. This is the entry’s index number in the list.
  • Page 772 Chapter 41 SSL Inspection Table 283 Configuration > UTM Profile > SSL Inspection > Profile > Add / Edit (continued) LABEL DESCRIPTION Severity Level Select a severity level and then use the icons to enable/disable and configure logs and actions for all signatures of that level. Action for SSL Inspection supports SSLv3 and TLS1.0.
  • Page 773: Exclude List Screen

    Chapter 41 SSL Inspection Table 283 Configuration > UTM Profile > SSL Inspection > Profile > Add / Edit (continued) LABEL DESCRIPTION Action To edit what action the Zyxel Device takes when a packet matches a signature, select the signature and use the Action icon. none: Select this action on an individual signature or a complete service group to have the Zyxel Device take no action when a packet matches the signature(s).
  • Page 774 Chapter 41 SSL Inspection Figure 532 Configuration > UTM Profile > SSL Inspection > Exclude List (> Add/Edit) The following table describes the fields in this screen. Table 284 Configuration > UTM Profile > SSL Inspection > Exclude List LABEL DESCRIPTION General Settings Enable Logs for...
  • Page 775: Certificate Update Screen

    Chapter 41 SSL Inspection 41.4 Certificate Update Screen Use this screen to update the latest certificates of servers using SSL connections to the Zyxel Device network. User U sends an SSL request to destination server D (1), via the Zyxel Device, Z. D replies (2); Z intercepts the response from D and checks if the certificate has been previously signed.
  • Page 776: Install A CA Certificate In A Browser

    Chapter 41 SSL Inspection Table 285 Configuration > UTM Profile > SSL Inspection > Certificate Update (continued) LABEL DESCRIPTION Auto Update Select this to automatically have the Zyxel Device update the certificate set when a new one becomes available on myZyxel. Apply Click Apply to save your settings to the Zyxel Device.
  • Page 777 Chapter 41 SSL Inspection 41.5.0.1 Firefox Browser If you’re using a Firefox browser, in addition to the above you need to do the following to import a certificate into the browser. Click Tools > Options > Advanced > Encryption > View Certificates, click Import and enter the filename of the certificate you want to import.
  • Page 778: Device HA

    Chapter 42 Device HA 42.1 Device HA Overview Device HA lets a backup (or passive) Zyxel Device (B) automatically take over if the master (or active) Zyxel Device (A) fails. Figure 535 Device HA Backup Taking Over for the Master 42.1.1 Device HA and Device HA Pro Differences The following table displays the feature differences between Device HA and Device HA Pro.
  • Page 779: What You Can Do In These Screens

    Chapter 42 Device HA Table 286 Device HA Vs Device HA Pro FEATURE DEVICE HA DEVICE HA PRO Maximum 5 (default) to 50. Can be reset by command. Failover Count Best case 10~30 seconds to rebuild 0~1 seconds. Failover delay connections.
  • Page 780: Before You Begin

    Chapter 42 Device HA 42.2.1 Before You Begin • Configure a static IP address for each interface that you will have Device HA monitor. Note: Subscribe to services on the backup Zyxel Device before synchronizing it with the master Zyxel Device. Synchronization includes updates for services to which the master and backup Zyxel Devices are both subscribed.
  • Page 781 Chapter 42 Device HA The following table describes the labels in this screen. Table 287 Configuration > Device HA > General LABEL DESCRIPTION Enable Device Select this to turn the Zyxel Device’s Device HA feature on. System > FTP is enabled automatically when you enable Device HA Pro.
  • Page 782: The Device HA Screen

    Chapter 42 Device HA Table 287 Configuration > Device HA > General (continued) LABEL DESCRIPTION Register Now Click the link to go to myZyxel where you can register your Zyxel Device and activate the service. This link is available only when the service is not activated yet. Apply Click Apply to save your changes back to the Zyxel Device.
  • Page 783: Configuring Device HA

    Chapter 42 Device HA Monitored Interfaces in Device HA You can select which interfaces Device HA monitors. If a monitored interface on the Zyxel Device loses its connection, Device HA has the backup Zyxel Device take over. Enable monitoring for the same interfaces on the master and backup Zyxel Devices. Each monitored interface must have a static IP address and be connected to the same subnet as the corresponding interface on the backup or master Zyxel Device.
  • Page 784 Chapter 42 Device HA Figure 541 Configuration > Device HA > Device HA
  • Page 785 Chapter 42 Device HA The following table describes the labels in this screen. See Section 42.3.2 on page 786 for more information as well. Table 288 Configuration > Device HA > Device HA LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields. Device Role...
  • Page 786: Device HA Edit Monitored Interface

    Chapter 42 Device HA Table 288 Configuration > Device HA > Device HA LABEL DESCRIPTION Management IP / Netmask This field displays the interface’s management IP address and subnet mask. You can use this IP address and subnet mask to access the Zyxel Device whether it is in master or backup mode.
  • Page 787 Chapter 42 Device HA If you configure Device HA settings for an Ethernet interface and later add the Ethernet interface to a bridge, the Zyxel Device retains the interface’s Device HA settings and uses them again if you later remove the interface from the bridge. If the bridge is later deleted or the interface is removed from it, Device HA will recover the interface’s setting.
  • Page 788: Device HA Technical Reference

    Chapter 42 Device HA 42.3.3 Device HA Technical Reference Device HA with Bridge Interfaces Here are two ways to avoid a broadcast storm when you connect the bridge interfaces on two Zyxel Devices. First Option for Connecting the Bridge Interfaces on Two Zyxel Devices The first way is to activate Device HA before connecting the bridge interfaces as shown in the following example.
  • Page 789 Chapter 42 Device HA Connect the Zyxel Devices. Second Option for Connecting the Bridge Interfaces on Two Zyxel Devices Another option is to disable the bridge interfaces, connect the bridge interfaces, activate Device HA, and finally reactivate the bridge interfaces as shown in the following example.
  • Page 790 Chapter 42 Device HA Synchronization During synchronization, the master Zyxel Device sends the following information to the backup Zyxel Device. • Startup configuration file (startup-config.conf) • AV signatures • IDP and application patrol signatures •...
  • Page 791: Device HA > Device HA Pro

    Chapter 42 Device HA 42.4 Device HA > Device HA Pro Active and Passive Devices Device HA Pro uses a dedicated heartbeat link between an active device (‘master’) and a passive device (‘backup’) for status syncing and backup to the passive device. On the passive device, all ports are disabled except for the port with the heartbeat link.
  • Page 792: Configuring Device HA Pro

    Chapter 42 Device HA Note: If both Zyxel Devices are turned on at the same time with Device HA enabled, then they may send the heartbeat at the same time. In this case, the Zyxel Device with the bigger MAC address becomes the passive Zyxel Device. When using Device HA Pro to synchronize firmware, the location of the running firmware must be the same in both active and passive Zyxel Devices.
  • Page 793 Chapter 42 Device HA Table 290 Configuration > Device HA > Device HA Pro LABEL DESCRIPTION Enable Configuration Provisioning From Active Device. Select this to have a passive Zyxel Device copy the active Zyxel Device’s configuration, signatures (anti-virus, IDP/application patrol, and system protect),...
  • Page 794: Object

    Chapter 43 Object 43.1 Zones Overview Set up zones to configure network security and network policies in the Zyxel Device. A zone is a group of interfaces and/or VPN tunnels. The Zyxel Device uses zones instead of interfaces in many security and policy settings, such as Secure Policies rules, UTM Profile, and remote management.
  • Page 795: The Zone Screen

    Chapter 43 Object Intra-zone Traffic Intra-zone traffic is traffic between interfaces or VPN tunnels in the same zone. For example, in Figure 546 on page 794, traffic between VLAN 2 and the Ethernet is intra-zone traffic. Inter-zone Traffic Inter-zone traffic is traffic between interfaces or VPN tunnels in different zones. For example, in Figure 546 on page 794, traffic between VLAN 1 and the Internet is inter-zone traffic.
  • Page 796 Chapter 43 Object Table 291 Configuration > Object > Zone (continued) LABEL DESCRIPTION Member This field displays the names of the interfaces that belong to each zone. Reference This field displays the number of times an Object Reference is used in a policy. 43.1.2.1 Zone Edit The Zone Edit screen allows you to add or edit a zone.
  • Page 797: User/Group Overview

    Chapter 43 Object 43.2 User/Group Overview This section describes how to set up user accounts, user groups, and user settings for the Zyxel Device. You can also set up rules that control when users have to log in to the Zyxel Device before the Zyxel Device routes traffic for them.
  • Page 798 Chapter 43 Object Ext-User Accounts Set up an ext-user account if the user is authenticated by an external server and you want to set up specific policies for this user in the Zyxel Device. If you do not want to set up policies for this user, you do not have to set up an ext-user account.
  • Page 799: User/Group User Summary Screen

