ZyXEL Communications ZYWALL USG 1000 Support Notes

Internet security appliance
ZyWALL USG 1000 Support Notes
ZyWALL USG 1000
Internet Security Appliance
Support Notes
Revision 2.02
August 2007
All contents copyright (c) 2007 ZyXEL Communications Corporation.

Summary of Contents for ZyXEL Communications ZYWALL USG 1000

  • Page 2: Table Of Contents

    2.1.1 Why bother with managing IM/P2P applications? ... 199
    2.1.2 What does ZyWALL USG provide for managing IM/P2P applications? ... 200
    2.1.3 Configuration Example ... 200
    2.2 Zone-based Anti-Virus Protection ... 209
    2.2.1 Applying Zone-Based Anti-Virus to ZyWALL USG ... 209
  • Page 3
    B. Registration FAQ ... 310
    B01. Why do I need to do the Device Registration? ... 310
    B02. Why do I need to activate services? ... 310
    B03. Why can't I activate the trial service? ... 310
  • Page 4
    ... WWW? ... 323
    F08. Why can't I ping the Internet after I shut down the primary WAN interface? ... 323
    F09. Why does the virtual server or port trigger not work? ... 323
  • Page 5
    J03. When I want to configure the packet inspection (signatures), the GUI becomes very slow ... 333
    J04. After I select "Auto Update" for IDP, when will it update the signatures? ... 333
  • Page 6
    O01. When I use "Flush Data" in Report, not all the statistic data are cleared ... 343
    O02. Why isn't the statistic data of "Report" exact? ... 343
    O03. Does Report collect the traffic from/to ZyWALL itself? ... 343
  • Page 7
    P09. What kinds of protocol are currently supported on the ZyWALL USG Anti-Virus engine? ... 345
    P10. If the Anti-Virus engine detects a virus, what action may it take? Can it cure the file? ... 345
  • Page 8: Deploying VPN

    Typically, an administrator has to configure many site-to-site VPN connections to build a truly global VPN network. VPN connection management is made easy by the VPN concentrator. The VPN
  • Page 9 VPN network with less effort but stronger security and management possibilities. For SMB customers, ZyXEL provides a total VPN solution, from a personal client to a firewall for 500+ people, where all of these devices have VPN connection capability.
  • Page 10: Extended Intranets

    1.1 Extended Intranets The ZyXEL VPN solutions can primarily be used to extend the intranet and deliver increased connectivity between operation sites. The branch office subnet is considered part of the main office intranet, so a user behind the branch office can use the internal network resources as if he were in the main office.
  • Page 11 IP and 167.35.4.3. 3) Repeat steps 1 and 2 to configure the remote ZyWALL USG. Its Local ID Type & content and Peer ID Type & content are the reverse of the local ZyWALL USG's.
  • Page 12 The Next-Hop type is VPN tunnel. Then choose the corresponding VPN connection rule from the VPN tunnel drop-down menu. Now the VPN tunnel and routing are configured and the user can start to test it.
  • Page 13 (CLI listing, continued)
    [12] peer-id type ip 167.35.4.3
    [13] peer-id type ip 167.35.4.3
    [14] xauth type server default deactivate
    [15] group1
    [16] exit
    Remote Gateway:
    [0] isakmp policy RemoteSite
    [1] mode main
    [2] transform-set des-md5
    [3] lifetime 86400
  • Page 14: Site-to-Site VPN Solutions (ZyWALL USG 1000 to ZyWALL USG 300)

    A VPN connection is used to extend and join the local networks of both sites into a single intranet. There are two kinds of connection interface: static IP and dynamic DNS. Configure the ZyWALL USG with a static IP address:
  • Page 15 8) Repeat steps 1 and 2 to configure the remote ZyWALL USG 300. Its Local ID Type & content and Peer ID Type & content are the reverse of the local ZyWALL USG 1000's.
  • Page 16 The Next-Hop type is VPN tunnel. Then choose the corresponding VPN connection rule from the VPN tunnel drop-down menu. Now the VPN tunnel and routing are configured and the user can start to test it.
  • Page 17 (CLI listing, continued)
    [12] peer-id type ip 167.35.4.3
    [13] peer-id type ip 167.35.4.3
    [14] xauth type server default deactivate
    [15] group1
    [16] exit
    Remote Gateway:
    [0] isakmp policy RemoteSite
    [1] mode main
    [2] transform-set des-md5
    [3] lifetime 86400
  • Page 18 8. Select the correct interface for the VPN connection. 9. The Local and Peer ID type and content must be mirrored between the two gateways (one side's Local ID is the other side's Peer ID), and on a single gateway the Local ID and Peer ID must not be identical. Make sure the VPN policy route has been configured in the ZyWALL USG 1000.
  • Page 19: Extranet Deployment

    The ZyWALL USG 1000 can be placed as the VPN gateway at the central site. It can communicate with other ZyXEL VPN-capable products as well as VPN products from other major vendors in the network device industry, e.g. Cisco PIX/IOS VPN products, Check Point...
  • Page 20: Site-to-Site VPN Solutions (ZyWALL USG 1000 to ZyWALL 70)

    Security Gateway Address field: set the remote gateway IP to 167.35.4.3. The Local ID Type and content are IP and 210.110.7.1; the Peer ID Type and content are IP and 167.35.4.3.
  • Page 21 6) In the ZyWALL 70, VPN is rule-based: whether traffic enters the tunnel or not depends on the local and remote policies. In this example,
  • Page 22 > Route > Policy Route and add a new policy route; the source and destination addresses are the local and remote subnets and the Next-Hop type is VPN tunnel. Then choose the corresponding VPN connection rule from the VPN tunnel drop-down menu. Now the VPN
  • Page 23 9) After configuring both sides of the VPN, click the Dial up VPN tunnel icon to test VPN connectivity. 10) The message "VPN tunnel establishment successful" appears.
  • Page 24 (CLI listing, continued)
    [13] xauth type server default deactivate
    [14] group1
    [15] exit
    ZyWALL USG VPN Connection:
    [0] crypto map RemoteTunnel
    [1] ipsec-isakmp LocalSite
    [2] encapsulation tunnel
    [3] transform-set esp-des-sha
    [4] set security-association lifetime seconds 86400
  • Page 25 4. The Local and Peer ID type and content must be mirrored between the two gateways (one side's Local ID is the other side's Peer ID), and on a single gateway the Local ID and Peer ID must not be identical. 5. Make sure the VPN policy route has been set up in the ZyWALL USG.
  • Page 26: Interoperability - VPN with Other Vendors

    ZyWALL USG 1000                  FortiGate
    WAN: 210.110.7.1                 WAN: 167.35.4.3
    LAN: 192.168.1.0/24              LAN: 192.168.2.0/24
    Phase 1                          Phase 1
    Negotiation Mode: Main           Negotiation Mode: Main
    Pre-shared key: 123456789        Pre-shared key: 123456789
    Encryption: DES                  Encryption: DES
    DES, MD5 and DH group 1 are used throughout these interoperability examples as the lowest common denominator. They are weak by current standards; the procedure is the same with the strongest cipher, hash and DH group that both peers support, which is what a production tunnel should use.
  • Page 27 4) Fill in the VPN phase 1 settings according to the table. We do not have to set up the ID type and content because the FortiGate accepts any peer ID; with any peer ID accepted, the pre-shared key is what authenticates the ZyWALL to the FortiGate, so it must not be guessable. Make sure both the pre-shared key and the proposal are the same as on the ZyWALL USG 1000.
  • Page 28 Advanced… button to edit the phase 2 proposal and the source and destination addresses. Make sure the phase 2 proposal is the same as the ZyWALL USG's phase 2 proposal.
  • Page 29 Use the "Create New" button to create a new address object. 9) Switch to Firewall > Policy and click the "Insert Policy Before" icon to add a new policy for the VPN traffic from the FortiGate to the ZyWALL.
  • Page 30 Schedule and service type are Always and ANY to ensure that all kinds of traffic can pass through the VPN tunnel at any time. Select "ACCEPT" as the action this time.
  • Page 31 2. Make sure the IKE and IPSec proposals are the same on both the local and remote gateways. 3. Make sure the VPN policy route has been configured in the ZyWALL USG 1000. 4. Make sure the firewall rule has been configured in the FortiGate.
  • Page 32: ZyWALL with NetScreen VPN Tunneling

    Phase 1 (same on both peers)
    Negotiation Mode: Main
    Pre-shared key: 123456789
    Encryption: DES
    Authentication: MD5
    Key Group: DH1
  • Page 33 After configuring a static IP address on the untrust interface, switch to Network > Routing > Routing Entries to edit the default gateway IP address. In this example the gateway IP address is 167.35.4.1.
  • Page 34 ZyWALL's WAN IP address. In this example, we select the Static IP Address option and enter 210.110.7.1 in the text box. Enter the key string 123456789 in the Preshared Key text box, and then press the Advanced button to edit the advanced settings.
  • Page 35 Key, group1, DES for Encryption Algorithm and MD5 for Authentication Algorithm. Select the Main (ID Protection) option for Mode (Initiator). Then press the Return button, and press the OK button on the next page to save your settings.
  • Page 36 10) Give the VPN a name, for example "ToZyWALL IPSec". In Remote Gateway, choose the Predefined option and select the ToZyWALL rule. Then press the Advanced button to edit the advanced settings.
  • Page 37 Encryption Algorithm to DES and Authentication Algorithm to SHA1. Check the VPN Monitor check box so that you can monitor your VPN tunnels. Then press the Return button and the OK button on the next page to save the settings.
  • Page 38 13) Switch to Policies to set up policy rules for VPN traffic. In the From field choose Trust and in the To field choose Untrust (that is, from LAN to WAN). Then press the New button to edit the policy rules.
  • Page 39 VPN policy for the opposite direction. Then press the OK button to save your settings. 15) After applying the settings, the new policy rules are displayed in the Policies page.
  • Page 40 17) Ping the remote host and switch to VPNs > Monitor Status to check the VPN link status. If the link status is Up, the VPN tunnel between the ZyWALL and the NetScreen has been built successfully.
  • Page 41: ZyWALL with SonicWall VPN Tunneling

    Phase 1 (same on both peers)
    Negotiation Mode: Main
    Pre-shared key: 123456789
    Encryption: DES
    Authentication: MD5
    Key Group: DH1
  • Page 42 2) Using a web browser, log in to the SonicWall by entering its LAN IP address in the URL field. The default username and password are admin/password; change the default password as part of the initial setup. 3) Switch to Network > Interfaces and configure the WAN/LAN IP addresses: WAN 167.35.4.3, LAN 192.168.2.1/24.
  • Page 43 4) Switch to VPN > Settings, check the Enable VPN check box and press the Add button. This brings up the VPN settings. Note: The VPN Policy Wizard is an alternative way to set up the VPN rules.
  • Page 44 Address is the ZyWALL's WAN IP address (the IP address of the remote gateway). In this example, we enter 210.110.7.1 in the IPSec Primary Gateway Name or Address text box. Then enter the key string 123456789 in the Shared Secret text box.
  • Page 45 Therefore, we have to create a new address object from the remote network drop-down list. A new address object window will pop up.
  • Page 46 Network text box and then type 255.255.255.0 in the Subnet Mask text box. Then press OK. Once the address object is configured, the new address object "Remote_Subnet" can be selected from the destination network drop-down list.
  • Page 47 8) Switch to the Proposals tab. In the IKE (Phase 1) proposal settings, select Main mode and set DH Group to Group 1, Encryption to DES and Authentication to MD5. In the IPSec (Phase 2) proposal settings, select ESP Protocol, Encryption DES and Authentication SHA1. Then press the OK button.
  • Page 48 9) Switch to the Advanced tab. In the "VPN policy bound to" setting select Interface WAN. Then press the OK button. 10) The VPN status page shows the new VPN rule. Make sure the rule is enabled.
  • Page 49 11) Ping the remote host to dial up the tunnel. We can check the connected VPN status in the VPN status page. The tunnel should appear in the Currently Active VPN Tunnels page, showing that it has been built successfully.
  • Page 50: Remote Access VPN

    ZyWALL USG's remote gateway setting, it represents "any IP". On the other end, the teleworker uses the ZyWALL VPN client on a notebook to establish an IPSec VPN with the main office.
  • Page 51 Phase 1 (same on both peers)
    Negotiation Mode: Main
    Pre-shared key: 123456789
    Encryption: DES
    Authentication: MD5
    Key Group: DH1
  • Page 52 Gateway should be set as dynamic, 0.0.0.0. The VPN peers must also agree on the other parameters, such as the Pre-Shared Key, ID Type, and the Encryption and Authentication proposals.
  • Page 53 4) To create a VPN rule, go to Configuration > Network > IPSec VPN > VPN Connection. Set the policy as defined in steps 1 and 2. The remote policy should be a dynamic host address. Set the VPN Gateway to the dynamic gateway defined in step 3.
  • Page 54 5) Go to the remote host to configure the ZyXEL VPN Client. We create a Net Connection and set the remote access subnet to 192.168.2.x.
  • Page 55 In My Identity, select local ID type Any. Note: Do not forget to enter the Pre-Shared Key by clicking the Pre-Shared Key button.
  • Page 56 The last step is to go to Security Policy to configure the parameters for Phase 1 and Phase 2. After saving the configuration, the VPN connection should be initiated from the remote host side.
  • Page 57 (CLI listing, continued)
    [5] dpd
    [6] local-ip interface ge2
    [7] peer-ip 0.0.0.0 0.0.0.0
    [8] authentication pre-share
    [9] keystring 123456789
    [10] local-id type ip 0.0.0.0
    [11] peer-id type any
    [12] xauth type server default deactivate
    [13] group1
  • Page 58 4. The Local and Peer ID type and content must be mirrored between the two ends, and on a single device the Local ID and Peer ID must not be identical. 5. The remote policy of the ZyWALL USG should be a dynamic single host with the value 0.0.0.0 (as set in step 4). With the peer address and peer ID both dynamic, the ZyWALL USG has no address to dial, so the VPN tunnel must be initiated from the remote host side.
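The checklists on pages 18, 25, 31 and 58 all reduce to a few mechanical conditions: identical phase 1 proposal, lifetime, DH group and pre-shared key on both gateways; each gateway's peer address pointing at the other (or 0.0.0.0 for a dynamic peer); Local and Peer IDs mirrored between the two sides and not identical on one device; and, for remote access, a peer ID of "any". The following Python script is an added example written for this page, not ZyXEL code: it parses listings in the numbered "[n] command" form the notes print and applies those checks to two peers. The listings it builds are constructed from the fragments on pages 13, 17 and 57 (a full dump is not on the page), the WAN addresses passed in are the ones from the parameter tables, and the "Client" listing is a stand-in for what the ZyXEL VPN client is configured to send, since the client itself is not configured through this CLI.

```python
"""Consistency check for two IKE gateway configurations.

Added example for the ZyWALL USG support notes (not ZyXEL code). It parses
numbered CLI lines in the form the notes print, e.g. "[2] transform-set des-md5",
and checks the conditions the checklists state: identical proposal, key, lifetime
and DH group on both sides, mirrored peer addresses and IDs, and a dynamic
peer (peer-ip 0.0.0.0, peer-id type any) for remote-access rules.
"""
import re
from typing import Dict, List, Tuple

LINE_RE = re.compile(r"\[\d+\]\s+(\S+)(?:\s+(.*))?")
WEAK_ALGS = {"des", "md5", "group1"}   # the lowest-common-denominator settings the notes use


def parse_cli(text: str) -> Dict[str, str]:
    """Turn numbered lines like '[2] transform-set des-md5' into {command: arguments}."""
    cfg: Dict[str, str] = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            cfg[m.group(1)] = (m.group(2) or "").strip()
    return cfg


def ike_id(cfg: Dict[str, str], key: str) -> Tuple[str, str]:
    """'type ip 1.2.3.4' -> ('ip', '1.2.3.4'); 'type any' -> ('any', '')."""
    parts = cfg.get(key, "").split()
    if len(parts) >= 2 and parts[0] == "type":
        return parts[1], (parts[2] if len(parts) > 2 else "")
    return "", ""


def dh_group(cfg: Dict[str, str]) -> str:
    """The DH group is a bare keyword in the listing (group1, group2, ...)."""
    return next((k for k in cfg if re.fullmatch(r"group\d+", k)), "")


def check_pair(a: Dict[str, str], b: Dict[str, str], addr_a: str, addr_b: str) -> List[str]:
    """List every mismatch between gateway A (WAN address addr_a) and B (addr_b); [] means consistent."""
    problems: List[str] = []
    for key in ("mode", "transform-set", "keystring", "lifetime"):
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs: {a.get(key)!r} vs {b.get(key)!r}")
    if dh_group(a) != dh_group(b):
        problems.append(f"DH group differs: {dh_group(a)!r} vs {dh_group(b)!r}")
    for me, other, name, other_addr in ((a, b, "A", addr_b), (b, a, "B", addr_a)):
        # peer-ip must be the other gateway's address unless this side accepts any peer (0.0.0.0)
        peer = me.get("peer-ip", "").split()[:1] or [""]
        if peer[0] not in ("0.0.0.0", other_addr):
            problems.append(f"{name} peer-ip {peer[0]!r} is not the other gateway's address {other_addr!r}")
        local_id, peer_id = ike_id(me, "local-id"), ike_id(me, "peer-id")
        # my Local ID must be exactly what the other side expects as its Peer ID (unless it accepts any)
        if ike_id(other, "peer-id")[0] != "any" and local_id != ike_id(other, "peer-id"):
            problems.append(f"{name} local-id {local_id} is not the other side's peer-id {ike_id(other, 'peer-id')}")
        # and one device must not use the same ID for itself and for its peer
        if local_id[0] not in ("", "any") and local_id == peer_id:
            problems.append(f"{name} local-id and peer-id are identical: {local_id}")
    return problems


def weak_settings(cfg: Dict[str, str]) -> List[str]:
    """Report DES/MD5/DH group 1 so the checklist also records proposal strength."""
    used = set(cfg.get("transform-set", "").lower().split("-")) | {dh_group(cfg)}
    return sorted(used & WEAK_ALGS)


def listing(name: str, peer_ip: str, local_id: str, peer_id: str, transform: str = "des-md5") -> str:
    """Constructed gateway listing in the notes' format (pages 13, 17 and 57); sample input only."""
    return f"""
[0] isakmp policy {name}
[1] mode main
[2] transform-set {transform}
[3] lifetime 86400
[6] local-ip interface ge2
[7] peer-ip {peer_ip}
[8] authentication pre-share
[9] keystring 123456789
[10] local-id {local_id}
[11] peer-id {peer_id}
[12] xauth type server default deactivate
[13] group1
[14] exit
"""


if __name__ == "__main__":
    local = parse_cli(listing("LocalSite", "167.35.4.3", "type ip 210.110.7.1", "type ip 167.35.4.3"))
    remote = parse_cli(listing("RemoteSite", "210.110.7.1", "type ip 167.35.4.3", "type ip 210.110.7.1"))
    for line in check_pair(local, remote, "210.110.7.1", "167.35.4.3") or ["peers are consistent"]:
        print(line)
    print("weak settings on the local gateway:", weak_settings(local))
```

Run it against the two gateway listings before dialling: an empty problem list is the checklist satisfied, and the weak-settings line is the reminder that DES/MD5/DH1 were chosen for interoperability, not strength.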
  • Page 59: SSL VPN Application - Reverse Proxy

    ZyWALL USG at http://192.168.1.1. Configure the ZyWALL USG's LAN and WAN interfaces with the proper IP addresses. 2) Go to VPN > SSL VPN and create one access privilege rule by clicking the Add icon.
  • Page 60 Then continue to create user or group objects. Here we create one user by clicking the "Add" button. Then continue to create one application object. Here we create one for the reverse proxy rule, of web application type, by clicking the "Add" button.
  • Page 61 Step 2. Enter the ID/password, check "log into SSL VPN" and click the Login button. Step 3. Click the Yes buttons until you see the following page, where the ZW_http link is available in the application list.
  • Page 62 Connect your notebook to the ZyWALL USG's LAN (ge1). Get an IP address by DHCP and log in to the ZyWALL USG at http://192.168.1.1. Configure the ZyWALL USG's LAN and WAN interfaces with the proper IP addresses.
  • Page 63 Switch to Objects > Address and click the Add icon to add a new address. Configure a network subnet 192.168.1.0/24. Step 4. Modify the SSL rule we created for LAB1 by clicking the modify icon.
  • Page 64 Configure your notebook with IP address 10.1.1.33 and connect it to the ZyWALL USG's WAN side (ge2). Open a browser and try to connect to https://10.1.1.1. Step 2. Enter the ID/password, check "log into SSL VPN" and click the Login button.
  • Page 65 Step 3. Click the Yes buttons until you see the following page. A small window shows the security extender rule (for network extension) being processed.
  • Page 66 You will see the corresponding routing information by typing 'route print'. Step 6. Try the ZW_http link again. You should now be able to reach the ZyWALL login page.
  • Page 67: Using Two-Factor Authentication to Provide Stronger Password Security

    4. Assign users to OTP tokens (on the ASAS server). 5. Configure the ASAS as a RADIUS server in the ZyWALL's Object > AAA Server screens. 6. Give the OTP tokens to (local or remote) users.
  • Page 68: Network Topology

    1) Go to Object > User/Group and click the "Add" button to create a new user account. 2) Enter the user's name and select user type "Ext-User" in the User Configuration page. 3) Click the OK button to finish the configuration on this page.
  • Page 69 1) Navigate to ZyWALL > VPN > SSL VPN and click "Add" to create an SSL VPN application policy. Select the newly created user for the desired SSL VPN application. 2) Click the OK button to finish the configuration.
  • Page 70 1) Click ZyWALL > Object > AAA Server in the left panel and then navigate to the RADIUS page. 2) Enter the IP address of the ASAS server in "Host" and the shared secret in "Key". STEP 6: Configure the Authentication Method
  • Page 71 1) Log in to the ASAS server and add a new user via Manage Users > Add User. 2) Fill in the user name in "Login ID". 3) Click the "Add" button to complete this step.
  • Page 72 2) Pick an A-Key that is available in the right panel and click the "Assign" button to complete the authentication key assignment. STEP 3: Verify the A-Key is Properly Assigned to the User
  • Page 73 3) Select "PIN Set Mode" from the OTP Mode drop-down list. 4) Enter the password in the "OTP PIN" text field (4 to 24 alphanumeric characters). 5) Re-enter the password in the "Verify OTP PIN" text field.
  • Page 74 2) Fill in the ZyWALL's name, the IP address of the ZyWALL and the shared secret; this must be the same secret entered as "Key" on the ZyWALL's AAA Server > RADIUS page, since it is what the two sides use to protect the password and authenticate the reply. 3) Click the Add button to finish the NAS Device configuration.
  • Page 75 2) Click on the user account you created at the start and the Update User page comes up. 3) Add the ZyWALL device to the "Resource(s) Allowed" list. 4) Click the "Update User" button to complete the ASAS setup.
  • Page 76 1) Open a browser window and connect to the ZyWALL web GUI. 2) In the login page, enter the user name, the password and the One-Time Password generated by the token. 3) Select the "Log into SSL VPN" check box and click the "Login" button.
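What the shared secret of pages 70 and 74 actually does is not spelled out in the notes. The following Python script is an added example, not ZyXEL or ASAS code: it runs one RADIUS Access-Request/Access-Accept exchange as RFC 2865 specifies, with the ZyWALL as the NAS and a small stand-in for the ASAS server, and shows that the secret hides the User-Password attribute in the request and authenticates the server's reply, so a typo in either copy of the secret shows up as a rejected login and a reply that fails verification. The user table, the OTP value and the NAS address 10.1.1.1 are constructed, and the NAS is assumed to send the static password and the OTP concatenated as one User-Password; the notes only say the user enters both, not how the ZyWALL forwards them.

```python
"""RADIUS Access-Request/Access-Accept exchange with the RFC 2865 shared-secret scheme.

Added example for the ZyWALL (NAS) <-> ASAS (RADIUS server) setup on pages 67-76;
not ZyXEL or ASAS code. It shows what the shared secret entered on both sides does:
it hides User-Password in the request and authenticates the server's reply.
Assumptions, not stated in the notes: the user database and OTP values are
constructed, and the NAS sends static password + OTP as one User-Password.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

# Constructed user table standing in for the ASAS server: login -> (static password, current OTP)
USERS: Dict[str, Tuple[str, str]] = {"alice": ("S3cret!", "482913")}


def encrypt_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous ciphertext block)."""
    padded = password.ljust(((len(password) + 15) // 16) * 16 or 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += prev
    return out


def decrypt_password(cipher: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encrypt_password; the chaining value is the previous ciphertext block."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = cipher[i:i + 16]
        out += bytes(x ^ y for x, y in zip(prev, pad))
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, username: str, password: str, nas_ip: str, secret: bytes,
                         request_auth: bytes = None) -> bytes:
    request_auth = request_auth or os.urandom(16)     # fresh random Request Authenticator per request
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, encrypt_password(password.encode(), secret, request_auth))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2:
            break
        attrs[attr_type] = pkt[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, pkt[4:20], attrs


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def server_handle(pkt: bytes, server_secret: bytes) -> bytes:
    """Stand-in for the ASAS server: decrypt the password with *its* copy of the secret and check it."""
    _code, ident, request_auth, attrs = parse_packet(pkt)
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    submitted = decrypt_password(attrs.get(USER_PASSWORD, b""), server_secret, request_auth)
    expected = USERS.get(user)
    ok = expected is not None and submitted == (expected[0] + expected[1]).encode()
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, server_secret)


def login(username: str, password: str, otp: str, nas_secret: bytes, server_secret: bytes,
          nas_ip: str = "10.1.1.1") -> Tuple[bool, bool]:
    """One exchange as the ZyWALL would run it; returns (accepted, reply authenticates under our secret)."""
    request = build_access_request(7, username, password + otp, nas_ip, nas_secret)
    reply = server_handle(request, server_secret)
    return reply[0] == ACCESS_ACCEPT, verify_response(reply, request[4:20], nas_secret)


if __name__ == "__main__":
    print("matching secrets, right OTP :", login("alice", "S3cret!", "482913", b"zywall-asas", b"zywall-asas"))
    print("matching secrets, wrong OTP :", login("alice", "S3cret!", "000000", b"zywall-asas", b"zywall-asas"))
    print("secret mismatch (typo)      :", login("alice", "S3cret!", "482913", b"zywall-asas", b"zywall-asa5"))
```

The third case is the one to recognise in the field: with the secrets out of step, the server decrypts the password to noise and rejects, and the NAS cannot even verify that the rejection came from the server, so the symptom is an unexplained login failure rather than an error about the secret.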
  • Page 77: L2TP over IPSec Application

    Once OTP works correctly, you will see the welcome message pop up as in the following example. 1.3.4 L2TP over IPSec Application. Create Objects. Step 1. Switch to Object > Address and create two objects for the VPN connection settings: L2TP_IFACE, HOST, 10.1.1.1
  • Page 78 Enable the rule by clicking the enable icon. Configure the default L2TP rule in IPSec VPN Connection. Step 1. Switch to VPN > IPSec VPN > VPN Connection and click the Edit icon of the Default_L2TP_VPN_GW entry.
  • Page 79 Configure the L2TP rule. Step 1. Go to VPN > L2TP VPN and configure it as follows. Configure the Policy Route for L2TP. Step 1. Go to Network > Policy Route and configure it as follows.
  • Page 80 Click Start > Control Panel > Network Connections > New Connection Wizard. Step 2 Click Next in the Welcome screen. Step 3 Select Connect to the network at my workplace and click Next.
  • Page 81 Step 4 Select Virtual Private Network connection and click Next. Step 5 Type L2TP to ZyWALL as the Company Name. Step 6 Select Do not dial the initial connection and click Next.
  • Page 82 VPN gateway configuration that the ZyWALL is using for L2TP VPN (10.1.1.1 in this example). Click Next. Step 8 Click Finish. Step 9 The Connect L2TP to ZyWALL screen appears. Click Properties > Security.
  • Page 83 Step 11 Select Optional encryption allowed (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK. These settings concern PPP-level encryption and authentication only: the whole PPP exchange, PAP password included, is carried inside the IPSec tunnel, which is what protects it on the wire.
  • Page 84 VPN gateway configuration that the ZyWALL is using for L2TP VPN. Click OK. Step 14 Click Networking. Select L2TP IPSec VPN as the Type of VPN. Click OK. Step 15 Enter the user name and password of your ZyWALL account. Click Connect.
  • Page 85: Large-Scale VPN Deployment

    Star topology is recommended when the total number of remote sites is high. For an even more flexible design, a mixed star and mesh topology (cascading topology) can be applied in a globally distributed environment.
  • Page 86: Fully Meshed Topology

    10 VPN tunnels. The tunnel list follows: Tunnel 1: London-Madrid; Tunnel 2: London-Paris; Tunnel 3: London-Hannover; Tunnel 4: London-Oslo; Tunnel 5: Madrid-Paris; Tunnel 6: Madrid-Hannover; Tunnel 7: Madrid-Oslo
  • Page 87: Star Topology

    The ZyWALL USG supports star topology via the VPN concentrator feature. The VPN concentrator reduces the number of VPN tunnels and allows centralized VPN tunnel management. The topology used for our VPN concentrator guide:
  • Page 88 Remote Office (three sites, in the order listed)
    WAN: 10.59.1.11          WAN: 10.59.1.17          WAN: 10.59.1.10
    LAN: 192.168.101.0/24    LAN: 192.168.100.0/24    LAN: 192.168.119.0/24
    Phase 1 (same on both peers)
    Negotiation Mode: Main
    Pre-shared key: 123456789
  • Page 89 Configure the NL site address object for each remote office subnet. Set up an NL site address group that includes all the remote office subnets; the address group is used as the policy route destination criterion.
  • Page 90 The screenshot below is the NL site VPN Gateway status page. NL site VPN Connection status page. NL site policy route for VPN traffic: this policy route tells the ZyWALL USG to send the packets into the VPN tunnel.
  • Page 91 Phase 1 (same on both peers)
    Negotiation Mode: Main
    Pre-shared key: 123456789
    Encryption: DES
    Authentication: MD5
    Key Group: DH1
  • Page 92 Perfect Forward Secrecy (PFS): None (both peers). Set up the remote offices' subnet address objects for the VPN configuration that follows. Set up the HQ VPN Gateway for all the remote sites.
  • Page 93 The VPN traffic can be routed by HQ once the VPN connection has been added to the concentrator. If this tunnel is already included in the concentrator, the user does not need to add any
  • Page 94 Thus, this depends on how customers want to deploy their global VPN network. We can add the following policy route to allow the HQ subnet to connect with all the concentrator's remote subnets.
  • Page 96: Star-Mesh Mixed Topology

    Regional Center devices, whereas ZyWALL 2 Plus, 5, 35 and 70 are the regional remote site devices; they build VPN tunnels back to their Regional Center and reach the other area's remote nodes through the VPN tunnel between the two Regional Centers.
  • Page 97 We can check the status page to confirm the settings. Please refer to the ZyWALL 5 user guide for detailed interface setting steps. The VPN configuration parameters in the Asia region:
    Regional Center                  Regional Remote Site (ZyWALL 5)
    WAN: 179.25.3.24                 WAN: 179.25.106.124
    Local Policy: 192.168.0.0/16     Local Policy: 192.168.12.0/24
  • Page 98 IP addresses" option, because the local and remote policies overlap in this application: the ZyWALL 5's own LAN, 192.168.12.0/24, lies inside the 192.168.0.0/16 it sees as the remote policy. If this feature is not activated, you will fail to access the device, because traffic to it triggers the VPN tunnel instead of being delivered locally.
  • Page 99 VPN setup is done. Please refer to the ZyWALL 5 user guide for detailed VPN setting steps. The configuration steps are similar for the ZyWALL 35 interface and VPN setup. The ZyWALL 35 WAN and LAN interfaces are set as follows.
  • Page 100 IP addresses" option before starting to set up the VPN tunnel. The VPN tunnel status page after configuring the tunnel to the local center ZyWALL USG. As soon as we finish the configuration of the ZyWALL 5 and ZyWALL 35, we can move on to the ZyWALL USG's configuration.
  • Page 101 192.168.10.1/255.255.255.0. ge2 and ge3 are the WAN1 and WAN2 interfaces, with IP addresses 179.25.3.24/255.255.0.0 and 179.25.133.4/255.255.0.0. We have to pre-configure some address objects for the later VPN configuration. The required address objects are listed as follows:
  • Page 102 For detailed steps please refer to the ZyWALL USG user guide. We have to configure a secondary security gateway for the VPN gateway between the two regional centers' ZyWALL USGs. The VPN connection can fail over to the secondary gateway in case the primary gateway fails.
  • Page 103 The next step is to create the VPN connection (IPSec / IPSec Phase 2). Make sure the parameters are configured correctly; otherwise the VPN will fail to dial. Below is the VPN connection global page.
  • Page 104 The remote regional center ZyWALL USG VPN connection is also treated as a member of this concentrator, and the packets will be sent to the remote center first and then follow the
  • Page 105 Phase 1 (same on both peers)
    Negotiation Mode: Main
    Pre-shared key: 123456789
    Encryption: DES
    Authentication: MD5
    Key Group: DH1
  • Page 106 Remember to activate the "VPN rules skip applying to the overlap range of local and remote IP addresses" option before configuring the VPN tunnel. Follow the VPN parameter table to configure the VPN tunnel. ZyWALL 70 WAN and LAN interface settings.
  • Page 107 Remember to activate the "VPN rules skip applying to the overlap range of local and remote IP addresses" option before configuring the VPN tunnel. Follow the VPN parameter table to configure the VPN tunnel.
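The "VPN rules skip applying to the overlap range of local and remote IP addresses" option matters on the remote sites because their own LAN (192.168.12.0/24 for the ZyWALL 5 on page 97) lies inside the 192.168.0.0/16 remote policy. The following Python script is an added example, not ZyXEL code, that models rule-based VPN selection on that ZyWALL 5 with the option off and on. The semantics it implements are my reading of the option, not a quotation from the notes: a packet is tunnelled when its source is in the local policy and its destination in the remote policy, except that with the option on, a packet whose source and destination both fall in the overlap is routed locally. The Regional Center LAN address 192.168.10.5 follows page 101; 203.0.113.9 is a constructed Internet address.

```python
"""Rule-based VPN selection with the 'VPN rules skip applying to the overlap range of
local and remote IP addresses' option.

Added example for the star-mesh deployment on pages 96-107; not ZyXEL code. It models
the ZyWALL 5 of the Asia region, whose own LAN (192.168.12.0/24) lies inside the remote
policy (the Regional Center's 192.168.0.0/16). The semantics modelled are my reading of
the option, not a quotation from the notes: a packet is tunnelled when its source is in
the local policy and its destination in the remote policy, except that with the option
on, a packet whose source and destination both lie in the overlap is delivered locally.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class VpnRule:
    name: str
    local: IPv4Network
    remote: IPv4Network
    skip_overlap: bool = False

    def overlap(self) -> Optional[IPv4Network]:
        """Two CIDR blocks either nest or are disjoint, so the overlap is the smaller one or nothing."""
        if self.local.subnet_of(self.remote):
            return self.local
        if self.remote.subnet_of(self.local):
            return self.remote
        return None

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        if src not in self.local or dst not in self.remote:
            return False
        ov = self.overlap()
        if self.skip_overlap and ov is not None and src in ov and dst in ov:
            return False          # both ends are on our side of the overlap: keep it off the tunnel
        return True


def make_rule(name: str, local: str, remote: str, skip_overlap: bool = False) -> VpnRule:
    return VpnRule(name, ip_network(local), ip_network(remote), skip_overlap)


def select_tunnel(rules: List[VpnRule], src: str, dst: str) -> Optional[str]:
    """Name of the first VPN rule that claims the packet, or None for ordinary (local/Internet) routing."""
    s, d = ip_address(src), ip_address(dst)
    return next((r.name for r in rules if r.matches(s, d)), None)


def zywall5_rules(skip_overlap: bool) -> List[VpnRule]:
    """The Asia-region ZyWALL 5 rule from the notes' parameter table (page 97)."""
    return [make_rule("ToRegionalCenter", "192.168.12.0/24", "192.168.0.0/16", skip_overlap)]


def demo() -> Dict[bool, Dict[str, Optional[str]]]:
    """Where three packets from the ZyWALL 5 LAN go, with the option off (False) and on (True)."""
    cases: Dict[str, Tuple[str, str]] = {
        "lan-to-own-gateway": ("192.168.12.10", "192.168.12.1"),   # the ZyWALL 5's own LAN address
        "lan-to-centre-lan": ("192.168.12.10", "192.168.10.5"),    # Regional Center LAN (page 101)
        "lan-to-internet": ("192.168.12.10", "203.0.113.9"),       # constructed Internet address
    }
    return {opt: {k: select_tunnel(zywall5_rules(opt), s, d) for k, (s, d) in cases.items()}
            for opt in (False, True)}


if __name__ == "__main__":
    for opt, results in demo().items():
        print("skip-overlap option", "on " if opt else "off", results)
```

With the option off, the first case is the failure the notes warn about: a LAN host's packet to its own gateway address is claimed by the VPN rule and pushed into the tunnel; with the option on it stays local, while traffic to the Regional Center LAN is still tunnelled.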
  • Page 108 Authentication: SHA1 Perfect Forward Secrecy (PFS): None Perfect Forward Secrecy (PFS): None Please refer to the application topology to setup the ZyWALL USG interface first. Then we can move to setting the VPN. All contents copyright (c) 2007 ZyXEL Communications Corporation.
  • Page 109 VPN gateway between both regional centers’ ZyWALL USGs. After configuration, there will be three VPN gateways listed in the VPN Gateway status page. All contents copyright (c) 2007 ZyXEL Communications Corporation.
  • Page 110 VPN concentrator. Switch to the Concentrator sub menu and click the Add icon to add a new concentrator. Assign a name to this concentrator and then click the add icon to make the existing VPN become the member of this concentrator. All contents copyright (c) 2007 ZyXEL Communications Corporation.
  • Page 111 VPN concentrator. We have finished all the Star-Mesh Mixed VPN topology setting. Now you can test the local VPN concentrator link. Also, you can try the connection between both concentrators’ site. All contents copyright (c) 2007 ZyXEL Communications Corporation.
  • Page 112: Access Via Central Site

    By doing this, we can achieve a good level of security while the total network throughput and performance remain high.
  • Page 113 ZyWALL USG B, which is the Internet connection gateway of the main office. Thus, ZyWALL USG A will route the traffic from the VPN tunnel and send it to the appropriate place according to the packet destination.
  • Page 114 Phase 1 settings (the same on both peers): Negotiation Mode: Main; Pre-shared key: 123456789; Encryption: DES; Authentication: MD5; Key Group: DH1
  • Page 115 1) Log in to the ZyWALL USG A GUI and go to Configuration > Network > Interface > Ethernet and configure the IP settings as shown in the topology. 2) Go to Configuration > Object > Address to create an address object for all the incoming traffic.
  • Page 116 Security Gateway Address and 123456789 as the Pre-Shared Key. For the other parameters, we leave them at their defaults. There are no special settings for these parameters; the main concern is that the VPN peers match each other.
  • Page 117 Here, we assume the peer subnet is 192.168.1.x and select the default address object ‘VPN_LAN_SUBNET’ to meet our requirements.
  • Page 118 LAN host to the Internet, thus the next-hop will be ge3, which is connected to the Internet gateway ZyWALL USG B. The third rule is for the traffic coming from the VPN tunnel whose destination is the Internet. The next-hop will again be ge3.
  • Page 119 crypto map zw70tunnel; ipsec-isakmp zw70; encapsulation tunnel; transform-set esp-des-sha; set security-association lifetime seconds 86400; set pfs none; no policy-enforcement; local-policy wholerange; remote-policy VPN_LAN_SUBNET; no nail-up
  • Page 120 2) Go to Security > VPN to set the IKE rules. We put 172.23.23.1 as My Address, 172.23.23.2 as the Remote Gateway address and 123456789 as the Pre-Shared Key. For the other parameters, we set them to match those set on ZyWALL USG A.
  • Page 121 Go to the Associated Network Policies of this rule to configure the IPSec rule. Please note that the Remote Network should be within the 0.0.0.0-255.255.255.255 range.
  • Page 122 1) Log in to the ZyWALL USG A GUI and go to Configuration > Network > Interface > Ethernet and configure the IP settings as shown in the topology. 2) We have to add one more policy route for the traffic from the DMZ (ge4) to the Internet (WAN_TRUNK).
  • Page 123 5. The Local Policy of the ZyWALL USG should be within the range 0.0.0.0-255.255.255.255. Then it can take the role of a central controller of all the outgoing traffic from a branch.
  • Page 124: Multiple Entry Point (Mep)

    In case the primary WAN access is unavailable, he configures a secondary secure gateway to access the server through another branch office, which has a leased line to connect to the main office.
  • Page 125 2 Plus, which supports the VPN HA and Dial Backup functions. When the primary WAN access to the VPN tunnel is down, the ZyWALL USG will trigger the dial backup and establish a VPN tunnel with the second secure gateway of another ZyWALL USG located at the branch office.
  • Page 126 One ZyWALL 2 Plus; two ZyWALL USGs; one ES-4024A; one modem connected to the ZyWALL 2 Plus’s AUX port (e.g. ZyXEL omni.lite com+); one FTP server; one PC behind the ZyWALL 2 Plus. Now, we are going to complete the following main tasks: 1.
  • Page 127 Subnet, 192.168.1.0 Subnet, 192.168.3.0 Subnet, 192.168.3.0 SNAT Change Change 192.168.3.0 192.168.3.0 192.168.1.0 192.168.1.0 192.168.30.0 192.168.31.0 192.168.1.0 192.168.1.0 Phase 1 Negotiation Mode Main Main Main Pre-shared key 123456789 123456789 123456789 Encryption Authentication Key Group Phase 2
  • Page 128 Name: Local_192_168_1, Subnet 192.168.1.0/255.255.255.0. 3. Create another one for the remote VPN network: Name: Remote_192_168_3, Subnet 192.168.3.0/255.255.255.0. 4. Create another one for the network behind ZyWALL USG-A performing SNAT: Name: Local_192_168_30, Subnet 192.168.30.0/255.255.255.0
  • Page 129 9. Create one more to represent ZyWALL USG-A’s ge2 (WAN) IP address, for use in a firewall rule that allows ZyWALL USG-A’s ge2 to be pinged from the ZyWALL 2 Plus and to respond to the ping. Name: ge2_IP, Host 59.124.163.154/255.255.255.255. CLI command for reference:
  • Page 130 Step 2. Create an IKE rule. 1. Go to menu Configuration > Network > IPSec VPN, switch to 'VPN Gateway'. 2. Create a new IKE rule by clicking the '+' icon. 3. Fill out the fields as follows.
  • Page 131 CLI commands for reference: isakmp policy IKE1; mode main; transform-set des-md5; lifetime 86400; no natt; dpd; local-ip interface ge2; peer-ip 0.0.0.0 0.0.0.0
  • Page 132 Step 3. Configure the IPSec rule. 1. Go to menu Configuration > Network > IPSec VPN, switch to 'VPN Connection'. 2. Create a new IPSec rule by clicking the '+' icon. 3. Configure the VPN settings as shown below.
  • Page 133 192.168.1.0 network to the 192.168.30.0 network. We will also configure ZyWALL USG-B later to change the VPN traffic from the 192.168.3.0 network that goes to the 192.168.2.0 network to the 192.168.31.0 network. CLI commands for reference
  • Page 134 ZyWALL USG-B to return via the original path. Define that all the traffic from the 192.168.1.0 network that wants to go to 192.168.31.0 is routed via the gateway host 192.168.1.254. The configuration is as shown below.
  • Page 135 So when the traffic returns, it will flow from the FTP server → ZyWALL USG-A’s ge2 (which redirects the traffic to another host) → 192.168.1.254 (which is the ES-4024A’s VLAN3 route-domain IP address) → ZyWALL USG-B → ZyWALL 2 Plus → the PC behind the ZyWALL 2 Plus.
  • Page 136 After the configuration is done, you will see two policy routes as shown below. CLI commands for reference: policy 1; no deactivate; no description; no user
  • Page 137 Go to GUI menu Security > Firewall. Enable Firewall: On. Choose To-ZyWALL rules and click “+” on the right side to add a new rule. Fill out the information as follows and then click the “Apply” button.
  • Page 138 The new firewall rule is available as shown below.
  • Page 139 5. Create another one for the dynamic remote network: Name: Remote_ANY, Subnet 0.0.0.0/0.0.0.0. 6. Create one more for the IP domain interface on the ES-4024A’s VLAN3: Name: HOST_192_168_2_254, Host 192.168.2.254/255.255.255.255. CLI commands for reference: address-object Local_192_168_2 192.168.2.0 255.255.255.0
  • Page 140 Step 2. Create an IKE rule. 1. Go to menu Configuration > Network > IPSec VPN, switch to 'VPN Gateway'. 2. Create a new IKE rule by clicking the '+' icon. 3. Fill out the fields as follows.
  • Page 141 CLI commands for reference: isakmp policy IKE1; mode main; transform-set des-md5; lifetime 86400; no natt; dpd; local-ip interface ge2; peer-ip 0.0.0.0 0.0.0.0
  • Page 142 Step 3. Configure the IPSec rule. 1. Go to menu Configuration > Network > IPSec VPN, switch to 'VPN Connection'. 2. Create a new IPSec rule by clicking the '+' icon. 3. Fill out the fields as follows.
  • Page 143 Note that we use Source NAT to change the VPN traffic from 192.168.3.0 that goes to the 192.168.1.0 network to the 192.168.31.0 network. CLI commands for reference: crypto map IPsec1; ipsec-isakmp IKE1
  • Page 144 ZyWALL USG-A’s LAN network will be routed to. Define that all the traffic that wants to go to the 192.168.1.0 network will be routed via the gateway host 192.168.2.254. The configuration is as shown below.
  • Page 145 After the configuration is done, you will see two policy routes as shown below. CLI commands for reference: policy 1; no deactivate
  • Page 146 no user; no interface; no tunnel; source any; destination Local_192_168_1; no schedule; service any; next-hop gateway HOST_192_168_2_254; no snat; no bandwidth; exit
  • Page 147 2. Telnet to or log in to the ZyWALL 2 Plus console and switch to menu 24.8 to enable the ping check that detects WAN connection availability. - Execute the CLI command: sys rn pingcheck 1 3. Add the CLI command to autoexec.net so it stays enabled even after a device reboot.
  • Page 148 (4) VPN Setting 1. Switch to GUI menu Security > VPN, click the ‘+’ icon as shown below to add a VPN-IKE rule. 2. Configure the VPN-IKE settings on the ZyWALL 2 Plus as follows.
  • Page 149 3. On the same page, menu Security > VPN, click the icon to add a VPN-IPSec rule.
  • Page 150 4. Configure the IPSec rule as follows.
  • Page 151 1. Log in to the ES-4024A’s GUI menu Advanced Application > VLAN > Static VLAN link. 2. Add vlan2 (including ports 9-16, Fixed, Untag on egress) and vlan3 (including ports 17-24, Fixed, Untag on egress). Then click the Add button.
  • Page 154 3. Switch to menu Advanced Application > VLAN > VLAN Port Setting link. Configure PVID equal to 2 for ports 9~16 and PVID equal to 3 for ports 17~24 as shown below. Then click the Apply button.
  • Page 155 1. Enter the ES-4024A’s GUI and go to menu Routing Protocol > Static Routing. 2. Define that traffic that wants to go to the 192.168.31.0/24 network will be routed via the gateway 192.168.2.1. The configuration is as shown below.
  • Page 156 3 normal "" fixed 17-24 forbidden 1-16,25-28 untagged 1-28 ip address 192.168.2.254 255.255.255.0 exit interface port-channel 9 pvid 2 exit interface port-channel 10 pvid 2 exit interface port-channel 11 pvid 2
  • Page 157 3 exit interface port-channel 19 pvid 3 exit interface port-channel 20 pvid 3 exit interface port-channel 21 pvid 3 exit interface port-channel 22 pvid 3 exit interface port-channel 23 pvid 3 exit
  • Page 158 Keep pinging from the PC (e.g. IP 192.168.3.33) behind the ZyWALL 2 Plus to the FTP server (e.g. IP 192.168.1.33); it becomes reachable once the primary VPN tunnel is up. See the screen capture of the ZyWALL 2 Plus’s log as shown below.
  • Page 159 HASH-DEL packet out. (However, since the Internet access is down, ZyWALL USG-A won’t receive those HASH-DEL packets.) The dial backup then starts right away.
  • Page 160 The screen capture below shows that the dial backup gets the dynamic IP 218.32.98.40, and that IPSec HA takes action after several IKE packets are sent without any packet returned.
  • Page 161 Then the ZyWALL 2 Plus tries to establish a VPN tunnel with ZyWALL USG-B (59.124.163.155).
  • Page 162 Finally, the VPN tunnel has been successfully established with ZyWALL USG-B, and the PC behind the ZyWALL 2 Plus can then ping the FTP server. See the screen capture shown below.
  • Page 163: Device Ha Together With Vpn Ha

    ‧ Mitigates the impact of a Single Point of Failure. Below is the application topology. The L3 switch is configured with three VLANs to simulate the Internet environment, and the traffic can be routed between the VLANs.
  • Page 164: Device Ha

    The default LAN subnet is bound to ge1 and the default IP is 192.168.1.1. Please connect to ge1 and the ZyWALL USG will assign an IP to your PC. Then we can start to set up the basic interface and routing settings.
  • Page 165 Step 1. Log in to the device and check the device status. Step 2. We can check all the interface information on the Status display page. Step 3. Set up the WAN1, WAN2, LAN and DMZ interface IP parameters as in the demo topology. WAN1 WAN2 Reserved
  • Page 166 The default interface configuration is as follows. We will configure ge2, ge3, ge4 and ge1 in turn. The user needs to click the “Edit” icon to modify the settings. ge2: Fixed IP 220.123.123.2/255.255.255.0, Gateway 220.123.123.1 (ZyWALL > Network > Interface > Edit > ge2)
  • Page 167 ge3: Fixed IP 220.123.133.2/255.255.255.0, Gateway 220.123.133.1 (ZyWALL > Network > Interface > Edit > ge3). ge4: Fixed IP 192.168.20.254/255.255.255.0, DHCP server (ZyWALL > Network > Interface > Edit > ge4)
  • Page 168 ge1: Fixed IP 192.168.10.254/255.255.255.0, DHCP server (ZyWALL > Network > Interface > Edit > ge1)
  • Page 169 The WAN zone is bound to ge2 and ge3, and the DMZ zone is bound to ge4 and ge5. Thus, we need to modify the DMZ zone to bind ge4 only. This is an optional setting that won’t affect the whole application. Click the “Remove” icon to delete ge5 under the DMZ zone.
  • Page 170 Step 1. Switch to ZyWALL > Objects > Address > Address and you will find there is one default LAN_SUBNET address object. Change the address from 192.168.1.0 to 192.168.10.0 to configure the new LAN IP. The
  • Page 171 There is one default policy route from LAN for the traffic outgoing to the network behind WAN. Switch to ZyWALL > Network > Routing > Policy Route or Static Route to check the routing settings. The user can click the “Edit” icon to check the detailed settings.
  • Page 172 Backup ZyWALL cables to the L3 and L2 switches and then synchronize the configuration from the Master. Device HA will be ready after this and the Backup ZyWALL will take over when the Master ZyWALL fails.
  • Page 173 the Device HA status of the rest of the non-failed interfaces will turn into “fault”. This design guarantees that the Backup ZyWALL can correctly detect the failure event from the Master ZyWALL. Secondly, click the “Add” icon to add a new VRRP GROUP.
  • Page 174 Set up the ge1 (LAN) VRRP group. Set up the ge2 (WAN1) VRRP group.
  • Page 175 Set up the ge3 (WAN2) VRRP group. Set up the ge4 (DMZ) VRRP group.
  • Page 176 Between the Master and Backup roles, the difference in settings is the Management IP configuration. The Backup ZyWALL will copy all the settings from the Master ZyWALL, so we need a management IP to access and configure the Backup ZyWALL.
  • Page 177 Switch to ZyWALL > Device HA > Synchronize and enter the Master ZyWALL admin account password. Input the LAN IP address of the Master ZyWALL in the “Synchronize from” option and set the auto synchronize interval. Then click the “Apply” button to save the configuration.
  • Page 178 Step 5. Switch to the “Synchronize” page again and click the “Sync. NOW” button to start configuration synchronization from the Master ZyWALL to the Backup ZyWALL immediately. Sync process in action… The sync successful notification window comes up.
  • Page 179 Step 6. Check the system status page. You will see that the Master ZyWALL USG’s configuration has been synchronized to the Backup ZyWALL USG, and we can continue to set up the remaining three VRRP groups. Set up the ge2 (WAN1) VRRP group.
  • Page 180 Set up the ge3 (WAN2) VRRP group. Set up the ge4 (DMZ) VRRP group. After these steps, the Device HA configuration is done.
  • Page 181: Vpn Ha

    For My Address, we use Domain Name 0.0.0.0, defining a dynamic source, as this VPN gateway will be accepting the traffic from ge2 (WAN1) and ge3 (WAN2).
  • Page 182 Switch to ZyWALL > Objects > Address > Address; we will find the LAN subnet already set up, and we need to click the “Add” icon to add one more address object.
  • Page 183 Set the 192.168.1.0/24 subnet as the remote address object and name it “VPN_REMOTE_SUBNET”. Go back to the overview of the address object page (ZyWALL > Object > Address > Address) and confirm that the address objects have been correctly set up.
  • Page 184 Set up the VPN connection for RANGE (LAN and DMZ) subnet access. Step 5. Add a Policy Route for VPN traffic. We have to set up the policy route for routing the VPN traffic to the LAN and DMZ.
  • Page 185 Redundant remote gateways. Activate the “Fail back to Primary Remote Gateway when possible” option and set the checking interval. Set up the DNS domain names “ZyWALL 2” and “ZyWALL USG” as the Local and Peer ID types. Click Apply to save the configuration.
  • Page 186 Click the Add icon to edit the VPN Network Policy. Set up the VPN policy for the local LAN subnet (192.168.1.0/24) and set the Remote address type to “Range Address” with IPs from 192.168.10.0 to 192.168.20.255. Click Apply to save the configuration.
  • Page 187 We will see the new VPN tunnel listed on the VPN status page after configuring the VPN tunnel. Ping the remote subnet to trigger the VPN tunnel.
  • Page 188: Voip Over Vpn

    [Topology figure: VoIP ATA, VoIP ATA, ZyWALL 70, ZyWALL; VoIP calls can be protected by VPN; server farm deployment to provide] The VoIP line deployment between different offices is more and more popular. This
  • Page 189 LAN: 192.168.10.0/24; LAN: 192.168.22.0/24. We used two VoIP ATAs (ZyXEL P2002 series) connected to the office gateways. Each VoIP ATA has a SIP number for the remote ATA to dial. This kind of application is called a Fixed VoIP Line application. The user only needs to install and configure the VoIP ATA device and doesn’t need to register with an external SIP server.
  • Page 190 Switch to the Maintenance menu and check what IP address was granted by the ZyWALL USG. Connect to the other P2002 GUI and repeat the same steps to find out its IP address.
  • Page 191 1. Set up the SIP Number in the Branch Office. 2. Set up the SIP Number in the Main Office.
  • Page 192 ATA and then click the Add button to add this record in the Speed Dial Phone Book. 4. Set up the Main Office SIP number and IP address in the Branch Office P2002’s PHONEBOOK menu. The remote office SIP info will show up in the Speed Dial Phone Book.
  • Page 193 1. Log in to the ZyWALL USG Web GUI and set up the ZyWALL USG WAN and LAN interfaces as shown on the previous topology diagram. 2. Set up the remote subnet address object for the subnet behind the remote office ZyWALL70.
  • Page 194 4. Switch to ZyWALL USG > Configuration > Network > IPSec VPN > VPN Connection and add a new VPN connection. The local and remote policies are the address objects LAN_SUBNET and zw70VPN_LAN.
  • Page 195 5. Switch to ZyWALL USG > Configuration > Policy > Route > Policy Route to add a policy route for routing the local subnet traffic to the remote branch office subnet via the tunnel zw70VPN.
  • Page 196 Criteria can be different users, sources or services. 8. We can also use IDP to detect and intercept intrusions in the VPN tunnel. Switch to
  • Page 197 show service-register status idp; show idp activation. Branch Office ZyWALL70 Configuration: 1. Log in to the ZyWALL70 Web GUI and set up the ZyWALL70 WAN and LAN interfaces as shown in the previous topology diagram.
  • Page 198 2. Configure the VPN tunnel for connecting with the ZyWALL USG. We can start to enjoy the convenience and cost savings of the VoIP phone line without security issues after the VPN connection and security policy enforcement have been deployed in the network environment.
  • Page 199: Security Policy Enforcement

    IM/P2P applications, managing IM/P2P applications well can mitigate security breaches. Besides, restricting access to IM/P2P applications can help employees focus on their jobs, increasing productivity and reducing misuse of network resources, e.g. bandwidth.
  • Page 200: What Does Zywall Usg Provide For Managing Im/P2P Applications

    For example, both the malicious/suspicious packets from WAN to LAN (known as an attack) and the traffic coming from DMZ to LAN (normal traffic) will be treated as an attack.
  • Page 201 Sales: Can use the instant messaging application (MSN) for text messages and file transfer. The application is allowed during a certain period of time, between 8:00~18:00, with a bandwidth limitation of 500K bps. RD: Allows instant messaging chat, but file transfer only within the period 8:00~20:00. Bandwidth
  • Page 202 Bandwidth Victor Manager Unlimited Peter Sales 08:00-18:00 500k John 08:00-20:00 Guest Guest 2. Navigate to ZyWALL > Object > User/Group > User tab and add the user ‘Victor’ as in the screen dump.
  • Page 203 groupname Manager-Group; description Manager group; user Victor; exit. 4. Create three more groups called ‘Sales-Group’, ‘RD-Group’ and ‘Guest-Group’. Add ‘Peter’ to the Sales group and ‘John’ to the RD group.
  • Page 204 Go to menu ZyWALL > Object > Schedule, click the Add button under Recurring schedule to create a new schedule as follows. Click the ‘OK’ button to complete these settings and repeat the above steps to create a new schedule for RD-Group.
  • Page 205 STEP 3: AppPatrol Configuration 1. Navigate to ZyWALL > AppPatrol and check ‘Enable Application Patrol’. 2. Go to the Instant Messenger tab and click the ‘Modify’ button on MSN for further configuration. 3. Enable the service.
  • Page 206 2. Change the default access to ‘Reject’ and then click ‘OK’. 3. Create a new application policy rule by clicking the ‘+’ icon and fill out the settings as shown in the figure below. Application Policy for Manager-Group
  • Page 207 Application Policy for Sales-Group. Application Policy for RD-Group.
  • Page 208 4. Press the ‘OK’ button to complete the setting.
  • Page 209: Zone-Based Anti-Virus Protection

    LAN to DMZ or WAN to DMZ, the Anti-Virus engine always scans the email transaction to ensure the email is not infected. Thus, it is unnecessary to scan every outgoing email from the DMZ again.
  • Page 210 1) Assign an IP to GE2 and another to GE5. Leave the rest of the settings at their defaults, which will disable the DHCP Server on these two interfaces. Tips: You do not need a Gateway here since this interface is directly connected to the ZyWALL
  • Page 211 2) The final summary of the Ethernet Interfaces should look like the example below.
  • Page 212 DMZ. 4) Create 3 policies: WAN to LAN, WAN to DMZ, and LAN to DMZ. Navigate to Anti-X > Anti-Virus. In the Policies section, click the “Add” button. WAN to LAN
  • Page 213 WAN to DMZ. LAN to DMZ.
  • Page 214 6) Send an email containing a virus from the LAN to the mail server in the DMZ. 7) Check the log file again from Maintenance > Log. Sort the log by selecting Anti-Virus from the Display drop-down list. We can see the viruses have been destroyed correctly.
  • Page 215: Enabling Black And White List

    2) Check the Enable checkbox and enter the file name in the File Pattern field. In this example, we try to destroy a file named “Virus.exe”, so we enter it in the field.
  • Page 216 3) Check “Enable the Black List” on the Setting page and press the “Apply” button. 4) Send an email with the attached file “Virus.exe” to test the functionality of the Black List. 5) Check the system log from Maintenance > Log and select Anti-Virus from the Display drop-down list.
  • Page 217: Enabling Anti-Virus Statistics Report

    1) Navigate to Maintenance > Report, click the Anti-Virus tab and check the Collect Statistics checkbox. 2) Click the Apply button. 3) Send an email to from the LAN. 4) Check the Anti-Virus statistics report on the Anti-Virus tab by navigating to Maintenance > Report.
  • Page 218: Managing Wlan

    We recommend that Wireless AP must be isolated from your Intranet. Also, there must be a mechanism to centrally manage access privileges and access credentials regardless of whether the clients are wired or wireless. All contents copyright (c) 2007 ZyXEL Communications Corporation.
  • Page 219 Interface name is vlan10 (same as the vlan tag id for its not being confusing). Choose ‘ge5’ for physical port interface that we want to bind with. Virtual VLAN Tag is 10. Give it a clear description. Use the fixed IP address with 192.168.10.1/24. All contents copyright (c) 2007 ZyXEL Communications Corporation.
  • Page 220 ZyWALL USG 1000 Support Notes Leave other fields as default and press ‘ok’ button Step2. Define WLAN zones Go to menu Network > Zone. Define a zone for wireless and bind it to interface “vlan10”. All contents copyright (c) 2007 ZyXEL Communications Corporation.
  • Page 221 2. Go to menu User/Group > Setting > Force User Authentication Policy, click ‘+’ to force all the packets from wireless network to be redirected to the authentication page. All contents copyright (c) 2007 ZyXEL Communications Corporation.
  • Page 222 Step 4. Configure the LDAP server information.
  • Page 223 2. Work with the LDAP server admin to create users/groups with the lease time and re-authentication time attributes configured. 3. Go to menu User/Group > User and configure the user “ldap-users” for “non-employees” by clicking the modify icon.
  • Page 224 [3] username ldap-users logon-re-auth-time 30 Corresponding CLI commands for your reference: [0] username ldap-employee user-type ext-user [1] username ldap-employee description External User [2] username ldap-employee logon-lease-time 1440 [3] username ldap-employee logon-re-auth-time 1440
  • Page 225 3. Go to menu System > WWW and make sure the authentication method is the profile we just modified. (That is, if you have created another profile that is not named ‘default’, you have to choose it here.)
  • Page 226 1. Go to menu Network > Firewall. 2. Enable the firewall and choose the “Wireless_Zone” zone we just created as the source, then each destination zone in turn. Here we configure the rules to zone “WAN” first. 3. Click ‘+’ to add rules.
  • Page 227 4. Configure a rule to allow employee access from the source “wireless network” to “any” in WAN. Corresponding CLI commands for your reference: [0] firewall 8 [1] no schedule [2] user ldap-employee [3] sourceip Wireless [4] no destinationip
  • Page 228 6. After this, you will see the results as in the figure below. Click the Apply button. Corresponding CLI commands for your reference: [0] firewall activate [1] no firewall asymmetrical-route activate [2] firewall 8 [3] activate [4] exit [5] firewall 9 [6] activate [7] exit
  • Page 229 7. Continue to configure WLAN-to-LAN, WLAN-to-DMZ and WLAN-to-WLAN. Those are accessible to employees only. See the following figures.
  • Page 230: Employee Internet Management (EIM)

    Flexible access policy: provides the Enforce Access policy with granularity. Always up to date: queries a dynamically updated URL database. Customizable: keyword blocking/black list/white list. In-depth inspection: can control access to Java/ActiveX/cookies/embedded proxy links.
  • Page 231 Step 1. Make sure Internet access has been configured properly from a PC behind the ZyWALL USG. By default, the ZyWALL USG’s WAN ports ge2 and ge3 will get the IP address from the ISP or
  • Page 232 GUI Home page, check whether the ZyWALL USG gets the IP address. Make sure the ZyWALL USG can access the Internet using CLI commands via the console or telnet. See the example shown below.
  • Page 233 Check the ‘Content Filtering’ service activation. Click the Apply button to complete the registration process. Step 3. Switch to menu Configuration > Policy > Content Filter > Filtering Profile tab,
  • Page 234 Define all matched and unrated web pages that should be blocked and logged. Here, we choose to apply the block action to the Pornography category. Click the OK button. Click the modify icon to configure the trusted website list.
  • Page 235 Switch to the Customization tab and enable web site customization. Add the website, www.zyxel.com for example, to the trusted websites. Click the OK button. Then follow a similar configuration to create another filtering profile for the Sales department.
  • Page 236 For example, we add an extra access restriction on websites with ActiveX and cookie features, as configured in the figure below. Click the OK button. After it’s done, you will see two profiles as shown below.
  • Page 237 [13] content-filter profile Sales-profile custom trust www.zyxel.com Step 4. Switch to menu Configuration > Object > Address and create two address objects to define the IP address ranges for the Engineer and Sales departments.
  • Page 238 Step 5. Switch to the Content Filter > General tab and enable the Content Filter. Add the two filtering profiles as shown below. CLI commands for reference: [0] content-filter block message The web access is restricted.
  • Page 239 On the other hand, when a Sales department employee with PC IP address 192.168.1.57 accesses the same website, he is allowed to browse without any warning message being returned.
  • Page 240: Seamless Incorporation

    IP segments. Thus, we need NAT, which is the router mode here. In our example, ge1 acts as LAN, ge2 and ge3 act as WAN, and ge4 and ge5 act as DMZ.
  • Page 241 IP address that it used on the WAN interface; however, you will get a warning message like the one below. If you have more than one IP, you can pick the other one here.
  • Page 242 3) Switch to Configuration > Policy > Route > Policy Route to modify the default rule there. The default rule is for Router Mode (NAT Mode). Since we have two different modes co-existing here, we need to make some adjustments to this rule.
  • Page 243 [1] no deactivate [2] no description [3] user admin [4] interface ge1 [5] source LAN_SUBNET [6] destination any [7] no schedule [8] service any [9] next-hop interface br1 [10] snat outgoing-interface [11] no bandwidth
  • Page 244 [12] exit Tips for application: Disable the Firewall to test the connectivity. Every time you make a change, don’t forget to click the “Apply” button.
  • Page 245 2) Switch to Configuration > Policy > Virtual Server and add a new Virtual Server. Fill in the mapping information. In our example here, since ge2 is our WAN port, we are going to
  • Page 246 192.168.1.55 map-type port protocol tcp original-port 80 mapped-port 80 3) Switch to Configuration > Objects > Address and add a new address object for your Web server. CLI to create an address object: [0] address-object WebServer 192.168.1.55
  • Page 247 [8] to LAN [9] log [10] activate [11] description WebServerFW [12] exit Tips for application: Do not forget to place your rule before the default “Deny all” rule in the WAN-to-LAN direction.
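As an added illustration of why that ordering matters (example code, not ZyXEL's): a small Python model of the first-match evaluation of zone-based rules, built from this page's fragments (the WebServerFW rule, the default WAN-to-LAN "Deny all" rule and the Wireless_Zone employee rule from page 227), with a check that flags any rule an earlier rule shadows. The address objects, the Wireless subnet and the 203.0.113.0/24 test addresses are assumptions.

```python
"""First-match model of ZyWALL USG style zone-based firewall rules.

Added example, not ZyXEL's code. Rules are evaluated top-down and the
first match wins, so a rule appended after the default "Deny all" rule
never fires; shadowed_rules() flags exactly that. Zone names, address
objects and rule fields are reconstructed from this page's fragments;
the Wireless subnet and the 203.0.113.0/24 test addresses are assumed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

ANY = "any"

# Constructed address objects (name -> network), mirroring the page.
ADDRESS_OBJECTS = {
    ANY: IPv4Network("0.0.0.0/0"),
    "WebServer": ip_network("192.168.1.55/32"),   # address-object WebServer (page 246)
    "LAN_SUBNET": ip_network("192.168.1.0/24"),
    "Wireless": ip_network("192.168.10.0/24"),    # assumed vlan10 subnet (page 219)
}


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str    # zone name or "any"
    to_zone: str
    source: str       # address object name
    dest: str
    service: str      # service object name or "any"
    action: str       # "allow", "deny" or "reject"
    user: str = ANY   # required user/group object, or "any"


@dataclass(frozen=True)
class Flow:
    from_zone: str
    to_zone: str
    src: str          # source IP literal
    dst: str
    service: str
    user: str = ANY   # authenticated user, "any" when unauthenticated


def _covers(rule_value: str, value: str) -> bool:
    """A name-valued rule field matches when it is "any" or equal."""
    return rule_value == ANY or rule_value == value


def matches(rule: Rule, flow: Flow) -> bool:
    return (_covers(rule.from_zone, flow.from_zone)
            and _covers(rule.to_zone, flow.to_zone)
            and ip_address(flow.src) in ADDRESS_OBJECTS[rule.source]
            and ip_address(flow.dst) in ADDRESS_OBJECTS[rule.dest]
            and _covers(rule.service, flow.service)
            and _covers(rule.user, flow.user))


def first_match(rules: List[Rule], flow: Flow) -> Optional[Rule]:
    """Top-down evaluation: the first matching rule decides."""
    return next((r for r in rules if matches(r, flow)), None)


def decide(rules: List[Rule], flow: Flow) -> str:
    """Action for a flow; no match falls through to an assumed deny."""
    rule = first_match(rules, flow)
    return rule.action if rule else "deny"


def shadows(earlier: Rule, later: Rule) -> bool:
    """True if every flow `later` could match is already caught by `earlier`."""
    return (_covers(earlier.from_zone, later.from_zone)
            and _covers(earlier.to_zone, later.to_zone)
            and ADDRESS_OBJECTS[earlier.source].supernet_of(ADDRESS_OBJECTS[later.source])
            and ADDRESS_OBJECTS[earlier.dest].supernet_of(ADDRESS_OBJECTS[later.dest])
            and _covers(earlier.service, later.service)
            and _covers(earlier.user, later.user))


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule covers them."""
    return [r.name for i, r in enumerate(rules) if any(shadows(e, r) for e in rules[:i])]


# Rules reconstructed from the page's CLI fragments.
DEFAULT_DENY = Rule("Deny_all", "WAN", "LAN", ANY, ANY, ANY, "deny")
WEBSERVER_FW = Rule("WebServerFW", "WAN", "LAN", ANY, "WebServer", "HTTP", "allow")
EMPLOYEE_RULE = Rule("firewall_8", "Wireless_Zone", "WAN", "Wireless", ANY, ANY, "allow",
                     user="ldap-employee")
WIRELESS_DENY = Rule("Wireless_deny", "Wireless_Zone", "WAN", ANY, ANY, ANY, "deny")

CORRECT_ORDER = [WEBSERVER_FW, DEFAULT_DENY]   # placed before the default "Deny all"
WRONG_ORDER = [DEFAULT_DENY, WEBSERVER_FW]     # appended after it: unreachable
WLAN_RULES = [EMPLOYEE_RULE, WIRELESS_DENY]

# Constructed flows.
INBOUND_HTTP = Flow("WAN", "LAN", "203.0.113.10", "192.168.1.55", "HTTP")
EMPLOYEE_WEB = Flow("Wireless_Zone", "WAN", "192.168.10.20", "203.0.113.80", "HTTP",
                    user="ldap-employee")
GUEST_WEB = Flow("Wireless_Zone", "WAN", "192.168.10.21", "203.0.113.80", "HTTP")

if __name__ == "__main__":
    print("correct order:", decide(CORRECT_ORDER, INBOUND_HTTP))   # allow
    print("wrong order:  ", decide(WRONG_ORDER, INBOUND_HTTP))     # deny
    print("shadowed:     ", shadowed_rules(WRONG_ORDER))           # ['WebServerFW']
    print("employee:", decide(WLAN_RULES, EMPLOYEE_WEB), "guest:", decide(WLAN_RULES, GUEST_WEB))
```

Running shadowed_rules() over an exported rule list is a quick way to catch an allow rule that was appended below the default deny instead of inserted above it.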
  • Page 249: Zone-Based IDP Protection

    Malicious attacks can be stopped at the gateway – customers’ servers are securely protected and a notification alert can be sent to the involved parties or individuals. 3.2.1 Applying Zone-Based IDP to ZyWALL USG. Here is an example:
  • Page 250 8) Now we can assign an IP domain to GE4 and another one to GE5. Other settings are all optional. In this example, we keep the default values, which disable the DHCP Server on these two interfaces.
  • Page 251 Tips: You do not need a gateway here since this interface is directly connected to the ZyWALL USG.
  • Page 252 Since we need GE5 for our LAN2 zone, we need to remove interface GE5 from the DMZ zone. Click the “edit” icon of the DMZ zone and then click the “remove” icon of the GE5 interface.
  • Page 253 13) Enter the name “LAN2” and click the “+” icon again to bind the interface to this zone. Now we have only one interface in this zone, so there is no intra-zone traffic to worry about.
  • Page 254 14) Since GE5 is the only interface left, it will be selected automatically. Finally, click “OK” to apply the new setting. 15) Before you apply the IDP profiles, make sure the IDP service on your ZyWALL USG is licensed.
  • Page 255 USG will receive the license automatically. A page that is already registered is shown here. 17) Now go to Configuration > Policy > IDP. Enable the IDP check box to activate the IDP service on your ZyWALL USG.
  • Page 256 [1] ip address 192.168.2.1 255.255.255.0 [2] ping-check default-gateway [3] ping-check default-gateway period 30 [4] ping-check default-gateway timeout 5 [5] ping-check default-gateway fail-tolerance 5 [6] no ping-check activate [7] exit [8] router rip [9] exit
  • Page 257 CLI commands for removing GE5 from the DMZ Zone: [0] zone DMZ [1] block [2] no interface ge4 [3] no interface ge5 [4] interface ge4 [5] exit CLI commands for creating the LAN2 Zone: [0] zone LAN2 [1] no block
  • Page 258 CLI commands for activating the IDP service: [0] idp activate [1] idp zone LAN activate [2] no idp zone WAN activate [3] idp zone DMZ activate [4] no idp zone LAN2 activate
  • Page 259: Network Partitioning Using VLAN

    [Figure: network partitioned into VLAN10, VLAN20 and VLAN30. Callouts: “Access privileges are only granted to authorized users”; “The corporate intranet is placed in this zone. A strict access policy may apply to prevent misuse from happening”. *A VLAN-capable L2 switch is required to create VLAN tags.]
  • Page 260 IP automatically for this interface or assigning a static one to it. The ZyWALL USG also supports a DHCP Server or Relay per VLAN interface. You can change it in the DHCP Setting section.
  • Page 261 3) By following the above steps you can create the other two VLAN interfaces (VLAN20 and VLAN30). The CLI commands to create the above VLAN10: [0] interface vlan10 [1] no shutdown
  • Page 262: Adding VLAN Virtual Interfaces To The Zone

    To create these zones, please follow the configuration steps below: 1) Log in to the ZyWALL USG GUI and go to Configuration > Network > Zone. Then click “+” to create a new zone.
  • Page 263 However, it may not be the one you are looking for. If so, click the interface box and choose the one you want.
  • Page 264 4) Finally, click “OK” to apply your settings. 5) Repeat the above steps to create the other two zones for VLAN20 and VLAN30.
  • Page 265: Applying Firewall Policy To The Zone Of VLANs

    For example, if we first want to block access from the Finance zone to the Secret zone, we pick the Finance zone on the left and the Secret zone on the right.
  • Page 266 19) It is optional to give this rule a description. If you want to allow or block everything, simply choose “allow” or “deny” as the “Access” option. The “Reject” option means dropping the packets that match this rule silently.
  • Page 267 Zone to “LAN_VLAN20” Zone. The CLI commands for the above actions: [0] firewall Finance Secret insert 1 [1] no schedule [2] no user [3] no sourceip [4] no destinationip [5] no service [6] action deny
  • Page 268 [7] from Finance [8] to Secret [9] no log [10] activate [11] exit
  • Page 269: Connecting Multiple ISP Links

    3.4.1 Multiple PPPoE links. Multiple PPPoE links are supported on the ZyWALL USG; with an L2 switch they take up only one of your physical ports. Here is an example.
  • Page 270 Set the Idle timeout to 0 if you do not want this link to be subject to a timeout. All other parameters, including the username and password, should be based on your ISP’s requirements. Finally, click “OK” to add this account.
  • Page 271 4) Now all the PPPoE accounts are created. Our next task is to create the PPPoE interfaces. Go to Configuration > Network > Interface > PPPoE/PPTP. Then click “+” to create a new account.
  • Page 272 PPPoE connections come in via GE2. Thus, we pick GE2 as our base interface. Pick the account profile that you want to apply to this PPPoE interface. All other remaining settings are either optional or depend on the requirements of your ISP.
  • Page 273 7) Now all the PPPoE interfaces are created, and all of them need to be added to the WAN zone as well. Go to Configuration > Network > Zone and click the modify icon of the WAN zone.
  • Page 274 9) Now check the box below to pick PPP1 as the interface to join the WAN zone. Repeat the above steps to add PPP2 and PPP3 to the WAN zone as well.
  • Page 275 10) Second, we need to add all three of our PPPoE interfaces to the WAN trunk interface. Please go to Configuration > Network > Interface > Trunk. 11) Click the “+” icon to add a new interface to this WAN trunk interface.
  • Page 276 Bandwidth” here are the values used as reference by the load balancing algorithm. 13) Repeat the above steps until all three PPPoE interfaces are added to this WAN_Trunk interface. Remove the fixed links on GE2 and/or GE3 if you want.
  • Page 277 [4] compression no [5] idle 0 [6] exit CLI commands to create a PPPoE interface: [0] interface ppp1 [1] no shutdown [2] description ISP1 [3] mtu 1492 [4] upstream 1048576 [5] downstream 1048576
  • Page 278 [7] interface ge2 [8] interface ge3 [9] exit CLI commands to add those three PPPoE interfaces to the WAN_Trunk interface: [0] interface-group WAN_TRUNK [1] mode trunk [2] algorithm llf [3] no interface ge2
  • Page 279 [4] no interface ge3 [5] no interface aux [6] interface 1 ppp3 [7] interface 2 ppp2 [8] interface 3 ppp1 [9] interface 4 ge2 [10] interface 5 ge3 [11] interface 6 aux passive [12] exit
  • Page 280: Multiple Fixed WAN Links

    1) Log in to the ZyWALL USG GUI and go to Configuration > Network > Interface > Ethernet. The default settings of GE2 and GE3 are already suitable for our scenario. Thus, we only need to modify the settings of GE4 in this case.
  • Page 281 3) Since GE4 is in the DMZ zone by default, we need to release it before we can use it. Go to Configuration > Network > Zone and click the modify icon of DMZ.
  • Page 282 5) Next, we need GE4 to join the WAN zone so that we can apply a single WAN policy on the ZyWALL USG. Go to Configuration > Network > Zone and click the modify icon of the WAN zone.
  • Page 283 6) Click the “+” icon again to make the new interface join this zone. 7) Since GE4 is the only free interface here, it will be selected automatically.
  • Page 284 Configuration > Network > Interface > Trunk and click to modify the settings of the WAN_Trunk. 9) Click the “+” icon to add a new interface to this WAN_Trunk interface.
  • Page 285 10) Click the box below to switch the interface from GE1 to GE4. Click OK to complete the setup of this scenario. CLI commands to configure the IP information on GE4: [0] interface ge4
  • Page 286 [4] interface ge5 [5] exit CLI commands to join GE4 to the WAN Zone: [0] zone WAN [1] block [2] no interface ge2 [3] no interface ge3 [4] interface ge4 [5] interface ge2
  • Page 287 [2] algorithm llf [3] no interface ge2 [4] no interface ge3 [5] no interface aux [6] interface 1 ge4 [7] interface 2 ge2 [8] interface 3 ge3 [9] interface 4 aux passive [10] exit
  • Page 288 E1 Router. 1) Log in to the ZyWALL USG GUI and go to Configuration > Network > ISP Account. Then click “+” to create a new account for a PPPoE connection.
  • Page 289 3) Since we have three PPPoE links in our scenario, you will need two additional PPPoE accounts here as well. Repeat the above steps to create all the other accounts. Your final PPPoE account summary screen should look like this.
  • Page 290 PPPoE connections come in via GE2. Thus, we pick GE2 as our base interface. Pick the account profile that you want to apply to this PPPoE interface; all other remaining settings are either optional or depend on the requirements of your ISP.
  • Page 291 6) Repeat the above steps to create the other two PPPoE interfaces. Then you should get a screen that looks like this. If you want to connect your PPPoE interface manually, click the icon below.
  • Page 292 9) Now check the box below to pick PPP1 as the interface to join the WAN zone. Repeat the above steps to add PPP2 and PPP3 to the WAN zone as well.
  • Page 293 10) Second, we need to add all three of our PPPoE interfaces to the WAN trunk interface. Please go to Configuration > Network > Interface > Trunk. 11) Click the “+” icon to add a new interface to this WAN_Trunk interface.
  • Page 294 “Passive” here. The “Downstream Bandwidth” and the “Upstream Bandwidth” are the values used as reference by the load balancing algorithm. 13) Repeat the above steps until all three PPPoE interfaces are added to this WAN_Trunk interface.
  • Page 295 [0] account pppoe ISP1 [1] user test1@isp1.com [2] password abcdefg [3] authentication chap-pap [4] compression no [5] idle 0 [6] exit CLI commands to create a PPPoE interface: [0] interface ppp1 [1] no shutdown
  • Page 296 CLI commands to add all the PPPoE interfaces to the WAN Zone: [0] zone WAN [1] block [2] no interface ge2 [3] no interface ge3 [4] interface ppp3 [5] interface ppp2 [6] interface ppp1 [7] interface ge2 [8] interface ge3 [9] exit
  • Page 297 [4] no interface ge3 [5] no interface aux [6] interface 1 ppp3 [7] interface 2 ppp2 [8] interface 3 ppp1 [9] interface 4 ge2 [10] interface 5 ge3 [11] interface 6 aux passive [12] exit
  • Page 298: Guaranteed Quality Of Service

    Bandwidth management and prioritization can be done with policy routes on the ZyWALL USG. Here is an example:
  • Page 299 Management policies for our application. Log on to the ZyWALL USG GUI and go to Configuration > Policy > Route > Policy Route. Then click “+” to add a new policy route at the top of your list.
  • Page 300 We can assign this policy a relatively high priority (like 100) so that, even when bandwidth is insufficient overall, the SMTP service can still get more bandwidth than the other types of network services.
  • Page 301 3) Repeat the above steps to create two more policy routes for the “WWW” and “FTP” services. In the policy route you can set their Maximum Bandwidth to 800Kbps and 100Kbps respectively, along with a priority value. Below is what you should have so far:
  • Page 302 WAN is 1.5Mbps. Now we have already spent 400kbps for SMTP, 800kbps for HTTP, and 100kbps for FTP. What is left over is 200kbps; thus, we can apply it to the remaining traffic, which is our default route.
  • Page 303 5) Modify the bandwidth and priority values here in the default policy route. Click “OK” to apply. 11) Now the final list should look like the one below:
  • Page 304 [9] next-hop trunk WAN_TRUNK [10] snat outgoing-interface [11] bandwidth 400 priority 100 [12] exit CLI commands for applying bandwidth and priority to the default policy route: [0] policy 4 (the number of your default policy)
  • Page 305 [3] no user [4] interface ge1 [5] source LAN_SUBNET [6] destination any [7] no schedule [8] service any [9] next-hop trunk WAN_TRUNK [10] snat outgoing-interface [11] bandwidth 200 priority 1024 [12] exit
  • Page 306: A. Device Management FAQ

    6. You may be connecting to the ZyWALL USG from a WAN interface, which is blocked by default. If you don’t want this block rule, go to GUI menu Configuration > System > WWW and set it to accept access from ‘WAN’ or from ‘All’.
  • Page 307: A04. Why ZyWALL USG Redirects Me To The Login Page When I Am Performing The Management Tasks In GUI

    A04. Why does the ZyWALL USG redirect me to the login page when I am performing management tasks in the GUI? There may be several reasons for the ZyWALL USG to redirect you to the login page while you are doing configuration.
  • Page 308: A05. Why Do I Lose My Configuration Setting After ZyWALL USG Restarts

    2. The ZyWALL USG firmware may have become corrupted. Generally, this happens if the ZyWALL USG is powered off during a firmware upgrade. In this case, the admin can connect to the console and see the message shown below (ensure your terminal baud rate is configured correctly).
  • Page 309 Set the transfer mode to binary (use “bin” in the Windows command prompt). 4. Reload the firmware (e.g. use the command “put 1.00(XL.1)C0.bin” to upload the firmware file). 5. Wait for the FTP upload to complete; the ZyWALL USG will then restart automatically.
  • Page 310: B. Registration FAQ

    1. The next time the device synchronizes with myZyXEL.com. 2. When the user clicks the “Service License Refresh” button on the ZyWALL > Licensing > Registration > Service page.
  • Page 311: C. File Manager FAQ

    It is mandatory to have at least 70MB of free memory before upgrading the firmware. If you still can’t get enough memory to upgrade the firmware, you can perform the upgrade after a system reboot, which frees up memory.
  • Page 312: C05. How To Write A Shell Script

    C06. Why can’t I run the shell script successfully? Please ensure that you follow the correct CLI command syntax when writing the script, and make sure that you add “configure terminal” as the top line of the script file.
  • Page 313: D. Object FAQ

    SSL VPN, you can simply click the “Add” button; it will pop up a new window linked to the “User Configuration” page, so you don’t have to leave the page where you are configuring the access policy.
  • Page 314: D02. What's The Difference Between Trunk And The Zone Object

    If you have several redundant LDAP/RADIUS servers, you may need to create your own LDAP/RADIUS server groups. But don’t forget to select the LDAP/RADIUS server groups in the authentication method chosen for authentication.
  • Page 315: E. Interface FAQ

    LAN PCs. So make sure all the interfaces that provide DNS servers don’t go down because of link down, ping-check failure or being disabled. E05. Why does the PPP interface dial successfully even when its base interface goes
  • Page 316: E06. What Is The Port Grouping Used For In ZyWALL USG

    MAC address without security checks (such as firewall, IDP…). E07. What's the maximum number of VLAN interfaces supported by the ZyWALL USG? The maximum number of VLAN interfaces supported by the ZyWALL USG and USG 300 is 32.
  • Page 317: F. Routing And NAT FAQ

    In a general application, users access the web service by entering the FQDN (Fully Qualified Domain Name, e.g. http://www.zyxel.com) rather than an IP address, because the domain name is easier to remember. However, when both the server and the client are located behind the same NAT, a triangle route problem will be encountered.
  • Page 318 Create one Policy Route rule for outgoing SNAT to translate the private IP to the public one. After these two steps, the 1-1 NAT mapping on the ZyWALL USG is complete.
  • Page 319 To run NAT loopback on the ZyWALL USG, please add these rules after you finish the 1-1 NAT mapping. First, add one Virtual Server rule for LAN usage. All the parameters are the same as those set for the 1-1 NAT mapping, except the Interface item.
  • Page 320 This Policy Route rule makes all internal access go through SNAT translation. This forces all the traffic to go back through the ZyWALL USG and avoids the triangle route problem.
  • Page 321: F03. How To Configure A NAT

    Address Translation area. Choosing ‘none’ turns off the NAT feature for that policy route rule. Choosing “outgoing-interface” or another address object you defined turns on the NAT feature, and routing will follow the next-hop setting.
  • Page 322: F04. After I Installed A HTTP Proxy Server And Set A HTTP Redirect Rule, I Still Can't Access Web. Why

    1.0 to 2.0, the “Enable BWM” checkbox will be checked. F06. What is the routing order of policy route, dynamic route, static route and the directly connected subnet table? All of this routing information makes up the ZyWALL USG routing database. When routing,
  • Page 323: F07. Why ZyWALL USG Cannot Ping The Internet Host, But PC From LAN Side Can Browse Internet WWW

    WAN to LAN is disabled. F10. Why does port trigger not work? Port trigger only works when there is a connection matching that policy route rule.
  • Page 324: F11. How Do I Use The Traffic Redirect Feature In ZyWALL USG

    F12. Why can’t the ZyWALL learn routes from RIP and/or OSPF? The ZyWALL blocks RIP/OSPF routing advertisements from WAN/DMZ by default. If you find that it fails to learn the routes, check your firewall to-ZyWALL rules.
  • Page 325: G. VPN And Certificate

    We need a policy route to tell the ZyWALL USG to send packets into the VPN tunnel when the packet’s destination address is in the VPN remote subnet. Please switch to ZyWALL USG GUI >
  • Page 326: G04. VPN Connections Are Dialed Successfully, And The Policy Route Is Set. But The Traffic Is Lost Or There Is No Response From Remote Site

    If the traffic doesn't match the policy and policy enforcement is active, it will be dropped by the VPN. For inbound traffic SNAT/DNAT, check whether there is a directly connected subnet or a route rule to the destination.
  • Page 327: H. Firewall FAQ

    You need to set the access control rules in the system for each service, such as DNS, ICMP, WWW, SSH, TELNET, FTP and SNMP. After the b6 image, users can configure to-ZyWALL rules to manage traffic destined to the ZyWALL.
  • Page 328: I. Application Patrol Faq

    Outlook Express 6 Protocol detect Common SMTP Outlook Express 6 Protocol detect aol-icq ICQ 5.1 audio aol-icq ICQ 5.1 video aol-icq ICQ 5.1 file transfer aol-icq ICQ 5.1 Login aol-icq ICQ 5.1 Message All contents copyright (c) 2007 ZyXEL Communications Corporation.
  • Page 329 Protocol detect VoIP H323 Netmeeting 3.01 Protocol detect VoIP Windows Messenger 5.1 Protocol detect VoIP Gizmo 3.0 Protocol detect I03. Why does the application patrol fail to drop/reject invalid access for some All contents copyright (c) 2007 ZyXEL Communications Corporation.
  • Page 330 (1) Defines the port used in ZyWALL USG. For easy configuration purpose, the ZyWLL has been pre-configured for the frequent use service port. For example: eDonkey service is pre-defined to take action on port 4661 ~ 4665 as shown below. All contents copyright (c) 2007 ZyXEL Communications Corporation.
  • Page 331: I05. What Is The Difference Between Bwm (Bandwidth Management) In Policy Route And App. Patrol

    2. App. Patrol – App. Patrol supports both outbound BWM and inbound BWM. If traffic matches the BWM rules of both Policy Route and App. Patrol, the Policy Route rule will be applied to the traffic.
  • Page 332: I06. Do I Have To Purchase Icards Specifically For Using Apppatrol Feature

    No. The new ZLD platform 2.0x enhances the zone-to-zone mechanism, and the old settings cannot be migrated into the new AppPatrol. Therefore, the user will need to reconfigure the related settings after the firmware upgrade is complete.
  • Page 333: J01. Why Doesn't The Idp Work? Why Has The Signature Updating Failed

    “protected zone” in the related IDP profile is other than “none”. J06. What are the major design differences between IDP in ZLD1.0x and the latest IDP/ADP in ZLD2.0x? The following are the 3 major differences introduced in the ZLD2.0x series: IDP - Inspects via Signature
  • Page 334: J07. Does Idp Subscription Have Anything To Do With Apppatrol

    System Protection: System Protection offers the ZyWALL the ability to protect itself against host-based intrusions. ZyXEL can prevent not only network intrusions but also host-based intrusions. Zone to Zone Protection: A zone is a combination of ZyWALL interfaces for security. Traffic direction is defined by the zone the traffic is coming from and the zone the traffic is going to.
  • Page 335: J08. How To Get A Detailed Description Of An Idp Signature

    J09. After an IDP signature update, does the ZyWALL need to reboot for the new signatures to take effect? No, it is not necessary to reboot the device for new signatures to take effect.
  • Page 336: K. Content Filtering Faq

    MSN Messenger wants to access are not in the trusted websites list, access will be blocked. If you really want this option enabled, you have to add these websites to the trusted websites list.
  • Page 337: L. Device Ha Faq

    VRRP group cannot detect a fault event encountered on the master router. You can click Device HA in the left panel and check the “Enable” checkbox to enable the link monitor.
  • Page 338: L04. Can Link Monitor Of Device Ha Be Used In Backup Vrrp Interfaces

    MUST forward the VRRP multicast to the backup ZyWALL USG. Otherwise the backup ZyWALL will never receive the VRRP announcement. Please ensure the switch forwards the multicast VRRP announcement (224.0.0.18) by enabling the "Unknown multicast flooding" option in the switch settings.
  • Page 339: M. User Management Faq

    There are several reasons the device could log you out:
    1. Re-authentication, lease or idle timeout
    2. The IP address changed after authentication
    3. Another account was used to log in from the same computer
  • Page 340: M05. What Is Aaa

    If it still cannot be found, it will use the attributes of “ldap-users” and “radius-users” at GUI menu Configuration > User/Group > User tab, as below. The default lease time and re-authentication time of ldap-users and radius-users are 1440 minutes.
  • Page 341 See the flow as shown below.
  • Page 342: N. Centralized Log Faq

    N02. After I have filled in all the required fields, why can’t I receive the log mail? The e-mail server may reject delivery of the event/alert mail for many reasons. Please enable the system debug log and find out why the e-mail server refused to receive the mail.
  • Page 343: O. Traffic Statistics Faq

    O04. Why can't I see the connections from/to the ZyWALL itself? In the Session module, only forwarding traffic is listed. Forwarding traffic means traffic going through the ZyWALL. Therefore, the broadcast traffic in the bridge interface will be listed.
  • Page 344: P. Anti-Virus Faq

    P05. How frequently are the AV signatures updated? The signatures are powered by Kaspersky Labs. The signatures are updated 3 times a week. Emergency cases are responded to within 48 hours.
  • Page 345: P06. How To Retrieve The Virus Information In Detail

    P06. How to retrieve the virus information in detail? You can simply go to the web site http://mysecurity.zyxel.com and search for any virus-related details you require. P07. I cannot download a file from the Internet through the ZyWALL USG because the Anti-Virus engine considers this file to have been infected by a virus;...