ZyXEL Communications ZyWALL USG 100 Series User Manual


Unified security gateway

ZyWALL USG 100/200 Series
Unified Security Gateway
User's Guide
Version 2.11
12/2008
Edition 1

DEFAULT LOGIN
LAN1 Port: P4
IP Address: https://192.168.1.1
User Name: admin
Password: 1234

www.zyxel.com


Summary of Contents for ZyXEL Communications ZyWALL USG 100 Series

  • Page 3: About This User's Guide

    • CLI Reference Guide The CLI Reference Guide explains how to use the Command-Line Interface (CLI) to configure the ZyWALL. It is recommended you use the web configurator to configure the ZyWALL. • Web Configurator Online Help ZyWALL USG 100/200 Series User's Guide...
  • Page 4 Help us help you. Send all User Guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead. Thank you! The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan. E-mail: techwriters@zyxel.com.tw
  • Page 5: Document Conventions

    Syntax Conventions • The ZyWALL USG 100 and ZyWALL USG 200 may be referred to as the "ZyWALL", the "device", the "system" or the "product" in this User's Guide. • Product labels, screen names, field labels and field choices are all in bold font.
  • Page 6 Icons Used in Figures Figures in this User's Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. Icons: ZyWALL, Computer, Notebook computer, Server, Firewall, Telephone, Switch, Router, Printer.
  • Page 7: Safety Warnings

    • Do NOT obstruct the device ventilation slots, as insufficient airflow may harm your device.
  • Page 8 Safety Warnings This product is recyclable. Dispose of it properly.
  • Page 9: Table Of Contents

    SSL VPN (395), SSL User Screens (405), SSL User Application Screens (411), SSL User File Sharing (413), L2TP VPN (419), L2TP VPN Example (425), Application Patrol (451), Application Patrol (453)
  • Page 10 Maintenance, Troubleshooting, & Specifications (713), File Manager (715), Logs (725), Reports (737), Diagnostics (751), Reboot (753), Troubleshooting (755), Product Specifications (759), Appendices and Index (767)
  • Page 11: Table Of Contents

    2.3.1 VPN Connectivity (62), 2.3.2 SSL VPN Network Access (63), 2.3.3 User-Aware Access Control (64), 2.3.4 Multiple WAN Interfaces (65), 2.3.5 Device HA (65), Chapter 3 Web Configurator (67)
  • Page 12 4.8.7 VPN Advanced Wizard - Phase 2 (108), 4.8.8 VPN Advanced Wizard - Summary (109), 4.8.9 VPN Advanced Wizard - Finish (109), Chapter 5 Configuration Basics (111), 5.1 Object-based Configuration (111)
  • Page 13 6.1.1 How to Configure a WAN Ethernet Interface (130), 6.1.2 How to Configure the OPT Interface for a Local Network (130), 6.1.3 How to Configure Port Roles (132), 6.2 How to Configure a Cellular Interface (133)
  • Page 14 7.1.1 What You Can Do in the Status Screens (175), 7.2 The Status Screen (175), 7.2.1 The CPU Usage Screen (180), 7.2.2 The Memory Usage Screen (181), 7.2.3 The Session Usage Screen (181)
  • Page 15 10.5.2 Interface Wizard: WAN Type (219), 10.5.3 Interface Wizard: Non-WAN OPT Interface Setup (220), 10.5.4 Interface Wizard: WAN Zone and IP Address Assignment (221), 10.5.5 Interface Wizard: WAN ISP Connection Settings (221)
  • Page 16 12.1.2 What You Need to Know About Policy and Static Routing (282), 12.2 Policy Route Screen (283), 12.2.1 Policy Route Edit Screen (285), 12.3 IP Static Route Screen (287), 12.3.1 Static Route Add/Edit Screen (288)
  • Page 17 16.2.1 The Virtual Server Add/Edit Screen (313), 16.3 NAT 1:1 and NAT Loopback Examples (315), Chapter 17 HTTP Redirect (323), 17.1 Overview (323), 17.1.1 What You Can Do in the HTTP Redirect Screens (323)
  • Page 18 20.2.1 Configuring the Firewall Screen (351), 20.2.2 The Firewall Edit Screen (354), 20.3 The Session Limit Screen (355), 20.3.1 The Session Limit Edit Screen (357), Part IV: VPN (359)
  • Page 19 23.4 Bookmarking the ZyWALL (409), 23.5 Logging Out of the SSL VPN User Screens (409), Chapter 24 SSL User Application Screens (411), 24.1 SSL User Application Screens Overview (411), 24.2 The Application Screen (411)
  • Page 20 28.1.1 What You Can Do in the Application Patrol Screens (453), 28.1.2 What You Need to Know About Application Patrol (454), 28.1.3 Application Patrol Bandwidth Management Examples (458), 28.2 Application Patrol General Screen (461)
  • Page 21 30.4 The Profile Summary Screen (498), 30.5 Creating New Profiles (499), 30.5.1 Procedure To Create a New Profile (499), 30.6 Profiles: Packet Inspection (500), 30.6.1 Profile > Group View Screen (500)
  • Page 22 32.3 Content Filter Policy Add or Edit Screen (543), 32.4 Content Filter Profile Screen (544), 32.5 Content Filter Categories Screen (544), 32.6 Content Filter Customization Screen (553), 32.7 Content Filter Cache Screen (556)
  • Page 23 35.4 Configuring an Active-Passive Mode Monitored Interface (592), 35.5 The Legacy Mode Screen (593), 35.6 Configuring the Legacy Mode Screen (593), 35.7 The Legacy Mode Add/Edit Screen (595), 35.8 Device HA Technical Reference (597)
  • Page 24 39.1.1 What You Can Do in the Schedule Screens (629), 39.1.2 What You Need to Know About Schedules (629), 39.2 The Schedule Summary Screen (630), 39.2.1 The One-Time Schedule Add/Edit Screen (631)
  • Page 25 42.3 The Trusted Certificates Screen (660), 42.3.1 The Trusted Certificates Edit Screen (661), 42.3.2 The Trusted Certificates Import Screen (664), 42.4 Certificates Technical Reference (665), Chapter 43 SSL Application (667)
  • Page 26 44.6.5 Service Control Rules (691), 44.6.6 HTTPS Example (692), 44.7 SSH (699), 44.7.1 How SSH Works (700), 44.7.2 SSH Implementation on the ZyWALL (701), 44.7.3 Requirements for Using SSH (701)
  • Page 27 46.4.1 Log Setting Summary (728), 46.4.2 Edit System Log Settings (729), 46.4.3 Edit Remote Server Log Settings (732), 46.4.4 Active Log Summary Screen (734), Chapter 47 Reports (737), 47.1 Overview (737)
  • Page 28 Appendix A Log Descriptions (769), Appendix B Common Services (825), Appendix C Displaying Anti-Virus Alert Messages in Windows (829), Appendix D Importing Certificates (835), Appendix E Wireless LANs (841), Appendix F Open Software Announcements (855)
  • Page 29 Table of Contents: Appendix G Legal Information (893), Appendix H Customer Support (897), Index (903)
  • Page 31: List Of Figures

    Figure 1 ZyWALL USG 200 Front Panel (55), Figure 2 ZyWALL USG 100 Front Panel (56), Figure 3 Managing the ZyWALL: Web Configurator (57), Figure 4 Applications: VPN Connectivity (63), Figure 5 Network Access Mode: Reverse Proxy ...
  • Page 32 Figure 78 Funk Odyssey Access Wireless Client Login Example (148), Figure 79 VPN Example (148), Figure 80 VPN > IPSec VPN > VPN Gateway > Add (149), Figure 81 Object > Address > Address > Add (149)
  • Page 33 Figure 121 Device HA > Active-Passive Mode > Edit: Backup ZyWALL Example (169), Figure 122 Device HA > Active-Passive Mode: Backup ZyWALL Example (170), Figure 123 Device HA > General: Master ZyWALL Example (170), Figure 124 Public Server Example Network Topology (171)
  • Page 34 Figure 164 Interface > Cellular > Add (232), Figure 165 Interface > Cellular > Status (235), Figure 166 Example of a Wireless Network (237), Figure 167 Network > Interface > WLAN (238)
  • Page 35 Figure 206 Example: Zones (301), Figure 207 Network > Zone (303), Figure 208 Network > Zone > Edit (303), Figure 209 Network > DDNS (306), Figure 210 Network > DDNS > Add (307)
  • Page 36 Figure 250 Firewall Example: Create a Service Object (350), Figure 251 Firewall Example: Edit a Firewall Rule (350), Figure 252 Firewall Example: MyService Example Rule in Summary (350), Figure 253 Using Virtual Interfaces to Avoid Asymmetrical Routes (351)
  • Page 37 Figure 292 Logout: Prompt (409), Figure 293 Logout: Connection Termination Progress (410), Figure 294 Application (411), Figure 295 File Sharing (414), Figure 296 File Sharing: Enter Access User Name and Password (414)
  • Page 38 Figure 337 IP Security Policy: Request for Secure Communication (439), Figure 338 IP Security Policy: Completing the IP Security Policy Wizard (439), Figure 339 IP Security Policy Properties > Add (440)
  • Page 39 Figure 380 Anti-X > Anti-Virus > General (482), Figure 381 Anti-X > Anti-Virus > General > Add (484), Figure 382 Anti-X > Anti-Virus > Black/White List > Black List (486)
  • Page 40 Figure 421 myZyXEL.com: Welcome (563), Figure 422 myZyXEL.com: Service Management (564), Figure 423 Content Filter Reports Main Screen (564), Figure 424 Content Filter Reports: Report Home (565), Figure 425 Global Report Screen Example (566)
  • Page 41 Figure 465 Object > Schedule > Edit (One Time) (631), Figure 466 Object > Schedule > Edit (Recurring) (632), Figure 467 Example: Directory Service Client and Server (635), Figure 468 RADIUS Server Network Example (636)
  • Page 42 Figure 507 Security Certificate 2 (Netscape) (693), Figure 508 Login Screen (Internet Explorer) (694), Figure 509 ZyWALL Trusted CA Screen (694), Figure 510 CA Certificate Example (695), Figure 511 Personal Certificate Import Wizard 1 (696)
  • Page 43 Figure 551 Maintenance > Report > Anti-Virus: Virus Name (742), Figure 552 Maintenance > Report > Anti-Virus: Source (743), Figure 553 Maintenance > Report > Anti-Virus: Destination (743), Figure 554 Maintenance > Report > IDP: Signature Name (744)
  • Page 44 Figure 582 Peer-to-Peer Communication in an Ad-hoc Network (841), Figure 583 Basic Service Set (842), Figure 584 Infrastructure WLAN (843), Figure 585 RTS/CTS (844), Figure 586 WPA(2) with RADIUS Application Example (851), Figure 587 WPA(2)-PSK Authentication (852)
  • Page 45: List Of Tables

    Table 22 Zones, Interfaces, and Physical Ethernet Ports (112), Table 23 ZyWALL USG 200 Default Port, Interface, and Zone Configuration (114), Table 24 ZyWALL USG 100 Default Port, Interface, and Zone Configuration (115), Table 25 ZyWALL Terminology That is Different Than ZyNOS (115), Table 26 ZyWALL Terminology That Might Be Different Than Other Products (116)
  • Page 46 Table 78 Example: Routing Table Before and After Bridge Interface br0 Is Created (260), Table 79 Network > Interface > Bridge (261), Table 80 Network > Interface > Bridge > Add (263), Table 81 Network > Interface > Auxiliary (266)
  • Page 47 Table 122 VPN > IPSec VPN > VPN Connection (364), Table 123 VPN > IPSec VPN > VPN Connection > Edit (367), Table 124 VPN > IPSec VPN > VPN Connection > Manual Key > Edit (371)
  • Page 48 Table 163 Anti-X > IDP > Profile > Group View (502), Table 164 Policy Types (503), Table 165 IDP Service Groups (504), Table 166 Anti-X > IDP > Profile: Query View (506), Table 167 IP v4 Packet Headers (509)
  • Page 49 Table 207 Object > Address > Address (618), Table 208 Object > Address > Address > Edit (619), Table 209 Object > Address > Address Group (620), Table 210 Object > Address > Address Group > Add (620)
  • Page 50 Table 249 System > FTP (705), Table 250 SNMP Traps (707), Table 251 System > SNMP (708), Table 252 System > Dial-in Mgmt (710), Table 253 System > Vantage CNM (711)
  • Page 51 Table 291 ADP Logs (778), Table 292 Anti-Virus Logs (778), Table 293 User Logs (781), Table 294 myZyXEL.com Logs (782), Table 295 IDP Logs (787), Table 296 Application Patrol (791)
  • Page 52 Table 318 Commonly Used Services (825), Table 319 IEEE 802.11g (845), Table 320 Wireless Security Levels (846), Table 321 Comparison of EAP Authentication Types (849), Table 322 Wireless Security Relational Matrix (852)
  • Page 53: Getting Started

    Getting Started Introducing the ZyWALL (55) Features and Applications (59) Web Configurator (67) Configuration Basics (111) Tutorials (129) Status (175) Registration (189) Signature Update (195)
  • Page 55: Introducing The Zywall

    Configure the ZyWALL USG 200's OPT Gigabit Ethernet port as a third WAN port, an additional LAN1, WLAN, or DMZ port, or a separate network. 1.2 Front Panel LEDs Figure 1 ZyWALL USG 200 Front Panel
  • Page 56: Management Overview

    Chapter 1 Introducing the ZyWALL Figure 2 ZyWALL USG 100 Front Panel The following table describes the LEDs. Table 1 Front Panel LEDs (COLOR, STATUS, DESCRIPTION): The ZyWALL is turned off. Green: The ZyWALL is turned on. There is a hardware component failure. Shut down the...
  • Page 57: Starting And Stopping The Zywall

    The ZyWALL writes all cached data to the local storage, stops the system processes, and then does a warm start. Using the RESET button: If you press the RESET button, the ZyWALL sets the configuration to its default values and then reboots.
  • Page 58 When you apply configuration files or run shell scripts, the ZyWALL does not stop or start the system processes. However, you might lose access to network resources temporarily while the ZyWALL is applying configuration files or running shell scripts.
  • Page 59: Features And Applications

    The ZyWALL's firewall is a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It can also inspect sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.
  • Page 60 Use the black list to identify spam e-mail. The ZyWALL can also check e-mail against a DNS black list (DNSBL) of IP addresses of servers that are suspected of being used by spammers.
  • Page 61: Packet Flow

    2.2.1 Interface to Interface (Through ZyWALL) Ethernet -> VLAN -> Encap -> ALG -> DNAT -> Routing -> FW -> IDP -> AP -> CF -> AV -> AS -> SNAT -> BWM -> Encap -> VLAN -> Ethernet
  • Page 62: Interface To Interface (To/From Zywall)

    Set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to provide secure access to your network. You can also set up additional connections to the Internet to provide better service.
  • Page 63: Ssl Vpn Network Access

    URL. You do not have to install additional client software on the remote user computers for access. Figure 5 Network Access Mode: Reverse Proxy (LAN 192.168.1.X; Web Mail, File Share, Web-based Application)
  • Page 64: User-Aware Access Control

    2.3.3 User-Aware Access Control Set up security policies that restrict access to sensitive information and shared resources based on the user who is trying to access it. Figure 7 Applications: User-Aware Access Control
  • Page 65: Multiple Wan Interfaces

    Figure 8 Applications: Multiple WAN Interfaces 2.3.5 Device HA Set up an additional ZyWALL as a backup gateway to ensure the default gateway is always available for the network. Figure 9 Applications: Device HA
  • Page 67: Web Configurator

    1 Make sure your ZyWALL hardware is properly connected. See the Quick Start Guide. 2 Open your web browser, and go to http://192.168.1.1. By default, the ZyWALL automatically routes this request to its HTTPS server, and it is recommended to keep this setting. The Login screen appears.
  • Page 68: Figure 10 Login Screen

    5 The screen above appears every time you log in using the default user name and default password. If you change the password for the default user account, this screen does not appear anymore.
  • Page 69: Web Configurator Main Screen

    • A - title bar • B - navigation panel • C - main window • D - status bar 3.3.1 Title Bar The title bar provides some icons in the upper right corner.
  • Page 70: Navigation Panel

    IDP/AppPatrol: Use this screen to schedule IDP signature updates and to update signature information immediately. System Protect: Use this screen to schedule system-protect signature updates and to update signature information immediately. Network ...
  • Page 71 Use this screen to configure SSL VPN access rights for users and groups. Connection Monitor: Use this screen to monitor current SSL VPN connections. Global Setting: Use this screen to configure the ZyWALL's SSL VPN settings that apply to all connections.
  • Page 72 Use these screens to configure (the new) active-passive mode device HA. Legacy Mode: Use these screens to use legacy mode device HA with other ZyWALLs that already have device HA set up using a firmware version earlier than 2.10.
  • Page 73 Use this screen to configure the telnet server settings for the ZyWALL. Use this screen to configure the FTP server settings for the ZyWALL. SNMP: Use this screen to configure SNMP communities and services.
  • Page 74: Main Window

    Chapter 7 on page 175 for more information about the Status screen. 3.3.4 Message Bar Check the message bar when you click Apply or OK to verify that the configuration has been updated. Figure 13 Message Bar
  • Page 75: Figure 14 Warning Messages

    Click Refresh Now to update the screen. For example, if you just enabled a particular feature, you can look at the commands the web configurator generated to enable it. Close the popup window when you are done with it.
  • Page 76 Chapter 3 Web Configurator See the Command Reference Guide for information about the commands.
  • Page 77: Wizard Setup

    This wizard creates matching ISP account settings in the ZyWALL if you use PPPoE or PPTP. This wizard also creates a WAN trunk. • VPN SETUP Use VPN SETUP to configure a VPN connection. See Section 4.6 on page
  • Page 78: Installation Setup, One Isp

    ISP to know what to enter in each field. Leave a field blank if you don't have that information. Enter the Internet access information exactly as your ISP gave it to you. Figure 17 Internet Access: Step 1
    ISP to know what to enter in each field. Leave a field blank if you don’t have that information. Enter the Internet access information exactly as your ISP gave it to you. Figure 17 Internet Access: Step 1 ZyWALL USG 100/200 Series User’s Guide...
  • Page 79: Step 1 Internet Access

    Select Static If the ISP assigned a fixed IP address. 4.3.1 Ethernet: Auto IP Address Assignment If you select Auto as the IP Address Assignment in the previous screen, the following screen displays. Click Next to apply the configuration settings. ZyWALL USG 100/200 Series User’s Guide...
  • Page 80: Ethernet: Static Ip Address Assignment

    93). If you want to do a more detailed registration or manage your account details, click myZyXEL.com. Alternatively, click Close to exit the wizard. 4.3.2 Ethernet: Static IP Address Assignment If you select Static as the IP Address Assignment, the following screen displays. ZyWALL USG 100/200 Series User’s Guide...
  • Page 81: Step 2 Internet Access Ethernet

    Click Next to continue. The ZyWALL applies the configuration settings. 4.3.3 Step 2 Internet Access Ethernet You do not configure this screen if you selected Auto as the IP Address Assignment in the previous screen. ZyWALL USG 100/200 Series User’s Guide...
  • Page 82: Figure 20 Ethernet Encapsulation: Static: Finish

    You can click Next and use the following screen to perform a basic registration (see Section 4.4 on page 93). If you want to do a more detailed registration or manage your account details, click myZyXEL.com. Alternatively, click Close to exit the wizard. ZyWALL USG 100/200 Series User’s Guide...
  • Page 83: Pppoe: Auto Ip Address Assignment

    This field displays to which security zone this interface and Internet connection will belong. IP Address The ISP will assign your WAN IP address automatically Next Click Next to continue. The ZyWALL applies the configuration settings. ZyWALL USG 100/200 Series User’s Guide...
  • Page 84: Pppoe: Static Ip Address Assignment

    93). If you want to do a more detailed registration or manage your account details, click myZyXEL.com. Alternatively, click Close to exit the wizard. 4.3.5 PPPoE: Static IP Address Assignment If you select Static as the IP Address Assignment, the following screen displays. ZyWALL USG 100/200 Series User’s Guide...
  • Page 85: Figure 23 Pppoe Encapsulation: Static

    The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. The ZyWALL uses a system DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. ZyWALL USG 100/200 Series User’s Guide...
  • Page 86: Step 2 Internet Access Pppoe

    DNS Server: The Domain Name System (DNS) maps a domain name to an IP address and vice versa. Enter a DNS server's IP address(es). The ZyWALL uses these (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. ZyWALL USG 100/200 Series User’s Guide...
  • Page 87: Pptp: Auto Ip Address Assignment

    93). If you want to do a more detailed registration or manage your account details, click myZyXEL.com. Alternatively, click Close to exit the wizard. 4.3.7 PPTP: Auto IP Address Assignment If you select Auto as the IP Address Assignment in the previous screen, the following screen displays. ZyWALL USG 100/200 Series User’s Guide...
  • Page 88: Figure 25 Pptp Encapsulation: Auto

    You can use alphanumeric and -_ characters, and it can be up to 31 characters long. WAN IP Address Assignments WAN Interface This displays the identity of the interface you configure to connect with your ISP. ZyWALL USG 100/200 Series User’s Guide...
  • Page 89: Figure 26 Pptp Encapsulation: Auto: Finish

    You can click Next and use the following screen to perform a basic registration (see Section 4.4 on page 93). If you want to do a more detailed registration or manage your account details, click myZyXEL.com. Alternatively, click Close to exit the wizard. ZyWALL USG 100/200 Series User’s Guide...
  • Page 90: Pptp: Static Ip Address Assignment

    Type the (static) IP address assigned to you by your ISP. IP Subnet Mask Type the subnet mask assigned to you by your ISP (if given). Server IP Type the IP address of the PPTP server. ZyWALL USG 100/200 Series User’s Guide...
  • Page 91: Step 2 Internet Access Pptp

    Type a Connection ID or connection name. It must follow the “c:id” and “n:name” format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your broadband modem or router. ZyWALL USG 100/200 Series User’s Guide...
  • Page 92: Step 4 Internet Access - Finish

    You can click Next and use the following screen to perform a basic registration (see Section 4.4 on page 93). If you want to do a more detailed registration or manage your account details, click myZyXEL.com. Alternatively, click Close to exit the wizard. ZyWALL USG 100/200 Series User’s Guide...
  • Page 93: Device Registration

    20 alphanumeric characters (and the underscore). Spaces are not allowed. Check Click this button to check with the myZyXEL.com database to verify the user name you entered has not been used. ZyWALL USG 100/200 Series User’s Guide...
  • Page 94 Trial Service Activation: You can try a trial service subscription. The trial period starts the day you activate the trial. After the trial expires, you can buy an iCard and enter the license key in the Registration > Service screen to extend the service. ZyWALL USG 100/200 Series User’s Guide...
  • Page 95: Installation Setup, Two Internet Service Providers

    Configure the First WAN Interface and click Next. Figure 31 Internet Access: Step 1: First WAN Interface After you configure the First WAN Interface, you can configure the Second WAN Interface. Click Next to continue. ZyWALL USG 100/200 Series User’s Guide...
  • Page 96: Figure 32 Internet Access: Step 3: Second Wan Interface

    After you configure the Second WAN Interface, a summary of configuration settings display for both WAN interfaces. Figure 33 Internet Access: Finish You can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. ZyWALL USG 100/200 Series User’s Guide...
  • Page 97: Internet Access Wizard Setup Complete

    Advanced Use this wizard to configure detailed VPN security settings such as using certificates. The VPN connection can be to another ZLD-based ZyWALL or other IPSec device. Next Click Next to continue. ZyWALL USG 100/200 Series User’s Guide...
  • Page 98: Vpn Wizards

    Enter the WAN IP address or domain name of the remote IPSec router (secure Gateway gateway) to identify the remote IPSec router by its IP address or a domain name. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address. ZyWALL USG 100/200 Series User’s Guide...
  • Page 99: Vpn Express Wizard - Remote Gateway

    Pre-Shared Key: Type the password. Both ends of the VPN tunnel must use the same password. Use 8 to 31 case-sensitive ASCII characters or 16 to 62 hexadecimal (“0-9”, “A-F”) characters. Proceed hexadecimal characters with “0x”. Figure 36 VPN Express Wizard: Step 3 ZyWALL USG 100/200 Series User’s Guide...
  • Page 100: Vpn Express Wizard - Policy Setting

    Figure 37 VPN Express Wizard: Step 4 The following table describes the labels in this screen. Table 17 VPN Express Wizard: Step 4 LABEL DESCRIPTION Summary Name This is the name of the VPN connection (and VPN gateway). ZyWALL USG 100/200 Series User’s Guide...
  • Page 101: Vpn Express Wizard - Summary

    Remote Policy: IP address and subnet mask of the computers on the network behind the peer IPSec device that can use the tunnel. You can copy and paste the Configuration for Remote Gateway commands into another ZLD-based ZyWALL’s command line interface.
  • Page 102: Vpn Express Wizard - Finish

    93). If you want to do a more detailed registration or manage your account details, click myZyXEL.com. Alternatively, click Close to exit the wizard. 4.8.4 VPN Advanced Wizard: Click the Advanced radio button as shown in Figure 34 on page 97 to display the following screen.
  • Page 103: Figure 39 Vpn Advanced Wizard: Step 2

    My Certificates screen. Click Certificate under the Object menu to go to the My Certificates screen where you can view the ZyWALL's list of certificates. Next: Click Next to continue.
  • Page 104: Vpn Advanced Wizard - Remote Gateway