    Chapter 43 Object User Groups User groups may consist of user accounts or other user groups. Use user groups when you want to create the same rule for several user accounts, instead of creating separate rules for each one. Note: You cannot put access users and admin users in the same user group. Note: You cannot put the default admin account into any user group.
  • Page 800 Chapter 43 Object Table 294 Configuration > Object > User/Group > User (continued) LABEL DESCRIPTION Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. References Select an entry and click References to open a screen that shows which settings use the entry. This field is a sequential value, and it is not associated with a specific user.
  • Page 801 Chapter 43 Object • operator • radius-users • root • shutdown • sshd • sync • uucp • zyxel To access this screen, go to the User screen (see Section 43.15.1 on page 902), and click either the Add icon or an Edit icon. Figure 550 Configuration >...
  • Page 802 Chapter 43 Object Table 295 Configuration > Object > User/Group > User > Add (continued) LABEL DESCRIPTION Group Identifier This field is available for an ext-group-user type user account. Specify the value of the AD or LDAP server’s Group Membership Attribute that identifies the group to which this user belongs.
  • Page 803: User/Group Group Summary Screen

    Chapter 43 Object Table 295 Configuration > Object > User/Group > User > Add (continued) LABEL DESCRIPTION Reauthentication Time: If you select Use Default Settings in the Authentication Timeout Settings field, the default lease time is shown. If you select Use Manual Settings, you need to type the number of minutes this user can be logged into the Zyxel Device in one session before the user has to log in again.
  • Page 804: User/Group Setting Screen

    Chapter 43 Object Table 296 Configuration > Object > User/Group > Group (continued) LABEL DESCRIPTION Member This field lists the members in the user group. Each member is separated by a comma. Reference This displays the number of times an object reference is used in a profile. 43.2.3.1 Group Add/Edit Screen The Group Add/Edit screen allows you to create a new user group or edit an existing one.
  • Page 805 Chapter 43 Object To access this screen, log in to the Web Configurator, and click Configuration > Object > User/Group > Setting. Figure 555 Configuration > Object > User/Group > Setting The following table describes the labels in this screen. Table 298 Configuration > Object > User/Group > Setting LABEL DESCRIPTION User Authentication Timeout Settings...
  • Page 806 Chapter 43 Object Table 298 Configuration > Object > User/Group > Setting (continued) LABEL DESCRIPTION User Type These are the kinds of user account the Zyxel Device supports. • admin - this user can look at and change the configuration of the Zyxel Device •...
  • Page 807 Chapter 43 Object Table 298 Configuration > Object > User/Group > Setting (continued) LABEL DESCRIPTION Limit the number of simultaneous logons for administration account: Select this check box if you want to set a limit on the number of simultaneous logins by admin users. If you do not select this, admin users can log in as many times as they want at the same time using the same or different IP addresses.
  • Page 808 Chapter 43 Object The following table describes the labels in this screen. Table 299 Configuration > Object > User/Group > Setting > Edit LABEL DESCRIPTION User Type This read-only field identifies the type of user account for which you are configuring the default settings.
  • Page 809: User/Group Mac Address Summary Screen

    Chapter 43 Object The following table describes the labels in this screen. Table 300 Web Configurator for Non-Admin Users LABEL DESCRIPTION User-defined Access users can specify a lease time shorter than or equal to the one that you specified. The lease time (max default value is the lease time that you specified.
  • Page 810: User /Group Technical Reference

    Chapter 43 Object Table 301 Configuration > Object > User/Group > MAC Address (continued) LABEL DESCRIPTION Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. MAC Address/ This field displays the MAC address or OUI (Organizationally Unique Identifier of computer hardware manufacturers) of wireless clients using MAC authentication with the Zyxel Device local user database.
  • Page 811: Ap Profile Overview

    Chapter 43 Object Setting up User Attributes in an External Server To set up user attributes, such as reauthentication time, in LDAP or RADIUS servers, use the following keywords in the user configuration file. Table 303 LDAP/RADIUS: Keywords for User Attributes KEYWORD CORRESPONDING ATTRIBUTE IN WEB CONFIGURATOR type...
  • Page 812: Radio Screen

    Chapter 43 Object • Radio - This profile type defines the properties of an AP’s radio transmitter. You can have a maximum of 32 radio profiles on the Zyxel Device. • SSID - This profile type defines the properties of a single wireless network signal broadcast by an AP. Each radio on a single AP can broadcast up to 8 SSIDs.
  • Page 813 Chapter 43 Object Figure 562 Configuration > Object > AP Profile > Radio The following table describes the labels in this screen. Table 304 Configuration > Object > AP Profile > Radio LABEL DESCRIPTION Click this to add a new radio profile. Edit Click this to edit the selected radio profile.
  • Page 814 Chapter 43 Object 43.3.1.1 Add/Edit Radio Profile This screen allows you to create a new radio profile or edit an existing one. To access this screen, click the Add button or select a radio profile from the list and click the Edit button. Figure 563 Configuration >...
  • Page 815 Chapter 43 Object Table 305 Configuration > Object > AP Profile > Add/Edit Radio Profile (continued) LABEL DESCRIPTION 802.11 Band Select how to let wireless clients connect to the AP. • 11b/g: allows either IEEE 802.11b or IEEE 802.11g compliant WLAN devices to associate with the AP.
  • Page 816 Chapter 43 Object Table 305 Configuration > Object > AP Profile > Add/Edit Radio Profile (continued) LABEL DESCRIPTION 2.4 GHz Channel Selection Method: This field is available when you set Channel Selection to DCS. Select auto to have the AP search for available channels automatically in the 2.4 GHz band.
  • Page 817 Chapter 43 Object Table 305 Configuration > Object > AP Profile > Add/Edit Radio Profile (continued) LABEL DESCRIPTION Enable A-MSDU Aggregation: Select this to enable A-MSDU aggregation. MAC Service Data Unit (MSDU) aggregation collects Ethernet frames without any of their 802.11n headers and wraps the header-less payload in a single 802.11n MAC header.
  • Page 818: Ssid Screen

    Chapter 43 Object Table 305 Configuration > Object > AP Profile > Add/Edit Radio Profile (continued) LABEL DESCRIPTION Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving your changes. 43.3.2 SSID Screen The SSID screens allow you to configure three different types of profiles for your networked APs: an SSID list, which can assign specific SSID configurations to your APs;...
  • Page 819 Chapter 43 Object Table 306 Configuration > Object > AP Profile > SSID List (continued) LABEL DESCRIPTION SSID This field indicates the SSID name as it appears to wireless clients. Security Profile This field indicates which (if any) security profile is associated with the SSID profile. This field indicates the QoS type associated with the SSID profile.
  • Page 820 Chapter 43 Object Table 307 Configuration > Object > AP Profile > SSID > Add/Edit SSID Profile (continued) LABEL DESCRIPTION MAC Filtering Profile: Select a MAC filtering profile from the list to associate with this SSID. If none exist, you can use the Create new Object menu to create one.
  • Page 821 Chapter 43 Object Table 307 Configuration > Object > AP Profile > SSID > Add/Edit SSID Profile (continued) LABEL DESCRIPTION Hidden SSID Select this if you want to “hide” your SSID from wireless clients. This tells any wireless clients in the vicinity of the AP using this SSID profile not to display its SSID name as a potential connection.
  • Page 822 Chapter 43 Object Table 308 Configuration > Object > AP Profile > SSID > Security List (continued) LABEL DESCRIPTION Profile Name This field indicates the name assigned to the security profile. Security Mode This field indicates this profile’s security mode (if any).
  • Page 823 Chapter 43 Object 43.3.2.4 Add/Edit Security Profile This screen allows you to create a new security profile or edit an existing one. To access this screen, click the Add button or select a security profile from the list and click the Edit button. Note: This screen’s options change based on the Security Mode selected.
  • Page 824 Chapter 43 Object The following table describes the labels in this screen. Table 309 Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile LABEL DESCRIPTION Profile Name Enter up to 31 alphanumeric characters for the profile name. This name is only visible in the Web Configurator and is only for management purposes.
  • Page 825 Chapter 43 Object Table 309 Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile LABEL DESCRIPTION Idle Timeout Enter the idle interval (in seconds) that a client can be idle before authentication is discontinued. Authentication Type Select a WEP authentication method.
  • Page 826 Chapter 43 Object 43.3.2.5 MAC Filter List This screen allows you to create and manage security configurations that can be used by your SSIDs. To access this screen click Configuration > Object > AP Profile > SSID > MAC Filter List. Note: You can have a maximum of 32 MAC filtering profiles on the Zyxel Device.
  • Page 827: Mon Profile

