Page 1 ZyWALL USG 1000 Unified Security Gateway Default Login Details LAN Port IP Address https://192.168.1.1 User Name admin Password 1234 www.zyxel.com Firmware Version 2.12 Edition 1, 3/2010 www.zyxel.com Copyright © 2010 ZyXEL Communications Corporation...
Page 3: About This User's Guide
• CLI Reference Guide The CLI Reference Guide explains how to use the Command-Line Interface (CLI) to configure the ZyWALL. Note: It is recommended you use the Web Configurator to configure the ZyWALL. ZyWALL USG 1000 User’s Guide...
Page 4 Documentation Feedback Send your comments, questions or suggestions to: techwriters@zyxel.com.tw Thank you! The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 30099, Taiwan. Need More Help? More help is available at www.zyxel.com.
Page 5: Zywall Usg 1000 User's Guide
Graphics in this book may differ slightly from the product due to differences in operating systems, operating system versions, or if you installed updated firmware/software for your device. Every effort has been made to ensure that the information in this manual is accurate. ZyWALL USG 1000 User’s Guide...
Page 6: Document Conventions
For example, “k” for kilo may denote “1000” or “1024”, “M” for mega may denote “1000000” or “1048576” and so on. • “e.g.,” is a shorthand for “for instance”, and “i.e.,” means “that is” or “in other words”. ZyWALL USG 1000 User’s Guide...
Page 7: Zywall Usg 1000 User's Guide
Icons Used in Figures Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. ZyWALL Computer Notebook computer Server Firewall Telephone Switch Router ZyWALL USG 1000 User’s Guide...
Page 8: Safety Warnings
Your product is marked with this symbol, which is known as the WEEE mark. WEEE stands for Waste Electronics and Electrical Equipment. It means that used electrical and electronic products should not be mixed with general waste. Used electrical and electronic equipment should be treated separately. ZyWALL USG 1000 User’s Guide...
Page 9: Table Of Contents
SSL User Screens ........................493 SSL User Application Screens ....................503 SSL User File Sharing ......................505 ZyWALL SecuExtender ......................513 L2TP VPN ..........................517 Application Patrol ........................521 Anti-Virus ..........................547 IDP ............................563 ADP ............................597 ZyWALL USG 1000 User’s Guide...
Page 10 SSL Application ........................765 Endpoint Security ........................773 System ........................... 783 Log and Report ........................833 File Manager ........................... 847 Diagnostics ..........................859 Reboot ............................. 865 Shutdown ..........................867 Troubleshooting ........................869 Product Specifications ......................891 ZyWALL USG 1000 User’s Guide...
Page 11 2.2.2 SSL VPN Network Access ..................46 2.2.3 User-Aware Access Control ..................48 2.2.4 Multiple WAN Interfaces ..................... 48 2.2.5 Device HA ........................49 Chapter 3 Web Configurator........................51 3.1 Web Configurator Requirements ..................51 3.2 Web Configurator Access ....................51 ZyWALL USG 1000 User’s Guide...
Page 12: Table Of Contents
5.5.6 VPN Advanced Wizard - Phase 2 ................92 5.5.7 VPN Advanced Wizard - Summary ................93 5.5.8 VPN Advanced Wizard - Finish ................. 94 Chapter 6 Configuration Basics......................95 6.1 Object-based Configuration ....................95 6.2 Zones, Interfaces, and Physical Ports ................. 96 ZyWALL USG 1000 User’s Guide...
Page 13 6.7 System ..........................115 6.7.1 DNS, WWW, SSH, TELNET, FTP, SNMP, Dial-in Mgmt, Vantage CNM ....115 6.7.2 Logs and Reports ......................116 6.7.3 File Manager ......................116 6.7.4 Diagnostics ........................116 6.7.5 Shutdown ........................116 Chapter 7 Tutorials ..........................119 ZyWALL USG 1000 User’s Guide...
Page 14 7.12.5 Set Up a DMZ to LAN Firewall Rule for SIP ............162 7.13 How to Use Multiple Static Public WAN IP Addresses for LAN to WAN Traffic ....163 7.13.1 Create the Public IP Address Range Object ............163 7.13.2 Configure the Policy Route ..................164 ZyWALL USG 1000 User’s Guide...
Page 15 10.2 The Port Statistics Screen ....................224 10.2.1 The Port Statistics Graph Screen ................226 10.3 Interface Status Screen ....................227 10.4 The Traffic Statistics Screen .................... 230 10.5 The Session Monitor Screen ..................233 ZyWALL USG 1000 User’s Guide...
Page 16 12.4 The System Protect Update Screen ................275 Chapter 13 Interfaces ..........................277 13.1 Interface Overview ......................277 13.1.1 What You Can Do in this Chapter ................277 13.1.2 What You Need to Know ..................278 ZyWALL USG 1000 User’s Guide...
Page 17 15.1.2 What You Need to Know ..................348 15.2 Policy Route Screen ......................350 15.2.1 Policy Route Edit Screen ..................353 15.3 IP Static Route Screen ....................357 15.3.1 Static Route Add/Edit Screen ................. 358 15.4 Policy Routing Technical Reference ................359 ZyWALL USG 1000 User’s Guide...
Page 18 Chapter 20 HTTP Redirect ........................397 20.1 Overview .......................... 397 20.1.1 What You Can Do in this Chapter ................397 20.1.2 What You Need to Know ..................398 20.2 The HTTP Redirect Screen ..................... 399 ZyWALL USG 1000 User’s Guide...
Page 19 24.2 The Firewall Screen ......................431 24.2.1 Configuring the Firewall Screen ................432 24.2.2 The Firewall Add/Edit Screen ................. 435 24.3 The Session Limit Screen ....................436 24.3.1 The Session Limit Add/Edit Screen ................ 438 Chapter 25 IPSec VPN..........................441 ZyWALL USG 1000 User’s Guide...
Page 20 27.5 Logging Out of the SSL VPN User Screens ..............500 Chapter 28 SSL User Application Screens .................... 503 28.1 SSL User Application Screens Overview ................ 503 28.2 The Application Screen ....................503 Chapter 29 SSL User File Sharing ......................505 29.1 Overview .......................... 505 ZyWALL USG 1000 User’s Guide...
Page 21 32.3.2 The Application Patrol Policy Edit Screen ............. 537 32.4 The Other Applications Screen ..................540 32.4.1 The Other Applications Add/Edit Screen ..............543 Chapter 33 Anti-Virus..........................547 33.1 Overview .......................... 547 33.1.1 What You Can Do in this Chapter ................547 ZyWALL USG 1000 User’s Guide...
Page 22 34.9 IDP Technical Reference ....................594 Chapter 35 ADP ............................597 35.1 Overview .......................... 597 35.1.1 ADP and IDP Comparison ..................597 35.1.2 What You Can Do in this Chapter ................. 597 35.1.3 What You Need To Know ..................597 ZyWALL USG 1000 User’s Guide...
Page 23 38.4.1 The Anti-Spam Black or White List Add/Edit Screen ..........657 38.4.2 Regular Expressions in Black or White List Entries ..........658 38.5 The Anti-Spam White List Screen ..................659 38.6 The DNSBL Screen ......................660 ZyWALL USG 1000 User’s Guide...
Page 24 41.1.2 What You Need To Know ..................705 41.2 Address Summary Screen ....................705 41.2.1 Address Add/Edit Screen ..................707 41.3 Address Group Summary Screen ..................708 41.3.1 Address Group Add/Edit Screen ................709 Chapter 42 Services ..........................711 42.1 Overview ...........................711 ZyWALL USG 1000 User’s Guide...
Page 25 45.2.1 Creating an Authentication Method Object ............735 Chapter 46 Certificates ..........................739 46.1 Overview .......................... 739 46.1.1 What You Can Do in this Chapter ................739 46.1.2 What You Need to Know ..................739 ZyWALL USG 1000 User’s Guide...
Page 26 50.1.1 What You Can Do in this Chapter ................783 50.2 Host Name ........................784 50.3 Date and Time ........................ 785 50.3.1 Pre-defined NTP Time Servers List ................ 787 50.3.2 Time Server Synchronization ................. 788 ZyWALL USG 1000 User’s Guide...
Page 27 50.11 Dial-in Management ....................... 827 50.11.1 Configuring Dial-in Mgmt ..................828 50.12 Vantage CNM ....................... 829 50.12.1 Configuring Vantage CNM ................... 830 50.13 Language Screen ......................832 Chapter 51 Log and Report ........................833 51.1 Overview .......................... 833 ZyWALL USG 1000 User’s Guide...
Page 28 55.1.1 What You Need To Know ..................867 55.2 The Shutdown Screen ..................... 867 Chapter 56 Troubleshooting........................869 56.1 Resetting the ZyWALL ..................... 886 56.2 Changing a Power Module ....................887 56.3 Getting More Troubleshooting Help ................. 889 ZyWALL USG 1000 User’s Guide...
Page 29 Appendix A Log Descriptions ....................899 Appendix B Common Services..................... 959 Appendix C Displaying Anti-Virus Alert Messages in Windows..........963 Appendix D Importing Certificates..................969 Appendix E Open Software Announcements ............... 995 Appendix F Legal Information .................... 1051 Index............................. 1055 ZyWALL USG 1000 User’s Guide...
Page 30 Table of Contents ZyWALL USG 1000 User’s Guide...
Page 31: User's Guide
User’s Guide...
Page 33: Introducing The Zywall
Note: Leave 10 cm of clearance at the sides and 20 cm in the rear. Use a #2 Phillips screwdriver to install the screws. Note: Failure to use the proper screws may damage the unit. ZyWALL USG 1000 User’s Guide...
Page 34: Rack-Mounted Installation Procedure
After attaching both mounting brackets, position the ZyWALL in the rack by lining up the holes in the brackets with the appropriate holes on the rack. Secure the ZyWALL to the rack with the rack-mounting screws. Figure 2 Rack Mounting ZyWALL USG 1000 User’s Guide...
Page 35: Front Panel
The ZyWALL is sending or receiving packets on this port. Orange There is no connection on this port. This port has a successful link. 1.4 Management Overview You can use the following ways to manage the ZyWALL. ZyWALL USG 1000 User’s Guide...
Page 36: Starting And Stopping The Zywall
Table 2 Console Port Default Settings SETTING VALUE Speed 115200 bps Data Bits Parity None Stop Bit Flow Control 1.5 Starting and Stopping the ZyWALL Here are some of the ways to start and stop the ZyWALL. ZyWALL USG 1000 User’s Guide...
Page 37: Starting And Stopping The Zywall
ZyWALL simply turns off. It does not stop the system processes or write cached data to local storage. The ZyWALL does not stop or start the system processes when you apply configuration files or run shell scripts although you may temporarily lose access to network resources. ZyWALL USG 1000 User’s Guide...
Page 38 Chapter 1 Introducing the ZyWALL ZyWALL USG 1000 User’s Guide...
Page 39: Features And Applications
Many security settings are made by zone, not by interface, port, or network. As a result, it is much simpler to set up and to change security settings in the ZyWALL. You can create your own custom zones. You can add interfaces and VPN tunnels to zones. ZyWALL USG 1000 User’s Guide...
Page 40 ZyWALL to check web sites against an external database of dynamically-updated ratings of millions of web sites. You then simply select categories to block or monitor, such as pornography or racial intolerance, from a pre-defined list. ZyWALL USG 1000 User’s Guide...
Page 41: Applications
SIP priority over all other traffic. This maximizes SIP traffic throughput for improved VoIP call sound quality. 2.2 Applications These are some example applications for your ZyWALL. See also Chapter 7 on page 119 for configuration tutorial examples. ZyWALL USG 1000 User’s Guide...
Page 42: Vpn Connectivity
ZyWALL appears to be the server to remote users. This provides an added layer of protection for your internal servers. With reverse proxy mode, remote users can easily access any web-based applications on the local network by clicking on links or entering the provided URL. ZyWALL USG 1000 User’s Guide...
Page 43 Figure 15 Network Access Mode: Full Tunnel Mode 192.168.1.100 LAN (192.168.1.X) https;// Web Mail File Share Web-based Application Application Non-Web Server ZyWALL USG 1000 User’s Guide...
Page 44: User-Aware Access Control
Set up multiple connections to the Internet on the same port, or set up multiple connections on different ports. In either case, you can balance the loads between them. Figure 17 Applications: Multiple WAN Interfaces ZyWALL USG 1000 User’s Guide...
Page 45: Device Ha
Chapter 2 Features and Applications 2.2.5 Device HA Set up an additional ZyWALL as a backup gateway to ensure the default gateway is always available for the network. Figure 18 Applications: Device HA ZyWALL USG 1000 User’s Guide...
Page 46 Chapter 2 Features and Applications ZyWALL USG 1000 User’s Guide...
Page 47: Web Configurator
• Enable Java permissions (enabled by default) • Enable cookies The recommended screen resolution is 1024 x 768 pixels. 3.2 Web Configurator Access Make sure your ZyWALL hardware is properly connected. See the Quick Start Guide. ZyWALL USG 1000 User’s Guide...
Page 48 Click Login. If you logged in using the default user name and password, the Update Admin Info screen (Figure 20 on page 52) appears. Otherwise, the dashboard (Figure 21 on page 53) appears. Figure 20 Update Admin Info Screen ZyWALL USG 1000 User’s Guide...
Page 49: Web Configurator Screens Overview
67); otherwise the dashboard appears as shown next. Figure 21 Dashboard 3.3 Web Configurator Screens Overview The Web Configurator screen is divided into these parts (as illustrated in Figure 21 on page 53): • A - title bar ZyWALL USG 1000 User’s Guide...
Page 50: Title Bar
Web Configurator. 3.3.2 Navigation Panel Use the menu items on the navigation panel to open screens to configure ZyWALL features. Click the arrow in the middle of the right edge of the navigation panel to ZyWALL USG 1000 User’s Guide...
Page 51: Monitor Menu
Lists the devices that have received an IP address from ZyWALL interfaces using IP/MAC binding. Login Users Lists the users currently logged into the ZyWALL. WLAN Status Displays the connection status of the ZyWALL’s wireless clients. ZyWALL USG 1000 User’s Guide...
Page 52: Configuration Menu
View the licensed service status and upgrade licensed services. Signature Anti-Virus Update anti-virus signatures immediately or by a Update schedule. IDP/AppPatrol Update IDP signatures immediately or by a schedule. System Protect Update system-protect signatures immediately or by a schedule. Network ZyWALL USG 1000 User’s Guide...
Page 53 Configure IKE tunnels. Concentrator Configure VPN concentrators (hub-and-spoke VPN). SSL VPN Access Privilege Configure SSL VPN access rights for users and groups. Global Setting Configure the ZyWALL’s SSL VPN settings that apply to all connections. ZyWALL USG 1000 User’s Guide...
Page 54 HA. Active-Passive Configure active-passive mode device HA. Mode Legacy Mode Configure legacy mode device HA for use with ZyWALLs that already have device HA setup using a firmware version earlier than 2.10. Object ZyWALL USG 1000 User’s Guide...
Page 55 Configure the DNS server and address records for the ZyWALL. Service Control Configure HTTP, HTTPS, and general authentication. Login Page Configure how the login and access user screens look. Configure SSH server and SSH service settings. ZyWALL USG 1000 User’s Guide...
Page 56: Main Window
The main window shows the screen you select in the navigation panel. The main window screens are discussed in the rest of this document. Right after you log in, the Dashboard screen is displayed. See Chapter 9 on page for more information about the Dashboard screen. ZyWALL USG 1000 User’s Guide...
Page 57 Figure 25 Site Map 3.3.3.3 Object Reference Click Object Reference to open the Object Reference screen. Select the type of object and the individual object and click Refresh to show which configuration ZyWALL USG 1000 User’s Guide...
Page 58 This field identifies the configuration item that references the object. Description If the referencing configuration item has a description configured, it displays here. Refresh Click this to update the information in this screen. Cancel Click Cancel to close the screen. ZyWALL USG 1000 User’s Guide...
Page 59: Tables And Lists
Click the down arrow next to a column heading for more options about how to display the entries. The options available vary depending on the type of fields in the column. Here are some examples of what you can do: ZyWALL USG 1000 User’s Guide...
Page 60 • Filter by mathematical operators (<, >, or =) or searching for text Figure 29 Common Table Column Options Select a column heading cell’s right border and drag to re-size the column. Figure 30 Resizing a Table Column ZyWALL USG 1000 User’s Guide...
Page 61: Working With Table Entries
The tables have icons for working with table entries. A sample is shown next. You can often use the [Shift] or [Ctrl] key to select multiple entries to remove, activate, or deactivate. Figure 33 Common Table Icons ZyWALL USG 1000 User’s Guide...
Page 62 In some lists you can also use the [Shift] or [Ctrl] key to select multiple entries, and then use the arrow button to move them to the other list. Figure 34 Working with Lists ZyWALL USG 1000 User’s Guide...
Page 63: Installation Setup Wizard
• Click the double arrow in the upper right corner to display or hide the help. • Click Go to Dashboard to skip the installation setup wizard or click Next to start configuring for Internet access. ZyWALL USG 1000 User’s Guide...
Page 64: Internet Access Setup - Wan Interface
Select Static if the ISP assigned a fixed IP address. 4.1.2 Internet Access: Ethernet This screen is read-only if you set the previous screen’s IP Address Assignment field to Auto. Use this screen to configure your IP address settings. ZyWALL USG 1000 User’s Guide...
Page 65 The ZyWALL uses these (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. ZyWALL USG 1000 User’s Guide...
Page 66: Internet Access: Pppoe
[] and ?. This field can be blank. • Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle Timeout in seconds that elapses before the router automatically disconnects from the PPPoE server. ZyWALL USG 1000 User’s Guide...
Page 67: Internet Access: Pptp
Note: Enter the Internet access information exactly as given to you by your ISP. Figure 39 Internet Access: PPTP Encapsulation 4.1.5 ISP Parameters • Authentication Type - Select an authentication protocol for outgoing calls. Options are: ZyWALL USG 1000 User’s Guide...
Page 68 The ZyWALL uses these (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. ZyWALL USG 1000 User’s Guide...
Page 69: Internet Access Setup - Second Wan Interface
4.1.7 Internet Access - Finish You have set up your ZyWALL to access the Internet. After configuring the WAN interface(s), a screen displays with your settings. If they are not correct, click Back. Figure 41 Internet Access: Ethernet Encapsulation ZyWALL USG 1000 User’s Guide...
Page 70: Device Registration
Use the Registration > Service screen to update your service subscription status. Figure 42 Registration • Select new myZyXEL.com account if you haven’t created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your ZyWALL. ZyWALL USG 1000 User’s Guide...
Page 71 After the trial expires, you can buy an iCard and enter the license key in the Registration > Service screen to extend the service. Figure 43 Registration: Registered Device ZyWALL USG 1000 User’s Guide...
Page 72 Chapter 4 Installation Setup Wizard ZyWALL USG 1000 User’s Guide...
Page 73: Quick Setup
ISP account settings in the ZyWALL if you use PPPoE or PPTP. See Section 5.2 on page • VPN SETUP Use VPN SETUP to configure a VPN (Virtual Private Network) tunnel for a secure connection to another computer or network. See Section 5.4 on page ZyWALL USG 1000 User’s Guide...
Page 74: Wan Interface Quick Setup
Figure 46 Choose an Ethernet Interface 5.2.2 Select WAN Type WAN Type Selection: Select the type of encapsulation this connection is to use. Choose Ethernet when the WAN port is used as a regular Ethernet. ZyWALL USG 1000 User’s Guide...
Page 75: Configure Wan Settings
Use this screen to select to which zone the interface belongs and whether the interface should use a fixed or dynamic IP address. Figure 48 WAN Interface Setup: Step 2 • WAN Interface: This is the interface you are configuring for Internet access. • Zone: ZyWALL USG 1000 User’s Guide...
Page 76: Wan And Isp Connection Settings
Table 10 WAN and ISP Connection Settings LABEL DESCRIPTION ISP Parameter This section appears if the interface uses a PPPoE or PPTP Internet connection. Encapsulation This displays the type of Internet connection you are configuring. ZyWALL USG 1000 User’s Guide...
Page 77 This field displays to which security zone this interface and Internet connection will belong. IP Address This field is read-only when the WAN interface uses a dynamic IP address. If your WAN interface uses a static IP address, enter it in this field. ZyWALL USG 1000 User’s Guide...
Page 78: Quick Setup Interface Wizard: Summary
DESCRIPTION Encapsulation This displays what encapsulation this interface uses to connect to the Internet. Service Name This field only appears for a PPPoE interface. It displays the PPPoE service name specified in the ISP account. ZyWALL USG 1000 User’s Guide...
Page 79: Vpn Quick Setup
Wizard Welcome screen. The VPN wizard creates corresponding VPN connection and VPN gateway settings and address objects that you can use later in configuring more VPN connections or other features. Click Next. Figure 51 VPN Quick Setup Wizard ZyWALL USG 1000 User’s Guide...
Page 80: Vpn Setup Wizard: Wizard Type
ZyWALL using a pre-shared key and default security settings. Advanced: Use this wizard to configure detailed VPN security settings such as using certificates. The VPN connection can be to another ZLD-based ZyWALL or other IPSec device. ZyWALL USG 1000 User’s Guide...
Page 81: Vpn Express Wizard - Scenario
Only the clients can initiate the VPN tunnel. • Remote Access (Client Role) - Choose this to connect to an IPSec server. This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel. ZyWALL USG 1000 User’s Guide...
Page 82: Vpn Express Wizard - Configuration
If this field is configurable, type the IP address of a computer behind the remote IPSec device. You can also specify a subnet. This must match the local IP address configured on the remote IPSec device. ZyWALL USG 1000 User’s Guide...
Page 83: Vpn Express Wizard - Summary
“.zysh” filename extension. Then you can use the file manager to run the script in order to configure the VPN connection. See the commands reference guide for details on the commands displayed in this list. ZyWALL USG 1000 User’s Guide...
Page 84: Vpn Express Wizard - Finish
Figure 56 VPN Express Wizard: Step 6 Note: If you have not already done so, use the myZyXEL.com link and register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Click Close to exit the wizard. ZyWALL USG 1000 User’s Guide...
Page 85: Vpn Advanced Wizard - Scenario
• Remote Access (Server Role) - Choose this to allow incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel. ZyWALL USG 1000 User’s Guide...
Page 86: Vpn Advanced Wizard - Phase 1 Settings
The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES ZyWALL USG 1000 User’s Guide...
Page 87 IPSec device. If it responds, the ZyWALL transmits the data. If it does not respond, the ZyWALL shuts down the IKE SA. • Authentication Method: Select Pre-Shared Key to use a password or Certificate to use one of the ZyWALL’s certificates. ZyWALL USG 1000 User’s Guide...
Page 88: Vpn Advanced Wizard - Phase 2
• Remote Policy (IP/Mask): Type the IP address of a computer behind the remote IPSec device. You can also specify a subnet. This must match the local IP address configured on the remote IPSec device. ZyWALL USG 1000 User’s Guide...
Page 89: Vpn Advanced Wizard - Summary
IPSec device that can use the tunnel. • Copy and paste the Configuration for Remote Gateway commands into another ZLD-based ZyWALL’s command line interface. • Click Save to save the VPN rule. ZyWALL USG 1000 User’s Guide...
Page 90: Vpn Advanced Wizard - Finish
Figure 61 VPN Wizard: Step 6: Advanced Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Click Close to exit the wizard. ZyWALL USG 1000 User’s Guide...
Page 91: Configuration Basics
You can create address objects based on an interface’s IP address, subnet, or gateway. The ZyWALL automatically updates every rule or setting that uses these ZyWALL USG 1000 User’s Guide...
Page 92: Configuration Basics
Port combine physical ports into interfaces. Physical The physical port is where you connect a cable. In configuration, you Ethernet Ports use physical ports when configuring port groups. You use interfaces and zones in configuring other features. (P1, P2, ...) ZyWALL USG 1000 User’s Guide...
Page 93: Interface Types
• The auxiliary interface, along with an external modem, provides an interface the ZyWALL can use to dial out. This interface can be used as a backup WAN interface, for example. The auxiliary interface controls the AUX port. ZyWALL USG 1000 User’s Guide...
Page 94: Default Interface And Zone Configuration
• The DMZ zone contains the ge4 and ge5 interfaces (physical ports 4 and 5). The DMZ zone has servers that are available to the public. These interface uses private IP addresses 192.168.2.1 and 192.168.3.1. ZyWALL USG 1000 User’s Guide...
Page 95: Terminology In The Zywall
Table 17 Bandwidth Management: Differences Between the ZLD ZyWALL and ZyNOS ZYNOS FEATURE / SCREEN ZLD ZYWALL FEATURE / SCREEN Interface bandwidth management Interface (outbound) OSI level-7 bandwidth management Application patrol General bandwidth management Policy route ZyWALL USG 1000 User’s Guide...
Page 96: Packet Flow
• A policy route can be automatically disabled if the next-hop is dead. • You do not need to set up policy routes for IPSec traffic. • Policy routes can override direct routes. ZyWALL USG 1000 User’s Guide...
Page 97: Routing Table Checking Flow Enhancements
ZyWALL’s interfaces. You can override this and have the ZyWALL check the policy routes first by enabling the policy route feature’s Use Policy Route to Override Direct Route option (see Section 15.1 on page 347). ZyWALL USG 1000 User’s Guide...
Page 98: Nat Table Checking Flow
The following figure shows how the ZLD 2.20 firmware’s NAT table compares with the earlier 2.1x firmware’s NAT table.The checking flow is from top to bottom. As soon as the packets match an entry in one of the sections, the ZyWALL USG 1000 User’s Guide...
Page 99: Feature Configuration Overview
This section provides information about configuring the main features in the ZyWALL. The features are listed in the same sequence as the menu item(s) in the Web Configurator. Each feature description is organized as shown below. ZyWALL USG 1000 User’s Guide...
Page 100: Feature
MENU ITEM(S) Internet access to myZyXEL.com PREREQUISITES 6.5.3 Licensing Update Use these screens to update the ZyWALL’s signature packages for the anti-virus, IDP and application patrol, and system protect features. You must have a valid ZyWALL USG 1000 User’s Guide...
Page 101: Interface
(out of the ZyWALL), port triggering, and general NAT on the source address. You have to set up the criteria, next-hops, and NAT settings first. Configuration > Network > Routing > Policy Route MENU ITEM(S) ZyWALL USG 1000 User’s Guide...
Page 102: Static Routes
FTP traffic. 6.5.7 Static Routes Use static routes to tell the ZyWALL about networks not directly connected to the ZyWALL. Configuration > Network > Routing > Static Route MENU ITEM(S) ZyWALL USG 1000 User’s Guide...
Page 103: Zones
Interfaces, addresses (HOST) PREREQUISITES Example: Suppose you have an FTP server with a private IP address connected to a DMZ port. You could configure a NAT rule to forwards FTP sessions from the WAN to the DMZ. ZyWALL USG 1000 User’s Guide...
Page 104: Http Redirect
Select the interface from which you want to redirect incoming HTTP requests (). Specify the IP address of the HTTP proxy server. Specify the port number to use for the HTTP traffic that you forward to the proxy server. ZyWALL USG 1000 User’s Guide...
Page 105: Alg
DMZ to the LAN so VoIP users on the LAN can receive calls. Create a VoIP service object for UDP port 5060 traffic (Configuration > Object > Service). Create an address object for the VoIP server (Configuration > Object > Address). ZyWALL USG 1000 User’s Guide...
Page 106: Ipsec Vpn
Interfaces, SSL application, users, user groups, addresses (network list, IP pool for assigning to clients, DNS and WINS server addresses), PREREQUISITES to-ZyWALL firewall, firewall Policy routes, zones WHERE USED Example: See Chapter 7 on page 119. ZyWALL USG 1000 User’s Guide...
Page 107: L2Tp Vpn
Note: With this example, Bob would have to log in using his account. If you do not want him to have to log in, you might create an exception policy with Bob’s computer IP address as the source. ZyWALL USG 1000 User’s Guide...
Page 108: Anti-Virus
Example: You can configure a policy that blocks Bill’s access to arts and entertainment web pages during the workday. You must have already subscribed to the content filter service. Create a user account for Bill if you have not done so already (Configuration > Object > User/Group). ZyWALL USG 1000 User’s Guide...
Page 109: Anti-Spam
To increase network reliability, device HA lets a backup ZyWALL automatically take over if a master ZyWALL fails. Configuration > Device HA MENU ITEM(S) Interfaces (with a static IP address), to-ZyWALL firewall PREREQUISITES Example: See Chapter 7 on page 119. ZyWALL USG 1000 User’s Guide...
Page 110: Objects
Use these screens to configure the ZyWALL’s administrator and user accounts. The ZyWALL provides the following user types. Table 19 User Types TYPE ABILITIES admin Change ZyWALL configuration (web, CLI) limited-admin Look at ZyWALL configuration (web) user Access network services, browse user-mode commands (CLI) ZyWALL USG 1000 User’s Guide...
Page 111: System
(WWW, SSH, FTP, Vantage CNM), authentication methods (WWW) Example: Suppose you want to allow an administrator to use HTTPS to manage the ZyWALL from the WAN. Create an administrator account (Configuration > Object > User/Group). ZyWALL USG 1000 User’s Guide...
Page 112: Logs And Reports
It can also capture packets going through the ZyWALL’s interfaces so you can analyze them to identify network problems. Maintenance > Diagnostics MENU ITEM(S) 6.7.5 Shutdown Use this to shutdown the device in preparation for disconnecting the power. ZyWALL USG 1000 User’s Guide...
Page 113 Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the ZyWALL or remove the power. Not doing so can cause the firmware to become corrupt. Maintenance > Shutdown MENU ITEM(S) ZyWALL USG 1000 User’s Guide...
Page 114 Chapter 6 Configuration Basics ZyWALL USG 1000 User’s Guide...
Page 115: Tutorials
• DMZ servers are connected to ports P4 and P5 and need full wire speed communication with each other, so ports P4 and P5 are combined into a ge4 interface port group. It uses IP address 192.168.2.1. ZyWALL USG 1000 User’s Guide...
Page 116: Configure A Wan Ethernet Interface
Select Use Fixed IP Address and configure the IP address, subnet mask, and default gateway settings and click OK. Figure 68 Configuration > Network > Interface > Ethernet > Edit ge2 7.1.2 Configure Zones Do the following to create a VPN zone. ZyWALL USG 1000 User’s Guide...
Page 117: Configure Port Grouping
Here is how to combine physical ports P4 and P5 into the ge4 interface port group. Click Configuration > Network > Interface > Port Grouping. Drag physical port 5 onto representative interface ge4 and click Apply Figure 70 Configuration > Network > Interface > Port Grouping Example ZyWALL USG 1000 User’s Guide...
Page 118: How To Configure A Cellular Interface
Install the 3G device in the ZyWALL’s PCIMCIA slot or connect it to one of the ZyWALL’s USB ports. Click Configuration > Network > Interface > Cellular. Select the 3G device’s entry and click Edit. Figure 72 Configuration > Network > Interface > Cellular ZyWALL USG 1000 User’s Guide...
