ZyXEL Communications ZyWALL USG100-Plus User Manual

Unified security gateway

ZyWALL USG100-PLUS
Unified Security Gateway
Default Login Details
LAN IP Address: https://192.168.1.1
User Name: admin
Password: 1234
Version 3.00
Edition 2, 9/2012
www.zyxel.com
Copyright © 2012 ZyXEL Communications Corporation

Summary of Contents for ZyXEL Communications ZyWALL USG100-Plus

  • Page 2: Table of Contents
    ZyWALL IPSec VPN Client Configuration Provisioning Video Example 72; SSL VPN Video Example 74; Configuring L2TP VPN on the ZyWALL Video Example 80; Configuring L2TP VPN in Windows 7 Video Example 85; Bandwidth Management Video Example 100; AppPatrol Video Example 117 (ZyWALL USG100-PLUS User’s Guide)
  • Page 3
    4.3 Hub-and-spoke IPSec VPN Without VPN Concentrator 67; 4.4 ZyWALL IPSec VPN Client Configuration Provisioning 69; 4.5 SSL VPN 73; 4.6 L2TP VPN with Android, iOS, and Windows 75; 4.7 One-Time Password Version 2 (OTPv2) 90; Managing Traffic 93
  • Page 4
    6.8 How to Get the ZyWALL’s Diagnostic File 130; 6.9 How to Capture Packets on the ZyWALL 131; 6.10 How to Get the ZyWALL’s Core Dump File 134; 6.11 How to Use Packet Flow Explore for Troubleshooting 135; Appendix A Legal Information 137
  • Page 5: Introduction
    Figure 2 Applications: IPv6 Routing. VPN Connectivity: Set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to provide secure access to your network. You can also purchase the ZyWALL OTPv2 One-Time ...
  • Page 6
    In the following figure user A can access both the Internet and an internal file server. User B has a lower level of access and can only access the Internet. User C is not even logged in and cannot access either.
  • Page 7: Default Zones, Interfaces, and Ports
    “the WAN interface” rather than “wan1” or “wan2”. Figure 7 Zones, Interfaces, and Physical Ethernet Ports: zones LAN1 and LAN2; interfaces wan1, wan2, lan1 and lan2; and the physical ports. 1.3 Management Overview: You can manage the ZyWALL in the following ways.
  • Page 8: Web Configurator
    • Use one of the following web browser versions or later: Internet Explorer 7, Firefox 3.5, Chrome 9.0, Opera 10.0, Safari 4.0
    • Allow pop-up windows (blocked by default in Windows XP Service Pack 2)
    • Enable JavaScript, Java permissions, and cookies
    The recommended screen resolution is 1024 x 768 pixels.
  • Page 9: Web Configurator Access
    Follow the directions in the Update Admin Info screen. If you change the default password, the Login screen appears after you click Apply. If you click Ignore, the Installation Setup Wizard opens if the ZyWALL is using its default configuration; otherwise the dashboard appears. Change the password here rather than clicking Ignore: the default admin/1234 credentials are printed on the cover of this guide, and anyone who can reach the Web Configurator can log in with them until they are changed.
  • Page 10: Web Configurator Introduction Video
    Use Adobe Reader 9 or later or a recent version of Foxit Reader to play this video. After clicking play, you may need to confirm that you want to play the content and click play again.
  • Page 11: Web Configurator Screens Overview
    Use the navigation panel menu items to open status and configuration screens. Click the arrow in the middle of the right edge of the navigation panel to hide the panel or drag to resize it. The following sections introduce the ZyWALL’s navigation panel menus and their screens. Figure 10 Navigation Panel
  • Page 12: Monitor Menu
    Cache: Manage the ZyWALL’s URL cache. Anti-Spam Report: Collect and display spam statistics. Status: Displays how many mail sessions the ZyWALL is currently checking and DNSBL (Domain Name Service-based spam Black List) statistics. Lists log entries.
  • Page 13: Configuration Menu
    IP/MAC binding. DNS Inbound Load Balancing: Configure DNS Load Balancing. Auth. Policy: Define rules to force user authentication. Firewall: Create and manage layer-3 traffic rules. Session Limit: Limit the number of concurrent client NAT/firewall sessions.
  • Page 14
    Turn anti-spam on or off and manage anti-spam policies. Mail Scan: Configure e-mail scanning details. Black/White List: Set up a black list to identify spam and a white list to identify legitimate e-mail. DNSBL: Have the ZyWALL check e-mail against DNS Black Lists. Object ...
  • Page 15
    Enable IPv6 globally on the ZyWALL here. Log & Report: Email Daily Report: Configure where and how to send daily reports and what reports to send. Log Setting: Configure the system log, e-mail logs, and remote syslog servers.
  • Page 16: Tables and Lists
    • Sort in ascending or descending (reverse) alphabetical order
    • Select which columns to display
    • Group entries by field
    • Show entries in groups
    • Filter by mathematical operators (<, >, or =) or searching for text
  • Page 17
    Figure 15 Navigating Pages of Table Entries. The tables have icons for working with table entries. You can often use the [Shift] or [Ctrl] key to select multiple entries to remove, activate, or deactivate.
  • Page 18
    In some lists you can also use the [Shift] or [Ctrl] key to select multiple entries, and then use the arrow button to move them to the other list. Figure 17 Working with Lists
  • Page 19: Stopping the ZyWALL
    Attach the other bracket in a similar fashion. After attaching both mounting brackets, position the ZyWALL in the rack and line up the bracket holes with the rack holes. Secure the ZyWALL to the rack with the rack-mounting screws.
  • Page 20: Front Panel
    Connected to a 3G network through the connected 3G USB card. P1~P5, Green, off: There is no traffic on this port. Green, blinking: The ZyWALL is sending or receiving packets on this port. Orange, off: There is no connection on this port. Orange, on: This port has a successful link.
  • Page 21: How to Set Up Your Network
    After you complete a wizard, you can go to the CONFIGURATION screens to configure advanced settings. 2.2 How to Configure Interfaces, Port Roles, and Zones: This tutorial shows how to configure Ethernet interfaces, port roles, and zones for the following example configuration.
  • Page 22: Configure a WAN Ethernet Interface
    Click Configuration > Network > Interface > Ethernet and double-click the wan1 interface’s entry in the Configuration section. Select Use Fixed IP Address and configure the IP address, subnet mask, and default gateway settings and click OK.
  • Page 23: Configure Port Roles
    By default, it is assigned to the IPSec_VPN zone. Do the following to move WIZ_VPN from the IPSec_VPN zone to a new zone. Click Configuration > Network > Zone and then double-click the IPSec_VPN entry. Select WIZ_VPN and remove it from the Member box and click OK.
  • Page 24: How to Configure a Cellular Interface
    WAN zone security settings to this 3G connection. Leaving Zone set to none has the ZyWALL apply no security settings at all to the 3G connection, so put the cellular interface in the WAN zone unless you intend to leave it unprotected. Enter the PIN Code provided by the cellular 3G service provider (0000 in this example).
  • Page 25
    The ZyWALL automatically adds the cellular interface to the system default WAN trunk. If the ZyWALL is using a user-configured trunk as its default trunk and you want this cellular interface to be part of it, use the Trunk screens to add it.
  • Page 26: How to Configure Ethernet, PPP, VLAN, Bridge and Policy Routing
    • IPv6 Address Assignment - This section allows you to enable auto-configuration and configure prefix delegation.
    • DHCPv6 Setting - This section allows you to configure the DHCPv6 role and the corresponding settings for the interface.
  • Page 27: How to Set Up IPv6 Interfaces for Pure IPv6 Routing
    In the CONFIGURATION > Network > Interface > Ethernet screen’s IPv6 Configuration section, double-click wan1. The Edit Ethernet screen appears. Select Enable Interface and Enable IPv6. Select Enable Stateless Address Auto-configuration (SLAAC). Click OK. Note: Your ISP or uplink router should enable router advertisement.
  • Page 28
    You have completed the settings on the ZyWALL. But if you want to request a network address prefix from your ISP for your computers on the LAN, you can configure prefix delegation (see Section 2.5.4 on page 29).
  • Page 29: Pure IPv6 Routing Video Example
    WAN IPv6 Interface Edit screen. This example assumes that you were given a network prefix of 2001:b050:2d::/48 and you decide to divide it and give 2001:b050:2d:1111::/64 to the LAN network. LAN1’s IP address is 2001:b050:2d:1111::1/128.
  • Page 30
    It is 2001:b050:2d::/48 in this example. Note: Your ISP or a DHCPv6 server in the same network as the WAN should assign an IPv6 IP address for the WAN interface.
  • Page 31
    DHCPv6 request object from the drop-down list, type ::1111/64 in the Suffix Address field. (The combined prefix 2001:b050:2d:1111::/64 will display for the LAN1’s network prefix after you click OK and come back to this screen again.)
  • Page 32
    2.5.5 Test: Connect a computer to the ZyWALL’s LAN1.
  • Page 33: Prefix Delegation and Router Advertisement Settings Video Example
    (Embedded video; see page 10 for the playback requirements.)
  • Page 34: How to Set Up an IPv6 6to4 Tunnel
    A relay router R (192.88.99.1, the 6to4 anycast relay address) is used in this example in order to forward 6to4 packets to any unknown IPv6 addresses. 2.6.1 Configuration Concept: After the 6to4 tunnel settings are complete, IPv4 and IPv6 packets transmitted between WAN1 and LAN1 will be handled by the ZyWALL through the following flow.
  • Page 35
    Enable Router Advertisement. Then click Add in the Advertised Prefix Table to add 2002:7a64:dcee:1::/64. The LAN1 hosts will get the network prefix through the router advertisement messages sent by the LAN1 IPv6 interface periodically. Click OK.
  • Page 36
    In Windows 7, IPv6 is supported by default. You can enable IPv6 in the Control Panel > Network and Sharing Center > Local Area Connection screen. You should get an IPv6 IP address starting with 2002:7a64:dcee:1:. Type ping -6 ipv6.google.com in a Command Prompt to test. You should get a response.
  • Page 37: Set Up an IPv6 6to4 Tunnel Video Example
    You don’t need to activate the WAN1 IPv6 interface but make sure you enable the WAN1 IPv4 interface. In 6to4, the ZyWALL uses the WAN1 IPv4 interface to forward your 6to4 packets over the IPv4 network.
  • Page 38: How to Set Up an IPv6-in-IPv4 Tunnel
    The Edit Tunnel screen appears. Select Enable. Enter tunnel0 as the Interface Name and select IPv6-in-IPv4 as the Tunnel Mode. Select wan1 in the Interface field in the Gateway Settings section. Enter 5.6.7.8 as the remote gateway’s IP address. Click OK. Note that an IPv6-in-IPv4 tunnel carries the IPv6 packets in plain IPv4 (protocol 41) with no authentication or encryption; traffic that needs confidentiality belongs in an IPSec VPN instead.
  • Page 39
    Type 2003:1111:1111:1::1/128 in the IPv6 Address/Prefix Length field for the LAN1’s IP address. Enable Router Advertisement. Then click Add in the Advertised Prefix Table to add 2003:1111:1111:1::/64. The LAN1 hosts will get the network prefix through router advertisements sent by the LAN1 IPv6 interface periodically. Click OK.
  • Page 40
    2003:1111:1111:1::/64. Select Enable. Select the address object you just created in the Source Address field. Select any in the Destination Address field. Select Interface as the next-hop type and then tunnel0 as the interface. Click OK.
  • Page 41
    You should get an IPv6 IP address starting with 2003:1111:1111:1000:. Use the ping -6 [IPv6 IP address] command in a Command Prompt to test whether you can ping a computer behind ZyWALL Y. You should get a response.
  • Page 42: Set Up an IPv6-in-IPv4 Tunnel Video Example
    In Windows, some IPv6 related tunnels may be enabled by default, such as Teredo and 6to4 tunnels. They may cause your computer to handle IPv6 packets in an unexpected way. It is recommended to disable those tunnels on your computer.
  • Page 45: Protecting Your Network
    A LAN user can initiate a Telnet session from within the LAN zone and the firewall allows the response. However, the firewall blocks Telnet traffic initiated from the WAN zone and destined for the LAN zone. The firewall allows VPN traffic between any of the networks. Because of this default, traffic arriving through a VPN tunnel is not restricted until you add rules for the IPSec_VPN zone (see page 63). Figure 26 Default Firewall Action
  • Page 46: User-Aware Access Control
    • Attempts to add the admin users to a user group with access users will fail. You cannot put access users and admin users in the same user group.
    • Attempts to add the default admin account to a user group will fail. You cannot put the default admin account into any user group.
  • Page 47: Endpoint Security (EPS)
    Click the Service tab. To activate or extend a standard service subscription enter your iCard’s license key in the License Key field. The license key can be found on the reverse side of the iCard.
  • Page 48: Anti-Virus Policy Configuration
    In the Policies section click Add to display the Add Rule screen. Select Enable. In the Direction section, you can select the From and To zones for traffic to scan for viruses. You can also select traffic types to scan for viruses under Protocols to Scan. Click OK.
  • Page 49
    (pass-through VPN traffic).
    • Traffic through custom (non-standard) ports. The only exception is FTP traffic. The ZyWALL scans whatever port number is specified for FTP in the ALG screen.
    • ZIP file(s) within a ZIP file.
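Page 49 lists traffic the anti-virus scan does not look into, and "ZIP file(s) within a ZIP file" is the one an attacker can produce at will. The following Python is an added example, not code from the guide or from ZyXEL: a host-side check (for a mail server or file share behind the ZyWALL) that walks an archive recursively and reports every member that is itself a ZIP, identifying members by their local-file-header signature rather than by extension, and refusing to inflate oversized members so the check cannot be turned into a zip-bomb. The sample archives are constructed inside the block.

```python
import io
import zipfile
from typing import Dict, List

# Added example, not from the ZyXEL guide: the guide's anti-virus scan skips a
# ZIP inside a ZIP (page 49); this host-side check finds exactly those members.

ZIP_LOCAL_HEADER = b"PK\x03\x04"
MAX_MEMBER_BYTES = 8 * 1024 * 1024   # never inflate more than this per member


def nested_archives(data: bytes, depth: int = 0, max_depth: int = 8) -> List[str]:
    """Return outer/inner paths of every ZIP member that is itself a ZIP.

    Members larger than MAX_MEMBER_BYTES are reported as "not inspected" instead
    of being silently treated as clean; recursion stops at max_depth.
    """
    found: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                found.append(f"{info.filename} (not inspected: {info.file_size} bytes)")
                continue
            member = zf.read(info)
            # Detect by content, not by name: a renamed .zip is still a ZIP.
            if not member.startswith(ZIP_LOCAL_HEADER):
                continue
            found.append(info.filename)
            if depth + 1 < max_depth:
                found.extend(f"{info.filename}/{inner}"
                             for inner in nested_archives(member, depth + 1, max_depth))
    return found


def zip_bytes(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample() -> bytes:
    """Constructed sample: outer -> middle.zip -> inner.zip -> payload.bin."""
    inner = zip_bytes({"payload.bin": b"constructed sample, not a real payload"})
    middle = zip_bytes({"inner.zip": inner, "notes.txt": b"constructed sample"})
    return zip_bytes({"readme.txt": b"constructed sample", "middle.zip": middle})


if __name__ == "__main__":
    for path in nested_archives(build_sample()):
        print("nested archive:", path)   # middle.zip, middle.zip/inner.zip
```

A member reported here is one the ZyWALL passed without inspecting its contents, so the policy on the receiving host should be to quarantine or scan it locally rather than trust the gateway's verdict.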
  • Page 50: IDP Profile Configuration
    Note: If Internet Explorer opens a warning screen about a script making Internet Explorer run slowly and the computer possibly becoming unresponsive, just click No to continue. Type a new profile Name. Enable or disable individual signatures by selecting a row and clicking Activate or Inactivate. Click OK.
  • Page 51: ADP Profile Configuration
    ‘inline profile’ whereby you configure appropriate actions to be taken when a packet matches a detection. 3.7.1 Procedure To Create a New ADP Profile: To create a new profile: ...
  • Page 52
    Sensitivity drop-down menu adjusts levels for scan thresholds and sample times. Edit the default log options and actions by selecting a row and making a selection in the Log or Action drop-down menus. Click OK.
  • Page 53
    Click the Protocol Anomaly tab. Type a new profile Name. Enable or disable individual rules by selecting a row and clicking Activate or Inactivate. Edit the default log options and actions by selecting a row and making a selection in the Log or Action drop-down menus. Click OK.
  • Page 54: Content Filter Profile Configuration
    Filter Profile > Add to open the following screen. Enter a profile Name and select Enable Content Filter Category Service and select desired actions for the different web page categories. Then select the categories to include in the profile or select Select All Categories. Click Apply.
  • Page 55
    In the General screen, the configured policy will appear in the Policies section. Select Enable Content Filter and select BlueCoat. Then select Enable Content Filter Report Service to collect content filtering statistics for reports. Click Apply.
  • Page 56: Content Filtering Video Example
    Alternatively, you can also view content filtering reports during the free trial (up to 30 days). Go to http://www.myZyXEL.com. Fill in your myZyXEL.com account information and click Login.
  • Page 57
    ZyWALL using the Rename button in the Service Management screen. In the Service Management screen click Content Filter (BlueCoat) or Content Filter (Commtouch) in the Service Name column to open the content filter reports screens.
  • Page 58
    Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report. The screens vary according to the report type you selected in the Report Home screen.
  • Page 59
    A chart and/or list of requested web site categories display in the lower half of the screen. You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.
  • Page 60: Anti-Spam Policy Configuration
    To configure DNS Black List (DNSBL), click the DNSBL tab. Select Enable DNS Black List (DNSBL) Checking. In the DNSBL Domain section click Add. Enter the DNSBL Domain for a DNSBL service. In this example, zen.spamhaus.org is used. Click Apply.
  • Page 61
    Select from the list of available Scan Options and click OK to return to the General screen. In the General screen, the policy configured in the previous step will display in the Policy Summary section. Select Enable Anti-Spam and click Apply.
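What the DNSBL check on page 60 does on the wire is a reverse-octet DNS query against the zone you entered (zen.spamhaus.org in the guide's example), and the answer is an address in 127.0.0.0/8 whose low byte encodes why the sender is listed. The following Python is an added example, not code from the guide or from ZyXEL: it builds the query name, classifies the answer, and treats the 127.255.255.x error answers separately so that a resolver problem does not become a mail outage. The code meanings are taken from Spamhaus' published documentation, not from the guide, and the resolver is a constructed stand-in so the block runs offline.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Added example, not from the ZyXEL guide: the DNSBL lookup behind page 60.
ZONE = "zen.spamhaus.org"

# Spamhaus ZEN answer codes (assumed from Spamhaus' documentation, not the guide).
LISTED = {
    "127.0.0.2": "SBL (spam source)",
    "127.0.0.3": "SBL CSS (snowshoe spam)",
    "127.0.0.4": "XBL (compromised host)",
    "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL (dynamic/end-user range)",
    "127.0.0.11": "PBL",
}
# These answers report a problem with the query, not a listing.
ERRORS = {
    "127.255.255.252": "malformed query",
    "127.255.255.254": "query sent through a public/open resolver",
    "127.255.255.255": "query volume limit exceeded",
}
# Ranges a public blocklist cannot describe; everything else is queried, which
# keeps 127.0.0.2, the documented always-listed test address, usable.
NOT_QUERIED = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def dnsbl_query_name(client_ip: str, zone: str = ZONE) -> str:
    """Reverse the octets of the connecting SMTP client and append the zone."""
    ip = ipaddress.IPv4Address(client_ip)
    return ".".join(reversed(ip.exploded.split("."))) + "." + zone


def check_sender(client_ip: str,
                 resolve: Callable[[str], List[str]]) -> Tuple[str, List[str]]:
    """Return ('listed'|'clean'|'error'|'skipped', reasons) for one SMTP client.

    Only the connecting IP is looked up: addresses parsed from Received:
    headers are under the sender's control and prove nothing.
    """
    ip = ipaddress.IPv4Address(client_ip)
    if any(ip in net for net in NOT_QUERIED):
        return "skipped", ["private address: DNSBLs only describe public IPs"]
    answers = resolve(dnsbl_query_name(client_ip))
    if not answers:
        return "clean", []                     # NXDOMAIN: not listed
    errors = [ERRORS[a] for a in answers if a in ERRORS]
    if errors:
        return "error", errors                 # do not block mail on these
    return "listed", [LISTED.get(a, f"unknown code {a}") for a in answers]


# Constructed resolver standing in for real DNS (answers chosen for the demo).
FAKE_ANSWERS: Dict[str, List[str]] = {
    "2.0.0.127." + ZONE: ["127.0.0.2", "127.0.0.4", "127.0.0.10"],
    "10.2.0.192." + ZONE: ["127.0.0.10"],
    "99.113.0.203." + ZONE: ["127.255.255.254"],
}


def fake_resolve(name: str) -> List[str]:
    return FAKE_ANSWERS.get(name, [])          # [] stands for NXDOMAIN


if __name__ == "__main__":
    for ip in ("127.0.0.2", "192.0.2.10", "203.0.113.99", "198.51.100.7", "10.1.1.1"):
        print(ip, check_sender(ip, fake_resolve))
```

Two operational points follow from the code: the ZyWALL must resolve through a resolver Spamhaus will answer (a public resolver gets the 127.255.255.254 error and every sender looks clean), and a PBL-only answer means "dynamic address space", which is a good reason to reject direct SMTP but not evidence that the host is compromised.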
  • Page 63: Create Secure Connections Across the Internet
    You configure security policies based on zones. The new VPN connection was assigned to the IPSec_VPN zone. By default, there are no security restrictions on the IPSec_VPN zone, so, next, you should set up security policies that apply to the IPSec_VPN zone.
  • Page 64
    ZyWALL uses one of its Trusted Certificates to authenticate the remote IPSec router’s certificate. The trusted certificate can be the remote IPSec router’s self-signed certificate or that of a trusted CA that signed the remote IPSec router’s certificate.
  • Page 65: VPN Concentrator Example
    Branch Office A VPN Gateway (VPN Tunnel 1):
    • My Address: 10.0.0.2
    • Peer Gateway Address: 10.0.0.1
    VPN Connection (VPN Tunnel 1):
    • Local Policy: 192.168.11.0/255.255.255.0
    • Remote Policy: 192.168.1.0/255.255.255.0
    • Disable Policy Enforcement
    Policy Route ...
  • Page 66
    Branch Office B VPN Gateway (VPN Tunnel 2):
    • My Address: 10.0.0.3
    • Peer Gateway Address: 10.0.0.1
    VPN Connection (VPN Tunnel 2):
    • Local Policy: 192.168.12.0/255.255.255.0
    • Remote Policy: 192.168.1.0/255.255.255.0
    • Disable Policy Enforcement
    Policy Route ...
  • Page 67: Hub-and-Spoke IPSec VPN Without VPN Concentrator
    • Branch B’s ZyWALL uses one VPN rule to access both the headquarters and branch A’s networks.
    Figure 28 Hub-and-spoke VPN Example. This hub-and-spoke VPN example uses the following settings. Branch Office A (ZyNOS-based ZyWALL): Gateway Policy (Phase 1): • My Address: 10.0.0.2 ...
  • Page 68
    • This example uses a wide range for the ZyNOS-based ZyWALL’s remote network; to use a narrower range, see Section 4.3 on page 67 for an example of configuring a VPN concentrator.
    • The local IP addresses configured in the VPN rules should not overlap.
  • Page 69: ZyWALL IPSec VPN Client Configuration Provisioning
    Create a VPN rule on the ZyWALL using the VPN Configuration Provisioning wizard. Configure a username and password for the rule on the ZyWALL. On a computer, use the ZyWALL IPSec VPN Client to get the VPN rule configuration.
  • Page 70: Configuration Steps
    Enter the WAN IP address or URL for the ZyWALL. If you changed the default HTTPS port on the ZyWALL, then enter the new one here. Enter the user name (Login) and password exactly as configured on the ZyWALL or external authentication server. Click Next.
  • Page 71
    Click OK. The rule settings are now imported from the ZyWALL into the ZyWALL IPSec VPN Client.
  • Page 72: ZyWALL IPSec VPN Client Configuration Provisioning Video Example
    Check that the client authentication method selected on the ZyWALL is where the user name and password are configured. For example, if the user name and password are configured on the ZyWALL, then the configured authentication method should be Local.
  • Page 73: SSL VPN
    ZyWALL automatically loads the ZyWALL SecuExtender client program to your computer. With the ZyWALL SecuExtender, you can access network resources, remote desktops and manage files as if you were on the local network.
  • Page 74: SSL VPN Video Example
    • Operating system and browser requirements for the remote user’s computer:
    • Windows 7 (32 or 64-bit), Vista (32 or 64-bit), 2003 (32-bit), XP (32-bit), or 2000 (32-bit)
    • Internet Explorer 7 and above or Firefox 1.5 and above
  • Page 75: L2TP VPN with Android, iOS, and Windows
    • You configure an IP address pool object named L2TP_POOL to assign the remote users IP addresses from 192.168.10.10 to 192.168.10.20 for use in the L2TP VPN tunnel.
    • The VPN rule allows the remote user to access the LAN1_SUBNET (the 192.168.1.x subnet).
  • Page 76
    Address IP address you configured in the Default_L2TP_VPN_GW. The address object in this example uses the WAN interface’s IP address (172.16.1.2) and is named L2TP_IFACE. Select Enable, set Application Scenario to Remote Access and Local Policy to L2TP_IFACE, and click OK.
  • Page 77
    • Set the Destination Address to the IP address pool that the ZyWALL assigns to the remote users (L2TP_POOL in this example).
    • Set the next hop to be the VPN tunnel that you are using for L2TP VPN.
  • Page 78
    If some of the traffic from the L2TP clients needs to go to the Internet, create a policy route to send traffic from the L2TP tunnels out through a WAN trunk.
    • Set Incoming to Tunnel and select your L2TP VPN connection.
    • Set the Source Address to the L2TP address pool.
  • Page 79
    • Set the Next-Hop Type to Trunk and select the appropriate WAN trunk.
  • Page 80: Configuring L2TP VPN on the ZyWALL Video Example
    L2TP VPN over IPSec (top-secret in this example).
    • Enable L2TP secret: turn this off.
    • DNS search domain: leave this on.
    • When dialing the L2TP VPN, the user will have to enter their account and password.
  • Page 81
    ZyWALL is using for L2TP VPN (172.16.1.2 in this example). For the Destination name, specify a name to identify this VPN (L2TP to ZyWALL for example). Select Don’t connect now, just set it up so I can connect later and click Next.
  • Page 82
    In Windows 7, click Security and set the Type of VPN to Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec). Then click Advanced settings. In Windows Vista, click Networking. Set the Type of VPN to L2TP IPSec VPN and click IPSec Settings.
  • Page 83
    In the Network and Sharing Center screen, click Connect to a network, select the L2TP VPN connection and click Connect to display a login screen. Enter the user name and password of your ZyWALL user account and click Connect.
  • Page 84
    Click the L2TP connection’s View status link to open a status screen. Click Details to see that the address you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20 in the example).
  • Page 85: Configuring L2TP VPN in Windows 7 Video Example
    (Embedded video; see page 10 for the playback requirements.)
  • Page 86
    Click Start > Control Panel > Network Connections > New Connection Wizard. Click Next in the Welcome screen. Select Connect to the network at my workplace and click Next. Select Virtual Private Network connection and click Next. Type L2TP to ZyWALL as the Company Name.
  • Page 87
    ZyWALL is using for L2TP VPN (172.16.1.2 in this example). Click Finish. The Connect L2TP to ZyWALL screen appears. Click Properties > Security. 10. Click Security, select Advanced (custom settings) and click Settings.
  • Page 88
    13. Select the Use pre-shared key for authentication check box and enter the pre-shared key used in the VPN gateway configuration that the ZyWALL is using for L2TP VPN. Click OK. 14. Click Networking. Select L2TP IPSec VPN as the Type of VPN. Click OK.
  • Page 89
    17. A ZyWALL-L2TP icon displays in your system tray. Double-click it to open a status screen. 18. Click Details to see that the address you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20).
  • Page 90: One-Time Password Version 2 (OTPv2)
    OTPv2 tokens for Windows computers and Android and iOS mobile devices. Figure 33 OTPv2 Example (OTP PIN; SafeWord 2008 Authentication Server; File Server, Email Server and Web-based Application). Here is an overview of how to use OTP. See the ZyWALL OTPv2 support note for details.
  • Page 91
    • Users cannot log in if they try to re-use a password that they have already used to log in. Users must generate a new password for each login.
    • Authentication fails if the SafeWord 2008 authentication server goes down, loses its network connection, or is too busy. Users can try again a little later.
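The two bullets on page 91 describe server-side behaviour of any event-based OTP scheme: a password that has been accepted once is consumed, and when the authentication server is unreachable login fails closed rather than falling back to the static password. The following Python is an added example, not code from the guide or from ZyXEL and not the SafeWord 2008 algorithm, which the guide does not describe; it uses HOTP (RFC 4226) as a stand-in to show the no-reuse rule mechanically. RFC4226_KEY is the RFC's own test key, so the codes it produces are the RFC's published test vectors.

```python
import hashlib
import hmac
import struct

# Added example, not from the ZyXEL guide and not SafeWord's algorithm: an
# event-based OTP (HOTP, RFC 4226) with the rule stated on page 91 that a
# password already used to log in is never accepted again.
RFC4226_KEY = b"12345678901234567890"   # RFC 4226 Appendix D test key


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C): dynamic truncation of HMAC-SHA1(K, C) to a decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


class OtpVerifier:
    """Server-side state for one token: the highest counter already consumed.

    The token advances its counter on every press. The server accepts a code
    only for a counter above the last one it accepted, so an intercepted or
    re-entered code is useless, and it searches a short look-ahead window so
    that a few presses that never reached the server do not lock the user out.
    """

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.look_ahead = look_ahead
        self.last_counter = -1            # nothing accepted yet

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for counter in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter   # consumes this and every earlier counter
                return True
        return False                      # wrong, already used, or outside the window


if __name__ == "__main__":
    v = OtpVerifier(RFC4226_KEY)
    code = hotp(RFC4226_KEY, 0)
    print(code, v.verify(code), v.verify(code))   # 755224 True False
```

The look-ahead window is the resynchronisation tolerance; the verify loop also shows why the server must be reachable for every login (the second bullet on page 91): the counter state lives there, and a client-side fallback would reintroduce replay.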
  • Page 93: Managing Traffic
    • Inbound traffic comes back from the WAN to the LAN1 device. The ZyWALL applies bandwidth management before sending the traffic out a LAN1 interface.
    You can set outbound and inbound guaranteed and maximum bandwidths for an application.
  • Page 94
    SIP instead. 5.1.4 SIP Any-to-WAN and WAN-to-Any Bandwidth Management Example:
    • Manage SIP traffic going to WAN1 from users on the LAN or DMZ.
  • Page 95
    • Set inbound guaranteed and maximum rates as the local users on the LAN and DMZ will probably download more than they upload to the Internet.
    • Set fourth highest priority (4) for the HTTP traffic in both directions.
  • Page 96
    Select App Patrol Service and http as the service type. Set the guaranteed inbound bandwidth to 10240 (kbps) and set priority 4. Set the maximum to 46080 (kbps). Set the outbound priority to 4. Click OK.
  • Page 97
    Select App Patrol Service and ftp as the service type. Set inbound guaranteed bandwidth to 792 kbps, priority 5, and maximum 2048 kbps. Set outbound guaranteed bandwidth to 5120 kbps, priority 5, and maximum 10240 kbps. Click ...
  • Page 98
    Gbps connections, but give it lower priority and limit it to avoid interference with other traffic.
    • Limit both outbound and inbound traffic to 50 Mbps.
    • Set fifth highest priority (5) for the FTP traffic.
    Figure 38 FTP LAN-to-DMZ Bandwidth Management Example (Outbound: 50 Mbps; Inbound: 50 Mbps)
  • Page 99
    Type 10240 (kbps) with priority 5 for both the inbound and outbound guaranteed bandwidth. Do not select Maximize Bandwidth Usage. Set the maximum to 51200 (kbps). Click OK. Finally, in the BWM screen, select Enable BWM. Click Apply.
  • Page 100: Bandwidth Management Video Example
    5.2 How to Configure a Trunk for WAN Load Balancing: These examples show how to configure a trunk for two WAN connections to the Internet. The available bandwidth for the connections is 1 Mbps (wan1) and 512 Kbps (wan2 or cellular1).
  • Page 101: Set Up Available Bandwidth on Ethernet Interfaces
    Here is how to set a limit on how much traffic the ZyWALL tries to send out through each WAN interface. Click Configuration > Network > Interface > Ethernet and double-click the wan1 entry. Enter the available bandwidth (1000 kbps) in the Egress Bandwidth field. Click OK.
  • Page 102: Configure the WAN Trunk
    Name the trunk and set the Load Balancing Algorithm field to Weighted Round Robin. Add wan1 and enter 2 in the Weight column. Add wan2 (or cellular1) and enter 1 in the Weight column. Click OK.
  • Page 103: How to Use Multiple Static Public WAN IP Addresses for LAN-to-WAN Traffic
    Click Configuration > Object > Address > Add (in IPv4 Address Configuration) to create the address object that represents the range of static public IP addresses. In this example you name it Public-IPs and it goes from 1.1.1.10 to 1.1.1.17.
  • Page 104: How to Configure DNS Inbound Load Balancing
    ZyWALL’s WAN1 (202.1.2.3) and WAN2 (202.5.6.7) to use DNS inbound load balancing to balance traffic loading coming from the Internet. In the CONFIGURATION > Network > Inbound LB screen, select Enable DNS Load Balancing. Click Apply.
  • Page 105
    • If you choose Custom in the Load Balancing Member screen and enter another IP address for a member interface, make sure the entered IP address is configured in the corresponding firewall and NAT virtual server rules.
  • Page 106: How To Allow Public Access To A Web Server

    HTTP traffic and the HTTP server in this example both use TCP port 80. So you set the Port Mapping Type to Port, the Protocol Type to TCP, and the original and mapped ports to 80. Keep Enable NAT Loopback selected to allow users connected to other interfaces to access the HTTP server.
  • Page 107: Set Up A Firewall Rule

    Destination to the HTTP server’s DMZ IP address object (DMZ_HTTP). DMZ_HTTP is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule. Set the Access field to allow and the Service to HTTP, and click OK.
  • Page 108: How To Manage Voice Traffic

    LAN and using IP address 192.168.1.56. Figure 42 WAN to LAN H.323 Peer-to-peer Calls Example. 5.6.1.1 Turn On the ALG: Click Configuration > Network > ALG. Select Enable H.323 ALG and Enable H.323 transformations and click Apply.
  • Page 109 1720. Click OK. 5.6.1.3 Set Up a Firewall Rule For H.323: Configure a firewall rule to allow H.323 (TCP port 1720) traffic received on the WAN_IP-for-H323 IP address to go to LAN IP address 192.168.1.56.
  • Page 110: How To Use An Ippbx On The Dmz

    • You want the IPPBX to receive calls from the WAN and also be able to send calls to the WAN so you set the Classification to NAT 1:1. • Set the Incoming Interface to use the WAN interface.
  • Page 111 Click Configuration > Firewall > Add. Set the From field as WAN and the To field as DMZ. Set the Destination to the IPPBX’s DMZ IP address object (DMZ_SIP). DMZ_SIP is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule. Set the Access field to allow and click OK.
  • Page 112 If traffic matches a rule that comes earlier in the list, it may be unexpectedly blocked. • The ZyWALL does not apply the firewall rule. The ZyWALL only applies a zone’s rules to the interfaces that belong to the zone. Make sure the WAN interface is assigned to the WAN zone.
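    The web server procedure (pages 106 to 107) and the IPPBX procedure (pages 110 to 112) both rest on one ordering: the ZyWALL rewrites the destination with the Virtual Server (NAT) rule first, and then the first firewall rule that matches decides the packet. The following model reproduces that order and the failure modes listed above (a firewall rule whose destination is the pre-NAT public address, an earlier rule shadowing the allow, and an interface that belongs to no zone). It is an added example, not ZyXEL code and not the ZyWALL's actual rule engine; the interface to zone mapping, the subnets, the address object names and all addresses are assumptions made for illustration.

```python
"""NAT-before-firewall, first-match evaluation (added example, not ZyXEL code)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology: zone of each interface, and the subnet behind each zone.
IFACE_ZONE = {"wan1": "WAN", "lan1": "LAN", "dmz": "DMZ"}
ZONE_NETS = {"LAN": ip_network("192.168.1.0/24"), "DMZ": ip_network("10.0.0.0/24")}

# Constructed address objects, keyed by the names a firewall rule refers to.
ADDRESS_OBJECTS = {
    "Public-IP": ip_network("1.1.1.10/32"),   # the public address the server is reached on
    "DMZ_HTTP": ip_network("10.0.0.80/32"),   # the server's real DMZ address
    "any": ip_network("0.0.0.0/0"),
}


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class VirtualServer:
    """Virtual Server rule: original (public) IP:port maps to a DMZ IP:port."""
    incoming_iface: str
    original_ip: str
    original_port: int
    mapped_ip: str
    mapped_port: int
    proto: str = "TCP"


@dataclass(frozen=True)
class FirewallRule:
    from_zone: str              # "WAN", "LAN", "DMZ" or "any"
    to_zone: str
    destination: str            # name of an address object
    service: Optional[tuple]    # (proto, port), or None for any service
    access: str                 # "allow" or "deny"


def apply_nat(pkt, virtual_servers):
    """Destination NAT runs first; the first matching Virtual Server rewrites dst."""
    for vs in virtual_servers:
        if (pkt.in_iface == vs.incoming_iface and pkt.proto == vs.proto
                and pkt.dst == vs.original_ip and pkt.dport == vs.original_port):
            return replace(pkt, dst=vs.mapped_ip, dport=vs.mapped_port)
    return pkt


def zone_of_dst(ip):
    addr = ip_address(ip)
    for zone, net in ZONE_NETS.items():
        if addr in net:
            return zone
    return "WAN"   # anything outside the local subnets is routed out to the WAN


def rule_matches(rule, pkt):
    from_zone = IFACE_ZONE.get(pkt.in_iface)
    if from_zone is None:
        return False   # interface in no zone: no zone rule can ever apply to it
    if rule.from_zone not in ("any", from_zone):
        return False
    if rule.to_zone not in ("any", zone_of_dst(pkt.dst)):
        return False
    if ip_address(pkt.dst) not in ADDRESS_OBJECTS[rule.destination]:
        return False
    if rule.service is not None and rule.service != (pkt.proto, pkt.dport):
        return False
    return True


def evaluate(pkt, rules, default="deny"):
    """First match wins; returns (access, index of the matching rule or None)."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.access, i
    return default, None


def decide(pkt, virtual_servers, rules):
    """Full forwarding path: NAT first, then the firewall on the rewritten packet."""
    return evaluate(apply_nat(pkt, virtual_servers), rules)


# Constructed scenario: Internet client reaching the public IP on TCP 80.
VSERVERS = [VirtualServer("wan1", "1.1.1.10", 80, "10.0.0.80", 80)]
INBOUND = Packet("wan1", "203.0.113.5", "1.1.1.10", "TCP", 80)

GOOD = [FirewallRule("WAN", "DMZ", "DMZ_HTTP", ("TCP", 80), "allow")]      # post-NAT object
WRONG_DST = [FirewallRule("WAN", "DMZ", "Public-IP", ("TCP", 80), "allow")]  # pre-NAT object
SHADOWED = [FirewallRule("WAN", "DMZ", "any", None, "deny")] + GOOD           # earlier deny wins

if __name__ == "__main__":
    for label, rules in (("good", GOOD), ("wrong dst", WRONG_DST), ("shadowed", SHADOWED)):
        print(label, decide(INBOUND, VSERVERS, rules))
```

    The same first-match principle governs the SNAT flow that Packet Flow Explore displays (page 135): once a rule matches, later rules are never consulted, so the order in the list is part of the policy.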
  • Page 113: How To Limit Web Surfing And Msn To Specific People

    Click Configuration > AppPatrol > Common and double-click the http entry to edit it. Double-click the Default policy. Change the access to Drop because you do not want anyone except authorized user groups to browse the web. Click OK.
  • Page 114: Set Up Msn Policies

    Click Configuration > AppPatrol > IM and double-click the msn entry to edit it. Double-click the Default policy. Change the access to Drop because you do not want anyone except the authorized user group (sales) to use MSN. Click OK.
  • Page 115 Click the Add icon in the policy list. In the new policy, select WorkHours as the schedule and Sales as the user group that is allowed to use MSN at the appointed schedule. Then select forward in the Access field. Click OK to finish the setup.
  • Page 116 Now only the sales group may use MSN during work hours on weekdays.
  • Page 117: Apppatrol Video Example

    If you have not already subscribed to the application patrol service, you will not be able to configure any policies. You can do so by using the Configuration > Licensing > Registration screens or using one of the wizards.
  • Page 119: Maintenance

    • The to-ZyWALL firewall rules allow this traffic. The following example is used to check that administrators and users are allowed to access the ZyWALL from the WAN using HTTPS. 6.1.1 Check Service Control Click Configuration > System > WWW.
  • Page 120 If the WAN to ZyWALL firewall rule denies access, double-click it to edit it. Mouse over the Service field and, if HTTPS is not in the Default_Allow_WAN_To_ZyWALL service group list, go to the Object > Service > Service Group screen to edit it.
  • Page 121 In the Edit Firewall Rule screen, you can also configure a schedule object or address object, or apply the rule to a particular user or user group. When management access is reachable from the WAN, restricting this rule to an address object that holds only the administrators’ source addresses is the practical way to limit how widely the login page is exposed.
  • Page 122: How To Use A Radius Server To Authenticate User Accounts Based On Groups

    > Object > User/Group > User. Click the Add icon. Enter a user name and set the User Type to ext-group-user. In the Group Identifier field, enter Finance and set the Associated AAA Server Object to radius.
  • Page 123: How To Use Ssh For Secure Telnet Access

    Configure the SSH client to accept connection using SSH version 1. A window displays prompting you to store the host key on your computer. Click Yes to continue. Enter the password to log in to the ZyWALL. The CLI screen displays next. Two cautions the procedure does not spell out: SSH protocol version 1 is obsolete and cryptographically weak, so use SSH version 2 wherever the ZyWALL firmware and the client both support it; and before storing the host key, compare the fingerprint the client shows against one obtained over a trusted channel, because accepting an unverified key lets a machine on the path impersonate the ZyWALL and capture the password.
  • Page 124: How To Manage Zywall Configuration Files

    *.conf file from its path and click Upload. After the upload is successful, you can find the *.conf file in the configuration file list. Click Apply to run the selected configuration file.
  • Page 125: How To Manage Zywall Firmware

    6.5 How to Manage ZyWALL Firmware Click Maintenance > File Manager > Firmware Package. Use this screen to check the current firmware version and upload firmware to the ZyWALL.
  • Page 126: How To Download And Upload A Shell Script

    *.zysh file in the shell script list. Click Apply to run the selected shell script. When you run a shell script, the ZyWALL only applies the commands that it contains. Other settings do not change.
  • Page 127: How To Save System Logs To A Usb Storage Device

    Insert a USB storage device into any USB port on your ZyWALL. In the Monitor > System Status > USB Storage screen, you can see the USB device’s information. Note: Make sure the USB device’s file system is supported by the ZyWALL. (It should not display “Unknown”.)
  • Page 128 Select the green check marks to log regular information and alerts from the corresponding categories. You can also simply click Selection and then enable normal logs to select the green check marks for all categories as shown in this example. Click OK.
  • Page 129 In the Maintenance > Diagnostics > System Log screen, you can see a new log file which is recording the system logs. You can select it and click Download if you want to save it to your computer.
  • Page 130: How To Get The Zywall's Diagnostic File

    To save diagnostic files to a USB storage device, do the following before you collect a diagnostic file: Insert the USB storage device into any USB port on your ZyWALL. In the Monitor > System Status > USB Storage screen, make sure the USB device’s file system doesn’t display “unknown”.
  • Page 131: How To Capture Packets On The Zywall

    Capture Interfaces box. Select IPv4 in the IP Version field. Select User Defined and enter 172.16.1.33 in the Host IP field. Select Save data to onboard storage only (if the displayed available size is enough). Click Capture.
  • Page 132 The TXT files display the packet statistics, such as packets captured according to your filters, packets received in total, and packets dropped. The CAP files display each captured packet’s details. You will need a packet analyzer tool to view them (see Section 6.9.1 on page 133 for an example).
  • Page 133 15 on the wire is 1514 bytes while the captured size is only 1500 bytes. The ZyWALL truncated the frame because the capture screen’s Number Of Bytes To Capture (Per Packet) field was set to 1500 bytes.
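    The truncation described on page 133 is visible in the CAP file itself: the Number Of Bytes To Capture (Per Packet) value becomes the file’s snaplen, and every record carries both the captured length and the original length on the wire. The following checker, an added example that is not ZyXEL code, parses a classic pcap file, lists the frames that were cut short, and refuses records whose length fields are inconsistent, so that a corrupted or hostile capture file cannot make the reader run past its buffer. The sample capture it works on is constructed in code, not taken from a ZyWALL.

```python
"""Find frames truncated by the capture snaplen in a classic pcap file (added example)."""
import struct

LITTLE_ENDIAN_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)   # microsecond and nanosecond variants
BIG_ENDIAN_MAGICS = (0xD4C3B2A1, 0x4D3CB2A1)      # the same magics written big endian


def parse_pcap(data):
    """Return (snaplen, linktype, records); each record is (incl_len, orig_len, bytes).

    Validates the magic and rejects any record whose captured length exceeds
    the snaplen or the original length, which a valid writer never produces.
    """
    if len(data) < 24:
        raise ValueError("too short to hold a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in LITTLE_ENDIAN_MAGICS:
        endian = "<"
    elif magic in BIG_ENDIAN_MAGICS:
        endian = ">"
    else:
        raise ValueError(f"not a classic pcap file (magic {magic:#010x})")
    _, _vmaj, _vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", data[:24])
    records = []
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError(f"record header cut off at offset {off}")
        _ts_sec, _ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"inconsistent length fields at offset {off - 16}")
        if off + incl_len > len(data):
            raise ValueError(f"record body cut off at offset {off}")
        records.append((incl_len, orig_len, data[off:off + incl_len]))
        off += incl_len
    return snaplen, linktype, records


def truncated_frames(data):
    """(packet number, bytes on the wire, bytes captured) for every cut frame.

    Numbering starts at 1 to match the No. column of a packet analyzer.
    """
    _snaplen, _linktype, records = parse_pcap(data)
    return [(i, orig, incl)
            for i, (incl, orig, _body) in enumerate(records, start=1)
            if orig > incl]


def build_sample_capture(snaplen=1500):
    """Constructed sample: one 60-byte frame and two 1514-byte frames, Ethernet link type."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)

    def record(n, wire_len):
        body = bytes([n]) * min(wire_len, snaplen)   # the capture stops at snaplen
        return struct.pack("<IIII", 1_346_000_000 + n, 0, len(body), wire_len) + body

    return header + record(1, 60) + record(2, 1514) + record(3, 1514)


if __name__ == "__main__":
    for number, wire, captured in truncated_frames(build_sample_capture()):
        print(f"frame {number}: {wire} bytes on the wire, {captured} captured")
```

    A 1500-byte snaplen keeps the full Ethernet, IP and TCP headers of every frame, so the cut only loses the tail of the payload of full-size frames; raise the per-packet byte count only when you need that payload, since it also fills the onboard storage faster.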
  • Page 134: How To Get The Zywall's Core Dump File

    If your ZyWALL’s flash is almost full, you can use a USB storage device. Note: You can check the remaining flash space in the Dashboard screen. To save new core dump files to a connected USB storage device, do the following:
  • Page 135: How To Use Packet Flow Explore For Troubleshooting

    ZyWALL checks if a packet matches an SNAT rule’s criteria by following the order of the flow as shown from left to right. Once a packet matches the criteria of an SNAT rule, the ZyWALL takes the corresponding action on the packet and does not perform any further SNAT flow checking.
  • Page 137: Appendix A Legal Information

    The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved.
  • Page 138 Your product is marked with this symbol, which is known as the WEEE mark. WEEE stands for Waste Electronics and Electrical Equipment. It means that used electrical and electronic products should not be mixed with general waste. Used electrical and electronic equipment should be treated separately.
  • Page 139 Appendix A Legal Information: RoHS