    Chapter 43 Object 43.3.2.6 Add/Edit MAC Filter Profile This screen allows you to create a new MAC filtering profile or edit an existing one. To access this screen, click the Add button or select a MAC filter profile from the list and click the Edit button. Figure 569 SSID >...
  • Page 828: Configuring Mon Profile

    Chapter 43 Object The MON Profile screen (Section 43.4.2 on page 828) creates preset monitor mode configurations that can be used by the APs. 43.4.1.1 What You Need To Know The following terms and concepts may help as you read this chapter. Active Scan An active scan is performed when an 802.11-compatible wireless monitoring device is explicitly triggered to scan a specified channel or number of channels for other wireless devices broadcasting on...
  • Page 829: Add/Edit Mon Profile

    Chapter 43 Object Table 312 Configuration > Object > MON Profile (continued) LABEL DESCRIPTION Profile Name This field indicates the name assigned to the monitor profile. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings. 43.4.3 Add/Edit MON Profile This screen allows you to create a new monitor mode profile or edit an existing one.
  • Page 830: Technical Reference

    Chapter 43 Object The following table describes the labels in this screen. Table 313 Configuration > Object > MON Profile > Add/Edit MON Profile LABEL DESCRIPTION Activate Select this to activate this monitor mode profile. Profile Name This field indicates the name assigned to the monitor mode profile. Channel dwell time Enter the interval (in milliseconds) before the AP switches to another channel for monitoring.
  • Page 831: Zymesh Overview

    Chapter 43 Object Figure 572 Rogue AP Example In the example above, a corporate network’s security is compromised by a rogue AP (RG) set up by an employee at his workstation in order to allow him to connect his notebook computer wirelessly (A). The company’s legitimate wireless network (the dashed ellipse B) is well-secured, but the rogue AP uses inferior security that is easily broken by an attacker (X) running readily available encryption-cracking software.
  • Page 832 Chapter 43 Object Note: All managed APs should be connected to the Zyxel Device directly to get the configuration file before being deployed to build a ZyMesh. Ensure you restart the managed AP after you change its operating mode using the Configuration > Wireless > AP Management screen (see Section 9.3 on page 274 •...
  • Page 833: Zymesh Profile

    Chapter 43 Object 43.5.1 ZyMesh Profile This screen allows you to manage and create ZyMesh profiles that can be used by the APs. To access this screen, click Configuration > Object > ZyMesh Profile. Figure 573 Configuration > Object > ZyMesh Profile The following table describes the labels in this screen.
  • Page 834: Add/Edit Zymesh Profile

    Chapter 43 Object Table 314 Configuration > Object > ZyMesh Profile (continued) LABEL DESCRIPTION Profile Name This field indicates the name assigned to the profile. ZyMesh SSID This field shows the SSID specified in this ZyMesh profile. 43.5.2 Add/Edit ZyMesh Profile This screen allows you to create a new ZyMesh profile or edit an existing one.
  • Page 835 Chapter 43 Object Table 316 Categories of Applications • Database • Games • Network Management • Remote Access • Bypass Proxies and • Terminals Tunnels • Security Update • Web IM • TCP/UDP traffic • Business • Network Protocols • Mobile •...
  • Page 836 Chapter 43 Object The Application screen allows you to create application objects consisting of service signatures as well as view license and signature information. To access this screen click Configuration > Object > Application > Application. Figure 576 Configuration > Object > Application > Application The following table describes the labels in this screen.
  • Page 837: Add Application Rule

    Chapter 43 Object Table 317 Configuration > Object > Application > Application (continued) LABEL DESCRIPTION Released Date: This field shows the date (YYYY-MM-DD) and time the current signature version was released. Update Signatures: If your signature set is not the most recent, click this to go to Configuration > Licensing > Signature Update >...
  • Page 838 Chapter 43 Object 43.6.1.1 Add Application Object by Category or Service Click Add in Configuration > Object > Application > Application > Add Application Rule to choose the signatures that should go into this object. Figure 578 Configuration > Object > Application > Application > Add Application Rule > Add By Category Figure 579 Configuration >...
  • Page 839: Application Group Screen

    Chapter 43 Object The following table describes the labels in this screen. Table 319 Configuration > Object > Application > Application > Add Application Rule > Add Application Object LABEL DESCRIPTION Query Search Choose signatures in one of the following ways: •...
  • Page 840 Chapter 43 Object Table 320 Configuration > Object > Application > Application Group (continued) LABEL DESCRIPTION Name This field indicates the name assigned to the application group. Description You may type some extra information on the application group here. Member This field shows the application objects in this application group.
  • Page 841: Address/Geo Ip Overview

    Chapter 43 Object Table 321 Configuration > Object > Application > Application > Add Application Group Rule LABEL DESCRIPTION Member List The Member list displays the names of the application and application group objects that have been added to the application group. The order of members is not important. Select items from the Available list that you want to be members and move them to the Member list.
  • Page 842 Chapter 43 Object FQDN - the object uses a FQDN (Fully Qualified Domain Name). An FQDN consists of a host and domain name. For example, www.zyxel.com is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com” is the top level domain. mail.myZyxel.com.tw is also an FQDN, where “mail”...
  • Page 843 Chapter 43 Object The following table describes the labels in this screen. See Section 43.7.2.1 on page 843 for more information as well. Table 323 Configuration > Object > Address/Geo IP > Address LABEL DESCRIPTION IPv4 Address Configuration Click this to create a new entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
  • Page 844 Chapter 43 Object The following table describes the labels in this screen. Table 324 Configuration > Object > Address/GeoIP > Address > Add/Edit (IPv4) LABEL DESCRIPTION Name Type the name used to refer to the address. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 845: Address Group Summary Screen

    Chapter 43 Object The following table describes the labels in this screen. Table 325 Configuration > Object > Address/GeoIP > Address > Add/Edit (IPv6) LABEL DESCRIPTION Name Type the name used to refer to the address. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 846 Chapter 43 Object The following table describes the labels in this screen. See Section 43.7.3.1 on page 846 for more information as well. Table 326 Configuration > Object > Address/Geo IP > Address Group LABEL DESCRIPTION IPv4 Address Group Configuration Click this to create a new entry.
  • Page 847: Geo Ip Summary Screen

    Chapter 43 Object Figure 586 IPv4/IPv6 Address Group Configuration > Add The following table describes the labels in this screen. Table 327 IPv4/IPv6 Address Group Configuration > Add LABEL DESCRIPTION Name Enter a name for the address group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 848 Chapter 43 Object objects. You can then use geographic address objects in security policies to forward or deny traffic to whole countries or regions. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
  • Page 849 Chapter 43 Object The following table describes the labels in this screen. Table 328 Configuration > Object > Address/Geo IP > Geo IP LABEL DESCRIPTION Country Database Update Latest Version This is the latest country-to-IP address database version on myZyxel. You need to have a registered Content Filter Service license.
  • Page 850: Service Overview

    Chapter 43 Object Figure 588 Geo IP > Add The following table describes the labels in this screen. Table 329 Geo IP > Add LABEL DESCRIPTION Region Select the country or continent that maps to this IP address. Address Type Select the type of address you want to create.
  • Page 851: The Service Summary Screen

    Chapter 43 Object Computers use Transmission Control Protocol (TCP, IP protocol 6) and User Datagram Protocol (UDP, IP protocol 17) to exchange data with each other. TCP guarantees reliable delivery but is slower and more complex. Some uses are FTP, HTTP, SMTP, and TELNET. UDP is simpler and faster but is less reliable. Some uses are DHCP, DNS, RIP, and SNMP.
  • Page 852 Chapter 43 Object Figure 589 Configuration > Object > Service > Service The following table describes the labels in this screen. Table 330 Configuration > Object > Service > Service LABEL DESCRIPTION Click this to create a new entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
  • Page 853: The Service Group Summary Screen

    Chapter 43 Object Table 331 Configuration > Object > Service > Service > Edit (continued) LABEL DESCRIPTION Starting Port / Ending Port: This field appears if the IP Protocol is TCP or UDP. Specify the port number(s) used by this service. If you fill in one of these fields, the service uses that port. If you fill in both fields, the service uses the range of ports.
  • Page 854 Chapter 43 Object Table 332 Configuration > Object > Service > Service Group (continued) LABEL DESCRIPTION Family This field displays the Server Group supported type, which is according to your configurations in the Service Group Add/Edit screen. There are 3 types of families: •...
  • Page 855: Schedule Overview