    There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA (Security Association). Figure 40 VPN Advanced Wizard: Step 3
  • Page 105: Vpn Advanced Wizard - Phase 1

    4.8.6 VPN Advanced Wizard - Phase 1. Phases: IKE (Internet Key Exchange) negotiation has two phases. A phase 1 exchange establishes an IKE SA (Security Association) and phase 2 (Key Exchange) uses the SA to negotiate SAs for IPSec.
  • Page 106: Figure 41 Vpn Advanced Wizard: Step 4

    ZyWALL shuts down the IKE SA. 4.8.6.1 Phase 2 Setting: Phase 2 in an IKE uses the SA that was established in phase 1 to negotiate SAs for IPSec. Figure 41 VPN Advanced Wizard: Step 4
  • Page 107: Table 20 Vpn Advanced Wizard: Step 4

    LAN behind the remote gateway. Property, Nailed-Up: Select this if you want the ZyWALL to automatically renegotiate the IPSec SA when the SA life time expires. Next: Click Next to continue.
  • Page 108: Vpn Advanced Wizard - Phase 2

    0.0.0.0, only the remote IPSec router can initiate the VPN connection. Pre-Shared Key: This is a pre-shared key identifying a communicating party during a phase 1 IKE negotiation. Local Policy: This is a (static) IP address and subnet mask on the LAN behind your ZyWALL.
  • Page 109: Vpn Advanced Wizard - Summary

    Copy and paste the Remote Gateway CLI commands into another ZLD-based ZyWALL’s command line interface. Click Save to save the VPN rule. 4.8.9 VPN Advanced Wizard - Finish: Now you can use the VPN tunnel.
  • Page 110: Figure 43 Vpn Wizard: Step 6: Advanced

    You can click Next and use the following screen to perform a basic registration (see Section 4.4 on page 93). If you want to do a more detailed registration or manage your account details, click myZyXEL.com. Alternatively, click Close to exit the wizard.
  • Page 111: Configuration Basics

    If you are in a screen that uses objects, you can also usually select Create Object to open a screen where you can configure a new object. For a list of common objects, see Section 5.5 on page 124.
  • Page 112: Zones, Interfaces, And Physical Ports

    (P1~P7) 5.2.1 Interface Types: There are many types of interfaces in the ZyWALL. In addition to being used in various features, interfaces also describe the network that is directly connected to the ZyWALL.
  • Page 113: Default Interface And Zone Configuration

    5.2.2 Default Interface and Zone Configuration: This section explains the ZyWALL’s factory default zone and interface configuration. The following figure uses letters to denote public IP addresses or part of a private IP address.
  • Page 114: Figure 46 Default Network Topology

    Default topology table (continued; interface names of the first, third and fourth rows are cut off on this page): 192.168.2.1, DHCP server enabled, protected LAN; ext-wlan, WLAN zone, 10.59.0.1, DHCP server enabled, wireless access points; 192.168.3.1, DHCP server disabled, public servers (such as web, e-mail and FTP); None, None, auxiliary modem; CONSOLE, None, None, local management.
  • Page 115: Terminology In The Zywall

    • The LAN1 zone contains the lan1 interface (a port group made up of physical ports P4 and P5 on the ZyWALL USG 200 or P3, P4, and P5 on the ZyWALL USG 100). The LAN1 zone is a protected zone. The lan1 interface uses 192.168.1.1 and the connected devices use IP addresses in the 192.168.1.2 to 192.168.1.254 range.
  • Page 116: Feature Configuration Overview

    You may not have to configure everything in the list of prerequisites. For example, you do not have to create a schedule for a policy route unless time is one of the criteria.
  • Page 117: Interface

    5.4.3 Trunks: Use trunks to set up load balancing using two or more interfaces. MENU ITEM(S): Network > Interface > Trunk. PREREQUISITES: Interfaces. WHERE USED: Policy routes. Example: See Chapter 6 on page 129.
  • Page 118: Ipsec Vpn

    Zones cannot overlap. Each interface and VPN tunnel can be assigned to at most one zone. Virtual interfaces are automatically assigned to the same zone as the interface on which they run. MENU ITEM(S): Network > Zone. PREREQUISITES: Interfaces, IPSec VPN, SSL VPN.
  • Page 119: Device Ha

    4 Select the interface that the traffic comes in through (dmz in this example). 5 Select the FTP server’s address as the source address. 6 You don’t need to specify the destination address or the schedule. 7 For the service, select FTP.
  • Page 120: Static Routes

    • You don’t need to specify the schedule or the user. • In the Source field, select the address object of the VoIP server. • You don’t need to specify the destination address.
  • Page 121: Application Patrol

    Use anti-virus to detect and take action on viruses. You must subscribe to use anti-virus. You can subscribe using the Licensing > Registration screens or one of the wizards. MENU ITEM(S): Anti-X > AV. PREREQUISITES: Registration, zones.
  • Page 122: Idp

    11 Add a policy that uses the schedule, the filtering profile and the user that you created. 5.4.18 Anti-Spam: Use anti-spam to detect and take action on spam mail. MENU ITEM(S): Anti-X > Anti-Spam. PREREQUISITES: Zones.
  • Page 123: Virtual Server (Port Forwarding)

    4 Select the interface from which you want to redirect incoming HTTP requests (lan1). 5 Specify the IP address of the HTTP proxy server. 6 Specify the port number to use for the HTTP traffic that you forward to the proxy server.
  • Page 124: Alg

    Use these screens to configure the ZyWALL’s administrator and user accounts. The ZyWALL provides the following user types. Table 30 User Types (TYPE: ABILITIES). Admin: change ZyWALL configuration (web, CLI). Limited-Admin: look at ZyWALL configuration (web). User: access network services, browse user-mode commands (CLI).
  • Page 125: System Management And Maintenance

    3 Click System > WWW to configure the HTTP management access. Enable HTTPS and add an administrator service control entry. • Select the address object for the administrator’s computer. • Select the WAN zone. • Set the action to Accept.
  • Page 126: File Manager

    MENU ITEM(S): Maintenance > Log, Report. 5.6.6 Diagnostics: The ZyWALL can generate a file containing the ZyWALL’s configuration and diagnostic information. MENU ITEM(S): Maintenance > Diagnostics.
  • Page 129: Tutorials

    • This example does not use the ext-wlan interface (for Ethernet-connected APs) so you remove port P6 from the ext-wlan interface and add it to the dmz interface instead. Figure 47 Port Role and Ethernet Interface Configuration Example
  • Page 130: How To Configure A Wan Ethernet Interface

    6.1.2 How to Configure the OPT Interface for a Local Network: Here is how to set the opt interface for a separate local network. It uses 192.168.4.1 as its IP address and has a DHCP server to distribute IP addresses to connected DHCP clients.
  • Page 131: Figure 49 Network > Interface > Ethernet > Edit Opt

    Address to 192.168.4.1 and the Subnet Mask to 255.255.255.0. Zone to WAN and select Get Automatically as shown next. Then click More Settings. Figure 49 Network > Interface > Ethernet > Edit opt. 2 Set DHCP to DHCP Server and click OK.
  • Page 132: How To Configure Port Roles

    Here is how to remove port P6 from the ext-wlan interface and add it to the dmz interface. 1 Click Network > Interface > Port Role. 2 Under P6 select the dmz (DMZ) radio button and click Apply. Figure 51 Network > Interface > Port Roles (Configured)
  • Page 133: How To Configure A Cellular Interface

    3G connection. Enter the PIN Code provided by the cellular 3G service provider (0000 in this example). In Related Setting, keep Add this interface to Trunk to allow WAN load balance selected. Click OK.
  • Page 134: Figure 53 Network > Interface > Cellular > Edit

    Figure 53 Network > Interface > Cellular > Edit. 5 Go to the Status screen. The Interface Status Summary section should contain a “cellular” entry. When its connection status is “Connected” you can use the 3G connection to access the Internet.
  • Page 135: How To Set Up A Wlan Interface

    WPA or WPA2 instead of needing an external RADIUS server. For each WLAN user, set up a user account containing the user name and password the WLAN user needs to enter to connect to the wireless LAN.
  • Page 136: How To Create The Wlan Interface

    Method. The ZyWALL can use its default authentication method (the local user database) and its default certificate to authenticate the users. Configure the interface’s IP address and set it to DHCP Server. Click OK.
  • Page 137: Figure 56 Network > Interface > Wlan > Add (Wpa/Wpa2 Security)

    Figure 56 Network > Interface > WLAN > Add (WPA/WPA2 Security). Turn on the wireless LAN and click Apply. Figure 57 Network > Interface > WLAN
  • Page 138: How To Set Up The Wireless Clients To Use The Wlan Interface

    1 Open the wireless client utility and click Profile. Figure 58 ZyXEL Wireless Client. 2 Add a new profile. This example uses “ZYXEL_WPA” as the name. It is also the SSID (name) of the wireless network. Select Infrastructure and click Next.
  • Page 139: Figure 59 Zyxel Wireless Client > Profile

    4 Set the encryption type to TKIP and the EAP type to TTLS. Configure wlan_user as the Login Name and enter the account’s password (also wlan_user in this example). In TTLS Protocol, select PAP. Click Next.
  • Page 140: Figure 61 Zyxel Wireless Client > Profile: Security Settings

    5 Confirm your settings and click Save. Figure 62 ZyXEL Wireless Client > Profile: Save. 6 Click Activate Now. Figure 63 ZyXEL Wireless Client > Profile: Activate. 7 The ZYXEL_WPA profile displays in your list of profiles.
  • Page 141: Figure 64 Zyxel Wireless Client > Profile: Activate

    Figure 65 Odyssey Access Client Manager > Profiles. 2 Name the profile (this example uses ZYXEL_WPA). In the User Info tab, configure wlan_user as the Login name. In the Password sub-tab, select Prompt for login name and password.
  • Page 142: Figure 66 Odyssey Access Client Manager > Profiles > User Info

    Figure 66 Odyssey Access Client Manager > Profiles > User Info. 3 Click the Authentication tab and select Validate server certificate. Figure 67 Odyssey Access Client Manager > Profiles > Authentication. 4 Click the TTLS tab and select PAP. Then click OK.
  • Page 143: Figure 68 Odyssey Access Client Manager > Profiles > Authentication

    6 Enter the name of the wireless network (“ZYXEL_WPA” in this example) or click Scan to look for it. Then select Authenticate using profile and select the profile you configured (“ZYXEL_WPA” in this example). Click OK.
  • Page 144: Figure 70 Odyssey Access Client Manager > Networks > Add

    1 In Internet Explorer, click Tools > Internet Options > Content and click the Certificates button. Figure 71 Internet Explorer: Tools > Internet Options > Content
  • Page 145: Figure 72 Internet Explorer: Tools > Internet Options > Content > Certificates

    Type setting to All Files in order to see the certificate file. Figure 73 Internet Explorer Certificate Import Wizard File Open Screen. 4 When you get to the Certificate Store screen, you can just leave it at the default setting.
  • Page 146: Figure 74 Internet Explorer Certificate Import Wizard Certificate Store Screen

    Trusted Root Certification Authorities tab. The values in the Issued To and Issued By fields should match those in the ZyWALL’s My Certificates screen’s Subject and Issuer fields (respectively).
  • Page 147: Figure 76 Internet Explorer: Trusted Root Certification Authorities

    ZyWALL’s certificate when using the WLAN interface. 6.3.3.4 How the Wireless Clients Use the WLAN Interface: A login screen displays when the wireless client attempts to connect to the wireless interface. Enter the username and password and click OK.
  • Page 148: How To Set Up An Ipsec Vpn

    2 Give the VPN gateway a name (“VPN_GW_EXAMPLE”). For My Address, select Interface and wan1. For the Peer Gateway Address, select Static Address and enter 2.2.2.2 in field 1. For the Authentication, select Pre-Shared Key and enter 12345678. Click OK.
  • Page 149: How To Set Up The Vpn Connection

    4 Give the VPN connection a name (“VPN_CONN_EXAMPLE”). Under VPN Gateway select Static Site-to-site and the VPN gateway (VPN_GW_EXAMPLE). Under Policy, select LAN1_SUBNET for the local network and VPN_REMOTE_SUBNET for the remote. Click OK.
  • Page 150: How To Set Up The Policy Route For The Vpn Tunnel

    Figure 83 Network > Routing > Policy Route. 2 Configure the policy route as shown next. This policy route applies to traffic from the LAN1 subnet. Use the VPN connection’s local and remote objects as the source address
  • Page 151: How To Configure Security Policies For The Vpn Tunnel

    IPSec_VPN zone. Make sure all firewalls between the ZyWALL and remote IPSec router allow UDP port 500 (IKE) and IP protocol 50 (AH) or 51 (ESP). If you enable NAT traversal, all firewalls between the ZyWALL and remote IPSec router should also allow UDP port 4500.
  • Page 152: How To Configure User-Aware Access Control

    3 Repeat this process to set up the remaining user accounts. 6.5.2 How to Set Up User Groups: Set up the user groups and assign the users to the user groups. 1 Click Object > User/Group > Group. Click the Add icon.
  • Page 153: How To Set Up User Authentication Using The Radius Server

    2 Click Object > Auth. method. Click the Add icon. 3 Give the new authentication method object a descriptive name, and click the Add icon. Select group radius because the ZyWALL should use the specified RADIUS server for authentication. Click OK.
  • Page 154: How To Set Up Web Surfing Policies With Bandwidth Restrictions

    Use application patrol (AppPatrol) to enforce the web surfing and MSN policies. You must have already subscribed for the application patrol service. You can subscribe using the Licensing > Registration screens or using one of the wizards.
  • Page 155: Figure 91 Apppatrol > General

    3 Click the Default policy’s Edit icon. Figure 93 AppPatrol > Common > http. 4 Change the access to Drop because you do not want anyone except authorized user groups to browse the web. Click OK.
  • Page 156: How To Set Up Msn Policies

    1 Click Object > Schedule. Click the Add icon for recurring schedules. 2 Give the schedule a descriptive name. Set up the days (Monday through Friday) and the times (8:30 - 18:00) when Sales is allowed to use MSN. Click OK.
  • Page 157: How To Set Up Firewall Rules

    Click the Add icon next to it. Figure 97 Firewall > LAN1 to DMZ > Edit. 2 Change the Access field to deny, and click OK.
  • Page 158: How To Configure Load Balancing

    As these connections have different bandwidth, you have decided to use the Weighted Round Robin algorithm and to send traffic to wan1 and wan2 in a 2:1 ratio. Figure 100 Trunk Example (wan1: 1 Mbps, wan2: 512 Kbps)
  • Page 159: How To Set Up Available Bandwidth On Ethernet Interfaces

    1 Click Network > Interface > Trunk. Click the Edit icon next to WAN_TRUNK. 2 In the Load Balancing Algorithm field, select Weighted Round Robin. After the screen refreshes, enter 2 and 1 in the Weight column for wan1 and wan2, respectively. Click OK.
  • Page 160: How To Configure Service Control

    6.7.1 How to Allow HTTPS Administrator Access Only From the LAN: This example configures service control to block administrator HTTPS access from all zones except LAN1. 1 Click System > WWW. 2 In HTTPS Admin Service Control, click the Add icon.
  • Page 161: Figure 103 System > Www

    Figure 103 System > WWW. 3 In the Zone field select LAN1 and click OK. Figure 104 System > WWW > Service Control Rule Edit. 4 Click the new rule’s Add icon.
  • Page 162: Figure 105 System > Www (First Example Admin Service Rule Configured)

    Figure 105 System > WWW (First Example Admin Service Rule Configured). 5 Set the Zone to ALL and set the Action to Deny. Click OK. Figure 106 System > WWW > Service Control Rule Edit. 6 Click Apply.
  • Page 163: How To Allow Incoming H.323 Peer-To-Peer Calls

    ZyWALL forward H.323 traffic destined for WAN1 IP address 10.0.0.8 to an H.323 device located on LAN1 and using IP address 192.168.1.56. Figure 108 WAN to LAN1 H.323 Peer-to-peer Calls Example (LAN1 device 192.168.1.56, WAN1 address 10.0.0.8)
  • Page 164: How To Turn On The Alg

    1 Use Object > Address > Add to create address objects for the private and public IP addresses (WAN_IP-for-H323 and LAN_H323) as shown next. Figure 110 Create Address Objects. 2 Click Network > Virtual Server > Add. 3 Configure the screen as follows and click OK.
  • Page 165: How To Set Up A Firewall Rule For H.323

    Figure 112 Firewall: WAN to LAN 1. 3 Configure the screen as follows and click OK. LAN_H323 is the destination because the ZyWALL applies the virtual server to traffic before applying the firewall rule.
  • Page 166: How To Use Device Ha

    Here is an example of using device HA (High Availability) to back up ZyWALL A (the master) with ZyWALL B. ZyWALL B automatically takes over all of A’s functions if A fails or loses its lan1 or wan1 connection.
  • Page 167: Before You Start

    Section 6.9.4 on page 170). 6.9.2 How to Configure Device HA on the Master ZyWALL: 1 Log into ZyWALL A (the master) and click Device HA > Active-Passive Mode. Click lan1’s Edit icon.
  • Page 168: Figure 118 Device Ha > Active-Passive Mode > Edit: Master Zywall Example

    Enter a Synchronization Password (“mySyncPassword” in this example) and click Apply. Figure 119 Device HA > Active-Passive Mode: Master ZyWALL Example. 4 Click the General tab. Turn on device HA and click Apply.
  • Page 169: How To Configure The Backup Zywall

    4 Set the Device Role to Backup. Turn on monitoring for the wan1 and lan1 interfaces. Set the Synchronization Server Address to 192.168.1.1, the Port to 21, and the Password to “mySyncPassword”. Select Auto Synchronize and set the Interval to 60. Click Apply.
  • Page 170: How To Deploy The Backup Zywall

    6.9.5 How to Check Your Device HA Setup: 1 To make sure ZyWALL B copied ZyWALL A’s settings, you can log into ZyWALL B’s management IP address (192.168.1.5) and check the configuration. You can use the
  • Page 171: How To Allow Public Access To A Server

    1 Create an address object named DMZ_HTTP for the HTTP server’s private IP address of 192.168.3.7. Figure 125 Creating the Address Object for the HTTP Server’s Private IP Address. 2 Create an address object named WAN2_HTTP for the wan2 public IP address of 1.1.1.2.
  • Page 172: How To Configure A Virtual Server

    • Select Add corresponding Policy Route rule for NAT Loopback to allow local users to use a domain name to access the HTTP server. See NAT Loopback Example on page 319 for details. Figure 127 Creating the Virtual Server
  • Page 173 Now the public can go to IP address 1.1.1.2 to access the HTTP server. If a domain name is registered for IP address 1.1.1.2, users can just go to the domain name to access the web server.
  • Page 175: Status

    The Status screen displays when you log into the ZyWALL or click Status. Use this screen to look at the ZyWALL’s general device information, system status, system resource usage, licensed service status, and interface status.
  • Page 176: Figure 128 Status

    This field displays the MAC addresses used by the ZyWALL. Each physical port has one MAC address. The first MAC address is assigned to physical port 1, the second MAC address is assigned to physical port 2, and so on.
  • Page 177 This field displays how many traffic sessions are currently open on the ZyWALL. These are the sessions that are traversing the ZyWALL. Click the icon to display a chart of ZyWALL’s recent session usage. Licensed Service Status
  • Page 178 If an Ethernet interface does not have any physical ports associated with it, its entry is displayed in light gray text. Click the Detail icon to go to a (more detailed) summary screen of interface statistics. Name: This field displays the name of each interface.
  • Page 179 The number in brackets indicates how many times the signature has been matched. Click the hyperlink for more detailed information on the intrusion. Virus Detected: This is the name of the virus that the ZyWALL has detected.
  • Page 180: The Cpu Usage Screen

    The x-axis shows the time period over which the CPU usage occurred. Refresh Interval: Enter how often you want this window to be automatically updated. Refresh Now: Click this to update the information in the window right away.
  • Page 181: The Memory Usage Screen

    Click this to update the information in the window right away. 7.2.3 The Session Usage Screen: Use this screen to look at a chart of the ZyWALL’s recent traffic session usage. To access this screen, click Session Usage in the Status screen.
  • Page 182: The Vpn Status Screen

    Click this to update the information in the window right away. 7.2.4 The VPN Status Screen: Use this screen to look at the VPN tunnels that are currently established. To access this screen, click VPN Status in the Status screen.
  • Page 183: The Dhcp Table Screen

    Use this screen to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses. To access this screen, click the icon beside DHCP Table in the Status screen. Figure 133 Status > DHCP Table
  • Page 184: The Port Statistics Screen

    Click this to update the screen immediately. 7.2.6 The Port Statistics Screen: Use this screen to look at packet statistics for each Gigabit Ethernet port. To access this screen, click Port Statistics in the Status screen.
  • Page 185: Figure 134 Status > Port Statistics

    Set Interval: Click this to set the Poll Interval the screen uses. Stop: Click this to stop the window from updating automatically. You can start it again by setting the Poll Interval and clicking Set Interval.
  • Page 186: The Port Statistics Graph Screen

    This field displays how long the ZyWALL has been running since it last restarted or was turned on. Refresh Interval: Enter how often you want this window to be automatically updated. Refresh Now: Click this to update the information in the window right away.
  • Page 187: The Current Users Screen

    Use this screen to look at detailed status information for a cellular (3G) card. To access this screen, click the cellular card’s Detail icon in the Status screen. Figure 137 Status > Cellular Detail
  • Page 188: Table 41 Status > Cellular Detail

    (Subscriber Identity Module) card. The SIM card is installed in a mobile device and used for authenticating a customer to the carrier network. IMSI is a unique 15-digit number used to identify a user on a network.
  • Page 189: Registration

    ZyWALL’s serial number and LAN MAC address to register it. Refer to the web site’s on-line help for details. To activate a service on a ZyWALL, you need to access myZyXEL.com via that ZyWALL.
  • Page 190: The Registration Screen

    8.2 The Registration Screen: Use this screen to register your ZyWALL with myZyXEL.com and activate a service, such as content filtering. Click Licensing > Registration in the navigation panel to open the screen as shown next.
  • Page 191: Figure 138 Licensing > Registration

    Select the check box to activate a trial service subscription. The trial period starts the day you activate the trial. After the trial expires, you can buy an iCard and enter the license key in the Registration Service screen to extend the service.
  • Page 192: Figure 139 Licensing > Registration: Registered Device

    (if any). You can still select the unchecked trial service(s) to activate it after registration. Use the Service screen to update your service subscription status. Figure 139 Licensing > Registration: Registered Device
  • Page 193: The Service Screen

    (specific to your ZyWALL) and enter the new PIN number to extend the service. Service License Refresh: Click this button to renew service license information (such as the registration status and expiration day).
  • Page 195: Signature Update

    • Your custom signature configurations are not over-written when you download new signatures. The ZyWALL does not have to reboot when you upload new signatures. 9.2 The Antivirus Update Screen Click Licensing > Update > Anti-Virus to display the following screen. ZyWALL USG 100/200 Series User’s Guide...
  • Page 196: Figure 141 Licensing > Update >Anti-Virus

    Select this option to have the ZyWALL check for new signatures once a week on the day and at the time specified. Apply Click this button to save your changes to the ZyWALL. Reset Click this button to return the screen to its last-saved settings. ZyWALL USG 100/200 Series User’s Guide...
  • Page 197: The Idp/Apppatrol Update Screen

    You should select a time when your network is not busy for minimal interruption. Hourly Select this option to have the ZyWALL check for new IDP signatures every hour. ZyWALL USG 100/200 Series User’s Guide...
  • Page 198: The System Protect Update Screen

    IDP feature. The system-protection feature is enabled by default and can only be disabled via the commands. You do not need an IDP subscription to use the system-protection feature or to download updated system-protection signatures. ZyWALL USG 100/200 Series User’s Guide...
  • Page 199: Figure 145 Licensing > Update > System Protect

    Select this option to have the ZyWALL check for new signatures once a week on the day and at the time specified. Apply Click this button to save your changes to the ZyWALL. Reset Click this button to return the screen to its last-saved settings. ZyWALL USG 100/200 Series User’s Guide...
  • Page 200: Figure 146 Downloading System Protect Signatures

    Chapter 9 Signature Update Figure 146 Downloading System Protect Signatures Figure 147 Successful System Protect Signature Download ZyWALL USG 100/200 Series User’s Guide...
  • Page 201: Network

    Network Interface (203) Trunks (273) Policy and Static Routes (281) Routing Protocols (291) Zones (301) DDNS (305) Virtual Servers (311) HTTP Redirect (323) ALG (327)
  • Page 203: Interface

    Ethernet interfaces to tell the ZyWALL where to route packets. You can create virtual Ethernet interfaces, virtual VLAN interfaces, and virtual bridge interfaces. • Use the Trunks screens (Chapter 11 on page 273) to configure load balancing. ZyWALL USG 100/200 Series User’s Guide...
  • Page 204: What You Need To Know About Interfaces

    • The auxiliary interface, along with an external modem, provides an interface the ZyWALL can use to dial out. This interface can be used as a backup WAN interface, for example. The auxiliary interface controls the AUX port. • Trunks manage load balancing between interfaces. ZyWALL USG 100/200 Series User’s Guide...
  • Page 205: Table 46 Ethernet, Vlan, Bridge, Ppp, And Virtual Interfaces Characteristics