Page 119 The ZyWALL automatically adds the cellular interface to the system default WAN trunk. If the ZyWALL is using a user-configured trunk as its default trunk and you want this cellular interface to be part of it, use the Trunk screens to add it. ZyWALL USG 1000 User’s Guide...
Page 120: How To Configure Load Balancing
WAN_TRUNK trunk’s load balancing settings. 7.3.1 Set Up Available Bandwidth on Ethernet Interfaces Here is how to set a limit on how much traffic the ZyWALL tries to send out through each WAN interface. ZyWALL USG 1000 User’s Guide...
Page 121: Configure The Wan Trunk
Figure 76 Configuration > Network > Interface > Ethernet > Edit (ge2) Repeat the process to set the egress bandwidth for ge3 to (512 Kbps). 7.3.2 Configure the WAN Trunk Click Configuration > Network > Interface > Trunk. Click the Add icon. ZyWALL USG 1000 User’s Guide...
Page 122 Name the trunk and set the Load Balancing Algorithm field to Weighted Round Robin. Add ge2 and enter 2 in the Weight column. Add ge3 and enter 1 in the Weight column. Click OK. Figure 77 Configuration > Network > Interface > Trunk > Add ZyWALL USG 1000 User’s Guide...
Page 123: How To Set Up An Ipsec Vpn Tunnel
This example shows how to use the IPSec VPN configuration screens to create the following VPN tunnel, see Section 5.4 on page 84 for details on the VPN quick setup wizard. Figure 79 VPN Example 2.2.2.2 1.2.3.4 192.168.1.0/24 172.16.1.0/24 ZyWALL USG 1000 User’s Guide...
Page 124: Set Up The Vpn Gateway
Interface and ge2. For the Peer Gateway Address, select Static Address and enter 2.2.2.2 in the Primary field. For the Authentication, Select Pre-Shared Key and enter 12345678. Click OK. Figure 80 Configuration > VPN > IPSec VPN > VPN Gateway > Add ZyWALL USG 1000 User’s Guide...
Page 125: Set Up The Vpn Connection
Address Type to SUBNET. Set up the Network field to 172.16.1.0 and the Netmask to 255.255.255.0. Click OK. Figure 81 Configuration > Object > Address > Add Click Configuration > VPN > IPSec VPN > VPN Connection. Click the Add icon. ZyWALL USG 1000 User’s Guide...
Page 126: Configure Security Policies For The Vpn Tunnel
VPN connection. Make sure all firewalls between the ZyWALL and remote IPSec router allow UDP port 500 (IKE) and IP protocol 50 (AH) or 51 (ESP). If you enable NAT traversal, all firewalls between the ZyWALL and remote IPSec router should also allow UDP port 4500. ZyWALL USG 1000 User’s Guide...
Page 127: How To Configure A Hub-And-Spoke Ipsec Vpn Without A Vpn Concentrator
Branch Office A (ZyNOS-based ZyWALL): Gateway Policy (Phase 1) • My Address: 10.0.0.2 • Primary Remote Gateway: 10.0.0.1 Network Policy (Phase 2) • Local Network: 192.168.167.0/255.255.255.0 • Remote Network: 192.168.168.0~192.168.169.255 Headquarters (ZyWALL USG): VPN Gateway (VPN Tunnel 1): ZyWALL USG 1000 User’s Guide...
Page 128 • The hub router must have at least one separate VPN rule for each spoke. In the local policy, specify the IP addresses of the hub-and-spoke networks with which the spoke is to be able to have a VPN tunnel. This may require you to use more than one VPN rule. ZyWALL USG 1000 User’s Guide...
Page 129: How To Configure User-Aware Access Control
First, set up the user accounts and user groups in the ZyWALL. Then, set up user authentication using the RADIUS server. Finally, set up the policies in the table above. The ZyWALL has its default settings. ZyWALL USG 1000 User’s Guide...
Page 130: Set Up User Accounts
Repeat this process to set up the remaining user accounts. 7.6.2 Set Up User Groups Set up the user groups and assign the users to the user groups. Click Configuration > Object > User/Group > Group. Click the Add icon. ZyWALL USG 1000 User’s Guide...
Page 131: Set Up User Authentication Using The Radius Server
RADIUS server. Then, set up the authentication method, and configure the ZyWALL to use the authentication method. Finally, force users to log in to the ZyWALL before it routes traffic for them. ZyWALL USG 1000 User’s Guide...
Page 132 Set up a default policy that forces every user to log in to the ZyWALL before the ZyWALL routes traffic for them. Select Enable. Set the Authentication field to required, and make sure Force User Authentication is selected. Keep the rest of the default settings, and click OK. ZyWALL USG 1000 User’s Guide...
Page 133: Web Surfing Policies With Bandwidth Restrictions
Use application patrol (AppPatrol) to enforce the web surfing and MSN policies. You must have already subscribed for the application patrol service. You can subscribe using the Configuration > Licensing > Registration screens or using one of the wizards. ZyWALL USG 1000 User’s Guide...
Page 134 Click Configuration > AppPatrol. If application patrol and bandwidth management are not enabled, enable them, and click Apply. Figure 89 Configuration > AppPatrol > General Click the Common tab and double-click the http entry. Figure 90 Configuration > AppPatrol > Common ZyWALL USG 1000 User’s Guide...
Page 135 Figure 91 Configuration > AppPatrol > Common > http Change the access to Drop because you do not want anyone except authorized user groups to browse the web. Click OK. Figure 92 Configuration > AppPatrol > Common > http > Edit Default ZyWALL USG 1000 User’s Guide...
Page 136: Set Up Msn Policies
7.6.5 Set Up MSN Policies Set up a recurring schedule object first because Sales can only use MSN during specified times on specified days. Click Configuration > Object > Schedule. Click the Add icon for recurring schedules. ZyWALL USG 1000 User’s Guide...
Page 137: Set Up Firewall Rules
Click Configuration > Firewall > Add. Set the From field as LAN and the To field as DMZ. Set the Access field to deny, and click OK. Figure 95 Configuration > Firewall > LAN to DMZ > Add ZyWALL USG 1000 User’s Guide...
Page 138: How To Use A Radius Server To Authenticate User Accounts Based On Groups
RADIUS server authenticate groups of user accounts defined in the RADIUS server. ZyWALL USG 1000 User’s Guide...
Page 139 Class. This attribute’s value is called a group identifier; it determines to which group a user belongs. In this example the values are Finance, Engineer, Sales, and Boss. Figure 97 Configuration > Object > AAA Server > RADIUS > Add ZyWALL USG 1000 User’s Guide...
Page 140: How To Use Endpoint Security And Authentication Policies
Click Configuration > Object > Endpoint Security > Add to open the Endpoint Security Edit screen. • Select Endpoint must comply with all checking items. • Set the Endpoint Operating System to Windows and the Window Version to Windows 7. ZyWALL USG 1000 User’s Guide...
Page 141 • Select Endpoint must have Anti-Virus software installed and move the Kaspersky Internet Security and Kaspersky Anti-Virus anti-virus software entries to the allowed list. The following figure shows the configuration screen example. Figure 99 Configuration > Object > Endpoint Security > Add ZyWALL USG 1000 User’s Guide...
Page 142: Configure The Authentication Policy
ZyWALL’s login screen. • Enable EPS checking and move the EPS objects you created to the selected list. • Click OK. Figure 100 Configuration > Auth. Policy > Add ZyWALL USG 1000 User’s Guide...
Page 143: How To Configure Service Control
Figure 102 Example: Endpoint Security Error Message 7.9 How to Configure Service Control Service control lets you configure rules that control HTTP and HTTPS management access (to the Web Configurator) and separate rules that control HTTP and HTTPS ZyWALL USG 1000 User’s Guide...
Page 144: Allow Https Administrator Access Only From The Lan
In HTTPS Admin Service Control, click the Add icon. Figure 103 Configuration > System > WWW In the Zone field select LAN and click OK. Figure 104 Configuration > System > WWW > Service Control Rule Edit ZyWALL USG 1000 User’s Guide...
Page 145 Figure 105 Configuration > System > WWW (First Example Admin Service Rule Configured) In the Zone field select ALL and set the Action to Deny. Click OK. Figure 106 Configuration > System > WWW > Service Control Rule Edit ZyWALL USG 1000 User’s Guide...
Page 146: How To Allow Incoming H.323 Peer-To-Peer Calls
Suppose you have a H.323 device on the LAN for VoIP calls and you want it to be able to receive peer-to-peer calls from the WAN. Here is an example of how to configure NAT and the firewall to have the ZyWALL forward H.323 traffic destined ZyWALL USG 1000 User’s Guide...
Page 147: Turn On The Alg
7.10.2 Set Up a NAT Policy For H.323 In this example, you need a NAT policy to forward H.323 (TCP port 1720) traffic received on the ZyWALL’s 10.0.0.8 WAN IP address to LAN IP address 192.168.1.56. ZyWALL USG 1000 User’s Guide...
Page 148 Use Configuration > Object > Address > Add to create an address object for the public WAN IP address (called WAN_IP-for-H323 here). Then use it again to create an address object for the H.323 device’s private LAN IP address (called LAN_H323 here). Figure 110 Create Address Objects ZyWALL USG 1000 User’s Guide...
Page 149: Set Up A Firewall Rule For H.323
The default firewall rule for WAN-to-LAN traffic drops all traffic. Here is how to configure a firewall rule to allow H.323 (TCP port 1720) traffic received on the WAN_IP-for-H323 IP address to go to LAN IP address 192.168.1.56. ZyWALL USG 1000 User’s Guide...
Page 150: How To Allow Public Access To A Web Server
Internet (the WAN zone). In this example you have public IP address 1.1.1.1 that you will use on the ge3 interface and map to the HTTP server’s private IP address of 192.168.3.7. Figure 113 Public Server Example Network Topology 192.168.3.7 1.1.1.1 ZyWALL USG 1000 User’s Guide...
Page 151: Create The Address Objects
• HTTP traffic and the HTTP server in this example both use TCP port 80. So you set the Port Mapping Type to Port, the Protocol Type to TCP, and the original and mapped ports to 80. ZyWALL USG 1000 User’s Guide...
Page 152: Set Up A Firewall Rule
HTTP traffic to IP address 1.1.1.1 in order to access the HTTP server. If a domain name is registered for IP address 1.1.1.1, users can just go to the domain name to access the web server. ZyWALL USG 1000 User’s Guide...
Page 153: How To Use An Ippbx On The Dmz
7.12 How to Use an IPPBX on the DMZ This is an example of making an IPPBX x6004 using SIP in the DMZ zone accessible from the Internet (the WAN zone). In this example you have public IP ZyWALL USG 1000 User’s Guide...
Page 154 Chapter 7 Tutorials address 1.1.1.2 that you will use on the ge3 interface and map to the IPPBX’s private IP address of 192.168.3.7. The local SIP clients are on the LAN. Figure 118 IPPBX Example Network Topology ZyWALL USG 1000 User’s Guide...
Page 155: Turn On The Alg
Use Configuration > Object > Address > Add to create the address objects. Create a host address object named IPPBX-DMZ for the IPPBX’s private DMZ IP address of 192.168.3.9. Figure 120 Creating the Address Object for the IPPBX’s Private IP Address ZyWALL USG 1000 User’s Guide...
Page 156: Setup A Nat Policy For The Ippbx
• Set the Port Mapping Type to Port, the Protocol Type to UDP and the original and mapped ports to 5060. • Keep Enable NAT Loopback selected to allow the LAN users to use the IPPBX (see NAT Loopback on page 393 for details). ZyWALL USG 1000 User’s Guide...
Page 157: Set Up A Wan To Dmz Firewall Rule For Sip
SIP traffic to the IPPBX. If a domain name is registered for IP address 1.1.1.2, users can use it to connect to for making SIP calls. ZyWALL USG 1000 User’s Guide...
Page 158: Set Up A Dmz To Lan Firewall Rule For Sip
The firewall blocks traffic from the DMZ zone to the LAN zone by default so you need to create a firewall rule to allow the IPPBX to send SIP traffic to the SIP clients on the LAN. ZyWALL USG 1000 User’s Guide...
Page 159: How To Use Multiple Static Public Wan Ip Addresses For Lan To Wan Traffic
Click Configuration > Object > Address > Add to create the address object that represents the range of static public IP addresses. In this example you name it Public-IPs and it goes from 1.1.1.10 to 1.1.1.17. Figure 125 Creating the Public IP Address Range Object ZyWALL USG 1000 User’s Guide...
Page 160: Configure The Policy Route
Here is an example of using device HA (High Availability) to backup ZyWALL A (the master) with ZyWALL B. ZyWALL B automatically takes over all of A’s functions if A fails or loses its ge1 or ge2 connection. ZyWALL USG 1000 User’s Guide...
Page 161: Before You Start
168). To avoid an IP address conflict, do not connect ZyWALL B to the LAN subnet until after you configure its device HA settings and the instructions tell you to deploy it (in Section 7.14.4 on page 170). ZyWALL USG 1000 User’s Guide...
Page 162: Configure Device Ha On The Master Zywall
LAN (ge1) to the Internet through the ge2 interface, so select the ge1 and ge2 interfaces and click Activate. Enter a Synchronization Password (“mySyncPassword” in this example) and click Apply. Figure 130 Configuration > Device HA > Active-Passive Mode: Master ZyWALL Example ZyWALL USG 1000 User’s Guide...
Page 163: Configure The Backup Zywall
In ZyWALL B click Configuration > Device HA > Active-Passive Mode. Click ge1’s Edit icon. Configure 192.168.1.5 as the Management IP and 255.255.255.0 as the Subnet Mask. Click OK. Figure 132 Configuration > Device HA > Active-Passive Mode > Edit: Backup ZyWALL Example ZyWALL USG 1000 User’s Guide...
Page 164: Deploy The Backup Zywall
Connect ZyWALL B’s ge1 interface to the LAN network. Connect ZyWALL B’s ge2 interface to the same router that ZyWALL A’s ge2 interface uses for Internet access. ZyWALL B copies A’s configuration (and re-synchronizes with A every ZyWALL USG 1000 User’s Guide...
Page 165: Check Your Device Ha Setup
ZyWALL’s other local networks. For example, enable device HA monitoring on the DMZ interfaces and use an Ethernet switch to connect both ZyWALLs’ DMZ interfaces to your publicly available servers. ZyWALL USG 1000 User’s Guide...
Page 166 Chapter 7 Tutorials ZyWALL USG 1000 User’s Guide...
Page 167: L2Tp Vpn Example
192.168.1.x subnet. 8.2 Configuring the Default L2TP VPN Gateway Example Click Configuration > VPN > Network > IPSec VPN > VPN Gateway to open the screen that lists the VPN gateways. Double-click the Default_L2TP_VPN_GW entry. ZyWALL USG 1000 User’s Guide...
Page 168 Figure 136 Configuration > VPN > IPSec VPN > VPN Gateway > Edit Select the Default_L2TP_VPN_GW entry and click Activate and click Apply to turn on the entry. Figure 137 Configuration > VPN > IPSec VPN > VPN Gateway (Enable) ZyWALL USG 1000 User’s Guide...
Page 169: Configuring The Default L2Tp Vpn Connection Example
L2TP_IFACE. • Set the Application Scenario to Remote Access (Server Role). • Set the Local Policy to use L2TP_IFACE. • Click OK. Figure 138 Configuration > VPN > IPSec VPN > VPN Connection > Edit ZyWALL USG 1000 User’s Guide...
Page 170: Configuring The L2Tp Vpn Settings Example
• This example uses the default authentication method (the ZyWALL’s local user data base). • Select a user or group of users that can use the tunnel. Here a user account named L2TP-test has been created. ZyWALL USG 1000 User’s Guide...
Page 171: Configuring L2Tp Vpn In Windows Vista, Xp, Or 2000
• For Windows 2000, use net start "ipsec policy agent". 8.5.1 Configuring L2TP in Windows Vista In Windows Vista do the following to establish an L2TP VPN connection. Click Start > Network > Network and Sharing Center > Set up a connection or network. ZyWALL USG 1000 User’s Guide...
Page 172 Select Connect to a workplace and click Next. Figure 141 Set up a connection or network: Chose a connection type Select Use my Internet connection (VPN). Figure 142 Connect to a workplace: How do you want to connect? ZyWALL USG 1000 User’s Guide...
Page 173 Figure 143 Connect to a workplace: Type the Internet address to connect to Enter the user name and password of a user account that can use the L2TP VPN connection and click Next. Figure 144 Connect to a workplace: Type your user name and password ZyWALL USG 1000 User’s Guide...
Page 174 Figure 145 Connect to a workplace: The connection is ready to use In the Network and Sharing Center screen, click Connect to a network. Right-click the L2TP VPN connection and select Properties. Figure 146 Connect L2TP to ZyWALL ZyWALL USG 1000 User’s Guide...
Page 175 Figure 148 Connect ZyWALL L2TP: Security > Advanced 10 Click Yes. When you use L2TP VPN to connect to the ZyWALL, the ZyWALL establishes an encrypted IPSec VPN tunnel first and then builds an L2TP tunnel ZyWALL USG 1000 User’s Guide...
Page 176 VPN gateway configuration that the ZyWALL is using for L2TP VPN (top-secret in this example). Click OK to close the IPSec Settings window and then click OK again to close the Properties window. Figure 151 L2TP to ZyWALL Properties > Networking > IPSec Settings ZyWALL USG 1000 User’s Guide...
Page 177 13 Select the L2TP VPN connection and click Connect. Figure 152 L2TP to ZyWALL Properties: Networking 14 Enter the user name and password of your ZyWALL user account. Click Connect. Figure 153 Connect L2TP to ZyWALL ZyWALL USG 1000 User’s Guide...
Page 178 16 If a window appears asking you to select a location for the network, you can select Work if you want your computer to be discoverable by computers behind the ZyWALL. Figure 155 Set Network Location ZyWALL USG 1000 User’s Guide...
Page 179 Figure 156 Set Network Location Successful 18 After the connection is up a connection icon displays in your system tray. Click it and then the L2TP connection to open a status screen. Figure 157 Connection System Tray Icon ZyWALL USG 1000 User’s Guide...
Page 180 20 Click Details to see the address that you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20). Figure 159 ZyWALL-L2TP Status: Details 21 Access a server or other network resource behind the ZyWALL to make sure your access works. ZyWALL USG 1000 User’s Guide...
Page 181: Configuring L2Tp In Windows Xp
Click Next in the Welcome screen. Select Connect to the network at my workplace and click Next. Figure 160 New Connection Wizard: Network Connection Type Select Virtual Private Network connection and click Next. Figure 161 New Connection Wizard: Network Connection ZyWALL USG 1000 User’s Guide...
Page 182 Chapter 8 L2TP VPN Example Type L2TP to ZyWALL as the Company Name. Figure 162 New Connection Wizard: Connection Name Select Do not dial the initial connection and click Next. Figure 163 New Connection Wizard: Public Network ZyWALL USG 1000 User’s Guide...
Page 183 VPN gateway configuration that the ZyWALL is using for L2TP VPN (172.16.1.2 in this example). Figure 164 New Connection Wizard: VPN Server Selection 172.16.1.2 Click Finish. The Connect L2TP to ZyWALL screen appears. Click Properties > Security. Figure 165 Connect L2TP to ZyWALL ZyWALL USG 1000 User’s Guide...
Page 184 11 Select Optional encryption (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK. Figure 167 Connect ZyWALL L2TP: Security > Advanced ZyWALL USG 1000 User’s Guide...
Page 185 13 Select the Use pre-shared key for authentication check box and enter the pre- shared key used in the VPN gateway configuration that the ZyWALL is using for L2TP VPN. Click OK. Figure 169 L2TP to ZyWALL Properties > Security > IPSec Settings ZyWALL USG 1000 User’s Guide...
Page 186 Figure 171 Connect L2TP to ZyWALL 16 A window appears while the user name and password are verified. 17 A ZyWALL-L2TP icon displays in your system tray. Double-click it to open a status screen. Figure 172 ZyWALL-L2TP System Tray Icon ZyWALL USG 1000 User’s Guide...
Page 187: Configuring L2Tp In Windows 2000
Click Start > Run. Type regedit and click OK. Figure 174 Starting the Registry Editor Click Registry > Export Registry File and save a backup copy of your registry. You can go back to using this backup if you misconfigure the registry settings. ZyWALL USG 1000 User’s Guide...
Page 188 Right-click Parameters and select New > DWORD Value. Figure 176 New DWORD Value Enter ProhibitIpSec as the name. And make sure the Data displays as 0’s. Figure 177 ProhibitIpSec DWORD Value Restart the computer and continue with the next section. ZyWALL USG 1000 User’s Guide...
Page 189 IPSec policy for the computer to use. Click Start > Run. Type mmc and click OK. Figure 178 Run mmc Click Console > Add/Remove Snap-in. Figure 179 Console > Add/Remove Snap-in ZyWALL USG 1000 User’s Guide...
Page 190 Figure 180 Add > IP Security Policy Management > Finish Right-click IP Security Policies on Local Machine and click Create IP Security Policy. Click Next in the welcome screen. Figure 181 Create IP Security Policy ZyWALL USG 1000 User’s Guide...
Page 191 Name the IP security policy L2TP to ZyWALL, and click Next. Figure 182 IP Security Policy: Name Clear the Activate the default response rule check box and click Next. Figure 183 IP Security Policy: Request for Secure Communication ZyWALL USG 1000 User’s Guide...
Page 192 Leave the Edit Properties check box selected and click Finish. Figure 184 IP Security Policy: Completing the IP Security Policy Wizard In the properties dialog box, click Add > Next. Figure 185 IP Security Policy Properties > Add ZyWALL USG 1000 User’s Guide...
Page 193 Select This rule does not specify a tunnel and click Next. Figure 186 IP Security Policy Properties: Tunnel Endpoint 10 Select All network connections and click Next. Figure 187 IP Security Policy Properties: Network Type ZyWALL USG 1000 User’s Guide...
Page 194 11 Select Use this string to protect the key exchange (preshared key), type password in the text box, and click Next. Figure 188 IP Security Policy Properties: Authentication Method 12 Click Add. Figure 189 IP Security Policy Properties: IP Filter List ZyWALL USG 1000 User’s Guide...
Page 195 (172.16.1.2 in this example) in the IP Address field. Make certain the Mirrored. Also match packets with the exact opposite source and destination addresses check box is selected and click Apply. Figure 191 Filter Properties: Addressing . 16 ZyWALL USG 1000 User’s Guide...
Page 196 UDP from port 1701. Select To any port. Click Apply, OK, and then Close. Figure 192 Filter Properties: Protocol 16 Select ZyWALL WAN_IP and click Next. Figure 193 IP Security Policy Properties: IP Filter List ZyWALL USG 1000 User’s Guide...
Page 197 18 In the Console window, right-click L2TP to ZyWALL and select Assign. Figure 195 Console: L2TP to ZyWALL Assign 8.5.3.3 Configure the Windows 2000 Network Connection After you have configured the IPSec policy, use these directions to create a network connection. ZyWALL USG 1000 User’s Guide...
Page 198 Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN. Click Next. Figure 198 New Connection Wizard: Destination Address 172.16.1.2 ZyWALL USG 1000 User’s Guide...
Page 199 Select For all users and click Next. Figure 199 New Connection Wizard: Connection Availability Name the connection L2TP to ZyWALL and click Finish. Figure 200 New Connection Wizard: Naming the Connection Click Properties. Figure 201 Connect L2TP to ZyWALL ZyWALL USG 1000 User’s Guide...
Page 200 Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK. Click Yes if a screen pops up. Figure 203 Connect L2TP to ZyWALL: Security > Advanced ZyWALL USG 1000 User’s Guide...
Page 201 Figure 205 Connect L2TP to ZyWALL 11 A ZyWALL-L2TP icon displays in your system tray. Double-click it to open a status screen. Figure 206 ZyWALL-L2TP System Tray Icon ZyWALL USG 1000 User’s Guide...
Page 202 12 Click Details and scroll down to see the address that you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20). Figure 207 L2TP to ZyWALL Status: Details 13 Access a server or other network resource behind the ZyWALL to make sure your access works. ZyWALL USG 1000 User’s Guide...
Page 203: Technical Reference
Technical Reference...
Page 205: Dashboard
9.2 The Dashboard Screen The Dashboard screen displays when you log into the ZyWALL or click Dashboard in the navigation panel. The dashboard displays general device information, system status, system resource usage, licensed service status, and ZyWALL USG 1000 User’s Guide...
Page 206 Front Panel Click this to view details about the status of the ZyWALL’s front panel LEDs and connections. See Section 1.3.3 on page 39 for LED descriptions. An unconnected interface or slot appears grayed out. ZyWALL USG 1000 User’s Guide...
Page 207 Device Information System This field displays the name used to identify the ZyWALL on any Name network. Click the icon to open the screen where you can change it. See Section 50.2 on page 784. ZyWALL USG 1000 User’s Guide...
Page 208 Status it, its entry is displayed in light gray text. Click the Detail icon to go to a Summary (more detailed) summary screen of interface statistics. Name This field displays the name of each interface. ZyWALL USG 1000 User’s Guide...
Page 209 If this interface is a member of an active virtual router, this field displays the IP address it is currently using. This is either the static IP address of the interface (if it is the master) or the management IP address (if it is a backup). ZyWALL USG 1000 User’s Guide...
Page 210 This field displays the number of users currently logged in to the Login Users ZyWALL. Click the icon to pop-open a list of the users who are currently logged in to the ZyWALL. See Section 9.2.6 on page 220. ZyWALL USG 1000 User’s Guide...
Page 211 This is how many times the ZyWALL has detected the event described in the entry. Top 5 Intrusions This is the entry’s rank in the list of the most commonly detected intrusions. Signature This is the IDentification number of the IDP signature. ZyWALL USG 1000 User’s Guide...
Page 212: The Cpu Usage Screen
The x-axis shows the time period over which the CPU usage occurred Refresh Enter how often you want this window to be automatically updated. Interval Refresh Click this to update the information in the window right away. ZyWALL USG 1000 User’s Guide...
Page 213: The Memory Usage Screen
The x-axis shows the time period over which the RAM usage occurred Refresh Enter how often you want this window to be automatically updated. Interval Refresh Click this to update the information in the window right away. ZyWALL USG 1000 User’s Guide...
Page 214: The Session Usage Screen
The x-axis shows the time period over which the session usage occurred Refresh Enter how often you want this window to be automatically updated. Interval Refresh Click this to update the information in the window right away. ZyWALL USG 1000 User’s Guide...
Page 215: The Vpn Status Screen
Use this screen to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses. To access this screen, click the icon beside DHCP Table in the dashboard. Figure 213 Dashboard > DHCP Table ZyWALL USG 1000 User’s Guide...
Page 216: The Number Of Login Users Screen
Use this screen to look at a list of the users currently logged into the ZyWALL. To access this screen, click the dashboard’s Number of Login Users icon. Figure 214 Dashboard > Number of Login Users ZyWALL USG 1000 User’s Guide...
Page 217 This field displays the way the user logged in to the ZyWALL. IP address This field displays the IP address of the computer used to log in to the ZyWALL. Force Logout Click this icon to end a user’s session. ZyWALL USG 1000 User’s Guide...
Page 218 Chapter 9 Dashboard ZyWALL USG 1000 User’s Guide...
Page 219: Monitor
• Use the VPN Monitor > SSL screen (see Section 10.12 on page 248) to list the users currently logged into the VPN SSL client portal. You can also log out individual users and delete related session information. ZyWALL USG 1000 User’s Guide...
Page 220: The Port Statistics Screen
10.2 The Port Statistics Screen Use this screen to look at packet statistics for each Gigabit Ethernet port. To access this screen, click Monitor > System Status > Port Statistics. Figure 215 Monitor > System Status > Port Statistics ZyWALL USG 1000 User’s Guide...
Page 221 Up Time This field displays how long the physical port has been connected. System Up This field displays how long the ZyWALL has been running since it last Time restarted or was turned on. ZyWALL USG 1000 User’s Guide...
Page 222: The Port Statistics Graph Screen
This line represents traffic transmitted from the ZyWALL on the physical port since it was last connected. This line represents the traffic received by the ZyWALL on the physical port since it was last connected. ZyWALL USG 1000 User’s Guide...
Page 223: Interface Status Screen
If an Ethernet interface does not have any physical ports associated with Status it, its entry is displayed in light gray text. Expand/Close Click this button to show or hide statistics for all the virtual interfaces on top of the Ethernet interfaces. ZyWALL USG 1000 User’s Guide...
Page 224 Fault - This VRRP group is not functioning in the virtual router right now. For example, this might happen if the interface is down. n/a - Device HA is not active on the interface. Zone This field displays the zone to which the interface is assigned. ZyWALL USG 1000 User’s Guide...
Page 225 This field displays the transmission speed, in bytes per second, on the interface in the one-second interval before the screen updated. Rx B/s This field displays the reception speed, in bytes per second, on the interface in the one-second interval before the screen updated. ZyWALL USG 1000 User’s Guide...
Page 226: The Traffic Statistics Screen
You use the Traffic Statistics screen to tell the ZyWALL when to start and when to stop collecting information for these reports. You cannot schedule data collection; you have to start and stop it manually in the Traffic Statistics screen. Figure 218 Monitor > System Status > Traffic Statistics ZyWALL USG 1000 User’s Guide...
Page 227 Kbytes, Mbytes or Gbytes, depending on the amount of traffic for the particular IP address or user. The count starts over at zero if the number of bytes passes the byte count limit. See Table 32 on page 233. ZyWALL USG 1000 User’s Guide...
Page 228 Table 32 Maximum Values for Reports LABEL DESCRIPTION Maximum Number of Records Byte Count bytes; this is just less than 17 million terabytes. Limit Hit Count Limit 2 hits; this is over 1.8 x 10 hits. ZyWALL USG 1000 User’s Guide...
Page 229: The Session Monitor Screen
Click Monitor > System Status > Session Monitor to display the following screen. Figure 219 Monitor > System Status > Session Monitor ZyWALL USG 1000 User’s Guide...
Page 230 This field displays the user in each active session. If you are looking at the sessions by users (or all sessions) report, click + or - to display or hide details about a user’s sessions. ZyWALL USG 1000 User’s Guide...
Page 231: The Ddns Status Screen
Profile Name This field displays the descriptive profile name for this entry. Domain Name This field displays each domain name the ZyWALL can route. Effective IP This is the (resolved) IP address of the domain name. ZyWALL USG 1000 User’s Guide...
Page 232: Ip/Mac Binding Monitor
This field displays the name used to identify this device on the network (the computer name). The ZyWALL learns these from the DHCP client requests. MAC Address This field displays the MAC address to which the IP address is currently assigned. ZyWALL USG 1000 User’s Guide...
Page 233: The Login Users Screen
This field displays the IP address of the computer used to log in to the ZyWALL. Force Logout Click this icon to end a user’s session. Refresh Click this button to update the information in the screen. ZyWALL USG 1000 User’s Guide...
Page 234: Cellular Status Screen
This field is a sequential value, and it is not associated with any interface. Extension Slot This field displays where the entry’s cellular card is located. Connected This field displays the model name of the cellular card. Device ZyWALL USG 1000 User’s Guide...
Page 235 The network type varies depending on the 3G card you inserted and could be UMTS, UMTS/HSDPA, GPRS or EDGE when you insert a GSM 3G card, or 1xRTT, EVDO Rev.0 or EVDO Rev.A when you insert a CDMA 3G card. ZyWALL USG 1000 User’s Guide...
Page 236: Application Patrol Statistics
Select the protocols for which to display statistics. Protocols Select All selects all of the protocols. Clear All clears all of the protocols. Click Expand to display individual protocols. Collapse hides them. Statistics for the selected protocols display after you click Apply. ZyWALL USG 1000 User’s Guide...
Page 237: Application Patrol Statistics: Bandwidth Statistics
ZyWALL sends to the initiator of the connection. • A dotted line represents a protocol’s outgoing bandwidth usage. This is the protocol’s traffic that the ZyWALL sends out from the initiator of the connection. • Different colors represent different protocols. ZyWALL USG 1000 User’s Guide...
Page 238: Application Patrol Statistics: Protocol Statistics