    Chapter 43 Object Table 333 Configuration > Object > Service > Service Group > Edit (continued) LABEL DESCRIPTION Member List The Member list displays the names of the service and service group objects that have been added to the service group. The order of members is not important. Select items from the Available list that you want to be members and move them to the Member list.
  • Page 856 Chapter 43 Object Figure 593 Configuration > Object > Schedule The following table describes the labels in this screen. See Section 43.9.2.1 on page 856 and Section 43.9.2.2 on page 857 for more information as well. Table 334 Configuration > Object > Schedule LABEL DESCRIPTION One Time...
  • Page 857 Chapter 43 Object Figure 594 Configuration > Object > Schedule > Edit (One Time) The following table describes the labels in this screen. Table 335 Configuration > Object > Schedule > Edit (One Time) LABEL DESCRIPTION Configuration Name Type the name used to refer to the one-time schedule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 858: The Schedule Group Screen

    Chapter 43 Object Figure 595 Configuration > Object > Schedule > Edit (Recurring) The Year, Month, and Day columns are not used in recurring schedules and are disabled in this screen. The following table describes the remaining labels in this screen. Table 336 Configuration >...
  • Page 859 Chapter 43 Object Figure 596 Configuration > Object > Schedule > Schedule Group The following table describes the fields in the above screen. Table 337 Configuration > Object > Schedule > Schedule Group LABEL DESCRIPTION Configuration Click this to create a new entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
  • Page 860: Aaa Server Overview

    Chapter 43 Object Figure 597 Configuration > Schedule > Schedule Group > Add The following table describes the fields in the above screen. Table 338 Configuration > Schedule > Schedule Group > Add LABEL DESCRIPTION Group Members Name Type the name used to refer to the recurring schedule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 861: Directory Service (Ad/Ldap)

    Chapter 43 Object configuring ext-group-user user objects and authentication method objects (see Chapter 43 on page 869). 43.10.1 Directory Service (AD/LDAP) LDAP/AD allows a client (the Zyxel Device) to connect to a server to retrieve information from a directory. A network example is shown next. Figure 598 Example: Directory Service Client and Server The following describes the user authentication procedure via an LDAP/AD server.
  • Page 862: What You Need To Know

    Chapter 43 Object server software and physical OTP tokens (PIN generators). Do the following to use OTP. See the documentation included on the ASAS’ CD for details. Install the ASAS server software on a computer. Create user accounts on the Zyxel Device and in the ASAS server. Import each token’s database file (located on the included CD) into the server.
  • Page 863: Active Directory Or Ldap Server Summary

    Chapter 43 Object Figure 600 Basic Directory Structure Sales Sprint Root Sales Japan Countries (c) Organizations (o) Organization Units (ou) Unique Common Name (cn) Distinguished Name (DN) A DN uniquely identifies an entry in a directory. A DN consists of attribute-value pairs separated by commas.
  • Page 864 Chapter 43 Object Figure 601 Configuration > Object > AAA Server > Active Directory (or LDAP) The following table describes the labels in this screen. Table 339 Configuration > Object > AAA Server > Active Directory (or LDAP) LABEL DESCRIPTION Click this to create a new entry.
  • Page 865 Chapter 43 Object Figure 602 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add
  • Page 866 Chapter 43 Object The following table describes the labels in this screen. Table 340 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add LABEL DESCRIPTION Name Enter a descriptive name (up to 63 alphanumerical characters) for identification purposes. Description Enter the description of each server, if any.
  • Page 867: Radius Server Summary

    Chapter 43 Object Table 340 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add (continued) LABEL DESCRIPTION Realm Enter the realm FQDN. This is only for Active Directory. NetBIOS Name Type the NetBIOS name. This field is optional. NetBIOS packets are TCP or UDP packets that enable a computer to connect to and communicate with a LAN which allows local computers to find computers on the remote network and vice versa.
  • Page 868 Chapter 43 Object Figure 604 Configuration > Object > AAA Server > RADIUS > Add The following table describes the labels in this screen. Table 342 Configuration > Object > AAA Server > RADIUS > Add LABEL DESCRIPTION Name Enter a descriptive name (up to 63 alphanumerical characters) for identification purposes. Description Enter the description of each server, if any.
  • Page 869: Auth. Method Overview

    Chapter 43 Object Table 342 Configuration > Object > AAA Server > RADIUS > Add (continued) LABEL DESCRIPTION Enter a password (up to 15 alphanumeric characters) as the key to be shared between the external authentication server and the Zyxel Device. The key is not sent over the network.
  • Page 870: Authentication Method Objects

    Chapter 43 Object Select Server Mode and select an authentication method object from the drop-down list box. Click OK to save the settings. Figure 605 Example: Using Authentication Method in VPN 43.11.3 Authentication Method Objects Click Configuration > Object > Auth. Method to display the screen as shown. Note: You can create up to 16 authentication method objects.
  • Page 871 Chapter 43 Object Click Add. Specify a descriptive name for identification purposes in the Name field. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. For example, “My_Device”. Click Add to insert an authentication method in the table.
  • Page 872: Two-Factor Authentication Vpn Access

    Chapter 43 Object Table 344 Configuration > Object > Auth. Method > Add (continued) LABEL DESCRIPTION This field displays the index number. Method List Select a server object from the drop-down list box. You can create a server object in the AAA Server screen.
  • Page 873 Chapter 43 Object Via a VPN tunnel A user runs a VPN client and logs in with the user name and password for this VPN tunnel. The VPN tunnel is created from the VPN client device to the Zyxel Device. The Zyxel Device requests the user’s user-name, password and mobile phone number or email address from the Active Directory, RADIUS server or local Zyxel Device database in order to authenticate this user's use of the VPN tunnel (factor 1).
  • Page 874 Chapter 43 Object • Add HTTP, HTTPS, SSH, and/or TELNET in the Object > Service > Service Group > Default_Allow_WAN_To_ZyWALL service group. Two-Factor authentication may fail if one of the above is not configured or one of the following occurs. •...
  • Page 875: Two-Factor Authentication Admin Access

    Chapter 43 Object The following table describes the labels in this screen. Table 345 Configuration > Object > Auth. Method > Two-factor Authentication > VPN Access LABEL DESCRIPTION General Settings Enable Select the check box to require double-layer security to access a secured network behind the Zyxel Device via a VPN tunnel.
  • Page 876 Chapter 43 Object Go to Configuration > Object > Auth. Method > Two-factor Authentication > Admin Access and configure the following screen as shown. Figure 610 Configuration > Object > Auth. Method > Two-factor Authentication > Admin Access The following table describes the labels in this screen. Table 346 Configuration >...
  • Page 877: Certificate Overview

    Chapter 43 Object Table 346 Configuration > Object > Auth. Method > Two-factor Authentication > Admin Access LABEL DESCRIPTION Deliver Authorize Link Method: Select one or both methods: • SMS: Object > User/Group > User must contain a valid mobile telephone number. A valid mobile telephone number can be up to 20 characters in length, including the numbers 1~9 and the following characters in the square brackets [+*#()-].
  • Page 878 Chapter 43 Object Additionally, Jenny uses her own private key to sign a message and Tim uses Jenny’s public key to verify the message. The Zyxel Device uses certificates based on public-key cryptology to authenticate users attempting to establish a connection, not to encrypt the data that you send after establishing a connection. The method used to secure the data that you send through an established connection depends on the type of connection.
  • Page 879: Verifying A Certificate

    Chapter 43 Object • Binary PKCS#12: This is a format for transferring public key and private key certificates. The private key in a PKCS #12 file is within a password-encrypted envelope. The file’s password is not connected to your certificate’s public or private passwords. Exporting a PKCS #12 file creates this and you must provide it to decrypt the contents when you import the file into the Zyxel Device.
  • Page 880: The My Certificates Screen