    The relationships between interfaces are explained in the following table. Table 47 Relationships Between Different Types of Interfaces INTERFACE REQUIRED PORT / INTERFACE auxiliary interface auxiliary port port group physical port Ethernet interface physical port port group ZyWALL USG 100/200 Series User’s Guide...
  • Page 206: The Interface Status Screen

    Chapter 11 on page 273 to configure load balancing using trunks. 10.2 The Interface Status Screen This screen lists all of the ZyWALL’s interfaces and gives packet statistics for them. Click Network > Interface to access this screen. ZyWALL USG 100/200 Series User’s Guide...
  • Page 207: Figure 148 Network > Interface > Status

    This field displays the name of each interface. If there is a Expand icon (plus-sign) next to the name, click this to look at the status of virtual interfaces on top of this interface. ZyWALL USG 100/200 Series User’s Guide...
  • Page 208 IP address, this field displays n/a. Interface Statistics: This table provides packet statistics for each interface. Refresh: Click this button to update the information in the screen.
  • Page 209: The Port Role Screen

    ZyWALL's lan1, ext-wlan, or dmz IP address. 2 Use the appropriate lan1, ext-wlan, or dmz IP address to access the ZyWALL. Figure 149 Network > Interface > Port Role (Physical Ports, Interfaces)
  • Page 210: The Ethernet Summary Screen

    The ZyWALL supports two routing protocols, RIP and OSPF. Chapter 13 on page 291 for background information about these routing protocols.
  • Page 211: The Ethernet Edit Screen

    Section 10.5 on page 218 for details. The OPT interface’s Edit > Configuration screen is shown here as an example. The screens for other interfaces are similar and contain a subset of the OPT interface screen’s fields.
  • Page 212 • Select in which direction(s) routing information is exchanged - The ZyWALL can receive routing information, send routing information, or do both. • Set the priority used to identify the DR or BDR if one does not exist.
  • Page 213: Figure 151 Network > Interface > Ethernet > Edit (Opt)

    Chapter 10 Interface Figure 151 Network > Interface > Ethernet > Edit (Opt)
  • Page 214: Table 51 Network > Interface > Ethernet > Edit

    Bandwidth: Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network. Allowed values are 0 - 1048576. This setting is used in WAN load balancing and bandwidth management.
  • Page 215 lan1 Policy Route for WAN access: This option is available for the LAN and DMZ interfaces. Click this link to automatically configure a policy route to allow traffic that comes in through the LAN or DMZ interface to go out through the WAN.
  • Page 216 Use Default MAC Address: Select this option to have the interface use the factory assigned default MAC address. By default, the ZyWALL uses the factory assigned MAC address to identify itself.
  • Page 217 (WINS Server) DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using.
  • Page 218: Interface Wizards

    • For a WAN interface, go to Section 10.5.2 on page 219. For a WAN interface, enter the Internet access information exactly as your ISP gave it to you. Leave a field blank if you don’t have that information.
  • Page 219: Interface Wizard: Opt Interface First Screen

    Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your ISP. Back: Click Back to return to the previous screen. Next: Click Next to continue. Go to Section 10.5.4 on page 221.
  • Page 220: Interface Wizard: Non-Wan Opt Interface Setup

    Back: Click Back to return to the previous screen. Next: Click Next to continue to Section 10.5.6 on page 223.
  • Page 221: Interface Wizard: Wan Zone And Ip Address Assignment

    Section 10.5.5 on page 221. 10.5.5 Interface Wizard: WAN ISP Connection Settings Use this screen to configure the ISP and WAN interface settings. Figure 157 Interface Wizard: WAN ISP Connection Settings (PPTP, Static IP Shown)
  • Page 222: Table 56 Interface Wizard: Wan Isp Connection Settings

    Back: Click Back to return to the previous screen. Next: Click Next to continue to Section 10.5.7 on page 223.
  • Page 223: Interface Wizard: Summary (Non-Wan)

    WAN. WAN access Click OK to close the screen. 10.5.7 Interface Wizard: Summary (WAN) This screen displays the WAN interface’s settings.
  • Page 224: Figure 159 Interface Wizard: Summary Wan (Pptp Shown)

    Second DNS Server. Add this interface to WAN_TRUNK for WAN load balance: This shows whether or not the interface is part of the default WAN trunk for load balancing. Click OK to close the screen.
  • Page 225: The Ppp Interfaces Screen

    This field is a sequential value, and it is not associated with any interface. Name: This field displays the name of the interface. Base Interface: This field displays the interface on top of which the PPPoE/PPTP interface
  • Page 226: Ppp Interface Edit Screen

    Edit icon in the PPP Interface screen. The PPP interface Edit > Configuration screen is shown here as an example. You can click the Wizard tab instead to configure just the key settings. See Section 10.5 on page 218 for details.
  • Page 227: Figure 162 Network > Interface > Ppp > Edit > Configuration

    For the OPT port, select to which zone this PPP interface belongs. For PPP interfaces on a WAN interface, this field is read-only. Base Interface: This field is read-only and displays the name of the interface upon which this PPP interface is built.
  • Page 228 Interface Parameters. Egress Bandwidth: Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network. Allowed values are 0 - 1048576.
  • Page 229 Click this link to go to the screen where you can manually configure a policy route to associate traffic with this interface. Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving.
  • Page 230: Cellular Configuration Screen (3G)

    A. The International Telecommunication Union (ITU) is an international organization within which governments and the private sector coordinate global telecom networks and services. To change your 3G WAN settings, click Network > Interface > Cellular.
  • Page 231: Figure 163 Network > Interface > Cellular

    To connect or disconnect an interface, click the Connect icon next to it. You might use this icon to test the interface or to manually establish the connection. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 232: Cellular Add/Edit Screen

    To change your 3G settings, click Network > Interface > Cellular > Add (or Edit). In the pop-up window that displays, select the slot that you want to configure. The following screen displays. Figure 164 Interface > Cellular > Add
  • Page 233: Table 63 Interface > Cellular > Add

    Use the drop-down list box to select an authentication protocol for outgoing calls. Options are: None - No authentication for outgoing calls. CHAP - Your ZyWALL accepts CHAP requests only. PAP - Your ZyWALL accepts PAP requests only. SIM Card Setting
  • Page 234 Select this option to use the interface as part of a WAN trunk for load balancing. (interface to TRUNK to allow WAN load balance.) Policy Route: Click this link to go to the screen where you can manually configure a policy route to associate traffic with this interface.
  • Page 235: Cellular Status Screen

    Click Cancel to exit this screen without saving. 10.8 Cellular Status Screen To check your 3G connection status, click Network > Interface > Cellular > Status. The following screen displays. Figure 165 Interface > Cellular > Status
  • Page 236: Table 64 Interface > Cellular > Status

    3G card you inserted and could be UMTS, UMTS/HSDPA, GPRS or EDGE when you insert a GSM 3G card, or 1xRTT, EVDO Rev.0 or EVDO Rev.A when you insert a CDMA 3G card.
  • Page 237: Wlan Interface General Screen

    Security stops unauthorized devices from using the wireless network and can protect the information that is sent in the wireless network. Click Network > Interface > WLAN to open the following screen. See Appendix E on page for more details on wireless LANs.
  • Page 238: Figure 167 Network > Interface > Wlan

    APs. Select one of the following: 100%, 50%, 25%, 12.5% or Minimum. See the product specifications for more information on your ZyWALL’s output power. This field is a sequential value, and it is not associated with any interface.
  • Page 239: Wlan Add/Edit Screen

    RADIUS server. With WPA or WPA2, users have to log into the wireless network before using it. This is called user authentication (WPA and WPA2 are also called the enterprise version of WPA).
  • Page 240 Click Network > Interface > WLAN > Add (or Edit) to open the WLAN Edit screen. The screen varies according to the security features you select. It displays as shown next when you set the Security Type to none.
  • Page 241: Figure 168 Network > Interface > Wlan > Add (No Security)

    Chapter 10 Interface Figure 168 Network > Interface > WLAN > Add (No Security)
  • Page 242: Table 67 Network > Interface > Wlan > Add (No Security)

    Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network. Interface Parameters: Click Advanced to display more settings. Click Basic to display fewer settings.
  • Page 243 (Server, Second WINS Server) you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using.
  • Page 244: Figure 169 Network > Interface > Ethernet > Edit > Edit Static Dhcp Table

    ZyWALL uses multicasting. OSPF Setting Section 13.3 on page 293 for more information about OSPF. Area: Select the area in which this interface belongs. Select None to disable OSPF in this interface.
  • Page 245: Wlan Add/Edit Screen: Wep Security

    To configure and enable WEP encryption, click Network > Interface > WLAN > Add (or Edit) to open the WLAN Edit screen. Select WEP as the Security Type. The following screen shows the WEP security fields.
  • Page 246: Wlan Add/Edit Screen: Wpa-Psk/Wpa2-Psk Security

    Network > Interface > WLAN > Add (or Edit) to open the WLAN Edit screen. Select WPA-PSK or WPA2-PSK as the Security Type. The following screen shows the security fields. Figure 171 Network > Interface > WLAN > Add (WPA-PSK/WPA2-PSK Security)
  • Page 247: Wlan Add/Edit Screen: Wpa/Wpa2 Security

    Network > Interface > WLAN > Add (or Edit) to open the WLAN Edit screen. Select WPA-Enterprise or WPA2-Enterprise as the Security Type. The following figure shows the security fields. Figure 172 Network > Interface > WLAN > Add (WPA/WPA2 Security)
  • Page 248: Table 70 Network > Interface > Wlan > Add (Wpa/Wpa2 Security)

    AP and all stations in a WLAN on a periodic basis. Setting of the Group Key Update Timer is also supported in WPA-PSK mode. The ZyWALL default is 1800 seconds (30 minutes).
  • Page 249: Wlan Interface Mac Filter Screen

    The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. You need to know the MAC addresses of the devices to configure this screen.
  • Page 250: Wlan Interface Station Monitor Screen

    Table 73 Network > Interface > WLAN > Station Monitor LABEL DESCRIPTION. Extension Slot: Select the location where the IEEE 802.11b/g is located. Refresh: Click this button to update the information in the screen. This is the index number of the MAC address.
  • Page 251: Vlan Interface Screen

    In this example, there are two physical networks and three departments A, B, and C. The physical networks are connected to hubs, and the hubs are connected to the router. Alternatively, you can divide the physical networks into three VLANs.
  • Page 252: Figure 177 Example: After Vlan

    VLAN interfaces, but it does not route traffic within a VLAN interface. All traffic for each VLAN interface can go through only one Ethernet interface, though each Ethernet interface can have one or more VLAN interfaces.
  • Page 253: Configuring The Vlan Summary Screen

    This screen also shows whether the IP address is a static IP address (STATIC) or dynamically assigned (DHCP). IP addresses are always static in virtual interfaces. Mask: This field displays the interface’s subnet mask in dot decimal notation.
  • Page 254: Configuring The Vlan Add/Edit Screen

    VLAN interface. To access this screen, click the Add icon at the top of the Add column or click an Edit icon next to a VLAN interface in the VLAN Summary screen. The following screen appears.
  • Page 255: Figure 179 Network > Interface > Vlan > Edit

    Each field is explained in the following table. Table 75 Network > Interface > VLAN > Edit LABEL DESCRIPTION General Settings. Enable Interface: Select this to enable this interface. Clear this to disable this interface. Interface Properties
  • Page 256 Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the ZyWALL divides it into smaller fragments. Allowed values are 576 - 1500. Usually, this value is 1500.
  • Page 257 Enter the IP address of a DHCP server for the network. Relay Server 2: This field is optional. Enter the IP address of another DHCP server for the network. These fields appear if the ZyWALL is a DHCP Server.
  • Page 258: Figure 180 Network > Interface > Ethernet > Edit > Edit Static Dhcp Table

    Note: You must click OK in the Static DHCP screen and then click OK in this screen to save your changes. Enable IP/MAC Binding: Click this to associate a MAC address to a specific IP address.
  • Page 259: Bridge Interface Screen

    There is no entry yet, so the bridge broadcasts the packet on ports 1, 3, and 4. Table 76 Example: Bridge Table After Computer A Sends a Packet to Computer B MAC ADDRESS PORT 0A:0A:0A:0A:0A:0A
  • Page 260: Configuring The Bridge Summary Screen

    10.13.1 Configuring the Bridge Summary Screen This screen lists every bridge interface and virtual interface created on top of bridge interfaces. To access this screen, click Network > Interface > Bridge.
  • Page 261: Configuring The Bridge Add/Edit Screen

    To access this screen, click the Add icon at the top of the Add column in the Bridge Summary screen, or click an Edit icon in the Bridge Summary screen. The following screen appears.
  • Page 262: Figure 183 Network > Interface > Bridge > Add

    Chapter 10 Interface Figure 183 Network > Interface > Bridge > Add
  • Page 263: Table 80 Network > Interface > Bridge > Add

    Click this link to go to the screen where you can manually configure a policy route to associate traffic with this interface. More Settings/Less Settings: Click this button to display a greater or lesser number of configuration fields.
  • Page 264 Custom Defined - enter a static IP address. Server From ISP - select the DNS server that another interface received from its DHCP server. ZyWALL - the ZyWALL uses the IP address of this interface and works as a DNS relay.
  • Page 265: Figure 184 Network > Interface > Edit > Edit Static Dhcp Table

    Select this to ping a specified domain name or IP address. Enter that domain name or IP address in the field next to it. Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving.
  • Page 266: Auxiliary Interface Screen

    General Settings. Enable Interface: Select this to turn on the auxiliary dial up interface. The interface does not dial out, however, unless it is part of a trunk and load-balancing conditions are satisfied. Interface Properties
  • Page 267: Virtual Interface Screen

    Virtual VLAN interfaces recognize and use the same VLAN ID. Otherwise, there is no difference between each type of virtual interface. Network policies (for example, firewall rules) that apply to the underlying interface automatically apply to the virtual interface as well.
  • Page 268: Figure 186 Network > Interface > Bridge > Add

    Subnet Mask: Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network. Interface Parameters
  • Page 269: Interface Technical Reference

    DHCP clients. You have to assign the IP address and subnet mask manually. In general, the IP address and subnet mask of each interface should not overlap, though it is possible for this to happen with DHCP clients.
  • Page 270: Table 84 Example: Routing Table Entry For A Gateway

    (such as the IP addresses of DNS servers) on computers in the network. This reduces the amount of manual configuration you have to do and usually uses available IP addresses more efficiently. At the time of writing, the ZyWALL does not support ingress bandwidth management.
  • Page 271: Table 85 Example: Assigning Ip Addresses From A Pool

    DHCP servers (for example, a DNS server at an ISP). These other interfaces have to be DHCP clients. It is not possible for an interface to be the DHCP server and a DHCP client simultaneously.
  • Page 272 2 The second one uses Generic Routing Encapsulation (GRE, RFC 2890) to transfer information between the computers. PPTP is convenient and easy to use, but you have to make sure that firewalls support both PPTP sessions.
  • Page 273: Trunks

    If one interface's connection goes down, the ZyWALL can automatically send its traffic through another interface. You can also use trunks with policy routing to send specific traffic types through the best WAN interface for that type of traffic.
  • Page 274: Figure 188 Link Sticking

    ZyWALL refers to the actual bandwidth provided by the ISP and the measured bandwidth refers to the bandwidth an interface is currently using. In the load balancing section, a session may refer to normal connection-oriented, UDP and SNMP2 traffic.
  • Page 275: Figure 189 Least Load First Example

    WAN2 is 512K. You can set the ZyWALL to distribute the network traffic between the two interfaces by setting the weight of WAN1 and WAN2 to 2 and 1 respectively. The ZyWALL assigns the traffic of two sessions to WAN1 for every session's traffic assigned to WAN2.
  • Page 276: The Trunk Summary Screen

    11.2 The Trunk Summary Screen Click Network > Interface > Trunk to open the Trunk screen. This screen lists the configured trunks and the load balancing algorithm that each is configured to use.
  • Page 277: The Trunk Edit Screen

    Reset: Click this button to return the screen to its last-saved settings. 11.2.1 The Trunk Edit Screen Click Network > Interface > Trunk and then the Edit icon to open the Trunk Edit screen.
  • Page 278: Figure 193 Network > Interface > Trunk > Edit

    ZyWALL sends new session traffic through the next interface. The traffic of existing sessions still goes through the interface on which they started. The ZyWALL uses the group member interfaces in the order that they are listed.
  • Page 279: Trunk Technical Reference

    This queue then moves to the back of the list; and so on, depending on the number of queues being used. This works in a looping fashion until a queue is empty.
  • Page 280 Chapter 11 Trunks
  • Page 281: Policy And Static Routes

    You can generally just use policy routes. You only need to use static routes if you have a large network with multiple routers where you use RIP or OSPF to propagate routing information to other routers.
  • Page 282: What You Can Do In The Policy And Static Route Screens

    Configure static routes if you need to use RIP or OSPF to propagate the routing information to other routers. See Chapter 13 on page 291 for more on RIP and OSPF.
  • Page 283: Policy Route Screen

    • Limiting the amount of bandwidth available and setting a priority for traffic. IPPR follows the existing packet filtering facility of RAS in style and in implementation. Figure 195 Network > Routing > Policy Route
  • Page 284: Table 89 Network > Routing > Policy Route

    The ordering of your rules is important as they are applied in order of their numbering. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 285: Policy Route Edit Screen

    If the next hop is a dynamic VPN tunnel and you enable Auto Destination Address, the ZyWALL uses the local network of the peer router that initiated an incoming dynamic IPSec tunnel as the destination address of the policy instead of your configuration here.
  • Page 286 Note: You need to create a firewall rule to allow an incoming service before using a port triggering rule. This is the rule index number.
  • Page 287: Ip Static Route Screen

    Click Network > Routing > Static Route to open the Static Route screen. This screen displays the configured static routes. Configure static routes to be able to use RIP or OSPF to propagate the routing information to other routers.
  • Page 288: Static Route Add/Edit Screen

    If you need to specify a route to a single host, use a subnet mask of 255.255.255.255 in the subnet mask field to force the network number to be identical to the host ID. Subnet Mask: Enter the IP subnet mask here.
  • Page 289: Policy Routing Technical Reference

    When the ZyWALL receives a new connection (trigger service) from the remote server, the ZyWALL forwards the traffic to the IP address of the client computer that sent the request. In the following example, you configure two services for port triggering:
  • Page 290: Figure 199 Trigger Port Forwarding Example

    (as much as they require, if there is enough available bandwidth), and then to lower priority policy routes if there is still bandwidth available. The ZyWALL distributes the available bandwidth equally among policy routes with the same priority level.
  • Page 291: Routing Protocols

    Small (with up to 15 routers) / Large. Metric: Hop count / Bandwidth, hop count, throughput, round trip time and reliability. Convergence: Slow / Fast. Finding Out More: Section 13.4 on page 299 for background information on routing protocols.
  • Page 292: The Rip Screen

    This field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to 8 characters long.
  • Page 293: The Ospf Screen

    IP address. There are several types of areas. • The backbone is the transit area that routes packets between other areas. All other areas are connected to the backbone.
  • Page 294: Figure 201 Ospf: Types Of Areas

    Each type is really just a different role, and it is possible for one router to play multiple roles at one time. • An internal router (IR) only exchanges routing information with other routers in the same area.
  • Page 295: Figure 202 Ospf: Types Of Routers

    In some OSPF AS, it is not possible for an area to be directly connected to the backbone. In this case, you can create a virtual link through an intermediate area to logically connect the area to the backbone. This is illustrated in the following example.
  • Page 296: Configuring The Ospf Screen

    To access this screen, log in to the web configurator. When the main screen appears, click once on Network > Routing > OSPF to open the following screen. Figure 204 Network > Routing > OSPF
  • Page 297: Ospf Area Add/Edit Screen

    The OSPF Area Add/Edit screen allows you to create a new area or edit an existing one. To access this screen, go to the OSPF summary screen (see Section 13.3 on page 293), and click either the Add icon or an Edit icon.
  • Page 298: Figure 205 Network > Routing > Ospf > Edit

    This field is a sequential value, and it is not associated with a specific area. Peer Router ID: Type the 32-bit ID (in IP address format) of the other ABR in the virtual link.
  • Page 299: Routing Protocol Technical Reference

    It also includes an authentication ID, which can be set to any value between 1 and 255. The ZyWALL only accepts packets if these conditions are satisfied. • The packet’s authentication ID is the same as the authentication ID of the interface that received it.
  • Page 300 Alternatively, you can override the default in any interface or virtual link by selecting a specific authentication method. Please see the respective interface sections for more information.
  • Page 301: Zones

    Virtual interfaces are automatically assigned to the same zone as the interface on which they run. Figure 206 Example: Zones 14.1.1 What You Can Do in the Zones Screens Use the Zone screens (see Section 14.2 on page 302) to view and edit the ZyWALL’s zones.
  • Page 302: What You Need To Know About Zones

    14.2 The Zone Screen The Zone screen provides a summary of all zones. In addition, this screen allows you to edit zones. To access this screen, click Network > Zone.
  • Page 303: The Zone Edit Screen

    The following table describes the labels in this screen. Table 99 Network > Zone > Edit LABEL DESCRIPTION. Name: This is the name of the zone. Block Intra-zone Traffic: Select this check box to block network traffic between members in the zone.
  • Page 304 You cannot remove a default member interface. Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving.
  • Page 305: Ddns

    Table 100 Network > DDNS
    DDNS SERVICE PROVIDER - SERVICE TYPES SUPPORTED - WEBSITE - NOTES
    DynDNS - Dynamic DNS, Static DNS, and Custom - www.dyndns.com
    Dynu - Basic, Premium - www.dynu.com
    No-IP - No-IP - www.no-ip.com
    Peanut Hull - Peanut Hull - www.oray.cn - Chinese website
  • Page 306: The Ddns Screen

    - The IP address comes from the specified interface. auto detected - The DDNS server checks the source IP address of the packets from the ZyWALL for the IP address to use for the domain name. custom - The IP address is static.
  • Page 307: The Dynamic Dns Add/Edit Screen

    The DDNS Add/Edit screen allows you to add a domain name to the ZyWALL or to edit the configuration of an existing domain name. Click Network > DDNS and then an Add or Edit icon to open this screen. Figure 210 Network > DDNS > Add
  • Page 308: Table 102 Network > Ddns > Add

    Select the interface to use for updating the IP address mapped to the domain name. Select Any to let the domain name be used with any interface. Select None to not use a backup address.
  • Page 309: The Ddns Status Screen

    The DDNS Status screen shows the status of the ZyWALL’s DDNS domain names. To access this screen, log in to the web configurator. When the main screen appears, click Network > DDNS > Status. The following screen appears.
  • Page 310: Figure 211 Network > Ddns > Status

    Click this to have the ZyWALL update the profile to the DDNS server. The ZyWALL attempts to resolve the IP address for the domain name. Refresh: Click this to update the information displayed in the screen.
  • Page 311: Virtual Servers

    16.1.2 What You Need to Know About Virtual Servers Virtual server is also known as port forwarding or port translation. The virtual server changes the destination address of packets. This is also known as Destination NAT (DNAT).
  • Page 312: The Virtual Server Screen

    This field is blank if there is no restriction on the original destination port. Mapped Port: This field displays the new destination port(s) for the packet. This field is blank if there is no restriction on the original destination port.
  • Page 313: The Virtual Server Add/Edit Screen

    This value is case-sensitive. Incoming Interface: Select the interface on which packets for the virtual server must be received. It can be an Ethernet, VLAN, bridge, or PPPoE/PPTP interface.
  • Page 314 Or you can click Policy Route to go to the screens where you can manually configure a NAT 1:1 policy route for this virtual server. NAT 1:1 Example on page 315 for an example of NAT 1:1.
  • Page 315: Nat 1:1 And Nat Loopback Examples

    1:1 NAT mapping from the public IP address to its private one. The firewall is enabled, so you also need to create a rule to allow traffic in from the WAN zone. Figure 215 NAT 1:1 Example Network Topology (LAN1, 1.1.1.1, 192.168.1.21)
  • Page 316: Figure 216 Create Address Objects

    This section sets up a virtual server rule that changes the destination of SMTP traffic coming to IP address 1.1.1.1 at the ZyWALL’s wan2 interface, to the LAN1 SMTP server’s IP address (192.168.1.21). This is also called Destination NAT (DNAT).
  • Page 317: Figure 218 Nat 1:1 Example Virtual Server

    This section sets up a policy route for the traffic coming from the LAN1 SMTP server to the ZyWALL’s lan1 interface. It changes the source address from 192.168.1.21 to 1.1.1.1. This is also called Source NAT (SNAT). It sends the traffic out through the wan2 interface.
  • Page 318: Figure 220 Nat 1:1 Example Policy Route

    Create a firewall rule to allow access from the WAN zone to the mail server in the LAN1 zone. Be careful of where you create the rule as firewall rules are ordered in descending priority.
  • Page 319: Figure 222 Create A Firewall Rule

    A LAN1 user computer at IP address 192.168.1.89 queries the domain name (xxx.LAN-SMTP.com in this example) from a public DNS server and gets the SMTP server’s 1-1 NAT mapped public IP address of 1.1.1.1.
  • Page 320: Figure 224 Nat Loopback Virtual Server