This is how much of the application’s traffic the ZyWALL identified by Connection examining the IP payload. Matched This is how much of the application’s traffic the ZyWALL identified by Service Ports examining OSI level-3 information such as IP addresses and port Connection numbers. ZyWALL USG 1000 User’s Guide...
Page 239: Application Patrol Statistics: Individual Protocol Statistics By Rule
The bottom of the Monitor > AppPatrol Statistics screen displays statistics for each of the selected protocols. Click a service’s name to display this screen with statistics for each of the service’s application patrol rules. Figure 227 Monitor > AppPatrol Statistics > Service ZyWALL USG 1000 User’s Guide...
Page 240: The Ipsec Monitor Screen
Click Cancel to close this screen. 10.11 The IPSec Monitor Screen You can use the IPSec Monitor screen to display and to manage active IPSec SAs. To access this screen, click Monitor > VPN Monitor > IPSec. The following ZyWALL USG 1000 User’s Guide...
Page 241 Type a page number to go to or use the arrows to navigate the pages of entries. This field is a sequential value, and it is not associated with a specific Name This field displays the name of the IPSec SA. ZyWALL USG 1000 User’s Guide...
Page 242: Regular Expressions In Searching Ipsec Sas
“abc” and ending in “123” matches, no matter how many characters are in between. The whole VPN connection or policy name has to match if you do not use a question mark or asterisk. ZyWALL USG 1000 User’s Guide...
Page 243: The Ssl Connection Monitor Screen
This field displays the number of bytes received by the ZyWALL on this (Bytes) connection. Outbound This field displays the number of bytes transmitted by the ZyWALL on (Bytes) this connection. Refresh Click Refresh to update this screen. ZyWALL USG 1000 User’s Guide...
Page 244: L2Tp Over Ipsec Session Monitor Screen
This field displays the IP address that the ZyWALL assigned for the remote user’s computer to use within the L2TP VPN tunnel. Public IP This field displays the public IP address that the remote user is using to connect to the Internet. ZyWALL USG 1000 User’s Guide...
Page 245: The Anti-Virus Statistics Screen
Total Viruses This field displays the number of different viruses that the ZyWALL has Detected detected. Infected Files This field displays the number of files in which the ZyWALL has detected a Detected virus. ZyWALL USG 1000 User’s Guide...
Page 246 The statistics display as follows when you display the top entries by source. Figure 232 Monitor > Anti-X Statistics > Anti-Virus: Source IP The statistics display as follows when you display the top entries by destination. Figure 233 Monitor > Anti-X Statistics > Anti-Virus: Destination IP ZyWALL USG 1000 User’s Guide...
Page 247: The Idp Statistics Screen
This field displays the number of packets that the ZyWALL has dropped. Total Packet The ZyWALL can detect and drop malicious packets from network traffic. Reset This field displays the number of packets that the ZyWALL has reset. ZyWALL USG 1000 User’s Guide...
Page 248 The statistics display as follows when you display the top entries by source. Figure 235 Monitor > Anti-X Statistics > IDP: Source The statistics display as follows when you display the top entries by destination. Figure 236 Monitor > Anti-X Statistics > IDP: Destination ZyWALL USG 1000 User’s Guide...
Page 249: The Content Filter Statistics Screen
Click this button to discard all of the screen’s statistics and update the report display. Total Web This field displays the number of web pages that the ZyWALL’s content Pages filter feature has checked. Inspected ZyWALL USG 1000 User’s Guide...
Page 250: Content Filter Cache Screen
The ZyWALL only queries the external content filtering database for sites not found in the cache. ZyWALL USG 1000 User’s Guide...
Page 251 Click this button to clear all web site addresses from the cache manually. Remove Select one or more URL entries and click Delete to remove them from the cache. This is the index number of a categorized web site address record. ZyWALL USG 1000 User’s Guide...
Page 252 ZyWALL to reflect changes in the external content filtering database. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG 1000 User’s Guide...
Page 253: The Anti-Spam Statistics Screen
Total Mails This field displays the number of e-mails that the ZyWALL’s anti-spam Scanned feature has checked. Clear Mails This is the number of e-mails that the ZyWALL has determined to not be spam. ZyWALL USG 1000 User’s Guide...
Page 254 This column displays when you display the entries by Sender Mail Address Address. This column displays the e-mail addresses from which the ZyWALL has detected the most spam. Occurrence This field displays how many spam e-mails the ZyWALL detected from the sender. ZyWALL USG 1000 User’s Guide...
Page 255: The Anti-Spam Status Screen
This is the average for how long it takes to receive a reply from this Time (sec) DNSBL. No Response This is how many DNS queries the ZyWALL sent to this DNSBL without receiving a reply. ZyWALL USG 1000 User’s Guide...
Page 256: Log Screen
Events that generate an alert (as well as a log message) display in red. Regular logs display in black. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 241 Monitor > Log ZyWALL USG 1000 User’s Guide...
Page 257 Click this button to clear the whole log, regardless of what is currently displayed on the screen. This field is a sequential value, and it is not associated with a specific log message. Time This field displays the time the log message was recorded. ZyWALL USG 1000 User’s Guide...
Page 258 Note This field displays any additional information about the log message. The Web Configurator saves the filter settings if you leave the View Log screen and return to it later. ZyWALL USG 1000 User’s Guide...
Page 259: Registration
ZyWALL’s serial number and LAN MAC address to register it. Refer to the web site’s on-line help for details. Note: To activate a service on a ZyWALL, you need to access myZyXEL.com via that ZyWALL. ZyWALL USG 1000 User’s Guide...
Page 260 ZyXEL engine anti-virus service subscription and enter the iCard’s PIN number (license key) in the Configuration > Registration > Service screen. The one-year ZyXEL engine anti-virus service subscription is automatically extended to 18 months. ZyWALL USG 1000 User’s Guide...
Page 261: The Registration Screen
Click this button to check with the myZyXEL.com database to verify the user name you entered has not been used. Password Enter a password of between six and 20 alphanumeric characters (and the underscore). Spaces are not allowed. ZyWALL USG 1000 User’s Guide...
Page 262 You can have the ZyWALL block, block and/or log access to web sites based on these categories. Apply Click Apply to save your changes back to the ZyWALL. ZyWALL USG 1000 User’s Guide...
Page 263: The Service Screen
PIN number (license key) in this screen. Click Configuration > Licensing > Registration > Service to open the screen as shown next. Figure 244 Configuration > Licensing > Registration > Service ZyWALL USG 1000 User’s Guide...
Page 264 (specific to your ZyWALL) and enter the new PIN number to extend the service. Service License Click this button to renew service license information (such as the Refresh registration status and expiration day). ZyWALL USG 1000 User’s Guide...
Page 265: Signature Update
• Schedule signature updates for a day and time when your network is least busy to minimize disruption to your network. • Your custom signature configurations are not over-written when you download new signatures. Note: The ZyWALL does not have to reboot when you upload new signatures. ZyWALL USG 1000 User’s Guide...
Page 266: The Antivirus Update Screen
You can also subscribe to signature update e-mail notifications. Signature This field displays the number of signatures in this set. Number Released This field displays the date and time the set was released. Date ZyWALL USG 1000 User’s Guide...
Page 267: Signature Update
ZyWALL periodically if you have subscribed for the IDP/AppPatrol signatures service. You need to create an account at myZyXEL.com, register your ZyWALL and then subscribe for IDP service in order to be able to download new packet inspection ZyWALL USG 1000 User’s Guide...
Page 268 IDP signatures regularly at the time and day specified. You should select a time when your network is not busy for minimal interruption. Hourly Select this option to have the ZyWALL check for new IDP signatures every hour. ZyWALL USG 1000 User’s Guide...
Page 269: The System Protect Update Screen
The system-protection feature is enabled by default and can only be disabled via the commands. You do not need an IDP subscription to use the system-protection feature or to download updated system-protection signatures. Figure 247 Configuration > Licensing > Update > System Protect ZyWALL USG 1000 User’s Guide...
Page 270 Select this option to have the ZyWALL check for new signatures once a week on the day and at the time specified. Apply Click this button to save your changes to the ZyWALL. Reset Click this button to return the screen to its last-saved settings. ZyWALL USG 1000 User’s Guide...
Page 271: Interfaces
Ethernet interfaces to tell the ZyWALL where to route packets. You can create virtual Ethernet interfaces, virtual VLAN interfaces, and virtual bridge interfaces. • Use the Trunks screens (Chapter 14 on page 337) to configure load balancing. ZyWALL USG 1000 User’s Guide...
Page 272 See Section 13.2 on page 280, Chapter 14 on page 337, and Section 13.8 on page 327 for details. The other types of interfaces--Ethernet, PPP, cellular, VLAN, bridge, and virtual--have a lot of similar ZyWALL USG 1000 User’s Guide...
Page 273: Interfaces
Table 56 Relationships Between Different Types of Interfaces REQUIRED PORT / INTERFACE INTERFACE auxiliary interface auxiliary port port group physical port Ethernet interface physical port port group VLAN interface Ethernet interface bridge interface Ethernet interface* VLAN interface* ZyWALL USG 1000 User’s Guide...
Page 274: Port Grouping
(3G) interface. • See Chapter 14 on page 337 to configure load balancing using trunks. 13.2 Port Grouping This section introduces port groups and then explains the screen for port groups. ZyWALL USG 1000 User’s Guide...
Page 275: Port Grouping Overview
8 (the dual-personality Ethernet port and SFP slot pairs). The are always assigned to interfaces ge7 and ge8, respectively. To access this screen, click Configuration > Network > Interface > Port Grouping. Figure 248 Configuration > Network > Interface > Port Grouping ZyWALL USG 1000 User’s Guide...
Page 276: Ethernet Summary Screen
However, the routers also generate more network traffic, and some routing protocols require a significant amount of configuration and management. The ZyWALL supports two routing protocols, RIP and OSPF. See Chapter 16 on page 363 for background information about these routing protocols. ZyWALL USG 1000 User’s Guide...
Page 277 Mask This field displays the interface’s subnet mask in dot decimal notation. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG 1000 User’s Guide...
Page 278: Ethernet Edit
• Select in which direction(s) routing information is exchanged - The ZyWALL can receive routing information, send routing information, or do both. • Set the priority used to identify the DR or BDR if one does not exist. ZyWALL USG 1000 User’s Guide...
Page 279 Chapter 13 Interfaces Figure 250 Configuration > Network > Interface > Ethernet > Edit ZyWALL USG 1000 User’s Guide...
Page 280 General. Select this to make the interface a DHCP client and automatically get the IP address, subnet mask, and gateway address from a DHCP server. You should not select this if the interface is assigned to a VRRP group. Chapter 39 on page 667. ZyWALL USG 1000 User’s Guide...
Page 281 Select icmp to have the ZyWALL regularly ping the gateway you specify to make sure it is still available. Select tcp to have the ZyWALL regularly perform a TCP handshake with the gateway you specify to make sure it is still available. ZyWALL USG 1000 User’s Guide...
Page 282 If this field is blank, the Pool Size must also be blank. In this case, the ZyWALL can assign every IP address allowed by the interface’s IP address and subnet mask, except for the first address (network address), last address (broadcast address) and the interface’s IP address. ZyWALL USG 1000 User’s Guide...
Page 283 Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. This field is a sequential value, and it is not associated with a specific entry. ZyWALL USG 1000 User’s Guide...
Page 284 Choices are: Same-as-Area - use the default authentication method in the area None - disable authentication Text - authenticate OSPF routing information using a plain-text password MD5 - authenticate OSPF routing information using MD5 encryption ZyWALL USG 1000 User’s Guide...
Page 285: Object References
When a configuration screen includes an Object References icon, select a configuration object and click Object References to open the Object References screen. This screen displays which configuration settings reference the selected object. The fields shown vary with the type of object. ZyWALL USG 1000 User’s Guide...
Page 286: Ppp Interfaces
Click Cancel to close the screen. 13.4 PPP Interfaces Use PPPoE/PPTP interfaces to connect to your ISP. This way, you do not have to install or manage PPPoE/PPTP software on each computer in the network. ZyWALL USG 1000 User’s Guide...
Page 287: Ppp Interface Summary
At the time of writing, it is possible to set up the IP address of the gateway (ISP) using CLI commands but not in the Web Configurator. 13.4.1 PPP Interface Summary This screen lists every PPPoE/PPTP interface. To access this screen, click Configuration > Network > Interface > PPP. ZyWALL USG 1000 User’s Guide...
Page 288 Object References Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 13.3.2 on page 291 for an example. This field is a sequential value, and it is not associated with any interface. ZyWALL USG 1000 User’s Guide...
Page 289: Ppp Interface Add Or Edit
Note: You have to set up an ISP account before you create a PPPoE/PPTP interface. This screen lets you configure a PPPoE or PPTP interface. To access this screen, click the Add icon or an Edit icon in the PPP Interface screen. ZyWALL USG 1000 User’s Guide...
Page 290 Table 62 Configuration > Network > Interface > PPP > Add LABEL DESCRIPTION Show Advance Click this button to display a greater or lesser number of configuration Settings / Hide fields. Advance Settings General Settings ZyWALL USG 1000 User’s Guide...
Page 291 ZyWALL decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the ZyWALL uses the one that was configured first. ZyWALL USG 1000 User’s Guide...
Page 292 WAN TRUNK interface as part of a WAN trunk for load balancing. Policy Route Click Policy Route to go to the screen where you can manually configure a policy route to associate traffic with this interface. ZyWALL USG 1000 User’s Guide...
Page 293: Cellular Configuration Screen (3G)
Internet access to mobile devices. Note: The actual data rate you obtain varies depending on the 3G card you use, the signal strength to the service provider’s base station, and so on. ZyWALL USG 1000 User’s Guide...
Page 294 Note: Install (or connect) a compatible 3G card to use a cellular connection. See Chapter 57 on page 891 for details. Note: The WAN IP addresses of a ZyWALL with multiple WAN interfaces must be on different subnets. ZyWALL USG 1000 User’s Guide...
Page 295: Cellular Add/Edit Screen
To change your 3G settings, click Configuration > Network > Interface > Cellular > Add (or Edit). In the pop-up window that displays, select the slot that you want to configure. The following screen displays. ZyWALL USG 1000 User’s Guide...
Page 296 Chapter 13 Interfaces Figure 256 Configuration > Network > Interface > Cellular > Add ZyWALL USG 1000 User’s Guide...
Page 297 GSM or HSDPA 3G card. Enter the APN from your service provider. Connections with different APNs may provide different services (such as Internet access or MMS (Multi-Media Messaging Service)) and charge method. You can enter up to 63 ASCII printable characters. Spaces are allowed. ZyWALL USG 1000 User’s Guide...
Page 298 PIN code incorrectly, the 3G card may be blocked by your ISP and you cannot use the account to access the Internet. If your ISP disabled PIN code authentication, enter an arbitrary number. Interface Parameters ZyWALL USG 1000 User’s Guide...
Page 299 Configure Click Policy Route to go to the policy route summary screen where Policy Route you can configure a policy route to override the default routing and SNAT behavior for the interface. IP Address Assignment ZyWALL USG 1000 User’s Guide...
Page 300 Select this and specify the amount of time (in hours) that the 3G connection can be used within one month. If you change the value after you configure and enable budget control, the ZyWALL resets the statistics. ZyWALL USG 1000 User’s Guide...
Page 301 Log or Log-alert you can also select recurring every to have the ZyWALL send a log or alert for this event periodically. Specify how often (from 1 to 65535 minutes) to send the log or alert. ZyWALL USG 1000 User’s Guide...
Page 302: Vlan Interfaces
In this example, there are two physical networks and three departments A, B, and C. The physical networks are connected to hubs, and the hubs are connected to the router. Alternatively, you can divide the physical networks into three VLANs. Figure 258 Example: After VLAN ZyWALL USG 1000 User’s Guide...
Page 303 Note: Each VLAN interface is created on top of only one Ethernet interface. Otherwise, VLAN interfaces are similar to other interfaces in many ways. They have an IP address, subnet mask, and gateway used to make routing decisions. ZyWALL USG 1000 User’s Guide...
Page 304: Vlan Interfaces
This field displays the name of the interface. Port/VID For VLAN interfaces, this field displays • the Ethernet interface on which the VLAN interface is created • the VLAN ID For virtual interfaces, this field is blank. ZyWALL USG 1000 User’s Guide...
Page 305: Vlan Add/Edit
DHCP settings, and connectivity check for each VLAN interface. To access this screen, click the Add icon at the top of the Add column or click an Edit icon next to a VLAN interface in the VLAN Summary screen. The following screen appears. ZyWALL USG 1000 User’s Guide...
Page 306 Chapter 13 Interfaces Figure 260 Configuration > Network > Interface > VLAN > Edit ZyWALL USG 1000 User’s Guide...
Page 307 Enter the IP address of the gateway. The ZyWALL sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface. ZyWALL USG 1000 User’s Guide...
Page 308 This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check. DHCP Setting The DHCP settings are available for the OPT, LAN and DMZ interfaces. ZyWALL USG 1000 User’s Guide...
Page 309 DHCP clients. The WINS server WINS Server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using. ZyWALL USG 1000 User’s Guide...
Page 310 RIP packets. Choices are 1, 2, and 1 and 2. V2-Broadcast This field is effective when RIP is enabled. Select this to send RIP-2 packets using subnet broadcasting; otherwise, the ZyWALL uses multicasting. ZyWALL USG 1000 User’s Guide...
Page 311 Click Policy Route to go to the screen where you can manually Policy Route configure a policy route to associate traffic with this VLAN. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. ZyWALL USG 1000 User’s Guide...
Page 312: Bridge Interfaces
0B:0B:0B:0B:0B:0B in the table. There is no entry yet, so the bridge broadcasts the packet on ports 1, 3, and 4. Table 68 Example: Bridge Table After Computer A Sends a Packet to Computer B MAC ADDRESS PORT 0A:0A:0A:0A:0A:0A ZyWALL USG 1000 User’s Guide...
Page 313 In this example, virtual Ethernet interface ge1:1 is also removed from the routing table when ge1 is added to br0. Virtual interfaces are automatically added to or remove from a bridge interface when the underlying interface is added or removed. ZyWALL USG 1000 User’s Guide...
Page 314: Bridge Summary
This field displays the Ethernet interfaces and VLAN interfaces in the bridge interface. It is blank for virtual interfaces. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG 1000 User’s Guide...
Page 315: Bridge Add/Edit
DHCP settings, and connectivity check for each bridge interface. To access this screen, click the Add icon at the top of the Add column in the Bridge Summary screen, or click an Edit icon in the Bridge Summary screen. The following screen appears. ZyWALL USG 1000 User’s Guide...
Page 316 Chapter 13 Interfaces Figure 262 Configuration > Network > Interface > Bridge > Add ZyWALL USG 1000 User’s Guide...
Page 317 This field is enabled if you select Use Fixed IP Address. Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network. ZyWALL USG 1000 User’s Guide...
Page 318 Relay Server 1 Enter the IP address of a DHCP server for the network. Relay Server 2 This field is optional. Enter the IP address of another DHCP server for the network. These fields appear if the ZyWALL is a DHCP Server. ZyWALL USG 1000 User’s Guide...
Page 319 Configure a list of static IP addresses the ZyWALL assigns to Table computers connected to the interface. Otherwise, the ZyWALL assigns an IP address dynamically using the interface’s IP Pool Start Address and Pool Size. ZyWALL USG 1000 User’s Guide...
Page 320 This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. ZyWALL USG 1000 User’s Guide...
Page 321: Auxiliary Interface
When the ZyWALL hangs up the call, it drops the Data Terminal Ready (DTR) signal and issues the command ATH. 13.8.2 Auxiliary Use the Auxiliary screen to configure the ZyWALL’s auxiliary interface. Click Configuration > Network > Interface > Auxiliary to open it. ZyWALL USG 1000 User’s Guide...
Page 322 Pulse - select this if the telephone uses pulse-based dialing. Initial String Enter the AT command string to initialize the external modem. the most common string, but you should check the manual for the external modem for additional commands. Auxiliary Configuration ZyWALL USG 1000 User’s Guide...
Page 323: Virtual Interfaces
However, you have to manually specify the IP address and subnet mask; virtual interfaces cannot be DHCP clients. Like other interfaces, you can restrict bandwidth through virtual interfaces, but you ZyWALL USG 1000 User’s Guide...
Page 324: Virtual Interfaces Add/Edit
Enter the IP address of the gateway. The ZyWALL sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface. ZyWALL USG 1000 User’s Guide...
Page 325: Interface Technical Reference
Most interfaces have an IP address and a subnet mask. This information is used to create an entry in the routing table. Figure 265 Example: Entry in the Routing Table Derived from Interfaces Table 75 Example: Routing Table Entries for Interfaces IP ADDRESS(ES) DESTINATION 100.100.1.1/16 200.200.200.1/24 ZyWALL USG 1000 User’s Guide...
Page 326 If the interface gets its IP address and subnet mask from a DHCP server, the DHCP server also specifies the gateway, if any. Interface Parameters The ZyWALL restricts the amount of traffic into and out of the ZyWALL through each interface. ZyWALL USG 1000 User’s Guide...
Page 327 DHCP requests to all of them. It is possible for an interface to be a DHCP relay and a DHCP client simultaneously. As a DHCP server, the interface provides the following information to DHCP clients. At the time of writing, the ZyWALL does not support ingress bandwidth management. ZyWALL USG 1000 User’s Guide...
Page 328 IP address. In this way WINS is similar to DNS, although WINS does not use a hierarchy (unlike DNS). A network can have more than one WINS server. Samba can also serve as a WINS server. ZyWALL USG 1000 User’s Guide...
Page 329 The first one runs on TCP port 1723. It is used to start and manage the second one. The second one uses Generic Routing Encapsulation (GRE, RFC 2890) to transfer information between the computers. PPTP is convenient and easy-to-use, but you have to make sure that firewalls support both PPTP sessions. ZyWALL USG 1000 User’s Guide...
Page 330 Chapter 13 Interfaces ZyWALL USG 1000 User’s Guide...
Page 331: Trunks
• Use the Trunk Edit screen (Section 14.3 on page 343) to configure which interfaces belong to each trunk and the load balancing algorithm each trunk uses. ZyWALL USG 1000 User’s Guide...
Page 332: What You Need To Know
WAN IP address, the server would deny them. Here is an example. Figure 266 Link Sticking LAN user A logs into server B on the Internet. The ZyWALL uses ge2 to send the request to server B. ZyWALL USG 1000 User’s Guide...
Page 333 (current) outbound throughput of WAN 1 is 412K and WAN 2 is 198K. The ZyWALL calculates the load balancing index as shown in the table below. In the load balancing section, a session may refer to normal connection-oriented, UDP or SNMP2 traffic. ZyWALL USG 1000 User’s Guide...
Page 334 Suppose the first trunk member interface uses an unlimited access Internet connection and the second is billed by usage. Spillover load balancing only uses the second interface when the traffic load exceeds the threshold on the first ZyWALL USG 1000 User’s Guide...
Page 335 Trunk screens. • See Section 7.3 on page 124 for an example of how to configure load balancing. • See Section 14.4 on page 345 for more background information on trunks. ZyWALL USG 1000 User’s Guide...
Page 336: The Trunk Summary Screen
This setting applies when you use load balancing and have multiple WAN interfaces set to active mode. Timeout Specify the time period during which sessions from one source to the same destination are to use the same link. ZyWALL USG 1000 User’s Guide...
Page 337: Configuring A Trunk
Click Configuration > Network > Interface > Trunk and then the Add (or Edit) icon to open the Trunk Edit screen. Use this screen to create or edit a WAN trunk entry. Figure 271 Configuration > Network > Interface > Trunk > Add (or Edit) ZyWALL USG 1000 User’s Guide...
Page 338 Select Active to have the ZyWALL always attempt to use this connection. Select Passive to have the ZyWALL only use this connection when all of the connections set to active are down. You can only set one of a group’s interfaces to passive mode. ZyWALL USG 1000 User’s Guide...
Page 339: Trunk Technical Reference
The next queue is given an equal amount of bandwidth, and then moves to the end of the list; and so on, depending on the number of queues being used. This works in a looping fashion until a queue is empty. ZyWALL USG 1000 User’s Guide...
Page 340 Chapter 14 Trunks ZyWALL USG 1000 User’s Guide...
Page 341: Policy And Static Routes
RIP or OSPF to propagate routing information to other routers. 15.1.1 What You Can Do in this Chapter • Use the Policy Route screens (see Section 15.2 on page 350) to list and configure policy routes. ZyWALL USG 1000 User’s Guide...
Page 342: What You Need To Know
Configure static routes if you need to use RIP or OSPF to propagate the routing information to other routers. See Chapter 16 on page 363 for more on RIP and OSPF. ZyWALL USG 1000 User’s Guide...
Page 343: Chapter 15 Policy And Static Routes
DiffServ network. Based on the marking rule, different kinds of traffic can be marked for different kinds of forwarding. Resources can then be allocated according to the DSCP values and the configured policies. ZyWALL USG 1000 User’s Guide...
Page 344: Policy Route Screen
• Limiting the amount of bandwidth available and setting a priority for traffic. IPPR follows the existing packet filtering facility of RAS in style and in implementation. Figure 273 Configuration > Network > Routing > Policy Route ZyWALL USG 1000 User’s Guide...
Page 345 This is the interface on which the packets are received. Source This is the name of the source IP address (group) object. any means all IP addresses. Destination This is the name of the destination IP address (group) object. any means all IP addresses. ZyWALL USG 1000 User’s Guide...
Page 346 This is the maximum bandwidth allotted to the policy. 0 means there is no bandwidth limitation for this route. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG 1000 User’s Guide...
Page 347: Policy Route Edit Screen
Select this to activate the policy. Description Enter a descriptive name of up to 31 printable ASCII characters for the policy. Criteria User Select a user name or user group from which the packets are sent. ZyWALL USG 1000 User’s Guide...
Page 348 HOST address object. The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination. The gateway must be a router or switch on the same segment as your ZyWALL's interface(s). ZyWALL USG 1000 User’s Guide...
Page 349 Use this field to specify a custom DSCP value. Defined DSCP Code Address Use this section to configure NAT for the policy route. This section does Translation not apply to policy routes that use a VPN tunnel as the next hop. ZyWALL USG 1000 User’s Guide...
Page 350 This allows you to allocate bandwidth to a route and prioritize traffic that Shaping matches the routing policy. You must also enable bandwidth management in the main policy route screen (Network > Routing > Policy Route) in order to apply bandwidth shaping. ZyWALL USG 1000 User’s Guide...
Page 351: Ip Static Route Screen
Route screen. This screen displays the configured static routes. Configure static routes to be able to use RIP or OSPF to propagate the routing information to other routers. Figure 275 Configuration > Network > Routing > Static Route ZyWALL USG 1000 User’s Guide...
Page 352: Static Route Add/Edit Screen
255.255.255.255 in the subnet mask field to force the network number to be identical to the host Subnet Mask Enter the IP subnet mask here. ZyWALL USG 1000 User’s Guide...
Page 353: Policy Routing Technical Reference
If congestion occurs between classes, the traffic in the higher class (smaller numbered class) is generally given priority. Combining the classes and drop precedence produces the ZyWALL USG 1000 User’s Guide...
Page 354: Port Triggering
1 using port 1234. The ZyWALL records the IP address of computer A when the packets match a policy with SNAT configured. Game server 1 responds using a port number ranging between 5670 - 5678. The ZyWALL allows and forwards the traffic to computer A. ZyWALL USG 1000 User’s Guide...
Page 355: Maximize Bandwidth Usage
The ZyWALL distributes the available bandwidth equally among policy routes with the same priority level. ZyWALL USG 1000 User’s Guide...
Page 356 Chapter 15 Policy and Static Routes ZyWALL USG 1000 User’s Guide...
Page 357: Routing Protocols
Network Size Small (with up to 15 routers) Large Metric Hop count Bandwidth, hop count, throughput, round trip time and reliability. Convergence Slow Fast Finding Out More Section 16.4 on page 374 for background information on routing protocols. ZyWALL USG 1000 User’s Guide...
Page 358: The Rip Screen
Use the RIP screen to specify the authentication method and maintain the policies for redistribution. Click Configuration > Network > Routing > RIP to open the following screen. Figure 278 Configuration > Network > Routing > RIP ZyWALL USG 1000 User’s Guide...
Page 359: The Ospf Screen
Click this button to return the screen to its last-saved settings. 16.3 The OSPF Screen OSPF (Open Shortest Path First, RFC 2328) is a link-state protocol designed to distribute routing information within a group of networks, called an Autonomous ZyWALL USG 1000 User’s Guide...
Page 360 • A Not So Stubby Area (NSSA, RFC 1587) has routing information about the OSPF AS and networks outside the OSPF AS to which the NSSA is directly connected. It does not have any routing information about other networks outside the OSPF AS. ZyWALL USG 1000 User’s Guide...
Page 361 • An Area Border Router (ABR) connects two or more areas. It is a member of all the areas to which it is connected, and it filters, summarizes, and exchanges routing information between them. ZyWALL USG 1000 User’s Guide...
Page 362 BDR in another group, and neither in a third group all at the same time. Virtual Links In some OSPF AS, it is not possible for an area to be directly connected to the backbone. In this case, you can create a virtual link through an intermediate area ZyWALL USG 1000 User’s Guide...
Page 363: Configuring The Ospf Screen
Use the first OSPF screen to specify the OSPF router the ZyWALL uses in the OSPF AS and maintain the policies for redistribution. In addition, it provides a summary of OSPF areas, allows you to remove them, and opens the OSPF Add/Edit screen to add or edit them. ZyWALL USG 1000 User’s Guide...
Page 364 OSPF AS, and it can be between 1 and 16777214. Active Static Select this to advertise routes that were learned from static routes. Route The ZyWALL advertises routes learned from static routes to all types of areas. ZyWALL USG 1000 User’s Guide...