    Chapter 43 Object Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection. 43.12.3 The My Certificates Screen Click Configuration >...
  • Page 881 Chapter 43 Object Table 347 Configuration > Object > Certificate > My Certificates (continued) LABEL DESCRIPTION Download Click this and the following screen will appear. Type the selected certificate’s password and save the selected certificate to your computer. Figure 614 Download a Certificate
  • Page 882 Chapter 43 Object Table 347 Configuration > Object > Certificate > My Certificates (continued) LABEL DESCRIPTION Email Click this to email the selected certificate to the configured email address(es) for SSL connection establishment. This enables you to establish an SSL connection on your laptops, tablets, or smartphones.
  • Page 883 Chapter 43 Object Table 347 Configuration > Object > Certificate > My Certificates (continued) LABEL DESCRIPTION Type This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate.
  • Page 884 Chapter 43 Object Figure 616 Configuration > Object > Certificate > My Certificates > Add The following table describes the labels in this screen. Table 348 Configuration > Object > Certificate > My Certificates > Add LABEL DESCRIPTION Name Type a name to identify this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
  • Page 885 Chapter 43 Object Table 348 Configuration > Object > Certificate > My Certificates > Add (continued) LABEL DESCRIPTION Town (City) Identify the town or city where the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore. State, (Province) Identify the state or province where the certificate owner is located.
  • Page 886 Chapter 43 Object Figure 617 Configuration > Object > Certificate > My Certificates > Edit The following table describes the labels in this screen. Table 349 Configuration > Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
  • Page 887 Chapter 43 Object Table 349 Configuration > Object > Certificate > My Certificates > Edit (continued) LABEL DESCRIPTION Certificate These read-only fields display detailed information about the certificate. Information Type This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate.
  • Page 888 Chapter 43 Object Table 349 Configuration > Object > Certificate > My Certificates > Edit (continued) LABEL DESCRIPTION Export Certificate Only: Use this button to save a copy of the certificate without its private key. Click this button and then Save in the File Download screen. The Save As screen opens; browse to the location that you want to use and click Save.
  • Page 889: The Trusted Certificates Screen

    Chapter 43 Object Table 350 Configuration > Object > Certificate > My Certificates > Import (continued) LABEL DESCRIPTION Password This field only applies when you import a binary PKCS#12 format file. Type the file’s password that was created when the PKCS #12 file was exported. Click OK to save the certificate on the Zyxel Device.
  • Page 890 Chapter 43 Object Table 351 Configuration > Object > Certificate > Trusted Certificates (continued) LABEL DESCRIPTION Valid From This field displays the date that the certificate becomes applicable. Valid To This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired.
  • Page 891 Chapter 43 Object Figure 620 Configuration > Object > Certificate > Trusted Certificates > Edit
  • Page 892 Chapter 43 Object The following table describes the labels in this screen. Table 352 Configuration > Object > Certificate > Trusted Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificate. You can change the name. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
  • Page 893 Chapter 43 Object Table 352 Configuration > Object > Certificate > Trusted Certificates > Edit (continued) LABEL DESCRIPTION Signature Algorithm This field displays the type of algorithm that was used to sign the certificate. Some certification authorities use rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm).
  • Page 894: Certificates Technical Reference

    Chapter 43 Object Figure 621 Configuration > Object > Certificate > Trusted Certificates > Import The following table describes the labels in this screen. Table 353 Configuration > Object > Certificate > Trusted Certificates > Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it.
  • Page 895 Chapter 43 Object Figure 622 Configuration > Object > ISP Account The following table describes the labels in this screen. See the ISP Account Add/Edit section below for more information as well. Table 354 Configuration > Object > ISP Account LABEL DESCRIPTION Click this to create a new entry.
  • Page 896 Chapter 43 Object Figure 623 Configuration > Object > ISP Account > Edit The following table describes the labels in this screen. Table 355 Configuration > Object > ISP Account > Edit LABEL DESCRIPTION Profile Name This field is read-only if you are editing an existing account. Type in the profile name of the ISP account.
  • Page 897: Ssl Application Overview

    Chapter 43 Object Table 355 Configuration > Object > ISP Account > Edit (continued) LABEL DESCRIPTION Server IP If this ISP account uses the PPPoE protocol, this field is not displayed. If this ISP account uses the PPTP protocol, type the IP address of the PPTP server. Connection ID This field is available if this ISP account uses the PPTP protocol.
  • Page 898 Chapter 43 Object Remote User Screen Links Available SSL application names are displayed as links in remote user screens. Depending on the application type, remote users can simply click the links or follow the steps in the pop-up dialog box to access.
  • Page 899: The Ssl Application Screen

    Chapter 43 Object Click the Add button and select Web Application in the Type field. In the Server Type field, select Web Server. Enter a descriptive name in the Display Name field. For example, “CompanyIntranet”. In the URL Address field, enter “http://my-info”. Select Web Page Encryption to prevent users from saving the web content.
  • Page 900 Chapter 43 Object The following table describes the labels in this screen. Table 356 Configuration > Object > SSL Application LABEL DESCRIPTION Click this to create a new entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove.
  • Page 901 Chapter 43 Object Figure 628 Configuration > Object > SSL Application > Add/Edit: File Sharing The following table describes the labels in this screen. Table 357 Configuration > Object > SSL Application > Add/Edit: Web Application/File Sharing LABEL DESCRIPTION Create new Use this to configure any new settings objects that you need to use in this screen.
  • Page 902: Dhcpv6 Overview

    Chapter 43 Object Table 357 Configuration > Object > SSL Application > Add/Edit: Web Application/File Sharing LABEL DESCRIPTION Preview This field only appears when you choose Web Application or File Sharing as the object type. This field displays if the Server Type is set to Web Server, OWA or Weblink. Note: If your Internet Explorer or other browser screen doesn’t show a preview, it may be due to your web browser security settings.
  • Page 903 Chapter 43 Object Figure 629 Configuration > Object > DHCPv6 > Request The following table describes the labels in this screen. Table 358 Configuration > Object > DHCPv6 > Request LABEL DESCRIPTION Configuration Click this to create a new entry. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
  • Page 904: The Dhcpv6 Lease Screen

    Chapter 43 Object Table 359 Configuration > DHCPv6 > Request > Add (continued) LABEL DESCRIPTION Interface Select the interface for this request object. Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving your changes. 43.15.2 The DHCPv6 Lease Screen The Lease screen allows you to add, edit, and remove DHCPv6 lease type objects.
  • Page 905 Chapter 43 Object Figure 632 Configuration > DHCPv6 > Lease > Add The following table describes the labels in this screen. Table 361 Configuration > DHCPv6 > Lease > Add/Edit LABEL DESCRIPTION Name Type the name for this lease object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 906: System

    Chapter 44 System 44.1 Overview Use the system screens to configure general Zyxel Device settings. 44.1.1 What You Can Do in this Chapter • Use the System > Host Name screen (see Section 44.2 on page 907) to configure a unique name for the Zyxel Device in your network.
  • Page 907: Host Name

    Chapter 44 System • Use the System > IPv6 screen (see Section 44.16 on page 958) to enable or disable IPv6 support on the Zyxel Device. • Use the System > ZON screen (see Section 44.17 on page 958) to enable or disable the Zyxel One Network (ZON) utility that uses Zyxel Discovery Protocol (ZDP) for discovering and configuring ZDP-aware Zyxel devices in the same network as the computer on which ZON is installed.
  • Page 908: Date And Time

    Chapter 44 System Figure 634 Configuration > System > USB Storage The following table describes the labels in this screen. Table 363 Configuration > System > USB Storage LABEL DESCRIPTION Activate USB Select this if you want to use the connected USB device(s). storage service Disk full warning Set a number and select a unit (MB or %) to have the Zyxel Device send a warning message...
  • Page 909 Chapter 44 System Figure 635 Configuration > System > Date and Time The following table describes the labels in this screen. Table 364 Configuration > System > Date and Time LABEL DESCRIPTION Current Time and Date Current Time This field displays the present time of your Zyxel Device. Current Date This field displays the present date of your Zyxel Device.
  • Page 910 Chapter 44 System Table 364 Configuration > System > Date and Time (continued) LABEL DESCRIPTION Get from Time Select this radio button to have the Zyxel Device get the time and date from the time server Server you specify below. The Zyxel Device requests time and date settings from the time server under the following circumstances.
  • Page 911: Pre-Defined Ntp Time Servers List

    Chapter 44 System Table 364 Configuration > System > Date and Time (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings. 44.4.1 Pre-defined NTP Time Servers List When you turn on the Zyxel Device for the first time, the date and time start at 2003-01-01 00:00:00.
  • Page 912: Console Port Speed

    Chapter 44 System Enter the Zyxel Device’s date in the New Date field. Under Time Zone Setup, select your Time Zone from the list. As an option you can select the Enable Daylight Saving check box to adjust the Zyxel Device clock for daylight savings.
  • Page 913: Dns Overview

    Chapter 44 System 44.6 DNS Overview DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it.
  • Page 914 Chapter 44 System Figure 638 Configuration > System > DNS The following table describes the labels in this screen. Table 367 Configuration > System > DNS LABEL DESCRIPTION Address/PTR This record specifies the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. Record An FQDN consists of a host and domain name.
  • Page 915 Chapter 44 System Table 367 Configuration > System > DNS (continued) LABEL DESCRIPTION FQDN This is a host’s fully qualified domain name. IP Address This is the IP address of a host. CNAME Record This record specifies an alias for a FQDN. Use this record to bind all subdomains with the same IP address as the FQDN without having to update each one individually, which increases the chance of errors.
  • Page 916: Ipv6) Address Record