    IP address 1.1.1.1 and coming in on WAN2 to the SMTP server (IP address 192.168.1.21). In this example the SMTP server also uses port 25, so the Mapped Port is set to 25. Figure 225 Create a Virtual Server
  • Page 321: Figure 226 Triangle Route

    Be careful of where you create the route as routes are ordered in descending priority. This policy route applies source NAT to traffic sent from LAN1 to the SMTP server. Even if the packets go through the ZyWALL, they only undergo layer 2 switching, not NAT.
  • Page 322: Figure 228 Create A Policy Route

    (1.1.1.1) and the LAN1 user can use the LAN1 SMTP server. Figure 229 NAT Loopback Successful
  • Page 323: Http Redirect

    Figure 230 HTTP Redirect Example 17.1.1 What You Can Do in the HTTP Redirect Screens Use the HTTP Redirect screens (see Section 17.2 on page 324) to display and edit the HTTP redirect rules.
  • Page 324: What You Need To Know About Http Redirect

    17.2 The HTTP Redirect Screen To configure redirection of an HTTP request to a proxy server, click Network > HTTP Redirect. This screen displays the summary of the HTTP redirect rules.
  • Page 325: The Http Redirect Edit Screen

    Click Network > HTTP Redirect to open the HTTP Redirect screen. Then click the Add or Edit icon to open the HTTP Redirect Edit screen where you can configure the rule. Figure 232 Network > HTTP Redirect > Edit
  • Page 326: Table 107 Network > Http Redirect > Edit

    Enter the IP address of the proxy server. Port Enter the port number that the proxy server uses. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving.
  • Page 327: Alg

    The ZyWALL only needs to use the ALG feature for traffic that goes through the ZyWALL’s NAT. 18.1.1 What You Can Do in the ALG Screen Use the ALG screen (Section 18.2 on page 330) to set up SIP, H.323, and FTP ALG settings.
  • Page 328: What You Need To Know About Alg

    • The SIP ALG supports peer-to-peer SIP calls. The firewall (by default) allows peer-to-peer calls from the LAN zone to go to the WAN zone and blocks peer-to-peer calls from the WAN zone to the LAN zone.
  • Page 329: Figure 235 Voip Calls From The Wan With Multiple Outgoing Calls

    LAN or DMZ IP addresses go out through the same WAN IP address that calls come in on. The policy routing lets the ZyWALL correctly forward the return traffic for the calls initiated from the LAN IP addresses.
  • Page 330: Before You Begin

    SIP ALG time outs. If the ZyWALL provides an ALG for a service, you must enable the ALG in order to perform bandwidth management on that service’s traffic.
  • Page 331: Figure 237 Network > Alg

    If you are using a custom TCP port number (not 1720) for H.323 traffic, enter it here. Additional H.323 Signaling Port If you are also using H.323 on an additional TCP port number, enter it here. port transformations
  • Page 332: Alg Technical Reference

    File Transfer Protocol (FTP) is an Internet file transfer service that operates on the Internet and over TCP/IP networks. A system running the FTP server accepts commands from a system running an FTP client. The service allows users to send commands to the server for uploading and downloading files.
  • Page 333 When you make a VoIP call using H.323 or SIP, the RTP (Real-time Transport Protocol) is used to handle voice data transfer. See RFC 1889 for details on RTP.
  • Page 335: Ip/Mac Binding

    ZyWALL does not apply IP/MAC binding. • The Monitor screen (Section 19.4 on page 339) lists the devices that have received an IP address from ZyWALL interfaces with IP/MAC binding enabled.
  • Page 336: What You Need To Know About Ip/Mac Binding

    Click Apply to save your changes back to the ZyWALL. 19.2.1 IP/MAC Binding Edit Click Network > IP/MAC Binding > Edit to open the IP/MAC Binding Edit screen. Use this screen to configure an interface’s IP to MAC address binding settings.
  • Page 337: Static Dhcp Edit

    Click Network > IP/MAC Binding > Edit to open the IP/MAC Binding Edit screen. Click the Add or Edit icon to open the following screen. Use this screen to configure an interface’s IP to MAC address binding settings.
  • Page 338: Ip/Mac Binding Exempt List

    This is the index number of the IP/MAC binding list entry. Name Enter a name to help identify this entry. Start IP Enter the first IP address in a range of IP addresses for which the ZyWALL does not apply IP/MAC binding.
  • Page 339: Ip/Mac Binding Monitor

    This field displays the MAC address to which the IP address is currently assigned. Last Access This is when the device last established a session with the ZyWALL through this interface. Refresh Click this button to update the information in the screen.
  • Page 341: Firewall

    Firewall (343)
  • Page 343: Firewall

    Section 20.2.2 on page 354) to edit or add a firewall rule. • Use the Session Limit screens (see Section 20.3 on page 355) to limit the number of concurrent NAT/firewall sessions a client can use.
  • Page 344: What You Need To Know About The Firewall

    From WLAN to WAN Traffic from WLAN to WAN is rejected. From WLAN to DMZ Traffic from WLAN to DMZ is rejected. From WLAN to ZyWALL Traffic from the DMZ to the ZyWALL is denied.
  • Page 345 To use a service, make sure both the firewall and application patrol allow the service’s packets to go through the ZyWALL. The ZyWALL checks the firewall rules before the application patrol rules for traffic going through the ZyWALL.
  • Page 346: Firewall Rule Example Applications

    Your firewall would have the following configuration. Table 115 Blocking All LAN1 to WAN IRC Traffic Example USER SOURCE DESTINATION SCHEDULE SERVICE ACTION Deny Default Allow • The first row blocks LAN1 access to the IRC service on the WAN.
  • Page 347: Figure 246 Limited Lan To Wan Irc Traffic Example

    • The first row allows the LAN1 computer at IP address 192.168.1.7 to access the IRC service on the WAN. • The second row blocks LAN access to the IRC service on the WAN.
  • Page 348: Firewall Rule Configuration Example

    (as in this example) or the Add icon ( ) in an entry to add a rule below the selected entry. Remember the sequence (priority) of the rules is important since they are applied in order.
  • Page 349: Figure 247 Firewall Example: Select The Traveling Direction Of Traffic

    Figure 249 Firewall Example: Create an Address Object 4 Select Create Object in the Service drop-down list box. 5 The screen for configuring a service object opens. Configure it as follows and click OK.
  • Page 350: Figure 250 Firewall Example: Create A Service Object

    Service. Enter a description and configure the rest of the screen as follows. Click OK when you are done. Figure 251 Firewall Example: Edit a Firewall Rule 8 The firewall rule appears in the firewall rule summary. Figure 252 Firewall Example: MyService Example Rule in Summary
  • Page 351: The Firewall Screen

    Note the following. • If you enable intra-zone traffic blocking (see the chapter about zones), the firewall automatically creates (implicit) rules to deny packet passage between the interfaces in the specified zone.
  • Page 352: Figure 254 Firewall

    Note: Allowing asymmetrical routes may let traffic from the WAN go directly to LAN1 without passing through the ZyWALL. A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets.
  • Page 353 TCP reset packet to the sender (reject) or permits the passage of packets (allow). This field shows you whether a log (and alert) is created when packets match this rule or not.
  • Page 354: The Firewall Edit Screen

    Select this check box to activate the firewall rule. From For through-ZyWALL rules, select the direction of travel of packets to which the rule applies. any means all interfaces or VPN tunnels. ZyWALL means packets destined for the ZyWALL itself.
  • Page 355: The Session Limit Screen

    NAT/firewall sessions a client can use. You can apply a default limit for all users and individual limits for specific users, addresses, or both. The individual limit takes priority if you apply both.
  • Page 356: Figure 256 Firewall > Session Limit

    The ordering of your rules is important as they are applied in order of their numbering. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 357: The Session Limit Edit Screen

    For this rule’s users and addresses, this setting overrides the Default Session per Host setting in the general Firewall Session Limit screen. Click OK to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving.
  • Page 359: Vpn

    IPSec VPN (361) SSL VPN (395) SSL User Screens (405) SSL User Application Screens (411) SSL User File Sharing (413) L2TP VPN (419) L2TP VPN Example (425)
  • Page 361: Ipsec Vpn

    ZyWALL’s VPN gateways. A VPN gateway specifies the IPSec routers at either end of a VPN tunnel and the IKE SA settings (phase 1 settings). You can also activate and deactivate each VPN gateway.
  • Page 362: What You Need To Know About Ipsec Vpn

    Section 6.4 on page 148 for an example of configuring IPSec VPN. 21.1.3 Before You Begin This section briefly explains the relationship between VPN tunnels and other features. It also gives some basic suggestions for troubleshooting.
  • Page 363: The Vpn Connection Screen

    The VPN wizard automatically creates a corresponding policy route. If you create the VPN connection in the VPN > IPSec VPN screens, you need to manually create a corresponding policy route. Figure 260 VPN > IPSec VPN > VPN Connection
  • Page 364: Table 122 Vpn > Ipsec Vpn > Vpn Connection

    To connect or disconnect an IPSec SA, click the Connect icon next to the VPN connection. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 365: The Vpn Connection Add/Edit (Ike) Screen

    363), and click either the Add icon or an Edit icon. If you click the Add icon, you have to select a specific VPN gateway in the VPN Gateway field before the following screen appears.
  • Page 366: Figure 261 Vpn > Ipsec Vpn > Vpn Connection > Edit (Ike)

  • Page 367: Table 123 Vpn > Ipsec Vpn > Vpn Connection > Edit

    Selecting this restricts who can use the VPN tunnel. The ZyWALL drops traffic with source and destination IP addresses that do not match the local and remote policy. Phase 2 Settings Click Advanced to display more settings. Click Basic to display fewer settings.
  • Page 368 PFS changes the root key that is used to generate encryption keys for each IPSec SA. The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group.
  • Page 369 Create Object to configure a new one). This is the address object for the local network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT).
  • Page 370: The Vpn Connection Add/Edit Manual Key Screen

    IKE key management. To access this screen, go to the VPN Connection summary screen (see Section 21.2 on page 363), and click either the Add icon or an existing manual key entry’s Edit icon. In the VPN Gateway section of the screen, select Manual Key.
  • Page 371: Figure 262 Vpn > Ipsec Vpn > Vpn Connection > Manual Key > Edit

    Gateway Address Type a unique SPI (Security Parameter Index) between 256 and 4095. The SPI is used to identify the ZyWALL during authentication. The ZyWALL and remote IPSec router must use the same SPI.
  • Page 372 The ZyWALL ignores any characters above the minimum number of characters required by the algorithm. For example, if you enter 1234567890XYZ for a DES encryption key, the ZyWALL only uses 12345678. The ZyWALL still stores the longer key.
  • Page 373: The Vpn Gateway Screen

    Type a page number to go to or use the arrows to navigate the pages of entries. This field is a sequential value, and it is not associated with a specific VPN gateway.
  • Page 374: The Vpn Gateway Add/Edit Screen

    The VPN Gateway Add/Edit screen allows you to create a new VPN gateway policy or edit an existing one. To access this screen, go to the VPN Gateway summary screen (see Section 21.3 on page 373), and click either the Add icon or an Edit icon.
  • Page 375: Figure 264 Vpn > Ipsec Vpn > Vpn Gateway > Edit

    If you select Domain Name / IP, enter the domain name or the IP address of the ZyWALL. The IP address of the ZyWALL in the IKE SA is the specified IP address or the IP address corresponding to the domain name. 0.0.0.0 is invalid.
  • Page 376 E-mail - the ZyWALL is identified by an e-mail address; you can use up to 31 ASCII characters including spaces, although trailing spaces are truncated. This value is only used for identification and can be any string.
  • Page 377 The ZyWALL and the remote IPSec router must use the same negotiation mode. Proposal This field is a sequential value, and it is not associated with a specific proposal. The sequence of proposals should not affect performance significantly.
  • Page 378 ZyWALL authenticates this information. Client Mode Select this radio button if the ZyWALL provides a username and password to the remote IPSec router for authentication. You also have to provide the User Name and the Password.
  • Page 379: The Vpn Concentrator Screen

    The VPN Concentrator summary screen displays the VPN concentrators in the ZyWALL. To access this screen, click VPN > IPSec VPN > Concentrator. The following screen appears.
  • Page 380: The Vpn Concentrator Add/Edit Screen

    ), or dashes (-), but the first character cannot be a number. This value is case-sensitive. This field is a sequential value, and it is not associated with a specific member in the concentrator.
  • Page 381: The Sa Monitor Screen

    21.5 The SA Monitor Screen You can use the SA Monitor screen to display and to manage active IPSec SAs. To access this screen, click VPN > IPSec VPN > SA Monitor. The following screen appears.
  • Page 382: Figure 269 Vpn > Ipsec Vpn > Sa Monitor

    ZyWALL to the remote IPSec router since the IPSec SA was established. Action This field is displayed if the IPSec SA does not use manual keys. Click the Disconnect icon next to an IPSec SA to disconnect it.
  • Page 383: Ipsec Vpn Background Information

    The IKE SA proposal is used to identify the encryption algorithm, authentication algorithm, and Diffie-Hellman (DH) key group that the ZyWALL and remote IPSec router use in the IKE SA. In main mode, this is done in steps 1 and 2, as illustrated next.
  • Page 384: Figure 270 Ike Sa: Main Negotiation Mode, Steps 1 - 2: Ike Sa Proposal

    • MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data. • SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data. Diffie-Hellman (DH) Key Exchange on page 385 for more information about DH key groups.
  • Page 385: Figure 271 Ike Sa: Main Negotiation Mode, Steps 3 - 4: Dh Key Exchange

    Figure 272 IKE SA: Main Negotiation Mode, Steps 5 - 6: Authentication (continued). Step 5: pre-shared key and ZyWALL identity, consisting of ID type and content. Step 6: pre-shared key and remote IPSec router identity, consisting of ID type and content.
  • Page 386: Table 130 Vpn Example: Matching Id Type And Content

    In this case, you usually set the peer ID type to Any. This is less secure, so you should only use this if your ZyWALL provides another way to check the identity of the remote IPSec router (for example, extended authentication) or if you are troubleshooting a VPN tunnel.
  • Page 387: Figure 273 Vpn/Nat Example

    X and router Y can establish a VPN tunnel. You have to do the following things to set up NAT traversal. • Enable NAT traversal on the ZyWALL and remote IPSec router.
  • Page 388: Regular Expressions In Searching Ipsec Sas

    (of any type) of characters in front of the “abc” at the end and the VPN connection or policy name would still match. A VPN connection or policy name named “testacc” for example would not match.
  • Page 389: Ipsec Sa Overview

    Transport mode is only used when the IPSec SA is used for communication between the ZyWALL and remote IPSec router (for example, for remote management), not between computers on the local and remote networks.
  • Page 390: Figure 274 Vpn: Transport And Tunnel Mode Encapsulation

    If you do not enable PFS, the ZyWALL and remote IPSec router use the same root key that was generated when the IKE SA was established to generate encryption keys. The DH key exchange is time-consuming and may be unnecessary for data that does not require such security.
  • Page 391 (for example, mail) from the remote network to a specific computer (like the mail server) in the local network. Each kind of translation is explained below. The following example is used to help explain each one.
  • Page 392: Figure 275 Vpn Example: Nat For Inbound And Outbound Traffic

    For example, in Figure 275 on page 392, you can configure this kind of translation if you want to forward mail from the remote network to the mail server in the local network (A).
  • Page 393 (A). • Mapped Port - the translated destination port or range of destination ports. The original port range and the mapped port range must be the same size.
  • Page 395: Ssl Vpn

    With reverse proxy mode, remote users can easily access any web-based applications on the local network by clicking on links or entering the provided URL. You do not have to install additional client software on the remote user computers for access.
  • Page 396: Figure 276 Network Access Mode: Reverse Proxy

    • limit user access to specific applications or files on the network. • allow user access to specific networks. • assign private IP addresses and provide DNS/WINS server information to remote users to access internal networks.
  • Page 397: The Ssl Access Privilege Screen

    Table 133 VPN > SSL VPN > Access Privilege LABEL DESCRIPTION This field displays the index number of the entry. Name This field displays the descriptive name of the SSL access policy for identification purposes.
  • Page 398: The Ssl Access Policy Add/Edit Screen

    Click Reset to discard all changes. 22.2.1 The SSL Access Policy Add/Edit Screen To create a new or edit an existing SSL access policy, click the Add or Edit icon in the Access Privilege screen.
  • Page 399: Figure 279 Vpn > Ssl Vpn > Access Privilege > Add/Edit

    Any security rules or settings configured for the SSL_VPN security zone will also apply to this SSL access policy. Description Enter additional information about this SSL access policy. You can enter up to 31 characters (“0-9”, “a-z”, “A-Z”, “-” and “_”).
  • Page 400: The Ssl Vpn Connection Monitor Screen

    The ZyWALL can keep track of SSL VPN users’ connections. Click VPN > SSL VPN in the navigation panel and click the Connection Monitor tab to display the user list. Use this screen to do the following:
  • Page 401: The Ssl Global Setting Screen

    IP address of the ZyWALL (or a gateway device) on your network for full tunnel mode access, enter access messages or upload a custom logo to be displayed on the remote user screen.
  • Page 402: Figure 281 Vpn > Ssl Vpn > Global Setting

    Click Reset Logo to Default to display the ZyXEL company logo on the remote user’s web browser. Apply Click Apply to save the changes and/or start the logo file upload process. Reset Click Reset to start configuring this screen again.
  • Page 403: How To Upload A Custom Logo

    3 Click Login. 4 SSL VPN connection starts. This may take several minutes depending on your network connection. Once the connection is up, you should see the client portal screen. The following shows an example.
  • Page 404: Figure 283 Ssl Vpn Client Portal Screen Example

    Login screen. Clear the Login to SSL VPN check box and try logging in again. For more information on user portal screens, refer to Chapter 23 on page 405.
  • Page 405: Ssl User Screens

    Here are the browser and computer system requirements for remote user access. • Windows 2000 and Windows XP • Internet Explorer 5.5 and above (for IE7, JRE 1.6 must be enabled) • Netscape 7.2 and above
  • Page 406: Remote User Login

    1 Open a web browser and enter the web site address or IP address of the ZyWALL. For example, “http://sslvpn.mycompany.com”. Figure 285 Enter the Address in a Web Browser 2 Click OK or Yes if a security screen displays.
  • Page 407: Figure 286 Login Security Screen

    If a certificate warning screen displays, click OK, Yes or Continue. Figure 288 Java Needed Message 6 The following status screen displays indicating the progress of the secure SSL VPN connection setup.
  • Page 408: The Ssl Vpn User Screens

    Available resource links vary depending on the configuration your network administrator made. 23.3 The SSL VPN User Screens This section describes the main elements in the remote user screens. Figure 290 Remote User Screen
  • Page 409: Bookmarking The Zywall

    1 Click the Logout icon in any remote user screen. 2 A prompt window displays. Click OK to continue. Figure 292 Logout: Prompt 3 An information screen displays to indicate that the SSL VPN connection is about to terminate.
  • Page 410: Figure 293 Logout: Connection Termination Progress

  • Page 411: Ssl User Application Screens

    Microsoft Outlook Web Access (OWA). To access a web-based application, simply click a link in the Application screen to display the web screen in a separate browser window. Figure 294 Application
  • Page 413: Ssl User File Sharing

    25.2 The Main File Sharing Screen The first File Sharing screen displays the name(s) of the shared folder(s) available. The following figure shows an example with one file share.
  • Page 414: Opening A File Or Folder

    3 If an access user name and password are required, a screen displays as shown in the following figure. Enter the account information and click Login to continue. Figure 296 File Sharing: Enter Access User Name and Password
  • Page 415: Downloading A File

    25.3.2 Saving a File After you have opened a file in a web browser, you can save a copy of the file by clicking File > Save As and following the on-screen instructions.
  • Page 416: Creating A New Folder

    Make sure the length of the folder name does not exceed the maximum allowed on the file server. Figure 299 File Sharing: Save a Word File 25.5 Renaming a File or Folder To rename a file or folder, click the Rename icon next to the file/folder.
  • Page 417: Deleting A File Or Folder

    - so be sure you really do not want the item before you click. 25.7 Uploading a File Follow the steps below to upload a file to the file server.
  • Page 418: Figure 302 File Sharing: File Upload

    4 After the file is uploaded successfully, you should see the name of the file and a message in the screen. Figure 302 File Sharing: File Upload Uploading a file with the same name and file extension replaces the existing file on the file server. No warning message is displayed.
  • Page 419: L2Tp Vpn

    You must configure an IPSec VPN connection for L2TP VPN to use (see Chapter 21 on page for details). The IPSec VPN connection must: • Be enabled. • Use transport mode. • Not be a manual key VPN connection. • Use Pre-Shared Key authentication.
  • Page 420: Figure 304 Policy Route For L2Tp Vpn

    Finding Out More • See Section 5.4.6 on page 118 for related information on these screens. • See Chapter 27 on page 425 for an example of how to create a basic L2TP VPN tunnel.
  • Page 421: L2Tp Vpn Screen

    The authentication method has the ZyWALL check a user’s user name and password against the ZyWALL’s local database, a remote LDAP, RADIUS, or Active Directory server, or more than one of these. See Chapter 41 on page 645 for how to create authentication method objects.
  • Page 422: L2Tp Vpn Session Monitor Screen

    This field displays the IP address that the ZyWALL assigned for the remote user’s computer to use within the L2TP VPN tunnel. Public IP This field displays the public IP address that the remote user is using to connect to the Internet.
  • Page 423 Table 139 VPN > L2TP VPN > Session Monitor (continued) LABEL DESCRIPTION Disconnect Click the Disconnect icon next to an L2TP VPN connection to disconnect it. Refresh Click Refresh to update the information in the display.
  • Page 425: L2Tp Vpn Example

    27.2 Configuring the Default L2TP VPN Gateway Example 1 Click VPN > Network > IPSec VPN > VPN Gateway to open the screen that lists the VPN gateways. Click the Default_L2TP_VPN_GW entry’s Edit icon.
  • Page 426: Configuring The Default L2Tp Vpn Connection Example

    Figure 309 VPN > IPSec VPN > VPN Gateway (Enable) 27.3 Configuring the Default L2TP VPN Connection Example 1 Click VPN > Network > IPSec VPN to open the screen that lists the VPN connections. Click the Default_L2TP_VPN_Connection’s Edit icon.
  • Page 427: Figure 310 Vpn > Ipsec Vpn > Vpn Connection > Edit

    0.0.0.0. It is named L2TP_HOST in this example. 3 Click the Default_L2TP_VPN_Connection entry’s Enable icon and click Apply to turn on the entry. Figure 311 VPN > IPSec VPN > VPN Connection (Enable)
  • Page 428: Configuring The L2Tp Vpn Settings Example

    L2TP-test has been created. • The other fields are left at their defaults in this example; click Apply. 27.5 Configuring the Policy Route for L2TP Example 1 Click Routing > Add to open the following screen.
  • Page 429: Configuring L2Tp Vpn In Windows Xp And 2000

    • For Windows 2000, use net start "ipsec policy agent". 27.6.1 Configuring L2TP in Windows XP In Windows XP, do the following to establish an L2TP VPN connection. 1 Click Start > Control Panel > Network Connections > New Connection Wizard.
  • Page 430: Figure 314 New Connection Wizard: Network Connection Type

    3 Select Connect to the network at my workplace and click Next. Figure 314 New Connection Wizard: Network Connection Type 4 Select Virtual Private Network connection and click Next. Figure 315 New Connection Wizard: Network Connection 5 Type L2TP to ZyWALL as the Company Name. ZyWALL USG 100/200 Series User’s Guide...
  • Page 431: Figure 316 New Connection Wizard: Connection Name

    Figure 317 New Connection Wizard: Public Network 7 Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN (172.16.1.2 in this example). ZyWALL USG 100/200 Series User’s Guide...
  • Page 432: Figure 318 New Connection Wizard: Vpn Server Selection

    Figure 318 New Connection Wizard: VPN Server Selection 172.16.1.2 8 Click Finish. 9 The Connect L2TP to ZyWALL screen appears. Click Properties > Security. Figure 319 Connect L2TP to ZyWALL 10 Click Security, select Advanced (custom settings) and click Settings. ZyWALL USG 100/200 Series User’s Guide...
  • Page 433: Figure 320 Connect L2Tp To Zywall: Security

    11 Select Optional encryption (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK. Figure 321 Connect ZyWALL L2TP: Security > Advanced 12 Click IPSec Settings. ZyWALL USG 100/200 Series User’s Guide...
  • Page 434: Figure 322 L2Tp To Zywall Properties > Security

    14 Click Networking. Select L2TP IPSec VPN as the Type of VPN. Click OK. Figure 324 L2TP to ZyWALL Properties: Networking 15 Enter the user name and password of your ZyWALL account. Click Connect. ZyWALL USG 100/200 Series User’s Guide...
  • Page 435: Configuring L2Tp In Windows 2000

    L2TP client. 27.6.2.1 Editing the Windows 2000 Registry In Windows 2000, you need to create a registry entry and restart the computer to have it use pre-shared keys. ZyWALL USG 100/200 Series User’s Guide...
  • Page 436: Figure 328 Starting The Registry Editor

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parame ters. Figure 329 Registry Key 4 Right-click Parameters and select New > DWORD Value. Figure 330 New DWORD Value 5 Enter ProhibitIpSec as the name. And make sure the Data displays as 0’s. ZyWALL USG 100/200 Series User’s Guide...
  • Page 437: Figure 331 Prohibitipsec Dword Value