Page 365 Type field above. Authentication This field displays the default authentication method in the area. Apply Click this button to save your changes to the ZyWALL. Reset Click this button to return the screen to its last-saved settings. ZyWALL USG 1000 User’s Guide...
Page 366: Ospf Area Add/Edit Screen
None uses no authentication. Text uses a plain text password that is sent over the network (not very secure). MD5 uses an MD5 password and authentication ID (most secure). ZyWALL USG 1000 User’s Guide...
Page 367: Virtual Link Add/Edit Screen
16.3.3 Virtual Link Add/Edit Screen The Virtual Link Add/Edit screen allows you to create a new virtual link or edit an existing one. When the OSPF add or edit screen (see Section 16.3.2 on page ZyWALL USG 1000 User’s Guide...
Page 368: Routing Protocol Technical Reference
Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. 16.4 Routing Protocol Technical Reference Here is more detailed information about RIP and OSPF. ZyWALL USG 1000 User’s Guide...
Page 369 Alternatively, you can override the default in any interface or virtual link by selecting a specific authentication method. Please see the respective interface sections for more information. ZyWALL USG 1000 User’s Guide...
Page 370 Chapter 16 Routing Protocols ZyWALL USG 1000 User’s Guide...
Page 371: Zones
Virtual interfaces are automatically assigned to the same zone as the interface on which they run. Figure 285 Example: Zones 17.1.1 What You Can Do in this Chapter Use the Zone screens (see Section 17.2 on page 379) to manage the ZyWALL’s zones. ZyWALL USG 1000 User’s Guide...
Page 372: What You Need To Know
Finding Out More • See Section 6.5.8 on page 107 for related information on these screens. • See Section 7.1 on page 119 for an example of configuring Ethernet interfaces, port groups, and zones. ZyWALL USG 1000 User’s Guide...
Page 373: The Zone Screen
This field displays the name of the zone. Block Intra- This field indicates whether or not the ZyWALL blocks network traffic zone between members in the zone. Member This field displays the names of the interfaces that belong to each zone. ZyWALL USG 1000 User’s Guide...
Page 374: Zone Edit
Select any interfaces that you want to remove from the zone, and click the left arrow button to remove them. Click OK to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving. ZyWALL USG 1000 User’s Guide...
Page 375: Ddns
Table 94 DDNS Service Providers PROVIDER SERVICE TYPES SUPPORTED WEBSITE DynDNS Dynamic DNS, Static DNS, and Custom DNS www.dyndns.com Dynu Basic, Premium www.dynu.com No-IP No-IP www.no-ip.com Peanut Hull Peanut Hull www.oray.cn 3322 3322 Dynamic DNS, 3322 Static DNS www.3322.org ZyWALL USG 1000 User’s Guide...
Page 376: The Ddns Screen
Profile Name This field displays the descriptive profile name for this entry. DDNS Type This field displays which DDNS service you are using. Domain Name This field displays each domain name the ZyWALL can route. ZyWALL USG 1000 User’s Guide...
Page 377: Chapter 18 Ddns
ZyWALL for the IP address to use for the domain name. custom - The IP address is static. Apply Click this button to save your changes to the ZyWALL. Reset Click this button to return the screen to its last-saved settings. ZyWALL USG 1000 User’s Guide...
Page 378: The Dynamic Dns Add/Edit Screen
), or dashes (-), but the first character cannot be a number. This value is case-sensitive. This field is read-only when you are editing an entry. DDNS Type Select the type of DDNS service you are using. ZyWALL USG 1000 User’s Guide...
Page 379 Select the interface to use for updating the IP address mapped to the domain name. Select Any to let the domain name be used with any interface. Select None to not use a backup address. ZyWALL USG 1000 User’s Guide...
Page 380 Once your mail server is available again, the DynDNS server delivers the mail to you. See www.dyndns.org for more information about this service. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. ZyWALL USG 1000 User’s Guide...
Page 381: Nat
Use the NAT screens (see Section 19.2 on page 388) to view and manage the list of NAT rules and see their configuration details. You can also create new NAT rules and edit or delete existing ones. ZyWALL USG 1000 User’s Guide...
Page 382: What You Need To Know
Table 97 Configuration > Network > NAT LABEL DESCRIPTION Click this to create a new entry. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. ZyWALL USG 1000 User’s Guide...
Page 383: Chapter 19 Nat
This field displays the new destination port(s) for the packet. This field is blank if there is no restriction on the original destination port. Apply Click this button to save your changes to the ZyWALL. Reset Click this button to return the screen to its last-saved settings. ZyWALL USG 1000 User’s Guide...
Page 384: The Nat Add/Edit Screen
Type in the name of the NAT rule. The name is used to refer to the NAT rule. You may use 1-31 alphanumeric characters, underscores( ), or dashes (-), but the first character cannot be a number. This value is case-sensitive. ZyWALL USG 1000 User’s Guide...
Page 385 ZyWALL. If you select one of them, this NAT rule supports the IP address specified by the address object. User Defined This field is available if Mapped IP is User Defined. Type the translated Original IP destination IP address that this NAT rule supports. ZyWALL USG 1000 User’s Guide...
Page 386 LAN interface’s IP address as the source address for the traffic it sends to the LAN server. See NAT Loopback on page 393 for more details. If you do not enable NAT loopback, this NAT rule only applies to packets received on the rule’s specified incoming interface. ZyWALL USG 1000 User’s Guide...
Page 387: Nat Technical Reference
Suppose a NAT 1:1 rule maps a public IP address to the private IP address of a LAN SMTP e-mail server to give WAN users access. NAT loopback allows other users to also use the rule’s original IP to access the mail server. ZyWALL USG 1000 User’s Guide...
Page 388 The LAN SMTP server replies to the ZyWALL’s LAN IP address and the ZyWALL changes the source address to 1.1.1.1 before sending it to the LAN user. The return traffic’s source matches the original destination address (1.1.1.1). If the ZyWALL USG 1000 User’s Guide...
Page 389 LAN user’s computer to shut down the session. Figure 295 LAN to LAN Return Traffic Source 192.168.1.21 Source 1.1.1.1 SMTP SMTP 192.168.1.21 192.168.1.89 ZyWALL USG 1000 User’s Guide...
Page 390 Chapter 19 NAT ZyWALL USG 1000 User’s Guide...
Page 391: Http Redirect
Figure 296 HTTP Redirect Example LAN1 20.1.1 What You Can Do in this Chapter Use the HTTP Redirect screens (see Section 20.2 on page 399) to display and edit the HTTP redirect rules. ZyWALL USG 1000 User’s Guide...
Page 392: What You Need To Know
• a HTTP redirect rule to forward HTTP traffic from ge1 to proxy server A. For HTTP traffic between ge4 and ge2: • a from DMZ to WAN firewall rule (default) to allow HTTP requests from ge4 to ge2. Responses to these requests are allowed automatically. ZyWALL USG 1000 User’s Guide...
Page 393: The Http Redirect Screen
This icon is lit when the entry is active and dimmed when the entry is inactive. Name This is the descriptive name of a rule. Interface This is the interface on which the request must be received. Proxy Server This is the IP address of the proxy server. ZyWALL USG 1000 User’s Guide...
Page 394: The Http Redirect Edit Screen
Enter the IP address of the proxy server. Port Enter the port number that the proxy server uses. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. ZyWALL USG 1000 User’s Guide...
Page 395: Alg
The ALG feature is only needed for traffic that goes through the ZyWALL’s NAT. 21.1.1 What You Can Do in this Chapter Use the ALG screen (Section 21.2 on page 405) to set up SIP, H.323, and FTP ALG settings. ZyWALL USG 1000 User’s Guide...
Page 396: What You Need To Know
Figure 300 H.323 ALG Example SIP ALG • SIP phones can be in any zone (including LAN, DMZ, WAN), and the SIP server and SIP clients can be in the same network or different networks. ZyWALL USG 1000 User’s Guide...
Page 397: Chapter 21 Alg
LAN IP address A make calls out through WAN IP address 1. Configure another policy route to have H.323 (or SIP) calls from LAN IP addresses B and C go out through WAN IP address 2. Even though only LAN IP address A ZyWALL USG 1000 User’s Guide...
Page 398 ALG for peer-to-peer H.323 traffic. • See Section 7.12 on page 157 for an example of making an IPPBX using SIP or a SIP server in the DMZ zone accessible from the Internet (the WAN zone). ZyWALL USG 1000 User’s Guide...
Page 399: Before You Begin
SIP ALG time outs. Note: If the ZyWALL provides an ALG for a service, you must enable the ALG in order to use the application patrol on that service’s traffic. Figure 303 Configuration > Network > ALG ZyWALL USG 1000 User’s Guide...
Page 400 If you are using a custom TCP port number (not 1720) for H.323 Port traffic, enter it here. Additional H.323 If you are also using H.323 on an additional TCP port number, enter it Signaling Port here. Transformations ZyWALL USG 1000 User’s Guide...
Page 401: Alg Technical Reference
ALG-managed traffic uses. You could also have a trunk with one interface set to active and a second interface set to passive. The ZyWALL does not automatically change ALG-managed ZyWALL USG 1000 User’s Guide...
Page 402 SIP handles telephone calls and can interface with traditional circuit- switched telephone networks. When you make a VoIP call using H.323 or SIP, the RTP (Real time Transport Protocol) is used to handle voice data transfer. See RFC 1889 for details on RTP. ZyWALL USG 1000 User’s Guide...
Page 403: Ip/Mac Binding
(Section 22.2 on page 410) to bind IP addresses to MAC addresses. • Use the Exempt List screen (Section 22.3 on page 413) to configure ranges of IP addresses to which the ZyWALL does not apply IP/MAC binding. ZyWALL USG 1000 User’s Guide...
Page 404: What You Need To Know
To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate. This field is a sequential value, and it is not associated with a specific entry. ZyWALL USG 1000 User’s Guide...
Page 405: Ip/Mac Binding Edit
MAC addresses. This stops anyone else from Binding manually using a bound IP address on another device connected to this interface. Use this to make use only the intended users get to use specific IP addresses. ZyWALL USG 1000 User’s Guide...
Page 406: Static Dhcp Edit
MAC Binding Edit screen. Click the Add or Edit icon to open the following screen. Use this screen to configure an interface’s IP to MAC address binding settings. Figure 307 Configuration > Network > IP/MAC Binding > Edit > Add ZyWALL USG 1000 User’s Guide...
Page 407: Ip/Mac Binding Edit
This is the index number of the IP/MAC binding list entry. Name Enter a name to help identify this entry. Start IP Enter the first IP address in a range of IP addresses for which the ZyWALL does not apply IP/MAC binding. ZyWALL USG 1000 User’s Guide...
Page 408 Click the Add icon to add a new entry. Click the Remove icon to delete an entry. A window displays asking you to confirm that you want to delete it. Apply Click Apply to save your changes back to the ZyWALL. ZyWALL USG 1000 User’s Guide...
Page 409: Authentication Policy
Figure 309 Authentication Policy Using Endpoint Security 23.1.1 What You Can Do in this Chapter Use the Configuration > Auth. Policy screens (Section 23.2 on page 416) to create and manage authentication policies. ZyWALL USG 1000 User’s Guide...
Page 410: What You Need To Know
Section 7.8 on page 144 for an example of how to use endpoint security and authentication policies. 23.2 Authentication Policy Screen The Authentication Policy screen displays the authentication policies you have configured on the ZyWALL. ZyWALL USG 1000 User’s Guide...
Page 411: Chapter 23 Authentication Policy
Chapter 23 Authentication Policy Click Configuration > Auth. Policy to display the screen. Figure 310 Configuration > Auth. Policy ZyWALL USG 1000 User’s Guide...
Page 412 To turn off an entry, select it and click Inactivate. Move To move an entry to a different number in the list, click the Move icon. In the field that appears, specify the number to which you want to move the interface. ZyWALL USG 1000 User’s Guide...
Page 413: Creating/Editing An Authentication Policy
Click this button to return the screen to its last-saved settings. 23.2.1 Creating/Editing an Authentication Policy Click Configuration > Auth. Policy and then the Add (or Edit) icon to open the Endpoint Security Edit screen. Use this screen to configure an authentication policy. ZyWALL USG 1000 User’s Guide...
Page 414 Destination Select a destination address or address group for whom this policy Address applies. Select any if the policy is effective for every destination. This is any and not configurable for the default policy. ZyWALL USG 1000 User’s Guide...
Page 415 Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. ZyWALL USG 1000 User’s Guide...
Page 416 Chapter 23 Authentication Policy ZyWALL USG 1000 User’s Guide...
Page 417: Firewall
431) to enable or disable the firewall and asymmetrical routes, and manage and configure firewall rules. • Use the Session Limit screens (see Section 24.3 on page 436) to limit the number of concurrent NAT/firewall sessions a client can use. ZyWALL USG 1000 User’s Guide...
Page 418 • The firewall allows only LAN, WAN computers to access or manage the ZyWALL. • The ZyWALL drops most packets from the WAN zone to the ZyWALL itself, except for VRRP traffic for Device HA and ESP/AH/IKE/NATT/HTTPS services for VPN tunnels, and generates a log. ZyWALL USG 1000 User’s Guide...
Page 419: Chapter 24 Firewall
After you create a VPN tunnel and add it to a zone, you can set the firewall rules applied to VPN traffic. If you add a VPN tunnel to an existing zone (the LAN zone for example), you can configure a new LAN to LAN firewall rule or use intra-zone ZyWALL USG 1000 User’s Guide...
Page 420: Firewall Rule Example Applications
(Internet Relay Chat) through the Internet. To do this, you would configure a LAN to WAN firewall rule that blocks IRC traffic from any source IP address from going to any destination address. You do not need to specify a schedule since you need ZyWALL USG 1000 User’s Guide...
Page 421 • Has a static IP address, • You configure a static DHCP entry for it so the ZyWALL always assigns it the same IP address (see DHCP Settings on page 333 for information on DHCP). ZyWALL USG 1000 User’s Guide...
Page 422 CEO) to allow IRC traffic from any source IP address to go to any destination address. Your firewall would have the following configuration. Table 111 Limited LAN1 to WAN IRC Traffic Example 2 USER SOURCE DESTINATION SCHEDULE SERVICE ACTION Allow Deny Allow ZyWALL USG 1000 User’s Guide...
Page 423: Firewall Rule Configuration Example
At the top of the screen, click Create new Object > Address. The screen for configuring an address object opens. Configure it as follows and click OK. Figure 317 Firewall Example: Create an Address Object Click Create new Object > Service. ZyWALL USG 1000 User’s Guide...
Page 424 Select Dest_1 is selected for the Destination and Doom is selected as the Service. Enter a description and configure the rest of the screen as follows. Click OK when you are done. Figure 319 Firewall Example: Edit a Firewall Rule ZyWALL USG 1000 User’s Guide...
Page 425: The Firewall Screen
A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN. The ZyWALL reroutes the packet to gateway A, which is in Subnet 2. The reply from the WAN goes to the ZyWALL. ZyWALL USG 1000 User’s Guide...
Page 426: Configuring The Firewall Screen
So for example, if you configure a NAT entry that sends WAN traffic to a LAN IP address, when you configure a corresponding firewall rule to allow the traffic, you need to set the LAN IP address as the destination. See Section 7.10 on page 150 for an example. ZyWALL USG 1000 User’s Guide...
Page 427 Note: Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL. A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets. ZyWALL USG 1000 User’s Guide...
Page 428 This is the user name or user group name to which this firewall rule applies. Source This displays the source address object to which this firewall rule applies. Destination This displays the destination address object to which this firewall rule applies. ZyWALL USG 1000 User’s Guide...
Page 429: The Firewall Add/Edit Screen
Select this check box to activate the firewall rule. From For through-ZyWALL rules, select the direction of travel of packets to which the rule applies. any means all interfaces or VPN tunnels. ZyWALL means packets destined for the ZyWALL itself. ZyWALL USG 1000 User’s Guide...
Page 430: The Session Limit Screen
Click Configuration > Firewall > Session Limit to display the Firewall Session Limit screen. Use this screen to limit the number of concurrent NAT/ firewall sessions a client can use. You can apply a default limit for all users and ZyWALL USG 1000 User’s Guide...
Page 431 [ENTER] to move the rule to the number that you typed. The ordering of your rules is important as they are applied in order of their numbering. Status This icon is lit when the entry is active and dimmed when the entry is inactive. ZyWALL USG 1000 User’s Guide...
Page 432: The Session Limit Add/Edit Screen
Use to configure any new settings objects that you need to use in this Object screen. Enable Rule Select this check box to turn on this session limit rule. Description Enter information to help you identify this rule. Use up to 64 printable ASCII characters. Spaces are allowed. ZyWALL USG 1000 User’s Guide...
Page 433 For this rule’s users and addresses, this setting overrides the Default Session per Host setting in the general Firewall Session Limit screen. Click OK to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving. ZyWALL USG 1000 User’s Guide...
Page 434 Chapter 24 Firewall ZyWALL USG 1000 User’s Guide...
Page 435: Ipsec Vpn
VPN gateway a VPN connection policy uses and which devices (behind the IPSec routers) can use the VPN tunnel and the IPSec SA settings (phase 2 settings). You can also activate / deactivate and connect / disconnect each VPN connection (each IPSec SA). ZyWALL USG 1000 User’s Guide...
Page 436: What You Need To Know
Between routers X and Y, the data is protected by tunneling, encryption, authentication, and other security features of the IPSec SA. The IPSec SA is secure because routers X and Y established the IKE SA first. ZyWALL USG 1000 User’s Guide...
Page 437: Chapter 25 Ipsec Vpn
Only the clients can initiate the VPN Only this ZyWALL initiate the VPN tunnel. can initiate the VPN tunnel. tunnel. Finding Out More • See Section 6.5.15 on page 110 for related information on these screens. ZyWALL USG 1000 User’s Guide...
Page 438: The Vpn Connection Screen
The VPN Connection screen lists the VPN connection policies and their associated VPN gateway(s), and various settings. In addition, it also lets you activate / deactivate and connect / disconnect each VPN connection (each IPSec ZyWALL USG 1000 User’s Guide...
Page 439 Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate. Connect To connect an IPSec SA, select it and click Connect. ZyWALL USG 1000 User’s Guide...
Page 440: The Vpn Connection Add/Edit (Ike) Screen
444), and click either the Add icon or an Edit icon. If you click the Add icon, you have to select a specific VPN gateway in the VPN Gateway field before the following screen appears. ZyWALL USG 1000 User’s Guide...
Page 441 Chapter 25 IPSec VPN Figure 329 Configuration > VPN > IPSec VPN > VPN Connection > Edit (IKE) ZyWALL USG 1000 User’s Guide...
Page 442 IKE key management. See Section 25.2.2 on page 453 for how to configure the manual key fields. Note: Only use manual key as a temporary solution, because it is not as secure as a regular IPSec SA. ZyWALL USG 1000 User’s Guide...
Page 443 Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. This field is a sequential value, and it is not associated with a specific proposal. The sequence of proposals should not affect performance significantly. ZyWALL USG 1000 User’s Guide...
Page 444 DH key group. Connectivity The ZyWALL can regularly check the VPN connection to the gateway Check you specified to make sure it is still available. Enable Select this to turn on the VPN connection check. Connectivity Check ZyWALL USG 1000 User’s Guide...
Page 445 (or select Create Object to configure a new one). This is the address object for the local network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT). ZyWALL USG 1000 User’s Guide...
Page 446 The size of the original port range must be the same size as the size of the mapped port range. Click OK to save the changes. Cancel Click Cancel to discard all changes and return to the main VPN screen. ZyWALL USG 1000 User’s Guide...
Page 447: The Vpn Connection Add/Edit Manual Key Screen
Table 119 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual LABEL DESCRIPTION Manual Key My Address Type the IP address of the ZyWALL in the IPSec SA. 0.0.0.0 is invalid. ZyWALL USG 1000 User’s Guide...
Page 448 Select which hash algorithm to use to authenticate packet data in the Algorithm IPSec SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower. The ZyWALL and remote IPSec router must use the same algorithm. ZyWALL USG 1000 User’s Guide...
Page 449 12345678901234567890 for a MD5 authentication key, the ZyWALL only uses 1234567890123456. The ZyWALL still stores the longer key. Click OK to save your settings and exit this screen. Cancel Click Cancel to exit this screen without saving. ZyWALL USG 1000 User’s Guide...
Page 450: The Vpn Gateway Screen
This field displays the interface or a domain name the ZyWALL uses for the VPN gateway. Secure Gateway This field displays the IP address(es) of the remote IPSec routers. VPN Connection This field displays VPN connections that use this VPN gateway. ZyWALL USG 1000 User’s Guide...
Page 451: The Vpn Gateway Add/Edit Screen
The VPN Gateway Add/Edit screen allows you to create a new VPN gateway policy or edit an existing one. To access this screen, go to the VPN Gateway summary screen (see Section 25.3 on page 456), and click either the Add icon or an Edit icon. ZyWALL USG 1000 User’s Guide...
Page 452 Chapter 25 IPSec VPN Figure 332 Configuration > VPN > IPSec VPN > VPN Gateway > Edit ZyWALL USG 1000 User’s Guide...
Page 453 Select Dynamic Address if the remote IPSec router has a dynamic IP address (and does not use DDNS). Authentication Note: The ZyWALL and remote IPSec router must use the same authentication method to establish the IKE SA. ZyWALL USG 1000 User’s Guide...
Page 454 ZyWALL during authentication. Choices are: IP - the ZyWALL is identified by an IP address DNS - the ZyWALL is identified by a domain name E-mail - the ZyWALL is identified by an e-mail address ZyWALL USG 1000 User’s Guide...
Page 455 Any - the ZyWALL does not check the identity of the remote IPSec router If the ZyWALL and remote IPSec router use certificates, there is one more choice. Subject Name - the remote IPSec router is identified by the subject name in the certificate ZyWALL USG 1000 User’s Guide...
Page 456 Type the maximum number of seconds the IKE SA can last. When (Seconds) this time has passed, the ZyWALL and remote IPSec router have to update the encryption and authentication keys and re-negotiate the IKE SA. This does not affect any existing IPSec SAs, however. ZyWALL USG 1000 User’s Guide...
Page 457 DH5 - use a 1536-bit random number The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group. ZyWALL USG 1000 User’s Guide...
Page 458 IPSec router. The password can be 1-31 ASCII characters. It is case- sensitive, but spaces are not allowed. Click OK to save your settings and exit this screen. Cancel Click Cancel to exit this screen without saving. ZyWALL USG 1000 User’s Guide...
Page 459: Vpn Concentrator
25.4.1 IPSec VPN Concentrator Example You can use the ZyWALL’s VPN concentrator feature to combine multiple IPSec VPN connections into one secure network. In this example branch office A, headquarters (HQ), and branch office B all have USG ZyWALLs. ZyWALL USG 1000 User’s Guide...
Page 460 • Disable Policy Enforcement Policy Route • Source: 192.168.11.0 • Destination: 192.168.12.0 • Next Hop: VPN Tunnel 1 Headquarters (ZyWALL USG): VPN Gateway (VPN Tunnel 1): • My Address: 10.0.0.1 • Peer Gateway Address: 10.0.0.2 ZyWALL USG 1000 User’s Guide...
Page 461 • Remote Policy: 192.168.1.0/255.255.255.0 • Disable Policy Enforcement Policy Route • Source: 192.168.12.0 • Destination: 192.168.11.0 • Next Hop: VPN Tunnel 2 25.4.1.1 VPN Concentrator Requirements and Suggestions Consider the following when using the VPN concentrator. ZyWALL USG 1000 User’s Guide...
Page 462: Vpn Concentrator Screen
These are the VPN connection policies that are part of the VPN concentrator. 25.4.3 The VPN Concentrator Add/Edit Screen The VPN Concentrator Add/Edit screen allows you to create a new VPN concentrator or edit an existing one. To access this screen, go to the VPN ZyWALL USG 1000 User’s Guide...
Page 463: Ipsec Vpn Background Information
VPN concentrator, and click the left arrow button to remove them. Click OK to save your changes in the ZyWALL. Cancel Click Cancel to exit this screen without saving. 25.5 IPSec VPN Background Information Here is some more detailed IPSec VPN background information. ZyWALL USG 1000 User’s Guide...
Page 464: Ike Sa Overview
IKE SA. In main mode, this is done in steps 1 and 2, as illustrated next. Figure 337 IKE SA: Main Negotiation Mode, Steps 1 - 2: IKE SA Proposal One or more proposals, each one consisting of: - encryption algorithm - authentication algorithm - Diffie-Hellman key group ZyWALL USG 1000 User’s Guide...
Page 465 Figure 338 IKE SA: Main Negotiation Mode, Steps 3 - 4: DH Key Exchange Diffie-Hellman key exchange DH public-key cryptography is based on DH key groups. Each key group is a fixed number of bits long. The longer the key, the more secure the encryption, but also ZyWALL USG 1000 User’s Guide...
Page 466 You have to create (and distribute) a pre-shared key. The ZyWALL and remote IPSec router use it in the authentication process, though it is not actually transmitted or exchanged. Note: The ZyWALL and the remote IPSec router must use the same pre-shared key. ZyWALL USG 1000 User’s Guide...
Page 467 ZyWALL provides another way to check the identity of the remote IPSec router (for example, extended authentication) or if you are troubleshooting a VPN tunnel. Additional Topics for IKE SA This section provides more information about IKE SA. ZyWALL USG 1000 User’s Guide...
Page 468 The routers cannot establish a VPN tunnel. Most routers like router A now have an IPSec pass-thru feature. This feature helps router A recognize VPN packets and route them appropriately. If router A has this ZyWALL USG 1000 User’s Guide...
Page 469 • Instead of using the pre-shared key, the ZyWALL and remote IPSec router check the signatures on each other’s certificates. Unlike pre-shared keys, the signatures do not have to match. ZyWALL USG 1000 User’s Guide...
Page 470: Ipsec Sa Overview
ZyWALL and remote IPSec router (for example, for remote management), not between computers on the local and remote networks. Note: The ZyWALL and remote IPSec router must use the same encapsulation. ZyWALL USG 1000 User’s Guide...
Page 471 If you do not enable PFS, the ZyWALL and remote IPSec router use the same root key that was generated when the IKE SA was established to generate encryption keys. The DH key exchange is time-consuming and may be unnecessary for data that does not require such security. ZyWALL USG 1000 User’s Guide...
Page 472 • Destination address in inbound packets - this translation is used if you want to forward packets (for example, mail) from the remote network to a specific computer (like the mail server) in the local network. ZyWALL USG 1000 User’s Guide...
Page 473 To set up this NAT, you have to specify the following information: • Source - the original source address; the remote network (B). • Destination - the original destination address; the local network (A). ZyWALL USG 1000 User’s Guide...
Page 474 IP address of the mail server in the local network (A). • Mapped Port - the translated destination port or range of destination ports. The original port range and the mapped port range must be the same size. ZyWALL USG 1000 User’s Guide...
Page 475: Ssl Vpn
ZyWALL appears to be the server to remote users. This provides an added layer of protection for your internal servers. With reverse proxy mode, remote users can easily access any web-based applications on the local network by clicking on links or entering the provided URL. ZyWALL USG 1000 User’s Guide...
Page 476 • assign private IP addresses and provide DNS/WINS server information to remote users to access internal networks. SSL Access Policy Objects The SSL access policies reference the following objects. If you update this information, in response to changes, the ZyWALL automatically propagates the ZyWALL USG 1000 User’s Guide...
Page 477: Chapter 26 Ssl Vpn
ZyWALL (after you have configured the SSL VPN settings on the ZyWALL). • See Chapter 49 on page 773 for details on endpoint security objects. • See Chapter 48 on page 765 for details on SSL application objects. ZyWALL USG 1000 User’s Guide...
Page 478: The Ssl Access Privilege Screen
This field displays the user account or user group name(s) associated to an SSL access policy. This field displays up to three names. Access Policy This field displays details about the SSL application object this policy Summary uses including its name, type, and address. ZyWALL USG 1000 User’s Guide...
Page 479 Chapter 26 SSL VPN Table 127 VPN > SSL VPN > Access Privilege LABEL DESCRIPTION Apply Click Apply to save the settings. Reset Click Reset to discard all changes. ZyWALL USG 1000 User’s Guide...
Page 480: The Ssl Access Policy Add/Edit Screen
26.2.1 The SSL Access Policy Add/Edit Screen To create a new or edit an existing SSL access policy, click the Add or Edit icon in the Access Privilege screen. Figure 346 VPN > SSL VPN > Access Privilege > Add/Edit ZyWALL USG 1000 User’s Guide...
Page 481 To make the endpoint security check as efficient as possible, arrange the endpoint security objects in order with the one that the most users should match first and the one that the least users should match last. ZyWALL USG 1000 User’s Guide...
Page 482: The Ssl Global Setting Screen
26.3 The SSL Global Setting Screen Click VPN > SSL VPN and click the Global Setting tab to display the following screen. Use this screen to set the IP address of the ZyWALL (or a gateway device) ZyWALL USG 1000 User’s Guide...
Page 483 Login Message Specify a message to display on the screen when a user logs in and an SSL VPN connection is established successfully. You can enter up to 60 characters (“a-z”, A-Z”, “0-9”) with spaces allowed. ZyWALL USG 1000 User’s Guide...
Page 484: How To Upload A Custom Logo
Click Browse to locate the logo graphic. Make sure the file is in GIF, JPG, or PNG format. Click Apply to start the file transfer process. Log in as a user to verify that the new logo displays properly. ZyWALL USG 1000 User’s Guide...
Page 485: Establishing An Ssl Vpn Connection
SSL VPN button to establish an SSL VPN connection. See Section 27.2 on page 494 for details. Display the ZyWALL’s login screen and enter your user account information (the user name and password). Click SSL VPN. Figure 349 Login Screen ZyWALL USG 1000 User’s Guide...
Page 486 Login screen. Clear the Login to SSL VPN check box and try logging in again. For more information on user portal screens, refer to Chapter 27 on page 493. ZyWALL USG 1000 User’s Guide...
Page 487: Ssl User Screens
ZyWALL SecuExtender client program to your computer. With the ZyWALL SecuExtender, you can access network resources, remote desktops and manage files as if you were on the local network. See Chapter 30 on page 513 for more on the ZyWALL SecuExtender. ZyWALL USG 1000 User’s Guide...
Page 488: Remote User Login
SSL VPN on the ZyWALL. 27.2 Remote User Login This section shows you how to access and log into the network through the ZyWALL. Example screens for Internet Explorer are shown. ZyWALL USG 1000 User’s Guide...
Page 489: Chapter 27 Ssl User Screens
If a token password is also required, enter it in the One-Time Password field. Click SSL VPN to log in and establish an SSL VPN connection to the network to access network resources. Figure 354 Login Screen ZyWALL USG 1000 User’s Guide...
Page 490 Figure 355 Java Needed Message The ZyWALL tries to install the SecuExtender client. As shown next, you may have to click some pop-ups to get your browser to allow the installation. Figure 356 ActiveX Object Installation Blocked by Browser ZyWALL USG 1000 User’s Guide...