    Chapter 44 System Table 367 Configuration > System > DNS (continued) LABEL DESCRIPTION Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
  • Page 917: Ptr Record

    Chapter 44 System The Zyxel Device allows you to configure address records about the Zyxel Device itself or another device. This way you can keep a record of DNS names and addresses that people on your network may use frequently. If the Zyxel Device receives a DNS query for an FQDN for which the Zyxel Device has an address record, the Zyxel Device can send the IP address in a DNS response without having to query a DNS name server.
  • Page 918: Adding A Cname Record

    Chapter 44 System For example, the domain name zyxel.com is hooked up to a record named A which translates it to 11.22.33.44. You also have several subdomains, like mail.zyxel.com and ftp.zyxel.com, and you want these subdomains to point to your main domain zyxel.com. Edit the IP Address in record A and all subdomains will follow automatically.
  • Page 919: Mx Record

    Chapter 44 System Figure 641 Configuration > System > DNS > Domain Zone Forwarder Add The following table describes the labels in this screen. Table 370 Configuration > System > DNS > Domain Zone Forwarder Add LABEL DESCRIPTION Domain Zone A domain zone is a fully qualified domain name without the host.
  • Page 920: Adding A Mx Record

    Chapter 44 System 44.6.11 Adding a MX Record Click the Add icon in the MX Record table to add a MX record. Figure 642 Configuration > System > DNS > MX Record Add The following table describes the labels in this screen. Table 371 Configuration >...
  • Page 921: Adding A Dns Service Control Rule

    Chapter 44 System Figure 643 Configuration > System > DNS > Security Option Control Edit (Customize) The following table describes the labels in this screen. Table 372 Configuration > System > DNS > Security Option Control Edit (Customize) LABEL DESCRIPTION Name You may change the name for the customized security option control policy.
  • Page 922: Www Overview

    Chapter 44 System Figure 644 Configuration > System > DNS > Service Control Rule Add The following table describes the labels in this screen. Table 373 Configuration > System > DNS > Service Control Rule Add LABEL DESCRIPTION Create new Use this to configure any new settings objects that you need to use in this screen.
  • Page 923: System Timeout

    Chapter 44 System The IP address (address object) in the Service Control table is not in the allowed zone or the action is set to Deny. There is a security policy rule that blocks it. 44.7.2 System Timeout There is a lease timeout for administrators. The Zyxel Device automatically logs you out if the management session remains idle for longer than this timeout period.
  • Page 924: Configuring Www Service Control

    Chapter 44 System Figure 645 HTTP/HTTPS Implementation Note: If you disable HTTP in the WWW screen, then the Zyxel Device blocks all HTTP connection attempts. 44.7.4 Configuring WWW Service Control Click Configuration > System > WWW to open the WWW screen. Use this screen to specify from which zones you can access the Zyxel Device using HTTP or HTTPS.
  • Page 925 Chapter 44 System Figure 646 Configuration > System > WWW > Service Control The following table describes the labels in this screen. Table 374 Configuration > System > WWW > Service Control LABEL DESCRIPTION HTTPS Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the Zyxel Device Web Configurator using secure HTTPS connections.
  • Page 926 Chapter 44 System Table 374 Configuration > System > WWW > Service Control (continued) LABEL DESCRIPTION Redirect HTTP to HTTPS To allow only secure Web Configurator access, select this to redirect all HTTP connection requests to the HTTPS server. Admin/User Service Admin Service Control specifies from which zones an administrator can use HTTPS to Control manage the Zyxel Device (using the Web Configurator).
  • Page 927: Service Control Rules

    Chapter 44 System Table 374 Configuration > System > WWW > Service Control (continued) LABEL DESCRIPTION This is the index number of the service control rule. The entry with a hyphen (-) instead of a number is the Zyxel Device’s (non-configurable) default policy.
  • Page 928: Customizing The Www Login Page

    Chapter 44 System The following table describes the labels in this screen. Table 375 Configuration > System > Service Control Rule > Edit LABEL DESCRIPTION Create new Use this to configure any new settings objects that you need to use in this screen. Object Address Object Select ALL to allow or deny any computer to communicate with the Zyxel Device using this...
  • Page 929 Chapter 44 System Figure 648 Configuration > System > WWW > Login Page (Desktop View)
  • Page 930 Chapter 44 System Figure 649 Configuration > System > WWW > Login Page (Mobile View) The following figures identify the parts you can customize in the login and access pages.
  • Page 931 Chapter 44 System Figure 650 Login Page Customization (labelled parts: Title, Logo, Message (color of all text), Background, Note Message (last line of text)). Figure 651 Access Page Customization (labelled parts: Logo, Title, Message (color of all text), Note Message (last line of text), Window Background). You can specify colors in one of the following ways:...
  • Page 932 Chapter 44 System • Enter a pound sign (#) followed by the six-digit hexadecimal number that represents the desired color. For example, use “#000000” for black. • Enter “rgb” followed by red, green, and blue values in parentheses and separated by commas. For example, use “rgb(0,0,0)”...
  • Page 933: Https Example

    Chapter 44 System Table 376 Configuration > System > WWW > Login Page (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings. 44.7.7 HTTPS Example If you haven’t changed the default HTTPS port on the Zyxel Device, then in your browser enter “https://Zyxel Device IP Address/”...
  • Page 934 Chapter 44 System Figure 653 Security Certificate 1 (Firefox) Figure 654 Security Certificate 2 (Firefox) 44.7.7.3 Avoiding Browser Warning Messages Here are the main reasons your browser displays warnings about the Zyxel Device’s HTTPS server certificate and what you can do to avoid seeing the warnings: •...
  • Page 935 Chapter 44 System Figure 655 Login Screen (Internet Explorer) 44.7.7.5 Enrolling and Importing SSL Client Certificates The SSL client needs a certificate if Authenticate Client Certificates is selected on the Zyxel Device. You must have imported at least one trusted CA to the Zyxel Device in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details).
  • Page 936 Chapter 44 System Figure 657 CA Certificate Example Click Install Certificate and follow the wizard as shown earlier in this appendix. 44.7.7.5.2 Installing Your Personal Certificate(s) You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment.
  • Page 937 Chapter 44 System Figure 658 Personal Certificate Import Wizard 1 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 659 Personal Certificate Import Wizard 2 Enter the password given to you by the CA.
  • Page 938 Chapter 44 System Figure 660 Personal Certificate Import Wizard 3 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location. Figure 661 Personal Certificate Import Wizard 4 Click Finish to complete the wizard and begin the import process.
  • Page 939 Chapter 44 System Figure 662 Personal Certificate Import Wizard 5 You should see the following screen when the certificate is correctly installed on your computer. Figure 663 Personal Certificate Import Wizard 6 44.7.7.6 Using a Certificate When Accessing the Zyxel Device Example Use the following procedure to access the Zyxel Device via HTTPS.
  • Page 940: Ssh

    Chapter 44 System Figure 665 SSL Client Authentication You next see the Web Configurator login screen. Figure 666 Secure Web Configurator Login Screen 44.8 SSH You can use SSH (Secure SHell) to securely access the Zyxel Device’s command line interface. Specify which zones allow SSH access and from which IP address the access can come.
  • Page 941: How Ssh Works

    Chapter 44 System Figure 667 SSH Communication Over the WAN Example 44.8.1 How SSH Works The following figure is an example of how a secure connection is established between two remote hosts using SSH v1. Figure 668 How SSH v1 Works Example Host Identification The SSH client sends a connection request to the SSH server.
  • Page 942: Ssh Implementation On The Zyxel Device

    Chapter 44 System Authentication and Data Transmission After the identification is verified and data encryption activated, a secure tunnel is established between the client and the server. The client then sends its authentication information (user name and password) to the server to log in to the server. 44.8.2 SSH Implementation on the Zyxel Device Your Zyxel Device supports SSH versions 1 and 2 using RSA authentication and four encryption methods (AES, 3DES, Arcfour, and Blowfish).
  • Page 943: Secure Telnet Using Ssh Examples