    1 Click Start > Run. Type mmc and click OK. Figure 332 Run mmc 2 Click Console > Add/Remove Snap-in. Figure 333 Console > Add/Remove Snap-in 3 Click Add > IP Security Policy Management >Add > Finish. Click Close > OK. ZyWALL USG 100/200 Series User’s Guide...
  • Page 438: Figure 334 Add > Ip Security Policy Management > Finish

    4 Right-click IP Security Policies on Local Machine and click Create IP Security Policy. Click Next in the welcome screen. Figure 335 Create IP Security Policy 5 Name the IP security policy L2TP to ZyWALL, and click Next. ZyWALL USG 100/200 Series User’s Guide...
  • Page 439: Figure 336 Ip Security Policy: Name

    6 Clear the Activate the default response rule check box and click Next. Figure 337 IP Security Policy: Request for Secure Communication 7 Leave the Edit Properties check box selected and click Finish. Figure 338 IP Security Policy: Completing the IP Security Policy Wizard ZyWALL USG 100/200 Series User’s Guide...
  • Page 440: Figure 339 Ip Security Policy Properties > Add

    Figure 339 IP Security Policy Properties > Add 9 Select This rule does not specify a tunnel and click Next. Figure 340 IP Security Policy Properties: Tunnel Endpoint 10 Select All network connections and click Next. ZyWALL USG 100/200 Series User’s Guide...
  • Page 441: Figure 341 Ip Security Policy Properties: Network Type

    Figure 341 IP Security Policy Properties: Network Type 11 Select Use this string to protect the key exchange (preshared key), type password in the text box, and click Next. Figure 342 IP Security Policy Properties: Authentication Method 12 Click Add. ZyWALL USG 100/200 Series User’s Guide...
  • Page 442: Figure 343 Ip Security Policy Properties: Ip Filter List

    ZyWALL’s WAN IP address (172.16.1.2 in this example) in the IP Address field. Make certain the Mirrored. Also match packets with the exact opposite source and destination addresses check box is selected and click Apply. ZyWALL USG 100/200 Series User’s Guide...
  • Page 443: Figure 345 Filter Properties: Addressing

    15 Configure the following in the Filter Properties window’s Protocol tab. Set the protocol type to UDP from port 1701. Select To any port. Click Apply, OK, and then Close. Figure 346 Filter Properties: Protocol 16 Select ZyWALL WAN_IP and click Next. ZyWALL USG 100/200 Series User’s Guide...
  • Page 444: Figure 347 Ip Security Policy Properties: Ip Filter List

    17 Select Require Security and click Next. Then click Finish and Close. Figure 348 IP Security Policy Properties: IP Filter List 18 In the Console window, right-click L2TP to ZyWALL and select Assign. Figure 349 Console: L2TP to ZyWALL Assign ZyWALL USG 100/200 Series User’s Guide...
  • Page 445: Figure 350 Start New Connection Wizard

    Figure 351 New Connection Wizard: Network Connection Type 3 Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN. Click Next. ZyWALL USG 100/200 Series User’s Guide...
  • Page 446: Figure 352 New Connection Wizard: Destination Address

    172.16.1.2 4 Select For all users and click Next. Figure 353 New Connection Wizard: Connection Availability 5 Name the connection L2TP to ZyWALL and click Finish. Figure 354 New Connection Wizard: Naming the Connection ZyWALL USG 100/200 Series User’s Guide...
  • Page 447: Figure 355 Connect L2Tp To Zywall

    8 Select Optional encryption allowed (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK. Click Yes if a screen pops up. ZyWALL USG 100/200 Series User’s Guide...
  • Page 448: Figure 357 Connect L2Tp To Zywall: Security > Advanced

    Click OK. Figure 358 Connect L2TP to ZyWALL: Networking 10 Enter your user name and password and click Connect. It may take up to one minute to establish the connection and register on the network. ZyWALL USG 100/200 Series User’s Guide...
  • Page 449: Figure 359 Connect L2Tp To Zywall

    12 Click Details and scroll down to see the address that you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20). Figure 361 L2TP to ZyWALL Status: Details 13 Access a server or other network resource behind the ZyWALL to make sure your access works. ZyWALL USG 100/200 Series User’s Guide...
  • Page 450 Chapter 27 L2TP VPN Example ZyWALL USG 100/200 Series User’s Guide...
  • Page 451: Application Patrol

    Application Patrol Application Patrol (453)
  • Page 453: Application Patrol

    It also lets you open the Other Configuration Add/Edit screen to create new conditions or edit existing ones. • Use the Statistics screen (see Section 28.5 on page 472) to see a bandwidth usage graph and statistics for each protocol.
  • Page 454: What You Need to Know About Application Patrol

    When you allow an application, you can restrict the bandwidth it uses or even the bandwidth that particular features in the application (like voice, video, or file sharing) use. This restriction may be ineffective in certain cases, however, such as using MSN to send files via P2P.
  • Page 455: Figure 362 LAN1 to WAN Connection and Packet Directions

    • Outbound traffic is limited to 200 kbps. The connection initiator is on LAN1 so outbound means the traffic traveling from LAN1 to the WAN. Each of the WAN zone’s two interfaces can send the limit of 200 kbps of traffic.
  • Page 456: Figure 363 LAN1 to WAN, Outbound 200 kbps, Inbound 500 kbps

    DMZ to WAN policies for FTP servers A and B. Each server tries to send 1000 kbps, but the WAN is set to a maximum outgoing speed of 1000 kbps. You configure policy A for server A’s traffic and policy B for server B’s traffic.
  • Page 457: Figure 364 Bandwidth Management Behavior

    200 kbps plus 250 kbps for a total of 450 kbps. Table 142 Maximize Bandwidth Usage Effect (columns: POLICY, CONFIGURED RATE, MAX. B. U., PRIORITY, ACTUAL RATE; rate values shown: 300 kbps, 550 kbps, 200 kbps, 450 kbps)
  • Page 458: Application Patrol Bandwidth Management Examples

    • FTP traffic from the LAN to the DMZ can use more bandwidth since the interfaces support up to 1 Gbps connections, but it must be the lowest priority and limited so it does not interfere with SIP and HTTP traffic.
  • Page 459: Figure 365 Application Patrol Bandwidth Management Example

    • Highest priority (1). Set policies for other applications to lower priorities so the SIP traffic always gets the best treatment. • Enable maximize bandwidth usage so the SIP traffic can borrow unused bandwidth.
  • Page 460: Figure 366 SIP Any to WAN Bandwidth Management Example

    DMZ FTP server (outbound) but only 100 kbps for downloads (inbound). • Third highest priority (3). • Disable maximize bandwidth usage since you do not want to give FTP more bandwidth.
  • Page 461: Application Patrol General Screen

    Inbound: 50 Mbps Outbound: 50 Mbps 28.2 Application Patrol General Screen Use this screen to enable and disable application patrol. It also lists the registration status and details about the signature set the ZyWALL is using.
  • Page 462: Figure 370 AppPatrol > General

    (Expired). Registration Type This field displays whether you applied for a trial application (Trial) or registered a service with your iCard’s PIN number (Standard). None displays when the service is not activated.
  • Page 463: Application Patrol Applications

    This field is a sequential value, and it is not associated with a specific application. Service This field displays the name of the application. Default Access This field displays what the ZyWALL does with packets for this application. Choices are: forward, drop, and reject.
  • Page 464: The Application Patrol Edit Screen

    Auto - the ZyWALL identifies this application by matching the IP payload with the application’s pattern(s). Service Ports - the ZyWALL identifies this application by looking at the destination port in the IP header.
  • Page 465 ZyWALL ignores this number if the incoming and outgoing limits are both set to 0. In this case the traffic is automatically treated as being set to the lowest priority (7) regardless of this field’s configuration.
  • Page 466: The Application Patrol Policy Edit Screen

    Select this check box to turn on this policy for the application. Port Use this field to specify a specific port number to which to apply this policy. Type zero if this policy applies to every port number.
  • Page 467 If the sum of the bandwidths for routes using the same next hop is higher than the actual transmission speed, lower priority traffic may not be sent if higher priority traffic uses all of the actual bandwidth.
  • Page 468: The Other Applications Screen

    You can also control the bandwidth used by these other applications. This screen also allows you to add, edit, and remove conditions to this default policy. Click AppPatrol > Other to open the Other (applications) screen.
  • Page 469: Figure 374 AppPatrol > Other

    The ZyWALL ignores this number if the incoming and outgoing limits are both set to 0. In this case the traffic is automatically treated as being set to the lowest priority (7) regardless of this field’s configuration.
  • Page 470: The Other Applications Add/Edit Screen

    Select this check box to turn on this policy. Port Use this field to specify a specific port number to which to apply this policy. Type zero if this policy applies to every port number.
  • Page 471 If the sum of the bandwidths for routes using the same next hop is higher than the actual transmission speed, lower priority traffic may not be sent if higher priority traffic uses all of the actual bandwidth.
  • Page 472: Application Patrol Statistics

    Click AppPatrol > Statistics to open the following screen. 28.5.1 Application Patrol Statistics: General Setup Use the top of the AppPatrol > Statistics screen to configure what to display. Figure 376 AppPatrol > Statistics: General Setup
  • Page 473: Application Patrol Statistics: Bandwidth Statistics

    ZyWALL sends out from the initiator of the connection. • Different colors represent different protocols. 28.5.3 Application Patrol Statistics: Protocol Statistics The bottom of the AppPatrol > Statistics screen displays statistics for each of the selected protocols.
  • Page 474: Figure 378 AppPatrol > Statistics: Protocol Statistics

    This is the protocol’s traffic that the ZyWALL sends out from the initiator of the connection. So for a connection initiated from the LAN to the WAN, the traffic sent from the LAN to the WAN is the outbound traffic.
  • Page 475 Data (KB) This is how much of the application’s traffic the ZyWALL has discarded and notified the client that the traffic was rejected (in kilobytes). This traffic was rejected because it matched a policy set to “reject”.
  • Page 476 Chapter 28 Application Patrol
  • Page 477: Anti-X

    Anti-X Anti-Virus (479) IDP (493) ADP (521) Content Filtering (539) Content Filter Reports (561) Anti-Spam (569)
  • Page 479: Anti-Virus

    485) to set up anti-virus black (blocked) and white (allowed) lists of virus file patterns. • Use the Signature screen (Section 29.6 on page 488) to search signatures to get more information about signatures.
  • Page 480: What You Need to Know About Anti-Virus

    The un-infected portion of the file before a virus pattern was matched still goes through. 5 If the send alert message function is enabled, the ZyWALL sends an alert to the file’s intended destination computer(s).
  • Page 481: Before You Begin

    • You may need to customize the zones (in Network > Zone) used for the anti-virus scanning direction. 29.2 Anti-Virus Summary Screen Click Anti-X > Anti-Virus to display the configuration screen as shown next.
  • Page 482: Figure 380 Anti-X > Anti-Virus > General

    HTTP applies to traffic using TCP ports 80, 8080 and 3128. SMTP applies to traffic using TCP port 25. POP3 applies to traffic using TCP port 110. IMAP4 applies to traffic using TCP port 143.
  • Page 483: Anti-Virus Policy Add or Edit Screen

    Click Reset to start configuring this screen again. 29.2.1 Anti-Virus Policy Add or Edit Screen Click the Add or Edit icon in the Anti-X > Anti-Virus > General screen to display the configuration screen as shown next.
  • Page 484: Figure 381 Anti-X > Anti-Virus > General > Add

    Message Select this check box to set the ZyWALL to send a message alert to files’ intended user(s) using Microsoft Windows computers connected to the To interface. Refer to Appendix C on page 829 if your Windows computer does not display the alert messages.
  • Page 485: Anti-Virus Black List

    29.3 Anti-Virus Black List Click Anti-X > Anti-Virus > Black/White List to display the screen shown next. Use the Black List screen to set up the Anti-Virus black (blocked) list of virus file patterns.
  • Page 486: Anti-Virus Black List or White List Add/Edit

    • For a black list entry, enter a file pattern that should cause the ZyWALL to log and delete a file. • For a white list entry, enter a file pattern that should cause the ZyWALL to allow a file.
  • Page 487: Anti-Virus White List

    Click Anti-X > Anti-Virus > Black/White List > White List to display the screen shown next. Use the Black/White List screen to set up Anti-Virus black (blocked) and white (allowed) lists of virus file patterns.
  • Page 488: Signature Searching

    Click Anti-X > Anti-Virus > Signature to display this screen. Use this screen to locate signatures and display details about them. If Internet Explorer opens a warning screen about a script making Internet Explorer run slowly and the computer possibly becoming unresponsive, just click No to continue.
  • Page 489: Figure 385 Anti-X > Anti-Virus > Signature: Search by Severity

    Click a signature’s name to see details about the virus. This is the identification (ID) number of the anti-virus signature. Click the ID column header to sort your search results in ascending or descending order according to the ID.
  • Page 490: Anti-Virus Technical Reference

    A host-based anti-virus (HAV) scanner is often software installed on computers and/or servers in the network. It inspects files for virus patterns as they are moved in and out of the hard drive. However, host-based anti-virus scanners cannot eliminate all viruses for a number of reasons:
  • Page 491 • NAV scanners stop virus threats at the network edge before they enter or exit a network. • NAV scanners reduce the computing load on computers as the real-time data traffic inspection is done on a dedicated security device.
  • Page 492 Chapter 29 Anti-Virus
  • Page 493: IDP

    You can apply IDP profiles to traffic flowing from one zone to another. For example, apply the default LAN_IDP profile to any traffic going to the LAN zone in order to protect your LAN computers.
  • Page 494: Before You Begin

    You must register in order to use packet inspection signatures. See the Registration screens. If you try to enable IDP when the IDP service has not yet been registered, a warning screen displays and IDP is not enabled.
  • Page 495: Figure 386 Anti-X > IDP > General

    From WAN To WAN means packets that come in from the WAN zone and the ZyWALL routes back out through the WAN zone. IDP Profile This field shows which IDP profile is bound to which traffic direction. Click the popup icon to change to a different profile.
  • Page 496: Configuring IDP Policies

    Click Anti-X > IDP > General and then an Add or Edit icon to display the following screen. Use this screen to apply an IDP profile to traffic flowing from one zone to another.
  • Page 497: Introducing IDP Profiles

    30.3.1 Base Profiles The ZyWALL comes with several base profiles. You use base profiles to create new profiles. In the Anti-X > IDP > Profile screen, click the Add icon to display the following screen.
  • Page 498: The Profile Summary Screen

    Click Cancel to exit this screen without saving your changes. 30.4 The Profile Summary Screen Select Anti-X > IDP > Profile. Use this screen to: • Add a new profile • Edit an existing profile • Delete an existing profile
  • Page 499: Creating New Profiles

    498) and then click OK to go to the profile details screen. If Internet Explorer opens a warning screen about a script making Internet Explorer run slowly and the computer possibly becoming unresponsive, just click No to continue.
  • Page 500: Profiles: Packet Inspection

    Select Anti-X > IDP > Profile and then add a new profile or edit an existing one. Packet inspection signatures examine the contents of a packet for malicious data. They operate at layer 4 to layer 7. 30.6.1 Profile > Group View Screen
  • Page 501: Figure 390 Anti-X > IDP > Profile > Edit: Group View

    Chapter 30 IDP Figure 390 Anti-X > IDP > Profile > Edit: Group View
  • Page 502: Table 163 Anti-X > IDP > Profile > Group View

    An alert is an e-mailed log for more serious events that may need more immediate attention. Select this option to have the ZyWALL send an alert when a packet matches a signature(s).
  • Page 503: Policy Types

    After you enter a chat (or chat room), any room member can type a message that will appear on the monitors of all the other participants. SPAM Spam is unsolicited “junk” e-mail sent to large numbers of people to promote products or services.
  • Page 504: IDP Service Groups

    An IDP service group is a set of related packet inspection signatures. Table 165 IDP Service Groups WEB_PHP WEB_MISC WEB_IIS WEB_FRONTPAGE WEB_CGI WEB_ATTACKS TFTP TELNET SNMP SMTP RSERVICES POP3 POP2 ORACLE NNTP NETBIOS MYSQL MISC_EXPLOIT MISC_DDOS MISC_BACKDOOR MISC
  • Page 505: Profile > Query View Screen

    In the query view screen, you can search for signatures by criteria such as name, ID, severity, attack type, vulnerable attack platforms, service category, log options or actions.
  • Page 506: Figure 392 Anti-X > IDP > Profile: Query View

    Hold down the [Ctrl] key if you want to make multiple selections. Activation Search for enabled and/or disabled signatures here. Search for signatures by log option here. See Table 163 on page 502 for option details.
  • Page 507: Query Example

    This example shows a search with these criteria: • Severity: severe and high • Attack Type: DDoS • Platform: Windows 2000 and Windows XP computers • Service: Any • Actions: Any Figure 393 Query Example Search Criteria
  • Page 508: Introducing IDP Custom Signatures

    You need some knowledge of packet headers and attack types to create your own custom signatures. 30.7.1 IP Packet Header These are the fields in an Internet Protocol (IP) version 4 packet header.
  • Page 509: Figure 395 IPv4 Packet Headers

    IP network. Source IP Address This is the IP address of the original sender of the packet. Destination IP Address This is the IP address of the final destination of the packet.
  • Page 510: Configuring Custom Signatures

    If a packet matches a rule for reject-receiver and it also matches a rule for reject-sender, then the ZyWALL will reject-both. Figure 396 Anti-X > IDP > Custom Signatures
  • Page 511: Creating or Editing a Custom Signature

    (including packet contents), then the fewer false positives the signature will trigger. Try to write signatures that target a vulnerability, for example a certain type of traffic on certain operating systems, instead of a specific exploit.
  • Page 512: Figure 397 Anti-X > IDP > Custom Signatures > Add/Edit

    Chapter 30 IDP Figure 397 Anti-X > IDP > Custom Signatures > Add/Edit
  • Page 513: Table 169 Anti-X > IDP > Custom Signatures > Add/Edit

    Some intrusions can be identified by the number in this field. Select the check box, select Equal, Smaller or Greater and then type in a number.
  • Page 514 Payload Options The longer a payload option is, the more exact the match and the faster the signature processing. Therefore, if possible, it is recommended to have at least one payload option in your signature.
  • Page 515: Custom Signature Example

    As an example, say you want to create a signature for the ‘Microsoft Windows Plug-and-Play Service Remote Overflow (MS-05-39)’ attack. Search the Security Focus web site and you will find it uses the NetBIOS service in established TCP connections to a server using port 445.
  • Page 516: Figure 398 Custom Signature Example Pattern 1

    Figure 400 Custom Signature Example Patterns 3 and 4 The final custom signature should look as shown in the following figure. If the attack occurs, check the logs for a log of your custom signature. This indicates the signature works correctly.
  • Page 517: Figure 401 Example Custom Signature

    Chapter 30 IDP Figure 401 Example Custom Signature
  • Page 518: Applying Custom Signatures

    The Note column displays ACCESS FORWARD when no action is configured for the signature. It displays ACCESS DENIED if you configure the signature action to drop the packet. The destination port is the service port (NetBIOS in this case) that the attack tries to exploit.
  • Page 519: IDP Technical Reference

    The text up to the first parenthesis is the rule header and the section enclosed in parentheses contains the rule options. The words before the colons in the rule options section are the option keywords. The rule header contains the rule's: • Action • Protocol
  • Page 520: Table 170 ZyWALL - Snort Equivalent Terms

    ZyWALL term: Snort keyword. Payload Size: dsize. Offset (relative to start of payload): offset. Relative to end of last match: distance. Content: content. Case-insensitive: nocase. Decode as URI: uricontent. Not all Snort functionality is supported in the ZyWALL.
  • Page 521: ADP

    Protocol anomalies are packets that do not comply with the relevant RFC (Request For Comments). Protocol anomaly detection includes HTTP Inspection, TCP Decoder, UDP Decoder and ICMP Decoder. Protocol anomaly rules may be updated when you upload new firmware.
  • Page 522: Before You Begin

    31.2 The ADP General Screen Click Anti-X > ADP > General. Use this screen to turn anomaly detection on or off and apply anomaly profiles to traffic directions. Figure 404 Anti-X > ADP > General
  • Page 523: Configuring ADP Policies

    Click Anti-X > ADP > General and then an Add or Edit icon to display the following screen. Use this screen to apply an ADP profile to a traffic direction. Figure 405 Anti-X > ADP > General > Add
  • Page 524: The Profile Summary Screen

    • Create a new profile using an existing base profile • Edit an existing profile • Delete an existing profile 31.3.1 Base Profiles The ZyWALL comes with base profiles. You use base profiles to create new profiles. Figure 406 Base Profiles
  • Page 525: Configuring the ADP Profile Summary Screen

    When you’re satisfied that they have been reduced to an acceptable level, you could then create an ‘inline profile’ whereby you configure appropriate actions to be taken when a packet matches a rule.
  • Page 526: Traffic Anomaly Profiles

    Edit icon or click the Add icon and choose a base profile. If you made changes to other screens belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Traffic Anomaly tab.
  • Page 527: Figure 408 Profiles: Traffic Anomaly

    Chapter 31 ADP Figure 408 Profiles: Traffic Anomaly
  • Page 528: Protocol Anomaly Profiles

    Protocol anomaly is the third screen in an ADP profile. Protocol anomaly (PA) rules check for protocol compliance against the relevant RFC (Request for Comments). Protocol anomaly detection includes HTTP Inspection, TCP Decoder, UDP Decoder and ICMP Decoder where each category reflects the packet type inspected.
  • Page 529: Protocol Anomaly Configuration

    Protocol Anomaly tab. If you made changes to other screens belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Protocol Anomaly tab.
  • Page 530: Figure 409 Profiles: Protocol Anomaly

    Chapter 31 ADP Figure 409 Profiles: Protocol Anomaly
  • Page 531: Technical Reference

    31.3.4 on page 526) Port Scanning An attacker scans device(s) to determine what types of network protocols or services a device supports. One of the most common port scanning tools in use today is Nmap.
  • Page 532 These are some filtered port scan examples. • TCP Filtered Portscan • UDP Filtered Portscan • IP Filtered Portscan • TCP Filtered Decoy Portscan • UDP Filtered Decoy Portscan • IP Filtered Decoy Portscan
  • Page 533: Figure 410 Smurf Attack

    Usually a client starts a session by sending a SYN (synchronize) packet to a server. The receiver returns an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established.
  • Page 534: Figure 411 TCP Three-Way Handshake

    ICMP packet of destination unreachable to the forged source address. If enough UDP packets are delivered to ports on the victim, the system will go down.
  • Page 535: Table 177 HTTP Inspection and TCP/UDP/ICMP Decoders

    NULL bytes in the request-URI. NON-RFC-HTTP-DELIMITER ATTACK This is when a newline “\n” character is detected as a delimiter. This is non-standard but is accepted by both Apache and IIS web servers.
  • Page 536 20 bytes. This may cause some applications to crash. UDP Decoder OVERSIZE-LEN ATTACK This is when a UDP packet is sent which has a UDP length field of greater than the actual packet length. This may cause some applications to crash.
  • Page 537 TRUNCATED-TIMESTAMP-HEADER ATTACK This is when an ICMP packet is sent which has an ICMP datagram length of less than the ICMP Time Stamp header length. This may cause some applications to crash.
  • Page 538 Chapter 31 ADP
  • Page 539: Content Filtering

    A content filtering profile conveniently stores your custom settings for the following features. • Category-based Blocking: The ZyWALL can block access to particular categories of web site content, such as pornography or racial intolerance. • Restrict Web Features
  • Page 540: Before You Begin

    • You must register the content filtering standard (in the Licensing > Registration > Service) or trial (Licensing > Registration > Registration) service before you can use external database content filtering (in the Anti-X > Content Filter > Filter Profiles > Categories).
  • Page 541: Content Filter General Screen

    User: This column displays the individual or group to which this policy applies. any means the content filter policy applies to all of the web access requests that the ZyWALL receives from any user.
  • Page 542 None displays if you have not successfully registered and activated the service. Standard displays if you have successfully registered the ZyWALL and activated the service. Trial displays if you have successfully registered the ZyWALL and activated the trial service subscription.
  • Page 543: Content Filter Policy Add or Edit Screen

    Select Create Object to configure a new user account (see Section 36.2.1 on page for details). Select any to have the content filter policy apply to all of the web access requests that the ZyWALL receives from any user.
  • Page 544: Content Filter Profile Screen

    You must register for external content filtering before you can use it. See Section 8.2 on page 190 for how to register. See Chapter 33 on page 561 for how to view content filtering reports.
  • Page 545: Figure 416 Anti-X > Content Filter > Filter Profile > Add

    Chapter 32 Content Filtering Figure 416 Anti-X > Content Filter > Filter Profile > Add
  • Page 546: Table 181 Anti-X > Content Filter > Filter Profile > Add

