ZyXEL Communications USG-300 - V2.20 ED 2 Manual

ZyWALL USG 300
Unified Security Gateway

Default Login Details
LAN Port: P1
IP Address: https://192.168.1.1
User Name: admin
Password: 1234

www.zyxel.com
Firmware Version 2.20
Edition 2, 9/2010
Copyright © 2010 ZyXEL Communications Corporation

Summary of Contents for ZyXEL Communications USG-300 - V2.20 ED 2

  • Page 3: About This User's Guide

    • To find specific information in this guide, use the Contents Overview, the Table of Contents, the Index, or search the PDF file. E-mail techwriters@zyxel.com.tw if you cannot find the information you require. Related Documentation • Quick Start Guide The Quick Start Guide is designed to show you how to make the ZyWALL hardware connections and access the Web Configurator wizards.
  • Page 4 • Knowledge Base If you have a specific question about your product, the answer may be here. This is a collection of answers to previously asked questions about ZyXEL products. • Forum This contains discussions on ZyXEL products. Learn from others who use ZyXEL products and share your experiences as well.
  • Page 5 About This User's Guide See http://www.zyxel.com/web/contact_us.php for contact information. Please have the following information ready when you contact an office. • Product model and serial number. • Warranty Information. • Date that you received your device. • Brief description of the problem and the steps you took to solve it.
  • Page 6: Document Conventions

    Document Conventions Document Conventions Warnings and Notes These are how warnings and notes are shown in this User’s Guide. Warnings tell you about things that could harm you or your device. Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
  • Page 7 Document Conventions Icons Used in Figures Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. ZyWALL Computer Notebook computer Server Firewall Telephone Switch Router ZyWALL USG 300 User’s Guide...
  • Page 8: Safety Warnings

    Safety Warnings Safety Warnings • Do NOT use this product near water, for example, in a wet basement or near a swimming pool. • Do NOT expose your device to dampness, dust or corrosive liquids. • Do NOT store things on the device. •...
  • Page 9: Table Of Contents

    Contents Overview Contents Overview User’s Guide ........................... 31 Introducing the ZyWALL ......................33 Features and Applications ......................39 Web Configurator ........................47 Installation Setup Wizard ......................65 Quick Setup ..........................75 Configuration Basics ........................93 Tutorials ...........................117 L2TP VPN Example ......................... 185 Technical Reference ......................
  • Page 10 Contents Overview Content Filtering ........................659 Content Filter Reports ......................683 Anti-Spam ..........................691 Device HA ..........................709 User/Group ..........................731 Addresses ..........................747 Services ........................... 753 Schedules ..........................759 AAA Server ..........................765 Authentication Method ......................775 Certificates ..........................781 ISP Accounts ...........................
  • Page 11: Table Of Contents

    Table of Contents Table of Contents About This User's Guide ......................3 Document Conventions......................6 Safety Warnings........................8 Contents Overview ........................9 Table of Contents........................11 Part I: User’s Guide................31 Chapter 1 Introducing the ZyWALL ......................33 1.1 Overview and Key Default Settings ..................33 1.2 Rack-mounted Installation ....................
  • Page 12 Table of Contents 3.3.2 Navigation Panel ......................51 3.3.3 Main Window ......................57 3.3.4 Tables and Lists ......................59 Chapter 4 Installation Setup Wizard ....................... 65 4.1 Installation Setup Wizard Screens ..................65 4.1.1 Internet Access Setup - WAN Interface ..............66 4.1.2 Internet Access: Ethernet ..................
  • Page 13 Table of Contents 6.3 Terminology in the ZyWALL ....................97 6.4 Packet Flow ......................... 98 6.4.1 ZLD 2.20 Packet Flow Enhancements ............... 98 6.4.2 Routing Table Checking Flow Enhancements ............99 6.4.3 NAT Table Checking Flow ..................100 6.5 Feature Configuration Overview ..................101 6.5.1 Feature ........................
  • Page 14 Table of Contents 7.1.2 Configure Zones ......................118 7.1.3 Configure Port Grouping ...................119 7.2 How to Configure a Cellular Interface ................120 7.3 How to Configure Load Balancing ..................122 7.3.1 Set Up Available Bandwidth on Ethernet Interfaces ..........123 7.3.2 Configure the WAN Trunk ..................124 7.4 How to Set Up a Wireless LAN ..................
  • Page 15 Table of Contents 7.14.1 Create the Public IP Address Range Object ............176 7.14.2 Configure the Policy Route ..................177 7.15 How to Use Active-Passive Device HA ................177 7.15.1 Before You Start ..................... 178 7.15.2 Configure Device HA on the Master ZyWALL ............179 7.15.3 Configure the Backup ZyWALL ................
  • Page 16 Table of Contents 10.4 The Traffic Statistics Screen .................... 247 10.5 The Session Monitor Screen ..................250 10.6 The DDNS Status Screen ....................252 10.7 IP/MAC Binding Monitor ....................253 10.8 The Login Users Screen ....................254 10.9 WLAN Interface Station Monitor Screen ................255 10.10 Cellular Status Screen ....................
  • Page 17 Table of Contents 13.1 Interface Overview ......................295 13.1.1 What You Can Do in this Chapter ................295 13.1.2 What You Need to Know ..................296 13.2 Port Grouping ......................... 299 13.2.1 Port Grouping Overview ..................299 13.2.2 Port Grouping Screen .................... 299 13.3 Ethernet Summary Screen ....................
  • Page 18 Table of Contents 15.1 Policy and Static Routes Overview .................. 379 15.1.1 What You Can Do in this Chapter ................379 15.1.2 What You Need to Know ..................380 15.2 Policy Route Screen ......................382 15.2.1 Policy Route Edit Screen ..................385 15.3 IP Static Route Screen ....................
  • Page 19 Table of Contents 19.2.1 The NAT Add/Edit Screen ..................422 19.3 NAT Technical Reference ....................425 Chapter 20 HTTP Redirect ........................429 20.1 Overview .......................... 429 20.1.1 What You Can Do in this Chapter ................429 20.1.2 What You Need to Know ..................430 20.2 The HTTP Redirect Screen .....................
  • Page 20 Table of Contents 24.1.2 What You Need to Know ..................458 24.1.3 Firewall Rule Example Applications ............... 460 24.1.4 Firewall Rule Configuration Example ..............463 24.2 The Firewall Screen ......................465 24.2.1 Configuring the Firewall Screen ................466 24.2.2 The Firewall Add/Edit Screen ................. 469 24.3 The Session Limit Screen ....................
  • Page 21 Table of Contents 27.4 Bookmarking the ZyWALL ....................538 27.5 Logging Out of the SSL VPN User Screens ..............538 Chapter 28 SSL User Application Screens .................... 541 28.1 SSL User Application Screens Overview ................ 541 28.2 The Application Screen ....................541 Chapter 29 SSL User File Sharing ......................
  • Page 22 Table of Contents 32.2 Application Patrol General Screen .................. 569 32.3 Application Patrol Applications ..................570 32.3.1 The Application Patrol Edit Screen ................ 571 32.3.2 The Application Patrol Policy Edit Screen ............. 575 32.4 The Other Applications Screen ..................578 32.4.1 The Other Applications Add/Edit Screen ..............
  • Page 23 Table of Contents 34.8.2 Custom Signature Example ................... 628 34.8.3 Applying Custom Signatures .................. 630 34.8.4 Verifying Custom Signatures .................. 631 34.9 IDP Technical Reference ....................632 Chapter 35 ADP ............................637 35.1 Overview .......................... 637 35.1.1 ADP and IDP Comparison ..................637 35.1.2 What You Can Do in this Chapter .................
  • Page 24 Table of Contents 38.1 Overview .......................... 691 38.1.1 What You Can Do in this Chapter ................691 38.1.2 What You Need to Know ..................691 38.2 Before You Begin ......................693 38.3 The Anti-Spam General Screen ..................693 38.3.1 The Anti-Spam Policy Add or Edit Screen .............. 695 38.4 The Anti-Spam Black List Screen ..................
  • Page 25 Table of Contents 41.1 Overview .......................... 747 41.1.1 What You Can Do in this Chapter ................747 41.1.2 What You Need To Know ..................747 41.2 Address Summary Screen ....................747 41.2.1 Address Add/Edit Screen ..................749 41.3 Address Group Summary Screen ..................750 41.3.1 Address Group Add/Edit Screen ................
  • Page 26 Table of Contents 45.1.1 What You Can Do in this Chapter ................775 45.1.2 Before You Begin ....................775 45.1.3 Example: Selecting a VPN Authentication Method ..........775 45.2 Authentication Method Objects ..................776 45.2.1 Creating an Authentication Method Object ............777 Chapter 46 Certificates ..........................
  • Page 27 Table of Contents 49.2 Endpoint Security Screen ....................817 49.3 Endpoint Security Add/Edit ....................819 Chapter 50 System ..........................825 50.1 Overview .......................... 825 50.1.1 What You Can Do in this Chapter ................825 50.2 Host Name ........................826 50.3 USB Storage ........................827 50.4 Date and Time ........................
  • Page 28 Table of Contents 50.11.1 Supported MIBs ....................868 50.11.2 SNMP Traps ......................868 50.11.3 Configuring SNMP ....................868 50.12 Dial-in Management ...................... 870 50.12.1 Configuring Dial-in Mgmt ..................871 50.13 Vantage CNM ....................... 872 50.13.1 Configuring Vantage CNM ................... 873 50.14 Language Screen ......................
  • Page 29 Table of Contents Chapter 54 Reboot............................ 915 54.1 Overview .......................... 915 54.1.1 What You Need To Know ..................915 54.2 The Reboot Screen ......................915 Chapter 55 Shutdown..........................917 55.1 Overview .......................... 917 55.1.1 What You Need To Know ..................917 55.2 The Shutdown Screen .....................
  • Page 31: User's Guide

    User’s Guide...
  • Page 33: Introducing The Zywall

Chapter 1 Introducing the ZyWALL This chapter gives an overview of the ZyWALL. It explains the front panel ports, LEDs, introduces the management methods, and lists different ways to start or stop the ZyWALL. 1.1 Overview and Key Default Settings The ZyWALL is a comprehensive security device.
  • Page 34: Rack-Mounted Installation Procedure

    Chapter 1 Introducing the ZyWALL Use a #2 Phillips screwdriver to install the screws. Note: Failure to use the proper screws may damage the unit. 1.2.1 Rack-Mounted Installation Procedure Align one bracket with the holes on one side of the ZyWALL and secure it with the included bracket screws (smaller than the rack-mounting screws).
  • Page 35: Front Panel

    Chapter 1 Introducing the ZyWALL 1.3 Front Panel This section introduces the ZyWALL’s front panel. Figure 3 ZyWALL Front Panel 1.3.1 Front Panel LEDs The following table describes the LEDs. Table 1 Front Panel LEDs COLOR STATUS DESCRIPTION The ZyWALL is turned off. Green The ZyWALL is turned on.
  • Page 36 Chapter 1 Introducing the ZyWALL Web Configurator The Web Configurator allows easy ZyWALL setup and management using an Internet browser. This User’s Guide provides information about the Web Configurator. Figure 4 Managing the ZyWALL: Web Configurator Command-Line Interface (CLI) The CLI allows you to use text-based commands to configure the ZyWALL. You can access it through remote management (SSH or Telnet) or through the console port. Telnet carries the login and every command in cleartext, so use SSH or the console port for administration and leave Telnet disabled.
  • Page 37: Starting And Stopping The Zywall

    Chapter 1 Introducing the ZyWALL 1.5 Starting and Stopping the ZyWALL Here are some of the ways to start and stop the ZyWALL. Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the ZyWALL or remove the power. Not doing so can cause the firmware to become corrupt.
  • Page 39: Features And Applications

Chapter 2 Features and Applications This chapter introduces the main features and applications of the ZyWALL. 2.1 Features The ZyWALL’s security features include VPN, firewall, anti-virus, content filtering, IDP (Intrusion Detection and Prevention), ADP (Anomaly Detection and Protection), and certificates.
  • Page 40 Chapter 2 Features and Applications Firewall The ZyWALL’s firewall is a stateful inspection firewall. It restricts access by screening packets against defined access rules and it also tracks sessions: for example, traffic arriving from one zone is only let into another zone when it belongs to a session that a computer in the destination zone initiated first.
  • Page 41: Applications

    Chapter 2 Features and Applications Anti-Virus Scanner With the anti-virus packet scanner, the ZyWALL scans files transmitted through the enabled interfaces into the network, stopping threats at the network edge before they reach the local host computers. Anti-Spam The anti-spam feature can mark or discard spam.
  • Page 42: Vpn Connectivity

    Chapter 2 Features and Applications 2.2.1 VPN Connectivity Set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to provide secure access to your network. You can also set up additional connections to the Internet to provide better service. Figure 5 Applications: VPN Connectivity 2.2.2 SSL VPN Network Access You can configure the ZyWALL to provide SSL VPN network access to remote...
  • Page 43: Full Tunnel Mode

    Chapter 2 Features and Applications You do not have to install additional client software on the remote user computers for access. Figure 6 Network Access Mode: Reverse Proxy (remote browser connecting over HTTPS to web mail, file share and web-based applications on the LAN, 192.168.1.x) 2.2.2.2 Full Tunnel Mode In full tunnel mode, a virtual connection is created for remote users with private IP addresses in the same subnet as the local network.
  • Page 44: User-Aware Access Control

    Chapter 2 Features and Applications 2.2.3 User-Aware Access Control Set up security policies that restrict access to sensitive information and shared resources based on the user who is trying to access it. Figure 8 Applications: User-Aware Access Control 2.2.4 Multiple WAN Interfaces Set up multiple connections to the Internet on the same port, or set up multiple connections on different ports.
  • Page 45: Device Ha

    Chapter 2 Features and Applications 2.2.5 Device HA Set up an additional ZyWALL as a backup gateway to ensure the default gateway is always available for the network. Figure 10 Applications: Device HA
  • Page 47: Web Configurator

Chapter 3 Web Configurator The ZyWALL Web Configurator allows easy ZyWALL setup and management using an Internet browser. 3.1 Web Configurator Requirements In order to use the Web Configurator, you must • Use Internet Explorer 7 or later, or Firefox 1.5 or later •...
  • Page 48 Chapter 3 Web Configurator Open your web browser, and go to http://192.168.1.1. By default, the ZyWALL redirects this plain-HTTP request to its HTTPS server so that the login credentials are not sent in the clear; keep this setting. The Login screen appears. Figure 11 Login Screen Type the user name (default: “admin”) and password (default: “1234”).
  • Page 49: Web Configurator Screens Overview

    Chapter 3 Web Configurator This screen appears every time you log in with the default user name and default password, and stops appearing once you change the password for the default admin account. Follow the directions in this screen: the default credentials (admin / 1234) are printed on the cover of this guide, so change them before the ZyWALL is connected to any untrusted network. After you change the default password and click Apply, the Login screen (Figure 11 on page 48) appears.
  • Page 50: Title Bar

    Chapter 3 Web Configurator 3.3.1 Title Bar The title bar provides some icons in the upper right corner. Figure 14 Title Bar The icons provide the following functions. Table 4 Title Bar: Web Configurator Icons LABEL DESCRIPTION Logout Click this to log out of the Web Configurator. Help Click this to open the help page for the current screen.
  • Page 51: Navigation Panel

    Chapter 3 Web Configurator The following table describes labels that can appear in this screen. Table 5 About LABEL DESCRIPTION Boot Module This shows the version number of the software that handles the booting process of the ZyWALL. Current This shows the firmware version of the ZyWALL. Version Released Date This shows the date (yyyy-mm-dd) and time (hh:mm:ss) when the...
  • Page 52: Monitor Menu

    Chapter 3 Web Configurator 3.3.2.2 Monitor Menu The monitor menu screens display status and statistics information. Table 6 Monitor Menu Screens Summary FOLDER OR LINK FUNCTION System Status Port Statistics Displays packet statistics for each physical port. Interface Status Displays general interface information and packet statistics.
  • Page 53: Configuration Menu

    Chapter 3 Web Configurator 3.3.2.3 Configuration Menu Use the configuration menu screens to configure the ZyWALL’s features. Table 7 Configuration Menu Screens Summary FOLDER OR FUNCTION LINK Quick Setup Quickly configure WAN interfaces or VPN connections. Licensing Registration Registration Register the device and activate trial services. Service View the licensed service status and upgrade licensed services.
  • Page 54: Summary

    Chapter 3 Web Configurator Table 7 Configuration Menu Screens Summary (continued) FOLDER OR FUNCTION LINK Configure SIP, H.323, and FTP pass-through settings. IP/MAC Summary Configure IP to MAC address bindings for devices Binding connected to each supported interface. Exempt List Configure ranges of IP addresses to which the ZyWALL does not apply IP/MAC binding.
  • Page 55 Chapter 3 Web Configurator Table 7 Configuration Menu Screens Summary (continued) FOLDER OR FUNCTION LINK General Display and manage ADP bindings. Profile Create and manage ADP profiles. Content Filter General Create and manage content filter policies. Filter Profile Create and manage the detailed filtering rules for content filtering policies.
  • Page 56 Chapter 3 Web Configurator Table 7 Configuration Menu Screens Summary (continued) FOLDER OR FUNCTION LINK ISP Account Create and manage ISP account information for PPPoE/PPTP interfaces. Create SSL web application or file sharing objects. Application Endpoint Create Endpoint Security (EPS) objects. Security System Host Name...
  • Page 57: Main Window

    Chapter 3 Web Configurator 3.3.2.4 Maintenance Menu Use the maintenance menu screens to manage configuration and firmware files, run diagnostics, and reboot or shut down the ZyWALL. Table 8 Maintenance Menu Screens Summary FOLDER OR FUNCTION LINK File Manager Configuration Manage and upload configuration files for the File ZyWALL.
  • Page 58 Chapter 3 Web Configurator 3.3.3.2 Site Map Click Site MAP to see an overview of links to the Web Configurator screens. Click a screen’s link to go to that screen. Figure 18 Site Map 3.3.3.3 Object Reference Click Object Reference to open the Object Reference screen. Select the type of object and the individual object and click Refresh to show which configuration settings reference the object.
  • Page 59: Tables And Lists

    Chapter 3 Web Configurator The fields vary with the type of object. The following table describes labels that can appear in this screen. Table 9 Object References LABEL DESCRIPTION Object Name This identifies the object for which the configuration settings that use it are displayed.
  • Page 60: Tables And Lists

    Chapter 3 Web Configurator 3.3.4.1 Manipulating Table Display Here are some of the ways you can manipulate the Web Configurator tables. Click a column heading to sort the table’s entries according to that column’s criteria. Figure 21 Sorting Table Entries by a Column’s Criteria Click the down arrow next to a column heading for more options about how to display the entries.
  • Page 61 Chapter 3 Web Configurator Select a column heading cell’s right border and drag to re-size the column. Figure 23 Resizing a Table Column Select a column heading and drag and drop it to change the column order. A green check mark displays next to the column’s title when you drag the column to a valid new location.
  • Page 62: Working With Table Entries

    Chapter 3 Web Configurator 3.3.4.2 Working with Table Entries The tables have icons for working with table entries. A sample is shown next. You can often use the [Shift] or [Ctrl] key to select multiple entries to remove, activate, or deactivate. Figure 26 Common Table Icons Here are descriptions for the most common table icons.
  • Page 63 Chapter 3 Web Configurator you can also use the [Shift] or [Ctrl] key to select multiple entries, and then use the arrow button to move them to the other list. Figure 27 Working with Lists
  • Page 65: Installation Setup Wizard

Chapter 4 Installation Setup Wizard 4.1 Installation Setup Wizard Screens If you log into the Web Configurator when the ZyWALL is using its default configuration, the first Installation Setup Wizard screen displays. This wizard helps you configure Internet connection settings and activate subscription services.
  • Page 66: Internet Access Setup - Wan Interface

    Chapter 4 Installation Setup Wizard 4.1.1 Internet Access Setup - WAN Interface Use this screen to set how many WAN interfaces to configure and the first WAN interface’s type of encapsulation and method of IP address assignment. The screens vary depending on the encapsulation type. Refer to information provided by your ISP to know what to enter in each field.
  • Page 67 Chapter 4 Installation Setup Wizard Note: Enter the Internet access information exactly as given to you by your ISP. Figure 30 Internet Access: Ethernet Encapsulation • Encapsulation: This displays the type of Internet connection you are configuring. • First WAN Interface: This is the number of the interface that will connect with your ISP.
  • Page 68: Internet Access: Pppoe

    Chapter 4 Installation Setup Wizard 4.1.3 Internet Access: PPPoE Note: Enter the Internet access information exactly as given to you by your ISP. Figure 31 Internet Access: PPPoE Encapsulation 4.1.3.1 ISP Parameters • Type the PPPoE Service Name from your service provider. PPPoE uses a service name to identify and reach the PPPoE server.
  • Page 69: Internet Access: Pptp

    Chapter 4 Installation Setup Wizard 4.1.3.2 WAN IP Address Assignments • WAN Interface: This is the name of the interface that will connect with your ISP. • Zone: This is the security zone to which this interface and Internet connection will belong.
  • Page 70 Chapter 4 Installation Setup Wizard • CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by the remote node. • CHAP - Your ZyWALL accepts CHAP only. • PAP - Your ZyWALL accepts PAP only. • MSCHAP - Your ZyWALL accepts MSCHAP only. •...
  • Page 71: Internet Access Setup - Second Wan Interface

    Chapter 4 Installation Setup Wizard 4.1.6 Internet Access Setup - Second WAN Interface If you selected I have two ISPs, after you configure the First WAN Interface, you can configure the Second WAN Interface. The screens for configuring the second WAN interface are similar to the first (see Section 4.1.1 on page 66).
  • Page 72: Device Registration

    Chapter 4 Installation Setup Wizard Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Click Next and use the following screen to perform a basic registration (see Section 4.2 on page 72).
  • Page 73 Chapter 4 Installation Setup Wizard • Select existing myZyXEL.com account if you already have an account at myZyXEL.com and enter your user name and password in the fields below to register your ZyWALL. • Enter a User Name for your myZyXEL.com account. Use from six to 20 alphanumeric characters (and the underscore).
  • Page 75: Quick Setup

Chapter 5 Quick Setup 5.1 Quick Setup Overview The Web Configurator's quick setup wizards help you configure Internet and VPN connection settings. This chapter provides information on configuring the quick setup screens in the Web Configurator. See the feature-specific chapters in this User’s Guide for background information.
  • Page 76: Wan Interface Quick Setup

    Chapter 5 Quick Setup 5.2 WAN Interface Quick Setup Click WAN Interface in the main Quick Setup screen to open the WAN Interface Quick Setup Wizard Welcome screen. Use these screens to configure an interface to connect to the internet. Click Next. Figure 38 WAN Interface Quick Setup Wizard 5.2.1 Choose an Ethernet Interface Select the Ethernet interface that you want to configure for a WAN connection and...
  • Page 77: Configure Wan Settings

    Chapter 5 Quick Setup Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your ISP. Figure 40 WAN Interface Setup: Step 2 The screens vary depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information.
  • Page 78: Wan And Isp Connection Settings

    Chapter 5 Quick Setup • IP Address Assignment: Select Auto if your ISP did not assign you a fixed IP address. Select Static if the ISP assigned a fixed IP address. 5.2.4 WAN and ISP Connection Settings Use this screen to configure the ISP and WAN interface settings. This screen is read-only if you set the IP Address Assignment to Static.
  • Page 79 Chapter 5 Quick Setup Table 11 WAN and ISP Connection Settings (continued) LABEL DESCRIPTION Authentication Use the drop-down list box to select an authentication protocol for Type outgoing calls. Options are: CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by this remote node.
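The Authentication Type options listed on pages 70 and 79 (CHAP/PAP, CHAP, PAP) decide what the ZyWALL, acting as the PPP client, will put on the wire when the ISP's PPP peer asks it to authenticate. The following is an added Python model, not ZyXEL code, that implements the CHAP response of RFC 1994 (MD5 over Identifier, secret and Challenge) and the cleartext PAP Authenticate-Request of RFC 1334, then shows what a passive observer on the link learns in each case and what the CHAP/PAP fallback gives up. The ISP secret, peer-id, challenge bytes and the attacker's wordlist are constructed; MS-CHAP is not modelled.

```python
"""CHAP versus PAP on a PPPoE/PPTP WAN interface (added example, not ZyXEL code)."""
import hashlib
import hmac
from typing import Dict, Iterable, Optional

SECRET = "isp-secret-42"        # constructed PPP password assigned by the ISP
PEER_ID = "user@isp.example"    # constructed PPP user name
CHALLENGE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed challenge
WORDLIST = ["password", "hunter2", "isp-secret-42"]             # constructed

# What each wizard option lets the client answer when the peer requests it.
ACCEPTS = {"CHAP/PAP": ("CHAP", "PAP"), "CHAP": ("CHAP",), "PAP": ("PAP",)}


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_verify(identifier: int, secret: str, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute and compare in constant time."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def pap_request(peer_id: str, password: str) -> Dict[str, bytes]:
    """RFC 1334 Authenticate-Request: Peer-ID and Password travel in the clear."""
    return {"peer_id": peer_id.encode(), "password": password.encode()}


def client_answer(mode: str, requested: str, identifier: int = 1,
                  challenge: bytes = CHALLENGE) -> Optional[Dict[str, bytes]]:
    """Bytes the client sends when LCP negotiation asks for `requested`;
    None means the protocol is refused and the link is not brought up."""
    if requested not in ACCEPTS[mode]:
        return None
    if requested == "PAP":
        return pap_request(PEER_ID, SECRET)
    return {"identifier": bytes([identifier]), "challenge": challenge,
            "response": chap_response(identifier, SECRET, challenge)}


def crack_chap(capture: Dict[str, bytes], wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack on a captured CHAP round: everything but the
    secret is on the wire, so a weak secret is recovered without interaction."""
    identifier = capture["identifier"][0]
    for guess in wordlist:
        if chap_verify(identifier, guess, capture["challenge"], capture["response"]):
            return guess
    return None


def demo() -> Dict[str, object]:
    """Summarise what an on-path observer sees for each configuration."""
    chap = client_answer("CHAP", "CHAP", identifier=7)
    downgraded = client_answer("CHAP/PAP", "PAP")      # peer asked for PAP
    return {
        "chap_leaks_secret": SECRET.encode() in b"".join(chap.values()),
        "chap_dictionary_hit": crack_chap(chap, WORDLIST),
        "chap_only_refuses_pap": client_answer("CHAP", "PAP") is None,
        "chap_pap_fallback_password": downgraded["password"].decode(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With CHAP/PAP selected, a peer (or anyone who can impersonate the PPPoE concentrator on the access segment) that requests PAP receives the password in cleartext; CHAP-only refuses that request. CHAP itself only hides the secret from a passive observer as long as the secret resists an offline dictionary attack, so the ISP password deserves the same care as any other credential.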
  • Page 80: Quick Setup Interface Wizard: Summary

    Chapter 5 Quick Setup Table 11 WAN and ISP Connection Settings (continued) LABEL DESCRIPTION First DNS These fields only display for an interface with a static IP address. Server Enter the DNS server IP address(es) in the field(s) to the right. Second DNS Server Leave the field as 0.0.0.0 if you do not want to configure DNS...
  • Page 81: Vpn Quick Setup

    Chapter 5 Quick Setup Table 12 Interface Wizard: Summary WAN LABEL DESCRIPTION Server IP This field only appears for a PPTP interface. It displays the IP address of the PPTP server. User Name This is the user name given to you by your ISP. Nailed-Up If No displays the connection will not time out.
  • Page 82: Vpn Setup Wizard: Wizard Type

    Chapter 5 Quick Setup 5.4 VPN Setup Wizard: Wizard Type A VPN (Virtual Private Network) tunnel is a secure connection to another computer or network. Use this screen to select which type of VPN connection you want to configure. Figure 45 VPN Setup Wizard: Wizard Type Express: Use this wizard to create a VPN connection with another ZLD-based ZyWALL using a pre-shared key and default security settings.
  • Page 83: Vpn Express Wizard - Scenario

    Chapter 5 Quick Setup 5.5 VPN Express Wizard - Scenario Click the Express radio button as shown in Figure 45 on page 82 to display the following screen. Figure 46 VPN Express Wizard: Step 2 Rule Name: Type the name used to identify this VPN connection (and VPN gateway).
  • Page 84: Vpn Express Wizard - Configuration

    Chapter 5 Quick Setup 5.5.1 VPN Express Wizard - Configuration Figure 47 VPN Express Wizard: Step 3 • Secure Gateway: If Any displays in this field, it is not configurable for the chosen scenario. If this field is configurable, enter the WAN IP address or domain name of the remote IPSec device (secure gateway) so that the ZyWALL can identify the remote IPSec router.
  • Page 85: Vpn Express Wizard - Summary

    Chapter 5 Quick Setup 5.5.2 VPN Express Wizard - Summary This screen provides a read-only summary of the VPN tunnel’s configuration and also commands that you can copy and paste into another ZLD-based ZyWALL’s command line interface to configure it. Figure 48 VPN Express Wizard: Step 4 •...
  • Page 86: Vpn Express Wizard - Finish

    Chapter 5 Quick Setup 5.5.3 VPN Express Wizard - Finish Now you can use the VPN tunnel. Figure 49 VPN Express Wizard: Step 6 Note: If you have not already done so, use the myZyXEL.com link and register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Click Close to exit the wizard.
  • Page 87: Vpn Advanced Wizard - Scenario

    Chapter 5 Quick Setup 5.5.4 VPN Advanced Wizard - Scenario Click the Advanced radio button as shown in Figure 45 on page 82 to display the following screen. Figure 50 VPN Advanced Wizard: Scenario Rule Name: Type the name used to identify this VPN connection (and VPN gateway).
  • Page 88: Vpn Advanced Wizard - Phase 1 Settings

    Chapter 5 Quick Setup • Remote Access (Client Role) - Choose this to connect to an IPSec server. This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel. 5.5.5 VPN Advanced Wizard - Phase 1 Settings There are two phases to every IKE (Internet Key Exchange) negotiation: phase 1 (Authentication), in which the two peers authenticate each other and establish the IKE SA, and phase 2 (Key Exchange), in which that SA is used to negotiate the IPSec SAs that protect the data.
  • Page 89 Chapter 5 Quick Setup that uses a 168-bit key. This makes 3DES stronger than DES, though its effective strength is only about 112 bits (meet-in-the-middle attacks) and its 64-bit block size limits how much data a single SA should protect. It also requires more processing power, resulting in increased latency and decreased throughput. AES128 uses a 128-bit key and is both faster and stronger than 3DES. AES192 uses a 192-bit key and AES256 uses a 256-bit key. Prefer AES; use DES or 3DES only when the remote peer supports nothing else.
  • Page 90: Vpn Advanced Wizard - Phase 2

    Chapter 5 Quick Setup 5.5.6 VPN Advanced Wizard - Phase 2 Phase 2 in an IKE uses the SA that was established in phase 1 to negotiate SAs for IPSec. Figure 52 VPN Advanced Wizard: Step 4 • Active Protocol: ESP works through NAT (NAT traversal wraps it in UDP), AH does not: AH authenticates the outer IP header, including the addresses that NAT rewrites, so a translated packet fails the integrity check. •...
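The phase 1 and phase 2 proposal fields above (encryption, authentication, key group, SA lifetime) are worth sanity-checking before a tunnel goes live. The following is an added Python example, not ZyXEL code, that reports the weak choices in a proposal and, for the 64-bit block ciphers DES and 3DES, derives how long an SA can run at a given throughput before the birthday bound on ciphertext blocks is reached. The key sizes and effective strengths are standard cryptographic facts and the moduli are those of IKE Diffie-Hellman groups 1, 2 and 5; the 100 Mbit/s throughput and the proposals themselves are assumptions made for the calculation.

```python
"""Evaluating an IKE phase 1 / phase 2 proposal (added example, not ZyXEL code)."""
from dataclasses import dataclass
from typing import List

# name -> (nominal key bits, effective key bits, block bits)
CIPHERS = {
    "DES":    (56,  56,  64),
    "3DES":   (168, 112, 64),    # meet-in-the-middle costs 2^112, not 2^168
    "AES128": (128, 128, 128),
    "AES192": (192, 192, 128),
    "AES256": (256, 256, 128),
}
DH_MODULUS_BITS = {"DH1": 768, "DH2": 1024, "DH5": 1536}   # IKE groups 1, 2, 5


@dataclass(frozen=True)
class Proposal:
    encryption: str        # wizard Encryption field
    authentication: str    # wizard Authentication field: MD5 or SHA1
    key_group: str         # wizard Key Group field
    sa_lifetime_s: int     # wizard SA Life Time, in seconds


def birthday_bound_bytes(block_bits: int) -> int:
    """Ciphertext one key may cover before two equal CBC blocks become likely:
    2^(block/2) blocks of block/8 bytes each (32 GiB for a 64-bit block)."""
    return 2 ** (block_bits // 2) * (block_bits // 8)


def seconds_to_bound(block_bits: int, throughput_bps: float) -> float:
    """Time to push birthday_bound_bytes through the tunnel at throughput_bps."""
    return birthday_bound_bytes(block_bits) * 8 / throughput_bps


def findings(p: Proposal, throughput_bps: float = 100e6) -> List[str]:
    """Weaknesses in one proposal; an empty list means nothing to object to."""
    out: List[str] = []
    _, effective, block = CIPHERS[p.encryption]
    if effective < 112:
        out.append(f"{p.encryption}: {effective}-bit effective key is brute-forceable")
    if block == 64:
        t = seconds_to_bound(block, throughput_bps)
        if t < p.sa_lifetime_s:   # the SA outlives the safe data volume
            out.append(
                f"{p.encryption}: 64-bit block; {birthday_bound_bytes(block) >> 30} GiB "
                f"birthday bound reached after {t / 60:.0f} min at "
                f"{throughput_bps / 1e6:.0f} Mbit/s, inside the {p.sa_lifetime_s} s lifetime")
    if p.authentication == "MD5":
        out.append("MD5: deprecated hash; use SHA1 or stronger")
    bits = DH_MODULUS_BITS[p.key_group]
    if bits < 2048:
        out.append(f"{p.key_group}: {bits}-bit DH modulus is below the 2048-bit minimum")
    return out


if __name__ == "__main__":
    # Constructed proposals: a legacy one and the strongest the wizard can express.
    for prop in (Proposal("3DES", "MD5", "DH2", 28800),
                 Proposal("AES256", "SHA1", "DH5", 28800)):
        print(prop, "->", findings(prop) or "no findings")
```

The lifetime check is the non-obvious one: a 3DES phase 2 SA with the usual eight-hour lifetime exceeds its 32 GiB birthday bound in under an hour on a 100 Mbit/s link, so if 3DES cannot be avoided the SA lifetime (or a byte-based lifetime, where the peer supports one) has to be cut to match.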
  • Page 91: Vpn Advanced Wizard - Summary

    Chapter 5 Quick Setup • Nailed-Up: This displays for the site-to-site and remote access client role scenarios. Select this to have the ZyWALL automatically renegotiate the IPSec SA when the SA life time expires. 5.5.7 VPN Advanced Wizard - Summary This is a read-only summary of the VPN tunnel settings.
  • Page 92: Vpn Advanced Wizard - Finish

    Chapter 5 Quick Setup 5.5.8 VPN Advanced Wizard - Finish Now you can use the VPN tunnel. Figure 54 VPN Wizard: Step 6: Advanced Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Click Close to exit the wizard.
  • Page 93: Configuration Basics

    CHAPTER 6 Configuration Basics This information is provided to help you configure the ZyWALL effectively. Some of it is helpful when you are just getting started. Some of it is provided for your reference when you configure various features in the ZyWALL. •...
  • Page 94: Zones, Interfaces, And Physical Ports

    Chapter 6 Configuration Basics objects whenever the interface’s IP address settings change. For example, if you change an Ethernet interface’s IP address, the ZyWALL automatically updates the rules or settings that use the interface-based, LAN subnet address object. You can use the Configuration > Objects screens to create objects before you configure features that use them.
  • Page 95: Interface Types

    Chapter 6 Configuration Basics 6.2.1 Interface Types There are many types of interfaces in the ZyWALL. In addition to being used in various features, interfaces also describe the network that is directly connected to the ZyWALL. • Ethernet interfaces are the foundation for defining other interfaces and network policies.
  • Page 96: Default Interface And Zone Configuration

    Chapter 6 Configuration Basics 6.2.2 Default Interface and Zone Configuration This section introduces the ZyWALL’s default zone member physical interfaces and the default configuration of those interfaces. The following figure uses letters to denote public IP addresses or part of a private IP address. Figure 56 Default Network Topology Table 14 Default Port, Interface, and Zone Configuration IP ADDRESS AND DHCP...
  • Page 97: Terminology In The Zywall

    Chapter 6 Configuration Basics • The WAN zone contains the ge2 and ge3 interfaces (physical ports 2 and 3). They use public IP addresses to connect to the Internet. • The DMZ zone contains the ge4 and ge5 interfaces (physical ports 4 and 5). The DMZ zone has servers that are available to the public.
  • Page 98: Packet Flow

    Chapter 6 Configuration Basics 6.4 Packet Flow Here is the order in which the ZyWALL applies its features and checks. Figure 57 Packet Flow 6.4.1 ZLD 2.20 Packet Flow Enhancements ZLD version 2.20 has been enhanced to simplify configuration. The packet flow has been changed as follows: •...
  • Page 99: Routing Table Checking Flow Enhancements

    Chapter 6 Configuration Basics • You do not need to set up policy routes for 1:1 NAT entries. • You can create Many 1:1 NAT entries to translate a range of private network addresses to a range of public IP addresses. •...
  • Page 100: Nat Table Checking Flow

    Chapter 6 Configuration Basics Policy Routes: These are the user-configured policy routes. Configure policy routes to send packets through the appropriate interface or VPN tunnel. See Chapter 15 on page 379 for more on policy routes. 1 to 1 and Many 1 to 1 NAT: These are the 1 to 1 NAT and many 1 to 1 NAT rules.
  • Page 101: Feature Configuration Overview

    Chapter 6 Configuration Basics ZyWALL stops checking the packets against the NAT table and moves on to bandwidth management. Figure 59 NAT Table Checking Flow SNAT defined in the policy routes. This was already in ZLD 2.1x. 1 to 1 SNAT (including Many 1 to 1) is also included in the NAT table. NAT loopback is now included in the NAT table instead of requiring a separate policy route.
  • Page 102: Feature

    Chapter 6 Configuration Basics 6.5.1 Feature FEATURE: This provides a brief description. See the appropriate chapter(s) in this User’s Guide for more information about any feature. MENU ITEM(S): This shows you the sequence of menu items and tabs you should click to find the main screen(s) for this feature. See the web help or the related User’s Guide chapter for information about each screen.
  • Page 103: Interface

    Chapter 6 Configuration Basics subscription to update the anti-virus and IDP/application patrol signatures. You must have Internet access to myZyXEL.com. MENU ITEM(S): Configuration > Licensing > Update. PREREQUISITES: Registration (for anti-virus and IDP/application patrol), Internet access to myZyXEL.com. 6.5.4 Interface See Section 6.2 on page 94 for background information.
  • Page 104 Chapter 6 Configuration Basics and general NAT on the source address. You have to set up the criteria, next-hops, and NAT settings first. MENU ITEM(S): Configuration > Network > Routing > Policy Route. Criteria: users, user groups, interfaces (incoming), IPSec VPN (incoming), addresses (source, destination), address groups (source, destination), schedules, services, service groups. Next-hop: addresses (HOST gateway), IPSec VPN, SSL VPN, trunks,...
  • Page 105: Static Routes

    Chapter 6 Configuration Basics 6.5.7 Static Routes Use static routes to tell the ZyWALL about networks not directly connected to the ZyWALL. MENU ITEM(S): Configuration > Network > Routing > Static Route. PREREQUISITES: Interfaces. 6.5.8 Zones See Section 6.2 on page 94 for background information.
  • Page 106: Http Redirect

    Chapter 6 Configuration Basics The ZyWALL only checks regular (through-ZyWALL) firewall rules for packets that are redirected by NAT; it does not check the to-ZyWALL firewall rules. MENU ITEM(S): Configuration > Network > NAT. PREREQUISITES: Interfaces, addresses (HOST). Example: Suppose you have an FTP server with a private IP address connected to a DMZ port.
  • Page 107: Alg

    Chapter 6 Configuration Basics Name the entry. Select the interface from which you want to redirect incoming HTTP requests (ge1). Specify the IP address of the HTTP proxy server. Specify the port number to use for the HTTP traffic that you forward to the proxy server.
  • Page 108: Ipsec Vpn

    Chapter 6 Configuration Basics Example: Suppose you have a SIP proxy server connected to the DMZ zone for VoIP calls. You could configure a firewall rule to allow VoIP sessions from the SIP proxy server on DMZ to the LAN so VoIP users on the LAN can receive calls. Create a VoIP service object for UDP port 5060 traffic (Configuration >...
  • Page 109: L2Tp Vpn

    Chapter 6 Configuration Basics WHERE USED: Policy routes, zones. Example: See Chapter 7 on page 117. 6.5.17 L2TP VPN Use L2TP VPN to let remote users use the L2TP and IPSec client software included with their computers’ operating systems to securely connect to the network behind the ZyWALL.
  • Page 110: Anti-Virus

    Chapter 6 Configuration Basics Note: With this example, Bob would have to log in using his account. If you do not want him to have to log in, you might create an exception policy with Bob’s computer IP address as the source. 6.5.19 Anti-Virus Use anti-virus to detect and take action on viruses.
  • Page 111: Anti-Spam

    Chapter 6 Configuration Basics Create a user account for Bill if you have not done so already (Configuration > Object > User/Group). Create a schedule for the work day (Configuration > Object > Schedule). Click Configuration > Anti-X > Content Filter > Filter Profile. Click the Add icon to go to the screen where you can configure a category-based profile.
  • Page 112: Objects

    Chapter 6 Configuration Basics 6.6 Objects Objects store information and are referenced by other features. If you update this information in response to changes, the ZyWALL automatically propagates the change through the features that use the object. Move your cursor over a configuration object that has a magnifying-glass icon (such as a user group, address, address group, service, service group, zone, or schedule) to display basic information about the object.
  • Page 113: System

    Chapter 6 Configuration Basics Table 20 User Types (TYPE: ABILITIES) • guest: Access network services. • ext-user: The same as a user or a guest except the ZyWALL looks for the specific type in an external authentication server. If the type is not available, the ZyWALL applies default settings.
  • Page 114: Logs And Reports

    Chapter 6 Configuration Basics Create an address object for the administrator’s computer (Configuration > Object > Address). Click Configuration > System > WWW to configure the HTTP management access. Enable HTTPS and add an administrator service control entry. • Select the address object for the administrator’s computer. •...
  • Page 115 Chapter 6 Configuration Basics Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the ZyWALL or remove the power. Not doing so can cause the firmware to become corrupt. MENU ITEM(S): Maintenance > Shutdown. ZyWALL USG 300 User’s Guide...
  • Page 117: Tutorials

    CHAPTER 7 Tutorials Here are examples of using the Web Configurator to set up features in the ZyWALL. See also Chapter 8 on page 185 for an example of configuring L2TP VPN. Note: The tutorials featured here require a basic understanding of connecting to and using the Web Configurator, see Chapter 3 on page 47 for details.
  • Page 118: Configure A Wan Ethernet Interface

    Chapter 7 Tutorials • You want to be able to apply security settings specifically for all VPN tunnels so you create a new VPN zone. Figure 60 Ethernet Interface, Port Grouping, and Zone Configuration Example 7.1.1 Configure a WAN Ethernet Interface You need to assign the ZyWALL’s ge2 interface a static IP address of 1.2.3.4.
  • Page 119: Configure Port Grouping

    Chapter 7 Tutorials Click Configuration > Network > Zone and then the Add icon. Enter VPN as the name, select Default_L2TP_VPN_Connection and move it to the Member box and click OK. Figure 62 Configuration > Network > Zone > WAN Edit 7.1.3 Configure Port Grouping Here is how to combine physical ports P4 and P5 into the ge4 interface port group.
  • Page 120: How To Configure A Cellular Interface

    Chapter 7 Tutorials Drag physical port 5 onto representative interface ge4 and click Apply. Figure 63 Configuration > Network > Interface > Port Grouping Example Click Dashboard, and look at the Interface Status Summary. Ethernet interface ge4 has a status of Port Group Up if it is connected or Port Group Down if it is not connected.
  • Page 121 Chapter 7 Tutorials Click Configuration > Network > Interface > Cellular. Select the 3G device’s entry and click Edit. Figure 65 Configuration > Network > Interface > Cellular Enable the interface and add it to a zone. It is highly recommended that you set the Zone to WAN to apply your WAN zone security settings to this 3G connection.
  • Page 122: How To Configure Load Balancing

    Chapter 7 Tutorials Go to the Dashboard. The Interface Status Summary section should contain a “cellular” entry. When its connection status is Connected you can use the 3G connection to access the Internet. Figure 67 Status The ZyWALL automatically adds the cellular interface to the system default WAN trunk.
  • Page 123: Set Up Available Bandwidth On Ethernet Interfaces

    Chapter 7 Tutorials You do not have to change many of the ZyWALL’s settings from the defaults to set up this trunk. You only have to set up the outgoing bandwidth on each of the WAN interfaces and configure the WAN_TRUNK trunk’s load balancing settings. 7.3.1 Set Up Available Bandwidth on Ethernet Interfaces Here is how to set a limit on how much traffic the ZyWALL tries to send out through each WAN interface.
  • Page 124: Configure The Wan Trunk

    Chapter 7 Tutorials 7.3.2 Configure the WAN Trunk Click Configuration > Network > Interface > Trunk. Click the Add icon. Name the trunk and set the Load Balancing Algorithm field to Weighted Round Robin. Add ge2 and enter 2 in the Weight column. Add ge3 and enter 1 in the Weight column.
  • Page 125: How To Set Up A Wireless Lan

    Chapter 7 Tutorials Select the trunk as the default trunk and click Apply. Figure 71 Configuration > Network > Interface > Trunk 7.4 How to Set Up a Wireless LAN You can install a wireless LAN card (IEEE 802.11b/g) in the PCMCIA slot (see Table 272 on page 939 for the supported cards).
  • Page 126: Create The Wlan Interface

    Chapter 7 Tutorials Click Configuration > Object > User/Group > User and the Add icon. Set the User Name to wlan_user. Enter (and re-enter) the user’s password. Click OK. Figure 72 Configuration > Object > User/Group > User > Add Use the Add icon in the Configuration >...
  • Page 127 Chapter 7 Tutorials Edit this screen as follows. A (internal) name for the WLAN interface displays. You can modify it if you want. The ZyWALL’s security settings are configured by zones. Select to which security zone you want the WLAN interface to belong (the WLAN zone in this example). This determines which security settings the ZyWALL applies to the WLAN interface.
  • Page 128 Chapter 7 Tutorials Figure 73 Configuration > Network > Interface > WLAN > Add
  • Page 129: Set Up The Wireless Clients To Use The Wlan Interface

    The following sections show you how to have a wireless client (not included with the ZyWALL) use the wireless network. 7.4.3.1 Configure the ZyXEL Wireless Client Utility This example covers how to configure ZyXEL’s wireless client utility (not included with the ZyWALL) to use the WLAN interface. See Section 7.4.3.2 on page 133 instead for how to use Funk Odyssey’s wireless client software if you want the...
  • Page 130 Figure 75 ZyXEL Wireless Client Add a new profile. This example uses “ZYXEL_WPA” as the name. It is also the SSID (name) of the wireless network. Select Infrastructure and click Next. Figure 76 ZyXEL Wireless Client > Profile
  • Page 131 Chapter 7 Tutorials Select WPA2 as the security type and click Next. Figure 77 ZyXEL Wireless Client > Profile: Security Type Set the encryption type to TKIP and the EAP type to TTLS. Configure wlan_user as the Login Name and enter the account’s password (also wlan_user in this example). Note: TKIP is the older WPA cipher; select AES (CCMP) where both the ZyWALL and the client offer it. The password matches the user name only to keep the example short; use a strong, distinct password in practice.
  • Page 132 Chapter 7 Tutorials Confirm your settings and click Save. Figure 79 ZyXEL Wireless Client > Profile: Save Click Activate Now. Figure 80 ZyXEL Wireless Client > Profile: Activate
  • Page 133 Chapter 7 Tutorials The ZYXEL_WPA profile displays in your list of profiles. Figure 81 ZyXEL Wireless Client > Profile: Activate Since the ZyXEL utility does not have the wireless client validate the ZyWALL’s certificate, you can go to Section 7.4.3.4 on page 141. Without server certificate validation the client will hand its TTLS login name and password to any access point that announces the same SSID, so prefer a client that validates the certificate (Section 7.4.3.2) where you can.
  • Page 134 Chapter 7 Tutorials Name the profile (this example uses ZYXEL_WPA). In the User Info tab, configure wlan_user as the Login name. In the Password sub-tab, select Prompt for login name and password. Figure 83 Odyssey Access Client Manager > Profiles > User Info Click the Authentication tab and select Validate server certificate.
  • Page 135 Chapter 7 Tutorials Click the TTLS tab and select PAP. Then click OK. Figure 85 Odyssey Access Client Manager > Profiles > Authentication Click Networks > Add. Figure 86 Odyssey Access Client Manager > Networks
  • Page 136 Chapter 7 Tutorials Enter the name of the wireless network (“ZYXEL_WPA” in this example) or click Scan to look for it. Then select Authenticate using profile and select the profile you configured (“ZYXEL_WPA” in this example). Click OK. Figure 87 Odyssey Access Client Manager > Networks > Add Use the next section to import the ZyWALL’s certificate into the wireless client.
  • Page 137 Chapter 7 Tutorials In Internet Explorer, click Tools > Internet Options > Content and click the Certificates button. Figure 88 Internet Explorer: Tools > Internet Options > Content Click Import. Figure 89 Internet Explorer: Tools > Internet Options > Content > Certificates
  • Page 138 Chapter 7 Tutorials Use the wizard screens to import the certificate. You may need to change the Files of Type setting to All Files in order to see the certificate file. Figure 90 Internet Explorer Certificate Import Wizard File Open Screen When you get to the Certificate Store screen, select the option to automatically select the certificate store based on the type of certificate.
  • Page 139 Chapter 7 Tutorials If you get a security warning screen, click Yes to proceed. Figure 92 Internet Explorer Certificate Import Certificate Warning Screen
  • Page 140 Chapter 7 Tutorials The Internet Explorer Certificates screen remains open after the import is done. You can see the newly imported certificate listed in the Trusted Root Certification Authorities tab. The values in the Issued To and Issued By fields should match those in the ZyWALL’s My Certificates screen’s Subject and Issuer fields (respectively).
  • Page 141: How To Set Up An Ipsec Vpn Tunnel

    Chapter 7 Tutorials 7.4.3.4 Wireless Clients Use the WLAN Interface A login screen displays when the wireless client attempts to connect to the wireless interface. Enter the username and password and click OK. Figure 95 Funk Odyssey Access Wireless Client Login Example 7.5 How to Set Up an IPSec VPN Tunnel This example shows how to use the IPSec VPN configuration screens to create the following VPN tunnel, see...
  • Page 142: Set Up The Vpn Gateway

    Chapter 7 Tutorials 7.5.1 Set Up the VPN Gateway The VPN gateway manages the IKE SA. You do not have to set up any other objects before you configure the VPN gateway because this VPN tunnel does not use any certificates or extended authentication. Click Configuration >...
  • Page 143 Chapter 7 Tutorials Click Configuration > Object > Address. Click the Add icon. Give the new address object a name (“VPN_REMOTE_SUBNET”), change the Address Type to SUBNET. Set up the Network field to 172.16.1.0 and the Netmask to 255.255.255.0. Click OK. Figure 98 Configuration >...
  • Page 144: Configure Security Policies For The Vpn Tunnel

    Chapter 7 Tutorials 7.5.3 Configure Security Policies for the VPN Tunnel You configure security policies based on zones. Assign the new VPN connection to a zone to be able to apply security policies (firewall rules, IDP, and so on) to the VPN connection.
  • Page 145 Chapter 7 Tutorials VPN Gateway (Phase 1): • My Address: 10.0.0.2 • Primary Remote Gateway: 10.0.0.1 Network Policy (Phase 2): • Local Network: 192.168.167.0/255.255.255.0 • Remote Network: 192.168.168.0~192.168.169.255 Headquarters (USG ZyWALL or ZyWALL 1050): VPN Gateway (VPN Tunnel 1): • My Address: 10.0.0.1 • Peer Gateway Address: 10.0.0.2 VPN Connection (VPN Tunnel 1): •...
  • Page 146: How To Configure User-Aware Access Control

    Chapter 7 Tutorials 7.6.0.1 Hub-and-spoke VPN Requirements and Suggestions Consider the following when implementing a hub-and-spoke VPN. • This example uses a wide range for the ZyNOS-based ZyWALL’s remote network, to use a narrower range, see Section 25.4.1 on page 499 for an example of configuring a VPN concentrator.
  • Page 147: Set Up User Accounts

    Chapter 7 Tutorials Table 21 User-aware Access Control Example (continued) LAN-TO-DMZ GROUP (USER) BANDWIDTH MSN SURFING ACCESS Guest (guest) Others The users are authenticated by an external RADIUS server at 192.168.1.200. First, set up the user accounts and user groups in the ZyWALL. Then, set up user authentication using the RADIUS server.
  • Page 148: Set Up User Groups

    Chapter 7 Tutorials 7.7.2 Set Up User Groups Set up the user groups and assign the users to the user groups. Click Configuration > Object > User/Group > Group. Click the Add icon. Enter the name of the group that is used in Table 21 on page 146.
  • Page 149 Chapter 7 Tutorials Click Configuration > Object > AAA Server > RADIUS. Double-click the radius entry. Configure the RADIUS server’s address, authentication port (1812 if you were not told otherwise), and key, and click Apply. Figure 103 Configuration > Object > AAA Server > RADIUS > Add Click Configuration >...
  • Page 150: Web Surfing Policies With Bandwidth Restrictions

    Chapter 7 Tutorials Note: The users will have to log in using the Web Configurator login screen before they can use HTTP or MSN. Figure 105 Configuration > Object > User/Group > Setting > Add (Force User Authentication Policy) When the users try to browse the web (or use any HTTP/HTTPS application), the Login screen appears.
  • Page 151 Chapter 7 Tutorials Click Configuration > AppPatrol. If application patrol and bandwidth management are not enabled, enable them, and click Apply. Figure 106 Configuration > AppPatrol > General Click the Common tab and double-click the http entry. Figure 107 Configuration > AppPatrol > Common
  • Page 152 Chapter 7 Tutorials Double-click the Default policy. Figure 108 Configuration > AppPatrol > Common > http Change the access to Drop because you do not want anyone except authorized user groups to browse the web. Click OK. Figure 109 Configuration > AppPatrol > Common > http > Edit Default
  • Page 153: Set Up Msn Policies

    Chapter 7 Tutorials Click the Add icon in the policy list. In the new policy, select one of the user groups that is allowed to browse the web and set the corresponding bandwidth restriction in the Inbound and Outbound fields. Click OK. Repeat this process to add exceptions for all the other user groups that are allowed to browse the web.
  • Page 154: Set Up Firewall Rules

    Chapter 7 Tutorials Give the schedule a descriptive name. Set up the days (Monday through Friday) and the times (8:30 - 18:00) when Sales is allowed to use MSN. Click OK. Figure 111 Configuration > Object > Schedule > Add (Recurring) Follow the steps in Section 7.7.4 on page 150 to set up the appropriate policies for...
  • Page 155: How To Use A Radius Server To Authenticate User Accounts Based On Groups

    Chapter 7 Tutorials Click the Add icon again and create a rule for one of the user groups that is allowed to access the DMZ. Figure 113 Configuration > Firewall > Add Repeat this process to set up firewall rules for the other user groups that are allowed to access the DMZ.
  • Page 156 Chapter 7 Tutorials Click Configuration > Object > AAA Server > RADIUS. Double-click the radius entry. Besides configuring the RADIUS server’s address, authentication port, and key; set the Group Membership Attribute field to the attribute that the ZyWALL is to check to determine to which group a user belongs. This example uses Class.
  • Page 157: How To Use Endpoint Security And Authentication Policies

    Chapter 7 Tutorials Now you add ext-group-user user objects to identify groups based on the group identifier values. Set up one user account for each group of user accounts in the RADIUS server. Click Configuration > Object > User/Group > User. Click the Add icon.
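How the Class-based lookup above works end to end is shown by the following added example (it is not ZyXEL code): it builds a RADIUS Access-Accept the way a server would, verifies the Response Authenticator with the shared secret before trusting anything in the reply, walks the attribute list for Class (type 25, the attribute selected as Group Membership Attribute in Section 7.8) and maps its value to an ext-group-user name as the step above describes. The shared secret, the Request Authenticator, the group identifier values and the extra Reply-Message attribute are constructed for the example.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2   # RFC 2865 packet code
CLASS_ATTR = 25     # RFC 2865 Class attribute; the tutorial uses it as Group Membership Attribute
REPLY_MESSAGE = 18


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Construct an Access-Accept as a RADIUS server does (RFC 2865 section 3).
    attributes is a list of (type, value_bytes); each is encoded as type, length, value."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def parse_radius(packet, request_authenticator, secret):
    """Check the Response Authenticator first, then decode attributes.
    Returns (code, identifier, [(type, value), ...]); raises ValueError on anything untrusted."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    packet = packet[:length]          # RFC 2865: octets beyond Length are padding, ignored
    resp_auth, body = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + body + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, body[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, attrs


def group_from_class(attrs, group_identifiers):
    """Map the Class value to the ext-group-user whose Group Identifier equals it.
    A server may send several Class attributes; the first that maps wins. None = no group."""
    for attr_type, value in attrs:
        if attr_type == CLASS_ATTR:
            name = group_identifiers.get(value.decode("utf-8", "replace"))
            if name:
                return name
    return None


# Constructed values (hypothetical): ext-group-user objects keyed by Group Identifier,
# the RADIUS shared key, and the Request Authenticator of the Access-Request being answered.
GROUP_IDENTIFIERS = {"sales": "Sales", "rd": "RD"}
SECRET = b"example-shared-secret"
REQ_AUTH = bytes(range(16))


def lookup_group(class_value, secret=SECRET):
    """Simulate one round trip: server replies with Class=class_value, ZyWALL verifies and maps it."""
    reply = build_access_accept(7, REQ_AUTH, secret, [(CLASS_ATTR, class_value), (REPLY_MESSAGE, b"welcome")])
    _code, _ident, attrs = parse_radius(reply, REQ_AUTH, SECRET)
    return group_from_class(attrs, GROUP_IDENTIFIERS)


if __name__ == "__main__":
    print(lookup_group(b"sales"))   # Sales
    print(lookup_group(b"guest"))   # None: no ext-group-user with that Group Identifier
```

The authenticator check is the part to keep in mind when the Group Identifier is what grants DMZ access: a reply that fails it must be discarded, not treated as "no group".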
  • Page 158 Chapter 7 Tutorials • Select Endpoint must have Personal Firewall installed and move the Kaspersky Internet Security entries to the allowed list (you can double-click an entry to move it). • Select Endpoint must have Anti-Virus software installed and move the Kaspersky Internet Security and Kaspersky Anti-Virus anti-virus software entries to the allowed list.
  • Page 159: Configure The Authentication Policy

    Chapter 7 Tutorials Repeat as needed to create endpoint security objects for other Windows operating system versions. 7.9.2 Configure the Authentication Policy Click Configuration > Auth. Policy > Add to open the Endpoint Security Edit screen. Use this screen to configure an authentication policy to use endpoint security objects.
  • Page 160: How To Configure Service Control

    Chapter 7 Tutorials Turn on authentication policy and click Apply. Figure 118 Configuration > Auth. Policy The following figure shows an error message example when a user’s computer does not meet an endpoint security object’s requirements. Click Close to return to the login screen.
  • Page 161: Allow Https Administrator Access Only From The Lan

    Chapter 7 Tutorials user access (logging into SSL VPN for example). See Chapter 50 on page 825 more on service control. The To-ZyWALL firewall rules apply to any kind of HTTP or HTTPS connection to the ZyWALL. They do not distinguish between administrator management access and user access.
  • Page 162 Chapter 7 Tutorials Select the new rule and click the Add icon. Figure 122 Configuration > System > WWW (First Example Admin Service Rule Configured) In the Zone field select ALL and set the Action to Deny. Click OK. Figure 123 Configuration > System > WWW > Service Control Rule Edit
  • Page 163: How To Allow Incoming H.323 Peer-To-Peer Calls

    Chapter 7 Tutorials Click Apply. Figure 124 Configuration > System > WWW (Second Example Admin Service Rule Configured) Now administrator access to the Web Configurator can only come from the LAN zone. Non-admin users can still use HTTPS to log into the ZyWALL from any of the ZyWALL’s zones (to use SSL VPN for example).
  • Page 164: Turn On The Alg

    Chapter 7 Tutorials for ge2 IP address 10.0.0.8 to a H.323 device located on the LAN and using IP address 192.168.1.56. Figure 125 WAN to LAN H.323 Peer-to-peer Calls Example 192.168.1.56 10.0.0.8 7.11.1 Turn On the ALG Click Configuration > Network > ALG. Select Enable H.323 ALG and Enable H.323 transformations and click Apply.
  • Page 165 Chapter 7 Tutorials Use Configuration > Object > Address > Add to create an address object for the public WAN IP address (called WAN_IP-for-H323 here). Then use it again to create an address object for the H.323 device’s private LAN IP address (called LAN_H323 here).
  • Page 166: Set Up A Firewall Rule For H.323

    Chapter 7 Tutorials Click Configuration > Network > NAT > Add. Configure a name for the rule (WAN-LAN_H323 here). You want the LAN H.323 device to receive peer-to-peer calls from the WAN and also be able to initiate calls to the WAN so you set the Classification to NAT 1:1. Set the Incoming Interface to ge2.
  • Page 167: How To Allow Public Access To A Web Server

    Chapter 7 Tutorials Click Configuration > Firewall > Add. In the From field select WAN. In the To field select LAN. Configure a name for the rule (WAN-to-LAN_H323 here). Set the Destination to the H.323 device’s LAN IP address object (LAN_H323). LAN_H323 is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule.
  • Page 168: Create The Address Objects

    Chapter 7 Tutorials 7.12.1 Create the Address Objects Use Configuration > Object > Address > Add to create the address objects. Create a host address object named DMZ_HTTP for the HTTP server’s private IP address of 192.168.3.7. Figure 131 Creating the Address Object for the HTTP Server’s Private IP Address Create a host address object named Public_HTTP_Server_IP for the public WAN IP address 1.1.1.1.
  • Page 169: Set Up A Firewall Rule

    Chapter 7 Tutorials • Keep Enable NAT Loopback selected to allow users connected to other interfaces to access the HTTP server (see NAT Loopback on page 425 details). Figure 133 Creating the NAT Entry 7.12.3 Set Up a Firewall Rule The firewall blocks traffic from the WAN zone to the DMZ zone by default so you need to create a firewall rule to allow the public to send HTTP traffic to IP address 1.1.1.1 in order to access the HTTP server.
  • Page 170: How To Use An Ippbx On The Dmz

    Chapter 7 Tutorials Click Configuration > Firewall > Add. Set the From field as WAN and the To field as DMZ. Set the Destination to the HTTP server’s DMZ IP address object (DMZ_HTTP). DMZ_HTTP is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule.
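The ordering is worth checking rather than remembering: the following added example (not ZyXEL code) models the ZLD 2.20 inbound path for 1:1 and Many 1:1 NAT as this chapter describes it for the H.323 device and the web server, translating the destination first and only then evaluating zone-based firewall rules against the translated packet. It uses the tutorial's DMZ_HTTP and Public_HTTP_Server_IP objects and the 1.1.1.1 to 192.168.3.7 mapping; the subnet-to-zone table, the "tcp/80" service notation and the Many 1:1 range are constructed for the example. A rule written against the public address never matches, so the traffic falls through to the default WAN-to-DMZ deny, which is exactly the mistake the wording above guards against.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Constructed topology (zone membership follows Section 6.2.2; subnets are example values).
ZONE_OF_INTERFACE = {"ge1": "LAN", "ge2": "WAN", "ge3": "WAN", "ge4": "DMZ"}
ZONE_OF_SUBNET = {IPv4Network("192.168.1.0/24"): "LAN", IPv4Network("192.168.3.0/24"): "DMZ"}
ADDRESS_OBJECTS = {
    "DMZ_HTTP": IPv4Address("192.168.3.7"),
    "Public_HTTP_Server_IP": IPv4Address("1.1.1.1"),
}


@dataclass(frozen=True)
class NatRule:
    """1:1 NAT (public_start == public_end) or Many 1:1 NAT (a public range mapped onto a
    private range of the same size, address by address)."""
    name: str
    incoming_iface: str
    public_start: IPv4Address
    public_end: IPv4Address
    private_start: IPv4Address

    def translate(self, iface, dst):
        if iface != self.incoming_iface or not (self.public_start <= dst <= self.public_end):
            return None
        return IPv4Address(int(self.private_start) + (int(dst) - int(self.public_start)))


@dataclass(frozen=True)
class FirewallRule:
    name: str
    from_zone: str
    to_zone: str
    destination: str   # address object name, or "any"
    service: str       # e.g. "tcp/80", or "any"
    access: str        # "allow" or "deny"


def zone_of_address(addr):
    for net, zone in ZONE_OF_SUBNET.items():
        if addr in net:
            return zone
    return "WAN"


def apply_nat(nat_rules, iface, dst):
    """NAT table: rules are checked in order and the first match translates the destination."""
    for rule in nat_rules:
        translated = rule.translate(iface, dst)
        if translated is not None:
            return translated, rule.name
    return dst, None


def check_firewall(fw_rules, from_zone, to_zone, dst, service):
    """First matching rule wins. With no match the packet is dropped, which is what the
    tutorial states for WAN-to-DMZ traffic by default."""
    for rule in fw_rules:
        if (rule.from_zone, rule.to_zone) != (from_zone, to_zone):
            continue
        if rule.destination != "any" and ADDRESS_OBJECTS[rule.destination] != dst:
            continue
        if rule.service not in ("any", service):
            continue
        return rule.access, rule.name
    return "deny", "default"


def process_inbound(nat_rules, fw_rules, iface, dst, service):
    """ZLD 2.20 order for a packet arriving on a WAN interface: NAT table, then firewall,
    with the firewall seeing the already translated destination."""
    dst = IPv4Address(dst)
    translated, nat_name = apply_nat(nat_rules, iface, dst)
    access, fw_name = check_firewall(fw_rules, ZONE_OF_INTERFACE[iface],
                                     zone_of_address(translated), translated, service)
    return {"translated_dst": str(translated), "nat_rule": nat_name,
            "access": access, "firewall_rule": fw_name}


NAT_RULES = [
    NatRule("WAN-DMZ_HTTP", "ge2", IPv4Address("1.1.1.1"), IPv4Address("1.1.1.1"), IPv4Address("192.168.3.7")),
    # Constructed Many 1:1 entry (not in the tutorial): 1.1.1.10-1.1.1.12 -> 192.168.3.10-192.168.3.12
    NatRule("Many-1to1-example", "ge2", IPv4Address("1.1.1.10"), IPv4Address("1.1.1.12"), IPv4Address("192.168.3.10")),
]
RIGHT_RULE = FirewallRule("WAN-to-DMZ_HTTP", "WAN", "DMZ", "DMZ_HTTP", "tcp/80", "allow")
WRONG_RULE = FirewallRule("WAN-to-DMZ_HTTP_public", "WAN", "DMZ", "Public_HTTP_Server_IP", "tcp/80", "allow")

if __name__ == "__main__":
    print(process_inbound(NAT_RULES, [RIGHT_RULE], "ge2", "1.1.1.1", "tcp/80"))   # allow
    print(process_inbound(NAT_RULES, [WRONG_RULE], "ge2", "1.1.1.1", "tcp/80"))   # deny, default
```

The same model explains the H.323 rule in Section 7.11.3, where LAN_H323 rather than the WAN address object is the destination.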
  • Page 171 Chapter 7 Tutorials address 1.1.1.2 that you will use on the ge3 interface and map to the IPPBX’s private IP address of 192.168.3.9. The local SIP clients are on the LAN. Figure 135 IPPBX Example Network Topology
  • Page 172: Turn On The Alg

    Chapter 7 Tutorials 7.13.1 Turn On the ALG Click Configuration > Network > ALG. Select Enable SIP ALG and Enable SIP Transformations and click Apply. Figure 136 Configuration > Network > ALG 7.13.2 Create the Address Objects Use Configuration > Object > Address > Add to create the address objects. Create a host address object named IPPBX-DMZ for the IPPBX’s private DMZ IP address of 192.168.3.9.
  • Page 173: Setup A Nat Policy For The Ippbx

    Chapter 7 Tutorials Create a host address object named IPPBX-Public for the public WAN IP address 1.1.1.2. Figure 138 Creating the Public IP Address Object 7.13.3 Setup a NAT Policy for the IPPBX Click Configuration > Network > NAT > Add. •...
  • Page 174: Set Up A Wan To Dmz Firewall Rule For Sip

    Chapter 7 Tutorials • Click OK. Figure 139 Configuration > Network > NAT > Add 7.13.4 Set Up a WAN to DMZ Firewall Rule for SIP The firewall blocks traffic from the WAN zone to the DMZ zone by default so you need to create a firewall rule to allow the public to send SIP traffic to the IPPBX.
  • Page 175: Set Up A Dmz To Lan Firewall Rule For Sip

    Chapter 7 Tutorials Click Configuration > Firewall > Add. Set the From field as WAN and the To field as DMZ. Set the Destination to the IPPBX’s DMZ IP address object (IPPBX-DMZ). IPPBX-DMZ is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule.
  • Page 176: How To Use Multiple Static Public Wan Ip Addresses For Lan To Wan Traffic

    Chapter 7 Tutorials Click Configuration > Firewall > Add. Set the From field as DMZ and the To field as LAN. Set the Source to the IPPBX’s DMZ IP address object (IPPBX-DMZ). Leave the Access field set to allow and click OK.
  • Page 177: Configure The Policy Route

    Chapter 7 Tutorials 7.14.2 Configure the Policy Route Now you need to configure a policy route that has the ZyWALL use the range of public IP addresses as the source address for LAN to WAN traffic. Click Configuration > Network > Routing > Policy Route > Add. Although adding a description is optional, it is recommended.
  • Page 178: Before You Start

    Chapter 7 Tutorials An Ethernet switch connects both ZyWALLs’ ge1 interfaces to the LAN. Whichever ZyWALL is functioning as the master uses the default gateway IP address of the LAN computers (192.168.1.1) for its ge1 interface and the static public IP address (1.1.1.1) for its ge2 interface.
  • Page 179: Configure Device Ha On The Master Zywall

    Chapter 7 Tutorials 7.15.2 Configure Device HA on the Master ZyWALL Log into ZyWALL A (the master) and click Configuration > Device HA > Active- Passive Mode. Double-click ge1’s entry. Configure 192.168.1.3 as the Management IP and 255.255.255.0 as the Manage IP Subnet Mask.
  • Page 180 Chapter 7 Tutorials Set the Device Role to Master. This example focuses on the connection from the LAN (ge1) to the Internet through the ge2 interface, so select the ge1 and ge2 interfaces and click Activate. Enter a Synchronization Password (“mySyncPassword”...
  • Page 181: Configure The Backup Zywall

    Chapter 7 Tutorials 7.15.3 Configure the Backup ZyWALL Connect a computer to ZyWALL B’s ge1 interface and log into its Web Configurator. Connect ZyWALL B to the Internet and subscribe it to the same subscription services (like content filtering and anti-virus) to which ZyWALL A is subscribed.
  • Page 182 Chapter 7 Tutorials Set the Device Role to Backup. Activate monitoring for the ge1 and ge2 interfaces. Set the Synchronization Server Address to 192.168.1.1, the Port to 21, and the Password to “mySyncPassword”. Select Auto Synchronize and set the Interval to 60 (minutes). Click Apply. Note: Synchronization runs over the LAN between the two ZyWALLs, so keep that segment trusted and use a synchronization password that is not reused anywhere else. Figure 150 Configuration >...
  • Page 183: Deploy The Backup Zywall

    Chapter 7 Tutorials 7.15.4 Deploy the Backup ZyWALL Connect ZyWALL B’s ge1 interface to the LAN network. Connect ZyWALL B’s ge2 interface to the same router that ZyWALL A’s ge2 interface uses for Internet access. ZyWALL B copies A’s configuration (and re-synchronizes with A every hour).
  • Page 185: L2Tp Vpn Example

    Chapter 8 L2TP VPN Example Here is how to create a basic L2TP VPN tunnel. 8.1 L2TP VPN Example This example uses the following settings in creating a basic L2TP VPN tunnel. Figure 152 L2TP VPN Example 172.16.1.2 L2TP_POOL: 192.168.10.10~192.168.10.20...
  • Page 186 Chapter 8 L2TP VPN Example • Configure the My Address setting. This example uses interface ge2 with static IP address 172.16.1.2. Note: If it is possible that the remote user’s public IP address could be in the same subnet as the specified My Address, click Configure > Network > Routing > Policy Route >...
  • Page 187: Configuring The Default L2Tp Vpn Connection Example

    Chapter 8 L2TP VPN Example 8.3 Configuring the Default L2TP VPN Connection Example Click Configuration > VPN > Network > IPSec VPN to open the screen that lists the VPN connections. Double-click the Default_L2TP_VPN_Connection entry. Click the Show Advanced Settings button. Configure and enforce the local and remote policies.
  • Page 188: Configuring The L2Tp Vpn Settings Example

    Chapter 8 L2TP VPN Example Select the Default_L2TP_VPN_Connection entry and click Activate and then Apply to turn on the entry. Figure 156 Configuration > VPN > IPSec VPN > VPN Connection (Enable) 8.4 Configuring the L2TP VPN Settings Example Click Configuration > VPN > L2TP VPN and configure the following. •...
  • Page 189: Configuring L2Tp Vpn In Windows Vista, Xp, Or 2000

    Chapter 8 L2TP VPN Example • The other fields are left to the defaults in this example, click Apply. Figure 157 Configuration > VPN > L2TP VPN Example 8.5 Configuring L2TP VPN in Windows Vista, XP, or 2000 The following sections cover how to configure L2TP in remote user computers using Windows Vista, XP, and 2000.
  • Page 190 Chapter 8 L2TP VPN Example Select Connect to a workplace and click Next. Figure 158 Set up a connection or network: Choose a connection type Select Use my Internet connection (VPN). Figure 159 Connect to a workplace: How do you want to connect?
  • Page 191 Chapter 8 L2TP VPN Example Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN (172.16.1.2 in this example). For the Destination Name, enter L2TP to ZyWALL. Select Don’t connect now, just set it up so I can connect later and click Next.
  • Page 192 Chapter 8 L2TP VPN Example Click Close. Figure 162 Connect to a workplace: The connection is ready to use In the Network and Sharing Center screen, click Connect to a network. Right-click the L2TP VPN connection and select Properties. Figure 163 Connect L2TP to ZyWALL
  • Page 193 Chapter 8 L2TP VPN Example Click Security, select Advanced (custom settings) and click Settings. Figure 164 Connect L2TP to ZyWALL: Security Set Data encryption to Optional encryption (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes.
  • Page 194 Chapter 8 L2TP VPN Example inside it. The L2TP tunnel itself does not need encryption since it is inside the encrypted IPSec VPN tunnel. Figure 166 Connect ZyWALL L2TP: Security > Advanced > Warning 11 Click Networking. Set the Type of VPN to L2TP IPSec VPN and click IPSec Settings.
  • Page 195 Chapter 8 L2TP VPN Example 13 Select the L2TP VPN connection and click Connect. Figure 169 L2TP to ZyWALL Properties: Networking 14 Enter the user name and password of your ZyWALL user account. Click Connect. Figure 170 Connect L2TP to ZyWALL
  • Page 196 Chapter 8 L2TP VPN Example 15 A window appears while the user name and password are verified and notifies you when the connection is established. Figure 171 Connecting to L2TP to ZyWALL 16 If a window appears asking you to select a location for the network, you can select Work if you want your computer to be discoverable by computers behind the ZyWALL.
  • Page 197 Chapter 8 L2TP VPN Example 17 After the network location has been set, click Close. Figure 173 Set Network Location Successful 18 After the connection is up a connection icon displays in your system tray. Click it and then the L2TP connection to open a status screen. Figure 174 Connection System Tray Icon
  • Page 198 Chapter 8 L2TP VPN Example 19 Click the L2TP connection’s View status link to open a status screen. Figure 175 Network and Sharing Center 20 Click Details to see the address that you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20).
  • Page 199: Configuring L2Tp In Windows Xp

    Chapter 8 L2TP VPN Example 8.5.2 Configuring L2TP in Windows XP In Windows XP do the following to establish an L2TP VPN connection. Click Start > Control Panel > Network Connections > New Connection Wizard. Click Next in the Welcome screen. Select Connect to the network at my workplace and click Next.
  • Page 200 Chapter 8 L2TP VPN Example Type L2TP to ZyWALL as the Company Name. Figure 179 New Connection Wizard: Connection Name Select Do not dial the initial connection and click Next. Figure 180 New Connection Wizard: Public Network
  • Page 201 Chapter 8 L2TP VPN Example Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN (172.16.1.2 in this example). Figure 181 New Connection Wizard: VPN Server Selection 172.16.1.2 Click Finish.
  • Page 202 Chapter 8 L2TP VPN Example 10 Click Security, select Advanced (custom settings) and click Settings. Figure 183 Connect L2TP to ZyWALL: Security 11 Select Optional encryption (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes.
  • Page 203 Chapter 8 L2TP VPN Example 12 Click IPSec Settings. Figure 185 L2TP to ZyWALL Properties > Security 13 Select the Use pre-shared key for authentication check box and enter the pre-shared key used in the VPN gateway configuration that the ZyWALL is using for L2TP VPN.
  • Page 204 Chapter 8 L2TP VPN Example 14 Click Networking. Select L2TP IPSec VPN as the Type of VPN. Click OK. Figure 187 L2TP to ZyWALL Properties: Networking 15 Enter the user name and password of your ZyWALL account. Click Connect. Figure 188 Connect L2TP to ZyWALL 16 A window appears while the user name and password are verified.
  • Page 205: Configuring L2Tp In Windows 2000

    Chapter 8 L2TP VPN Example 18 Click Details to see the address that you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20). Figure 190 ZyWALL-L2TP Status: Details 19 Access a server or other network resource behind the ZyWALL to make sure your access works.
  • Page 206 Chapter 8 L2TP VPN Example Select HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters. Figure 192 Registry Key Right-click Parameters and select New > DWORD Value. Figure 193 New DWORD Value Enter ProhibitIpSec as the name, and make sure the Data displays as 0’s. Figure 194 ProhibitIpSec DWORD Value Restart the computer and continue with the next section.
  • Page 207 Chapter 8 L2TP VPN Example 8.5.3.2 Configure the Windows 2000 IPSec Policy After you have created the registry entry and restarted the computer, use these directions to configure an IPSec policy for the computer to use. Click Start > Run. Type mmc and click OK. Figure 195 Run mmc Click Console >...
  • Page 208 Chapter 8 L2TP VPN Example Click Add > IP Security Policy Management > Add > Finish. Click Close > Figure 197 Add > IP Security Policy Management > Finish Right-click IP Security Policies on Local Machine and click Create IP Security Policy.
  • Page 209 Chapter 8 L2TP VPN Example Name the IP security policy L2TP to ZyWALL, and click Next. Figure 199 IP Security Policy: Name Clear the Activate the default response rule check box and click Next. Figure 200 IP Security Policy: Request for Secure Communication
  • Page 210 Chapter 8 L2TP VPN Example Leave the Edit Properties check box selected and click Finish. Figure 201 IP Security Policy: Completing the IP Security Policy Wizard In the properties dialog box, click Add > Next. Figure 202 IP Security Policy Properties > Add
  • Page 211 Chapter 8 L2TP VPN Example Select This rule does not specify a tunnel and click Next. Figure 203 IP Security Policy Properties: Tunnel Endpoint 10 Select All network connections and click Next. Figure 204 IP Security Policy Properties: Network Type
  • Page 212 Chapter 8 L2TP VPN Example 11 Select Use this string to protect the key exchange (preshared key), type password in the text box, and click Next. Figure 205 IP Security Policy Properties: Authentication Method 12 Click Add. Figure 206 IP Security Policy Properties: IP Filter List
  • Page 213 Chapter 8 L2TP VPN Example 13 Type ZyWALL WAN_IP in the Name field. Clear the Use Add Wizard check box and click Add. Figure 207 IP Security Policy Properties: IP Filter List > Add 14 Configure the following in the Addressing tab. Select My IP Address in the Source address drop-down list box.
  • Page 214 Chapter 8 L2TP VPN Example 15 Configure the following in the Filter Properties window’s Protocol tab. Set the protocol type to UDP from port 1701. Select To any port. Click Apply, OK, and then Close. Figure 209 Filter Properties: Protocol 16 Select ZyWALL WAN_IP and click Next.
  • Page 215 Chapter 8 L2TP VPN Example 17 Select Require Security and click Next. Then click Finish and Close. Figure 211 IP Security Policy Properties: IP Filter List 18 In the Console window, right-click L2TP to ZyWALL and select Assign. Figure 212 Console: L2TP to ZyWALL Assign 8.5.3.3 Configure the Windows 2000 Network Connection After you have configured the IPSec policy, use these directions to create a network connection.
  • Page 216 Chapter 8 L2TP VPN Example Click Start > Settings > Network and Dial-up connections > Make New Connection. In the wizard welcome screen, click Next. Figure 213 Start New Connection Wizard Select Connect to a private network through the Internet and click Next. Figure 214 New Connection Wizard: Network Connection Type Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN.
  • Page 217 Chapter 8 L2TP VPN Example Select For all users and click Next. Figure 216 New Connection Wizard: Connection Availability Name the connection L2TP to ZyWALL and click Finish. Figure 217 New Connection Wizard: Naming the Connection Click Properties. Figure 218 Connect L2TP to ZyWALL
  • Page 218 Chapter 8 L2TP VPN Example Click Security and select Advanced (custom settings) and click Settings. Figure 219 Connect L2TP to ZyWALL: Security Select Optional encryption allowed (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes.
  • Page 219 Chapter 8 L2TP VPN Example Click Networking and select Layer 2 Tunneling Protocol (L2TP) from the drop-down list box. Click OK. Figure 221 Connect L2TP to ZyWALL: Networking 10 Enter your user name and password and click Connect. It may take up to one minute to establish the connection and register on the network.
  • Page 220 Chapter 8 L2TP VPN Example 12 Click Details and scroll down to see the address that you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20). Figure 224 L2TP to ZyWALL Status: Details 13 Access a server or other network resource behind the ZyWALL to make sure your access works.
  • Page 223: Technical Reference

    Technical Reference...
  • Page 225: Dashboard

    Chapter 9 Dashboard 9.1 Overview Use the Dashboard screens to check status information about the ZyWALL. 9.1.1 What You Can Do in this Chapter Use the Dashboard screens for the following. • Use the main Dashboard screen (see Section 9.2 on page 225) to see the ZyWALL’s general device information, system status, system resource usage,...
  • Page 226 Chapter 9 Dashboard interface status in widgets that you can re-arrange to suit your needs. You can also collapse, refresh, and close individual widgets. Figure 225 Dashboard The following table describes the labels in this screen. Table 22 Dashboard LABEL DESCRIPTION Widget Setting Use this link to re-open closed widgets.
  • Page 227 Chapter 9 Dashboard Table 22 Dashboard (continued) LABEL DESCRIPTION The following front and rear panel labels display when you hover your cursor over a connected interface or slot. Name This field displays the name of each interface. Slot This field displays the name of each extension slot. Device This field displays the name of the device connected to the extension slot (or none if no device is detected).
  • Page 228 Chapter 9 Dashboard Table 22 Dashboard (continued) LABEL DESCRIPTION Device This identifies a device installed in one of the ZyWALL’s extension slots or USB ports. Device Information System Name This field displays the name used to identify the ZyWALL on any network.
  • Page 229 Chapter 9 Dashboard Table 22 Dashboard (continued) LABEL DESCRIPTION Status This field displays the current status of each interface. The possible values depend on what type of interface it is. For Ethernet interfaces: Inactive - The Ethernet interface is disabled. Down - The Ethernet interface is enabled but not connected.
  • Page 230: System Uptime

    Chapter 9 Dashboard Table 22 Dashboard (continued) LABEL DESCRIPTION IP Address This field displays the current IP address assigned to the interface. If the IP address is 0.0.0.0, the interface is disabled or did not receive an IP address and subnet mask via DHCP. If this interface is a member of an active virtual router, this field displays the IP address it is currently using.
  • Page 231 Chapter 9 Dashboard Table 22 Dashboard (continued) LABEL DESCRIPTION Boot Status This field displays details about the ZyWALL’s startup state. OK - The ZyWALL started up successfully. Firmware update OK - A firmware update was successful. Problematic configuration after firmware update - The application of the configuration failed after a firmware upgrade.
  • Page 232: The Cpu Usage Screen

    Chapter 9 Dashboard Table 22 Dashboard (continued) LABEL DESCRIPTION Signature Name The signature name identifies a specific intrusion pattern. Type This column displays when you display the entries by Signature Name. It shows the categories of intrusions. See Table 164 on page 612 for more information.
  • Page 233: The Memory Usage Screen

    Chapter 9 Dashboard 9.2.2 The Memory Usage Screen Use this screen to look at a chart of the ZyWALL’s recent memory (RAM) usage. To access this screen, click Memory Usage in the dashboard. Figure 227 Dashboard > Memory Usage The following table describes the labels in this screen. Table 24 Dashboard >...
  • Page 234: The Session Usage Screen

    Chapter 9 Dashboard 9.2.3 The Session Usage Screen Use this screen to look at a chart of the ZyWALL’s recent traffic session usage. To access this screen, click Session Usage in the dashboard. Figure 228 Dashboard > Session Usage The following table describes the labels in this screen. Table 25 Dashboard >...
  • Page 235: The Vpn Status Screen

    Chapter 9 Dashboard 9.2.4 The VPN Status Screen Use this screen to look at the VPN tunnels that are currently established. To access this screen, click VPN Status in the dashboard. Figure 229 Dashboard > VPN Status The following table describes the labels in this screen. Table 26 Dashboard >...
  • Page 236: The Number Of Login Users Screen

    Chapter 9 Dashboard The following table describes the labels in this screen. Table 27 Dashboard > DHCP Table LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific entry. Interface This field identifies the interface that assigned an IP address to a DHCP client.
  • Page 237 Chapter 9 Dashboard The following table describes the labels in this screen. Table 28 Dashboard > Number of Login Users LABEL DESCRIPTION This field is a sequential value and is not associated with any entry. User ID This field displays the user name of each user who is currently logged in to the ZyWALL.
  • Page 239: Monitor

    Chapter 10 Monitor 10.1 Overview Use the Monitor screens to check status and statistics information. 10.1.1 What You Can Do in this Chapter Use the Monitor screens for the following. • Use the System Status > Port Statistics screen (see Section 10.2.1 on page 242) to look at packet statistics for each physical port.
  • Page 240: The Port Statistics Screen

    Chapter 10 Monitor • Use the VPN Monitor > IPSec screen (Section 10.13 on page 263) to display and manage active IPSec SAs. • Use the VPN Monitor > SSL screen (see Section 10.14 on page 266) to list the users currently logged into the VPN SSL client portal.
  • Page 241 Chapter 10 Monitor The following table describes the labels in this screen. Table 29 Monitor > System Status > Port Statistics LABEL DESCRIPTION Poll Interval Enter how often you want this window to be updated automatically, and click Set Interval. Set Interval Click this to set the Poll Interval the screen uses.
  • Page 242: The Port Statistics Graph Screen

    Chapter 10 Monitor 10.2.1 The Port Statistics Graph Screen Use this screen to look at a line graph of packet statistics for each physical port. To access this screen, click Port Statistics in the Status screen and then the Switch to Graphic View Button. Figure 233 Monitor >...
  • Page 243: Interface Status Screen

    Chapter 10 Monitor Table 30 Monitor > System Status > Port Statistics > Switch to Graphic View LABEL DESCRIPTION Last Update This field displays the date and time the information in the window was last updated. System Up Time This field displays how long the ZyWALL has been running since it last restarted or was turned on.
  • Page 244 Chapter 10 Monitor Each field is described in the following table. Table 31 Monitor > System Status > Interface Status LABEL DESCRIPTION Interface Status If an Ethernet interface does not have any physical ports associated with it, its entry is displayed in light gray text. Expand/Close Click this button to show or hide statistics for all the virtual interfaces on top of the Ethernet interfaces.
  • Page 245 Chapter 10 Monitor Table 31 Monitor > System Status > Interface Status (continued) LABEL DESCRIPTION Status This field displays the current status of each interface. The possible values depend on what type of interface it is. For Ethernet interfaces: Inactive - The Ethernet interface is disabled. Down - The Ethernet interface is enabled but not connected.
  • Page 246 Chapter 10 Monitor Table 31 Monitor > System Status > Interface Status (continued) LABEL DESCRIPTION Zone This field displays the zone to which the interface is assigned. IP Addr/Netmask This field displays the current IP address and subnet mask assigned to the interface.
  • Page 247: The Traffic Statistics Screen

    Chapter 10 Monitor 10.4 The Traffic Statistics Screen Click Monitor > System Status > Traffic Statistics to display the Traffic Statistics screen. This screen provides basic information about the following, for example: • Most-visited Web sites and the number of times each one was visited. This count may not be accurate in some cases because the ZyWALL counts HTTP GET packets.
  • Page 248 Chapter 10 Monitor There is a limit on the number of records shown in the report. Please see Table 33 on page 249 for more information. The following table describes the labels in this screen. Table 32 Monitor > System Status > Traffic Statistics LABEL DESCRIPTION Data Collection...
  • Page 249 Chapter 10 Monitor Table 32 Monitor > System Status > Traffic Statistics (continued) LABEL DESCRIPTION These fields are available when the Traffic Type is Service/Port. This field is the rank of each record. The protocols and service ports are sorted by the amount of traffic. Service/Port This field displays the service and port in this record.
  • Page 250: The Session Monitor Screen

    Chapter 10 Monitor 10.5 The Session Monitor Screen The Session Monitor screen displays information about active sessions for debugging or statistical analysis. It is not possible to manage sessions in this screen. The following information is displayed. • User who started the session •...
  • Page 251 Chapter 10 Monitor The following table describes the labels in this screen. Table 34 Monitor > System Status > Session Monitor LABEL DESCRIPTION View Select how you want the information to be displayed. Choices are: sessions by users - display all active sessions grouped by user sessions by services - display all active sessions grouped by service or protocol sessions by source IP - display all active sessions grouped by source...
  • Page 252: The Ddns Status Screen

    Chapter 10 Monitor Table 34 Monitor > System Status > Session Monitor (continued) LABEL DESCRIPTION Service This field displays the protocol used in each active session. If you are looking at the sessions by services report, click + or - to display or hide details about a protocol’s sessions.
  • Page 253: Ip/Mac Binding Monitor

    Chapter 10 Monitor Table 35 Monitor > System Status > DDNS Status (continued) LABEL DESCRIPTION Last Update Status This shows whether the last attempt to resolve the IP address for the domain name was successful or not. Updating means the ZyWALL is currently attempting to resolve the IP address for the domain name.
  • Page 254: The Login Users Screen

    Chapter 10 Monitor Table 36 Monitor > System Status > IP/MAC Binding (continued) LABEL DESCRIPTION Last Access This is when the device last established a session with the ZyWALL through this interface. Refresh Click this button to update the information in the screen. 10.8 The Login Users Screen Use this screen to look at a list of the users currently logged into the ZyWALL.
  • Page 255: Wlan Interface Station Monitor Screen

    Chapter 10 Monitor 10.9 WLAN Interface Station Monitor Screen The station monitor displays the connection status of the wireless clients connected to (or trying to connect to) an IEEE 802.11b/g card installed in the ZyWALL. To open the station monitor, click Monitor > System Status > WLAN Status. The screen appears as shown.
  • Page 256: Cellular Status Screen

    Chapter 10 Monitor 10.10 Cellular Status Screen This screen displays your 3G connection status. Click Monitor > System Status > Cellular Status to display this screen. Figure 241 Monitor > System Status > Cellular Status The following table describes the labels in this screen. Table 39 Monitor >...
  • Page 257 Chapter 10 Monitor Table 39 Monitor > System Status > Cellular Status (continued) LABEL DESCRIPTION Status No device - no 3G device is connected to the ZyWALL. Device detected - displays when you connect a 3G device. Device error - a 3G device is connected but there is an error. Probe device fail - the ZyWALL’s test of the 3G device failed.
  • Page 258: Usb Storage Screen

    Chapter 10 Monitor Table 39 Monitor > System Status > Cellular Status (continued) LABEL DESCRIPTION Signal Quality This displays the strength of the signal. The signal strength mainly depends on the antenna output power and the distance between your ZyWALL and the service provider’s base station. More Info.
  • Page 259: Application Patrol Statistics

    Chapter 10 Monitor Table 40 Monitor > System Status > USB Storage (continued) LABEL DESCRIPTION Status Ready - you can have the ZyWALL use the USB storage device. Click Remove Now to stop the ZyWALL from using the USB storage device so you can remove it.
  • Page 260: Application Patrol Statistics: Bandwidth Statistics

    Chapter 10 Monitor The following table describes the labels in this screen. Table 41 Monitor > AppPatrol Statistics: General Settings LABEL DESCRIPTION Refresh Interval Select how often you want the statistics display to update. Display Protocols Select the protocols for which to display statistics. Select All selects all of the protocols.
  • Page 261: Application Patrol Statistics: Protocol Statistics

    Chapter 10 Monitor 10.12.3 Application Patrol Statistics: Protocol Statistics The bottom of the Monitor > AppPatrol Statistics screen displays statistics for each of the selected protocols. Figure 245 Monitor > AppPatrol Statistics: Protocol Statistics The following table describes the labels in this screen. Table 42 Monitor >...
  • Page 262: Application Patrol Statistics: Individual Protocol Statistics By Rule

    Chapter 10 Monitor Table 42 Monitor > AppPatrol Statistics: Protocol Statistics (continued) LABEL DESCRIPTION Rule This is a protocol’s rule. Inbound Kbps This is the incoming bandwidth usage for traffic that matched this protocol rule, in kilobits per second. This is the protocol’s traffic that the ZyWALL sends to the initiator of the connection.
  • Page 263: The Ipsec Monitor Screen

    Chapter 10 Monitor The following table describes the labels in this screen. Table 43 Monitor > AppPatrol Statistics > Service LABEL DESCRIPTION Service Name This is the application. Rule Statistics This table displays the statistics for each of the service’s application patrol rules.
  • Page 264 Chapter 10 Monitor screen appears. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 247 Monitor > VPN Monitor > IPSec Each field is described in the following table. Table 44 Monitor >...
  • Page 265: Regular Expressions In Searching Ipsec Sas

    Chapter 10 Monitor Table 44 Monitor > VPN Monitor > IPSec (continued) LABEL DESCRIPTION Encapsulation This field displays how the IPSec SA is encapsulated. Policy This field displays the content of the local and remote policies for this IPSec SA. The IP addresses, not the address objects, are displayed. Algorithm This field displays the encryption and authentication algorithms used in the SA.
  • Page 266: The Ssl Connection Monitor Screen

    Chapter 10 Monitor 10.14 The SSL Connection Monitor Screen The ZyWALL keeps track of the users who are currently logged into the VPN SSL client portal. Click Monitor > VPN Monitor > SSL to display the user list. Use this screen to do the following: •...
  • Page 267: L2Tp Over Ipsec Session Monitor Screen

    Chapter 10 Monitor 10.15 L2TP over IPSec Session Monitor Screen Click Monitor > VPN Monitor > L2TP over IPSec to open the following screen. Use this screen to display and manage the ZyWALL’s connected L2TP VPN sessions. Figure 249 Monitor > VPN Monitor > L2TP over IPSec The following table describes the fields in this screen.
  • Page 268: The Anti-Virus Statistics Screen

    Chapter 10 Monitor 10.16 The Anti-Virus Statistics Screen Click Monitor > Anti-X Statistics > Anti-Virus to display the following screen. This screen displays anti-virus statistics. Figure 250 Monitor > Anti-X Statistics > Anti-Virus: Virus Name The following table describes the labels in this screen. Table 47 Monitor >...
  • Page 269 Chapter 10 Monitor Table 47 Monitor > Anti-X Statistics > Anti-Virus (continued) LABEL DESCRIPTION Top Entry By Use this field to have the following (read-only) table display the top anti-virus entries by Virus Name, Source IP or Destination IP. Select Virus Name to list the most common viruses that the ZyWALL has detected.
  • Page 270: The Idp Statistics Screen

    Chapter 10 Monitor 10.17 The IDP Statistics Screen Click Monitor > Anti-X Statistics > IDP to display the following screen. This screen displays IDP (Intrusion Detection and Prevention) statistics. Figure 253 Monitor > Anti-X Statistics > IDP: Signature Name The following table describes the labels in this screen. Table 48 Monitor >...
  • Page 271 Chapter 10 Monitor Table 48 Monitor > Anti-X Statistics > IDP (continued) LABEL DESCRIPTION Top Entry By Use this field to have the following (read-only) table display the top IDP entries by Signature Name, Source or Destination. Select Signature Name to list the most common signatures that the ZyWALL has detected.
  • Page 272: The Content Filter Statistics Screen

    Chapter 10 Monitor 10.18 The Content Filter Statistics Screen Click Monitor > Anti-X Statistics > Content Filter to display the following screen. This screen displays content filter statistics. Figure 256 Monitor > Anti-X Statistics > Content Filter The following table describes the labels in this screen. Table 49 Monitor >...
  • Page 273: Content Filter Cache Screen

    Chapter 10 Monitor Table 49 Monitor > Anti-X Statistics > Content Filter (continued) LABEL DESCRIPTION Web Pages Warned by Category This is the number of web pages that matched an external database content filtering category selected in the ZyWALL and for which the ZyWALL displayed a warning before allowing users access.
  • Page 274 Chapter 10 Monitor You can remove individual entries from the cache. When you do this, the ZyWALL queries the external content filtering database the next time someone tries to access that web site. This allows you to check whether a web site’s category has been changed.
  • Page 275 Chapter 10 Monitor Table 50 Anti-X > Content Filter > Cache (continued) LABEL DESCRIPTION Category This field shows whether access to the web site’s URL was blocked or allowed. Click the column heading to sort the entries. Point the triangle up to display the blocked URLs before the URLs to which access was allowed.
  • Page 276: The Anti-Spam Statistics Screen

    Chapter 10 Monitor 10.20 The Anti-Spam Statistics Screen Click Monitor > Anti-X Statistics > Anti-Spam to display the following screen. This screen displays spam statistics. Figure 258 Monitor > Anti-X Statistics > Anti-Spam The following table describes the labels in this screen. Table 51 Monitor >...
  • Page 277 Chapter 10 Monitor Table 51 Monitor > Anti-X Statistics > Anti-Spam (continued) LABEL DESCRIPTION Spam Mails This is the number of e-mails that the ZyWALL has determined to be spam. Spam Mails Detected by ... This is the number of e-mails that matched an entry in the ZyWALL’s anti-spam black list.
  • Page 278: The Anti-Spam Status Screen

    Chapter 10 Monitor 10.21 The Anti-Spam Status Screen Click Monitor > Anti-X Statistics > Anti-Spam > Status to display the Anti-Spam Status screen. Use the Anti-Spam Status screen to see how many e-mail sessions the anti-spam feature is scanning and statistics for the DNSBLs. Figure 259 Monitor >...
  • Page 279: Log Screen

    Chapter 10 Monitor 10.22 Log Screen Log messages are stored in two separate logs, one for regular log messages and one for debugging messages. In the regular log, you can look at all the log messages by selecting All Logs, or you can select a specific category of log messages (for example, firewall or user).
  • Page 280 Chapter 10 Monitor The following table describes the labels in this screen. Table 53 Monitor > Log LABEL DESCRIPTION Show Filter / Click this button to show or hide the filter settings. Hide Filter If the filter settings are hidden, the Display, Email Log Now, Refresh, and Clear Log fields are available.
  • Page 281 Chapter 10 Monitor Table 53 Monitor > Log (continued) LABEL DESCRIPTION Priority This field displays the priority of the log message. It has the same range of values as the Priority field above. Category This field displays the log that generated the log message. It is the same value used in the Display and (other) Category fields.
  • Page 282 Chapter 10 Monitor ZyWALL USG 300 User’s Guide...
  • Page 283: Registration

    This section introduces the topics covered in this chapter. myZyXEL.com myZyXEL.com is ZyXEL’s online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL. To update signature files or use a subscription service, you have to register the ZyWALL and activate the corresponding service at myZyXEL.com (through the ZyWALL).
  • Page 284 • After the trial expires, you need to purchase an iCard for the anti-virus engine you want to use and enter the PIN number (license key) in the Registration > Service screen. You must use the ZyXEL anti-virus iCard for the ZyXEL anti-virus engine and the Kaspersky anti-virus iCard for the Kaspersky anti-virus engine.
  • Page 285: The Registration Screen

    Chapter 11 Registration 11.2 The Registration Screen Use this screen to register your ZyWALL with myZyXEL.com and activate a service, such as content filtering. Click Configuration > Licensing > Registration in the navigation panel to open the screen as shown next. Figure 261 Configuration >...
  • Page 286 Service: The ZyWALL's anti-virus packet scanner uses the signature files on the ZyWALL to detect virus files. Select ZyXEL's anti-virus engine or the Kaspersky anti-virus engine. During the trial you can use these fields to change from one anti-virus engine to the other.
  • Page 287: The Service Screen

    Chapter 11 Registration Note: If the ZyWALL is registered already, this screen is read-only and indicates whether trial services are activated (if any). You can still select the unchecked trial service(s) to activate it after registration. Use the Service screen to update your service subscription status.
  • Page 288 Chapter 11 Registration The following table describes the labels in this screen. Table 55 Configuration > Licensing > Registration > Service. LABEL / DESCRIPTION. License Status: This is the entry's position in the list. Service: This lists the services that are available on the ZyWALL. Status: This field displays whether a service is activated (Licensed), not activated (Not Licensed), or expired (Expired).
  • Page 289: Signature Update

    Chapter 12 Signature Update 12.1 Overview This chapter shows you how to update the ZyWALL's signature packages. 12.1.1 What You Can Do in this Chapter • Use the Configuration > Licensing > Update > Anti-virus screen (Section 12.2 on page 290) to update the anti-virus signatures.
  • Page 290: The Antivirus Update Screen

    Signature Information: The following fields display information on the current signature set that the ZyWALL is using. Anti-Virus Engine Type: This field displays whether the ZyWALL is set to use ZyXEL's anti-virus engine or the one powered by Kaspersky. Upgrading the ZyWALL to firmware version 2.11 and updating the anti-virus signatures automatically upgrades the ZyXEL anti-virus engine to v2.0.
  • Page 291: The Idp/Apppatrol Update Screen

    Chapter 12 Signature Update LABEL / DESCRIPTION. Signature Update: Use these fields to have the ZyWALL check for new signatures at myZyXEL.com. If new signatures are found, they are then downloaded to the ZyWALL. Update Now: Click this button to have the ZyWALL check for new signatures immediately.
  • Page 292 Chapter 12 Signature Update signatures from myZyXEL.com (see the Registration screens). Use the Update IDP /AppPatrol screen to schedule or immediately download IDP signatures. Figure 265 Configuration > Licensing > Update > IDP/AppPatrol The following table describes the fields in this screen. Table 56 Configuration >...
  • Page 293: The System Protect Update Screen

    Chapter 12 Signature Update Table 56 Configuration > Licensing > Update > IDP/AppPatrol (continued). LABEL / DESCRIPTION. Daily: Select this option to have the ZyWALL check for new IDP signatures every day at the specified time. The time format is the 24 hour clock, so ‘23’...
  • Page 294 Chapter 12 Signature Update The following table describes the fields in this screen. Table 57 Configuration > Licensing > Update > System Protect. LABEL / DESCRIPTION. Signature Information: The following fields display information on the current signature set that the ZyWALL is using. Current Version: This field displays the system protect signature and anomaly rule set...
  • Page 295: Interfaces

    Chapter 13 Interfaces 13.1 Interface Overview Use the Interface screens to configure the ZyWALL's interfaces. You can also create interfaces on top of other interfaces. • Ports are the physical ports to which you connect cables. •...
  • Page 296: What You Need To Know

    Chapter 13 Interfaces • Use the Virtual Interface screen (Section 13.11 on page 362) to create virtual interfaces on top of Ethernet interfaces to tell the ZyWALL where to route packets. You can create virtual Ethernet interfaces, virtual VLAN interfaces, and virtual bridge interfaces.
  • Page 297 Chapter 13 Interfaces • Trunks manage load balancing between interfaces. Port groups, trunks, and the auxiliary interface have a lot of characteristics that are specific to each type of interface. See Section 13.2 on page 299, Chapter 14 on page 369, and Section 13.10 on page 360 for details.
  • Page 298 Chapter 13 Interfaces Table 59 Relationships Between Different Types of Interfaces (continued). INTERFACE / REQUIRED PORT OR INTERFACE. VLAN interface: Ethernet interface. Bridge interface: Ethernet interface*, VLAN interface*. PPP interface: Ethernet interface*, VLAN interface*, bridge interface. Virtual interface: Ethernet interface* (virtual Ethernet interface), VLAN interface* (virtual VLAN interface)
  • Page 299: Port Grouping

    Chapter 13 Interfaces 13.2 Port Grouping This section introduces port groups and then explains the screen for port groups. 13.2.1 Port Grouping Overview Use port grouping to create port groups and to assign physical ports and port groups to Ethernet interfaces. Each physical port is assigned to one Ethernet interface.
  • Page 300: Ethernet Summary Screen

    Chapter 13 Interfaces Each section in this screen is described below. Table 60 Configuration > Network > Interface > Port Grouping. ROLE / DESCRIPTION. Representative Interface (ge1, ge2, ge3, ...): These are Ethernet interfaces. To add a physical port to a representative interface, drag the physical port onto the corresponding representative interface.
  • Page 301 Chapter 13 Interfaces Figure 268 Configuration > Network > Interface > Ethernet Each field is described in the following table. Table 61 Configuration > Network > Interface > Ethernet. LABEL / DESCRIPTION. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
  • Page 302: Ethernet Edit

    Chapter 13 Interfaces 13.3.1 Ethernet Edit The Ethernet Edit screen lets you configure IP address assignment, interface parameters, RIP settings, OSPF settings, DHCP settings, connectivity check, and MAC address settings. To access this screen, click an Edit icon in the Ethernet Summary screen.
  • Page 303 Chapter 13 Interfaces Figure 269 Configuration > Network > Interface > Ethernet > Edit
  • Page 304 Chapter 13 Interfaces This screen's fields are described in the table below. Table 62 Configuration > Network > Interface > Ethernet > Edit. LABEL / DESCRIPTION. Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
  • Page 305 Chapter 13 Interfaces Table 62 Configuration > Network > Interface > Ethernet > Edit (continued). LABEL / DESCRIPTION. Use Fixed IP Address: This option appears when Interface Properties is External or General. Select this if you want to specify the IP address, subnet mask, and gateway manually.
  • Page 306 Chapter 13 Interfaces Table 62 Configuration > Network > Interface > Ethernet > Edit (continued). LABEL / DESCRIPTION. Check Period: Enter the number of seconds between connection check attempts. Check Timeout: Enter the number of seconds to wait for a response before the attempt is a failure.
  • Page 307 Chapter 13 Interfaces Table 62 Configuration > Network > Interface > Ethernet > Edit (continued). LABEL / DESCRIPTION. Pool Size: Enter the number of IP addresses to allocate. This number must be at least one and is limited by the interface's Subnet Mask. For example, if the Subnet Mask is 255.255.255.0 and IP Pool Start Address is 10.10.10.10, the ZyWALL can allocate 10.10.10.10 to 10.10.10.254, or 245 IP addresses.
  • Page 308 Chapter 13 Interfaces Table 62 Configuration > Network > Interface > Ethernet > Edit (continued). LABEL / DESCRIPTION. IP Address: Enter the IP address to assign to a device with this entry's MAC address. MAC Address: Enter the MAC address to which to assign this entry's IP address. Description: Enter a description to help identify this static DHCP entry.
  • Page 309: Object References

    Chapter 13 Interfaces Table 62 Configuration > Network > Interface > Ethernet > Edit (continued). LABEL / DESCRIPTION. Text Authentication: This field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to eight characters long. Text authentication carries this password in cleartext in every routing-protocol packet, so it protects only against accidental peering, not against an attacker on the same segment.
  • Page 310: Ppp Interfaces

    Chapter 13 Interfaces Figure 270 Object References The following table describes labels that can appear in this screen. Table 63 Object References. LABEL / DESCRIPTION. Object Name: This identifies the object for which the configuration settings that use it are displayed. Click the object's name to display the object's configuration screen in the main window.
  • Page 311: Ppp Interface Summary

    Chapter 13 Interfaces Figure 271 Example: PPPoE/PPTP Interfaces PPPoE/PPTP interfaces are similar to other interfaces in some ways. They have an IP address, subnet mask, and gateway used to make routing decisions; they restrict bandwidth and packet size; and they can verify the gateway is available. There are two main differences between PPPoE/PPTP interfaces and other interfaces.
  • Page 312 Chapter 13 Interfaces Figure 272 Configuration > Network > Interface > PPP Each field is described in the table below. Table 64 Configuration > Network > Interface > PPP. LABEL / DESCRIPTION. User Configuration / System Default: The ZyWALL comes with the (non-removable) System Default PPP interfaces pre-configured.
  • Page 313: Ppp Interface Add Or Edit

    Chapter 13 Interfaces Table 64 Configuration > Network > Interface > PPP (continued). LABEL / DESCRIPTION. Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. The connect icon is lit when the interface is connected and dimmed when it is disconnected.
  • Page 314 Chapter 13 Interfaces Figure 273 Configuration > Network > Interface > PPP > Add Each field is explained in the following table. Table 65 Configuration > Network > Interface > PPP > Add. LABEL / DESCRIPTION. Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
  • Page 315 Chapter 13 Interfaces Table 65 Configuration > Network > Interface > PPP > Add (continued). LABEL / DESCRIPTION. Enable Interface: Select this to enable this interface. Clear this to disable this interface. Interface Properties. Interface Name: Specify a name for the interface. It can use alphanumeric characters, hyphens, and underscores, and it can be up to 11 characters long.
  • Page 316 Chapter 13 Interfaces Table 65 Configuration > Network > Interface > PPP > Add (continued). LABEL / DESCRIPTION. Interface Parameters. Egress Bandwidth: Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network. Allowed values are 0 - 1048576.
  • Page 317: Cellular Configuration Screen (3G)

    Chapter 13 Interfaces Table 65 Configuration > Network > Interface > PPP > Add (continued). LABEL / DESCRIPTION. OK: Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving. 13.5 Cellular Configuration Screen (3G) 3G (Third Generation) is a digital, packet-switched wireless technology.
  • Page 318 Chapter 13 Interfaces If the signal strength of a 3G network is too low, the 3G card may switch to an available 2.5G or 2.75G network. See the following table for a comparison of 2G, 2.5G, 2.75G and 3G wireless technologies. Table 66 2G, 2.5G, 2.75G, 3G and 3.5G Wireless Technologies MOBILE PHONE AND DATA STANDARDS DATA...
  • Page 319: Cellular Add/Edit Screen

    Chapter 13 Interfaces Figure 274 Configuration > Network > Interface > Cellular The following table describes the labels in this screen. Table 67 Configuration > Network > Interface > Cellular. LABEL / DESCRIPTION. Add: Click this to create a new cellular interface. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
  • Page 320 Chapter 13 Interfaces Figure 275 Configuration > Network > Interface > Cellular > Add
  • Page 321 Chapter 13 Interfaces The following table describes the labels in this screen. Table 68 Configuration > Network > Interface > Cellular > Add. LABEL / DESCRIPTION. Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
  • Page 322 Chapter 13 Interfaces Table 68 Configuration > Network > Interface > Cellular > Add (continued). LABEL / DESCRIPTION. Dial String: Enter the dial string if your ISP provides a string, which would include the APN, to initialize the 3G card. You can enter up to 63 ASCII printable characters. Spaces are allowed.
  • Page 323 Chapter 13 Interfaces Table 68 Configuration > Network > Interface > Cellular > Add (continued). LABEL / DESCRIPTION. Egress Bandwidth: Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network. Allowed values are 0 - 1048576.
  • Page 324 Chapter 13 Interfaces Table 68 Configuration > Network > Interface > Cellular > Add (continued). LABEL / DESCRIPTION. Automatically: Select this option if your ISP did not assign you a fixed IP address. This is the default selection. Use Fixed IP Address: Select this option if the ISP assigned a fixed IP address.
  • Page 325 Chapter 13 Interfaces Table 68 Configuration > Network > Interface > Cellular > Add (continued). LABEL / DESCRIPTION. Data Budget: Select this and specify how much downstream and/or upstream data (in megabytes) can be transmitted via the 3G connection within one month.
  • Page 326: Wlan Interface General Screen

    Chapter 13 Interfaces Table 68 Configuration > Network > Interface > Cellular > Add (continued). LABEL / DESCRIPTION. OK: Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving. 13.6 WLAN Interface General Screen The following figure provides an example of a wireless network.
  • Page 327 Chapter 13 Interfaces Click Configuration > Network > Interface > WLAN to open the following screen. See Appendix E on page 1045 for more details on wireless LANs. Figure 277 Configuration > Network > Interface > WLAN The following table describes the labels in this screen. Table 69 Configuration >...
  • Page 328 Chapter 13 Interfaces Table 69 Configuration > Network > Interface > WLAN. LABEL / DESCRIPTION. 802.11 Band: Select whether you will let wireless clients connect to the ZyWALL using IEEE 802.11b, IEEE 802.11g, or both. Select b Only to allow only IEEE 802.11b compliant WLAN devices to associate with the ZyWALL.
  • Page 329: Wlan Add/Edit Screen

    Chapter 13 Interfaces Table 69 Configuration > Network > Interface > WLAN. LABEL / DESCRIPTION. IP Address: This field displays the current IP address of the WLAN interface. If the IP address is 0.0.0.0, the interface does not have an IP address yet. This screen also shows whether the IP address is a static IP address (STATIC) or dynamically assigned (DHCP).
  • Page 330 Chapter 13 Interfaces Figure 278 Configuration > Network > Interface > WLAN > Add (No Security)
  • Page 331 Chapter 13 Interfaces The following table describes the general wireless LAN labels in this screen. Table 71 Configuration > Network > Interface > WLAN > Add (No Security). LABEL / DESCRIPTION. Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
  • Page 332 Chapter 13 Interfaces Table 71 Configuration > Network > Interface > WLAN > Add (No Security). LABEL / DESCRIPTION. IP Address: Enter the IP address for this interface. Subnet Mask: Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network.
  • Page 333: Add

    Chapter 13 Interfaces Table 71 Configuration > Network > Interface > WLAN > Add (No Security). LABEL / DESCRIPTION. Pool Size: Enter the number of IP addresses to allocate. This number must be at least one and is limited by the interface's Subnet Mask. For example, if the Subnet Mask is 255.255.255.0 and IP Pool Start Address is 10.10.10.10, the ZyWALL can allocate 10.10.10.10 to 10.10.10.254, or 245 IP addresses.
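The Pool Size limit described above (for the Ethernet interface on page 307 and again for the WLAN interface here) is the arithmetic an administrator has to get right before the screen will accept the value. The following is an added example, not ZyXEL's code: it reproduces the manual's own numbers (a /24 starting at 10.10.10.10 yields 245 addresses because the pool must stop before the broadcast address) and rejects sizes the mask cannot hold. It applies only the broadcast-address limit the manual's example implies; whether the interface's own address is excluded from the pool is not stated on the page and is not modelled.

```python
import ipaddress


def max_pool_size(start_ip: str, subnet_mask: str) -> int:
    """Largest Pool Size a pool beginning at start_ip can have: the run of
    addresses from start_ip up to, but excluding, the subnet's broadcast
    address. Only the broadcast-address limit is applied (assumption: the
    manual's example does not mention other reserved addresses)."""
    net = ipaddress.IPv4Network(f"{start_ip}/{subnet_mask}", strict=False)
    start = ipaddress.IPv4Address(start_ip)
    if start == net.network_address:
        raise ValueError("pool may not start at the network address")
    last_usable = net.broadcast_address - 1
    if start > last_usable:
        return 0
    return int(last_usable) - int(start) + 1


def check_pool(start_ip: str, subnet_mask: str, pool_size: int):
    """Validate a (start, mask, size) triple the way the Pool Size field is
    described: at least one address and bounded by the subnet mask.
    Returns (ok, last_address) with last_address None when rejected."""
    if pool_size < 1:
        return False, None
    if pool_size > max_pool_size(start_ip, subnet_mask):
        return False, None
    last = ipaddress.IPv4Address(start_ip) + (pool_size - 1)
    return True, str(last)


if __name__ == "__main__":
    # The manual's own figures: /24 starting at 10.10.10.10 -> 245 addresses
    print(max_pool_size("10.10.10.10", "255.255.255.0"))
    print(check_pool("10.10.10.10", "255.255.255.0", 245))
    print(check_pool("10.10.10.10", "255.255.255.0", 246))
```

Running the script prints 245, then (True, '10.10.10.254'), then (False, None): a pool one address larger would swallow the broadcast address.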
  • Page 334 Chapter 13 Interfaces Table 71 Configuration > Network > Interface > WLAN > Add (No Security). LABEL / DESCRIPTION. Direction: This field is effective when RIP is enabled. Select the RIP direction from the drop-down list box. BiDir - This interface sends and receives routing information. In-Only - This interface receives routing information.
  • Page 335: Wlan Add/Edit: Wep Security

    Chapter 13 Interfaces Table 71 Configuration > Network > Interface > WLAN > Add (No Security). LABEL / DESCRIPTION. OK: Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving. 13.6.2 WLAN Add/Edit: WEP Security WEP provides a mechanism for encrypting data using encryption keys. Note that WEP (RC4 with a 24-bit IV and a static key) is cryptographically broken: the key can be recovered from a modest amount of captured traffic, so use it only where legacy clients leave no alternative, and prefer WPA2-PSK or WPA2 with 802.1X authentication.
  • Page 336: Wlan Add/Edit: Wpa-Psk/Wpa2-Psk Security

    Chapter 13 Interfaces The following table describes the WEP-related wireless LAN security labels. See Table 71 on page 331 for information on the 802.1x fields. Table 72 Configuration > Network > Interface > WLAN > Add (WEP Security). LABEL / DESCRIPTION. Encryption: WEP (Wired Equivalent Privacy) provides data encryption to prevent unauthorized wireless stations from accessing data transmitted over the...
  • Page 337: Wlan Add/Edit: Wpa/Wpa2 Security

    Chapter 13 Interfaces The following table describes the WPA-PSK/WPA2-PSK-related wireless LAN security labels. Table 73 Configuration > Network > Interface > WLAN > Add (WPA-PSK, WPA2-PSK, or WPA/WPA2-PSK Security). LABEL / DESCRIPTION. Pre Shared Key: The encryption mechanisms used for WPA and WPA-PSK are the same.
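What the Pre Shared Key field actually protects is worth seeing in code. In WPA-PSK/WPA2-PSK the passphrase entered here is turned into the 256-bit pairwise master key with PBKDF2-HMAC-SHA1, salted with the SSID and iterated 4096 times (IEEE 802.11i); an attacker who captures a client's four-way handshake can test passphrase guesses offline at that cost per guess. The block below is an added example, not ZyXEL's code: it derives the key, checks the 8-63 printable-ASCII passphrase rule, and models the offline guessing loop against a small constructed word list. The test vector (passphrase "password", SSID "IEEE") is the one published in the 802.11 standard.

```python
import hashlib


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK (the PMK for WPA/WPA2-Personal) from the
    passphrase and SSID as specified in IEEE 802.11i:
    PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def recover_passphrase(target_psk: bytes, ssid: str, candidates):
    """Model of the offline dictionary attack an attacker runs against a
    captured handshake: re-derive the PSK for each candidate and compare.
    Each guess costs 4096 HMAC-SHA1 rounds, and because the SSID is the
    salt, a precomputed table is only useful for that exact SSID."""
    for cand in candidates:
        try:
            if wpa_psk(cand, ssid) == target_psk:
                return cand
        except ValueError:
            continue  # candidates outside the 8-63 char rule cannot be the key
    return None


# Constructed word list for the demonstration (not from the manual).
SAMPLE_WORDLIST = ["letmein1", "short", "Summer2010", "password", "zyxel1234"]

if __name__ == "__main__":
    psk = wpa_psk("password", "IEEE")
    print(psk.hex())
    print(recover_passphrase(psk, "IEEE", SAMPLE_WORDLIST))
    # Same passphrase, different SSID: different key, so the table does not transfer
    print(wpa_psk("password", "IEEE") == wpa_psk("password", "OtherNet"))
```

The practical consequence for this screen: the passphrase, not the encryption mode, is what limits an offline attack, so choose a long random one and avoid a default or dictionary word.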
  • Page 338 Chapter 13 Interfaces Figure 281 Configuration > Network > Interface > WLAN > Add (WPA/WPA2 Security) The following table describes the WPA/WPA2-related wireless LAN security labels. Table 74 Configuration > Network > Interface > WLAN > Add (WPA/WPA2 Security). LABEL / DESCRIPTION. Authentication: Select what the ZyWALL uses to authenticate the wireless clients.
  • Page 339: Wlan Interface Mac Filter

    Chapter 13 Interfaces Table 74 Configuration > Network > Interface > WLAN > Add (WPA/WPA2 Security). LABEL / DESCRIPTION. Radius Server Port: Enter the RADIUS server's listening port number (the default is 1812). Radius Server Secret: Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the ZyWALL.
  • Page 340 Chapter 13 Interfaces Figure 282 Network > Interface > WLAN > MAC Filter The following table describes the labels in this screen. Table 75 Configuration > Network > Interface > WLAN > MAC Filter. LABEL / DESCRIPTION. Enable MAC Filter: Select or clear the check box to enable or disable MAC address filtering. Enable MAC address filtering to have the router allow or deny access to wireless stations based on MAC addresses. Because client MAC addresses are sent in the clear in every frame and can be set freely on a client, a MAC filter is a management convenience rather than an access control; rely on WPA2 authentication to keep unauthorized stations off the network.
  • Page 341: Vlan Interfaces

    Chapter 13 Interfaces 13.8 VLAN Interfaces A Virtual Local Area Network (VLAN) divides a physical network into multiple logical networks. The standard is defined in IEEE 802.1Q. Figure 283 Example: Before VLAN In this example, there are two physical networks and three departments A, B, and C.
  • Page 342 Chapter 13 Interfaces • Traffic inside each VLAN is layer-2 communication (data link layer, MAC addresses). It is handled by the switches. As a result, the new switch is required to handle traffic inside VLAN 2. Traffic is only broadcast inside each VLAN, not each physical network.
  • Page 343: Vlan Summary Screen

    Chapter 13 Interfaces 13.8.1 VLAN Summary Screen This screen lists every VLAN interface and virtual interface created on top of VLAN interfaces. To access this screen, click Configuration > Network > Interface > VLAN. Figure 285 Configuration > Network > Interface > VLAN Each field is explained in the following table.
  • Page 344: Vlan Add/Edit

    Chapter 13 Interfaces Table 76 Configuration > Network > Interface > VLAN (continued). LABEL / DESCRIPTION. Mask: This field displays the interface's subnet mask in dot decimal notation. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to return the screen to its last-saved settings. 13.8.2 VLAN Add/Edit This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each VLAN interface.
  • Page 345 Chapter 13 Interfaces Figure 286 Configuration > Network > Interface > VLAN > Edit
  • Page 346 Chapter 13 Interfaces Each field is explained in the following table. Table 77 Configuration > Network > Interface > VLAN > Edit. LABEL / DESCRIPTION. Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
  • Page 347 Chapter 13 Interfaces Table 77 Configuration > Network > Interface > VLAN > Edit (continued). LABEL / DESCRIPTION. Metric: Enter the priority of the gateway (if any) on this interface. The ZyWALL decides which gateway to use based on this priority. The lower the number, the higher the priority.
  • Page 348 Chapter 13 Interfaces Table 77 Configuration > Network > Interface > VLAN > Edit (continued). LABEL / DESCRIPTION. DHCP: Select what type of DHCP service the ZyWALL provides to the network. Choices are: None - the ZyWALL does not provide any DHCP services. There is already a DHCP server on the network.
  • Page 349 Chapter 13 Interfaces Table 77 Configuration > Network > Interface > VLAN > Edit (continued). LABEL / DESCRIPTION. Lease time: Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are: infinite - select this if IP addresses never expire; days, hours, and minutes - select this to enter how long IP...
  • Page 350 Chapter 13 Interfaces Table 77 Configuration > Network > Interface > VLAN > Edit (continued). LABEL / DESCRIPTION. OSPF Setting: See Section 16.3 on page 397 for more information about OSPF. Area: Select the area to which this interface belongs. Select None to disable OSPF on this interface.
  • Page 351: Bridge Interfaces

    Chapter 13 Interfaces 13.9 Bridge Interfaces This section introduces bridges and bridge interfaces and then explains the screens for bridge interfaces. Bridge Overview A bridge creates a connection between two or more network segments at the layer-2 (MAC address) level. In the following example, bridge X connects four network segments.
  • Page 352 Chapter 13 Interfaces If computer B responds to computer A, bridge X records the source address 0B:0B:0B:0B:0B:0B and port 4 in the table. It also looks up 0A:0A:0A:0A:0A:0A in the table and sends the packet to port 2 accordingly. Table 79 Example: Bridge Table After Computer B Responds to Computer A. MAC ADDRESS / PORT. 0A:0A:0A:0A:0A:0A...
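The learning behaviour described over these two pages (record the source address and port, forward to the learned port, otherwise flood) is the whole of a transparent bridge, and it is short enough to simulate. The following is an added example written for this page, not ZyXEL's bridge implementation: it replays the manual's scenario (computer A, 0A:0A:0A:0A:0A:0A on port 2, talking to computer B, 0B:0B:0B:0B:0B:0B on port 4) and shows the table the manual's Table 79 describes. The table-capacity parameter is an assumption for illustration; the manual states no limit.

```python
BROADCAST = "FF:FF:FF:FF:FF:FF"


class LearningBridge:
    """Transparent (learning) bridge: remembers which port each source MAC
    was seen on, forwards frames for known destinations to that one port,
    and floods everything else out of every other port."""

    def __init__(self, ports, max_entries=1024):
        self.ports = list(ports)
        # Assumed capacity, not from the manual: once full, new addresses are
        # not learned and frames to them keep being flooded like a hub.
        self.max_entries = max_entries
        self.table = {}  # MAC address -> port

    def receive(self, in_port, src_mac, dst_mac):
        """Handle one frame arriving on in_port; return the list of ports the
        bridge sends it out on."""
        src, dst = src_mac.upper(), dst_mac.upper()
        # Learn (or refresh, e.g. when a host moves to another port) the source.
        if src in self.table or len(self.table) < self.max_entries:
            self.table[src] = in_port
        out = self.table.get(dst)
        if dst == BROADCAST or out is None or out == in_port:
            # Unknown destination, broadcast, or destination on the arrival
            # segment: send to all other ports, never back where it came from.
            return [p for p in self.ports if p != in_port]
        return [out]


if __name__ == "__main__":
    # Replay of the manual's example with a four-port bridge X.
    x = LearningBridge(ports=[1, 2, 3, 4])
    print(x.receive(2, "0A:0A:0A:0A:0A:0A", "0B:0B:0B:0B:0B:0B"))  # B unknown: flooded to 1, 3, 4
    print(x.receive(4, "0B:0B:0B:0B:0B:0B", "0A:0A:0A:0A:0A:0A"))  # A known: sent to port 2 only
    print(x.table)  # Table 79: A on port 2, B on port 4
```

The first frame floods because the bridge has not yet seen B; the reply is delivered to port 2 alone because A was learned from the first frame, which is exactly the sequence the manual walks through.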
  • Page 353: Bridge Summary

    Chapter 13 Interfaces 13.9.1 Bridge Summary This screen lists every bridge interface and virtual interface created on top of bridge interfaces. To access this screen, click Configuration > Network > Interface > Bridge. Figure 287 Configuration > Network > Interface > Bridge Each field is described in the following table.
  • Page 354: Bridge Add/Edit

    Chapter 13 Interfaces 13.9.2 Bridge Add/Edit This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each bridge interface. To access this screen, click the Add icon at the top of the Add column in the Bridge Summary screen, or click an Edit icon in the Bridge Summary screen.
  • Page 355 Chapter 13 Interfaces Figure 288 Configuration > Network > Interface > Bridge > Add
  • Page 356 Chapter 13 Interfaces Each field is described in the table below. Table 82 Configuration > Network > Interface > Bridge > Edit. LABEL / DESCRIPTION. Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
  • Page 357 Chapter 13 Interfaces Table 82 Configuration > Network > Interface > Bridge > Edit (continued). LABEL / DESCRIPTION. Gateway: This field is enabled if you select Use Fixed IP Address. Enter the IP address of the gateway. The ZyWALL sends packets to the gateway when it does not know how to route the packet to its destination.
  • Page 358 Chapter 13 Interfaces Table 82 Configuration > Network > Interface > Bridge > Edit (continued). LABEL / DESCRIPTION. IP Pool Start Address: Enter the IP address from which the ZyWALL begins allocating IP addresses. If you want to assign a static IP address to a specific computer, click Add Static DHCP.
  • Page 359 Chapter 13 Interfaces Table 82 Configuration > Network > Interface > Bridge > Edit (continued). LABEL / DESCRIPTION. Add: Click this to create a new entry. Edit: Select an entry and click this to be able to modify it. Remove: Select an entry and click this to delete it. This field is a sequential value, and it is not associated with a specific entry.
  • Page 360: Auxiliary Interface

    Chapter 13 Interfaces 13.10 Auxiliary Interface This section introduces the auxiliary interface and then explains the screen for it. 13.10.1 Auxiliary Interface Overview Use the auxiliary interface to dial out from the ZyWALL’s auxiliary port. For example, you might use this interface as a backup WAN interface. You have to connect an external modem to the ZyWALL’s auxiliary port to use the auxiliary interface.
  • Page 361 Chapter 13 Interfaces Figure 289 Configuration > Network > Interface > Auxiliary Each field is described in the table below. Table 83 Configuration > Network > Interface > Auxiliary. LABEL / DESCRIPTION. General Settings. Enable Interface: Select this to turn on the auxiliary dial-up interface. The interface does not dial out, however, unless it is part of a trunk and load-balancing conditions are satisfied.
  • Page 362: Virtual Interfaces

    Chapter 13 Interfaces Table 83 Configuration > Network > Interface > Auxiliary (continued). LABEL / DESCRIPTION. Phone Number: Enter the phone number to dial here. You can use 1-20 digits, commas (,), or plus signs (+). Use a comma to pause during dialing. Use a plus sign to tell the external modem to make an international call.
  • Page 363: Virtual Interfaces Add/Edit

    Chapter 13 Interfaces cannot change the MTU. The virtual interface uses the same MTU that the underlying interface uses. Unlike other interfaces, virtual interfaces do not provide DHCP services, and they do not verify that the gateway is available. 13.11.1 Virtual Interfaces Add/Edit This screen lets you configure IP address assignment and interface parameters for virtual interfaces.
  • Page 364: Interface Technical Reference

    Chapter 13 Interfaces Table 84 Configuration > Network > Interface > Add (continued). LABEL / DESCRIPTION. Metric: Enter the priority of the gateway (if any) on this interface. The ZyWALL decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the ZyWALL uses the one that was configured first.
  • Page 365 Chapter 13 Interfaces For example, if the ZyWALL gets a packet with a destination address of 100.100.25.25, it routes the packet to interface ge1. If the ZyWALL gets a packet with a destination address of 200.200.200.200, it routes the packet to interface ge2.
  • Page 366 Chapter 13 Interfaces • Egress bandwidth sets the amount of traffic the ZyWALL sends out through the interface to the network. • Ingress bandwidth sets the amount of traffic the ZyWALL allows in through the interface from the network. If you set the bandwidth restrictions very high, you effectively remove the restrictions.
  • Page 367 Chapter 13 Interfaces • IP address - If the DHCP client’s MAC address is in the ZyWALL’s static DHCP table, the interface assigns the corresponding IP address. If not, the interface assigns IP addresses from a pool, defined by the starting address of the pool and the pool size.
  • Page 368 Chapter 13 Interfaces PPPoE/PPTP Overview Point-to-Point Protocol over Ethernet (PPPoE, RFC 2516) and Point-to-Point Tunneling Protocol (PPTP, RFC 2637) are usually used to connect two computers over phone lines or broadband connections. PPPoE is often used with cable modems and DSL connections. It provides the following advantages: •...
  • Page 369: Trunks

    Chapter 14 Trunks 14.1 Overview Use trunks for WAN traffic load balancing to increase overall network throughput and reliability. Load balancing divides traffic loads between multiple interfaces. This allows you to improve quality of service and maximize bandwidth utilization for multiple ISP links.
  • Page 370: What You Need To Know

    Chapter 14 Trunks 14.1.2 What You Need to Know • Add WAN interfaces to trunks to have multiple connections share the traffic load. • If one WAN interface’s connection goes down, the ZyWALL sends traffic through another member of the trunk. •...
  • Page 371 Chapter 14 Trunks The ZyWALL is using active/active load balancing. So when LAN user A tries to access something on the server, the request goes out through ge3. The server finds that the request comes from ge3’s IP address instead of ge2’s IP address and rejects the request.
  • Page 372 Chapter 14 Trunks Since WAN 2 has a smaller load balancing index (meaning that it is less utilized than WAN 1), the ZyWALL will send the subsequent new session traffic through WAN 2. Table 88 Least Load First Example. INTERFACE / OUTBOUND / LOAD BALANCING INDEX (M/A)...
  • Page 373 Chapter 14 Trunks interface. This fully utilizes the bandwidth of the first interface to reduce Internet usage fees and avoid overloading the interface. In this example figure, the upper threshold of the first interface is set to 800K. The ZyWALL sends network traffic of new sessions that exceed this limit to the secondary WAN interface.
  • Page 374: The Trunk Summary Screen

    Chapter 14 Trunks 14.2 The Trunk Summary Screen Click Configuration > Network > Interface > Trunk to open the Trunk screen. This screen lists the configured trunks and the load balancing algorithm that each is configured to use. Figure 296 Configuration > Network > Interface > Trunk The following table describes the items in this screen.
  • Page 375: Configuring A Trunk

    Chapter 14 Trunks Table 89 Configuration > Network > Interface > Trunk (continued). LABEL / DESCRIPTION. Enable Default SNAT: Select this to have the ZyWALL use the IP address of the outgoing interface as the source IP address of the packets it sends out through its WAN trunks.
  • Page 376 Chapter 14 Trunks Each field is described in the table below. Table 90 Configuration > Network > Interface > Trunk > Add (or Edit). LABEL / DESCRIPTION. Name: This is read-only if you are editing an existing trunk. When adding a new trunk, enter a descriptive name for this trunk.
  • Page 377: Trunk Technical Reference

    Chapter 14 Trunks Table 90 Configuration > Network > Interface > Trunk > Add (or Edit) (continued). LABEL / DESCRIPTION. Weight: This field appears with the weighted round robin load balancing algorithm. Specify the weight (1~10) for the interface. The weights of the different member interfaces form a ratio.
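The three trunk algorithms this chapter describes (least load first on page 372, spillover with the 800K upper threshold on page 373, and the 1~10 weights of weighted round robin in Table 90) are easiest to compare when the session-placement decision is written out. The block below is an added example for this page, not ZyXEL's trunk code: the bandwidth figures are constructed, the M/A index is the measured-over-available ratio the manual names, and each algorithm is fed the same stream of new sessions with the measured load updated after every placement so later decisions see the effect of earlier ones. It generalises the manual's two-interface example to any number of members.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Member:
    name: str
    available_kbps: int                   # available outbound bandwidth (A)
    weight: int = 1                       # 1~10, used only by weighted round robin
    threshold_kbps: Optional[int] = None  # upper threshold, used only by spillover
    measured_kbps: int = 0                # measured outbound load (M)

    def __post_init__(self):
        if not 1 <= self.weight <= 10:
            raise ValueError("weight must be between 1 and 10")

    def load_index(self) -> float:
        """Load balancing index M/A; the smaller, the less utilised the link."""
        return self.measured_kbps / self.available_kbps


def least_load_first(members: List[Member], session_no: int) -> Member:
    # A new session goes to the member with the smallest M/A index.
    return min(members, key=Member.load_index)


def weighted_round_robin(members: List[Member], session_no: int) -> Member:
    # Sessions are dealt in the ratio of the weights: 3 : 1 means three
    # sessions to the first member for every one to the second.
    cycle = [m for m in members for _ in range(m.weight)]
    return cycle[session_no % len(cycle)]


def spillover(members: List[Member], session_no: int) -> Member:
    # Fill members in order: a member keeps taking new sessions until its
    # measured load reaches its upper threshold; the last member catches the rest.
    for m in members[:-1]:
        if m.threshold_kbps is None or m.measured_kbps < m.threshold_kbps:
            return m
    return members[-1]


def place_sessions(algorithm, members: List[Member], session_kbps: List[int]) -> List[str]:
    """Place each new session in turn, adding its bandwidth to the chosen
    member's measured load, and return the names of the interfaces used."""
    chosen = []
    for i, kbps in enumerate(session_kbps):
        m = algorithm(members, i)
        m.measured_kbps += kbps
        chosen.append(m.name)
    return chosen


if __name__ == "__main__":
    # Constructed figures: WAN 1 is the bigger link but already busier (M/A 0.78 vs 0.49).
    wans = [Member("wan1", 10240, weight=3, measured_kbps=8000),
            Member("wan2", 2048, weight=1, measured_kbps=1000)]
    print(place_sessions(least_load_first, wans, [500, 500, 500]))   # wan2, wan2, then wan1
    wans = [Member("wan1", 10240, weight=3), Member("wan2", 2048, weight=1)]
    print(place_sessions(weighted_round_robin, wans, [10] * 5))      # 3 : 1 pattern
    wans = [Member("wan1", 10240, threshold_kbps=800, measured_kbps=600), Member("wan2", 2048)]
    print(place_sessions(spillover, wans, [100] * 4))                # wan1 until 800K, then wan2
```

The least-load run shows the behaviour Table 88 describes: WAN 2 keeps receiving sessions only until its index climbs past WAN 1's, at which point the decision flips. The active/active caveat on page 371 still applies to all three algorithms, since each new session may leave through a different interface and therefore a different source address.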
  • Page 378 Chapter 14 Trunks ZyWALL USG 300 User’s Guide...
  • Page 379: Policy And Static Routes

    Chapter 15 Policy and Static Routes 15.1 Policy and Static Routes Overview Use policy routes and static routes to override the ZyWALL’s default routing behavior in order to send packets through the appropriate interface or VPN tunnel. For example, the next figure shows a computer (A) connected to the ZyWALL’s LAN interface.
  • Page 380: What You Need To Know

    Chapter 15 Policy and Static Routes • Use the Static Route screens (see Section 15.3 on page 389) to list and configure static routes. 15.1.2 What You Need to Know Policy Routing Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet.
  • Page 381 Chapter 15 Policy and Static Routes Policy Routes Versus Static Routes • Policy routes are more flexible than static routes. You can select more criteria for the traffic to match and can also use schedules, NAT, and bandwidth management. • Policy routes are only used within the ZyWALL itself. Static routes can be propagated to other routers using RIP or OSPF.
  • Page 382: Policy Route Screen

    Chapter 15 Policy and Static Routes Finding Out More • See Section 6.5.6 on page 103 for related information on the policy route screens. • See Section 7.14 on page 176 for an example of creating a policy route for using multiple static public WAN IP addresses for LAN to WAN traffic.
  • Page 383 Chapter 15 Policy and Static Routes The following table describes the labels in this screen. Table 91 Configuration > Network > Routing > Policy Route LABEL DESCRIPTION Show Advance Settings / ...: Click this button to display a greater or lesser number of configuration fields.
  • Page 384 Chapter 15 Policy and Static Routes Table 91 Configuration > Network > Routing > Policy Route (continued) LABEL DESCRIPTION DSCP Code This is the DSCP value of incoming packets to which this policy route applies. any means all DSCP values or no DSCP marker. default means traffic with a DSCP value of 0.
  • Page 385: Policy Route Edit Screen

    Chapter 15 Policy and Static Routes 15.2.1 Policy Route Edit Screen Click Configuration > Network > Routing to open the Policy Route screen. Then click the Add or Edit icon to open the Policy Route Edit screen. Use this screen to configure or edit a policy route. Figure 300 Configuration >...
  • Page 386 Chapter 15 Policy and Static Routes Table 92 Configuration > Network > Routing > Policy Route > Edit (continued) LABEL DESCRIPTION Incoming Select where the packets are coming from; any, an interface, a tunnel, an SSL VPN, or the ZyWALL itself. For an interface, a tunnel, or an SSL VPN, you also need to select the individual interface, VPN tunnel, or SSL VPN connection.
  • Page 387 Chapter 15 Policy and Static Routes Table 92 Configuration > Network > Routing > Policy Route > Edit (continued) LABEL DESCRIPTION VPN Tunnel This field displays when you select VPN Tunnel in the Type field. Select a VPN tunnel through which the packets are sent to the remote network that is connected to the ZyWALL directly.
  • Page 388 Chapter 15 Policy and Static Routes Table 92 Configuration > Network > Routing > Policy Route > Edit (continued) LABEL DESCRIPTION Source Network Address Translation: Select none to not use NAT for the route. Select outgoing-interface to use the IP address of the outgoing interface as the source IP address of the packets that match this...
  • Page 389: Ip Static Route Screen

    Chapter 15 Policy and Static Routes Table 92 Configuration > Network > Routing > Policy Route > Edit (continued) LABEL DESCRIPTION Maximum Bandwidth: Specify the maximum bandwidth (from 1 to 1048576) allowed for the route in kbps. If you enter 0 here, there is no bandwidth limitation for the route.
  • Page 390: Static Route Add/Edit Screen

    Chapter 15 Policy and Static Routes The following table describes the labels in this screen. Table 93 Configuration > Network > Routing > Static Route LABEL DESCRIPTION Click this to create a new static route. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
  • Page 391: Policy Routing Technical Reference

    Chapter 15 Policy and Static Routes Table 94 Configuration > Network > Routing > Static Route > Add (continued) LABEL DESCRIPTION Gateway IP Select the radio button and enter the IP address of the next-hop gateway. The gateway is a router or switch on the same segment as your ZyWALL's interface(s).
  • Page 392: Port Triggering

    Chapter 15 Policy and Static Routes following twelve DSCP encodings from AF11 through AF43. The decimal equivalent is listed in brackets. Table 95 Assured Forwarding (AF) Behavior Group (columns: Class 1, Class 2, Class 3, Class 4). Low Drop Precedence: AF11 (10), AF21 (18), AF31 (26), AF41 (34). Medium Drop Precedence...
  • Page 393: Maximize Bandwidth Usage

    Chapter 15 Policy and Static Routes Computer A and game server 1 are connected to each other until the connection is closed or times out. Any other computers (such as B or C) cannot connect to remote server 1 using the same port triggering rule as computer A unless they are using a different next hop (gateway, outgoing interface, VPN tunnel or trunk) from computer A or until the connection is closed or times out.
  • Page 395: Routing Protocols

    Chapter 16 Routing Protocols 16.1 Routing Protocols Overview Routing protocols give the ZyWALL routing information about the network from other routers. The ZyWALL stores this routing information in the routing table it uses to make routing decisions. In turn, the ZyWALL can also use routing protocols to propagate routing information to other routers.
  • Page 396: The Rip Screen

    Chapter 16 Routing Protocols 16.2 The RIP Screen RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a device to exchange routing information with other routers. RIP is a distance-vector routing protocol, and, like most such protocols, it uses hop count to decide which route is the shortest.
  • Page 397: The Ospf Screen

    Chapter 16 Routing Protocols The following table describes the labels in this screen. Table 97 Configuration > Network > Routing Protocol > RIP LABEL DESCRIPTION Authentication: Select the authentication method used in the RIP network. This authentication protects the integrity, but not the confidentiality, of routing updates.
  • Page 398 Chapter 16 Routing Protocols System (AS). OSPF offers some advantages over distance-vector routing protocols like RIP. • OSPF supports variable-length subnet masks, which can be set up to use available IP addresses more efficiently. • OSPF filters and summarizes routing information, which reduces the size of routing tables throughout the network.
  • Page 399 Chapter 16 Routing Protocols Each type of area is illustrated in the following figure. Figure 305 OSPF: Types of Areas This OSPF AS consists of four areas, areas 0-3. Area 0 is always the backbone. In this example, areas 1, 2, and 3 are all connected to it. Area 1 is a normal area. It has routing information about the OSPF AS and networks X and Y.
  • Page 400 Chapter 16 Routing Protocols • An Autonomous System Boundary Router (ASBR) exchanges routing information with routers in networks outside the OSPF AS. This is called redistribution in OSPF. Table 98 OSPF: Redistribution from Other Sources to Each Type of Area SOURCE \ TYPE OF AREA NORMAL NSSA STUB...
  • Page 401: Configuring The Ospf Screen

    Chapter 16 Routing Protocols to logically connect the area to the backbone. This is illustrated in the following example. Figure 307 OSPF: Virtual Link In this example, area 100 does not have a direct connection to the backbone. As a result, you should set up a virtual link on both ABRs in area 10.
  • Page 402 Chapter 16 Routing Protocols Click Configuration > Network > Routing > OSPF to open the following screen. Figure 308 Configuration > Network > Routing > OSPF The following table describes the labels in this screen. See Section 16.3.2 on page for more information as well.
  • Page 403 Chapter 16 Routing Protocols Table 99 Configuration > Network > Routing Protocol > OSPF (continued) LABEL DESCRIPTION Type Select how OSPF calculates the cost associated with routing information from static routes. Choices are: Type 1 and Type 2. Type 1 - cost = OSPF AS cost + external cost (Metric) Type 2 - cost = external cost (Metric);...
  • Page 404: Ospf Area Add/Edit Screen

    Chapter 16 Routing Protocols 16.3.2 OSPF Area Add/Edit Screen The OSPF Area Add/Edit screen allows you to create a new area or edit an existing one. To access this screen, go to the OSPF summary screen (see Section 16.3 on page 397), and click either the Add icon or an Edit icon.
  • Page 405: Virtual Link Add/Edit Screen

    Chapter 16 Routing Protocols Table 100 Configuration > Network > Routing > OSPF > Add (continued) LABEL DESCRIPTION Text Authentication: This field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to 8 characters long.
  • Page 406: Routing Protocol Technical Reference

    Chapter 16 Routing Protocols 404) has the Type set to Normal, a Virtual Link table displays. Click either the Add icon or an entry and the Edit icon to display a screen like the following. Figure 310 Configuration > Network > Routing > OSPF > Add > Add The following table describes the labels in this screen.
  • Page 407 Chapter 16 Routing Protocols Authentication Types Authentication is used to guarantee the integrity, but not the confidentiality, of routing updates. The transmitting router uses its key to compute a shorter message digest (a keyed hash) of the original message, and the digest is transmitted with the original message.
  • Page 409: Zones

    Chapter 17 Zones 17.1 Zones Overview Set up zones to configure network security and network policies in the ZyWALL. A zone is a group of interfaces and/or VPN tunnels. The ZyWALL uses zones instead of interfaces in many security and policy settings, such as firewall rules, Anti-X, and remote management.
  • Page 410: What You Need To Know

    Chapter 17 Zones 17.1.2 What You Need to Know Effects of Zones on Different Types of Traffic Zones effectively divide traffic into three types: intra-zone traffic, inter-zone traffic, and extra-zone traffic, which are affected differently by zone-based security and policy settings. Intra-zone Traffic •...
  • Page 411: The Zone Screen

    Chapter 17 Zones 17.2 The Zone Screen The Zone screen provides a summary of all zones. In addition, this screen allows you to add, edit, and remove zones. To access this screen, click Configuration > Network > Zone. Figure 312 Configuration > Network > Zone The following table describes the labels in this screen.
  • Page 412: Zone Edit

    Chapter 17 Zones 17.3 Zone Edit The Zone Edit screen allows you to add or edit a zone. To access this screen, go to the Zone screen (see Section 17.2 on page 411), and click the Add icon or an Edit icon.
  • Page 413: Ddns

    Chapter 18 DDNS 18.1 DDNS Overview Dynamic DNS (DDNS) services let you use a domain name with a dynamic IP address. 18.1.1 What You Can Do in this Chapter • Use the DDNS screen (see Section 18.2 on page 414) to view a list of the configured DDNS domain names and their details.
  • Page 414: The Ddns Screen

    Chapter 18 DDNS Note: Record your DDNS account’s user name, password, and domain name to use to configure the ZyWALL. After you configure the ZyWALL, it automatically sends updated IP addresses to the DDNS service provider, which helps redirect traffic accordingly. Finding Out More See Section 6.5.9 on page 105 for related information on these screens.
  • Page 415 Chapter 18 DDNS Table 105 Configuration > Network > DDNS (continued) LABEL DESCRIPTION Primary Interface/IP: This field displays the interface to use for updating the IP address mapped to the domain name, followed by how the ZyWALL determines the IP address for the domain name. from interface - The IP address comes from the specified interface.
  • Page 416: The Dynamic Dns Add/Edit Screen

    Chapter 18 DDNS 18.2.1 The Dynamic DNS Add/Edit Screen The DDNS Add/Edit screen allows you to add a domain name to the ZyWALL or to edit the configuration of an existing domain name. Click Configuration > Network > DDNS and then an Add or Edit icon to open this screen. Figure 315 Configuration >...
  • Page 417 Chapter 18 DDNS Table 106 Configuration > Network > DDNS > Add (continued) LABEL DESCRIPTION Username Type the user name used when you registered your domain name. You can use up to 31 alphanumeric characters and the underscore. Spaces are not allowed. For a Dynu DDNS entry, this user name is the one you use for logging into the service, not the name recorded in your personal information in the Dynu website.
  • Page 418 Chapter 18 DDNS Table 106 Configuration > Network > DDNS > Add (continued) LABEL DESCRIPTION IP Address The options available in this field vary by DDNS provider. Interface -The ZyWALL uses the IP address of the specified interface. This option appears when you select a specific interface in the Backup Binding Address Interface field.
  • Page 419: Nat

    Chapter 19 NAT 19.1 NAT Overview NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network, is changed to a different IP address known within another network.
  • Page 420: What You Need To Know

    Chapter 19 NAT 19.1.2 What You Need to Know NAT is also known as virtual server, port forwarding, or port translation. Finding Out More • See Section 6.5.10 on page 105 for related information on these screens. • See Section 19.3 on page 425 for technical background information related to these screens.
  • Page 421 Chapter 19 NAT Table 107 Configuration > Network > NAT (continued) LABEL DESCRIPTION Remove To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate.
  • Page 422: The Nat Add/Edit Screen

    Chapter 19 NAT 19.2.1 The NAT Add/Edit Screen The NAT Add/Edit screen lets you create new NAT rules and edit existing ones. To open this window, open the NAT summary screen. (See Section 19.2 on page 420.) Then, click on an Add icon or Edit icon to open the following screen. Figure 318 Configuration >...
  • Page 423 Chapter 19 NAT Table 108 Configuration > Network > NAT > Add (continued) LABEL DESCRIPTION Classification Select what kind of NAT this rule is to perform. Virtual Server - This makes computers on a private network behind the ZyWALL available to a public network outside the ZyWALL (like the Internet).
  • Page 424 Chapter 19 NAT Table 108 Configuration > Network > NAT > Add (continued) LABEL DESCRIPTION Mapped IP Subnet/Range: This field displays for Many 1:1 NAT. Select to which translated destination IP address subnet or IP address range this NAT rule forwards packets.
  • Page 425: Nat Technical Reference

    Chapter 19 NAT Table 108 Configuration > Network > NAT > Add (continued) LABEL DESCRIPTION Firewall By default the firewall blocks incoming connections from external addresses. After you configure your NAT rule settings, click the Firewall link to configure a firewall rule to allow the NAT rule’s traffic to come in. The ZyWALL checks NAT rules before it applies To-ZyWALL firewall rules, so To-ZyWALL firewall rules do not apply to traffic that is forwarded by NAT rules.
  • Page 426 Chapter 19 NAT For example, a LAN user’s computer at IP address 192.168.1.89 queries a public DNS server to resolve the SMTP server’s domain name (xxx.LAN-SMTP.com in this example) and gets the SMTP server’s mapped public IP address of 1.1.1.1. Figure 319 LAN Computer Queries a Public DNS Server xxx.LAN-SMTP.com = 1.1.1.1 xxx.LAN-SMTP.com = ?
  • Page 427 Chapter 19 NAT SMTP server replied directly to the LAN user without the traffic going through NAT, the source would not match the original destination address which would cause the LAN user’s computer to shut down the session. Figure 321 LAN to LAN Return Traffic Source 192.168.1.21 Source 1.1.1.1 SMTP...
  • Page 429: Http Redirect

    Chapter 20 HTTP Redirect 20.1 Overview HTTP redirect forwards the client’s HTTP request (except HTTP traffic destined for the ZyWALL) to a web proxy server. In the following example, proxy server A is connected to the DMZ interface. When a client connected to the LAN zone wants to open a web page, its HTTP request is redirected to proxy server A first.
  • Page 430: What You Need To Know

    Chapter 20 HTTP Redirect 20.1.2 What You Need to Know Web Proxy Server A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services. A proxy server can act as a firewall or an ALG (application layer gateway) between the private network and the Internet or other networks.
  • Page 431: The Http Redirect Screen

    Chapter 20 HTTP Redirect • an application patrol rule to allow HTTP traffic between ge4 and ge2. • a policy route to forward HTTP traffic from proxy server A to the Internet. Finding Out More See Section 6.5.11 on page 106 for related information on these screens.
  • Page 432: The Http Redirect Edit Screen

    Chapter 20 HTTP Redirect Table 109 Configuration > Network > HTTP Redirect (continued) LABEL DESCRIPTION Port This is the service port number used by the proxy server. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. 20.2.1 The HTTP Redirect Edit Screen Click Network >...
  • Page 435: Alg

    Chapter 21 ALG 21.1 ALG Overview Application Layer Gateway (ALG) allows the following applications to operate properly through the ZyWALL’s NAT. • SIP - Session Initiation Protocol (SIP) - An application-layer protocol that can be used to create voice and multimedia sessions over the Internet. •...
  • Page 436: What You Need To Know

    Chapter 21 ALG 21.1.2 What You Need to Know Application Layer Gateway (ALG), NAT and Firewall The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain NAT un-friendly applications (such as SIP) to operate properly through the ZyWALL’s NAT and firewall.
  • Page 437 Chapter 21 ALG • There should be only one SIP server (total) on the ZyWALL’s private networks. Any other SIP servers must be on the WAN. So for example you could have a Back-to-Back User Agent such as the IPPBX x6004 or an asterisk PBX on the DMZ or on the LAN but not on both.
  • Page 438 Chapter 21 ALG can receive incoming calls from the Internet, LAN IP addresses B and C can still make calls out to the Internet. Figure 327 VoIP Calls from the WAN with Multiple Outgoing Calls VoIP with Multiple WAN IP Addresses With multiple WAN IP addresses on the ZyWALL, you can configure different firewall and NAT (port forwarding) rules to allow incoming calls from each WAN IP address to go to a specific IP address on the LAN (or DMZ).
  • Page 439: Before You Begin

    Chapter 21 ALG • See Section 21.3 on page 441 for ALG background/technical information. 21.1.3 Before You Begin You must also configure the firewall and enable NAT in the ZyWALL to allow sessions initiated from the WAN. 21.2 The ALG Screen Click Configuration >...
  • Page 440 Chapter 21 ALG The following table describes the labels in this screen. Table 111 Configuration > Network > ALG LABEL DESCRIPTION Enable SIP ALG Turn on the SIP ALG to detect SIP traffic and help build SIP sessions through the ZyWALL’s NAT. Enabling the SIP ALG also allows you to use the application patrol to detect SIP traffic and manage the SIP traffic’s bandwidth (see Chapter 32 on page...
  • Page 441: Alg Technical Reference

    Chapter 21 ALG Table 111 Configuration > Network > ALG (continued) LABEL DESCRIPTION Enable FTP ALG Turn on the FTP ALG to detect FTP (File Transfer Protocol) traffic and help build FTP sessions through the ZyWALL’s NAT. Enabling the FTP ALG also allows you to use the application patrol to detect FTP traffic and manage the FTP traffic’s bandwidth (see Chapter 32 on page...
  • Page 442 Chapter 21 ALG connections to the second (passive) interface when the active interface’s connection goes down. When the active interface’s connection fails, the client needs to re-initialize the connection through the second interface (that was set to passive) in order to have the connection go through the second interface. VoIP clients usually re-register automatically at set intervals or the users can manually force them to re-register.
  • Page 443: Ip/Mac Binding

    Chapter 22 IP/MAC Binding 22.1 IP/MAC Binding Overview IP address to MAC address binding helps ensure that only the intended devices get to use privileged IP addresses. The ZyWALL uses DHCP to assign IP addresses and records the MAC address to which it assigned each IP address.
  • Page 444: What You Need To Know

    Chapter 22 IP/MAC Binding 22.1.2 What You Need to Know DHCP IP/MAC address bindings are based on the ZyWALL’s dynamic and static DHCP entries. Interfaces Used With IP/MAC Binding IP/MAC address bindings are grouped by interface. You can use IP/MAC binding with Ethernet, bridge, VLAN, and WLAN interfaces.
  • Page 445: Ip/Mac Binding Edit

    Chapter 22 IP/MAC Binding Table 112 Configuration > Network > IP/MAC Binding > Summary (continued) LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific entry. Status This icon is lit when the entry is active and dimmed when the entry is inactive.
  • Page 446: Static Dhcp Edit

    Chapter 22 IP/MAC Binding Table 113 Configuration > Network > IP/MAC Binding > Edit (continued) LABEL DESCRIPTION Enable Logs for IP/...: Select this option to have the ZyWALL generate a log if a device connected to this interface attempts to use an IP address not assigned by the ZyWALL.
  • Page 447: Ip/Mac Binding Exempt List

    Chapter 22 IP/MAC Binding The following table describes the labels in this screen. Table 114 Configuration > Network > IP/MAC Binding > Edit > Add LABEL DESCRIPTION Interface Name: This field displays the name of the interface within the ZyWALL and the interface’s IP address and subnet mask.
  • Page 448 Chapter 22 IP/MAC Binding Table 115 Configuration > Network > IP/MAC Binding > Exempt List (continued) LABEL DESCRIPTION End IP Enter the last IP address in a range of IP addresses for which the ZyWALL does not apply IP/MAC binding. Add icon Click the Add icon to add a new entry.
  • Page 449: Authentication Policy

    Chapter 23 Authentication Policy 23.1 Overview Use authentication policies to control who can access the network. You can authenticate users (require them to log in) and even perform Endpoint Security (EPS) checking to make sure users’ computers comply with defined corporate policies before they can access the network.
  • Page 450: What You Need To Know

    Chapter 23 Authentication Policy 23.1.2 What You Need to Know Authentication Policy and VPN Authentication policies are applied based on a traffic flow’s source and destination IP addresses. If VPN traffic matches an authentication policy’s source and destination IP addresses, the user must pass authentication. Multiple Endpoint Security Objects You can set an authentication policy to use multiple endpoint security objects.
  • Page 451: Edit

    Chapter 23 Authentication Policy Click Configuration > Auth. Policy to display the screen. Figure 336 Configuration > Auth. Policy The following table gives an overview of the objects you can configure. Table 116 Configuration > Auth. Policy LABEL DESCRIPTION Enable Select this to turn on the authentication policy feature.
  • Page 452: Adding Exceptional Services

    Chapter 23 Authentication Policy Table 116 Configuration > Auth. Policy (continued) LABEL DESCRIPTION Status This icon is lit when the entry is active and dimmed when the entry is inactive. Priority This is the position of the authentication policy in the list. The priority is important as the policies are applied in order of priority.
  • Page 453: Creating/Editing An Authentication Policy

    Chapter 23 Authentication Policy member services are on the right. Select any service that you want to remove from the member list, and click the left arrow button to remove it. Figure 337 Configuration > Auth. Policy > Add Exceptional Service 23.2.2 Creating/Editing an Authentication Policy Click Configuration >...
  • Page 454 Chapter 23 Authentication Policy Figure 338 Configuration > Auth. Policy > Add The following table gives an overview of the objects you can configure. Table 117 Configuration > Auth. Policy > Add LABEL DESCRIPTION Create new Object: Use this to configure any new settings objects that you need to use in this screen.
  • Page 455 Chapter 23 Authentication Policy Table 117 Configuration > Auth. Policy > Add (continued) LABEL DESCRIPTION Schedule Select a schedule that defines when the policy applies. Otherwise, select none and the rule is always effective. This is none and not configurable for the default policy.
  • Page 457: Firewall

    Chapter 24 Firewall 24.1 Overview Use the firewall to block or allow services that use static port numbers. Use application patrol (see Chapter 32 on page 559) to control services using flexible/dynamic port numbers. The firewall can also limit the number of user sessions. This figure shows the ZyWALL’s default firewall rules in action and demonstrates how stateful inspection works.
  • Page 458: What You Need To Know

    Chapter 24 Firewall 24.1.2 What You Need to Know Stateful Inspection The ZyWALL has a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It also inspects sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.
  • Page 459 Chapter 24 Firewall To-ZyWALL Rules Rules with ZyWALL as the To Zone apply to traffic going to the ZyWALL itself. By default: • The firewall allows only LAN, WLAN, or WAN computers to access or manage the ZyWALL. • The ZyWALL drops most packets from the WAN zone to the ZyWALL itself, except for VRRP traffic for Device HA and ESP/AH/IKE/NATT/HTTPS services for VPN tunnels, and generates a log.
  • Page 460: Firewall Rule Example Applications

    Chapter 24 Firewall Firewall and Application Patrol To use a service, make sure both the firewall and application patrol allow the service’s packets to go through the ZyWALL. The ZyWALL checks the firewall rules before the application patrol rules for traffic going through the ZyWALL. Firewall and VPN Traffic After you create a VPN tunnel and add it to a zone, you can set the firewall rules applied to VPN traffic.
  • Page 461 Chapter 24 Firewall the firewall rule to always be in effect. The following figure shows the results of this rule. Figure 340 Blocking All LAN to WAN IRC Traffic Example Your firewall would have the following rules. Table 119 Blocking All LAN to WAN IRC Traffic Example USER SOURCE DESTINATION...
  • Page 462 Chapter 24 Firewall Now you configure a LAN to WAN firewall rule that allows IRC traffic from the IP address of the CEO’s computer (192.168.1.7 for example) to go to any destination address. You do not need to specify a schedule since you want the firewall rule to always be in effect.
  • Page 463: Firewall Rule Configuration Example

    Chapter 24 Firewall • The first row allows any LAN computer to access the IRC service on the WAN by logging into the ZyWALL with the CEO’s user name. • The second row blocks LAN access to the IRC service on the WAN. •...
  • Page 464 Chapter 24 Firewall The screen for configuring a service object opens. Configure it as follows and click Figure 344 Firewall Example: Create a Service Object Select From WAN and To LAN1. Enter the name of the firewall rule. Dest_1 is selected as the Destination and Doom is selected as the Service.
  • Page 465: The Firewall Screen

    Chapter 24 Firewall The firewall rule appears in the firewall rule summary. Figure 346 Firewall Example: Doom Rule in Summary 24.2 The Firewall Screen Asymmetrical Routes If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL’s LAN IP address, return traffic may not go through the ZyWALL.
  • Page 466: Configuring The Firewall Screen

    Chapter 24 Firewall The ZyWALL then sends it to the computer on the LAN in Subnet 1. Figure 347 Using Virtual Interfaces to Avoid Asymmetrical Routes 24.2.1 Configuring the Firewall Screen Click Configuration > Firewall to open the Firewall screen. Use this screen to enable or disable the firewall and asymmetrical routes, set a maximum number of sessions per host, and display the configured firewall rules.
  • Page 467 Chapter 24 Firewall • The ordering of your rules is very important as rules are applied in sequence. Figure 348 Configuration > Firewall The following table describes the labels in this screen. Table 122 Configuration > Firewall LABEL DESCRIPTION General Settings Enable Select this check box to activate the firewall.
  • Page 468 Chapter 24 Firewall Table 122 Configuration > Firewall (continued) LABEL DESCRIPTION From Zone / To Zone: This is the direction of travel of packets. Select from which zone the packets come and to which zone they go. Firewall rules are grouped based on the direction of travel of packets to which they apply.
  • Page 469: The Firewall Add/Edit Screen

    Chapter 24 Firewall Table 122 Configuration > Firewall (continued) LABEL DESCRIPTION Service This displays the service object to which this firewall rule applies. Access This field displays whether the firewall silently discards packets (deny), discards packets and sends a TCP reset packet to the sender (reject) or permits the passage of packets (allow).
  • Page 470: The Session Limit Screen

    Chapter 24 Firewall Table 123 Configuration > Firewall > Add (continued) LABEL DESCRIPTION Description Enter a descriptive name of up to 60 printable ASCII characters for the firewall rule. Spaces are allowed. Schedule Select a schedule that defines when the rule applies. Otherwise, select none and the rule is always effective.
  • Page 471 Chapter 24 Firewall individual limits for specific users, addresses, or both. The individual limit takes priority if you apply both. Figure 350 Configuration > Firewall > Session Limit The following table describes the labels in this screen. Table 124 Configuration > Firewall > Session Limit LABEL DESCRIPTION General...
  • Page 472: The Session Limit Add/Edit Screen

    Chapter 24 Firewall Table 124 Configuration > Firewall > Session Limit (continued) LABEL DESCRIPTION This is the index number of a session limit rule. It is not associated with a specific rule. User This is the user name or user group name to which this session limit rule applies.
  • Page 473 Chapter 24 Firewall Table 125 Configuration > Firewall > Session Limit > Edit (continued) LABEL DESCRIPTION User Select a user name or user group to which to apply the rule. The rule is activated only when the specified user logs into the system and the rule will be disabled when the user logs out.
  • Page 475: Ipsec Vpn

    Chapter 25 IPSec VPN 25.1 IPSec VPN Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing. It is used to transport traffic over the Internet or any insecure network that uses TCP/IP for communication.
  • Page 476: What You Need To Know

    Chapter 25 IPSec VPN • Use the VPN Gateway screens (see Section 25.2.1 on page 480) to manage the ZyWALL’s VPN gateways. A VPN gateway specifies the IPSec routers at either end of a VPN tunnel and the IKE SA settings (phase 1 settings). You can also activate and deactivate each VPN gateway.
  • Page 477 Chapter 25 IPSec VPN Application Scenarios The ZyWALL’s application scenarios make it easier to configure your VPN connection settings. Table 126 IPSec VPN Application Scenarios (columns: SITE-TO-SITE: "Choose this if the ..."; SITE-TO-SITE WITH DYNAMIC PEER: "Choose this if the ..."; REMOTE ACCESS (SERVER ROLE): "Choose this to allow ..."; REMOTE ACCESS (CLIENT ROLE): "Choose this to ...")
  • Page 478: Before You Begin

    Chapter 25 IPSec VPN • See Section 25.5 on page 503 for IPSec VPN background information. • See Section 5.3 on page 81 for the IPSec VPN quick setup wizard. • See Section 7.5 on page 141 for an example of configuring IPSec VPN. •...
  • Page 479 Chapter 25 IPSec VPN SA). Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 354 Configuration > VPN > IPSec VPN > VPN Connection Each field is discussed in the following table.
  • Page 480: The Vpn Connection Add/Edit (Ike) Screen

    Chapter 25 IPSec VPN Table 127 Configuration > VPN > IPSec VPN > VPN Connection (continued) LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific connection. Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
  • Page 481 Chapter 25 IPSec VPN Figure 355 Configuration > VPN > IPSec VPN > VPN Connection > Edit (IKE) ZyWALL USG 300 User’s Guide...
  • Page 482 Chapter 25 IPSec VPN Each field is described in the following table. Table 128 Configuration > VPN > IPSec VPN > VPN Connection > Edit LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields.
  • Page 483 Chapter 25 IPSec VPN Table 128 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL DESCRIPTION Policy Local Policy Select the address corresponding to the local network. Use Create new Object if you need to configure a new one. Remote Policy Select the address corresponding to the remote network.
  • Page 484 Chapter 25 IPSec VPN Table 128 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL DESCRIPTION Encryption This field is applicable when the Active Protocol is ESP. Select which key size and encryption algorithm to use in the IPSec SA. Choices are: NULL - no encryption key or algorithm (integrity only; the payload crosses the network in clear) DES - a 56-bit key with the DES encryption algorithm (brute-forceable; choose an AES option unless the peer cannot do better)...
  • Page 485 Chapter 25 IPSec VPN Table 128 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL DESCRIPTION Check Method Select how the ZyWALL checks the connection. The peer must be configured to respond to the method you select. Select icmp to have the ZyWALL regularly ping the address you specify to make sure traffic can still go through the connection.
  • Page 486 Chapter 25 IPSec VPN Table 128 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL DESCRIPTION Inbound Traffic Source NAT This translation hides the source address of computers in the remote network. Source Select the address object that represents the original source address (or select Create Object to configure a new one).
  • Page 487: The Vpn Connection Add/Edit Manual Key Screen

    Chapter 25 IPSec VPN 25.2.2 The VPN Connection Add/Edit Manual Key Screen The VPN Connection Add/Edit Manual Key screen allows you to create a new VPN connection or edit an existing one using a manual key. This is useful if you have problems with IKE key management.
  • Page 488 Chapter 25 IPSec VPN Table 129 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual Key (continued) LABEL DESCRIPTION Secure Gateway Address Type the IP address of the remote IPSec router in the IPSec SA. SPI Type a unique SPI (Security Parameter Index) between 256 and 4095. The SPI travels in every AH/ESP header and tells the receiver which IPSec SA, and so which keys, apply to the packet; the remote IPSec router must be configured with the matching value.
  • Page 489 Chapter 25 IPSec VPN Table 129 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual Key (continued) LABEL DESCRIPTION Encryption Key This field is applicable when you select an Encryption Algorithm. Enter the encryption key, which depends on the encryption algorithm. DES - type a unique key 8-32 characters long 3DES - type a unique key 24-32 characters long AES128 - type a unique key 16-32 characters long...
  • Page 490: The Vpn Gateway Screen

    Chapter 25 IPSec VPN 25.3 The VPN Gateway Screen The VPN Gateway summary screen displays the IPSec VPN gateway policies in the ZyWALL, as well as the ZyWALL’s address, remote IPSec router’s address, and associated VPN connections for each one. In addition, it also lets you activate and deactivate each VPN gateway.
  • Page 491: The Vpn Gateway Add/Edit Screen

    Chapter 25 IPSec VPN Table 130 Configuration > VPN > IPSec VPN > VPN Gateway (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. 25.3.1 The VPN Gateway Add/Edit Screen The VPN Gateway Add/Edit screen allows you to create a new VPN gateway policy or edit an existing one.
  • Page 492 Chapter 25 IPSec VPN Figure 358 Configuration > VPN > IPSec VPN > VPN Gateway > Edit ZyWALL USG 300 User’s Guide...
  • Page 493 Chapter 25 IPSec VPN Each field is described in the following table. Table 131 Configuration > VPN > IPSec VPN > VPN Gateway > Edit LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields.
  • Page 494 Chapter 25 IPSec VPN Table 131 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION Pre-Shared Key Select this to have the ZyWALL and remote IPSec router use a pre-shared key (password) to identify each other when they negotiate the IKE SA.
  • Page 495 Chapter 25 IPSec VPN Table 131 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION Content This field is read-only if the ZyWALL and remote IPSec router use certificates to identify each other. Type the identity of the ZyWALL during authentication.
  • Page 496 Chapter 25 IPSec VPN Table 131 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION Content This field is disabled if the Peer ID Type is Any. Type the identity of the remote IPSec router during authentication. The identity depends on the Peer ID Type.
  • Page 497 Chapter 25 IPSec VPN Table 131 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION Negotiation Mode Select the negotiation mode to use to negotiate the IKE SA. Choices are: Main - this encrypts the ZyWALL’s and remote IPSec router’s identities but takes more time to establish the IKE SA; Aggressive - this is faster but does not encrypt the identities. With pre-shared key authentication, aggressive mode also sends the hash derived from the pre-shared key in clear, which lets an eavesdropper run an offline dictionary attack against a weak key; use main mode wherever the peer supports it and a long random key otherwise. The ZyWALL and the remote IPSec router must use the same...
  • Page 498 Chapter 25 IPSec VPN Table 131 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION NAT Traversal Select this if any of these conditions are satisfied. • This IKE SA might be used to negotiate IPSec SAs that use ESP as the active protocol.
  • Page 499: Vpn Concentrator

    Chapter 25 IPSec VPN 25.4 VPN Concentrator A VPN concentrator combines several IPSec VPN connections into one secure network. Figure 359 VPN Topologies (Fully Meshed and Hub and Spoke) In a fully-meshed VPN topology (1 in the figure), there is a VPN connection between every pair of routers.
  • Page 500 Chapter 25 IPSec VPN • Branch office A’s ZyWALL uses one VPN rule to access both the headquarters (HQ) network and branch office B’s network. • Branch office B’s ZyWALL uses one VPN rule to access branch office A’s network only.
  • Page 501 Chapter 25 IPSec VPN VPN Connection (VPN Tunnel 1): • Local Policy: 192.168.1.0/255.255.255.0 • Remote Policy:192.168.11.0/255.255.255.0 • Disable Policy Enforcement VPN Gateway (VPN Tunnel 2): • My Address: 10.0.0.1 • Peer Gateway Address: 10.0.0.3 VPN Connection (VPN Tunnel 2): • Local Policy: 192.168.1.0/255.255.255.0 •...
  • Page 502: Vpn Concentrator Screen

    Chapter 25 IPSec VPN • The local IP addresses configured in the VPN rules should not overlap. • The concentrator must have at least one separate VPN rule for each spoke. In the local policy, specify the IP addresses of the networks with which the spoke is to be able to have a VPN tunnel.
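The concentrator requirements listed on these pages (one separate rule per spoke, policy enforcement disabled, no overlapping networks) as a pre-flight check. This is an added example, not ZyXEL code or a feature of the ZyWALL; the HQ and branch A networks follow the page's example, while branch B's network, the rule field names and the wording of the reported problems are this example's own constructions.

```python
# Added example (not ZyXEL code): configuration checks for a hub-and-spoke
# VPN concentrator as pages 499-502 describe it. The HQ and branch A networks
# follow the page's example; branch B's network, the rule field names and the
# checks' wording are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import combinations


@dataclass(frozen=True)
class HubRule:
    name: str
    local_policy: tuple[str, ...]     # networks the spoke may reach through the hub
    remote_policy: str                # the spoke's own network
    policy_enforcement: bool = False  # must stay disabled on concentrator rules


def overlapping(networks: list[str]) -> list[tuple[str, str]]:
    """Every pair of networks that overlap; the page says VPN rule networks must not."""
    nets = [ip_network(n) for n in networks]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


def concentrator_problems(hq: str, rules: list[HubRule], spokes: dict[str, str]) -> list[str]:
    """Return the configuration problems found; an empty list means the checks passed."""
    problems: list[str] = []
    covered = {r.remote_policy for r in rules}
    for name, net in spokes.items():             # one separate rule per spoke
        if net not in covered:
            problems.append(f"spoke {name} ({net}) has no concentrator rule")
    for r in rules:
        if r.policy_enforcement:
            problems.append(f"rule {r.name}: policy enforcement must be disabled")
        if r.remote_policy in r.local_policy:    # a spoke must not be told to reach itself
            problems.append(f"rule {r.name}: spoke network listed in its own local policy")
    for a, b in overlapping([hq, *spokes.values()]):
        problems.append(f"networks overlap: {a} and {b}")
    return problems


# Constructed sample following page 500: A may reach HQ and B, B may reach A only.
HQ = "192.168.1.0/24"
SPOKES = {"A": "192.168.11.0/24", "B": "192.168.12.0/24"}
RULES = [
    HubRule("to_A", (HQ, SPOKES["B"]), SPOKES["A"]),
    HubRule("to_B", (SPOKES["A"],), SPOKES["B"]),
]
```

Run `concentrator_problems(HQ, RULES, SPOKES)` before applying a concentrator change; an overlap between a spoke and HQ or between two spokes is the error that is hardest to see from the individual VPN rule screens, because each rule looks correct on its own.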
  • Page 503: Ipsec Vpn Background Information

    Chapter 25 IPSec VPN Concentrator summary screen (see Section 25.4 on page 499), and click either the Add icon or an Edit icon. Figure 362 Configuration > VPN > IPSec VPN > Concentrator > Edit Each field is described in the following table. Table 133 VPN >...
  • Page 504: Ike Sa Overview

    Chapter 25 IPSec VPN IKE SA Overview The IKE SA provides a secure connection between the ZyWALL and remote IPSec router. It takes several steps to establish an IKE SA. The negotiation mode determines how many. There are two negotiation modes--main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster.
  • Page 505 Chapter 25 IPSec VPN The ZyWALL sends one or more proposals to the remote IPSec router. (In some devices, you can only set up one proposal.) Each proposal consists of an encryption algorithm, authentication algorithm, and DH key group that the ZyWALL wants to use in the IKE SA.
  • Page 506 Chapter 25 IPSec VPN the longer the key agreement takes to compute. For example, DH2 keys (1024 bits) are more secure than DH1 keys (768 bits), but the DH2 exchange takes longer to compute; both groups are below the 2048-bit groups current guidance recommends, so pick the largest group the peer supports. Authentication Before the ZyWALL and remote IPSec router establish an IKE SA, they have to verify each other’s identity.
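The proposal exchange described above, written out: the ZyWALL offers a list of proposals, the remote router picks the first one it finds acceptable, and the order of the list therefore decides what the tunnel ends up using. This is an added example, not ZyXEL code; the proposal field names, the sample offers and the weakness checks are this example's own, while the DH1 and DH2 modulus sizes are the ones the page quotes.

```python
# Added example (not ZyXEL code): how a responder picks one of the proposals an
# initiator offers (page 505) and a pre-flight check for weak settings. Proposal
# field names and the sample offers are constructed; the DH1/DH2 modulus sizes
# are the ones the page quotes.
from dataclasses import dataclass
from typing import Optional

DH_BITS = {"DH1": 768, "DH2": 1024}  # page 506


@dataclass(frozen=True)
class Proposal:
    encryption: str      # "NULL", "DES", "3DES", "AES128", "AES192", "AES256"
    authentication: str  # "MD5" or "SHA1"
    dh_group: str        # "DH1" or "DH2"


def select_proposal(offered: list[Proposal], acceptable: set[Proposal]) -> Optional[Proposal]:
    """Responder behaviour as the page describes it: the first proposal in the
    initiator's list that the responder also accepts wins; None means no IKE SA.
    Because the initiator's order decides, list the strongest proposal first."""
    for p in offered:
        if p in acceptable:
            return p
    return None


def weaknesses(p: Proposal) -> list[str]:
    """Settings to flag before a tunnel goes into production."""
    notes: list[str] = []
    if p.encryption == "NULL":
        notes.append("NULL: no confidentiality")
    elif p.encryption == "DES":
        notes.append("DES: 56-bit key, brute-forceable")
    if p.authentication == "MD5":
        notes.append("MD5: deprecated hash")
    bits = DH_BITS.get(p.dh_group)
    if bits is not None and bits < 2048:
        notes.append(f"{p.dh_group}: {bits}-bit group, below the 2048-bit groups current guidance recommends")
    return notes


def negotiate(offered: list[Proposal], acceptable: set[Proposal]) -> tuple[Optional[Proposal], list[str]]:
    """Select a proposal and report what a reviewer would flag about the result."""
    chosen = select_proposal(offered, acceptable)
    if chosen is None:
        return None, ["no common proposal; IKE SA not established"]
    return chosen, weaknesses(chosen)
```

The second assertion in the test is the one to remember: offering the legacy proposal first on a device that "can only set up one proposal" on the far side silently downgrades the whole tunnel even though a stronger proposal was also offered.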
  • Page 507 Chapter 25 IPSec VPN Router identity consists of ID type and content. The ID type can be domain name, IP address, or e-mail address, and the content is a (properly-formatted) domain name, IP address, or e-mail address. The content is only used for identification. Any domain name or e-mail address that you enter does not have to actually exist.
  • Page 508 Chapter 25 IPSec VPN Negotiation Mode There are two negotiation modes--main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster. Main mode takes six steps to establish an IKE SA. Steps 1 - 2: The ZyWALL sends its proposals to the remote IPSec router. The remote IPSec router selects an acceptable proposal and sends it back to the ZyWALL.
  • Page 509 Chapter 25 IPSec VPN feature, router X and router Y can establish a VPN tunnel as long as the active protocol is ESP. (See Active Protocol on page 510 for more information about active protocols.) If router A does not have an IPSec pass-thru, you can solve this problem by enabling NAT traversal, which wraps the ESP packets in UDP so that the NAT device can rewrite the outer addresses and ports. NAT traversal does not help AH: the AH integrity check covers the IP addresses that the NAT device rewrites, so AH packets fail verification after any address translation, and the active protocol must be ESP whenever a NAT device sits on the path.
  • Page 510: Ipsec Sa Overview

    Chapter 25 IPSec VPN • The local and peer ID type and content come from the certificates. Note: You must set up the certificates for the ZyWALL and remote IPSec router first. IPSec SA Overview Once the ZyWALL and remote IPSec router have established the IKE SA, they can securely negotiate an IPSec SA through which to send data between computers on the networks.
  • Page 511 Chapter 25 IPSec VPN These modes are illustrated below. Figure 367 VPN: Transport and Tunnel Mode Encapsulation. Original packet: IP header | TCP header | data. Transport mode packet: IP header | AH/ESP header | TCP header | data. Tunnel mode packet: new IP header | AH/ESP header | original IP header | TCP header | data.
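Figure 367's two layouts built at byte level, together with the reason (from the NAT traversal discussion on page 509) that a NAT device on the path breaks AH but not ESP: the AH integrity check covers the outer addresses, the ESP check does not. This is an added example and not ZyXEL code; the addresses, the key, the SPI and the 8-byte header framing are constructed simplifications, and the payload is left in clear where real ESP would encrypt it.

```python
# Added example (not ZyXEL code): the Figure 367 packet layouts built at byte
# level, plus a demonstration of why a NAT device on the path breaks AH but not
# ESP (page 509). Addresses, the key and the 8-byte AH/ESP framing are
# constructed simplifications; real ESP also encrypts the payload, which this
# layout-only model leaves in clear.
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

PROTO_TCP, PROTO_ESP, PROTO_AH = 6, 50, 51


def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; the checksum is left zero for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def ipsec_header(spi: int, seq: int) -> bytes:
    return struct.pack("!II", spi, seq)  # SPI + sequence number (simplified AH/ESP framing)


def encapsulate(orig: bytes, mode: str, proto: int, outer_src: str, outer_dst: str, spi: int) -> bytes:
    hdr = ipsec_header(spi, 1)
    if mode == "transport":  # IP header | AH/ESP header | TCP header | data
        ip, payload = orig[:20], orig[20:]
        ip = ip[:9] + bytes([proto]) + ip[10:]  # protocol field now says AH/ESP
        return ip + hdr + payload
    if mode == "tunnel":     # new IP header | AH/ESP header | original IP header | TCP header | data
        outer = ipv4_header(outer_src, outer_dst, proto, 20 + len(hdr) + len(orig))
        return outer + hdr + orig
    raise ValueError(f"unknown mode {mode}")


def integrity_scope(pkt: bytes, proto: int) -> bytes:
    """Bytes the integrity check covers: AH includes the outer source and
    destination addresses (immutable IP header fields); ESP covers only the
    AH/ESP header and what follows it."""
    if proto == PROTO_AH:
        return pkt[12:20] + pkt[20:]
    return pkt[20:]


def icv(pkt: bytes, proto: int, key: bytes) -> bytes:
    return hmac.new(key, integrity_scope(pkt, proto), hashlib.sha256).digest()


def nat_rewrite_source(pkt: bytes, new_src: str) -> bytes:
    """What a NAT device does to the outer header on the way out."""
    return pkt[:12] + IPv4Address(new_src).packed + pkt[16:]


def survives_nat(mode: str, proto: int, key: bytes = b"constructed-demo-key") -> bool:
    """Does the receiver's integrity check still pass after NAT rewrote the source?"""
    orig = ipv4_header("192.168.1.10", "192.168.11.20", PROTO_TCP, 45) + b"\x00" * 20 + b"hello"
    pkt = encapsulate(orig, mode, proto, "10.0.0.1", "10.0.0.3", 0x100)
    tag = icv(pkt, proto, key)                       # computed by the sender
    natted = nat_rewrite_source(pkt, "203.0.113.7")  # NAT on the path
    return hmac.compare_digest(tag, icv(natted, proto, key))
```

In tunnel mode the original IP header sits behind the AH/ESP header, which is why the inner addresses (the local and remote policy networks) never appear on the outer packet; in transport mode only the protocol field of the original header changes.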
  • Page 512 Chapter 25 IPSec VPN Additional Topics for IPSec SA This section provides more information about IPSec SA in your ZyWALL. IPSec SA using Manual Keys You might set up an IPSec SA using manual keys when you want to establish a VPN tunnel quickly, for example, for troubleshooting.
  • Page 513 Chapter 25 IPSec VPN Each kind of translation is explained below. The following example is used to help explain each one. Figure 368 VPN Example: NAT for Inbound and Outbound Traffic Source Address in Outbound Packets (Outbound Traffic, Source NAT) This translation lets the ZyWALL route packets from computers that are not part of the specified local network (local policy) through the IPSec SA.
  • Page 514 Chapter 25 IPSec VPN • SNAT - the translated source address; a different IP address (range of addresses) to hide the original source address. Destination Address in Inbound Packets (Inbound Traffic, Destination NAT) You can set up this translation if you want the ZyWALL to forward some packets from the remote network to a specific computer in the local network.
  • Page 517: Ssl Vpn

    Chapter 26 SSL VPN 26.1 Overview Use SSL VPN to allow users to use a web browser for secure remote user login (the remote users do not need a VPN router or VPN client software). 26.1.1 What You Can Do in this Chapter •...
  • Page 518 Chapter 26 SSL VPN You do not have to install additional client software on the remote user computers for access. Figure 369 Network Access Mode: Reverse Proxy Full Tunnel Mode In full tunnel mode, a virtual connection is created for remote users with private IP addresses in the same subnet as the local network.
  • Page 519 Chapter 26 SSL VPN changes through the SSL policies that use the object(s). When you delete an SSL policy, the objects are not removed. Table 136 Objects OBJECT OBJECT DESCRIPTION TYPE SCREEN User Accounts User Configure a user account or user group to which you want Account/ to apply this SSL access policy.
  • Page 520: The Ssl Access Privilege Screen

    Chapter 26 SSL VPN 26.2 The SSL Access Privilege Screen Click VPN > SSL VPN to open the Access Privilege screen. This screen lists the configured SSL access policies. Figure 371 VPN > SSL VPN > Access Privilege The following table describes the labels in this screen. Table 137 VPN >...
  • Page 521 Chapter 26 SSL VPN Table 137 VPN > SSL VPN > Access Privilege LABEL DESCRIPTION Apply Click Apply to save the settings. Reset Click Reset to discard all changes. ZyWALL USG 300 User’s Guide...
  • Page 522: The Ssl Access Policy Add/Edit Screen

    Chapter 26 SSL VPN 26.2.1 The SSL Access Policy Add/Edit Screen To create a new or edit an existing SSL access policy, click the Add or Edit icon in the Access Privilege screen. Figure 372 VPN > SSL VPN > Access Privilege > Add/Edit ZyWALL USG 300 User’s Guide...
  • Page 523 Chapter 26 SSL VPN The following table describes the labels in this screen. Table 138 VPN > SSL VPN > Access Privilege > Add/Edit LABEL DESCRIPTION Create new Use to configure any new settings objects that you need to use in this Object screen.
  • Page 524: The Ssl Global Setting Screen

    Chapter 26 SSL VPN Table 138 VPN > SSL VPN > Access Privilege > Add/Edit (continued) LABEL DESCRIPTION SSL Application The Selectable Application Objects list displays the name(s) of the List (Optional) SSL application(s) you can select for this SSL access policy. To associate an SSL application to this SSL access policy, select a name and click >>...
  • Page 525: Ssl Vpn

    ZyWALL’s DDNS entries. You can specify up to two domain names so you could use one domain name for each of two WAN ports. Do not include the host. For example, www.zyxel.com is a fully qualified domain name where “www” is the host; so you would just use “zyxel.com”.
  • Page 526: How To Upload A Custom Logo

    Upload Click Upload to transfer the specified graphic file from your computer to the ZyWALL. Reset Logo to Default Click Reset Logo to Default to display the ZyXEL company logo on the remote user’s web browser. Apply Click Apply to save the changes and/or start the logo file upload process.
  • Page 527: Establishing An Ssl Vpn Connection

    Chapter 26 SSL VPN The following shows an example logo on the remote user screen. Figure 374 Example Logo Graphic Display 26.4 Establishing an SSL VPN Connection After you have configured the SSL VPN settings on the ZyWALL, use the ZyWALL login screen’s SSL VPN button to establish an SSL VPN connection.
  • Page 528 Chapter 26 SSL VPN SSL VPN connection starts. This may take several minutes depending on your network connection. Once the connection is up, you should see the client portal screen. The following shows an example. Figure 376 SSL VPN Client Portal Screen Example If the user account is not set up for SSL VPN access, an “SSL VPN connection is not activated”...
  • Page 531: Ssl User Screens

    Chapter 27 SSL User Screens 27.1 Overview This chapter introduces the remote user SSL VPN screens. The following figure shows a network example where a remote user (A) logs into the ZyWALL from the Internet to access the web server (WWW) on the local network. Figure 377 Network Example Internet 27.1.1 What You Need to Know...
  • Page 532: Remote User Login

    Chapter 27 SSL User Screens System Requirements Here are the browser and computer system requirements for remote user access. • Windows 7 (32 or 64-bit), Vista (32 or 64-bit), 2003 (32-bit), XP (32-bit), or 2000 (32-bit) • Internet Explorer 7 and above or Firefox 1.5 and above •...
  • Page 533 Chapter 27 SSL User Screens Open a web browser and enter the web site address or IP address of the ZyWALL. For example, “http://sslvpn.mycompany.com”. Figure 378 Enter the Address in a Web Browser Click OK or Yes if a security screen displays. Figure 379 Login Security Screen A login screen displays.
  • Page 534 Chapter 27 SSL User Screens Your computer starts establishing a secure connection to the ZyWALL after a successful login. This may take up to two minutes. If you get a message about needing Java, download and install it and restart your browser and re-login. If a certificate warning screen displays, click OK, Yes or Continue. A warning is expected only while the ZyWALL still presents its factory self-signed certificate; compare the certificate’s fingerprint with the one shown in the ZyWALL’s certificate screens before accepting it, and install a certificate issued by a CA the client trusts so that a later warning signals a real problem rather than routine.
  • Page 535 Chapter 27 SSL User Screens The ZyWALL tries to install the SecuExtender client. You may need to click a pop- up to get your browser to allow this. In Internet Explorer, click Install. Figure 383 SecuExtender Blocked by Internet Explorer The ZyWALL tries to run the “ssltun”...
  • Page 536 Chapter 27 SSL User Screens 10 If a screen like the following displays, click Continue Anyway to finish installing the SecuExtender client on your computer. This is Windows’ unsigned-driver prompt; the installer arrives over the connection you just opened, so confirm you are talking to the intended ZyWALL before accepting. Figure 386 Hardware Installation Warning 11 The Application screen displays showing the list of resources available to you. Figure 387 on page 537 for a screen example.
  • Page 537: The Ssl Vpn User Screens

    Chapter 27 SSL User Screens 27.3 The SSL VPN User Screens This section describes the main elements in the remote user screens. Figure 387 Remote User Screen The following table describes the various parts of a remote user screen. Table 140 Remote User Screen Overview DESCRIPTION Click on a menu tab to go to the Application or File Sharing screen.
  • Page 538: Bookmarking The Zywall

    Chapter 27 SSL User Screens 27.4 Bookmarking the ZyWALL You can create a bookmark of the ZyWALL by clicking the Add to Favorite icon. This allows you to access the ZyWALL using the bookmark without having to enter the address every time. In any remote user screen, click the Add to Favorite icon.
  • Page 539 Chapter 27 SSL User Screens An information screen displays to indicate that the SSL VPN connection is about to terminate. Figure 390 Logout: Connection Termination Progress ZyWALL USG 300 User’s Guide...
  • Page 541: Ssl User Application Screens

    Chapter 28 SSL User Application Screens 28.1 SSL User Application Screens Overview Use the Application screen to access web-based applications (such as web sites and e-mail) on the network through the SSL VPN connection. Which applications you can access depends on the ZyWALL’s configuration.
  • Page 543: Ssl User File Sharing

    Chapter 29 SSL User File Sharing 29.1 Overview The File Sharing screen lets you access files on a file server through the SSL VPN connection. 29.1.1 What You Need to Know Use the File Sharing screen to display and access shared files/folders on a file server.
  • Page 544: The Main File Sharing Screen

    Chapter 29 SSL User File Sharing 29.2 The Main File Sharing Screen The first File Sharing screen displays the name(s) of the shared folder(s) available. The following figure shows an example with one file share. Figure 392 File Sharing 29.3 Opening a File or Folder You can open a file if the file extension is recognized by the web browser and the associated application is installed on your computer.
  • Page 545 Chapter 29 SSL User File Sharing If an access user name and password are required, a screen displays as shown in the following figure. Enter the account information and click Login to continue. Figure 393 File Sharing: Enter Access User Name and Password ZyWALL USG 300 User’s Guide...
  • Page 546: Downloading A File

    Chapter 29 SSL User File Sharing A list of files/folders displays. Click on a file to open it in a separate browser window. You can also click a folder to access it. For this example, click on a .doc file to open the Word document. Figure 394 File Sharing: Open a Word File 29.3.1 Downloading a File You are prompted to download a file which cannot be opened using a web browser.
  • Page 547: Saving A File

    Chapter 29 SSL User File Sharing 29.3.2 Saving a File After you have opened a file in a web browser, you can save a copy of the file by clicking File > Save As and following the on-screen instructions. Figure 395 File Sharing: Save a Word File 29.4 Creating a New Folder To create a new folder in the file share location, click the New Folder icon.
  • Page 548: Renaming A File Or Folder

    Chapter 29 SSL User File Sharing 29.5 Renaming a File or Folder To rename a file or folder, click the Rename icon next to the file/folder. Figure 397 File Sharing: Rename A popup window displays. Specify the new name and/or file extension in the field provided.
  • Page 549: Uploading A File

    Chapter 29 SSL User File Sharing 29.7 Uploading a File Follow the steps below to upload a file to the file server. Log into the remote user screen and click the File Sharing tab. Specify the location and/or name of the file you want to upload. Or click Browse to locate it.
  • Page 551: Zywall Secuextender

    Chapter 30 ZyWALL SecuExtender The ZyWALL automatically loads the ZyWALL SecuExtender client program to your computer after a successful login. The ZyWALL SecuExtender lets you: • Access servers, remote desktops and manage files as if you were on the local network.
  • Page 552: Statistics

    Chapter 30 ZyWALL SecuExtender 30.2 Statistics Right-click the ZyWALL SecuExtender icon in the system tray and select Status to open the Status screen. Use this screen to view the ZyWALL SecuExtender’s statistics. Figure 401 ZyWALL SecuExtender Status The following table describes the labels in this screen. Table 141 ZyWALL SecuExtender Statistics LABEL DESCRIPTION...
  • Page 553: View Log

    Chapter 30 ZyWALL SecuExtender Table 141 ZyWALL SecuExtender Statistics LABEL DESCRIPTION Transmitted This is how many bytes and packets the computer has sent through the SSL VPN connection. Received This is how many bytes and packets the computer has received through the SSL VPN connection.
  • Page 554: Stop The Connection

    30.6 Uninstalling the ZyWALL SecuExtender Do the following if you need to remove the ZyWALL SecuExtender. Click start > All Programs > ZyXEL > ZyWALL SecuExtender > Uninstall. In the confirmation screen, click Yes. Figure 403 Uninstalling the ZyWALL SecuExtender Confirmation Windows uninstalls the ZyWALL SecuExtender.
  • Page 555: L2Tp Vpn

    Chapter 31 L2TP VPN 31.1 Overview L2TP VPN lets remote users use the L2TP and IPSec client software included with their computers’ operating systems to securely connect to the network behind the ZyWALL. The remote users do not need their own IPSec gateways or VPN client software.
  • Page 556 Chapter 31 L2TP VPN • Use transport mode. • Not be a manual key VPN connection. • Use Pre-Shared Key authentication. • Use a VPN gateway with the Secure Gateway set to 0.0.0.0 if you need to allow L2TP VPN clients to connect from more than one IP address. Using the Default L2TP VPN Connection Default_L2TP_VPN_Connection is pre-configured to be convenient to use for L2TP VPN.
  • Page 557: L2Tp Vpn Screen

    Chapter 31 L2TP VPN Finding Out More • See Section 6.5.17 on page 109 for related information on these screens. • See Chapter 8 on page 185 for an example of how to create a basic L2TP VPN tunnel. 31.2 L2TP VPN Screen Click Configuration >...
  • Page 558 Chapter 31 L2TP VPN Table 142 Configuration > VPN > IPSec VPN > VPN Connection (continued) LABEL DESCRIPTION VPN Connection Select the IPSec VPN connection the ZyWALL uses for L2TP VPN. All of the configured VPN connections display here, but the one you use must meet the requirements listed in IPSec Configuration Required for L2TP VPN on page...
  • Page 559: Application Patrol

    Chapter 32 Application Patrol 32.1 Overview Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, HTTP and FTP) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP), and streaming (RTSP) applications.
  • Page 560: What You Need To Know

    Chapter 32 Application Patrol 32.1.2 What You Need to Know If you want to use a service, make sure both the firewall and application patrol allow the service’s packets to go through the ZyWALL. Note: The ZyWALL checks firewall rules before it checks application patrol rules for traffic going through the ZyWALL.
  • Page 561 Chapter 32 Application Patrol numbers for SIP traffic. Likewise, configuring the SIP ALG to use custom port numbers for SIP traffic also configures application patrol to use the same port numbers for SIP traffic. DiffServ and DSCP Marking QoS is used to prioritize source-to-destination traffic flows. All packets in the same flow are given the same priority.
  • Page 562 Chapter 32 Application Patrol • The outbound traffic flows from the connection initiator to the connection responder. • The inbound traffic flows from the connection responder to the connection initiator. For example, a LAN to WAN connection is initiated from LAN and goes to the WAN. •...
  • Page 563 Chapter 32 Application Patrol • Inbound traffic is limited to 500 kbps. The connection initiator is on the LAN so inbound means the traffic traveling from the WAN to the LAN. Figure 409 LAN to WAN, Outbound 200 kbps, Inbound 500 kbps...
  • Page 564 Chapter 32 Application Patrol outgoing speed of 1000 kbps. You configure policy A for server A’s traffic and policy B for server B’s traffic. Figure 410 Bandwidth Management Behavior (1000 kbps link) Configured Rate Effect In the following table the configured rates total less than the available bandwidth and maximize bandwidth usage is disabled, so both servers get their configured rate.
  • Page 565: Application Patrol Bandwidth Management Examples

    Chapter 32 Application Patrol So server A gets its configured rate of 300 kbps plus 250 kbps for a total of 550 kbps. Server B gets its configured rate of 200 kbps plus 250 kbps for a total of 450 kbps. Table 145 Maximize Bandwidth Usage Effect POLICY CONFIGURED RATE...
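The arithmetic behind Tables 144 and 145, and the inbound/outbound definitions from page 562, as a function a reader can try with other rates. This is an added example, not ZyXEL code: the policy names and the 300/200 kbps rates follow the page's server A and server B, but handing spare bandwidth to the highest-priority policies first and splitting it equally among policies of equal priority is this example's modelling assumption (the page only shows the equal-priority case), and the behaviour when configured rates exceed the link is not modelled.

```python
# Added example (not ZyXEL code): the bandwidth-management arithmetic from
# Tables 144/145 (pages 564-565) and the traffic-direction rule from page 562.
# Policy names and rates follow the page's server A/B example; giving spare
# bandwidth to higher-priority policies first, split equally among equal
# priorities, is this example's modelling assumption (the page shows only the
# equal case). Oversubscription is rejected rather than modelled.
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    rate_kbps: int     # configured (guaranteed) rate for this direction
    priority: int = 1  # 1 (highest) .. 7 (lowest), as on the policy edit screen


def direction(initiator_zone: str, src_zone: str) -> str:
    """Outbound flows from the connection initiator to the responder; inbound
    flows back to the initiator (page 562)."""
    return "outbound" if src_zone == initiator_zone else "inbound"


def allocate(policies: list[Policy], link_kbps: int, maximize: bool) -> dict[str, int]:
    """kbps each policy may use when every policy has traffic to send."""
    total = sum(p.rate_kbps for p in policies)
    if total > link_kbps:
        raise ValueError(f"configured rates ({total} kbps) exceed the link ({link_kbps} kbps)")
    alloc = {p.name: p.rate_kbps for p in policies}  # every policy gets its configured rate
    if not maximize:
        return alloc                                  # Table 144: nothing borrows
    spare = link_kbps - total                         # unused bandwidth to lend out
    best = min(p.priority for p in policies)          # smallest number = highest priority
    winners = [p for p in policies if p.priority == best]
    share, remainder = divmod(spare, len(winners))    # equal split among equal priorities
    for i, p in enumerate(winners):
        alloc[p.name] += share + (1 if i < remainder else 0)
    return alloc
```

With the page's numbers the spare 500 kbps is shared 250/250 (Table 145); give server A priority 1 and server B priority 2 and, under this example's assumption, A takes the whole 500 kbps while B keeps only its guaranteed 200 kbps, which is the behaviour you want for SIP traffic and the behaviour you must plan for when FTP sits at the lowest priority.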
  • Page 566: Sip Any To Wan Bandwidth Management Example

    Chapter 32 Application Patrol • HTTP traffic needs to be given priority over FTP traffic. • FTP traffic from the WAN to the DMZ must be limited so it does not interfere with SIP and HTTP traffic. • FTP traffic from the LAN to the DMZ can use more bandwidth since the interfaces support up to 1 Gbps connections, but it must be the lowest priority and limited so it does not interfere with SIP and HTTP traffic.
  • Page 567: Sip Wan To Any Bandwidth Management Example

    Chapter 32 Application Patrol • Enable maximize bandwidth usage so the SIP traffic can borrow unused bandwidth. Figure 412 SIP Any to WAN Bandwidth Management Example Outbound: 200 kbps Inbound: 200 kbps 32.1.3.3 SIP WAN to Any Bandwidth Management Example You also create a policy for calls coming in from the SIP server on the WAN.
  • Page 568: Ftp Wan To Dmz Bandwidth Management Example

    Chapter 32 Application Patrol 32.1.3.5 FTP WAN to DMZ Bandwidth Management Example • ADSL supports more downstream than upstream so you allow remote users 300 kbps for uploads to the DMZ FTP server (outbound) but only 100 kbps for downloads (inbound). •...
  • Page 569: Application Patrol General Screen

    Chapter 32 Application Patrol 32.2 Application Patrol General Screen Use this screen to enable and disable application patrol. It also lists the registration status and details about the signature set the ZyWALL is using. Note: You must register for the IDP/AppPatrol signature service (at least the trial) before you can use it.
  • Page 570: Application Patrol Applications

    Chapter 32 Application Patrol Table 147 Configuration > App Patrol > General (continued) LABEL DESCRIPTION Enable Highest Bandwidth ... Select this to maximize the throughput of SIP traffic to improve SIP-based VoIP call sound quality. This has the ZyWALL immediately send SIP traffic upon identifying it.
  • Page 571: The Application Patrol Edit Screen

    Chapter 32 Application Patrol Click Configuration > App Patrol > Common to open the following screen. Figure 417 Configuration > App Patrol > Common The following table describes the labels in this screen. See Section 32.3.1 on page for more information as well. Table 148 Configuration >...
  • Page 572 Chapter 32 Application Patrol Streaming screen and click an application’s Edit icon. The screen displayed here is for the MSN instant messenger service. Figure 418 Application Edit The following table describes the labels in this screen. Table 149 Application Edit LABEL DESCRIPTION Service...
  • Page 573 Chapter 32 Application Patrol Table 149 Application Edit (continued) LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific entry. Note: The ZyWALL checks ports in the order they appear in the list. While this sequence does not affect the functionality, you might improve the performance of the ZyWALL by putting more commonly used ports at the top of the list.
  • Page 574 Chapter 32 Application Patrol Table 149 Application Edit (continued) LABEL DESCRIPTION Access This field displays what the ZyWALL does with packets for this application that match this policy. forward - the ZyWALL routes the packets for this application. Drop - the ZyWALL does not route the packets for this application and does not notify the client of its decision.
  • Page 575: The Application Patrol Policy Edit Screen

    Chapter 32 Application Patrol Table 149 Application Edit (continued) LABEL DESCRIPTION Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. 32.3.2 The Application Patrol Policy Edit Screen The Application Policy Edit screen allows you to edit a group of settings for an application.
  • Page 576 Chapter 32 Application Patrol Table 150 Application Policy Edit (continued) LABEL DESCRIPTION Schedule Select a schedule that defines when the policy applies or select Create Object to configure a new one (see Chapter 43 on page 759 for details). Otherwise, select none to make the policy always effective. User Select a user name or user group to which to apply the policy.
  • Page 577 Chapter 32 Application Patrol Table 150 Application Policy Edit (continued) LABEL DESCRIPTION Action Block For some applications, you can select individual uses of the application that the policy will have the ZyWALL block. These fields only apply when Access is set to forward. Login - Select this option to block users from logging in to a server for this application.
  • Page 578: The Other Applications Screen

    Chapter 32 Application Patrol Table 150 Application Policy Edit (continued) LABEL DESCRIPTION Priority This field displays when the inbound or outbound bandwidth management is not set to 0. Enter a number between 1 and 7 to set the priority for this application’s traffic that matches this policy. The smaller the number, the higher the priority.
  • Page 579 Chapter 32 Application Patrol Click AppPatrol > Other to open the Other (applications) screen. Figure 420 AppPatrol > Other The following table describes the labels in this screen. See Section 32.4.1 on page for more information as well. Table 151 AppPatrol > Other LABEL DESCRIPTION Click this to create a new entry.
  • Page 580 Chapter 32 Application Patrol Table 151 AppPatrol > Other (continued) LABEL DESCRIPTION Destination This is the destination address or address group for whom this policy applies. If any displays, the policy is effective for every destination. Protocol This is the protocol of the traffic to which this policy applies. Access This field displays what the ZyWALL does with packets that match this policy.
  • Page 581: The Other Applications Add/Edit Screen

    Chapter 32 Application Patrol Table 151 AppPatrol > Other (continued) LABEL DESCRIPTION Select whether to have the ZyWALL generate a log (log), log and alert (log alert) or neither (no) when traffic matches this policy. See Chapter 51 on page 877 for more on logs.
  • Page 582 Chapter 32 Application Patrol Table 152 AppPatrol > Other > Edit (continued) LABEL DESCRIPTION Schedule Select a schedule that defines when the policy applies or select Create Object to configure a new one (see Chapter 43 on page 759 for details). Otherwise, select any to make the policy always effective.
  • Page 583 Chapter 32 Application Patrol Table 152 AppPatrol > Other > Edit (continued) LABEL DESCRIPTION Inbound kbps: Type how much inbound bandwidth, in kilobits per second, this policy allows the traffic to use. Inbound refers to the traffic the ZyWALL sends to a connection’s initiator.
  • Page 584 Chapter 32 Application Patrol Table 152 AppPatrol > Other > Edit (continued) LABEL DESCRIPTION Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL USG 300 User’s Guide...
  • Page 585: Anti-Virus

    Chapter 33 Anti-Virus 33.1 Overview Use the ZyWALL’s anti-virus feature to protect your connected network from virus/spyware infection. The ZyWALL checks traffic going in the direction(s) you specify for signature matches. In the following figure the ZyWALL is set to check traffic coming from the WAN zone (which includes two interfaces) to the LAN zone.
  • Page 586: What You Need To Know

    Registration screen. After the trial expires, you need to purchase an iCard for the anti-virus engine you want to use and register it in the Registration > Service screen. You must use the ZyXEL anti-virus iCard for the ZyXEL anti-virus engine and the Kaspersky anti-virus iCard for the Kaspersky anti-virus engine. See Chapter 11 on page 283 for details.
  • Page 587 Chapter 33 Anti-Virus If the packets are not session connection setup packets (such as SYN, ACK and FIN), the ZyWALL records the sequence of the packets. The scanning engine checks the contents of the packets for viruses. If a virus pattern is matched, the ZyWALL removes the infected portion of the file along with the rest of the file.
  • Page 588: Before You Begin

    Chapter 33 Anti-Virus 33.1.3 Before You Begin • Before using anti-virus, see Chapter 11 on page 283 for how to register for the anti-virus service. • You may need to customize the zones (in the Network > Zone) used for the anti-virus scanning direction.
  • Page 589 Chapter 33 Anti-Virus The following table describes the labels in this screen. Table 153 Configuration > Anti-X > Anti-Virus > General LABEL DESCRIPTION Show Advance Settings / Hide: Click this button to display a greater or lesser number of configuration fields.
  • Page 590 Information: The following fields display information on the current signature set that the ZyWALL is using. Anti-Virus Engine Type: This field displays whether the ZyWALL is set to use ZyXEL’s anti-virus engine or the one powered by Kaspersky. Upgrading the ZyWALL to firmware version 2.11 and updating the anti-virus signatures automatically upgrades the ZyXEL anti-virus engine to v2.0.
  • Page 591: Anti-Virus Policy Add Or Edit Screen

    Chapter 33 Anti-Virus 33.2.1 Anti-Virus Policy Add or Edit Screen Click the Add or Edit icon in the Configuration > Anti-X > Anti-Virus > General screen to display the configuration screen as shown next. Figure 424 Configuration > Anti-X > Anti-Virus > General > Add The following table describes the labels in this screen.
  • Page 592 Chapter 33 Anti-Virus Table 154 Configuration > Anti-X > Anti-Virus > General > Add (continued) LABEL DESCRIPTION Actions When Matched Destroy infected file: When you select this check box, if a virus pattern is matched, the ZyWALL overwrites the infected portion of the file (and the rest of the file) with zeros.
  • Page 593: Anti-Virus Black List

    Chapter 33 Anti-Virus Table 154 Configuration > Anti-X > Anti-Virus > General > Add (continued) LABEL DESCRIPTION Destroy compressed files that could not be decompressed: Select this check box to have the ZyWALL delete any ZIP files that it is not able to unzip. Note: When you select this option, the ZyWALL deletes ZIP files that use password encryption.
  • Page 594: Anti-Virus Black List Or White List Add/Edit

    Chapter 33 Anti-Virus The following table describes the labels in this screen. Table 155 Configuration > Anti-X > Anti-Virus > Black/White List > Black List LABEL DESCRIPTION Enable Black List: Select this check box to log and delete files with names that match the black list patterns.
  • Page 595: Anti-Virus White List

    Chapter 33 Anti-Virus The following table describes the labels in this screen. Table 156 Configuration > Anti-X > Anti-Virus > Black/White List > Black List (or White List) > Add LABEL DESCRIPTION Enable If this is a black list entry, select this option to have the ZyWALL apply this entry when using the black list.
  • Page 596: Signature Searching

    Chapter 33 Anti-Virus column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 427 Configuration > Anti-X > Anti-Virus > Black/White List > White List The following table describes the labels in this screen. Table 157 Configuration >...
  • Page 597 Chapter 33 Anti-Virus If Internet Explorer opens a warning screen about a script making Internet Explorer run slowly and the computer possibly becoming unresponsive, just click No to continue. Click a column’s heading cell to sort the table entries by that column’s criteria.
  • Page 598 Chapter 33 Anti-Virus The following table describes the labels in this screen. Table 158 Configuration > Anti-X > Anti-Virus > Signature LABEL DESCRIPTION Signatures Select the criteria on which to perform the search. Search Select By Name from the drop down list box and type the name or part of the name of the signature(s) you want to find.
  • Page 599: Anti-Virus Technical Reference

    Chapter 33 Anti-Virus 33.7 Anti-Virus Technical Reference Types of Computer Viruses The following table describes some of the common computer viruses. Table 159 Common Computer Virus Types TYPE DESCRIPTION File Infector This is a small program that embeds itself in a legitimate program. A file infector is able to copy and attach itself to other programs that are executed on an infected computer.
  • Page 600 Chapter 33 Anti-Virus A host-based anti-virus (HAV) scanner is often software installed on computers and/or servers in the network. It inspects files for virus patterns as they are moved in and out of the hard drive. However, host-based anti-virus scanners cannot eliminate all viruses for a number of reasons: •...
  • Page 601: Idp

    Chapter 34 IDP 34.1 Overview This chapter introduces packet inspection IDP (Intrusion Detection and Prevention), IDP profiles, binding an IDP profile to a traffic flow, custom signatures and updating signatures. An IDP system can detect malicious or suspicious packets and respond instantaneously.
  • Page 602: Before You Begin

    Chapter 34 IDP IDP Profiles An IDP profile is a set of related IDP signatures that you can activate as a set and configure common log and action settings. You can apply IDP profiles to traffic flowing from one zone to another. For example, apply the default LAN_IDP profile to any traffic going to the LAN zone in order to protect your LAN computers.
  • Page 603: The Idp General Screen

    Chapter 34 IDP 34.2 The IDP General Screen Click Configuration > Anti-X > IDP > General to open this screen. Use this screen to turn IDP on or off, bind IDP profiles to traffic directions, and view registration and signature information. Note: You must register in order to use packet inspection signatures.
  • Page 604 Chapter 34 IDP Table 160 Configuration > Anti-X > IDP > General (continued) LABEL DESCRIPTION Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate.
  • Page 605: Introducing Idp Profiles

    Chapter 34 IDP Table 160 Configuration > Anti-X > IDP > General (continued) LABEL DESCRIPTION Current Version: This field displays the IDP signature set version number. This number gets larger as the set is enhanced. Signature Number: This field displays the number of IDP signatures in this set. This number usually gets larger as the set is enhanced.
  • Page 606: Base Profiles

    Chapter 34 IDP 34.3.1 Base Profiles The ZyWALL comes with several base profiles. You use base profiles to create new profiles. In the Configuration > Anti-X > IDP > Profile screen, click Add to display the following screen. Figure 430 Base Profiles The following table describes this screen.
  • Page 607: The Profile Summary Screen

    Chapter 34 IDP Table 161 Base Profiles (continued) BASE PROFILE DESCRIPTION This profile is most suitable for networks containing your servers. Signatures for common services such as DNS, FTP, HTTP, ICMP, IMAP, MISC, NETBIOS, POP3, RPC, RSERVICE, SMTP, SNMP, SQL, TELNET, Oracle, MySQL are enabled.
  • Page 608: Creating New Profiles

    Chapter 34 IDP Table 162 Configuration > Anti-X > IDP > Profile (continued) LABEL DESCRIPTION Name This is the name of the profile you created. Base Profile This is the base profile from which the profile was created. 34.5 Creating New Profiles You may want to create a new profile if not all signatures in a base profile are applicable to your network.
  • Page 609: Profiles: Packet Inspection

    Chapter 34 IDP 34.6 Profiles: Packet Inspection Select Configuration > Anti-X > IDP > Profile and then add a new profile or edit an existing one. Packet inspection signatures examine the contents of a packet for malicious data. They operate at layer 4 to layer 7. 34.6.1 Profile >...
  • Page 610 Chapter 34 IDP The following table describes the fields in this screen. Table 163 Configuration > Anti-X > IDP > Profile > Group View LABEL DESCRIPTION Name This is the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 611 Chapter 34 IDP Table 163 Configuration > Anti-X > IDP > Profile > Group View (continued) LABEL DESCRIPTION Action To edit what action the ZyWALL takes when a packet matches a signature, select the signature and use the Action icon. none: Select this action on an individual signature or a complete service group to have the ZyWALL take no action when a packet matches the signature(s).
  • Page 612: Policy Types

    Chapter 34 IDP Table 163 Configuration > Anti-X > IDP > Profile > Group View (continued) LABEL DESCRIPTION These are the log options. To edit this, select an item and use the Log icon. Action This is the action the ZyWALL should take when a packet matches a signature here.
  • Page 613: Idp Service Groups

    Chapter 34 IDP Table 164 Policy Types (continued) POLICY TYPE DESCRIPTION Scan A scan describes the action of searching a network for an exposed service. An attack may then occur once a vulnerability has been found. Scans occur on several network levels. A network scan occurs at layer-3.
  • Page 614: Profile > Query View Screen

    Chapter 34 IDP Table 165 IDP Service Groups (continued): SNMP, SMTP, RSERVICES, POP3, POP2, ORACLE, NNTP, NETBIOS, MYSQL, MISC_EXPLOIT, MISC_DDOS, MISC_BACKDOOR, MISC, IMAP, ICMP, FINGER. The following figure shows the WEB_PHP service group that contains signatures related to attacks on web servers using PHP exploits. PHP (PHP: Hypertext Preprocessor) is a server-side HTML embedded scripting language that allows web developers to build dynamic websites.
  • Page 615 Chapter 34 IDP signatures by criteria such as name, ID, severity, attack type, vulnerable attack platforms, service category, log options or actions. Figure 434 Configuration > Anti-X > IDP > Profile: Query View The following table describes the fields specific to this screen’s query view. Table 166 Configuration >...
  • Page 616 Chapter 34 IDP Table 166 Configuration > Anti-X > IDP > Profile: Query View (continued) LABEL DESCRIPTION Severity Search for signatures by severity level(s). Hold down the [Ctrl] key if you want to make multiple selections. These are the severities as defined in the ZyWALL. The number in brackets is the number you use if using commands.
  • Page 617: Query Example

    Chapter 34 IDP 34.6.5 Query Example This example shows a search with these criteria: • Severity: severe and high • Attack Type: DDoS • Platform: Windows 2000 and Windows XP computers • Service: Any
  • Page 618 Chapter 34 IDP • Actions: Any Figure 435 Query Example Search Criteria Figure 436 Query Example Search Results
  • Page 619: Introducing Idp Custom Signatures

    Chapter 34 IDP 34.7 Introducing IDP Custom Signatures Create custom signatures for new attacks or attacks peculiar to your network. Custom signatures can also be saved to, and loaded from, your computer so that you can share them with others. You need some knowledge of packet headers and attack types to create your own custom signatures.
  • Page 620: Configuring Custom Signatures

    Chapter 34 IDP Table 167 IP v4 Packet Headers (continued) HEADER DESCRIPTION Time To Live This is a counter that decrements every time it passes through a router. When it reaches zero, the datagram is discarded. It is used to prevent accidental routing loops. Protocol The protocol indicates the type of transport packet being carried, for example, 1 = ICMP;...
  • Page 621 Chapter 34 IDP Note: The ZyWALL checks all signatures and continues searching even after a match is found. If two or more rules have conflicting actions for the same packet, then the ZyWALL applies the more restrictive action (reject-both, reject-receiver or reject-sender, drop, none in this order).
  • Page 622: Creating Or Editing A Custom Signature

    Chapter 34 IDP Table 168 Configuration > Anti-X > IDP > Custom Signatures (continued) LABEL DESCRIPTION Customer Signature Rule Importing: Use this part of the screen to import custom signatures (previously saved to your computer) to the ZyWALL. Note: The name of the complete custom signature file on the ZyWALL is ‘custom.rules’.
  • Page 623 Chapter 34 IDP Try to write signatures that target a vulnerability, for example a certain type of traffic on certain operating systems, instead of a specific exploit. Figure 439 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit
  • Page 624 Chapter 34 IDP The following table describes the fields in this screen. Table 169 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit LABEL DESCRIPTION Name Type the name of your custom signature. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 625 Chapter 34 IDP Table 169 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit (continued) LABEL DESCRIPTION Fragmentation A fragmentation flag identifies whether the IP datagram should be fragmented, not fragmented or is a reserved bit. Some intrusions can be identified by this flag.
  • Page 626 Chapter 34 IDP Table 169 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit (continued) LABEL DESCRIPTION Flow If selected, the signature only applies to certain directions of the traffic flow and only to clients or servers. Select Flow and then select the identifying options.
  • Page 627 Chapter 34 IDP Table 169 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit (continued) LABEL DESCRIPTION Payload Size This field may be used to check for abnormally sized packets or for detecting buffer overflows. Select the check box, then select Equal, Smaller or Greater and then type the payload size.
  • Page 628: Custom Signature Example

    Chapter 34 IDP Table 169 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit (continued) LABEL DESCRIPTION Click this button to save your changes to the ZyWALL and return to the summary screen. Cancel Click this button to return to the summary screen without saving any changes.
  • Page 629 Chapter 34 IDP 34.8.2.2 Analyze Packets Use the packet capture screen (see Section 53.3 on page 907) and a packet analyzer (also known as a network or protocol analyzer) such as Wireshark or Ethereal to investigate some more. Figure 440 DNS Query Packet Details From the details about DNS query you see that the protocol is UDP and the port is 53.
  • Page 630: Applying Custom Signatures

    Chapter 34 IDP The final custom signature should look as shown in the following figure. Figure 441 Example Custom Signature 34.8.3 Applying Custom Signatures After you create your custom signature, it becomes available in the IDP service group category in the Configuration > Anti-X > IDP > Profile > Edit screen. Custom signatures have an SID from 9000000 to 9999999.
  • Page 631: Verifying Custom Signatures

    Chapter 34 IDP You can activate the signature, configure what action to take when a packet matches it and if it should generate a log or alert in a profile. Then bind the profile to a zone. Figure 442 Example: Custom Signature in IDP Profile 34.8.4 Verifying Custom Signatures Configure the signature to create a log when traffic matches the signature.
  • Page 632: Idp Technical Reference

    Chapter 34 IDP destination port is the service port (53 for DNS in this case) that the attack tries to exploit. Figure 443 Custom Signature Log 34.9 IDP Technical Reference This section contains some background information on IDP. Host Intrusions The goal of host-based intrusions is to infiltrate files on an individual computer or server with the goal of accessing confidential information or destroying information on a computer.
  • Page 633 Chapter 34 IDP Network Intrusions Network-based intrusions have the goal of bringing down a network or networks by attacking computer(s), switch(es), router(s) or modem(s). If a LAN switch is compromised for example, then the whole LAN is compromised. Host-based intrusions may be used to cause network-based intrusions when the goal of the host virus is to propagate attacks on the network, or attack computer/server operating system vulnerabilities with the goal of bringing down the computer/ server.
  • Page 634 Chapter 34 IDP Table 170 ZyWALL - Snort Equivalent Terms (continued) ZYWALL TERM / SNORT EQUIVALENT TERM: Same IP / sameip; Transport Protocol / Transport Protocol: TCP (In Snort rule header); Port / (In Snort rule header); Flow / flow; Flags / flags; Sequence Number; Ack Number; Window Size / window; Transport Protocol: UDP / (In Snort rule header); Port...
  • Page 637: Adp

    Chapter 35 ADP 35.1 Overview This chapter introduces ADP (Anomaly Detection and Prevention), anomaly profiles and applying an ADP profile to a traffic direction. ADP protects against anomalies based on violations of protocol standards (RFCs – Requests for Comments) and abnormal flows such as port scans.
  • Page 638: Before You Begin

    Chapter 35 ADP Protocol Anomalies Protocol anomalies are packets that do not comply with the relevant RFC (Request For Comments). Protocol anomaly detection includes HTTP Inspection, TCP Decoder, UDP Decoder and ICMP Decoder. Protocol anomaly rules may be updated when you upload new firmware. ADP Profile An ADP profile is a set of traffic anomaly rules and protocol anomaly rules that you can activate as a set and configure common log and action settings.
  • Page 639: The Adp General Screen

    Chapter 35 ADP 35.2 The ADP General Screen Click Configuration > Anti-X > ADP > General. Use this screen to turn anomaly detection on or off and apply anomaly profiles to traffic directions. Figure 444 Configuration > Anti-X > ADP > General The following table describes the labels in this screen.
  • Page 640: The Profile Summary Screen

    Chapter 35 ADP Table 171 Configuration > Anti-X > ADP > General (continued) LABEL DESCRIPTION From, To This is the direction of travel of packets to which an anomaly profile is bound. Traffic direction is defined by the zone the traffic is coming from and the zone the traffic is going to.
  • Page 641: Base Profiles

    Chapter 35 ADP 35.3.1 Base Profiles The ZyWALL comes with base profiles. You use base profiles to create new profiles. In the Configuration > Anti-X > ADP > Profile screen, click Add to display the following screen. Figure 445 Base Profiles These are the default base profiles at the time of writing.
  • Page 642: Creating New Adp Profiles

    Chapter 35 ADP The following table describes the fields in this screen. Table 173 Anti-X > ADP > Profile LABEL DESCRIPTION Click this to create a new entry. Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it.
  • Page 643 Chapter 35 ADP belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Traffic Anomaly tab. Figure 447 Profiles: Traffic Anomaly
  • Page 644 Chapter 35 ADP The following table describes the fields in this screen. Table 174 Configuration > ADP > Profile > Traffic Anomaly LABEL DESCRIPTION Name This is the name of the ADP profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 645: Protocol Anomaly Profiles

    Chapter 35 ADP Table 174 Configuration > ADP > Profile > Traffic Anomaly (continued) LABEL DESCRIPTION Name This is the name of the traffic anomaly rule. Click the Name column heading to sort in ascending or descending order according to the rule name.
  • Page 646 Chapter 35 ADP Figure 448 Profiles: Protocol Anomaly
  • Page 647 Chapter 35 ADP The following table describes the fields in this screen. Table 175 Configuration > ADP > Profile > Protocol Anomaly LABEL DESCRIPTION Name This is the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 648 Chapter 35 ADP Table 175 Configuration > ADP > Profile > Protocol Anomaly (continued) LABEL DESCRIPTION Action To edit what action the ZyWALL takes when a packet matches a signature, select the signature and use the Action icon. original setting: Select this action to return each signature in a service group to its previously saved configuration.
  • Page 649: Adp Technical Reference

    Chapter 35 ADP Table 175 Configuration > ADP > Profile > Protocol Anomaly (continued) LABEL DESCRIPTION Click OK to save your settings to the ZyWALL, complete the profile and return to the profile summary page. Cancel Click Cancel to return to the profile summary page without saving any changes.
  • Page 650 Chapter 35 ADP Decoy Port Scans Decoy port scans are scans where the attacker has spoofed the source address. These are some decoy scan types: • TCP Decoy Portscan • UDP Decoy Portscan • IP Decoy Portscan Distributed Port Scans Distributed port scans are many-to-one port scans.
  • Page 651 Chapter 35 ADP • ICMP Filtered Portsweep • TCP Filtered Distributed Portscan • UDP Filtered Distributed Portscan • IP Filtered Distributed Portscan Flood Detection Flood attacks saturate a network with useless data, use up all available bandwidth, and therefore make communications in the network impossible. ICMP Flood Attack An ICMP flood sends many pings (or UDP packets) to a system so that the sheer volume of data slows it down or locks it up.
  • Page 652 Chapter 35 ADP the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established. Figure 450 TCP Three-Way Handshake A SYN flood attack is when an attacker sends a series of SYN packets. Each packet causes the receiver to reply with a SYN-ACK response. The receiver then waits for the ACK that follows the SYN-ACK, and stores all outstanding SYN-ACK responses on a backlog queue.
  • Page 653 Chapter 35 ADP UDP Flood Attack UDP is a connection-less protocol and it does not require any connection setup procedure to transfer data. A UDP flood attack is possible when an attacker sends a UDP packet to a random port on the victim system. When the victim system receives a UDP packet, it will determine what application is waiting on the destination port.
  • Page 654 Chapter 35 ADP Table 176 HTTP Inspection and TCP/UDP/ICMP Decoders (continued) LABEL DESCRIPTION DOUBLE-ENCODING ATTACK: This rule is IIS specific. IIS does two passes through the request URI, doing decodes in each one. In the first pass, IIS encoding (UTF-8 unicode, ASCII, bare byte, and %u) is done.
  • Page 655 Chapter 35 ADP Table 176 HTTP Inspection and TCP/UDP/ICMP Decoders (continued) LABEL DESCRIPTION WEBROOT-DIRECTORY-TRAVERSAL ATTACK: This is when a directory traversal traverses past the web server root directory. This generates much fewer false positives than the directory option, because it doesn’t alert on directory traversals that stay within the web server directory structure.
  • Page 656 Chapter 35 ADP Table 176 HTTP Inspection and TCP/UDP/ICMP Decoders (continued) LABEL DESCRIPTION TRUNCATED-HEADER ATTACK: This is when an ICMP packet is sent which has an ICMP datagram length of less than the ICMP header length. This may cause some applications to crash. TRUNCATED-TIMESTAMP-HEADER...: This is when an ICMP packet is sent which has an ICMP...
  • Page 659: Content Filtering

    Chapter 36 Content Filtering 36.1 Overview Use the content filtering feature to control access to specific web sites or web content. 36.1.1 What You Can Do in this Chapter • Use the General screens (Section 36.2 on page 661) to configure global content filtering settings, configure content filtering policies, and check the content filtering license status.
  • Page 660 URL. For example, with the URL www.zyxel.com.tw/news/pressroom.php, the domain name is www.zyxel.com.tw. The file path is the characters that come after the first slash in the URL. For example, with the URL www.zyxel.com.tw/news/pressroom.php, the file path is news/pressroom.php.
  • Page 661: Before You Begin

    For example, with the URL www.zyxel.com.tw/news/pressroom.php, the ZyWALL would find “tw” in the domain name (www.zyxel.com.tw). It would also find “news” in the file path (news/pressroom.php) but it would not find “tw/news”.
  • Page 662: Content Filtering

    Chapter 36 Content Filtering your list of content filter policies, create a denial of access message or specify a redirect URL and check your external web filtering service registration status. Figure 452 Configuration > Anti-X > Content Filter > General The following table describes the labels in this screen.
  • Page 663: Content Filtering

    Chapter 36 Content Filtering Table 177 Configuration > Anti-X > Content Filter > General (continued) LABEL DESCRIPTION Move To change an entry’s position in the numbered list, select it and click Move to display a field to type a number for where you want to put that entry and press [ENTER] to move the entry to the number that you typed.
  • Page 664: Content Filter Policy Add Or Edit Screen

    Chapter 36 Content Filtering Table 177 Configuration > Anti-X > Content Filter > General (continued) LABEL DESCRIPTION License Status This read-only field displays the status of your content-filtering database service registration. Not Licensed displays if you have not successfully registered and activated the service.
  • Page 665 Chapter 36 Content Filtering filter policy. A content filter policy defines which content filter profile should be applied, when it should be applied, and to whose web access it should be applied. Figure 453 Configuration > Anti-X > Content Filter > General > Add The following table describes the labels in this screen.
  • Page 666: Content Filter Profile Screen

    Chapter 36 Content Filtering 36.4 Content Filter Profile Screen Click Configuration > Anti-X > Content Filter > Filter Profile to open the Filter Profile screen. A content filter profile defines to which web services, web sites or web site categories access is to be allowed or denied. Figure 454 Configuration >...
  • Page 667 Chapter 36 Content Filtering Chapter 37 on page 683 for how to view content filtering reports. Figure 455 Configuration > Anti-X > Content Filter > Filter Profile > Add
  • Page 668 Chapter 36 Content Filtering The following table describes the labels in this screen. Table 180 Configuration > Anti-X > Content Filter > Filter Profile > Add LABEL DESCRIPTION License Status This read-only field displays the status of your content-filtering database service registration. Not Licensed displays if you have not successfully registered and activated the service.
  • Page 669 Chapter 36 Content Filtering Table 180 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Action for Unsafe Web Select Pass to allow users to access web pages that match the Pages unsafe categories that you select below. Select Block to prevent users from accessing web pages that match the unsafe categories that you select below.
  • Page 670 Chapter 36 Content Filtering Table 180 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Action When Category Select Pass to allow users to access any requested web page if Server Is Unavailable the external content filtering database is unavailable. Select Block to block access to any requested web page if the external content filtering database is unavailable.
  • Page 671 Chapter 36 Content Filtering Table 180 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Spyware/Malware Sources: This category includes pages which distribute spyware and other malware. Spyware and malware are defined as software which takes control of your computer, modifies computer settings, collects or reports personal information, or misrepresents itself by tricking users to install, download, or enter personal...
  • Page 672 Chapter 36 Content Filtering Table 180 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Nudity This category includes pages containing nude or seminude depictions of the human body. These depictions are not necessarily sexual in intent or effect, but may include pages containing nude paintings or photo galleries of artistic nature.
  • Page 673 Chapter 36 Content Filtering Table 180 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Arts/Entertainment This category includes pages that promote and provide information about motion pictures, videos, television, music and programming guides, books, comics, movie theatres, galleries, artists or reviews on entertainment.
  • Page 674 Chapter 36 Content Filtering Table 180 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Government/Legal This category includes pages sponsored by or which provide information on government, government agencies and government services such as taxation and emergency services. It also includes pages that discuss or explain laws of various governmental entities.
  • Page 675 Chapter 36 Content Filtering Table 180 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Religion This category includes pages that promote and provide information on conventional or unconventional religious or quasi-religious subjects, as well as churches, synagogues, or other houses of worship.
  • Page 676 Chapter 36 Content Filtering Table 180 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Sports/Recreation/Hobbies: This category includes pages that promote or provide information about spectator sports, recreational activities, or hobbies. This includes pages that discuss or promote camping, gardening, and collecting.
  • Page 677 Chapter 36 Content Filtering Table 180 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Alcohol Sites that promote, offer for sale, glorify, review, or in any way advocate the use or creation of alcoholic beverages, including but not limited to beer, wine, and hard liquors.
  • Page 678: Content Filter Blocked And Warning Messages

    Chapter 36 Content Filtering Table 180 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Placeholders: This category includes pages that are under construction, parked domains, search-bait or otherwise generally having no useful value. Test Web Site Category: URL to test: You can check which category a web page belongs to.
  • Page 679: Content Filter Customization Screen

    Chapter 36 Content Filtering 36.6 Content Filter Customization Screen Click Configuration > Anti-X > Content Filter > Filter Profile > Add or Edit > Customization to open the Customization screen. You can create a list of good (allowed) web site addresses and a list of bad (blocked) web site addresses. You can also block web sites based on whether the web site’s address contains a keyword.
  • Page 680 Do not enter the complete URL of the site – that is, do not include “http://”. All subdomains are allowed. For example, entering “zyxel.com” also allows “www.zyxel.com”, “partner.zyxel.com”, “press.zyxel.com”, and so on. You can also enter just a top level domain. For example, enter .com to allow all .com domains.
  • Page 681: Content Filter Technical Reference

    Chapter 36 Content Filtering Table 181 Configuration > Anti-X > Content Filter > Filter Profile > Customization LABEL DESCRIPTION Forbidden Web Sites This list displays the forbidden web sites already added. Enter host names such as www.bad-site.com into this text field.
  • Page 682 Chapter 36 Content Filtering External Content Filter Server Lookup Procedure The content filter lookup process is described below. Figure 458 Content Filter Lookup Procedure A computer behind the ZyWALL tries to access a web site. The ZyWALL looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site’s category will be in the ZyWALL’s cache.
  • Page 683: Content Filter Reports

    Chapter 37 Content Filter Reports 37.1 Overview You can view content filtering reports after you have activated the category-based content filtering subscription service. See Chapter 11 on page 283 for how to create a myZyXEL.com account, register your device and activate the subscription services.
  • Page 684 Chapter 37 Content Filter Reports Fill in your myZyXEL.com account information and click Login. Figure 459 myZyXEL.com: Login
  • Page 685 Chapter 37 Content Filter Reports A welcome screen displays. Click your ZyWALL’s model name and/or MAC address under Registered ZyXEL Products (the ZyWALL 70 is shown as an example here). You can change the descriptive name for your ZyWALL using the Rename...
  • Page 686 Chapter 37 Content Filter Reports In the Service Management screen click Content Filter in the Service Name column to open the content filter reports screens. Figure 461 myZyXEL.com: Service Management In the Web Filter Home screen, click the Reports tab. Figure 462 Content Filter Reports Main Screen
  • Page 687 Chapter 37 Content Filter Reports Select items under Global Reports to view the corresponding reports. Figure 463 Content Filter Reports: Report Home Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report. The screens vary according to the report type you selected in the Report Home screen.
  • Page 688 Chapter 37 Content Filter Reports A chart and/or list of requested web site categories display in the lower half of the screen. Figure 464 Global Report Screen Example
  • Page 689 Chapter 37 Content Filter Reports You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested. Figure 465 Requested URLs Example
  • Page 691: Anti-Spam

    Chapter 38 Anti-Spam 38.1 Overview The anti-spam feature can mark or discard spam (unsolicited commercial or junk e-mail). Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail. The ZyWALL can also check e-mail against a DNS black list (DNSBL) of IP addresses of servers that are suspected of being used by spammers.
  • Page 692: Anti-Spam

    Chapter 38 Anti-Spam Black List Configure black list entries to identify spam. The black list entries have the ZyWALL classify any e-mail that is from or forwarded by a specified IP address or uses a specified header field and header value as being spam. If an e-mail does not match any of the white list entries, the ZyWALL checks it against the black list entries.
  • Page 693: Before You Begin

    Chapter 38 Anti-Spam E-mail Header Buffer Size The ZyWALL has a 5 K buffer for an individual e-mail header. If an e-mail’s header is longer than 5 K, the ZyWALL only checks up to the first 5 K. DNSBL A DNS Black List (DNSBL) is a server that hosts a list of IP addresses known or suspected of having sent or forwarded spam.
  • Page 694 Chapter 38 Anti-Spam spam policies. You can also select the action the ZyWALL takes when the mail sessions threshold is reached. Figure 466 Configuration > Anti-X > Anti-Spam > General The following table describes the labels in this screen. Table 182 Configuration > Anti-X > Anti-Spam > General LABEL DESCRIPTION Show Advance...
  • Page 695: The Anti-Spam Policy Add Or Edit Screen

    Chapter 38 Anti-Spam Table 182 Configuration > Anti-X > Anti-Spam > General LABEL DESCRIPTION Remove Select an entry and click this to delete it. Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate. Move To change an entry’s position in the numbered list, select it and click Move to display a field to type a number for where you want to put that...
  • Page 696 Chapter 38 Anti-Spam check, which e-mail protocols to scan, the scanning options, and the action to take on spam traffic. Figure 467 Configuration > Anti-X > Anti-Spam > General > Add The following table describes the labels in this screen. Table 183 Configuration >...
  • Page 697: The Anti-Spam Black List Screen

    Chapter 38 Anti-Spam Table 183 Configuration > Anti-X > Anti-Spam > General > Add (continued) LABEL DESCRIPTION Check White List: Select this check box to check e-mail against the white list. The ZyWALL classifies e-mail that matches a white list entry as legitimate (not spam).
  • Page 698 Chapter 38 Anti-Spam specific subject text. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 468 Configuration > Anti-X > Anti-Spam > Black/White List > Black List The following table describes the labels in this screen.
  • Page 699: The Anti-Spam Black Or White List Add/Edit Screen

    Chapter 38 Anti-Spam 38.4.1 The Anti-Spam Black or White List Add/Edit Screen In the anti-spam Black List or White List screen, click the Add icon or an Edit icon to display the following screen. Use this screen to configure an anti-spam black list entry to identify spam e-mail. You can create entries based on specific subject text, or the sender’s or relay’s IP address or e-mail address.
  • Page 700: Regular Expressions In Black Or White List Entries

    Chapter 38 Anti-Spam Table 185 Configuration > Anti-X > Anti-Spam > Black/White List > Black List (or White List) > Add LABEL DESCRIPTION Sender or Mail Relay IP: This field displays when you select the IP type. Enter an IP address in dotted decimal notation.
  • Page 701: The Anti-Spam White List Screen

    Chapter 38 Anti-Spam 38.5 The Anti-Spam White List Screen Click Configuration > Anti-X > Anti-Spam > Black/White List and then the White List tab to display the Anti-Spam White List screen. Configure the white list to identify legitimate e-mail. You can create white list entries based on the sender’s or relay’s IP address or e-mail address.
  • Page 702: The DNSBL Screen

    Chapter 38 Anti-Spam Table 186 Configuration > Anti-X > Anti-Spam > Black/White List > White List LABEL DESCRIPTION Type This field displays whether the entry is based on the e-mail’s subject, source or relay IP address, source e-mail address, or a header. Content This field displays the subject content, source or relay IP address, source e-mail address, or header value for which the entry checks.
  • Page 703 Chapter 38 Anti-Spam The following table describes the labels in this screen. Table 187 Configuration > Anti-X > Anti-Spam > DNSBL LABEL DESCRIPTION Show Advance Settings / Hide: Click this button to display a greater or lesser number of configuration fields.
  • Page 704: Anti-Spam Technical Reference

    Chapter 38 Anti-Spam Table 187 Configuration > Anti-X > Anti-Spam > DNSBL (continued) LABEL DESCRIPTION Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate.
  • Page 705 Chapter 38 Anti-Spam Here is an example of an e-mail classified as spam based on DNSBL replies. Figure 472 DNSBL Spam Detection Example (figure: the ZyWALL queries DNSBL A, DNSBL B and DNSBL C for the IPs a.a.a.a and b.b.b.b) The ZyWALL receives an e-mail that was sent from IP address a.a.a.a and relayed by an e-mail server at IP address b.b.b.b.
  • Page 706 Chapter 38 Anti-Spam Here is an example of an e-mail classified as legitimate based on DNSBL replies. Figure 473 DNSBL Legitimate E-mail Detection Example (figure: the ZyWALL queries DNSBL A, DNSBL B and DNSBL C for the IPs c.c.c.c and d.d.d.d; result: d.d.d.d not spam) The ZyWALL receives an e-mail that was sent from IP address c.c.c.c and relayed by an e-mail server at IP address d.d.d.d.
  • Page 707 Chapter 38 Anti-Spam If the ZyWALL receives conflicting DNSBL replies for an e-mail routing IP address, the ZyWALL classifies the e-mail as spam. Here is an example. Figure 474 Conflicting DNSBL Replies Example (figure: the ZyWALL queries DNSBL A, DNSBL B and DNSBL C for the IPs a.b.c.d and w.x.y.z; result: a.b.c.d Spam!)...
  • Page 709: Device HA

    Chapter 39 Device HA 39.1 Overview Device HA lets a backup ZyWALL (B) automatically take over if the master ZyWALL (A) fails. Figure 475 Device HA Backup Taking Over for the Master 39.1.1 What You Can Do in this Chapter •...
  • Page 710: Before You Begin

    Chapter 39 Device HA • Legacy mode allows for more complex relationships between the master and backup ZyWALLs, such as active-active or using different ZyWALLs as the master ZyWALL for individual interfaces. Legacy mode configuration involves a greater degree of complexity. Active-passive mode is recommended for general failover deployments.
  • Page 711: Device HA General

    Chapter 39 Device HA 39.2 Device HA General The Configuration > Device HA General screen lets you enable or disable device HA, and displays which device HA mode the ZyWALL is set to use along with a summary of the monitored interfaces. Figure 476 Configuration >...
  • Page 712: The Active-Passive Mode Screen

    Chapter 39 Device HA Table 188 Configuration > Device HA > General (continued) LABEL DESCRIPTION HA Status: The text before the slash shows whether the device is configured as the master or the backup role. The text after the slash displays the monitored interface’s status in the virtual router.
  • Page 713 Chapter 39 Device HA B form a virtual router that uses cluster ID 1. ZyWALLs C and D form a virtual router that uses cluster ID 2. Figure 478 Cluster IDs for Multiple Virtual Routers Monitored Interfaces in Active-Passive Mode Device HA You can select which interfaces device HA monitors.
  • Page 714: Configuring Active-Passive Mode Device HA

    Chapter 39 Device HA 192.168.1.5 and ZyWALL B has its own LAN management IP address of 192.168.1.6. These do not change when ZyWALL B becomes the master. Figure 479 Management IP Addresses (figure: ZyWALL A with 192.168.1.1 and management IP 192.168.1.5; ZyWALL B with 192.168.1.1 and management IP 192.168.1.6) 39.3.1 Configuring Active-Passive Mode Device HA The Device HA Active-Passive Mode screen lets you configure general active-passive mode device HA settings, view and manage the list of monitored interfaces, and synchronize backup ZyWALLs.
  • Page 715 Chapter 39 Device HA The following table describes the labels in this screen. See Section 39.4 on page for more information as well. Table 189 Configuration > Device HA > Active-Passive Mode LABEL DESCRIPTION Show Advance Settings / Hide: Click this button to display a greater or lesser number of configuration fields.
  • Page 716 Chapter 39 Device HA Table 189 Configuration > Device HA > Active-Passive Mode (continued) LABEL DESCRIPTION Monitored Interface Summary: This table shows the status of the device HA settings and status of the ZyWALL’s interfaces. Edit: Select an entry and click this to be able to modify it. Activate: To turn on an entry, select it and click Activate.
  • Page 717: Configuring An Active-Passive Mode Monitored Interface

    Chapter 39 Device HA Table 189 Configuration > Device HA > Active-Passive Mode (continued) LABEL DESCRIPTION Password Enter the password used for verification during synchronization. Every ZyWALL in the virtual router must use the same password. If you leave this field blank in the master ZyWALL, no backup ZyWALLs can synchronize from it.
  • Page 718 Chapter 39 Device HA A bridge interface’s device HA settings are not retained if you delete the bridge interface. Figure 481 Configuration > Device HA > Active-Passive Mode > Edit The following table describes the labels in this screen. Table 190 Configuration > Device HA > Active-Passive Mode > Edit LABEL DESCRIPTION Enable...
  • Page 719: The Legacy Mode Screen

    Chapter 39 Device HA 39.5 The Legacy Mode Screen Virtual Router Redundancy Protocol (VRRP) Legacy mode device HA uses Virtual Router Redundancy Protocol (VRRP) to create redundant backup gateways to ensure that a default gateway is always available. The ZyWALL uses a custom VRRP implementation and is not compatible with standard VRRP.
  • Page 720: Configuring The Legacy Mode Screen

    Chapter 39 Device HA 39.6 Configuring the Legacy Mode Screen The Device HA Legacy Mode screen lets you configure general legacy mode HA settings including link monitoring, configure the VRRP group and synchronize backup ZyWALLs. To access this screen, click Configuration > Device HA > Legacy Mode.
  • Page 721 Chapter 39 Device HA Table 191 Configuration > Device HA > Legacy Mode (continued) LABEL DESCRIPTION Remove Select an entry and click this to delete it. Activate To turn on an entry, select it and click Activate. Activating a VRRP group has the ZyWALL monitor the connection of the group’s interface.
  • Page 722 Chapter 39 Device HA Table 191 Configuration > Device HA > Legacy Mode (continued) LABEL DESCRIPTION Auto Synchronize: Select this to get configuration and subscription service updates automatically from the specified ZyWALL according to the specified Interval. The first synchronization begins after the specified Interval; the ZyWALL does not synchronize immediately.
  • Page 723 Chapter 39 Device HA The following table describes the labels in this screen. Table 192 Configuration > Device HA > Legacy Mode > Add LABEL DESCRIPTION Show Advance Settings / Hide: Click this button to display a greater or lesser number of configuration fields.
  • Page 724: Device HA Technical Reference

    Chapter 39 Device HA Table 192 Configuration > Device HA > Legacy Mode > Add (continued) LABEL DESCRIPTION VRID: Type the virtual router ID number. Virtual Router IP (VRIP) / Subnet Mask: This is the interface’s IP address and subnet mask in the virtual router. Authentication...
  • Page 725 Chapter 39 Device HA Make sure the bridge interfaces of the master ZyWALL (A) and the backup ZyWALL (B) are not connected. Configure the bridge interface on the master ZyWALL, set the bridge interface as a monitored interface, and activate device HA. (figure: Br0 {ge4, ge5}) Configure the bridge interface on the backup ZyWALL, set the bridge interface as a monitored interface, and activate device HA.
  • Page 726 Chapter 39 Device HA Connect the ZyWALLs. (figure: Br0 {ge4, ge5} on each ZyWALL) Second Option for Connecting the Bridge Interfaces on Two ZyWALLs Another option is to disable the bridge interfaces, connect the bridge interfaces, activate device HA, and finally reactivate the bridge interfaces as shown in the following example.
  • Page 727 Chapter 39 Device HA Configure a corresponding disabled bridge interface on the backup ZyWALL. Then set the bridge interface as a monitored interface, and activate device HA. (figure: Br0 {ge4, ge5} disabled on each ZyWALL) Enable the bridge interface on the master ZyWALL and then on the backup ZyWALL.
  • Page 728 Chapter 39 Device HA Legacy Mode ZyWALL VRRP Application In VRRP, a virtual router represents a number of ZyWALLs associated with one IP address, the IP address of the default gateway. Each virtual router is identified by a unique 8-bit identification number called a Virtual Router ID (VR ID). In the example below, ZyWALL A and ZyWALL B are part of virtual router 10 with IP address 192.168.10.254.
  • Page 729 Chapter 39 Device HA If ZyWALL A becomes available again, ZyWALL A preempts ZyWALL B and becomes the master again (the network returns to the state shown in Figure 484 on page 728). Synchronization During synchronization, the master ZyWALL sends the following information to the backup ZyWALL.
  • Page 731: User/Group

    Chapter 40 User/Group 40.1 Overview This chapter describes how to set up user accounts, user groups, and user settings for the ZyWALL. You can also set up rules that control when users have to log in to the ZyWALL before the ZyWALL routes traffic for them.
  • Page 732 Chapter 40 User/Group Table 193 Types of User Accounts (continued) TYPE / ABILITIES / LOGIN METHOD(S): limited-admin: Look at ZyWALL configuration (web, CLI); Perform basic diagnostics (CLI); logs in via WWW, TELNET, SSH, Console, Dial-in. Access Users: user: Access network services; Browse user-mode commands (CLI); logs in via WWW, TELNET, SSH. guest: Access network services. ext-user...
  • Page 733 Chapter 40 User/Group Setting up User Attributes in an External Server on page 745 for a list of attributes and how to set up the attributes in an external server. Ext-Group-User Accounts Ext-Group-User accounts are similar to ext-user accounts but allow you to group users by the value of the group membership attribute configured for the AD or LDAP server.
  • Page 734: User Summary Screen

    Chapter 40 User/Group 40.2 User Summary Screen The User screen provides a summary of all user accounts. To access this screen, log in to the Web Configurator, and click Configuration > Object > User/Group. Figure 486 Configuration > Object > User/Group The following table describes the labels in this screen.
  • Page 735 • sync • uucp • zyxel To access this screen, go to the User screen (see Section 40.2 on page 734), and click either the Add icon or an Edit icon. Figure 487 Configuration > User/Group > User > Add...
  • Page 736 Chapter 40 User/Group The following table describes the labels in this screen. Table 195 Configuration > User/Group > User > Add LABEL DESCRIPTION User Name: Type the user name for this user account. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 737: User Group Summary Screen

    Chapter 40 User/Group Table 195 Configuration > User/Group > User > Add (continued) LABEL DESCRIPTION Reauthentication Time: This field is not available if you select the ext-group-user type. Type the number of minutes this user can be logged into the ZyWALL in one session before the user has to log in again.
  • Page 738: Group Add/Edit Screen

    Chapter 40 User/Group Table 196 Configuration > Object > User/Group > Group (continued) LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific user group. Group Name This field displays the name of each user group. Description This field displays the description for each user group.
  • Page 739: Setting Screen

    Chapter 40 User/Group Table 197 Configuration > User/Group > Group > Add (continued) LABEL DESCRIPTION Member List The Member list displays the names of the users and user groups that have been added to the user group. The order of members is not important.
  • Page 740 Chapter 40 User/Group To access this screen, log in to the Web Configurator, and click Configuration > Object > User/Group > Setting. Figure 490 Configuration > Object > User/Group > Setting The following table describes the labels in this screen. Table 198 Configuration > Object > User/Group > Setting LABEL DESCRIPTION User Authentication...
  • Page 741 Chapter 40 User/Group Table 198 Configuration > Object > User/Group > Setting (continued) LABEL DESCRIPTION User Type These are the kinds of user account the ZyWALL supports. • admin - this user can look at and change the configuration of the ZyWALL •...
  • Page 742: Default User Authentication Timeout Settings Edit Screens

    Chapter 40 User/Group Table 198 Configuration > Object > User/Group > Setting (continued) LABEL DESCRIPTION Limit the number of simultaneous logons for administration account: Select this check box if you want to set a limit on the number of simultaneous logins by admin users. If you do not select this, admin users can log in as many times as they want at the...
  • Page 743 Chapter 40 User/Group To access this screen, go to the Configuration > Object > User/Group > Setting screen (see Section 40.4 on page 739), and click one of the Default Authentication Timeout Settings section’s Edit icons. Figure 491 Configuration > Object > User/Group > Setting > Edit The following table describes the labels in this screen.
  • Page 744: User Aware Login Example

    Chapter 40 User/Group 40.4.2 User Aware Login Example Access users cannot use the Web Configurator to browse the configuration of the ZyWALL. Instead, after access users log into the ZyWALL, the following screen appears. Figure 492 Web Configurator for Non-Admin Users The following table describes the labels in this screen.
  • Page 745: User /Group Technical Reference

    Chapter 40 User/Group 40.5 User /Group Technical Reference This section provides some information on users who use an external authentication server in order to log in. Setting up User Attributes in an External Server To set up user attributes, such as reauthentication time, in LDAP or RADIUS servers, use the following keywords in the user configuration file.
  • Page 747: Addresses

    Chapter 41 Addresses 41.1 Overview Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups. 41.1.1 What You Can Do in this Chapter •...
  • Page 748 Chapter 41 Addresses • RANGE - a range address is defined by a Starting IP Address and an Ending IP Address. • SUBNET - a network address is defined by a Network IP address and Netmask subnet mask. The Address screen provides a summary of all addresses in the ZyWALL. To access this screen, click Configuration >...
  • Page 749: Address Add/Edit Screen

    Chapter 41 Addresses 41.2.1 Address Add/Edit Screen The Configuration > Address Add/Edit screen allows you to create a new address or edit an existing one. To access this screen, go to the Address screen (see Section 41.2 on page 747), and click either the Add icon or an Edit icon. Figure 496 Configuration >...
  • Page 750: Address Group Summary Screen

    Chapter 41 Addresses Table 203 Configuration > Object > Address > Address > Edit (continued) LABEL DESCRIPTION Interface If you selected INTERFACE IP, INTERFACE SUBNET, or INTERFACE GATEWAY as the Address Type, use this field to select the interface of the network that this address object represents.
  • Page 751: Address Group Add/Edit Screen

    Chapter 41 Addresses 41.3.1 Address Group Add/Edit Screen The Address Group Add/Edit screen allows you to create a new address group or edit an existing one. To access this screen, go to the Address Group screen (see Section 41.3 on page 750), and click either the Add icon or an Edit icon.
  • Page 753: Services

    Chapter 42 Services 42.1 Overview Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features. 42.1.1 What You Can Do in this Chapter •...
  • Page 754: The Service Summary Screen

    Chapter 42 Services Both TCP and UDP use ports to identify the source and destination. Each port is a 16-bit number. Some port numbers have been standardized and are used by low- level system processes; many others have no particular meaning. Unlike TCP and UDP, Internet Control Message Protocol (ICMP, IP protocol 1) is mainly used to send error messages or to investigate problems.
  • Page 755 Chapter 42 Services entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 499 Configuration > Object > Service > Service The following table describes the labels in this screen. Table 206 Configuration > Object > Service > Service LABEL DESCRIPTION Click this to create a new entry.
  • Page 756: The Service Add/Edit Screen

    Chapter 42 Services 42.2.1 The Service Add/Edit Screen The Service Add/Edit screen allows you to create a new service or edit an existing one. To access this screen, go to the Service screen (see Section 42.2 on page 754), and click either the Add icon or an Edit icon. Figure 500 Configuration >...
  • Page 757 Chapter 42 Services To access this screen, log in to the Web Configurator, and click Configuration > Object > Service > Service Group. Figure 501 Configuration > Object > Service > Service Group The following table describes the labels in this screen. See Section 42.3.1 on page for more information as well.
  • Page 758: The Service Group Add/Edit Screen

    Chapter 42 Services 42.3.1 The Service Group Add/Edit Screen The Service Group Add/Edit screen allows you to create a new service group or edit an existing one. To access this screen, go to the Service Group screen (see Section 42.3 on page 756), and click either the Add icon or an Edit icon.
  • Page 759: Schedules

    Chapter 43 Schedules 43.1 Overview Use schedules to set up one-time and recurring schedules for policy routes, firewall rules, application patrol, and content filtering. The ZyWALL supports one-time and recurring schedules. One-time schedules are effective only once, while recurring schedules usually repeat.
  • Page 760: The Schedule Summary Screen

    Chapter 43 Schedules Finding Out More • See Section 6.6 on page 112 for related information on these screens. • See Section 50.4 on page 828 for information about the ZyWALL’s current date and time. 43.2 The Schedule Summary Screen The Schedule summary screen provides a summary of all schedules in the ZyWALL.
  • Page 761: The One-Time Schedule Add/Edit Screen

    Chapter 43 Schedules Table 210 Configuration > Object > Schedule (continued) LABEL DESCRIPTION Recurring Click this to create a new entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove.
  • Page 762: The Recurring Schedule Add/Edit Screen

    Chapter 43 Schedules Table 211 Configuration > Object > Schedule > Edit (One Time) (continued) LABEL DESCRIPTION Date Time StartDate Specify the year, month, and day when the schedule begins. Year - 1900 - 2999 Month - 1 - 12 Day - 1 - 31 (it is not possible to specify illegal dates, such as February 31.) Hour - 0 - 23...
  • Page 763 Chapter 43 Schedules (see Section 43.2 on page 760), and click either the Add icon or an Edit icon in the Recurring section. Figure 505 Configuration > Object > Schedule > Edit (Recurring) The Year, Month, and Day columns are not used in recurring schedules and are disabled in this screen.
  • Page 765: AAA Server

    Chapter 44 AAA Server 44.1 Overview You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The AAA server can be an Active Directory, LDAP, or RADIUS server. Use the AAA Server screens to create and manage objects that contain settings for using AAA servers.
  • Page 766: RADIUS Server

    Chapter 44 AAA Server 44.1.2 RADIUS Server RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external server instead of (or in addition to) an internal device user database that is limited to the memory capacity of the device.
  • Page 767: What You Need To Know

    Chapter 44 AAA Server • Use the Configuration > Object > AAA Server > RADIUS screen (Section 44.3 on page 771) to configure the default external RADIUS server to use for user authentication. 44.1.5 What You Need To Know AAA Servers Supported by the ZyWALL The following lists the types of authentication server the ZyWALL supports.
  • Page 768 Chapter 44 AAA Server organizational boundaries. The following figure shows a basic directory structure branching from countries to organizations to organizational units to individuals. Figure 508 Basic Directory Structure (diagram: Root, Countries, Organizations, Organization Units, Unique Common Name (cn)) Distinguished Name (DN) A DN uniquely identifies an entry in a directory.
  • Page 769: Active Directory Or LDAP Server Summary

    Address Base DN This specifies a directory. For example, o=ZyXEL, c=US 44.2.1 Adding an Active Directory or LDAP Server Click Object > AAA Server > Active Directory (or LDAP) to display the Active Directory (or LDAP) screen. Click the Add icon or an Edit icon to display the...
  • Page 770 Chapter 44 AAA Server following screen. Use this screen to create a new AD or LDAP entry or edit an existing one. Figure 510 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add The following table describes the labels in this screen. Table 214 Configuration >...
  • Page 771: RADIUS Server Summary

    LABEL DESCRIPTION Base DN Specify the directory (up to 127 alphanumerical characters). For example, o=ZyXEL, c=US Use SSL Select Use SSL to establish a secure connection to the AD or LDAP server(s). Search time limit Specify the timeout period (between 1 and 300 seconds) before the ZyWALL disconnects from the AD or LDAP server.
  • Page 772 This is the address of the AD or LDAP server. Address Base DN This specifies a directory. For example, o=ZyXEL, c=US Host Enter the IP address (in dotted decimal notation) or the domain name (up to 63 alphanumeric characters) of a RADIUS server.
  • Page 773: Adding A RADIUS Server

    Chapter 44 AAA Server 44.3.1 Adding a RADIUS Server Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen. Click the Add icon or an Edit icon to display the following screen. Use this screen to create a new AD or LDAP entry or edit an existing one. Figure 512 Configuration >...
  • Page 774 Chapter 44 AAA Server Table 216 Configuration > Object > AAA Server > RADIUS > Add (continued) LABEL DESCRIPTION Timeout Specify the timeout period (between 1 and 300 seconds) before the ZyWALL disconnects from the RADIUS server. In this case, user authentication fails.
  • Page 775: Authentication Method

    Chapter 45 Authentication Method 45.1 Overview Authentication method objects set how the ZyWALL authenticates wireless, HTTP/HTTPS clients, peer IPSec routers (extended authentication), and L2TP VPN clients. Configure authentication method objects to have the ZyWALL use the local user database, and/or the authentication servers and authentication server groups specified by AAA server objects.
  • Page 776: Authentication Method Objects

    Chapter 45 Authentication Method Click Show Advance Setting and select Enable Extended Authentication. Select Server Mode and select an authentication method object from the drop- down list box. Click OK to save the settings. Figure 513 Example: Using Authentication Method in VPN 45.2 Authentication Method Objects Click Configuration >...
  • Page 777: Creating An Authentication Method Object

    Chapter 45 Authentication Method Table 217 Configuration > Object > Auth. Method (continued) LABEL DESCRIPTION This field displays the index number. Method Name This field displays a descriptive name for identification purposes. Method List This field displays the authentication method(s) for this entry. Add icon Click Add to add a new entry.
  • Page 778 Chapter 45 Authentication Method Click OK to save the settings or click Cancel to discard all changes and return to the previous screen. Figure 515 Configuration > Object > Auth. Method > Add The following table describes the labels in this screen. Table 218 Configuration >...
  • Page 779 Chapter 45 Authentication Method Table 218 Configuration > Object > Auth. Method > Add (continued) LABEL DESCRIPTION Add icon Click Add to add a new entry. Click Edit to edit the settings of an entry. Click Delete to delete an entry. Click OK to save the changes.
  • Page 781: Certificates

    Chapter 46 Certificates 46.1 Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication.
  • Page 782 Chapter 46 Certificates Tim keeps the private key and makes the public key openly available. This means that anyone who receives a message seeming to come from Tim can read it and verify whether it is really from him or not. Tim uses his private key to sign the message and sends it to Jenny.
  • Page 783: Verifying A Certificate

    Chapter 46 Certificates Factory Default Certificate The ZyWALL generates its own unique self-signed certificate when you first turn it on. This certificate is referred to in the GUI as the factory default certificate. Certificate File Formats Any certificate that you want to import has to be in one of these file formats: •...
  • Page 784 Chapter 46 Certificates Make sure that the certificate has a “.cer” or “.crt” file name extension. Figure 516 Remote Host Certificates Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.
  • Page 785: The My Certificates Screen

    Chapter 46 Certificates 46.2 The My Certificates Screen Click Configuration > Object > Certificate > My Certificates to open the My Certificates screen. This is the ZyWALL’s summary list of certificates and certification requests. Figure 518 Configuration > Object > Certificate > My Certificates The following table describes the labels in this screen.
  • Page 786: The My Certificates Add Screen

    Chapter 46 Certificates Table 219 Configuration > Object > Certificate > My Certificates (continued) LABEL DESCRIPTION Type This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate.
  • Page 787 Chapter 46 Certificates ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request. Figure 519 Configuration > Object > Certificate > My Certificates > Add
  • Page 788 Chapter 46 Certificates The following table describes the labels in this screen. Table 220 Configuration > Object > Certificate > My Certificates > Add LABEL DESCRIPTION Name Type a name to identify this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
  • Page 789 Chapter 46 Certificates Table 220 Configuration > Object > Certificate > My Certificates > Add (continued) LABEL DESCRIPTION Create a certification request Select this to have the ZyWALL generate and store a request for a certificate. Use the My Certificate Details screen to view the request, save it, and copy it to send to the certification authority.
  • Page 790 Chapter 46 Certificates Table 220 Configuration > Object > Certificate > My Certificates > Add (continued) LABEL DESCRIPTION Request Authentication When you select Create a certification request and enroll for a certificate immediately online, the certification authority may want you to include a reference number and key to identify you when you send a certification request.
  • Page 791: The My Certificates Edit Screen

    Chapter 46 Certificates 46.2.2 The My Certificates Edit Screen Click Configuration > Object > Certificate > My Certificates and then the Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate’s name. Figure 520 Configuration >...
  • Page 792 Chapter 46 Certificates The following table describes the labels in this screen. Table 221 Configuration > Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters. Certification Path This field displays for a certificate, not a certification request.
  • Page 793 Chapter 46 Certificates Table 221 Configuration > Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Key Algorithm This field displays the type of algorithm that was used to generate the certificate’s key pair (the ZyWALL uses RSA encryption) and the length of the key set in bits (1024 bits for example).
  • Page 794: The My Certificates Import Screen

    Chapter 46 Certificates Table 221 Configuration > Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Click OK to save your changes back to the ZyWALL. You can only change the name. Cancel Click Cancel to quit and return to the My Certificates screen. 46.2.3 The My Certificates Import Screen Click Configuration >...
  • Page 795: The Trusted Certificates Screen

    Chapter 46 Certificates Table 222 Configuration > Object > Certificate > My Certificates > Import (continued) LABEL DESCRIPTION Password This field only applies when you import a binary PKCS#12 format file. Type the file’s password that was created when the PKCS #12 file was exported. Click OK to save the certificate on the ZyWALL.
  • Page 796: The Trusted Certificates Edit Screen

    Chapter 46 Certificates Table 223 Configuration > Object > Certificate > Trusted Certificates (continued) LABEL DESCRIPTION Object You cannot delete certificates that any of the ZyWALL’s features are References configured to use. Select an entry and click Object References to open a screen that shows which settings use the entry.
  • Page 797 Chapter 46 Certificates authority’s list of revoked certificates before trusting a certificate issued by the certification authority. Figure 523 Configuration > Object > Certificate > Trusted Certificates > Edit
  • Page 798 Chapter 46 Certificates The following table describes the labels in this screen. Table 224 Configuration > Object > Certificate > Trusted Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificate. You can change the name. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
  • Page 799 Chapter 46 Certificates Table 224 Configuration > Object > Certificate > Trusted Certificates > Edit LABEL DESCRIPTION Type This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate’s owner signed the certificate (not a certification authority).
  • Page 800: The Trusted Certificates Import Screen

    Chapter 46 Certificates Table 224 Configuration > Object > Certificate > Trusted Certificates > Edit LABEL DESCRIPTION SHA1 Fingerprint This is the certificate’s message digest that the ZyWALL calculated using the SHA1 algorithm. You can use this value to verify with the certification authority (over the phone for example) that this is actually their certificate.
  • Page 801: Certificates Technical Reference

    Chapter 46 Certificates The following table describes the labels in this screen. Table 225 Configuration > Object > Certificate > Trusted Certificates > Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it.
  • Page 803: ISP Accounts

    Chapter 47 ISP Accounts 47.1 Overview Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE/PPTP interfaces. An ISP account is a profile of settings for Internet access using PPPoE or PPTP. Finding Out More •...
  • Page 804: ISP Account Edit

    Chapter 47 ISP Accounts The following table describes the labels in this screen. See the ISP Account Edit section below for more information as well. Table 226 Configuration > Object > ISP Account LABEL DESCRIPTION Click this to create a new entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
  • Page 805 Chapter 47 ISP Accounts The following table describes the labels in this screen. Table 227 Configuration > Object > ISP Account > Edit LABEL DESCRIPTION Profile Name This field is read-only if you are editing an existing account. Type in the profile name of the ISP account.
  • Page 806: Stac Compression

    Chapter 47 ISP Accounts Table 227 Configuration > Object > ISP Account > Edit (continued) LABEL DESCRIPTION Compression Select the On button to turn on stac compression, or Off to turn it off. Stac compression is a data compression technique capable of compressing data by a factor of about four.
  • Page 807: SSL Application

    Chapter 48 SSL Application 48.1 Overview You use SSL application objects in SSL VPN. Configure an SSL application object to specify the type of application and the address of the local computer, server, or web site SSL users are to be able to access. You can apply one or more SSL application objects in the VPN >...
  • Page 808: Example: Specifying A Web Site For Access

    Chapter 48 SSL Application Remote Desktop Connections Use SSL VPN to allow remote users to manage LAN computers. Depending on the functions supported by the remote desktop software, they can install or remove software, run programs, change settings, and open, copy, create, and delete files. This is useful for troubleshooting, support, administration, and remote access to files and programs.
  • Page 809: The SSL Application Screen

    Chapter 48 SSL Application Click the Add button and select Web Application in the Type field. In the Server Type field, select Web Server. Enter a descriptive name in the Display Name field. For example, “CompanyIntranet”. In the Address field, enter “http://info”. Select Web Page Encryption to prevent users from saving the web content.
  • Page 810: Creating/Editing A Web-Based SSL Application Object

    Chapter 48 SSL Application The following table describes the labels in this screen. Table 228 Configuration > Object > SSL Application LABEL DESCRIPTION Click this to create a new entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
  • Page 811 Chapter 48 SSL Application The following table describes the labels in this screen. Table 229 Configuration > Object > SSL Application > Add/Edit: Web Application LABEL DESCRIPTION Show Advance Settings / Hide This displays for VNC or RDP type web application objects. Click this button to display a greater or lesser number of configuration fields.
  • Page 812: Creating/Editing A File Sharing SSL Application Object

    Chapter 48 SSL Application Table 229 Configuration > Object > SSL Application > Add/Edit: Web Application LABEL DESCRIPTION Server Address(es) This field displays if the Server Type is set to RDP or VNC. Specify the IP address or Fully-Qualified Domain Name (FQDN) of the computer(s) that you want to allow the remote users to manage.
  • Page 813 Chapter 48 SSL Application The following table describes the labels in this screen. Table 230 Configuration > Object > SSL Application > Add/Edit: File Sharing LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen.
  • Page 815: Endpoint Security

    Chapter 49 Endpoint Security 49.1 Overview Use Endpoint Security (EPS), also known as endpoint control, to make sure users’ computers comply with defined corporate policies before they can access the network or an SSL VPN tunnel. After a successful user authentication, a user’s computer must meet the endpoint security object’s Operating System (OS) option and security requirements to gain access.
  • Page 816: What You Can Do In This Chapter

    Chapter 49 Endpoint Security 49.1.1 What You Can Do in this Chapter Use the Configuration > Object > Endpoint Security screens (Section 49.2 on page 817) to create and manage endpoint security objects. 49.1.2 What You Need to Know What Endpoint Security Can Check The settings endpoint security can check vary depending on the OS of the user’s computer.
  • Page 817: Endpoint Security Screen

    Chapter 49 Endpoint Security 49.2 Endpoint Security Screen The Endpoint Security screen displays the endpoint security objects you have configured on the ZyWALL. Click Configuration > Object > Endpoint Security to display the screen. Figure 533 Configuration > Object > Endpoint Security The following table gives an overview of the objects you can configure.
  • Page 818 Chapter 49 Endpoint Security Table 231 Configuration > Object > Endpoint Security (continued) LABEL DESCRIPTION Apply Click this button to save your changes to the ZyWALL. Reset Click this button to return the screen to its last-saved settings.
  • Page 819: Endpoint Security Add/Edit

    Chapter 49 Endpoint Security 49.3 Endpoint Security Add/Edit Click Configuration > Object > Endpoint Security and then the Add (or Edit) icon to open the Endpoint Security Edit screen. Use this screen to configure an endpoint security object.
  • Page 820 Chapter 49 Endpoint Security Figure 534 Configuration > Object > Endpoint Security > Add
  • Page 821 Chapter 49 Endpoint Security The following table gives an overview of the objects you can configure. Table 232 Configuration > Object > Endpoint Security > Add LABEL DESCRIPTION Show Advance Settings / Hide Click this button to display a greater or lesser number of configuration fields.
  • Page 822 Chapter 49 Endpoint Security Table 232 Configuration > Object > Endpoint Security > Add (continued) LABEL DESCRIPTION Checking Item - Personal Firewall If you selected Windows as the operating system, you can select whether or not the user’s computer is required to have personal firewall software installed.
  • Page 823 Chapter 49 Endpoint Security Table 232 Configuration > Object > Endpoint Security > Add (continued) LABEL DESCRIPTION Checking Item - File Information If you selected Windows or Linux as the operating system, you can use this table to check details of specific files on the user’s computer. Use the Operation field to set whether the size or version of the file on the user’s computer has to be equal to (==), greater than (>), less than...
  • Page 825: System

    Chapter 50 System 50.1 Overview Use the system screens to configure general ZyWALL settings. 50.1.1 What You Can Do in this Chapter • Use the System > Host Name screen (see Section 50.2 on page 826) to configure a unique name for the ZyWALL in your network.
  • Page 826: Host Name

    870) to configure the external serial modem. • Vantage CNM (Centralized Network Management) is a browser-based global management tool that allows an administrator to manage ZyXEL devices. Use the System > Vantage CNM screen (see Section 50.13 on page 872) to allow your ZyWALL to be managed by the Vantage CNM server.
  • Page 827: USB Storage

    Chapter 50 System Table 233 Configuration > System > Host Name (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. 50.3 USB Storage The ZyWALL can use a connected USB device to store the system log and other diagnostic information.
  • Page 828: Date And Time

    Chapter 50 System 50.4 Date and Time For effective scheduling and logging, the ZyWALL system time must be accurate. The ZyWALL’s Real Time Chip (RTC) keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server.
  • Page 829 Chapter 50 System Table 235 Configuration > System > Date and Time (continued) LABEL DESCRIPTION Manual Select this radio button to enter the time and date manually. If you configure a new time and date, time zone and daylight saving at the same time, the time zone and daylight saving will affect the new time and date you entered.
  • Page 830: Pre-Defined NTP Time Servers List

    Chapter 50 System Table 235 Configuration > System > Date and Time (continued) LABEL DESCRIPTION End Date Configure the day and time when Daylight Saving Time ends if you selected Enable Daylight Saving. The at field uses the 24 hour format.
  • Page 831: Time Server Synchronization

    Chapter 50 System 50.4.2 Time Server Synchronization Click the Synchronize Now button to get the time and date from the time server you specified in the Time Server Address field. When the Please Wait... screen appears, you may have to wait up to one minute. Figure 538 Synchronization in Process The Current Time and Current Date fields will display the appropriate settings if the synchronization is successful.
  • Page 832: Console Port Speed

    Chapter 50 System Under Time and Date Setup, enter a Time Server Address (Table 236 on page 830). Click Apply. 50.5 Console Port Speed This section shows you how to set the console port speed when you connect to the ZyWALL via the console port using a terminal emulation program.
  • Page 833: DNS Server Address Assignment

    Chapter 50 System 50.6.1 DNS Server Address Assignment The ZyWALL can get the DNS server addresses in the following ways. • The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, manually enter them in the DNS server fields.
  • Page 834 (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain.
  • Page 835 Chapter 50 System Table 238 Configuration > System > DNS (continued) LABEL DESCRIPTION DNS Server This is the IP address of a DNS server. This field displays N/A if you have the ZyWALL get a DNS server IP address from the ISP dynamically but the specified interface is not active.
  • Page 836: Address Record

    An address record contains the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com” is the top level domain.
  • Page 837: Domain Zone Forwarder

    For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain.
  • Page 838: MX Record

    For example, whenever the ZyWALL needs to resolve a zyxel.com.tw domain name, it can send a query to the recorded name server IP address. Enter * if all domain zones are served by the specified DNS server(s).
  • Page 839: Adding An MX Record

    Chapter 50 System 50.6.9 Adding an MX Record Click the Add icon in the MX Record table to add an MX record. Figure 543 Configuration > System > DNS > MX Record Add The following table describes the labels in this screen. Table 241 Configuration >...
  • Page 840: WWW Overview

    Chapter 50 System The following table describes the labels in this screen. Table 242 Configuration > System > DNS > Service Control Rule Add LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen.
  • Page 841: Service Access Limitations

    Chapter 50 System • See To-ZyWALL Rules on page 459 for more on To-ZyWALL firewall rules. • See Section 7.10 on page 160 for an example of configuring service control to block administrator HTTPS access from all zones except the LAN. To stop a service from accessing the ZyWALL, clear Enable in the corresponding service screen.
  • Page 842: Configuring WWW Service Control

    Chapter 50 System It relies upon certificates, public keys, and private keys (see Chapter 46 on page for more information). HTTPS on the ZyWALL is used so that you can securely access the ZyWALL using the Web Configurator. The SSL protocol specifies that the HTTPS server (the ZyWALL) must always authenticate itself to the HTTPS client (the computer which requests the HTTPS connection with the ZyWALL), whereas the HTTPS client should only authenticate itself when the HTTPS server requires it to do so (select...
  • Page 843 Chapter 50 System Note: Admin Service Control deals with management access (to the Web Configurator). User Service Control deals with user access to the ZyWALL (logging into SSL VPN for example). Figure 547 Configuration > System > WWW > Service Control The following table describes the labels in this screen.
  • Page 844 Chapter 50 System Table 243 Configuration > System > WWW > Service Control (continued) LABEL DESCRIPTION Server Port The HTTPS server listens on port 443 by default. If you change the HTTPS server port to a different number on the ZyWALL, for example 8443, then you must notify people who need to access the ZyWALL Web Configurator to use “https://ZyWALL IP Address:8443”...
  • Page 845 Chapter 50 System Table 243 Configuration > System > WWW > Service Control (continued) LABEL DESCRIPTION HTTP Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL Web Configurator using HTTP connections.
  • Page 846: Service Control Rules

    Chapter 50 System Table 243 Configuration > System > WWW > Service Control (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. 50.7.5 Service Control Rules Click Add or Edit in the Service Control table in a WWW, SSH, Telnet, FTP or SNMP screen to add a service control rule.
  • Page 847 Chapter 50 System also customize the page that displays after an access user logs into the Web Configurator to access network services like the Internet. See Chapter 40 on page for more on access user accounts. Figure 549 Configuration > System > WWW > Login Page
  • Page 848 Chapter 50 System The following figures identify the parts you can customize in the login and access pages. Figure 550 Login Page Customization (callouts: Title, Logo, Message (color of all text), Background, Note Message (last line of text)) Figure 551 Access Page Customization (callouts: Logo, Title, Message...)
  • Page 849 Chapter 50 System • Click Color to display a screen of web-safe colors from which to choose. • Enter the name of the desired color. • Enter a pound sign (#) followed by the six-digit hexadecimal number that represents the desired color. For example, use “#000000” for black. •...
  • Page 850: HTTPS Example

    Chapter 50 System Table 245 Configuration > System > WWW > Login Page LABEL DESCRIPTION Note Message Enter a note to display below the title. Use up to 64 printable ASCII characters. Spaces are allowed. Window Set how the window’s background looks. Background To use a graphic, select Picture and upload a graphic.
  • Page 851: Netscape Navigator Warning Messages

    Chapter 50 System 50.7.7.2 Netscape Navigator Warning Messages When you attempt to access the ZyWALL HTTPS server, a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate. Click Examine Certificate if you want to verify that the certificate is from the ZyWALL.
  • Page 852: Login Screen

    Chapter 50 System • The issuing certificate authority of the ZyWALL’s HTTPS server certificate is not one of the browser’s trusted certificate authorities. The issuing certificate authority of the ZyWALL's factory default certificate is the ZyWALL itself since the certificate is a self-signed certificate. •...
  • Page 853 Chapter 50 System Apply for a certificate from a Certification Authority (CA) that is trusted by the ZyWALL (see the ZyWALL’s Trusted CA Web Configurator screen). Figure 556 ZyWALL Trusted CA Screen The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s).
  • Page 854 Chapter 50 System 50.7.7.5.2 Installing Your Personal Certificate(s) You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next. Click Next to begin the wizard.
  • Page 855 Chapter 50 System Enter the password given to you by the CA. Figure 560 Personal Certificate Import Wizard 3 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.
  • Page 856: Using A Certificate When Accessing The ZyWALL Example

    Chapter 50 System Click Finish to complete the wizard and begin the import process. Figure 562 Personal Certificate Import Wizard 5 You should see the following screen when the certificate is correctly installed on your computer. Figure 563 Personal Certificate Import Wizard 6 50.7.7.6 Using a Certificate When Accessing the ZyWALL Example Use the following procedure to access the ZyWALL via HTTPS.
  • Page 857: SSH

    Chapter 50 System When Authenticate Client Certificates is selected on the ZyWALL, the following screen asks you to select a personal certificate to send to the ZyWALL. This screen displays even if you only have a single certificate as in the example. Figure 565 SSL Client Authentication You next see the Web Configurator login screen.
  • Page 858: How SSH Works

    Chapter 50 System SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. In the following figure, computer A on the Internet uses SSH to securely connect to the WAN port of the ZyWALL for a management session. Figure 567 SSH Communication Over the WAN Example 50.8.1 How SSH Works The following figure is an example of how a secure connection is established...
  • Page 859: SSH Implementation On The ZyWALL

    Chapter 50 System Encryption Method Once the identification is verified, both the client and server must agree on the type of encryption method to use. Authentication and Data Transmission After the identification is verified and data encryption activated, a secure tunnel is established between the client and the server.
  • Page 860 Chapter 50 System Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections. Figure 569 Configuration > System > SSH The following table describes the labels in this screen. Table 246 Configuration > System > SSH LABEL DESCRIPTION Enable...
  • Page 861: Secure Telnet Using SSH Examples

    Chapter 50 System Table 246 Configuration > System > SSH (continued) LABEL DESCRIPTION Move To change an entry’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.
  • Page 862: Telnet

    Chapter 50 System Enter the password to log in to the ZyWALL. The CLI screen displays next. 50.8.5.2 Example 2: Linux This section describes how to access the ZyWALL using the OpenSSH client program that comes with most Linux distributions. Test whether the SSH service is available on the ZyWALL.
  • Page 863: Configuring Telnet

    Chapter 50 System 50.9.1 Configuring Telnet Click Configuration > System > TELNET to configure your ZyWALL for remote Telnet access. Use this screen to specify from which zones Telnet can be used to manage the ZyWALL. You can also specify from which IP addresses the access can come.
  • Page 864: Ftp

    Chapter 50 System Table 247 Configuration > System > TELNET (continued) LABEL DESCRIPTION This is the index number of the service control rule. The entry with a hyphen (-) instead of a number is the ZyWALL’s (non-configurable) default policy. The ZyWALL applies this to traffic that does not match any other configured rule.
  • Page 865 Chapter 50 System be used to access the ZyWALL. You can also specify from which IP addresses the access can come. Figure 574 Configuration > System > FTP The following table describes the labels in this screen. Table 248 Configuration > System > FTP LABEL DESCRIPTION Enable...
  • Page 866: Snmp

    Chapter 50 System Table 248 Configuration > System > FTP (continued) LABEL DESCRIPTION Move To change an entry’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.
  • Page 867 Chapter 50 System and version two (SNMPv2c). The next figure illustrates an SNMP management operation. Figure 575 SNMP Management Model An SNMP managed network consists of two main types of components: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL).
  • Page 868: Supported Mibs

    50.11.1 Supported MIBs The ZyWALL supports MIB II that is defined in RFC-1213 and RFC-1215. The ZyWALL also supports private MIBs (zywall.mib and zyxel-zywall-ZLD-Common.mib) to collect information about CPU and memory usage and VPN total throughput. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance.
  • Page 869 Chapter 50 System settings, including from which zones SNMP can be used to access the ZyWALL. You can also specify from which IP addresses the access can come. Figure 576 Configuration > System > SNMP The following table describes the labels in this screen. Table 250 Configuration >...
  • Page 870: Dial-In Management

    Chapter 50 System Table 250 Configuration > System > SNMP (continued) LABEL DESCRIPTION Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Refer to Table 244 on page 846 for details on the screen that opens.
  • Page 871: Configuring Dial-In Mgmt

    Chapter 50 System Hang Up check box is selected, the ZyWALL uses this hardware signal to force the WAN device to hang up, in addition to issuing the drop command ATH. Response Strings The response strings tell the ZyWALL the tags, or labels, immediately preceding the various call parameters sent from the serial modem.
  • Page 872: Vantage Cnm

    Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide. See the Vantage CNM User's Guide for details. If you allow your ZyWALL to be managed by the Vantage CNM server, you should not make any configuration changes directly on the ZyWALL (using either the Web Configurator or commands) without notifying the Vantage CNM administrator.
  • Page 873: Configuring Vantage Cnm

    If the Vantage CNM server is behind a firewall, you may have to create a rule on the firewall to allow UDP port 11864 traffic through to the Vantage CNM server (most (new) ZyXEL firewalls automatically allow this). ZyWALL USG 300 User’s Guide...
  • Page 874 Chapter 50 System Table 252 Configuration > System > Vantage CNM (continued) LABEL DESCRIPTION
    Transfer Protocol: Select whether the Vantage CNM sessions should use regular HTTP connections or secure HTTPS connections. Note: HTTPS is recommended. The Vantage CNM server must use the same setting.
    Device Management: Select Auto to have the ZyWALL allow Vantage CNM sessions to connect...
  • Page 875: Language Screen

    Chapter 50 System 50.14 Language Screen Click Configuration > System > Language to open the following screen. Use this screen to select a display language for the ZyWALL’s Web Configurator screens. Figure 579 Configuration > System > Language The following table describes the labels in this screen. Table 253 Configuration >...
  • Page 877: Log And Report

    Chapter 51 Log and Report 51.1 Overview Use these screens to configure daily reporting and log settings. 51.1.1 What You Can Do In this Chapter • Use the Email Daily Report screen (Section 51.2 on page 877) to configure where and how to send daily reports and what reports to send.
  • Page 878 Chapter 51 Log and Report Click Configuration > Log & Report > Email Daily Report to display the following screen. Configure this screen to have the ZyWALL e-mail you system statistics every day. Figure 580 Configuration > Log & Report > Email Daily Report
  • Page 879: Log Setting Screens

    Chapter 51 Log and Report The following table describes the labels in this screen. Table 254 Configuration > Log & Report > Email Daily Report LABEL DESCRIPTION
    Enable Email Daily Report: Select this to send reports by e-mail every day.
    Mail Server: Type the name or IP address of the outgoing SMTP server.
  • Page 880: Log Setting Summary

    Chapter 51 Log and Report ZyWALL store system logs on a connected USB storage device. The other four logs are stored on specified syslog servers. The Log Setting tab also controls what information is saved in each log. For the system log, you can also specify which log messages are e-mailed, where they are e-mailed, and how often they are e-mailed.
  • Page 881: Edit System Log Settings

    Log Format This field displays the format of the log. Internal - system log; you can view the log on the View Log tab. VRPT/Syslog - ZyXEL’s Vantage Report, syslog-compatible format. CEF/Syslog - Common Event Format, syslog-compatible format. Summary This field is a summary of the settings for each log. Please see Section 51.3.2 on page 881...
  • Page 882 Chapter 51 Log and Report Figure 582 Configuration > Log & Report > Log Setting > Edit (System Log)
  • Page 883 Chapter 51 Log and Report The following table describes the labels in this screen. Table 256 Configuration > Log & Report > Log Setting > Edit (System Log) LABEL DESCRIPTION E-Mail Server 1/2 Active Select this to send log messages and alerts according to the information in this section.
  • Page 884 Chapter 51 Log and Report Table 256 Configuration > Log & Report > Log Setting > Edit (System Log) LABEL DESCRIPTION E-mail Server 1 Use the E-Mail Server 1 drop-down list to change the settings for e-mailing logs to e-mail server 1 for all log categories. Using the System Log drop-down list to disable all logs overrides your e-mail server 1 settings.
  • Page 885 Chapter 51 Log and Report Table 256 Configuration > Log & Report > Log Setting > Edit (System Log) LABEL DESCRIPTION Active Select this to activate log consolidation. Log consolidation aggregates multiple log messages that arrive within the specified Log Consolidation Interval. In the View Log tab, the text “[count=x]”, where x is the number of original log messages, is appended at the end of the Message field, when multiple log messages were aggregated.
  • Page 886: Edit Log On Usb Storage Setting

    Chapter 51 Log and Report 51.3.3 Edit Log on USB Storage Setting The Edit Log on USB Storage Setting screen controls the detailed settings for saving logs to a connected USB storage device. Go to the Log Setting Summary screen (see Section 51.3.1 on page 880), and click the USB storage Edit icon.
  • Page 887 Chapter 51 Log and Report The following table describes the labels in this screen. Table 257 Configuration > Log & Report > Log Setting > Edit (USB Storage) LABEL DESCRIPTION
    Duplicate logs to USB storage: Select this to have the ZyWALL save a copy of its system logs to a connected USB storage device.
  • Page 888: Edit Remote Server Log Settings

    Chapter 51 Log and Report 51.3.4 Edit Remote Server Log Settings The Log Settings Edit screen controls the detailed settings for each log in the remote server (syslog). Go to the Log Settings Summary screen (see Section 51.3.1 on page 880), and click a remote server Edit icon.
  • Page 889 Active Log section. Log Format: This field displays the format of the log information. It is read-only. VRPT/Syslog - ZyXEL’s Vantage Report, syslog-compatible format. CEF/Syslog - Common Event Format, syslog-compatible format.
    Server Address: Type the server name or the IP address of the syslog server to which to send log information.
  • Page 890: Active Log Summary Screen

    Chapter 51 Log and Report 51.3.5 Active Log Summary Screen The Active Log Summary screen allows you to view and to edit what information is included in the system log, e-mail profiles, and remote servers at the same time. It does not let you change other log settings (for example, where and how often log information is e-mailed or remote server names). To access this screen, go to the Log Settings Summary screen (see Section 51.3.1 on page...
  • Page 891 Chapter 51 Log and Report The following table describes the fields in this screen. Table 259 Configuration > Log & Report > Log Setting > Active Log Summary LABEL DESCRIPTION System Log Use the System Log drop-down list to change the log settings for all of the log categories.
  • Page 892 Chapter 51 Log and Report Table 259 Configuration > Log & Report > Log Setting > Active Log Summary LABEL DESCRIPTION Remote Server For each remote server, use the Selection drop-down list to change the log settings for all of the log categories. disable all logs (red X) - do not send the remote server logs for any log category.
  • Page 893: File Manager

    Chapter 52 File Manager 52.1 Overview Configuration files define the ZyWALL’s settings. Shell scripts are files of commands that you can store on the ZyWALL and run when you need them. You can apply a configuration file or run a shell script without the ZyWALL restarting. You can store multiple configuration files and shell script files on the ZyWALL.
  • Page 894: Comments In Configuration Files Or Shell Scripts

    Chapter 52 File Manager These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below. Figure 586 Configuration File / Shell Script: Example
      # enter configuration mode
      configure terminal
      # change administrator password
      username admin password 4321 user-type admin
      # configure ge3...
  • Page 895 Chapter 52 File Manager Your configuration files or shell scripts can use “exit” or a command line consisting of a single “!” to have the ZyWALL exit sub command mode. Note: “exit” or “!” must follow sub commands if it is to make the ZyWALL exit sub command mode.
  • Page 896: The Configuration File Screen

    Chapter 52 File Manager 52.2 The Configuration File Screen Click Maintenance > File Manager > Configuration File to open the Configuration File screen. Use the Configuration File screen to store, run, and name configuration files. You can also download configuration files from the ZyWALL to your computer and upload configuration files from your computer to the ZyWALL.
  • Page 897 Chapter 52 File Manager The following table describes the labels in this screen. Table 261 Maintenance > File Manager > Configuration File LABEL DESCRIPTION Rename Use this button to change the label of a configuration file on the ZyWALL. You can only rename manually saved configuration files. You cannot rename the lastgood.conf, system-default.conf and startup-config.conf files.
  • Page 898 Chapter 52 File Manager Table 261 Maintenance > File Manager > Configuration File (continued) LABEL DESCRIPTION Copy Use this button to save a duplicate of a configuration file on the ZyWALL. Click a configuration file’s row to select it and click Copy to open the Copy File screen.
  • Page 899 Chapter 52 File Manager Table 261 Maintenance > File Manager > Configuration File (continued) LABEL DESCRIPTION Apply Use this button to have the ZyWALL use a specific configuration file. Click a configuration file’s row to select it and click Apply to have the ZyWALL use that configuration file.
  • Page 900: The Firmware Package Screen

    Chapter 52 File Manager Table 261 Maintenance > File Manager > Configuration File (continued) LABEL DESCRIPTION File Name This column displays the label that identifies a configuration file. You cannot delete the following configuration files or change their file names. The system-default.conf file contains the ZyWALL’s default settings.
  • Page 901 See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it. Find the firmware package at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, “zywall.bin”.
  • Page 902: The Shell Script Screen

    Chapter 52 File Manager After you see the Firmware Upload in Process screen, wait two minutes before logging into the ZyWALL again. Figure 592 Firmware Upload In Process Note: The ZyWALL automatically reboots after a successful upload. The ZyWALL automatically restarts causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.
  • Page 903 Chapter 52 File Manager Note: You should include write commands in your scripts. If you do not use the write command, the changes will be lost when the ZyWALL restarts. You could use multiple write commands in a long script. Figure 595 Maintenance >...
  • Page 904 Chapter 52 File Manager Table 263 Maintenance > File Manager > Shell Script (continued) LABEL DESCRIPTION Copy Use this button to save a duplicate of a shell script file on the ZyWALL. Click a shell script file’s row to select it and click Copy to open the Copy File screen.
  • Page 905: Diagnostics

    Chapter 53 Diagnostics 53.1 Overview Use the diagnostics screens for troubleshooting. 53.1.1 What You Can Do in this Chapter • Use the Maintenance > Diagnostics screens (see Section 53.2 on page 905) to generate files containing the ZyWALL’s configuration and diagnostic information if you need to provide it to customer support for troubleshooting.
  • Page 906: The Diagnostics Files Screen

    Chapter 53 Diagnostics Click Maintenance > Diagnostics to open the Diagnostic screen. Figure 598 Maintenance > Diagnostics The following table describes the labels in this screen. Table 264 Maintenance > Diagnostics LABEL DESCRIPTION Filename This is the name of the most recently created diagnostic file. Last modified This is the date and time that the last diagnostic file was created.
  • Page 907: The Packet Capture Screen

    Chapter 53 Diagnostics The following table describes the labels in this screen. Table 265 Maintenance > Diagnostics > Files LABEL DESCRIPTION Remove Select files and click Remove to delete them from the ZyWALL. Use the [Shift] and/or [Ctrl] key to select multiple files. A pop-up window asks you to confirm that you want to delete.
  • Page 908 Chapter 53 Diagnostics Note: New capture files overwrite existing files of the same name. Change the File Suffix field's setting to avoid this. Figure 600 Maintenance > Diagnostics > Packet Capture The following table describes the labels in this screen. Table 266 Maintenance >...
  • Page 909 Chapter 53 Diagnostics Table 266 Maintenance > Diagnostics > Packet Capture (continued) LABEL DESCRIPTION
    Save data to onboard storage only: Select this to have the ZyWALL only store packet capture entries on the ZyWALL.
    Save data to USB storage only: Select this to have the ZyWALL store packet capture entries only on a USB storage device connected to the ZyWALL.
  • Page 910: The Packet Capture Files Screen

    Chapter 53 Diagnostics Table 266 Maintenance > Diagnostics > Packet Capture (continued) LABEL DESCRIPTION Capture Click this button to have the ZyWALL capture packets according to the settings configured in this screen. You can configure the ZyWALL while a packet capture is in progress although you cannot modify the packet capture settings.
  • Page 911: Example Of Viewing A Packet Capture File

    Chapter 53 Diagnostics Table 267 Maintenance > Diagnostics > Packet Capture > Files (continued) LABEL DESCRIPTION This column displays the number for each packet capture file entry. The total number of packet capture files that you can save depends on the file sizes and the available flash storage space.
  • Page 912: Core Dump Screen

    Chapter 53 Diagnostics 53.4 Core Dump Screen Use the Core Dump screen to have the ZyWALL save a process’s core dump to an attached USB storage device if the process terminates abnormally (crashes). You may need to send this file to customer support for troubleshooting. Click Maintenance >...
  • Page 913: The System Log Screen

    Chapter 53 Diagnostics connected USB storage device. You may need to send these files to customer support for troubleshooting. Figure 604 Maintenance > Diagnostics > Core Dump > Files The following table describes the labels in this screen. Table 269 Maintenance > Diagnostics > Core Dump > Files LABEL DESCRIPTION Remove...
  • Page 914 Chapter 53 Diagnostics storage device. The files are in comma separated value (csv) format. You can download them to your computer and open them in a tool like Microsoft’s Excel. Figure 605 Maintenance > Diagnostics > System Log The following table describes the labels in this screen. Table 270 Maintenance >...
  • Page 915: Reboot

    Chapter 54 Reboot 54.1 Overview Use this to restart the device (for example, if the device begins behaving erratically). See also Section 1.5 on page 37 for information on different ways to start and stop the ZyWALL. 54.1.1 What You Need To Know If you applied changes in the Web Configurator, these were saved automatically and do not change when you reboot.
  • Page 917: Shutdown

    Chapter 55 Shutdown 55.1 Overview Use this to shut down the device in preparation for disconnecting the power. See also Section 1.5 on page 37 for information on different ways to start and stop the ZyWALL. Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the ZyWALL or remove the power.
  • Page 918: Chapter 55 Shutdown

  • Page 919: Troubleshooting

    Chapter 56 Troubleshooting This chapter offers some suggestions to solve problems you might encounter. • You can also refer to the logs (see Chapter 10 on page 279). For individual log descriptions, see Appendix A on page 947.
  • Page 920: Troubleshooting

    Chapter 56 Troubleshooting • If you’ve forgotten the ZyWALL’s IP address, you can use the commands through the console port to check it. Connect your computer to the CONSOLE port using a console cable. Your computer should have a terminal emulation communications program (such as HyperTerminal) set to VT100 terminal emulation, no parity, 8 data bits, 1 stop bit, no flow control and 115200 bps port speed.
  • Page 921 Chapter 56 Troubleshooting I downloaded updated anti-virus or IDP/application patrol signatures. Why has the ZyWALL not re-booted yet? The ZyWALL does not have to reboot when you upload new signatures. The content filter category service is not working. • Make sure your ZyWALL has the content filter category service registered and that the license is not expired.
  • Page 922 Chapter 56 Troubleshooting • The format of interface names other than the Ethernet interface names is very strict. Each name consists of 2-4 letters (interface type), followed by a number (x, limited by the maximum number of each type of interface). For example, VLAN interfaces are vlan0, vlan1, vlan2, ...;...
  • Page 923 Chapter 56 Troubleshooting created a cellular interface but cannot connect through it. • Make sure you have a compatible 3G device installed or connected. See Chapter 57 on page 939 for details. • Make sure you have the cellular interface enabled. •...
  • Page 924 Chapter 56 Troubleshooting The ZyWALL is not applying an interface’s configured ingress bandwidth limit. At the time of writing, the ZyWALL does not support ingress bandwidth management. The ZyWALL is not applying my application patrol bandwidth management settings. Bandwidth management in policy routes has priority over application patrol bandwidth management.
  • Page 925 Chapter 56 Troubleshooting The ZyWALL is deleting some zipped files. The anti-virus policy may be set to delete zipped files that the ZyWALL cannot unzip. The ZyWALL cannot unzip password protected ZIP files or a ZIP file within another ZIP file. There are also limits to the number of ZIP files that the ZyWALL can concurrently unzip.
  • Page 926 Chapter 56 Troubleshooting The ZyWALL’s performance seems slower after configuring ADP. Depending on your network topology and traffic load, applying an anomaly profile to each and every packet direction may affect the ZyWALL’s performance. The ZyWALL routes and applies SNAT for traffic from some interfaces but not from others.
  • Page 927 If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into both ZyXEL IPSec routers and check the settings in each field methodically and slowly. Make sure both the ZyWALL and remote IPSec router have the same security settings for the VPN tunnel.
  • Page 928 Chapter 56 Troubleshooting Here are some general suggestions. See also Chapter 25 on page 475. • The system log can often help to identify a configuration problem. • If you enable NAT traversal, the remote IPSec device must also have NAT traversal enabled.
  • Page 929 Chapter 56 Troubleshooting • If you set up a VPN tunnel across the Internet, make sure your ISP supports AH or ESP (whichever you are using). • If you have the ZyWALL and remote IPSec router use certificates to authenticate each other, you must set up the certificates for the ZyWALL and remote IPSec router first and make sure they trust each other’s certificates.
  • Page 930 Chapter 56 Troubleshooting If you have the Configuration > VPN > IPSec VPN > VPN Connection screen’s Use Policy Route to control dynamic IPSec rules option enabled, check the routing policies to see if they are sending traffic elsewhere instead of through the VPN tunnels.
  • Page 931 Chapter 56 Troubleshooting option. The ZyWALL classifies the firmware package as not being able to be decompressed and deletes it. You can upload the firmware package to the ZyWALL with the option enabled, so you only need to clear the Destroy compressed files that could not be decompressed option while you download the firmware package.
  • Page 932 Chapter 56 Troubleshooting Device HA is not working. • You may need to disable STP (Spanning Tree Protocol). • The master and its backups must all use the same device HA mode (either active-passive or legacy). • Configure a static IP address for each interface that you will have device HA monitor.
  • Page 933 Chapter 56 Troubleshooting user, the authentication attempt will always fail. (This is related to AAA servers and authentication methods, which are discussed in Chapter 44 on page 765 and Chapter 45 on page 775, respectively.) I cannot add the admin users to a user group with access users. You cannot put access users and admin users in the same user group.
  • Page 934 Chapter 56 Troubleshooting For My Certificates, you can import a certificate that matches a corresponding certification request that was generated by the ZyWALL. You can also import a certificate in PKCS#12 format, including the certificate’s public and private keys. You must remove any spaces from the certificate’s filename before you can import the certificate.
  • Page 935 Chapter 56 Troubleshooting I uploaded a logo to display on the upper left corner of the Web Configurator login screen and access page but it does not display properly. Make sure the logo file is a GIF, JPG, or PNG of 100 kilobytes or less. I uploaded a logo to use as the screen or window background but it does not display properly.
  • Page 936: Resetting The Zywall

    Chapter 56 Troubleshooting I cannot get the firmware uploaded using the commands. The Web Configurator is the recommended method for uploading firmware. You only need to use the command line interface if you need to recover the firmware. See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it.
  • Page 937: Getting More Troubleshooting Help

    Release the RESET button, and wait for the ZyWALL to restart. You should be able to access the ZyWALL using the default settings. 56.2 Getting More Troubleshooting Help Search for support information for your model at www.zyxel.com for more troubleshooting suggestions.
  • Page 939: Product Specifications

    Extension Card Slot: Slot for optional hardware accessories. PCMCIA slot for a wireless LAN or cellular (3G) card.
    Compatible PCMCIA Cards: ZyXEL’s G-170S IEEE 802.11g wireless card. Sierra Wireless AC850, AC860, AC880 or AC881 3G card.
    Power Requirements: 100-240 V AC, 50/60 Hz, 0.3 ~ 0.55 A...
  • Page 940: Static Routes

    Chapter 57 Product Specifications Table 272 Hardware Specifications (continued) FEATURE SPECIFICATION
    Storage Environment: Temperature: -30 C to 60 C; Humidity: 20% to 95% (non-condensing)
    MTBF: Mean Time Between Failures: 180,382 hours
    Dimensions: 430 (W) x 201.2 (D) x 42.0 (H) mm
    Weight: 2.8 kg
    Rack-mounting...
  • Page 941 Chapter 57 Product Specifications Table 273 ZyWALL USG 300 Feature Specifications (continued) VERSION # V2.00 V2.11, V2.12 V2.20 FEATURE APPLICATION PATROL Maximum Rules for Other Protocols Maximum Rules for Each Protocol Allowed Ports Default Ports USER PROFILES Maximum Local Users Maximum Admin Users Maximum User Groups Maximum Users in One User Group...
  • Page 942 Chapter 57 Product Specifications Table 273 ZyWALL USG 300 Feature Specifications (continued) VERSION # V2.00 V2.11, V2.12 V2.20 FEATURE Maximum Number of VPN Tunnels Maximum Number of VPN Concentrators CERTIFICATES Certificate Buffer Size 256K 256K 256K BUILT-IN SERVICES A record NS record MX record Maximum Number of Service Control...
  • Page 943 Chapter 57 Product Specifications Table 273 ZyWALL USG 300 Feature Specifications (continued) VERSION # V2.00 V2.11, V2.12 V2.20 FEATURE Maximum Number of Concurrent Mail Sessions Maximum Number of Anti-Spam Rules Maximum Number of White List Entries Maximum Number of Black List Entries Maximum Number of DNSBLs Maximum Number of Anti-Spam...
  • Page 944 Chapter 57 Product Specifications The following table, which is not exhaustive, lists standards referenced by ZyWALL features. Table 274 Standards Referenced by Features FEATURE STANDARDS REFERENCED
    Interface-Bridge: A subset of the ANSI/IEEE 802.1d standard
    Interface: RFCs 2131, 2132, 1541
    Interface-PPP: RFCs 1144, 1321, 1332, 1334, 1661, 1662, 2472
    Interface-PPTP: RFCs 2637, 3078...
  • Page 945: Pcmcia Card Installation

    Chapter 57 Product Specifications 57.1 3G PCMCIA Card Installation Only insert a compatible 3G card. Slide the connector end of the card into the slot. Note: Do not force, bend or twist the card.
  • Page 947: Appendix A Log Descriptions

    Appendix A Log Descriptions This appendix provides descriptions of example log messages for the ZLD-based ZyWALLs. The logs do not all apply to all of the ZLD-based ZyWALLs. You will not necessarily see all of these logs in your device. Table 275 Content Filter Logs LOG MESSAGE DESCRIPTION...
  • Page 948 Appendix A Log Descriptions Table 277 Blocked Web Site Logs LOG MESSAGE DESCRIPTION
    "%s :%s" - The rating server responded that the web site is in a specified category and access was blocked according to a content filter profile. 1st %s: website host. 2nd %s: website category.
    "%s: Unrated" - The rating server responded that the web site cannot be...
  • Page 949 Appendix A Log Descriptions Table 277 Blocked Web Site Logs (continued) LOG MESSAGE DESCRIPTION
    "%s: Proxy mode is detected" - The system detected a proxy connection and blocked access according to a profile. %s: website host.
    "%s: Forbidden Web site" - The web site is in the forbidden web site list. %s: website host.
    The web content matched a user defined keyword.
  • Page 950 Appendix A Log Descriptions Table 278 Anti-Spam Logs (continued) LOG MESSAGE DESCRIPTION
    "Black List checking has been activated." - The anti-spam black list has been turned on.
    "Black List checking has been deactivated." - The anti-spam black list has been turned off.
    "Black List rule %d has..." - The anti-spam black list rule with the specified index number (%d) has been added.
  • Page 951 Appendix A Log Descriptions Table 279 SSL VPN Logs LOG MESSAGE DESCRIPTION
    "%s %s from %s has logged in SSLVPN" - A user has logged into SSL VPN. The first %s is the type of user account. The second %s is the user’s user name. The third %s is the name of the service the user is using (HTTP or HTTPS).
  • Page 952 Appendix A Log Descriptions Table 279 SSL VPN Logs (continued) LOG MESSAGE DESCRIPTION
    "The %s address-object is wrong type for..." - The listed address object (first %s) is not the right kind to be specified as a network in the listed SSL VPN policy (second %s).
  • Page 953 Appendix A Log Descriptions Table 279 SSL VPN Logs (continued) LOG MESSAGE DESCRIPTION
    "%s %s is accessed. sent=<bytes> rcvd=<bytes>" - The listed SSL VPN access was used to send and receive the listed numbers of bytes. The first %s is the type of SSL VPN access (web application, file sharing, or network extension).
  • Page 954 Appendix A Log Descriptions Table 280 L2TP Over IPSec Logs LOG MESSAGE DESCRIPTION
    "The configuration of L2TP over IPSec has been changed." - The L2TP over IPSec configuration has been modified.
    "L2TP over IPSec may not work since Crypto Map..." - L2TP over IPSec does not support manual key management. L2TP over IPSec may not work because the IPSec VPN connection it uses (Crypto Map %s) has been set to use...
  • Page 955 Appendix A Log Descriptions The ZySH logs deal with internal system errors. Table 281 ZySH Logs LOG MESSAGE DESCRIPTION Invalid message queue. Maybe someone starts another zysh daemon. 1st:pid num ZySH daemon is instructed to reset by System integrity error! Group OPS cannot close property group...
  • Page 956 Appendix A Log Descriptions Table 281 ZySH Logs (continued) LOG MESSAGE DESCRIPTION
    "Can't remove %s" - 1st: zysh list name
    Table OPS
    "%s: cannot retrieve entries from table!" - 1st: zysh table name
    "%s: index is out of range!" - 1st: zysh table name
    "%s: cannot set entry" - 1st: zysh table name, 2nd: zysh entry num
    "%s: table is full!" - 1st: zysh table name
  • Page 957 Appendix A Log Descriptions Table 282 ADP Logs LOG MESSAGE DESCRIPTION
    "from <zone> to <zone> [type=<type>] <message>, Action: <action>, Severity: <severity>" - The ZyWALL detected an anomaly in traffic traveling between the specified zones. The <type> = {scan-detection(<attack>) | flood-detection(<attack>) | http-inspection(<attack>) | tcp-decoder(<attack>)}.
  • Page 958 Appendix A Log Descriptions Table 283 Anti-Virus Logs
    • LOG MESSAGE: Initializing Anti-Virus signature reference table has failed. DESCRIPTION: The ZyWALL failed to initialize the anti-virus signatures due to an internal error.
    • LOG MESSAGE: Reloading Anti-Virus ... DESCRIPTION: The ZyWALL failed to reload the anti-virus signatures due to an internal error.
  • Page 959 Appendix A Log Descriptions Table 283 Anti-Virus Logs (continued)
    • LOG MESSAGE: AV signature update has failed. Can not update last update time. DESCRIPTION: The anti-virus signatures update did not succeed.
    • LOG MESSAGE: AV signature update has failed. ... DESCRIPTION: Anti-virus signatures update failed because the ZyWALL was not able to replace the old set of anti-virus signatures with ...
  • Page 960 Appendix A Log Descriptions Table 283 Anti-Virus Logs (continued)
    • LOG MESSAGE: Anti-Virus rule %d has been modified. DESCRIPTION: The anti-virus rule of the specified number has been changed.
    • LOG MESSAGE: Anti-Virus rule %d has ... DESCRIPTION: An anti-virus rule has been inserted. %d is the number of the new rule.
  • Page 961 Appendix A Log Descriptions Table 284 User Logs
    • LOG MESSAGE: %s %s from %s has logged in ZyWALL DESCRIPTION: A user logged into the ZyWALL. 1st %s: The type of user account. 2nd %s: The user’s user name. 3rd %s: The name of the service the user is using (HTTP, HTTPS, FTP, Telnet, SSH, or console).
  • Page 962 Appendix A Log Descriptions Table 284 User Logs (continued)
    • LOG MESSAGE: Failed login attempt to ZyWALL from %s (login on a lockout address) DESCRIPTION: A login attempt came from an IP address that the ZyWALL has locked out. %u.%u.%u.%u: the source address of the user’s login attempt
    • LOG MESSAGE: Failed login attempt to... DESCRIPTION: The ZyWALL blocked a login because the maximum login ...
  • Page 963 Appendix A Log Descriptions Table 285 myZyXEL.com Logs (continued)
    • LOG MESSAGE: Registration has failed. Because of lack must fields. DESCRIPTION: The device received an incomplete response from the myZyXEL.com server and it caused a parsing error for the device.
    • LOG MESSAGE: %s:Trial service activation has... DESCRIPTION: Trial service activation failed for the specified service; an error message returned by the MyZyXEL.com server will be ...
  • Page 964 Appendix A Log Descriptions Table 285 myZyXEL.com Logs (continued)
    • LOG MESSAGE: Do device register. DESCRIPTION: The device started device registration.
    • LOG MESSAGE: Do trial service activation. DESCRIPTION: The device started trial service activation.
    • LOG MESSAGE: Do standard service activation. DESCRIPTION: The device started standard service activation.
    • DESCRIPTION: The device started the service expiration day check.
  • Page 965 Appendix A Log Descriptions Table 285 myZyXEL.com Logs (continued)
    • LOG MESSAGE: Device has latest signature file; no need to update DESCRIPTION: The device already has the latest version of the signature file so no update is needed.
    • LOG MESSAGE: Connect to update server has failed. DESCRIPTION: The device cannot connect to the update server.
  • Page 966 Appendix A Log Descriptions Table 285 myZyXEL.com Logs (continued)
    • LOG MESSAGE: Get server response has failed. DESCRIPTION: The device sent packets to the server, but did not receive a response. The root cause may be that the connection is abnormal.
    • LOG MESSAGE: Expiration daily-... DESCRIPTION: The daily check for service expiration failed; an error message returned by the MyZyXEL.com server will be appended to this...
  • Page 967 Appendix A Log Descriptions Table 285 myZyXEL.com Logs (continued)
    • LOG MESSAGE: Self signed certificate. DESCRIPTION: Verification of a server’s certificate failed because it is self-signed.
    • LOG MESSAGE: Self signed certificate in certificate chain. DESCRIPTION: Verification of a server’s certificate failed because there is a self-signed certificate in the server’s certificate chain.
  • Page 968 Appendix A Log Descriptions Table 286 IDP Logs (continued)
    • LOG MESSAGE: Enable IDP engine succeeded. DESCRIPTION: The device turned on the IDP engine.
    • LOG MESSAGE: Disable IDP engine succeeded. DESCRIPTION: The device turned off the IDP engine.
    • LOG MESSAGE: IDP service is not registered. DESCRIPTION: The IDP service has not been turned on and the IDP signatures will not be updated because the IDP service is ...
  • Page 969 Appendix A Log Descriptions Table 286 IDP Logs (continued)
    • LOG MESSAGE: Add custom signature error: signature <sid> is over length. DESCRIPTION: An attempt to add a custom IDP signature failed because the signature’s contents were too long.
    • LOG MESSAGE: Edit custom signature ... DESCRIPTION: An attempt to edit a custom IDP signature failed because the signature’s contents were too long.
  • Page 970 Appendix A Log Descriptions Table 286 IDP Logs (continued)
    • LOG MESSAGE: from <zone> to <zone> [type=<type>] <message>, Action: <action>, Severity: <severity> DESCRIPTION: The ZyWALL detected an intrusion in traffic traveling between the specified zones. The <type> = {scan-detection(<attack>) | flood-detection(<attack>) | http-inspection(<attack>) | tcp-decoder(<attack>)}.
  • Page 971 Appendix A Log Descriptions Table 286 IDP Logs (continued)
    • LOG MESSAGE: Duplicate sid <sid> in import file at line <linenum>. DESCRIPTION: The listed signature ID is duplicated at the listed line number in the signature file.
    • LOG MESSAGE: IDP rule <num>... DESCRIPTION: The listed IDP rule has been removed.
  • Page 972 Appendix A Log Descriptions Table 287 Application Patrol (continued)
    • MESSAGE: Protocol %s has been enabled. EXPLANATION: The listed protocol has been turned on in the application patrol.
    • MESSAGE: Protocol %s has been ... EXPLANATION: The listed protocol has been turned off in the application patrol.
  • Page 973 Appendix A Log Descriptions Table 288 IKE Logs
    • LOG MESSAGE: Peer has not announced DPD capability DESCRIPTION: The remote IPSec router has not announced its dead peer detection (DPD) capability to this device.
    • LOG MESSAGE: [COOKIE] Invalid cookie, no sa found DESCRIPTION: Cannot find SA according to the cookie.
    • DESCRIPTION: The device’s DPD feature has not detected a response from...
  • Page 974 Appendix A Log Descriptions Table 288 IKE Logs (continued)
    • LOG MESSAGE: [SA] : Tunnel [%s] Phase 1 invalid protocol DESCRIPTION: %s is the tunnel name. When negotiating Phase-1, the packet was not an ISAKMP packet in the protocol field.
    • LOG MESSAGE: [SA] : Tunnel [%s] ... DESCRIPTION: %s is the tunnel name. When negotiating Phase-1, the transform ID was invalid.
  • Page 975 Appendix A Log Descriptions Table 288 IKE Logs (continued)
    • LOG MESSAGE: Could not dial manual key tunnel "%s" DESCRIPTION: %s is the tunnel name. The manual key tunnel cannot be dialed.
    • LOG MESSAGE: DPD response with invalid ID DESCRIPTION: When receiving a DPD response with invalid ID, ignored.
    • DESCRIPTION: When receiving a DPD response with no active query.
  • Page 976 Appendix A Log Descriptions Table 288 IKE Logs (continued)
    • LOG MESSAGE: VPN gateway %s was enabled DESCRIPTION: %s is the gateway name. An administrator enabled the VPN gateway.
    • LOG MESSAGE: XAUTH fail! My name: ... DESCRIPTION: %s is the my xauth name. This indicates that my name is invalid.
  • Page 977 Appendix A Log Descriptions Table 289 IPSec Logs (continued)
    • LOG MESSAGE: Get outbound transform fail DESCRIPTION: When an outgoing packet needs to be transformed, the engine cannot obtain the transform context.
    • LOG MESSAGE: Inbound transform operation fail DESCRIPTION: After encryption or hardware accelerated processing, the hardware accelerator dropped a packet (resource shortage, corrupt packet, invalid MAC, and so on).
  • Page 978 Appendix A Log Descriptions Table 290 Firewall Logs (continued)
    • LOG MESSAGE: Firewall %s %s rule %d was %s. DESCRIPTION: 1st %s is from zone, 2nd %s is to zone, %d is the index of the rule. 3rd %s is appended/inserted/modified
    • LOG MESSAGE: Firewall %s %s rule %d ... DESCRIPTION: 1st %s is from zone, 2nd %s is to zone, 1st %d is the old index of the rule...
  • Page 979 Appendix A Log Descriptions Table 292 Policy Route Logs (continued)
    • LOG MESSAGE: The policy route %d uses empty user group! DESCRIPTION: Use an empty object group. %d: the policy route rule number
    • LOG MESSAGE: The policy route %d uses empty source address group! DESCRIPTION: Use an empty object group. %d: the policy route rule number
  • Page 980 Appendix A Log Descriptions Table 293 Built-in Services Logs (continued)
    • LOG MESSAGE: HTTPS port has been changed to port %s. DESCRIPTION: An administrator changed the port number for HTTPS. %s is port number
    • LOG MESSAGE: HTTPS port has been ... DESCRIPTION: An administrator changed the port number for HTTPS back to the default (443).
  • Page 981 Appendix A Log Descriptions Table 293 Built-in Services Logs (continued)
    • LOG MESSAGE: Console baud has been reset to %d. DESCRIPTION: An administrator changed the console port baud rate back to the default (115200). %d is default baud rate
    • LOG MESSAGE: DHCP Server on ... DESCRIPTION: If the interface is in stand-by mode for Device HA, the DHCP server can't be run.
  • Page 982 Appendix A Log Descriptions Table 293 Built-in Services Logs (continued)
    • LOG MESSAGE: DNS access control rule %u has been moved to %d. DESCRIPTION: An administrator moved the rule %u to index %d. %u is previous index. %d variable is current index
    • DESCRIPTION: The default record DNS servers is more than 128.
  • Page 983 Appendix A Log Descriptions Table 293 Built-in Services Logs (continued)
    • LOG MESSAGE: Access control rule %u of %s was modified. DESCRIPTION: An access control rule was modified successfully. %u is the index of the access control rule. %s is HTTP/HTTPS/SSH/SNMP/FTP/TELNET.
    • DESCRIPTION: An access control rule was removed successfully.
  • Page 984 Appendix A Log Descriptions Table 294 System Logs (continued)
    • LOG MESSAGE: DHCP Server executed with cautious mode disabled DESCRIPTION: DHCP Server executed with cautious mode disabled.
    • LOG MESSAGE: Received packet is not an ARP response packet DESCRIPTION: A packet was received but it is not an ARP response packet.
    • DESCRIPTION: The device received an ARP response.
  • Page 985 Appendix A Log Descriptions Table 294 System Logs (continued)
    • LOG MESSAGE: Device is rebooted by administrator! DESCRIPTION: An administrator restarted the device.
    • LOG MESSAGE: Insufficient memory. DESCRIPTION: Cannot allocate system memory.
    • LOG MESSAGE: Connect to dyndns server has failed. DESCRIPTION: Cannot connect to members.dyndns.org to update DDNS.
    • LOG MESSAGE: Update the profile %s ... DESCRIPTION: Update profile failed because the response was strange. %s is the profile name.
  • Page 986 Appendix A Log Descriptions Table 294 System Logs (continued)
    • LOG MESSAGE: Update the profile %s has failed because the feature requested is only available to donators. DESCRIPTION: Update profile failed because the feature requested is only available to donators. %s is the profile name.
  • Page 987 Appendix A Log Descriptions Table 294 System Logs (continued)
    • LOG MESSAGE: The profile %s has been paused because the HA interface of VRRP status was standby. DESCRIPTION: The profile is paused by Device-HA, because the VRRP status of that HA iface is standby. %s is the profile name.
  • Page 988 Appendix A Log Descriptions Table 295 Connectivity Check Logs
    • LOG MESSAGE: Can't open link_up2 DESCRIPTION: Cannot recover routing status which is link-down.
    • LOG MESSAGE: Can not open %s.pid DESCRIPTION: Cannot open connectivity check process ID file. %s: interface name
    • LOG MESSAGE: Can not open %s.arg DESCRIPTION: Cannot open configuration file for connectivity check process. %s: interface name
    • DESCRIPTION: The link status of the interface is still active after check of...
  • Page 989 Appendix A Log Descriptions Table 295 Connectivity Check Logs (continued)
    • LOG MESSAGE: Can't use MULTICAST IP for destination DESCRIPTION: The connectivity check process can't use multicast address to check link-status.
    • LOG MESSAGE: The destination is ... DESCRIPTION: The connectivity check process can't use broadcast address to check link-status.
  • Page 990 Appendix A Log Descriptions Table 296 Device HA Logs (continued)
    • LOG MESSAGE: %s file not existed, Skip syncing it for %s DESCRIPTION: There is no file to be synchronized from the Master when syncing an object (AV/AS/IDP/Certificate/System Configuration), but in fact there should be something in the Master for the device to synchronize with. 1st %s: The syncing object, 2nd %s: The feature name for the syncing object.
  • Page 991 Appendix A Log Descriptions Table 296 Device HA Logs (continued)
    • LOG MESSAGE: Device HA authentication type for VRRP group %s maybe wrong. DESCRIPTION: A VRRP group’s Authentication Type (Md5 or IPSec AH) configuration may not match between the Backup and the Master. %s: The name of the VRRP group.
  • Page 992 Appendix A Log Descriptions Table 297 Routing Protocol Logs
    • LOG MESSAGE: RIP on interface %s has been stopped because Device-HA binds this interface. DESCRIPTION: Device-HA is currently running on the interface %s, so all the local services have to be stopped, including RIP. %s: Interface Name
  • Page 993 Appendix A Log Descriptions Table 297 Routing Protocol Logs (continued)
    • LOG MESSAGE: RIP md5 authentication id and key have been deleted. DESCRIPTION: RIP md5 authentication id and key have been deleted.
    • LOG MESSAGE: RIP global version has been deleted. DESCRIPTION: RIP global version has been deleted.
  • Page 994 Appendix A Log Descriptions Table 297 Routing Protocol Logs (continued)
    • LOG MESSAGE: Invalid OSPF virtual-link %s authentication DESCRIPTION: Virtual-link %s authentication has been set to same-as-area but the area has invalid authentication configuration. %s: Virtual-Link ID of area %s.
    • Invalid OSPF md5 authentication is set on interface %s.
  • Page 995 Appendix A Log Descriptions Table 298 NAT Logs (continued)
    • LOG MESSAGE: Register SIP ALG signal port=%d failed. DESCRIPTION: SIP ALG apply signal port failed. %d: Port number
    • LOG MESSAGE: Register H.323 ALG extra port=%d failed. DESCRIPTION: H323 ALG apply additional signal port failed. %d: Port number
    • DESCRIPTION: H323 ALG apply signal port failed.
  • Page 996 Appendix A Log Descriptions Table 299 PKI Logs (continued)
    • LOG MESSAGE: SCEP enrollment "%s" successfully, CA "%s", URL "%s"... DESCRIPTION: The device used SCEP to enroll a certificate. 1st %s is a request name, 2nd %s is the CA name, 3rd %s is the URL.
  • Page 997 Appendix A Log Descriptions Table 299 PKI Logs (continued)
    • LOG MESSAGE: Export X509 certificate "%s" from "Trusted Certificate" successfully DESCRIPTION: The device exported a x509 format certificate from Trusted Certificates. %s is the certificate request name.
    • LOG MESSAGE: Export X509 ... DESCRIPTION: The device was not able to export a x509 format certificate from My Certificates.
  • Page 998 Appendix A Log Descriptions CODE DESCRIPTION
    • DESCRIPTION: Database method failed due to timeout.
    • DESCRIPTION: Database method failed.
    • DESCRIPTION: Path was not verified.
    • DESCRIPTION: Maximum path length reached.
    Table 300 Interface Logs
    • LOG MESSAGE: Interface %s has been ... DESCRIPTION: An administrator deleted an interface. %s is the interface name.
  • Page 999 Appendix A Log Descriptions Table 300 Interface Logs (continued)
    • LOG MESSAGE: Interface %s is enabled. DESCRIPTION: An administrator enabled an interface. %s: interface name.
    • LOG MESSAGE: Interface %s is disabled. DESCRIPTION: An administrator disabled an interface. %s: interface name.
    • LOG MESSAGE: PPP interface %s MTU >... DESCRIPTION: An administrator configured a PPP interface, ...
  • Page 1000 Appendix A Log Descriptions Table 300 Interface Logs (continued)
    • LOG MESSAGE: Interface %s connect failed: MS-CHAP authentication DESCRIPTION: MS-CHAP authentication failed (the server must support MS-CHAP and verify that the authentication failed; this does not include cases where the server does not support MS-CHAP). %s: interface name.
  • Page 1001 Appendix A Log Descriptions Table 300 Interface Logs (continued)
    • LOG MESSAGE: "SIM card has been successfully unlocked by PUK code on interface cellular%d. DESCRIPTION: You entered the correct PUK code and unlocked the SIM card for the cellular device associated with the listed cellular interface (%d).
  • Page 1002 Appendix A Log Descriptions Table 300 Interface Logs (continued)
    • LOG MESSAGE: "Cellular device [%s %s] has been removed from %s. DESCRIPTION: The cellular device (identified by its manufacturer and model) has been removed from the specified slot.
    • LOG MESSAGE: Interface cellular%d ... DESCRIPTION: You need to manually enter the password for the listed cellular interface (%d).
  • Page 1003 Appendix A Log Descriptions Table 301 WLAN Logs (continued)
    • LOG MESSAGE: Station association has failed. Maximum associations have ... DESCRIPTION: A wireless client with the specified MAC address (second %s) failed to connect to the specified WLAN interface (first %s) because the WLAN interface already has its maximum number of wireless clients.