    Chapter 44 System Table 377 Configuration > System > SSH (continued) LABEL DESCRIPTION Server Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management. Server Certificate Select the certificate whose corresponding private key is to be used to identify the Zyxel Device for SSH connections.
  • Page 944 Chapter 44 System Figure 670 SSH Example 1: Store Host Key Enter the password to log in to the Zyxel Device. The CLI screen displays next. 44.8.5.2 Example 2: Linux This section describes how to access the Zyxel Device using the OpenSSH client program that comes with most Linux distributions.
  • Page 945: Telnet

    Chapter 44 System 44.9 Telnet You can use Telnet to access the Zyxel Device’s command line interface. Specify which zones allow Telnet access and from which IP address the access can come. 44.9.1 Configuring Telnet Click Configuration > System > TELNET to configure your Zyxel Device for remote Telnet access. Use this screen to specify from which zones Telnet can be used to manage the Zyxel Device.
  • Page 946: Ftp

    Chapter 44 System Table 378 Configuration > System > TELNET (continued) LABEL DESCRIPTION This is the index number of the service control rule. The entry with a hyphen (-) instead of a number is the Zyxel Device’s (non-configurable) default policy. The Zyxel Device applies this to traffic that does not match any other configured rule. It is not an editable rule.
  • Page 947: Snmp

    Chapter 44 System The following table describes the labels in this screen. Table 379 Configuration > System > FTP LABEL DESCRIPTION Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the Zyxel Device using this service.
  • Page 948: Snmpv3 And Security

    Chapter 44 System Figure 675 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the Zyxel Device). An agent translates the local management information from the managed device into a form compatible with SNMP.
  • Page 949: Supported Mibs

    Chapter 44 System Security can be further enhanced by encrypting the SNMP messages sent from the managers. Encryption protects the contents of the SNMP messages. When the contents of the SNMP messages are encrypted, only the intended recipients can read them. 44.11.2 Supported MIBs The Zyxel Device supports MIB II that is defined in RFC-1213 and RFC-1215.
  • Page 950 Chapter 44 System Figure 676 Configuration > System > SNMP The following table describes the labels in this screen. Table 381 Configuration > System > SNMP LABEL DESCRIPTION Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the Zyxel Device using this service.
  • Page 951: Add Snmpv3 User

    Chapter 44 System Table 381 Configuration > System > SNMP (continued) LABEL DESCRIPTION Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove.
  • Page 952: Authentication Server

    Chapter 44 System Figure 677 Configuration > System > SNMP(v3) > Add The following table describes the labels in this screen. Table 382 Configuration > System > SNMP(v3) > Add LABEL DESCRIPTION User Specify the username of a login account on the Zyxel Device. The associated password is used in authentication algorithms and encryption methods.
  • Page 953 Chapter 44 System Figure 678 Configuration > System > Auth. Server The following table describes the labels in this screen. Table 383 Configuration > System > Auth. Server LABEL DESCRIPTION Enable Select the check box to have the Zyxel Device act as a RADIUS server. Authentication Server Authentication...
  • Page 954: Add/Edit Trusted Radius Client

    Chapter 44 System 44.12.1 Add/Edit Trusted RADIUS Client Click Configuration > System > Auth. Server to display the Auth. Server screen. Click the Add icon or an Edit icon to display the following screen. Use this screen to create a new entry or edit an existing one. Figure 679 Configuration >...
  • Page 955 Chapter 44 System Figure 680 Configuration > System > Notification > Mail Server The following table describes the labels in this screen. Table 385 Configuration > System > Notification > Mail Server LABEL DESCRIPTION Mail Server Type the name or IP address of the outgoing SMTP server. Mail Subject Go to Configuration >...
  • Page 956: Notification > Sms

    Chapter 44 System Table 385 Configuration > System > Notification > Mail Server (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings. 44.14 Notification > SMS The Zyxel Device supports Short Message Service (SMS) to send short text messages to mobile phone devices.
  • Page 957: Language Screen

    Chapter 44 System Table 386 Configuration > System > Notification > SMS (continued) LABEL DESCRIPTION Provider Enter the domain name of your SMS service provider. The domain name can be of up to 252 Domain characters. Select auto append to "Mail to" to add the domain name of your SMS service provider after the mobile phone number in the Mail To field.
  • Page 958: Ipv6 Screen

    Chapter 44 System 44.16 IPv6 Screen Click Configuration > System > IPv6 to open the following screen. Use this screen to enable IPv6 support for the Zyxel Device’s Web Configurator screens. Figure 683 Configuration > System > IPv6 The following table describes the labels in this screen. Table 388 Configuration >...
  • Page 959: Run The Zon Utility

    Chapter 44 System • Windows 10 (both 32-bit / 64-bit versions) Note: To check for your Windows operating system version, right-click on My Computer > Properties. You should see this information in the General tab. Hardware Here are the minimum hardware requirements to use the ZON Utility on your computer. •...
  • Page 960 Chapter 44 System Select the network adapter to which your supported devices are connected. Figure 685 Network Adapter Click the Go button for the ZON Utility to discover all supported devices in your network. Figure 686 Discovering Devices The ZON Utility screen shows the devices discovered.
  • Page 961 Chapter 44 System Figure 687 ZON Utility Screen Select a device and then use the icons to perform actions. Note: Some functions may not be available for your devices. The following table describes the icons numbered from left to right in the ZON Utility screen. Table 389 ZON Utility Icons ICON DESCRIPTION...
  • Page 962: Zyxel One Network (Zon) System Screen

    Chapter 44 System Table 389 ZON Utility Icons ICON DESCRIPTION 9 Configure NCC You must have Internet access to use this feature. Use this icon to enable or disable Discovery Nebula Control Center (NCC) discovery on the selected device. If it’s enabled, the selected device will try to connect to the NCC.
  • Page 963 Chapter 44 System Figure 688 Configuration > System > ZON The following table describes the labels in this screen. Table 391 Configuration > System > ZON LABEL DESCRIPTION Zyxel Discovery Protocol (ZDP) is the protocol that the Zyxel One Network (ZON) utility uses for discovering and configuring ZDP-aware Zyxel devices in the same broadcast domain as the computer on which ZON is installed.
  • Page 964: Log And Report

    Chapter 45 Log and Report 45.1 Overview Use these screens to configure daily reporting and log settings. 45.1.1 What You Can Do In this Chapter • Use the Email Daily Report screen (Section 45.2 on page 964) to configure where and how to send daily reports and what reports to send.
  • Page 965 Chapter 45 Log and Report Figure 689 Configuration > Log & Report > Email Daily Report The following table describes the labels in this screen. Table 392 Configuration > Log & Report > Email Daily Report LABEL DESCRIPTION Enable Email Daily Select this to send reports by e-mail every day.
  • Page 966: Log Setting Screens

    Chapter 45 Log and Report Table 392 Configuration > Log & Report > Email Daily Report (continued) LABEL DESCRIPTION Reset All Counters Click this to discard all report data and start all of the counters over at zero. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings.
  • Page 967: Edit System Log Settings

    Chapter 45 Log and Report Figure 690 Configuration > Log & Report > Log Setting The following table describes the labels in this screen. Table 393 Configuration > Log & Report > Log Setting LABEL DESCRIPTION Edit Double-click an entry or select it and click Edit to open a screen where you can modify it. Activate To turn on an entry, select it and click Activate.
  • Page 968 Chapter 45 Log and Report Figure 691 Configuration > Log & Report > Log Setting > Edit (System Log - E-mail Servers)
  • Page 969 Chapter 45 Log and Report Figure 692 Configuration > Log & Report > Log Setting > Edit (System Log - AC)
  • Page 970 Chapter 45 Log and Report Figure 693 Configuration > Log & Report > Log Setting > Edit (System Log - AP) The following table describes the labels in this screen. Table 394 Configuration > Log & Report > Log Setting > Edit (System Log) LABEL DESCRIPTION E-Mail Server 1/2...
  • Page 971 Chapter 45 Log and Report Table 394 Configuration > Log & Report > Log Setting > Edit (System Log) (continued) LABEL DESCRIPTION SMTP Select this check box if it is necessary to provide a user name and password to the SMTP Authentication server.
  • Page 972: Edit Log On Usb Storage Setting

    Chapter 45 Log and Report Table 394 Configuration > Log & Report > Log Setting > Edit (System Log) (continued) LABEL DESCRIPTION E-mail Server 1 Select whether each category of events should be included in the log messages when it is e-mailed (green check mark) and/or in alerts (red exclamation point) for the e-mail settings specified in E-Mail Server 1.
  • Page 973 Chapter 45 Log and Report Figure 694 Configuration > Log & Report > Log Setting > Edit (USB Storage) The following table describes the labels in this screen. Table 395 Configuration > Log & Report > Log Setting > Edit (USB Storage) LABEL DESCRIPTION Duplicate logs to...
  • Page 974: Edit Remote Server Log Settings