    Content Filter General screen along with the category of the blocked web page. Select Log to record attempts to access web pages that are not categorized.
  • Page 547 Phishing: This category includes pages that are designed to appear as a legitimate bank or retailer with the intent to fraudulently capture sensitive data (i.e. credit card numbers, pin numbers).
  • Page 548 It also includes pages that glorify, tout, or otherwise encourage the consumption of alcohol/tobacco. It does not include pages that sell alcohol or tobacco as a subset of other products.
  • Page 549 Includes sites that endorse or offer methods, means of instruction, or other resources to affect or influence real events through the use of spells, incantations, curses and magic powers. This category includes sites which discuss or deal with paranormal or unexplained events.
  • Page 550 Search Engines/Portals: This category includes pages that support searching the Internet, indices, and directories. Job Search/Careers: This category includes pages that provide assistance in finding employment, and tools for locating prospective employers.
  • Page 551 It does not include pages that can be classified in other categories (such as vehicles or weapons). Auctions: This category includes pages that support the offering and purchasing of goods between individuals. This does not include classified advertisements.
  • Page 552 This does not include advertising servers that serve adult-oriented advertisements. Web Hosting: This category includes pages of organizations that provide top-level domain pages, as well as web communities or hosting services. Test Web Site Category
  • Page 553: Content Filter Customization Screen

    (blocked) web site addresses. You can also block web sites based on whether the web site’s address contains a keyword. Use this screen to add or remove specific sites or keywords from the filter list.
  • Page 554: Figure 417 Anti-X > Content Filter > Filter Profile > Customization

    ActiveX is a tool for building dynamic and active web pages and distributed object applications. When you visit an ActiveX web site, ActiveX controls are downloaded to your browser, where they remain in case you visit the site again.
  • Page 555 (such as Bad for example). Blocked URL Keywords: This list displays the keywords already added. Click this button when you have finished adding keywords in the field above.
  • Page 556: Content Filter Cache Screen

    You can remove individual entries from the cache. When you do this, the ZyWALL queries the external content filtering database the next time someone tries to access that web site. This allows you to check whether a web site’s category has been changed.
  • Page 557: Figure 418 Anti-X > Content Filter > Cache

    This is the number of the page of entries currently displayed and the total number of pages of entries. Type a page number to go to or use the arrows to navigate the pages of entries. This is the index number of a categorized web site address record.
  • Page 558: Content Filter Technical Reference

    2 The ZyWALL looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site’s category will be in the ZyWALL’s cache. The ZyWALL blocks, blocks and logs, or just logs the request based on your configuration.
  • Page 559 The web site’s address and category are then stored in the ZyWALL’s content filter cache.
  • Page 560 Chapter 32 Content Filtering
  • Page 561: Content Filter Reports

    You need to register your iCard before you can view content filtering reports. Alternatively, you can also view content filtering reports during the free trial (up to 30 days). 1 Go to http://www.myZyXEL.com.
  • Page 562: Figure 420 myZyXEL.com: Login

    Chapter 33 Content Filter Reports 2 Fill in your myZyXEL.com account information and click Login. Figure 420 myZyXEL.com: Login
  • Page 563: Figure 421 myZyXEL.com: Welcome

    Registered ZyXEL Products (the ZyWALL 70 is shown as an example here). You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 422 on page 564). Figure 421 myZyXEL.com: Welcome
  • Page 564: Figure 422 myZyXEL.com: Service Management

    4 In the Service Management screen click Content Filter in the Service Name column to open the content filter reports screens. Figure 422 myZyXEL.com: Service Management 5 In the Web Filter Home screen, click the Reports tab. Figure 423 Content Filter Reports Main Screen
  • Page 565: Figure 424 Content Filter Reports: Report Home

    Chapter 33 Content Filter Reports 6 Select items under Global Reports to view the corresponding reports. Figure 424 Content Filter Reports: Report Home
  • Page 566: Figure 425 Global Report Screen Example

    Taken field and click Run Report. The screens vary according to the report type you selected in the Report Home screen. 8 A chart and/or list of requested web site categories display in the lower half of the screen. Figure 425 Global Report Screen Example
  • Page 567: Figure 426 Requested URLs Example

    Chapter 33 Content Filter Reports 9 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested. Figure 426 Requested URLs Example
  • Page 568 Chapter 33 Content Filter Reports
  • Page 569: Anti-Spam

    IP address or uses a specified header field and header value as being spam. If an e-mail does not match any of the white list entries, the ZyWALL checks it against the black list entries. The ZyWALL classifies an e-mail that
  • Page 570 ZyWALL can check the routing addresses of e-mail against DNSBLs and classify an e-mail as spam if it was sent or forwarded by a computer with an IP address in the DNSBL. Here’s how the ZyWALL uses DNSBLs.
  • Page 571: Before You Begin

    Click Anti-X > Anti-Spam to open the Anti-Spam General screen. Use this screen to turn the anti-spam feature on or off and manage anti-spam policies. You can also select the action the ZyWALL takes when the mail sessions threshold is reached.
  • Page 572: Figure 428 Anti-X > Anti-Spam > General

    The anti-spam policy has the ZyWALL scan e-mail traffic that is going to this zone from the From zone. Protocol: These are the protocols of traffic to scan for spam. SMTP applies to traffic using TCP port 25. POP3 applies to traffic using TCP port 110.
  • Page 573: The Anti-Spam Policy Add or Edit Screen

    Use this screen to configure an anti-spam policy that controls what traffic direction of e-mail to check, which e-mail protocols to scan, the scanning options, and the action to take on spam traffic. Figure 429 Anti-X > Anti-Spam > General > Add
  • Page 574: The Anti-Spam Black List Screen

    Configure the black list to identify spam e-mail. You can create black list entries based on the sender’s or relay server’s IP address or e-mail address. You can also create entries that check for particular e-mail header fields with specific values or specific subject text.
  • Page 575: The Anti-Spam Black or White List Add/Edit Screen

    Click Reset to begin configuring this screen afresh. 34.4.1 The Anti-Spam Black or White List Add/Edit Screen In the anti-spam Black List or White List screen, click the Add icon or an Edit icon to display the following screen.
  • Page 576: Figure 431 Anti-X > Anti-Spam > Black/White List > Black List (or White List) > Add

    63 ASCII characters. For example, if you want the entry to check the “Received:” header for a specific mail server’s domain, enter the mail server’s domain here. See Section 34.4.2 on page 577 for more details.
  • Page 577: Regular Expressions in Black or White List Entries

    DESCRIPTION General Settings Enable White List Checking: Select this check box to have the ZyWALL forward e-mail that matches (an active) white list entry without doing any more anti-spam checking on that individual e-mail.
  • Page 578: The DNSBL Screen

    Click Anti-X > Anti-Spam > DNSBL to display the anti-spam DNSBL screen. Use this screen to configure the ZyWALL to check the sender and relay IP addresses in e-mail headers against DNS (Domain Name Service)-based spam Black Lists (DNSBLs).
  • Page 579: Figure 433 Anti-X > Anti-Spam > DNSBL

    This is the IP of the last server that forwarded the mail. Actions when Query Timeout: Use this section to set what the ZyWALL does if the queries to the DNSBL domains time out.
  • Page 580: The DNSBL Add/Edit Screen

    (identifying legitimate e-mail as spam). Different DNSBLs have different usage policies. For example, you can check http://www.spamhaus.org or https://www.sorbs.net for more information. Figure 434 Anti-X > Anti-Spam > DNSBL > Add
  • Page 581: The Anti-Spam Status Screen

    DNSBL Domain: These are the DNSBLs the ZyWALL uses to check sender and relay IP addresses in e-mails. Total Queries: This is the total number of DNS queries the ZyWALL has sent to this DNSBL.
  • Page 582 Time (sec): This is the average for how long it takes to receive a reply from this DNSBL. No Response: This is how many DNS queries the ZyWALL sent to this DNSBL without receiving a reply.
  • Page 583: Device HA

    Device HA: Device HA (585)
  • Page 585: Device HA

    Legacy mode configuration involves a greater degree of complexity. Active-passive mode is recommended for general failover deployments. • The ZyWALLs must all support and be set to use the same device HA mode (either active-passive or legacy).
  • Page 586: Before You Begin

    35.2 Device HA General The Device HA General screen lets you enable or disable device HA, and displays which device HA mode the ZyWALL is set to use along with a summary of the monitored interfaces.
  • Page 587: Figure 437 Device HA > General

    ZyWALL can take over all of the master ZyWALL’s functions. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 588: The Active-Passive Mode Screen

    Figure 439 Cluster IDs for Multiple Virtual Routers. Monitored Interfaces in Active-Passive Mode Device HA: You can select which interfaces device HA monitors. If a monitored interface on the ZyWALL loses its connection, device HA has the backup ZyWALL take over.
  • Page 589: Configuring Active-Passive Mode Device HA

    The Device HA Active-Passive Mode screen lets you configure general active-passive mode device HA settings, view and manage the list of monitored interfaces, and synchronize backup ZyWALLs. To access this screen, click Device HA > Active-Passive Mode.
  • Page 590: Figure 441 Device HA > Active-Passive Mode

    Type the cluster ID number. A virtual router consists of a master ZyWALL and all of its backup ZyWALLs. If you have multiple ZyWALL virtual routers on your network, use a different cluster ID for each virtual router.
  • Page 591 If you leave this field blank in the master ZyWALL, no backup ZyWALLs can synchronize from it. If you leave this field blank in a backup ZyWALL, it cannot synchronize from the master ZyWALL.
  • Page 592: Configuring an Active-Passive Mode Monitored Interface

    IP address should be in the same subnet as the interface IP address. Subnet Mask: Enter the subnet mask of the interface’s management IP address. Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving your changes.
  • Page 593: The Legacy Mode Screen

    The Device HA Legacy Mode screen lets you configure general legacy mode HA settings including link monitoring, configure the VRRP group and synchronize backup ZyWALLs. To access this screen, click Device HA > Legacy Mode.
  • Page 594: Figure 443 Device HA > Legacy Mode

    Virtual Router IP / Netmask: This is the interface’s IP address and subnet mask in the virtual router. Management IP / Netmask: This field displays the management IP address and subnet mask of an interface.
  • Page 595: The Legacy Mode Add/Edit Screen

    • You can only have one active VRRP group for each virtual router (VR ID). The Device HA Legacy Mode Add or Edit screen lets you configure a VRRP group. To access this screen, click Device HA > Legacy Mode > Add (or Edit).
  • Page 596: Figure 444 Device HA > Legacy Mode > Add

    The backup interface with the highest value takes over the role of the master interface if the master interface becomes unavailable. The priority must be between 1 and 254. (The master interface has priority 255.)
  • Page 597: Device HA Technical Reference

    IP address of the default gateway. Each virtual router is identified by a unique 8-bit identification number called a Virtual Router ID (VR ID). In the example below, ZyWALL A and ZyWALL B are part of virtual router 10 with IP address 192.168.10.254.
  • Page 598: Figure 445 Example: VRRP, Normal Operation

    (the network returns to the state shown in Figure 445 on page 598). Synchronization: During synchronization, the master ZyWALL sends the following information to the backup ZyWALL. • Startup configuration file (startup-config.conf) • AV signatures • IDP and application patrol signatures
  • Page 599 • The backup ZyWALL cannot be the master in any active VRRP group. This refers to the actual role at the time of synchronization, not the role setting in the VRRP group. The backup applies the entire configuration if it is different from the backup’s current configuration.
  • Page 600 Chapter 35 Device HA
  • Page 601: Objects

    VIII Objects User/Group (603) Addresses (617) Services (623) Schedules (629) AAA Server (635) Authentication Method (645) Certificates (649) SSL Application (667)
  • Page 603: User/Group

    WWW, TELNET, SSH, FTP, Console, Dial-in. Limited-Admin: look at ZyWALL configuration (web, CLI); perform basic diagnostics (CLI); login methods: WWW, TELNET, SSH, Console, Dial-in. Access Users, User: access network services; browse user-mode commands (CLI); login methods: WWW, TELNET, SSH.
  • Page 604 User groups may consist of user accounts or other user groups. Use user groups when you want to create the same rule for several user accounts, instead of creating separate rules for each one.
  • Page 605: User Summary Screen

    36.2 User Summary Screen The User screen provides a summary of all user accounts. To access this screen, log in to the web configurator, and click Object > User/Group.
  • Page 606: User Add/Edit Screen

    • Reserved user names are listed in the following table. Table 199 Reserved User Names (partial list): admin, daemon, debug, devicehaecived, games, halt, ldap-users, mail, news, nobody
  • Page 607: Figure 448 User/Group > User > Edit

    Renew button on their screen. If you allow access users to renew time automatically (see Section 36.4 on page 609), the users can select this check box on their screen as well. In this case, the session is automatically renewed before the lease time expires.
  • Page 608: User Group Summary Screen

    The Group Add/Edit screen allows you to create a new user group or edit an existing one. To access this screen, go to the Group screen (see Section 36.3 on page 608), and click either the Add icon or an Edit icon.
  • Page 609: Setting Screen

    ZyWALL. You can also use this screen to specify when users must log in to the ZyWALL before it routes traffic for them. To access this screen, log in to the web configurator, and click Object > User/Group > Setting.
  • Page 610: Figure 451 Object > User/Group > Setting

    Allow renewing lease time ...: Select this check box if access users can renew lease time automatically, as well as manually, simply by checking the Updating lease time automatically check box on their screen.
  • Page 611 Type a page number to go to or use the arrows to navigate the pages of entries. This field is a sequential value, and it is not associated with a specific condition.
  • Page 612: Force User Authentication Policy Add/Edit Screen

    Use this screen to specify a condition when users must log in or do not have to log in to the ZyWALL before their HTTP traffic can pass through the ZyWALL. Figure 452 Object > User/Group > Setting > Add/Edit
  • Page 613: User Aware Login Example

    Instead, when access users log in to the ZyWALL (forced in the screen as shown in Figure 451 on page 610 or otherwise), the following screen appears. Figure 453 Web Configurator for Non-Admin Users
  • Page 614: User/Group Technical Reference

    The following examples show you how you might set up user attributes in LDAP and RADIUS servers. Figure 454 LDAP Example: Keywords for User Attributes: type: admin; leaseTime: 99; reauthTime: 199. Figure 455 RADIUS Example: Keywords for User Attributes: type=user;leaseTime=222;reauthTime=222
  • Page 615 Extract the user names from the LDAP or RADIUS server, and create a shell script that creates the user accounts. See Chapter 45 on page 715 for more information about shell scripts.
  • Page 616 Chapter 36 User/Group
  • Page 617: Addresses

    • SUBNET - a network address is defined by a Network IP address and Netmask subnet mask. The Address screen provides a summary of all addresses in the ZyWALL. To access this screen, click Object > Address > Address.
  • Page 618: Address Add/Edit Screen

    The Address Add/Edit screen allows you to create a new address or edit an existing one. To access this screen, go to the Address screen (see Section 37.2 on page 617), and click either the Add icon or an Edit icon. Figure 457 Object > Address > Address > Edit
  • Page 619: Address Group Summary Screen

    37.3 Address Group Summary Screen The Address Group screen provides a summary of all address groups. To access this screen, click Object > Address > Address Group. Figure 458 Object > Address > Address Group
  • Page 620: Address Group Add/Edit Screen

    ), or dashes (-), but the first character cannot be a number. This value is case-sensitive. Description: This field displays the description of each address group, if any. You can use up to 60 characters, punctuation marks, and spaces.
  • Page 621 The order of members is not important. To remove members, select them and click the left arrow. Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving your changes.
  • Page 622 Chapter 37 Addresses
  • Page 623: Services

    Another use is ping. ICMP does not guarantee delivery, but networks often treat ICMP messages differently, sometimes looking at the message itself to decide where to send it.
  • Page 624: The Service Summary Screen

    To access this screen, log in to the web configurator, and click Object > Service > Service. Figure 460 Object > Service > Service
  • Page 625: The Service Add/Edit Screen

    Ending Port: This field appears if the IP Protocol is TCP or UDP. Specify the port number(s) used by this service. If you fill in one of these fields, the service uses that port. If you fill in both fields, the service uses the range of ports.
  • Page 626: The Service Group Summary Screen

    To edit a service group, click the Edit icon next to the service group. The Service Group Add/Edit screen appears. To delete a service group, click on the Remove icon next to the service group. The web configurator confirms that you want to delete the service group.
  • Page 627: The Service Group Add/Edit Screen

    The order of members is not important. To remove members, select them and click the left arrow. Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving your changes.
  • Page 628 Chapter 38 Services
  • Page 629: Schedules

    Finding Out More • See Section 5.5 on page 124 for related information on these screens. • See Section 44.3 on page 676 for information about the ZyWALL’s current date and time.
  • Page 630: The Schedule Summary Screen

    To edit a schedule, click the Edit icon next to the schedule. The Schedule Add/Edit screen appears. To delete a schedule, click the Remove icon next to the schedule. The web configurator confirms that you want to delete the schedule before doing so.
  • Page 631: The One-Time Schedule Add/Edit Screen

    Hour - 0 - 23; Minute - 0 - 59. All of these fields are required. Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving your changes.
  • Page 632: The Recurring Schedule Add/Edit Screen

    Hour - 0 - 23; Minute - 0 - 59. The Hour and Minute fields are both required. To set all day (24 hours), configure the stop hour to 23 and minute to 59. Weekly
  • Page 633 Week Days: Select each day of the week the recurring schedule is effective. Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving your changes.
  • Page 634 Chapter 39 Schedules
  • Page 635: AAA Server

    (or in addition to) an internal device user database that is limited to the memory capacity of the device. In essence, RADIUS authentication allows you to validate a large number of users from a central location.
  • Page 636: ASAS

    The directory consists of a database specialized for fast information retrieval and filtering activities. You create and store user profile and login information on the external server. • RADIUS
  • Page 637: Active Directory or LDAP Default Server Screen

    A base DN specifies a directory. A base DN usually contains information such as the name of an organization, a domain name and/or country. For example, o=MyCompany, c=UK where o means organization and c means country.
  • Page 638: Configuring Active Directory or LDAP Default Server Settings

    Specify the timeout period (between 1 and 300 seconds) before the ZyWALL disconnects from the AD or LDAP server. In this case, user authentication fails. The search timeout occurs when either the user information is not in the LDAP server or the server is down.
  • Page 639: Active Directory or LDAP Group Summary Screen

    Click Object > AAA Server > Active Directory (or LDAP) > Group to display the Active Directory (or LDAP) > Group screen. Click the Add icon or an Edit icon to display the configuration fields.
  • Page 640: Figure 472 Object > AAA Server > Active Directory (or LDAP) > Group > Add

    Specify the URI (Uniform Resource Identifier) of an AD or LDAP server. You can enter the IP address (in dotted decimal notation) or the fully qualified domain name (FQDN; up to 63 alphanumerical characters) of the AD or LDAP server.
  • Page 641: Configuring a Default RADIUS Server

    Search timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down. Apply: Click Apply to save the changes. Reset: Click Reset to start configuring this screen again.
  • Page 642: Configuring a Group of RADIUS Servers

    Click Object > AAA Server > RADIUS > Group to display the RADIUS > Group screen. Click the Add icon or an Edit icon to display the configuration fields. Figure 475 Object > AAA Server > RADIUS > Group > Add
  • Page 643: Table 223 Object > AAA Server > RADIUS > Group > Add

    Click Add to add a new RADIUS server. You can add up to four RADIUS member servers. Click Delete to remove a RADIUS server. Click OK to save the changes. Cancel: Click Cancel to discard the changes.
  • Page 644 Chapter 40 AAA Server
  • Page 645: Authentication Method

    1 Access the VPN > IPSec VPN > VPN Gateway > Edit screen. 2 Select Enable Extended Authentication. 3 Select Server Mode and select an authentication method object from the drop-down list box. 4 Click OK to save the settings.
  • Page 646: Viewing Authentication Method Objects

    Method List: This field displays the authentication method(s) for this entry. Add icon: Click Add to add a new entry. Click Edit to edit the settings of an entry. Click Delete to remove an entry.
  • Page 647: Creating an Authentication Method Object

    You can NOT select two server objects of the same type. 7 Click OK to save the settings or click Cancel to discard all changes and return to the previous screen. Figure 478 Object > Auth. Method > Add
  • Page 648: Table 225 Object > Auth. Method > Add

    Click Add to add a new entry. Click Edit to edit the settings of an entry. Click Delete to delete an entry. Click OK to save the changes. Cancel: Click Cancel to discard the changes.
  • Page 649: Certificates

    3 Tim uses his private key to sign the message and sends it to Jenny. 4 Jenny receives the message and uses Tim’s public key to verify it. Jenny knows that the message is from Tim, and that although other people may have been able to read the ZyWALL USG 100/200 Series User’s Guide...
  • Page 650 A PKCS #7 file is used to transfer a public key certificate. The private key is not included. The ZyWALL currently allows the importation of a PKS#7 file that contains a single certificate. ZyWALL USG 100/200 Series User’s Guide...
  • Page 651: Verifying A Certificate

    2 Make sure that the certificate has a “.cer” or “.crt” file name extension. Figure 479 Remote Host Certificates 3 Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields. ZyWALL USG 100/200 Series User’s Guide...
  • Page 652: The My Certificates Screen

    When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates. This field displays the certificate index number. The certificates are listed in alphabetical order. ZyWALL USG 100/200 Series User’s Guide...
  • Page 653: The My Certificates Add Screen

    Click Object > Certificate > My Certificates and then the Add icon to open the My Certificates Add screen. Use this screen to have the ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request. ZyWALL USG 100/200 Series User’s Guide...
  • Page 654: Figure 482 Object > Certificate > My Certificates > Add

    @ symbol, periods and the underscore. Organizational Unit Identify the organizational unit or department to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
  • Page 655 You must have the certification authority’s certificate already imported in the Trusted Certificates screen. Click Trusted CAs to go to the Trusted Certificates screen where you can view (and manage) the ZyWALL's list of certificates of trusted certification authorities.
  • Page 656: The My Certificates Edit Screen

    Click Object > Certificate > My Certificates and then the Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate’s name.
  • Page 657: Figure 483 Object > Certificate > My Certificates > Edit

    “Not trusted” in this field if any certificate on the path has expired or been revoked. Refresh: Click Refresh to display the certification path. Certificate Information: These read-only fields display detailed information about the certificate.
  • Page 658 You can copy and paste a certificate into an e-mail to send to friends or colleagues or you can copy and paste a certificate into a text editor and save the file on a management computer for later distribution (via floppy disk for example).
  • Page 659: The My Certificates Import Screen

    The certificate you import replaces the corresponding request in the My Certificates screen. You must remove any spaces from the certificate’s filename before you can import it. Figure 484 Object > Certificate > My Certificates > Import
  • Page 660: The Trusted Certificates Screen

    With self-signed certificates, this is the same information as in the Subject field. Valid From: This field displays the date that the certificate becomes applicable.
  • Page 661: The Trusted Certificates Edit Screen

    Trusted Certificates Edit screen. Use this screen to view in-depth information about the certificate, change the certificate’s name and set whether or not you want the ZyWALL to check a certification authority’s list of revoked certificates before trusting a certificate issued by the certification authority.
  • Page 662: Figure 486 Object > Certificate > Trusted Certificates > Edit

    (along with the end entity’s own certificate). The ZyWALL does not trust the end entity’s certificate and displays “Not trusted” in this field if any certificate on the path has expired or been revoked.
  • Page 663 This field displays the type of algorithm that was used to sign the certificate. Some certification authorities use rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Other certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm).
  • Page 664: The Trusted Certificates Import Screen

    Click Object > Certificate > Trusted Certificates > Import to open the Trusted Certificates Import screen. Follow the instructions in this screen to save a trusted certificate to the ZyWALL. You must remove any spaces from the certificate’s filename before you can import the certificate.
  • Page 665: Certificates Technical Reference

    ZyWALL only gets information on the certificates that it needs to verify, not a huge list. When the ZyWALL requests certificate status information, the OCSP server returns an “expired”, “current” or “unknown” response.
  • Page 666 Chapter 42 Certificates
  • Page 667: Ssl Application

    43.1.3 Example: Specifying a Web Site for Access This example shows you how to create a web-based application for an internal web site. The address of the web site is http://info with web page encryption.
  • Page 668: The Ssl Application Screen

    To add an object, click the Add icon at the top of the column. To edit an object, click the Edit icon next to the object. To delete an object, click the Remove icon next to the object.
  • Page 669: Creating/Editing A Web-Based Ssl Application Object

    This field is optional. You only need to configure this field if you need to specify the name of the directory or file on the local server as the home page or home directory on the user screen.
  • Page 670: Creating/Editing A File Sharing Ssl Application Object

    For example, if you enter “\\my-server\Tmp”, this allows remote users to access all files and/or folders in the “\Tmp” share on the “my-server” computer. Preview: Click Preview to display the file share in a new web browser.
  • Page 671 Click Cancel to discard the changes and return to the main SSL Application Configuration screen. You must then configure the shared folder on the file server for remote access. Refer to the document that comes with your file server.
  • Page 672 Chapter 43 SSL Application
  • Page 673: System

    System System (675)
  • Page 675: System

    • Connect an external serial modem to the AUX port to provide a management connection in case the ZyWALL’s other WAN connections are down. Use the System > Dial-in Mgmt. screen (Figure 530 on page 710) to configure the external serial modem.
  • Page 676: Host Name

    To change your ZyWALL’s time based on your local time zone and date, click System > Date/Time. The screen displays as shown. You can manually set the ZyWALL’s time and date or have the ZyWALL get the date and time from a time server.
  • Page 677: Figure 493 System > Date And Time

    • When you click Apply or Synchronize Now in this screen. • 24-hour intervals after starting up. Time Server Address: Enter the IP address or URL of your time server. Check with your ISP/network administrator if you are unsure of this information.
  • Page 678: Pre-Defined Ntp Time Servers List

