1.4.3 Star-Mesh Mixed Topology ........ 83
1.5 Device HA ........ 99
1.5.1 Device HA ........ 101
1.5.1.1 Configuration procedure ........ 101
1.5.2 Device High Availability (HA) Active-Passive mode ........ 113
1.5.2.1 Scenario Topology ........ 113
All contents copyright (c) 2008 ZyXEL Communications Corporation.
3.3.3.1 Configuration procedure ........ 176
3.3.3.2 Scenario topology ........ 177
3.3.3.3 Steps to configure B/W list ........ 177
3.4 Guaranteed Quality of Service ........ 180
3.4.1 Priority & Bandwidth management ........ 181
E04. Why can't I get DNS options from ZyWALL's DHCP server? ........ 197
E05. Why does the PPP interface dial successfully even when its base interface goes down? ........ 198
F. Routing and NAT FAQ ........ 199
I04. What is the difference between "Auto" and "Service Ports" settings in the Application Patrol configuration page? ........ 212
I05. What is the difference between BWM (bandwidth management) in Policy Route
M02. What is the "re-authentication time" and "lease time"? ........ 221
M03. Why can't I sign in to the device? ........ 221
M04. Why is the TELNET/SSH/FTP session to the device disconnected? Why is the
P09. What kinds of protocol are currently supported on the ZyWALL USG 2000 Anti-Virus engine? ........ 227
P10. If the Anti-Virus engine detects a virus, what action may it take? Can it cure the file? ........ 227
ZyWALL USG 2000 Support Notes

The comparison of ZyNOS and ZLD

The ZyXEL USG 2000 adopts ZLD 2.10 as its network operating system. ZLD 2.10 provides many new features and a new GUI design, so the layout in ZyNOS might not be the same as the one in ZLD 2.10.
These are based on the source address, remote address, user and schedule to enhance VPN security. To help reduce network intrusion attacks, administrators can configure the built-in IDP engine to inspect VPN traffic. For easy
VPN connection ability. The benefit from deployment of ZyXEL VPN solutions
‧ Lower cost

1.1 Extended Intranets

The ZyXEL VPN solutions can primarily be used to extend the intranet and deliver increased connectivity between operation sites. The branch office subnet is considered part of the main office intranet. Therefore, a user behind the branch office can also use the internal network resources as if he were in the main office.
IP. The configuration path in the ZyWALL 1050 is Network > Interface > Ethernet > Edit > ge2.
2) Switch to VPN > IPSec VPN > VPN Gateway, select interface ge2 as My Address and
The Next-Hop type is VPN tunnel. Then choose the corresponding VPN connection rule from the VPN tunnel drop-down menu. Now the VPN tunnel and routing are configured and the user can start to test it.
IP. The configuration path in the ZyWALL USG 2000 menu is ZyWALL > VPN > IPSec VPN > VPN Gateway > Add. Select Static site to site VPN and then create an object if you have not created any for the WAN interface.
Security Gateway Address field set the remote gateway IP to 210.110.7.1. The Local ID Type and content are IP and 167.35.4.3; the Peer ID Type and content are IP and 210.110.7.1.
Tips for application:
1. Make sure the pre-shared key is the same in both local and remote gateways.
2. Make sure the IKE & IPSec proposals are the same in both local and remote gateways.
3. Select the correct interface for the VPN connection.
4. The Local and Peer ID type and content must be mirrored: each side's Peer ID must match the other side's Local ID.
Make sure the VPN policy route has been configured in the ZyWALL 1050.
The ZyWALL USG 2000 can be placed as a VPN gateway in the central site. It can communicate with other ZyXEL VPN-capable products as well as VPN products from other major vendors in the network device industry, e.g. Cisco PIX/IOS VPN products, Check Point VPN Pro, Juniper NetScreen 100/200 and others.
2) Switch to VPN > IPSec VPN > VPN Gateway, select My Address as interface ge2 and then in the Security Gateway Address field set the remote gateway IP to 167.35.4.3. The Local ID Type and content are IP and 210.110.7.1; the Peer ID Type and content are IP and
5) Switch to Network > IPSec VPN > VPN Connection and add a new VPN connection (IPSec phase 2). Set up the Phase 2 proposal and the local and remote policies. The phase 2 proposal chosen must be the same as on the remote site's ZyWALL70.
8) The ZyWALL USG 2000 VPN is a route-based VPN, which means the VPN tunnel can act as an interface to route the VPN traffic. Thus, we need to configure a policy route for VPN traffic from the local subnet to the remote subnet after configuring the VPN gateway and
9) After configuring both sides of the VPN, click the "Dial up" icon to test the VPN connectivity.
10) The "VPN tunnel establishment successful" message appears.
FortiGate 200A. As shown in the figure below, the tunnel between the Central and Remote offices ensures the packet flow between them is secure, because the packets going through the IPSec tunnel are
Perfect Forward Secrecy (PFS): None
1) Configure the ZyWALL USG 2000's VPN gateway and VPN connection as listed. Also remember to configure the policy route for the VPN traffic routing. Refer to the
4) Fill in the VPN phase 1 settings according to the table listed. We don't have to set up the ID type and content because the FortiGate accepts any peer ID. Make sure both the pre-shared key and the proposal are the same as in the ZyWALL USG 2000.
Advanced… button to edit the phase 2 proposal and the source and destination addresses. Please make sure the phase 2 proposal is the same as the ZyWALL USG 2000 phase 2 proposal.
Use the "Create New" button to create a new address object.
9) Switch to Firewall > Policy and click the "Insert Policy Before" icon to add a new policy for the VPN traffic from the FortiGate to the ZyWALL.
Address name is Zynet (192.168.1.0/255.255.255.0 address object). The destination interface is internal and the Address name is Fortinet (192.168.2.0/255.255.255.0 address object). Schedule and service type are always and ANY to ensure that all kinds of traffic
2. Make sure both the IKE and IPSec proposals are the same in both local and remote gateways.
3. Make sure the VPN policy route has been configured in the ZyWALL USG 2000.
4. Make sure the firewall rule has been configured in the FortiGate.
Phase 1                        | Phase 1
Negotiation Mode: Main         | Negotiation Mode: Main
Pre-share key: 123456789       | Pre-share key: 123456789
Encryption: DES                | Encryption: DES
Authentication: MD5            | Authentication: MD5
Key Group: DH1                 | Key Group: DH1
After configuring a static IP address on the untrust interface, switch to Network -> Routing -> Routing Entries to edit the default gateway IP address. In this example, the gateway IP address is 167.35.4.1.
ZyWALL's WAN IP address. In this example, we select the Static IP Address option and enter IP 210.110.7.1 in the text box. Enter the key string 123456789 in the Preshared Key text box, and then press the Advanced button to edit the advanced settings.
Key, group1, DES for Encryption Algorithm and MD5 for Authentication Algorithm. Select the Main (ID Protection) option for Mode (Initiator). Then press the Return button, and press the OK button on the next page to save your settings.
10) Give a name for the VPN, for example "ToZyWALL IPSec". In Remote Gateway, choose the Predefined option and select the ToZyWALL rule. Then press the Advanced button to edit the advanced settings.
13) Switch to Policies to set up policy rules for VPN traffic. In the From field choose Trust and in the To field choose Untrust (i.e., from LAN to WAN). Then press the New button to edit the policy rules.
In the Action drop-down menu select the option Tunnel and then select the ToZyWALLIPSec VPN rule. Check the Modify matching bidirectional VPN policy check box so that you can create/modify the VPN policy for the opposite direction. Then press the OK button to save your settings.
17) Ping the remote host and switch to VPNs > Monitor Status to check the VPN link status. If the Link status is Up, the VPN tunnel between the ZyWALL and the NetScreen has been successfully built.
If you jumped to this section first, please refer to 'ZyWALL USG 2000 to ZyWALL70 VPN tunnel setting' on page 8. The list below briefly shows the VPN phase 1 and phase 2 configuration parameters:
2) Using a web browser, log in to the SonicWall by entering the LAN IP address of the SonicWall in the URL field. The default username and password are admin/password.
3) Switch to menu Network > Interfaces and configure the WAN/LAN IP addresses: WAN: 167.35.4.3, LAN: 192.168.2.1/24.
Address is the ZyWALL's WAN IP address (the IP address of the remote gateway). In this example, we use 210.110.7.1 in the IPSec Primary Gateway Name or Address text box. Then enter the key string 123456789 in the Shared Secret text box.
Therefore, we have to create a new address object from the remote network drop-down list. A new address object window will then pop up.
8) Switch to the Proposals tab. In the IKE (Phase 1) proposal settings, select Main mode, set DH Group to Group1, Encryption to DES and Authentication to MD5. In the IPSec (Phase 2) proposal settings, select ESP Protocol, Encryption DES and Authentication SHA1. Then press the OK button.
9) Switch to the Advanced tab. In the "VPN policy bound to" setting, select Interface WAN. Then press the OK button.
10) The VPN status page will show a new VPN rule. Make sure the rule has been enabled.
11) Ping the remote host to dial up the tunnel. We can check the connected VPN status on the VPN status page. The VPN tunnel should appear in the Currently Active VPN Tunnels page, showing that the tunnel has been successfully built.
ZyWALL USG 2000's remote gateway setting it represents "any IPs". On the other end, the teleworkers use the ZyWALL VPN client on their notebooks to establish an IPSec VPN with the main office.
Phase 1                        | Phase 1
Negotiation Mode: Main         | Negotiation Mode: Main
Pre-share key: 123456789       | Pre-share key: 123456789
Encryption: DES                | Encryption: DES
Authentication: MD5            | Authentication: MD5
Key Group: DH1                 | Key Group: DH1
3) Go to VPN > IPSec VPN > VPN Gateway to create a gateway for a remote VPN client. Because this kind of VPN is initiated from the remote user, the Secure Gateway should be set as dynamic, 0.0.0.0. Also, the VPN peers should keep consistent with each other for the other parameters, such as Pre-Shared Key, ID Type, Encryption and Authentication proposal and so
We put the VPN Gateway as dynamic, as defined in step 3.
5) Go to the remote host to configure the ZyXEL VPN Client. We create a Net Connection and set the remote access subnet to 192.168.2.x.
Note: Do not forget to enter the Pre-Shared Key by clicking the Pre-Shared Key button. The last step is to go to Security Policy to configure the parameters for Phase 1 and Phase 2. After saving the configuration, the VPN connection should be initiated from the host site.
4. The Local and Peer ID type and content must be the opposite and not of the same content.
5. The Local Policy of the ZyWALL USG 2000 should be 'dynamic single host with the value 0.0.0.0'. The VPN tunnel should be initiated from the remote host site.
1) Connect your NB to the ZyWALL USG 2000's ge1 port. Get an IP address by DHCP and log in to the ZyWALL USG 2000 at http://192.168.1.1. Configure the ZyWALL USG 2000's ge1 and ge2 interfaces with proper IP addresses.
2) Go to menu ZyWALL > VPN > SSL VPN and create one access privilege rule by clicking the Add icon. Then continue to create a user or group object. Here we create one user by clicking the "Add" button.
Step 2. Enter the ID/password, check "log into SSL VPN" and click the Login button.
Step 3. Click the Yes buttons until you see the following page, which shows the ZW_http link available in the application list.
They can access any destination which is allowed and pre-defined in the "SSL VPN network" list.
1.3.3.1 Scenario topology
(Topology figure: WAN (wan1), LAN1, USG 2000)
1.3.3.2 Configuration flow
Network setup
Create an address object for remote IP assignment. Switch to menu Object > Address and click the Add icon to add a new address object. Configure a network range from 8.1.1.33 to 8.1.1.50 for remote IP assignment.
Switch to menu Object > Address and click the Add icon to add a new address. Configure the network subnet 192.168.1.0/24.
Step 4. Modify the SSL rule we created for LAB1 by clicking the modify icon.
Configure your NB with IP address 10.1.1.33 and connect it to the ZyWALL USG 2000's WAN side (ge2). Open a browser and try to connect to https://10.1.1.1.
Step 2. Enter the ID/password, check "log into SSL VPN" and click the Login button.
Step 3. Click the Yes buttons until you see the following page. You will see a small window processing the security extender rule (for network extension).
After a while, the window will show you the information about the network extension.
Step 5. Check the IP address assigned and the routing info on the remote PC/NB. You will see one PPP interface as below by typing 'ipconfig' at the command prompt.
Try to FTP to the device and see if you can access the ZyNOS ZyWALL with an FTP tool. If so, you have successfully established the network extension and are not limited to the available application list.
Switch to menu Object > Address and create the following address objects for the later VPN connection setting.
L2TP_IFACE, HOST, 10.1.1.1
L2TP_HOST, HOST, 0.0.0.0
L2TP_Pool, Range, 192.168.2.1 ~ 192.168.2.10
Step 2. Switch to menu Object > User/Group and create one object for the L2TP application.
L2TP_user/1234, Local user
Step 2. Ensure My Address is configured with interface ge2 and the WAN IP address 10.1.1.1, and that the pre-shared key is 12345678. Click the OK button.
Step 3. Enable the rule by clicking the enable icon.
VPN > IPSec VPN > VPN Connection, click the Default_L2TP_VPN_GW entry's Edit icon.
Step 2. In particular, configure the policy enforcement as below. Click the OK button.
Step 3. Enable the rule by clicking the enable icon.
Step 1. Go to menu VPN > L2TP VPN and configure it as follows.
Configure Policy Route for L2TP
Step 1. Go to menu Network > Routing > Policy Route and configure it as follows.
Click Start > Control Panel > Network Connections > New Connection Wizard.
Step 2 Click Next in the Welcome screen.
Step 3 Select Connect to the network at my workplace and click Next.
Step 4 Select Virtual Private Network connection and click Next.
Step 5 Type L2TP to ZyWALL as the Company Name.
Step 6 Select Do not dial the initial connection and click Next.
Enter the domain name or WAN IP address configured as My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN (10.1.1.1 in this example). Click Next.
Step 8 Click Finish.
Step 11 Select Optional encryption allowed (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK.
Step 13 Select the Use pre-shared key for authentication check box and enter the pre-shared key used in the VPN gateway configuration that the ZyWALL is using for L2TP VPN. Click OK.
Step 18 Click Details to see that the address you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20).
Step 19 Access the HTTP server behind the ZyWALL USG 2000 to make sure your access works.
2) For example, to complete the above topology, the administrator needs to repeat the same steps at least five times and in total needs to establish 10 VPN tunnels. The tunnel list follows:
Tunnel 1: London - Madrid
(Topology figure: central site; spoke sites Amsterdam, Oslo, Paris, Hannover)
In a Star VPN topology, the ZyWALL 1050 acts as the central site (enabling Hub & Spoke VPN) and the spoke sites can be any model of the ZyWALL series.
We will separate each group as a member of each office, build up the VPN tunnel with headquarters and then route the VPN traffic across the HQ to the destination office's internal network.
The VPN configuration parameters:
Remote Office WAN: 10.59.1.11 | WAN: 10.59.1.10 | LAN: 192.168.100.0/24
HQ. Please refer to the above VPN parameter table to set up the VPN gateway and connection, as I don't list the detailed configuration steps here.
Configure the NL site address object for each remote office subnet
Set up the NL site address group that includes all the remote office subnets; the address object group is used as the policy route destination criterion. The screenshot below is the NL site VPN Gateway status page.
NL site VPN Connection status page
This means that if we want HQ to route the VPN traffic of 5 remote sites, we need to configure 5 VPN tunnels from the remote offices to HQ. For the HQ VPN tunnel setting, please refer to the table below.
Remote Office WAN: 10.59.1.11 | WAN: 10.59.1.10
Perfect Forward Secrecy (PFS): None | Perfect Forward Secrecy (PFS): None
Set up the remote offices' subnet address objects for the further VPN configuration.
Set up the HQ VPN Gateway for all the remote sites
On the concentrator edit page, click the add icon to add a VPN connection to this concentrator. The VPN traffic can be routed by HQ once the VPN connection has been added to the
Thus, this depends on how customers want to deploy their global VPN network. We can add the following policy route to allow the HQ subnet to connect with all the concentrator's remote subnets.
Regional Center devices, whereas the ZyWALL 2 Plus, 5, 35 and 70 are the regional remote sites' devices, which build VPN tunnels back to the Regional Center and provide connectivity with the other area's remote nodes via the VPN tunnel between the two Regional Centers.
We can check the status page to confirm correctness. Please refer to the ZyWALL5 user guide for detailed interface setting steps.
The VPN configuration parameters in the Asia Region:
Regional Center               | Regional Remote Sites
WAN: 179.25.3.24              | ZyWALL5 WAN: 179.25.106.124
Local Policy: 192.168.0.0/16  | Local Policy: 192.168.12.0/24
IP addresses" option because the local and remote policies are in an overlapping range in this application. If this feature is not activated, you will fail to access the device because the VPN tunnels are triggered.
ZyWALL35 interface and the VPN setup. The ZyWALL35 WAN and LAN interfaces are set as follows
VPN tunnel. The VPN tunnel status page after configuring the local center ZyWALL USG2000 tunnel.
Please refer to the application topology to set up the ZyWALL USG2000 interfaces first. We can move to the next steps only after setting up the interfaces. We use ge1 as the LAN interface and IP
ZyWALL USG2000 can do the next processing. This ZyWALL USG2000 is the local center of the Asia region. We need to set up the VPN tunnels between the local sites ZyWALL5 and ZyWALL35 and the Europe region center ZyWALL USG2000.
ZyWALL USG2000s. The VPN connection can fail over to the secondary gateway in case the primary gateway fails. After configuration, there will be three VPN gateways listed in the VPN Gateway status page.
VPN concentrator. Switch to the Concentrator sub-menu and click the Add icon to add a new concentrator. Give a name to this concentrator and then click the add icon to make the existing VPN connections members of this concentrator.
ZyWALL 2 Plus WAN and LAN interface setting
The VPN configuration parameters in the Europe Region:
Regional Center                | Regional Remote Sites
WAN: 220.123.113.8             | ZyWALL 2 Plus WAN: 220.123.65.117
Local Policy: 192.168.0.0/16   | Local Policy: 192.168.21.0/24
Remote Policy: 192.168.0.0/16  | Remote Policy: 192.168.21.0/16
Remember to activate the "VPN rules skip applying to the overlap range of local and remote IP addresses" option before configuring the VPN tunnel. Follow the VPN parameter table to configure the VPN tunnel.
ZyWALL70 WAN and LAN interface setting. Remember to activate the "VPN rules skip applying to the overlap range of local and remote IP addresses" option before configuring the VPN tunnel.
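The overlap problem the note above warns about, as an added example that is not ZyXEL's code: a small model of policy-based VPN rule matching that shows why a remote site whose remote policy (192.168.0.0/16) contains its own local subnet (192.168.21.0/24, the ZyWALL 2 Plus figures from the table on this page) pulls LAN-to-gateway traffic into the tunnel unless traffic whose both ends fall in the overlapping range is skipped. The matching semantics are an assumption modelling the documented option, not the firmware's actual implementation.

```python
from ipaddress import ip_address, ip_network

# Constructed from the Europe region table on this page: the ZyWALL 2 Plus
# has local policy 192.168.21.0/24 and remote policy 192.168.0.0/16, so the
# remote policy fully contains the local subnet (the "overlap range").
LOCAL_POLICY = ip_network("192.168.21.0/24")
REMOTE_POLICY = ip_network("192.168.0.0/16")


def overlap_range(local, remote):
    """Return the CIDR block shared by both policies, or None if disjoint."""
    if not local.overlaps(remote):
        return None
    # Two CIDR blocks that overlap must nest, so the smaller one is the overlap.
    return local if local.subnet_of(remote) else remote


def vpn_rule_applies(src, dst, local=LOCAL_POLICY, remote=REMOTE_POLICY,
                     skip_overlap=False):
    """Decide whether a packet src->dst is sent into the IPSec tunnel.

    skip_overlap models the "VPN rules skip applying to the overlap range of
    local and remote IP addresses" option (assumed semantics): when both the
    source and the destination lie inside the overlapping range, the packet is
    treated as local traffic and the VPN rule is not applied.
    """
    src, dst = ip_address(src), ip_address(dst)
    # Ordinary policy match: source in the local policy, destination in the
    # remote policy.
    if not (src in local and dst in remote):
        return False
    ov = overlap_range(local, remote)
    if skip_overlap and ov is not None and src in ov and dst in ov:
        return False
    return True


def explain(src, dst):
    """Summarise the effect of the option for one flow (used for a quick demo)."""
    without = vpn_rule_applies(src, dst, skip_overlap=False)
    with_skip = vpn_rule_applies(src, dst, skip_overlap=True)
    return {"flow": f"{src} -> {dst}", "tunneled_without_option": without,
            "tunneled_with_option": with_skip}


if __name__ == "__main__":
    # A LAN host talking to its own gateway's LAN IP (constructed addresses):
    # without the option this is wrongly captured by the VPN rule, which is
    # the "fail to access device" symptom described in the notes.
    print(explain("192.168.21.5", "192.168.21.1"))
    # Genuine traffic to another regional site is still tunneled either way.
    print(explain("192.168.21.5", "192.168.12.7"))
```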
Key Group: DH1
Phase 2                              | Phase 2
Encapsulation: Tunnel                | Encapsulation: Tunnel
Active Protocol: ESP                 | Active Protocol: ESP
Encryption: DES                      | Encryption: DES
Authentication: SHA1                 | Authentication: SHA1
Perfect Forward Secrecy (PFS): None  | Perfect Forward Secrecy (PFS): None
USG2000. Follow the VPN parameter tables to set up the three VPN gateways (IKE / IPSec Phase 1). We have to configure a secondary security gateway for the VPN gateway between both regional centers' ZyWALL USG2000s.
The next step is to create the VPN connection (IPSec / IPSec Phase 2). Make sure the parameters are correctly configured; otherwise the VPN will fail to dial. Below is the VPN connection global page.
The remote regional center ZyWALL USG2000 VPN connection is also treated as a member of this concentrator, and the packets will be sent to the remote center first and then
Remote Site 2
The benefits for the customer are:
‧ Dealing with the impact of unreliable WAN connectivity
‧ Mitigating the impact of a single point of failure
Below is the application topology. The L3 switch is configured with three VLANs to simulate the Internet environment, and traffic can be routed between each VLAN.
Set up the Master ZyWALL USG 2000; the configuration will auto-sync to the Backup ZyWALL USG 2000 via the Device HA setting.
Configure the interfaces and their corresponding zones
Set up the routing
Set up Device HA (Active-Passive)
LAN port and the ZyWALL USG 2000 will dispatch an IP to your PC. Then we can start to set up the basic interface and routing settings.
Step 1. Log in to the device and check the device status.
Step 2. We can check all the interface information on the Status display page.
The default interface configuration is as follows. We will configure ge2, ge3, ge1 and ge4 in turn. The user needs to click the "Edit" icon to modify the setting.
Step 3.1: ge2 (WAN1 interface) 220.123.123.2/255.255.255.0, Gateway: 220.123.123.1 (ZyWALL > Network > Interface > Edit > ge2)
By default the LAN zone is bound to ge1, the WAN zone is bound to ge2 and ge3, and the DMZ zone is bound to ge4 and ge5.
Step 3. Check the interface summary page to confirm the settings. (ZyWALL > Network > Interface > Interface Summary)
LAN and DMZ zone traffic going out to the network behind the WAN. Switch to ZyWALL > Network > Routing > Policy Route or Static Route to check the routing settings. The user can click the "Edit" icon to check the detailed settings.
We will configure the Device HA setting on the Master ZyWALL USG 2000 first. Then we can connect the Backup ZyWALL cables to the L3 and L2 switches and synchronize the configuration from the Master. Device HA will be ready after this and the Backup ZyWALL
ZyWALL is down, the Device HA status of the failed interface will remain "active" but the Device HA status of the rest of the non-failed interfaces will turn into "fault". This design will
Backup ZyWALL and navigate to activate Device HA in ZyWALL > Device HA > General. Afterwards, click "add" to create a Backup Device HA group in ZyWALL > Device HA > Active-Passive Mode. The detailed parameters should be taken from the topology.
IP. Now we can synchronize the configuration from the Master to the Backup. Switch to ZyWALL > Device HA > Active-Passive Mode > Synchronize and enter the Master ZyWALL admin account password. Input the LAN IP address of the Master ZyWALL
Backup ZyWALL USG 2000, and we can continue to set up the remaining HA group settings on the Backup; you can refer to the user guide for the detailed configuration. After these steps, the Device HA configuration is done.
USG 2000
1.5.2.2 Configuration Flow
The ZyXEL ZyWALL runs VRRP v2. Hence, you can only set up Device HA with other ZyWALLs of the same model running the same firmware version. In this example, there are two gateways with the following configuration. You first configure one gateway as the master and then configure the other one as the backup gateway.
Configuring the Manage IP for the LAN Interface on the Backup USG
Interconnecting the Master and the Backup
Test: Unplug the WAN cable on the Master
In this example, the network parameters are as in the following table.
Configuration on the Master
First, we decide on one gateway as the master router. Therefore, you enable Device HA and then configure it as the master router in the "Active-Passive mode (AP mode)" tab.
Configuring the Manage IP for the WAN Interface on the Master
After setting up the virtual router IP, we need to configure the management IP and its corresponding subnet for this master router.
After finishing the setting of WAN, you need to configure the setting of LAN for this master gateway. Configuring LAN interface In this figure, it shows that you need to set the parameters of LAN for master gateway. IN this example, we type ge1 Manage IP as 192.168.10.250. All contents copyright (c) 2008 ZyXEL Communications Corporation.
Page 118
Enable Device HA on the backup
Then, activate the “Device HA” function on the backup gateway and, at the same time, configure this gateway as the backup.

Assign a manage IP to the WAN interface on the Backup
The following figure shows the ge2 settings on the backup gateway. Next, we set the LAN parameters for the backup gateway.

Connect the Master and the Backup
After confirming the settings on both gateways, we link the two gateways. You should see the corresponding role shown in the HA status. The Master management IP is 192.168.1.2.

This is not the same as the administrator’s password; the default is the FTP service password. It is recommended to use the LAN to synchronize the configuration between the two devices.

In this figure, you can see from the HA status that the master router has gone down: the HA status changes to Fault on the Master and the Backup goes Active.

In this figure, the backup gateway is alive and in the “Active” state because the master gateway is now down. Hence, the backup gateway is handling all traffic.
Page 125
IM/P2P applications well can mitigate security breaches. Besides, restricting access to IM/P2P applications helps employees focus on their jobs, increasing productivity and reducing misuse of network resources such as bandwidth.

With ZLD 1.0x the ZyWALL can decide whether specific traffic may be forwarded or not, but it does not differentiate traffic from different sources. As a result, it may accidentally drop packets. For example, both the malicious/suspicious packets from WAN to LAN

ZyWALL AppPatrol according to the company IT policy:
- Boss: can use any Internet application without access control or bandwidth limitation.
- Sales: can use the instant messaging application (MSN) for text messages and file transfer

User     Group     Schedule       Bandwidth
Victor   Manager                  Unlimited
Peter    Sales     08:00-18:00    500k
John     RD        08:00-20:00
Guest    Guest

2. Navigate to ZyWALL > Object > User/Group > User tab and add the user ‘Victor’ as in the screen dump.

Sales group and add ‘John’ into the RD group.

STEP 2: Create Schedule Objects as Required
Go to menu ZyWALL > Object > Schedule and click the Add button under Recurring schedule to create a new schedule as follows. Click the ‘OK’ button to complete these settings and repeat the above steps to create a new schedule for RD-Group.

STEP 3: AppPatrol Configuration
1. Navigate to ZyWALL > AppPatrol > General and check ‘Enable Application Patrol’.
2. Go to the Instant Messenger tab and click the ‘Modify’ button on MSN for further configuration.
3. Enable the service.
2. Change the default access to ‘Reject’ and then click ‘OK’.
3. Create a new application policy rule by clicking the ‘+’ icon and fill out the settings as shown in the figure below.
(Figures: Application Policy for Manager-Group; Application Policy for Sales-Group; Application Policy for RD-Group)
4. Press the ‘OK’ button to complete the setting.
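The AppPatrol configuration above works because the application's default access is changed to Reject and the per-group application policy rules, each tied to a schedule object, carve out the allowed windows. The following Python model of that decision is an added example, not ZyXEL code and not the device's implementation. It uses the users, groups and schedules from the table in the text; the RD-Group bandwidth (unlimited) and the "first matching rule wins" evaluation order are assumptions.

```python
"""Model of the AppPatrol decision for one application (MSN): the
application's default access is 'Reject' and application policy rules
tied to a user group and a schedule object carve out allowed windows,
optionally with a bandwidth limit.

Added example, not ZyXEL code.  Users, groups and schedules follow the
table in the text; the RD-Group bandwidth (unlimited) and the
'first matching rule wins' ordering are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Tuple

# User objects and the group each belongs to (from the example table).
USER_GROUPS = {
    "Victor": "Manager-Group",
    "Peter": "Sales-Group",
    "John": "RD-Group",
    "Guest": "Guest",
}

# Recurring schedule objects: start inclusive, end exclusive.
SCHEDULES = {
    "Sales-Hours": (time(8, 0), time(18, 0)),
    "RD-Hours": (time(8, 0), time(20, 0)),
}


@dataclass(frozen=True)
class AppPolicyRule:
    group: str                     # user/group object the rule applies to
    schedule: Optional[str]        # schedule object name; None = always
    action: str                    # "allow" or "reject"
    bandwidth_kbps: Optional[int]  # None = unlimited


# Application policy rules for MSN, evaluated top-down (ordering assumed).
MSN_RULES = [
    AppPolicyRule("Manager-Group", None, "allow", None),
    AppPolicyRule("Sales-Group", "Sales-Hours", "allow", 500),
    AppPolicyRule("RD-Group", "RD-Hours", "allow", None),   # bandwidth assumed
]
MSN_DEFAULT_ACTION = "reject"   # step 2: default access changed to 'Reject'


def parse_hhmm(hhmm: str) -> time:
    return datetime.strptime(hhmm, "%H:%M").time()


def schedule_active(name: Optional[str], now: time) -> bool:
    """True when the named recurring schedule covers 'now' (None = always)."""
    if name is None:
        return True
    start, end = SCHEDULES[name]
    return start <= now < end


def evaluate(user: str, hhmm: str) -> Tuple[str, Optional[int]]:
    """Return (action, bandwidth_kbps) for 'user' using MSN at time 'hhmm'.

    A rule matches only when both its group and its schedule match.  A
    user whose rules are all outside their schedule falls through to the
    application default, which is why that default has to be 'reject'
    for the time window to restrict anything.  Unknown users are treated
    as Guest.
    """
    now = parse_hhmm(hhmm)
    group = USER_GROUPS.get(user, "Guest")
    for rule in MSN_RULES:
        if rule.group == group and schedule_active(rule.schedule, now):
            return rule.action, rule.bandwidth_kbps
    return MSN_DEFAULT_ACTION, None


if __name__ == "__main__":
    for user, when in [("Victor", "23:00"), ("Peter", "09:30"),
                       ("Peter", "19:00"), ("John", "19:00"), ("Guest", "12:00")]:
        print(f"{user:6} {when}  ->  {evaluate(user, when)}")
```

Peter at 09:30 is allowed with a 500 kbps limit and at 19:00 is rejected by the application default; Guest, which has no rule at all, is rejected at any time. If the default were left at Allow, the schedule on the Sales rule would only change Peter's bandwidth limit, not his access.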
Page 134
LAN to DMZ or WAN to DMZ, the Anti-Virus engine always scans the email transaction to ensure the email is not infected. Thus, it is unnecessary to scan every outgoing email from the DMZ again. Please follow the instructions in order to achieve this result:

2) Assign an IP to wan1 and another to the DMZ. Leave the rest of the settings at their defaults, which disables the DHCP server on these two interfaces. Tips: you do not need a gateway here since this interface is directly connected to the ZyWALL

2) Assign the proper ports to the zones. You can check the port zone status in ZyWALL > Network > Interface > Port Role. In this example, we only need P4 in the LAN1 zone and P6 in the DMZ zone.

LAN zone, WAN1 in the WAN zone and the DMZ in the DMZ zone.
4) Create 3 policies: WAN to LAN, WAN to DMZ, and LAN to DMZ. Navigate to Anti-X > Anti-Virus. In the Policies section, click the “Add” button.
5) To create one policy and enable this rule, configure the direction from WAN to LAN and select which protocols you want to scan.
6) To create another policy and enable this rule, configure the direction from WAN to DMZ and select which protocols you want to scan.
9) Test: send an email containing a virus from the LAN to the mail server in the DMZ.
10) Check the log again from Maintenance > Log. Filter the log by selecting Anti-Virus from the Display drop-down list. We can see that the viruses have been destroyed correctly.

2) Check the Enable checkbox and enter the file name in the File Pattern field. In this example, we want to destroy a file named “Virus.exe”, so we enter it in the field.
5) Check the system log from Maintenance > Log and select Anti-Virus from the Display drop-down list.

2.2.3 Enabling Anti-Virus Statistics Report
1) Navigate to Maintenance > Report, click the Anti-Virus tab and check the Collect Statistics checkbox.
2) Click the Apply button.
Page 143
Configuration flow: setting the WLAN parameters in the USG; testing the wireless connection between a client and the USG.
In this example, the following parameters are applied in the ZyWALL USG 200:
SSID: USG 200
DHCP Server: 192.168.77.1
IP Pool: 192.168.77.51-60

First, you must check whether the wireless card is installed in your device and is detected by the ZyWALL USG 2000. In the following figure, you can see that the wireless card, a ZyXEL G-170S, has been installed and detected by the ZyWALL USG 2000.

2.3.2 MAC filter in WLAN
In the WLAN of the ZyXEL USG, you can also specify which MAC address(es) are allowed or denied access to this WLAN service.

In this example, you allow a given MAC address to access the WLAN service. After setting the MAC filter parameters, you can check it by using a wireless device to access the WLAN of the ZyXEL USG. From the client's view, you can see a WLAN service with the SSID shown as USG200. Note that a MAC filter only restricts which adapters may associate; a client's MAC address can be changed by its user, so the filter complements, rather than replaces, wireless encryption and authentication.
Page 147
Internet access; it is light to carry anywhere and can use a 3G card to dial up for Internet access. Besides, you could use the embedded wireless card to provide

WAN link becomes disconnected. At that moment, the 3G wireless network can become active to take over the function of the wired WAN. We will show you how to configure this function step by step.

2.4.1.1 Configuration procedure
Configuration flow: install the 3G card; set the 3G card parameters in the ZyXEL USG 2000.
Step 1. Plug the 3G card into the ZyWALL USG 2000's card slot before powering on the ZyWALL USG device. The figure shows the 3G card, a Sierra Wireless AC850, installed in the ZyWALL USG.

Step 5. Next, you have to enter the PIN code for the ZyWALL USG 2000 to dial up the 3G wireless network. You can also use this 3G wireless network as a backup WAN link; to do so, select the checkbox “Add this interface to Trunk to allow WAN load balance.”

Step 6. Next, click the Trunk tab to edit the WAN_Trunk details.

Step 8. In this step, you assign the load-balance mode for the 3G wireless network. Passive mode means that the 3G network becomes the backup link once the main WAN link fails.

WAN link, WAN1. Then the WAN1 link fails: there is no ICMP response and the pings time out. After a while, the backup link, the cellular network, takes over the WAN link, and the ZyWALL USG receives ICMP responses again.

Step 11. If the dial-up succeeds, you see the GUI home page as shown below, with the "Cellular1 is connected" and "3G card's signal strength" messages in the latest alerts.
Page 156
IP addresses (as those in the WAN zone) for effortless IP management. Additionally, the IP addressing in the LAN zone uses private IP segments. Thus, we apply NAT, which is the router mode here. To make this scenario work, follow the configuration steps below:

Thus, it needs an IP address. You may use the same IP address that it used on the WAN interface,

3) Switch to Network > Routing > Policy Route to modify the default rule there. The default rule is for Router Mode (NAT Mode). Since we have two different modes co-existing here, we need to make some adjustments to this rule.

There is a web server located in the DMZ zone. The Virtual Server setting in the ZyWALL USG 2000 is required here for people outside on the WAN to access the web pages located on the Web

IP from the WAN port to our internal web server, which is 192.168.1.55. In this case, our web server is running on TCP 80; therefore, we pick TCP 80 for our mapping.

Since it is a web server, we choose “HTTP” as the Service and “Allow” for the access action. Tips: do not forget to place your rule before the default “Deny all” rule in the WAN-to-LAN direction, and keep its destination limited to the web server's address object and the HTTP service so that the exception does not open other hosts or ports.
Page 162
ZyWALL USG 2000 zone-based IDP protection provides the most flexible protection for each customer. Malicious attacks can be stopped at the gateway, customers’ servers are securely protected, and a notification alert can be sent to the involved parties or individuals.

1) Log in to the ZyWALL USG 2000 GUI and go to Network > Interface > Port Role. Since we are going to have three internal networks in our scenario, we make P5 and P6 two more networks for the DMZ and LAN2.

11) Now we can assign an IP domain to P4 and another to P5. Other settings are all optional. In this example, we keep the default values, which disable the DHCP server on these two interfaces. Tips: you do not need a gateway here since this interface is directly connected to the ZyWALL USG 2000.
12) Your final summary of the Ethernet interfaces should look like the figure below.

14) Although the DMZ zone already exists, click the “edit” icon of the DMZ zone and then select the P5 interface for the DMZ zone.
15) Before you apply the IDP profiles, make sure that the IDP service on your ZyWALL USG 2000 is licensed.

30-day free trial of the IDP service. Just register your ZyWALL USG 2000 and it will receive the license automatically. A page that is already registered is shown here.

17) Now go to Anti-X > IDP. Enable the IDP checkbox to activate the IDP service on your ZyWALL USG 2000.
Page 169
Hence, anti-spam is a major requirement for businesses to protect their network environment. This feature is now built into the ZyWALL USG 2000. Anti-spam provides an efficient method for an enterprise to restrict floods of spam mail.

In this case, the email server is located at the ISP or on the Internet, which means the end user receives email through the POP3 protocol only. It also means that the email server is located outside the ZyWALL USG.

DNSBL website. Here, we select “POP3” in the “protocol to scan” option. Then, check the DNSBL checkbox in the “scan options.”

Afterwards, we click the DNSBL tab to edit the trusted DNSBL websites. In this step, we activate DNSBL checking and then edit the list, entering the DNSBL websites we will refer to. There are many reference DNSBL

In other words, scan all incoming emails before they are received by our email server. Hence, we must scan based on the SMTP protocol and DNSBL.

First, we select the checkbox to enable anti-spam. Then, we choose SMTP and the DNSBL option to be checked.

Next, select the DNSBL tab to configure more details. In the DNSBL tab, we activate DNSBL checking and then edit the list, entering the DNSBL websites we will refer to. Please remember to APPLY the

IP address of relay email servers, email address.

3.3.3.1 Configuration procedure
Configuration flow: enabling Anti-Spam; adding a policy; editing the Black/White list; clicking the Apply button to apply it; test result: the subject of the email has been tagged.

In this example, we consider the SMTP email server to be outside the LAN.

3.3.3.3 Steps to configure the B/W list
Step 1. Enabling Anti-Spam
First, we activate the “Anti-Spam” function: ZyWALL > Anti-X > click the Add button.

Here, you need to select the checkbox and, if you want, add a special tag to the subject of suspected spam emails. Then, we edit our own black list, which lists the relay email servers we do not trust.

In this example, we use the sender type or the mail relay IP address to judge whether the mails are spam.
Step 5. Apply the settings. In the following figure, we can see the new entry in the black list.
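The two anti-spam checks described in sections 3.3.2 and 3.3.3, the DNSBL lookup on the relay's IP address and the administrator's own black/white list of relay IPs and sender addresses, combine into one verdict per message. The following Python is an added example, not ZyXEL code: it builds the DNSBL query name the way DNSBL zones expect it (reversed IPv4 octets under the zone), interprets the 127.0.0.x answer, and applies the lists with the white list taking precedence. The zone name dnsbl.example, the in-memory DNS table and all addresses are constructed so that it runs offline.

```python
"""Anti-spam decision for one inbound message combining a DNSBL lookup on
the connecting relay's IP with a black/white list of relay IPs and sender
addresses, tagging the subject of suspected spam.

Added example, not ZyXEL code.  The DNSBL zone 'dnsbl.example', the
FAKE_DNS table and the addresses are constructed; a real deployment
resolves the query name with DNS instead of FAKE_DNS.
"""
import fnmatch
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# A list entry is ("ip", "<address or CIDR>") or ("sender", "<glob pattern>").
ListEntry = Tuple[str, str]


def dnsbl_query_name(relay_ip: str, zone: str) -> str:
    """DNSBL query name: reversed IPv4 octets under the zone,
    e.g. 192.0.2.25 in dnsbl.example -> 25.2.0.192.dnsbl.example"""
    octets = str(ipaddress.IPv4Address(relay_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


# Constructed stand-in for a DNS A lookup: name -> answer, missing = NXDOMAIN.
FAKE_DNS: Dict[str, str] = {
    "25.2.0.192.dnsbl.example": "127.0.0.2",   # 192.0.2.25 is listed
}


def dnsbl_listed(relay_ip: str, zone: str, resolve: Callable[[str], Optional[str]]) -> bool:
    """A relay is listed when the zone answers with a 127.0.0.0/8 code.
    Any other answer is treated as 'not listed' so that a broken or
    wildcarding zone cannot silently block all mail."""
    answer = resolve(dnsbl_query_name(relay_ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def list_matches(entries: List[ListEntry], relay_ip: str, sender: str) -> bool:
    """True if any entry matches the relay IP (exact or CIDR) or the sender (glob)."""
    ip = ipaddress.IPv4Address(relay_ip)
    for kind, pattern in entries:
        if kind == "ip" and ip in ipaddress.IPv4Network(pattern, strict=False):
            return True
        if kind == "sender" and fnmatch.fnmatchcase(sender.lower(), pattern.lower()):
            return True
    return False


def classify(relay_ip: str, sender: str, subject: str, *,
             whitelist: List[ListEntry], blacklist: List[ListEntry],
             zone: str, resolve: Callable[[str], Optional[str]],
             tag: str = "[SPAM] ") -> Tuple[str, str]:
    """Return (verdict, subject).  The white list wins over both the black
    list and the DNSBL, so a trusted relay is never tagged because of a
    stale DNSBL entry; the black list is consulted before the DNSBL so a
    known-bad relay is tagged even when the DNSBL is unreachable."""
    if list_matches(whitelist, relay_ip, sender):
        return "clean", subject
    if list_matches(blacklist, relay_ip, sender):
        return "spam-blacklist", tag + subject
    if dnsbl_listed(relay_ip, zone, resolve):
        return "spam-dnsbl", tag + subject
    return "clean", subject


if __name__ == "__main__":
    # Constructed sample messages: (relay IP, sender, subject)
    samples = [("192.0.2.25", "alice@example.org", "Hello"),
               ("203.0.113.9", "bob@spam.example", "Buy now"),
               ("203.0.113.9", "carol@example.org", "Minutes")]
    for relay, sender, subject in samples:
        print(relay, sender, classify(relay, sender, subject, whitelist=[],
                                      blacklist=[("sender", "*@spam.example")],
                                      zone="dnsbl.example", resolve=FAKE_DNS.get))
```

The DNSBL check only makes sense where the ZyWALL sees the connecting relay's address, which is why the SMTP scenario (mail server inside) benefits from it more than the POP3 scenario, where the relay that delivered the mail to the ISP is no longer visible.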
Page 180
If bandwidth is expensive in your region, a QoS-style approach may make more sense than simply adding more bandwidth. It is assumed that there is insufficient capacity for all users to complete what they want at the same time.

WAN Trunk in this scenario. Now we need to create the Bandwidth Management policies for our application. Log on to the ZyWALL USG 2000 GUI and go to Configuration > Policy > Route > Policy Route. Then click “+” to add a new policy

We can assign this policy a relatively high priority (like 100) so that, even if the bandwidth is not enough, the SMTP service still gets more bandwidth than the other types of network services.

3) Repeat the above steps to create two more policy routes for the “WWW” and “FTP” services. In the policy routes you can set their Maximum Bandwidth to 800 Kbps and 100 Kbps along with a priority value. Below is what you should have so far:

WAN is 1.5 Mbps. We have already spent 400 kbps for SMTP, 800 kbps for HTTP, and 100 kbps for FTP. What is left over is 200 kbps, which we can apply to the remaining traffic, that is, our default route.

5) Modify the bandwidth and priority values in the default policy route. Click “OK” to apply.
9) Now the final list should look like the one below:

  next-hop trunk WAN_TRUNK
  snat outgoing-interface
  bandwidth 400 priority 100
  exit

CLI commands for applying bandwidth and priority to the default policy route:

  policy 4          (the number of your default policy)
  no user
  interface ge1
  source LAN_SUBNET
  destination any
  no schedule
  service any
  next-hop trunk WAN_TRUNK
  snat outgoing-interface
  bandwidth 200 priority 1024
  exit
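The arithmetic behind the plan above (1.5 Mbps minus the three reserved maxima leaves 200 kbps for the default route) is easy to get wrong once more policies are added, and the CLI listing is repetitive. The following Python is an added example, not ZyXEL code: it keeps the plan as data, refuses a plan that over-commits the trunk, derives the default route's bandwidth from what is left, and renders the same ZLD commands the page shows, with "configure terminal" as the first line so the output can be run as a shell script. The object names LAN_SUBNET, WAN_TRUNK and ge1, the policy numbers 1 to 4, and the priorities 100 and 1024 are from the text; the service object names SMTP, HTTP and FTP and the priorities 200 and 300 for HTTP and FTP are assumptions.

```python
"""Policy-route bandwidth plan for a 1.5 Mbps WAN trunk, checked for
over-commitment and rendered as ZLD CLI.  Added example, not ZyXEL code.

Object names (LAN_SUBNET, WAN_TRUNK, ge1), policy numbers and the
priorities 100 (SMTP) and 1024 (default route) follow the text; the
service object names and the priorities 200/300 for HTTP/FTP are assumed.
"""
from dataclasses import dataclass
from typing import List

WAN_KBPS = 1500   # link capacity used in the text


@dataclass(frozen=True)
class BwmPolicy:
    number: int
    service: str          # service object; "any" for the default route
    max_kbps: int         # Maximum Bandwidth of the policy route
    priority: int         # lower value = higher priority on this platform
    source: str = "LAN_SUBNET"
    interface: str = "ge1"
    trunk: str = "WAN_TRUNK"


PLAN: List[BwmPolicy] = [
    BwmPolicy(1, "SMTP", 400, 100),
    BwmPolicy(2, "HTTP", 800, 200),   # priority assumed
    BwmPolicy(3, "FTP", 100, 300),    # priority assumed
]


def leftover_kbps(policies: List[BwmPolicy], link_kbps: int = WAN_KBPS) -> int:
    """Bandwidth left for the default route; negative means over-committed."""
    return link_kbps - sum(p.max_kbps for p in policies)


def add_default_route(policies: List[BwmPolicy], link_kbps: int = WAN_KBPS,
                      number: int = 4) -> List[BwmPolicy]:
    """Append the default policy route with whatever the link has left.

    Raises ValueError instead of emitting a plan in which the reserved
    maxima already exceed the link, since the default route would then
    starve and the priorities would never actually arbitrate anything.
    """
    left = leftover_kbps(policies, link_kbps)
    if left <= 0:
        raise ValueError(f"policies exceed the link by {-left} kbps; "
                         "nothing is left for the default route")
    return policies + [BwmPolicy(number, "any", left, 1024)]


def render_cli(policies: List[BwmPolicy]) -> str:
    """Emit a ZLD shell script; 'configure terminal' must be the first line."""
    lines = ["configure terminal"]
    for p in policies:
        lines += [
            f"policy {p.number}",
            " no user",
            f" interface {p.interface}",
            f" source {p.source}",
            " destination any",
            " no schedule",
            f" service {p.service}",
            f" next-hop trunk {p.trunk}",
            " snat outgoing-interface",
            f" bandwidth {p.max_kbps} priority {p.priority}",
            " exit",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_cli(add_default_route(PLAN)))
```

Adding a fourth reservation of, say, 500 kbps makes leftover_kbps negative and add_default_route raises, which is the check to run before pasting a generated script into the device.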
Page 188
6. You may be connecting to the ZyWALL USG 2000 from a WAN interface, which is blocked by default. If you do not want this block rule, go to GUI menu System > WWW and set it to accept access from ‘WAN’ or from ‘All’. Opening management from the WAN exposes the administration interface to the Internet; if it is required, restrict it to specific source addresses in the service control list rather than allowing all.

By default, the firewall blocks all access except traffic such as VRRP, IPSec ESP, IPSec AH, IPSec NAT-T and IPSec IKE.

A03. What is the difference between the “Admin Service Control” and “User Service Control” configuration in GUI menu System > WWW?

500 VPN settings. Please connect to the console and you can see which process the system is running. Note: if the system is processing OK, the admin can connect to the ZyWALL USG 2000’s lan1 port, which has IP address 192.168.1.1 by default.

Set the transfer mode to binary (use “bin” in the Windows command prompt).
4. Upload the firmware (for example, use the command “put 1.00(XL.1)C0.bin” to upload the firmware file).
5. Wait for the FTP upload to complete; the ZyWALL USG 2000 restarts automatically.

1. The next time the device synchronizes with myZyXEL.com.
2. When the user clicks the “Service License Refresh” button on the ZyWALL > Licensing > Registration > Service page.

It is mandatory to have at least 70 MB of free memory before upgrading the firmware. If you still cannot free enough memory to upgrade the firmware, you can perform the upgrade after a system reboot, which frees up memory.

C06. Why can’t I run a shell script successfully?
Please ensure that you follow the correct CLI command syntax when writing the script, and make sure that you add “configure terminal” as the top line of the script file.
Page 195
SSL VPN, you can simply click the “Add” button; it pops up a new window linked to the “User Configuration” page, so you do not have to leave the page on which you are configuring the access policy.

If you have several redundant LDAP/RADIUS servers, you may need to create your own LDAP/RADIUS server groups. But do not forget to select the LDAP/RADIUS server group in the authentication method chosen for authentication.

LAN PCs. So make sure that none of the interfaces that provide the DNS server go down because of link down, ping-check failure or being disabled.

E05. Why does the PPP interface dial successfully even when its base interface goes down?
The base interface is just a reference that the ZyWALL uses to connect to the PPP server. If you have another active interface/route, the ZyWALL will try to maintain connectivity.
Page 199
For a general application, users access the web service by entering the FQDN (Fully Qualified Domain Name, e.g. http://www.zyxel.com) rather than an IP address, because the domain name is easier to remember. However, when both the server and the client are located behind the same NAT, a triangle route problem is encountered.

1-1 NAT mapping configuration: first create two address objects, WEB_WAN as 192.168.35.100 and WEB_LAN as 192.168.105.37. After that, create the Virtual Server rule for incoming DNAT translation so that the server can be reached from the outside network.

In order to run NAT loopback on the ZyWALL USG 2000, please add these rules after you finish the 1-1 NAT mapping. First, add one Virtual Server rule for LAN usage. All the parameters are the same as those set for the 1-1 NAT mapping, except the Interface item.

This Policy Route rule makes all internal access to the server go through SNAT translation. This forces all the traffic to go back through the ZyWALL USG 2000 and avoids the triangle route problem.
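Why the LAN-side Virtual Server rule alone is not enough, and why the SNAT policy route fixes it, is easier to see with the packets written out. The following Python simulation is an added example, not ZyXEL code: it walks a LAN client's request to WEB_WAN:80 through three gateway configurations (DNAT on the WAN interface only, DNAT on lan1 as well, DNAT plus the SNAT policy route) using the two address objects from the text. The client address 192.168.105.50, the gateway LAN address 192.168.105.1, the /24 LAN mask and the interface name lan1 are assumptions.

```python
"""Simulation of the NAT loopback (triangle route) problem: a LAN client
opens the web server by its public address while the server sits on the
same LAN.  Uses the address objects from the text (WEB_WAN
192.168.35.100, WEB_LAN 192.168.105.37).

Added example, not ZyXEL code.  The client address, the gateway LAN
address, the /24 LAN mask and the interface name 'lan1' are assumptions.
"""
from dataclasses import dataclass, replace
import ipaddress

WEB_WAN = "192.168.35.100"
WEB_LAN = "192.168.105.37"
GW_LAN = "192.168.105.1"                              # assumed
CLIENT = "192.168.105.50"                             # assumed
LAN_NET = ipaddress.IPv4Network("192.168.105.0/24")   # assumed


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class Gateway:
    """Virtual Server (DNAT) rule WEB_WAN:80 -> WEB_LAN:80 bound to a set of
    ingress interfaces, plus an optional policy route that SNATs looped-back
    LAN traffic to the gateway's own LAN address."""

    def __init__(self, dnat_interfaces, snat_loopback):
        self.dnat_interfaces = frozenset(dnat_interfaces)
        self.snat_loopback = snat_loopback

    def forward(self, pkt, ingress):
        """Translate a client packet on its way to the server."""
        if pkt.dst == WEB_WAN and pkt.dport == 80 and ingress in self.dnat_interfaces:
            out = replace(pkt, dst=WEB_LAN)
            if self.snat_loopback and ingress == "lan1":
                out = replace(out, src=GW_LAN)
            return out
        return pkt   # no matching Virtual Server rule on this interface

    def reverse(self, reply, original):
        """Undo both translations for a reply belonging to a tracked session."""
        return Packet(src=original.dst, dst=original.src,
                      sport=reply.sport, dport=reply.dport)


def server_reply(pkt):
    return Packet(src=pkt.dst, dst=pkt.src, sport=pkt.dport, dport=pkt.sport)


def lan_client_connect(gw):
    """Outcome of a LAN client connecting to WEB_WAN:80 through 'gw'.

    'ok'                        reply arrives from the address the client used
    'reply-from-wrong-address'  server answered the client directly (triangle route)
    'routed-to-wan'             no DNAT rule on lan1, request left towards the WAN
    """
    request = Packet(CLIENT, WEB_WAN, 40000, 80)
    to_server = gw.forward(request, "lan1")
    if to_server.dst != WEB_LAN:
        return "routed-to-wan"
    reply = server_reply(to_server)
    # Server-side routing: a destination inside its own subnet is delivered
    # directly (bypassing the gateway); anything else goes via the gateway.
    if ipaddress.IPv4Address(reply.dst) in LAN_NET and reply.dst != GW_LAN:
        delivered = reply                        # untranslated, src = WEB_LAN
    else:
        delivered = gw.reverse(reply, request)   # gateway un-NATs both ends
    if delivered.src == WEB_WAN and delivered.dst == CLIENT:
        return "ok"
    return "reply-from-wrong-address"


if __name__ == "__main__":
    print("1-1 NAT only:              ", lan_client_connect(Gateway({"wan1"}, False)))
    print("+ LAN Virtual Server rule: ", lan_client_connect(Gateway({"wan1", "lan1"}, False)))
    print("+ SNAT policy route:       ", lan_client_connect(Gateway({"wan1", "lan1"}, True)))
```

In the middle case the client's TCP stack receives a SYN/ACK from 192.168.105.37 for a connection it opened to 192.168.35.100 and discards it; the SNAT policy route makes the server see the gateway as the peer, so the reply returns through the ZyWALL and is translated back.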
Page 203
This feature allows port/host mapping from a WAN interface IP to an internal DMZ/LAN IP. For example, if you want to forward HTTP traffic on port 8080 to the ZyWALL 5 in the ZyWALL USG 2000’s DMZ zone, you need to configure a virtual server to

The ZyWALL USG 2000 searches in the following order:
1. Local and directly connected subnet table.
2. Policy route rules.
3. Main table, which includes routes learned from RIP/OSPF, static routes and default routes.
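The lookup order above has consequences that are easy to miss: a policy route, such as the one later in this FAQ that steers traffic for the VPN remote subnet into the tunnel, can never override a directly connected subnet, but it does override a more specific route in the main table. The following Python is an added example, not ZyXEL code, that implements the three-stage lookup with longest-prefix match inside the main table; the addresses, next hops and interface names in it are constructed.

```python
"""Route lookup in the order the FAQ gives: (1) local and directly
connected subnets, (2) policy route rules in list order, (3) the main
table (RIP/OSPF, static and default routes) with longest-prefix match.

Added example, not ZyXEL code; all addresses, next hops and names are
constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str    # "direct" for connected subnets, else a gateway or trunk
    source: str      # "connected", "static", "rip", "ospf" or "default"


@dataclass(frozen=True)
class PolicyRoute:
    src_prefix: str
    dst_prefix: str
    next_hop: str


def _matches(prefix: str, ip: str) -> bool:
    return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(prefix)


def lookup(dst: str, src: str, connected: List[Route], policies: List[PolicyRoute],
           main_table: List[Route]) -> Tuple[str, Optional[str]]:
    """Return (table, next_hop) chosen for a packet from 'src' to 'dst'."""
    # 1. local and directly connected subnet table
    for r in connected:
        if _matches(r.prefix, dst):
            return "connected", r.next_hop
    # 2. policy routes: first match wins, and the criteria include the source
    for p in policies:
        if _matches(p.src_prefix, src) and _matches(p.dst_prefix, dst):
            return "policy", p.next_hop
    # 3. main table: longest prefix match among RIP/OSPF, static and default
    best: Optional[Route] = None
    for r in main_table:
        net = ipaddress.IPv4Network(r.prefix)
        if ipaddress.IPv4Address(dst) in net and (
                best is None or net.prefixlen > ipaddress.IPv4Network(best.prefix).prefixlen):
            best = r
    if best is None:
        return "unroutable", None
    return best.source, best.next_hop


# Constructed tables for the demonstration.
CONNECTED = [Route("192.168.1.0/24", "direct", "connected")]
POLICIES = [PolicyRoute("192.168.1.0/24", "10.8.0.0/16", "vpn_tunnel")]  # LAN -> VPN remote subnet
MAIN = [
    Route("0.0.0.0/0", "WAN_TRUNK", "default"),
    Route("10.8.1.0/24", "10.0.0.2", "ospf"),
]


def demo(dst: str, src: str = "192.168.1.20") -> Tuple[str, Optional[str]]:
    return lookup(dst, src, CONNECTED, POLICIES, MAIN)


if __name__ == "__main__":
    for dst, src in [("192.168.1.9", "192.168.1.20"), ("10.8.1.5", "192.168.1.20"),
                     ("10.8.1.5", "172.16.0.5"), ("8.8.8.8", "192.168.1.20")]:
        print(f"{src:>14} -> {dst:<12} {demo(dst, src)}")
```

The third sample shows the source-dependent behaviour: the same destination 10.8.1.5 goes into the tunnel for LAN hosts but follows the OSPF route for any other source, which is the kind of gap to check when a VPN policy route "works from some hosts only".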
Page 205
The port trigger works only when there is a connection matching that policy route rule. Please note that the firewall may block the triggered services, so if you have problems with triggering the service, check the firewall settings and its logs too.

F12. Why can’t the ZyWALL learn routes from RIP and/or OSPF?
The ZyWALL blocks RIP/OSPF routing advertisements from WAN/DMZ by default. If you find that it fails to learn the routes, check your firewall to-ZyWALL rules.

We need a policy route to tell the ZyWALL USG 2000 to send a packet into the VPN tunnel when the packet’s destination address is in the VPN remote subnet. Please switch to ZyWALL USG

If the traffic doesn't match the policy and policy enforcement is active, it is dropped by the VPN. For inbound traffic SNAT/DNAT, check whether there is a directly connected subnet or a route rule to the destination.

You need to set the access control rules in System for each service, such as DNS, ICMP, WWW, SSH, TELNET, FTP and SNMP. After the b6 image, users can configure to-ZyWALL rules to manage traffic destined to the ZyWALL.
Page 210
Application          Client                    Test item
                     Outlook Express 6         Protocol detect
Common SMTP          Outlook Express 6         Protocol detect
aol-icq              ICQ 5.1                   audio
aol-icq              ICQ 5.1                   video
aol-icq              ICQ 5.1                   file transfer
aol-icq              ICQ 5.1                   Login
aol-icq              ICQ 5.1                   Message
                                               Protocol detect
VoIP H323            Netmeeting 3.01           Protocol detect
VoIP                 Windows Messenger 5.1     Protocol detect
VoIP                 Gizmo 3.0                 Protocol detect

I03. Why does the application patrol fail to drop/reject invalid access for some

(1) Defines the port used in the ZyWALL USG 2000. For easy configuration, the ZyWALL has been pre-configured with the frequently used service ports. For example, the eDonkey service is pre-defined to take action on ports 4661 ~ 4665, as shown below.

2. App. Patrol: App. Patrol supports both outbound BWM and inbound BWM. If traffic matches the BWM rules of both a Policy Route and App. Patrol, the Policy Route is applied to the traffic.
Page 214
No, the new ZLD platform 2.0x enhances the zone-to-zone mechanism, and the old settings cannot be migrated into the new AppPatrol. Therefore, the user will be required to reconfigure the related settings after completing the firmware upgrade.

The following are the 3 major differences made in ZLD 2.0x for the USG 2000:
IDP: inspects via signature. An IDP system can detect malicious or suspicious packets and respond instantaneously. It is designed to detect pattern-based attacks.
System Protection: System Protection gives the ZyWALL the ability to protect itself against host-based intrusions. ZyXEL can prevent not only network intrusions but also host-based intrusions.
Zone to Zone Protection: a zone is a combination of ZyWALL interfaces for security purposes. Traffic direction is defined by the zone the traffic is coming from and the zone the traffic is going to.

J09. After an IDP signature update, does the ZyWALL require a reboot for the new signatures to take effect?
No, it is not necessary to reboot the device for the new signatures to take effect.

MSN Messenger wants to access are not in the trusted website list, access is blocked. If you really want this option enabled, you have to add these websites to the trusted websites list.
Page 219
HA group cannot detect the faulty event encountered on the master router. You can click Device HA in the left panel and check the “Enable” checkbox to enable “Monitored Interface.”

MUST forward the VRRP multicast to the backup ZyWALL USG 2000; otherwise the backup ZyWALL will never receive the VRRP announcement. Please ensure that the switch forwards the multicast VRRP announcement (224.0.0.18) by enabling the "Unknown multicast flooding" option in the switch settings.
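Both the Device HA procedure in section 1.5.2 and the FAQ entry above come down to the same packet: the backup only stays passive while it keeps receiving valid VRRP v2 advertisements from the master on 224.0.0.18 (IP protocol 112), which is why an inter-switch link that drops unknown multicast turns into a split-brain with two Active units. The following Python is an added example, not ZyXEL code: it builds a VRRP v2 advertisement with a correct checksum, parses and validates one the way a backup router does before resetting its master-down timer, and computes that timer from the advertisement interval and the backup's priority as RFC 3768 specifies. VRID 10, priority 100 and the virtual IP 192.168.10.1 are constructed values.

```python
"""VRRP version 2 advertisement as a backup router receives it over
multicast 224.0.0.18 (IP protocol 112): build one, parse and validate
one, and compute the master-down interval that decides how fast the
backup goes Active.

Added example, not ZyXEL code; layout and timers follow RFC 3768.
VRID 10, priority 100 and the virtual IP 192.168.10.1 are constructed.
"""
import ipaddress
import struct

VRRP_MCAST = "224.0.0.18"
VRRP_PROTO = 112


def ones_complement_checksum(data: bytes) -> int:
    """Standard Internet checksum over 16-bit words (zero-padded if odd)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid: int, priority: int, vips, adver_int: int = 1,
                        auth: bytes = b"") -> bytes:
    """VRRPv2 message: ver/type, VRID, priority, count, auth type,
    advertisement interval, checksum, N x IPv4 address, 8 bytes auth data."""
    auth_type = 1 if auth else 0
    auth_data = auth.ljust(8, b"\x00")[:8]
    header = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(vips),
                         auth_type, adver_int, 0)
    body = b"".join(ipaddress.IPv4Address(v).packed for v in vips) + auth_data
    chk = ones_complement_checksum(header + body)
    return header[:6] + struct.pack("!H", chk) + body


def parse_advertisement(pkt: bytes) -> dict:
    """Return the fields, or raise ValueError if this is not a valid VRRPv2 advert."""
    if len(pkt) < 16:
        raise ValueError("short packet")
    vt, vrid, prio, count, auth_type, adver_int, _chk = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != 2 or vt & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement")
    if ones_complement_checksum(pkt) != 0:       # valid packets sum to zero
        raise ValueError("bad checksum")
    if len(pkt) != 8 + 4 * count + 8:
        raise ValueError("length does not match address count")
    vips = [str(ipaddress.IPv4Address(pkt[8 + 4 * i: 12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "adver_int": adver_int,
            "vips": vips, "auth_type": auth_type}


def backup_accepts(pkt: bytes, my_vrid: int, my_vips) -> bool:
    """What a backup checks before resetting its master-down timer: a
    well-formed advert for its own VRID carrying the same virtual addresses."""
    try:
        adv = parse_advertisement(pkt)
    except ValueError:
        return False
    return adv["vrid"] == my_vrid and adv["vips"] == list(my_vips)


def master_down_interval(backup_priority: int, adver_int: int = 1) -> float:
    """RFC 3768: 3 * Advertisement_Interval + Skew_Time, with
    Skew_Time = (256 - Priority) / 256 seconds."""
    return 3 * adver_int + (256 - backup_priority) / 256


if __name__ == "__main__":
    adv = build_advertisement(10, 100, ["192.168.10.1"])
    print(adv.hex())
    print(parse_advertisement(adv))
    print("backup accepts:", backup_accepts(adv, 10, ["192.168.10.1"]))
    print("master down after %.3f s of silence" % master_down_interval(100))
```

With a one-second advertisement interval and priority 100, the backup declares the master down after about 3.6 seconds without an accepted advertisement; any switch that filters 224.0.0.18 produces exactly that silence, so the Backup goes Active while the Master is still up.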
Page 221
There are several reasons that the device could log you out:
1. Re-authentication, lease or idle timeout.
2. The IP address changed after authentication.
3. Another account was used to log in from the same computer.

If it still cannot find it, it uses the attributes of “ldap-users” and “radius-users” at GUI menu Configuration > User/Group > User tab, as below. The default lease time and re-authentication time of ldap-users and radius-users are 1440 minutes.

See the flow as shown below.

N02. After I have filled in all the required fields, why can’t I receive the log mail?
The e-mail server may reject delivery of the event/alert mail for many reasons. Please enable the system debug log and find out why the e-mail server refused to accept the mail.

O04. Why can’t I see the connections from/to the ZyWALL itself?
In the Session module, only forwarding traffic is listed. Forwarding traffic means traffic going through the ZyWALL, so broadcast traffic crossing a bridge interface, which is forwarded, will be listed.

48 hours.
P06. How do I retrieve detailed virus information?
Simply navigate to the web site at http://mysecurity.zyxel.com and search for any virus-related details you require.
P07. I cannot download a file from the Internet through the ZyWALL USG 2000 because the Anti-Virus engine considers this file to be infected by a virus;...

P10. If the Anti-Virus engine detects a virus, what action may it take? Can it cure the file?
The ZyWALL USG 2000 will destroy the infected file, log the event and send an alert to the system administrator. The Anti-Virus engine cannot cure the infected file.