    Chapter 45 Log and Report Table 395 Configuration > Log & Report > Log Setting > Edit (USB Storage) (continued) LABEL DESCRIPTION Selection Select what information you want to log from each Log Category (except All Logs; see below). Choices are: disable all logs (red X) - do not log any information from this category enable normal logs (green check mark) - log regular information and alerts from this category enable normal logs and debug logs (yellow check mark) - log regular information, alerts, and...
  • Page 975 Chapter 45 Log and Report Figure 695 Configuration > Log & Report > Log Setting > Edit (Remote Server - AC)
  • Page 976 Chapter 45 Log and Report Configuration > Log & Report > Log Setting > Edit (Remote Server - AP) The following table describes the labels in this screen. Table 396 Configuration > Log & Report > Log Setting > Edit (Remote Server) LABEL DESCRIPTION Log Settings for...
  • Page 977: Log Category Settings Screen

    Chapter 45 Log and Report Table 396 Configuration > Log & Report > Log Setting > Edit (Remote Server) (continued) LABEL DESCRIPTION Selection Use the Selection drop-down list to change the log settings for all of the log categories. disable all logs (red X) - do not send the remote server logs for any log category. enable normal logs (green check mark) - send the remote server log messages and alerts for all log categories.
  • Page 978 Chapter 45 Log and Report Figure 696 Log Category Settings AC
  • Page 979 Chapter 45 Log and Report Figure 697 Log Category Settings AP This screen provides a different view and a different way of indicating which messages are included in each log and each alert. Please see Section 45.3.2 on page 967, where this process is discussed. (The Default category includes debugging messages generated by open source software).
  • Page 980 Chapter 45 Log and Report Table 397 Configuration > Log & Report > Log Setting > Log Category Settings (continued) LABEL DESCRIPTION E-mail Server 1 Use the E-Mail Server 1 drop-down list to change the settings for e-mailing logs to e-mail server 1 for all log categories.
  • Page 981 Chapter 45 Log and Report Table 397 Configuration > Log & Report > Log Setting > Log Category Settings (continued) LABEL DESCRIPTION Remote Server For each remote server, select what information you want to log from each Log Category (except All Logs; see below). Choices are: disable all logs (red X) - do not log any information from this category enable normal logs (green check mark) - log regular information and alerts from this category enable normal logs and debug logs (yellow check mark) - log regular information, alerts, and...
  • Page 982: File Manager

    File Manager 46.1 Overview Configuration files define the Zyxel Device’s settings. Shell scripts are files of commands that you can store on the Zyxel Device and run when you need them. You can apply a configuration file or run a shell script without the Zyxel Device restarting.
  • Page 983 Chapter 46 File Manager These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below. Figure 698 Configuration File / Shell Script: Example
      # enter configuration mode
      configure terminal
      # change administrator password
      username admin password 4321 user-type admin
      # configure ge3...
  • Page 984: The Configuration File Screen

    Chapter 46 File Manager Line 3 in the following example exits sub command mode. interface ge1 ip address dhcp Lines 1 and 3 in the following example are comments and line 4 exits sub command mode. interface ge1 # this interface is a DHCP client Lines 1 and 2 are comments.
  • Page 985 Chapter 46 File Manager Configuration File Flow at Restart • If there is not a startup-config.conf when you restart the Zyxel Device (whether through a management interface or by physically turning the power off and back on), the Zyxel Device uses the system-default.conf configuration file with the Zyxel Device’s default settings.
  • Page 986 Chapter 46 File Manager The following table describes the labels in this screen. Table 399 Maintenance > File Manager > Configuration File LABEL DESCRIPTION Rename Use this button to change the label of a configuration file on the Zyxel Device. You can only rename manually saved configuration files.
  • Page 987 Chapter 46 File Manager Table 399 Maintenance > File Manager > Configuration File (continued) LABEL DESCRIPTION Apply Use this button to have the Zyxel Device use a specific configuration file. Click a configuration file’s row to select it and click Apply to have the Zyxel Device use that configuration file.
  • Page 988: Firmware Management

    Chapter 46 File Manager Table 399 Maintenance > File Manager > Configuration File (continued) LABEL DESCRIPTION Last Modified This column displays the date and time that the individual configuration files were last changed or saved. Upload Configuration File The bottom part of the screen allows you to upload a new or previously saved configuration file from your computer to your Zyxel Device. You cannot upload a configuration file named system-default.conf or lastgood.conf.
  • Page 989: Cloud Helper

    Chapter 46 File Manager become the active device. Don’t select the Reboot prompt after uploading firmware to the passive device if you want the passive device to remain passive when new firmware is uploaded. Alternatively, disable Device HA Pro if you want to just upload firmware to the active Zyxel Device. 46.3.2 Cloud Helper Cloud Helper lets you know if there is a later firmware available on the Cloud Helper server and lets you download it if there is.
  • Page 990 Chapter 46 File Manager The following table explains the Upgrade icons in the web configurator. Table 400 Cloud Helper Firmware Icons Cloud Helper New A later firmware is available on the Cloud Helper Server. Click this icon to display a What’s New pop-up screen. You need a Firmware Upgrade license to upgrade the firmware.
  • Page 991: The Firmware Management Screen

    Chapter 46 File Manager 46.3.3 The Firmware Management Screen Click Maintenance > File Manager > Firmware Management to open the Firmware Management screen. Figure 703 Maintenance > File Manager > Firmware Management The following table describes the labels in this screen. Table 401 Maintenance >...
  • Page 992 Chapter 46 File Manager Table 401 Maintenance > File Manager > Firmware Management (continued) LABEL DESCRIPTION Version This is the firmware version and the date created. Released Date This is the date that the version of the firmware was created. Upgrade A cloud helper icon displays if there is a later firmware on the Cloud Server than the firmware in the partition.
  • Page 993: Firmware Upgrade Via Usb Stick

    Chapter 46 File Manager If the upload was not successful, the following message appears in the status bar at the bottom of the screen. Figure 706 Firmware Upload Error 46.3.4 Firmware Upgrade via USB Stick In addition to uploading firmware via the web configurator or console port (see the CLI Reference Guide), you can also upload firmware directly from a USB stick connected to the Zyxel Device.
  • Page 994 Chapter 46 File Manager Click Maintenance > File Manager > Shell Script to open the Shell Script screen. Use the Shell Script screen to store, name, download, upload and run shell script files. You can store multiple shell script files on the Zyxel Device at the same time.
  • Page 995 Table 402 Maintenance > File Manager > Shell Script (continued) LABEL DESCRIPTION Copy Use this button to save a duplicate of a shell script file on the Zyxel Device. Click a shell script file’s row to select it and click Copy to open the Copy File screen. Figure 709 Maintenance >...
  • Page 996: Diagnostics

    Chapter 47 Diagnostics 47.1 Overview Use the diagnostics screens for troubleshooting. 47.1.1 What You Can Do in this Chapter • Use the Diagnostics screens (see Section 47.2 on page 996) to generate a file containing the Zyxel Device’s configuration and diagnostic information if you need to provide it to customer support during troubleshooting.
  • Page 997: The Diagnostics Collect Screen

    Chapter 47 Diagnostics 47.2.1 The Diagnostics Collect Screen When you click Collect Now, a series of commands are run to display information about the Zyxel Device. This is an example of a default script with interface diagnostic commands.
      debug interface ifconfig
      debug interface show event_sink
      debug interface show interface_obj
      debug switch table...
  • Page 998: The Diagnostics Collect On Ap Screen

    Chapter 47 Diagnostics Table 403 Maintenance > Diagnostics > Collect (continued) LABEL DESCRIPTION Size This is the size of the most recently created diagnostic file. Upload the cmd file as the customized script Select this to upload a customized shell script to display information about the Zyxel Device.
  • Page 999: The Diagnostics Files Screen

    Chapter 47 Diagnostics The following table describes the labels in this screen. Table 404 Maintenance > Diagnostics > Collect on AP LABEL DESCRIPTION AP General Setting Available APs This text box lists the managed APs that are connected and available. Select the managed APs that you want the Zyxel Device to generate a diagnostic file containing their configuration, and click the right arrow button to add them.
  • Page 1000: The Packet Capture Screen

    Chapter 47 Diagnostics Table 405 Maintenance > Diagnostics > Files (continued) LABEL DESCRIPTION File Name This column displays the label that identifies the file. Size This column displays the size (in bytes) of a file. Last Modified This column displays the date and time that the individual files were saved. 47.3 The Packet Capture Screen Use this screen to capture network traffic going through the Zyxel Device’s interfaces.