    When you turn on the ZyWALL for the first time, the date and time start at 2003-01-01 00:00:00. The ZyWALL then attempts to synchronize with one of the following pre-defined Network Time Protocol (NTP) time servers.
  • Page 679: Time Server Synchronization

    4 As an option you can select the Enable Daylight Saving check box to adjust the ZyWALL clock for daylight saving time. 5 Under Time and Date Setup, enter a Time Server Address (Table 238 on page 679). 6 Click Apply.
  • Page 680: Console Port Speed

    • If your ISP dynamically assigns the DNS server IP addresses (along with the ZyWALL’s WAN IP address), set the DNS server fields to get the DNS server address from the ISP. • You can manually enter the IP addresses of other DNS servers.
  • Page 681: Configuring The Dns Screen

    A hyphen (-) displays for the default domain zone forwarder record. The default record is not configurable. The ZyWALL uses this default record if the domain zone that needs to be resolved does not match any of the other domain zone forwarder records.
  • Page 682 This is the zone on the ZyWALL the user is allowed or denied to access. Address: This is the object name of the IP address(es) from which the computer is allowed or denied to send DNS queries.
  • Page 683: Address Record

    IP address to a domain name. 44.5.5 Adding an Address/PTR Record Click the Add icon in the Address/PTR Record table to add an address/PTR record. Figure 497 System > DNS > Address/PTR Record Edit
  • Page 684: Domain Zone Forwarder

    44.5.7 Adding a Domain Zone Forwarder Click the Add icon in the Domain Zone Forwarder table to add a domain zone forwarder record. Figure 498 System > DNS > Domain Zone Forwarder Add
  • Page 685: Mx Record

    Enter the domain name for which the mail is destined. IP Address/FQDN: Enter the IP address or fully qualified domain name of a mail server that handles the mail for the domain specified in the field above.
  • Page 686: Adding A Dns Service Control Rule

    44.6 WWW Overview The following figure shows secure and insecure management of the ZyWALL coming in from the WAN. HTTPS and SSH access are secure. HTTP, Telnet, and dial-in management access are not secure.
  • Page 687: Service Access Limitations

    Each user is also forced to log in to the ZyWALL for authentication again when the reauthentication time expires. You can change the timeout settings in the User/Group screens.
  • Page 688: Https

    2 HTTP connection requests from a web browser go to port 80 (by default) on the ZyWALL’s web server. Figure 502 HTTP/HTTPS Implementation If you disable HTTP in the WWW screen, then the ZyWALL blocks all HTTP connection attempts.
  • Page 689: Configuring Www

    Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL web configurator using secure HTTPS connections.
  • Page 690 User Service Control specifies from which zones a user can use HTTP to log into the ZyWALL (to log into SSL VPN for example). You can also specify the IP addresses from which the users can access the ZyWALL.
  • Page 691: Service Control Rules

    44.6.5 Service Control Rules Click Add or Edit in the Service Control table in a WWW, SSH, Telnet, FTP or SNMP screen to add a service control rule. Figure 504 System > Service Control Rule Edit
  • Page 692: Https Example

    You see the following Security Alert screen in Internet Explorer. Select Yes to proceed to the web configurator login screen; if you select No, then web configurator access is blocked. Figure 505 Security Alert Dialog Box (Internet Explorer)
  • Page 693: Figure 506 Security Certificate 1 (Netscape)

    • The issuing certificate authority of the ZyWALL’s HTTPS server certificate is not one of the browser’s trusted certificate authorities. The issuing certificate authority of the ZyWALL's factory default certificate is the ZyWALL itself since the certificate is a self-signed certificate.
  • Page 694: Figure 508 Login Screen (Internet Explorer)

    ZyWALL’s Trusted CA web configurator screen). Figure 509 ZyWALL Trusted CA Screen The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s).
  • Page 695: Figure 510 Ca Certificate Example

    You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next. 1 Click Next to begin the wizard.
  • Page 696: Figure 511 Personal Certificate Import Wizard 1

    2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 512 Personal Certificate Import Wizard 2 3 Enter the password given to you by the CA.
  • Page 697: Figure 513 Personal Certificate Import Wizard 3

    4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location. Figure 514 Personal Certificate Import Wizard 4 5 Click Finish to complete the wizard and begin the import process.
  • Page 698: Figure 515 Personal Certificate Import Wizard 5

    2 When Authenticate Client Certificates is selected on the ZyWALL, the following screen asks you to select a personal certificate to send to the ZyWALL. This screen displays even if you only have a single certificate as in the example.
  • Page 699: Ssh

    In the following figure, computer A on the Internet uses SSH to securely connect to the WAN port of the ZyWALL for a management session.
  • Page 700: How Ssh Works

    After the identification is verified and data encryption activated, a secure tunnel is established between the client and the server. The client then sends its authentication information (user name and password) to the server to log in to the server.
  • Page 701: Ssh Implementation On The Zywall

    Certificate: Select the certificate whose corresponding private key is to be used to identify the ZyWALL for SSH connections. You must have certificates already configured in the My Certificates screen (click My Certificates and see Chapter 42 on page 649 for details).
  • Page 702: Secure Telnet Using Ssh Examples

    3 A window displays prompting you to store the host key in your computer. Click Yes to continue. Figure 523 SSH Example 1: Store Host Key Enter the password to log in to the ZyWALL. The CLI screen displays next.
  • Page 703: Telnet

    Click System > TELNET to configure your ZyWALL for remote Telnet access. Use this screen to specify from which zones Telnet can be used to manage the ZyWALL. You can also specify from which IP addresses the access can come.
  • Page 704: Ftp

    You can upload and download the ZyWALL’s firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. Please see Chapter 45 on page 715 for more information about firmware and configuration files.
  • Page 705: Configuring Ftp

    This is the object name of the IP address(es) from which the computer is allowed or denied access. Action: This displays whether the computer with the IP address specified above can access the ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny).
  • Page 706: Snmp

    The ZyWALL supports SNMP version one (SNMPv1) and version two (SNMPv2c). The next figure illustrates an SNMP management operation. Figure 528 SNMP Management Model An SNMP managed network consists of two main types of components: agents and a manager.
  • Page 707: Supported Mibs

    This trap is sent when the Ethernet link is down. linkUp (1.3.6.1.6.3.1.1.5.4): This trap is sent when the Ethernet link is up. authenticationFailure (1.3.6.1.6.3.1.1.5.5): This trap is sent when an SNMP request comes from non-authenticated hosts.
  • Page 708: Configuring Snmp

    This is the object name of the IP address(es) from which the computer is allowed or denied access. Action: This displays whether the computer with the IP address specified above can access the ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny).
  • Page 709: Dial-In Management

    44.11.1 Configuring Dial-in Mgmt Click System > Dial-in Mgmt to display the following screen. Configure this screen for dial-in management connections.
  • Page 710: Vantage Cnm

    ZyWALL (using either the web configurator or commands) without notifying the Vantage CNM administrator. 44.12.1 Configuring Vantage CNM Vantage CNM is disabled on the device by default. Click System > Vantage CNM to configure your device’s Vantage CNM settings.
  • Page 711: Figure 531 System > Vantage Cnm

    Vantage CNM server’s certificate. In order to do this you need to import the Vantage CNM server’s public key (certificate) into the ZyWALL’s trusted certificates. Vantage Certificate: Select the Vantage CNM server’s certificate. This applies when you enable HTTPS authentication.
  • Page 712: Language Screen

    Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 713: Maintenance, Troubleshooting, & Specifications

    Maintenance, Troubleshooting, & Specifications File Manager (715) Logs (725) Reports (737) Diagnostics (751) Reboot (753) Troubleshooting (755) Product Specifications (759)
  • Page 715: File Manager

    When you apply a configuration file, the ZyWALL uses the factory default settings for any features that the configuration file does not include. When you run a shell script, the ZyWALL only applies the commands that it contains. Other settings do not change.
  • Page 716: Figure 533 Configuration File / Shell Script: Example

    ZyWALL treat the line as a comment. Your configuration files or shell scripts can use “exit” or a command line consisting of a single “!” to have the ZyWALL exit sub command mode.
  • Page 717: The Configuration File Screen

    Use the Configuration File screen to store, run, and name configuration files. You can also download configuration files from the ZyWALL to your computer and upload configuration files from your computer to the ZyWALL.
  • Page 718: Figure 534 Maintenance > File Manager > Configuration File

    The ZyWALL still generates a log for any errors. Figure 534 Maintenance > File Manager > Configuration File Do not turn off the ZyWALL while configuration file upload is in progress.
  • Page 719: Figure 535 Maintenance > File Manager > Configuration File > Copy

    Click a configuration file’s row to select it and click Run to have the ZyWALL use that configuration file. The ZyWALL does not have to restart in order to use a different configuration file, although you will need to wait for a few minutes while the system reconfigures.
  • Page 720: The Firmware Package Screen

    See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it. Find the firmware package at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, “zywall.bin”.
  • Page 721: Figure 537 Maintenance > File Manager > Firmware Package

    Click Upload to begin the upload process. This process may take up to two minutes. After you see the Firmware Upload in Process screen, wait two minutes before logging into the ZyWALL again. Figure 538 Firmware Upload In Process
  • Page 722: The Shell Script Screen

    If you do not use the write command, the changes will be lost when the ZyWALL restarts. You could use multiple write commands in a long script. Figure 541 Maintenance > File Manager > Shell Script
  • Page 723: Figure 542 Maintenance > File Manager > Shell Script > Copy

    The bottom part of the screen allows you to upload a new or previously saved shell script file from your computer to your ZyWALL. File Path: Type in the location of the file you want to upload in this field or click Browse... to find it.
  • Page 724 Table 258 Maintenance > File Manager > Shell Script (continued) LABEL / DESCRIPTION: Browse...: Click Browse... to find the .zysh file you want to upload. Upload: Click Upload to begin the upload process. This process may take up to several minutes.
  • Page 725: Logs

    You can also look at the debugging log by selecting Debug Log. All debugging messages have the same priority. To access this screen, click Maintenance > View Log. The log is displayed in the following screen.
  • Page 726: Figure 544 Maintenance > Log > View Log

    If a match is found in any field, the log message is displayed. You can use up to 63 alphanumeric characters and the underscore, as well as punctuation marks ()’ ,:;?! +-*/= #$% @ ; the period, double quotes, and brackets are not allowed.
  • Page 727: Log Setting Screens

    For alerts, the Log Settings tab controls which events generate alerts and where alerts are e-mailed.
  • Page 728: Log Setting Summary

    To activate or deactivate a log, click the Active icon. Make sure you click Apply to save and apply the change. To edit the settings, click the Edit icon next to the associated log. The Log Settings Edit screen appears.
  • Page 729: Edit System Log Settings

    The Log Settings Edit screen controls the detailed settings for each log in the system log (which includes the e-mail profiles). Go to the Log Settings Summary screen (see Section 46.4.1 on page 728), and click the system log Edit icon.
  • Page 730: Figure 546 Maintenance > Log > Log Setting > Edit (System Log)

    Chapter 46 Logs Figure 546 Maintenance > Log > Log Setting > Edit (System Log)
  • Page 731: Table 262 Maintenance > Log > Log Setting > Edit (System Log)

    (green checkmark) and/or in alerts (yellow exclamation point) for the e-mail settings specified in E-Mail Server 2. The ZyWALL does not e-mail debugging information, even if it is recorded in the System log. Log Consolidation
  • Page 732: Edit Remote Server Log Settings

    The Log Settings Edit screen controls the detailed settings for each log in the remote server (syslog). Go to the Log Settings Summary screen (see Section 46.4.1 on page 728), and click a remote server Edit icon.
  • Page 733: Figure 547 Maintenance > Log > Log Setting > Edit (Remote Server)

    Chapter 46 Logs Figure 547 Maintenance > Log > Log Setting > Edit (Remote Server)
  • Page 734: Active Log Summary Screen

    (for example, where and how often log information is e-mailed or remote server names). To access this screen, go to the Log Settings Summary screen (see Section 46.4.1 on page 728), and click the Active Log Summary button.
  • Page 735: Figure 548 Active Log Summary

    Log Category This field displays each category of messages. It is the same value used in the Display and Category fields in the View Log tab. The Default category includes debugging messages generated by open source software.
  • Page 736 If you check one of the check boxes for All Logs, it affects the settings for every category. Click this to save your changes and return to the previous screen. Cancel: Click this to return to the previous screen without saving your changes.
  • Page 737: Reports

    • Most-used protocols or service ports and the amount of traffic on each one • LAN IP with heaviest traffic and how much traffic has been sent to and from each one
  • Page 738: Figure 549 Maintenance > Report > Traffic Statistics

    Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. Statistics. Interface: Select the interface from which to collect information. You can collect information from Ethernet, VLAN, bridge, PPPoE/PPTP, and auxiliary interfaces.
  • Page 739 Table 266 on page 740. These fields are available when the Traffic Type is Web Site Hits. This field is the rank of each record. The domain names are sorted by the number of hits.
  • Page 740: The Session Screen

    / service or service group, source address, and/or destination address and view it by user. To access this screen, log in to the web configurator. When the main screen appears, click Maintenance > Report > Session. The following screen appears.
  • Page 741: Figure 550 Maintenance > Report > Session

    User, Service, Source Address, and Destination Address fields. sessions per page: Select the number of active sessions displayed on each page. You can use the arrow keys on the right to change pages.
  • Page 742: The Anti-Virus Report Screen

    Click Reset to begin configuring this screen afresh. Refresh: Click this button to update the report display. Flush Data: Click this button to discard all of the screen’s statistics and update the report display.
  • Page 743: The Idp Report Screen

    The statistics display as follows when you display the top entries by destination. Figure 553 Maintenance > Report > Anti-Virus: Destination 47.5 The IDP Report Screen Click Maintenance > Report > IDP to display the following screen. This screen displays IDP (Intrusion Detection and Prevention) statistics.
  • Page 744: Figure 554 Maintenance > Report > Idp: Signature Name

    Severity: This column displays when you display the entries by Signature Name. It shows the level of threat that the intrusions may pose. See Table 163 on page 502 for more information.
  • Page 745: The Content Filter Report Screen

    The statistics display as follows when you display the top entries by destination. Figure 556 Maintenance > Report > IDP: Destination 47.6 The Content Filter Report Screen Click Maintenance > Report > Content Filter to display the following screen. This screen displays content filter statistics.
  • Page 746: Figure 557 Maintenance > Report > Content Filter

    Features Forbidden Web Sites: This is the number of web pages to which the ZyWALL did not allow access because they matched the content filtering custom service’s forbidden web sites list.
  • Page 747: The Anti-Spam Report Screen

    47.7 The Anti-Spam Report Screen Click Maintenance > Report > Anti-Spam to display the following screen. This screen displays spam statistics. Figure 558 Maintenance > Report > Anti-Spam: Sender IP
  • Page 748: Table 271 Maintenance > Report > Anti-Spam

    IP address of spam e-mails that the ZyWALL has detected. Sender Mail Address: This column displays when you display the entries by Sender Mail Address. This column displays the e-mail addresses from which the ZyWALL has detected the most spam.
  • Page 749: The Email Daily Report Screen

    Click Maintenance > Report > Email Daily Report to display the following screen. Configure this screen to have the ZyWALL e-mail you system statistics every day. Figure 559 Maintenance > Report > Email Daily Report
  • Page 750: Table 272 Maintenance > Report > Email Daily Report

    Counters: Click this to discard all report data and start all of the counters over at zero. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 751: Diagnostics

    This is the size of the most recently created diagnostic file. Collect Now: Click this to have the ZyWALL create a new diagnostic file. Download: Click this to save the most recent diagnostic file to a computer.
  • Page 752 Chapter 48 Diagnostics
  • Page 753: Reboot

    Click the Reboot button to restart the ZyWALL. Wait a few minutes until the login screen appears. If the login screen does not appear, type the IP address of the device in your Web browser. You can also use the CLI command reboot to restart the ZyWALL.
  • Page 754 Chapter 49 Reboot
  • Page 755: Troubleshooting

    This depends on the zone to which you assign the VPN tunnel and the zone from which and to which traffic may be routed. • If you set up a VPN tunnel across the Internet, make sure your ISP supports AH or ESP (whichever you are using).
  • Page 756 Destroy compressed files that could not be decompressed option while you download the firmware package. See Section 29.2.1 on page 483 for more on the anti-virus Destroy compressed files that could not be decompressed option.
  • Page 757 6 Check your configuration for the cellular interface, especially the PIN code (and the APN and dial plan if you had to enter them). 7 Make sure your ZyWALL is within the transmission range of the cellular base station.
  • Page 758: Resetting The Zywall

    3 Release the RESET button, and wait for the ZyWALL to restart. You should be able to access the ZyWALL using the default settings. 50.2 Getting More Troubleshooting Help Search for support information for your model at www.zyxel.com for more troubleshooting suggestions.
  • Page 759: Product Specifications

    Storage Environment: Temperature -30 °C to 60 °C; Humidity 5% to 95% (non-condensing). MTBF: Mean Time Between Failures 323,823 hours. Dimensions: 242 (W) x 175 (D) x 35.5 (H) mm. Weight: 1.2 kg.
  • Page 760: Table 276 Feature Specifications

    New Session Rate (sessions per second) 1400 1000 FIREWALL Firewall ACL Rules 1000 APPLICATION PATROL Maximum Rules for Other Protocols Maximum Rules for Each Protocol Default Ports
  • Page 761 A record NS record MX record Maximum Number of Service Control Entries 16 per service 16 per service Maximum DHCP Host Pool Maximum Number of DDNS Profiles DHCP Relay 2 per interface 2 per interface
  • Page 762 Maximum Number of Concurrent ZIP File Decompression Sessions: 50 ZIP files, 8 RAR-LZSS or 1 RAR-PPM (first column); 30 ZIP files, 4 RAR-LZSS or 1 RAR-PPM (second column). Maximum Number of Anti-Virus Rules. Maximum Number of White List Entries.
  • Page 763: Table 277 Standards Referenced By Features

    RFCs 958, 1059, 1119, 1305. Used by SSH service: RFCs 4250, 4251, 4252, 4253, 4254. Used by Time service: RFC 3339. Used by Telnet service: RFCs 318, 854, 1413. Used by SIP ALG: RFCs 3261, 3264.
  • Page 764: Or Wlan Pcmcia Card Installation

    Slide the connector end of the card into the slot as shown next. Do not force, bend or twist the wireless LAN card, 3G card or ZyWALL Turbo Card. Figure 562 WLAN Card Installation
  • Page 765: Power Adaptor Specifications

    POWER CONSUMPTION 20 W MAX. SAFETY STANDARDS. Table 283 China Plug Standards: AC POWER ADAPTOR MODEL PSA18R-120P (ZA)-R; INPUT POWER 100-240VAC, 50/60HZ, 0.5A; OUTPUT POWER 12VDC, 3.5A; POWER CONSUMPTION 20 W MAX.; SAFETY STANDARDS
  • Page 766 Chapter 51 Product Specifications
  • Page 767: Appendices And Index

    Appendices and Index Common Services (825) Displaying Anti-Virus Alert Messages in Windows (829) Open Software Announcements (855) Legal Information (893) Customer Support (897) Index (903)
  • Page 769: Appendix A Log Descriptions

    %s: website host. The content filtering service is unregistered and the default policy is not set to block, so the device allowed access to a web site; log message: %s: Service is not registered. %s: website host
  • Page 770: Table 286 Blocked Web Site Logs

    The web content matched a user-defined keyword; log message: %s: Keyword blocking. %s: website host. No content filter policy is applied and access was blocked since the default action is block; log message: %s: Blocking by default policy. %s: website host
  • Page 771: Table 287 Anti-Spam Logs

    The anti-spam black list rule with the specified index number (%d) has been turned off; log message: Black List rule %d has been deactivated. Anti-spam DNSBL (DNS Black List) server checking has been turned on; log message: DNSBL checking has been activated.
  • Page 772: Table 288 Ssl Vpn Logs

    IP address given to the SSL user (log message fragment: established). An SSL tunnel has been disconnected. The source is the login IP address. The destination is the IP address given to the SSL user; log message: SSL tunnel is disconnected
  • Page 773 %s) in the listed SSL VPN policy (second %s), so the listed address (third %s) will not be given to an SSL VPN client; log message fragment: subnet with %s in SSL VPN policy %s. So %s will not be injected to client side.
  • Page 774 The listed user (%s) failed to log into SSL VPN because the maximum number of users were already logged in; log message: Failed login attempt to SSLVPN from %s (reach the max. number of user)
  • Page 775: Table 289 L2Tp Over Ipsec Logs

    An attempted login to the L2TP over IPSec service failed because the L2TP over IPSec IP address pool does not have any more IP addresses to give out; log message: User has been denied from L2TP service. (address pool exhausted)
  • Page 776: Table 290 Zysh Logs

    1st: zysh entry name; can't alloc entry: %s! 1st: zysh entry name; can't retrieve entry. 1st: zysh entry name; can't get entry: %s! 1st: zysh entry name; can't print entry: %s! 1st: zysh list name; %s: cannot retrieve entries from list!
  • Page 777 1st: zysh entry num; Unable to move entry #%d! 1st: zysh table name; %s: apply failed at initial stage! 1st: zysh table name; %s: apply failed at main stage! 1st: zysh table name; %s: apply failed at closing stage!
  • Page 778: Table 291 Adp Logs

    The ZyWALL failed to initialize the anti-virus signatures due to an internal error; log message: Initializing Anti-Virus signature reference table has failed. The ZyWALL failed to reload the anti-virus signatures due to an internal error; log message: Reloading Anti-Virus signature database has failed.
  • Page 779 (Memory not enough) An anti-virus signatures update failed because the anti-virus signature file was too large; log message: AV signature size is over system limitation
  • Page 780 2nd %s: The white list or black list. An anti-virus file pattern white list or black list was turned on or off; log message: %s has been %s. 1st %s: The white list or black list. 2nd %s: Activated/deactivated.
  • Page 781: Table 293 User Logs

    The ZyWALL blocked a login because the maximum login capacity for the particular service has already been reached; log message: Failed login attempt to ZyWALL from %s (reach the max. number of user). %s: service name
  • Page 782: Table 294 Myzyxel.com Logs

    %s: service name succeeded. The device received an incomplete response from the myZyXEL.com server and it caused a parsing error for the device; log message: Trial service activation has failed. Because of lack must fields.
  • Page 783 The device failed to change the type of anti-virus engine. %s is the server response error message; log message: Change Anti-Virus engine has failed:%s. The device successfully changed the type of anti-virus engine; log message: Change Anti-Virus engine has succeeded.
  • Page 784 The device started an IDP signature update; log message: Starting signature update. The device successfully downloaded an IDP signature file; log message: IDP signature download has succeeded. The device successfully downloaded and applied an IDP signature file; log message: IDP signature update has succeeded.
  • Page 785 Before the device sends an expiration day check packet, it needs to check whether or not it will trigger a PPP connection; log message: Expiration daily-check will trigger PPP interface. Do self-check.
  • Page 786 HTTP header. After the device sent packets to a server, the device did not receive any response from the server. The root cause may be a network delay issue; log message: Timeout for get server response.
  • Page 787: Table 295 Idp Logs

    IDP signatures. license is not registered. Update signature failed. An attempt to add a custom IDP signature failed. The error sid and message are displayed; log message: Custom signature add error: sid <sid>, <error_message>.
  • Page 788 IDP device HA synchronized file failed; log message: failed. Can not update synchronized file. An IDP signature update succeeded. The previous and updated IDP signature versions are listed; log message: IDP signature update from version <version> to version <version> has succeeded.
  • Page 789 The device could not get the signature version from the new signature package it downloaded from the update server; log message: Can not get signature version. An IDP system-protect signature update failed; log message: IDP system-protect signature update failed. Invalid IDP config file.
  • Page 790 See the CLI reference guide for how to restore the default system database; log message fragment: please refer to your user documentation to recover the default database file. The IDP signature set is too large (exceeds the ZyWALL’s system limitation); log message: IDP signature size is over system limitation.
  • Page 791: Table 296 Application Patrol

    Rule %s:%s has been removed. 1st %s: Protocol name 2nd %s: From rule index number 3rd %s: To rule index number The device failed to initiate the application patrol daemon. System fatal error: 60011001.
  • Page 792: Table 297 Ike Logs

    When selecting a matched proposal in phase-1 or phase-2, no proposal was selected; log message: [SA] : No proposal chosen. %s is the tunnel name. When negotiating Phase-1, the authentication algorithm did not match; log message: [SA] : Tunnel [%s] Phase 1 authentication algorithm mismatch
  • Page 793 1st %s is my ip address. 2nd %s is the tunnel name. When selecting a matched proposal in phase-1, the engine could not get My-IP address; log message: Cannot resolve My IP Addr %s for Tunnel [%s]
  • Page 794 %s is the tunnel name. When negotiating phase-1, the pre-shared key did not match; log message: Tunnel [%s] Phase 1 pre-shared key mismatch. %s is the tunnel name. The device received an IKE request; log message: Tunnel [%s] Recving IKE request
  • Page 795 Sending IKE request. The variables represent the tunnel name and the SPI of a tunnel that was disconnected; log message: Tunnel [%s:0x%x] is disconnected. %s is the tunnel name. The tunnel was rekeyed successfully; log message: Tunnel [%s] rekeyed successfully
  • Page 796: Table 298 Ipsec Logs