Page 491 In Internet Explorer, click Run. Figure 358 SecuExtender Progress Click Next to use the setup wizard to install the SecuExtender client on your computer. Figure 359 SecuExtender Progress ZyWALL USG 1000 User’s Guide...
Page 492 11 The Application screen displays showing the list of resources available to you. Figure 361 on page 499 for a screen example. Note: Available resource links vary depending on the configuration your network administrator made. ZyWALL USG 1000 User’s Guide...
Page 493: The Ssl Vpn User Screens
This part of the screen displays a list of the resources available to you. In the Application screen, click on a link to access or display the access method. In the File Sharing screen, click on a link to open a file or directory. ZyWALL USG 1000 User’s Guide...
Page 494: Bookmarking The Zywall
To properly terminate a connection, click on the Logout icon in any remote user screen. Click the Logout icon in any remote user screen. A prompt window displays. Click OK to continue. Figure 363 Logout: Prompt ZyWALL USG 1000 User’s Guide...
Page 495 Chapter 27 SSL User Screens An information screen displays to indicate that the SSL VPN connection is about to terminate. Figure 364 Logout: Connection Termination Progress ZyWALL USG 1000 User’s Guide...
Page 496 Chapter 27 SSL User Screens ZyWALL USG 1000 User’s Guide...
Page 497: Ssl User Application Screens
(Web Server) or web-based e-mail using Microsoft Outlook Web Access (OWA). To access a web-based application, simply click a link in the Application screen to display the web screen in a separate browser window. Figure 365 Application ZyWALL USG 1000 User’s Guide...
Page 498 Chapter 28 SSL User Application Screens ZyWALL USG 1000 User’s Guide...
Page 499: Ssl User File Sharing
• Rename a file or folder. • Delete a file or folder. • Upload a file. Note: Available actions you can perform in the File Sharing screen vary depending on the rights granted to you on the file server. ZyWALL USG 1000 User’s Guide...
Page 500: The Main File Sharing Screen
You can open a file if the file extension is recognized by the web browser and the associated application is installed on your computer. Log in as a remote user and click the File Sharing tab. Click on a file share icon. ZyWALL USG 1000 User’s Guide...
Page 501: Chapter 29 Ssl User File Sharing
If an access user name and password are required, a screen displays as shown in the following figure. Enter the account information and click Login to continue. Figure 367 File Sharing: Enter Access User Name and Password ZyWALL USG 1000 User’s Guide...
Page 502: Downloading A File
You are prompted to download a file which cannot be opened using a web browser. Follow the on-screen instructions to download and save the file to your computer. Then launch the associated application to open the file. ZyWALL USG 1000 User’s Guide...
Page 503: Saving A File
Specify a descriptive name for the folder. You can enter up to 356 characters. Then click Add. Note: Make sure the length of the folder name does not exceed the maximum allowed on the file server. Figure 370 File Sharing: Save a Word File ZyWALL USG 1000 User’s Guide...
Page 504: Renaming A File Or Folder
You may not be able to open a file if you change the file extension. Figure 372 File Sharing: Rename 29.6 Deleting a File or Folder Click the Delete icon next to a file or folder to remove it. ZyWALL USG 1000 User’s Guide...
Page 505: Uploading A File
After the file is uploaded successfully, you should see the name of the file and a message in the screen. Figure 373 File Sharing: File Upload Note: Uploading a file with the same name and file extension replaces the existing file on the file server. No warning message is displayed. ZyWALL USG 1000 User’s Guide...
Page 506 Chapter 29 SSL User File Sharing ZyWALL USG 1000 User’s Guide...
Page 507: Zywall Secuextender
• Gray: the SSL VPN tunnel’s connection is suspended. This means the SSL VPN tunnel is connected, but the ZyWALL SecuExtender will not send any traffic through it until you right-click the icon and resume the connection. ZyWALL USG 1000 User’s Guide...
Page 508: Statistics
IP addresses that they are currently using. Network 1~4 These are the networks (including netmask) that you can access through the SSL VPN connection. Activity Connected Time This is how long the computer has been connected to the SSL VPN tunnel. ZyWALL USG 1000 User’s Guide...
Page 509: Zywall Secuextender
30.4 Suspend and Resume the Connection When the ZyWALL SecuExtender icon in the system tray is green, you can right- click the icon and select Suspend Connection to keep the SSL VPN tunnel ZyWALL USG 1000 User’s Guide...
Page 510: Stop The Connection
Click start > All Programs > ZyXEL > ZyWALL SecuExtender > Uninstall. In the confirmation screen, click Yes. Figure 377 Uninstalling the ZyWALL SecuExtender Confirmation Windows uninstalls the ZyWALL SecuExtender. Figure 378 ZyWALL SecuExtender Uninstallation ZyWALL USG 1000 User’s Guide...
Page 511: L2Tp Vpn
IPSec VPN. IPSec Configuration Required for L2TP VPN You must configure an IPSec VPN connection for L2TP VPN to use (see Chapter 25 on page 441 for details). The IPSec VPN connection must: • Be enabled. ZyWALL USG 1000 User’s Guide...
Page 512 • Set the Destination Address to the IP address pool that the ZyWALL assigns to the remote users (L2TP_POOL in the following figure). • Set the next hop to be the VPN tunnel that you are using for L2TP. Figure 380 Policy Route for L2TP VPN L2TP_POOL LAN_SUBNET ZyWALL USG 1000 User’s Guide...
Page 513: L2Tp Vpn Screen
Create new Use to configure any new settings objects that you need to use in this Object screen. Enable L2TP Use this field to turn the ZyWALL’s L2TP VPN function on or off. Over IPSec ZyWALL USG 1000 User’s Guide...
Page 514 Type the IP addresses of up to two WINS servers to assign to the remote users. You can specify these IP addresses two ways. Apply Click Apply to save your changes in the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG 1000 User’s Guide...
Page 515: Application Patrol
ZyWALL does when it does not recognize the application, and it identifies the conditions that refine this. It also lets you open the Other Configuration Add/ Edit screen to create new conditions or edit existing ones. ZyWALL USG 1000 User’s Guide...
Page 516: What You Need To Know
Custom Ports for SIP and the SIP ALG Configuring application patrol to use custom port numbers for SIP traffic also configures the SIP ALG (see Chapter 21 on page 401) to use the same port ZyWALL USG 1000 User’s Guide...
Page 517: Chapter 32 Application Patrol
A connection has outbound and inbound packet flows. The ZyWALL controls the bandwidth of traffic of each flow as it is going out through an interface or VPN tunnel. ZyWALL USG 1000 User’s Guide...
Page 518 • Inbound traffic is limited to 500 kbs. The connection initiator is on the LAN so inbound means the traffic traveling from the WAN to the LAN. Figure 383 LAN to WAN, Outbound 200 kbps, Inbound 500 kbps Inbound Outbound Outbound 500 kbps 200 kbps 200 kbps ZyWALL USG 1000 User’s Guide...
Page 519 B. Each server tries to send 1000 kbps, but the WAN is set to a maximum outgoing speed of 1000 kbps. You configure policy A for server A’s traffic and policy B for server B’s traffic. Figure 384 Bandwidth Management Behavior 1000 kbps 1000 kbps 1000 kbps ZyWALL USG 1000 User’s Guide...
Page 520 You should regard extreme over allotment of traffic with different priorities (as shown here) as a configuration error. Even though the ZyWALL still attempts to let all traffic get through and not be lost, ZyWALL USG 1000 User’s Guide...
Page 521: Application Patrol Bandwidth Management Examples
SIP calls no matter which interface they are connected • HTTP traffic needs to be given priority over FTP traffic. • FTP traffic from the WAN to the DMZ must be limited so it does not interfere with SIP and HTTP traffic. ZyWALL USG 1000 User’s Guide...
Page 522: Sip Any To Wan Bandwidth Management Example
• Inbound traffic (to the LAN and DMZ from the WAN) is also limited to 200 kbps. The ZyWALL applies this limit before sending the traffic to LAN or DMZ. • Highest priority (1). Set policies for other applications to lower priorities so the SIP traffic always gets the best treatment. ZyWALL USG 1000 User’s Guide...
Page 523: Sip Wan To Any Bandwidth Management Example
HTTP traffic gets sent before non-SIP traffic. • Enable maximize bandwidth usage so the HTTP traffic can borrow unused bandwidth. Figure 387 HTTP Any to WAN Bandwidth Management Example Outbound: 200 kbps Inbound: 500 kbps ZyWALL USG 1000 User’s Guide...
Page 524: Ftp Wan To Dmz Bandwidth Management Example
• Fourth highest priority (4). • Disable maximize bandwidth usage since you do not want to give FTP more bandwidth. Figure 389 FTP LAN to DMZ Bandwidth Management Example Inbound: 50 Mbps Outbound: 50 Mbps ZyWALL USG 1000 User’s Guide...
Page 525: Application Patrol General Screen
This same setting also appears in the Network > Routing > Policy Route screen. Enabling or disabling it in one screen also enables or disables it in the other screen. ZyWALL USG 1000 User’s Guide...
Page 526: Application Patrol Applications
Use the application patrol Common, Instant Messenger, Peer to Peer, VoIP, or Streaming screen to manage traffic of individual applications. Use the Common screen (shown here as an example) to manage traffic of the most commonly used web, file transfer and e-mail protocols. ZyWALL USG 1000 User’s Guide...
Page 527: The Application Patrol Edit Screen
Click Reset to return the screen to its last-saved settings. 32.3.1 The Application Patrol Edit Screen Use this screen to edit the settings for an application. To access this screen, go to the application patrol Common, Instant Messenger, Peer to Peer, VoIP, or ZyWALL USG 1000 User’s Guide...
Page 528 Click this to create a new entry. Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. ZyWALL USG 1000 User’s Guide...
Page 529 If any displays, the policy is effective for every source. Destination This is the destination address or address group for whom this policy applies. If any displays, the policy is effective for every destination. ZyWALL USG 1000 User’s Guide...
Page 530 (7) regardless of this field’s configuration. This field shows whether the ZyWALL generates a log (log), a log and alert (log alert) or neither (no) when the application’s traffic matches this policy. ZyWALL USG 1000 User’s Guide...
Page 531: The Application Patrol Policy Edit Screen
Select this check box to turn on this policy for the application. Port Use this field to specify a specific port number to which to apply this policy. Type zero, if this policy applies for every port number. ZyWALL USG 1000 User’s Guide...
Page 532 PHB for DiffServ on page 359 for more details. Select preserve to have the ZyWALL keep the packets’ original DSCP value. Select default to have the ZyWALL set the DSCP value of the packets to ZyWALL USG 1000 User’s Guide...
Page 533 If the sum of the bandwidths for routes using the same next hop is higher than the actual transmission speed, lower priority traffic may not be sent if higher priority traffic uses all of the actual bandwidth. ZyWALL USG 1000 User’s Guide...
Page 534: The Other Applications Screen
ZyWALL should do more precisely. You can also control the bandwidth used by these other applications.This screen also allows you to add, edit, and remove conditions to this default policy. ZyWALL USG 1000 User’s Guide...
Page 535 This is the destination zone of the traffic to which this policy applies. Source This is the source address or address group for whom this policy applies. If any displays, the policy is effective for every source. ZyWALL USG 1000 User’s Guide...
Page 536 0. In this case the traffic is automatically treated as being set to the lowest priority (7) regardless of this field’s configuration. ZyWALL USG 1000 User’s Guide...
Page 537: The Other Applications Add/Edit Screen
Select this check box to turn on this policy. Port Use this field to specify a specific port number to which to apply this policy. Type zero, if this policy applies for every port number. ZyWALL USG 1000 User’s Guide...
Page 538 Select default to have the ZyWALL set the DSCP value of the packets to Bandwidth Configure these fields to set the amount of bandwidth the application Management can use. These fields only apply when Access is set to forward. ZyWALL USG 1000 User’s Guide...
Page 539 Chapter 51 on page 833 for more on logs. no - the ZyWALL does not record anything log - the ZyWALL creates a record in the log log alert - the ZyWALL creates an alert ZyWALL USG 1000 User’s Guide...
Page 540 Chapter 32 Application Patrol Table 142 AppPatrol > Other > Edit (continued) LABEL DESCRIPTION Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL USG 1000 User’s Guide...
Page 541: Anti-Virus
555) to set up anti- virus black (blocked) and white (allowed) lists of virus file patterns. • Use the Signature screen (Section 33.6 on page 558) to search signatures to get more information about signatures. ZyWALL USG 1000 User’s Guide...
Page 542: What You Need To Know
• IMAP4 (Internet Message Access Protocol version 4) How the ZyWALL Anti-Virus Scanner Works The following describes the virus scanning process on the ZyWALL. The ZyWALL first identifies SMTP, POP3, IMAP4, HTTP and FTP packets through standard ports. ZyWALL USG 1000 User’s Guide...
Page 543: Chapter 33 Anti-Virus
• ZIP file(s) within a ZIP file. Finding Out More • See Section 6.5.19 on page 112 for related information on these screens. • See Section 33.7 on page 561 for anti-virus background information. ZyWALL USG 1000 User’s Guide...
Page 544: Before You Begin
• You may need to customize the zones (in the Network > Zone) used for the anti-virus scanning direction. 33.2 Anti-Virus Summary Screen Click Configuration > Anti-X > Anti-Virus to display the configuration screen as shown next. Figure 397 Configuration > Anti-X > Anti-Virus > General ZyWALL USG 1000 User’s Guide...
Page 545 From The anti-virus policy has the ZyWALL scan traffic coming from this zone and going to the To zone. The anti-virus policy has the ZyWALL scan traffic going to this zone from the From zone. ZyWALL USG 1000 User’s Guide...
Page 546 Click this link to go to the screen you can use to download signatures Signatures from the update server. Apply Click Apply to save your changes. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG 1000 User’s Guide...
Page 547: Anti-Virus Policy Add Or Edit Screen
FTP applies to traffic using the TCP port number specified for FTP in the ALG screen. SMTP applies to traffic using TCP port 25. POP3 applies to traffic using TCP port 110. IMAP4 applies to traffic using TCP port 143. ZyWALL USG 1000 User’s Guide...
Page 548 “zip” or “rar” file extension). The ZyWALL first (ZIP and RAR) decompresses the ZIP file and then scans the contents for viruses. Note: The ZyWALL decompresses a ZIP file once. The ZyWALL does NOT decompress any ZIP file(s) within a ZIP file. ZyWALL USG 1000 User’s Guide...
Page 549: Anti-Virus Black List
(blocked) list of virus file patterns. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 399 Configuration > Anti-X > Anti-Virus > Black/White List > Black List ZyWALL USG 1000 User’s Guide...
Page 550: Anti-Virus Black List Or White List Add/Edit
• For a white list entry, enter a file pattern that should cause the ZyWALL to allow a file. Figure 400 Configuration > Anti-X > Anti-Virus > Black/White List > Black List (or White List) > Add ZyWALL USG 1000 User’s Guide...
Page 551: Anti-Virus White List
Click Configuration > Anti-X > Anti-Virus > Black/White List > White List to display the screen shown next. Use the Black/White List screen to set up Anti-Virus black (blocked) and white (allowed) lists of virus file patterns. Click a ZyWALL USG 1000 User’s Guide...
Page 552: Signature Searching
Click Reset to return the screen to its last-saved settings. 33.6 Signature Searching Click Configuration > Anti-X > Anti-Virus > Signature to display this screen. Use this screen to locate signatures and display details about them. ZyWALL USG 1000 User’s Guide...
Page 553 No to continue. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 402 Configuration > Anti-X > Anti-Virus > Signature: Search by Severity ZyWALL USG 1000 User’s Guide...
Page 554 Category This column displays whether the signature is for identifying a virus or spyware. Click the column heading to sort your search results by category. ZyWALL USG 1000 User’s Guide...
Page 555: Anti-Virus Technical Reference
Once the virus is spread through the network, the number of infected networked computers can grow exponentially. Types of Anti-Virus Scanner The section describes two types of anti-virus scanner: host-based and network- based. ZyWALL USG 1000 User’s Guide...
Page 556 • NAV scanners stops virus threats at the network edge before they enter or exit a network. • NAV scanners reduce computing loading on computers as the read-time data traffic inspection is done on a dedicated security device. ZyWALL USG 1000 User’s Guide...
Page 557: Idp
Chapter 35 on page 597). Zone A zone is a combination of ZyWALL interfaces and VPN connections used for configuring security. See the zone chapter for details on zones and the interfaces chapter for details on interfaces. ZyWALL USG 1000 User’s Guide...
Page 558: Before You Begin
When the trial subscription expires, purchase and enter a license key using the same screens to continue the subscription. • Configure zones on the ZyWALL - see Chapter 17 on page 377 for more information. ZyWALL USG 1000 User’s Guide...
Page 559: The Idp General Screen
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Edit Select an entry and click this to be able to modify it. ZyWALL USG 1000 User’s Guide...
Page 560 Click this link to go to the screen where you can register for the service. Signature The following fields display information on the current signature set Information that the ZyWALL is using. ZyWALL USG 1000 User’s Guide...
Page 561: Introducing Idp Profiles
You need to subscribe for IDP service in order to be able to download new signatures. In general, packet inspection signatures are created for known attacks while anomaly detection looks for abnormal behavior (see Chapter 35 on page 597 information on anomaly detection). ZyWALL USG 1000 User’s Guide...
Page 562: Base Profiles
Signatures with a low or medium severity level (two or three) generate logs (not log alerts) and no action is taken on packets that trigger them. Signatures with a very low severity level (one) are disabled. ZyWALL USG 1000 User’s Guide...
Page 563: The Profile Summary Screen
Click this to create a new entry. Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. This is the entry’s index number in the list. ZyWALL USG 1000 User’s Guide...
Page 564: Creating New Profiles
Note: If Internet Explorer opens a warning screen about a script making Internet Explorer run slowly and the computer maybe becoming unresponsive, just click No to continue. Type a new profile name Enable or disable individual signatures. Edit the default log options and actions. ZyWALL USG 1000 User’s Guide...
Page 565: Profiles: Packet Inspection
Packet inspection signatures examine the contents of a packet for malicious data. It operates at layer-4 to layer-7. 34.6.1 Profile > Group View Screen Figure 406 Configuration > Anti-X > IDP > Profile > Edit: Group View ZyWALL USG 1000 User’s Guide...
Page 566 An alert is an e-mailed log for more serious events that may need more immediate attention. Select this option to have the ZyWALL send an alert when a packet matches a signature(s). ZyWALL USG 1000 User’s Guide...
Page 567 Very Low (1): These denote possible attacks caused by traffic such as Ping, trace route, ICMP queries etc. Policy Type This is the attack type as defined on the ZyWALL. See Table 154 on page for a description of each type. ZyWALL USG 1000 User’s Guide...
Page 568 Internet. A Distributed Denial of Service (DDoS) attack is one in which multiple compromised systems attack a single target, thereby causing denial of service for users of the targeted system. ZyWALL USG 1000 User’s Guide...
Page 569: Policy Types
Web attacks refer to attacks on web servers such as IIS (Internet Information Services). 34.6.3 IDP Service Groups An IDP service group is a set of related packet inspection signatures. Table 155 IDP Service Groups WEB_PHP WEB_MISC WEB_IIS WEB_FRONTPAGE WEB_CGI WEB_ATTACKS TFTP TELNET ZyWALL USG 1000 User’s Guide...
Page 570: Profile > Query View Screen
34.6.4 Profile > Query View Screen Click Switch to query view in the screen as shown in Figure 406 on page 571 go to a signature query screen. In the query view screen, you can search for ZyWALL USG 1000 User’s Guide...
Page 571 ID fields are left blank, then all custom signatures are displayed. Name Type the name or part of the name of the signature(s) you want to find. Signature Type the ID or part of the ID of the signature(s) you want to find. ZyWALL USG 1000 User’s Guide...
Page 572 Click Save to save the configuration to the ZyWALL, but remain in the same page. You may then go to the another profile screen (tab) in order to complete the profile. Click OK in the final profile screen to complete the profile. ZyWALL USG 1000 User’s Guide...
Page 573: Query Example
Chapter 34 IDP 34.6.5 Query Example This example shows a search with these criteria: • Severity: severe and high • Attack Type: DDoS • Platform: Windows 2000 and Windows XP computers • Service: Any ZyWALL USG 1000 User’s Guide...
Page 574 Chapter 34 IDP • Actions: Any Figure 409 Query Example Search Criteria Figure 410 Query Example Search Results ZyWALL USG 1000 User’s Guide...
Page 575: Introducing Idp Custom Signatures
Flags are used to control whether routers are allowed to fragment a packet and to indicate the parts of a packet to the receiver. Fragment Offset This is a byte count from the start of the original sent packet. ZyWALL USG 1000 User’s Guide...
Page 576: Configuring Custom Signatures
Click the Add icon to create a new signature or click the Edit icon to edit an existing signature. You can also delete custom signatures here or save them to your computer. ZyWALL USG 1000 User’s Guide...
Page 577 This is the name of your custom signature. Duplicate names can exist, but it is advisable to use unique signature names that give some hint as to intent of the signature and the type of attack it is supposed to prevent. ZyWALL USG 1000 User’s Guide...
Page 578: Creating Or Editing A Custom Signature
Figure 412 on page 583. A packet must match all items you configure in this screen before it matches the signature. The more specific your signature (including packet contents), then the fewer false positives the signature will trigger. ZyWALL USG 1000 User’s Guide...
Page 579 Try to write signatures that target a vulnerability, for example a certain type of traffic on certain operating systems, instead of a specific exploit. Figure 413 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit ZyWALL USG 1000 User’s Guide...
Page 580 If a datagram is fragmented, it contains a value that identifies the datagram to which the fragment belongs. Some intrusions use an invalid Identification number. Select the check box and then type in the invalid number that the intrusion uses. ZyWALL USG 1000 User’s Guide...
Page 581 The following fields vary depending on whether you choose TCP, UDP or ICMP. Transport Protocol: TCP Port Select the check box and then enter the source and destination TCP port numbers that will trigger this signature. ZyWALL USG 1000 User’s Guide...
Page 582 Payload Options The longer a payload option is, the more exact the match, the faster the signature processing. Therefore, if possible, it is recommended to have at least one payload option in your signature. ZyWALL USG 1000 User’s Guide...
Page 583 %2 for directory traversals, these signatures will not be triggered because the content is normalized out of the URI buffer. For example, the URI: /scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver will get normalized into: /winnt/system32/cmd.exe?/c+ver ZyWALL USG 1000 User’s Guide...
Page 584: Custom Signature Example
As an example, say you want to check if your router is being overloaded with DNS queries so you create a signature to detect DNS query traffic. ZyWALL USG 1000 User’s Guide...
Page 585 From the details about DNS query you see that the protocol is UDP and the port is 53. The type of DNS packet is standard query and the Flag is 0x0100 with an offset of 2. Therefore enter |010| as the first pattern. ZyWALL USG 1000 User’s Guide...
Page 586: Applying Custom Signatures
After you create your custom signature, it becomes available in the IDP service group category in the Configuration > Anti-X > IDP > Profile > Edit screen. Custom signatures have an SID from 9000000 to 9999999. ZyWALL USG 1000 User’s Guide...
Page 587: Verifying Custom Signatures
All IDP signatures come under the IDP category. The Note column displays ACCESS FORWARD when no action is configured for the signature. It displays ACCESS DENIED if you configure the signature action to drop the packet. The ZyWALL USG 1000 User’s Guide...
Page 588: Idp Technical Reference
Disadvantages of host IDPs are that you have to install them on each device (that you want to protect) in your network and due to the necessarily tight integration with the host operating system, future operating system upgrades could cause problems. ZyWALL USG 1000 User’s Guide...
Page 589 These are some equivalent Snort terms in the ZyWALL. Table 160 ZyWALL - Snort Equivalent Terms ZYWALL TERM SNORT EQUIVALENT TERM Type Of Service Identification Fragmentation fragbits Fragmentation Offset fragoffset Time to Live IP Options ipopts ZyWALL USG 1000 User’s Guide...
Page 590 Payload Size dsize Offset (relative to start of offset payload) Relative to end of last match distance Content content Case-insensitive nocase Decode as URI uricontent Note: Not all Snort functionality is supported in the ZyWALL. ZyWALL USG 1000 User’s Guide...
Page 591: Adp
Traffic anomaly rules look for abnormal behavior or events such as port scanning, sweeping or network flooding. It operates at OSI layer-2 and layer-3. Traffic anomaly rules may be updated when you upload new firmware. ZyWALL USG 1000 User’s Guide...
Page 592: Before You Begin
IDP-related term definitions. • See Section 35.4 on page 609 for background information on these screens. 35.1.4 Before You Begin Configure the ZyWALL’s zones - see Chapter 17 on page 377 for more information. ZyWALL USG 1000 User’s Guide...
Page 593: The Adp General Screen
[ENTER] to move the entry to the number that you typed. This is the entry’s index number in the list. Priority This is the rank in the list of anomaly profile policies. The list is applied in order of priority. ZyWALL USG 1000 User’s Guide...
Page 594: The Profile Summary Screen
Click Reset to return the screen to its last-saved settings. 35.3 The Profile Summary Screen Use this screen to: • Create a new profile using an existing base profile • Edit an existing profile • Delete an existing profile ZyWALL USG 1000 User’s Guide...
Page 595: Base Profiles
Cancel Click Cancel to exit this screen without saving your changes. 35.3.2 Configuring The ADP Profile Summary Screen Select Configuration > Anti-X > ADP > Profile. Figure 420 Configuration > Anti-X > ADP > Profile ZyWALL USG 1000 User’s Guide...
Page 596: Creating New Adp Profiles
In the Configuration > Anti-X > ADP > Profile screen, click the Edit icon or click the Add icon and choose a base profile. If you made changes to other screens ZyWALL USG 1000 User’s Guide...
Page 597 Chapter 35 ADP belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Traffic Anomaly tab. Figure 421 Profiles: Traffic Anomaly ZyWALL USG 1000 User’s Guide...
Page 598 The ZyWALL silently drops packets that matches the rule. Neither sender nor receiver are notified. This is the entry’s index number in the list. Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. ZyWALL USG 1000 User’s Guide...
Page 599: Protocol Anomaly Profiles
Add icon and choose a base profile, then select the Protocol Anomaly tab. If you made changes to other screens belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Protocol Anomaly tab. ZyWALL USG 1000 User’s Guide...
Page 600 Chapter 35 ADP Figure 422 Profiles: Protocol Anomaly ZyWALL USG 1000 User’s Guide...
Page 601 To edit an item’s log option, select it and use the Log icon. Select whether to have the ZyWALL generate a log (log), log and alert (log alert) or neither (no) when traffic matches this anomaly rule. See Chapter 51 on page 833 for more on logs. ZyWALL USG 1000 User’s Guide...
Page 602 Select what the ZyWALL should do when a packet matches a rule. none: The ZyWALL takes no action when a packet matches the signature(s). block: The ZyWALL silently drops packets that matches the rule. Neither sender nor receiver are notified. ZyWALL USG 1000 User’s Guide...
Page 603: Adp Technical Reference
IP protocols such as EGP (Exterior Gateway Protocol) or IGP (Interior Gateway Protocol). Determining these additional protocols can help reveal if the destination device is a workstation, a printer, or a router. ZyWALL USG 1000 User’s Guide...
Page 604 • UDP Filtered Portscan • IP Filtered Portscan Portscan • TCP Filtered Decoy • UDP Filtered Decoy • IP Filtered Decoy Portscan Portscan Portscan • TCP Filtered • UDP Filtered Portsweep • IP Filtered Portsweep Portsweep ZyWALL USG 1000 User’s Guide...
Page 605 Figure 423 Smurf Attack TCP SYN Flood Attack Usually a client starts a session by sending a SYN (synchronize) packet to a server. The receiver returns an ACK (acknowledgment) packet and its own SYN, and then ZyWALL USG 1000 User’s Guide...
Page 606 In a LAND attack, hackers flood SYN packets into a network with a spoofed source IP address of the network itself. This makes it appear as if the computers in the network sent the packets to themselves, so the network is unavailable while they try to respond to themselves. ZyWALL USG 1000 User’s Guide...
Page 607 “/abc/xyz”. Also, “/abc/./xyz” gets normalized to “/abc/xyz”. If a user wants to configure an alert, then specify “yes”, otherwise “no”. This alert may give false positives since some web sites refer to files using directory traversals. ZyWALL USG 1000 User’s Guide...
Page 608 % encoding. Apache uses this standard, so for any Apache servers, make sure you have this option turned on. When this rule is enabled, ASCII decoding is also enabled to enforce correct functioning. ZyWALL USG 1000 User’s Guide...
Page 609 ICMP Decoder TRUNCATED-ADDRESS- This is when an ICMP packet is sent which has an ICMP HEADER ATTACK datagram length of less than the ICMP address header length. This may cause some applications to crash. ZyWALL USG 1000 User’s Guide...
Page 610 % encoding. Apache uses this standard, so for any Apache servers, make sure you have this option turned on. When this rule is enabled, ASCII decoding is also enabled to enforce correct functioning. ZyWALL USG 1000 User’s Guide...
Page 611 ICMP Decoder TRUNCATED-ADDRESS- This is when an ICMP packet is sent which has an ICMP HEADER ATTACK datagram length of less than the ICMP address header length. This may cause some applications to crash. ZyWALL USG 1000 User’s Guide...
Page 612 TRUNCATED- This is when an ICMP packet is sent which has an ICMP TIMESTAMP-HEADER datagram length of less than the ICMP Time Stamp header ATTACK length. This may cause some applications to crash. ZyWALL USG 1000 User’s Guide...
Page 613: Content Filtering
• Use schedule objects to define when to apply a content filter profile. • Use address and/or user/group objects to define to whose web access to apply the content filter profile. • Apply a content filter profile that you have custom-tailored. ZyWALL USG 1000 User’s Guide...
Page 614 URL. For example, with the URL www.zyxel.com.tw/news/ pressroom.php, the domain name is www.zyxel.com.tw. The file path is the characters that come after the first slash in the URL. For example, with the URL www.zyxel.com.tw/news/pressroom.php, the file path is news/pressroom.php. ZyWALL USG 1000 User’s Guide...
Page 615: Content Filter General Screen
Licensing > Registration screens). 36.2 Content Filter General Screen Click Configuration > Anti-X > Content Filter > General to open the Content Filter General screen. Use this screen to enable content filtering, view and order ZyWALL USG 1000 User’s Guide...
Page 616 Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate. ZyWALL USG 1000 User’s Guide...
