Page 3
www.zyxel.com
What Could Go Wrong? .............. 84
How to Configure IPSec Site to Site VPN while one Site is behind a NAT router .............. 86
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ) .............. 86
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch) ..............
Test the IPSec VPN Tunnel .............. 156
What Could Go Wrong? .............. 159
How to Configure IPSec VPN with ZyWALL IPSec VPN Client .............. 160
Set Up the ZyWALL/USG IPSec VPN Tunnel .............. 161
Set Up the ZyWALL IPSec VPN Client .............. 165
Test the IPSec VPN Tunnel ..............
Set up the Failover Command Line (ZyWALL/USG HQ) .............. 238
Test the IPSec VPN Tunnel .............. 239
What Could Go Wrong? .............. 241
How to Configure L2TP over IPSec VPN while the ZyWALL/USG is behind a NAT router .............. 243
Set Up the L2TP VPN Tunnel on the ZyWALL/USG_HQ ..............
Set Up the L2TP VPN Tunnel on the iOS Mobile Device .............. 303
Test the L2TP over IPSec VPN Tunnel .............. 306
What Could Go Wrong? .............. 308
How to Configure 2 factor for VPN connection? .............. 309
Set up the ZyWALL/USG IPSec VPN Tunnel .............. 310
Set up the ZyWALL IPSec VPN Client ..............
Set Up the SSL VPN Tunnel on the ZyWALL/USG .............. 358
Set Up the SSL VPN Tunnel on the Apple MAC OS X 10.10 Operating System .............. 361
Test the SSL VPN Tunnel .............. 365
What Could Go Wrong? .............. 368
How To Configure SSL VPN for Remote Access Mobile Devices ..............
How to block HTTPS websites by Domain Filter without applying SSL Inspection .............. 415
Set Up the Content Filter on the ZyWALL/USG .............. 416
Set Up the Security Policy on the ZyWALL/USG .............. 419
Set Up the System Policy on the ZyWALL/USG .............. 419
Test the Result ..............
Set Up the ZyWALL/USG Email Logs Setting .............. 449
Test the Email Log .............. 450
What Could Go Wrong? .............. 451
How to Setup and send logs to a Syslog Server .............. 452
Set Up the Syslog Server (Use Papertrail syslog in this example) .............. 452
Set Up the ZyWALL/USG Remote Server Setting ..............
Check the Capture Files .............. 497
How to Automatically Reboot the ZyWALL/USG by Schedule .............. 498
Set Up the Shell Script .............. 499
Set Up the Schedule Run .............. 500
Check the Reboot Status .............. 502
How To Schedule YouTube Access .............. 504
Set Up the Schedule on the ZyWALL/USG ..............
Test the Result .............. 536
What Could Go Wrong? .............. 537
How To Block Facebook .............. 538
Set Up the Content Filter on the ZyWALL/USG .............. 539
Set Up the SSL Inspection on the ZyWALL/USG .............. 539
Set Up the Security Policy on the ZyWALL/USG .............. 541
Export Certificate from ZyWALL/USG and Import it to Windows 7 Operating System ..............
Test the Result .............. 578
What Could Go Wrong? .............. 579
How does Anti-Malware work .............. 580
Enable Anti-Malware function to protect your traffic .............. 581
Test the result .............. 582
Additional configuration .............. 582
What can go wrong .............. 583
How to Configure an Email Security Policy with Mail Scan and DNSBL .............. 584
Set Up the Email Security on ATP Series ..............
Set Up the Bandwidth Management for BitTorrent on the ZyWALL/USG .............. 611
Set Up the Bandwidth Management Global Setting on the ZyWALL/USG .............. 613
Test the Result .............. 613
What Could Go Wrong? .............. 614
How to Configure a Trunk for WAN Load Balancing with a Static or Dynamic IP Address ..............
Upload the Configuration Files from the ZyWALL/USG .............. 636
What Could Go Wrong? .............. 636
How to Manage ZyWALL/USG Firmware .............. 637
Download the Current Firmware Version from ZyXEL.com .............. 638
Upload the Firmware on the ZyWALL/USG .............. 639
What Could Go Wrong? ..............
Set Up the Security Policy on the ZyWALL/USG .............. 673
Test the Result .............. 674
What Could Go Wrong? .............. 674
How to Set Up a WiFi Network with ZyXEL APs .............. 676
Set Up the AP Management on the ZyWALL/USG .............. 677
Test the Result ..............
How to Set Up an IPv6 6to4 Tunnel .............. 718
Set Up the LAN IPv6 Interface on the ZyWALL/USG .............. 719
Set Up the 6to4 Tunnel on the ZyWALL/USG .............. 721
Test the Result .............. 722
What Could Go Wrong? .............. 723
How to Set Up an IPv6-in-IPv4 Tunnel ..............
How to setup Two-Factor Authentication for admin login .............. 748
Setup SMTP function on your device .............. 748
Create admin type user on device .............. 749
Setup Two-Factor Authentication for admin on your device .............. 750
Test the Result .............. 751
What Can Go Wrong? ..............
What Can Go Wrong? .............. 779
How to Configure Schedule Reboot in Device HA .............. 781
Configurations .............. 781
Verification .............. 782
What could go wrong .............. 782
How to Configure Reputation Filter- DNS Filter .............. 784
Set Up the DNS Filter on ATP Series .............. 785
Test the Result ..............
How to Configure Site-to-site IPSec VPN with Amazon VPC

This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and an Amazon VPC platform. The example explains how to configure the VPN tunnel at each site. When the VPN tunnel is configured, each site can be accessed securely.

Set Up the IPSec VPN Tunnel on the Amazon VPC

Sign in to the Amazon AWS Management Console. Go to Networking > VPC.

Amazon AWS Management Console > Networking > VPC

In the upper left-hand corner of the screen, click Start VPC Wizard.

Amazon VPC Management Console >...

Select a VPC Configuration > VPC with a Private Subnet Only and Hardware VPN Access

Under VPC with a Private Subnet Only and Hardware VPN, add your IP CIDR block and private subnet. Click Next.

VPC with a Private Subnet Only and Hardware VPN

21/810...

Configure your VPN: add your ZyWALL/USG public IP address as the Customer Gateway IP. Name your Customer Gateway and your VPN Connection. Click Create VPC at the bottom of the blade.

Configure your VPN

In the VPC Dashboard, go to VPN Connections. Select Download Configuration from the upper bar.

VPC Dashboard > VPN Connections

Open the downloaded configuration .txt file; it displays the IKE SA, IPSec SA and Gateway IP address. Make sure all of these settings match your ZyWALL/USG's settings.

Configuration .txt File

Set Up the IPSec VPN Tunnel on the ZyWALL/USG

In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the Amazon VPC. Click Next.

Quick Setup >...

Choose Advanced to create a VPN rule with customized phase 1 and phase 2 settings and authentication method. Click Next.

Quick Setup > VPN Setup Wizard > Welcome > Wizard Type

Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters.

Then configure the Secure Gateway IP as the peer Amazon VPC's Gateway IP address (in the example, 52.39.135.203); select My Address to be the interface connected to the Internet. Set the Negotiation, Encryption, Authentication, Key Group and SA Life Time to values that Amazon VPC supports.

Continue to Phase 2 Settings to select the Encapsulation, Encryption, Authentication, and SA Life Time settings that Amazon VPC supports. Set Local Policy to the IP address range of the network connected to the ZyWALL/USG and Remote Policy to the IP address range of the network connected to the Amazon VPC.

Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)

Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN >...

Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings > Wizard Completed

Test the IPSec VPN Tunnel

Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected.

Ping from the local LAN to the AWS VPC private subnet for verification:

What Could Go Wrong?

If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1 Settings. Make sure your ZyWALL/USG Phase 1 Settings are supported in the Amazon VPC IKE Phase 1 setup list.
How to Configure Site-to-site IPSec VPN with Microsoft (MS) Azure

This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and a Microsoft (MS) Azure platform. The example explains how to configure the VPN tunnel at each site. When the VPN tunnel is configured, each site can be accessed securely.

Set Up the IPSec VPN Tunnel on the ZyWALL/USG

In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with MS Azure. Click Next.

Quick Setup >...

Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next.

Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)

Then configure the Secure Gateway IP as the peer MS Azure's Gateway IP address (in the example, 13.75.42.148);...

Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Phase 1 Setting)

Note: For more information about the IPsec parameters supported in MS Azure, see the Microsoft Azure documentation "About VPN devices for Site-to-Site VPN Gateway connections".

Continue to Phase 2 Settings to select the Encapsulation, Encryption, Authentication, and SA Life Time settings that MS Azure supports. Set Local Policy to the IP address range of the network connected to the ZyWALL/USG and Remote Policy to the IP address range of the network connected to MS Azure.

Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)

Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN >...

Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings > Wizard Completed

Set Up the IPSec VPN Tunnel on MS Azure

Sign in to the Windows Azure Management Portal. In the upper left-hand corner of the screen, click +New >...

Near the bottom of the Virtual Network blade, from the Select a deployment model list, select Resource Manager, and then click Create.

New > Networking > Virtual Network > Select a deployment model

On the Create virtual network page, enter the NAME for the VPN network. For example, VPN_Vnet_to_USG.

Then click the Create button. After clicking Create, you will see a tile on your dashboard that reflects the progress of your VNet. The tile changes as the VNet is being created.

New > Networking > Virtual Network > Create virtual network

In the portal, navigate to the virtual network you just created.

GatewaySubnet. You should not name it anything else, or the gateway will not work. Add the IP address range for your gateway. Click OK at the bottom of the blade to create the subnet.

VPN_Vnet_to_USG > Settings > Subnet > Add subnet

In the portal, go to New, then Networking.

For Gateway type, select VPN. For VPN type, select Policy-based. For Resource Group, the resource group is determined by the Virtual Network that you select. For Location, make sure it shows the location that both your Resource Group and VNet exist in.

New >...

gateway, you can use the same location as the virtual network gateway. But this is not required; the local network gateway can be in a different location. Click Create to create the local network gateway.

New > Networking > Local network gateway

Locate your virtual network gateway (VPN_Connection_to_USG in this example) and click Settings > Connection > Add connection. Name your connection. For Connection type, select Site-to-site (IPSec). For Virtual network gateway, the value is fixed because you are connecting from this gateway (VPN_GW_to_USG in this example).

When the connection is complete, you will see it appear in the Connections blade for your gateway.

VPN_Connection_to_USG > Settings > Connections

Test the IPSec VPN Tunnel

Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar.

Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and the Inbound (Bytes)/Outbound (Bytes) traffic.

MONITOR > VPN Monitor > IPSec

Go to Azure_Vnet_USG > Settings to check the tunnel DATA IN and DATA OUT.

VPN >...

To test whether or not a tunnel is working, ping from a computer at one site to a computer at the other. Ensure that both computers have Internet access.

PC behind ZyWALL/USG > Windows 7 > cmd > ping 10.1.0.33
PC behind MS Azure >...

What Could Go Wrong?

If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1 Settings. Make sure your ZyWALL/USG Phase 1 Settings are supported in the MS Azure IKE Phase 1 setup list.

MONITOR > Log

If you see that the Phase 1 IKE SA process is done but still get the [info] log message below, check the ZyWALL/USG Phase 2 Settings.
How to Configure GRE over IPSec VPN Tunnel

This example shows how to use the VPN Setup Wizard to create a GRE over IPSec VPN tunnel between ZyWALL/USG devices. The example explains how to configure the VPN tunnel at each site. When the GRE over IPSec VPN tunnel is configured, each site can be accessed securely.

Set Up the ZyWALL/USG GRE over IPSec VPN Tunnel of Corporate Network (HQ)

In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the FortiGate. Click Next.

Quick Setup >...

Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next.

Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)

Configure Secure Gateway IP as the Branch's WAN IP address (in the example, 111.250.184.80).

This screen provides a read-only summary of the VPN tunnel. Click Save.

Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)

Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...

Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not check the identity content of the remote IPSec router.

CONFIGURATION >...

Set Up the ZyWALL/USG GRE over IPSec VPN Tunnel of Corporate Network (Branch)

In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the FortiGate. Click Next.

Quick Setup >...

Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next.

Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)

Configure Secure Gateway IP as the HQ's WAN IP address (in the example, 61.228.245.247).

This screen provides a read-only summary of the VPN tunnel. Click Save.

Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)

Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...

Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not check the identity content of the remote IPSec router.

CONFIGURATION >...

CONFIGURATION > Network > Interface > Tunnel > Add

Test the GRE over IPSec VPN Tunnel

Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected.

Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and Inbound (Bytes)/Outbound (Bytes) Traffic.

MONITOR > VPN Monitor > IPSec

What Could Go Wrong?

If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1 Settings.
How to Configure Site-to-site IPSec VPN Where the Peer has a Static IP Address

This example shows how to use the VPN Setup Wizard to create a site-to-site VPN where the peer has a static IP address. The example explains how to configure the VPN tunnel at each site.

Quick Setup > VPN Setup Wizard > Welcome

Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and a pre-shared key as the authentication method. Click Next.

Quick Setup > VPN Setup Wizard > Wizard Type

Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next.

Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)

Configure Secure Gateway IP as the peer ZyWALL/USG's WAN IP address (in the example, 172.100.30.54). Type a secure Pre-Shared Key (8-32 characters). Set Local Policy to the IP address range of the network connected to the ZyWALL/USG and Remote Policy to the IP address range of the network connected to the peer ZyWALL/USG.

Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.

Quick Setup >...

Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch)

In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG. Click Next.

Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and to use a pre-shared key. Click Next.

Quick Setup > VPN Setup Wizard > Wizard Type

Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters.

Configure Secure Gateway IP as the peer ZyWALL/USG's WAN IP address (in the example, 172.101.30.68). Type a secure Pre-Shared Key (8-32 characters). Set Local Policy to the IP address range of the network connected to the ZyWALL/USG and Remote Policy to the IP address range of the network connected to the peer ZyWALL/USG.

Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.

Quick Setup >...

Test the IPSec VPN Tunnel

Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected.

CONFIGURATION > VPN > IPSec VPN > VPN Connection

Go to ZyWALL/USG MONITOR >...

PC at Branch Office > Windows 7 > cmd > ping 192.168.1.33

What Could Go Wrong?

If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1 Settings. Both the HQ and Branch ZyWALL/USG must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.

MONITOR > Log

Make sure the security policies on both the HQ and Branch ZyWALL/USG allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. NAT traversal is enabled by default on the ZyWALL/USG; make sure the remote IPSec device also has NAT traversal enabled.
How to Configure Site-to-site IPSec VPN Where the Peer has a Dynamic IP Address

This example shows how to use the VPN Setup Wizard to create a site-to-site VPN where the peer has a dynamic IP address. The example explains how to configure the VPN tunnel at each site.

(HQ)

In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG. Click Next.

Quick Setup > VPN Setup Wizard > Welcome

Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and a pre-shared key as the authentication method.

Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site with Dynamic Peer. Click Next.

Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)

Type a secure Pre-Shared Key (8-32 characters).

Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration)

This screen provides a read-only summary of the VPN tunnel. Click Save.

Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Summary)

Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...

Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not check the identity content of the remote IPSec router.

CONFIGURATION >...

(Branch has a Dynamic IP Address)

In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a Site-to-site VPN rule name.

Quick Setup > VPN Setup Wizard > Welcome

Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and to use a pre-shared key.

Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Click Next.

Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)

Configure Secure Gateway IP as the peer ZyWALL/USG's WAN IP address (in the example, 172.101.30.68).

Set Local Policy to the ZyWALL/USG local IP address that can use the VPN tunnel and Remote Policy to the peer ZyWALL/USG local IP address that can use the VPN tunnel. Click OK.

Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration)

This screen provides a read-only summary of the VPN tunnel.

Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not check the identity content of the remote IPSec router.

CONFIGURATION >...

Connection, click Connect on the upper bar. The Status connect icon is lit when the interface is connected.

CONFIGURATION > VPN > IPSec VPN > VPN Connection

Go to MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and Inbound (Bytes)/Outbound (Bytes) Traffic.

What Could Go Wrong?

If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1 Settings. Both the HQ and Branch ZyWALL/USG must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.

MONITOR > Log

Make sure the security policies on both the HQ and Branch ZyWALL/USG allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. NAT traversal is enabled by default on the ZyWALL/USG; make sure the remote IPSec device also has NAT traversal enabled.
How to Configure IPSec Site to Site VPN while one Site is behind a NAT router

This example shows how to use the VPN Setup Wizard to create an IPSec site-to-site VPN tunnel between ZyWALL/USG devices. The example explains how to configure the VPN tunnel at each site while one site is behind a NAT router.

Network (HQ)

In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the FortiGate. Click Next.

Quick Setup > VPN Setup Wizard > Welcome

Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and a pre-shared key as the authentication method.

Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)

Configure Secure Gateway IP as the Branch's WAN IP address (in the example, 172.100.30.40). Then type a secure Pre-Shared Key (8-32 characters). Set Local Policy to the IP address range of the network connected to the ZyWALL/USG (HQ) and Remote Policy to the IP address range of the network connected to the ZyWALL/USG (Branch).

Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.

CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type

Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch)

In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the FortiGate.

Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and a pre-shared key as the authentication method. Click Next.

Quick Setup > VPN Setup Wizard > Wizard Type

Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters.

Configure Secure Gateway IP as the Branch's WAN IP address (in the example, 172.100.20.30). Then type a secure Pre-Shared Key (8-32 characters). Set Local Policy to the IP address range of the network connected to the ZyWALL/USG (HQ) and Remote Policy to the IP address range of the network connected to the ZyWALL/USG (Branch).

Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.

CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type

Set Up the NAT Router (Using a ZyWALL USG device in this example)

Go to CONFIGURATION > Network > NAT > Add. Select the Incoming Interface on which packets for the NAT rule must be received.

Defined Original IP field and type the translated destination IP address that this NAT rule supports.

CONFIGURATION > Network > NAT > Add

Go to CONFIGURATION > Security Policy > Policy Control. IP forwarding must be enabled at the firewall for the following IP protocols and UDP ports: IP protocol = 50 →...

CONFIGURATION > Security Policy > Policy Control

Test the IPSec VPN Tunnel

Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected.

To test whether or not a tunnel is working, ping from a computer at one site to a computer at the other. Ensure that both computers have Internet access (via the IPSec devices).

PC behind ZyWALL/USG (HQ) > Windows 7 > cmd > ping 192.168.20.33
PC behind ZyWALL/USG (Branch) >...

If you see that the Phase 1 IKE SA process is done but still get the [info] log message below, check the ZyWALL/USG Phase 2 Settings. Both the HQ and Branch ZyWALL/USG must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IKE SA.

MONITOR >...
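The "What Could Go Wrong?" checks in the site-to-site examples above (matching Phase 1 parameters and pre-shared key, matching Phase 2 parameters, mirrored Local/Remote Policies, security policies that pass IKE, ESP and AH, and NAT traversal on both peers) can be run as a pre-flight script before clicking Connect. This is an added example, not Zyxel code: the site dictionaries, LAN ranges and key are constructed (the WAN addresses reuse the handbook's example values), and UDP 4500 for NAT traversal comes from the IPSec NAT-T standard rather than from this handbook.

```python
"""Pre-flight consistency check for a ZyWALL/USG site-to-site IPSec tunnel.

Constructed example, not Zyxel code: each site's wizard settings are
written down as a dict and compared before clicking Connect, so that the
Phase 1 / Phase 2 mismatches the handbook lists under "What Could Go
Wrong?" are caught before they appear as [info]/[error] lines in
MONITOR > Log.
"""
from ipaddress import ip_network

# Phase 1 (IKE SA) and Phase 2 (IPSec SA) fields that must be identical
# on both peers, as listed in the handbook.
PHASE1_MUST_MATCH = ("encryption", "authentication", "dh_group", "id_type")
PHASE2_MUST_MATCH = ("protocol", "encapsulation", "encryption",
                     "authentication", "pfs")

# Traffic each site's security policy must allow: IKE (UDP 500),
# NAT traversal (UDP 4500, from the NAT-T standard), ESP (IP 50), AH (IP 51).
REQUIRED_ALLOWS = {("udp", 500), ("udp", 4500), ("ip", 50), ("ip", 51)}


def check_site(site):
    """Checks limits that apply to one site on its own."""
    problems = []
    if not 1 <= len(site["rule_name"]) <= 31:
        problems.append(f"{site['name']}: rule name must be 1-31 characters")
    if not 8 <= len(site["phase1"]["psk"]) <= 32:
        problems.append(f"{site['name']}: pre-shared key must be 8-32 characters")
    for proto, num in sorted(REQUIRED_ALLOWS - set(site["allowed"])):
        problems.append(f"{site['name']}: security policy does not allow {proto} {num}")
    return problems


def check_tunnel(hq, branch):
    """Compares the two peers and returns a list of readable problems."""
    problems = check_site(hq) + check_site(branch)
    if hq["phase1"]["psk"] != branch["phase1"]["psk"]:
        problems.append("Phase 1: pre-shared keys differ")
    for phase, label, keys in (("phase1", "Phase 1", PHASE1_MUST_MATCH),
                               ("phase2", "Phase 2", PHASE2_MUST_MATCH)):
        for key in keys:
            a, b = hq[phase][key], branch[phase][key]
            if a != b:
                problems.append(f"{label}: {key} differs ({a} vs {b})")
    for me, peer in ((hq, branch), (branch, hq)):
        # Local Policy on one side must be the Remote Policy on the other.
        if ip_network(me["local_policy"]) != ip_network(peer["remote_policy"]):
            problems.append(f"{me['name']} local policy != {peer['name']} remote policy")
        # Secure Gateway IP must be the peer's WAN IP, unless the peer sits
        # behind a NAT router (then it is that router's public address).
        if not peer["behind_nat"] and me["secure_gateway"] != peer["wan_ip"]:
            problems.append(f"{me['name']}: Secure Gateway IP is not {peer['name']}'s WAN IP")
    behind_nat = hq["behind_nat"] or branch["behind_nat"]
    if behind_nat and not (hq["nat_traversal"] and branch["nat_traversal"]):
        problems.append("NAT traversal must be enabled on both peers when a site is behind a NAT router")
    return problems


# Constructed sample settings: WAN addresses follow the handbook's static-IP
# example; the LAN ranges, rule names and key are made up.
HQ = {
    "name": "HQ", "rule_name": "HQtoBranch",
    "wan_ip": "172.101.30.68", "secure_gateway": "172.100.30.54",
    "local_policy": "192.168.1.0/24", "remote_policy": "192.168.20.0/24",
    "behind_nat": False, "nat_traversal": True,
    "allowed": {("udp", 500), ("udp", 4500), ("ip", 50), ("ip", 51)},
    "phase1": {"psk": "example-psk-12345", "encryption": "AES128",
               "authentication": "SHA1", "dh_group": "DH2", "id_type": "IP"},
    "phase2": {"protocol": "ESP", "encapsulation": "Tunnel", "encryption": "AES128",
               "authentication": "SHA1", "pfs": "None"},
}
BRANCH = {
    "name": "Branch", "rule_name": "BranchToHQ",
    "wan_ip": "172.100.30.54", "secure_gateway": "172.101.30.68",
    "local_policy": "192.168.20.0/24", "remote_policy": "192.168.1.0/24",
    "behind_nat": False, "nat_traversal": True,
    "allowed": {("udp", 500), ("ip", 50), ("ip", 51)},   # UDP 4500 forgotten
    "phase1": {"psk": "example-psk-12345", "encryption": "AES128",
               "authentication": "SHA1", "dh_group": "DH5", "id_type": "IP"},  # DH mismatch
    "phase2": {"protocol": "ESP", "encapsulation": "Tunnel", "encryption": "AES128",
               "authentication": "SHA1", "pfs": "None"},
}


def example_report():
    """Runs the check on the sample pair; the two planted faults are reported."""
    return check_tunnel(HQ, BRANCH)


if __name__ == "__main__":
    for line in example_report() or ["no problems found"]:
        print(line)
```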
www.zyxel.com With just two branch offices, you could just manually set up VPN tunnels between HQ and the branches. With many branches it's best to use the VPN Concentrator to set up branch-HQ tunnels automatically. ZyWALL/USG Hub-and-Spoke VPN Example Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks.
Page 100
www.zyxel.com Quick Setup > VPN Setup Wizard > Welcome Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and use a pre-shared key to be the authentication method. Click Next. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type Type the Rule Name used to identify this VPN connection (and VPN gateway).
Page 101
www.zyxel.com Then, configure the Secure Gateway IP as the Branch A’s Gateway IP address (in the example, 172.16.20.1). Type a secure Pre-Shared Key (8-32 characters) which must match your Branch A’s Pre-Shared Key. Set Local Policy to be the IP address range of the network connected to the Hub_HQ and Remote Policy to be the IP address range of the network connected to the Branch A.
Page 102
www.zyxel.com Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration) This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...
www.zyxel.com Hub_HQ-to-Branch_B In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard, use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG. Click Next. Quick Setup > VPN Setup Wizard > Welcome 103/810...
Page 104
www.zyxel.com Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and use a pre-shared key to be the authentication method. Click Next. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type Type the Rule Name used to identify this VPN connection (and VPN gateway).
Page 105
www.zyxel.com Then, configure the Secure Gateway IP as the Branch B’s Gateway IP address (in the example, 172.16.30.1). Type a secure Pre-Shared Key (8-32 characters) which must match your Branch B’s Pre-Shared Key. Set Local Policy to be the IP address range of the network connected to the Hub_HQ and Remote Policy to be the IP address range of the network connected to the Branch B.
Page 106
www.zyxel.com Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration) This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...
www.zyxel.com Hub_HQ Concentrator In the ZyWALL/USG, go to CONFIGURATION > VPN > IPSec VPN > Concentrator, add a VPN Concentrator rule. Select VPN tunnels to be in the same member group and click Save. 107/810...
Spoke_Branch_A
In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard, use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG. Click Next. Quick Setup > VPN Setup Wizard > Welcome
Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and use a pre-shared key as the authentication method. Click Next. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type Type the Rule Name used to identify this VPN connection (and VPN gateway).
Then, configure the Secure Gateway IP as the Hub_HQ’s Gateway IP address (in the example, 172.16.10.1). Type a secure Pre-Shared Key (8-32 characters) which must match your Hub_HQ’s Pre-Shared Key. Set Local Policy to be the IP address range of the network connected to the Spoke_Branch_A and Remote Policy to be the IP address range of the network connected to the Hub_HQ.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration) This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...
Go to Network > Routing > Policy Route to add a Policy Route to allow traffic from Spoke_Branch_A to Spoke_Branch_B. Click Create new Object and set Address to be the local network behind the Spoke_Branch_B. Select Source Address to be the local network behind the Spoke_Branch_A. Then, scroll down the Destination Address list to choose the newly created Spoke_Branch_B_LOCAL address. Click OK. Network > Routing > Policy Route
Spoke_Branch_B
In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard, use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG.
Quick Setup > VPN Setup Wizard > Welcome Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and use a pre-shared key as the authentication method. Click Next. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type Type the Rule Name used to identify this VPN connection (and VPN gateway).
Then, configure the Secure Gateway IP as the Hub_HQ’s Gateway IP address (in the example, 172.16.10.1). Type a secure Pre-Shared Key (8-32 characters) which must match your Hub_HQ’s Pre-Shared Key. Set Local Policy to be the IP address range of the network connected to the Spoke_Branch_B and Remote Policy to be the IP address range of the network connected to the Hub_HQ.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration) This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...
Go to Network > Routing > Policy Route to add a Policy Route to allow traffic from Spoke_Branch_B to Spoke_Branch_A. Click Create new Object and set Address to be the local network behind the Spoke_Branch_A. Select Source Address to be the local network behind the Spoke_Branch_B. Then, scroll down the Destination Address list to choose the newly created Spoke_Branch_A_LOCAL address. Click OK. Network > Routing > Policy Route
Test the IPSec VPN Tunnel
Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection, click Connect on the upper bar. The Status connect icon is lit when the interface is connected. Hub_HQ > CONFIGURATION > VPN > IPSec VPN > VPN Connection Spoke_Branch_A >...
Spoke_Branch_B > MONITOR > VPN Monitor > IPSec
What Could Go Wrong?
If you see an [info] or [error] log message such as the one below, please check the ZyWALL/USG Phase 1 Settings. All ZyWALL/USG units must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
If you see that the Phase 1 IKE SA process is done but you still get an [info] log message as below, please check the ZyWALL/USG and SonicWALL Phase 2 Settings. All ZyWALL/USG units must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IKE SA. Make sure all ZyWALL/USG units’...
Set Up the IPSec VPN Tunnel of ZyWALL/USG without Using VPN Concentrator
Hub_HQ-to-Branch_A
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and select Enable. Type the VPN Gateway Name used to identify this VPN gateway. Then, configure the Secure Gateway IP as the Branch A’s Gateway IP address (in the example, 172.16.20.1).
Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select the scenario as Site-to-site and the VPN Gateway which was configured in Step 1. CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway
Click Create new Object on the upper bar to add the address range of the local network behind Hub_HQ to Branch_B and an address of the local network behind Branch A. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object Local Policy Remote Policy Set Local Policy to be HQ-to-Branch_B and Remote Policy to Branch_A which are...
Hub_HQ-to-Branch_B
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway, select Enable. Type the VPN Gateway Name used to identify this VPN gateway. Then, configure the Secure Gateway IP as the Branch B’s Gateway IP address (in the example, 172.16.30.1).
Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select the scenario as Site-to-site and the VPN Gateway which was configured in Step 1. CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway
Click Create new Object on the upper bar to add the address range of the local network behind Hub_HQ to Branch_A and an address of the local network behind Branch B. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object Local Policy Remote Policy Set Local Policy to be HQ-to-Branch_B and Remote Policy to Branch_B which are...
Spoke_Branch_A
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway, select Enable. Type the VPN Gateway Name used to identify this VPN gateway. Then, configure the Secure Gateway IP as the Hub_HQ’s Gateway IP address (in the example, 172.16.10.1). Type a secure Pre-Shared Key (8-32 characters) which must match your Hub_HQ’s Pre-Shared Key and click OK.
Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select the scenario as Site-to-site and the VPN Gateway which was configured in Step 1. CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway
Click Create new Object on the upper bar to add the address of the local network behind Branch A and the address range of the local network behind Hub_HQ to Branch_B. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object Local Policy Remote Policy Set Local Policy to be Branch_A and Remote Policy to HQ-to-Branch_B which are...
Spoke_Branch_B
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway, select Enable. Type the VPN Gateway Name used to identify this VPN gateway. Then, configure the Secure Gateway IP as the Hub_HQ’s Gateway IP address (in the example, 172.16.10.1). Type a secure Pre-Shared Key (8-32 characters) which must match your Hub_HQ’s Pre-Shared Key and click OK.
Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select the scenario as Site-to-site and the VPN Gateway which was configured in Step 1. CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway
Click Create new Object on the upper bar to add the address of the local network behind Branch B and the address range of the local network behind Hub_HQ to Branch_A. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object Local Policy Remote Policy Set Local Policy to be Branch_B and Remote Policy to HQ-to-Branch_A which are...
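To see why, without a VPN Concentrator, the hub's Local Policy toward each spoke must include the other spoke's network (the HQ-to-Branch_B and HQ-to-Branch_A address ranges above, mirrored by each spoke's Remote Policy), here is an added Python model of those Phase 2 policies; it is not Zyxel code, and the LAN ranges 192.168.1.0/24 (HQ), 192.168.10.0/24 (Branch A) and 192.168.20.0/24 (Branch B) are constructed assumptions, since the guide only gives gateway addresses. It traces a spoke-to-spoke packet through the hub and shows where it is discarded when the hub offers only its own LAN.

```python
"""Added model of ZyWALL/USG Phase 2 policies (Local Policy / Remote Policy) in a
hub-and-spoke VPN without a VPN Concentrator. Not Zyxel code; LAN ranges are
constructed assumptions (the guide only gives gateway addresses)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


def nets(*cidrs: str) -> List[Net]:
    return [ipaddress.ip_network(c) for c in cidrs]


@dataclass
class VpnConnection:
    name: str
    peer: str                 # site at the far end of the tunnel
    local_policy: List[Net]   # VPN Connection > Policy > Local Policy
    remote_policy: List[Net]  # VPN Connection > Policy > Remote Policy

    def sends(self, src: Addr, dst: Addr) -> bool:
        """Outbound match: local selector covers src, remote selector covers dst."""
        return any(src in n for n in self.local_policy) and any(dst in n for n in self.remote_policy)

    def accepts(self, src: Addr, dst: Addr) -> bool:
        """Inbound match on the receiving peer: the mirror image of sends()."""
        return any(src in n for n in self.remote_policy) and any(dst in n for n in self.local_policy)


@dataclass
class Site:
    name: str
    lan: List[Net]
    connections: List[VpnConnection]

    def tunnel_to(self, peer: str) -> Optional[VpnConnection]:
        return next((c for c in self.connections if c.peer == peer), None)


def trace(sites: Dict[str, Site], start: str, src: str, dst: str) -> Tuple[List[str], bool]:
    """Walk a packet from `start`; return (sites visited, delivered?)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    path, site = [start], sites[start]
    for _ in range(len(sites)):  # bounded walk: a longer path would be a loop
        if any(d in n for n in site.lan):
            return path, True  # destination is on this site's LAN
        out = next((c for c in site.connections if c.sends(s, d)), None)
        if out is None:
            return path, False  # no outbound Phase 2 selector covers this flow
        peer = sites[out.peer]
        path.append(peer.name)
        back = peer.tunnel_to(site.name)
        if back is None or not back.accepts(s, d):
            return path, False  # peer's selectors do not mirror ours: discarded on arrival
        site = peer
    return path, False


# Constructed LAN ranges behind each unit (assumptions, not from the guide).
HQ_LAN, A_LAN, B_LAN = "192.168.1.0/24", "192.168.10.0/24", "192.168.20.0/24"


def build(hub_covers_other_spoke: bool) -> Dict[str, Site]:
    """The guide's design: the hub's Local Policy toward Branch A is the
    HQ-to-Branch_B range (HQ LAN plus Branch B LAN) and toward Branch B the
    HQ-to-Branch_A range, mirrored by each spoke's Remote Policy.
    With the flag False the hub offers only its own LAN, a common mistake."""
    hq_to_a = nets(HQ_LAN, A_LAN) if hub_covers_other_spoke else nets(HQ_LAN)
    hq_to_b = nets(HQ_LAN, B_LAN) if hub_covers_other_spoke else nets(HQ_LAN)
    hub = Site("Hub_HQ", nets(HQ_LAN), [
        VpnConnection("Hub_HQ-to-Branch_A", "Spoke_Branch_A", hq_to_b, nets(A_LAN)),
        VpnConnection("Hub_HQ-to-Branch_B", "Spoke_Branch_B", hq_to_a, nets(B_LAN)),
    ])
    spoke_a = Site("Spoke_Branch_A", nets(A_LAN), [
        VpnConnection("Spoke_Branch_A", "Hub_HQ", nets(A_LAN), nets(HQ_LAN, B_LAN))])
    spoke_b = Site("Spoke_Branch_B", nets(B_LAN), [
        VpnConnection("Spoke_Branch_B", "Hub_HQ", nets(B_LAN), nets(HQ_LAN, A_LAN))])
    return {s.name: s for s in (hub, spoke_a, spoke_b)}


if __name__ == "__main__":
    for flag in (True, False):
        path, ok = trace(build(flag), "Spoke_Branch_A", "192.168.10.33", "192.168.20.33")
        print(f"hub covers other spoke={flag}: {' -> '.join(path)} delivered={ok}")
```

With the hub offering only its own LAN the packet leaves Spoke_Branch_A but is discarded at Hub_HQ, which is exactly the case where the spoke log shows the tunnel up while spoke-to-spoke pings fail.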
Test the IPSec VPN Tunnel
Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection, click Connect on the upper bar. The Status connect icon is lit when the interface is connected. Hub_HQ > CONFIGURATION > VPN > IPSec VPN > VPN Connection Spoke_Branch_A >...
Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and the Inbound(Bytes)/Outbound(Bytes) traffic. Click Connectivity Check to verify the result of the ICMP connectivity test. Hub_HQ > MONITOR > VPN Monitor > IPSec > Hub_HQ-to-Branch_A Hub_HQ >...
What Could Go Wrong?
If you see an [info] or [error] log message such as the one below, please check the ZyWALL/USG Phase 1 Settings. All ZyWALL/USG units must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
If you see that the Phase 1 IKE SA process is done but you still get an [info] log message as below, please check the ZyWALL/USG and SonicWALL Phase 2 Settings. All ZyWALL/USG units must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IKE SA. Make sure all ZyWALL/USG units’...
How to Use Dual-WAN to Perform Fail-Over on VPN Using the VPN Concentrator
This is an example of using Dual-WAN to perform fail-over on a hub-and-spoke VPN with the HQ ZyWALL/USG as the hub and spoke VPNs to Branches A and B. When the VPN tunnel is configured, traffic passes between branches via the hub (HQ).
Set Up the IPSec VPN Tunnel on the ZyWALL/USG
Hub_HQ-to-Branch_A
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway, select Enable. Type the VPN Gateway Name used to identify this VPN gateway. Then, configure the Primary Gateway IP as the Branch A’s wan1 IP address (in the example, 172.16.20.1) and the Secondary Gateway IP as the Branch A’s wan2 IP address (in the example, 172.100.120.1).
Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select the scenario as Site-to-site and the VPN Gateway which was configured in Step 1. CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway
Click Create new Object to add the address of the local network behind Hub_HQ and an address of the local network behind Branch A. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object Local Policy Remote Policy Set Local Policy to be Hub_HQ and Remote Policy to Branch_A which are newly created.
Hub_HQ-to-Branch_B
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway, select Enable. Type the VPN Gateway Name used to identify this VPN gateway. Then, configure the Primary Gateway IP as the Branch B’s wan1 IP address (in the example, 172.16.30.1) and the Secondary Gateway IP as the Branch B’s wan2 IP address (in the example, 172.100.130.1).
Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection to enable the VPN Connection. Select the scenario as Site-to-site and the VPN Gateway which was configured in Step 1. CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway
Click Create new Object to add an address of the local network behind Hub_HQ and an address of the local network behind Branch B. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object Local Policy Remote Policy Set Local Policy to be Hub_HQ and Remote Policy to Branch_B which are newly created.
Hub_HQ Concentrator
In the ZyWALL/USG, go to CONFIGURATION > VPN > IPSec VPN > Concentrator, add a VPN Concentrator rule. Select the VPN tunnels to be in the same member group and click Save.
Spoke_Branch_A
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway, select Enable. Type the VPN Gateway Name used to identify this VPN gateway. Then, configure the Primary Gateway IP as the Hub_HQ’s wan1 IP address (in the example, 172.16.10.1) and the Secondary Gateway IP as the Hub_HQ’s wan2 IP address (in the example, 172.100.110.1).
Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select the scenario as Site-to-site and the VPN Gateway which was configured in Step 1. CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway
Click Create new Object to add the address of the local network behind Branch A and an address of the local network behind Hub_HQ. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object Local Policy Remote Policy Set Local Policy to be Spoke_Branch_A_LOCAL and Remote Policy to Hub_HQ which are newly created.
Go to Network > Routing > Policy Route to add a Policy Route to allow traffic from Spoke_Branch_A to Spoke_Branch_B. Click Create new Object and set the address to be the local network behind the Spoke_Branch_B. Select Source Address to be the local network behind the Spoke_Branch_A.
address (in the example, 172.100.110.1). Select Fall back to Primary Peer Gateway when possible and set the desired Fall Back Check Interval time. Type a secure Pre-Shared Key (8-32 characters) which must match your Hub_HQ’s Pre-Shared Key and click OK. CONFIGURATION >...
Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select the scenario as Site-to-site and the VPN Gateway which was configured in Step 1. CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway Click Create new Object to add the address of the local network behind Branch B and an address of the local network behind Hub_HQ.
Set Local Policy to be Spoke_Branch_B_LOCAL and Remote Policy to Hub_HQ which are newly created. Click OK. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Policy Go to Network > Routing > Policy Route to add a Policy Route to allow traffic from Spoke_Branch_B to Spoke_Branch_A.
Test the IPSec VPN Tunnel
Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection, click Connect on the upper bar. The Status connect icon is lit when the interface is connected. Hub_HQ > CONFIGURATION > VPN > IPSec VPN > VPN Connection Spoke_Branch_A >...
Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and the Inbound(Bytes)/Outbound(Bytes) traffic. Click Connectivity Check to verify the result of the ICMP connectivity test. Hub_HQ > MONITOR > VPN Monitor > IPSec > Hub_HQ-to-Branch_A Hub_HQ >...
What Could Go Wrong?
If you see an [info] or [error] log message such as the one below, please check the ZyWALL/USG Phase 1 Settings. All ZyWALL/USG units must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
How to Configure IPSec VPN with ZyWALL IPSec VPN Client
This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and a ZyWALL IPSec VPN Client. The example instructs how to configure the VPN tunnel between each site. When the VPN tunnel is configured, each site can be accessed securely.
Set Up the ZyWALL/USG IPSec VPN Tunnel
In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard, use the VPN Settings for Configuration Provisioning wizard to create a VPN rule that can be used with the ZyWALL IPSec VPN Client. Click Next. Quick Setup >...
Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Click Next. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings-1 Type a secure Pre-Shared Key (8-32 characters).
This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings-3 Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...
Go to CONFIGURATION > VPN > IPSec VPN > Configuration Provisioning. In the General Settings section, select Enable Configuration Provisioning. Then, go to the Configuration section and click Add to bind a configured VPN Connection to an Allowed User. Click Activate and Apply to save the configuration. CONFIGURATION >...
Set Up the ZyWALL IPSec VPN Client
Download the ZyWALL IPSec VPN Client software from the ZyXEL Download Library: http://www.zyxel.com/support/download_landing.shtml Open the ZyWALL IPSec VPN Client and select CONFIGURATION > Get from Server. CONFIGURATION > Get from Server Enter the WAN IP address or URL of the ZyWALL/USG in the Gateway Address. If you changed the default HTTPS port on the ZyWALL/USG, enter the new one here.
CONFIGURATION > Get from Server > Step 1: Authentication CONFIGURATION > Get from Server > Step 2: Processing
Then, you will see the Configuration successful page; click OK to exit the wizard. CONFIGURATION > Get from Server > Configuration successful
Go to VPN Configuration > IKEv1, right-click WIZ_VPN_PROVISIONING and select Open tunnel. You will see Tunnel opened at the bottom right of the screen. VPN CONFIGURATION > IKE V1 > WIZ_VPN_PROVISIONING > Open tunnel
Test the IPSec VPN Tunnel
Go to ZyWALL/USG CONFIGURATION >...
Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and Inbound(Bytes)/Outbound(Bytes) Traffic. MONITOR > VPN Monitor > IPSec To test whether or not a tunnel is working, ping from a computer at one site to a computer at the other.
What Can Go Wrong?
If you see an [info] log message such as the one below, please make sure both the ZyWALL/USG and the ZyWALL IPSec VPN Client use the same Pre-Shared Key to establish the IKE MONITOR > Log If you see an [info] or [error] log message such as the one below, please check the ZyWALL/USG Phase 1 Settings.
Make sure the HTTPS service port on the IPSec VPN Client application is available. Make sure the To-ZyWALL security policies allow IPSec VPN traffic to the ZyWALL/USG. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50.
How to Configure Site-to-site IPSec VPN with FortiGate
This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and a FortiGate router. The example instructs how to configure the VPN tunnel between each site.
Set Up the IPSec VPN Tunnel on the ZyWALL/USG
In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard, use the VPN Settings wizard to create a VPN rule that can be used with the FortiGate. Click Next. Quick Setup >...
Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Configure the Secure Gateway IP as the FortiGate’s WAN IP address (in the example, 172.100.30.40).
This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show Advanced Settings. Configure Authentication > Peer ID Type as Any so that the ZyWALL/USG does not check the identity content of the remote IPSec router. CONFIGURATION >...
Type the Name used to identify this VPN connection and configure the Remote Gateway IP as the peer ZyWALL/USG’s WAN IP address. Select the Interface which is connected to the Internet. VPN > IPsec > Wizard > Custom VPN Tunnel (No Template) > Network Go to the Authentication section, enter the Pre-shared Key and choose the same negotiation Mode as the peer ZyWALL/USG’s.
Configure the Phase 1 Proposal and Diffie-Hellman Group to match the peer ZyWALL/USG Advanced Settings’ Phase 1 Settings > Proposal and Key Group. VPN > IPsec > Wizard > Custom VPN Tunnel (No Template) > Phase 1 Proposal Go to Phase 2 Selectors > Advanced and configure the Phase 2 Proposal to match the peer ZyWALL/USG Advanced Settings’...
This screen provides a summary of the VPN tunnel. Click OK to exit the configuration page. VPN > IPsec > Wizard > Custom VPN Tunnel (No Template)
Test the IPSec VPN Tunnel
Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection, click Connect on the upper bar. The Status connect icon is lit when the interface is connected. CONFIGURATION > VPN > IPSec VPN > VPN Connection Go to ZyWALL/USG MONITOR >...
PC behind FortiGate > Windows 7 > cmd > ping 192.168.1.33
What Could Go Wrong?
If you see the [info] or [error] log message below, please check the ZyWALL/USG Phase 1 Settings. Both the ZyWALL/USG and the FortiGate must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
please check the ZyWALL/USG and FortiGate Phase 2 Settings. Both the ZyWALL/USG and the FortiGate must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IKE SA. MONITOR > Log Make sure that both the ZyWALL/USG and FortiGate security policies allow IPSec VPN traffic.
How to Configure Site-to-site IPSec VPN with WatchGuard
This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and a WatchGuard router. The example instructs how to configure the VPN tunnel between each site. When the VPN tunnel is configured, each site can be accessed securely.
Set Up the IPSec VPN Tunnel on the ZyWALL/USG
In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard, use the VPN Settings wizard to create a VPN rule that can be used with the WatchGuard. Click Next. Quick Setup >...
Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Configure the Secure Gateway IP as the WatchGuard’s WAN IP address (in the example, 172.100.30.63).
This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...
your ZyWALL/USG’s WAN IP Address (in the example, 172.101.30.73). Then, configure Authentication > Remote ID Type as IPv4 and set the Content as your WatchGuard’s External IP Address (in the example, 172.100.30.63). Click OK. CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication >...
In the WatchGuard VPN > Branch Office VPN > Gateway > General Settings, create a Site-to-site VPN Gateway Name and set a secure Pre-Shared Key. VPN > Branch Office VPN > Gateway > General Settings > Credential Method To add a Gateway Endpoint, click Add. VPN >...
Then, go to VPN > Branch Office VPN > Gateway > Phase 1 Settings and select the same negotiation Mode as your ZyWALL/USG’s Phase 1 Settings. Make sure you enable both the NAT Traversal and Dead Peer Detection options if both options are enabled in the ZyWALL/USG.
Then, go to VPN > Branch Office VPN > Tunnel to add Tunnel Route Settings. In the Local IP section, set the Network IP to be the IP address range of the network connected to the WatchGuard. In the Remote IP section, set the Network IP to be the IP address range of the network connected to the ZyWALL/USG.
Go to VPN > Branch Office VPN > Tunnel > Phase 2 Settings to create a Tunnel Name. Then, select the Gateway. Make sure you enable Perfect Forward Secrecy and select Diffie-Hellman Group 2. Then, scroll down to Phase 2 Proposals and add the encryption types to match your ZyWALL/USG’s VPN Connection >...
Test the IPSec VPN Tunnel
Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection, click Connect on the upper bar. The Status connect icon is lit when the interface is connected. CONFIGURATION > VPN > IPSec VPN > VPN Connection Go to ZyWALL/USG MONITOR >...
PC behind ZyWALL/USG > Windows 7 > cmd > ping 192.168.10.33 PC behind WatchGuard > Windows 7 > cmd > ping 192.168.1.33
What Could Go Wrong?
If you see the [info] or [error] log message below, please check the ZyWALL/USG Phase 1 Settings.
please check the ZyWALL/USG and WatchGuard Phase 2 Settings. Both the ZyWALL/USG and the WatchGuard must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IKE SA. MONITOR > Log Make sure that both the ZyWALL/USG and WatchGuard security policies allow IPSec VPN traffic.
How to Configure Site-to-site IPSec VPN with Cisco
This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and a Cisco router. The example instructs how to configure the VPN tunnel between each site. When the VPN tunnel is configured, each site can be accessed securely.
Set Up the IPSec VPN Tunnel on the ZyWALL/USG
In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard, use the VPN Settings wizard to create a VPN rule that can be used with the Cisco. Click Next. Quick Setup >...
Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Then, configure the Secure Gateway IP as the Cisco’s Gateway IP address (in the example, 172.100.30.80);...
Continue to Phase 2 Settings to select the desired Encapsulation, Encryption, Authentication, and Perfect Forward Secrecy (PFS) settings. Set Local Policy to be the IP address range of the network connected to the ZyWALL/USG and Remote Policy to be the IP address range of the network connected to the Cisco.
This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)
Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard. Quick Setup >...
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show Advanced Settings. Configure Authentication > Peer ID Type as Any so that the ZyWALL/USG does not check the identity content of the remote IPSec router. CONFIGURATION >...
Go to VPN > Site-to-site > IKE Policies, click Add to create a new IKE Policy Name. Then, select Encryption, Hash, Pre-shared Key and D-H Group to match your ZyWALL/USG’s VPN Gateway > Phase 1 Settings. Set Lifetime to 24 hours, click OK and then click Save to exit the IKE Policies page.
Go to VPN > Site-to-site > Transform Sets, click Add to create a new Transform Set name. Then, select Integrity and Encryption to match your ZyWALL/USG’s VPN Connection > Phase 2 Settings. Click OK and then click Save to exit the Transform Sets page.
address range of the network connected to the ZyWALL/USG (Address Object created in Step 1). VPN > Site-to-site > IPsec Policies > Basic Settings Then, go to Advanced Settings and enable PFS and DPD if you enabled both options in the ZyWALL/USG.
Test the IPSec VPN Tunnel
Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection, click Connect on the upper bar. The Status connect icon is lit when the interface is connected. CONFIGURATION > VPN > IPSec VPN > VPN Connection Go to ZyWALL/USG MONITOR >...
To test whether a tunnel is working, ping from a computer at one site to a computer at the other. Ensure that both computers have Internet access (via the IPSec devices). PC behind ZyWALL/USG > Windows 7 > cmd > ping 192.168.75.33 PC behind Cisco >...
What Could Go Wrong?
If you see the [info] or [error] log message below, please check the ZyWALL/USG Phase 1 Settings. Both the ZyWALL/USG and the Cisco must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
Page 211
www.zyxel.com How to Configure Site-to-site IPSec VPN with a SonicWALL router This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZYWALL/USG and a SonicWALL router. The example instructs how to configure the VPN tunnel between each site. When the VPN tunnel is configured, each site can be accessed securely.
Page 212
www.zyxel.com Set Up the IPSec VPN Tunnel on the ZyWALL/USG In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard, use the VPN Settings wizard to create a VPN rule that can be used with the SonicWALL. Click Next. Quick Setup >...
Page 213
www.zyxel.com Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Then, configure the Secure Gateway IP as the SonicWALL’s Gateway IP address (in the example, 172.100.20.23);...
Page 214
www.zyxel.com Continue to Phase 2 Settings to select the desired Encapsulation, Encryption, Authentication, and SA Life Time settings. Set Local Policy to be the IP address range of the network connected to the ZyWALL/USG and Remote Policy to be the IP address range of the network connected to the SonicWALL.
Page 215
www.zyxel.com This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) 215/810...
Page 216
www.zyxel.com Note: The Phase 1 and Phase 2 settings established here must match the Phase 1 and Phase 2 settings configured later in the SonicWALL. 216/810...
Page 217
www.zyxel.com Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard. Quick Setup >...
Page 218
www.zyxel.com Go to VPN Gateway > Show Advanced Settings > Authentication to configure your Local ID Type and Peer ID Type to match your SonicWALL’s VPN > Settings > VPN Policies > General > IKE Authentication > Local IKE ID and Peer IKE ID. VPN Gateway >...
Page 219
Set Up the IPSec VPN Tunnel on the SonicWALL
In the SonicWALL VPN > Settings > VPN Policies screen, click Add to create a new VPN policy. Set Policy Type to Site to Site and Authentication Method to IKE using Preshared Secret. Enter the ZyWALL/USG's WAN IP address as the IPsec Primary Gateway Name or Address (172.10.120.11 in the example). In the IKE Authentication section, set the Shared Secret to the same value as the ZyWALL/USG's Pre-Shared Key.
Go to Remote Network and create a new address object for the IP address range of the network behind the ZyWALL/USG. Then scroll down the list and choose the newly created Address Object as the Remote Network. VPN > Settings > VPN Policies > Network
In the SonicWALL VPN > Settings > VPN Policies > Proposals > IKE (Phase 1) Proposal, set Exchange, DH Group, Encryption and Authentication to match the ZyWALL/USG's VPN Gateway > Show Advanced Settings > Phase 1 Settings. Go to IKE (Phase 2) Proposal and set the Protocol, Encryption and Authentication to match the ZyWALL/USG's VPN Connection >...
Test the IPSec VPN Tunnel
Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the tunnel is up. CONFIGURATION > VPN > IPSec VPN > VPN Connection Go to ZyWALL/USG MONITOR >...
Go to SonicWALL VPN > VPN Settings > VPN Policies; the status light is green. VPN > VPN Settings > VPN Policies Go to SonicWALL VPN > VPN Settings > Currently Active VPN Tunnels > VPN Tunnel Statistics to check the tunnel's valid time, Bytes In (incoming data) and Bytes Out (outgoing data).
From a PC behind the SonicWALL (Windows 7 > cmd): ping 192.168.1.33
What Could Go Wrong?
If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1 settings. Both the ZyWALL/USG and the SonicWALL must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
If the Phase 1 IKE SA completes but you still get the [info] log message below, check the ZyWALL/USG and SonicWALL Phase 2 settings. Both sides must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS setting, and each side's Local Policy must be the other side's Remote Policy, to establish the IPSec SA. MONITOR >...
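As an added example (not Zyxel or SonicWALL code), here is a pre-flight check that applies the two troubleshooting notes above: it compares both peers' Phase 1 and Phase 2 settings, checks that each side's Local Policy is the other side's Remote Policy, and reports the first phase that would fail. The two configuration dictionaries are constructed from the example addresses in this section; the field names and the SonicWALL LAN 192.168.2.0/24 are assumptions, and the pre-shared key value is a placeholder.

```python
"""Site-to-site IPsec pre-flight: compare both peers before reading IKE logs.

Added example, not Zyxel or SonicWALL code. The field names are assumptions
that mirror the ZyWALL/USG VPN Gateway (Phase 1) and VPN Connection (Phase 2)
screens; the sample values are constructed from this guide's example addresses.
"""
import ipaddress

# Phase 1 (IKE SA) parameters that both peers must agree on.
PHASE1_KEYS = ("pre_shared_key", "encryption", "authentication", "dh_group", "id_type")
# Phase 2 (IPsec SA) parameters that both peers must agree on.
PHASE2_KEYS = ("protocol", "encapsulation", "encryption", "authentication", "pfs")


def _mismatches(a, b, keys):
    return [k for k in keys if a.get(k) != b.get(k)]


def diagnose(local, peer):
    """Return a list of (phase, details) findings; an empty list means the tunnel should form.

    A Phase 1 mismatch ends the diagnosis: the IPsec SA is never negotiated
    until the IKE SA exists, so Phase 2 errors cannot show up in the logs yet.
    """
    p1 = _mismatches(local["phase1"], peer["phase1"], PHASE1_KEYS)
    if p1:
        return [("phase1", p1)]
    findings = []
    # Each side's Secure Gateway must be the address the other side sends from.
    if (local["secure_gateway"] != peer["my_address"]
            or peer["secure_gateway"] != local["my_address"]):
        findings.append(("phase1", ["secure_gateway/my_address do not point at each other"]))
    p2 = _mismatches(local["phase2"], peer["phase2"], PHASE2_KEYS)
    if p2:
        findings.append(("phase2", p2))
    # Traffic selectors must mirror: my Local Policy is the peer's Remote Policy.
    for mine, theirs in (("local_policy", "remote_policy"), ("remote_policy", "local_policy")):
        if ipaddress.ip_network(local[mine]) != ipaddress.ip_network(peer[theirs]):
            findings.append(("phase2", [f"{mine} on local != {theirs} on peer"]))
    return findings


def variant(cfg, phase, **changes):
    """Copy cfg with some settings of one phase changed (used to build samples)."""
    out = {k: (dict(v) if isinstance(v, dict) else v) for k, v in cfg.items()}
    out[phase] = dict(out[phase], **changes)
    return out


# Constructed samples. The ZyWALL/USG LAN is 192.168.1.0/24 (the ping target in
# this section is 192.168.1.33); the SonicWALL LAN 192.168.2.0/24 is assumed.
ZYWALL = {
    "my_address": "172.10.120.11", "secure_gateway": "172.100.20.23",
    "phase1": {"pre_shared_key": "example-psk", "encryption": "aes128",
               "authentication": "sha1", "dh_group": 2, "id_type": "ip"},
    "phase2": {"protocol": "esp", "encapsulation": "tunnel", "encryption": "aes128",
               "authentication": "sha1", "pfs": "none"},
    "local_policy": "192.168.1.0/24", "remote_policy": "192.168.2.0/24",
}
SONICWALL_OK = {
    "my_address": "172.100.20.23", "secure_gateway": "172.10.120.11",
    "phase1": dict(ZYWALL["phase1"]),
    "phase2": dict(ZYWALL["phase2"]),
    "local_policy": "192.168.2.0/24", "remote_policy": "192.168.1.0/24",
}
SONICWALL_PFS_MISMATCH = variant(SONICWALL_OK, "phase2", pfs="group2")
SONICWALL_DH_MISMATCH = variant(SONICWALL_OK, "phase1", dh_group=5)

if __name__ == "__main__":
    for name, peer in (("ok", SONICWALL_OK), ("pfs", SONICWALL_PFS_MISMATCH),
                       ("dh", SONICWALL_DH_MISMATCH)):
        print(name, diagnose(ZYWALL, peer))
```

The order of the checks mirrors the order in which the logs appear on the device: a DH group or pre-shared key mismatch never gets past Phase 1, so there is no point comparing PFS or traffic selectors until the Phase 1 columns agree.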
How to Configure IPSec VPN Failover
This example shows how to use the VPN Setup Wizard to create a site-to-site VPN with failover when one site has multiple WAN interfaces. When multi-WAN VPN failover is configured, the IPSec VPN tunnel automatically fails over to a backup WAN interface if the primary WAN interface becomes unavailable.
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ)
In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG. Click Next.
Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters; the value is case-sensitive. Select the Site-to-site scenario. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Configure the Secure Gateway IP as the peer ZyWALL/USG's WAN IP address (172.100.30.54 in the example).
This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not check the identity content sent by the remote IPSec router (the ID would otherwise have to match whichever WAN address is active); the pre-shared key still authenticates the peer.
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch)
In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG. Click Next. Quick Setup > VPN Setup Wizard > Welcome Choose Express to create a VPN rule with the default Phase 1 and Phase 2 settings and a pre-shared key.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Configure the Secure Gateway IP as the peer ZyWALL/USG's WAN IP address (172.101.30.68 in the example). Type a secure Pre-Shared Key (8-32 characters). Set Local Policy to the IP address range of the network behind this ZyWALL/USG and Remote Policy to the IP address range of the network behind the peer ZyWALL/USG.
This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...
CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Gateway Settings. Set My Address to Domain Name/IP "0.0.0.0" so that the ZyWALL/USG dials out from whichever WAN interface is currently active.
Set up the WAN Trunk (ZyWALL/USG_HQ)
Go to CONFIGURATION > Interface > Trunk > User Configuration > Add. Add wan1 and wan2 as trunk members and set the wan2 Mode to Passive, so that wan2 carries traffic only while wan1 is down. CONFIGURATION > Interface > Trunk > User Configuration > Add Go to CONFIGURATION >...
Set up the Failover Command Line (ZyWALL/USG HQ)
Go to CONFIGURATION > Security Policy > Policy Control and add a To ZyWALL rule that allows the SSH service. Restrict the rule's source to the administrator's address object rather than any: this rule exposes the device's management CLI. CONFIGURATION > Security Policy > Policy Control > Add corresponding
If the security policy is created but you still cannot reach the ZyWALL over SSH, go to CONFIGURATION > System > SSH and check that the service is enabled under General Settings, that the Service Port matches the port used by your terminal program, and that the Service Control Action is Accept.
Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and Inbound(Bytes)/Outbound(Bytes) traffic. MONITOR > VPN Monitor > IPSec Go to ZyWALL/USG_Branch MONITOR > Log. Disconnect the HQ WAN1 interface (172.101.30.68) and you will see the VPN tunnel fail over to the WAN2 interface (172.100.20.78).
What Could Go Wrong?
If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1 settings. The ZyWALL/USG at the HQ and Branch sites must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
How to Configure L2TP over IPSec VPN while the ZyWALL/USG is behind a NAT router
This example shows how to use the VPN Setup Wizard to create an L2TP over IPSec VPN tunnel to a ZyWALL/USG that sits behind a NAT router, and how to configure the NAT router so that the tunnel can be established.
Set Up the L2TP VPN Tunnel on the ZyWALL/USG_HQ
In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings for L2TP VPN Settings wizard to create an L2TP VPN rule that can be used with remote mobile devices.
Assign the remote users the IP address range 192.168.10.10 to 192.168.10.20 for use in the L2TP VPN tunnel and check Allow L2TP traffic Through WAN to let traffic from L2TP clients reach the Internet. Click Next. Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (L2TP VPN Settings) This screen provides a read-only summary of the VPN tunnel.
Now the rule is configured on the ZyWALL/USG. The rule settings appear in the VPN > L2TP VPN screen. Click Close to exit the wizard. Quick Setup > VPN Setup Wizard > Welcome > VPN Settings > Wizard Completed Go to CONFIGURATION >...
Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection > Policy > Local Policy and set it to the NAT router's WAN IP address (172.100.20.30 in the example): that is the address the L2TP clients dial, and the address they expect in the IPSec traffic selector. CONFIGURATION > VPN Connection > Policy > Local Policy
Go to CONFIGURATION > VPN > L2TP VPN > Create new Object > User to add a User Name and Password (4-24 characters). Then set Allowed User to the newly created object (L2TP_Remote_Users/zyx168 in this example). CONFIGURATION > VPN > L2TP VPN > Create new Object > User
Set Up the NAT Router (Using ZyWALL USG device in this example)
Go to CONFIGURATION >...
CONFIGURATION > Network > NAT > Add Go to CONFIGURATION > Object > Address > Add and create an address object for the ZyWALL/USG_HQ's WAN IP address (192.168.1.33 in the example). CONFIGURATION > Object > Address Go to CONFIGURATION > Object > Service > Service Group and create a service group for the following UDP ports: UDP Port Number = 1701 →...
CONFIGURATION > Service > Service Group Go to CONFIGURATION > Security Policy > Policy Control and add the corresponding rule to allow the L2TP services through to the ZyWALL/USG_HQ. The forwarded set must include IKE (UDP 500) and NAT-T (UDP 4500), since ESP is carried inside UDP 4500 once NAT traversal is negotiated; L2TP's own UDP 1701 only travels inside the IPSec tunnel. CONFIGURATION > Security Policy > Policy Control
Test the L2TP over IPSec VPN Tunnel
Use a smartphone or a PC to establish an L2TP VPN connection to the ZyWALL/USG. Configure the NAT router's public IP address as the L2TP server address on the client. This example uses an iOS device: to configure L2TP VPN on an iOS 8.4 device, go to Menu >...
After you create the VPN configuration, slide the button to the on position to start the L2TP VPN session. Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the tunnel is up.
Go to ZyWALL/USG MONITOR > VPN Monitor > L2TP over IPSec and verify the Current L2TP Session. MONITOR > VPN Monitor > L2TP over IPSec > L2TP_Remote_Users Go to the iOS mobile device's Menu > Settings > VPN > ZyXEL_L2TP and verify the Assigned IP Address and Connect Time. Menu > Settings > VPN > ZyXEL_L2TP
What Could Go Wrong?
If you see an [alert] log message such as the one below, check the ZyWALL/USG L2TP Allowed User or User/Group settings. iOS mobile users must use the same Username and Password as configured on the ZyWALL/USG to establish the L2TP VPN.
If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 settings. iOS mobile users must use the same Secret (pre-shared key) as configured on the ZyWALL/USG to establish the IKE SA. If the Phase 1 IKE SA has completed but you still get an [info] log message such as the one below, check the ZyWALL/USG Phase 2 settings.
How to Configure L2TP VPN with Android 5.0 Mobile Devices
This example shows how to use the VPN Setup Wizard to create an L2TP VPN between a ZyWALL/USG and an Android 5.0 mobile device. When the VPN tunnel is configured, the network behind the ZyWALL/USG can be accessed securely and traffic from L2TP clients can be allowed to go to the Internet.
Set Up the L2TP VPN Tunnel on the ZyWALL/USG
In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings for L2TP VPN Settings wizard to create an L2TP VPN rule that can be used with the remote Android mobile devices.
Quick Setup > VPN Setup Wizard > Welcome > VPN Settings Assign the remote users the IP address range 192.168.10.10 to 192.168.10.20 for use in the L2TP VPN tunnel and check Allow L2TP traffic Through WAN to let traffic from L2TP clients reach the Internet. Click Next. Quick Setup >...
Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The rule settings appear in the VPN > L2TP VPN screen. Click Close to exit the wizard. Quick Setup > VPN Setup Wizard > Welcome > VPN Settings > Wizard Completed Go to CONFIGURATION >...
CONFIGURATION > VPN > L2TP VPN > Create new Object > User If some of the traffic from the L2TP clients needs to go to the Internet, create a policy route that sends traffic from the L2TP tunnel out through a WAN trunk. Set Incoming to Tunnel and select your L2TP VPN connection.
CONFIGURATION > Network > Routing > Policy Route
Set Up the L2TP VPN Tunnel on the Android Device
To configure L2TP VPN on an Android device, go to Menu > Settings > Wireless & Networks > VPN settings > Add VPN > Add L2TP/IPSec PSK VPN and configure as follows.
Set VPN server to the ZyWALL/USG's WAN IP address. Set IPSec pre-shared key to the pre-shared key of the IPSec VPN gateway the ZyWALL/USG uses for L2TP over IPSec (zyx12345 in this example). The example key is far weaker than you should deploy: it is shared by every client and is the only thing that authenticates them to the gateway at the IPSec layer, so use a long random value up to the 32-character limit.
Leave Enable L2TP secret disabled (the default). If you need to use the internal DNS servers once the connection is up, turn on DNS search domains and enter the DNS server address here. Click Save. Tap the VPN rule ZyXEL_L2TP to begin the VPN connection.
When dialing the L2TP VPN, the user has to enter a Username and Password. These are the same as the Allowed User created on the ZyWALL/USG (L2TP_Remote_Users/zyx168 in this example).
Test the L2TP over IPSec VPN Tunnel
Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the tunnel is up.
Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and the Inbound(Bytes)/Outbound(Bytes) traffic. Click Connectivity Check to verify the result of the ICMP connectivity test. Hub_HQ > MONITOR > VPN Monitor > WIZ_L2TP_VPN Go to ZyWALL/USG MONITOR > VPN Monitor > L2TP over IPSec and verify the Current L2TP Session.
Go to the Android mobile device's Menu > Settings > Wireless & Networks > VPN and verify the connection status. Menu > Settings > Wireless & Networks > VPN
What Could Go Wrong?
If you see an [alert] log message such as the one below, check the ZyWALL/USG L2TP Allowed User or User/Group settings.
If the Phase 1 IKE SA has completed but you still get an [info] log message such as the one below, check the ZyWALL/USG Phase 2 settings. The ZyWALL/USG must have the correct Local Policy to establish the IPSec SA. Ensure that the L2TP Address Pool does not overlap any existing LAN1, LAN2, DMZ or WLAN subnet, even if those interfaces are not in use.
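The overlap check in the last sentence is easy to get wrong by eye, because a first-to-last pool is not a single subnet. The Python below, an added example and not Zyxel code, expresses the pool as the CIDR blocks it actually occupies and reports every interface whose subnet it collides with. The interface addresses are constructed for the example (including an idle wlan interface, which is exactly the case the note warns about); the pool is the one assigned in the wizard above.

```python
"""L2TP address pool pre-flight: the pool must not overlap any interface the
ZyWALL/USG already routes, whether that interface is in use or not.

Added example, not Zyxel code. The interface subnets are constructed.
"""
import ipaddress


def pool_networks(first, last):
    """Express a first..last pool as the CIDR blocks it occupies.

    A range such as .10-.20 spans several blocks (/31, /30, /30, /32), which is
    why comparing only the first address against interface subnets is not enough.
    """
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def pool_conflicts(first, last, interfaces):
    """Return the names of interfaces whose subnet overlaps the pool.

    `interfaces` maps a name (lan1, dmz, ...) to the interface address in CIDR
    form; strict=False lets an address like 192.168.10.1/24 stand for its subnet.
    """
    chunks = pool_networks(first, last)
    hits = []
    for name, cidr in interfaces.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if any(chunk.overlaps(net) for chunk in chunks):
            hits.append(name)
    return hits


# Constructed sample: lan1/lan2/dmz in use, a wlan interface defined but idle.
INTERFACES = {
    "lan1": "192.168.1.1/24",
    "lan2": "192.168.2.1/24",
    "dmz": "192.168.3.1/24",
    "wlan": "192.168.10.1/24",
}

if __name__ == "__main__":
    # The pool from this section collides with the idle wlan interface.
    print(pool_networks("192.168.10.10", "192.168.10.20"))
    print(pool_conflicts("192.168.10.10", "192.168.10.20", INTERFACES))    # ['wlan']
    # The pool used in the iOS/Windows sections of this guide is clean here.
    print(pool_conflicts("192.168.100.10", "192.168.100.20", INTERFACES))  # []
```

Run the check again whenever an interface is added or renumbered; an overlap that was harmless while an interface was idle becomes a routing fault the moment that interface goes live.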
How to Configure L2TP VPN with iOS 8.4 Mobile Devices
This example shows how to use the VPN Setup Wizard to create an L2TP VPN between a ZyWALL/USG and an iOS 8.4 mobile device. When the VPN tunnel is configured, the network behind the ZyWALL/USG can be accessed securely and traffic from L2TP clients can be allowed to go to the Internet.
Then configure the Rule Name and set My Address to the wan1 interface, which is connected to the Internet. Type a secure Pre-Shared Key (8-32 characters). Quick Setup > VPN Setup Wizard > Welcome > VPN Settings Assign the remote users the IP address range 192.168.100.10 to 192.168.100.20 for use in the L2TP VPN tunnel and check Allow L2TP traffic Through WAN to let traffic from L2TP clients reach the Internet.
Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (L2TP VPN Settings) This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The rule settings appear in the VPN >...
Go to CONFIGURATION > VPN > L2TP VPN > Create new Object > User to add a User Name and Password (4-24 characters). Then set Allowed User to the newly created object (L2TP_Remote_Users/zyx168 in this example).
CONFIGURATION > VPN > L2TP VPN > Create new Object > User If some of the traffic from the L2TP clients needs to go to the Internet, create a policy route that sends traffic from the L2TP tunnel out through a WAN trunk. Set Incoming to Tunnel and select your L2TP VPN connection.
Set Up the L2TP VPN Tunnel on the iOS Device
To configure L2TP VPN on an iOS 8.4 device, go to Menu > Settings > VPN > Add VPN Configuration and configure as follows. Description is for you to identify the VPN configuration. Set Server to the ZyWALL/USG's WAN IP address (172.124.163.150 in this example).
After you create the VPN configuration, slide the button to the on position to start the L2TP VPN session.
Test the L2TP over IPSec VPN Tunnel
Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the tunnel is up.
Hub_HQ > MONITOR > VPN Monitor > IPSec > WIZ_L2TP_VPN Go to ZyWALL/USG MONITOR > VPN Monitor > L2TP over IPSec and verify the Current L2TP Session. MONITOR > VPN Monitor > L2TP over IPSec > L2TP_Remote_Users
Go to the iOS mobile device's Menu > Settings > VPN > ZyXEL_L2TP and verify the Assigned IP Address and Connect Time. Menu > Settings > VPN > ZyXEL_L2TP
What Could Go Wrong?
If you see an [alert] log message such as the one below, check the ZyWALL/USG L2TP Allowed User or User/Group settings. iOS mobile users must use the same Username and Password as configured on the ZyWALL/USG to establish the L2TP VPN. If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 settings.
Make sure the ZyWALL/USG's security policies allow IPSec VPN traffic to the device: IKE uses UDP port 500 (and UDP port 4500 for NAT traversal, which also carries ESP whenever a NAT sits between client and gateway), AH uses IP protocol 51, and ESP uses IP protocol 50. Verify that the Zone is set correctly in the Zone object. It should be set to the IPSec_VPN zone so that security policies are applied properly.
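As an added example (not Zyxel code), the Python below models the security policy as an ordered first-match rule list with an implicit deny at the end and checks whether each flow an IPsec peer needs, IKE on UDP 500, NAT-T on UDP 4500, ESP and optionally AH, actually reaches the ZyWALL itself. The rule model and the zone names are assumptions and both rulesets are constructed; NAT-T (UDP 4500) is included beyond the note above because ESP rides inside it whenever a NAT sits between client and gateway.

```python
"""First-match simulation of a ZyWALL/USG-style security policy for the flows
an IPsec peer needs.

Added example, not Zyxel code. The rule model (ordered list, first match wins,
implicit deny when nothing matches) and the zone names are assumptions; the
two rulesets below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    from_zone: str
    to_zone: str
    proto: str                    # "udp", "tcp", "esp", "ah", "icmp"
    dport: Optional[int] = None   # only meaningful for udp/tcp


@dataclass(frozen=True)
class Rule:
    from_zone: str                # zone name or "any"
    to_zone: str                  # zone name, "ZyWALL" (the device itself) or "any"
    proto: str = "any"
    dport: Optional[int] = None   # None = any port
    action: str = "allow"

    def matches(self, f: Flow) -> bool:
        return (self.from_zone in ("any", f.from_zone)
                and self.to_zone in ("any", f.to_zone)
                and self.proto in ("any", f.proto)
                and (self.dport is None or self.dport == f.dport))


def verdict(rules: List[Rule], flow: Flow) -> str:
    """First matching rule decides; nothing matching means deny (assumption)."""
    for r in rules:
        if r.matches(flow):
            return r.action
    return "deny"


def required_flows(use_ah: bool = False) -> List[Flow]:
    """What a remote peer on the WAN must be able to send to the ZyWALL itself."""
    flows = [Flow("WAN", "ZyWALL", "udp", 500),    # IKE
             Flow("WAN", "ZyWALL", "udp", 4500),   # NAT-T: IKE and ESP-in-UDP
             Flow("WAN", "ZyWALL", "esp")]         # ESP, IP protocol 50
    if use_ah:
        flows.append(Flow("WAN", "ZyWALL", "ah"))  # AH, IP protocol 51
    return flows


def blocked_flows(rules: List[Rule], use_ah: bool = False) -> List[Flow]:
    """Return the required flows the policy does not allow."""
    return [f for f in required_flows(use_ah) if verdict(rules, f) != "allow"]


# Constructed rulesets. The first is a common mistake: IKE is allowed but the
# NAT-T port and ESP are not, so Phase 1 completes and nothing flows afterwards.
RULES_INCOMPLETE = [
    Rule("WAN", "ZyWALL", "udp", 500),
    Rule("LAN1", "any"),
    Rule("any", "ZyWALL", action="deny"),
]
RULES_OK = [
    Rule("WAN", "ZyWALL", "udp", 500),
    Rule("WAN", "ZyWALL", "udp", 4500),
    Rule("WAN", "ZyWALL", "esp"),
    Rule("IPSec_VPN", "LAN1"),              # decrypted traffic reaching the intranet
    Rule("any", "ZyWALL", action="deny"),
]

if __name__ == "__main__":
    print("incomplete:", blocked_flows(RULES_INCOMPLETE))
    print("ok:", blocked_flows(RULES_OK))
    print("ok, AH in use:", blocked_flows(RULES_OK, use_ah=True))
```

The incomplete ruleset is worth recognising in the logs: the IKE SA comes up because UDP 500 is open, and the tunnel then looks established while no data passes, which is the symptom the Phase 2 notes in this guide describe.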
How to Import ZyWALL/USG Certificate for L2TP over IPsec in Windows 10
This is an example of using the L2TP VPN and the VPN client software included in the Windows 10 operating system. When the VPN tunnel is configured, users can securely access the network behind the ZyWALL/USG from a Windows 10 computer, and traffic from L2TP clients can be allowed to go to the Internet.
Then configure the Rule Name and set My Address to the wan1 interface, which is connected to the Internet. Type a secure Pre-Shared Key (8-32 characters). Quick Setup > VPN Setup Wizard > Welcome > VPN Settings Assign the L2TP users the IP address range 192.168.100.10 to 192.168.100.20 for use in the L2TP VPN tunnel and select Allow L2TP traffic Through WAN to let traffic from L2TP clients reach the Internet.
Now the rule is configured on the ZyWALL/USG. The rule settings appear in the VPN > L2TP VPN screen. Click Close to exit the wizard. Quick Setup > VPN Setup Wizard > Welcome > VPN Settings > Wizard Completed Go to CONFIGURATION >...
CONFIGURATION > VPN > L2TP VPN > Create new Object > User If some of the traffic from the L2TP clients needs to go to the Internet, create a policy route that sends traffic from the L2TP tunnel out through a WAN trunk. Set Incoming to Tunnel and select your L2TP VPN connection.
CONFIGURATION > Network > Routing > Policy Route
Export a Certificate from ZyWALL/USG and Import it to Windows 10 Operating System
Go to ZyWALL/USG CONFIGURATION > Object > Certificate, select the certificate (default in this example) and click Edit. CONFIGURATION >...
Export the default certificate from the ZyWALL/USG. CONFIGURATION > Object > Certificate > default > Edit > Export Certificate Only Save the default certificate as a *.crt file on the Windows 10 computer. Before trusting it, compare the file's fingerprint with the fingerprint shown in the certificate's details on the ZyWALL/USG, since you are about to make it a trusted root for the whole machine. In Windows 10, go to Start Menu > Search Box, type mmc and press Enter.
In the Available snap-ins, select Certificates and click Add, choose Computer account and click Finish. Press OK to close the Snap-ins window. Available snap-ins > Certificates > Add In the mmc console window, go to Certificates (Local Computer) > Trusted Root Certification Authorities, right-click Certificates and choose All Tasks > Import…
Click Next. Click Browse..., locate the .crt file you downloaded earlier, and click Next.
Select Place all certificates in the following store, click Browse and choose Trusted Root Certification Authorities. Click Next, then click Finish. Note: Each ZyWALL/USG device has its own self-signed certificate by factory default. When you reset to the default configuration file, the original self-signed certificate is erased and a new self-signed certificate is created when the ZyWALL/USG boots the next time; clients that trusted the old certificate must then import the new one.
Set Up the L2TP VPN Tunnel on Windows 10
To configure L2TP VPN in the Windows 10 operating system, go to Start > Settings > Network & Internet > VPN > Add a VPN Connection and configure as follows. Set VPN Provider to Windows (built-in).
Go to Control Panel > Network and Internet > Network Connections, right-click the VPN connection and select Properties. Continue to Security > Advanced settings and select Use certificate for authentication.
Test the L2TP over IPSec VPN Tunnel
Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the tunnel is up. CONFIGURATION > VPN > IPSec VPN > VPN Connection Go to ZyWALL/USG MONITOR >...
In Windows 10, go to Start > Settings > Network & Internet > VPN; the connection shows Connected status. Menu > Settings > VPN > ZyXEL_L2TP
What Could Go Wrong?
If you see an [alert] log message such as the one below, check the ZyWALL/USG L2TP Allowed User or User/Group settings. Windows 10 users must use the same Username and Password as configured on the ZyWALL/USG to establish the L2TP VPN. If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 settings.
Verify that the Zone is set correctly in the VPN Connection rule. It should be set to the IPSec_VPN zone so that security policies are applied properly.
How to Import ZyWALL/USG Certificate for L2TP over IPsec in iOS mobile phone
This is an example of using the L2TP VPN and the VPN client software included in the iOS mobile phone operating system. When the VPN tunnel is configured, users can securely access the network behind the ZyWALL/USG from an iOS mobile phone, and traffic from L2TP clients can be allowed to go to the Internet.
Then configure the Rule Name and set My Address to the wan1 interface, which is connected to the Internet. Type a secure Pre-Shared Key (8-32 characters). Quick Setup > VPN Setup Wizard > Welcome > VPN Settings Assign the L2TP users the IP address range 192.168.100.10 to 192.168.100.20 for use in the L2TP VPN tunnel and select Allow L2TP traffic Through WAN to let traffic from L2TP clients reach the Internet.
Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (L2TP VPN Settings) This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The rule settings appear in the VPN > L2TP VPN screen.
Go to CONFIGURATION > VPN > VPN Gateway > WIZ_L2TP_VPN, change the Authentication method to Certificate and select the certificate the ZyWALL/USG uses to identify itself to the iOS mobile phone. CONFIGURATION > VPN > VPN Gateway > WIZ_L2TP_VPN > Authentication > Certificate Go to CONFIGURATION >...
Export a Certificate from ZyWALL/USG and Import it to iOS Mobile Phone
Go to ZyWALL/USG CONFIGURATION > Object > Certificate, select the certificate (default in this example) and click Edit. CONFIGURATION > Object > Certificate > default Export the default certificate from the ZyWALL/USG with its Private Key, protected by a password (zyx123 in this example). This file contains the gateway's own private key: anyone who obtains it together with the password can impersonate the ZyWALL/USG, so use a strong export password, deliver the file to the phone over a trusted channel and delete the intermediate copies afterwards. CONFIGURATION >...
Configure a Connection name for you to identify the VPN configuration. Set Server name or address to the ZyWALL/USG's WAN IP address (172.124.163.150 in this example). Set VPN type to Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec). Enter the User name and Password, which are the same as the Allowed User created on the ZyWALL/USG (L2TP_Remote_Users/zyx168 in this example).
Go to the Network & Internet Settings window and click Connect.
Test the L2TP over IPSec VPN Tunnel
1. Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the tunnel is up. CONFIGURATION >...
2. Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and the Inbound(Bytes)/Outbound(Bytes) traffic. Click Connectivity Check to verify the result of the ICMP connectivity test. Hub_HQ > MONITOR > VPN Monitor > IPSec > WIZ_L2TP_VPN 3.
What Could Go Wrong?
1. If you see an [alert] log message such as the one below, check the ZyWALL/USG L2TP Allowed User or User/Group settings. iOS users must use the same Username and Password as configured on the ZyWALL/USG to establish the L2TP VPN. 2.
6. Make sure the ZyWALL/USG's security policies allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. 7. Verify that the Zone is set correctly in the VPN Connection rule. It should be set to the IPSec_VPN zone so that security policies are applied properly.
Set up the ZyWALL/USG IPSec VPN Tunnel
In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings for Configuration Provisioning wizard to create a VPN rule that can be used with the ZyWALL IPSec VPN Client. Click Next. Quick Setup >...
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings-1 Type a secure Pre-Shared Key (8-32 characters). Set Local Policy to the IP address range of the network behind the ZyWALL/USG. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings-2 This screen provides a read-only summary of the VPN tunnel.
Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard. Quick Setup >...
Select the address object for the mode config VPN IP address pool. Go to CONFIGURATION > Object > User/Group > Add A User and create a user account for the ZyWALL IPSec VPN Client user. Enter one or more valid e-mail addresses and a valid mobile telephone number for this user so that the second-factor authorization message can be delivered to the user.
CONFIGURATION > Object > User/Group > Add A User Go to CONFIGURATION > VPN > IPSec VPN > Gateway and enable X-Auth for VPN client authentication. Go to CONFIGURATION > VPN > IPSec VPN > Configuration Provisioning. In the General Settings section, select Enable Configuration Provisioning. Then go to the Configuration section and click Add to bind a configured VPN Connection to an Allowed User. Click Activate and Apply to save the configuration. CONFIGURATION > VPN > IPSec VPN > Configuration Provisioning
Set up the ZyWALL IPSec VPN Client
Download the ZyWALL IPSec VPN Client software from the ZyXEL Download Library: http://www.zyxel.com/support/download_landing.shtml Open the ZyWALL IPSec VPN Client and select CONFIGURATION >...
Enter the WAN IP address or URL of the ZyWALL/USG as the Gateway Address. If you changed the default HTTPS port on the ZyWALL/USG, enter the new port here. Enter the Login user name and Password exactly as configured on the ZyWALL/USG or the external authentication server.
CONFIGURATION > Get from Server > Step 2: Processing
Then you will see the Configuration successful page; click OK to exit the wizard. CONFIGURATION > Get from Server > Configuration successful In VPN CONFIGURATION > IKE V1 > WIZ_VPN_PROVISIONING > Advanced, type the Login account and password for authentication.
Set up notification for 2 factor authentication
In the ZyWALL/USG, go to CONFIGURATION > System > Notification > Mail Server. Type the name or IP address of the SMTP server and enter the SMTP service port. Type the e-mail address from which the outgoing e-mail is delivered. Select the authentication check box if the SMTP server requires a user name and password.
Set up authentication for 2 factor VPN connection
In the ZyWALL/USG, go to CONFIGURATION > Object > Auth.Method > Two-factor Authentication. Select the Enable check box to turn on two-factor authentication. Enter the maximum time (in minutes) within which the user must click or tap the authorization link in the SMS or e-mail to obtain authorization for the VPN connection.
Test the Result
In the ZyWALL IPSec VPN Client, go to VPN Configuration > IKEv1, right-click WIZ_VPN_PROVISIONING and select Open tunnel. You will see Tunnel opened on the ZyWALL IPSec VPN Client. The VPN tunnel is created from the ZyWALL IPSec VPN Client to the ZyWALL/USG, but the intranet behind the ZyWALL/USG is still not reachable.
use of the VPN tunnel (factor 2). If the user does not click the link, the Zyxel Device terminates the VPN connection. The client must open the authorization link sent via SMS or e-mail by the Cloud SMS system within the specified deadline (Valid Time). If the authorization is correct and received in time, the client is granted VPN access to the secured network.
Authorized by SMS
Receive the authorization SMS containing the authorization link. Tap the link to authorize; once "VPN connection has been authorized" is shown, the secured network behind the ZyWALL/USG can be accessed.
What Could Go Wrong?
If you see the log message "Mail server authentication failed." below, check CONFIGURATION > System > Notification > SMTP Server and make sure the password used for mail authentication is correct. MONITOR > Log If you see the log message "Cannot resolve mail server address smtp.pchome.com.t"...
www.zyxel.com Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG310 (Firmware Version: 4.25) and Android (Version: 10.0.10240) Set Up the L2TP VPN Tunnel on the ZyWALL/USG In the ZyWALL/USG, go to Quick Setup >...
Page 326
www.zyxel.com Quick Setup > VPN Setup Wizard > Welcome > VPN Settings Assign the L2TP users’ IP address range from 192.168.100.10 to 192.168.100.20 for use in the L2TP VPN tunnel and select Allow L2TP traffic Through WAN to allow traffic from L2TP clients to go to the Internet.
Page 327
www.zyxel.com Now the rule is configured on the ZyWALL/USG. The rule settings appear in the VPN > L2TP VPN screen. Click Close to exit the wizard. Quick Setup > VPN Setup Wizard > Welcome > VPN Settings > Wizard Completed Go to CONFIGURATION >...
Page 328
www.zyxel.com CONFIGURATION > VPN > VPN Gateway > WIZ_L2TP_VPN > Authentication > Certificate Go to CONFIGURATION > VPN > L2TP VPN > Create new Object > User to add User Name and Password (4-24 characters). Then, set Allowed User to the newly created object (L2TP_Remote_Users/zyx168 in this example).
Page 329
www.zyxel.com Export a Certificate from ZyWALL/USG and Import it to Android Mobile Phone Go to ZyWALL/USG CONFIGURATION > Object > Certificate, select the certificate (default in this example) and click Edit. CONFIGURATION > Object > Certificate > default Export default certificate from ZyWALL/USG. CONFIGURATION >...
Page 330
www.zyxel.com Save default certificate as *.crt file to Android mobile phone computer. Set Up the L2TP VPN Tunnel on the Android Mobile Device To configure L2TP VPN in Android, go to Start > Settings > Network & Internet > VPN > Add a VPN Connection and configure as follows. VPN Provider set to Windows (built-in).
Page 331
Set VPN type to Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec). Enter the User name and Password, which are the same as the Allowed User created in the ZyWALL/USG (L2TP_Remote_Users/zyx168 in this example).
Page 332
Go to Control Panel > Network and Internet > Network Connections, right-click the connection and select Properties. Continue to Security > Advanced settings and select Use Certificate for authentication.
Page 334
Go to the Network & Internet Settings window and click Connect. Test the L2TP over IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the interface is connected. CONFIGURATION >...
Page 335
Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and the Inbound(Bytes)/Outbound(Bytes) traffic. Click Connectivity Check to verify the result of the ICMP connectivity check. Hub_HQ > MONITOR > VPN Monitor > IPSec > WIZ_L2TP_VPN Go to ZyWALL/USG MONITOR >...
Page 336
What Could Go Wrong? If you see an [alert] log message such as the one below, check the ZyWALL/USG L2TP Allowed User or User/Group settings. Android users must use the same Username and Password as configured in the ZyWALL/USG to establish the L2TP VPN. If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 settings.
Page 337
If you cannot access devices in the local network, verify that the devices in the local network set the USG’s IP as their default gateway to utilize the L2TP tunnel. Make sure the ZyWALL/USG units’ security policies allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50.
Page 338
How to Configure the L2TP VPN with Apple MAC OS X 10.11 Operating System This is an example of using the L2TP VPN and the VPN client software included in the Apple MAC OS X 10.11 El Capitan operating system. When the VPN tunnel is configured, users can securely access the network behind the ZyWALL/USG and allow traffic from L2TP clients to go to the Internet from an Apple computer.
Page 339
Then, configure the Rule Name and set My Address to be the wan1 interface which is connected to the Internet. Type a secure Pre-Shared Key (8-32 characters). Quick Setup > VPN Setup Wizard > Welcome > VPN Settings
Page 340
Configure the L2TP users’ IP address range from 192.168.30.10 to 192.168.30.20 for use in the L2TP VPN tunnel and check Allow L2TP traffic Through WAN. Click OK. Quick Setup > VPN Setup Wizard > Welcome > VPN Settings Continue to the next page to review your Summary and click Save. Quick Setup >...
Page 341
Go to CONFIGURATION > VPN > L2TP VPN > Create new Object > User to add a User Name and Password (4-24 characters). Then, set Allowed User to the newly created object (L2TP_Remote_Users/zyx168 in this example). CONFIGURATION > VPN > L2TP VPN > Create new Object > User
Page 343
Set Up the L2TP VPN Tunnel on the Apple MAC OS X 10.11 El Capitan Operating System To configure L2TP VPN in the OS X 10.11 operating system, go to System Preferences… > Network, click the "+" button at the bottom left of the connections list to add a new connection and configure as follows.
Page 344
Configure Server Address to be the ZyWALL/USG’s WAN IP address (172.124.163.150 in this example). Enter the Account Name, which should be the same as the Allowed User created in the ZyWALL/USG (L2TP_Remote_Users in this example). Then, click Authentication Settings… In the User Authentication section, enter the Password, which should be the same as the Allowed User created in the ZyWALL/USG (zyx123 in this example).
Page 345
Go back to Configuration and click Advanced… Select Send all traffic over VPN connection to allow the L2TP/IPSec VPN traffic between the ZyWALL/USG and the MAC OS X system.
Page 346
Go back to Configuration and click Connect. Test the L2TP over IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the interface is connected. CONFIGURATION > VPN > IPSec VPN > VPN Connection Go to ZyWALL/USG MONITOR >...
Page 347
The function has a problem and cannot be captured in a screenshot; connectivity check fails. Go to ZyWALL/USG MONITOR > VPN Monitor > L2TP over IPSec and verify the Current L2TP Session. MONITOR > VPN Monitor > L2TP over IPSec > L2TP_Remote_Users Go to MAC OS X System Preferences… > Network, which shows the Connected status, Connect Time and assigned IP Address.
Page 348
What Could Go Wrong? If you see an [alert] log message such as the one below, check the ZyWALL/USG L2TP Allowed User or User/Group settings. Apple MAC OS X El Capitan operating system users must use the same Username and Password as configured in the ZyWALL/USG to establish the L2TP VPN.
Page 349
If you see that the Phase 1 IKE SA process has completed but still get an [info] log message as below, check the ZyWALL/USG Phase 2 settings. The ZyWALL/USG unit must set the correct Local Policy to establish the IKE SA. Ensure that the L2TP Address Pool does not conflict with any existing LAN1, LAN2, DMZ, or WLAN zones, even if they are not in use.
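The address-pool conflict just mentioned is easy to verify before the wizard is run. The check below is an added example (not Zyxel's code or part of this handbook); the zone subnets and pool ranges are constructed values, and the function reports every zone whose subnet overlaps the pool, including zones that are not in use.

```python
import ipaddress


def l2tp_pool_conflicts(pool_start: str, pool_end: str, zones: dict) -> list:
    """Return the names of zones whose subnet overlaps the L2TP address pool.

    pool_start/pool_end: first and last address of the L2TP Address Pool
    (the wizard's "IP address range" fields).
    zones: mapping of zone name -> interface subnet in CIDR notation.
    Every zone is checked whether or not it is in use, because an unused
    LAN2/DMZ/WLAN subnet still conflicts with the pool on the ZyWALL/USG.
    """
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if end < start:
        raise ValueError("pool end precedes pool start")
    # A start..end range is not necessarily one CIDR block, so expand it
    # into the minimal set of blocks and test each against every zone.
    pool_blocks = list(ipaddress.summarize_address_range(start, end))
    conflicts = []
    for name, cidr in zones.items():
        subnet = ipaddress.ip_network(cidr, strict=False)
        if any(block.overlaps(subnet) for block in pool_blocks):
            conflicts.append(name)
    return conflicts


# Constructed zone layout (hypothetical, not taken from a real deployment).
ZONES = {"LAN1": "192.168.1.0/24", "LAN2": "192.168.2.0/24",
         "DMZ": "192.168.3.0/24", "WLAN": "192.168.4.0/24"}

if __name__ == "__main__":
    # The pool used in the El Capitan example above does not touch any zone.
    print(l2tp_pool_conflicts("192.168.30.10", "192.168.30.20", ZONES))  # []
    # A pool carved out of LAN1's subnet does conflict.
    print(l2tp_pool_conflicts("192.168.1.10", "192.168.1.20", ZONES))    # ['LAN1']
```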
Page 350
How to configure the web portal login page so that users can only see the SSL VPN Login button This example shows how to restrict portal access for SSL VPN clients. The example shows how to allow end users to see only the SSL VPN Login button in the web portal login screen, while the administrator can manage the device only from the LAN.
Page 351
Set Up the DNS Service In this scenario, you need to have a DNS host to fulfill the requirement. In this example, go to https://www.noip.com/ to register an account and create a DNS host. The mapped IP address is the public IP address of the ZyWALL/USG's WAN interface.
Page 352
Set Up the ZyWALL/USG System Setting Go to CONFIGURATION > System > WWW > Admin Service Control > Add Admin ACL Rule 1. Set the address access action to Deny for ALL addresses on the WAN. CONFIGURATION > System > WWW > Admin Service Control > Add Admin ACL Rule 1
Page 353
Test the SSL VPN Type the URL (https://sslvpnzyxeltest.ddns.net) into the browser and you will only see the SSL VPN Login button in the web portal screen. Type in the URL (https://sslvpnzyxeltest.ddns.net) Log in to the device via the WAN interface with the administrator's user name and password.
Page 354
Login to the device via the WAN interface Log in to the device via the LAN interface with the administrator's user name and password. The management portal will be displayed.
Page 355
Login to the device via the LAN interface
Page 356
Go to MONITOR > Log. You can see that the admin login has been denied access from the WAN interface but it is allowed from the LAN interface. MONITOR >...
Page 357
How to Deploy SSL VPN with Apple Mac OS X 10.10 Operating System This is an example of using the ZyWALL/USG SSL VPN client software in the Apple MAC OS X 10.10 Yosemite operating system for secure connections to the network behind the ZyWALL/USG.
Page 358
Set Up the SSL VPN Tunnel on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > VPN > SSL VPN > Access Privilege to add an Access Policy. Configure a Name for you to identify the SSL VPN configuration. CONFIGURATION >...
Page 359
Go to Create new Object > Application to add the servers you allow SSL_VPN_1_Users to access, then click OK. CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > Create new Object > Application Go to Create new Object > Address to add the IP address pool for SSL_VPN_1_Users.
Page 360
CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > User/Group & SSL Application Scroll down to Network Extension (Optional) and select Enable Network Extension to allow SSL VPN users to access the resources behind the ZyWALL/USG local network.
Page 361
Set Up the SSL VPN Tunnel on the Apple MAC OS X 10.10 Operating System Download the SSL VPN client software, ZyWALL SecuExtender for MAC, from the ZyXEL Global Website and double-click on the downloaded file to install it.
Page 362
Go to ZyWALL SecuExtender > Preferences, click the "+" button at the bottom left to add a new SSL VPN connection.
Page 363
Configure the Connection Name for you to identify the SSL VPN configuration. Then, set the Remote Server Address to be the WAN IP of the ZyWALL/USG (172.16.1.33 in this example). Click Save.
Page 364
There are two methods to initiate SSL VPN connections: from ZyWALL SecuExtender or from a web browser. From ZyWALL SecuExtender Go to ZyWALL SecuExtender > Connect > SSL_VPN to display the username and password dialog box. Set Username and Password to be the same as your ZyWALL/USG SSL VPN Selected User/Group name and password (SSL_VPN_1_Users/zyx168 in this example).
Page 365
Test the SSL VPN Tunnel Go to ZyWALL/USG MONITOR > VPN Monitor > SSL and verify the tunnel Login Address, Connected Time and the Inbound(Bytes)/Outbound(Bytes) traffic. MONITOR > VPN Monitor > SSL > SSL_VPN_1_Users Go to ZyWALL SecuExtender > Details and check Traffic Graph, Network Traffic Statistics and Log Details.
Page 368
What Could Go Wrong? If you see a [notice] or [alert] log message such as the one below, check the ZyWALL/USG SSL Selected User/Group Objects settings. MAC OS X 10.10 Yosemite users must use the same Username and Password as configured in the ZyWALL/USG to establish the SSL VPN tunnel.
Page 369
If you uploaded a logo to show in the SSL VPN user screens but it does not display properly, check that the logo graphic is in GIF, JPG, or PNG format. The graphic should use a resolution of 103 x 29 pixels to avoid distortion when displayed. The ZyWALL/USG automatically resizes a graphic of a different resolution to 103 x 29 pixels.
Page 370
How To Configure SSL VPN for Remote Access Mobile Devices This is an example of using the ZyWALL/USG SSL VPN for remote access mobile devices to securely connect to the File Sharing Server behind the ZyWALL/USG. ZyWALL/USG SSL VPN for Secure External Access to Network Resources Note: All network IP addresses and subnet masks are used as examples in this article.
Page 371
Set Up the SSL VPN Tunnel on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > VPN > SSL VPN > Access Privilege to add an Access Policy. Configure a Name for you to identify the SSL VPN configuration. CONFIGURATION >...
Page 372
Go to Create new Object > Application to add the servers that you will allow SSL_VPN_1_Users to access. Click OK.
Page 373
CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > Create new Object > Application Then, move the just-created address object to Selected User/Group Objects. Similarly, in SSL Application List (Optional), move the servers you want available to SSL users to Selected Application Objects.
Page 374
Test the SSL VPN Tunnel Type the ZyWALL/USG’s WAN IP into the browser, and the login screen appears. Enter the User Name and Password, which are the same as your ZyWALL/USG SSL VPN Selected User/Group name and password (SSL_VPN_1_Users/zyx168 in this example).
Page 375
Click the File Sharing folder you want to access, enter the User Name/Password of your File Sharing server and click Login. Now you can securely access the files.
Page 376
What Could Go Wrong? If you see a [notice] or [alert] log message such as the one below, check the ZyWALL/USG SSL Selected User/Group Objects settings. Windows 10 users must use the same Username and Password as configured in the ZyWALL/USG to establish the SSL VPN tunnel.
Page 377
How to Configure an SSL VPN Tunnel (with SecuExtender version 4.0.0.1) on the Windows 10 Operating System Set up the SSL VPN Tunnel with Windows 10 Download SecuExtender version 4.0.0.1 from the download library of ZyXEL’s official website. Before you start installing SecuExtender, you must install the “Visual C++ 2015 Redistributable”...
Page 381
Double-click the shortcut icon on your desktop. It is the same as the SSL VPN standalone software on MAC OS X. Enter the server’s IP or domain name, user name, and password to connect to the server. The example below shows that the client IP is 7.7.7.1; you can also check the traffic statistics in the Status screen.
Page 382
If you have uploaded a logo to show on the SSL VPN user screens but it does not display properly, check that the logo graphic is in GIF, JPG, or PNG format. The graphic should use a resolution of 103 x 29 pixels to avoid distortion when displayed.
Page 383
How to redirect multiple LAN interface traffic to the VPN tunnel This example shows how to use the VPN Setup Wizard to create a site-to-site VPN with multiple LAN access to the VPN tunnel. The example instructs how to configure the VPN tunnel between each site and redirect multiple LAN interface traffic to the VPN tunnel.
Page 384
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ) In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG. Click Next.
Page 385
Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Configure Secure Gateway IP as the peer ZyWALL/USG’s WAN IP address (in the example, 172.100.30.54).
Page 386
This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...
Page 387
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show Advanced Settings. Configure Authentication > Peer ID Type as Any so that the ZyWALL/USG does not check the identity content of the remote IPSec router.
Page 388
Quick Setup > VPN Setup Wizard > Welcome Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and to use a pre-shared key. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type Type the Rule Name used to identify this VPN connection (and VPN gateway).
Page 389
Configure Secure Gateway IP as the peer ZyWALL/USG’s WAN IP address (in the example, 172.101.30.68). Type a secure Pre-Shared Key (8-32 characters). Set Local Policy to be the IP address range of the network connected to the ZyWALL/USG and Remote Policy to be the IP address range of the network connected to the peer ZyWALL/USG.
Page 390
Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.
Page 391
CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type Set up the Policy Route (ZyWALL/USG_HQ) Go to ZyWALL/USG_HQ CONFIGURATION > Network > Routing > Add. Set Source Address to be the subnet (192.168.2.0/24 in this example) that is allowed to join the VPN tunnel.
Page 392
CONFIGURATION > Network > Routing > Add Set up the Policy Route (ZyWALL/USG_Branch) Go to ZyWALL/USG_Branch CONFIGURATION > Network > Routing > Add and create an Address object for the remote LAN subnet (192.168.2.0/24 in this example) that is allowed to join the VPN tunnel. CONFIGURATION >...
Page 393
Go to ZyWALL/USG_Branch CONFIGURATION > Network > Routing > Add. Set Source Address to be the local subnet (192.168.10.0/24 in this example). Set Destination Address to be the remote LAN subnet (192.168.2.0/24 in this example) that is allowed to join the VPN tunnel. CONFIGURATION >...
Page 394
Test the IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected. CONFIGURATION > VPN > IPSec VPN > VPN Connection Go to ZyWALL/USG MONITOR >...
Page 395
PC at Branch Office > Windows 7 > cmd > ping 192.168.2.33 What Could Go Wrong? If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1 settings. Both ZyWALL/USG units at the HQ and Branch sites must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
Page 396
If you see that the Phase 1 IKE SA process is done but still get the [info] log message below, check the ZyWALL/USG Phase 2 settings. Both ZyWALL/USG units at the HQ and Branch sites must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IKE SA. MONITOR >...
Page 397
How to Create VTI and Configure VPN Failover with VTI This example illustrates how to create a VTI object and configure a policy route with the VTI. Furthermore, it applies the VTI to the WAN trunk to achieve VPN load balancing.
Page 398
Set Up the ZyWALL/USG VTI of Corporate Network (HQ) In the ZyWALL/USG, go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Add to create the VPN gateway HQ1 with wan1. CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Add In the same screen, create the VPN gateway HQ2 with wan2.
Page 399
Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection > Add and configure a VPN tunnel for the VPN gateway HQ1. Select VPN Tunnel Interface as the application scenario. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Add In the same screen, create a VPN tunnel for the VPN gateway HQ2.
Page 400
Go to CONFIGURATION > Network > Interface > VTI > Add to create a VTI for the VPN tunnel HQ1. Enable the connectivity check. Enter the IP address of vti1, which is configured on USG2. CONFIGURATION > Network > Interface > VTI > Add CONFIGURATION >...
Page 401
CONFIGURATION > Network > Interface > VTI > vti2 > Connectivity Check Go to CONFIGURATION > Network > Interface > Trunk > User Configuration > Add to create a new trunk. Add vti1 and vti2 to the new trunk. CONFIGURATION >...
Page 402
Connect the VPN tunnels when the VTIs are ready. Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection to connect the VPN tunnels. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Connect Go to CONFIGURATION > Network > Interface > VTI. You will see that the status of the VTI is up when the corresponding VPN tunnel is established.
Page 403
Set Up the ZyWALL/USG VTI of Corporate Network (Branch) In the ZyWALL/USG, go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Add to create the VPN gateway BO1 with wan1. CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Add In the same screen, create the VPN gateway BO2 with wan2.
Page 404
Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection > Add and configure a VPN tunnel for the VPN gateway BO1. Select VPN Tunnel Interface as the application scenario. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Add
Page 405
In the same screen, create a VPN tunnel for the VPN gateway BO2. Select VPN Tunnel Interface as the application scenario. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Add Go to CONFIGURATION > Network > Interface > VTI > Add to create a VTI for the VPN tunnel BO1.
Page 406
CONFIGURATION > Network > Interface > VTI > vti1 > Connectivity Check In the same screen, create a VTI for the VPN tunnel BO2. Be aware that the IP address of this VTI must be in the same subnet as vti2 on USG1. In this example, the IP address and subnet mask of vti2 on USG1 are 10.10.11.10 and 255.255.255.0 respectively.
Page 407
CONFIGURATION > Network > Interface > VTI > vti1 > Connectivity Check Go to CONFIGURATION > Network > Interface > Trunk > User Configuration > Add to create a new trunk. Add vti1 and vti2 to the new trunk. CONFIGURATION >...
Page 408
Go to CONFIGURATION > Network > Routing > Policy Route > Add to configure a policy route. Source Address: LAN1_SUBNET (192.168.11.0/24) Destination Address: HQ_subnet (192.168.1.0/24) Next-Hop: BO_vti_trunk SNAT: none CONFIGURATION > Network > Routing > Policy Route > Add Connect the VPN tunnels when the VTIs are ready.
Page 409
CONFIGURATION > VPN > IPSec VPN > VPN Connection > Connect Go to CONFIGURATION > Network > Interface > VTI. You will see that the status of the VTI is up when the corresponding VPN tunnel is established. CONFIGURATION > Network > Interface > VTI Test the IPSec VPN Tunnel To test whether or not a tunnel is working, ping from a PC in LAN1 of USG1 to a PC in LAN1 of USG2 and vice versa.
Page 410
PC of USG2 (192.168.11.33) > Windows 7 > cmd > ping 192.168.1.34 To test whether or not VPN failover is working, unplug wan1 of USG1. Then ping from a PC in LAN1 of USG1 to a PC in LAN1 of USG2 and vice versa. Check the VPN status of USG1 in the MONITOR >...
Page 411
Check the VPN status of USG2 in the MONITOR > VPN Monitor > IPSec screen. PC of USG2 (192.168.11.33) > Windows 7 > cmd > ping 192.168.1.34 What Can Go Wrong? If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1 settings.
Page 412
MONITOR > Log Make sure the security policies of both ZyWALL/USG units at the HQ and Branch sites allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. NAT traversal is enabled by default on the ZyWALL/USG; make sure the remote IPSec device also has NAT traversal enabled.
Page 413
How to configure the USG when using a Cloud Based SIP system This example shows how to configure the USG when a cloud-based SIP system is used. IP phones are becoming more and more popular. The USG supports the scenario in which IP phones located in the LAN connect to the Internet to register with the SIP server.
Page 414
Set Up the SIP ALG Go to CONFIGURATION > Network > ALG and check “Enable SIP ALG”. Also check “Enable SIP Transformations” if the SIP content needs to be transformed. Then click “Apply”. CONFIGURATION > Network > ALG Direct-media and Direct-signalling are activated after ZLD 4.25.
Page 415
Check the SIP registration status on the PBX. What could go wrong? The SIP phone does not support transformation itself, but “SIP Transformations” is not checked. The SIP phone contacts the outside without direct-signalling and direct-media, but the default setting on the USG is on. How to block HTTPS websites by Domain Filter without applying SSL Inspection...
Page 416
(SNI) extension field carrying the server FQDN. The SNI is used to query the category from the Commtouch engine, and action is taken when it matches a blocked category in the Content Filter profile. ZyWALL/USG Domain Filter Example Note: All network IP addresses and subnet masks are used as examples in this article.
Page 417
Profile > Test Web Site Category. Type the URL to test the category and click Test Against Content Filter Category Server. You will see the category recorded in the external content filter server’s database for both the HTTP and HTTPS domain you specified. Go to CONFIGURATION >...
Page 418
Scroll down to the Managed Categories section and select categories in this section to control access to specific types of Internet content. You must have the Content Filtering license to filter these categories.
Page 419
Set Up the Security Policy on the ZyWALL/USG Go to CONFIGURATION > Security Policy > Policy Control and configure a Name for you to identify the Security Policy profile. Scroll down to UTM Profile, select Content Filter and select a profile from the list box (Social_Net_Block in this example). Set Up the System Policy on the ZyWALL/USG Go to CONFIGURATION >...
Page 420
Go to ZyWALL/USG Monitor > Log; you will see [alert] log messages such as those below. HTTP traffic logs show a match on (Content Filter) and HTTPS traffic logs show a match on (HTTPS Domain Filter) in the message field.
Page 422
How to Configure Content Filter 2.0 with Geo IP Blocking Content Filter 2.0 - Geo IP blocking identifies the country based on IP address and allows you to block clients from accessing certain countries based on organizational policy.
Page 423
Set Up the Address Object with Geo IP on the ZyWALL/USG Go to CONFIGURATION > Object > Address/Geo IP > Address > Add Address Rule. Go to CONFIGURATION > Object > Address/Geo IP > Address; you can see the customized GEOGRAPHY address.
Page 424
Go to CONFIGURATION > Security Policy > Policy Control and configure a Name for you to identify the Security Policy profile. Set the Geo IP policy for traffic from WAN to LAN to allow only sources from the local country (geo_allow_policy in this example). Go to CONFIGURATION > Security Policy > Policy Control and configure a Name for you to identify the Security Policy profile.
Page 425
Type http://csosuppport.ddns.net/ into the browser; the HTTP site can be reached. Go to ZyWALL/USG Monitor > Log; you will see a [notice] log message such as the one below. Traffic matching the Geo IP policy is blocked and shown in the message field. What Could Go Wrong? 1.
Page 426
How to Configure Content Filter 2.0 with HTTPS Domain Filter Application Scenario The Content Filter with HTTPS Domain Filter allows you to block HTTPS websites by category service without SSL Inspection. The filtering feature is based on 64 categories built into the ZyWALL/USG, such as pornography, gambling, hacking, etc. When a user makes an HTTPS request, the ClientHello contains a Server Name Indication (SNI) extension field carrying the server FQDN.
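The SNI mechanism described here (and in the Domain Filter example earlier) is why the filter needs no SSL Inspection: the server name travels in the clear in the TLS ClientHello. The code below is an added example, not Zyxel's implementation; it builds a constructed ClientHello, extracts the SNI with full bounds checking, and applies a constructed category table and block list that stand in for the Commtouch category lookup.

```python
import struct

# Constructed category table standing in for the external category server
# the page describes; the real service returns far more categories.
CATEGORY_DB = {"facebook.com": "Social Networking",
               "pku.edu.cn": "Education",
               "rwth-aachen.de": "Education"}
BLOCKED_CATEGORIES = {"Social Networking"}


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying one SNI entry.
    Constructed test input, not a capture from a ZyWALL/USG."""
    host = server_name.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
    sni_ext = (struct.pack("!HH", 0x0000, len(entry) + 2)       # ext type 0 = server_name
               + struct.pack("!H", len(entry)) + entry)
    exts = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32      # client_version, random
            + b"\x00"                       # empty session_id
            + b"\x00\x02\x00\x2f"           # one cipher suite
            + b"\x01\x00"                   # null compression only
            + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None.
    Every length is bounds-checked so truncated or non-TLS input never raises."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                   # not a TLS handshake record
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                   # not a ClientHello
    declared = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + declared]
    if len(body) < declared:
        return None                                   # truncated handshake
    pos = 2 + 32                                      # skip version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                              # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                              # compression_methods
    if pos + 2 > len(body):
        return None                                   # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0 or len(data) < 2:
            continue
        q, list_end = 2, 2 + struct.unpack("!H", data[:2])[0]
        while q + 3 <= min(list_end, len(data)):
            name_type = data[q]
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            name = data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == 0 and len(name) == name_len:
                try:
                    return name.decode("ascii").rstrip(".").lower()
                except UnicodeDecodeError:
                    return None
    return None


def lookup_category(host: str):
    """Match the host, then each parent domain, against the category table."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        cat = CATEGORY_DB.get(".".join(labels[i:]))
        if cat:
            return cat
    return None


def domain_filter_verdict(record: bytes):
    """(action, category) for one ClientHello, mirroring the HTTPS Domain
    Filter decision: categorise by SNI and block only on a blocked category."""
    sni = extract_sni(record)
    if sni is None:
        return ("allow", None)            # nothing to categorise without an SNI
    cat = lookup_category(sni)
    if cat is None:
        return ("allow", "uncategorized")
    return ("block" if cat in BLOCKED_CATEGORIES else "allow", cat)
```

The same approach works against a packet capture: feed the first TLS record of each client-to-server flow to domain_filter_verdict to see which connections the filter would have classified.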
Page 427
Set Up the Content Filter on the ZyWALL/USG Go to CONFIGURATION > UTM Profile > Content Filter > Profile > General Settings. Select Enable HTTPS Domain Filter for HTTPS traffic. Go to CONFIGURATION > UTM Profile > Content Filter > Profile Management > Add Filter Profile >...
Page 428
You will see the category recorded in the external content filter server’s database for both the HTTP and HTTPS domain you specified. Go to CONFIGURATION > UTM Profile > Content Filter > Profile Management > Add Filter Profile > Custom Service. Configure a Name for you to identify the Content Filter Profile and select Enable Content Filter Category Service.
Page 429
Set Up the Security Policy on the ZyWALL/USG Go to CONFIGURATION > Security Policy > Policy Control and configure a Name for you to identify the Security Policy profile. Scroll down to UTM Profile, select Content Filter and select a profile from the list box (Social_Net_Block in this example).
Page 430
Set Up the System Policy on the ZyWALL/USG Go to CONFIGURATION > System > WWW > Show Advanced Settings > Other and click Enable Content Filter HTTPS Domain Filter Block/Warn Page.
Page 431
Test the Result Type http://www.facebook.com/ or https://www.facebook.com/ into the browser; the error message appears. Go to ZyWALL/USG Monitor > Log; you will see [alert] log messages such as those below. HTTP traffic logs show a match on (Content Filter) and HTTPS traffic logs show a match on (HTTPS Domain Filter) in the message field.
Page 432
HTTPS traffic will pass. How to block the client accessing to certain country using Geo IP and Content Filter The Content Filter with Geo IP identifies the country based on IP address and allows you to block clients from accessing certain countries based on organizational policy. When a user makes an HTTP or HTTPS request, the ZyWALL/USG queries the IP address in the MaxMind database, then takes action when it matches a blocked country in the Content Filter profile.
Page 433
Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG310 (Firmware Version: 4.25). Check Geo IP License Status on the ZyWALL/USG Go to CONFIGURATION >...
Page 434
Set Up the Address Object with Geo IP on the ZyWALL/USG Go to CONFIGURATION > Object > Address/Geo IP > Address > Add Address Rule. Go to CONFIGURATION > Object > Address/Geo IP > Address; you can see the customized GEOGRAPHY address.
Page 435
Set Up the Security Policy on the ZyWALL/USG Go to CONFIGURATION > Security Policy > Policy Control and configure a Name for you to identify the Security Policy profile. Set a deny policy for Geo IP traffic from LAN to WAN (geo_block_policy in this example).
Page 436
Test the Result Type http://www.pku.edu.cn/ or https://www.rwth-aachen.de/ into the browser; the sites can’t be reached.
Page 437
Go to ZyWALL/USG Monitor > Log; you will see a [notice] log message such as the one below. Traffic matching the Geo IP policy is blocked and shown in the message field.
Page 439
How to Restrict Web Portal access from the Internet This example shows how to use the VPN Setup Wizard to create a site-to-site VPN with multiple LAN access to the VPN tunnel. The example instructs how to configure the VPN tunnel between each site and redirect multiple LAN interface traffic to the VPN tunnel.
Page 440
Test the Web Access Log in to the device via the WAN interface with the administrator's user name and password. The screen will show Login denied. Login to the device via the WAN interface
Page 441
Log in to the device via the LAN interface with the administrator's user name and password. The management portal will be displayed. Login to the device via the LAN interface Go to MONITOR > Log. You can see that the admin login has been denied access from the WAN interface but it is allowed from the LAN interface.
Page 443
How to Setup and Configure Daily Report This example shows how to set up data collection and view various statistics about traffic passing through your ZyWALL/USG. When the Daily Report is configured, you will receive a statistics report every day. ZyWALL/USG Setup and Configure Daily Report Note: All network IP addresses and subnet masks are used as examples in this article.
Page 444
Set Up the ZyWALL/USG Email Daily Report Setting Go to CONFIGURATION > Log & Report > Email Daily Report > General Settings. Select Enable Email Daily Report to send reports by e-mail every day. CONFIGURATION > Log & Report > Email Daily Report > General Settings Type the SMTP server name or IP address.
Page 445
Select the information to include in the report. Types of information include System Resource Usage, Wireless Report, Threat Report, and Interface Traffic Statistics. Select Reset counters after sending report successfully if you only want to see statistics for a 24-hour period. CONFIGURATION >...
Page 446
You will receive a daily report mail. ZyXEL Daily Report Mail
Page 447
What Could Go Wrong? Make sure your Email settings are all correct. CONFIGURATION > Log & Report > Email Daily Report > Email Settings
Page 448
Make sure your ZyWALL-to-WAN security policy allows the traffic. How to Setup and Configure Email Logs This example shows how to set up e-mail profiles to mail ZyWALL/USG log messages to specific destinations. You can also specify which log messages to e-mail, and where and how often to e-mail them.
Page 449
Set Up the ZyWALL/USG Email Logs Setting 1. Go to CONFIGURATION > Log & Report > Log Settings > System Log > Edit > E-mail Server 1. Select Active. Type the SMTP server name or IP address. In Mail From, type the e-mail address from which the outgoing e-mail is delivered.
Page 450
www.zyxel.com CONFIGURATION > Log & Report > Log Settings > System Log > Edit > Active Log and Alert. Test the Email Log You will receive a log mail depends on the time you set in the E-mail Server. ZyXEL Log Mail 450/810...
Page 451
www.zyxel.com What Could Go Wrong? Make sure your Email settings are all correct. CONFIGURATION > Log & Report > Email Daily Report > Email Settings Make sure your ZyWALL to WAN security policy allow. 451/810...
How to Setup and send logs to a Syslog Server This example shows how to set up syslog server profiles to send ZyWALL/USG log messages to specific destinations. You can also specify which log messages to send to the syslog server. When the syslog server is configured, you will receive system logs in real time.
Go to Dashboard > Add Systems. Dashboard > Add Systems Select Not shown here? and My syslog daemon only sends to port 514. Dashboard > Add Systems > I’m using Select My syslogd only uses the default port, set the ZyWALL/USG public IP address (111.250.188.9 in this example) and name the log system.
Write down the Papertrail-provided domain name (logs.papertrialpp.com in this example). Dashboard > Add Systems > I’m using > Choose your situation > System Created
Set Up the ZyWALL/USG Remote Server Setting 1. Go to CONFIGURATION > Log & Report > Log Settings > Remote Server > Edit. Set Log Format to be CEF/Syslog. Type the Server Address to be the Papertrail-provided domain name (logs.papertrialpp.com in this example). 2.
Test the Remote Server You will receive a log mail at the time you set in the E-mail Server. ZyXEL Log Mail
What Could Go Wrong? Make sure your Log settings for Remote Server are all correct. CONFIGURATION > Log & Report > Log Settings > Remote Server Make sure your ZyWALL-to-WAN security policy allows traffic to the log server.
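With Log Format set to CEF/Syslog, the Remote Server receives each log entry as a syslog line carrying a CEF payload. The receiver-side parser below is an added example, not Zyxel code or Papertrail's: it splits the syslog prefix and the seven-field CEF header, unescapes the extension, and picks out high-severity events so a log server can alert on them. The two sample lines and their extension keys (src, proto, msg) are constructed assumptions; Zyxel's real field names are not shown on this page.

```python
"""Receiver-side parser for the CEF/Syslog lines a ZyWALL/USG emits to a
remote syslog server. Added example, not Zyxel code; the sample lines below
are constructed and their extension keys (src, proto, msg) are assumptions."""
import re
from dataclasses import dataclass, field

# RFC 3164 style prefix: <PRI>Mmm dd hh:mm:ss host payload
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


@dataclass
class CefEvent:
    facility: int            # PRI // 8
    severity: int            # syslog severity, PRI % 8 (0 = emerg .. 7 = debug)
    host: str
    vendor: str
    product: str
    version: str
    signature_id: str
    name: str
    cef_severity: str        # CEF's own 0-10 scale, kept as text
    ext: dict = field(default_factory=dict)


def _split_escaped(text, sep):
    """Split on sep; a backslash before sep is an escape and is removed,
    every other backslash sequence is left for later unescaping."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text) and text[i + 1] == sep:
            cur.append(sep)
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append("".join(cur))
    return parts


def parse_extension(ext_text):
    """CEF extension: 'k=v k2=v2 ...'. Values may contain spaces, so a new
    pair starts only at a space followed by a bare key and '='."""
    pairs = {}
    for tok in re.split(r" (?=[A-Za-z0-9_.]+=)", ext_text.strip()):
        if "=" not in tok:
            continue
        key, value = tok.split("=", 1)
        pairs[key] = value.replace("\\=", "=").replace("\\\\", "\\")
    return pairs


def parse_cef(line):
    """Parse one syslog line whose payload is a CEF record; raise ValueError
    for lines that are not syslog or not CEF."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line[:40])
    payload = m.group("msg")
    if not payload.startswith("CEF:"):
        raise ValueError("payload is not CEF")
    fields = _split_escaped(payload[len("CEF:"):], "|")
    if len(fields) < 8:
        raise ValueError("CEF header must have seven '|' separators")
    _cef_version, vendor, product, dev_version, sig_id, name, cef_sev = fields[:7]
    # pipes are not escaped inside the extension, so re-join any extra splits
    ext = parse_extension("|".join(fields[7:]))
    pri = int(m.group("pri"))
    return CefEvent(pri // 8, pri % 8, m.group("host"), vendor, product,
                    dev_version, sig_id, name, cef_sev, ext)


def parse_lines(lines):
    """Parse a batch; return (events, number_of_unparseable_lines)."""
    events, bad = [], 0
    for line in lines:
        try:
            events.append(parse_cef(line))
        except ValueError:
            bad += 1
    return events, bad


def select_alerts(events, min_cef_severity=7):
    """Events whose numeric CEF severity reaches the threshold; a non-numeric
    severity (some products send Low/High) is treated as not matching."""
    return [e for e in events
            if e.cef_severity.isdigit() and int(e.cef_severity) >= min_cef_severity]


# Constructed sample input (not captured from a real device).
SAMPLE_LINES = [
    "<134>Jul  1 10:00:01 usg110 CEF:0|ZyXEL|USG110|4.25|100|Admin login denied|7|"
    "src=203.0.113.7 proto=HTTPS msg=Login denied from wan1 (addr\\=203.0.113.7)",
    "<134>Jul  1 10:00:05 usg110 CEF:0|ZyXEL|USG110|4.25|101|Admin login success|3|"
    "src=192.168.1.33 proto=HTTPS msg=Login from lan1",
    "garbage that is not syslog",
]

if __name__ == "__main__":
    evts, bad = parse_lines(SAMPLE_LINES)
    for e in select_alerts(evts):
        print(e.host, e.signature_id, e.name, e.ext)
    print("unparseable lines:", bad)
```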
How to Setup and send logs to a Vantage Reports Server This example shows how to set up Vantage Report Server profiles to send ZyWALL/USG log messages to specific destinations. You can also specify which log messages to send to the Vantage Report Server. When the Vantage Report Server is configured, you will receive system logs in real time.
Set Up the VRPT Server 1. You must have registered an account at http://www.myZyXEL.com for the Vantage Report server. 2. Install the VRPT software: http://www.zyxel.com/support/DownloadLandingSR.shtml?c=gb&l=en&kbid=M-01339&md=VRPT 4. Unzip the file and click Vantage Report.exe to start installing Vantage Report. Then, the Vantage Report installation wizard appears. Click Next.
5. Enter the port number you want Vantage Report to use for web services. Make sure this port number does not conflict with other services in your network. Click Next. Check whether any applications also use port 3316 (TCP), 514 (UDP) or 8080 (UDP) by entering “netstat -a”...
Xxxx is the port number you entered during installation (10.251.30.61:8080/vrpt/ in this example). In the login screen, enter the default login User Name and Password: root. Go to Dashboard > License Information > Manage Device and click Add Device; the Add Device screen appears on the left side. Enter the Name of the device you want to add to Vantage Report.
Set Up the ZyWALL/USG Remote Server Setting Go to CONFIGURATION > Log & Report > Log Settings > Remote Server > Edit. Set Log Format to be VRPT/Syslog. Type the Server Address to be the Vantage Report server IP address (10.251.30.61 in this example). Use the System Log drop-down list to change the log settings for all of the log categories.
Test the Remote Server In the VRPT Server, go to Logs > Log Viewer and click Search. The screen displays the device log information. (It may take 5 to 10 minutes for logs to appear after the device has just been added.) VRPT Server >...
Make sure your Log settings for Remote Server are all correct. CONFIGURATION > Log & Report > Log Settings > Remote Server Make sure your ZyWALL-to-WAN security policy allows traffic to the log server. How to Setup and send logs to the USB storage This example shows how to use a USB device to store the system log information.
ZyWALL/USG enable and send logs to the USB storage Note: Only connect one USB device. It must allow writing (it cannot be read-only) and use the FAT16, FAT32, EXT2, or EXT3 file system. This example was tested using USG110 (Firmware Version: ZLD 4.25). Set Up the USB System Settings Go to CONFIGURATION >...
Set Up the USB Log Storage Go to CONFIGURATION > Log & Report > Log Settings, select USB Storage and click Activate. Click Apply to save your changes. CONFIGURATION > Log & Report > Log Settings Go to CONFIGURATION > Log & Report > Log Settings > USB Storage > Edit. Select Duplicate logs to USB storage (if ready) to have the ZyWALL/USG save a copy of its system logs to a connected USB storage device.
Check the USG Log Files Connect the USB device to a PC; you can find the files in the following path: \Model Name_dir\centralized_log\YYYY-MM-DD.log
How to Activate a Free Access Hotspot Some hotels need to provide free Internet services to hundreds of guests on a daily basis, and managing the Internet access for so many people can be very complicated without the right equipment. With web authentication methods such as user agreement and web portal, hotel guests are redirected to a web-based authentication portal upon the first attempt to access the network. In some countries, the law requires the identification and tracking of users who use public Internet access.
• WAN: 10.251.31.112
• LAN 1: 192.168.1.1/255.255.255.0
• User’s laptop: 192.168.1.33
Set up the Free Access Hotspot Configurations on the USG1100 The user agreement of this feature allows clients to access the Internet without a guest account. An advertisement webpage is used as the first page when an authenticated user attempts to access the Internet.
Go to Configuration > Hotspot > Advertisement. (1) Select Enable Advertisement. (2) Add the URL of the website that you want to advertise. Test the User Agreement and Advertisement Webpage 1. When a client attempts to access the Internet via a browser, he/she will be redirected to the user agreement page. 2. The advertisement webpage will be displayed in a new window, and it is the first page that appears whenever the user connects to the Internet.
What Could Go Wrong? If users can access the Internet without any authentication, make sure the Source Address is configured for the correct subnet. For example, if you want users in subnet 192.168.1.0/24 to be controlled via authentication, make sure the Source Address is 192.168.1.0/24. Set up and Enable the Free Time Feature
Configurations on the USG1100 On the USG1100, you need to enable the SMS service and select SMS as the delivery method in the Free Time feature. 1. Register for a ViaNett account at http://www.vianett.com. 2. Enter all the required information. 3.
4. Enter the activation code and proceed to make the payment. 5. Fill in the credit card information to complete the payment.
The payment is complete. 6. After the ViaNett account is ready, go to the USG1100’s Configuration > Hotspot > SMS screen. (1) Enable SMS. (2) Fill in your local phone country code as the default country code. (3) Add an authentication policy for every source.
7. Go to Configuration > Hotspot > Free Time. (1) Select Enable Free Time and set up the free time period. By default, the Reset Time is 00:00 AM. You can also set up how many times a MAC address can access the Internet.
9. Select Enable Policy, Force User Authentication, and then select default-web-portal as the Authentication Type. Test Free Time Feature 1. The user will be redirected to the Login screen before he/she is permitted to access the Internet. Click on the link to get a free account.
Select Free Time as the service plan. Then submit your country code and mobile phone number. 3. The account and password will be sent to your mobile phone.
4. Check your account information. 5. Fill in the account information received on your mobile phone and click Login.
6. Now the client can start accessing the Internet. What Can Go Wrong? If the client cannot get the SMS message from ViaNett, make sure the Country code, Username and Password are all correct.
How to Setup IPv6 Interfaces for Pure IPv6 Routing This example shows how to configure your USG Z’s WAN and LAN interfaces, which connect two IPv6 networks. USG Z periodically advertises a network prefix of 2006:1111:1111:1111::/64 to the LAN through router advertisements. ZyWALL/USG access the internet via IPv6 Note: Instead of using router advertisement, you can use DHCPv6 to pass the...
Setting Up the IPv6 Interface 1. In the CONFIGURATION > Network > Interface > Ethernet screen’s IPv6 Configuration section, double-click wan1. 2. The Edit Ethernet screen appears. Select Enable Interface and Enable IPv6. Select Enable Auto-Configuration. Click OK. Note: Your ISP or uplink router should have router advertisement enabled.
3. Use the command line tool ipconfig to check.
Set up the Prefix Delegation and Router Advertisement This example shows how to configure prefix delegation on the ZyWALL’s WAN and router advertisement on the LAN. Apply for a Network Prefix From Your ISP First of all, you have to apply for a network prefix from your ISP or the uplink router’s administrator.
Click Add in the DHCPv6 Request Options table and select the DHCPv6 request object you just created. You cannot see the prefix your ISP gave you in the Value field until you click OK and then come back to this screen. It is 2001:b050:2d::/48 in this example. Note: Your ISP or a DHCPv6 server in the same network as the WAN should assign an IPv6 address to the WAN interface.
Setting Up the WAN IPv6 Interface 1. In the Configuration > Network > Interface > Ethernet screen, double-click the lan interface in the IPv6 Configuration section. 2. The Edit Ethernet screen appears. Click Show Advanced Settings to display more settings on this screen.
1. Navigate to IPv6 Router Advertisement Setting and enable Router Advertisement; it advertises the prefix to the LAN hosts. Also enable Advertised Hosts Get Other Configuration From DHCPv6 so that LAN hosts get the DNS address from the USG. 2. Configure Advertised Prefix from DHCPv6 Prefix Delegation so that the LAN hosts get the prefix from the USG; the Suffix address can be set to 0~F. Test 1.
4. Open a web browser and type http://www.kame.net. If your IPv6 settings are correct, you can see a dancing turtle on the website. What Can Go Wrong? 1. If you forgot to enable Auto-Configuration on the WAN1 IPv6 interface, you will not have any default route to forward the LAN’s IPv6 packets.
Select DHCPv6 Lease and DNS server as the lease type. For example, set the Google DNS IPv6 address 2001:4860:4860::8888. 2. Select DHCPv6 from the drop-down list as the server type, add the DNS server object in DHCPv6 lease options and enable Router Advertisement.
Test You can use the command “netsh interface ipv6 show dnsservers” to check the DNS server IP. How to Perform and Use the Packet Capture Feature on the ZyWALL/USG This example shows how to use the Packet Capture feature to capture network traffic going through the ZyWALL/USG’s interfaces.
ZyWALL/USG Packet Capture Feature Settings Note: New capture files overwrite existing files of the same name. Change the File Suffix field’s setting to avoid this. This example was tested using USG110 (Firmware Version: ZLD 4.25). Set Up the Packet Capture Feature Go to MAINTENANCE >...
Go to MAINTENANCE > Diagnostics > Packet Capture > Capture > Filter. Select the IP Version (IPv4 or IPv6) for which to capture packets, or select any to capture packets for all IP versions. Select the Protocol Type of traffic for which to capture packets. Select any to capture packets for all types of traffic.
11. Click Capture. 12. Click Stop when collection is done.
Check the Capture Files Go to MAINTENANCE > Diagnostics > Packet Capture > Files, select the .cap file and click Download. Open .cap files with Wireshark
How to Automatically Reboot the ZyWALL/USG by Schedule
This example shows how to use a shell script and schedule run to reboot the device automatically for maintenance purposes. ZyWALL/USG Auto Schedule Reboot Settings Note: This example was tested using USG110 (Firmware Version: ZLD 4.25). Set Up the Shell Script Run the Windows Notepad application and input the command below:
Save this file as "reboot_device.zysh". In the ZyWALL/USG, go to MAINTENANCE > File Manager > Shell Script. Click Browse... to find the reboot_device.zysh file. Click Upload to begin the upload process. Set Up the Schedule Run Log in to the device via console/telnet/SSH (using PuTTY in this example)
Issue the commands below based on three different (daily, weekly and monthly) user scenarios: a. Router(config)# schedule-run 1 reboot_device.zysh daily 10:00 (The device will reboot at 10:00 every day) b. Router(config)# schedule-run 1 reboot_device.zysh weekly 10:00 sun (The device will reboot at 10:00 every Sunday)
c. Router(config)# schedule-run 1 reboot_device.zysh monthly 10:00 23 (The device will reboot at 10:00 on the 23rd of every month) Check the Reboot Status Log in to the device via console/telnet/SSH; the reboot runs as scheduled. Go to Configuration > System > Date/Time and check Current Date/Time. Figure Configuration >...
How To Schedule YouTube Access This is an example of using the ZyWALL/USG UTM Profile and Security Policy to control access to the network. If an application should not have network access during certain hours, you can use Application Patrol, SSL Inspection and Schedule settings to make sure that these applications cannot access the Internet.
Create the Application Objects on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Object > Application > Add Application Rule. Configure a Name for you to identify the Application Profile. Then, click Add to create an Application Object. CONFIGURATION >...
Then, select the CA Certificate to be the certificate used in this profile. Select Block and set Log type to log alert. Leave Action for Connection with SSL v3 and the other actions at their default settings. CONFIGURATION > UTM Profile > SSL Inspection > Add rule Set Up the Security Policy on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION >...
Export Certificate from ZyWALL/USG and Import it to Windows 7 Operating System When SSL inspection is enabled and a website being accessed does not trust the ZyWALL/USG certificate, the browser will display a warning page about security certificate problems. Go to ZyWALL/USG CONFIGURATION > Object > Certificate > default > Edit to export the default certificate from the ZyWALL/USG with Private Key (zyx123 in this example).
CONFIGURATION > Object > Certificate > default CONFIGURATION > Object > Certificate > default > Edit > Export Certificate Only Save the default certificate as a *.crt file on the Windows 7 Operating System. In the Windows 7 Operating System Start Menu > Search Box, type mmc and press Enter.
In the mmc console window, click File > Add/Remove Snap-in... File > Add/Remove Snap-in... In the Available snap-ins, select Certificates and click the Add button. Select Computer account > Local Computer. Then, click Finish and OK to close the Snap-ins window.
In the mmc console window, open Certificates (Local Computer) > Trusted Root Certification Authorities, right-click Certificates > All Tasks > Import… Click Next, then Browse..., and locate the .crt file you downloaded earlier. Then, click Next.
Select Place all certificates in the following store, then click Browse and find Trusted Root Certification Authorities. Click Next, then click Finish. Note: Each ZyWALL/USG device has its own self-signed certificate by factory default. When you reset to the default configuration file, the original self-signed certificate is erased, and a new self-signed certificate will be created when the ZyWALL/USG boots the next time.
Test the Result Type http://www.youtube.com/ or https://www.youtube.com/ into the browser. An error message occurs. Go to the ZyWALL/USG Monitor > Log; you will see an [alert] log message such as the one below. What Could Go Wrong? If you are not able to configure any Application Patrol policies or they are not working, there are two possible reasons: You have not subscribed to the Application Patrol service.
the portal page (https://portal.myzyxel.com/) to register or extend your Application Patrol license. After you apply the Application Patrol service, the running session will continue until it is finished.
How to continuously run a ZySH script This example shows how to use a shell script and continuously run a ZySH script automatically for maintenance purposes. ZyWALL/USG continuously run a ZySH script Settings Note: This example was tested using USG110 (Firmware Version: ZLD 4.25). Set Up the Shell Script Run the Windows Notepad application and input the command below:
Save this file as "disable_firewall.zysh". Run the Windows Notepad application and input the command below: Save this file as "enable_firewall.zysh". In the ZyWALL/USG, go to MAINTENANCE > File Manager > Shell Script. Click Browse... to find the disable_firewall.zysh and enable_firewall.zysh files. Click Upload to begin the upload process.
Set Up the Schedule Run Issue the commands below: Router> configure terminal Router(config)# schedule-run 1 disable_firewall.zysh daily 15:15 Check the Result In the ZyWALL/USG, go to DASHBOARD. DASHBOARD
How To Register Your Device and Services at myZyXEL.com myZyXEL.com is ZyXEL’s online services center where you can register your ZyXEL device and manage the subscription services available for the device. To update signature files or use a subscription service, you have to register the device and activate the corresponding service at myZyXEL.com.
Account Creation After you click the link from the Registration screen of your ZyXEL device’s Web Configurator or click the myZyXEL.com 2.0 icon on the portal page (https://portal.myzyxel.com/), the Sign In screen displays. CONFIGURATION > Licensing > Registration
Click Not a Member Yet to open the Sign Up screen where you can create an account. myZyXEL.com > Not a Member Yet Select Registration Type to create an Individual account or a Business account. An Individual account is for non-commercial end users of ZyXEL products. A Business account is for commercial users;...
After you click Submit, myZyXEL.com 2.0 will send you an account activation notification e-mail. Click the URL link in the e-mail to activate your account and log into myZyXEL.com 2.0. After e-mail activation, sign in to myZyXEL.com 2.0 to register or manage your devices and services.
Service Registration (In the Case of Standard License) Click Service Registration in the navigation panel to open the screen. Fill in the License Key as shown on the E-iCard License. Go to the Service Management page and click the Link button. Select the device, then click the Activate button to initiate the service license.
Device Management (In the Case of Registering Bundled Licenses) Go to Device Management and click on the MAC Address hyperlink of your device. In the Linked Services page, click the Activate button to initiate the service license. You will get a Service Activation Notice e-mail when you activate a new service.
Refresh Service After the service is activated, go to the ZyWALL/USG CONFIGURATION > Licensing > Registration > Service and click the Service License Refresh button to update the Status. What Could Go Wrong? If you can’t activate your device’s service license, check whether you entered the correct license key.
If you forget your registered e-mail address on myZyXEL.com, go to the link below and submit a request to the ZyXEL support team for further support: http://www.zyxel.com/form/Support_Feedback.shtml
How To Exempt Specific Users From Security Control This is an example of using a ZyWALL/USG Security Policy to exempt three corporate executives from security control, while controlling Internet access for other employees’ accounts. Exempt Specific Users from Security Control Example Note: All network IP addresses and subnet masks are used as examples in this article.
Set Up the Security Policy on the ZyWALL/USG for Employees In the ZyWALL/USG, go to CONFIGURATION > Object > Address > Add Address Rule to create an address range for employees. CONFIGURATION > Object > Address > Add Address Rule Set up the Security Policy for employees: go to CONFIGURATION >...
Scroll down to UTM Profile and select the general policy that allows employees to access the Internet. (Using the built-in Office profile in this example blocks non-productive services such as Advertisement & Pop-Ups, Gambling and Peer to Peer services, etc.). CONFIGURATION >...
Set Up the Security Policy on the ZyWALL/USG for Executives In the ZyWALL/USG, go to CONFIGURATION > Object > User/Group > Add A User to create a User Name/Password for each executive. CONFIGURATION > Object > User/Group > Add A User
Then, go to CONFIGURATION > Object > User/Group > Group > Add Group to create a Group Members’ Name and move the just-created executive user objects to Member. CONFIGURATION > Object > Address Group > Add Address Group Rule Set up the Security Policy for executives: go to CONFIGURATION >...
Leave all UTM Profiles disabled. CONFIGURATION > Security Policy > Policy Control > Add corresponding > Employees_Security Test the Result Connect to the Internet from two computers: one as executive_1 and one from an employee address (192.168.30.9). Go to the ZyWALL/USG Monitor > Log; you will see [notice] log messages such as the ones below.
Monitor > Log What Could Go Wrong? If you are not able to configure any UTM policies or they are not working, there are two possible reasons: You have not subscribed to the UTM service. You have subscribed to the UTM service but the license has expired. You can click the link from the CONFIGURATION >...
How To Detect and Prevent TCP Port Scanning with ADP This is an example of using a ZyWALL/USG ADP (Anomaly Detection and Prevention) profile to protect against anomalies based on violations of protocol standards (RFCs – Requests for Comments) and abnormal traffic flows such as port scans.
Set Up the ADP Profile on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Security Policy > ADP > Profile and click the Add icon. A pop-up screen will appear allowing you to choose a base profile. Select a base profile to go to the profile details screen. CONFIGURATION >...
In the Flood Detection section, set the Block Period, the duration for which blocking is applied to the destination IP address. Set a Threshold (the number of packets per second that match the flood detection criteria) appropriate for your network. Click OK. CONFIGURATION >...
Go to CONFIGURATION > Security Policy > ADP > General and select Enable Anomaly Detection and Prevention. Then, select the just-created Anomaly Profile and click Apply. CONFIGURATION > Security Policy > ADP > General Test the Result Download the Nmap free security scanner for testing the result: https://nmap.org/download.html Open the Nmap GUI, set the Target to be the WAN IP of the ZyWALL/USG (172.124.163.150 in this example) and set Profile to Intense Scan.
Go to the ZyWALL/USG Monitor > Log; you will see a [warn] log message such as the one below. Monitor > Log What Could Go Wrong? You may find that certain rules trigger too many false positives or false negatives. A false positive is when valid traffic is flagged as an attack. A false negative is when invalid traffic is wrongly allowed to pass through the ZyWALL/USG.
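To see how the Threshold and Block Period interact when a port scan hits the WAN address, the code below models flood detection as an added example; it is not Zyxel's ADP implementation. It counts SYN packets per source over a one-second window, blocks that source for Block Period seconds once Threshold packets are seen, and records how many distinct ports were hit so the event can be logged. The traffic is constructed, and blocking by source address (rather than the destination the page's wording refers to) is an assumption of this simplified model.

```python
"""Simplified model of ADP flood detection applied to a TCP port scan: count
SYN packets per source over a one-second window, and once the Threshold is
reached block that source for Block Period seconds. Added example, not
Zyxel's ADP implementation; blocking by source address and the traffic below
are assumptions/constructed."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float      # seconds
    src: str
    dst: str
    dport: int
    syn: bool      # True for a bare TCP SYN (connection attempt)


class FloodDetector:
    def __init__(self, threshold, block_period, window=1.0):
        self.threshold = threshold        # packets per window that trigger a block
        self.block_period = block_period  # seconds a matched source stays blocked
        self.window = window
        self._recent = defaultdict(deque) # src -> deque of (ts, dport)
        self._blocked_until = {}          # src -> expiry timestamp
        self.events = []                  # detection records for the log

    def process(self, pkt):
        """Return 'drop' (source currently blocked), 'block' (threshold just
        reached by this packet) or 'forward'."""
        expiry = self._blocked_until.get(pkt.src)
        if expiry is not None:
            if pkt.ts < expiry:
                return "drop"
            del self._blocked_until[pkt.src]      # block period elapsed
        if not pkt.syn:
            return "forward"                      # only SYNs match the criteria
        q = self._recent[pkt.src]
        q.append((pkt.ts, pkt.dport))
        while q and pkt.ts - q[0][0] > self.window:
            q.popleft()                           # slide the window
        if len(q) >= self.threshold:
            self._blocked_until[pkt.src] = pkt.ts + self.block_period
            self.events.append({
                "ts": pkt.ts, "src": pkt.src, "dst": pkt.dst,
                "packets": len(q), "distinct_ports": len({p for _, p in q}),
            })
            q.clear()
            return "block"
        return "forward"


# Constructed traffic: a scan of 20 ports in half a second against the WAN
# address used on this page, the same host returning after the block period,
# and a normal client making three connections over four seconds.
SCANNER, CLIENT, WAN = "198.51.100.5", "192.0.2.10", "172.124.163.150"
CONSTRUCTED_TRAFFIC = sorted(
    [Packet(100.0 + i * 0.025, SCANNER, WAN, 20 + i, True) for i in range(20)]
    + [Packet(170.0, SCANNER, WAN, 443, True)]
    + [Packet(100.0 + i * 2.0, CLIENT, WAN, 443, True) for i in range(3)],
    key=lambda p: p.ts,
)


def run_simulation(threshold=10, block_period=60.0, traffic=CONSTRUCTED_TRAFFIC):
    """Feed the traffic through the detector; return per-source decision
    counts and the detection events."""
    det = FloodDetector(threshold, block_period)
    summary = defaultdict(Counter)
    for pkt in traffic:
        summary[pkt.src][det.process(pkt)] += 1
    return {src: dict(c) for src, c in summary.items()}, det.events


if __name__ == "__main__":
    counts, events = run_simulation()
    for src, c in counts.items():
        print(src, c)
    for ev in events:
        print("flood detected:", ev)
```

With Threshold 10 the scanner is blocked on its tenth SYN, its remaining probes are dropped for the Block Period, and its connection after the period is forwarded again; raising the Threshold above the scan rate (second assertion in the test) lets the whole scan through, which is the false-negative case the section warns about.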
Page 538
www.zyxel.com How To Block Facebook This is an example of using a ZyWALL/USG UTM Profile in a Security Policy to block access to a specific social network service. You can use Content Filter, SSL Inspection and Policy Control to make sure that a certain web page cannot be accessed through both HTTP and HTTPS protocols.
Page 539
www.zyxel.com Set Up the Content Filter on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > UTM Profile> Content Filter > Profile Management > Add Filter File > Custom Service. Configure a Name for you to identify the Content Filter Profile and select Enable Custom Service. CONFIGURATION >...
Page 540
www.zyxel.com Block to Action for Connection with SSL v3 and select Log type to be log alert. Leave other actions as default settings. CONFIGURATION > UTM Profile > SSL Inspection > Add rule 540/810...
Page 541
www.zyxel.com Set Up the Security Policy on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Security Policy > Policy Control, configure a Name for you to identify the Security Policy profile. For From and To policies, select the direction of travel of packets to which the policy applies. Select the Schedule that defines when the policy applies (Facebook_Block in this example).
Page 542
www.zyxel.com Export Certificate from ZyWALL/USG and Import it to Windows 7 Operation System When SSL inspection is enabled and an access website does not trust the ZyWALL/USG certificate, the browser will display a warning page of security certificate problems. Go to ZyWALL/USG CONFIGURATION > Object > Certificate > default > Edit to export default certificate from ZyWALL/USG with Private Key (zyx123 in this example).
Page 543
www.zyxel.com In Windows 7 Operating System Start Menu > Search Box, type mmc and press Enter. Start Menu > Search Box > mmc In the mmc console window, click File > Add/Remove Snap-in... File > Add/Remove Snap-in... 543/810...
Page 544
www.zyxel.com In the Available snap-ins, select the Certificates and click Add button. Select Computer account > Local Computer. Then, click Finished and OK to close the Snap-ins window. Available snap-ins > Certificates > Add In the mmc console window, open the Certificates (Local Computer) > Trusted Root Certification Authorities, right click Certificate >...
Page 545
www.zyxel.com Click Next. Then, Browse..., and locate the .crt file you downloaded earlier. Then, click Next. 545/810...
Page 546
www.zyxel.com Select Place all certificates in the following store and then click Browse and find Trusted Root Certification Authorities. Click Next, then click Finish. Note: Each ZyWALL/USG device has its own self-signed certificate by factory default. When you reset to default configuration file, the original self-signed certificate is erased, and a new self-signed certificate will be created when the ZyWALL/USG boots the next time.
Page 547
www.zyxel.com Go to the ZyWALL/USG Monitor > Log, you will see [alert] log message such as below. Monitor > Log What Could Go Wrong? If you are not be able to configure any Content Filter policies or it’s not working, there are two possible reasons: You have not subscribed for the Content Filter service.
Page 548
www.zyxel.com How To Exempt Specific Users From a Blocked Website This is an example of using a ZyWALL/USG Security Policy to exempt three corporate executives from a blocked Website, while controlling Internet access for other employees’ accounts. With executives connect to a blocked Website using PCs with static IP addresses, you could set up address group to allow their traffic.
Page 549
www.zyxel.com Set Up the Security Policy on the ZyWALL/USG for Employees In the ZyWALL/USG, go to CONFIGURATION > Object > Address > Add Address Rule to create address range for employees. CONFIGURATION > Object > Address > Add Address Rule Set up Security Policy for employees, go to CONFIGURATION >...
Page 550
www.zyxel.com Scroll down to UTM Profile, select the general policy that allows employees to access the Internet. (Using built-in Office profile in this example blocks the non- productive services, such as Advertisement & Pop-Ups, Gambling and Peer to Peer services…etc.). CONFIGURATION >...
Page 551
www.zyxel.com Set Up the Security Policy on the ZyWALL/USG for Executives In the ZyWALL/USG, go to CONFIGURATION > Object > Address > Add Address Rule to create address for each executives. CONFIGURATION > Object > Address > Add Address Rule Then, go to CONFIGURATION >...
Page 552
www.zyxel.com address object to Member. CONFIGURATION > Object > Address Group > Add Address Group Rule Set up Security Policy for executives, go to CONFIGURATION > Security Policy > Policy Control > Add corresponding, configure a Name for you to identify the executives’...
Page 554
www.zyxel.com Test the Result Connect to the Internet from two computers: one from executive_2 address (192.168.10.2) and one from an employee address (192.168.20.1) and both access to https://hangouts.google.com/. Go to the ZyWALL/USG Monitor > Log, you will see [notice] and [info] log message such as below.
Page 555
www.zyxel.com What Could Go Wrong? If you are not be able to configure any UTM policies or it’s not working, there are two possible reasons: You have not subscribed for the UTM service. You have subscribed for the UTM service but the license is expired. You can click the link from the CONFIGURATION >...
Page 556
How To Control Access To Google Drive

This is an example of using a ZyWALL/USG UTM Profile in a Security Policy to block access to a specific file transfer service. You can use Application Patrol and Policy Control to make sure that a certain file transfer service cannot be accessed through either the HTTP or the HTTPS protocol.

Set Up the SSL Inspection on the ZyWALL/USG

In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > SSL Inspection > Add rule and configure a Name for you to identify the SSL Inspection profile. Then select the CA Certificate to be the certificate used in this profile. Select Block as the action and set the Log type to log alert.

Set Up the Security Policy on the ZyWALL/USG

In the ZyWALL/USG, go to CONFIGURATION > Security Policy > Policy Control and configure a Name for you to identify the Security Policy profile. For From and To, select the direction of travel of the packets to which the policy applies. Scroll down to UTM Profile, select Content Filter and select a profile from the list box (Facebook_Block in this example).

Export Certificate from ZyWALL/USG and Import it to Windows 7 Operating System

When SSL inspection is enabled and the client's browser does not trust the ZyWALL/USG certificate, the browser displays a security certificate warning page for every inspected website. Go to ZyWALL/USG CONFIGURATION > Object > Certificate > default > Edit to export the default certificate from the ZyWALL/USG with its Private Key (password zyx123 in this example). Anyone who obtains this private key can impersonate any HTTPS site to every client that trusts the certificate, so protect the exported file and use a strong password rather than the example one.

In the mmc console window, click File > Add/Remove Snap-in...

File > Add/Remove Snap-in...

In the Available snap-ins list, select Certificates and click the Add button. Select Computer account > Local Computer. Then click Finish and OK to close the Snap-ins window.

In the mmc console window, open Certificates (Local Computer) > Trusted Root Certification Authorities, right-click Certificates > All Tasks > Import… Click Next. Then click Browse..., locate the .crt file you downloaded earlier, and click Next.

Select Place all certificates in the following store, then click Browse and select Trusted Root Certification Authorities. Click Next, then click Finish.

Note: Each ZyWALL/USG device has its own self-signed certificate by factory default. When you reset to the default configuration file, the original self-signed certificate is erased and a new self-signed certificate is created the next time the ZyWALL/USG boots. Clients that imported the old certificate will see certificate warnings again until the new one is imported.

Test the Result

Type http://drive.google.com/ or https://drive.google.com/ into the browser; the error message appears. Go to the ZyWALL/USG Monitor > Log and you will see an [alert] log message such as below.

Monitor > Log

What Could Go Wrong?

If you are not able to configure any Application Patrol policies, or they are not working, there are two possible reasons: you have not subscribed to the Application Patrol service, or you have subscribed to the Application Patrol service but the license has expired.
How To Block HTTPS Websites Using Content Filtering and SSL Inspection

This is an example of using ZyWALL/USG Content Filtering, SSL Inspection and a Security Policy to block access to malicious or non-business-related websites.

ZyWALL/USG with Block HTTPS Websites Using Content Filtering and SSL Inspection Settings Example

Note: All network IP addresses and subnet masks are used as examples in this article.

Set Up the Content Filter on the ZyWALL/USG

In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > Content Filter > Profile Management > Add Filter File > Category Service. Configure a Name for you to identify the Content Filter Profile and select Enable Custom Service.

CONFIGURATION >...

CONFIGURATION > UTM Profile > Content Filter > Profile > Profile Management > Add Filter File > Category Service > Managed Categories

If you are not sure which category a web page belongs to, you can enter the web site URL in the Test Web Site Category text box.

CONFIGURATION >...

traffic bound to this policy here. Select the desired Log type: whether to have the ZyWALL/USG generate a log (log), a log and an alert (log alert), or neither (no) by default when traffic matches this policy.

CONFIGURATION > UTM Profile > SSL Inspection > Add rule

Set Up the Security Policy on the ZyWALL/USG

In the ZyWALL/USG, go to CONFIGURATION > Security Policy > Policy Control and configure a Name for you to identify the Security Policy profile. For From and To, select the direction of travel of the packets to which the policy applies. Scroll down to UTM Profile, select Content Filter and select a profile from the list box (Office_profile in this example).

Export Certificate from ZyWALL/USG and Import it to Windows 7 Operating System

When SSL inspection is enabled and the client's browser does not trust the ZyWALL/USG certificate, the browser displays a security certificate warning page for every inspected website. Go to ZyWALL/USG CONFIGURATION > Object > Certificate > default > Edit to export the default certificate from the ZyWALL/USG with its Private Key (password zyx123 in this example).

In the Windows 7 Start Menu > Search Box, type mmc and press Enter.

Start Menu > Search Box > mmc

In the mmc console window, click File > Add/Remove Snap-in...

File > Add/Remove Snap-in...

In the Available snap-ins list, select Certificates and click the Add button. Select Computer account >...

Available snap-ins > Certificates > Add

In the mmc console window, open Certificates (Local Computer) > Trusted Root Certification Authorities, right-click Certificates > All Tasks > Import… Click Next. Then click Browse..., locate the .crt file you downloaded earlier, and click Next.

Select Place all certificates in the following store, then click Browse and select Trusted Root Certification Authorities. Click Next, then click Finish.

Note: Each ZyWALL/USG device has its own self-signed certificate by factory default. When you reset to the default configuration file, the original self-signed certificate is erased and a new self-signed certificate is created the next time the ZyWALL/USG boots.

Test the Result

Type http://www.bittorrent.com/ or http://us.battle.net/d3/en/ into the browser. The error message appears. Go to the ZyWALL/USG Monitor > Log to see an [alert] log message such as below.

Monitor > Log

What Could Go Wrong?

If you are not able to configure any Content Filter policies, or they are not working, there are two possible reasons: you have not subscribed to the Content Filter service, or you have subscribed to the Content Filter service but the license has expired.
How To Block the Spotify Music Streaming Service

This is an example of using a ZyWALL/USG IDP Profile to block DNS query packets. When the Spotify software launches, it sends a DNS query for Spotify's public servers. In this example you create a custom IDP signature that blocks a DNS query packet if the packet includes the Spotify signature.

Set Up IDP Profile on the ZyWALL/USG

In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > IDP > Custom Signatures > Add Custom Signatures and configure a Name for you to identify the custom signature. Select medium as the Severity level. Select all Platforms. Set Policy Type to Access-Control, which is used to limit access to network resources such as servers.

CONFIGURATION > UTM Profile > IDP > Profile > Base Profile

Configure a Name for you to identify the IDP Profile. Activate the newly created custom signature in the profile and set Action to drop. Set Log type to log alert in order to view the result later.
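The custom signature above has to find the Spotify name inside the query name of a DNS packet. The added example below is not from the handbook or from Zyxel: it parses the question section of a DNS query, matches the name against a keyword list, and refuses to fire on DNS responses and malformed packets, which is the behaviour a signature of this kind needs. The query names (ap.spotify.com, www.example.com) are constructed test input and the keyword list is an assumption; the handbook does not show the signature's content.

```python
"""Added example (not Zyxel code): parse the question of a DNS query and
match the query name against a keyword list, as a signature that blocks
Spotify DNS lookups must. Names below are constructed test input."""
import struct

DNS_HEADER_LEN = 12


def build_query(qname, txid=0x1234, qr_response=False):
    """Build a minimal DNS A query for qname (or a response carrying the same
    question when qr_response is True) to use as sample input."""
    flags = 0x8180 if qr_response else 0x0100
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + name + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_question(payload):
    """Return (qname, qtype) for the first question, or None when the payload is
    not a well-formed query: too short, QR bit set (a response), no question,
    compression pointer in the name, or name/type cut off."""
    if len(payload) < DNS_HEADER_LEN:
        return None
    _txid, flags, qdcount = struct.unpack(">HHH", payload[:6])
    if flags & 0x8000 or qdcount == 0:
        return None
    labels, pos = [], DNS_HEADER_LEN
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                 # pointers do not occur in a query name
            return None
        if pos + length > len(payload):
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):            # QTYPE and QCLASS must follow the name
        return None
    qtype = struct.unpack(">H", payload[pos:pos + 2])[0]
    return ".".join(labels).lower(), qtype


def match_signature(payload, keywords=("spotify",)):
    """Return the first keyword contained in the query name, else None."""
    parsed = parse_question(payload)
    if parsed is None:
        return None
    qname, _qtype = parsed
    for keyword in keywords:
        if keyword.lower() in qname:
            return keyword
    return None
```

This check only sees queries that cross the firewall in cleartext on port 53: a client that resolves over DNS over HTTPS, or that already has the answer cached, never sends the query, so pair the IDP signature with an Application Patrol rule for the service itself.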
Go to the ZyWALL/USG Monitor > Log; you will see a [crit] log message such as below.

Monitor > Log

What Could Go Wrong?

If you are not able to configure any IDP policies, or they are not working, there are two possible reasons: you have not subscribed to the IDP service.
How does Anti-Malware work

Many viruses exist on the Internet, and one may be downloaded automatically in an unexpected situation while you browse between websites. Anti-Malware is a good choice for protecting your computers from downloading unsafe applications or files. After you enable the Anti-Malware function, it enables the “Cloud Threat Anti-Malware Signature Database”...

Enable the Anti-Malware function to protect your traffic

Go to CONFIGURATION > Security Service > Anti-Malware and tick the Enable checkbox to enable the Anti-Malware function.

Configuration > Security Service > Anti-Malware > Tick in enable checkbox

Note: An Anti-Malware license is required, so you must activate the Anti-Malware service on your myzyxel.com account.

Test the result

After you enable the Anti-Malware function and your PC downloads a virus file from the Internet, the device detects it and drops the file directly. The file then cannot be opened, or its content is replaced by “0”.

Additional configuration

White List: you can use wildcards to allow specific file types.

What can go wrong

The Anti-Malware service license is required. Anti-Malware is able to decompress files, but it does not support multi-layer (nested) zip files. In the default setting the cloud threat database is enabled. You can use the CLI command to activate or deactivate the cloud-based service; doing so changes the scanning priority.
How to Configure an Email Security Policy with Mail Scan and DNSBL

This is an example of using the ATP Series’ UTM Profile to mark or discard spam (unsolicited commercial or junk e-mail). Use the Email Security white list to identify legitimate e-mail. Use the Email Security black list to identify spam e-mail.

CONFIGURATION > Security Service > Email Security

1. Register the device to myZyxel.com.
2. Activate Application Security.
3. Go to CONFIGURATION > Security Service > Email Security and enable Check Black List to have the ATP Series treat e-mail that matches an active black list entry as spam.
4. Continue to Rule Summary on the Black/White List and click the Add icon. A pop-up screen appears allowing you to configure the Content (Subject, IP/IPv6 Address, E-Mail Address and Mail Header). Use wildcards (*) to configure the Mail Subject Keyword.
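As an added example that is not part of the handbook or of the ATP firmware, the following applies white-list and black-list rules with wildcard patterns to a message and tags the subject the way step 4 configures it. The rule patterns, the sample messages and the order of evaluation (white list checked before black list, so a listed partner is never tagged) are assumptions made for this example.

```python
"""Added example (not Zyxel code): white/black list matching with wildcards
over mail headers, tagging the subject with [Spam]. Rules and messages are
constructed for the example; white-list precedence is an assumption."""
import fnmatch
from email import message_from_string

# Each rule is (header to inspect, wildcard pattern). "subject" and "from"
# stand for the handbook's Subject and E-Mail Address content types.
WHITE_LIST = [("from", "*@partner.example")]
BLACK_LIST = [("subject", "*sell*"), ("from", "*@spam.example")]


def _matches(msg, rules):
    """True when any rule's pattern matches its header, case-insensitively.
    A pattern without wildcards only matches the whole header value."""
    for header, pattern in rules:
        value = msg.get(header, "")
        if fnmatch.fnmatchcase(value.lower(), pattern.lower()):
            return True
    return False


def classify(raw_message, white_list=WHITE_LIST, black_list=BLACK_LIST):
    """Return (verdict, subject): 'spam' with a tagged subject when a black-list
    rule matches and no white-list rule does, otherwise 'clean'."""
    msg = message_from_string(raw_message)
    subject = msg.get("subject", "")
    if _matches(msg, white_list):
        return "clean", subject
    if _matches(msg, black_list):
        return "spam", "[Spam] " + subject
    return "clean", subject


# Constructed sample messages (headers only matter for the lists).
SAMPLE_SPAM = "From: deals@promo.example\r\nSubject: We sell cheap watches\r\n\r\nbody\r\n"
SAMPLE_PARTNER = "From: alice@partner.example\r\nSubject: sell order confirmed\r\n\r\nbody\r\n"
```

The keyword "sell" without wildcards would match only a subject that is exactly "sell"; "*sell*" is what catches the subject in the test below, and it also catches "resell" and "seller", so keep subject keywords specific.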
Test the result

1. Send a mail with the subject “sell”.
2. You receive the mail with a [Spam] tag in the subject.

What can go wrong

1. If Email Security is not working, there are two possible reasons: you have not subscribed to the Email Security service, or you have subscribed to the Email Security service but the license (Application Security) has expired.
2.
How to Configure Botnet Filter on ATP series?

Botnets are organized groups of infected computers. The infected PCs try to connect to a command-and-control server and ask for commands. When the attacker sends a command to the command-and-control server, it relays the command to the clients (infected computers), which perform attacks on particular targets.

Prerequisites before setting up the Botnet Filter function

1. License status check
2. Update the Botnet Filter signature

License activation

Before setting up the Botnet Filter function, make sure the licenses are purchased and activated. To check the license activation status, go to Configuration >...

The device then redirects you to the “Service Status” page. Click the cloud icon and the device starts the signature download. Once the signature update is done, the GUI pops up the following message to notify you. The Botnet Filter function is now ready to go.

Set Up the IP Blocking on the ATP series

Go to Configuration > Security Service > Botnet Filter. Select the Enable IP Blocking check box. Several actions can be selected: “reject-both”, or, if you prefer, “forward”, “reject-sender” or “reject-receiver”...

Set up the URL Blocking on the ATP series

Go to Configuration > Security Service > Botnet Filter. Select the Enable URL Blocking check box and check the categories that need to be blocked; you only need to check the categories you require. Choose the Action the device will take (in this example we select “block”...
How to Use Sandboxing to Detect Unknown Malware

Traditional security services such as Anti-Virus and IDP are signature-based, so they have no chance of detecting unknown threats. ZyWALL ATP enhances the UTM services by integrating a Sandbox solution as a second layer of defense to detect and mitigate advanced threats.

Set Up Sandboxing on ATP

1. Register the device to myZyxel.com.
2. Activate the Sandboxing license.
3. In the ATP, go to CONFIGURATION > Security Service > Sandboxing > File Submission Options; the default supported file types are listed. Use the command to check the status of each file type. If the status is “no”, the file type is not scanned by Sandboxing.

Use the following commands to have Sandboxing accept and check a certain file type:

Router> configure terminal
Router(config)# sandbox file-type eicar
Router(config)# write

4. Go to CONFIGURATION > Security Service > Sandboxing > General, enable Sandboxing and select the action and log for malicious and suspicious files so you can monitor the result.
5. Enable Collect Statistics to monitor the scan results and statistics.

MONITOR > Security Statistics > Sandboxing

Test the Result

Go to http://www.eicar.org/85-0-Download.html to download the eicar_com.zip file.

When you download eicar_com.zip for the first time, it is treated as unknown malware. The file is allowed to pass and a copy of eicar_com.zip is sent to the Sandbox for further scanning.

MONITOR > Log > View Log > Sandboxing

The Sandbox detects the eicar_com.zip file as a malicious file.

Note: Disable the anti-virus software on your laptop in order to test the Sandbox.

Download the eicar_com.zip file again. The ZyWALL ATP destroys eicar_com.zip the second time you download it and generates a log.

MONITOR > Log > View Log > Sandboxing
MONITOR >...

What Can Go Wrong?

SSL inspection needs to be enabled and applied to the corresponding security policy rule for HTTPS traffic. Only Windows (Win XP, Win 7, Win 10) and Mac OS X operating systems are supported. The local cache of the analysis result is deleted when the device reboots.
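The test above shows the first copy of an unknown file reaching the client while a copy is analysed, and later copies being destroyed on the strength of the cached verdict. The added example below is not Zyxel code; it models that flow so the exposure window can be reasoned about. The EICAR archive is built locally instead of being downloaded, the sandbox is a stand-in that only recognises the EICAR test string, and reboot() clears the verdict cache as the What Can Go Wrong list notes.

```python
"""Added example (not Zyxel code): model of the sandbox first-seen flow.
Unknown file: forwarded, copy submitted. Known-malicious file: destroyed.
Reboot: cache emptied. The analyzer is a stand-in for the real sandbox."""
import hashlib
import io
import zipfile

# The public EICAR anti-virus test string; harmless, detected by design.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def make_eicar_zip():
    """Build eicar_com.zip in memory (same content as the eicar.org download)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("eicar.com", EICAR)
    return buf.getvalue()


def toy_analyzer(data):
    """Stand-in verdict: 'malicious' when any zip member (or the raw bytes)
    contains the EICAR string, else 'clean'."""
    blobs = [data]
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            blobs = [zf.read(name) for name in zf.namelist()]
    return "malicious" if any(EICAR in blob for blob in blobs) else "clean"


class SandboxGateway:
    def __init__(self, analyzer=toy_analyzer):
        self.analyzer = analyzer
        self.verdicts = {}      # sha256 hex digest -> 'malicious' | 'clean'
        self.submitted = []     # digests whose copy went to the sandbox

    def handle_download(self, data):
        """Return 'forwarded' or 'destroyed' for one download of data."""
        digest = hashlib.sha256(data).hexdigest()
        verdict = self.verdicts.get(digest)
        if verdict is None:
            # Unknown file: let it through and submit a copy. In reality the
            # verdict arrives later, which is why the first copy reaches the client.
            self.submitted.append(digest)
            self.verdicts[digest] = self.analyzer(data)
            return "forwarded"
        return "destroyed" if verdict == "malicious" else "forwarded"

    def reboot(self):
        """The local cache of analysis results is deleted on reboot."""
        self.verdicts.clear()


def demo():
    """Replay the handbook's test: first download, second download, reboot, third."""
    gw = SandboxGateway()
    sample = make_eicar_zip()
    first = gw.handle_download(sample)
    second = gw.handle_download(sample)
    gw.reboot()
    third = gw.handle_download(sample)
    return first, second, third
```

The first download is the window an endpoint anti-virus has to cover, which is why the handbook has you disable it only for the test. Because the cache is keyed on the file's hash, a copy that differs by a single byte is unknown again and gets the same first-time pass, and after a reboot every file is unknown until it has been analysed once more.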
How to Configure Bandwidth Management for FTP and HTTP Traffic

This is an example of using ZyWALL/USG Bandwidth Management (BWM) to control the bandwidth allocation for FTP and HTTP traffic. You can use source interface, destination interface, destination port, schedule, user, source, destination information, DSCP code and service type as criteria to create a sequence of specific conditions that allocate bandwidth to the matching packets.

Set Up the Bandwidth Management for FTP on the ZyWALL/USG

In the ZyWALL/USG, go to CONFIGURATION > BWM > Configuration > Add Policy, select Enable and type FTP Any-to-WAN as the policy’s Description. Leave the Incoming Interface as any and select wan1 as the Outgoing Interface.

CONFIGURATION > BWM > Configuration > Add Policy

Note: In Bandwidth Management, the highest priority is 1 and the lowest priority is 7.

Set Up the Bandwidth Management for HTTP on the ZyWALL/USG

In the ZyWALL/USG, go to CONFIGURATION > BWM > Configuration > Add Policy, select Enable and type HTTP Any-to-WAN as the policy’s Description (optional). Leave the Incoming Interface as any and select wan1 as the Outgoing Interface. Set Service Type to Service Object and select HTTP from the list box.

Set Up the Bandwidth Management Global Setting on the ZyWALL/USG

In the ZyWALL/USG, go to CONFIGURATION > BWM > BWM Global Setting and select Enable.

CONFIGURATION > BWM > BWM Global Setting

Test the Result

Access the Internet to generate FTP traffic and HTTP traffic. In this example, a 123 MB file is being downloaded from an FTP server.

Go to the ZyWALL/USG Monitor > Log; you will see an [alert] log message such as below.

Monitor > Log

What Could Go Wrong?

“Outbound” in the guaranteed bandwidth settings applies to traffic going from the connection initiator to the outgoing interface; “Inbound” refers to the reverse direction.
How to Limit BitTorrent or Other Peer-to-Peer Traffic

This is an example of using ZyWALL/USG Bandwidth Management (BWM) to control the bandwidth allocation for peer-to-peer traffic. You can use source interface, destination interface, destination port, schedule, user, source, destination information, DSCP code and service type as criteria to create a sequence of specific conditions that allocate bandwidth to the matching packets.

Set Up the Application Patrol Profile on the ZyWALL/USG

In the ZyWALL/USG, go to CONFIGURATION > Object > Application > Add Application Rule. Configure a Name for you to identify the Application Profile. Then click Add to create an Application Object.

CONFIGURATION >...

Set Up the Bandwidth Management for BitTorrent on the ZyWALL/USG

In the ZyWALL/USG, go to CONFIGURATION > BWM > Configuration > Add Policy, select Enable and type BitTorrent Any-to-Any as the policy’s Description. Leave the Incoming Interface as any and select wan1 as the Outgoing Interface.

CONFIGURATION > BWM > Configuration > Add Policy

Note: In Bandwidth Management, the highest priority is 1 and the lowest priority is 7.

Set Up the Bandwidth Management Global Setting on the ZyWALL/USG

In the ZyWALL/USG, go to CONFIGURATION > BWM > BWM Global Setting and select Enable.

CONFIGURATION > BWM > BWM Global Setting

Test the Result

Download the BitTorrent application to test the result: http://www.bittorrent.com/downloads. In this example an 826 MB file is downloading and the Down Speed is limited to a maximum of 65 kB/s.

What Could Go Wrong?

“Outbound” in the guaranteed bandwidth settings applies to traffic going from the connection initiator to the outgoing interface; “Inbound” refers to the reverse direction. Make sure you have registered the Application Patrol service on the ZyWALL/USG in order to use an Application Object as the Service Type in the bandwidth management rules.
How to Configure a Trunk for WAN Load Balancing with a Static or Dynamic IP Address

This is an example of using a ZyWALL/USG Trunk for two WAN connections to the Internet. The available bandwidth for the connections is 1000 kbps (wan1, with a static IP address) and 512 kbps (wan2, with a dynamic IP address) respectively.

Set Up the Available Bandwidth on the WAN1 Interface on the ZyWALL/USG

In the ZyWALL/USG, go to CONFIGURATION > Interface > Ethernet > WAN1 > Egress Bandwidth and enter the available bandwidth (1000 kbps) in the Egress Bandwidth field. Click OK.

CONFIGURATION >...

Set Up the Available Bandwidth on the WAN2 Interface on the ZyWALL/USG

In the ZyWALL/USG, go to CONFIGURATION > Interface > Ethernet > WAN2 > Egress Bandwidth and enter the available bandwidth (512 kbps) in the Egress Bandwidth field. Click OK.

CONFIGURATION >...

CONFIGURATION > Interface > Trunk > User Configuration > Add Trunk

In the Configuration screen, go to the Default WAN Trunk section, select User Configured Trunk and select the newly created Trunk from the list box. Click Apply.

CONFIGURATION > Interface > Trunk > Default WAN Trunk

Test the Result

Browse any website to test the result.

What Could Go Wrong?

If no traffic passes through either the WAN1 or the WAN2 interface, check that the Mode of both WAN1 and WAN2 is Active. If a trunk member is in Passive mode, the ZyWALL/USG uses that connection only when all of the connections set to Active mode are down.
How to Configure DNS Inbound Load Balancing to Balance DNS Queries Among Interfaces

This is an example of having the ZyWALL/USG dynamically respond to DNS query messages with the IP address of its least loaded interface. The DNS query senders then transmit packets to that interface instead of to an interface that has a heavy load.

Set Up the DNS Inbound Load Balancing on the ZyWALL/USG

In the ZyWALL/USG, go to CONFIGURATION > Network > DNS Inbound LB. Edit the Query Domain Name and set the Load Balancing Algorithm field to Least Load - Total. Click Add to create a new Load Balancing Member.

CONFIGURATION >...

CONFIGURATION > Network > DNS Inbound LB

Go to the Global Setting page and select Enable DNS Load Balancing.

CONFIGURATION > Network > DNS Inbound LB

Set Up the NAT Rule on the ZyWALL/USG

In the ZyWALL/USG, go to CONFIGURATION > Network > NAT. Configure the Virtual Server to forward the traffic from the WAN to the Internal Server (192.168.1.33). Click OK.

CONFIGURATION > Network > NAT

Test the Result

Open the browser and query http://zyxel.for-our.info/.

Create a Security Policy in order to view the test result: set Destination to the Internal Server IP address (192.168.1.33 in this example) and set Log type to Log Alert. Go to the ZyWALL/USG Monitor > Log; you will see an [alert] log message such as below.
How to Manage Voice Traffic

This is an example of using the Application Layer Gateway (ALG) to allow SIP (Session Initiation Protocol) voice traffic through the ZyWALL/USG. To achieve high-quality voice transmission, use the ZyWALL/USG Bandwidth Management (BWM) function to manage bandwidth effectively according to flexible criteria.

Set Up the SIP ALG on the ZyWALL/USG

In the ZyWALL/USG, go to CONFIGURATION > Network > SIP > SIP Settings and select Enable SIP ALG, Enable SIP Transformations (optional), Restrict Peer to Peer Signaling Connection and Restrict Peer to Peer Media Connection. Make sure the SIP Signaling Port is configured to match the SIP signaling port of your VoIP phones.

Enable BWM and Enable Highest Bandwidth Priority for SIP Traffic.

CONFIGURATION > BWM > BWM Global Settings > Enable BWM

Set Up the Bandwidth Management for P2P on the ZyWALL/USG

In the ZyWALL/USG, go to CONFIGURATION > BWM > Configuration > Add Policy, select Enable and type P2P Any-to-WAN as the policy’s Description.

CONFIGURATION > BWM > Configuration > Add Policy

Note: In Bandwidth Management, the highest priority is 1 and the lowest priority is 7.

Set Up the Bandwidth Management for FTP on the ZyWALL/USG

In the ZyWALL/USG, go to CONFIGURATION > BWM > Configuration > Add Policy, select Enable and type FTP Any-to-Any as the policy’s Description. Leave the Incoming Interface as any and select WAN1 as the Outgoing Interface. Set Service Type to Service Object and select FTP from the list box. Set the Guaranteed Bandwidth Inbound to 150 kbps with Priority 5, and set the Maximum to 200 kbps.
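The BWM policies in this and the two preceding examples (FTP Any-to-WAN, HTTP Any-to-WAN, BitTorrent/P2P, and the SIP priority setting) are each defined by three numbers: guaranteed bandwidth, maximum bandwidth and a priority from 1 to 7. The added example below is a simplified model of what those numbers mean, written for this page and not the ZyWALL/USG scheduler: guarantees are reserved first, leftover bandwidth goes to the highest priority first, and no policy exceeds its maximum. The FTP values are the handbook's (guaranteed 150 kbps, maximum 200 kbps, priority 5); the 1000 kbps link, the other policies' numbers and the demand figures are constructed.

```python
"""Added example (not Zyxel code): a simplified model of guaranteed bandwidth,
maximum bandwidth and priority in BWM policies. Illustrates the semantics
only; it is not the ZyWALL/USG scheduler. Scenario values are constructed."""
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    guaranteed: int   # kbps reserved for this policy
    maximum: int      # kbps cap, 0 means no cap
    priority: int     # 1 = highest, 7 = lowest
    demand: int       # kbps the matching traffic would use if unrestricted


def oversubscribed(link_kbps, policies):
    """True when the guarantees add up to more than the link can carry,
    in which case later policies cannot all receive their guarantee."""
    return sum(p.guaranteed for p in policies) > link_kbps


def allocate(link_kbps, policies):
    """Two passes: satisfy guarantees in policy order, then hand the leftover to
    policies in priority order, each capped by its maximum and its demand."""
    share = {}
    remaining = link_kbps
    for p in policies:
        got = min(p.guaranteed, p.demand, remaining)
        share[p.name] = got
        remaining -= got
    for p in sorted(policies, key=lambda pol: pol.priority):
        cap = p.demand if p.maximum == 0 else min(p.maximum, p.demand)
        extra = max(0, min(cap - share[p.name], remaining))
        share[p.name] += extra
        remaining -= extra
    return share


# Constructed scenario on a 1000 kbps WAN. FTP uses the handbook's values;
# the SIP, HTTP and P2P numbers and all demand figures are assumptions.
POLICIES = [
    Policy("SIP",  guaranteed=300, maximum=0,   priority=1, demand=250),
    Policy("HTTP", guaranteed=200, maximum=0,   priority=3, demand=800),
    Policy("FTP",  guaranteed=150, maximum=200, priority=5, demand=800),
    Policy("P2P",  guaranteed=0,   maximum=100, priority=7, demand=800),
]
```

In the constructed scenario HTTP at priority 3 takes all the leftover bandwidth, so FTP stays at its 150 kbps guarantee instead of reaching its 200 kbps maximum, and P2P at priority 7 gets nothing while the link is busy; it only receives bandwidth, up to its 100 kbps cap, when the higher priorities leave some over. oversubscribed() is the check worth running before applying a set of policies, because guarantees that add up to more than the link cannot all be honoured.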
Test the Result

Add a Security Policy rule to view the SIP log:

CONFIGURATION > BWM > Configuration > Add Policy

Dial phone number 1001 (192.168.10.2 in this example) from phone number 1002 (192.168.100.2 in this example), then go to the ZyWALL/USG Monitor > Log; you will see an [alert] log message such as below.

What Could Go Wrong?

If you see an [alert] log message such as below, the voice traffic is being blocked by the priority 1 Security Policy. The ZyWALL/USG checks the security policies in order and applies the first policy the traffic matches. If the voice traffic matches a policy that comes earlier in the list, it may be unexpectedly blocked; move the rule that allows the SIP traffic above the rule that blocks it.
How to Manage ZyWALL/USG Configuration Files

This is an example of how to rename, download, copy, apply and upload configuration files. Once your ZyWALL/USG is configured and functioning properly, it is highly recommended that you back up your configuration file before making further configuration changes.

Note: This example uses a USG310 (Firmware Version: ZLD 4.25).

Rename the Configuration Files on the ZyWALL/USG

In the ZyWALL/USG, go to MAINTENANCE > File Manager > Configuration File, select the configuration file and click Rename. A pop-up screen appears allowing you to edit the Target file name.

MAINTENANCE > File Manager > Configuration File

Copy the Configuration Files on the ZyWALL/USG

In the ZyWALL/USG, go to MAINTENANCE > File Manager > Configuration File, select the configuration file and click Copy. A pop-up screen appears allowing you to edit the Target file name.

Apply the Configuration Files on the ZyWALL/USG

In the ZyWALL/USG, go to MAINTENANCE > File Manager > Configuration File and select the configuration file the ZyWALL/USG should use. For example, select the system-default.conf file and click Apply to reset all of the ZyWALL/USG settings to the factory defaults.

Note: Do not shut down the ZyWALL/USG while the configuration file is being applied.

Upload the Configuration Files to the ZyWALL/USG

In the ZyWALL/USG, go to MAINTENANCE > File Manager > Configuration File > Upload Configuration File and select Browse to upload a new or previously saved configuration file from your computer to your ZyWALL/USG.

configuration file. In this example, the [alert] log message shows that the configuration file has an incomplete static DHCP address, so the device can't apply it.

MAINTENANCE > File Manager > Configuration File > Apply Configuration File

Monitor > Log

How to Manage ZyWALL/USG Firmware

This is an example of using the ZyWALL/USG to check your current firmware version and upload firmware to the ZyWALL/USG.

Note: The firmware update can take up to five minutes. Do not turn off or reset the ZyWALL/USG while the firmware update is in progress. This example uses a USG110 (Firmware Version: ZLD 4.25).

Download the Current Firmware Version from ZyXEL.com

Go to www.zyxel.com/support/download_landing.shtml and download the...

Extract the firmware zip file.

Upload the Firmware on the ZyWALL/USG

In the ZyWALL/USG, go to MAINTENANCE > File Manager > Firmware Package > Upload File. Click the To upload image file in system space pull-down menu and select (1) or (2). The default Standby system space is (2), so if you want the new firmware to become the Running firmware, select the Running system space (1); the ZyWALL/USG then reboots automatically. If you upload firmware to the Standby system space (2), you have the option to select Reboot now or Don’t Reboot.

MAINTENANCE > File Manager > Firmware Package > Upload File > (1)
MAINTENANCE >...

Note: The default Running system space is (1) and the Standby system space is (2). If you select the Standby firmware and click Reboot now, or you upload a file to the Standby system space (2) and set Boot Options to Reboot now, the Running system space will be (2) after the reboot completes.

What Could Go Wrong?

If you cannot download the firmware, check whether the Destroy compressed files that could not be decompressed option in Anti-Virus is enabled. The ZyWALL/USG firmware package is a ZIP file; if the ZyWALL/USG classifies the firmware package as one that cannot be decompressed, it deletes it. Disable this option while downloading the firmware package.
How to Get Started Using the Wizards

When you log into the Web Configurator for the first time, or when you reset the ZyWALL/USG to its default configuration, the Installation Setup Wizard screen displays. This is an example of using the ZyWALL/USG Wizards to configure Internet connection settings, wireless settings and device registration services.

Click the double arrow in the upper right corner to display (≪) or hide (≫) the help.

Installation Setup Wizard > Welcome

In the Internet Access page, you can configure Internet connections from two Internet service providers (ISPs). Connect your ISP devices to the ZyWALL/USG WAN port, then select I have two ISPs if you want to configure two Internet connections or leave it cleared to configure just one. Choose Ethernet as the Encapsulation option and leave Zone at its default setting; the Internet connection belongs to the WAN zone.

your ISP or network administrator. First/Second DNS Servers are optional. Click Next.

Installation Setup Wizard > Welcome > Internet Access

The Internet Access Succeed page displays the summary of the Internet access First Setting. If you selected I have two ISPs in Internet Access > ISP Setting, click Next to configure the second WAN interface; otherwise continue to the Wireless Settings page.

Set Up the Internet Access (PPPoE) Wizard on the ZyWALL/USG

In the ZyWALL/USG Installation Setup Wizard Welcome page, click Next to start configuring Internet access. Click the double arrow in the upper right corner to display (≪) or hide (≫) the help.

Installation Setup Wizard >...

Assignment section to Auto and click Next.

Installation Setup Wizard > Welcome > Internet Access

Select the Authentication Type to be the authentication method used by the remote node. Enter the User Name and Password exactly as given by your ISP or network administrator.

The Internet Access Succeed page displays the summary of the Internet access First Setting. If you selected I have two ISPs in Internet Access > ISP Setting, click Next to configure the second WAN interface.

Installation Setup Wizard > Welcome > Internet Access > Internet Access Succeed

Set Up the Internet Access (PPTP) Wizard on the ZyWALL/USG

In the ZyWALL/USG Installation Setup Wizard Welcome page, click Next to start configuring Internet access. Click the double arrow in the upper right corner to display (≪) or hide (≫) the help.

Installation Setup Wizard >...

In the Internet Access page, you can configure Internet connections from two Internet service providers (ISPs). Connect your ISP devices to the ZyWALL/USG WAN port, then select I have two ISPs if you want to configure two Internet connections or leave it cleared to configure just one. Choose PPTP as the Encapsulation option and leave Zone at its default setting; the Internet connection belongs to the WAN zone.

Select the Authentication Type to be the authentication method used by the remote node. Enter the User Name and Password exactly as given by your ISP or network administrator. Select Nailed-Up if you want to keep the connection always up, or type the desired Idle Timeout value in seconds. Click Next. Enter the Base IP Address, IP Subnet Mask and Gateway IP Address assigned to you by your ISP.

The Internet Access Succeed page displays the summary of the Internet access First Setting. If you selected I have two ISPs in Internet Access > ISP Setting, click Next to configure the second WAN interface.

Installation Setup Wizard > Welcome > Internet Access > Internet Access Succeed

Set Up the Wireless Settings Wizard on the ZyWALL/USG

In the Wireless Settings page, select Yes if you want the ZyWALL/USG to enable the AP Controller feature in your network, or select No if you want to skip this setting. Click Next.

Configure a descriptive SSID name (1-32 characters) for the wireless LAN. Select Pre-Shared Key (8-63 characters) to add security to this wireless network. Otherwise, select None to allow any wireless client to associate with this network without authentication; an open network also carries all wireless traffic unencrypted, so use a pre-shared key for anything other than a deliberately public network. Select Hidden SSID to hide the SSID from site survey tools. Select Enable Intra-BSS Traffic blocking if you want to prevent crossover traffic between clients within the same wireless network.

in the AP wireless network.

Installation Setup Wizard > Welcome > Internet Access > Internet Access Succeed > Wireless Settings

Set Up the Device Registration on the ZyWALL/USG

The ZyWALL/USG must be connected to the Internet in order to register. Click portal.myzyxel.com to register the device; you need the ZyWALL/USG’s serial number and LAN MAC address to register it.

Services at myZyXEL.com for more details. Use the Configuration > Licensing > Registration > Service screen to update your service subscription status. Click Finish.

Installation Setup Wizard > Welcome > Internet Access > Internet Access Succeed > Wireless Settings > Device Registration
How to Configure the 3G/LTE Interface on the ZyWALL/USG as a WAN Backup
This example uses the ZyWALL/USG to configure a 3G/LTE interface as a WAN backup, so that the ZyWALL/USG keeps providing Internet connectivity when the primary WAN interface is down. After configuration, the cellular interface provides additional mobile broadband WAN connectivity or a redundant link for maximum reliability.

Set Up the 3G/LTE Interface on the ZyWALL/USG
Connect a compatible mobile broadband USB device to use a cellular connection. In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Cellular; the connected device is displayed automatically in the Cellular Interface Summary. Click Activate and then the Apply button at the bottom of the page.

Set Up the Trunk on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Trunk > User Configuration > Add Trunk. Configure a Name to identify the Trunk profile and set the Load Balancing Algorithm to Weighted Round Robin. Add wan1 and enter 3 in the Weight column.

Test the Result
Check the Interface Statistics while the wan1 and wan2 connections are up. Both wan1 and wan2 show Status up; Tx B/s displays the transmission rate and Rx B/s the reception rate. cellular1 shows Status connected, but no traffic goes through this interface.

After disconnecting both wan1 and wan2, both show Status Down and no traffic goes through these two interfaces. The backup cellular1 shows Status connected and all traffic goes through this interface. MONITOR >...
How to Configure Two Different WAN Interfaces with Different IP Addresses in the Same VLAN
This example uses the ZyWALL/USG to configure two different WAN interfaces with different IP addresses in the same VLAN. After configuration, the two WAN interfaces share the same VLAN ID.

Set Up the Port Grouping on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Port Grouping and select the ports you want to assign to a representative interface (in this example, Port 4 and Port 5 are configured as ge5). CONFIGURATION >...

In the Configuration page, select the vlan1 entry and click Create Virtual Interface on the upper bar. Configure the fixed IP address (192.168.15.33/24 in this example). Click OK.
CONFIGURATION > Network > Interface > VLAN > vlan1
CONFIGURATION > Network > Interface > VLAN > vlan1:1

Set Up the Routing on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION > Network > Routing, set Next-Hop Type to Interface and set Interface to vlan1.
CONFIGURATION > Network > Routing

Test the Result
Check the Interface Statistics: vlan1 shows Status up, Tx B/s displays the transmission rate and Rx B/s the reception rate.

What Could Go Wrong?
If you cannot configure a particular VLAN interface on top of an Ethernet interface, check whether a VLAN with that ID has already been created on top of another Ethernet interface.

How to Let a Server Use the Same Public IP Address as the WAN Interface Using the Bridge Interface
This example uses the ZyWALL/USG to configure an internal server in bridge mode without applying network address translation (NAT).
reach this server directly by its public IP address.
ZyWALL/USG with Bridge Interface Example
Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using a USG310 (Firmware Version: ZLD 4.25).

Bridge, select Interface Type to be general and select Zone to be LAN. In the Member Configuration, select the internal server (the IntServer1 interface in this example) and the public IP address (the PublicWAN interface in this example) to be in the same member group. Because the server is then reachable from the Internet on its public address with no NAT in between, make sure the security policy for the bridge's zone only permits the services the server is meant to expose.

Test the Result
Check the Interface Statistics: br1 shows Status up, Tx B/s displays the transmission rate and Rx B/s the reception rate. IntServer1 and PublicWAN are members of the same bridge but use different IP addresses. MONITOR >...

What Could Go Wrong?
If you cannot configure a particular bridge IP address, check whether this IP address is already assigned to another Ethernet interface.

How to Allow Public Access to a Server Behind the ZyWALL/USG
This example uses the ZyWALL/USG to configure secure access to an internal server behind the ZyWALL/USG with network address translation (NAT).
Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using a USG310 (Firmware Version: ZLD 4.25).

Set Up the NAT on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION >...

Set Up the Security Policy on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION > Security Policy > Policy Control, click Add to add the corresponding rule and select Enable. Configure a Name to identify the security policy (http_server_access in this example). Set From: WAN and To: LAN1. Set Destination to the LAN subnet where your server is (LAN_SUBNET_GE3 in this example). A tighter rule limits Destination to the server's own address object and Service to HTTP, so that the rule does not expose the rest of the subnet.

Test the Result
Type http://172.251.31.90/ into the browser; it displays the HTTP service page.

What Could Go Wrong?
If you cannot access your server via the public IP address, make sure all your public IP addresses are routed properly. To do so, assign them one by one to the ZyWALL's WAN port
routing for the public IPs. If you see a [notice] log message like the one below, the HTTPS traffic is blocked by the priority 1 Security Policy. The ZyWALL/USG checks the security policies in order and applies the first policy the traffic matches. If the HTTPS traffic matches a policy that comes earlier in the list, it may be unexpectedly blocked.
How to Set Up a WiFi Network with ZyXEL APs
This example uses the ZyWALL/USG to manage Access Points (APs) and allow wireless access to the network.
ZyWALL/USG as AP Controller Example
Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks.

Set Up the AP Management on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION > Wireless > Controller > Configuration and set Registration Type to Manual. This is recommended because the registration mechanism cannot automatically differentiate between friendly and rogue APs. CONFIGURATION >...

Go to CONFIGURATION > Object > AP Profile > SSID > Security List and set Security Mode to wpa2. Then set a Pre-Shared Key (8-63 characters) and set Cipher Type to auto so that the ZyWALL/USG automatically chooses the best available cipher based on the cipher currently in use by the wireless network. If all of your clients support AES (CCMP), select AES explicitly instead of auto so that TKIP can never be negotiated.

Test the Result
Go to MONITOR > Wireless > AP Information > AP List to check the list of APs currently connected to the ZyWALL/USG and their details, such as Registration type, Model and Recent On-line Time / Last Off-line Time.

the mobile device and the mobile device can access the Internet. MONITOR > Log

What Could Go Wrong?
If you cannot see AP information in the AP List, check whether the number of APs connected to the ZyWALL/USG exceeds the maximum number of managed APs it supports.
How to Set Up Guest WiFi Network Accounts
This example uses the ZyWALL/USG to configure guest WiFi accounts that allow limited wireless access to the Internet using only the HTTP, HTTPS and DNS protocols. For the wireless network setup, see the tutorial How to Set Up WiFi with ZyXEL AP.

Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using a USG310 (Firmware Version: ZLD 4.25).

Set Up the WiFi Guest Account, Address Range and Service Rule on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION >...

Set the Authentication Timeout Settings to Use Manual Settings and enter the number of minutes the user has to renew the current session before being logged out.
CONFIGURATION > Object > User/Group > User > Add A User
In the ZyWALL/USG, go to CONFIGURATION >...

Add Service Group Rule to create the set of protocols allowed for guest Wi-Fi users. Configure a Name to identify the Service Group. Put HTTP, HTTPS and DNS in the same member group and click OK.
CONFIGURATION > Object > Service > Service Group > Add Service Group Rule

Set Up the Web Authentication on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION >...

In the ZyWALL/USG, go to CONFIGURATION > Web Authentication > General Settings and select Enable Web Authentication.
CONFIGURATION > Web Authentication > General Settings

Set Up the Security Policy on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION > Security Policy > Policy and click Add to add the corresponding rule.

Test the Result
Use a mobile device to connect to the AP that is connected to the ZyWALL/USG. When you try to access the Internet, you are redirected to the user login screen.

Type the Wi-Fi guest User Name and Password and click Login.

The access session page appears. Go to MONITOR > System Status > Login Users; the current login user list is shown as below.
Monitor > System Status > Login Users
Attempt to access an FTP server (a prohibited service in this example); you get an error message.

Go to MONITOR > Log; a [notice] log message is shown as below. Access to the FTP service on port 21 is blocked in this example.
Monitor > Log

What Could Go Wrong?
If you see a [notice] log like the one below, the Wi-Fi guest traffic is blocked by the priority 1 Security Policy.

Note: By default, Security Policy rules do not log matched traffic (except PolicyDefault). To find out which policy may be blocking the traffic, select that policy and set Log matched traffic to log or log alert.
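The following is an added example, not code from the Zyxel handbook: a small model of first-match security-policy evaluation that reproduces the failure mode described for both the public HTTP/HTTPS server behind NAT and the HTTP/HTTPS/DNS-only guest Wi-Fi rule above. A deny rule placed above the allow rule silently wins, and traffic no rule matches falls through to the default deny. Rule names, zones and addresses are constructed for the demo; the implicit PolicyDefault is modelled as priority 0, and nothing here is the device's real log or rule format.

```python
"""Added example: first-match policy evaluation as the ZyWALL/USG applies it.
Not Zyxel code; rules, zones and addresses below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

Service = Tuple[str, int]          # (protocol, destination port)
HTTP, HTTPS, DNS, FTP = ("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 21)


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    dst_ip: str
    proto: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str                # "any" matches every zone
    to_zone: str
    destination: str              # CIDR, or "any"
    services: FrozenSet[Service]  # empty set means any service
    action: str                   # "allow" or "deny"


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.from_zone not in ("any", pkt.src_zone):
        return False
    if rule.to_zone not in ("any", pkt.dst_zone):
        return False
    if rule.destination != "any" and ip_address(pkt.dst_ip) not in ip_network(rule.destination):
        return False
    if rule.services and (pkt.proto, pkt.dst_port) not in rule.services:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> Tuple[str, int, str]:
    """Walk the policy list top-down and stop at the first match. Returns
    (action, priority, rule name); priority 0 is the implicit PolicyDefault
    that catches everything no explicit rule matched."""
    for priority, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            return rule.action, priority, rule.name
    return default, 0, "PolicyDefault"


def blocking_rule(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Name of the rule that denies this packet, or None if it is allowed.
    This is the rule to enable 'Log matched traffic' on when a [notice] log
    says priority 1 blocked traffic you expected a later rule to allow."""
    action, _priority, name = evaluate(rules, pkt)
    return name if action == "deny" else None


# Public server behind NAT: a broad WAN->LAN1 deny placed first shadows the
# http_server_access allow rule beneath it. Constructed demo data.
SERVER_RULES_WRONG_ORDER = [
    Rule("block_wan_to_lan", "WAN", "LAN1", "any", frozenset(), "deny"),
    Rule("http_server_access", "WAN", "LAN1", "192.168.3.0/24", frozenset({HTTP, HTTPS}), "allow"),
]
SERVER_RULES_FIXED = list(reversed(SERVER_RULES_WRONG_ORDER))
HTTPS_TO_SERVER = Packet("WAN", "LAN1", "192.168.3.10", "tcp", 443)

# Guest Wi-Fi: one allow rule for HTTP/HTTPS/DNS only; everything else,
# including FTP on port 21, falls through to the default deny.
GUEST_RULES = [
    Rule("Guest_Internet", "Guest_WiFi", "WAN", "any", frozenset({HTTP, HTTPS, DNS}), "allow"),
]
GUEST_WEB = Packet("Guest_WiFi", "WAN", "203.0.113.5", "tcp", 443)
GUEST_FTP = Packet("Guest_WiFi", "WAN", "203.0.113.5", "tcp", 21)


if __name__ == "__main__":
    for label, rules in (("wrong order", SERVER_RULES_WRONG_ORDER), ("fixed", SERVER_RULES_FIXED)):
        print(label, evaluate(rules, HTTPS_TO_SERVER))
    print("guest https", evaluate(GUEST_RULES, GUEST_WEB))
    print("guest ftp", evaluate(GUEST_RULES, GUEST_FTP))
```

Running the script shows the same HTTPS packet denied by rule 1 in the wrong order and allowed by rule 1 once the rules are swapped, and the guest FTP attempt landing on PolicyDefault, which is the only rule that logs by default.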
How to Create Wi-Fi VLAN Interfaces to Separate the Staff Network and the Guest Network
This example shows how to create Wi-Fi VLAN interfaces to separate the staff network from the guest network. Suppose the staff network should have no restrictions, while guests must be prevented from accessing the USG itself.

Set Up Wi-Fi VLAN Interfaces
Create VLAN interfaces
Go to CONFIGURATION > Object > Zone. Create a zone for the guests.
CONFIGURATION > Object > Zone
Go to CONFIGURATION > Network > Interface > VLAN. Create VLAN16 for Staff_WiFi and VLAN17 for Guest_WiFi. CONFIGURATION >...

There will be two VLAN interfaces.
CONFIGURATION > Network > Interface > VLAN

Set Up the Users
Go to Configuration > Object > User/Group > User and create users for the staff and the guest.
Configuration > Object > User/Group > User > staff
Configuration > Object > User/Group > User > guest
There will be two users.

Set Up the AP Profile
Go to CONFIGURATION > Object > AP Profile > SSID > Security List and create two security profiles.
CONFIGURATION > Object > AP Profile > SSID > Security List > Guest_WPA2
CONFIGURATION > Object > AP Profile > SSID > Security List > Staff_WPA2

Go to CONFIGURATION > Object > AP Profile > SSID > SSID List and create two SSID profiles.
CONFIGURATION > Object > AP Profile > SSID > SSID List > Staff_Wifi
CONFIGURATION > Object > AP Profile > SSID > SSID List > Guest_Wifi

Go to CONFIGURATION > Wireless > AP Management > AP Group and add an AP Group named WiFi.
CONFIGURATION > Wireless > AP Management > AP Group

Go to CONFIGURATION > Wireless > AP Management > Mgnt. AP List and edit the AP entry. Change the Group setting to WiFi.
CONFIGURATION > Wireless > AP Management > Mgnt. AP List

Set Up the Security Policy Rule
Go to CONFIGURATION > Security Policy > Policy Control > Policy. Add one rule that blocks guests from accessing the USG and another that allows them to access the Internet. Because the first matching policy wins, keep the blocking rule above the allow rule if the two could match the same traffic (for example if the allow rule's To zone is any).
CONFIGURATION > Security Policy > Policy Control > Policy > Guest_ZyWALL
CONFIGURATION > Security Policy > Policy Control > Policy > Guest_Internet

Test the Result
Connect to the SSID Staff_WiFi and ping the USG interface; the ping should succeed.

Connect to the SSID Guest_WiFi and ping the USG interface; the ping should fail.

What Could Go Wrong?
Choosing the wrong zone for the Guest VLAN interface.
Not changing the AP to the correct group.
How to Set Up WiFi Networks with Microsoft Active Directory Authentication
This example uses the ZyWALL/USG to configure guest WiFi accounts with Microsoft Active Directory (AD) to authenticate your WiFi guests. For the wireless network setup, see How to Set Up WiFi with ZyXEL AP.
ZyWALL/USG with AD Guest WiFi Accounts Example
Note: All network IP addresses and subnet masks are used as examples in this article.

Set Up the Wi-Fi Guest Account and Authentication Method on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION > Object > User/Group > User > ad-users, set the Authentication Timeout Settings to Use Manual Settings and enter the number of minutes the user has to renew the current session before being logged out.

In the ZyWALL/USG, go to CONFIGURATION > Web Authentication > General Settings and select Enable Web Authentication.
CONFIGURATION > Web Authentication > General Settings

Set Up the Active Directory Server Account on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION > Object > AAA Server > Active Directory >...

user name (wifi_guest in this example) in the Username field and click Test. A pop-up screen shows the test result. Click OK to save the configuration.
CONFIGURATION > Object > AAA Server > Active Directory > Add Active Directory

Set Up the Security Policy on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION >...

Test the Result
Use a mobile device to connect to the AP that is connected to the ZyWALL/USG. When you try to access the Internet, you are redirected to the user login screen.

Type the Wi-Fi guest User Name and Password and click Login. The access session page appears.

Go to MONITOR > System Status > Login Users; the current login user list is shown as below.
Monitor > System Status > Login Users

What Could Go Wrong?
If you see a [notice] log like the one below, the Wi-Fi guest traffic is blocked by the priority 1 Security Policy.

If you see an [alert] log message like the one below, the Wi-Fi guest authentication failed. Make sure Web Authentication is enabled and check that your AD server is working properly.
Monitor > Log
Note: By default, Security Policy rules do not log matched traffic (except PolicyDefault). To find out which policy may be blocking the traffic, select that policy and set Log matched traffic to log or log alert.
Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using a USG310 (Firmware Version: ZLD 4.25).

Enable IPv6 on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION >...

Set Up the WAN IPv6 Interface on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Ethernet > wan1. Select Enable Interface and Enable IPv6. Select Enable Stateless Address Auto-configuration (SLAAC). Click OK.
CONFIGURATION > Network > Interface > Ethernet > wan1
Note: Your ISP or uplink router must send router advertisements.

Click OK.
CONFIGURATION > Network > Interface > Ethernet > lan1 > General Settings
CONFIGURATION > Network > Interface > Ethernet > lan1 > IPv6 Router Advertisement Setting

Test the Result
Connect a computer to the ZyWALL/USG's LAN1. Enable IPv6 support on your computer. In Windows XP, you need to run the ipv6 install command in a Command Prompt. In Windows 7, IPv6 is supported by default; you can enable it in the Control Panel > Network and Sharing Center > Local Area Connection screen. Your computer should get an IPv6 address (starting with 2002:1111:1111:1111: in this example) from the ZyWALL/USG.

What Could Go Wrong?
If your IPv6 connection does not work, make sure Auto-Configuration is enabled on the WAN1 IPv6 interface. Otherwise there is no default route to forward the LAN's IPv6 packets. In Windows, some IPv6 transition tunnels such as Teredo and 6to4 may be enabled by default.

Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using a USG310 (Firmware Version: ZLD 4.25).

Set Up the LAN IPv6 Interface on the ZyWALL/USG
The second and third 16-bit groups from the left must be converted from the wan1 IPv4 address (122.100.220.238 in this example): 122 = 0x7a, 100 = 0x64, 220 = 0xdc and 238 = 0xee, so the site's 6to4 prefix is 2002:7a64:dcee::/48 and the LAN1 address used in this example is 2002:7a64:dcee:1::111/128. In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Ethernet > lan1, select Enable Interface and Enable IPv6. Type 2002:7a64:dcee:1::111/128 in the IPv6 Address/Prefix Length field for LAN1's IP address. Enable Router Advertisement. Then click Add in the Advertised Prefix Table to add 2002:7a64:dcee:1::/64.

Set Up the 6to4 Tunnel on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Tunnel > Add and select Enable. Enter tunnel0 as the Interface Name and select 6to4 as the Tunnel Mode. In the 6to4 Tunnel Parameter section, this example simply uses the default 6to4 Prefix, 2002::/16.
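The following is an added example, not code from the Zyxel handbook: the 6to4 arithmetic (RFC 3056) behind the addresses used in this section. It derives the 2002::/16 site prefix, the subnet and the LAN address from the wan1 IPv4 address 122.100.220.238, recovers the IPv4 endpoint embedded in a 6to4 address, and picks the outer IPv4 destination for an IPv6 packet leaving the tunnel (the embedded address for 2002::/16 destinations, otherwise the relay). The relay address is assumed to be the RFC 3068 anycast 192.88.99.1; substitute whatever relay router setting you configured on the tunnel.

```python
"""Added example: 6to4 address derivation and tunnel endpoint selection.
Not Zyxel code; the relay address is an assumption for the demo."""
from ipaddress import IPv4Address, IPv6Address, IPv6Network

SIXTO4 = IPv6Network("2002::/16")
RELAY_ANYCAST = "192.88.99.1"   # assumed relay; use the one configured on the tunnel


def sixto4_prefix(wan_ipv4: str) -> IPv6Network:
    """2002:<high 16 bits of the IPv4 address>:<low 16 bits>::/48 for the site."""
    v4 = int(IPv4Address(wan_ipv4))
    return IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def lan_subnet(wan_ipv4: str, subnet_id: int) -> IPv6Network:
    """Bits 48..63 of the site /48 are the site's own subnet ID (1 in the handbook)."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet ID must fit in 16 bits")
    base = int(sixto4_prefix(wan_ipv4).network_address)
    return IPv6Network((base | (subnet_id << 64), 64))


def lan_address(wan_ipv4: str, subnet_id: int, host: int) -> IPv6Address:
    """Interface address inside the /64, e.g. host 0x111 gives ...:1::111."""
    if not 0 <= host < (1 << 64):
        raise ValueError("host part must fit in 64 bits")
    return IPv6Address(int(lan_subnet(wan_ipv4, subnet_id).network_address) | host)


def embedded_ipv4(addr: str) -> IPv4Address:
    """The IPv4 address a 6to4 address was derived from, which a relay or a
    peer 6to4 router uses as the outer IPv4 destination."""
    v6 = IPv6Address(addr)
    if v6 not in SIXTO4:
        raise ValueError(f"{addr} is not a 6to4 address")
    return IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def tunnel_endpoint(dst: str, relay: str = RELAY_ANYCAST) -> str:
    """Outer IPv4 destination for an IPv6 packet leaving tunnel0: 6to4
    destinations are reached directly, all other IPv6 goes via the relay."""
    return str(embedded_ipv4(dst)) if IPv6Address(dst) in SIXTO4 else relay


if __name__ == "__main__":
    wan = "122.100.220.238"
    print("prefix  ", sixto4_prefix(wan))
    print("lan1 /64", lan_subnet(wan, 1))
    print("lan1 ip ", lan_address(wan, 1, 0x111))
    print("endpoint", tunnel_endpoint("2001:b020:0:71::46"))
```

Note that the embedded IPv4 address is also why the tunnel depends on the WAN1 IPv4 interface: every IPv6 packet is encapsulated in IPv4 addressed to either the peer's embedded address or the relay.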
Test the Result
Connect a computer to the ZyWALL/USG's LAN1. Enable IPv6 support on your computer. In Windows XP, you need to run the ipv6 install command in a Command Prompt. In Windows 7, IPv6 is supported by default; you can enable it in the Control Panel > Network and Sharing Center > Local Area Connection screen.

What Could Go Wrong?
If your IPv6 connection does not work, make sure Auto-Configuration is disabled on the LAN1 IPv6 interface. Enabling it creates two default routes, but the ZyWALL/USG only needs the default route generated by your relay router setting.

Set Up the LAN IPv6 Interface on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Ethernet > lan1. Select Enable Interface and Enable IPv6. Type 2002:7a64:dcee:1::111/128 in the IPv6 Address/Prefix Length field for LAN1's IP address. Enable Router Advertisement.

CONFIGURATION > Network > Interface > Ethernet > lan1 > General Settings
CONFIGURATION > Network > Interface > Ethernet > lan1 > IPv6 Router Advertisement Setting

Set Up the 6to4 Tunnel on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Tunnel > Add and select Enable.

CONFIGURATION > Network > Interface > Tunnel

Set Up the Policy Route on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION > Network > Routing > IPv6 Configuration > Add and click Create New Object to create an IPv6 address object with the address prefix 2002:7a64:dcee:1::/64.

Test the Result
Connect a computer to the ZyWALL/USG's LAN1. Enable IPv6 support on your computer. In Windows XP, you need to run the ipv6 install command in a Command Prompt. In Windows 7, IPv6 is supported by default; you can enable it in the Control Panel > Network and Sharing Center > Local Area Connection screen.

Use the ping -6 [IPv6 address] command in a Command Prompt to test whether you can ping a computer behind ZyWALL/USG_Y. You should get a response.
Windows 7 > cmd > ping -6 2001:b020:0:71::46

What Could Go Wrong?
If your IPv6 connection does not work, make sure the WAN1 IPv4 interface is enabled; the 6to4 tunnel is carried inside IPv4 and has no path without it.
How to Update Firmware Automatically from USB Storage
This example illustrates how to update the ZyWALL/USG's firmware automatically from USB storage. With this feature, upgrading the firmware on many devices is more efficient, and it works without Internet or GUI access. The feature can also be used to downgrade the firmware.

Enable the USB Firmware Upgrade Function by CLI Command
For security reasons, the function is disabled by default: while it is enabled, anyone with physical access to the USB port can replace the running firmware. The administrator needs to enable it with the following CLI command, and should disable it again once the upgrade is done:
Router(config)# usb-storage update-firmware enable

Save the Firmware on the USB
There are two ways to create the firmware folder on the USB storage.

Firmware Folder Is Created Automatically
Plug the USB into the Device
Once the .bin file in the firmware folder is detected, the device copies it to RAM. Plug the USB storage into the USB port. The following message is shown on the console if the device fails to copy the .bin file.
Router>...

Check model ID: if the firmware is incompatible, the device deletes it from RAM. If it is compatible, the device checks the firmware version.
Check firmware version: if it is the same as the running firmware, the device deletes the firmware from RAM.

MONITOR > Log > View log

What Can Go Wrong?
The USB storage must use the FAT16, FAT32, EXT2 or EXT3 file system; otherwise the ZyWALL/USG may not detect it. The device only checks for firmware under a specific folder, so make sure the firmware is saved in the correct folder under the root directory: \ProductName_dir\firmware.

Console Message
MONITOR > Log > View log
Make sure the version of the USB firmware differs from that of the running partition. The device writes to the console and the device log if the firmware version is the same as the running firmware.
Console Message
MONITOR >...

Device HA Pro function activated.
When using USB firmware upgrade with Device HA or Device HA Pro, plug the USB storage into the passive device first. After the passive device has finished upgrading through the USB, plug the USB storage into the active device.
Figure 1 DHCP Option 60 Vendor Class Identifier

DHCP Option 60 Deployment Flow
Enable the WAN ports as DHCP clients (enabled by default). Navigate to the WAN interface configuration screen. Type the user-defined option 60 string in the Advance setting section.

Setting Up DHCP Option 60 on the Web GUI
In the ZyWALL/USG's navigation panel, go to Configuration >...

Click the Ethernet tab, go to WAN > Edit. Enter the VCI string in the Advance section of DHCP Option 60.

Setting Up DHCP Option 60 on the CLI
Under the specific interface path, use these commands:
Enable option 60
Router(config-if-wan1)# ip address dhcp option-60 {VCI_STRING}

Disable option 60
Router(config-if-wan1)# no ip address dhcp option-60

Test DHCP Option 60
To test the DHCP option 60 function, use packet capture software to check whether the option 60 string is present in the DHCP Discover message sent from the ZyWALL/USG WAN port.

What Can Go Wrong?
Avoid using the same option 60 string on two or more DHCP servers. Note also that the VCI is sent in cleartext and is not authenticated: it lets the server pick an address pool for a class of clients, but it must not be relied on as an access control.
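The following is an added example, not code from the Zyxel handbook: it builds a DHCPDISCOVER that carries option 60 (Vendor Class Identifier, RFC 2132 section 9.13) and parses the option list back out, which is the check you do on a capture of the WAN port. The client MAC, transaction ID and the VCI string "ZyWALL-WAN1" are constructed for the demo and are not Zyxel-defined values; the parser rejects truncated packets rather than reading past the end.

```python
"""Added example: DHCPDISCOVER with option 60, and an options parser for
verifying it in a capture. Not Zyxel code; all sample values are constructed."""
import struct
from typing import Dict, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_VCI, OPT_END = 0, 53, 60, 255
DHCPDISCOVER = 1
BOOTP_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"   # 236 bytes, then the cookie


def build_discover(mac: bytes, xid: int, vci: Optional[str]) -> bytes:
    """DHCPDISCOVER as a DHCP client sends it; option 60 is present only
    when a VCI is set, which is the difference the CLI command above makes."""
    if len(mac) != 6:
        raise ValueError("MAC must be 6 bytes")
    zero4 = b"\x00" * 4
    header = struct.pack(
        BOOTP_HEADER,
        1, 1, 6, 0,                   # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,               # xid, secs, flags (broadcast bit set)
        zero4, zero4, zero4, zero4,   # ciaddr, yiaddr, siaddr, giaddr
        mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128,   # chaddr, sname, file
    )
    options = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    if vci is not None:
        body = vci.encode("ascii")
        if not 1 <= len(body) <= 255:
            raise ValueError("VCI must be 1..255 bytes")
        options += bytes([OPT_VCI, len(body)]) + body
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


def parse_options(packet: bytes) -> Dict[int, bytes]:
    """TLV walk over the options field. Raises on truncation instead of
    reading past the end, and concatenates repeated codes (RFC 3396)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (bad length or magic cookie)")
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            return options
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option body")
        options[code] = options.get(code, b"") + value
        i += 2 + length
    raise ValueError("options not terminated by END")


def vendor_class(packet: bytes) -> Optional[str]:
    """The option 60 string of a DHCPDISCOVER, or None if the client sent none."""
    options = parse_options(packet)
    if options.get(OPT_MSG_TYPE) != bytes([DHCPDISCOVER]):
        raise ValueError("not a DHCPDISCOVER")
    vci = options.get(OPT_VCI)
    return vci.decode("ascii", errors="replace") if vci is not None else None


if __name__ == "__main__":
    pkt = build_discover(bytes.fromhex("001122334455"), 0x3903F326, "ZyWALL-WAN1")
    print(len(pkt), "bytes, option 60 =", vendor_class(pkt))
```

To check a real capture, feed the UDP payload of the WAN port's DHCP Discover (bytes after the UDP header) to vendor_class(); the same TLV walk is what a capture tool does when it decodes the Vendor class identifier field.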
How to Configure Device HA Pro
The Device HA feature acts as a failover when one of the devices in the network is dead or cannot access the Internet, which makes it a popular feature for network environments. In previous firmware versions, the USG supported AP (Active-Passive/Master-Backup) mode.

Device HA Pro License
The Device HA Pro feature requires a license. You must register both of your devices on the myZyXEL.com server first. Then make sure the Device HA Pro license is available on both devices.

Behavior of Device HA Pro
The behavior of Device HA Pro includes a heartbeat link to monitor the "active"...

This function is for the secondary device. If you are configuring the primary device, this function is unnecessary.
B. Serial number of the licensed device for license synchronization
Enter the serial number of the licensed device from the myZyXEL.com server.
C. Configure the Device HA Pro interface
Enter the management IP addresses of the active and passive devices.

The Main Function of Device HA Pro
Heartbeat Link
The heartbeat port is a new physical port on the device. After you enable Device HA Pro, the devices transmit multicast packets (UDP 694) to check each other's status. When the passive device is working properly, its system LED is on. Keep the heartbeat link on a dedicated cable or an isolated segment rather than the production network; it carries the state that decides which device is active.

How Do I Configure Device HA Pro in My Current Environment?
License
The Device HA Pro feature requires a license. Register both of your devices on myZyXEL.com and make sure the devices have the license after syncing with the myZyXEL.com server.

Configurations on the Primary Device
1. Go to the Configuration > Device HA > Device HA Pro screen.
2. Enter the device's license serial number from the myZyXEL.com server.
3. Enter the management IP address after enabling the Device HA Pro feature.
4.

Configurations on the Secondary Device
Go to the Configuration > Device HA > Device-HA Pro screen. Select Enable Configuration Provisioning from Active Device. Click Apply.

Go to the Configuration > Device HA > General screen. Select Enable Device HA and click Apply. Before the Device HA Pro feature is enabled on the secondary device, a warning message pops up for you to confirm. Click OK to enable it.

Connecting the Device HA Pro Port
The Device HA Pro port is a new physical port on the DUT.

What Can Go Wrong?
Why can't I see the correct license status from the myZyXEL.com server? On the Device-HA Pro settings page there is a field "Serial number of the licensed device for license synchronization". You should enter the serial number of the device that holds the licenses.
How to Set Up Two-Factor Authentication for Admin Login
Two-factor authentication prevents an attacker who has obtained an admin password from logging in to your device. It requires an additional verification code after the password has been accepted for the Web GUI, SSH or Telnet. Note that Telnet carries the password and the code in cleartext, so prefer HTTPS and SSH for administrative access. Follow these steps to set up two-factor authentication for logins to the system.

Note: Make sure the SMTP server configuration is correct; otherwise the user will not receive the mail.

Create an admin-type user on the device
Go to Configuration > Object > User/Group > User. Click Add to create a user with user type admin, and enter the email address of this user.

Set Up Two-Factor Authentication for admin on your device
Go to Configuration > Object > Auth Method > Two-Factor Authentication > Admin Access. Enable the function, add the admin user you created in step 2 to the rule, and select which services require two-factor authentication.

Test the Result
After completing these steps and logging in to the device as the admin user, the verification code is required.
Web Service:
SSH Service:

You receive the verification code by email.

What Can Go Wrong?
Make sure the SMTP server configuration is correct.
If you want to add "admin" to the 2FA rule, you must verify the admin email address first:
2-1 Enter the email address and click the "Send Code" button.
2-2 After clicking "Send Code", you receive the code by email.
How to Configure Email Security for Phishing Mail (This feature is only supported on the ATP series)
The following depicts a sample configuration of Email Security for phishing mail. Phishing is a type of online scam where criminals send an email that points to a fake website and asks you to provide sensitive information.

embedded URLs.
Figure 2 Phishing mail example

Set Up Phishing Detection on the ATP
On the ATP, go to Configuration > Security Service > Email Security and enable Check Mail Phishing, which lets the gateway inspect the URLs embedded in email.

Test the Result
Go to Monitor > Security Statistics > Email Security to observe the mail phishing logs.
Monitor > Security Statistics > Email Security
Go to Monitor > Security Statistics > Email Security to collect Email Security statistics.

What Can Go Wrong?
Make sure the Anti-Spam default service port is SMTP or POP3 by CLI:
Router# show utm-manager anti-spam defaultport

The feature does not support SSL inspection, so mail carried over TLS (SMTPS, POP3S or STARTTLS sessions) is not inspected. The ATP can inspect email up to 50KB; if the mail is larger than 50KB, the gateway inspects only the first 50KB starting from the header.
How to Set Up Email to SMS
The Email to SMS function sends an SMS to a client. The SMS message is initiated from the device to the SMS provider, and the SMS provider then sends the SMS to the client. This helps make sure the user receives the code even when the client has no Internet connection.

Note: Make sure the SMTP server configuration is correct; otherwise the message cannot be delivered to the SMS provider.

Set Up the Email to SMS Provider Configuration
Go to Configuration > System > Notification > SMS. Set SMS Provider to Email to SMS Provider. Enter the SMS provider's email server domain name, and configure the sender mail address in Mail From...

Create an admin-type user on the device
Go to Configuration > Object > User/Group > User. Click Add to create a user with user type admin, and enter the phone number of this user.

Set Up Two-Factor Authentication for admin on your device
Go to Configuration >...

Test the Result
After completing these steps and logging in to the device as the admin user, the verification code is required.
Web Service:
SSH Service:

You receive the verification code by SMS.

What Can Go Wrong?
Make sure the SMTP server configuration is correct.
Make sure your SMS provider supports the Mail to SMS function.
Make sure your email address is allowed by your SMS provider.
www.zyxel.com How to Use IP Reputation to Detect Threats (This feature is only supported on ATP series) As cyber threats such as scanners, botnets, phishing, etc. grow increasingly, how to identify suspect IP addresses of threats efficiently becomes a crucial task. With regularly updated IP database, ATP prevents threats by blocking connection to/from known IP addresses based on signature database.
Page 766
Activating the Reputation Filter Service
Register the ATP gateway at myZyxel.com and activate the Reputation Filter license. On the ATP, go to CONFIGURATION > Licensing > Signature Update and click the Update icon to check for new signatures.
Enabling IP Blocking on the ATP
Go to CONFIGURATION > Security Service > Reputation Filter > IP Reputation > General.
Page 767
Selecting specific types of IP addresses to block
In Types of Cyber Threats Coming From The Internet, select the threat types to block for incoming traffic. In Types of Cyber Threats Coming From The Internet And Local Networks, select the threat types to block for both incoming and outgoing traffic.
Page 768
Monitoring statistics for IP detection
Enable Collect Statistics to monitor the scan results and the detected IPs at MONITOR > Security Statistics > Reputation Filter.
Test the Result
Select Anonymous Proxies for incoming traffic and Botnet for outgoing traffic.
Page 769
For incoming traffic, set up a NAT rule and add a security policy rule that allows traffic from WAN to LAN. For outgoing traffic, ping an IP address in the "Botnets" threat category from the LAN. Then check the statistics for detected IPs at MONITOR >...
Page 770
On the dashboard (Dashboard > Advanced Threat Protection) you can find the top 5 countries with the most detections by IP Reputation.
What Can Go Wrong?
1. For Device HA or HA Pro, signature synchronization is required.
2. Cloud query is not supported.
3.
Page 771
How to Use Two Factor with Google Authenticator for Admin Access?
In previous firmware versions, the USG supported a PIN code sent by SMS or email as the two-factor authentication method. However, SMS-based two-factor authentication is not safe. Compared to the SMS-based method, Google Authenticator is the more secure way to receive the verification code for two-factor authentication.
Page 772
Two Factor with Google Authenticator Flow
1. Enable Google Authentication on a specific admin user.
2. Set up Google Authenticator.
3. Configure the valid time and login service types.
Enable Google Authentication on a specific admin user
Select a specific admin user and switch to the Two-factor Authentication tab. CONFIGURATION >...
Page 773
Set up Google Authenticator
Page 774
1. Download and install Google Authenticator on your mobile device (Apple Store / Google Play).
2. Register the admin account in Google Authenticator. Open the Google Authenticator app and scan the barcode shown on the Web GUI.
Page 775
3. Enter the token code displayed in Google Authenticator under “Step 3” and click “Verify code and finish” to submit and verify the code.
Page 776
A pop-up window reports the verification result.
4. After 2FA registration has been set up successfully, backup codes are shown on the Web GUI. The backup codes allow device login when you do not have access to the application on your mobile device.
Page 777
Configure valid time and login service types
Enable two-factor authentication for admin access. Configure the valid time and select which services require two-factor authentication for the admin user. The valid time is the deadline by which the admin must submit the two-factor authentication code to get access.
Page 778
Test the Result
1. Log in with the admin account "testadmin".
2. A pop-up window appears for the administrator to enter the verification code.
3. Enter the code shown in Google Authenticator and click "Verify". You can also enter a backup code if you do not have the mobile device on hand.
Page 779
4. Authorization with the username, password and token code succeeds. To see the log entry, go to MONITOR > Log > View Log > Category and select "Authentication Server".
What Can Go Wrong?
1. An admin user can be registered on only one Google Authenticator. If you would like to use another mobile device to authenticate the same admin user, click “Revoke”...
Page 780
2. Each admin user has 5 backup codes, and each backup code can be used only once for login.
Page 781
How to Configure Schedule Reboot in Device HA
In ZLD 4.60, a user can schedule a device reboot once, daily, weekly or monthly. Scheduled reboots can be applied to enhance the device's stability. The following figure depicts the Device HA scenario.
Note: This assumes Device HA has already been set up and has been working correctly for a period of time.
Page 782
Verification
When you enable schedule reboot in Device HA mode, the active device first sends a reboot request to the passive device. After the passive device reboots successfully, it changes to the active role. The original active device then reboots and afterwards changes to the passive role. If the passive device fails to reboot, the active device rejects the reboot process and shows the log: “schedule reboot, device-HA reboot sync fail”...
Page 784
How to Configure Reputation Filter - DNS Filter
DNS Filter is a mechanism that protects users by intercepting DNS requests for known malicious or unwanted domains and returning a false, or rather a controlled, IP address. The controlled IP address points to a sinkhole server defined by the administrator.
Page 785
Set Up the DNS Filter on the ATP Series
On the ATP Series, go to CONFIGURATION > Security Service > Reputation Filter > DNS Filter and enable this feature on the General Settings page. Select Redirect in the Action field. With Redirect selected, when a client hits the DNS Filter, the page is redirected to our blocked page or to a custom IP address.
Page 786
Use a web browser to access the malicious site. The gateway redirects you to the blocked page. Go to Monitor > Log and select the DNS Filter category. A log message appears after the DNS Filter profile has been hit.
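To make the intercept-and-redirect behaviour concrete, here is an added example of the decision a DNS sinkhole makes for each query. It is illustrative code written for this section, not Zyxel's implementation: the sinkhole address, the domain block list, the stand-in upstream answers and the log line format are all constructed, and the matching rules (a plain domain entry covers the name and everything under it, a `*.` entry covers only names under the suffix) are assumptions, not the gateway's documented semantics.

```python
from dataclasses import dataclass

# Constructed values: the sinkhole address the administrator configures as the
# "custom IP address" redirect target, and a small domain block list.
SINKHOLE_IP = "10.99.99.99"
BLOCKED_DOMAINS = ["malware.example", "*.phish.example"]

# Constructed stand-in for the upstream resolver the gateway would normally forward to.
UPSTREAM = {"www.malware.example": "203.0.113.10", "shop.example": "203.0.113.20",
            "login.phish.example": "203.0.113.30", "notmalware.example": "203.0.113.40"}

LOG = []  # constructed log lines, in the spirit of the DNS Filter log category


def normalise(name: str) -> str:
    return name.strip().rstrip(".").lower()


def entry_matches(qname: str, entry: str) -> bool:
    """Assumed matching rules: a plain domain entry covers the name itself and
    everything under it; a '*.' entry covers only names under the suffix. The
    leading '.' in the suffix test keeps 'notmalware.example' from matching
    'malware.example'."""
    qname = normalise(qname)
    if entry.startswith("*."):
        suffix = normalise(entry[2:])
        return qname.endswith("." + suffix)
    entry = normalise(entry)
    return qname == entry or qname.endswith("." + entry)


@dataclass
class DnsDecision:
    qname: str
    answer: str
    action: str   # "redirect" (sinkholed) or "pass" (answered normally)
    rule: str     # the block list entry that fired, or "" for pass


def resolve(qname: str, blocklist=BLOCKED_DOMAINS, sinkhole=SINKHOLE_IP) -> DnsDecision:
    """Intercept the query: sinkhole it if any block list entry matches, else forward."""
    for entry in blocklist:
        if entry_matches(qname, entry):
            LOG.append(f"DNS Filter: query {normalise(qname)} matched {entry}, "
                       f"redirected to {sinkhole}")
            return DnsDecision(qname, sinkhole, "redirect", entry)
    return DnsDecision(qname, UPSTREAM.get(normalise(qname), "NXDOMAIN"), "pass", "")


if __name__ == "__main__":
    for name in UPSTREAM:
        d = resolve(name)
        print(f"{name:24} -> {d.answer:14} ({d.action})")
    print("\n".join(LOG))
```

The browser test in the text corresponds to `resolve("www.malware.example")`: the client gets the sinkhole address instead of the real one, so its HTTP request lands on the block page, and the matching entry is recorded in the log.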
Page 787
What Could Go Wrong?
1. If DNS Filter is not working, there are two possible reasons:
You have not subscribed to the DNS Filter service.
You have subscribed to the DNS Filter service but the license (Gold Security Pack Standard) has expired.
2.
Page 788
How to customize an external block list in Reputation Filter
The Reputation Filter function supports importing a customized block list from an external server. You can configure the system to update the block list automatically on a schedule. You can list unsafe websites or IP addresses in multiple “.txt” files on your HTTP server, which makes it easy and quick to deploy the lists to multiple devices at the same time.
Page 789
Configure the block list in a .txt file
IP Reputation format:
1.1.1.1 (IPv4 Single Host)
1.1.1.0/24 (IPv4 CIDR)
1.1.1.10-1.1.1.20 (IPv4 Range)
2001:0DB8:02de:0000:0000:0000:0000:0e13 (IPv6 Single Host)
2001:DB8:2de::e14/32 (IPv6 CIDR)
URL Threat Filter format:
https://example.com (URL)
www.example.com (Hostname)
example.com (Domain name)
*.example.com (Wildcard domain name)
After the list is complete, save the .txt file on your HTTP server.
Page 790
URL Threat Filter
Go to Configuration > Security Service > Reputation Filter > URL Threat Filter > External Black List. Click Add to add the download source on your HTTP server.
Page 791
Check the External Block List update status
IP Reputation
URL Threat Filter
Page 792
Note: Make sure the block list format in your “.txt” file is correct. Otherwise the data cannot be fully imported into the system. You can check “Signature Number” to see whether the amount is the same as in your list.
Verification
IP Reputation block page
If client traffic is blocked by IP Reputation, the website cannot be accessed and the following is displayed.
IP Reputation Log
Page 793
URL Threat Filter
If client traffic is blocked by URL Threat Filter, the website cannot be accessed and the following is displayed.
URL Threat Filter Log
What Can Go Wrong
1. Make sure the IP/FQDN format in the block list file is correct. Otherwise the system stops importing data.
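Since a single malformed line stops the import and the only feedback is the “Signature Number” count, it pays to validate each .txt file before publishing it on the HTTP server. The following checker is an added example for this section and for the format list above; it is not Zyxel's code and only implements the entry forms the handbook lists. It treats blank lines as ignorable (an assumption; the handbook does not say), accepts only IPv4 for ranges because no IPv6 range form is listed, and reports the entry count that the gateway's “Signature Number” should show after a complete import. The sample lists are constructed from the handbook's examples with one deliberately bad line each.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens,
# no leading/trailing hyphen, at least two labels.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def classify_ip_entry(line: str) -> str:
    """Return the IP Reputation entry type for one line, or raise ValueError.
    Only the five forms the handbook lists are accepted."""
    if "-" in line:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
        if lo.version != 4 or hi.version != 4:
            raise ValueError("ranges are only defined for IPv4")
        if lo > hi:
            raise ValueError("range start is after range end")
        return "IPv4 Range"
    if "/" in line:
        # strict=False: the handbook's own IPv6 CIDR example has host bits set.
        net = ipaddress.ip_network(line, strict=False)
        return f"IPv{net.version} CIDR"
    return f"IPv{ipaddress.ip_address(line).version} Single Host"


def classify_url_entry(line: str) -> str:
    """Return the URL Threat Filter entry type for one line, or raise ValueError."""
    if line.startswith("*."):
        if not _HOSTNAME_RE.match(line[2:]):
            raise ValueError("invalid wildcard domain")
        return "Wildcard domain name"
    if "://" in line:
        parts = urlsplit(line)
        if (parts.scheme not in ("http", "https") or not parts.hostname
                or not _HOSTNAME_RE.match(parts.hostname)):
            raise ValueError("invalid URL")
        return "URL"
    if not _HOSTNAME_RE.match(line):
        raise ValueError("invalid hostname or domain name")
    return "Hostname or domain name"


def validate_list(text: str, kind: str):
    """Check every line of a block list file before publishing it on the HTTP server.
    Returns (entry_count, per_type_counts, errors); entry_count is the number the
    gateway's "Signature Number" should show after a complete import."""
    classify = {"ip": classify_ip_entry, "url": classify_url_entry}[kind]
    counts, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue  # assumption: blank lines are harmless
        try:
            entry_type = classify(line)
            counts[entry_type] = counts.get(entry_type, 0) + 1
        except ValueError as exc:
            errors.append(f"line {lineno}: {line!r}: {exc}")
    return sum(counts.values()), counts, errors


# Constructed sample files: the handbook's example entries plus one bad line each.
IP_LIST = """1.1.1.1
1.1.1.0/24
1.1.1.10-1.1.1.20
2001:0DB8:02de:0000:0000:0000:0000:0e13
2001:DB8:2de::e14/32
1.1.1.300
"""

URL_LIST = """https://example.com
www.example.com
example.com
*.example.com
http//broken.example
"""

if __name__ == "__main__":
    for kind, text in (("ip", IP_LIST), ("url", URL_LIST)):
        total, counts, errors = validate_list(text, kind)
        print(f"{kind}: {total} valid entries {counts}")
        for err in errors:
            print("  ", err)
```

Run it against each file before the scheduled update fetches it; if `errors` is non-empty, fix those lines, and compare the returned total with the “Signature Number” shown under the update status after the import.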
Page 794
How to set up a Link Aggregation Group (LAG)
A Link Aggregation Group (LAG) allows you to combine a number of physical ports into a single high-bandwidth data path. It can be used for load balancing or for failover, depending on the actual situation.
Page 795
Only the USG needs to be configured; you do not need to change any settings on the switch. On the USG, go to Configuration > Network > Interface > LAG. Choose the proper interface type and zone for the case, and select the slave ports to be added to the LAG interface.
Page 796
The USG should be connected to only one switch, and its settings should match those of the switch. This utilizes all slave network interfaces in the active aggregator group according to the 802.3ad specification.
Page 797
Xmit Hash Policy: Select layer2 or layer2+3. Select layer2 if the LAG interface is connected to a layer 2 subnet. Select layer2+3 if the LAG interface is connected to a network with a router or an L3 switch.
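The reason for the layer2 versus layer2+3 advice is easy to see with a model of the two hash policies. The example below is added for this section and is not Zyxel's code: it follows the formulas the Linux bonding documentation gives for `xmit_hash_policy` layer2 and layer2+3 (an assumption about the USG, which the handbook does not describe), and the MAC and IP addresses, the two-port LAG and the two traffic scenarios are constructed. Behind a router every frame the USG sees carries the router's MAC, so a MAC-only hash sends all flows down one slave port, while including the IP addresses spreads them across both.

```python
import ipaddress
from collections import Counter

# Simplified model of the two transmit hash policies, following the formulas in the
# Linux bonding documentation. That the USG uses exactly these is an assumption;
# the point illustrated holds for any policy that hashes only MAC addresses.


def _mac_last_byte(mac: str) -> int:
    return bytes.fromhex(mac.replace(":", ""))[-1]


def hash_layer2(src_mac: str, dst_mac: str, ethertype: int = 0x0800, slaves: int = 2) -> int:
    """layer2: (src MAC XOR dst MAC XOR ethertype) mod slave count."""
    return (_mac_last_byte(src_mac) ^ _mac_last_byte(dst_mac) ^ ethertype) % slaves


def hash_layer2_3(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                  ethertype: int = 0x0800, slaves: int = 2) -> int:
    """layer2+3: the layer2 value XOR (src IP XOR dst IP), folded down, mod slave count."""
    h = _mac_last_byte(src_mac) ^ _mac_last_byte(dst_mac) ^ ethertype
    h ^= int(ipaddress.ip_address(src_ip)) ^ int(ipaddress.ip_address(dst_ip))
    h ^= h >> 16
    h ^= h >> 8
    return h % slaves


def distribution(flows, policy: str, slaves: int = 2) -> dict:
    """Count how many flows each policy would place on each slave port."""
    counts = Counter()
    for src_mac, dst_mac, src_ip, dst_ip in flows:
        if policy == "layer2":
            counts[hash_layer2(src_mac, dst_mac, slaves=slaves)] += 1
        elif policy == "layer2+3":
            counts[hash_layer2_3(src_mac, dst_mac, src_ip, dst_ip, slaves=slaves)] += 1
        else:
            raise ValueError(policy)
    return dict(counts)


USG_MAC = "00:11:22:33:44:aa"      # constructed: the LAG interface's MAC
ROUTER_MAC = "00:11:22:33:44:01"   # constructed: the L3 device in front of the hosts
DST_IP = "172.16.0.1"              # constructed: a server behind the USG

# Scenario A (constructed): hosts on the same layer 2 subnet as the LAG interface,
# so every flow carries a different source MAC.
FLAT_L2_FLOWS = [(f"00:11:22:33:44:{0x10 + k:02x}", USG_MAC, f"10.0.1.{k}", DST_IP)
                 for k in range(1, 9)]

# Scenario B (constructed): the same hosts behind a router; every frame the USG
# sees has the router's MAC as source, only the IP addresses differ.
ROUTED_FLOWS = [(ROUTER_MAC, USG_MAC, f"10.0.1.{k}", DST_IP) for k in range(1, 9)]


if __name__ == "__main__":
    for name, flows in (("flat L2", FLAT_L2_FLOWS), ("behind router", ROUTED_FLOWS)):
        for policy in ("layer2", "layer2+3"):
            print(f"{name:14} {policy:9} -> flows per slave: {distribution(flows, policy)}")
```

With the routed flows the layer2 policy puts all eight flows on one port, which is the symptom to look for (one link saturated, the other idle) when a LAG behind a router was left on layer2.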
Page 798
LACP rate: The interval can be fast (every second) or slow (every 30 seconds).
Balance-alb Mode: (Does not require configuration on the switch; one or multiple switches can be used.)
Set up the balance-alb mode. The VLAN interface is cross-connected to different switches, and the link status on both switches is active.
Page 799
In this case, the LAG interface mode must be set to Balance-alb.
The VLAN interface is cross-connected to different switches (fault tolerance). Only one link connection is up and the other is down. In this case, you need to use the active-backup mode.
Page 800
You can find the LAG interface in the VLAN interface settings.
Test the Result
After deployment, you can see the interface status at Monitor > Interface Status. Below we use an 802.3ad LAG interface with Vlan66 as the example. Unplug one of the network cables during the ping; the connection should stay alive after one lost ping.
Page 801
What can go wrong
1. Configure all the related settings on the LAG interface before you connect the link.
2. Make sure you have the corresponding settings on your switch if using 802.3ad (LACP).
3. Check the Xmit Hash policy or the link monitoring method, and adjust the sensitivity of the updelay and downdelay when using active-backup or balance-alb mode.
Page 802
Remote access VPN Wizard
The following is a sample configuration showing how to build a VPN tunnel with the remote access VPN wizard. The Remote Access VPN Wizard is an easy way to set up a VPN tunnel quickly. No complex configuration is needed; all you need to do is follow the steps in the VPN Wizard.
Page 803
2. Select the remote VPN scenario: ZyXEL VPN Client (SecuExtender IPSec) or L2TP over IPSec client (iOS, Windows, Android). Here is an example of an L2TP over IPSec VPN deployment.
3. Configure the VPN settings:
(1) Enter the Pre-Shared Key.
(2) Choose the incoming interface.
(3) Select the tunnel type. L2TP over IPSec VPN only supports the full tunnel type.
Page 804
4. Configure the IP Address Pool for the client.
The IP address pool automatically selects a subnet not in use on the device, to avoid configuring the same subnet twice. The automatic IP address pool starts at 192.168.50.1. If the 192.168.50.1 subnet already exists in the settings, the IP address pool changes to the 192.168.51.1 subnet.
Page 805
5. Allow a local user to access the device.
If you did not create any users before setting up the VPN tunnel, you can set up the user here to allow the user to access the device through the VPN tunnel.
Page 806
6. After completing all the steps in the wizard, you can check the settings at the final step. If any setting is wrong, click Back to reset the configuration. If the settings are all correct, click Save to go to the next step.
7.
Page 807
8. Download the scripts to quickly build the VPN tunnel to the device on the client.
Note: The script file for Windows supports Windows 8 / Windows 10.
Page 808
Test the result
1. Extract the downloaded script on Windows and run the scripts.
2. Use PowerShell to run the scripts.
3. This generates a site to connect to the device.
Page 809
4. Double-click the icon and sign in with the username and password. Now you can successfully build the VPN tunnel.
What can go wrong
1. If you are using Windows 7 to run the scripts, you will be unable to run them; the scripts only support Windows 8 / Windows 10.