    3rd is the to zone, 4th is the service name, 5th is ACCEPT/DROP/REJECT. Firewall is dead, trace to %s:%d: in %s(): (%s is which file, %d is which line, %s is which function). %s is enabled/disabled; log message: Firewall has been %s.
  • Page 797: Table 300 Sessions Limit Logs

    User-aware policy routing is disabled due to some reason; log message: Cannot get handle from UAM, user-aware PR is disabled. Allocating policy routing rule fails: insufficient memory; log message: mblock: allocate memory failed! Allocating policy routing rule fails: insufficient memory; log message: pt: allocate memory failed!
  • Page 798: Table 302 Built-In Services Logs

    HTTPS service will not work. %s is certificate name assigned by user. An administrator changed the port number for HTTPS; log message: HTTPS port has been changed to port %s. %s is port number
  • Page 799 If interface is stand-by mode for device HA, DHCP server can't be run. Otherwise it has conflict with the interface in master mode; log message: DHCP Server on Interface %s will not work due to Device HA status is Stand-By. %s is interface name
  • Page 800 Zone Forwarder has reached the maximum number of 128 DNS servers. Ping check ok, add DNS servers in bind. Interface %s ping check is successful. %s is interface name. Zone Forwarder adds DNS servers in records.
  • Page 801: Table 303 System Logs

    Table 303 System Logs LOG MESSAGE / DESCRIPTION. When LINK is up, %d is the port number; log message: Port %d is up!! When LINK is down, %d is the port number; log message: Port %d is down!!
  • Page 802 IP address. The ARP cache was cleared successfully; log message: Clear arp cache successfully. A client MAC address is not an Ethernet address; log message: Client MAC address is not an Ethernet address
  • Page 803 FQDN %s was blocked for abuse. Try to update profile, but failed, because of authentication fail, %s is the profile name; log message: Update the profile %s has failed because of authentication fail.
  • Page 804 The profile is paused by device-HA, because the VRRP status of that iface is standby, %s is the profile name; log message: The profile %s has been paused because the VRRP status of WAN interface was standby.
  • Page 805 Rename DDNS profile, 1st %s is the original profile name, 2nd %s is the new profile name; log message: DDNS profile %s has been renamed as %s. Delete DDNS profile, %s is the profile name; log message: DDNS profile %s has been deleted.
  • Page 806: Table 304 Connectivity Check Logs

    The connectivity check process can't get interface configuration; log message: Can't get flags of %s interface. %s: interface name. The connectivity check process can't get remote address of PPP interface; log message: Can't get remote address of %s interface. %s: interface name
  • Page 807: Table 305 Device Ha Logs

    The System Startup configuration file synchronized from the Master is the same with the one in the Backup, so the configuration does not have to be updated; log message: Master configuration is the same with Backup. Skip updating
  • Page 808 A VRRP group’s Authentication Type (Md5 or IPSec AH) configuration may not match between the Backup and the Master. %s: The name of the VRRP group; log message: Device HA authentication type for VRRP group %s maybe wrong.
  • Page 809 %s for %s due to transmission timeout. %s: The name of the VRRP interface; log message: VRRP interface %s has been shutdown. %s: The name of the VRRP interface; log message: VRRP interface %s has been brought up.
  • Page 810: Table 306 Routing Protocol Logs

    %s has been changed to BiDir. RIP text or md5 authentication has been disabled; log message: RIP authentication has been disabled. RIP text authentication key has been deleted; log message: RIP text authentication key has been deleted.
  • Page 811 %s: Virtual-Link ID (log message fragment: link %d md5 authentication of area). Virtual-link %s text authentication has been set without setting text authentication key first; log message fragment: Invalid OSPF virtual-link %s text authentication of area. %s: Virtual-Link ID
  • Page 812: Table 307 Nat Logs

    SIP ALG apply additional signal port failed; log message: Register SIP ALG extra port=%d failed. %d: Port number. SIP ALG apply signal port failed; log message: Register SIP ALG signal port=%d failed. %d: Port number
  • Page 813: Table 308 Pki Logs

    The device was unable to use SCEP to enroll a certificate. 1st %s is a request name, 2nd %s is the CA name, 3rd %s is the URL; log message: SCEP enrollment "%s" failed, CA "%s", URL "%s"
  • Page 814 "%s" from "My Certificate" successfully. The device exported a x509 format certificate from Trusted Certificates. %s is the certificate request name; log message: Export X509 certificate "%s" from "Trusted Certificate" successfully
  • Page 815 CRL decoding failed. CRL is not currently valid, but in the future. CRL contains duplicate serial numbers. Time interval is not continuous. Time information not available. Database method failed due to timeout. Database method failed.
  • Page 816: Table 309 Interface Logs

    An administrator added a new interface. %s: interface name; log message: Interface %s has been added. An administrator enabled an interface. %s: interface name; log message: Interface %s is enabled. An administrator disabled an interface. %s: interface name; log message: Interface %s is disabled.
  • Page 817 server does not support CHAP). %s: interface name; log message: CHAP authentication failed. A PPP or AUX interface connected successfully. %s: interface name; log message: Interface %s is connected.
  • Page 818 You entered an incorrect PUK code so you were not able to unlock the SIM card for the cellular device associated with the listed cellular interface (%d); log message: "Incorrect PUK code of cellular interface cellular%d. Please check the PUK code setting.
  • Page 819 %s, but current inserted device is %s. The cellular device (identified by its manufacturer and model) has been inserted in or connected to the specified slot; log message: "Cellular device [%s %s] has been inserted into %s.
  • Page 820: Table 310 Wlan Logs

    A station could not connect to the specified WLAN interface (first %s) because the WLAN interface already has its maximum number of wireless clients; log message: Station association has failed. Maximum associations have reached the maximum number. Interface: %s, MAC: %s.
  • Page 821: Table 311 Account Logs

    DHCP client and has more than one member in its group. In this case the DHCP client will renew. %s: interface name (log message fragment: client). An administrator configured port-grouping, %s: interface name; log message: Port Grouping %s has been changed.
  • Page 822: Table 313 Force Authentication Logs

    DHCP clients, so there is no IP address to give to the listed DHCP client. The DHCP server feature gave the listed IP address to the computer with the listed hostname and MAC address; log message: DHCP server offered %s to %s(%s)
  • Page 823: Table 316 E-Mail Daily Report Logs

    LOG MESSAGE / DESCRIPTION. Log message: Drop packet %s-%u.%u.%u.%u-%02X:%02X:%02X:%02X:%02X:%02X. The IP-MAC binding feature dropped an Ethernet packet. The interface the packet came in through and the sender’s IP address and MAC address are also shown.
  • Page 824 The interface the packet came in through, the sender’s IP address and MAC address, are also shown along with the binding type (“s” for static or “d” for dynamic); log message fragment: %s#%u.%u.%u.%u#%02X:%02X:%02X:%02X:%02X:%02
  • Page 825: Appendix B Common Services

    IPSEC_TUNNEL: The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service. FINGER: Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.
  • Page 826 This is the data channel. RCMD Remote Command Service. REAL_AUDIO 7070 A streaming audio service that enables real time sound over the web. REXEC Remote Execution Daemon. RLOGIN Remote Login. RTELNET Remote Telnet.
  • Page 827 TFTP Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol). VDOLIVE 7000 Another videoconferencing solution.
  • Page 828 Appendix B Common Services
  • Page 829: Appendix C Displaying Anti-Virus Alert Messages In Windows

    Windows XP 1 Click Start > Control Panel > Administrative Tools > Services. Figure 563 Windows XP: Opening the Services Window 2 Select the Messenger service and click Start.
  • Page 830: Figure 564 Windows Xp: Starting The Messenger Service

    3 Close the window when you are done. Windows 2000 1 Click Start > Settings > Control Panel > Administrative Tools > Services. Figure 565 Windows 2000: Opening the Services Window 2 Select the Messenger service and click Start Service.
  • Page 831: Figure 566 Windows 2000: Starting The Messenger Service

    98 SE (steps are similar for Windows Me). 1 Right-click on the program task bar and click Properties. Figure 568 Windows 98 SE: Program Task Bar 2 Click the Start Menu Programs tab and click Advanced ...
  • Page 832: Figure 569 Windows 98 Se: Task Bar Properties

    3 Double-click Programs and click StartUp. 4 Right-click in the StartUp pane and click New, Shortcut. Figure 570 Windows 98 SE: StartUp 5 A Create Shortcut window displays. Enter “winpopup” in the Command line field and click Next.
  • Page 833: Figure 571 Windows 98 Se: Startup: Create Shortcut

    6 Specify a name for the shortcut or accept the default and click Finish. Figure 572 Windows 98 SE: Startup: Select a Title for the Program 7 A shortcut is created in the StartUp pane. Restart the computer when prompted.
  • Page 834: Figure 573 Windows 98 Se: Startup: Shortcut

    Appendix C Displaying Anti-Virus Alert Messages in Windows Figure 573 Windows 98 SE: Startup: Shortcut The WinPopup window displays after the computer finishes the startup process (see Figure 567 on page 831).
  • Page 835: Appendix D Importing Certificates

    The following example procedure shows how to import the ZyWALL’s (self-signed) server certificate into your operating system as a trusted certification authority. 1 In Internet Explorer, double click the lock shown in the following screen.
  • Page 836: Figure 575 Login Screen

    Appendix D Importing Certificates Figure 575 Login Screen 2 Click Install Certificate to open the Install Certificate wizard. Figure 576 Certificate General Information before Import 3 Click Next to begin the Install Certificate wizard.
  • Page 837: Figure 577 Certificate Import Wizard 1

    Figure 577 Certificate Import Wizard 1 4 Select where you would like to store the certificate and then click Next. Figure 578 Certificate Import Wizard 2 5 Click Finish to complete the Import Certificate wizard.
  • Page 838: Figure 579 Certificate Import Wizard 3

    Appendix D Importing Certificates Figure 579 Certificate Import Wizard 3 6 Click Yes to add the ZyWALL certificate to the root store. Figure 580 Root Certificate Store
  • Page 839: Figure 581 Certificate General Information After Import

    Appendix D Importing Certificates Figure 581 Certificate General Information after Import
  • Page 840 Appendix D Importing Certificates
  • Page 841: Appendix E Wireless Lans

    A and B can access the wired network and communicate with each other. When Intra-BSS is disabled, wireless client A and B can still access the wired network but cannot communicate with each other.
  • Page 842: Figure 583 Basic Service Set

    An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate.
  • Page 843: Figure 584 Infrastructure Wlan

    (AP) or wireless gateway, but out-of-range of each other, so they cannot "hear" each other, that is they do not know if the channel is currently being used. Therefore, they are considered hidden from each other.
  • Page 844: Figure 585 Rts/Cts

    AP will fragment the packet into smaller data frames. A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference.
  • Page 845: Table 319 Ieee 802.11G

    5.5 / 11 CCK (Complementary Code Keying) 6/9/12/18/24/36/48/54 OFDM (Orthogonal Frequency Division Multiplexing) Wireless Security Overview Wireless security is vital to your network to protect wireless communication between wireless clients, access points and the wired network.
  • Page 846: Table 320 Wireless Security Levels

    RADIUS is based on a client-server model that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks: • Authentication Determines the identity of the users. • Authorization
  • Page 847 EAP to interact with an EAP-compatible RADIUS server, an access point helps a wireless station and a RADIUS server perform authentication. The type of authentication you use depends on the RADIUS server and an intermediary AP(s) that supports IEEE 802.1x.
  • Page 848 However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco. LEAP LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x.
  • Page 849: Table 321 Comparison Of Eap Authentication Types

    If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an external RADIUS server or not. Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2.
  • Page 850 AP and does not need to go with the authentication process again. Pre-authentication enables fast roaming by allowing the wireless client (already connecting to an AP) to perform IEEE 802.1x authentication with another AP before connecting to it.
  • Page 851: Figure 586 Wpa(2) With Radius Application Example

    A WPA(2)-PSK application looks as follows. 1 First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK) must consist of between 8 and 63 ASCII characters or 64 hexadecimal characters (including spaces and symbols).
  • Page 852: Figure 587 Wpa(2)-Psk Authentication

    Enable with Dynamic WEP Key Enable without Dynamic WEP Key Disable Shared Enable with Dynamic WEP Key Enable without Dynamic WEP Key Disable TKIP/AES Enable WPA-PSK TKIP/AES Disable WPA2 TKIP/AES Enable WPA2-PSK TKIP/AES Disable
  • Page 853: Antenna Characteristics

    The angle of the beam determines the width of the coverage pattern. Angles typically range from 20 degrees (very directional) to 120 degrees (less directional). Directional antennas are ideal for hallways and outdoor point-to-point applications.
  • Page 854: Positioning Antennas

    For a single AP application, place omni-directional antennas as close to the center of the coverage area as possible. For directional antennas, point the antenna in the direction of the desired coverage area.
  • Page 855: Appendix F Open Software Announcements

    No part may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, except the express written permission of ZyXEL Communications Corporation. This Product includes ppp-2.4.2 software under the PPP License PPP License Copyright (c) 1993 The Australian National University.
  • Page 856 TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This Product includes ntp-4.1.2 software under the NTP License NTP License Copyright (c) David L. Mills 1992-2004 ZyWALL USG 100/200 Series User’s Guide...
  • Page 857 The GNU General Public License, Version 1 • This license is compatible with The GNU General Public License, Version 2 This is just like a Simple Permissive license, but it requires that a copyright notice be maintained. ZyWALL USG 100/200 Series User’s Guide...
  • Page 858 THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL ZyWALL USG 100/200 Series User’s Guide...
  • Page 859 CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY ZyWALL USG 100/200 Series User’s Guide...
  • Page 860 THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ZyWALL USG 100/200 Series User’s Guide...
  • Page 861 Copyright (c) 1995-2003 by Internet Software Consortium Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. ZyWALL USG 100/200 Series User’s Guide...
  • Page 862 "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. ZyWALL USG 100/200 Series User’s Guide...
  • Page 863 (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and ZyWALL USG 100/200 Series User’s Guide...
  • Page 864 Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS ZyWALL USG 100/200 Series User’s Guide...
  • Page 865 Portions of this software are based upon public domain software originally written at the National Center for Supercomputing Applications, University of Illinois, Urbana-Champaign. This Product includes libosip2, libgcgi-0.9.5 and gmp-4.1 software under LGPL license. GNU LESSER GENERAL PUBLIC LICENSE Version 2.1, February 1999 ZyWALL USG 100/200 Series User’s Guide...
  • Page 866 License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs. ZyWALL USG 100/200 Series User’s Guide...
  • Page 867 Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the ZyWALL USG 100/200 Series User’s Guide...
  • Page 868 GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library. ZyWALL USG 100/200 Series User’s Guide...
  • Page 869 (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface- ZyWALL USG 100/200 Series User’s Guide...
  • Page 870 License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or
  • Page 871 WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR
  • Page 872 You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.
  • Page 873 License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)
  • Page 874 Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.
  • Page 875 Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY
  • Page 876 Original Code or Modifications or the combination of the Original Code and Modifications, in each case including portions thereof. 1.4. "Electronic Distribution Mechanism" means a mechanism generally accepted in the software development community for the electronic transfer of data.
  • Page 877 Original Code or another well known, available Covered Code of the Contributor's choice. The Source Code can be in a compressed or archival form, provided the appropriate decompression or de-archiving software is widely available for no charge. 1.12. "You" (or "Your")
  • Page 878 Modifications made by that Contributor with other software (except as part of the Contributor Version) or other devices; or 4) under Patent Claims infringed by Covered Code in the absence of Modifications made by that Contributor.
  • Page 879 If Contributor's Modifications include an application programming interface and Contributor has knowledge of patent licenses which are reasonably necessary to implement that API, Contributor must also include this information in the legal file. (c) Representations.
  • Page 880 Section 3.4 and must be included with all distributions of the Source Code. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it. 5. Application of this License.
  • Page 881 60 days notice from Participant terminate prospectively, unless if within 60 days after receipt of notice You either: (i) agree in writing to pay Participant a mutually agreeable reasonable royalty for Your past and future use of Modifications made by such Participant, or
  • Page 882 License shall be subject to the jurisdiction of the Federal Courts of the Northern District of California, with venue lying in Santa Clara County, California, with the losing party responsible for costs, including without limitation, court costs and reasonable
  • Page 883 Code files of the Original Code. You should use the text of this Exhibit A rather than the text found in the Original Code Source Code for Your Modifications. This Product includes unzip-5.50 and zip-2.3 software under Info-ZIP license
  • Page 884 •Info-ZIP retains the right to use the names "Info-ZIP," "Zip," "UnZip," "UnZipSFX," "WiZ," "Pocket UnZip," "Pocket Zip," and "MacZip" for its own source and binary releases. This Product includes libpcap-0.8.3, libnet-1.1.2.1, net-snmp-5.1.1, libpcap-0.9.4, and openssh-4.3p2 software under BSD license
  • Page 885 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
  • Page 886 Software shall at all times remain with copyright holders. OpenLDAP is a registered trademark of the OpenLDAP Foundation. Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted.
  • Page 887 Software, and to permit persons to whom the Software is furnished to do so, subject to the following
  • Page 888 EVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  • Page 889 ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. NOTE: Some components of the ZyWALL USG 100/200 incorporate source code covered under the Apache License, GPL License, LGPL License, BSD...
  • Page 890 ZyXEL Communications Corporation at: ZyXEL Technical Support. End-User License Agreement for “ZyWALL USG 100/200” WARNING: ZyXEL Communications Corp. IS WILLING TO LICENSE THE ENCLOSED SOFTWARE TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS LICENSE AGREEMENT. PLEASE READ THE TERMS CAREFULLY BEFORE COMPLETING THE INSTALLATION PROCESS AS INSTALLING THE SOFTWARE WILL INDICATE YOUR ASSENT TO THEM.
  • Page 891 EVENT EXCEED THE AMOUNT OF THE PRODUCT. BECAUSE SOME STATES/ COUNTRIES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. 8. Export Restrictions
  • Page 892 License Agreement is found invalid or unenforceable by a court of competent jurisdiction, the remainder of this License Agreement shall be interpreted so as to reasonably effect the intention of the parties.
  • Page 893: Legal Information

    ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved.
  • Page 894: Appendix G Legal Information

    This Class B digital apparatus complies with Canadian standard NMB-003. Viewing Certifications 1 Go to http://www.zyxel.com. 2 Select your product on the ZyXEL home page to go to that product's page. 3 Select the certification you wish to view from this page.
  • Page 895: Zyxel Limited Warranty

    To obtain the services of this warranty, contact your vendor. You may also refer to the warranty policy for the region in which you bought the device at http://www.zyxel.com/web/support_warranty_info.php. Registration Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com.
  • Page 897: Customer Support

    • Sales E-mail: sales@zyxel.com.tw • Telephone: +886-3-578-3942 • Fax: +886-3-578-2439 • Web: www.zyxel.com • Regular Mail: ZyXEL Communications Corp., 6 Innovation Road II, Science Park, Hsinchu 300, Taiwan China - ZyXEL Communications (Beijing) Corp. • Support E-mail: cso.zycn@zyxel.cn • Sales E-mail: sales@zyxel.cn •...
  • Page 898: Appendix H Customer Support

    Czech Republic • E-mail: info@cz.zyxel.com • Telephone: +420-241-091-350 • Fax: +420-241-091-359 • Web: www.zyxel.cz • Regular Mail: ZyXEL Communications, Czech s.r.o., Modranská 621, 143 01 Praha 4 - Modrany, Ceská Republika Denmark • Support E-mail: support@zyxel.dk • Sales E-mail: sales@zyxel.dk •...
  • Page 899 • Support: http://zyxel.kz/support • Sales E-mail: sales@zyxel.kz • Telephone: +7-3272-590-698 • Fax: +7-3272-590-689 • Web: www.zyxel.kz • Regular Mail: ZyXEL Kazakhstan, 43 Dostyk Ave., Office 414, Dostyk Business Centre, 050010 Almaty, Republic of Kazakhstan
  • Page 900 • Support Telephone: +1-800-978-7222 • Sales E-mail: sales@zyxel.com • Sales Telephone: +1-714-632-0882 • Fax: +1-714-632-0858 • Web: www.zyxel.com • Regular Mail: ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 92806- 2001, U.S.A. Norway • Support E-mail: support@zyxel.no • Sales E-mail: sales@zyxel.no •...
  • Page 901 • Support E-mail: support@zyxel.es • Sales E-mail: sales@zyxel.es • Telephone: +34-902-195-420 • Fax: +34-913-005-345 • Web: www.zyxel.es • Regular Mail: ZyXEL Communications, Arte, 21 5ª planta, 28033 Madrid, Spain Sweden • Support E-mail: support@zyxel.se • Sales E-mail: sales@zyxel.se • Telephone: +46-31-744-7700 •...
  • Page 902 • Sales E-mail: sales@zyxel.co.uk • Telephone: +44-1344-303044, 0845 122 0301 (UK only) • Fax: +44-1344-303034 • Web: www.zyxel.co.uk • Regular Mail: ZyXEL Communications UK Ltd., 11 The Courtyard, Eastern Road, Bracknell, Berkshire RG12 2XB, United Kingdom (UK)
  • Page 903: Index

    522, 526 updating signatures and encapsulation Advanced Encryption Standard See AES. active sessions 177, 181, 740 Advanced Encryption Standard. See AES. ActiveX 384, 850 AD (Active Directory) and transport mode
  • Page 904 479, 480 statistics alert message trial service activation alerts unidentified applications black list 485, 486 updating signatures boot sector virus vs firewall 343, 345 configuration overview EICAR applications e-mail virus AppPatrol, See application patrol.
  • Page 905 287, 290, 456, 457, See certificates. 458, 468, 472 Certificate Management Protocol (CMP) OSI level-7. See application patrol. Certificate Revocation List (CRL) over allotment of bandwidth vs OCSP priority priority effect certificates
  • Page 906 572, 748 trial service activation configuration uncategorized pages example of web-based SSL application unsafe web pages object-based URL for blocked access overview content filtering reports
  • Page 907 HA status pointer (PTR) records legacy mode 585, 593 DNS Blacklist see DNSBL link monitoring DNS servers 217, 222, 258, 264, 680, 684 management access and interfaces management IP address DNSBL 570, 574, 578
  • Page 908 ESSID and VoIP pass through Ethereal and zones 344, 353 Ethernet interfaces 129, 204, 210 asymmetrical routes 351, 352 and OSPF configuration overview and RIP global rules and routing protocols prerequisites basic characteristics priority
  • Page 909 Generic Routing Encapsulation. See GRE. ICMP flood attack global SSL setting ICMP portsweep user portal logo ICMP sequence number ICMP type ICMP unreachable identification (IP) identifying legitimate e-mail spam H.323 163, 333 action additional signaling port alerts
  • Page 910 IP address ID type metric IP address, remote IPSec router IP address, ZyXEL device local identity overlapping IP address and subnet mask main mode 383, 387 PPPoE/PPTP. See also PPPoE/PPTP interfaces.
  • Page 911 Java Default_L2TP_VPN_Connection permissions Default_L2TP_VPN_Connection example JavaScripts Default_L2TP_VPN_GW Default_L2TP_VPN_GW example established in two phases L2TP VPN local network manual key remote access key pairs remote IPSec router kick out user remote network kill user session
  • Page 912 731, 734, 735 monitor profile 499, 525 debugging monitored interfaces regular device HA types of MS-05-39 log options 485, 574 (IDP) 215, 234, 256 logged in users multiple slash encoding login mutation virus
  • Page 913 (DR) internal (IR) link state advertisements priority types of outgoing bandwidth 214, 234, 256 object-based configuration oversize-chunk-encoding objects 111, 124, 397 oversize-len attack AAA server oversize-offset attack addresses and address groups oversize-request-uri-directory authentication method
  • Page 914 VoIP pass through web. See web proxy servers. and VPN connections 285, 286, 755 bandwidth management public server tutorial benefits Public-Key Infrastructure (PKI) configuration overview public-private key pairs criteria prerequisites polymorphic virus POP2 POP3
  • Page 915 Ethernet interfaces connection FTP. See FTP. prerequisites RTS (Request To Send) see also service control threshold 843, 844 Telnet to-ZyWALL firewall WWW. See WWW. remote user screen links report daily safety warnings reports
  • Page 916 Session Initiation Protocol. See SIP. session limits GetNext session monitor (L2TP VPN) Manager managers sessions sessions usage 177, 181 network components setup wizards severity (IDP) 498, 502 Trap SHA1 traps shell scripts versions
  • Page 917 SSL application object strict source routing file sharing STUN file sharing application and ALG remote user screen links subscription services summary and synchronization (device HA) types AppPatrol web-based 667, 669 content filtering web-based example
  • Page 918 TCP portsweep member interface mode TCP RST member interfaces prerequisites TCP SYN flood See also load balancing. TCPdump tutorial Telnet where used and address groups Trusted Certificates. See also certificates. and address objects
  • Page 919 User Datagram Protocol. See UDP. User (type) user group user names objects UTF-8 decode user groups 603, 604 and content filtering and firewall 355, 357
  • Page 920 Web attack See also ALG. web configurator 56, 67 VoIP pass through see ALG. access access users requirements active protocol supported browsers and NAT and the firewall web features
  • Page 921 PCMCIA card installation security parameters see also wireless. troubleshooting user accounts wireless client setup worm 480, 504 key caching pre-authentication user authentication vs WPA-PSK wireless client supplicant with RADIUS application example WPA2

This manual is also suitable for:

Zywall usg 200 series