Page 617 The web page you specify here opens in a new frame below the denied access message. Use “http://” or “https://” followed by up to 255 characters (0-9a- zA-Z;/?:@&=+$\.-_!~*'()%). For example, http://192.168.1.17/ blocked access. ZyWALL USG 1000 User’s Guide...
Page 618: Content Filter Policy Add Or Edit Screen
36.3 Content Filter Policy Add or Edit Screen Click Configuration > Anti-X > Content Filter > General > Add or Edit to open the Content Filter Policy screen. Use this screen to configure a content ZyWALL USG 1000 User’s Guide...
Page 619 Select any to have the content filter policy apply to all of the web access requests that the ZyWALL receives from any user. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL USG 1000 User’s Guide...
Page 620: Content Filter Profile Screen
Note: You must register for external content filtering before you can use it. See Section 11.2 on page 267 for how to register. ZyWALL USG 1000 User’s Guide...
Page 621 Chapter 36 Content Filtering Chapter 37 on page 641 for how to view content filtering reports. Figure 429 Configuration > Anti-X > Content Filter > Filter Profile > Add ZyWALL USG 1000 User’s Guide...
Page 622 The ZyWALL then blocks or forwards access to the web page depending on the configuration of the rest of this page. ZyWALL USG 1000 User’s Guide...
Page 623 Select Warn to display a warning message before allowing users to access web pages that the external web filtering service has not categorized. Select Log to record attempts to access web pages that are not categorized. ZyWALL USG 1000 User’s Guide...
Page 624 Phishing This category includes pages that are designed to appear as a legitimate bank or retailer with the intent to fraudulently capture sensitive data (i.e. credit card numbers, pin numbers). ZyWALL USG 1000 User’s Guide...
Page 625 This category includes pages that contain images or offer the Swimsuit sale of swimsuits or intimate apparel or other types of suggestive clothing. It does not include pages selling undergarments as a subsection of other products offered. ZyWALL USG 1000 User’s Guide...
Page 626 Hacking encompasses instructions on illegal or questionable tactics, such as creating viruses, distributing cracked or pirated software, or distributing other protected intellectual property. ZyWALL USG 1000 User’s Guide...
Page 627 It also includes pages dedicated to selling board games as well as journals and magazines dedicated to game playing. It includes pages that support or host online sweepstakes and giveaways. ZyWALL USG 1000 User’s Guide...
Page 628 This category includes pages that offer access to Usenet news groups or other messaging or bulletin board systems. Also, blog specific sites or an individual with his own blog. This does not include social networking communities with blogs. ZyWALL USG 1000 User’s Guide...
Page 629 Pornography category. Restaurants/Dining/ This category includes pages that list, review, discuss, advertise Food and promote food, catering, dining services, cooking and recipes. ZyWALL USG 1000 User’s Guide...
Page 630 These sites are salacious that are bereft of historical context, educational value or artistic merit created solely to debase, dehumanize or shock. Examples include necrophilia, cannibalism, scat and amputee fetish sites. ZyWALL USG 1000 User’s Guide...
Page 631 This category includes servers that provide commercial hosting for a variety of content such as images and media files. These types of servers are typically used in conjunction with other web servers to optimize content retrieval speeds. ZyWALL USG 1000 User’s Guide...
Page 632: Content Filter Blocked And Warning Messages
Click Cancel to exit this screen without saving your changes. 36.5.1 Content Filter Blocked and Warning Messages These are the content filtering warning messages. The messages for blocked access are the same but do not include the buttons. Figure 430 Content Filter Warning Messages ZyWALL USG 1000 User’s Guide...
Page 633: Content Filter Customization Screen
This value is case-sensitive. Enable Custom Service Select this check box to allow trusted web sites and block forbidden web sites. Content filter list customization may be enabled and disabled without re-entering these site names. ZyWALL USG 1000 User’s Guide...
Page 634 Click this to create a new entry. Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. ZyWALL USG 1000 User’s Guide...
Page 635: Content Filter Technical Reference
(such as Bad for example). Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. 36.7 Content Filter Technical Reference This section provides content filtering background information. ZyWALL USG 1000 User’s Guide...
Page 636 ZyWALL, which then blocks and/or logs access to the web site based on the settings in the content filter profile. The web site’s address and category are then stored in the ZyWALL’s content filter cache. ZyWALL USG 1000 User’s Guide...
Page 637: Content Filter Reports
You need to register your iCard before you can view content filtering reports. Alternatively, you can also view content filtering reports during the free trial (up to 30 days). Go to http://www.myZyXEL.com. ZyWALL USG 1000 User’s Guide...
Page 638 Chapter 37 Content Filter Reports Fill in your myZyXEL.com account information and click Login. Figure 433 myZyXEL.com: Login ZyWALL USG 1000 User’s Guide...
Page 639 Registered ZyXEL Products (the ZyWALL 70 is shown as an example here). You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 435 on page 644). Figure 434 myZyXEL.com: Welcome ZyWALL USG 1000 User’s Guide...
Page 640 In the Service Management screen click Content Filter in the Service Name column to open the content filter reports screens. Figure 435 myZyXEL.com: Service Management In the Web Filter Home screen, click the Reports tab. Figure 436 Content Filter Reports Main Screen ZyWALL USG 1000 User’s Guide...
Page 641 Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report.The screens vary according to the report type you selected in the Report Home screen. ZyWALL USG 1000 User’s Guide...
Page 642 Chapter 37 Content Filter Reports A chart and/or list of requested web site categories display in the lower half of the screen. Figure 438 Global Report Screen Example ZyWALL USG 1000 User’s Guide...
Page 643 Chapter 37 Content Filter Reports You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested. Figure 439 Requested URLs Example ZyWALL USG 1000 User’s Guide...
Page 644 Chapter 37 Content Filter Reports ZyWALL USG 1000 User’s Guide...
Page 645: Anti-Spam
The white list can also increases the ZyWALL’s anti-spam speed and efficiency by not having the ZyWALL perform the full anti-spam checking process on legitimate e-mail. ZyWALL USG 1000 User’s Guide...
Page 646 For example, in Microsoft’s Outlook Express, select a mail and click File > Properties > Details. This displays the e-mail’s header. Click Message Source to see the source for the entire mail including both the header and the body. ZyWALL USG 1000 User’s Guide...
Page 647: Before You Begin
Configure your zones before you configure anti-spam. 38.3 The Anti-Spam General Screen Click Configuration > Anti-X > Anti-Spam to open the Anti-Spam General screen. Use this screen to turn the anti-spam feature on or off and manage anti- ZyWALL USG 1000 User’s Guide...
Page 648 Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Edit Select an entry and click this to be able to modify it. ZyWALL USG 1000 User’s Guide...
Page 649: The Anti-Spam Policy Add Or Edit Screen
Click the Add or Edit icon in the Configuration > Anti-X > Anti-Spam > General screen to display the configuration screen as shown next. Use this screen to configure an anti-spam policy that controls what traffic direction of e-mail to ZyWALL USG 1000 User’s Guide...
Page 650 To zone. Protocols to Select which protocols of traffic to scan for spam. Scan SMTP applies to traffic using TCP port 25. POP3 applies to traffic using TCP port 110. ZyWALL USG 1000 User’s Guide...
Page 651: The Anti-Spam Black List Screen
Configure the black list to identify spam e-mail. You can create black list entries based on the sender’s or relay server’s IP address or e-mail address. You can also create entries that check for particular e-mail header fields with specific values or ZyWALL USG 1000 User’s Guide...
Page 652 This field displays the subject content, source or relay IP address, source e-mail address, or header value for which the entry checks. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG 1000 User’s Guide...
Page 653: The Anti-Spam Black Or White List Add/Edit Screen
This field displays when you select the Subject type. Enter up to 63 Keyword ASCII characters of text to check for in e-mail headers. Spaces are not allowed, although you could substitute a question mark (?). See Section 38.4.2 on page 658 for more details. ZyWALL USG 1000 User’s Guide...
Page 654: Regular Expressions In Black Or White List Entries
You cannot use two wildcards side by side, there must be other characters between them. • The ZyWALL checks the first header with the name you specified in the entry. So if the e-mail has more than one “Received” header, the ZyWALL checks the first one. ZyWALL USG 1000 User’s Guide...
Page 655: The Anti-Spam White List Screen
To turn off an entry, select it and click Inactivate. Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. This is the entry’s index number in the list. ZyWALL USG 1000 User’s Guide...
Page 656: The Dnsbl Screen
DNSBL screen. Use this screen to configure the ZyWALL to check the sender and relay IP addresses in e-mail headers against DNS (Domain Name Service)-based spam Black Lists (DNSBLs). Figure 445 Configuration > Anti-X > Anti-Spam > DNSBL ZyWALL USG 1000 User’s Guide...
Page 657 Enter a message or label (up to 15 ASCII characters) to add to the mail subject of e-mails that the ZyWALL forwards if queries to the DNSBL domains time out. DNSBL Domain List Click this to create a new entry. ZyWALL USG 1000 User’s Guide...
Page 658: Anti-Spam Technical Reference
• The ZyWALL records DNSBL responses for IP addresses in a cache for up to 72 hours. The ZyWALL checks an e-mail’s sender and relay IP addresses against the cache first and only sends DNSBL queries for IP addresses that are not in the cache. ZyWALL USG 1000 User’s Guide...
Page 659 In this example it was an SMTP mail and the defined action was to drop the mail. The ZyWALL does not wait for any more DNSBL replies. ZyWALL USG 1000 User’s Guide...
Page 660 Now that the ZyWALL has received at least one non-spam reply for each of the e- mail’s routing IP addresses, the ZyWALL immediately classifies the e-mail as legitimate and forwards it. The ZyWALL does not wait for any more DNSBL replies. ZyWALL USG 1000 User’s Guide...
Page 661 In this example it was an SMTP mail and the defined action was to drop the mail. The ZyWALL does not wait for any more DNSBL replies. ZyWALL USG 1000 User’s Guide...
Page 662 Chapter 38 Anti-Spam ZyWALL USG 1000 User’s Guide...
Page 663: Device Ha
VRRP group settings and synchronize backup ZyWALLs. 39.1.2 What You Need to Know Active-Passive Mode and Legacy Mode • Active-passive mode lets a backup ZyWALL take over if the master ZyWALL fails. ZyWALL USG 1000 User’s Guide...
Page 664: Before You Begin
ZyWALLs are both subscribed. For example, a backup subscribed to IDP/ AppPatrol, but not anti-virus, gets IDP/AppPatrol updates from the master, but not anti-virus updates. It is highly recommended to subscribe the master and backup ZyWALLs to the same services. ZyWALL USG 1000 User’s Guide...
Page 665: Device Ha General
You can use this IP address and subnet mask to access the ZyWALL whether it is in master or backup mode. Link Status This tells whether the monitored interface’s connection is down or up. ZyWALL USG 1000 User’s Guide...
Page 666: The Active-Passive Mode Screen
ZyWALL A and backup ZyWALL B form a virtual router. Figure 451 Virtual Router Cluster ID You can have multiple ZyWALL virtual routers on your network. Use a different cluster ID to identify each virtual router. In the following example, ZyWALLs A and ZyWALL USG 1000 User’s Guide...
Page 667 IP address to manage the ZyWALL regardless of whether it is the master or the backup. For example, ZyWALL B takes over A’s 192.168.1.1 LAN interface IP address. This is a virtual router IP address. ZyWALL A keeps it’s LAN management IP address of ZyWALL USG 1000 User’s Guide...
Page 668: Configuring Active-Passive Mode Device Ha
HA settings, view and manage the list of monitored interfaces, and synchronize backup ZyWALLs. To access this screen, click Configuration > Device HA > Active-Passive Mode. Figure 454 Configuration > Device HA > Active-Passive Mode ZyWALL USG 1000 User’s Guide...
Page 669 The password can consist of alphanumeric characters, the underscore, and some punctuation marks (+-/*= :; .! @$&%#~ ‘ \ () ), and it can be up to eight characters long. Authentication Types on page 375 for more information about authentication methods. ZyWALL USG 1000 User’s Guide...
Page 670 Secure FTP port number. Click the link if you need to change the FTP port number. Every ZyWALL in the virtual router must use the same port number. If the master ZyWALL changes, you have to manually change this port number in the backups. ZyWALL USG 1000 User’s Guide...
Page 671: Configuring An Active-Passive Mode Monitored Interface
Ethernet interface to a bridge, the ZyWALL retains the interface’s device HA settings and uses them again if you later remove the interface from the bridge. If the bridge is later deleted or the interface is removed from it, Device HA will recover the interface’s setting. ZyWALL USG 1000 User’s Guide...
Page 672 Manage IP Enter the subnet mask of the interface’s management IP address. Subnet Mask Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL USG 1000 User’s Guide...
Page 673: The Legacy Mode Screen
Link monitoring has a backup ZyWALL take over all of an unavailable master ZyWALL’s static IP addresses. This way the backup ZyWALL takes over all of the master ZyWALL’s functions. This also means you can only access the original master ZyWALL through its management IP address. ZyWALL USG 1000 User’s Guide...
Page 674: Configuring The Legacy Mode Screen
ZyWALL’s 3G connection even when a VRRP monitored interface link goes down. interface is fault Monitored Interface Summary Click this to create a new entry. Edit Select an entry and click this to be able to modify it. ZyWALL USG 1000 User’s Guide...
Page 675 If you leave this field blank in the master ZyWALL, it does not allow any backup ZyWALLs to synchronize from it. If you leave this field blank in a backup ZyWALL, it cannot synchronize from the master ZyWALL. ZyWALL USG 1000 User’s Guide...
Page 676 The Device HA Legacy Mode Add or Edit screen lets you configure a VRRP group. To access this screen, click Configuration > Device HA > Legacy Mode > Add (or Edit). Figure 457 Configuration > Device HA > Legacy Mode > Add ZyWALL USG 1000 User’s Guide...
Page 677 Select this if the selected interface should become the master interface if a lower-priority interface is the master when this one is enabled. (If the role is Master, the interface preempts by default.) Virtual Router Settings ZyWALL USG 1000 User’s Guide...
Page 678: Device Ha Technical Reference
Here are two ways to avoid a broadcast storm when you connect the bridge interfaces on two ZyWALLs. First Option for Connecting the Bridge Interfaces on Two ZyWALLs The first way is to activate device HA before connecting the bridge interfaces as shown in the following example. ZyWALL USG 1000 User’s Guide...
Page 679 HA. Br0 {ge4, ge5} Configure the bridge interface on the backup ZyWALL, set the bridge interface as a monitored interface, and activate device HA. Br0 {ge4, ge5} Br0 {ge4, ge5} ZyWALL USG 1000 User’s Guide...
Page 680 In this case the ZyWALLs are already connected, but the bridge faces have not been configured yet. Configure a disabled bridge interface on the master ZyWALL but disable it. Then set the bridge interface as a monitored interface, and activate device HA. Br0 {ge4, ge5} Disabled ZyWALL USG 1000 User’s Guide...
Page 681 Br0 {ge4, ge5} Disabled Br0 {ge4, ge5} Disabled Enable the bridge interface on the master ZyWALL and then on the backup ZyWALL. Br0 {ge4, ge5} Br0 {ge4, ge5} Connect the ZyWALLs. Br0 {ge4, ge5} Br0 {ge4, ge5} ZyWALL USG 1000 User’s Guide...
Page 682 The loss of ZyWALL A has no effect on the network. If there is more than one backup ZyWALL, the backup ZyWALL with the highest priority becomes the master. The other backup ZyWALLs remain backups. ZyWALL USG 1000 User’s Guide...
Page 683 • The backup ZyWALL cannot be the master in any active VRRP group. This refers to the actual role at the time of synchronization, not the role setting in the VRRP group. The backup applies the entire configuration if it is different from the backup’s current configuration. ZyWALL USG 1000 User’s Guide...
Page 684 Chapter 39 Device HA ZyWALL USG 1000 User’s Guide...
Page 685: User/Group
User Types These are the types of user accounts the ZyWALL uses. Table 183 Types of User Accounts TYPE ABILITIES LOGIN METHOD(S) Admin Users admin Change ZyWALL configuration (web, CLI) WWW, TELNET, SSH, FTP, Console, Dial-in ZyWALL USG 1000 User’s Guide...
Page 686 User account in the remote server. User account (Ext-User) in the ZyWALL. Default user account for AD users (ad-users), LDAP users (ldap-users) or RADIUS users (radius-users) in the ZyWALL. ZyWALL USG 1000 User’s Guide...
Page 687 • See Section 7.7 on page 142 for an example of how to use a RADIUS server to authenticate user accounts based on groups. ZyWALL USG 1000 User’s Guide...
Page 688: User Summary Screen
40.2.1.1 Rules for User Names Enter a user name from 1 to 31 characters. The user name can only contain the following characters: • Alphanumeric A-z 0-9 (there is no unicode support) • _ [underscores] ZyWALL USG 1000 User’s Guide...
Page 689 To access this screen, go to the User screen (see Section 40.2 on page 692), and click either the Add icon or an Edit icon. Figure 461 Configuration > User/Group > User > Add ZyWALL USG 1000 User’s Guide...
Page 690 (see Section 40.4 on page 697), the users can select this check box on their screen as well. In this case, the session is automatically renewed before the lease time expires. ZyWALL USG 1000 User’s Guide...
Page 691: User Group Summary Screen
Object Select an entry and click Object References to open a screen that References shows which settings use the entry. See Section 13.3.2 on page 291 an example. ZyWALL USG 1000 User’s Guide...
Page 692: Group Add/Edit Screen
This value is case-sensitive. User group names have to be different than user names. Description Enter the description of the user group, if any. You can use up to 60 characters, punctuation marks, and spaces. ZyWALL USG 1000 User’s Guide...
Page 693: Setting Screen
The Setting screen controls default settings, login settings, lockout settings, and other user settings for the ZyWALL. You can also use this screen to specify when users must log in to the ZyWALL before it routes traffic for them. ZyWALL USG 1000 User’s Guide...
Page 694 Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. This field is a sequential value, and it is not associated with a specific entry. ZyWALL USG 1000 User’s Guide...
Page 695 This field is effective when Enable user idle detection is checked. Type the number of minutes each access user can be logged in and idle before the ZyWALL automatically logs out the access user. User Logon Settings ZyWALL USG 1000 User’s Guide...
Page 696: Default User Authentication Timeout Settings Edit Screens
These default authentication timeout settings also control the settings for any existing user accounts that are set to use the default settings. You can still manually configure any user account’s authentication timeout settings. ZyWALL USG 1000 User’s Guide...
Page 697 Unlike Lease Time, the user has no opportunity to renew the session without logging out. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL USG 1000 User’s Guide...
Page 698: User Aware Login Example
Remaining This field displays the amount of time that remains before the ZyWALL time before automatically logs the access user out, regardless of the lease time. auth. timeout ZyWALL USG 1000 User’s Guide...
Page 699: User /Group Technical Reference
Web Configurator, to create the accounts. Extract the user names from the LDAP or RADIUS server, and create a shell script that creates the user accounts. See Chapter 52 on page 847 for more information about shell scripts. ZyWALL USG 1000 User’s Guide...
Page 700 Chapter 40 User/Group ZyWALL USG 1000 User’s Guide...
Page 701: Addresses
WAN IP addresses for LAN to WAN traffic. 41.2 Address Summary Screen The address screens are used to create, maintain, and remove addresses. There are the types of address objects. • HOST - a host address is defined by an IP Address. ZyWALL USG 1000 User’s Guide...
Page 702 This field displays the IP addresses represented by each address object. If the object’s settings are based on one of the ZyWALL’s interfaces, the name of the interface displays first followed by the object’s current address settings. ZyWALL USG 1000 User’s Guide...
Page 703: Address Add/Edit Screen
This field is only available if the Address Type is SUBNET, in which case this field cannot be blank. Enter the subnet mask of the network that this address object represents. Use dotted decimal format. ZyWALL USG 1000 User’s Guide...
Page 704: Address Group Summary Screen
This field is a sequential value, and it is not associated with a specific address group. Name This field displays the name of each address group. Description This field displays the description of each address group, if any. ZyWALL USG 1000 User’s Guide...
Page 705: Address Group Add/Edit Screen
Move any members you do not want included to the Available list. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL USG 1000 User’s Guide...
Page 706 Chapter 41 Addresses ZyWALL USG 1000 User’s Guide...
Page 707: Services
Then, the connection is terminated. In contrast, computers use UDP to send short messages to each other. There is no guarantee that the messages arrive in sequence or that the messages arrive at all. ZyWALL USG 1000 User’s Guide...
Page 708: The Service Summary Screen
In addition, this screen allows you to add, edit, and remove services. To access this screen, log in to the Web Configurator, and click Configuration > Object > Service > Service. Click a column’s heading cell to sort the table ZyWALL USG 1000 User’s Guide...
Page 709 This field is a sequential value, and it is not associated with a specific service. Name This field displays the name of each service. Content This field displays a description of each service. ZyWALL USG 1000 User’s Guide...
Page 710: The Service Add/Edit Screen
Click Cancel to exit this screen without saving your changes. 42.3 The Service Group Summary Screen The Service Group summary screen provides a summary of all service groups. In addition, this screen allows you to add, edit, and remove service groups. ZyWALL USG 1000 User’s Guide...
Page 711 This field displays the name of each service group. By default, the ZyWALL uses services starting with “Default_Allow_” in the firewall rules to allow certain services to connect to the ZyWALL. Description This field displays the description of each service group, if any. ZyWALL USG 1000 User’s Guide...
Page 712: The Service Group Add/Edit Screen
Move any members you do not want included to the Available list. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL USG 1000 User’s Guide...
Page 713: Schedules
(Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday). Recurring schedules always begin and end in the same day. Recurring schedules are useful for defining the workday and off-work hours. ZyWALL USG 1000 User’s Guide...
Page 714: The Schedule Summary Screen
This field displays the name of the schedule, which is used to refer to the schedule. Start Day / This field displays the date and time at which the schedule begins. Time Stop Day / This field displays the date and time at which the schedule ends. Time ZyWALL USG 1000 User’s Guide...
Page 715: The One-Time Schedule Add/Edit Screen
Name Type the name used to refer to the one-time schedule. You may use 1- 31 alphanumeric characters, underscores( ), or dashes (-), but the first character cannot be a number. This value is case-sensitive. ZyWALL USG 1000 User’s Guide...
Page 716: The Recurring Schedule Add/Edit Screen
Click Cancel to exit this screen without saving your changes. 43.2.2 The Recurring Schedule Add/Edit Screen The Recurring Schedule Add/Edit screen allows you to define a recurring schedule or edit an existing one. To access this screen, go to the Schedule screen ZyWALL USG 1000 User’s Guide...
Page 717 Weekly Week Days Select each day of the week the recurring schedule is effective. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL USG 1000 User’s Guide...
Page 718 Chapter 43 Schedules ZyWALL USG 1000 User’s Guide...
Page 719: Aaa Server
The ZyWALL tries to bind (or log in) to the LDAP/AD server. When the binding process is successful, the ZyWALL checks the user information in the directory against the user name and password pair. If it matches, the user is allowed access. Otherwise, access is blocked. ZyWALL USG 1000 User’s Guide...
Page 720: Radius Server
44.1.4 What You Can Do in this Chapter • Use the Configuration > Object > AAA Server > Active Directory (or LDAP) screens (Section 44.2 on page 727) to configure Active Directory or LDAP server objects. ZyWALL USG 1000 User’s Guide...
Page 721: What You Need To Know
RADIUS server. RADIUS authentication allows you to validate a large number of users from a central location. Directory Structure The directory entries are arranged in a hierarchical order much like a tree structure. Normally, the directory structure reflects the geographical or ZyWALL USG 1000 User’s Guide...
Page 722 If the bind password is incorrect, the login will fail. Finding Out More • See Section 7.6.3 on page 135 for an example of how to set up user authentication using a radius server. ZyWALL USG 1000 User’s Guide...
Page 723: Active Directory Or Ldap Server Summary
44.2.1 Adding an Active Directory or LDAP Server Click Object > AAA Server > Active Directory (or LDAP) to display the Active Directory (or LDAP) screen. Click the Add icon or an Edit icon to display the ZyWALL USG 1000 User’s Guide...
Page 724 Specify the port number on the AD or LDAP server to which the ZyWALL sends authentication requests. Enter a number between 1 and 65535. This port number should be the same on all AD or LDAP server(s) in this group. ZyWALL USG 1000 User’s Guide...
Page 725: Radius Server Summary
Click OK to save the changes. Cancel Click Cancel to discard the changes. 44.3 RADIUS Server Summary Use the RADIUS screen to manage the list of RADIUS servers the ZyWALL can use in authenticating users. ZyWALL USG 1000 User’s Guide...
Page 726 Search timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down. Apply Click Apply to save the changes. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG 1000 User’s Guide...
Page 727: Adding A Radius Server
If the RADIUS server has a backup server, enter its address here. Address Backup Specify the port number on the RADIUS server to which the ZyWALL Authentication sends authentication requests. Enter a number between 1 and 65535. Port ZyWALL USG 1000 User’s Guide...
Page 728 “sales”, “RD”, and “management”. Then you could also create a ext- group-user user object for each group. One with “sales” as the group identifier, another for “RD” and a third for “management”. Click OK to save the changes. Cancel Click Cancel to discard the changes. ZyWALL USG 1000 User’s Guide...
Page 729: Authentication Method
Follow the steps below to specify the authentication method for a VPN connection. Access the Configuration > VPN > IPSec VPN > VPN Gateway > Edit screen. Click Show Advance Setting and select Enable Extended Authentication. ZyWALL USG 1000 User’s Guide...
Page 730: Authentication Method Objects
Select an entry and click Object References to open a screen that shows References which settings use the entry. See Section 13.3.2 on page 291 for an example. This field displays the index number. Method Name This field displays a descriptive name for identification purposes. ZyWALL USG 1000 User’s Guide...
Page 731: Creating An Authentication Method Object
ZyWALL does not continue the search on the second authentication server when you enter the username and password that doesn’t match the one on the first authentication server. Note: You can NOT select two server objects of the same type. ZyWALL USG 1000 User’s Guide...
Page 732 If two accounts with the same username exist on two authentication servers you specify, the ZyWALL does not continue the search on the second authentication server when you enter the username and password that doesn’t match the one on the first authentication server. ZyWALL USG 1000 User’s Guide...
Page 733 Click Add to add a new entry. Click Edit to edit the settings of an entry. Click Delete to delete an entry. Click OK to save the changes. Cancel Click Cancel to discard the changes. ZyWALL USG 1000 User’s Guide...
Page 734 Chapter 45 Authentication Method ZyWALL USG 1000 User’s Guide...
Page 735: Certificates
Tim wants to send a message to Jenny. He needs her to be sure that it comes from him, and that the message content has not been altered by anyone else along the way. Tim generates a public key pair (one public key and one private key). ZyWALL USG 1000 User’s Guide...
Page 736 • Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys. Self-signed Certificates You can have the ZyWALL act as a certification authority and sign its own certificates. ZyWALL USG 1000 User’s Guide...
Page 737: Verifying A Certificate
MD5 or SHA1 algorithm. The following procedure describes how to check a certificate’s fingerprint to verify that you have the actual certificate. Browse to where you have the certificate saved on your computer. ZyWALL USG 1000 User’s Guide...
Page 738 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may very based on your situation. Possible examples would be over the telephone or through an HTTPS connection. ZyWALL USG 1000 User’s Guide...
Page 739: The My Certificates Screen
This field displays the certificate index number. The certificates are listed in alphabetical order. Name This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name. ZyWALL USG 1000 User’s Guide...
Page 740: The My Certificates Add Screen
Click Refresh to display the current validity status of the certificates. 46.2.1 The My Certificates Add Screen Click Configuration > Object > Certificate > My Certificates and then the Add icon to open the My Certificates Add screen. Use this screen to have the ZyWALL USG 1000 User’s Guide...
Page 741 Chapter 46 Certificates ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request. Figure 493 Configuration > Object > Certificate > My Certificates > Add ZyWALL USG 1000 User’s Guide...
Page 742 Create a self- Select this to have the ZyWALL generate the certificate and act as signed certificate the Certification Authority (CA) itself. This way you do not need to apply to a certification authority for certificates. ZyWALL USG 1000 User’s Guide...
Page 743 You must have the certification authority’s certificate already imported in the Trusted Certificates screen. Click Trusted CAs to go to the Trusted Certificates screen where you can view (and manage) the ZyWALL's list of certificates of trusted certification authorities. ZyWALL USG 1000 User’s Guide...
Page 744 Return and check your information in the My Certificate Create screen. Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the ZyWALL to enroll a certificate online. ZyWALL USG 1000 User’s Guide...
Page 745: The My Certificates Edit Screen
Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate’s name. Figure 494 Configuration > Object > Certificate > My Certificates > Edit ZyWALL USG 1000 User’s Guide...
Page 746 “none” displays for a certification request. Valid To This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired. “none” displays for a certification request. ZyWALL USG 1000 User’s Guide...
Page 747 Private Key Type the certificate’s password and click this button. Click Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save. ZyWALL USG 1000 User’s Guide...
Page 748: The My Certificates Import Screen
Type in the location of the file you want to upload in this field or click Browse to find it. You cannot import a certificate with the same name as a certificate that is already in the ZyWALL. Browse Click Browse to find the certificate file you want to upload. ZyWALL USG 1000 User’s Guide...
Page 749: The Trusted Certificates Screen
Uploading a new firmware or default configuration file does not delete your certificates. To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Subsequent certificates move up by one when you take this action. ZyWALL USG 1000 User’s Guide...
Page 750: The Trusted Certificates Edit Screen
Edit icon to open the Trusted Certificates Edit screen. Use this screen to view in-depth information about the certificate, change the certificate’s name and set whether or not you want the ZyWALL to check a certification ZyWALL USG 1000 User’s Guide...
Page 751 Chapter 46 Certificates authority’s list of revoked certificates before trusting a certificate issued by the certification authority. Figure 497 Configuration > Object > Certificate > Trusted Certificates > Edit ZyWALL USG 1000 User’s Guide...
Page 752 (usually a certification authority). Password Type the password (up to 31 ASCII characters) from the entity maintaining the CRL directory server (usually a certification authority). Certificate These read-only fields display detailed information about the Information certificate. ZyWALL USG 1000 User’s Guide...
Page 753 This is the certificate’s message digest that the ZyWALL calculated using the MD5 algorithm. You can use this value to verify with the certification authority (over the phone for example) that this is actually their certificate. ZyWALL USG 1000 User’s Guide...
Page 754: The Trusted Certificates Import Screen
ZyWALL. Note: You must remove any spaces from the certificate’s filename before you can import the certificate. Figure 498 Configuration > Object > Certificate > Trusted Certificates > Import ZyWALL USG 1000 User’s Guide...
Page 755: Certificates Technical Reference
The second is a reduction in network traffic since the ZyWALL only gets information on the certificates that it needs to verify, not a huge list. When the ZyWALL requests certificate status information, the OCSP server returns a “expired”, “current” or “unknown” response. ZyWALL USG 1000 User’s Guide...
Page 756 Chapter 46 Certificates ZyWALL USG 1000 User’s Guide...
Page 757: Isp Accounts
ISP accounts in the ZyWALL. 47.2 ISP Account Summary This screen provides a summary of ISP accounts in the ZyWALL. To access this screen, click Configuration > Object > ISP Account. Figure 499 Configuration > Object > ISP Account ZyWALL USG 1000 User’s Guide...
Page 758: Isp Account Edit
Account screen. (See Section 47.2 on page 761.) Then, click on an Add icon or Edit icon to open the ISP Account Edit screen below. Figure 500 Configuration > Object > ISP Account > Edit ZyWALL USG 1000 User’s Guide...
Page 759 If this ISP account uses the PPPoE protocol, type the PPPoE service name to access. PPPoE uses the specified service name to identify and reach the PPPoE server. This field can be blank. If this ISP account uses the PPTP protocol, this field is not displayed. ZyWALL USG 1000 User’s Guide...
Page 760 ISP Account Edit screen. Cancel Click Cancel to return to the ISP Account screen without creating the profile (if it is new) or saving any changes to the profile (if it already exists). ZyWALL USG 1000 User’s Guide...
Page 761: Ssl Application
Available SSL application names are displayed as links in remote user screens. Depending on the application type, remote users can simply click the links or follow the steps in the pop-up dialog box to access. ZyWALL USG 1000 User’s Guide...
Page 762: Example: Specifying A Web Site For Access
This example shows you how to create a web-based application for an internal web site. The address of the web site is http://info with web page encryption. Click Configuration > Object > SSL Application in the navigation panel. ZyWALL USG 1000 User’s Guide...
Page 763: The Ssl Application Screen
48.2 The SSL Application Screen The main SSL Application screen displays a list of the configured SSL application objects. Click Configuration > Object > SSL Application in the navigation panel. Figure 503 Configuration > Object > SSL Application ZyWALL USG 1000 User’s Guide...
Page 764: Creating/Editing A Web-Based Ssl Application Object
To configure a web-based application, click the Add or Edit button in the SSL Application screen and select Web Application in the Type field to display the configuration screen as shown. Figure 504 Configuration > Object > SSL Application > Add/Edit: Web Application ZyWALL USG 1000 User’s Guide...
Page 765 This field is optional. You only need to configure this field if you need to specify the name of the directory or file on the local server as the home page or home directory on the user screen. ZyWALL USG 1000 User’s Guide...
Page 766: Creating/Editing A File Sharing Ssl Application Object
Note: You must also configure the shared folder on the file server for remote access. Refer to the document that comes with your file server. Figure 505 Configuration > Object > SSL Application > Add/Edit: File Sharing ZyWALL USG 1000 User’s Guide...
Page 767 “\Tmp” share on the “my-server” computer. Click Ok to save the changes and return to the main SSL Application Configuration screen. Cancel Click Cancel to discard the changes and return to the main SSL Application Configuration screen. ZyWALL USG 1000 User’s Guide...
Page 768 Chapter 48 SSL Application ZyWALL USG 1000 User’s Guide...
Page 769: Endpoint Security
SSL VPN access policy; in this example a web server. SSL VPN user C fails all of the SSL VPN’s endpoint security check and is not given any access. Figure 506 Endpoint Security ZyWALL USG 1000 User’s Guide...
Page 770: What You Can Do In This Chapter
User computers must have Sun’s Java (Java Runtime Environment or ‘JRE’) installed and enabled with a minimum version of 1.4. Finding Out More Section 7.8 on page 144 for an example of how to use endpoint security and authentication policies. ZyWALL USG 1000 User’s Guide...
Page 771: Endpoint Security Screen
Enter a message to display when a user’s computer fails the endpoint Failure security check. Use up to 1023 characters (0-9a-zA-Z;/?:@=+$\.- Message _!*'()%,”). For example, “Endpoint Security checking failed. Please contact your network administrator for help.”. ZyWALL USG 1000 User’s Guide...
Page 772 Chapter 49 Endpoint Security Table 221 Configuration > Object > Endpoint Security (continued) LABEL DESCRIPTION Apply Click this button to save your changes to the ZyWALL. Reset Click this button to return the screen to its last-saved settings. ZyWALL USG 1000 User’s Guide...
Page 773: Endpoint Security Add/Edit
Chapter 49 Endpoint Security 49.3 Endpoint Security Add/Edit Click Configuration > Object > Endpoint Security and then the Add (or Edit) icon to open the Endpoint Security Edit screen. Use this screen to configure an endpoint security object. ZyWALL USG 1000 User’s Guide...
Page 774 Chapter 49 Endpoint Security Figure 508 Configuration > Object > Endpoint Security > Add ZyWALL USG 1000 User’s Guide...
Page 775 The user’s computer must have all of the listed Windows security patches installed to pass this checking item. Click Add to create a new entry. Select one or more entries and click Remove to delete it or them. ZyWALL USG 1000 User’s Guide...
Page 776 Include the filename extension for Linux operating systems. Click Add to create a new entry. Select one or more entries and click Remove to delete it or them. ZyWALL USG 1000 User’s Guide...
Page 777 The user’s computer must pass one of the listed file information checks to pass this checking item. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. ZyWALL USG 1000 User’s Guide...
Page 778 Chapter 49 Endpoint Security ZyWALL USG 1000 User’s Guide...
Page 779: System
SNMP screen (see Section 50.10 on page 823) to configure SNMP settings, including from which zones SNMP can be used to access the ZyWALL. You can also specify from which IP addresses the access can come. ZyWALL USG 1000 User’s Guide...
Page 780: Host Name
254 alphanumeric characters long. Spaces are not allowed, but dashes “-” are accepted. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG 1000 User’s Guide...
Page 781: Date And Time
Table 224 Configuration > System > Date and Time LABEL DESCRIPTION Current Time and Date Current Time This field displays the present time of your ZyWALL. Current Date This field displays the present date of your ZyWALL. Time and Date Setup ZyWALL USG 1000 User’s Guide...
Page 782 European Union you would select Last, Sunday, March. The time you type in the at field depends on your time zone. In Germany for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1). ZyWALL USG 1000 User’s Guide...
Page 783: Pre-Defined Ntp Time Servers List
If the synchronization fails, then the ZyWALL goes through the rest of the list in order from the first one tried until either it is successful or all the pre-defined NTP time servers have been tried. ZyWALL USG 1000 User’s Guide...
Page 784: Time Server Synchronization
Select Get from Time Server under Time and Date Setup. Under Time Zone Setup, select your Time Zone from the list. As an option you can select the Enable Daylight Saving check box to adjust the ZyWALL clock for daylight savings. ZyWALL USG 1000 User’s Guide...
Page 785: Console Port Speed
DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. ZyWALL USG 1000 User’s Guide...
Page 786: Dns Server Address Assignment
You can also configure the ZyWALL to accept or discard DNS queries. Use the Network > Interface screens to configure the DNS server information that the ZyWALL sends to the specified DHCP client devices. Figure 513 Configuration > System > DNS ZyWALL USG 1000 User’s Guide...
Page 787 A “*” means all domain zones. Type This displays whether the DNS server IP address is assigned by the ISP dynamically through a specified interface or configured manually (User-Defined). ZyWALL USG 1000 User’s Guide...
Page 788 DNS queries. Action This displays whether the ZyWALL accepts DNS queries from the computer with the IP address specified above through the specified zone (Accept) or discards them (Deny). ZyWALL USG 1000 User’s Guide...
Page 789: Address Record
IP address to a domain name. 50.5.5 Adding an Address/PTR Record Click the Add icon in the Address/PTR Record table to add an address/PTR record. Figure 514 Configuration > System > DNS > Address/PTR Record Edit ZyWALL USG 1000 User’s Guide...
Page 790: Domain Zone Forwarder
50.5.7 Adding a Domain Zone Forwarder Click the Add icon in the Domain Zone Forwarder table to add a domain zone forwarder record. Figure 515 Configuration > System > DNS > Domain Zone Forwarder Add ZyWALL USG 1000 User’s Guide...
Page 791: Mx Record
Each host or domain can have only one MX record, that is, one domain is mapping to one host. ZyWALL USG 1000 User’s Guide...
Page 792: Adding A Mx Record
Click Cancel to exit this screen without saving 50.5.10 Adding a DNS Service Control Rule Click the Add icon in the Service Control table to add a service control rule. Figure 517 Configuration > System > DNS > Service Control Rule Add ZyWALL USG 1000 User’s Guide...
Page 793: Www Overview
Note: To allow the ZyWALL to be accessed from a specified computer using a service, make sure you do not have a service control rule or to-ZyWALL firewall rule to block that traffic. ZyWALL USG 1000 User’s Guide...
Page 794: Service Access Limitations
(SSL) is an application-level protocol that enables secure transactions of data by ensuring confidentiality (an unauthorized party cannot read the transferred data), authentication (one party can identify the other party) and data integrity (you know if data has been changed). ZyWALL USG 1000 User’s Guide...
Page 795: Configuring Www Service Control
Click Configuration > System > WWW to open the WWW screen. Use this screen to specify from which zones you can access the ZyWALL using HTTP or HTTPS. You can also specify which IP addresses the access can come from. ZyWALL USG 1000 User’s Guide...
Page 796 Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL Web Configurator using secure HTTPs connections. ZyWALL USG 1000 User’s Guide...
Page 797 This is the object name of the IP address(es) with which the computer is allowed or denied to access. Action This displays whether the computer with the IP address specified above can access the ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny). ZyWALL USG 1000 User’s Guide...
Page 798 ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny). Authentication Client Select a method the HTTPS or HTTP server uses to authenticate a Authentication client. Method You must have configured the authentication methods in the Auth. method screen. ZyWALL USG 1000 User’s Guide...
Page 799: Service Control Rules
Click Cancel to exit this screen without saving 50.6.6 Customizing the WWW Login Page Click Configuration > System > WWW > Login Page to open the Login Page screen. Use this screen to customize the Web Configurator login screen. You can ZyWALL USG 1000 User’s Guide...
Page 800 Web Configurator to access network services like the Internet. See Chapter 40 on page for more on access user accounts. Figure 522 Configuration > System > WWW > Login Page ZyWALL USG 1000 User’s Guide...
Page 801 Note Message (last line of text) Figure 524 Access Page Customization Logo Title Message (color of all text) Note Message (last line of text) Window Background You can specify colors in one of the following ways: ZyWALL USG 1000 User’s Guide...
Page 802 Web Configurator to access network services like the Internet. Title Enter the title for the top of the screen. Use up to 64 printable ASCII characters. Spaces are allowed. Message Color Specify the color of the screen’s text. ZyWALL USG 1000 User’s Guide...
Page 803: Https Example
You see the following Security Alert screen in Internet Explorer. Select Yes to proceed to the Web Configurator login screen; if you select No, then Web Configurator access is blocked. Figure 525 Security Alert Dialog Box (Internet Explorer) ZyWALL USG 1000 User’s Guide...
Page 804: Netscape Navigator Warning Messages
Figure 527 Security Certificate 2 (Netscape) 50.6.7.3 Avoiding Browser Warning Messages Here are the main reasons your browser displays warnings about the ZyWALL’s HTTPS server certificate and what you can do to avoid seeing the warnings: ZyWALL USG 1000 User’s Guide...
Page 805: Login Screen
The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL. You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details). ZyWALL USG 1000 User’s Guide...
Page 806 50.6.7.5.1 Installing the CA’s Certificate Double click the CA’s trusted certificate to produce a screen similar to the one shown next. Figure 530 CA Certificate Example Click Install Certificate and follow the wizard as shown earlier in this appendix. ZyWALL USG 1000 User’s Guide...
Page 807 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 532 Personal Certificate Import Wizard 2 ZyWALL USG 1000 User’s Guide...
Page 808 Figure 533 Personal Certificate Import Wizard 3 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location. Figure 534 Personal Certificate Import Wizard 4 ZyWALL USG 1000 User’s Guide...
Page 809: Using A Certificate When Accessing The Zywall Example
50.6.7.6 Using a Certificate When Accessing the ZyWALL Example Use the following procedure to access the ZyWALL via HTTPS. Enter ‘https://ZyWALL IP Address/ in your browser’s web address field. Figure 537 Access the ZyWALL Via HTTPS ZyWALL USG 1000 User’s Guide...
Page 810: Ssh
Figure 539 Secure Web Configurator Login Screen 50.7 SSH You can use SSH (Secure SHell) to securely access the ZyWALL’s command line interface. Specify which zones allow SSH access and from which IP address the access can come. ZyWALL USG 1000 User’s Guide...
Page 811: How Ssh Works
The client automatically saves any new server public keys. In subsequent connections, the server public key is checked against the saved version on the client computer. ZyWALL USG 1000 User’s Guide...
Page 812: Ssh Implementation On The Zywall
Click Configuration > System > SSH to change your ZyWALL’s Secure Shell settings. Use this screen to specify from which zones SSH can be used to manage the ZyWALL. You can also specify from which IP addresses the access can come. ZyWALL USG 1000 User’s Guide...
Page 813 Remove To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action. ZyWALL USG 1000 User’s Guide...
Page 814: Secure Telnet Using Ssh Examples
Configure the SSH client to accept connection using SSH version 1. A window displays prompting you to store the host key in you computer. Click Yes to continue. Figure 543 SSH Example 1: Store Host Key ZyWALL USG 1000 User’s Guide...
Page 815: Telnet
Administrator@192.168.1.1's password: The CLI screen displays next. 50.8 Telnet You can use Telnet to access the ZyWALL’s command line interface. Specify which zones allow Telnet access and from which IP address the access can come. ZyWALL USG 1000 User’s Guide...
Page 816: Configuring Telnet
To change an entry’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed. ZyWALL USG 1000 User’s Guide...
Page 817: Ftp
50.9.1 Configuring FTP To change your ZyWALL’s FTP settings, click Configuration > System > FTP tab. The screen appears as shown. Use this screen to specify from which zones FTP can ZyWALL USG 1000 User’s Guide...
Page 818 Remove To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action. ZyWALL USG 1000 User’s Guide...
Page 819: Snmp
Simple Network Management Protocol is a protocol used for exchanging management information between network devices. Your ZyWALL supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyWALL through the network. The ZyWALL supports SNMP version one (SNMPv1) ZyWALL USG 1000 User’s Guide...
Page 820 SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations: • Get - Allows the manager to retrieve an object variable from the agent. ZyWALL USG 1000 User’s Guide...
Page 821: Supported Mibs
This trap is sent when an SNMP request comes from non-authenticated hosts. 50.10.3 Configuring SNMP To change your ZyWALL’s SNMP settings, click Configuration > System > SNMP tab. The screen appears as shown. Use this screen to configure your SNMP ZyWALL USG 1000 User’s Guide...
Page 822 SNMP manager. The default is public and allows all requests. Destination Type the IP address of the station to send your SNMP traps to. Service This specifies from which computers you can access which ZyWALL Control zones. ZyWALL USG 1000 User’s Guide...
Page 823: Dial-In Management
ATDP. DTR Signal The majority of WAN devices default to hanging up the current call when the DTR (Data Terminal Ready) signal is dropped by the DTE. When the Drop DTR When ZyWALL USG 1000 User’s Guide...
Page 824: Configuring Dial-In Mgmt
Select this check box to stop the external serial modem from making audible sounds during a dial-in management session. Answer Rings Set how many times the ZyWALL lets the incoming dial-in management session ring before processing it. ZyWALL USG 1000 User’s Guide...
Page 825 If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not do any configurations directly to the ZyWALL (using either the Web Configurator or commands) without notifying the Vantage CNM administrator. ZyWALL USG 1000 User’s Guide...
Page 826: Vantage Cnm
If the Vantage CNM server is behind a firewall, you may have to create a rule on the firewall to allow UDP port 11864 traffic through to the Vantage CNM server (most (new) ZyXEL firewalls automatically allow this). ZyWALL USG 1000 User’s Guide...
Page 827 Select the Vantage CNM server’s certificate. This applies when you Certificate enable HTTPS authentication. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG 1000 User’s Guide...
Page 828: Language Screen
You also need to open a new browser session to display the screens in the new language. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG 1000 User’s Guide...
Page 829: Log And Report
51.2 Email Daily Report Use the Email Daily Report screen to start or stop data collection and view various statistics about traffic passing through your ZyWALL. Note: Data collection may decrease the ZyWALL’s traffic throughput rate. ZyWALL USG 1000 User’s Guide...
Page 830 Click Configuration > Log & Report > Email Daily Report to display the following screen. Configure this screen to have the ZyWALL e-mail you system statistics every day. Figure 553 Configuration > Log & Report > Email Daily Report ZyWALL USG 1000 User’s Guide...
Page 831: Log Setting Screens
The system log is available on the View Log tab, the e-mail profiles are used to mail log messages to the specified destinations, and the other four logs are stored on specified syslog servers. ZyWALL USG 1000 User’s Guide...
Page 832: Log Setting Summary
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate. ZyWALL USG 1000 User’s Guide...
Page 833: Edit System Log Settings
The Log Settings Edit screen controls the detailed settings for each log in the system log (which includes the e-mail profiles). Go to the Log Settings Summary screen (see Section 51.3.1 on page 836), and click the system log Edit icon. ZyWALL USG 1000 User’s Guide...
Page 834 Chapter 51 Log and Report Figure 555 Configuration > Log & Report > Log Setting > Edit (System Log) ZyWALL USG 1000 User’s Guide...
Page 835 2 also has normal logs enabled, the ZyWALL will e-mail logs to them. enable normal logs and debug logs (yellow check mark) - create log messages, alerts, and debugging information for all categories. The ZyWALL does not e-mail debugging information, even if this setting is selected. ZyWALL USG 1000 User’s Guide...
Page 836 (green check mark) and/or in alerts (red exclamation point) for the e-mail settings specified in E-Mail Server 2. The ZyWALL does not e-mail debugging information, even if it is recorded in the System log. Log Consolidation ZyWALL USG 1000 User’s Guide...
Page 837 Message field. Click this to save your changes and return to the previous screen. Cancel Click this to return to the previous screen without saving your changes. ZyWALL USG 1000 User’s Guide...
Page 838: Edit Remote Server Log Settings
(syslog). Go to the Log Settings Summary screen (see Section 51.3.1 on page 836), and click a remote server Edit icon. Figure 556 Configuration > Log & Report > Log Setting > Edit (Remote Server) ZyWALL USG 1000 User’s Guide...
Page 839 (yellow check mark) - log regular information, alerts, and debugging information from this category Click this to save your changes and return to the previous screen. Cancel Click this to return to the previous screen without saving your changes. ZyWALL USG 1000 User’s Guide...
Page 840: Active Log Summary Screen
This screen provides a different view and a different way of indicating which messages are included in each log and each alert. Please see Section 51.3.2 on page 837, where this process is discussed. (The Default category includes debugging messages generated by open source software.) ZyWALL USG 1000 User’s Guide...
Page 841 This field displays each category of messages. It is the same value used in the Display and Category fields in the View Log tab. The Default category includes debugging messages generated by open source software. ZyWALL USG 1000 User’s Guide...
Page 842 (yellow check mark) - log regular information, alerts, and debugging information from this category Click this to save your changes and return to the previous screen. Cancel Click this to return to the previous screen without saving your changes. ZyWALL USG 1000 User’s Guide...
Page 843: File Manager
When you apply a configuration file, the ZyWALL uses the factory default settings for any features that the configuration file does not include. When you run a shell script, the ZyWALL only applies the commands that it contains. Other settings do not change. ZyWALL USG 1000 User’s Guide...
Page 844: Comments In Configuration Files Or Shell Scripts
Comments in Configuration Files or Shell Scripts In a configuration file or shell script, use “#” or “!” as the first character of a command line to have the ZyWALL treat the line as a comment. ZyWALL USG 1000 User’s Guide...
Page 845 The ZyWALL ignores any errors in the configuration file or shell script and applies all of the valid commands. The ZyWALL still generates a log for any errors. ZyWALL USG 1000 User’s Guide...
Page 846: The Configuration File Screen
The ZyWALL still generates a log for any errors. Figure 559 Maintenance > File Manager > Configuration File Do not turn off the ZyWALL while configuration file upload is in progress. ZyWALL USG 1000 User’s Guide...
Page 847 Click OK to delete the configuration file or click Cancel to close the screen without deleting the configuration file. Download Click a configuration file’s row to select it and click Download to save the configuration to your computer. ZyWALL USG 1000 User’s Guide...
Page 848 Specify a name for the duplicate configuration file. Use up to 25 characters (including a-zA-Z0-9;‘~!@#$%^&()_+[]{}’,.=-). Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file. ZyWALL USG 1000 User’s Guide...
Page 849 The total number of configuration files that you can save depends on the sizes of the configuration files and the available flash storage space. ZyWALL USG 1000 User’s Guide...
Page 850: The Firmware Package Screen
52.3 The Firmware Package Screen Click Maintenance > File Manager > Firmware Package to open the Firmware Package screen. Use the Firmware Package screen to check your current firmware version and upload firmware to the ZyWALL. ZyWALL USG 1000 User’s Guide...
Page 851 Browse... Click Browse... to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them. Upload Click Upload to begin the upload process. This process may take up to two minutes. ZyWALL USG 1000 User’s Guide...
Page 852: The Shell Script Screen
Click Maintenance > File Manager > Shell Script to open the Shell Script screen. Use the Shell Script screen to store, name, download, upload and run shell script files. You can store multiple shell script files on the ZyWALL at the same time. ZyWALL USG 1000 User’s Guide...
Page 853 Click OK to delete the shell script file or click Cancel to close the screen without deleting the shell script file. Download Click a shell script file’s row to select it and click Download to save the configuration to your computer. ZyWALL USG 1000 User’s Guide...
Page 854 Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse... Click Browse... to find the .zysh file you want to upload. Upload Click Upload to begin the upload process. This process may take up to several minutes. ZyWALL USG 1000 User’s Guide...
Page 855: Diagnostics
ZyWALL’s configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting. Click Maintenance > Diagnostics to open the Diagnostic screen. Figure 570 Maintenance > Diagnostics ZyWALL USG 1000 User’s Guide...
Page 856: The Packet Capture Screen
Click Maintenance > Diagnostics > Packet Capture to open the packet capture screen. Note: New capture files overwrite existing files of the same name. Change the File Suffix field’s setting to avoid this. Figure 571 Maintenance > Diagnostics > Packet Capture ZyWALL USG 1000 User’s Guide...
Page 857 ZyWALL automatically truncates packets that exceed this size. As a result, when you view the packet capture files in a packet analyzer, the actual size of the packets may be larger than the size of captured packets. ZyWALL USG 1000 User’s Guide...
Page 858: The Packet Capture Files Screen
[Shift] and/or [Ctrl] key to select multiple files. A pop-up window asks you to confirm that you want to delete. Download Click a file to select it and click Download to save it to your computer. ZyWALL USG 1000 User’s Guide...
Page 859: Example Of Viewing A Packet Capture File
Notice that the size of frame 15 on the wire is 1514 bytes while the captured size is only 1500 bytes. The ZyWALL truncated the frame because the capture screen’s Number Of Bytes To Capture (Per Packet) field was set to 1500 bytes. Figure 573 Packet Capture File Example ZyWALL USG 1000 User’s Guide...
Page 860 Chapter 53 Diagnostics ZyWALL USG 1000 User’s Guide...
Page 861: Reboot
Click the Reboot button to restart the ZyWALL. Wait a few minutes until the login screen appears. If the login screen does not appear, type the IP address of the device in your Web browser. You can also use the CLI command reboot to restart the ZyWALL. ZyWALL USG 1000 User’s Guide...
Page 862 Chapter 54 Reboot ZyWALL USG 1000 User’s Guide...
Page 863: Shutdown
Click the Shutdown button to shut down the ZyWALL. Wait for the device to shut down before you manually turn off or remove the power. It does not turn off the power. You can also use the CLI command shutdown to shutdown the ZyWALL. ZyWALL USG 1000 User’s Guide...
Page 864 Chapter 55 Shutdown ZyWALL USG 1000 User’s Guide...
Page 865: Troubleshooting
5 seconds (or until the PWR LED starts to blink), then release it. It returns the ZyWALL to the factory defaults (password is 1234, LAN IP address 192.168.1.1 etc.; see your User’s Guide for details). ZyWALL USG 1000 User’s Guide...
Page 866 • Make sure your ZyWALL has the IDP/application patrol service registered and that the license is not expired. Purchase a new license if the license is expired. • Make sure your ZyWALL is connected to the Internet. ZyWALL USG 1000 User’s Guide...
Page 867 The ZyWALL checks the firewall rules in the order that they are listed. So make sure that your custom firewall rule comes before any other rules that the traffic would also match. I cannot enter the interface name I want. ZyWALL USG 1000 User’s Guide...
Page 868 The data rates through my cellular connection are no-where near the rates I expected. The actual cellular data rate you obtain varies depending on the cellular device you use, the signal strength to the service provider’s base station, and so on. ZyWALL USG 1000 User’s Guide...
Page 869 At the time of writing, the ZyWALL does not support ingress bandwidth management. The ZyWALL is not applying my application patrol bandwidth management settings. Bandwidth management in policy routes has priority over application patrol bandwidth management. ZyWALL USG 1000 User’s Guide...
Page 870 Depending on your network topology and traffic load, binding every packet direction to an IDP profile may affect the ZyWALL’s performance. You may want to focus IDP scanning on certain traffic directions such as incoming traffic. ZyWALL USG 1000 User’s Guide...
Page 871 For example LAN to WAN traffic. You must manually configure a policy route to add routing and SNAT settings for an interface with the Interface Type set to General. You can also configure a policy route to override ZyWALL USG 1000 User’s Guide...
Page 872 Make sure you have the SIP ALG enabled. I cannot get the application patrol to manage H.323 traffic. Make sure you have the H.323 ALG enabled. I cannot get the application patrol to manage FTP traffic. ZyWALL USG 1000 User’s Guide...
Page 873 • When using pre-shared keys, the ZyWALL and the remote IPSec router must use the same pre-shared key. • The ZyWALL’s local and peer ID type and content must match the remote IPSec router’s peer and local ID type and content, respectively. ZyWALL USG 1000 User’s Guide...
Page 874 CA that signed the remote IPSec router’s certificate. • Multiple SAs connecting through a secure gateway must have the same negotiation mode. I cannot set up an L2TP VPN tunnel. ZyWALL USG 1000 User’s Guide...
Page 875 127 x 57 pixels to avoid distortion when displayed. The ZyWALL automatically resizes a graphic of a different resolution to 127 x 57 pixels. The file size must be 100 kilobytes or less. Transparent background is recommended. ZyWALL USG 1000 User’s Guide...
Page 876: Uploading A File
I changed the LAN IP address and can no longer access the Internet. The ZyWALL automatically updates address objects based on an interface’s IP address, subnet, or gateway if the interface’s IP address settings change. ZyWALL USG 1000 User’s Guide...
Page 877 ZyWALL for management whether the ZyWALL is the master or a backup. The management IP address should be in the same subnet as the interface IP address. • Enable monitoring for the same interfaces on the master and backup ZyWALLs. ZyWALL USG 1000 User’s Guide...
Page 878 I cannot add the admin users to a user group with access users. You cannot put access users and admin users in the same user group. I cannot add the default admin account to a user group. ZyWALL USG 1000 User’s Guide...
Page 879 • Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates. • PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses lowercase letters, uppercase letters and numerals to convert a binary X.509 certificate into a printable form. ZyWALL USG 1000 User’s Guide...
Page 880 Make sure the logo file is a GIF, JPG, or PNG of 100 kilobytes or less. I uploaded a logo to use as the screen or window background but it does not display properly. Make sure the logo file is a GIF, JPG, or PNG of 100 kilobytes or less. ZyWALL USG 1000 User’s Guide...
Page 881 See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it. My packet capture captured less than I wanted or failed. ZyWALL USG 1000 User’s Guide...
Page 882: Resetting The Zywall
Press the RESET button and hold it until the SYS LED begins to blink. (This usually takes about five seconds.) Release the RESET button, and wait for the ZyWALL to restart. You should be able to access the ZyWALL using the default settings. ZyWALL USG 1000 User’s Guide...
Page 883: Getting More Troubleshooting Help
Chapter 56 Troubleshooting 56.2 Getting More Troubleshooting Help Search for support information for your model at www.zyxel.com for more troubleshooting suggestions. ZyWALL USG 1000 User’s Guide...
Page 884 Chapter 56 Troubleshooting ZyWALL USG 1000 User’s Guide...
Page 885: Product Specifications
Extension Card Slot Slot for optional hardware accessories PCMCIA slot for a cellular (3G) card. Compatible PCMCIA Cards Sierra Wireless AC850, AC860, AC880 or AC881 3G card Power Requirements 100-240 V AC, 50/60 Hz, 1 A Max ZyWALL USG 1000 User’s Guide...
Page 886 430.7 (W) x 292.0 (D) x 43.5 (H) mm Weight 4.7 kg Rack-mounting Rack-mountable (rack-mount kit included) This table gives details about the ZyWALL’s features. Table 257 ZyWALL USG 1000 Feature Specifications VERSION # V2.00 V2.11, V2.12 V2.20 FEATURE # of MAC...
Page 887: Product Specifications
Chapter 57 Product Specifications Table 257 ZyWALL USG 1000 Feature Specifications (continued) VERSION # V2.00 V2.11, V2.12 V2.20 FEATURE Firewall ACL Rules 5,000 5000 5000 Maximum Session Limit per Host 1000 1000 Rules APPLICATION PATROL Maximum Rules for Other Protocols...
Page 888 Chapter 57 Product Specifications Table 257 ZyWALL USG 1000 Feature Specifications (continued) VERSION # V2.00 V2.11, V2.12 V2.20 FEATURE Number of Trunks (system default) Maximum Number of Trunks (user created) Maximum Number of VPN Tunnels 1000 1000 1000 Maximum Number of VPN...
Page 889 Chapter 57 Product Specifications Table 257 ZyWALL USG 1000 Feature Specifications (continued) VERSION # V2.00 V2.11, V2.12 V2.20 FEATURE Maximum Number of Content Filter Profiles Maximum Number of Forbidden 256 per profile 256 per profile 256 per profile Domain Entries...
Page 890 Chapter 57 Product Specifications Table 257 ZyWALL USG 1000 Feature Specifications (continued) VERSION # V2.00 V2.11, V2.12 V2.20 FEATURE Maximum SSL VPN Connections 5 without a 5 without a 5 without a license license license 50 with license Licenses come...
Page 891: Pcmcia Card Installation
IP/IPv4 RFC 791 RFC 793 57.1 3G PCMCIA Card Installation Only insert a compatible 3G card. Slide the connector end of the card into the slot. Note: Do not force, bend or twist the card. ZyWALL USG 1000 User’s Guide...
Page 892 Chapter 57 Product Specifications ZyWALL USG 1000 User’s Guide...
Page 893: Appendix A Log Descriptions
%s: website host The device allowed access to a web site. The content filtering %s: Service is not service is unregistered and the default policy is not set to registered block. %s: website host ZyWALL USG 1000 User’s Guide...
Page 894 The web site contains Java applet and access was blocked %s: Contains Java according to a profile. applet %s: website host The web site contains a cookie and access was blocked %s: Contains cookie according to a profile. %s: website host ZyWALL USG 1000 User’s Guide...
Page 895 The anti-spam white list rule with the specified index number White List rule %d has (%d) has been turned on. been activated. The anti-spam white list rule with the specified index number White List rule %d has (%d) has been turned off. been deactivated. ZyWALL USG 1000 User’s Guide...
Page 896 %s) and Subject (second %s) header values are listed. From:%s Subject:%s The number of concurrent e-mail sessions has exceeded the Mail sessions have maximum number of concurrent e-mail sessions that the reached the maximum anti-spam feature can handle (%d). threshold of %d. ZyWALL USG 1000 User’s Guide...
Page 897 The listed address object (first %s) is not the right kind for The %s address-object the second WINS server specified in the listed SSL VPN is wrong type for policy (second %s). '2nd-wins' in SSL Policy %s. ZyWALL USG 1000 User’s Guide...
Page 898 SSL VPN policy rule %s position (%d) in the list of SSL VPN policies. has been moved to %d. The listed SSL VPN policy has been removed. SSL VPN policy rule %s has been deleted. ZyWALL USG 1000 User’s Guide...
Page 899 The listed user (%s) failed to log into SSL VPN because of Failed login attempt entering an incorrect password or a user name that does not to SSLVPN from %s exist. (incorrect password or inexistent username) ZyWALL USG 1000 User’s Guide...
Page 900 L2TP over IPSec may not work because the configuration of L2TP over IPSec the IPSec VPN connection it uses (Crypto Map %s) has been sessions have been all changed. disconnected since configuration of Tunnel %s has been changed ZyWALL USG 1000 User’s Guide...
Page 901 Can't append entry: %s! 1st:zysh entry name 1st:zysh entry name Can't set entry: %s! Can't define entry: %s! 1st:zysh entry name 1st:zysh list name %s: list is full! 1st:zysh list name Can't undefine %s ZyWALL USG 1000 User’s Guide...
Page 902 1st:zysh entry num Unable to move entry #%d! 1st:zysh table name %s: apply failed at initial stage! 1st:zysh table name %s: apply failed at main stage! 1st:zysh table name %s: apply failed at closing stage! ZyWALL USG 1000 User’s Guide...
Page 903 The ZyWALL’s ADP feature detected traffic with the same IP LAND attack packet. address set as both the source and the destination. Source IP is the same as Destination IP. ZyWALL USG 1000 User’s Guide...
Page 904 A file matched a file pattern in the anti-virus black list. %s, %s matched the Black-List %s 1st %s: The protocol of the packet. 2nd %s: The filename of the related file. 3rd %s: The file pattern that the file matched. ZyWALL USG 1000 User’s Guide...
Page 905 (2nd %d). been moved to %d All of the anti-virus rules have been deleted. Anti-Virus rules have been flushed. The anti-virus rule of the specified number has been Anti-Virus rule %d has deleted. been deleted. ZyWALL USG 1000 User’s Guide...
Page 906 2nd %s: The filename of the related file. 3rd %s: Whether the file was deleted (DESTROY) or forwarded (PASS). Updating of the signature file information failed due to an Update signature info internal error. has failed. ZyWALL USG 1000 User’s Guide...
Page 907 Too many failed login attempts were made from an IP Address %u.%u.%u.%u has address so the ZyWALL is blocking login attempts from that been put into lockout IP address. state %u.%u.%u.%u: the source address of the user’s login attempt ZyWALL USG 1000 User’s Guide...
Page 908 Device registration failed, an error message returned by the Device registration MyZyXEL.com server will be appended to this log. has failed:%s. %s: error message returned by the myZyXEL.com server The device registered successfully with the myZyXEL.com Device registration server. has succeeded. ZyWALL USG 1000 User’s Guide...
Page 909 The device could not connect to the MyZyXEL.com server. Connect to MyZyXEL.com server has failed. The device started to check whether or not the user name in Do account check. MyZyXEL.com's database. ZyWALL USG 1000 User’s Guide...
Page 910 File download to the update server again. after %d seconds. The device already has the latest version of the file so no Device has latest update is needed. file. No need to update. ZyWALL USG 1000 User’s Guide...
Page 911 Some information was missing in the packets that the device Build query message sent to the server. has failed. The device could not process an HTTPS connection because it Verify server's could not verify the server's certificate. certificate has failed. ZyWALL USG 1000 User’s Guide...
Page 912 Load trusted root the device can verify a server's certificate. This log displays if certificates has the device failed to load it. failed. Verification of a server’s certificate failed because it has Certificate has expired. expired. ZyWALL USG 1000 User’s Guide...
Page 913 The device turned off the use of the IDP signature file. Disable IDP succeeded. The device failed to turn on the IDP engine. Enable IDP engine failed. The device failed to turn off the IDP engine. Disable IDP engine failed. ZyWALL USG 1000 User’s Guide...
Page 914 (second num), and the number of the custom signature is <num. Adding custom (third num) that was not added display. signature number is <num>. The device failed to get the custom IDP signature number. Get custom signature number error. ZyWALL USG 1000 User’s Guide...
Page 915 The setting for IDP Out of memory. IDP activation has not changed. activation unchanged. Activation of the IDP system-protect function failed due to System-protect error. an internal system error. Create IDP proc failed. IDP activation failed. ZyWALL USG 1000 User’s Guide...
Page 916 Checking for duplicated signature IDs failed. There was an Check duplicate sid error while allocating memory. failed. Allocate memory error. Checking for duplicated signature IDs failed. Opening a Check duplicate sid temporary file failed. failed. Open file error. ZyWALL USG 1000 User’s Guide...
Page 917 An application patrol rule has been modified. 1st %s: Rule %s:%s has been Protocol Name, 2nd: Rule Index. modified Application patrol was turned on. App. Patrol has been activated. Application patrol was turned off. App. Patrol has been deactivated. ZyWALL USG 1000 User’s Guide...
Page 918 The device failed to get the application patrol protocol list. System fatal error: 60011002. The device failed to initiate XML. System fatal error: 60011003. The device failed to turn application patrol off while the System fatal error: system was initiating. 60011004. ZyWALL USG 1000 User’s Guide...
Page 919 [SA] : Tunnel [%s] authentication method did not match. Phase 1 authentication method mismatch %s is the tunnel name. When negotiating Phase-1, the [SA] : Tunnel [%s] encryption algorithm did not match. Phase 1 encryption algorithm mismatch ZyWALL USG 1000 User’s Guide...
Page 920 %s is the tunnel name. The tunnel is a dynamic tunnel and Could not dial dynamic the device cannot dial it. tunnel "%s" %s is the tunnel name. The tunnel setting is not complete. Could not dial incomplete tunnel "%s" ZyWALL USG 1000 User’s Guide...
Page 921 %s is the tunnel name. When IKE request is already sent but Tunnel [%s] IKE still attempting to dial a tunnel. Negotiation is in process %s is the gateway name. An administrator disabled the VPN VPN gateway %s was gateway. disabled ZyWALL USG 1000 User’s Guide...
Page 922 An outgoing packet needed to be transformed but was longer Encapsulated packet than 65535. too big with length When performing inbound processing for incoming IPSEC Get inbound transform packets and ICMPs related to them, the engine cannot obtain fail the transform context. ZyWALL USG 1000 User’s Guide...
Page 923 %d is the global index of rule Firewall rule %d has been deleted. Firewall rules were flushed Firewall rules have been flushed. %d is the global index of rule, %s is appended/inserted/ Firewall rule %d was modified ZyWALL USG 1000 User’s Guide...
Page 924 Failed to send control message to policy routing manager. To send message to policy route daemon failed! Allocating policy routing rule fails: insufficient memory. The policy route %d allocates memory fail! %d: the policy route rule number ZyWALL USG 1000 User’s Guide...
Page 925 %s %u.%u.%u.%u is IP address %s is HTTP/HTTPS/SSH/SNMP/FTP/TELNET An administrator assigned a nonexistent certificate to HTTPS. HTTPS certificate:%s does not exist. HTTPS %s is certificate name assigned by user service will not work. ZyWALL USG 1000 User’s Guide...
Page 926 An administrator changed the port number for SNMP back to SNMP port has been the default (161). changed to default port. An administrator changed the console port baud rate. Console baud has been changed to %s. %s is baud rate assigned by user ZyWALL USG 1000 User’s Guide...
Page 927 An administrator modified the rule %u. DNS access control rule %u has been %u is rule number modified An administrator removed the rule %u. DNS access control rule %u has been %u is rule number deleted. ZyWALL USG 1000 User’s Guide...
Page 928 %u is the index of the access control rule. %s is HTTP/HTTPS/SSH/SNMP/FTP/TELNET. An access control rule was inserted successfully. Access control rule %u of %s was inserted. %u is the index of the access control rule. %s is HTTP/HTTPS/SSH/SNMP/FTP/TELNET. ZyWALL USG 1000 User’s Guide...
Page 929 Memory usage drops below the threshold of %d%%: mem- threshold-min. When local storage usage drops below threshold-min, %s: partition_name file system drops below the threshold of %d%%: disk-threshold-min. DHCP Server executed with cautious mode enabled. DHCP Server executed with cautious mode enabled ZyWALL USG 1000 User’s Guide...
Page 930 The device successfully synchronized with a NTP time server . NTP update successful, current time is %s %s is the date and time. The device was not able to synchronize with the NTP time NTP update failed server successfully. ZyWALL USG 1000 User’s Guide...
Page 931 Update profile failed because of a dynsdns internal error, %s Update the profile %s is the profile name. has failed because of dyndns internal error ZyWALL USG 1000 User’s Guide...
Page 932 WAN interface was empty. DDNS profile cannot be updated because the ping-check for Update the profile %s WAN iface failed , %s is the profile name. has failed because ping-check of WAN interface has failed. ZyWALL USG 1000 User’s Guide...
Page 933 - Server did not respond. The diagnostics scripts were executed successfully. Collect Diagnostic Infomation has succeeded. The specified port has it’s link up. Port %d is up!! The specified port has it’s link down. Port %d is down!! ZyWALL USG 1000 User’s Guide...
Page 934 The connectivity check process can't get netmask address of Can't get NETMASK interface. address of %s interface %s: interface name The connectivity check process can't get broadcast address of Can't get BROADCAST interface address of %s interface %s: interface name ZyWALL USG 1000 User’s Guide...
Page 935 The System Startup configuration file synchronized from the Master configuration Master is the same with the one in the Backup, so the is the same with configuration does not have to be updated. Backup. Skip updating ZyWALL USG 1000 User’s Guide...
Page 936 Master. 1st %s: The object to syncing %s since %s is be synchronized, 2ed %s: The feature name for the object to be synchronized, 3rd %s: unlicensed or license expired. ZyWALL USG 1000 User’s Guide...
Page 937 %s for %s due to transmission timeout. %s: The name of the VRRP interface. VRRP interface %s has been shutdown. %s: The name of the VRRP interface. VRRP interface %s has been brought up. ZyWALL USG 1000 User’s Guide...
Page 938 Interface Name interface %s has been changed to BiDir. RIP text or md5 authentication has been disabled. RIP authentication has benn disabled. RIP text authentication key has been deleted. RIP text authentication key has been deleted. ZyWALL USG 1000 User’s Guide...
Page 939 %s: Virtual-Link link %d md5 authentication of area Virtual-link %s text authentication has been set without Invalid OSPF virtual- setting text authentication key first. %s: Virtual-Link ID link %s text authentication of area ZyWALL USG 1000 User’s Guide...
Page 940 SIP ALG has been modified. Default SIP ALG port has been changed. Signal port of SIP ALG has been modified. SIP ALG apply additional signal port failed. Register SIP ALG extra port=%d failed. %d: Port number ZyWALL USG 1000 User’s Guide...
Page 941 The device was unable to use CMP to enroll a certificate. 1st CMP enrollment "%s" %s is a request name, 2nd %s is the CA name, 3rd %s is the failed, CA "%s", URL "%s" ZyWALL USG 1000 User’s Guide...
Page 942 Trusted Certificates. %s is the certificate request name. certificate "%s" from "Trusted Certificate" failed The device exported a x509 format certificate from My Export X509 Certificates. %s is the certificate request name. certificate "%s" from "My Certificate" successfully ZyWALL USG 1000 User’s Guide...
Page 943 CRL was not found (anywhere). CRL was not added to the cache. CRL decoding failed. CRL is not currently valid, but in the future. CRL contains duplicate serial numbers. Time interval is not continuous. Time information not available. ZyWALL USG 1000 User’s Guide...
Page 944 1st %s is interface name, 2nd %s is is disabled now. interface. An administrator changed an interface’s configuration. %s: Interface %s has been interface name. changed. An administrator added a new interface. %s: interface name. Interface %s has been added. ZyWALL USG 1000 User’s Guide...
Page 945 MS-CHAPv2 authentication failed (the server must support Interface %s connect mS-CHAPv2 and verify that the authentication failed, this failed: MS-CHAPv2 does not include cases where the servers does not support mutual authentication MS-CHAPv2). %s: interface name. failed. ZyWALL USG 1000 User’s Guide...
Page 946 %s. Please try to remove then insert the device. The PIN code configured for the listed cellular interface (%d) "PIN code is required is incorrect or missing. for inteface cellular%d. Please check the PIN code setting. ZyWALL USG 1000 User’s Guide...
Page 947 %s, but current inserted device is %s. The cellular device (identified by its manufacturer and model) "Cellular device [%s has been inserted in or connected to the specified slot. %s] has been inserted into %s. ZyWALL USG 1000 User’s Guide...
Page 948 DHCP client and has more than one member in its client. group. In this case the DHCP client will renew. %s: interface name. An administrator configured port-grouping, %s: interface Port Grouping %s has name. been changed. ZyWALL USG 1000 User’s Guide...
Page 949 After the system reset, it started to apply the configuration System resetted. Now file. apply %s.. %s is configuration file name. An administrator ran the listed shell script. Running %s... %s is script file name. ZyWALL USG 1000 User’s Guide...
Page 950 The ZyWALL could not connect to the SMTP e-mail server Failed to connect to (%s). The address configured for the server may be incorrect mail server %s. or there may be a problem with the ZyWALL’s or the server’s network connection. ZyWALL USG 1000 User’s Guide...
Page 951 The interface the packet came in %s#%u.%u.%u.%u#%0 through, the sender’s IP address and MAC address, are also 2X:%02X:%02X:%02X: shown along with the binding type (“s” for static or “d” for %02X:%02X. dynamic). ZyWALL USG 1000 User’s Guide...
Page 952 Appendix A Log Descriptions ZyWALL USG 1000 User’s Guide...
Page 953 Border Gateway Protocol. BOOTP_CLIENT DHCP Client. BOOTP_SERVER DHCP Server. CU-SEEME 7648 A popular videoconferencing solution from White Pines Software. 24032 TCP/UDP Domain Name Server, a service that matches web names (for example www.zyxel.com) to IP numbers. ZyWALL USG 1000 User’s Guide...
Page 954: Appendix B Common Services
ICMP echo requests to test whether or not a remote host is reachable. POP3 Post Office Protocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other). ZyWALL USG 1000 User’s Guide...
Page 955 TELNET Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems. ZyWALL USG 1000 User’s Guide...
Page 956 PROTOCOL PORT(S) DESCRIPTION TFTP Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol). VDOLIVE 7000 Another videoconferencing solution. ZyWALL USG 1000 User’s Guide...
Page 957: Appendix C Displaying Anti-Virus Alert Messages In Windows
Windows XP Click Start > Control Panel > Administrative Tools > Services. Figure 580 Windows XP: Opening the Services Window ZyWALL USG 1000 User’s Guide...
Page 958: Windows 2000
Figure 581 Windows XP: Starting the Messenger Service Close the window when you are done. Windows 2000 Click Start > Settings > Control Panel > Administrative Tools > Services. Figure 582 Windows 2000: Opening the Services Window ZyWALL USG 1000 User’s Guide...
Page 959 WinPopup window displays as shown. Figure 584 Windows 98 SE: WinPopup If you want to display the WinPopup window at startup, follow the steps below for Windows 98 SE (steps are similar for Windows Me). ZyWALL USG 1000 User’s Guide...
Page 960 Right-click on the program task bar and click Properties. Figure 585 WIndows 98 SE: Program Task Bar Click the Start Menu Programs tab and click Advanced ... Figure 586 Windows 98 SE: Task Bar Properties Double-click Programs and click StartUp. ZyWALL USG 1000 User’s Guide...
Page 961 Right-click in the StartUp pane and click New, Shortcut. Figure 587 Windows 98 SE: StartUp A Create Shortcut window displays. Enter “winpopup” in the Command line field and click Next. Figure 588 Windows 98 SE: Startup: Create Shortcut ZyWALL USG 1000 User’s Guide...
Page 962 A shortcut is created in the StartUp pane. Restart the computer when prompted. Figure 590 Windows 98 SE: Startup: Shortcut Note: The WinPopup window displays after the computer finishes the startup process (see Figure 584 on page 965). ZyWALL USG 1000 User’s Guide...
Page 963: Appendix D Importing Certificates
• Opera on page 983 • Konqueror on page 990 Internet Explorer The following example uses Microsoft Internet Explorer 7 on Windows XP Professional; however, they can also apply to Internet Explorer on Windows Vista. ZyWALL USG 1000 User’s Guide...
Page 964 Figure 591 Internet Explorer 7: Certification Error Click Continue to this website (not recommended). Figure 592 Internet Explorer 7: Certification Error In the Address Bar, click Certificate Error > View certificates. Figure 593 Internet Explorer 7: Certificate Error ZyWALL USG 1000 User’s Guide...
Page 965 Appendix D Importing Certificates In the Certificate dialog box, click Install Certificate. Figure 594 Internet Explorer 7: Certificate In the Certificate Import Wizard, click Next. Figure 595 Internet Explorer 7: Certificate Import Wizard ZyWALL USG 1000 User’s Guide...
Page 966 Next again and then go to step 9. Figure 596 Internet Explorer 7: Certificate Import Wizard Otherwise, select Place all certificates in the following store and then click Browse. Figure 597 Internet Explorer 7: Certificate Import Wizard ZyWALL USG 1000 User’s Guide...
Page 967 In the Select Certificate Store dialog box, choose a location in which to save the certificate and then click OK. Figure 598 Internet Explorer 7: Select Certificate Store In the Completing the Certificate Import Wizard screen, click Finish. Figure 599 Internet Explorer 7: Certificate Import Wizard ZyWALL USG 1000 User’s Guide...
Page 968 12 The next time you start Internet Explorer and go to a ZyXEL Web Configurator page, a sealed padlock icon appears in the address bar. Click it to view the page’s Website Identification information. Figure 602 Internet Explorer 7: Website Identification ZyWALL USG 1000 User’s Guide...
Page 969 Refer to steps 4-12 in the Internet Explorer procedure beginning on page 969 complete the installation process. Removing a Certificate in Internet Explorer This section shows you how to remove a public key certificate in Internet Explorer ZyWALL USG 1000 User’s Guide...
Page 970 Appendix D Importing Certificates Open Internet Explorer and click Tools > Internet Options. Figure 605 Internet Explorer 7: Tools Menu In the Internet Options dialog box, click Content > Certificates. Figure 606 Internet Explorer 7: Internet Options ZyWALL USG 1000 User’s Guide...
Page 971 Figure 607 Internet Explorer 7: Certificates In the Certificates confirmation, click Yes. Figure 608 Internet Explorer 7: Certificates In the Root Certificate Store dialog box, click Yes. Figure 609 Internet Explorer 7: Root Certificate Store ZyWALL USG 1000 User’s Guide...
Page 972 If your device’s Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error. Select Accept this certificate permanently and click OK. Figure 610 Firefox 2: Website Certified by an Unknown Authority ZyWALL USG 1000 User’s Guide...
Page 973 Installing a Stand-Alone Certificate File in Firefox Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you. ZyWALL USG 1000 User’s Guide...
Page 974 Appendix D Importing Certificates Open Firefox and click Tools > Options. Figure 612 Firefox 2: Tools Menu In the Options dialog box, click Advanced > Encryption > View Certificates. Figure 613 Firefox 2: Options ZyWALL USG 1000 User’s Guide...
Page 975 Figure 615 Firefox 2: Select File The next time you visit the web site, click the padlock in the address bar to open the Page Info > Security window to see the web page’s security information. ZyWALL USG 1000 User’s Guide...
Page 976 This section shows you how to remove a public key certificate in Firefox 2. Open Firefox and click Tools > Options. Figure 616 Firefox 2: Tools Menu In the Options dialog box, click Advanced > Encryption > View Certificates. Figure 617 Firefox 2: Options ZyWALL USG 1000 User’s Guide...
Page 977 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. Opera The following example uses Opera 9 on Windows XP Professional; however, the screens can apply to Opera 9 on all platforms. ZyWALL USG 1000 User’s Guide...
Page 978 Figure 620 Opera 9: Certificate signer not found The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page’s security details. Figure 621 Opera 9: Security information ZyWALL USG 1000 User’s Guide...
Page 979 Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you. Open Opera and click Tools > Preferences. Figure 622 Opera 9: Tools Menu ZyWALL USG 1000 User’s Guide...
Page 980 Appendix D Importing Certificates In Preferences, click Advanced > Security > Manage certificates. Figure 623 Opera 9: Preferences ZyWALL USG 1000 User’s Guide...
Page 981 Appendix D Importing Certificates In the Certificates Manager, click Authorities > Import. Figure 624 Opera 9: Certificate manager Use the Import certificate dialog box to locate the certificate and then click Open. Figure 625 Opera 9: Import certificate ZyWALL USG 1000 User’s Guide...
Page 982 The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page’s security details. Removing a Certificate in Opera This section shows you how to remove a public key certificate in Opera 9. ZyWALL USG 1000 User’s Guide...
Page 983 Appendix D Importing Certificates Open Opera and click Tools > Preferences. Figure 628 Opera 9: Tools Menu In Preferences, Advanced > Security > Manage certificates. Figure 629 Opera 9: Preferences ZyWALL USG 1000 User’s Guide...
Page 984 Konqueror 3.5 on all Linux KDE distributions. If your device’s Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error. ZyWALL USG 1000 User’s Guide...
Page 985 Click Forever when prompted to accept the certificate. Figure 632 Konqueror 3.5: Server Authentication Click the padlock in the address bar to open the KDE SSL Information window and view the web page’s security details. Figure 633 Konqueror 3.5: KDE SSL Information ZyWALL USG 1000 User’s Guide...
Page 986 Figure 634 Konqueror 3.5: Public Key Certificate File In the Certificate Import Result - Kleopatra dialog box, click OK. Figure 635 Konqueror 3.5: Certificate Import Result The public key certificate appears in the KDE certificate manager, Kleopatra. Figure 636 Konqueror 3.5: Kleopatra ZyWALL USG 1000 User’s Guide...
Page 987 Figure 637 Konqueror 3.5: Settings Menu In the Configure dialog box, select Crypto. On the Peer SSL Certificates tab, select the certificate you want to delete and then click Remove. Figure 638 Konqueror 3.5: Configure ZyWALL USG 1000 User’s Guide...
Page 988 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. Note: There is no confirmation when you remove a certificate authority, so be absolutely certain you want to go through with it before clicking the button. ZyWALL USG 1000 User’s Guide...
Page 989: Appendix E Open Software Announcements
Open Software Announcements End-User License Agreement for “ZyWALL USG 1000” WARNING: ZyXEL Communications Corp. IS WILLING TO LICENSE THE SOFTWARE TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS LICENSE AGREEMENT. PLEASE READ THE TERMS CAREFULLY BEFORE COMPLETING THE INSTALLATION PROCESS AS INSTALLING THE SOFTWARE WILL INDICATE YOUR ASSENT TO THEM.
Page 990 Software, and to use reasonable best efforts to ensure their compliance with such terms and conditions, including, without limitation, not knowingly permitting such persons to use any portion of the Software for the purpose of deriving the source code of the Software. ZyWALL USG 1000 User’s Guide...
Page 991 ORDERS, OR OTHER RESTRICTIONS. YOU AGREE TO INDEMNIFY ZyXEL AGAINST ALL CLAIMS, LOSSES, DAMAGES, LIABILITIES, COSTS AND EXPENSES, INCLUDING REASONABLE ATTORNEYS' FEES, TO THE EXTENT SUCH CLAIMS ARISE OUT OF ANY BREACH OF THIS SECTION 8. ZyWALL USG 1000 User’s Guide...
Page 992 To obtain the source code covered under those Licenses, please check ZyXEL Technical Support (support@zyxel.com.tw) to get it. Open-Sourced Components 3rd party software Version Web Address Of The Software License Term ZyWALL USG 1000 User’s Guide...
Page 993 4.1.2 http://www.ntp.org/ expat-1.95.6 1.95.6 http://expat.sourceforge.net/ libevent-1.1a 1.1a http://www.monkey.org/~provos/libevent/ libpcap-0.9.4 0.9.4 http://www.tcpdump.org/ tzcode2006c 2006c ftp://elsie.nci.nih.gov/pub xinetd-2.3.14 2.3.14 http://www.xinetd.org/ openssh-4.3p2 4.3p2 http://www.openssh.com/ iproute2 2.4.7-now- http://linux-net.osdl.org/index.php/Iproute2 ss020116- iptables-1.2.11/netfilter(kernel) 1.2.11 http://www.netfilter.org dhcp-helper http://thekelleys.org.uk/dhcp-helper/ busybox http://busybox.net/downloads/ libtecla-1.6.1 1.6.1 http://www.astro.caltech.edu/~mcs/tecla/index.html ZyWALL USG 1000 User’s Guide...
Page 994 ZyXEL Communications Corporation. This Product includes ppp-2.4.2 software under the PPP License 1000 ZyWALL USG 1000 User’s Guide...
Page 995 IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. This Product includes Netkit Telnet -0.17 software under the Netkit Telnet License Netkit Telnet License Copyright (c) 1989 Regents of the University of California. 1001 ZyWALL USG 1000 User’s Guide...
Page 996 The University of Delaware makes no representations about the suitability this software for any purpose. It is provided "as is" without express or implied warranty. 1002 ZyWALL USG 1000 User’s Guide...
Page 997 SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. This Product includes libtecla-1.6.1 software under the an X11-style License an X11-style license This is a Free Software License •This license is compatible with The GNU General Public License, Version 1 1003 ZyWALL USG 1000 User’s Guide...
Page 998 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 1004 ZyWALL USG 1000 User’s Guide...
Page 999 The implementation was written so as to conform with Netscapes SSL. This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all code found in this distribution, 1005 ZyWALL USG 1000 User’s Guide...
Page 1000 [including the GNU Public Licence.] 1006 ZyWALL USG 1000 User’s Guide...
Page 1001 * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 1007 ZyWALL USG 1000 User’s Guide...
Page 1002 THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, 1008 ZyWALL USG 1000 User’s Guide...
Page 1003 OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. This Product includes dhcp-3.0.3 software under the ISC License ISC license Copyright (c) 2004-2005 by Internet Systems Consortium, Inc. ("ISC") Copyright (c) 1995-2003 by Internet Software Consortium 1009 ZyWALL USG 1000 User’s Guide...

ZyXEL Communications ZyWALL USG 1000 User Manual

About this User's Guide

Document Conventions

Safety Warnings

Contents Overview

Table of Contents

User's Guide

PART I User's Guide

Chapter 1 Introducing the Zywall

Chapter 2 Features and Applications

Chapter 3 Web Configurator

Chapter 4 Installation Setup Wizard

Chapter 5 Quick Setup

Chapter 6 Configuration Basics

Chapter 7 Tutorials

Chapter 8 L2TP VPN Example

Technical Reference

Part II: Technical Reference

Chapter 9 Dashboard

Chapter 10 Monitor

Chapter 11 Registration

Chapter 12 Signature Update

Chapter 13 Interfaces

Chapter 14 Trunks

Policy and Static Routes

Chapter 15 Policy and Static Routes

Chapter 16 Routing Protocols

Zones

Chapter 17 Zones

Ddns

Chapter 18 DDNS

Nat

Quick Links

Troubleshooting

Related Manuals for ZyXEL Communications ZyWALL USG 1000

Summary of Contents for ZyXEL Communications ZyWALL USG 1000