ZyXEL Communications ZyWALL USG 300 User Manual
Unified security gateway

ZyWALL USG 300
Unified Security Gateway
User's Guide
Version 2.11
11/2008
Edition 1
DEFAULT LOGIN
LAN Port 1
IP Address http://192.168.1.1
User Name admin
Password 1234
www.zyxel.com


Summary of Contents for ZyXEL Communications ZyWALL USG 300

  • Page 3: About This User's Guide

    It is recommended you use the Web Configurator to configure the ZyWALL. • Web Configurator Online Help Click the help icon in any screen for help in configuring that screen and supplementary information. • Supporting Disc ZyWALL USG 300 User’s Guide...
  • Page 4 Graphics in this book may differ slightly from the product due to differences in operating systems, operating system versions, or if you installed updated firmware/software for your device. Every effort has been made to ensure that the information in this manual is accurate. ZyWALL USG 300 User’s Guide...
  • Page 5: Document Conventions

    Syntax Conventions • The ZyWALL USG 300 may be referred to as the “ZyWALL”, the “device”, the “system” or the “product” in this User’s Guide. • Product labels, screen names, field labels and field choices are all in bold font.
  • Page 6 Icons Used in Figures Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. ZyWALL Computer Notebook computer Server Firewall Telephone Switch Router ZyWALL USG 300 User’s Guide...
  • Page 7: Safety Warnings

    • Do NOT obstruct the device ventilation slots, as insufficient airflow may harm your device. ZyWALL USG 300 User’s Guide...
  • Page 8 Safety Warnings This product is recyclable. Dispose of it properly. ZyWALL USG 300 User’s Guide...
  • Page 9: Table Of Contents

    SSL VPN ..........................367 SSL User Screens ........................377 SSL User Application Screens ....................383 SSL User File Sharing ......................385 L2TP VPN ..........................391 L2TP VPN Example ......................... 395 Application Patrol ........................ 421 Application Patrol ........................423 ZyWALL USG 300 User’s Guide...
  • Page 10 System ........................... 651 Maintenance, Troubleshooting, & Specifications ............. 693 File Manager ........................... 695 Logs ............................705 Reports ........................... 717 Diagnostics ..........................731 Reboot ............................. 733 Troubleshooting ........................735 Product Specifications ......................739 Appendices and Index ......................745 ZyWALL USG 300 User’s Guide...
  • Page 11: Table Of Contents

    2.2.4 Interface to Interface (To VPN Tunnel) ............... 60 2.3 Applications ......................... 60 2.3.1 VPN Connectivity ....................... 60 2.3.2 SSL VPN Network Access ..................61 2.3.3 User-Aware Access Control ..................62 2.3.4 Multiple WAN Interfaces ..................... 63 2.3.5 Device HA ........................63 ZyWALL USG 300 User’s Guide...
  • Page 12 5.2.2 Default Interface and Zone Configuration ..............109 5.3 Terminology in the ZyWALL ....................110 5.4 Feature Configuration Overview ..................111 5.4.1 Feature ........................111 5.4.2 Interface ........................111 5.4.3 Trunks ........................112 5.4.4 IPSec VPN ........................112 5.4.5 SSL VPN ........................112 ZyWALL USG 300 User’s Guide...
  • Page 13 6.3.3 Set Up the Policy Route for the VPN Tunnel ............130 6.3.4 Configure Security Policies for the VPN Tunnel ............132 6.4 How to Configure User-aware Access Control ..............132 6.4.1 Set Up User Accounts ....................132 6.4.2 Set Up User Groups ....................133 ZyWALL USG 300 User’s Guide...
  • Page 14 8.1.1 What You Can Do in the Registration Screens ............165 8.1.2 What you Need to Know About Service Registration ..........165 8.2 The Registration Screen ....................166 8.3 The Service Screen ......................169 Chapter 9 Signature Update ........................171 ZyWALL USG 300 User’s Guide...
  • Page 15 10.12 VLAN Interfaces ......................221 10.12.1 VLAN Overview ....................221 10.12.2 VLAN Interfaces Overview ................... 222 10.12.3 VLAN Summary Screen ..................223 10.12.4 VLAN Add/Edit ....................224 10.13 Virtual Interfaces ......................228 10.13.1 Virtual Interfaces Add/Edit ..................229 ZyWALL USG 300 User’s Guide...
  • Page 16 13.2 The RIP Screen ....................... 262 13.3 The OSPF Screen ......................263 13.3.1 Configuring the OSPF Screen ................266 13.3.2 OSPF Area Add/Edit Screen ................. 267 13.4 Routing Protocol Technical Reference ................269 Chapter 14 Zones ............................. 273 ZyWALL USG 300 User’s Guide...
  • Page 17 18.1.1 What You Can Do in the ALG Screen ..............299 18.1.2 What You Need to Know About ALG ..............300 18.1.3 Before You Begin ....................302 18.2 The ALG Screen ......................302 18.3 ALG Technical Reference ....................304 Chapter 19 IP/MAC Binding ........................ 307 ZyWALL USG 300 User’s Guide...
  • Page 18 21.3 The VPN Gateway Screen ....................346 21.3.1 The VPN Gateway Add/Edit Screen ..............347 21.4 The VPN Concentrator Screen ..................352 21.4.1 The VPN Concentrator Add/Edit Screen ..............353 21.5 The SA Monitor Screen ....................354 ZyWALL USG 300 User’s Guide...
  • Page 19 25.3.2 Saving a File ......................387 25.4 Creating a New Folder ..................... 388 25.5 Renaming a File or Folder ....................388 25.6 Deleting a File or Folder ....................389 25.7 Uploading a File ....................... 389 Chapter 26 L2TP VPN..........................391 ZyWALL USG 300 User’s Guide...
  • Page 20 28.5 Application Patrol Statistics ..................... 442 28.5.1 Application Patrol Statistics: General Setup ............442 28.5.2 Application Patrol Statistics: Bandwidth Statistics ..........442 28.5.3 Application Patrol Statistics: Protocol Statistics ............. 443 Part VI: Anti-X..................447 Chapter 29 Anti-Virus..........................449 ZyWALL USG 300 User’s Guide...
  • Page 21 30.8.1 Creating or Editing a Custom Signature ..............481 30.8.2 Custom Signature Example ................... 485 30.8.3 Applying Custom Signatures .................. 488 30.8.4 Verifying Custom Signatures .................. 488 30.9 IDP Technical Reference ....................489 Chapter 31 ADP ............................493 31.1 Overview .......................... 493 ZyWALL USG 300 User’s Guide...
  • Page 22 34.1.1 What You Can Do in the Anti-Spam Screens ............541 34.1.2 What You Need to Know About Anti-Spam ............541 34.2 Before You Begin ......................543 34.3 The Anti-Spam General Screen ..................543 34.3.1 The Anti-Spam Policy Add or Edit Screen .............. 545 ZyWALL USG 300 User’s Guide...
  • Page 23 36.3 User Group Summary Screen ..................580 36.3.1 Group Add/Edit Screen ..................581 36.4 Setting Screen ........................ 581 36.4.1 Force User Authentication Policy Add/Edit Screen ..........584 36.4.2 User Aware Login Example ..................585 36.5 User /Group Technical Reference ................... 586 ZyWALL USG 300 User’s Guide...
  • Page 24 40.3 Active Directory or LDAP Group Summary Screen ............611 40.3.1 Creating an Active Directory or LDAP Group ............611 40.4 Configuring a Default RADIUS Server ................613 40.5 Configuring a Group of RADIUS Servers ............... 614 ZyWALL USG 300 User’s Guide...
  • Page 25 44.1.3 Example: Specifying a Web Site for Access ............644 44.2 The SSL Application Screen .................... 645 44.2.1 Creating/Editing a Web-based SSL Application Object ......... 645 44.2.2 Creating/Editing a File Sharing SSL Application Object ......... 647 ZyWALL USG 300 User’s Guide...
  • Page 26 45.7.5 Secure Telnet Using SSH Examples ..............680 45.8 Telnet ..........................682 45.8.1 Configuring Telnet ....................682 45.9 FTP ..........................683 45.9.1 Configuring FTP ..................... 683 45.10 SNMP ........................... 684 45.10.1 Supported MIBs ....................686 45.10.2 SNMP Traps ......................686 ZyWALL USG 300 User’s Guide...
  • Page 27 48.4 The Anti-Virus Report Screen ..................722 48.5 The IDP Report Screen ....................723 48.6 The Content Filter Report Screen ..................725 48.7 The Anti-Spam Report Screen ..................727 48.8 The Email Daily Report Screen ..................729 ZyWALL USG 300 User’s Guide...
  • Page 28 Appendix C Displaying Anti-Virus Alert Messages in Windows..........807 Appendix D Importing Certificates..................813 Appendix E Open Software Announcements ............... 837 Appendix F Wireless LANs....................875 Appendix G Legal Information....................889 Appendix H Customer Support..................... 893 Index............................899 ZyWALL USG 300 User’s Guide...
  • Page 29: List Of Figures

    List of Figures List of Figures Figure 1 ZyWALL USG 300 Front Panel ....................53 Figure 2 Managing the ZyWALL: Web Configurator ................55 Figure 3 Applications: VPN Connectivity ....................61 Figure 4 Network Access Mode: Reverse Proxy ................... 61 Figure 5 Network Access Mode: Full Tunnel Mode ................
  • Page 30 Figure 79 System > WWW > Service Control Rule Edit ..............140 Figure 80 System > WWW (Second Example Admin Service Rule Configured) ......... 141 Figure 81 WAN to LAN H.323 Peer-to-peer Calls Example ..............141 ZyWALL USG 300 User’s Guide...
  • Page 31 Figure 121 Network > Interface > Port Grouping ................187 Figure 122 Network > Interface > Ethernet ..................188 Figure 123 Network > Interface > Ethernet > Edit ................189 Figure 124 Static DHCP ........................194 ZyWALL USG 300 User’s Guide...
  • Page 32 Figure 163 OSPF: Types of Routers ....................265 Figure 164 OSPF: Virtual Link ......................266 Figure 165 Network > Routing > OSPF ....................266 Figure 166 Network > Routing > OSPF > Edit ..................268 Figure 167 Example: Zones ......................... 273 ZyWALL USG 300 User’s Guide...
  • Page 33 Figure 207 Firewall Example: Firewall Screen ..................321 Figure 208 Firewall Example: Create an Address Object ..............321 Figure 209 Firewall Example: Create a Service Object ................ 321 Figure 210 Firewall Example: Edit a Firewall Rule ................322 ZyWALL USG 300 User’s Guide...
  • Page 34 Figure 248 SecuExtender Progress ....................380 Figure 249 Remote User Screen ......................380 Figure 250 Add Favorite ........................381 Figure 251 Logout: Prompt ........................381 Figure 252 Logout: Connection Termination Progress ................ 382 Figure 253 Application ......................... 383 ZyWALL USG 300 User’s Guide...
  • Page 35 Figure 293 Add > IP Security Policy Management > Finish ..............408 Figure 294 Create IP Security Policy ....................408 Figure 295 IP Security Policy: Name ....................409 Figure 296 IP Security Policy: Request for Secure Communication ............ 409 ZyWALL USG 300 User’s Guide...
  • Page 36 Figure 335 AppPatrol > Statistics: General Setup ................442 Figure 336 AppPatrol > Statistics: Bandwidth Statistics ............... 443 Figure 337 AppPatrol > Statistics: Protocol Statistics ................444 Figure 338 ZyWALL Anti-Virus Example ................... 449 Figure 339 Anti-X > Anti-Virus > General .................... 452 ZyWALL USG 300 User’s Guide...
  • Page 37 Figure 378 Anti-X > Content Filter > Cache ..................529 Figure 379 Content Filter Lookup Procedure ..................530 Figure 380 myZyXEL.com: Login ......................534 Figure 381 myZyXEL.com: Welcome ....................535 Figure 382 myZyXEL.com: Service Management ................536 ZyWALL USG 300 User’s Guide...
  • Page 38 Figure 422 Object > Service > Service Group ..................598 Figure 423 Object > Service > Service Group > Edit ................599 Figure 424 Object > Schedule ......................602 Figure 425 Object > Schedule > Edit (One Time) ................. 603 ZyWALL USG 300 User’s Guide...
  • Page 39 Figure 465 HTTP/HTTPS Implementation .................... 664 Figure 466 System > WWW > Service Control ..................665 Figure 467 System > Service Control Rule > Edit ................667 Figure 468 System > WWW > Login Page ................... 668 ZyWALL USG 300 User’s Guide...
  • Page 40 Figure 508 Maintenance > File Manager > Shell Script > Copy ............703 Figure 509 Maintenance > File Manager > Shell Script > Rename ............703 Figure 510 Maintenance > Log > View Log ..................706 Figure 511 Maintenance > Log > Log Setting ..................708 ZyWALL USG 300 User’s Guide...
  • Page 41 Figure 551 Internet Explorer 7: Public Key Certificate File ..............819 Figure 552 Internet Explorer 7: Open File - Security Warning .............. 819 Figure 553 Internet Explorer 7: Tools Menu ..................820 Figure 554 Internet Explorer 7: Internet Options .................. 820 ZyWALL USG 300 User’s Guide...
  • Page 42 Figure 587 Peer-to-Peer Communication in an Ad-hoc Network ............875 Figure 588 Basic Service Set ....................... 876 Figure 589 Infrastructure WLAN ......................877 Figure 590 RTS/CTS ........................... 878 Figure 591 WPA(2) with RADIUS Application Example ............... 886 Figure 592 WPA(2)-PSK Authentication ....................886 ZyWALL USG 300 User’s Guide...
  • Page 43: List Of Tables

    Table 35 Status > VPN Status ......................159 Table 36 Status > DHCP Table ......................160 Table 37 Status > Port Statistics ......................161 Table 38 Status > Port Statistics > Switch to Graphic View ..............162 ZyWALL USG 300 User’s Guide...
  • Page 44 Table 78 Least Load First Example ..................... 245 Table 79 Network > Interface > Trunk ....................247 Table 80 Network > Interface > Trunk > Add ..................248 Table 81 Network > Routing > Policy Route ..................254 ZyWALL USG 300 User’s Guide...
  • Page 45 Table 121 VPN > IPSec VPN > Concentrator > Edit ................353 Table 122 VPN > IPSec VPN > SA Monitor ..................355 Table 123 VPN Example: Matching ID Type and Content ..............359 Table 124 VPN Example: Mismatching ID Type and Content ............. 359 ZyWALL USG 300 User’s Guide...
  • Page 46 Table 164 Anti-X > ADP > General ...................... 494 Table 165 Anti-X > ADP > General > Add ................... 496 Table 166 Base Profiles ........................497 Table 167 Anti-X > ADP > Profile ......................497 ZyWALL USG 300 User’s Guide...
  • Page 47 Table 207 Object > Service > Service Group > Edit ................599 Table 208 Object > Schedule ......................602 Table 209 Object > Schedule > Edit (One Time) ................. 603 Table 210 Object > Schedule > Edit (Recurring) ................. 604 ZyWALL USG 300 User’s Guide...
  • Page 48 Table 250 System > Language ......................691 Table 251 Configuration Files and Shell Scripts in the ZyWALL ............696 Table 252 Maintenance > File Manager > Configuration File .............. 699 Table 253 Maintenance > File Manager > Firmware Package ............701 ZyWALL USG 300 User’s Guide...
  • Page 49 Table 291 Built-in Services Logs ......................776 Table 292 System Logs ........................779 Table 293 Connectivity Check Logs ....................784 Table 294 Device HA Logs ........................785 Table 295 Routing Protocol Logs ......................788 Table 296 NAT Logs ..........................790 ZyWALL USG 300 User’s Guide...
  • Page 50 Table 307 Commonly Used Services ....................803 Table 308 IEEE 802.11g ........................879 Table 309 Wireless Security Levels ..................... 880 Table 310 Comparison of EAP Authentication Types ................883 Table 311 Wireless Security Relational Matrix ..................887 ZyWALL USG 300 User’s Guide...
  • Page 51: Getting Started

    Getting Started Introducing the ZyWALL (53) Features and Applications (57) Web Configurator (65) Configuration Basics (107) Tutorials (123) Status (151) Registration (165) Signature Update (171)
  • Page 53: Introducing The Zywall

    Ethernet management interface can only be accessed from the LAN side by default. The default LAN IP address is 192.168.1.1; the default administrator login user name and password are “admin” and “1234” respectively. 1.2 Front Panel Figure 1 ZyWALL USG 300 Front Panel ZyWALL USG 300 User’s Guide...
  • Page 54: Front Panel Leds

    1.3 Management Overview You can use the following ways to manage the ZyWALL. Web Configurator The Web Configurator allows easy ZyWALL setup and management using an Internet browser. This User’s Guide provides information about the Web Configurator. ZyWALL USG 300 User’s Guide...
  • Page 55: Starting And Stopping The Zywall

    The ZyWALL writes all cached data to the local storage, stops the system processes, and then does a warm start. Using the RESET button: If you press the RESET button, the ZyWALL sets the configuration to its default values and then reboots. ZyWALL USG 300 User’s Guide...
  • Page 56 When you apply configuration files or running shell scripts, the ZyWALL does not stop or start the system processes. However, you might lose access to network resources temporarily while the ZyWALL is applying configuration files or running shell scripts. ZyWALL USG 300 User’s Guide...
  • Page 57: Features And Applications

    The ZyWALL’s firewall is a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It can also inspect sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first. ZyWALL USG 300 User’s Guide...
  • Page 58 The anti-spam feature can mark or discard spam. Use the white list to identify legitimate e- mail. Use the black list to identify spam e-mail. The ZyWALL can also check e-mail against a DNS black list (DNSBL) of IP addresses of servers that are suspected of being used by spammers. ZyWALL USG 300 User’s Guide...
  • Page 59: Packet Flow

    2.2.1 Interface to Interface (Through ZyWALL) Ethernet -> VLAN -> Encap -> ALG -> DNAT -> Routing -> FW -> IDP -> AP -> CF -> AV -> AS -> SNAT -> BWM -> Encap -> VLAN -> Ethernet ZyWALL USG 300 User’s Guide...
  • Page 60: Interface To Interface (To/From Zywall)

    2.3.1 VPN Connectivity Set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to provide secure access to your network. You can also set up additional connections to the Internet to provide better service. ZyWALL USG 300 User’s Guide...
  • Page 61: Ssl Vpn Network Access

    URL. You do not have to install additional client software on the remote user computers for access. Figure 4 Network Access Mode: Reverse Proxy (figure labels: LAN 192.168.1.X, https://, Web Mail, File Share, Web-based Application) ZyWALL USG 300 User’s Guide...
  • Page 62: User-Aware Access Control

    2.3.3 User-Aware Access Control Set up security policies that restrict access to sensitive information and shared resources based on the user who is trying to access it. Figure 6 Applications: User-Aware Access Control ZyWALL USG 300 User’s Guide...
  • Page 63: Multiple Wan Interfaces

    In either case, you can balance the loads between them. Figure 7 Applications: Multiple WAN Interfaces 2.3.5 Device HA Set up an additional ZyWALL as a backup gateway to ensure the default gateway is always available for the network. Figure 8 Applications: Device HA ZyWALL USG 300 User’s Guide...
  • Page 65: Web Configurator

    1 Make sure your ZyWALL hardware is properly connected. See the Quick Start Guide. 2 Open your web browser, and go to http://192.168.1.1. By default, the ZyWALL automatically routes this request to its HTTPS server, and it is recommended to keep this setting. The Login screen appears. ZyWALL USG 300 User’s Guide...
  • Page 66: Figure 9 Login Screen

    Follow the directions in this screen. If you change the default password, the Login screen (Figure 9 on page 66) appears after you click Apply. If you click Ignore, the main screen appears. ZyWALL USG 300 User’s Guide...
  • Page 67: Web Configurator Main Screen

    As illustrated in Figure 11 on page 67, the main screen is divided into these parts: • A - title bar • B - navigation panel • C - main window • D - status bar ZyWALL USG 300 User’s Guide...
  • Page 68: Title Bar

    IDP/AppPatrol Use this screen to schedule IDP signature updates and to update signature information immediately. System Protect Use this screen to schedule system-protect signature updates and to update signature information immediately. Network ZyWALL USG 300 User’s Guide...
  • Page 69 Use this screen to configure IPSec tunnels. VPN Gateway Use this screen to configure IKE tunnels. Concentrator Use this screen to configure VPN concentrators (hub-and-spoke VPN). SA Monitor Use this screen to monitor current IPSec VPN tunnels. ZyWALL USG 300 User’s Guide...
  • Page 70 DNSBL Use these screens to have the ZyWALL check e-mail against DNS Black Lists. Status Use this screen to see how many mail sessions the ZyWALL is currently checking and DNSBL statistics. ZyWALL USG 300 User’s Guide...
  • Page 71 Use this screen to configure the DNS server and address records for the ZyWALL. Service Control Use this screen to configure HTTP, HTTPS, and general authentication. Login Page Use this screen to configure how the login and access user screens look. ZyWALL USG 300 User’s Guide...
  • Page 72: Main Window

    Status screen. 3.3.4 Message Bar The message bar displays configuration status information. Check the message bar after you click Apply or OK to verify that the configuration has been updated. ZyWALL USG 300 User’s Guide...
  • Page 73: Figure 12 Message Bar

    Click Clear Warning Messages to remove the current warning messages from the window. 3.3.4.2 CLI Messages Click CLI to look at the CLI commands sent by the Web Configurator. These commands appear in a popup window, such as the following. ZyWALL USG 300 User’s Guide...
  • Page 74: Figure 14 Cli Messages

    Click Refresh Now to update the screen. For example, if you just enabled a particular feature, you can look at the commands the Web Configurator generated to enable it. Close the popup window when you are done with it. See the Command Reference Guide for information about the commands. ZyWALL USG 300 User’s Guide...
  • Page 75: Wizard Setup

    (see Load Balancing Algorithms on page 244 for more on load balancing). This wizard creates matching ISP account settings in the ZyWALL if you use PPPoE or PPTP. This wizard also creates a WAN trunk. ZyWALL USG 300 User’s Guide...
  • Page 76: Installation Setup, One Isp

    ISP to know what to enter in each field. Leave a field blank if you don’t have that information. Enter the Internet access information exactly as your ISP gave it to you. ZyWALL USG 300 User’s Guide...
  • Page 77: Ethernet: Auto Ip Address Assignment

    Next Click Next to continue. 4.2.1 Ethernet: Auto IP Address Assignment If you select Auto as the IP Address Assignment in the previous screen, the following screen displays. Click Next to apply the configuration settings. ZyWALL USG 300 User’s Guide...
  • Page 78: Ethernet: Static Ip Address Assignment

    89). If you want to do a more detailed registration or manage your account details, click myZyXEL.com. Alternatively, click Close to exit the wizard. 4.2.2 Ethernet: Static IP Address Assignment If you select Static as the IP Address Assignment, the following screen displays. ZyWALL USG 300 User’s Guide...
  • Page 79: Figure 18 Ethernet Encapsulation: Static

    VPN, DDNS and the time server. Enter the DNS server IP addresses. Back Click Back to return to the previous screen. Next Click Next to continue. The ZyWALL applies the configuration settings. ZyWALL USG 300 User’s Guide...
  • Page 80: Pppoe: Auto Ip Address Assignment

    Alternatively, click Close to exit the wizard. 4.2.3 PPPoE: Auto IP Address Assignment If you select Auto as the IP Address Assignment in the previous screen, the following screen displays after you click Next. ZyWALL USG 300 User’s Guide...
  • Page 81: Figure 20 Pppoe Encapsulation: Auto

    This field displays to which security zone this interface and Internet connection will belong. IP Address The ISP will assign your WAN IP address automatically. Back Click Back to return to the previous screen. Next Click Next to continue. ZyWALL USG 300 User’s Guide...
  • Page 82: Pppoe: Static Ip Address Assignment

    89). If you want to do a more detailed registration or manage your account details, click myZyXEL.com. Alternatively, click Close to exit the wizard. 4.2.4 PPPoE: Static IP Address Assignment If you select Static as the IP Address Assignment, the following screen displays. ZyWALL USG 300 User’s Guide...
  • Page 83: Figure 22 Pppoe Encapsulation: Static

    The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. The ZyWALL uses a system DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. ZyWALL USG 300 User’s Guide...
  • Page 84: Pptp: Auto Ip Address Assignment

    89). If you want to do a more detailed registration or manage your account details, click myZyXEL.com. Alternatively, click Close to exit the wizard. 4.2.5 PPTP: Auto IP Address Assignment If you select Auto as the IP Address Assignment in the previous screen, the following screen displays. ZyWALL USG 300 User’s Guide...
  • Page 85: Figure 24 Pptp Encapsulation: Auto

    Type the (static) IP address assigned to you by your ISP. IP Subnet Mask Type the subnet mask assigned to you by your ISP (if given). Server IP Type the IP address of the PPTP server. ZyWALL USG 300 User’s Guide...
  • Page 86: Figure 25 Pptp Encapsulation: Auto: Finish

    Click Back to return to the previous screen. Next Click Next to continue. The ZyWALL applies the configuration settings. Figure 25 PPTP Encapsulation: Auto: Finish You have set up your ZyWALL to access the Internet. ZyWALL USG 300 User’s Guide...
  • Page 87: Pptp: Static Ip Address Assignment

    If you select Static as the IP Address Assignment, the following screen displays. Figure 26 PPTP Encapsulation: Static The following table describes the labels in this screen. Table 12 PPTP Encapsulation: Static LABEL DESCRIPTION ISP Parameters Encapsulation This displays the type of Internet connection you are configuring. ZyWALL USG 300 User’s Guide...
  • Page 88 DNS server, you must know the IP address of a machine in order to access it. Back Click Back to return to the previous screen. Next Click Next to continue. The ZyWALL applies the configuration settings. ZyWALL USG 300 User’s Guide...
  • Page 89: Internet Access - Finish

    4.3 Device Registration Use this screen to register your ZyWALL with myZyXEL.com and activate trial periods of subscription security features if you have not already done so. You must be connected to the Internet to register. ZyWALL USG 300 User’s Guide...
  • Page 90: Figure 28 Registration

    Enter the password again for confirmation. E-Mail Address Enter your e-mail address. You can use up to 80 alphanumeric characters (periods and the underscore are also allowed) without spaces. Country Code Select your country from the drop-down box list. ZyWALL USG 300 User’s Guide...
  • Page 91: Installation Setup, Two Internet Service Providers

    Internet Service Providers (ISPs) or two different accounts with the same ISP. The configuration of the following screens is explained in Section 4.2 on page 76. Configure the First WAN Interface and click Next. ZyWALL USG 300 User’s Guide...
  • Page 92: Figure 30 Internet Access: Step 1: First Wan Interface

    After you configure the First WAN Interface, you can configure the Second WAN Interface. Click Next to continue. Figure 31 Internet Access: Step 3: Second WAN Interface After you configure the Second WAN Interface, a summary of the configuration settings displays for both WAN interfaces. ZyWALL USG 300 User’s Guide...
  • Page 93: Internet Access Wizard Setup Complete

    Well done! You have successfully set up your ZyWALL to access the Internet. 4.5 VPN Setup The VPN wizard creates corresponding VPN connection and VPN gateway settings, a policy route and address objects that you can use later in configuring more VPN connections or other features. ZyWALL USG 300 User’s Guide...
  • Page 94: Vpn Wizards

    Use the Express wizard to create a VPN connection with another ZLD-based ZyWALL using a pre-shared key and default security settings. Use the Advanced wizard to configure detailed VPN security settings such as using certificates. The VPN connection can be to another ZLD-based ZyWALL or other IPSec devices. ZyWALL USG 300 User’s Guide...
  • Page 95: Vpn Express Wizard

    Access (Client Role): Choose this to connect to an IPSec server. This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel. Back Click Back to return to the previous screen. Next Click Next to continue. ZyWALL USG 300 User’s Guide...
  • Page 96: Figure 35 Vpn Express Wizard: Step 3

    IPSec router's configured local IP address (the local IP address of the other ZyWALL). To specify IP addresses on a network by their subnet mask, type the subnet mask of the LAN behind the remote gateway. ZyWALL USG 300 User’s Guide...
  • Page 97: Figure 36 Vpn Express Wizard: Step 4

    Local Policy This is a (static) IP address and Subnet Mask on the LAN behind your ZyWALL. Remote Policy This is a (static) IP address and Subnet Mask on the network behind the remote IPSec router. If this field displays Any, only the remote IPSec router can initiate the VPN connection. ZyWALL USG 300 User’s Guide...
  • Page 98: Figure 37 Vpn Express Wizard: Step 6

    Figure 37 VPN Express Wizard: Step 6 If you have not already done so, use the myZyXEL.com link and register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Click Close to exit the wizard. ZyWALL USG 300 User’s Guide...
  • Page 99: Vpn Advanced Wizard

    Access (Client Role): Choose this to connect to an IPSec server. This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel. Back Click Back to return to the previous screen. Next Click Next to continue. ZyWALL USG 300 User’s Guide...
  • Page 100: Figure 39 Vpn Advanced Wizard: Step 3

    Mode Select Main for identity protection. Select Aggressive to allow more incoming connections from dynamic IP addresses to use separate passwords. Note: Multiple SAs (security associations) connecting through a secure gateway must have the same negotiation mode. ZyWALL USG 300 User’s Guide...
  • Page 101: Table 19 Vpn Advanced Wizard: Step 3

    ZyWALL's list of certificates. Back Click Back to return to the previous screen. Next Click Next to continue. Phase 2 in an IKE uses the SA that was established in phase 1 to negotiate SAs for IPSec. ZyWALL USG 300 User’s Guide...
  • Page 102: Figure 40 Vpn Advanced Wizard: Step 4

    AES128 uses a 128-bit key and is faster than 3DES. AES192 uses a 192-bit key and AES256 uses a 256-bit key. Select Null to have no encryption. ZyWALL USG 300 User’s Guide...
  • Page 103: Table 20 Vpn Advanced Wizard: Step 4

    Click Back to return to the previous screen. Next Click Next to continue. This read-only screen shows the status of the current VPN setting. Use the summary table to check whether what you have configured is correct. ZyWALL USG 300 User’s Guide...
  • Page 104: Figure 41 Vpn Advanced Wizard: Step 5

    VPN connection. See the commands reference guide for details on the commands displayed in this list. Back Click Back to return to the previous screen. Save Click Save to store the VPN settings on your ZyWALL. ZyWALL USG 300 User’s Guide...
  • Page 105: Vpn Advanced Wizard - Finish

    Now you can use the VPN tunnel. Figure 42 VPN Wizard: Step 6: Advanced If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Click Close to exit the wizard. ZyWALL USG 300 User’s Guide...
  • Page 106 Chapter 4 Wizard Setup ZyWALL USG 300 User’s Guide...
  • Page 107: Configuration Basics

    If you are in a screen that uses objects, you can also usually select Create Object to open a screen where you can configure a new object. For a list of common objects, see Section 5.5 on page 118.
  • Page 108: Zones, Interfaces, And Physical Ports

    (data link, MAC address) level. Then, you can configure the IP address and subnet mask of the bridge. It is also possible to configure zone-level security between the member interfaces in the bridge.
  • Page 109: Default Interface And Zone Configuration

    192.168.3.1 (ge5), DHCP server disabled - Public servers (such as web, e-mail and FTP); WLAN 10.59.0.1, DHCP server enabled - Wireless access points; None, DHCP server disabled - Optional; None, None - Auxiliary modem; CONSOLE N/A, None, None - Local management
  • Page 110: Terminology In The ZyWALL

    IPSec VPN Table 27 Bandwidth Management: Differences Between the ZyWALL and ZyNOS. ZYNOS FEATURE / SCREEN - ZYWALL FEATURE / SCREEN: Interface bandwidth management (outbound) - Interface; OSI level-7 bandwidth management - Application patrol; General bandwidth management - Policy route
  • Page 111: Feature Configuration Overview

    DDNS entries, so there is no WHERE USED entry. 5.4.2 Interface Section 5.2 on page 108 for background information. When you create an interface, there is no security applied on it until you assign it to a zone.
  • Page 112: Trunks

    PREREQUISITES Interfaces, SSL application, users, user groups, addresses (network list, IP pool for assigning to clients, DNS and WINS server addresses), to-ZyWALL firewall, firewall. WHERE USED Policy routes, zones. Example: See Chapter 6 on page 123.
  • Page 113: L2TP VPN

    PREREQUISITES Interfaces (with a static IP address), to-ZyWALL firewall. Example: See Chapter 6 on page 123. 5.4.9 DDNS Dynamic DNS maps a domain name to a dynamic IP address. The ZyWALL helps maintain this mapping. MENU ITEM(S) Network > DDNS. PREREQUISITES Interface.
  • Page 114: Policy Routes

    FTP traffic. 5.4.11 Static Routes Use static routes to tell the ZyWALL about networks not directly connected to the ZyWALL. MENU ITEM(S) Network > Routing > Static Route. PREREQUISITES Interfaces.
  • Page 115: Firewall

    PREREQUISITES (source, destination). These are only used as criteria in exceptions and conditions. Example: Suppose you want to allow vice president Bob to use BitTorrent and block everyone else from using it.
  • Page 116: Anti-Virus

    (or groups) can access what content and at what times. You must have a subscription in order to use the category-based content filtering. You can subscribe using the menu item or one of the wizards. MENU ITEM(S) Anti-X > Content Filter. PREREQUISITES Registration, addresses (source), schedules, users, user groups.
  • Page 117: Anti-Spam

    5 In the Mapped IP field, list the IP address of the FTP server. The ZyWALL will forward the packets received for the original IP address. 6 In Mapping Type, select Port. 7 Enter 21 in both the Original and the Mapped Port fields.
  • Page 118: HTTP Redirect

    Policy routes (criteria), firewall, application patrol (source, destination), content filter, user settings (force user authentication), address groups, remote management (System). service, service group: Policy routes (criteria, port triggering), firewall, service groups, log (criteria).
  • Page 119: User/Group

    Use Host Name to configure the system and domain name for the ZyWALL. Use Date/Time to configure the current date, time, and time zone in the ZyWALL. Use Console Speed to set the console speed. Use Language to select a language for the Web Configurator screens.
  • Page 120: DNS, WWW, SSH, Telnet, FTP, SNMP, Dial-In Mgmt, Vantage CNM

    Use these screens to register your ZyWALL and subscribe to services like anti-virus, IDP and application patrol, more SSL VPN tunnels, and content filtering. You must have Internet access to myZyXEL.com. MENU ITEM(S) Licensing > Registration. PREREQUISITES Internet access to myZyXEL.com.
  • Page 121: Licensing Update

    MENU ITEM(S) Maintenance > Log, Report. 5.6.6 Diagnostics The ZyWALL can generate a file containing the ZyWALL’s configuration and diagnostic information. MENU ITEM(S) Maintenance > Diagnostics.
  • Page 122 Chapter 5 Configuration Basics
  • Page 123: Tutorials

    • This example uses a limited number of DMZ servers that need full wire speed communication with each other, so ports P4 and P5 are combined into a ge4 interface port group. It uses IP address 192.168.2.1. Figure 45 Ethernet Interface, Port Grouping, and Zone Configuration Example
  • Page 124: Configure A WAN Ethernet Interface

    Here is how to combine physical ports P4 and P5 into the ge4 interface port group. 1 Click Network > Interface > Port Grouping. 2 Drag physical port 5 onto representative interface ge4, as shown next.
  • Page 125: How To Configure Load Balancing

    Internet connection (100 Mbps) while ge2 and ge3 have just 1 Mbps each. You want the ZyWALL to use ge7 for most Internet traffic and only use interfaces ge2 and ge3 for any traffic that exceeds what ge7 can handle.
  • Page 126: Set Up Available Bandwidth On Ethernet Interfaces

    1 Click Network > Interface > Trunk. Click WAN_TRUNK’s Edit icon. 2 In the Load Balancing Algorithm field, select Spillover. After the screen refreshes, click the Add icon at the top of the right-hand column.
  • Page 127: How To Set Up An IPSec VPN Tunnel

    Figure 53 Network > Interface > Trunk > WAN_TRUNK > Edit > Add 4 Click OK. Figure 54 Network > Interface > Trunk > WAN_TRUNK > Edit (Done) 6.3 How to Set Up an IPSec VPN Tunnel This example shows how to create the following VPN tunnel.
  • Page 128: Set Up The VPN Gateway

    2 Give the VPN gateway a name (“VPN_GW_EXAMPLE”). For My Address, select Interface and ge7. For the Peer Gateway Address, select Static Address and enter 2.2.2.2 in field 1. For the Authentication, select Pre-Shared Key and enter 12345678. Click OK.
  • Page 129: Set Up The VPN Connection

    3 Click VPN > IPSec VPN > VPN Connection. Click the Add icon. 4 Give the VPN connection a name (“VPN_CONN_EXAMPLE”). Under VPN Gateway select Site-to-site and the VPN gateway (VPN_GW_EXAMPLE). Under Policy, select LAN_SUBNET for the local network and VPN_REMOTE_SUBNET for the remote. Click OK.
  • Page 130: Set Up The Policy Route For The VPN Tunnel

    1 Click Network > Routing > Policy Route. You want this policy route to have higher priority than the default policy route for the trunk, so click the Add icon at the top of the column, not the one next to the existing policy route.
  • Page 131: Figure 59 Network > Routing > Policy Route

    To trigger the VPN, either try to connect to a device on the peer IPSec router’s LAN or click VPN > IPSec VPN > VPN Connection and use the VPN connection screen’s Connect icon.
  • Page 132: Configure Security Policies For The VPN Tunnel

    1 Click Object > User/Group > User. Click the Add icon. 2 Enter the same user name that is used in the RADIUS server, and set the User Type to Ext-User because this user account is authenticated by an external server. Click OK.
  • Page 133: Set Up User Groups

    Finally, force users to log in to the ZyWALL before it routes traffic for them. 1 Click Object > AAA Server > RADIUS > Default. Configure the RADIUS server, and click Apply.
  • Page 134: Figure 63 Object > AAA Server > RADIUS > Default

    ZyWALL routes traffic for them. Select Enable. Then, select force in the Authentication field. Keep the rest of the default settings, and click OK. The users will have to log in using the Web Configurator login screen before they can use HTTP or MSN.
  • Page 135: Set Up Web Surfing Policies With Bandwidth Restrictions

    1 Click AppPatrol. If application patrol and bandwidth management are not enabled, enable them, and click Apply. Figure 67 AppPatrol > General 2 Click the Common tab and then the Edit icon next to the default http service.
  • Page 136: Figure 68 AppPatrol > Common

    Inbound and Outbound fields. Click OK. Repeat this process to add exceptions for all the other user groups that are allowed to browse the web.
  • Page 137: Set Up MSN Policies

    1 Click Firewall. In From Zone, select LAN; in To Zone, select DMZ and click Refresh. The default rule for LAN-to-DMZ traffic allows all traffic. You want to limit access to specific groups, so change the default rule first. Click the Add icon next to it.
  • Page 138: Figure 73 Firewall > LAN To DMZ

    4 Select one of the user groups that is allowed to access the DMZ, and click OK. Figure 75 Firewall > Add 5 Repeat this process to set up firewall rules for the other user groups that are allowed to access the DMZ.
  • Page 139: How To Configure Service Control

    This example configures service control to block administrator HTTPS access from all zones except the LAN. 1 Click System > WWW. 2 In HTTPS Admin Service Control, click the Add icon. Figure 76 System > WWW 3 In the Zone field select LAN and click OK.
  • Page 140: Figure 77 System > WWW > Service Control Rule Edit

    Figure 78 System > WWW (First Example Admin Service Rule Configured) 5 In the Zone field select ALL and set the Action to Deny. Click OK. Figure 79 System > WWW > Service Control Rule Edit 6 Click Apply.
  • Page 141: How To Allow Incoming H.323 Peer-To-Peer Calls

    (port forwarding) and firewall rules to have the ZyWALL forward H.323 traffic destined for ge2 IP address 10.0.0.8 to an H.323 device located on the LAN and using IP address 192.168.1.56. Figure 81 WAN to LAN H.323 Peer-to-peer Calls Example
  • Page 142: Turn On The ALG

    1 Use Object > Address > Add to create address objects for the private and public IP addresses (WAN_IP-for-H323 and LAN_H323) as shown next. Figure 83 Create Address Objects 2 Click Network > Virtual Server > Add. 3 Configure the screen as follows and click OK.
  • Page 143: Set Up A Firewall Rule For H.323

    Figure 85 Firewall: WAN to LAN 3 Configure the screen as follows and click OK. LAN_H323 is the destination because the ZyWALL applies the virtual server to traffic before applying the firewall rule.
  • Page 144: How To Use Active-Passive Device HA

    Each ZyWALL’s ge1 interface also has a separate management IP address that stays the same whether the ZyWALL functions as the master or a backup. ZyWALL A’s management IP address is 192.168.1.3 and ZyWALL B’s is 192.168.1.5.
  • Page 145: Before You Start

    3 Set the Device Role to Master. This example focuses on the connection from the LAN (ge1) to the Internet through the ge2 interface, so turn on monitoring for the ge1 and ge2 interfaces. Enter a Synchronization Password (“mySyncPassword” in this example) and click Apply.
  • Page 146: Configure The Backup ZyWALL

    2 In ZyWALL B click Device HA > Active-Passive Mode. Click ge1’s Edit icon. 3 Configure 192.168.1.5 as the Management IP and 255.255.255.0 as the Subnet Mask. Click OK.
  • Page 147: Figure 92 Device HA > Active-Passive Mode > Edit: Backup ZyWALL Example

    “mySyncPassword”. Select Auto Synchronize and set the Interval to 60. Click Apply. Figure 93 Device HA > Active-Passive Mode: Backup ZyWALL Example 5 Click the General tab. Turn on device HA and click Apply.
  • Page 148: Deploy The Backup ZyWALL

    Internet (the WAN zone). You will use a public IP address of 1.1.1.2 on the ge3 interface and map it to the HTTP server’s private IP address of 192.168.3.7. Figure 95 Public Server Example Network Topology
  • Page 149: Create The Address Objects

    • Select Add corresponding Policy Route rule for NAT Loopback to allow local users to use a domain name to access the HTTP server. See NAT Loopback Example on page 291 for details.
  • Page 150: Figure 98 Creating The Virtual Server

    Now the public can go to IP address 1.1.1.2 to access the HTTP server. If a domain name is registered for IP address 1.1.1.2, users can just go to the domain name to access the web server.
  • Page 151: Status

    The Status screen displays when you log into the ZyWALL or click Status. Use this screen to look at the ZyWALL’s general device information, system status, system resource usage, licensed service status, and interface status.
  • Page 152: Figure 99 Status

    Version This field displays the version number and date of the firmware the ZyWALL is currently running. Click the icon to open the screen where you can upload firmware. Section 46.3 on page 700. System Resources
  • Page 153 Click the Disconnect icon to stop a PPPoE/PPTP or auxiliary interface’s connection. Extension Slot This section of the screen displays the status of the extension card slot and the USB ports. Slot This field displays the name of each extension slot.
  • Page 154 Signature Version This field displays the version number, date, and time of the current set of signatures the ZyWALL is using. Last Update Time This field displays the last time the ZyWALL received updated signatures.
  • Page 155: The CPU Usage Screen

    This is the name of the virus that the ZyWALL has detected. 7.2.1 The CPU Usage Screen Use this screen to look at a chart of the ZyWALL’s recent CPU usage. To access this screen, click CPU Usage in the Status screen.
  • Page 156: The Memory Usage Screen

    Click this to update the information in the window right away. 7.2.2 The Memory Usage Screen Use this screen to look at a chart of the ZyWALL’s recent memory (RAM) usage. To access this screen, click Memory Usage in the Status screen.
  • Page 157: The Session Usage Screen

    Click this to update the information in the window right away. 7.2.3 The Session Usage Screen Use this screen to look at a chart of the ZyWALL’s recent traffic session usage. To access this screen, click Session Usage in the Status screen.
  • Page 158: The VPN Status Screen

    Click this to update the information in the window right away. 7.2.4 The VPN Status Screen Use this screen to look at the VPN tunnels that are currently established. To access this screen, click VPN Status in the Status screen.
  • Page 159: The DHCP Table Screen

    Use this screen to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses. To access this screen, click the icon beside DHCP Table in the Status screen. Figure 104 Status > DHCP Table
  • Page 160: The Port Statistics Screen

    Click this to update the screen immediately. 7.2.6 The Port Statistics Screen Use this screen to look at packet statistics for each Gigabit Ethernet port. To access this screen, click Port Statistics in the Status screen.
  • Page 161: Figure 105 Status > Port Statistics

    Set Interval Click this to set the Poll Interval the screen uses. Stop Click this to stop the window from updating automatically. You can start it again by setting the Poll Interval and clicking Set Interval.
  • Page 162: The Port Statistics Graph Screen

    This field displays how long the ZyWALL has been running since it last restarted or was turned on. Refresh Interval Enter how often you want this window to be automatically updated. Refresh Now Click this to update the information in the window right away.
  • Page 163: The Current Users Screen

    This field displays the way the user logged in to the ZyWALL. IP address This field displays the IP address of the computer used to log in to the ZyWALL. Force Logout Click this icon to end a user’s session.
  • Page 164 Chapter 7 Status
  • Page 165: Registration

    ZyWALL’s serial number and LAN MAC address to register it. Refer to the web site’s online help for details. To activate a service on a ZyWALL, you need to access myZyXEL.com via that ZyWALL.
  • Page 166: The Registration Screen

    8.2 The Registration Screen Use this screen to register your ZyWALL with myZyXEL.com and activate a service, such as content filtering. Click Licensing > Registration in the navigation panel to open the screen as shown next.
  • Page 167: Figure 108 Licensing > Registration

    Select the check box to activate a trial service subscription. The trial period starts the day you activate the trial. After the trial expires, you can buy an iCard and enter the license key in the Registration Service screen to extend the service.
  • Page 168: Figure 109 Licensing > Registration: Registered Device

    (if any). You can still select the unchecked trial service(s) to activate it after registration. Use the Service screen to update your service subscription status. Figure 109 Licensing > Registration: Registered Device
  • Page 169: The Service Screen

    (specific to your ZyWALL) and enter the new PIN number to extend the service. Service License Refresh Click this button to renew service license information (such as the registration status and expiration day).
  • Page 170 Chapter 8 Registration
  • Page 171: Signature Update

    • Your custom signature configurations are not overwritten when you download new signatures. The ZyWALL does not have to reboot when you upload new signatures. 9.2 The Antivirus Update Screen Click Licensing > Update > Anti-Virus to display the following screen.
  • Page 172: Figure 111 Licensing > Update > Anti-Virus

    The time format is the 24-hour clock, so ‘23’ means 11PM for example. Weekly Select this option to have the ZyWALL check for new signatures once a week on the day and at the time specified.
  • Page 173: The IDP/AppPatrol Update Screen

    Older signatures and rules may be removed if they are no longer applicable or have been supplanted by newer ones. Released Date This field displays the date and time the set was released.
  • Page 174: The System Protect Update Screen

    Click this button to return the screen to its last-saved settings. Figure 113 Downloading IDP Signatures Figure 114 Successful IDP Signature Download 9.4 The System Protect Update Screen Click Licensing > Update > System Protect to display the following screen.
  • Page 175: Figure 115 Licensing > Update > System Protect

    The time format is the 24-hour clock, so ‘23’ means 11PM for example. Weekly Select this option to have the ZyWALL check for new signatures once a week on the day and at the time specified.
  • Page 176: Figure 116 Downloading System Protect Signatures

    Click this button to save your changes to the ZyWALL. Reset Click this button to return the screen to its last-saved settings. Figure 116 Downloading System Protect Signatures Figure 117 Successful System Protect Signature Download
  • Page 177: Network

    Network Interface (179) Trunks (243) Policy and Static Routes (251) Routing Protocols (261) Zones (273) DDNS (277) Virtual Servers (283) HTTP Redirect (295) ALG (299) IP/MAC Binding (307)
  • Page 179: Interface

    Ethernet interfaces to tell the ZyWALL where to route packets. You can create virtual Ethernet interfaces, virtual VLAN interfaces, and virtual bridge interfaces. • Use the Trunks screens (Chapter 11 on page 243) to configure load balancing.
  • Page 180: What You Need To Know About Interfaces

    • The auxiliary interface, along with an external modem, provides an interface the ZyWALL can use to dial out. This interface can be used as a backup WAN interface, for example. The auxiliary interface controls the AUX port. • Trunks manage load balancing between interfaces.
  • Page 181: Table 44 Ethernet, VLAN, Bridge, PPPoE/PPTP, And Virtual Interfaces Characteristics

    REQUIRED PORT / INTERFACE: auxiliary interface - auxiliary port; port group - physical port; Ethernet interface - physical port, port group; VLAN interface - Ethernet interface; bridge interface - Ethernet interface*, VLAN interface*; PPPoE/PPTP interface - Ethernet interface*, VLAN interface*, bridge interface
  • Page 182: Interface Summary Screen

    Chapter 11 on page 243 to configure load balancing using trunks. 10.2 Interface Summary Screen This screen lists all of the ZyWALL’s interfaces and gives packet statistics for them. Click Network > Interface to access this screen.
  • Page 183: Figure 118 Network > Interface > Interface Summary

    This field displays the name of each interface. Click + or - in the heading cell to display or hide all virtual interfaces. Click a name’s + or - to display or hide the virtual interfaces on top of that interface.
  • Page 184 DHCP request to a DHCP server. Click the Connect icon to try to connect the auxiliary interface or a PPPoE/PPTP interface. If the interface cannot use one of these ways to get or to update its IP address, this field displays n/a.
  • Page 185: Port Grouping

    • There is a layer-2 Ethernet switch between physical ports in the port group. This provides wire-speed throughput but no security. • It can increase the bandwidth between the port group and other interfaces. In the example below, you might combine physical ports 3 and 4 into port group ge3.
  • Page 186: Port Grouping Screen

    The Ethernet interface is still displayed in the screen, however, and the existing configuration remains. 10.3.2 Port Grouping Screen Define the relationship between physical ports, port groups, and Ethernet interfaces in the Port Grouping screen. To access this screen, click Network > Interface > Port Grouping.
  • Page 187: Ethernet Summary Screen

    Click this button to change the port groups to their current configuration (last-saved values). 10.4 Ethernet Summary Screen This screen lists every Ethernet interface and virtual interface created on top of Ethernet interfaces. To access this screen, click Network > Interface.
  • Page 188: Ethernet Edit

    The Ethernet Edit screen lets you configure IP address assignment, interface parameters, RIP settings, OSPF settings, DHCP settings, and ping check settings. To access this screen, click an Edit icon in the Ethernet Summary screen. (See Section 10.4 on page 187.)
  • Page 189: Figure 123 Network > Interface > Ethernet > Edit

    Chapter 10 Interface Figure 123 Network > Interface > Ethernet > Edit
  • Page 190: Table 49 Network > Interface > Ethernet > Edit

    Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the ZyWALL divides it into smaller fragments. Allowed values are 576 - 1500. Usually, this value is 1500.
  • Page 191 If this field is blank, the Pool Size must also be blank. In this case, the ZyWALL can assign every IP address allowed by the interface’s IP address and subnet mask, except for the first address (network address), last address (broadcast address) and the interface’s IP address.
  • Page 192 This field is effective when RIP is enabled. Select the RIP direction from the drop-down list box. BiDir - This interface sends and receives routing information. In-Only - This interface receives routing information. Out-Only - This interface sends routing information.
  • Page 193 It will not change unless you change the setting or upload a different configuration file. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving.
  • Page 194: The Static DHCP Screen

    10.6 The PPP Interfaces Screen Use PPP interfaces (PPPoE/PPTP interfaces) to connect to your ISP so you do not have to install or manage PPPoE or PPTP software on each computer in the network. Figure 125 Example: PPPoE/PPTP Interfaces
  • Page 195: Figure 126 Network > Interface > PPP

    Dial-on-Demand PPPoE/PPTP interface. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 196: PPP Interface Edit Screen

    This screen lets you configure new or existing PPPoE/PPTP interfaces. To access this screen, click the Edit icon in the PPP Interface screen. The PPP interface Edit > Configuration screen is shown here as an example. Figure 127 Network > Interface > PPP > Add > Configuration
  • Page 197: Table 52 Network > Interface > PPP > Edit > Configuration

    Allowed values are 0 - 1048576. Ingress Bandwidth This is reserved for future use. Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can receive from the network through the interface. Allowed values are 0 - 1048576.
  • Page 198: Cellular Configuration Screen (3G)

    It allows fast transfer of voice and non-voice data and provides broadband Internet access to mobile devices. ZyWALL USG 300 User’s Guide...
  • Page 199: Table 53 2G, 2.5G, 2.75G, 3G And 3.5G Wireless Technologies

    To change your 3G WAN settings, click Network > Interface > Cellular. Install (or connect) a compatible 3G card to use a cellular connection. See Chapter 52 on page 739 for details. ZyWALL USG 300 User’s Guide...
  • Page 200: Cellular Add/Edit Screen

    10.7.1 Cellular Add/Edit Screen To change your 3G settings, click Network > Interface > Cellular > Add (or Edit). In the pop-up window that displays, select the slot that you want to configure. The following screen displays. ZyWALL USG 300 User’s Guide...
  • Page 201: Figure 129 Interface > Cellular > Add

    Chapter 10 Interface Figure 129 Interface > Cellular > Add ZyWALL USG 300 User’s Guide...
  • Page 202: Table 55 Interface > Cellular > Add

    Use the drop-down list box to select an authentication protocol for outgoing calls. Options are: None: No authentication for outgoing calls. CHAP - Your ZyWALL accepts CHAP requests only. PAP - Your ZyWALL accepts PAP requests only. ZyWALL USG 300 User’s Guide...
  • Page 203 Check Period Enter the number of seconds between connection check attempts. Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure. ZyWALL USG 300 User’s Guide...
  • Page 204 3.5G network (respectively). You may want to do this if you want to make sure the interface does not use the GSM network. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. ZyWALL USG 300 User’s Guide...
  • Page 205: Cellular Status Screen

    This field is a sequential value, and it is not associated with any interface. Extension Slot This field displays where the entry’s cellular card is located. Connected Device This field displays the model name of the cellular card. ZyWALL USG 300 User’s Guide...
  • Page 206 This displays the strength of the signal. The signal strength mainly depends on the antenna output power and the distance between your ZyWALL and the service provider’s base station. More Info. This field displays other details about the 3G connection. ZyWALL USG 300 User’s Guide...
  • Page 207: Wlan Interface General Screen

    Security stops unauthorized devices from using the wireless network and can protect the information that is sent in the wireless network. Click Network > Interface > WLAN to open the following screen. See Appendix F on page for more details on wireless LANs. ZyWALL USG 300 User’s Guide...
  • Page 208: Figure 132 Network > Interface > Wlan

    Set the RTS/CTS equal to or higher than the fragmentation threshold to turn RTS/CTS off. Fragmentation This is the threshold (number of bytes) for the fragmentation boundary for directed Threshold messages. It is the maximum data fragment size that can be sent. ZyWALL USG 300 User’s Guide...
  • Page 209: Wlan Add/Edit Screen

    LEVEL Weakest No Security MAC Address Filtering WEP Encryption IEEE 802.1x EAP with RADIUS Server Authentication WPA-PSK (Wi-Fi Protected Access Pre-Shared Key) WPA (Wi-Fi Protected Access) Strongest WPA-PSK2 WPA2 WPA2 or WPA2-PSK security is recommended. ZyWALL USG 300 User’s Guide...
  • Page 210 Click Network > Interface > WLAN > Add (or Edit) to open the WLAN Edit screen. The screen varies according to the security features you select. It displays as shown next when you set the Security Type to none. ZyWALL USG 300 User’s Guide...
  • Page 211: Figure 133 Network > Interface > Wlan > Add (No Security)

    Chapter 10 Interface. Figure 133 Network > Interface > WLAN > Add (No Security)
  • Page 212: Table 59 Network > Interface > Wlan > Add (No Security)

    Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network. Interface Parameters: Click Advanced to display more settings. Click Basic to display fewer settings.
  • Page 213 First WINS Server, Second WINS Server: the WINS server(s) you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using.
  • Page 214 This field is available if the Authentication is MD5. MD5 Authentication: Type the password for MD5 authentication. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.
  • Page 215: Wlan Add/Edit Screen: Wep Security

    To configure and enable WEP encryption, click Network > Interface > WLAN > Add (or Edit) to open the WLAN Edit screen. Select WEP as the Security Type. The following screen shows the WEP security fields. Figure 134 Network > Interface > WLAN > Add (WEP Security)
  • Page 216: Wlan Add/Edit Screen: Wpa-Psk/Wpa2-Psk Security

    The default time interval is 1800 seconds (30 minutes). Alternatively, enter “0” to turn reauthentication off. Note: If a RADIUS server authenticates wireless stations, the reauthentication timer on the RADIUS server has priority.
  • Page 217: Wlan Add/Edit Screen: Wpa/Wpa2 Security

    The ZyWALL’s default configuration also includes an authentication method object named “default” that you can use. You can configure the “default” authentication method object, but its default configuration uses the ZyWALL’s local database for authentication.
  • Page 218: Wlan Interface Mac Filter Screen

    (allow association) or block specific devices from accessing the ZyWALL (deny association) based on the devices’ MAC addresses. To display your ZyWALL’s MAC filter settings, click Network > Interface > WLAN > MAC Filter. The screen appears as shown.
  • Page 219: Mac Filter Add/Edit Screen

    To change your ZyWALL’s MAC filter settings, click Network > Interface > WLAN > MAC Filter > Add (or Edit). The screen appears as shown when you click Add. You cannot edit the MAC address if you click Edit.
  • Page 220: Wlan Interface Station Monitor Screen

    MAC Address: This displays the MAC address (in XX:XX:XX:XX:XX:XX format) of a connected wireless station. Strength: This displays the strength of the wireless client’s radio signal. The signal strength mainly depends on the antenna output power and the wireless client’s distance from the ZyWALL.
  • Page 221: Vlan Interfaces

    In this example, there are two physical networks and three departments A, B, and C. The physical networks are connected to hubs, and the hubs are connected to the router. Alternatively, you can divide the physical networks into three VLANs.
  • Page 222: Vlan Interfaces Overview

    VLAN interfaces, but it does not route traffic within a VLAN interface. All traffic for each VLAN interface can go through only one Ethernet interface, though each Ethernet interface can have one or more VLAN interfaces.
  • Page 223: Vlan Summary Screen

    To remove an interface, click the Remove icon next to it. The ZyWALL confirms you want to remove it before doing so. To activate or deactivate an interface, click the Active icon next to it. Make sure you click Apply to save and apply the change.
  • Page 224: Vlan Add/Edit

    VLAN interface. To access this screen, click the Add icon at the top of the Add column or click an Edit icon next to a VLAN interface in the VLAN Summary screen. The following screen appears.
  • Page 225: Figure 143 Network > Interface > Vlan > Edit

    Each field is explained in the following table. Table 67 Network > Interface > VLAN > Edit. General Settings: Enable Interface: Select this to turn this interface on. Clear this to disable this interface. Interface Properties:
  • Page 226 ZyWALL stops routing to the gateway. The ZyWALL resumes routing to the gateway the first time the gateway passes the connectivity check.
  • Page 227 If this field is blank, the IP Pool Start Address must also be blank. In this case, the ZyWALL can assign every IP address allowed by the interface’s IP address and subnet mask, except for the first address (network address), last address (broadcast address) and the interface’s IP address.
  • Page 228: Virtual Interfaces

    Virtual VLAN interfaces recognize and use the same VLAN ID. Otherwise, there is no difference between each type of virtual interface. Network policies (for example, firewall rules) that apply to the underlying interface automatically apply to the virtual interface as well.
  • Page 229: Virtual Interfaces Add/Edit

    Enter the IP address of the gateway. The ZyWALL sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface.
  • Page 230: Bridge Interfaces

    MAC address is located, it sends the packet to that port. If the destination MAC address is not in the table, the bridge broadcasts the packet on every port (except the one on which it was received).
  • Page 231: Bridge Interface Overview

    In this example, virtual Ethernet interface ge1:1 is also removed from the routing table when ge1 is added to br0. Virtual interfaces are automatically added to or removed from a bridge interface when the underlying interface is added or removed.
  • Page 232: Bridge Summary

    To access this screen, click the Add icon at the top of the Add column in the Bridge Summary screen, or click an Edit icon in the Bridge Summary screen. The following screen appears.
  • Page 233: Figure 146 Network > Interface > Bridge > Edit

    Chapter 10 Interface. Figure 146 Network > Interface > Bridge > Edit
  • Page 234: Table 73 Network > Interface > Bridge > Edit

    Configure WAN TRUNK: Click WAN TRUNK to go to a screen where you can configure the interface as part of a WAN trunk for load balancing. Configure Policy Route: Click Policy Route to go to the screen where you can manually configure a policy route to associate traffic with this interface.
  • Page 235 DNS Server: From ISP - select the DNS server that another interface received from its DHCP server. ZyWALL - the DHCP clients use the IP address of this interface and the ZyWALL works as a DNS relay.
  • Page 236 This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check. OK: Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving.
  • Page 237: Auxiliary Interface

    When the ZyWALL hangs up the call, it drops the Data Terminal Ready (DTR) signal and issues the command
    10.15.2 Configuring the Auxiliary Interface. Use the Auxiliary screen to configure the ZyWALL’s auxiliary interface. Click Network > Interface > Auxiliary to open it.
  • Page 238: Figure 147 Network > Interface > Auxiliary

    (+). Use a comma to pause during dialing. Use a plus sign to tell the external modem to make an international call. User Name: Enter the user name required for authentication. Password: Enter the password required for authentication.
  • Page 239: Interface Technical Reference

    In most interfaces, you can enter the IP address and subnet mask manually. In PPPoE/PPTP interfaces, however, the subnet mask is always 255.255.255.255 because it is a point-to-point interface. For these interfaces, you can only enter the IP address.
  • Page 240: Table 76 Example: Routing Table Entry For A Gateway

    On the other hand, some communication channels, such as Ethernet over ATM, might not be able to handle large data packets. At the time of writing, the ZyWALL does not support ingress bandwidth management.
  • Page 241: Table 77 Example: Assigning Ip Addresses From A Pool

    • Subnet mask - The interface provides the same subnet mask you specify for the interface. See IP Address Assignment on page 239. • Gateway - The interface provides the same gateway you specify for the interface. See IP Address Assignment on page 239.
  • Page 242 1 The first one runs on TCP port 1723. It is used to start and manage the second one. 2 The second one uses Generic Routing Encapsulation (GRE, RFC 2890) to transfer information between the computers. PPTP is convenient and easy to use, but you have to make sure that firewalls support both PPTP sessions.
  • Page 243: Trunks

    If one interface’s connection goes down, the ZyWALL can automatically send its traffic through another interface. You can also use trunks with policy routing to send specific traffic types through the best WAN interface for that type of traffic.
  • Page 244: Figure 149 Link Sticking

    ZyWALL refers to the actual bandwidth provided by the ISP and the measured bandwidth refers to the bandwidth an interface is currently using. In the load balancing section, a session may refer to normal connection-oriented, UDP and SNMP2 traffic.
  • Page 245: Figure 150 Least Load First Example

    512K. You can set the ZyWALL to distribute the network traffic between the two interfaces by setting the weight of ge2 and ge3 to 2 and 1 respectively. The ZyWALL assigns the traffic of two sessions to ge2 for every session’s traffic assigned to ge3.
  • Page 246: The Trunk Summary Screen

    11.2 The Trunk Summary Screen. Click Network > Interface > Trunk to open the Trunk screen. This screen lists the configured trunks and the load balancing algorithm that each is configured to use.
  • Page 247: Configuring A Trunk

    Reset: Click this button to return the screen to its last-saved settings. 11.3 Configuring a Trunk. Click Network > Interface > Trunk and then the Add (or Edit) icon to open the Trunk Edit screen.
  • Page 248: Figure 154 Network > Interface > Trunk > Add

    Egress Bandwidth: This field displays with the least load first or spillover load balancing algorithm. It displays the maximum number of kilobits of data the ZyWALL is to send out through the interface per second.
  • Page 249: Trunk Technical Reference

    The next queue is given an equal amount of bandwidth, and then moves to the end of the list; and so on, depending on the number of queues being used. This works in a looping fashion until a queue is empty.
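    The weighted round robin described on pages 245 and 249, worked through as an added example (this is not code from the ZyXEL guide). The member names ge2 and ge3 and the weights 2 and 1 are the guide’s; the TrunkMember class, the per-round credit counter, set_link() and the rule that a member whose connectivity check failed is skipped (page 243) are assumptions made here.

```python
"""Weighted round-robin session assignment across trunk members.

Added example for this page, not ZyXEL code. It models the behaviour the
guide describes: with ge2 weighted 2 and ge3 weighted 1, two new sessions
go to ge2 for every one that goes to ge3, and a member whose connectivity
check fails is skipped so its share falls back to the members still up.
Interface names and weights come from the guide; the TrunkMember class,
the per-round credit counter and set_link() are assumptions.
"""
from dataclasses import dataclass


@dataclass
class TrunkMember:
    name: str
    weight: int        # relative share of new sessions per round
    up: bool = True    # last connectivity-check result
    credit: int = 0    # sessions this member may still take this round


class WeightedRoundRobinTrunk:
    def __init__(self, members):
        if not members or any(m.weight < 1 for m in members):
            raise ValueError("a trunk needs at least one member with weight >= 1")
        self.members = list(members)
        self._new_round()

    def _new_round(self):
        for m in self.members:
            m.credit = m.weight

    def _eligible(self):
        return [m for m in self.members if m.up and m.credit > 0]

    def set_link(self, name, up):
        """Record a connectivity-check result for one member."""
        next(m for m in self.members if m.name == name).up = up

    def assign(self):
        """Choose the interface for the next new session (first eligible
        member in configured order, so the credits are spent as ge2, ge2, ge3)."""
        if not any(m.up for m in self.members):
            raise RuntimeError("no trunk member is up")
        if not self._eligible():
            self._new_round()          # all credit spent, or only down members have credit
        member = self._eligible()[0]
        member.credit -= 1
        return member.name

    def distribute(self, sessions):
        """Interface chosen for each of `sessions` consecutive new sessions."""
        return [self.assign() for _ in range(sessions)]


if __name__ == "__main__":
    trunk = WeightedRoundRobinTrunk([TrunkMember("ge2", 2), TrunkMember("ge3", 1)])
    print(trunk.distribute(6))         # ge2, ge2, ge3, ge2, ge2, ge3
    trunk.set_link("ge2", False)       # ge2 fails its connectivity check
    print(trunk.distribute(3))         # ge3, ge3, ge3
```

    Note that the weights only shape how new sessions are assigned; an existing session stays on the interface it was given, which is why a member that comes back up only starts receiving traffic again as new sessions arrive.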
  • Page 250 Chapter 11 Trunks
  • Page 251: Policy And Static Routes

    You can generally just use policy routes. You only need to use static routes if you have a large network with multiple routers where you use RIP or OSPF to propagate routing information to other routers.
  • Page 252: What You Can Do In The Policy And Static Route Screens

    Configure static routes if you need to use RIP or OSPF to propagate the routing information to other routers. See Chapter 13 on page 261 for more on RIP and OSPF.
  • Page 253: Policy Route Screen

    IPPR follows the existing packet filtering facility of RAS in style and in implementation. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 156 Network > Routing > Policy Route
  • Page 254: Table 81 Network > Routing > Policy Route

    The ordering of your rules is important as they are applied in order of their numbering. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 255: Policy Route Edit Screen

    If the next hop is a dynamic VPN tunnel and you enable Auto Destination Address, the ZyWALL uses the local network of the peer router that initiated an incoming dynamic IPSec tunnel as the destination address of the policy instead of your configuration here.
  • Page 256 Note: You need to create a firewall rule to allow an incoming service before using a port triggering rule. This is the rule index number.
  • Page 257: Ip Static Route Screen

    Click Network > Routing > Static Route to open the Static Route screen. This screen displays the configured static routes. Configure static routes to be able to use RIP or OSPF to propagate the routing information to other routers.
  • Page 258: Static Route Add/Edit Screen

    If you need to specify a route to a single host, use a subnet mask of 255.255.255.255 in the subnet mask field to force the network number to be identical to the host ID. Subnet Mask: Enter the IP subnet mask here.
  • Page 259: Policy Routing Technical Reference

    When the ZyWALL receives a new connection (trigger service) from the remote server, the ZyWALL forwards the traffic to the IP address of the client computer that sent the request. In the following example, you configure two services for port triggering:
  • Page 260: Figure 160 Trigger Port Forwarding Example

    (as much as they require, if there is enough available bandwidth), and then to lower priority policy routes if there is still bandwidth available. The ZyWALL distributes the available bandwidth equally among policy routes with the same priority level.
  • Page 261: Routing Protocols

    RIP compared with OSPF:
    - Network size: RIP - small (with up to 15 routers); OSPF - large.
    - Metric: RIP - hop count; OSPF - bandwidth, hop count, throughput, round trip time and reliability.
    - Convergence: RIP - slow; OSPF - fast.
    Finding Out More: see Section 13.4 on page 269 for background information on routing protocols.
  • Page 262: The Rip Screen

    The key can consist of alphanumeric characters and the underscore, and it can be up to 8 characters long. This field is available if the Authentication is MD5. Authentication ID: Type the ID for MD5 authentication. The ID can be between 1 and 255.
  • Page 263: The Ospf Screen

    IP address. There are several types of areas. • The backbone is the transit area that routes packets between other areas. All other areas are connected to the backbone.
  • Page 264: Figure 162 Ospf: Types Of Areas

    Each type is really just a different role, and it is possible for one router to play multiple roles at one time. • An internal router (IR) only exchanges routing information with other routers in the same area.
  • Page 265: Figure 163 Ospf: Types Of Routers

    In some OSPF ASes, it is not possible for an area to be directly connected to the backbone. In this case, you can create a virtual link through an intermediate area to logically connect the area to the backbone. This is illustrated in the following example.
  • Page 266: Configuring The Ospf Screen

    In addition, it provides a summary of OSPF areas, allows you to remove them, and opens the OSPF Add/Edit screen to add or edit them. Click Network > Routing > OSPF to open the following screen. Figure 165 Network > Routing > OSPF
  • Page 267: Ospf Area Add/Edit Screen

    The OSPF Area Add/Edit screen allows you to create a new area or edit an existing one. To access this screen, go to the OSPF summary screen (see Section 13.3 on page 263), and click either the Add icon or an Edit icon.
  • Page 268: Figure 166 Network > Routing > Ospf > Edit

    ABR that is connected to the backbone. This field is a sequential value, and it is not associated with a specific area. Peer Router ID: Type the 32-bit ID (in IP address format) of the other ABR in the virtual link.
  • Page 269: Routing Protocol Technical Reference

    It also includes an authentication ID, which can be set to any value between 1 and 255. The ZyWALL only accepts packets if these conditions are satisfied. • The packet’s authentication ID is the same as the authentication ID of the interface that received it.
  • Page 270 Alternatively, you can override the default in any interface or virtual link by selecting a specific authentication method. Please see the respective interface sections for more information.
  • Page 271 Chapter 13 Routing Protocols
  • Page 272 Chapter 13 Routing Protocols
  • Page 273: Zones

    Virtual interfaces are automatically assigned to the same zone as the interface on which they run. Figure 167 Example: Zones. 14.1.1 What You Can Do in the Zones Screens. Use the Zone screens (see Section 14.2 on page 274) to view, add, and edit the ZyWALL’s zones.
  • Page 274: What You Need To Know About Zones

    14.2 The Zone Screen. The Zone screen provides a summary of all zones. In addition, this screen allows you to add, edit, and remove zones. To access this screen, click Network > Zone.
  • Page 275: Zone Add/Edit

    The Zone Add/Edit screen allows you to define a zone or edit an existing one. To access this screen, go to the Zone screen (see Section 14.2 on page 274), and click either the Add icon or an Edit icon. Figure 169 Network > Zone > Edit
  • Page 276: Table 91 Network > Zone > Edit

    Member lists the interfaces that belong to the zone. Select any interfaces that you want to remove from the zone, and click the left arrow button to remove them.
  • Page 277: Ddns

    Supported DDNS service providers (service types, website):
    - DynDNS: Dynamic DNS, Static DNS, and Custom DNS (www.dyndns.com)
    - Dynu: Basic, Premium (www.dynu.com)
    - No-IP: No-IP (www.no-ip.com)
    - Peanut Hull: Peanut Hull (www.oray.cn)
    - 3322: 3322 Dynamic DNS, 3322 Static DNS (www.3322.org)
  • Page 278: The Ddns Screen

    - The IP address comes from the specified interface. auto detected - The DDNS server checks the source IP address of the packets from the ZyWALL for the IP address to use for the domain name. custom - The IP address is static.
  • Page 279: The Dynamic Dns Add/Edit Screen

    The DDNS Add/Edit screen allows you to add a domain name to the ZyWALL or to edit the configuration of an existing domain name. Click Network > DDNS and then an Add or Edit icon to open this screen. Figure 171 Network > DDNS > Add
  • Page 280: Table 94 Network > Ddns > Add

    Select the interface to use for updating the IP address mapped to the domain name. Select Any to let the domain name be used with any interface. Select None to not use a backup address.
  • Page 281: The Ddns Status Screen

    15.3 The DDNS Status Screen. The DDNS Status screen shows the status of the ZyWALL’s DDNS domain names. Click Network > DDNS > Status to open the following screen. Figure 172 Network > DDNS > Status
  • Page 282: Table 95 Network > Ddns > Status

    Click this to have the ZyWALL update the profile to the DDNS server. The ZyWALL attempts to resolve the IP address for the domain name. Refresh: Click this to update the information displayed in the screen.
  • Page 283: Virtual Servers

    16.1.2 What You Need to Know About Virtual Servers. Virtual server is also known as port forwarding or port translation. The virtual server changes the destination address of packets. This is also known as Destination NAT (DNAT).
  • Page 284: The Virtual Server Screen

    This field displays the new destination IP address for the packet. Protocol: This field displays the service used by the packets for this virtual server. It displays any if there is no restriction on the services.
  • Page 285: The Virtual Server Add/Edit Screen

    Type in the name of the virtual server. The name is used to refer to the virtual server. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  • Page 286 This field is available if Mapping Type is Ports. Enter the end of the range of translated destination ports if this virtual server forwards the packet. The original port range and the mapped port range must be the same size.
  • Page 287: Nat 1:1 And Nat Loopback Examples

    1:1 NAT mapping from the public IP address to the server’s private one. The firewall is enabled, so you also need to create a rule to allow traffic in from the WAN zone.
  • Page 288: Figure 176 Nat 1:1 Example Network Topology

    This section sets up a virtual server rule that changes the destination of SMTP traffic coming to IP address 1.1.1.1 at the ZyWALL’s ge3 interface, to the LAN SMTP server’s IP address (192.168.1.21). This is also called Destination NAT (DNAT).
  • Page 289: Figure 178 Nat 1:1 Example Virtual Server

    This section sets up a policy route for the traffic coming from the LAN SMTP server to the ZyWALL’s ge1 interface. It changes the source address from 192.168.1.21 to 1.1.1.1. This is also called Source NAT (SNAT). It sends the traffic out through the ge3 interface.
  • Page 290: Figure 180 Nat 1:1 Example Policy Route

    Create a firewall rule to allow access from the WAN zone to the mail server in the LAN zone. Be careful of where you create the rule as firewall rules are ordered in descending priority.
  • Page 291: Figure 182 Create A Firewall Rule

    A LAN user computer at IP address 192.168.1.89 queries the domain name (xxx.LAN-SMTP.com in this example) from a public DNS server and gets the SMTP server’s 1:1 NAT mapped public IP address of 1.1.1.1.
  • Page 292: Figure 184 Nat Loopback Virtual Server

    IP address 1.1.1.1 and coming in on WAN2 to the SMTP server (IP address 192.168.1.21). In this example the SMTP server also uses port 25, so the Mapped Port is set to 25. Figure 185 Create a Virtual Server
  • Page 293: Figure 186 Triangle Route

    Be careful of where you create the route as routes are ordered in descending priority. This policy route applies source NAT to traffic sent from the LAN to the SMTP server. Without it, even though the request passes through the ZyWALL, the server’s reply only undergoes layer 2 switching back to the user, not NAT.
  • Page 294: Figure 188 Create A Policy Route

    1.1.1.1 before sending it to the LAN user’s computer. The source in the return traffic matches the original destination address (1.1.1.1) and the LAN user can use the LAN SMTP server. Figure 189 NAT Loopback Successful (source 192.168.1.21 translated to 1.1.1.1; SMTP server 192.168.1.21, LAN user 192.168.1.89)
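    The NAT 1:1 and NAT loopback example of pages 287 to 294, traced packet by packet as an added example (not the guide’s or ZyXEL’s code). The addresses and interfaces are the guide’s: public 1.1.1.1 on ge3, the SMTP server 192.168.1.21 and the LAN user 192.168.1.89 behind ge1. The session table, the assumption that a host answers a same-subnet source directly over the switch without touching the ZyWALL (the triangle route of Figure 186), and the assumption that the WAN-to-LAN firewall rule of page 290 is already in place are modelling choices made here.

```python
"""NAT 1:1 virtual server, SNAT policy route and NAT loopback, traced packet by packet.

Added example for this page, not ZyXEL code. Addresses and interfaces are the
guide's (public 1.1.1.1 on ge3, SMTP server 192.168.1.21 and LAN user
192.168.1.89 behind ge1). The session table and the assumption that a host
answers a same-subnet source directly over the switch, bypassing the ZyWALL,
are modelling choices made here to show why loopback needs the SNAT route.
"""
from dataclasses import dataclass, replace

PUBLIC = "1.1.1.1"
SERVER = "192.168.1.21"
CLIENT = "192.168.1.89"
LAN_PREFIX = "192.168.1."


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def reverse(pkt):
    """The answer a host sends back to whatever source address it saw."""
    return Packet(pkt.dst, pkt.src, pkt.dport, pkt.sport)


class ZyWALL:
    def __init__(self, loopback_snat):
        self.loopback_snat = loopback_snat   # the page-293 policy route present or not
        self.sessions = {}                   # translated 4-tuple -> original packet

    def forward(self, pkt, ingress):
        orig = pkt
        # Virtual server (DNAT): anything for 1.1.1.1:25, from WAN or LAN, goes to the mail server.
        if pkt.dst == PUBLIC and pkt.dport == 25:
            pkt = replace(pkt, dst=SERVER)
        if ingress == "ge1":
            if orig.src == SERVER and not pkt.dst.startswith(LAN_PREFIX):
                pkt = replace(pkt, src=PUBLIC)       # page-289 SNAT route, out through ge3
            elif pkt.dst == SERVER and self.loopback_snat:
                pkt = replace(pkt, src=PUBLIC)       # loopback SNAT: reply must come back here
        if pkt != orig:
            self.sessions[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = orig
        return pkt

    def un_nat(self, reply):
        """Map a reply belonging to a known session back to the original addresses."""
        orig = self.sessions.get((reply.dst, reply.dport, reply.src, reply.sport))
        return None if orig is None else Packet(orig.dst, orig.src, reply.sport, reply.dport)


def lan_user_session(gw):
    """192.168.1.89 connects to 1.1.1.1:25; returns the reply the user receives."""
    request = Packet(CLIENT, PUBLIC, 40000, 25)
    at_server = gw.forward(request, ingress="ge1")
    reply = reverse(at_server)
    if reply.dst.startswith(LAN_PREFIX):
        return reply                 # same subnet: switched straight to the user (triangle route)
    return gw.un_nat(reply)          # addressed to 1.1.1.1: routed back through the ZyWALL


def wan_session(gw, remote="198.51.100.9"):
    """A remote MTA connects to 1.1.1.1:25; returns the reply it receives."""
    request = Packet(remote, PUBLIC, 51000, 25)
    return gw.un_nat(reverse(gw.forward(request, ingress="ge3")))


def server_outbound(gw, remote="203.0.113.7"):
    """Source address the remote MTA sees when 192.168.1.21 connects out."""
    return gw.forward(Packet(SERVER, remote, 40001, 25), ingress="ge1").src


if __name__ == "__main__":
    print(lan_user_session(ZyWALL(loopback_snat=False)))   # src 192.168.1.21: user drops it
    print(lan_user_session(ZyWALL(loopback_snat=True)))    # src 1.1.1.1: session works
```

    Without the loopback SNAT route the user sent a SYN to 1.1.1.1 and gets a SYN/ACK from 192.168.1.21, which its TCP stack does not recognise, so the connection never completes. With it, the server sees 1.1.1.1 as the source, has to route its reply through the ZyWALL, and the ZyWALL restores 1.1.1.1 as the source the user expects.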
  • Page 295: Http Redirect

    A then forwards the response to the client. Figure 190 HTTP Redirect Example. 17.1.1 What You Can Do in the HTTP Redirect Screens. Use the HTTP Redirect screens (see Section 17.2 on page 296) to display and edit the HTTP redirect rules.
  • Page 296: What You Need To Know About Http Redirect

    17.2 The HTTP Redirect Screen. To configure redirection of an HTTP request to a proxy server, click Network > HTTP Redirect. This screen displays the summary of the HTTP redirect rules.
  • Page 297: The Http Redirect Edit Screen

    Click Network > HTTP Redirect to open the HTTP Redirect screen. Then click the Add or Edit icon to open the HTTP Redirect Edit screen where you can configure the rule. Figure 192 Network > HTTP Redirect > Edit
  • Page 298: Table 99 Network > Http Redirect > Edit

    Enter the IP address of the proxy server. Port: Enter the port number that the proxy server uses. OK: Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving.
  • Page 299: Alg

    The ZyWALL only needs to use the ALG feature for traffic that goes through the ZyWALL’s NAT. 18.1.1 What You Can Do in the ALG Screen. Use the ALG screen (Section 18.2 on page 302) to set up SIP, H.323, and FTP ALG settings.
  • Page 300: What You Need To Know About Alg

    • The SIP ALG supports peer-to-peer SIP calls. The firewall (by default) allows peer-to-peer calls from the LAN zone to go to the WAN zone and blocks peer-to-peer calls from the WAN zone to the LAN zone.
  • Page 301: Figure 195 Voip Calls From The Wan With Multiple Outgoing Calls

    LAN or DMZ IP addresses go out through the same WAN IP address that calls come in on. The policy routing lets the ZyWALL correctly forward the return traffic for the calls initiated from the LAN IP addresses.
  • Page 302: Before You Begin

    SIP ALG time outs. If the ZyWALL provides an ALG for a service, you must enable the ALG in order to perform bandwidth management on that service’s traffic.
  • Page 303: Figure 197 Network > Alg

    ZyWALL. Enabling the H.323 ALG allows you to use bandwidth management on H.323 traffic. H.323 Signaling Port: If you are using a custom TCP port number (not 1720) for H.323 traffic, enter it here.
  • Page 304: Alg Technical Reference

    (that was set to passive) in order to have the connection go through the second interface. VoIP clients usually re-register automatically at set intervals or the users can manually force them to re-register.
  • Page 305 When you make a VoIP call using H.323 or SIP, the RTP (Real-time Transport Protocol) is used to handle voice data transfer. See RFC 1889 for details on RTP.
  • Page 306 Chapter 18 ALG
  • Page 307: Ip/Mac Binding

    ZyWALL does not apply IP/MAC binding. • The Monitor screen (Section 19.4 on page 311) lists the devices that have received an IP address from ZyWALL interfaces with IP/MAC binding enabled.
  • Page 308: What You Need To Know About Ip/Mac Binding

    Apply to save and apply the change. Click the Edit icon to go to the screen where you can edit an interface’s IP/MAC binding settings. Apply: Click Apply to save your changes back to the ZyWALL.
  • Page 309: Ip/Mac Binding Edit

    Click the Remove icon to delete an entry. A window displays asking you to confirm that you want to delete it. OK: Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving.
  • Page 310: Static Dhcp Edit

    Click Network > IP/MAC Binding > Exempt List to open the IP/MAC Binding Exempt List screen. Use this screen to configure ranges of IP addresses to which the ZyWALL does not apply IP/MAC binding. Figure 202 Network > IP/MAC Binding > Exempt List
  • Page 311: Ip/Mac Binding Monitor

    This field displays the MAC address to which the IP address is currently assigned. Last Access: This is when the device last established a session with the ZyWALL through this interface. Refresh: Click this button to update the information in the screen.
  • Page 312 Chapter 19 IP/MAC Binding
  • Page 313: Firewall

    Firewall (315)
  • Page 315: Firewall

    322) to enable or disable the firewall and asymmetrical routes, and manage and configure firewall rules. • Use the Session Limit screens (see Section 20.3 on page 327) to limit the number of concurrent NAT/firewall sessions a client can use.
  • Page 316: What You Need To Know About The Firewall

    Traffic from the DMZ to the ZyWALL is allowed. To-ZyWALL Rules: Rules with ZyWALL as the To Zone apply to traffic going to the ZyWALL itself. By default: • The firewall allows only LAN computers to access or manage the ZyWALL.
  • Page 317 VPN tunnel to a new zone (the VPN zone for example), you can configure rules for VPN traffic between the VPN zone and other zones or From VPN To-ZyWALL rules for VPN traffic destined for the ZyWALL.
  • Page 318: Firewall Rule Example Applications

    • The first row blocks LAN access to the IRC service on the WAN. • The second row is the firewall’s default policy that allows all traffic from the LAN to go to the WAN.
  • Page 319: Figure 206 Limited Lan To Wan Irc Traffic Example

    • The second row blocks LAN access to the IRC service on the WAN. • The third row is the firewall’s default policy of allowing all traffic from the LAN to go to the WAN.
  • Page 320: Firewall Rule Configuration Example

    IP addresses 192.168.1.10 through 192.168.1.15 (Dest_1) on the LAN. 1 Click Firewall. Click the Add icon in the heading row to configure a new first entry. Remember the sequence (priority) of the rules is important since they are applied in order.
  • Page 321: Figure 207 Firewall Example: Firewall Screen

    5 The screen for configuring a service object opens. Configure it as follows and click OK. Figure 209 Firewall Example: Create a Service Object. 6 Select From WAN and To LAN. 7 Enter the name of the firewall rule.
  • Page 322: The Firewall Screen

    If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL’s LAN IP address, return traffic may not go through the ZyWALL. This is called an asymmetrical or “triangle” route. This causes the ZyWALL to reset the connection, as the connection has not been acknowledged.
  • Page 323: Configuring The Firewall Screen

    LAN IP address as the destination. See Section 6.6 on page 141 for an example. • The ordering of your rules is very important as rules are applied in sequence.
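    First-match rule evaluation, which is what makes the ordering on pages 318 to 323 matter, worked through as an added example (not the guide’s or ZyXEL’s code). It reproduces the three policies of this chapter: the page-318 policy (block IRC from the LAN, then the default allow), the page-319 variant with an exception above the block, and the page-320 rule allowing a service from the WAN only to Dest_1 (192.168.1.10 to 192.168.1.15), plus the misordered version of the exception that can never match. The zone names, the IRC example and the Dest_1 range are the guide’s; IRC on TCP 6667, HTTP as the page-320 service, the exempted host 192.168.1.7 and the rule names are assumptions made here.

```python
"""First-match firewall rule evaluation, as the ZyWALL applies it.

Added example for this page, not ZyXEL code. Rules are checked top to bottom
and the first match decides, so an exception must sit above the rule it is an
exception to. Zones, the IRC example and the 192.168.1.10-192.168.1.15 (Dest_1)
range come from the guide; IRC on TCP 6667, HTTP as the page-320 service, the
host 192.168.1.7 and the rule names are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard for a zone, address or service field


@dataclass(frozen=True)
class Service:
    proto: str
    first_port: int
    last_port: int

    def matches(self, proto, port):
        return proto == self.proto and self.first_port <= port <= self.last_port


@dataclass(frozen=True)
class AddrRange:
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address

    @classmethod
    def of(cls, first, last=None):
        lo = ipaddress.IPv4Address(first)
        return cls(lo, ipaddress.IPv4Address(last) if last else lo)

    def __contains__(self, ip):
        return self.first <= ipaddress.IPv4Address(ip) <= self.last


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: Optional[str]
    to_zone: Optional[str]
    action: str                        # "allow", "deny" (drop) or "reject" (TCP reset)
    src: Optional[AddrRange] = ANY
    dst: Optional[AddrRange] = ANY
    service: Optional[Service] = ANY

    def matches(self, pkt):
        return ((self.from_zone is ANY or self.from_zone == pkt["from_zone"])
                and (self.to_zone is ANY or self.to_zone == pkt["to_zone"])
                and (self.src is ANY or pkt["src"] in self.src)
                and (self.dst is ANY or pkt["dst"] in self.dst)
                and (self.service is ANY or self.service.matches(pkt["proto"], pkt["dport"])))


def evaluate(rules, pkt, default="deny"):
    """Return (action, rule name) of the first matching rule, else the default policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "default"


def packet(src, dst, dport, from_zone, to_zone, proto="tcp"):
    return {"src": src, "dst": dst, "dport": dport, "proto": proto,
            "from_zone": from_zone, "to_zone": to_zone}


IRC = Service("tcp", 6667, 6667)
HTTP = Service("tcp", 80, 80)

# Page 318: block IRC from the LAN, then the default that allows everything else LAN to WAN.
BLOCK_IRC = [
    Rule("block_irc", "LAN", "WAN", "deny", service=IRC),
    Rule("lan_to_wan", "LAN", "WAN", "allow"),
]

# Page 319: one host (assumed 192.168.1.7) may still use IRC; the exception comes first.
LIMITED_IRC = [
    Rule("irc_exception", "LAN", "WAN", "allow", src=AddrRange.of("192.168.1.7"), service=IRC),
] + BLOCK_IRC

# The same three rules with the exception below the block: it is never reached.
MISORDERED = [BLOCK_IRC[0], LIMITED_IRC[0], BLOCK_IRC[1]]

# Page 320: allow a service from the WAN only to Dest_1; everything else WAN to LAN hits the default.
DEST_1 = AddrRange.of("192.168.1.10", "192.168.1.15")
WAN_TO_DEST_1 = [Rule("wan_to_dest_1", "WAN", "LAN", "allow", dst=DEST_1, service=HTTP)]


if __name__ == "__main__":
    irc = packet("192.168.1.7", "203.0.113.5", 6667, "LAN", "WAN")
    print(evaluate(BLOCK_IRC, irc), evaluate(LIMITED_IRC, irc), evaluate(MISORDERED, irc))
```

    The misordered list is the mistake the guide warns about: the rules are identical, only the order differs, and the exception never fires because the broader block above it already matched. Reading a policy top to bottom and asking which rule a given packet hits first is the check to make before clicking Apply.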
  • Page 324: Figure 213 Firewall

    Note: Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL. A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets. ZyWALL USG 300 User’s Guide...
  • Page 325 TCP reset packet to the sender (reject) or permits the passage of packets (allow). This field shows you whether a log (and alert) is created when packets match this rule or not. ZyWALL USG 300 User’s Guide...
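The first-match behaviour the firewall pages above describe (rules applied in order, a block rule placed below a broader allow never reached, deny dropping silently while reject sends a TCP reset), worked through as an added example in Python. This is not ZyXEL code: the LAN prefix 192.168.1.0/24, the IRC service on TCP port 6667 and the sample packets are assumptions constructed for the example, and the rule fields are a simplified subset of the Firewall screen’s. The shadowed_rules check is the one a practitioner would want before clicking Apply: it reports rules that an earlier, broader rule makes unreachable.

```python
"""First-match evaluation of ordered firewall rules, as the ZyWALL applies them.

Added example, not ZyXEL code.  Rules and packets are simplified stand-ins
for the Firewall screen's fields.  Assumptions: LAN is 192.168.1.0/24 (the
guide's default LAN), everything else is WAN, and the IRC service is TCP
port 6667 (a constructed service object, like the guide's IRC example).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

LAN_NET = ip_network("192.168.1.0/24")
RESPONSE = {"allow": "forward", "deny": "drop silently", "reject": "send TCP RST"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    frm: str                    # source zone: "LAN", "WAN" or "any"
    to: str                     # destination zone: "LAN", "WAN" or "any"
    proto: Optional[str]        # None = any protocol
    dport: Optional[int]        # None = any destination port
    action: str                 # "allow", "deny" or "reject"
    log: bool = False
    name: str = ""


def zone_of(addr: str) -> str:
    return "LAN" if ip_address(addr) in LAN_NET else "WAN"


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.frm == "any" or zone_of(pkt.src) == rule.frm)
            and (rule.to == "any" or zone_of(pkt.dst) == rule.to)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet, default_action: str = "deny") -> dict:
    """Walk the rules in order; the first match decides, later rules are never consulted."""
    for number, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return {"rule": number, "name": rule.name, "action": rule.action,
                    "response": RESPONSE[rule.action], "log": rule.log}
    return {"rule": None, "name": "implicit default", "action": default_action,
            "response": RESPONSE[default_action], "log": False}


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Numbers of rules that can never match because an earlier, broader rule covers them."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            fields = zip((earlier.frm, earlier.to, earlier.proto, earlier.dport),
                         (later.frm, later.to, later.proto, later.dport))
            if all(e in ("any", None) or e == l for e, l in fields):
                shadowed.append(j + 1)
                break
    return shadowed


# The guide's example: block IRC from LAN to WAN, then the default LAN-to-WAN allow.
BLOCK_IRC = Rule("LAN", "WAN", "tcp", 6667, "deny", log=True, name="LAN_to_WAN_IRC_block")
ALLOW_LAN_TO_WAN = Rule("LAN", "WAN", None, None, "allow", name="LAN_to_WAN_default")
CORRECT_ORDER = [BLOCK_IRC, ALLOW_LAN_TO_WAN]
WRONG_ORDER = [ALLOW_LAN_TO_WAN, BLOCK_IRC]     # the block is now unreachable

# Constructed packets, not captures.
IRC_FROM_LAN = Packet("192.168.1.33", "198.51.100.7", "tcp", 6667)
HTTP_FROM_LAN = Packet("192.168.1.33", "198.51.100.7", "tcp", 80)
SYN_FROM_WAN = Packet("203.0.113.9", "192.168.1.10", "tcp", 22)

if __name__ == "__main__":
    for rules in (CORRECT_ORDER, WRONG_ORDER):
        print([r.name for r in rules], "->", evaluate(rules, IRC_FROM_LAN)["action"],
              "shadowed:", shadowed_rules(rules))
```

With the rules in the guide’s order the IRC packet hits rule 1 and is dropped (and logged); with the order reversed the same packet hits the allow rule first and the block is never consulted, which shadowed_rules reports as rule 2.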
  • Page 326: The Firewall Edit Screen

    VPN tunnels. ZyWALL means packets destined for the ZyWALL itself. Description: Enter a descriptive name of up to 60 printable ASCII characters for the firewall rule. Spaces are allowed.
  • Page 327: The Session Limit Screen

    NAT/firewall sessions a client can use. You can apply a default limit for all users and individual limits for specific users, addresses, or both. The individual limit takes priority if you apply both. A per-host limit keeps a single compromised or misbehaving host from exhausting the ZyWALL’s session table.
  • Page 328: Figure 215 Firewall > Session Limit

    The ordering of your rules is important, as they are applied in order of their numbering. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 329: The Session Limit Edit Screen

    For this rule’s users and addresses, this setting overrides the Default Session per Host setting in the general Firewall Session Limit screen. Click OK to save your customized settings and exit this screen. Cancel: Click Cancel to exit this screen without saving.
  • Page 330 Chapter 20 Firewall
  • Page 331: Vpn

    IPSec VPN (333) SSL VPN (367) SSL User Screens (377) SSL User Application Screens (383) SSL User File Sharing (385) L2TP VPN (391) L2TP VPN Example (395)
  • Page 333: Ipsec Vpn

    338) to manage the ZyWALL’s VPN gateways. A VPN gateway specifies the IPSec routers at either end of a VPN tunnel and the IKE SA settings (phase 1 settings). You can also activate and deactivate each VPN gateway.
  • Page 334: What You Need To Know About Ipsec Vpn

    Between routers X and Y, the data is protected by tunneling, encryption, authentication, and other security features of the IPSec SA. The IPSec SA is secure because routers X and Y established the IKE SA first: the IKE SA authenticates both ends and supplies the keying material from which the IPSec SA’s keys are derived.
  • Page 335: Before You Begin

    21.1.3 Before You Begin This section briefly explains the relationship between VPN tunnels and other features. It also gives some basic suggestions for troubleshooting. You should set up the following features before you set up the VPN tunnel.
  • Page 336: The Vpn Connection Screen

    The VPN wizard automatically creates a corresponding policy route. If you create the VPN connection in the VPN > IPSec VPN screens, you need to manually create a corresponding policy route. Figure 219 VPN > IPSec VPN > VPN Connection
  • Page 337: Table 115 Vpn > Ipsec Vpn > Vpn Connection

    To connect or disconnect an IPSec SA, click the Connect icon next to the VPN connection. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 338: The Vpn Connection Add/Edit (Ike) Screen

    336), and click either the Add icon or an Edit icon. If you click the Add icon, you have to select a specific VPN gateway in the VPN Gateway field before the following screen appears.
  • Page 339: Figure 220 Vpn > Ipsec Vpn > Vpn Connection > Edit (Ike)

    Figure 220 VPN > IPSec VPN > VPN Connection > Edit (IKE)
  • Page 340: Table 116 Vpn > Ipsec Vpn > Vpn Connection > Edit

    Selecting this restricts who can use the VPN tunnel. The ZyWALL drops traffic with source and destination IP addresses that do not match the local and remote policy. Phase 2 Settings: Click Advanced to display more settings. Click Basic to display fewer settings.
  • Page 341 PFS (Perfect Forward Secrecy) runs a fresh Diffie-Hellman exchange for each IPSec SA, so the SA’s encryption keys are not derived from the IKE SA’s key material and a compromise of one set of keys does not expose earlier or later SAs. A larger DH key group is harder to break but takes longer to compute. Both routers must use the same DH key group.
  • Page 342 Create Object to configure a new one). This is the address object for the local network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT). Inbound Traffic
  • Page 343: The Vpn Connection Add/Edit Manual Key Screen

    IKE key management. To access this screen, go to the VPN Connection summary screen (see Section 21.2 on page 336), and click either the Add icon or an existing manual key entry’s Edit icon. In the VPN Gateway section of the screen, select Manual Key.
  • Page 344: Figure 221 Vpn > Ipsec Vpn > Vpn Connection > Manual Key > Edit

    DESCRIPTION Manual Key: My Address: Type the IP address of the ZyWALL in the IPSec SA. 0.0.0.0 is invalid. Secure Gateway Address: Type the IP address of the remote IPSec router in the IPSec SA.
  • Page 345 The ZyWALL ignores any characters beyond the minimum number required by the algorithm. For example, if you enter 1234567890XYZ as a DES encryption key, the ZyWALL only uses 12345678. The ZyWALL still stores the longer key, but the extra characters add no security. Manual keys never change unless you change them, so prefer IKE key management where the peer supports it, and avoid DES, whose 56-bit key is within reach of brute force.
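The truncation rule stated on page 345, worked through as an added example in Python (not ZyXEL code). It shows why a long manual key gives no more protection than its first N characters, and adds a helper for generating a key of exactly the required length. The per-algorithm sizes are the algorithms’ standard key lengths (DES 8 bytes, 3DES 24, AES-128/192/256 16/24/32, HMAC-MD5 16, HMAC-SHA1 20), which is what the Manual Key screen’s field description lists; random_manual_key and the ASCII-only assumption are mine.

```python
"""Effective key of a manual-key IPSec SA after the ZyWALL's truncation rule.

Added example, not ZyXEL code.  The device uses only the first N characters
of a typed key, where N is the size the algorithm requires, so extra
characters add no security.  Sizes are the standard key lengths; manual keys
are assumed to be printable ASCII.  random_manual_key is an added helper.
"""
import secrets
import string

KEY_BYTES = {
    "des": 8, "3des": 24, "aes128": 16, "aes192": 24, "aes256": 32,   # encryption
    "md5": 16, "sha1": 20,                                           # authentication
}


def effective_key(algorithm: str, entered: str) -> bytes:
    """Return the bytes the SA is actually keyed with (extra characters dropped)."""
    try:
        n = KEY_BYTES[algorithm.lower()]
    except KeyError:
        raise ValueError(f"unknown algorithm {algorithm!r}") from None
    raw = entered.encode("ascii")               # manual keys are printable ASCII
    if len(raw) < n:
        raise ValueError(f"{algorithm} needs at least {n} characters, got {len(raw)}")
    return raw[:n]


def same_sa_key(algorithm: str, key_a: str, key_b: str) -> bool:
    """Two typed keys that agree on the first N characters key the SA identically."""
    return effective_key(algorithm, key_a) == effective_key(algorithm, key_b)


def random_manual_key(algorithm: str) -> str:
    """A key of exactly the required length drawn from a CSPRNG (no wasted characters)."""
    n = KEY_BYTES[algorithm.lower()]
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(n))


if __name__ == "__main__":
    # The guide's example: only "12345678" of "1234567890XYZ" is used for DES.
    print(effective_key("des", "1234567890XYZ"))
    print(same_sa_key("des", "1234567890XYZ", "12345678xyz"))
```

The practical consequence: two administrators who type keys that differ only after the eighth character have configured the same DES SA key, and an attacker guessing the key needs to guess only eight characters.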
  • Page 346: The Vpn Gateway Screen

    Type a page number to go to or use the arrows to navigate the pages of entries. This field is a sequential value, and it is not associated with a specific VPN gateway. Name: This field displays the name of the VPN gateway.
  • Page 347: The Vpn Gateway Add/Edit Screen

    The VPN Gateway Add/Edit screen allows you to create a new VPN gateway policy or edit an existing one. To access this screen, go to the VPN Gateway summary screen (see Section 21.3 on page 346), and click either the Add icon or an Edit icon.
  • Page 348: Figure 223 Vpn > Ipsec Vpn > Vpn Gateway > Edit

    If you select Domain Name / IP, enter the domain name or the IP address of the ZyWALL. The IP address of the ZyWALL in the IKE SA is the specified IP address or the IP address corresponding to the domain name. 0.0.0.0 is invalid.
  • Page 349 E-mail - the ZyWALL is identified by an e-mail address; you can use up to 31 ASCII characters including spaces, although trailing spaces are truncated. This value is only used for identification and can be any string; the remote IPSec router must be configured to expect exactly the same ID type and content.
  • Page 350 The ZyWALL and the remote IPSec router must use the same negotiation mode. Proposal: This field is a sequential value, and it is not associated with a specific proposal. The sequence of proposals should not affect performance significantly.
  • Page 351 Server Mode: Select this if the ZyWALL authenticates the user name and password from the remote IPSec router. You also have to select the authentication method, which specifies how the ZyWALL authenticates this information.
  • Page 352: The Vpn Concentrator Screen

    VPN traffic from one spoke, decrypts it, inspects it to find out which spoke to route it to, encrypts it, and sends it to the appropriate spoke. Therefore, a VPN concentrator is more suitable when there is only a small amount of traffic between spoke routers.
  • Page 353: The Vpn Concentrator Add/Edit Screen

    ), or dashes (-), but the first character cannot be a number. This value is case-sensitive. This field is a sequential value, and it is not associated with a specific member in the concentrator.
  • Page 354: The Sa Monitor Screen

    VPN > IPSec VPN > SA Monitor. The following screen appears. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
  • Page 355: Figure 228 Vpn > Ipsec Vpn > Sa Monitor

    This field is displayed if the IPSec SA does not use manual keys. Click the Disconnect icon next to an IPSec SA to disconnect it. Refresh: Click Refresh to update the information in the display.
  • Page 356: Ipsec Vpn Background Information

    SA. In main mode, this is done in steps 1 and 2, as illustrated next. Figure 229 IKE SA: Main Negotiation Mode, Steps 1 - 2: IKE SA Proposal. One or more proposals, each one consisting of:
    - encryption algorithm
    - authentication algorithm
    - Diffie-Hellman key group
  • Page 357: Figure 230 Ike Sa: Main Negotiation Mode, Steps 3 - 4: Dh Key Exchange

    The shared secret is then used to generate encryption keys for the IKE SA and IPSec SA. In main mode, this is done in steps 3 and 4, as illustrated next. Figure 230 IKE SA: Main Negotiation Mode, Steps 3 - 4: DH Key Exchange (Diffie-Hellman key exchange)
  • Page 358: Figure 231 Ike Sa: Main Negotiation Mode, Steps 5 - 6: Authentication

    You have to create (and distribute) a pre-shared key. The ZyWALL and remote IPSec router use it in the authentication process, though it is not actually transmitted or exchanged. The ZyWALL and the remote IPSec router must use the same pre-shared key. Distribute it out of band and make it long and random, because anyone who can guess the key can authenticate as either end.
  • Page 359: Table 123 Vpn Example: Matching Id Type And Content

    (for example, extended authentication) or if you are troubleshooting a VPN tunnel. Additional Topics for IKE SA: This section provides more information about IKE SA. Negotiation Mode: There are two negotiation modes, main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster. In aggressive mode the identities are sent in the clear and the pre-shared-key authentication hash is exposed to an offline dictionary attack by anyone who can capture the exchange, so use aggressive mode only where main mode is not possible (for example, a peer with a dynamic IP address that must be identified by name), and then only with a strong pre-shared key.
  • Page 360: Figure 232 Vpn/Nat Example

    • Configure the NAT router to forward packets with the extra header unchanged. (See the field description for detailed information about the extra header.) The extra header is UDP, on port 500 or port 4500, depending on the standard(s) the ZyWALL and remote IPSec router support: implementations following RFC 3947/3948 NAT traversal use UDP port 4500, while some earlier draft implementations used port 500.
  • Page 361: Regular Expressions In Searching Ipsec Sas

    “abc” and ending in “123” matches, no matter how many characters are in between. The whole VPN connection or policy name has to match if you do not use a question mark or asterisk.
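The SA Monitor search semantics described on page 361, as an added example in Python (not ZyXEL code): ? matches exactly one character, * matches any run of characters including none, and a pattern without wildcards must match the whole name. The translation anchors the pattern with fullmatch and escapes every other character so that dots or plus signs in a connection name stay literal. Whether the device compares case-sensitively is not stated in this excerpt, so the case_sensitive flag is an assumption; the sample names are constructed.

```python
"""Wildcard matching of VPN connection and policy names in the SA Monitor search.

Added example, not ZyXEL code.  Implements the two wildcards the guide
describes (? = one character, * = any number of characters) with whole-name
matching.  Case sensitivity is not stated in the guide; it is a flag here.
"""
import re
from typing import Iterable, List


def wildcard_to_regex(pattern: str, case_sensitive: bool = True) -> "re.Pattern[str]":
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))     # literal, so "." or "+" in a name stays literal
    return re.compile("".join(parts), 0 if case_sensitive else re.IGNORECASE)


def search_sas(pattern: str, names: Iterable[str], case_sensitive: bool = True) -> List[str]:
    """Names that the pattern matches in full, in their original order."""
    rx = wildcard_to_regex(pattern, case_sensitive)
    return [n for n in names if rx.fullmatch(n)]


# Constructed connection names, not from a real device.
SAMPLE_NAMES = ["abc_branch_123", "abc123", "abcd", "xabc123", "ABC123"]

if __name__ == "__main__":
    print(search_sas("abc*123", SAMPLE_NAMES))   # the guide's "abc ... 123" example
    print(search_sas("abc", SAMPLE_NAMES))       # no wildcard: must match the whole name
```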
  • Page 362: Ipsec Sa Overview

    Transport mode is only used when the IPSec SA is used for communication between the ZyWALL and the remote IPSec router themselves (for example, for remote management, or as the carrier for L2TP VPN), not between computers on the local and remote networks. The ZyWALL and remote IPSec router must use the same encapsulation.
  • Page 363: Figure 233 Vpn: Transport And Tunnel Mode Encapsulation

    IKE SA was established to generate encryption keys. The DH key exchange is time-consuming and may be unnecessary for data that does not require such security. Additional Topics for IPSec SA: This section provides more information about IPSec SA in your ZyWALL.
  • Page 364 (for example, mail) from the remote network to a specific computer (like the mail server) in the local network. Each kind of translation is explained below. The following example is used to help explain each one.
  • Page 365: Figure 234 Vpn Example: Nat For Inbound And Outbound Traffic

    For example, in Figure 234 on page 365, you can configure this kind of translation if you want to forward mail from the remote network to the mail server in the local network (A).
  • Page 366 (A). • Mapped Port - the translated destination port or range of destination ports. The original port range and the mapped port range must be the same size.
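The equal-size rule the VPN NAT pages state twice (page 342 for source address ranges, page 366 for port ranges), as an added example in Python (not ZyXEL code). Each address or port in the original range maps to exactly one counterpart by its offset, which is why a mismatched range size cannot be accepted. The range boundaries and addresses are constructed for the example; traffic outside the policy is passed through untranslated, which is an assumption about how a non-matching packet should be treated.

```python
"""1:1 translation of address and port ranges for IPSec VPN inbound/outbound NAT.

Added example, not ZyXEL code.  Enforces the guide's rule that the original
range and the translated range must be the same size, and shows the
offset-based mapping that rule makes possible.  Ranges are constructed.
"""
from ipaddress import IPv4Address
from typing import Tuple

AddrRange = Tuple[str, str]     # (first, last), inclusive
PortRange = Tuple[int, int]     # (first, last), inclusive


def _addr_span(r: AddrRange) -> int:
    first, last = IPv4Address(r[0]), IPv4Address(r[1])
    if last < first:
        raise ValueError(f"range {r} is reversed")
    return int(last) - int(first) + 1


def check_address_mapping(original: AddrRange, mapped: AddrRange) -> None:
    """Reject the policy the way the Edit screen would: sizes must agree."""
    a, b = _addr_span(original), _addr_span(mapped)
    if a != b:
        raise ValueError(f"original range holds {a} addresses but mapped range holds {b}")


def translate_address(addr: str, original: AddrRange, mapped: AddrRange) -> str:
    check_address_mapping(original, mapped)
    ip = IPv4Address(addr)
    if not IPv4Address(original[0]) <= ip <= IPv4Address(original[1]):
        return addr                         # outside the policy: left untouched (assumption)
    offset = int(ip) - int(IPv4Address(original[0]))
    return str(IPv4Address(int(IPv4Address(mapped[0])) + offset))


def translate_port(port: int, original: PortRange, mapped: PortRange) -> int:
    if (original[1] - original[0]) != (mapped[1] - mapped[0]):
        raise ValueError("original and mapped port ranges differ in size")
    if not original[0] <= port <= original[1]:
        return port
    return mapped[0] + (port - original[0])


if __name__ == "__main__":
    print(translate_address("10.0.0.5", ("10.0.0.1", "10.0.0.10"), ("172.16.5.1", "172.16.5.10")))
    print(translate_port(25, (25, 25), (2525, 2525)))
```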
  • Page 367: Ssl Vpn

    With reverse proxy mode, remote users can easily access any web-based application on the local network by clicking links or entering the provided URL. You do not have to install additional client software on the remote users’ computers. Figure 235 Network Access Mode: Reverse Proxy
  • Page 368: Figure 236 Network Access Mode: Full Tunnel Mode

    VPN connection. You cannot delete an object that is referenced by an SSL access policy. To delete the object, you must first unassociate the object from the SSL access policy.
  • Page 369: The Ssl Access Privilege Screen

    Click Reset to discard all changes. 22.2.1 The SSL Access Policy Add/Edit Screen To create a new SSL access policy or edit an existing one, click the Add or Edit icon in the Access Privilege screen.
  • Page 370: Figure 238 Vpn > Ssl Vpn > Access Privilege > Add/Edit

    >> to add to the Selected User/Group Objects list. You can select more than one name. To remove a user or user group, select the name(s) in the Selected User/Group Objects list and click <<.
  • Page 371: The Ssl Connection Monitor Screen

    Click VPN > SSL VPN in the navigation panel and click the Connection Monitor tab to display the user list. Use this screen to do the following: • View a list of active SSL VPN connections. • Log out individual users and delete related session information.
  • Page 372: The Ssl Global Setting Screen

    IP address of the ZyWALL (or a gateway device) on your network for full tunnel mode access, enter access messages or upload a custom logo to be displayed on the remote user screen.
  • Page 373: Figure 240 Vpn > Ssl Vpn > Global Setting

    Reset Logo to Default: Click this to display the ZyXEL company logo on the remote user’s web browser. Apply: Click Apply to save the changes and/or start the logo file upload process. Reset: Click Reset to start configuring this screen again.
  • Page 374: How To Upload A Custom Logo

    3 Click Login. 4 The SSL VPN connection starts. This may take several minutes depending on your network connection. Once the connection is up, you should see the client portal screen. The following shows an example.
  • Page 375: Figure 242 Ssl Vpn Client Portal Screen Example

    If the user account is not set up for SSL VPN access, an “SSL VPN connection is not activated” message displays in the Login screen. Clear the Login to SSL VPN check box and try logging in again. For more information on user portal screens, refer to Chapter 23 on page 377.
  • Page 376 Chapter 22 SSL VPN
  • Page 377: Ssl User Screens

    Here are the browser and computer system requirements for remote user access.
    • Windows 2000 and Windows XP
    • Internet Explorer 5.5 and above (for IE7, JRE 1.6 must be enabled)
    • Netscape 7.2 and above
  • Page 378: Remote User Login

    1 Open a web browser and enter the web site address or IP address of the ZyWALL. For example, “http://sslvpn.mycompany.com”. Figure 244 Enter the Address in a Web Browser 2 Click OK or Yes if a security screen displays.
  • Page 379: Figure 245 Login Security Screen

    If a certificate warning screen displays, click OK, Yes or Continue. The warning appears because the ZyWALL’s default certificate is self-signed; before clicking through on a network you do not trust, compare the certificate’s fingerprint with the one your administrator gave you, or have the administrator install a certificate issued by a CA your browser trusts. Figure 247 Java Needed Message 6 The following status screen displays indicating the progress of the secure SSL VPN connection setup.
  • Page 380: The Ssl Vpn User Screens

    Available resource links vary depending on the configuration your network administrator made. 23.3 The SSL VPN User Screens This section describes the main elements in the remote user screens. Figure 249 Remote User Screen
  • Page 381: Bookmarking The Zywall

    1 Click the Logout icon in any remote user screen. 2 A prompt window displays. Click OK to continue. Figure 251 Logout: Prompt 3 An information screen displays to indicate that the SSL VPN connection is about to terminate.
  • Page 382: Figure 252 Logout: Connection Termination Progress

    Figure 252 Logout: Connection Termination Progress
  • Page 383: Ssl User Application Screens

    Microsoft Outlook Web Access (OWA). To access a web-based application, simply click a link in the Application screen to display the web screen in a separate browser window. Figure 253 Application
  • Page 384 Chapter 24 SSL User Application Screens
  • Page 385: Ssl User File Sharing

    25.2 The Main File Sharing Screen The first File Sharing screen displays the name(s) of the shared folder(s) available. The following figure shows an example with one file share.
  • Page 386: Opening A File Or Folder

    3 If an access user name and password are required, a screen displays as shown in the following figure. Enter the account information and click Login to continue. Figure 255 File Sharing: Enter Access User Name and Password
  • Page 387: Downloading A File

    25.3.2 Saving a File After you have opened a file in a web browser, you can save a copy of the file by clicking File > Save As and following the on-screen instructions.
  • Page 388: Creating A New Folder

    Make sure the length of the folder name does not exceed the maximum allowed on the file server. Figure 258 File Sharing: Save a Word File 25.5 Renaming a File or Folder To rename a file or folder, click the Rename icon next to the file/folder.
  • Page 389: Deleting A File Or Folder

    - so be sure you really do not want the item before you click. 25.7 Uploading a File Follow the steps below to upload a file to the file server.
  • Page 390: Figure 261 File Sharing: File Upload

    4 After the file is uploaded successfully, you should see the name of the file and a message in the screen. Figure 261 File Sharing: File Upload Uploading a file with the same name and file extension replaces the existing file on the file server. No warning message is displayed, so check the share’s contents before uploading.
  • Page 391: L2Tp Vpn

    You must configure an IPSec VPN connection for L2TP VPN to use (see Chapter 21 on page for details). The IPSec VPN connection must:
    • Be enabled.
    • Use transport mode.
    • Not be a manual key VPN connection.
    • Use Pre-Shared Key authentication.
  • Page 392: Figure 263 Policy Route For L2Tp Vpn

    Finding Out More • See Section 5.4.6 on page 113 for related information on these screens. • See Chapter 27 on page 395 for an example of how to create a basic L2TP VPN tunnel.
  • Page 393: L2Tp Vpn Screen

    Select a user or user group that can use the L2TP VPN tunnel. Select Create Object to configure a new user account (see Section 36.2.1 on page 578 for details). Otherwise, select any to allow any user with a valid account and password on the ZyWALL to log in. Prefer a dedicated user group over any, so that accounts created for other purposes cannot also open an L2TP tunnel.
  • Page 394: L2Tp Vpn Session Monitor Screen

    This field displays the public IP address that the remote user is using to connect to the Internet. Action: Click the Disconnect icon next to an L2TP VPN connection to disconnect it. Refresh: Click Refresh to update the information in the display.
  • Page 395: L2Tp Vpn Example

    192.168.1.x subnet. 27.2 Configuring the Default L2TP VPN Gateway Example 1 Click VPN > Network > IPSec VPN > VPN Gateway to open the screen that lists the VPN gateways. Click the Default_L2TP_VPN_GW entry’s Edit icon.
  • Page 396: Configuring The Default L2Tp Vpn Connection Example

    Figure 268 VPN > IPSec VPN > VPN Gateway (Enable) 27.3 Configuring the Default L2TP VPN Connection Example 1 Click VPN > Network > IPSec VPN to open the screen that lists the VPN connections. Click the Default_L2TP_VPN_Connection’s Edit icon.
  • Page 397: Figure 269 Vpn > Ipsec Vpn > Vpn Connection > Edit

    • For the Remote Policy, create an address object that uses host type and an IP address of 0.0.0.0 (any remote address, since the L2TP clients’ addresses are not known in advance). It is named L2TP_HOST in this example. 3 Click the Default_L2TP_VPN_Connection entry’s Enable icon and click Apply to turn on the entry. Figure 270 VPN > IPSec VPN > VPN Connection (Enable)
  • Page 398: Configuring The L2Tp Vpn Settings Example

    L2TP-test has been created. • Leave the other fields at their defaults in this example and click Apply. 27.5 Configuring the Policy Route for L2TP Example 1 Click Routing > Add to open the following screen.
  • Page 399: Configuring L2Tp Vpn In Windows Xp And 2000

    • For Windows 2000, use net start "ipsec policy agent". 27.6.1 Configuring L2TP in Windows XP In Windows XP do the following to establish an L2TP VPN connection. 1 Click Start > Control Panel > Network Connections > New Connection Wizard.
  • Page 400: Figure 273 New Connection Wizard: Network Connection Type

    3 Select Connect to the network at my workplace and click Next. Figure 273 New Connection Wizard: Network Connection Type 4 Select Virtual Private Network connection and click Next. Figure 274 New Connection Wizard: Network Connection 5 Type L2TP to ZyWALL as the Company Name.
  • Page 401: Figure 275 New Connection Wizard: Connection Name

    Figure 276 New Connection Wizard: Public Network 7 Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN (172.16.1.2 in this example).
  • Page 402: Figure 277 New Connection Wizard: Vpn Server Selection

    Figure 277 New Connection Wizard: VPN Server Selection 172.16.1.2 8 Click Finish. 9 The Connect L2TP to ZyWALL screen appears. Click Properties > Security. Figure 278 Connect L2TP to ZyWALL 10 Click Security, select Advanced (custom settings) and click Settings.
  • Page 403: Figure 279 Connect L2Tp To Zywall: Security

    11 Select Optional encryption (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK. PAP is acceptable here only because the whole L2TP session, password included, travels inside the IPSec transport-mode SA; the “no encryption” setting refers to PPP-level encryption, not to IPSec. Figure 280 Connect ZyWALL L2TP: Security > Advanced 12 Click IPSec Settings.
  • Page 404: Figure 281 L2Tp To Zywall Properties > Security

    Figure 282 L2TP to ZyWALL Properties > Security > IPSec Settings 14 Click Networking. Select L2TP IPSec VPN as the Type of VPN. Click OK. Figure 283 L2TP to ZyWALL Properties: Networking 15 Enter the user name and password of your ZyWALL account. Click Connect.
  • Page 405: Configuring L2Tp In Windows 2000

    L2TP client. 27.6.2.1 Editing the Windows 2000 Registry In Windows 2000, you need to create a registry entry and restart the computer to have it use pre-shared keys.
  • Page 406: Figure 287 Starting The Registry Editor

    3 Select HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters. Figure 288 Registry Key 4 Right-click Parameters and select New > DWORD Value. Figure 289 New DWORD Value 5 Enter ProhibitIpSec as the name, and make sure the Data displays as 0’s. Note that Microsoft’s own procedure for pre-shared-key L2TP on Windows 2000 (Knowledge Base article 240262) sets ProhibitIpSec to 1, which disables the automatic L2TP/IPSec policy so that the custom IP security policy created in the next section is the one that applies; if the connection fails with the value at 0, try 1.
  • Page 407: Figure 290 Prohibitipsec Dword Value

    1 Click Start > Run. Type mmc and click OK. Figure 291 Run mmc 2 Click Console > Add/Remove Snap-in. Figure 292 Console > Add/Remove Snap-in 3 Click Add > IP Security Policy Management > Add > Finish. Click Close > OK.
  • Page 408: Figure 293 Add > Ip Security Policy Management > Finish

    4 Right-click IP Security Policies on Local Machine and click Create IP Security Policy. Click Next in the welcome screen. Figure 294 Create IP Security Policy 5 Name the IP security policy L2TP to ZyWALL, and click Next.
  • Page 409: Figure 295 Ip Security Policy: Name

    6 Clear the Activate the default response rule check box and click Next. Figure 296 IP Security Policy: Request for Secure Communication 7 Leave the Edit Properties check box selected and click Finish. Figure 297 IP Security Policy: Completing the IP Security Policy Wizard
  • Page 410: Figure 298 Ip Security Policy Properties > Add

    Figure 298 IP Security Policy Properties > Add 9 Select This rule does not specify a tunnel and click Next. Figure 299 IP Security Policy Properties: Tunnel Endpoint 10 Select All network connections and click Next.
  • Page 411: Figure 300 Ip Security Policy Properties: Network Type

    Figure 300 IP Security Policy Properties: Network Type 11 Select Use this string to protect the key exchange (preshared key), type the pre-shared key configured on the ZyWALL’s VPN gateway in the text box (the example uses password, which is far too weak for real use), and click Next. Figure 301 IP Security Policy Properties: Authentication Method 12 Click Add.
  • Page 412: Figure 302 Ip Security Policy Properties: Ip Filter List

    ZyWALL’s WAN IP address (172.16.1.2 in this example) in the IP Address field. Make certain the Mirrored. Also match packets with the exact opposite source and destination addresses check box is selected and click Apply.
  • Page 413: Figure 304 Filter Properties: Addressing

    15 Configure the following in the Filter Properties window’s Protocol tab. Set the protocol type to UDP from port 1701. Select To any port. Click Apply, OK, and then Close. Figure 305 Filter Properties: Protocol 16 Select ZyWALL WAN_IP and click Next.
  • Page 414: Figure 306 Ip Security Policy Properties: Ip Filter List

    17 Select Require Security and click Next. Then click Finish and Close. Figure 307 IP Security Policy Properties: IP Filter List 18 In the Console window, right-click L2TP to ZyWALL and select Assign. Figure 308 Console: L2TP to ZyWALL Assign
  • Page 415: Figure 309 Start New Connection Wizard

    Figure 310 New Connection Wizard: Network Connection Type 3 Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN. Click Next.
  • Page 416: Figure 311 New Connection Wizard: Destination Address

    Figure 311 New Connection Wizard: Destination Address 172.16.1.2 4 Select For all users and click Next. Figure 312 New Connection Wizard: Connection Availability 5 Name the connection L2TP to ZyWALL and click Finish. Figure 313 New Connection Wizard: Naming the Connection
  • Page 417: Figure 314 Connect L2Tp To Zywall

    8 Select Optional encryption allowed (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK. Click Yes if a screen pops up. As on Windows XP, PAP is protected here by the IPSec SA that the assigned policy requires for the L2TP traffic.
  • Page 418: Figure 316 Connect L2Tp To Zywall: Security > Advanced

    Click OK. Figure 317 Connect L2TP to ZyWALL: Networking 10 Enter your user name and password and click Connect. It may take up to one minute to establish the connection and register on the network.
  • Page 419: Figure 318 Connect L2Tp To Zywall

    12 Click Details and scroll down to check that the address you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20). Figure 320 L2TP to ZyWALL Status: Details 13 Access a server or other network resource behind the ZyWALL to make sure your access works.
  • Page 420 Chapter 27 L2TP VPN Example
  • Page 421: Application Patrol

    Application Patrol (423)
  • Page 423: Application Patrol

    28.1.2 What You Need to Know About Application Patrol If you want to use a service, make sure both the firewall and application patrol allow the service’s packets to go through the ZyWALL.
  • Page 424 When you allow an application, you can restrict the bandwidth it uses or even the bandwidth that particular features in the application (like voice, video, or file sharing) use. This restriction may be ineffective in certain cases, however, such as using MSN to send files via P2P.
  • Page 425: Figure 321 Lan To Wan Connection And Packet Directions

    • Outbound traffic is limited to 200 kbps. The connection initiator is on the LAN, so outbound means the traffic traveling from the LAN to the WAN. Each of the WAN zone’s two interfaces can send the limit of 200 kbps of traffic, so the zone as a whole can carry 400 kbps outbound.
  • Page 426: Figure 322 Lan To Wan, Outbound 200 Kbps, Inbound 500 Kbps

    DMZ to WAN policies for FTP servers A and B. Each server tries to send 1000 kbps, but the WAN is set to a maximum outgoing speed of 1000 kbps. You configure policy A for server A’s traffic and policy B for server B’s traffic.
  • Page 427: Figure 323 Bandwidth Management Behavior

    200 kbps plus 250 kbps for a total of 450 kbps.
    Table 135 Maximize Bandwidth Usage Effect (the MAX. B. U. and PRIORITY cells did not survive extraction)
    POLICY   CONFIGURED RATE   MAX. B. U.   PRIORITY   ACTUAL RATE
    A        300 kbps          -            -          550 kbps
    B        200 kbps          -            -          450 kbps
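The allocation behind Table 135, worked through as an added example in Python (not ZyXEL code). Two policies on the 1000 kbps WAN from page 426 are each guaranteed their configured rate (300 and 200 kbps); the unused 500 kbps is shared by the policies that have maximize bandwidth usage enabled, giving 550 and 450 kbps as the table shows. How the device divides leftover bandwidth between policies of different priority is not in this excerpt, so the rule used here (higher priority is served first, equal priorities share equally, and a policy never receives more than it is trying to send) is an assumption; the lowest priority value 7 is the device default quoted on page 435.

```python
"""Bandwidth allocation with "maximize bandwidth usage", worked through.

Added example, not ZyXEL code.  Reproduces the guide's Table 135 case and
generalises it.  Assumption: leftover bandwidth goes to "maximize" policies
in priority order (1 = highest); policies of equal priority share it
equally; no policy receives more than its traffic demands.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Policy:
    name: str
    configured_kbps: int       # guaranteed rate
    maximize: bool             # "maximize bandwidth usage" enabled?
    priority: int = 7          # 1 = highest, 7 = lowest (the device's default for unmatched traffic)
    demand_kbps: int = 10**9   # how much the policy's traffic is trying to send


def allocate(link_kbps: int, policies: List[Policy]) -> Dict[str, int]:
    """Return the actual rate each policy ends up with, in kbps."""
    guaranteed = sum(p.configured_kbps for p in policies)
    if guaranteed > link_kbps:
        raise ValueError(f"configured rates ({guaranteed} kbps) exceed the link ({link_kbps} kbps)")
    rates = {p.name: min(p.configured_kbps, p.demand_kbps) for p in policies}
    leftover = link_kbps - sum(rates.values())
    # Hand leftover to "maximize" policies, best priority first; equal priorities share evenly.
    for prio in sorted({p.priority for p in policies if p.maximize}):
        group = [p for p in policies
                 if p.maximize and p.priority == prio and rates[p.name] < p.demand_kbps]
        while leftover > 0 and group:
            share = leftover // len(group)
            if share == 0:
                break
            for p in group[:]:
                extra = min(share, p.demand_kbps - rates[p.name])
                rates[p.name] += extra
                leftover -= extra
                if rates[p.name] >= p.demand_kbps:
                    group.remove(p)      # satisfied: stops competing for leftover
    return rates


# The guide's Table 135 scenario (both policies assumed to share the same priority).
TABLE_135 = [Policy("A", 300, maximize=True, priority=1),
             Policy("B", 200, maximize=True, priority=1)]

if __name__ == "__main__":
    print(allocate(1000, TABLE_135))    # {'A': 550, 'B': 450}
```

Running the same two policies with maximize disabled shows the other side of the trade-off: each is pinned to its configured rate and 500 kbps of the link sits idle, which is the behaviour page 430 chooses deliberately for the FTP policy.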
  • Page 428: Application Patrol Bandwidth Management Examples

    • FTP traffic from the LAN to the DMZ can use more bandwidth since the interfaces support up to 1 Gbps connections, but it must be the lowest priority and limited so it does not interfere with SIP and HTTP traffic.
  • Page 429: Figure 324 Application Patrol Bandwidth Management Example

    ZyWALL applies this limit before sending the traffic to the LAN or DMZ. • Highest priority (1). Set policies for other applications to lower priorities so the SIP traffic always gets the best treatment. • Enable maximize bandwidth usage so the SIP traffic can borrow unused bandwidth.
  • Page 430: Figure 325 Sip Any To Wan Bandwidth Management Example

    • ADSL supports more downstream than upstream, so you allow remote users 300 kbps for uploads to the DMZ FTP server (outbound) but only 100 kbps for downloads (inbound). • Third highest priority (3). • Disable maximize bandwidth usage since you do not want to give FTP more bandwidth.
  • Page 431: Application Patrol General Screen

    Use this screen to enable and disable application patrol. It also lists the registration status and details about the signature set the ZyWALL is using. You must register for the IDP/AppPatrol signature service (at least the trial) before you can use it.
  • Page 432: Figure 329 Apppatrol > General

    Registration: This link appears if you have not registered for the service or only have the trial registration. Click this link to go to the screen where you can register for the service. Signature Information: The following fields display information on the current signature set that the ZyWALL is using.
  • Page 433: Application Patrol Applications

    To activate or deactivate patrol for an application, click the Active icon for the corresponding application. Make sure you click Apply to save and apply the change. To edit the settings for an application, click the Edit icon next to the application. The Configuration Edit screen appears.
  • Page 434: The Application Patrol Edit Screen

    Service Ports - the ZyWALL identifies this application by looking at the destination port in the TCP or UDP header. Because any application can be run on any port, port-based classification is easy to evade and is best backed by the signature-based classification the AppPatrol signature set provides where it supports the application. Service Port: This is available if the Classification is Service Ports. You can view and edit the ports used to identify this application.
  • Page 435 In this case the traffic is automatically treated as being set to the lowest priority (7) regardless of this field’s configuration. This field shows whether the ZyWALL generates a log (log), a log and alert (log alert) or neither (no) when the application’s traffic matches this policy.
  • Page 436: The Application Patrol Policy Edit Screen

    Select a schedule that defines when the policy applies or select Create Object to configure a new one (see Chapter 39 on page 601 for details). Otherwise, select none to make the policy always effective.
  • Page 437 If the sum of the bandwidths for routes using the same next hop is higher than the actual transmission speed, lower priority traffic may not be sent if higher priority traffic uses all of the actual bandwidth.
  • Page 438: The Other Applications Screen

    You can also control the bandwidth used by these other applications. This screen also allows you to add, edit, and remove conditions to this default policy. Click AppPatrol > Other to open the Other (applications) screen. Figure 333 AppPatrol > Other
  • Page 439: Table 141 Apppatrol > Other

    (7) regardless of this field’s configuration. Select whether to have the ZyWALL generate a log (log), log and alert (log alert) or neither (no) when traffic matches this policy. See Chapter 47 on page 705 for more on logs.
  • Page 440: The Other Applications Add/Edit Screen

    Select a schedule that defines when the policy applies or select Create Object to configure a new one (see Chapter 39 on page 601 for details). Otherwise, select any to make the policy always effective.
  • Page 441 The number in this field is ignored if the incoming and outgoing limits are both set to 0. In this case the traffic is automatically treated as being set to the lowest priority (7) regardless of this field’s configuration. ZyWALL USG 300 User’s Guide...
  • Page 442: Application Patrol Statistics

    Click Expand to display individual protocols. Collapse hides them. Statistics for the selected protocols display after you click Apply. 28.5.2 Application Patrol Statistics: Bandwidth Statistics The middle of the AppPatrol > Statistics screen displays a bandwidth usage line graph for the selected protocols. ZyWALL USG 300 User’s Guide...
  • Page 443: Application Patrol Statistics: Protocol Statistics

    ZyWALL sends out from the initiator of the connection. • Different colors represent different protocols. 28.5.3 Application Patrol Statistics: Protocol Statistics The bottom of the AppPatrol > Statistics screen displays statistics for each of the selected protocols. ZyWALL USG 300 User’s Guide...
  • Page 444: Figure 337 Apppatrol > Statistics: Protocol Statistics

    So for a connection initiated from the LAN to the WAN, the traffic sent from the LAN to the WAN is the outbound traffic. Forwarded This is how much of the application’s traffic the ZyWALL has sent (in kilobytes). Data (KB) ZyWALL USG 300 User’s Guide...
  • Page 445 This is how much of the application’s traffic the ZyWALL has discarded and notified Data (KB) the client that the traffic was rejected (in kilobytes). This traffic was rejected because it matched a policy set to “reject”. ZyWALL USG 300 User’s Guide...
  • Page 446 Chapter 28 Application Patrol ZyWALL USG 300 User’s Guide...
  • Page 447: Anti-X

    Anti-X: Anti-Virus (449), IDP (463), ADP (493), Content Filtering (511), Content Filter Reports (533), Anti-Spam (541)
  • Page 449: Anti-Virus

    (Section 29.3 on page 455) to set up anti-virus black (blocked) and white (allowed) lists of virus file patterns. • Use the Signature screen (Section 29.6 on page 458) to search signatures and get more information about them.
  • Page 450: What You Need To Know About Anti-Virus

    The un-infected portion of the file before a virus pattern was matched still goes through. 5 If the send alert message function is enabled, the ZyWALL sends an alert to the file’s intended destination computer(s).
  • Page 451: Before You Begin

    • You may need to customize the zones (in Network > Zone) used for the anti-virus scanning direction. 29.2 Anti-Virus Summary Screen. Click Anti-X > Anti-Virus to display the configuration screen as shown next.
  • Page 452: Figure 339 Anti-X > Anti-Virus > General

    HTTP applies to traffic using TCP ports 80, 8080 and 3128. SMTP applies to traffic using TCP port 25. POP3 applies to traffic using TCP port 110. IMAP4 applies to traffic using TCP port 143.
  • Page 453: Anti-Virus Policy Add Or Edit Screen

    Click Reset to start configuring this screen again. 29.2.1 Anti-Virus Policy Add or Edit Screen. Click the Add or Edit icon in the Anti-X > Anti-Virus > General screen to display the configuration screen as shown next.
  • Page 454: Figure 340 Anti-X > Anti-Virus > General > Add

    Message: Select this check box to set the ZyWALL to send a message alert to the files’ intended user(s) using Microsoft Windows computers connected to the To interface. Refer to Appendix C on page 807 if your Windows computer does not display the alert messages.
  • Page 455: Anti-Virus Black List

    Black List screen to set up the Anti-Virus black (blocked) list of virus file patterns. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
  • Page 456: Anti-Virus Black List Or White List Add/Edit

    • For a black list entry, enter a file pattern that should cause the ZyWALL to log and delete a file. • For a white list entry, enter a file pattern that should cause the ZyWALL to allow a file.
  • Page 457: Anti-Virus White List

    Use the Black/White List screen to set up Anti-Virus black (blocked) and white (allowed) lists of virus file patterns. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
  • Page 458: Signature Searching

    No to continue. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
  • Page 459: Figure 344 Anti-X > Anti-Virus > Signature: Search By Severity

    Click a signature’s name to see details about the virus. This is the identification (ID) number of the anti-virus signature. Click the ID column header to sort your search results in ascending or descending order according to the ID.
  • Page 460: Anti-Virus Technical Reference

    A host-based anti-virus (HAV) scanner is often software installed on computers and/or servers in the network. It inspects files for virus patterns as they are moved in and out of the hard drive. However, host-based anti-virus scanners cannot eliminate all viruses for a number of reasons:
  • Page 461 • NAV scanners stop virus threats at the network edge before they enter or exit a network. • NAV scanners reduce the computing load on computers, as the real-time data traffic inspection is done on a dedicated security device.
  • Page 463: IDP

    You can apply IDP profiles to traffic flowing from one zone to another. For example, apply the default LAN_IDP profile to any traffic going to the LAN zone in order to protect your LAN computers.
  • Page 464: Before You Begin

    You must register in order to use packet inspection signatures. See the Registration screens. If you try to enable IDP when the IDP service has not yet been registered, a warning screen displays and IDP is not enabled.
  • Page 465: Figure 345 Anti-X > IDP > General

    From WAN To WAN means packets that come in from the WAN zone and the ZyWALL routes back out through the WAN zone. IDP Profile: This field shows which IDP profile is bound to which traffic direction. Click the popup icon to change to a different profile.
  • Page 466: Configuring IDP Policies

    30.2.1 Configuring IDP Policies. Click Anti-X > IDP > General and then an Add or Edit icon to display the following screen. Use this screen to apply an IDP profile to traffic flowing from one zone to another.
  • Page 467: Introducing IDP Profiles

    30.3.1 Base Profiles. The ZyWALL comes with several base profiles. You use base profiles to create new profiles. In the Anti-X > IDP > Profile screen, click the Add icon to display the following screen.
  • Page 468: The Profile Summary Screen

    • Add a new profile • Edit an existing profile • Delete an existing profile. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
  • Page 469: Creating New Profiles

    468) and then click OK to go to the profile details screen. If Internet Explorer opens a warning screen about a script making Internet Explorer run slowly and the computer possibly becoming unresponsive, just click No to continue.
  • Page 470: Profiles: Packet Inspection

    Select Anti-X > IDP > Profile and then add a new profile or edit an existing one. Packet inspection signatures examine the contents of a packet for malicious data. They operate at layer 4 to layer 7. 30.6.1 Profile > Group View Screen
  • Page 471: Figure 349 Anti-X > IDP > Profile > Edit: Group View

    Figure 349 Anti-X > IDP > Profile > Edit: Group View
  • Page 472: Table 156 Anti-X > IDP > Profile > Group View

    ZyWALL create a log when a packet matches a signature(s). log alert: An alert is an e-mailed log for more serious events that may need more immediate attention. Select this option to have the ZyWALL send an alert when a packet matches a signature(s).
  • Page 473: Policy Types

    After you enter a chat (or chat room), any room member can type a message that will appear on the monitors of all the other participants. SPAM: Spam is unsolicited “junk” e-mail sent to large numbers of people to promote products or services.
  • Page 474: IDP Service Groups

    An IDP service group is a set of related packet inspection signatures. Table 158 IDP Service Groups: WEB_PHP, WEB_MISC, WEB_IIS, WEB_FRONTPAGE, WEB_CGI, WEB_ATTACKS, TFTP, TELNET, SNMP, SMTP, RSERVICES, POP3, POP2, ORACLE, NNTP, NETBIOS, MYSQL, MISC_EXPLOIT, MISC_DDOS, MISC_BACKDOOR, MISC
  • Page 475: Profile > Query View Screen

    In the query view screen, you can search for signatures by criteria such as name, ID, severity, attack type, vulnerable attack platforms, service category, log options or actions.
  • Page 476: Figure 351 Anti-X > IDP > Profile: Query View

    Hold down the [Ctrl] key if you want to make multiple selections. Activation: Search for enabled and/or disabled signatures here. Search for signatures by log option here. See Table 156 on page 472 for option details.
  • Page 477: Query Example

    This example shows a search with these criteria: • Severity: severe and high • Attack Type: DDoS • Platform: Windows 2000 and Windows XP computers • Service: Any • Actions: Any. Figure 352 Query Example Search Criteria
  • Page 478: Introducing IDP Custom Signatures

    You need some knowledge of packet headers and attack types to create your own custom signatures. 30.7.1 IP Packet Header. These are the fields in an Internet Protocol (IP) version 4 packet header.
  • Page 479: Figure 354 IP v4 Packet Headers

    IP network. Source IP Address: This is the IP address of the original sender of the packet. Destination IP Address: This is the IP address of the final destination of the packet.
  • Page 480: Configuring Custom Signatures

    If a packet matches a rule for reject-receiver and it also matches a rule for reject-sender, then the ZyWALL will reject-both. Figure 355 Anti-X > IDP > Custom Signatures
  • Page 481: Creating Or Editing A Custom Signature

    (including packet contents), then the fewer false positives the signature will trigger. Try to write signatures that target a vulnerability, for example a certain type of traffic on certain operating systems, instead of a specific exploit.
  • Page 482: Figure 356 Anti-X > IDP > Custom Signatures > Add/Edit

    Figure 356 Anti-X > IDP > Custom Signatures > Add/Edit
  • Page 483: Table 162 Anti-X > IDP > Custom Signatures > Add/Edit

    Some intrusions can be identified by the number in this field. Select the check box, select Equal, Smaller or Greater and then type in a number.
  • Page 484 ICMP fields when they communicate. Payload Options: The longer a payload option is, the more exact the match and the faster the signature processing. Therefore, if possible, it is recommended to have at least one payload option in your signature.
  • Page 485: Custom Signature Example

    As an example, say you want to create a signature for the ‘Microsoft Windows Plug-and-Play Service Remote Overflow (MS-05-39)’ attack. Search the Security Focus web site and you will find it uses the NetBIOS service in established TCP connections to a server using port 445.
  • Page 486: Figure 357 Custom Signature Example Pattern 1

    Figure 359 Custom Signature Example Patterns 3 and 4. The final custom signature should look as shown in the following figure. If the attack occurs, check the logs for a log of your custom signature. This indicates the signature works correctly.
  • Page 487: Figure 360 Example Custom Signature

    Figure 360 Example Custom Signature
  • Page 488: Applying Custom Signatures

    The Note column displays ACCESS FORWARD when no action is configured for the signature. It displays ACCESS DENIED if you configure the signature action to drop the packet. The destination port is the service port (NetBIOS in this case) that the attack tries to exploit.
  • Page 489: IDP Technical Reference

    The text up to the first parenthesis is the rule header and the section enclosed in parentheses contains the rule options. The words before the colons in the rule options section are the option keywords.
  • Page 490: Table 163 ZyWALL - Snort Equivalent Terms

    Sequence Number = icmp_seq. Payload Options (Snort rule options): Payload Size = dsize; Offset (relative to start of payload) = offset; Relative to end of last match = distance; Content = content; Case-insensitive = nocase; Decode as URI = uricontent
  • Page 491 Not all Snort functionality is supported in the ZyWALL.
  • Page 493: ADP

    Protocol anomalies are packets that do not comply with the relevant RFC (Request For Comments). Protocol anomaly detection includes HTTP Inspection, TCP Decoder, UDP Decoder and ICMP Decoder. Protocol anomaly rules may be updated when you upload new firmware.
  • Page 494: Before You Begin

    The following table describes the fields in this screen. Table 164 Anti-X > ADP > General. General Settings: Enable Anomaly Detection: Select this check box to enable traffic anomaly and protocol anomaly detection.
  • Page 495: Configuring ADP Policies

    Click Anti-X > ADP > General and then an Add or Edit icon to display the following screen. Use this screen to apply an ADP profile to a traffic direction. Figure 364 Anti-X > ADP > General > Add
  • Page 496: The Profile Summary Screen

    • Create a new profile using an existing base profile • Edit an existing profile • Delete an existing profile. 31.3.1 Base Profiles. The ZyWALL comes with base profiles. You use base profiles to create new profiles. Figure 365 Base Profiles
  • Page 497: Configuring The ADP Profile Summary Screen

    A false positive is when valid traffic is flagged as an attack. A false negative is when invalid traffic is wrongly allowed to pass through the ZyWALL. As each network is different, false positives and false negatives are common on initial ADP deployment.
  • Page 498: Traffic Anomaly Profiles

    Edit icon or click the Add icon and choose a base profile. If you made changes to other screens belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Traffic Anomaly tab.
  • Page 499: Figure 367 Profiles: Traffic Anomaly

    Figure 367 Profiles: Traffic Anomaly
  • Page 500: Protocol Anomaly Profiles

    Protocol anomaly is the third screen in an ADP profile. Protocol anomaly (PA) rules check for protocol compliance against the relevant RFC (Request for Comments). Protocol anomaly detection includes HTTP Inspection, TCP Decoder, UDP Decoder, and ICMP Decoder, where each category reflects the packet type inspected.
  • Page 501: Protocol Anomaly Configuration

    Protocol Anomaly tab. If you made changes to other screens belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Protocol Anomaly tab.
  • Page 502: Figure 368 Profiles: Protocol Anomaly

    Figure 368 Profiles: Protocol Anomaly
  • Page 503: Technical Reference

    31.3.4 on page 498) Port Scanning: An attacker scans device(s) to determine what types of network protocols or services a device supports. One of the most common port scanning tools in use today is Nmap.
  • Page 504 These are some filtered port scan examples. • TCP Filtered Portscan • UDP Filtered Portscan • IP Filtered Portscan • TCP Filtered Decoy Portscan • UDP Filtered Decoy Portscan • IP Filtered Decoy Portscan
  • Page 505: Figure 369 Smurf Attack

    Usually a client starts a session by sending a SYN (synchronize) packet to a server. The receiver returns an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established.
  • Page 506: Figure 370 TCP Three-Way Handshake

    ICMP packet of destination unreachable to the forged source address. If enough UDP packets are delivered to ports on the victim, the system will go down.
  • Page 507: Table 170 HTTP Inspection And TCP/UDP/ICMP Decoders

    NULL bytes in the request-URI. NON-RFC-HTTP-DELIMITER ATTACK: This is when a newline “\n” character is detected as a delimiter. This is non-standard but is accepted by both Apache and IIS web servers.
  • Page 508 20 bytes. This may cause some applications to crash. UDP Decoder: OVERSIZE-LEN ATTACK: This is when a UDP packet is sent which has a UDP length field greater than the actual packet length. This may cause some applications to crash.
  • Page 509 TRUNCATED-TIMESTAMP-HEADER ATTACK: This is when an ICMP packet is sent which has an ICMP datagram length of less than the ICMP Time Stamp header length. This may cause some applications to crash.
  • Page 511: Content Filtering

    A content filtering profile conveniently stores your custom settings for the following features. • Category-based Blocking: The ZyWALL can block access to particular categories of web site content, such as pornography or racial intolerance. • Restrict Web Features
  • Page 512: Before You Begin

    • You must configure an address object, a schedule object and a filtering profile before you can set up a content filter policy. • You must subscribe to use the external database content filtering (see the Licensing > Registration screens).
  • Page 513: Content Filter General Screen

    User: This column displays the individual or group to which this policy applies. any means the content filter policy applies to all of the web access requests that the ZyWALL receives from any user.
  • Page 514 None displays if you have not successfully registered and activated the service. Standard displays if you have successfully registered the ZyWALL and activated the service. Trial displays if you have successfully registered the ZyWALL and activated the trial service subscription.
  • Page 515: Content Filter Policy Add Or Edit Screen

    Select Create Object to configure a new user account (see Section 36.2.1 on page for details). Select any to have the content filter policy apply to all of the web access requests that the ZyWALL receives from any user.
  • Page 516: Content Filter Profile Screen

    You must register for external content filtering before you can use it. See Section 8.2 on page 166 for how to register. See Chapter 33 on page 533 for how to view content filtering reports.
  • Page 517: Figure 375 Anti-X > Content Filter > Filter Profile > Add

    Figure 375 Anti-X > Content Filter > Filter Profile > Add
  • Page 518: Table 174 Anti-X > Content Filter > Filter Profile > Add

    Content Filter General screen along with the category of the blocked web page. Select Log to record attempts to access web pages that match the other categories that you select below.
  • Page 519 These are categories of web pages that are known to pose a threat to users or their computers. Phishing: This category includes pages that are designed to appear as a legitimate bank or retailer with the intent to fraudulently capture sensitive data (i.e. credit card numbers, PIN numbers).
  • Page 520 It also includes pages that glorify, tout, or otherwise encourage the consumption of alcohol/tobacco. It does not include pages that sell alcohol or tobacco as a subset of other products.
  • Page 521 Includes sites that endorse or offer methods, means of instruction, or other resources to affect or influence real events through the use of spells, incantations, curses and magic powers. This category includes sites which discuss or deal with paranormal or unexplained events.
  • Page 522 Internet and technology-related organizations and companies. Search Engines/Portals: This category includes pages that support searching the Internet, indices, and directories. Job Search/Careers: This category includes pages that provide assistance in finding employment, and tools for locating prospective employers.
  • Page 523 It does not include pages that can be classified in other categories (such as vehicles or weapons). Auctions: This category includes pages that support the offering and purchasing of goods between individuals. This does not include classified advertisements.
  • Page 524 This does not include advertising servers that serve adult-oriented advertisements. Web Hosting: This category includes pages of organizations that provide top-level domain pages, as well as web communities or hosting services. Test Web Site Category
  • Page 525: Content Filter Blocked And Warning Messages

    (blocked) web site addresses. You can also block web sites based on whether the web site’s address contains a keyword. Use this screen to add or remove specific sites or keywords from the filter list.
  • Page 526: Figure 377 Anti-X > Content Filter > Filter Profile > Customization

    ActiveX: ActiveX is a tool for building dynamic and active web pages and distributed object applications. When you visit an ActiveX web site, ActiveX controls are downloaded to your browser, where they remain in case you visit the site again.
  • Page 527 (such as Bad for example). Blocked URL Keywords: This list displays the keywords already added. Click this button when you have finished adding keywords in the field above.
  • Page 528: Content Filter Cache Screen

    Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
  • Page 529: Figure 378 Anti-X > Content Filter > Cache

    This is the number of the page of entries currently displayed and the total number of pages of entries. Type a page number to go to or use the arrows to navigate the pages of entries. This is the index number of a categorized web site address record.
  • Page 530: Content Filter Technical Reference

    2 The ZyWALL looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site’s category will be in the ZyWALL’s cache. The ZyWALL blocks, blocks and logs, or just logs the request based on your configuration.
  • Page 531 5 The external content filter server sends the category information back to the ZyWALL, which then blocks and/or logs access to the web site based on the settings in the content filter profile. The web site’s address and category are then stored in the ZyWALL’s content filter cache.
  • Page 533: Content Filter Reports

    You need to register your iCard before you can view content filtering reports. Alternatively, you can also view content filtering reports during the free trial (up to 30 days). 1 Go to http://www.myZyXEL.com.
  • Page 534: Figure 380 myZyXEL.com: Login

    2 Fill in your myZyXEL.com account information and click Login. Figure 380 myZyXEL.com: Login
  • Page 535: Figure 381 myZyXEL.com: Welcome

    Registered ZyXEL Products (the ZyWALL 70 is shown as an example here). You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 382 on page 536). Figure 381 myZyXEL.com: Welcome
  • Page 536: Figure 382 myZyXEL.com: Service Management

    4 In the Service Management screen click Content Filter in the Service Name column to open the content filter reports screens. Figure 382 myZyXEL.com: Service Management. 5 In the Web Filter Home screen, click the Reports tab. Figure 383 Content Filter Reports Main Screen
  • Page 537: Figure 384 Content Filter Reports: Report Home

    6 Select items under Global Reports to view the corresponding reports. Figure 384 Content Filter Reports: Report Home
  • Page 538: Figure 385 Global Report Screen Example

    Taken field and click Run Report. The screens vary according to the report type you selected in the Report Home screen. 8 A chart and/or list of requested web site categories display in the lower half of the screen. Figure 385 Global Report Screen Example
  • Page 539: Figure 386 Requested URLs Example

    9 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested. Figure 386 Requested URLs Example
  • Page 541: Anti-Spam

    IP address or uses a specified header field and header value as being spam. If an e-mail does not match any of the white list entries, the ZyWALL checks it against the black list entries. The ZyWALL classifies an e-mail that ZyWALL USG 300 User’s Guide...
  • Page 542 ZyWALL can check the routing addresses of e-mail against DNSBLs and classify an e-mail as spam if it was sent or forwarded by a computer with an IP address in the DNSBL. Here’s how the ZyWALL uses DNSBLs. ZyWALL USG 300 User’s Guide...
  • Page 543: Before You Begin

    Click Anti-X > Anti-Spam to open the Anti-Spam General screen. Use this screen to turn the anti-spam feature on or off and manage anti-spam policies. You can also select the action the ZyWALL takes when the mail sessions threshold is reached. ZyWALL USG 300 User’s Guide...
  • Page 544: Figure 388 Anti-X > Anti-Spam > General

    The anti-spam policy has the ZyWALL scan e-mail traffic that is going to this zone from the From zone. Protocol These are the protocols of traffic to scan for spam. SMTP applies to traffic using TCP port 25. POP3 applies to traffic using TCP port 110. ZyWALL USG 300 User’s Guide...
  • Page 545: The Anti-Spam Policy Add Or Edit Screen

    Use this screen to configure an anti-spam policy that controls what traffic direction of e-mail to check, which e-mail protocols to scan, the scanning options, and the action to take on spam traffic. Figure 389 Anti-X > Anti-Spam > General > Add ZyWALL USG 300 User’s Guide...
  • Page 546: The Anti-Spam Black List Screen

    Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. ZyWALL USG 300 User’s Guide...
  • Page 547: The Anti-Spam Black Or White List Add/Edit Screen

    Click Reset to begin configuring this screen afresh. 34.4.1 The Anti-Spam Black or White List Add/Edit Screen In the anti-spam Black List or White List screen, click the Add icon or an Edit icon to display the following screen. ZyWALL USG 300 User’s Guide...
  • Page 548: Figure 391 Anti-X > Anti-Spam > Black/White List > Black List (Or White List) > Add

    63 ASCII characters. For example, if you want the entry to check the “Received:” header for a specific mail server’s domain, enter the mail server’s domain here. Section 34.4.2 on page 549 for more details. ZyWALL USG 300 User’s Guide...
  • Page 549: Regular Expressions In Black Or White List Entries

    LABEL DESCRIPTION General Settings Enable White List Select this check box to have the ZyWALL forward e-mail that matches (an Checking active) white list entry without doing any more anti-spam checking on that individual e-mail. ZyWALL USG 300 User’s Guide...
• Page 550: The DNSBL Screen

Click Anti-X > Anti-Spam > DNSBL to display the anti-spam DNSBL screen. Use this screen to configure the ZyWALL to check the sender and relay IP addresses in e-mail headers against DNS (Domain Name System)-based spam Black Lists (DNSBLs).
• Page 551: Figure 393 Anti-X > Anti-Spam > DNSBL

This is the IP of the last server that forwarded the mail. Actions when Query Timeout: Use this section to set what the ZyWALL does if the queries to the DNSBL domains time out. Choose this deliberately: forwarding on timeout fails open and keeps mail flowing while a DNSBL is unreachable, whereas treating a timeout as a hit fails closed and will hold legitimate mail during any DNS outage.
• Page 552: The DNSBL Add/Edit Screen

(identifying legitimate e-mail as spam). Different DNSBLs have different usage policies. For example, you can check http://www.spamhaus.org or https://www.sorbs.net for more information. Figure 394 Anti-X > Anti-Spam > DNSBL > Add
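The black/white list entries (page 547 onward) and the DNSBL check described here combine into one decision per message. The following Python is an added example written for this page, not ZyXEL's code: the message, the list entries, the DNSBL zones' answers and the relay names are all constructed so it runs offline. Forwarding on a white list hit without further checks is what the guide states; checking the black list before the DNSBL, and the `on_timeout` choices, are this example's own assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message; every host, address and IP in it is made up.
SAMPLE_MAIL = (
    "Received: from mx2.relay.test (mx2.relay.test [203.0.113.20])\n"
    "\tby mail.corp.test (Postfix) with ESMTP id 4F2A1 for <bob@corp.test>\n"
    "Received: from bulk-sender.test ([198.51.100.7])\n"
    "\tby mx2.relay.test with SMTP\n"
    'From: "Promo Desk" <promo@bulk-sender.test>\n'
    "To: bob@corp.test\n"
    "Subject: Limited offer\n"
    "\n"
    "Body text.\n"
)
# Same message, but received through a (hypothetical) white-listed partner relay.
PARTNER_MAIL = SAMPLE_MAIL.replace(
    "from mx2.relay.test (mx2.relay.test [203.0.113.20])",
    "from mx1.partner.test (mx1.partner.test [203.0.113.30])")

# Entries in the spirit of the Black/White List screens: (header, regular expression).
WHITE_LIST = [("received", r"from mx1\.partner\.test ")]
BLACK_LIST = [("from", r"@bulk-sender\.test>?$"), ("subject", r"(?i)limited offer")]

DNSBL_ZONES = ["zen.spamhaus.org", "dnsbl.sorbs.net"]

# Constructed DNS answers so the example runs offline: a listed name maps to the
# A record the DNSBL returns; a missing name stands for NXDOMAIN.
FAKE_DNS = {"7.100.51.198.zen.spamhaus.org": "127.0.0.2"}

def lookup_fake(name):
    return FAKE_DNS.get(name)

def lookup_timeout(name):
    """Stand-in for a DNSBL that never answers."""
    raise TimeoutError(name)

# Ranges a public DNSBL can say nothing useful about (RFC 1918, loopback, link-local).
_INTERNAL = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
_IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def relay_ips(raw_mail):
    """IPv4 addresses named in the Received: headers, last hop first, internal ranges skipped."""
    ips = []
    for header in message_from_string(raw_mail).get_all("Received", []):
        for cand in _IPV4_RE.findall(header):
            try:
                ip = ipaddress.ip_address(cand)
            except ValueError:
                continue
            if ip.version == 4 and not any(ip in n for n in _INTERNAL) and cand not in ips:
                ips.append(cand)
    return ips

def reverse_for_dnsbl(ip, zone):
    """198.51.100.7 checked against zone Z becomes the query name 7.100.51.198.Z."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def dnsbl_listed(ip, zone, lookup=lookup_fake):
    """Listed means an A record inside 127.0.0.0/8; NXDOMAIN means not listed. Any other
    answer counts as not listed, which guards against a resolver that rewrites NXDOMAIN."""
    answer = lookup(reverse_for_dnsbl(ip, zone))
    return answer is not None and ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")

def header_matches(msg, entries):
    for header, pattern in entries:
        for value in msg.get_all(header, []):
            if re.search(pattern, value):
                return f"{header}:{pattern}"
    return None

def classify(raw_mail, white=WHITE_LIST, black=BLACK_LIST, zones=DNSBL_ZONES,
             lookup=lookup_fake, on_timeout="forward"):
    """Returns (verdict, reason). A white list hit forwards with no further checks, as the
    guide states; black list before DNSBL is this example's ordering. on_timeout is
    'forward' (fail open) or 'spam' (fail closed) when a DNSBL query raises TimeoutError."""
    msg = message_from_string(raw_mail)
    hit = header_matches(msg, white)
    if hit:
        return "forward", "whitelist " + hit
    hit = header_matches(msg, black)
    if hit:
        return "spam", "blacklist " + hit
    for ip in relay_ips(raw_mail):
        for zone in zones:
            try:
                if dnsbl_listed(ip, zone, lookup):
                    return "spam", f"dnsbl {ip} in {zone}"
            except TimeoutError:
                if on_timeout == "spam":
                    return "spam", f"dnsbl timeout {zone}"
    return "forward", "no match"
```

To run this against a real list, replace `lookup_fake` with a function that performs an A query (and honour the list operator's usage policy). Note what the white list entry matches on: an entry written against your own MX's "by mail.corp.test" line would match every message that passes through that MX and forward all of it unchecked.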
  • Page 553: The Anti-Spam Status Screen

DNSBL Domain: These are the DNSBLs the ZyWALL uses to check sender and relay IP addresses in e-mails. Total Queries: This is the total number of DNS queries the ZyWALL has sent to this DNSBL.
• Page 554 Average Response Time (sec): This is the average for how long it takes to receive a reply from this DNSBL. No Response: This is how many DNS queries the ZyWALL sent to this DNSBL without receiving a reply.
• Page 555: Device HA

Device HA (557)
• Page 557: Device HA

Legacy mode configuration involves a greater degree of complexity. Active-passive mode is recommended for general failover deployments. • The ZyWALLs must all support and be set to use the same device HA mode (either active-passive or legacy).
  • Page 558: Before You Begin

35.2 Device HA General The Device HA General screen lets you enable or disable device HA, and displays which device HA mode the ZyWALL is set to use along with a summary of the monitored interfaces.
• Page 559: Figure 397 Device HA > General

ZyWALL can take over all of the master ZyWALL’s functions. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 560: The Active-Passive Mode Screen

Enable monitoring for the same interfaces on the master and backup ZyWALLs. Each monitored interface must have a static IP address and be connected to the same subnet as the corresponding interface on the backup or master ZyWALL.
• Page 561: Configuring Active-Passive Mode Device HA

The Device HA Active-Passive Mode screen lets you configure general active-passive mode device HA settings, view and manage the list of monitored interfaces, and synchronize backup ZyWALLs. To access this screen, click Device HA > Active-Passive Mode.
• Page 562: Figure 401 Device HA > Active-Passive Mode

Type the cluster ID number. A virtual router consists of a master ZyWALL and all of its backup ZyWALLs. If you have multiple ZyWALL virtual routers on your network, use a different cluster ID for each virtual router.
• Page 563 If you leave this field blank in the master ZyWALL, no backup ZyWALLs can synchronize from it. If you leave this field blank in a backup ZyWALL, it cannot synchronize from the master ZyWALL.
  • Page 564: Configuring An Active-Passive Mode Monitored Interface

ZyWALL whether it is the master or a backup. This management IP address should be in the same subnet as the interface IP address. Subnet Mask: Enter the subnet mask of the interface’s management IP address.
  • Page 565: The Legacy Mode Screen

Link monitoring has a backup ZyWALL take over all of an unavailable master ZyWALL’s static IP addresses. This way the backup ZyWALL takes over all of the master ZyWALL’s functions. This also means you can only access the original master ZyWALL through its management IP address.
  • Page 566: Configuring The Legacy Mode Screen

VRRP interface link goes down. (…) monitored interface is at fault. Monitored Interface Summary. Name: This field displays the name of the VRRP group. Interface: This field displays which interface is part of the virtual router.
• Page 567 HA. Apply: This appears when the ZyWALL is currently using legacy mode device HA. Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
• Page 568: Figure 404 Device HA > Legacy Mode > Add

IP address should be in the same subnet as the interface IP address; otherwise the backup ZyWALL cannot synchronize with the master via this VRRP interface. Subnet Mask: Enter the subnet mask of the interface’s management IP address.
  • Page 569 (+-/*= :; .! @$&%#~ ‘ \ () ), and it can be up to eight characters long. Authentication Types on page 269 for more information about authentication methods. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL USG 300 User’s Guide...
  • Page 570: Device Ha Technical Reference

The other backup ZyWALLs remain backups. If ZyWALL A becomes available again, ZyWALL A preempts ZyWALL B and becomes the master again (the network returns to the state shown in Figure 405 on page 570).
• Page 571 • The backup ZyWALL cannot be the master in any active VRRP group. This refers to the actual role at the time of synchronization, not the role setting in the VRRP group. The backup applies the entire configuration if it is different from the backup’s current configuration.
  • Page 573: Objects

    VIII Objects User/Group (575) Addresses (589) Services (595) Schedules (601) AAA Server (607) Authentication Method (617) Certificates (621) ISP Accounts (639) SSL Application (643)
  • Page 575: User/Group

(continued from the previous row) login methods: WWW, TELNET, SSH, FTP, Console, Dial-in. Limited-Admin: look at ZyWALL configuration (web, CLI); perform basic diagnostics (CLI); login methods: WWW, TELNET, SSH, Console, Dial-in. Access Users: User: access network services; browse user-mode commands (CLI); login methods: WWW, TELNET, SSH.
• Page 576 User Groups User groups may consist of user accounts or other user groups. Use user groups when you want to create the same rule for several user accounts, instead of creating separate rules for each one.
  • Page 577: User Summary Screen

36.2 User Summary Screen The User screen provides a summary of all user accounts. To access this screen, log in to the Web Configurator, and click Object > User/Group.
  • Page 578: User Add/Edit Screen

• Reserved user names are listed in the following table. Table 192 Reserved User Names (partial list): admin, daemon, debug, devicehaecived, games, halt, ldap-users, mail, news, nobody.
  • Page 579: Figure 408 User/Group > User > Edit

Default descriptions are provided. Authentication Timeout Settings: If you want to set the authentication timeout to a value other than the default settings, select Use Manual Settings, then fill in your preferred values in the fields that follow.
  • Page 580: User Group Summary Screen

To delete a user group, click the Remove icon next to the user group. The Web Configurator confirms that you want to delete the user group before doing so. If you delete the group, you do not delete the users in the group.
  • Page 581: Group Add/Edit Screen

ZyWALL. You can also use this screen to specify when users must log in to the ZyWALL before it routes traffic for them. To access this screen, log in to the Web Configurator, and click Object > User/Group > Setting.
  • Page 582: Figure 411 Object > User/Group > Setting

Allow renewing lease time...: Select this check box if access users can renew lease time automatically, as well as manually, simply by checking the Updating lease time automatically check box on their screen.
• Page 583 This field is a sequential value, and it is not associated with a specific condition. Schedule: This field displays the schedule object that specifies when this condition applies. It displays none if this condition always applies.
  • Page 584: Force User Authentication Policy Add/Edit Screen

Use this screen to specify a condition when users must log in or do not have to log in to the ZyWALL before their HTTP traffic can pass through the ZyWALL. Figure 412 Object > User/Group > Setting > Add/Edit
  • Page 585: User Aware Login Example

Access users cannot use the Web Configurator to browse the configuration of the ZyWALL. Instead, when access users log in to the ZyWALL (forced in the screen as shown in Figure 411 on page 582 or otherwise), the following screen appears. Figure 413 Web Configurator for Non-Admin Users
  • Page 586: User /Group Technical Reference

The following examples show you how you might set up user attributes in LDAP and RADIUS servers.
Figure 414 LDAP Example: Keywords for User Attributes
  type: admin
  leaseTime: 99
  reauthTime: 199
Figure 415 RADIUS Example: Keywords for User Attributes
  type=user;leaseTime=222;reauthTime=222
• Page 587 Web Configurator, to create the accounts. Extract the user names from the LDAP or RADIUS server, and create a shell script that creates the user accounts. See Chapter 46 on page 695 for more information about shell scripts.
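An added Python example (not ZyXEL's code) for the extraction step the paragraph above suggests: it parses both keyword formats shown in Figures 414 and 415, refuses the reserved names from Table 192 and malformed values, and downgrades an unknown type to user rather than granting anything more. The LDIF-style export, the account names in it, the user-name syntax and the choice to default a missing type to user are all this example's own assumptions; the ZyWALL CLI commands that would finally create the accounts are not shown because they are not on this page.

```python
import re

# Reserved names from Table 192 in the guide (the extracted table is partial).
RESERVED_USER_NAMES = {"admin", "daemon", "debug", "devicehaecived", "games",
                       "halt", "ldap-users", "mail", "news", "nobody"}
# User types named in the guide's user-type table.
USER_TYPES = {"admin", "limited-admin", "user"}
# Assumed local user-name syntax; the guide's exact rule is not on this page.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,30}$")

# Constructed LDIF-style export using the keyword attributes from Figure 414.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=corp,dc=test
uid: alice
type: admin
leaseTime: 99
reauthTime: 199

dn: uid=nobody,ou=people,dc=corp,dc=test
uid: nobody
type: user

dn: uid=carol,ou=people,dc=corp,dc=test
uid: carol
type: superuser
leaseTime: lots
"""

def parse_radius_attr(value):
    """Figure 415 form: 'type=user;leaseTime=222;reauthTime=222' -> dict of strings."""
    attrs = {}
    for item in filter(None, value.split(";")):
        key, sep, val = item.partition("=")
        if not sep:
            raise ValueError(f"malformed item {item!r}")
        attrs[key.strip()] = val.strip()
    return attrs

def parse_ldif(text):
    """Figure 414 form: one 'key: value' per line, entries separated by blank lines."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, sep, val = line.partition(":")
        if sep:
            current[key.strip()] = val.strip()
    if current:
        entries.append(current)
    return entries

def to_account(attrs, name_key="uid"):
    """Validate one record. Returns (account, problems); only use the account when
    problems is empty. An unknown type is downgraded to 'user', never upgraded."""
    problems = []
    name = attrs.get(name_key, "")
    if not NAME_RE.match(name):
        problems.append(f"bad user name {name!r}")
    if name in RESERVED_USER_NAMES:
        problems.append(f"{name!r} is a reserved user name")
    user_type = attrs.get("type", "user")   # assumption: missing type means plain user
    if user_type not in USER_TYPES:
        problems.append(f"unknown type {user_type!r}, using 'user'")
        user_type = "user"
    account = {"name": name, "type": user_type}
    for key in ("leaseTime", "reauthTime"):
        if key in attrs:
            try:
                value = int(attrs[key])
                if value <= 0:
                    raise ValueError
                account[key] = value
            except ValueError:
                problems.append(f"{key} must be a positive integer, got {attrs[key]!r}")
    return account, problems

def plan_accounts(entries):
    """Split records into those safe to create and those needing a human look."""
    accepted, rejected = [], []
    for attrs in entries:
        account, problems = to_account(attrs)
        (rejected if problems else accepted).append((account, problems))
    return accepted, rejected
```

Feed the accepted list to whatever creates the accounts; print the rejected list with its reasons instead of silently skipping it, since a rejected record usually means the directory data is wrong rather than the script.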
  • Page 589: Addresses

The Address screen provides a summary of all addresses in the ZyWALL. To access this screen, click Object > Address > Address. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
  • Page 590: Address Add/Edit Screen

The Address Add/Edit screen allows you to create a new address or edit an existing one. To access this screen, go to the Address screen (see Section 37.2 on page 589), and click either the Add icon or an Edit icon. Figure 417 Object > Address > Address > Edit
  • Page 591: Address Group Summary Screen

Object > Address > Address Group. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 418 Object > Address > Address Group
  • Page 592: Address Group Add/Edit Screen

This field displays the names of the address and address group objects that can be added to the address group. Select address and address group objects that you want to be members of this group and click the right arrow to add them to the member list.
• Page 593 The order of members is not important. To remove members, select them and click the left arrow. Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving your changes.
  • Page 595: Services

Another use is ping. ICMP does not guarantee delivery, but networks often treat ICMP messages differently, sometimes looking at the message itself to decide where to send it.
  • Page 596: The Service Summary Screen

To access this screen, log in to the Web Configurator, and click Object > Service > Service. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 420 Object > Service > Service
  • Page 597: The Service Add/Edit Screen

Starting Port / Ending Port: This field appears if the IP Protocol is TCP or UDP. Specify the port number(s) used by this service. If you fill in one of these fields, the service uses that port. If you fill in both fields, the service uses the range of ports.
  • Page 598: The Service Group Summary Screen

To edit a service group, click the Edit icon next to the service group. The Service Group Add/Edit screen appears. To delete a service group, click on the Remove icon next to the service group. The Web Configurator confirms that you want to delete the service group.
  • Page 599: The Service Group Add/Edit Screen

The order of members is not important. To remove members, select them and click the left arrow. Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving your changes.
  • Page 601: Schedules

Finding Out More • See Section 5.5 on page 118 for related information on these screens. • See Section 45.3 on page 652 for information about the ZyWALL’s current date and time.
  • Page 602: The Schedule Summary Screen

To edit a schedule, click the Edit icon next to the schedule. The Schedule Add/Edit screen appears. To delete a schedule, click the Remove icon next to the schedule. The Web Configurator confirms that you want to delete the schedule before doing so.
  • Page 603: The One-Time Schedule Add/Edit Screen

Hour: 0 - 23. Minute: 0 - 59. All of these fields are required. Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving your changes.
  • Page 604: The Recurring Schedule Add/Edit Screen

Hour: 0 - 23. Minute: 0 - 59. The Hour and Minute fields are both required. To set all day (24 hours), configure the stop hour to 23 and minute to 59. Weekly
  • Page 605 DESCRIPTION Week Days Select each day of the week the recurring schedule is effective. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL USG 300 User’s Guide...
  • Page 607: Aaa Server

(or in addition to) an internal device user database that is limited to the memory capacity of the device. In essence, RADIUS authentication allows you to validate a large number of users from a central location.
  • Page 608: Asas

The directory consists of a database specialized for fast information retrieval and filtering activities. You create and store user profile and login information on the external server. • RADIUS
  • Page 609: Active Directory Or Ldap Default Server Screen

A base DN specifies a directory. A base DN usually contains information such as the name of an organization, a domain name and/or country. For example, o=MyCompany, c=UK where o means organization and c means country.
  • Page 610: Configuring Active Directory Or Ldap Default Server Settings

Specify the timeout period (between 1 and 300 seconds) before the ZyWALL disconnects from the AD or LDAP server. In this case, user authentication fails. The search timeout occurs when either the user information is not in the LDAP server or the server is down.
  • Page 611: Active Directory Or Ldap Group Summary Screen

Click Object > AAA Server > Active Directory (or LDAP) > Group to display the Active Directory (or LDAP) > Group screen. Click the Add icon or an Edit icon to display the configuration fields.
• Page 612: Figure 432 Object > AAA Server > Active Directory (Or LDAP) > Group > Add

Specify the URI (Uniform Resource Identifier) of an AD or LDAP server. You can enter the IP address (in dotted decimal notation) or the fully qualified domain name (FQDN; up to 63 alphanumerical characters) of the AD or LDAP server.
  • Page 613: Configuring A Default Radius Server

Search timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down. Apply: Click Apply to save the changes. Reset: Click Reset to start configuring this screen again.
  • Page 614: Configuring A Group Of Radius Servers

Click Object > AAA Server > RADIUS > Group to display the RADIUS > Group screen. Click the Add icon or an Edit icon to display the configuration fields. Figure 435 Object > AAA Server > RADIUS > Group > Add
• Page 615: Table 216 Object > AAA Server > RADIUS > Group > Add

Click Add to add a new RADIUS server. You can add up to four RADIUS member servers. Click Delete to remove a RADIUS server. Click OK to save the changes. Cancel: Click Cancel to discard the changes.
  • Page 617: Authentication Method

1 Access the VPN > IPSec VPN > VPN Gateway > Edit screen. 2 Select Enable Extended Authentication. 3 Select Server Mode and select an authentication method object from the drop-down list box. 4 Click OK to save the settings.
  • Page 618: Viewing Authentication Method Objects

Method List: This field displays the authentication method(s) for this entry. Add icon: Click Add to add a new entry. Click Edit to edit the settings of an entry. Click Delete to remove an entry.
  • Page 619: Creating An Authentication Method Object

You can NOT select two server objects of the same type. 7 Click OK to save the settings or click Cancel to discard all changes and return to the previous screen. Figure 438 Object > Auth. Method > Add
  • Page 620: Table 218 Object > Auth. Method > Add

Click Add to add a new entry. Click Edit to edit the settings of an entry. Click Delete to delete an entry. Click OK to save the changes. Cancel: Click Cancel to discard the changes.
  • Page 621: Certificates

3 Tim uses his private key to sign the message and sends it to Jenny. 4 Jenny receives the message and uses Tim’s public key to verify it. Jenny knows that the message is from Tim, and that although other people may have been able to read the
• Page 622 A PKCS #7 file is used to transfer a public key certificate. The private key is not included. The ZyWALL currently allows the importation of a PKCS #7 file that contains a single certificate.
  • Page 623: Verifying A Certificate

2 Make sure that the certificate has a “.cer” or “.crt” file name extension. Figure 439 Remote Host Certificates 3 Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.
  • Page 624: The My Certificates Screen

When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates. This field displays the certificate index number. The certificates are listed in alphabetical order.
  • Page 625: The My Certificates Add Screen

Click Object > Certificate > My Certificates and then the Add icon to open the My Certificates Add screen. Use this screen to have the ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request.
  • Page 626: Figure 442 Object > Certificate > My Certificates > Add

@ symbol, periods and the underscore. Organizational Unit: Identify the organizational unit or department to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
• Page 627 You must have the certification authority’s certificate already imported in the Trusted Certificates screen. Click Trusted CAs to go to the Trusted Certificates screen where you can view (and manage) the ZyWALL's list of certificates of trusted certification authorities.
  • Page 628: The My Certificates Edit Screen

42.2.2 The My Certificates Edit Screen Click Object > Certific
ate > My Certificates and then the Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate’s name.
  • Page 629: Figure 443 Object > Certificate > My Certificates > Edit

“Not trusted” in this field if any certificate on the path has expired or been revoked. Refresh: Click Refresh to display the certification path. Certificate Information: These read-only fields display detailed information about the certificate.
• Page 630 You can copy and paste a certificate into an e-mail to send to friends or colleagues or you can copy and paste a certificate into a text editor and save the file on a management computer for later distribution (via floppy disk for example).
  • Page 631: The My Certificates Import Screen

The certificate you import replaces the corresponding request in the My Certificates screen. You must remove any spaces from the certificate’s filename before you can import it. Figure 444 Object > Certificate > My Certificates > Import
  • Page 632: The Trusted Certificates Screen

With self-signed certificates, this is the same information as in the Subject field. Valid From: This field displays the date that the certificate becomes applicable.
  • Page 633: The Trusted Certificates Edit Screen

Trusted Certificates Edit screen. Use this screen to view in-depth information about the certificate, change the certificate’s name and set whether or not you want the ZyWALL to check a certification authority’s list of revoked certificates before trusting a certificate issued by the certification authority.
  • Page 634: Figure 446 Object > Certificate > Trusted Certificates > Edit

(along with the end entity’s own certificate). The ZyWALL does not trust the end entity’s certificate and displays “Not trusted” in this field if any certificate on the path has expired or been revoked.
• Page 635 This field displays the type of algorithm that was used to sign the certificate. Some certification authorities use rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Other certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm). Do not trust a certificate signed with rsa-pkcs1-md5: MD5 collisions have been used to forge certificates, and SHA-1 signatures are likewise deprecated, so prefer a SHA-256 signature where the certification authority offers one.
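An added example (not part of the guide) covering the thumbprint check from page 623 and the signature-algorithm note above: it loads a PEM or DER .cer file, produces the thumbprint the certificate dialog shows, compares it in constant time with a value copied from a trusted channel, and flags MD5 and SHA-1 signature algorithms. The bytes b"abc" stand in for a certificate because their SHA-1 and SHA-256 digests are the published NIST test vectors; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import re

# Stand-in for the DER bytes of a .cer/.crt file. b"abc" is not a certificate; it is
# used because its SHA-1 and SHA-256 digests are the published NIST test vectors, so
# the expected thumbprints are known without any tooling.
SAMPLE_DER = b"abc"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def load_der(data: bytes) -> bytes:
    """Accept a PEM (base64) or binary DER certificate file and return the DER bytes the
    thumbprint is computed over. Windows exports both kinds under .cer and .crt."""
    if data.lstrip().startswith(b"-----BEGIN"):
        match = _PEM_RE.search(data.decode("ascii"))
        if not match:
            raise ValueError("PEM armour without a matching END line")
        return base64.b64decode("".join(match.group(1).split()), validate=True)
    if data[:1] != b"\x30":   # every certificate starts with a DER SEQUENCE tag
        raise ValueError("not PEM and does not start with a DER SEQUENCE")
    return data

def thumbprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated lowercase hex digest of the DER encoding, the same value the
    certificate dialog shows in its Thumbprint field (there separated by spaces)."""
    digest = hashlib.new(algo, der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize_thumbprint(shown: str) -> str:
    """Strip the spaces and colons of a thumbprint copied from a dialog or an e-mail."""
    hexstr = re.sub(r"[\s:]", "", shown).lower()
    if not re.fullmatch(r"[0-9a-f]+", hexstr):
        raise ValueError("thumbprint contains non-hex characters")
    return hexstr

def thumbprint_matches(der: bytes, expected: str, algo: str = "sha1") -> bool:
    """Constant-time comparison. A digest of the wrong length for the algorithm is a
    mismatch, which catches a SHA-256 value pasted into a SHA-1 check."""
    want = normalize_thumbprint(expected)
    have = hashlib.new(algo, der).hexdigest()
    return len(want) == len(have) and hmac.compare_digest(want, have)

# Signature algorithms named on this page that should no longer be trusted.
WEAK_SIGNATURE_ALGORITHMS = {"rsa-pkcs1-md5", "rsa-pkcs1-sha1"}

def signature_algorithm_acceptable(name: str) -> bool:
    """MD5 collisions have been used to forge CA certificates and SHA-1 is deprecated for
    signatures, so a certificate signed with either should not be trusted even when its
    thumbprint matches what you expected."""
    return name.lower() not in WEAK_SIGNATURE_ALGORITHMS
```

The two checks answer different questions. A SHA-1 thumbprint still identifies a certificate you already hold, so comparing it with a value obtained out of band is fine (use the SHA-256 one when the dialog offers it). The signature algorithm is about whether anyone could have forged the certificate in the first place, which is why an MD5 or SHA-1 signature is refused regardless of the thumbprint.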
  • Page 636: The Trusted Certificates Import Screen

Click Object > Certificate > Trusted Certificates > Import to open the Trusted Certificates Import screen. Follow the instructions in this screen to save a trusted certificate to the ZyWALL. You must remove any spaces from the certificate’s filename before you can import the certificate.
  • Page 637: Certificates Technical Reference

ZyWALL only gets information on the certificates that it needs to verify, not a huge list. When the ZyWALL requests certificate status information, the OCSP server returns a “good”, “revoked” or “unknown” response (these are the status values OCSP defines); treat “unknown” as a failed check rather than as approval.
  • Page 639: Isp Accounts

This field displays the profile name of the ISP account. This name is used to identify the ISP account. Protocol: This field displays the protocol used by the ISP account. Authentication Type: This field displays the authentication type used by the ISP account.
  • Page 640: Isp Account Edit

This field is read-only if you are editing an existing account. Select the protocol used by the ISP account. Options are: pppoe - This ISP account uses the PPPoE protocol. pptp - This ISP account uses the PPTP protocol.
• Page 641 ISP Account Edit screen. Cancel: Click Cancel to return to the ISP Account screen without creating the profile (if it is new) or saving any changes to the profile (if it already exists).
• Page 643: SSL Application

Available SSL application names are displayed as links in remote user screens. Depending on the application type, remote users can simply click the links or follow the steps in the pop-up dialog box to access.
  • Page 644: Example: Specifying A Web Site For Access

5 In the Server Type field, select Web Server. 6 Select Web Page Encryption to prevent users from saving the web content. This is a browser-side obstacle only; a user who can view the page can still capture it, so do not rely on it to protect the content. 7 Click Apply to save the settings. The configuration screen should look similar to the following figure.
  • Page 645: The Ssl Application Screen

A web-based application allows remote users to access an application via standard web browsers. To configure a web-based application, click the Add or Edit button in the SSL Application screen and select Web Application in the Type field to display the configuration screen as shown.
• Page 646: Figure 453 Object > SSL Application > Add/Edit: Web Application

This field displays if the Server Type is set to RDP or VNC. Address(es): Specify the IP address or Fully-Qualified Domain Name (FQDN) of the computer(s) that you want to allow the remote users to manage.
  • Page 647: Creating/Editing A File Sharing Ssl Application Object

Select File Sharing to create a file share application for SSL VPN. File Sharing Name: Enter a descriptive name to identify this object. You can enter up to 31 characters (“0-9”, “a-z”, “A-Z”, “-” and “_”). Spaces are not allowed.
• Page 648 Click Cancel to discard the changes and return to the main SSL Application Configuration screen. You must then configure the shared folder on the file server for remote access. Refer to the document that comes with your file server.
  • Page 649: System

System (651)
  • Page 651: System

• Connect an external serial modem to the AUX port to provide a management connection in case the ZyWALL’s other WAN connections are down. Use the System > Dial-in Mgmt. screen (see Section 45.11 on page 687) to configure the external serial modem.
  • Page 652: Host Name

To change your ZyWALL’s time based on your local time zone and date, click System > Date/Time. The screen displays as shown. You can manually set the ZyWALL’s time and date or have the ZyWALL get the date and time from a time server.
  • Page 653: Figure 456 System > Date And Time

• When you click Apply or Synchronize Now in this screen. • At 24-hour intervals after starting up. Time Server Address: Enter the IP address or URL of your time server. Check with your ISP/network administrator if you are unsure of this information.
• Page 654: Pre-Defined NTP Time Servers List

When you turn on the ZyWALL for the first time, the date and time start at 2003-01-01 00:00:00. The ZyWALL then attempts to synchronize with one of the following pre-defined list of Network Time Protocol (NTP) time servers.
  • Page 655: Time Server Synchronization

4 As an option you can select the Enable Daylight Saving check box to adjust the ZyWALL clock for daylight savings. 5 Under Time and Date Setup, enter a Time Server Address (Table 233 on page 655). 6 Click Apply.
  • Page 656: Console Port Speed

• If your ISP dynamically assigns the DNS server IP addresses (along with the ZyWALL’s WAN IP address), set the DNS server fields to get the DNS server address from the ISP. • You can manually enter the IP addresses of other DNS servers.
  • Page 657: Configuring The Dns Screen

A hyphen (-) displays for the default domain zone forwarder record. The default record is not configurable. The ZyWALL uses this default record if the domain zone that needs to be resolved does not match any of the other domain zone forwarder records.
• Page 658 This is the zone on the ZyWALL the user is allowed or denied to access. Address: This is the object name of the IP address(es) with which the computer is allowed or denied to send DNS queries.
  • Page 659: Address Record

IP address to a domain name. 45.5.5 Adding an Address/PTR Record Click the Add icon in the Address/PTR Record table to add an address/PTR record. Figure 460 System > DNS > Address/PTR Record Edit
  • Page 660: Domain Zone Forwarder

45.5.7 Adding a Domain Zone Forwarder Click the Add icon in the Domain Zone Forwarder table to add a domain zone forwarder record. Figure 461 System > DNS > Domain Zone Forwarder Add
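An added example (not ZyXEL's implementation) of the two decisions these DNS screens configure: whether a client in a given zone may send the ZyWALL a query at all (the service control rules on page 658), and which forwarder a name goes to, with the "-" default record used when no zone matches (page 657). Matching zones label by label with the most specific zone first, and first-match-wins for the service control rules, are this example's assumptions; the zone names and addresses are constructed.

```python
import ipaddress

# Constructed forwarder table (System > DNS > Domain Zone Forwarder): zone -> servers.
# "-" is the default record the guide describes; it is used when no zone matches.
FORWARDERS = {
    "corp.test": ["10.0.0.53"],
    "lab.corp.test": ["10.20.0.53"],
    "-": ["192.0.2.53"],
}

# Constructed DNS service control rules: (zone the query arrives from, source network, action).
DNS_SERVICE_CONTROL = [
    ("LAN", "192.168.1.0/24", "accept"),
    ("WAN", "0.0.0.0/0", "deny"),
]

def normalize_name(qname):
    """Lower-case, drop the trailing dot and reject empty labels such as 'a..b'."""
    name = qname.rstrip(".").lower()
    if not name or any(not label for label in name.split(".")):
        raise ValueError(f"malformed name {qname!r}")
    return name

def select_forwarder(qname, table=FORWARDERS):
    """Return (zone, servers). Zones are compared label by label from the most specific
    suffix down, so 'evilcorp.test' does not land in the 'corp.test' zone the way a
    plain string-suffix test would; the '-' record catches everything else."""
    labels = normalize_name(qname).split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in table and zone != "-":
            return zone, table[zone]
    if "-" in table:
        return "-", table["-"]
    raise LookupError(f"no forwarder for {qname!r} and no default record")

def dns_query_allowed(zone, client_ip, rules=DNS_SERVICE_CONTROL, default_allow=False):
    """The first rule whose zone and network both match decides; with no match,
    default_allow applies (deny by default here, an assumption)."""
    ip = ipaddress.ip_address(client_ip)
    for rule_zone, network, action in rules:
        if rule_zone == zone and ip in ipaddress.ip_network(network):
            return action == "accept"
    return default_allow

def plan_query(zone, client_ip, qname):
    """Apply the checks in the order a resolver must: refuse first, forward second."""
    if not dns_query_allowed(zone, client_ip):
        return "refused", None
    return "forward", select_forwarder(qname)
```

The label-wise comparison is the point worth keeping: a forwarder selected by string suffix would send queries for "evilcorp.test" to the internal server, and a reversed mistake would leak internal names to the default forwarder.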
• Page 661: MX Record

Enter the domain name where the mail is destined for. IP Address/FQDN: Enter the IP address or Fully-Qualified Domain Name (FQDN) of a mail server that handles the mail for the domain specified in the field above.
  • Page 662: Adding A Dns Service Control Rule

Click Cancel to exit this screen without saving. 45.6 WWW Overview The following figure shows secure and insecure management of the ZyWALL coming in from the WAN. HTTPS and SSH access are secure. HTTP, Telnet, and dial-in management access are not secure: HTTP and Telnet carry the administrator’s credentials in clear text, so disable them on the WAN rather than relying on source-address restrictions alone.
  • Page 663: Service Access Limitations

Each user is also forced to log in to the ZyWALL for authentication again when the reauthentication time expires. You can change the timeout settings in the User/Group screens.
• Page 664: HTTPS

2 HTTP connection requests from a web browser go to port 80 (by default) on the ZyWALL’s web server. Figure 465 HTTP/HTTPS Implementation If you disable HTTP in the WWW screen, then the ZyWALL blocks all HTTP connection attempts.
  • Page 665: Configuring Www Service Control

Enable: Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL Web Configurator using HTTPS connections.
• Page 666 User Service Control specifies from which zones a user can use HTTP to log into the ZyWALL (to log into SSL VPN for example). You can also specify the IP addresses from which the users can access the ZyWALL.
  • Page 667: Service Control Rules

45.6.5 Service Control Rules Click Add or Edit in the Service Control table in a WWW, SSH, Telnet, FTP or SNMP screen to add a service control rule. Figure 467 System > Service Control Rule > Edit
  • Page 668: Customizing The Www Login Page

    Internet. See Chapter 36 on page 575 for more on access user accounts. Figure 468 System > WWW > Login Page The following figures identify the parts you can customize in the login and access pages.
  • Page 669: Figure 469 Login Page Customization

    • Enter a pound sign (#) followed by the six-digit hexadecimal number that represents the desired color. For example, use “#000000” for black. • Enter “rgb” followed by red, green, and blue values in parentheses, separated by commas. For example, use “rgb(0,0,0)” for black.
  • Page 670: Table 242 System > Www > Login Page

    Enter the title for the top of the screen. Use up to 64 printable ASCII characters. Spaces are allowed. Message Color Specify the color of the screen’s text. Note Message Enter a note to display below the title. Use up to 64 printable ASCII characters. Spaces are allowed.
  • Page 671: Https Example

    Certificate if you want to verify that the certificate is from the ZyWALL. If Accept this certificate temporarily for this session is selected, then click OK to continue in Netscape. Select Accept this certificate permanently to import the ZyWALL’s certificate into the SSL client.
  • Page 672: Figure 472 Security Certificate 1 (Netscape)

    Appendix D on page 813 for details. 45.6.7.4 Login Screen After you accept the certificate, the ZyWALL login screen appears. The lock displayed in the bottom of the browser status bar denotes a secure connection.
  • Page 673: Figure 474 Login Screen (Internet Explorer)

    The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s). 45.6.7.5.1 Installing the CA’s Certificate 1 Double click the CA’s trusted certificate to produce a screen similar to the one shown next.
  • Page 674: Figure 476 Ca Certificate Example

    Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next. 1 Click Next to begin the wizard. Figure 477 Personal Certificate Import Wizard 1
  • Page 675: Figure 478 Personal Certificate Import Wizard 2

    Figure 479 Personal Certificate Import Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.
  • Page 676: Figure 480 Personal Certificate Import Wizard 4

    5 Click Finish to complete the wizard and begin the import process. Figure 481 Personal Certificate Import Wizard 5 6 You should see the following screen when the certificate is correctly installed on your computer. Figure 482 Personal Certificate Import Wizard 6
  • Page 677: Figure 483 Access The Zywall Via Https

    ZyWALL. This screen displays even if you only have a single certificate as in the example. Figure 484 SSL Client Authentication 3 You next see the Web Configurator login screen. Figure 485 Secure Web Configurator Login Screen
  • Page 678: Ssh

    The client automatically saves any new server public keys. In subsequent connections, the server public key is checked against the saved version on the client computer.
  • Page 679: Ssh Implementation On The Zywall

    SSH can be used to manage the ZyWALL. You can also specify from which IP addresses the access can come. It is recommended that you disable Telnet and FTP when you configure SSH for secure connections. Figure 488 System > SSH
  • Page 680: Secure Telnet Using Ssh Examples

    1 Launch the SSH client and specify the connection information (IP address, port number) for the ZyWALL. 2 Configure the SSH client to accept connections using SSH version 1. 3 A window displays prompting you to store the host key on your computer. Click Yes to continue.
  • Page 681: Figure 489 Ssh Example 1: Store Host Key

    The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established. RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts. Administrator@192.168.1.1's password: 3 The CLI screen displays next.
  • Page 682: Telnet

    Click the Move to N icon to display a field to type a number for where you want to put that rule and press [ENTER] to move the rule to the number that you typed.
  • Page 683: Ftp

    ZyWALL for FTP connections. You must have certificates already configured in the My Certificates screen (click My Certificates and see Chapter 42 on page 621 for details). Service Control This specifies from which computers you can access which ZyWALL zones.
  • Page 684: Snmp

    Your ZyWALL supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyWALL through the network. The ZyWALL supports SNMP version one (SNMPv1) and version two (SNMPv2c). The next figure illustrates an SNMP management operation.
  • Page 685: Figure 494 Snmp Management Model

    Get operation, followed by a series of GetNext operations. • Set - Allows the manager to set values for object variables within an agent. • Trap - Used by the agent to inform the manager of some events.
  • Page 686: Supported Mibs

    Use this screen to configure your SNMP settings, including from which zones SNMP can be used to access the ZyWALL. You can also specify from which IP addresses the access can come. Figure 495 System > SNMP
  • Page 687: Dial-In Management

    Connect an external serial modem to the AUX port to provide a management connection in case the ZyWALL’s other WAN connections are down. This is like an auxiliary interface, except it is used for management connections coming into the ZyWALL instead of as a backup WAN connection.
  • Page 688: Configuring Dial-In Mgmt

    Port Speed Use the drop-down list box to select the speed of the connection between the ZyWALL’s auxiliary port and the external modem. Available speeds are: 9600, 19200, 38400, 57600, or 115200 bps.
  • Page 689: Vantage Cnm

    Table 249 System > Vantage CNM LABEL DESCRIPTION Vantage CNM Click Advanced to display more configuration fields or click Basic to display fewer fields. Enable Select this check box to allow Vantage CNM to manage your ZyWALL.
  • Page 690: Language Screen

    Click Reset to begin configuring this screen afresh. 45.13 Language Screen Click System > Language to open the following screen. Use this screen to select a display language for the ZyWALL’s Web Configurator screens. Figure 498 System > Language
  • Page 691: Table 250 System > Language

    Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 693: Maintenance, Troubleshooting, & Specifications

    Maintenance, Troubleshooting, & Specifications File Manager (695) Logs (705) Reports (717) Diagnostics (731) Reboot (733) Troubleshooting (735) Product Specifications (739)
  • Page 695: File Manager

    When you apply a configuration file, the ZyWALL uses the factory default settings for any features that the configuration file does not include. When you run a shell script, the ZyWALL only applies the commands that it contains. Other settings do not change.
  • Page 696: Figure 499 Configuration File / Shell Script: Example

    ZyWALL treat the line as a comment. Your configuration files or shell scripts can use “exit” or a command line consisting of a single “!” to have the ZyWALL exit sub command mode.
  • Page 697: The Configuration File Screen

    Use the Configuration File screen to store, run, and name configuration files. You can also download configuration files from the ZyWALL to your computer and upload configuration files from your computer to the ZyWALL.
  • Page 698: Figure 500 Maintenance > File Manager > Configuration File

    The ZyWALL still generates a log for any errors. Figure 500 Maintenance > File Manager > Configuration File Do not turn off the ZyWALL while configuration file upload is in progress.
  • Page 699: Figure 501 Maintenance > File Manager > Configuration File > Copy

    Click a configuration file’s row to select it and click Run to have the ZyWALL use that configuration file. The ZyWALL does not have to restart in order to use a different configuration file, although you will need to wait for a few minutes while the system reconfigures.
  • Page 700: The Firmware Package Screen

    See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it. Find the firmware package at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, “zywall.bin”.
  • Page 701: Figure 503 Maintenance > File Manager > Firmware Package

    (.zip) files before you can upload them. Upload Click Upload to begin the upload process. This process may take up to two minutes. After you see the Firmware Upload in Process screen, wait two minutes before logging into the ZyWALL again.
  • Page 702: The Shell Script Screen

    You should include write commands in your scripts. If you do not use the write command, the changes will be lost when the ZyWALL restarts. You could use multiple write commands in a long script.
  • Page 703: Figure 507 Maintenance > File Manager > Shell Script

    A pop-up window asks you to confirm that you want to delete the shell script file. Click OK to delete the shell script file or click Cancel to close the screen without deleting the shell script file.
  • Page 704 Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse... Click Browse... to find the .zysh file you want to upload. Upload Click Upload to begin the upload process. This process may take up to several minutes.
  • Page 705: Logs

    Events that generate an alert (as well as a log message) display in red. Regular logs display in black. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
  • Page 706: Figure 510 Maintenance > Log > View Log

    If a match is found in any field, the log message is displayed. You can use up to 63 alphanumeric characters and the underscore, as well as punctuation marks ()’ ,:;?! +-*/= #$% @ ; the period, double quotes, and brackets are not allowed.
  • Page 707 This field displays the destination IP address and the port number of the event that generated the log message. Note This field displays any additional information about the log message. The Web Configurator saves the filter settings if you leave the View Log screen and return to it later.
  • Page 708: Log Setting Screens

    Active Log Summary screen to edit this information for all logs at the same time. 47.4.1 Log Setting Summary To access this screen, click Maintenance > Log > Log Setting. Figure 511 Maintenance > Log > Log Setting
  • Page 709: Edit System Log Settings

    The Log Settings Edit screen controls the detailed settings for each log in the system log (which includes the e-mail profiles). Go to the Log Settings Summary screen (see Section 47.4.1 on page 708), and click the system log Edit icon.
  • Page 710: Figure 512 Maintenance > Log > Log Setting > Edit (System Log)

    Chapter 47 Logs Figure 512 Maintenance > Log > Log Setting > Edit (System Log)
  • Page 711: Table 257 Maintenance > Log > Log Setting > Edit (System Log)

    (green checkmark) and/or in alerts (yellow exclamation point) for the e-mail settings specified in E-Mail Server 2. The ZyWALL does not e-mail debugging information, even if it is recorded in the System log. Log Consolidation
  • Page 712: Edit Remote Server Log Settings

    The Log Settings Edit screen controls the detailed settings for each log in the remote server (syslog). Go to the Log Settings Summary screen (see Section 47.4.1 on page 708), and click a remote server Edit icon.
  • Page 713: Figure 513 Maintenance > Log > Log Setting > Edit (Remote Server)

    Chapter 47 Logs Figure 513 Maintenance > Log > Log Setting > Edit (Remote Server)
  • Page 714: Active Log Summary Screen

    (for example, where and how often log information is e-mailed or remote server names). To access this screen, go to the Log Settings Summary screen (see Section 47.4.1 on page 708), and click the Active Log Summary button.
  • Page 715: Figure 514 Active Log Summary

    This screen provides a different view and a different way of indicating which messages are included in each log and each alert. Please see Section 47.4.2 on page 709, where this process is discussed. (The Default category includes debugging messages generated by open source software.)
  • Page 716: Table 259 Maintenance > Log > Log Setting > Active Log Summary

    If you check one of the check boxes for All Logs, it affects the settings for every category. Click this to save your changes and return to the previous screen. Cancel Click this to return to the previous screen without saving your changes.
  • Page 717: Reports

    • Most-used protocols or service ports and the amount of traffic on each one • LAN IP with heaviest traffic and how much traffic has been sent to and from each one
  • Page 718: Figure 515 Maintenance > Report > Traffic Statistics

    This field indicates whether the IP address or user is sending or receiving traffic. Ingress - traffic is coming from the IP address or user to the ZyWALL. Egress - traffic is going from the ZyWALL to the IP address or user.
  • Page 719: Table 261 Maximum Values For Reports

    Table 261 Maximum Values for Reports LABEL DESCRIPTION Maximum Number of Records Byte Count Limit bytes; this is just less than 17 million terabytes. Hit Count Limit hits; this is over 1.8 x 10 hits.
  • Page 720: The Session Monitor Screen

    You can also filter the information by user, protocol / service or service group, source address, and/or destination address and view it by user. Click Maintenance > Report > Session Monitor to display the following screen. Figure 516 Maintenance > Report > Session Monitor
  • Page 721: Table 262 Maintenance > Report > Session Monitor

    IP address’s sessions. This field displays the amount of information received by the source in the active session. This field displays the amount of information transmitted by the source in the active session.
  • Page 722: The Anti-Virus Report Screen

    Select Source to list the source IP addresses from which the ZyWALL has detected the most virus-infected files. Select Destination to list the most common destination IP addresses for virus-infected files that the ZyWALL has detected.
  • Page 723: The Idp Report Screen

    The statistics display as follows when you display the top entries by destination. Figure 519 Maintenance > Report > Anti-Virus: Destination 48.5 The IDP Report Screen Click Maintenance > Report > IDP to display the following screen. This screen displays IDP (Intrusion Detection and Prevention) statistics.
  • Page 724: Figure 520 Maintenance > Report > Idp: Signature Name

    Severity This column displays when you display the entries by Signature Name. It shows the level of threat that the intrusions may pose. See Table 156 on page 472 for more information.
  • Page 725: The Content Filter Report Screen

    The statistics display as follows when you display the top entries by destination. Figure 522 Maintenance > Report > IDP: Destination 48.6 The Content Filter Report Screen Click Maintenance > Report > Content Filter to display the following screen. This screen displays content filter statistics.
  • Page 726: Figure 523 Maintenance > Report > Content Filter

    Custom Service Restricted Features This is the number of web pages to which the ZyWALL did not allow access due to the content filtering custom service’s restricted web features configuration.
  • Page 727: The Anti-Spam Report Screen

    48.7 The Anti-Spam Report Screen Click Maintenance > Report > Anti-Spam to display the following screen. This screen displays spam statistics. Figure 524 Maintenance > Report > Anti-Spam: Sender IP
  • Page 728: Table 266 Maintenance > Report > Anti-Spam

    IP address of spam e-mails that the ZyWALL has detected. Sender Mail Address This column displays when you display the entries by Sender Mail Address. This column displays the e-mail addresses from which the ZyWALL has detected the most spam.
  • Page 729: The Email Daily Report Screen

    Click Maintenance > Report > Email Daily Report to display the following screen. Configure this screen to have the ZyWALL e-mail you system statistics every day. Figure 525 Maintenance > Report > Email Daily Report
  • Page 730: Table 267 Maintenance > Report > Email Daily Report

    Counters Click this to discard all report data and start all of the counters over at zero. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 731: Diagnostics

    This is the size of the most recently created diagnostic file. Collect Now Click this to have the ZyWALL create a new diagnostic file. Download Click this to save the most recent diagnostic file to a computer.
  • Page 733: Reboot

    Click the Reboot button to restart the ZyWALL. Wait a few minutes until the login screen appears. If the login screen does not appear, type the IP address of the device in your Web browser. You can also use the CLI command reboot to restart the ZyWALL.
  • Page 735: Troubleshooting

    UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. • The ZyWALL supports UDP port 500 and UDP port 4500 for NAT traversal. If you enable this, make sure the To-ZyWALL firewall rules allow UDP port 4500 too.
  • Page 736 The ZyWALL’s firmware package cannot go through the ZyWALL when you enable the anti-virus Destroy compressed files that could not be decompressed option. The ZyWALL classifies the firmware package as not being able to be decompressed and deletes it.
  • Page 737: Resetting The Zywall

    3 Release the RESET button, and wait for the ZyWALL to restart. You should be able to access the ZyWALL using the default settings. 51.2 Getting More Troubleshooting Help Search for support information for your model at www.zyxel.com for more troubleshooting suggestions.
  • Page 739: Product Specifications

    Humidity: 20% to 95% (non-condensing) MTBF Mean Time Between Failures: 180,382 hours Dimensions 430 (W) x 201.2 (D) x 42.0 (H) mm Weight 2.8 kg Rack-mounting Rack-mountable (rack-mount kit included) This table gives details about the ZyWALL’s features.
  • Page 740: Table 271 Feature Specifications

    Address Space Number USER PROFILES Maximum Local Users Maximum Admin Users Maximum User Groups Maximum Users in One User Group OBJECTS Address Objects 1000 1000 Address Groups Maximum address object in one group Service Objects 1000 1000
  • Page 741 Maximum DHCP Host Pool Maximum Number of DDNS Profiles DHCP Relay 2 per interface 2 per interface CENTRALIZED LOG Log Entries Debug Log Entries 1024 1024 Admin E-mail Addresses Syslog Servers Maximum Number of IDP Profiles Custom Signatures
  • Page 742: Table 272 Standards Referenced By Features

    1876, 1982, 1995, 1996, 2136, 2163, 2181, 2230, 2308, 2535, 2536, 2537, 2538, 2539, 2671, 2672, 2673, 2782, 3007, 3090 Built-in service, DHCP server RFCs 1542, 2131, 2132, 2485, 2489 Built-in service, HTTP server RFCs 1945, 2616, 2965, 2732, 2295
  • Page 743 Used by Time service RFCs 3339 Used by Telnet service RFCs 318, 854, 1413 Used by SIP ALG RFCs 3261, 3264 DHCP relay RFC 1541 ZySH W3C XML standard RFC 826 IP/IPv4 RFC 791 RFC 793
  • Page 745: Appendices And Index

    Appendices and Index Common Services (803) Displaying Anti-Virus Alert Messages in Windows (807) Importing Certificates (813) Open Software Announcements (837) Wireless LANs (875) Legal Information (889) Customer Support (893) Index (899)
  • Page 747: Appendix A Log Descriptions

    %s: website host. Log message "%s: Service is not registered": The device allowed access to a web site. The content filtering service is unregistered and the default policy is not set to block. %s: website host
  • Page 748: Table 275 Blocked Web Site Logs

    Log message "%s: Keyword blocking": The web content matched a user defined keyword. %s: website host. Log message "%s: Blocking by default policy": No content filter policy is applied and access was blocked since the default action is block. %s: website host
  • Page 749: Table 276 Anti-Spam Logs

    Log message "Black List rule %d has been deactivated.": The anti-spam black list rule with the specified index number (%d) has been turned off. Log message "DNSBL checking has been activated.": anti-spam DNSBL (DNS Black List) server checking has been turned
  • Page 750: Table 277 Ssl Vpn Logs

    IP address given to the SSL user. established. Log message "SSL tunnel is disconnected": An SSL tunnel has been disconnected. The source is the login IP address. The destination is the IP address given to the SSL user.
  • Page 751 %s) in the listed SSL VPN policy (second %s), so the listed address (third %s) will not be given to an SSL VPN client. Log message (beginning cut off) "subnet with %s in SSL VPN policy %s. So %s will not be injected to client side."
  • Page 752 (login on a lockout address) Log message "Failed login attempt to SSLVPN from %s (reach the max. number of user)": The listed user (%s) failed to log into SSL VPN because the maximum number of users were already logged in.
  • Page 753: Table 278 L2Tp Over Ipsec Logs

    Log message "User has been denied from L2TP service. (address pool exhausted)": An attempted login to the L2TP over IPSec service failed because the L2TP over IPSec IP address pool does not have any more IP addresses to give out.
  • Page 754: Table 279 Zysh Logs

    Log message "can't alloc entry: %s!" (1st %s: zysh entry name). Log message "can't retrieve entry:" (1st %s: zysh entry name). Log message "can't get entry: %s!" (1st %s: zysh entry name). Log message "can't print entry: %s!" (1st %s: zysh entry name). Log message "%s: cannot retrieve entries from list!" (1st %s: zysh list name).
  • Page 755 Log message "Unable to move entry #%d!" (1st %d: zysh entry num). Log message "%s: apply failed at initial stage!" (1st %s: zysh table name). Log message "%s: apply failed at main stage!" (1st %s: zysh table name). Log message "%s: apply failed at closing stage!" (1st %s: zysh table name).
  • Page 756: Table 280 Adp Logs

    Log message "Initializing Anti-Virus signature reference table has failed.": The ZyWALL failed to initialize the anti-virus signatures due to an internal error. Log message "Reloading Anti-Virus signature database has failed.": The ZyWALL failed to reload the anti-virus signatures due to an internal error.
  • Page 757 Log message "AV signature update has failed. (Memory not enough)": have enough system resources free to finish the signature update. Log message "AV signature size is over system limitation": An anti-virus signature update failed because the anti-virus signature file was too large.
  • Page 758 2nd %s: The white list or black list. Log message "%s has been %s": An anti-virus file pattern white list or black list was turned on or off. 1st %s: The white list or black list. 2nd %s: Activated/deactivated.
  • Page 759: Table 282 User Logs

    Log message "Failed login attempt to ZyWALL from %s (reach the max. number of user)": The ZyWALL blocked a login because the maximum login capacity for the particular service has already been reached. %s: service name
  • Page 760: Table 283 Myzyxel.com Logs

    %s: service name. succeeded. Log message "Trial service activation has failed. Because of lack must fields.": The device received an incomplete response from the myZyXEL.com server and it caused a parsing error for the device.
  • Page 761 Log message "Change Anti-Virus engine has failed:%s.": The device failed to change the type of anti-virus engine. %s is the server response error message. Log message "Change Anti-Virus engine has succeeded.": The device successfully changed the type of anti-virus engine.
  • Page 762 Log message "Starting signature update.": The device started an IDP signature update. Log message "IDP signature download has succeeded.": The device successfully downloaded an IDP signature file. Log message "IDP signature update has succeeded.": The device successfully downloaded and applied an IDP signature file.
  • Page 763 Log message "Expiration daily-check will trigger PPP interface. Do self-check.": Before the device sends an expiration day check packet, it needs to check whether or not it will trigger a PPP connection.
  • Page 764 The wrong format for HTTP header. Log message "Timeout for get server response.": After the device sent packets to a server, the device did not receive any response from the server. The root cause may be a network delay issue.
  • Page 765: Table 284 Idp Logs

    IDP signatures. license is not registered. Update signature failed. Log message "Custom signature add error: sid <sid>, <error_message>.": An attempt to add a custom IDP signature failed. The error sid and message are displayed.
  • Page 766 IDP device HA synchronized file failed. failed. Can not update synchronized file. Log message "IDP signature update from version <version> to version <version> has succeeded.": An IDP signature update succeeded. The previous and updated IDP signature versions are listed.
  • Page 767 Log message "Can not get signature version.": The device could not get the signature version from the new signature package it downloaded from the update server. Log message "IDP system-protect signature update failed.": An IDP system-protect signature update failed. Invalid IDP config file.
  • Page 768 See the CLI reference guide for how to restore the default system database. Log message (beginning cut off) "please refer to your user documentation to recover the default database file". Log message "IDP signature size is over system limitation.": The IDP signature set is too large (exceeds the ZyWALL’s system limitation).
  • Page 769: Table 285 Application Patrol

    Log message "Rule %s:%s has been removed.": An application patrol rule has been deleted. 1st %s: Protocol name 2nd %s: From rule index number 3rd %s: To rule index number. Log message "System fatal error: 60011001.": The device failed to initiate the application patrol daemon.
  • Page 770: Table 286 Ike Logs

    Log message "[SA] : No proposal chosen": When selecting a matched proposal in phase-1 or phase-2, no proposal was selected. Log message "[SA] : Tunnel [%s] Phase 1 authentication algorithm mismatch": %s is the tunnel name. When negotiating Phase-1, the authentication algorithm did not match.
  • Page 771 Log message "Cannot resolve My IP Addr %s for Tunnel [%s]": 1st %s is my ip address. 2nd %s is the tunnel name. When selecting a matched proposal in phase-1, the engine could not get My-IP address.
  • Page 772 Log message "Tunnel [%s] Phase 1 pre-shared key mismatch": %s is the tunnel name. When negotiating phase-1, the pre-shared key did not match. Log message "Tunnel [%s] Recving IKE request": %s is the tunnel name. The device received an IKE request.
  • Page 773 Sending IKE request. Log message "Tunnel [%s:0x%x] is disconnected": The variables represent the tunnel name and the SPI of a tunnel that was disconnected. Log message "Tunnel [%s] rekeyed successfully": %s is the tunnel name. The tunnel was rekeyed successfully.
  • Page 774: Table 287 Ipsec Logs

    3rd is the to zone, 4th is the service name, 5th is ACCEPT/DROP/REJECT. Log message "Firewall is dead, trace to %s:%d: in %s():": %s is which file, %d is which line, %s is which function. Log message "Firewall has been %s.": %s is enabled/disabled.
  • Page 775: Table 289 Sessions Limit Logs

    Log message "Cannot get handle from UAM, user-aware PR is disabled": User-aware policy routing is disabled due to some reason. Log message "mblock: allocate memory failed!": Allocating policy routing rule fails: insufficient memory. Log message "pt: allocate memory failed!": Allocating policy routing rule fails: insufficient memory.
  • Page 776: Table 291 Built-In Services Logs

    HTTPS service will not work. %s is certificate name assigned by user. Log message "HTTPS port has been changed to port %s.": An administrator changed the port number for HTTPS. %s is port number.
  • Page 777 Log message "DHCP Server on Interface %s will not work due to Device HA status is Stand-By": If interface is stand-by mode for device HA, DHCP server can't be run. Otherwise it has conflict with the interface in master mode. %s is interface name.
  • Page 778 Zone Forwarder has reached the maximum number of 128 DNS servers. Log message "Ping check ok, add DNS servers in bind.": Interface %s ping check is successful. %s is interface name. Zone Forwarder adds DNS servers in records.
  • Page 779: Table 292 System Logs

    Table 292 System Logs. Log message "Port %d is up!!": When LINK is up, %d is the port number. Log message "Port %d is down!!": When LINK is down, %d is the port number.
  • Page 780 IP address. Log message "Clear arp cache successfully.": The ARP cache was cleared successfully. Log message "Client MAC address is not an Ethernet address": A client MAC address is not an Ethernet address.
  • Page 781 FQDN %s was blocked for abuse. Log message "Update the profile %s has failed because of authentication fail.": Try to update profile, but failed, because of authentication fail. %s is the profile name.
  • Page 782 The profile is paused by device-HA, because the VRRP status of that The profile %s has iface is standby, %s is the profile name. been paused because the VRRP status of WAN interface was standby. ZyWALL USG 300 User’s Guide...
  • Page 783 Rename DDNS profile, 1st %s is the original profile name, 2nd %s is DDNS profile %s has the new profile name. been renamed as %s. Delete DDNS profile, %s is the profile name, DDNS profile %s has been deleted. ZyWALL USG 300 User’s Guide...
  • Page 784: Table 293 Connectivity Check Logs

    The connectivity check process can't get interface configuration. Can't get flags of %s interface %s: interface name The connectivity check process can't get remote address of PPP Can't get remote interface address of %s %s: interface name interface ZyWALL USG 300 User’s Guide...
  • Page 785: Table 294 Device Ha Logs

    The System Startup configuration file synchronized from the Master is Master configuration the same with the one in the Backup, so the configuration does not is the same with have to be updated. Backup. Skip updating ZyWALL USG 300 User’s Guide...
  • Page 786 A VRRP group’s Authentication Type (Md5 or IPSec AH) configuration Device HA may not match between the Backup and the Master. %s: The name of authentication type the VRRP group. for VRRP group %s maybe wrong. ZyWALL USG 300 User’s Guide...
  • Page 787 %s for %s due to transmission timeout. %s: The name of the VRRP interface. VRRP interface %s has been shutdown. %s: The name of the VRRP interface. VRRP interface %s has been brought up. ZyWALL USG 300 User’s Guide...
  • Page 788: Table 295 Routing Protocol Logs

    Name interface %s has been changed to BiDir. RIP text or md5 authentication has been disabled. RIP authentication has benn disabled. RIP text authentication key has been deleted. RIP text authentication key has been deleted. ZyWALL USG 300 User’s Guide...
  • Page 789 %s: Virtual-Link ID link %d md5 authentication of area Virtual-link %s text authentication has been set without setting text Invalid OSPF virtual- authentication key first. %s: Virtual-Link ID link %s text authentication of area ZyWALL USG 300 User’s Guide...
  • Page 790: Table 296 Nat Logs

    Signal port of SIP ALG has been modified. SIP ALG apply additional signal port failed. Register SIP ALG extra port=%d failed. %d: Port number SIP ALG apply signal port failed. Register SIP ALG signal port=%d failed. %d: Port number ZyWALL USG 300 User’s Guide...
  • Page 791: Table 297 Pki Logs

    The device was unable to use SCEP to enroll a certificate. 1st %s is a SCEP enrollment "%s" request name, 2nd %s is the CA name, 3rd %s is the URL failed, CA "%s", URL "%s" ZyWALL USG 300 User’s Guide...
  • Page 792 "%s" from "My Certificate" successfully The device exported a x509 format certificate from Trusted Export X509 Certificates. %s is the certificate request name. certificate "%s" from "Trusted Certificate" successfully ZyWALL USG 300 User’s Guide...
  • Page 793 CRL decoding failed. CRL is not currently valid, but in the future. CRL contains duplicate serial numbers. Time interval is not continuous. Time information not available. Database method failed due to timeout. Database method failed. ZyWALL USG 300 User’s Guide...
  • Page 794: Table 298 Interface Logs

    An administrator added a new interface. %s: interface name. Interface %s has been added. An administrator enabled an interface. %s: interface name. Interface %s is enabled. An administrator disabled an interface. %s: interface name. Interface %s is disabled. ZyWALL USG 300 User’s Guide...
  • Page 795 CHAP server does not support CHAP). CHAP: interface name. authentication failed. A PPP or AUX interface connected successfully. %s: interface name. Interface %s is connected. ZyWALL USG 300 User’s Guide...
  • Page 796 You entered an incorrect PUK code so you were not able to unlock the "Incorrect PUK code of SIM card for the cellular device associated with the listed cellular interface cellular%d. interface (%d). Please check the PUK code setting. ZyWALL USG 300 User’s Guide...
  • Page 797 %s, but current inserted device is %s. The cellular device (identified by its manufacturer and model) has been "Cellular device [%s inserted in or connected to the specified slot. %s] has been inserted into %s. ZyWALL USG 300 User’s Guide...
  • Page 798: Table 299 Wlan Logs

    Station association connect to the specified WLAN interface (first %s) because the WLAN has failed. Maximum interface already has its maximum number of wireless clients. associations have reached the maximum number. Interface: %s, MAC: %s. ZyWALL USG 300 User’s Guide...
  • Page 799: Table 300 Account Logs

    DHCP client and has more than one member in its group. In this case client. the DHCP client will renew. %s: interface name. An administrator configured port-grouping, %s: interface name. Port Grouping %s has been changed. ZyWALL USG 300 User’s Guide...
  • Page 800: Table 302 Force Authentication Logs

    DHCP clients, so there is no IP address to give to the listed DHCP client. DHCP server offered %s to The DHCP server feature gave the listed IP address to the computer %s(%s) with the listed hostname and MAC address. ZyWALL USG 300 User’s Guide...
  • Page 801: Table 305 E-Mail Daily Report Logs

    LOG MESSAGE DESCRIPTION Drop packet %s- The IP-MAC binding feature dropped an Ethernet packet. The %u.%u.%u.%u- interface the packet came in through and the sender’s IP address and %02X:%02X:%02X:%02X:% MAC address are also shown. 02X:%02X ZyWALL USG 300 User’s Guide...
  • Page 802 The interface the packet came in through, the sender’s IP %s#%u.%u.%u.%u#%02X:% address and MAC address, are also shown along with the binding type 02X:%02X:%02X:%02X:%02 (“s” for static or “d” for dynamic). ZyWALL USG 300 User’s Guide...
  • Page 803: Appendix B Common Services

    User-Defined The IPSEC ESP (Encapsulation Security (IPSEC_TUNNEL) Protocol) tunneling protocol uses this service. FINGER Finger is a UNIX or Internet related command that can be used to find out if a user is logged on. ZyWALL USG 300 User’s Guide...
  • Page 804 This is the data channel. RCMD Remote Command Service. REAL_AUDIO 7070 A streaming audio service that enables real time sound over the web. REXEC Remote Execution Daemon. RLOGIN Remote Login. RTELNET Remote Telnet. ZyWALL USG 300 User’s Guide...
  • Page 805 TFTP Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol). VDOLIVE 7000 Another videoconferencing solution. ZyWALL USG 300 User’s Guide...
  • Page 806 Appendix B Common Services ZyWALL USG 300 User’s Guide...
  • Page 807: Appendix C Displaying Anti-Virus Alert Messages in Windows

    Windows XP 1 Click Start > Control Panel > Administrative Tools > Services. Figure 528 Windows XP: Opening the Services Window 2 Select the Messenger service and click Start.
  • Page 808: Figure 529 Windows XP: Starting the Messenger Service

    3 Close the window when you are done. Windows 2000 1 Click Start > Settings > Control Panel > Administrative Tools > Services. Figure 530 Windows 2000: Opening the Services Window 2 Select the Messenger service and click Start Service.
  • Page 809: Figure 531 Windows 2000: Starting the Messenger Service

    98 SE (steps are similar for Windows Me). 1 Right-click on the program task bar and click Properties. Figure 533 Windows 98 SE: Program Task Bar 2 Click the Start Menu Programs tab and click Advanced ...
  • Page 810: Figure 534 Windows 98 SE: Task Bar Properties

    3 Double-click Programs and click StartUp. 4 Right-click in the StartUp pane and click New, Shortcut. Figure 535 Windows 98 SE: StartUp 5 A Create Shortcut window displays. Enter “winpopup” in the Command line field and click Next.
  • Page 811: Figure 536 Windows 98 SE: Startup: Create Shortcut

    6 Specify a name for the shortcut or accept the default and click Finish. Figure 537 Windows 98 SE: Startup: Select a Title for the Program 7 A shortcut is created in the StartUp pane. Restart the computer when prompted.
  • Page 812: Figure 538 Windows 98 SE: Startup: Shortcut

    Appendix C Displaying Anti-Virus Alert Messages in Windows Figure 538 Windows 98 SE: Startup: Shortcut The WinPopup window displays after the computer finishes the startup process (see Figure 532 on page 809).
  • Page 813: Appendix D Importing Certificates

    In this appendix, you can import a public key certificate for: • Internet Explorer on page 814 • Firefox on page 822 • Opera on page 827 • Konqueror on page 833
  • Page 814: Figure 539 Internet Explorer 7: Certification Error

    Figure 539 Internet Explorer 7: Certification Error 2 Click Continue to this website (not recommended). Figure 540 Internet Explorer 7: Certification Error 3 In the Address Bar, click Certificate Error > View certificates. Figure 541 Internet Explorer 7: Certificate Error
  • Page 815: Figure 542 Internet Explorer 7: Certificate

    Appendix D Importing Certificates 4 In the Certificate dialog box, click Install Certificate. Figure 542 Internet Explorer 7: Certificate 5 In the Certificate Import Wizard, click Next. Figure 543 Internet Explorer 7: Certificate Import Wizard
  • Page 816: Figure 544 Internet Explorer 7: Certificate Import Wizard

    Figure 545 Internet Explorer 7: Certificate Import Wizard 8 In the Select Certificate Store dialog box, choose a location in which to save the certificate and then click OK. Figure 546 Internet Explorer 7: Select Certificate Store
  • Page 817: Figure 547 Internet Explorer 7: Certificate Import Wizard

    9 In the Completing the Certificate Import Wizard screen, click Finish. Figure 547 Internet Explorer 7: Certificate Import Wizard 10 If you are presented with another Security Warning, click Yes. Figure 548 Internet Explorer 7: Security Warning
  • Page 818: Figure 549 Internet Explorer 7: Certificate Import Wizard

    12 The next time you start Internet Explorer and go to a ZyXEL Web Configurator page, a sealed padlock icon appears in the address bar. Click it to view the page’s Website Identification information. Figure 550 Internet Explorer 7: Website Identification
  • Page 819: Figure 551 Internet Explorer 7: Public Key Certificate File

    2 In the security warning dialog box, click Open. Figure 552 Internet Explorer 7: Open File - Security Warning 3 Refer to steps 4-12 in the Internet Explorer procedure beginning on page 814 to complete the installation process.
  • Page 820: Figure 553 Internet Explorer 7: Tools Menu

    1 Open Internet Explorer and click Tools > Internet Options. Figure 553 Internet Explorer 7: Tools Menu 2 In the Internet Options dialog box, click Content > Certificates. Figure 554 Internet Explorer 7: Internet Options
  • Page 821: Figure 555 Internet Explorer 7: Certificates

    5 In the Root Certificate Store dialog box, click Yes. Figure 557 Internet Explorer 7: Root Certificate Store 6 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
  • Page 822: Figure 558 Firefox 2: Website Certified by an Unknown Authority

    3 The certificate is stored and you can now connect securely to the Web Configurator. A sealed padlock appears in the address bar, which you can click to open the Page Info > Security window to view the web page’s security information. Figure 559 Firefox 2: Page Info
  • Page 823: Figure 560 Firefox 2: Tools Menu

    1 Open Firefox and click Tools > Options. Figure 560 Firefox 2: Tools Menu 2 In the Options dialog box, click Advanced > Encryption > View Certificates. Figure 561 Firefox 2: Options
  • Page 824: Figure 562 Firefox 2: Certificate Manager

    Firefox 2: Select File 5 The next time you visit the web site, click the padlock in the address bar to open the Page Info > Security window to see the web page’s security information.
  • Page 825: Figure 564 Firefox 2: Tools Menu

    This section shows you how to remove a public key certificate in Firefox 2. 1 Open Firefox and click Tools > Options. Figure 564 Firefox 2: Tools Menu 2 In the Options dialog box, click Advanced > Encryption > View Certificates. Figure 565 Firefox 2: Options
  • Page 826: Figure 566 Firefox 2: Certificate Manager

    4 In the Delete Web Site Certificates dialog box, click OK. Figure 567 Firefox 2: Delete Web Site Certificates 5 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
  • Page 827: Figure 568 Opera 9: Certificate Signer Not Found

    3 The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page’s security details. Figure 569 Opera 9: Security information
  • Page 828: Figure 570 Opera 9: Tools Menu

    1 Open Opera and click Tools > Preferences. Figure 570 Opera 9: Tools Menu 2 In Preferences, click Advanced > Security > Manage certificates. Figure 571 Opera 9: Preferences
  • Page 829: Figure 572 Opera 9: Certificate Manager

    3 In the Certificate manager, click Authorities > Import. Figure 572 Opera 9: Certificate manager 4 Use the Import certificate dialog box to locate the certificate and then click Open. Figure 573 Opera 9: Import certificate
  • Page 830: Figure 574 Opera 9: Install Authority Certificate

    Figure 575 Opera 9: Install authority certificate 7 The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page’s security details.
  • Page 831: Figure 576 Opera 9: Tools Menu

    This section shows you how to remove a public key certificate in Opera 9. 1 Open Opera and click Tools > Preferences. Figure 576 Opera 9: Tools Menu 2 In Preferences, click Advanced > Security > Manage certificates. Figure 577 Opera 9: Preferences
  • Page 832: Figure 578 Opera 9: Certificate Manager

    4 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. There is no confirmation when you delete a certificate authority, so be absolutely certain that you want to go through with it before clicking the button.
  • Page 833: Figure 579 Konqueror 3.5: Server Authentication

    Figure 580 Konqueror 3.5: Server Authentication 4 Click the padlock in the address bar to open the KDE SSL Information window and view the web page’s security details. Figure 581 Konqueror 3.5: KDE SSL Information
  • Page 834: Figure 582 Konqueror 3.5: Public Key Certificate File

    Figure 584 Konqueror 3.5: Kleopatra 3 The next time you visit the web site, click the padlock in the address bar to open the KDE SSL Information window to view the web page’s security details.
  • Page 835: Figure 585 Konqueror 3.5: Settings Menu

    4 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. There is no confirmation when you remove a certificate authority, so be absolutely certain you want to go through with it before clicking the button.
  • Page 836 Appendix D Importing Certificates
  • Page 837: Appendix E Open Software Announcements

    No part may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, except the express written permission of ZyXEL Communications Corporation. This Product includes ppp-2.4.2 software under the PPP License PPP License Copyright (c) 1993 The Australian National University.
  • Page 838 The University of Delaware makes no representations about the suitability this software for any purpose. It is provided "as is" without express or implied warranty.
  • Page 839 Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
  • Page 840 (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
  • Page 841 POSSIBILITY OF SUCH DAMAGE. The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]
  • Page 842 LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This Product includes bind-9.2.3 software under the Internet Software Consortium and Nominum License
  • Page 843 THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY
  • Page 844 "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).
  • Page 845 (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and
  • Page 846 Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS
  • Page 847 Portions of this software are based upon public domain software originally written at the National Center for Supercomputing Applications, University of Illinois, Urbana-Champaign. This Product includes libosip2, libgcgi-0.9.5 and gmp-4.1 software under LGPL license. GNU LESSER GENERAL PUBLIC LICENSE Version 2.1, February 1999
  • Page 848 License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs.
  • Page 849 Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the
  • Page 850 GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library.
  • Page 851 (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-
  • Page 852 License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would
  • Page 853 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL,
  • Page 854 You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.
  • Page 855 License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)
  • Page 856 Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.
  • Page 857 Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY
  • Page 858 Original Code or Modifications or the combination of the Original Code and Modifications, in each case including portions thereof. 1.4. "Electronic Distribution Mechanism" means a mechanism generally accepted in the software development community for the electronic transfer of data.
  • Page 859 Original Code or another well known, available Covered Code of the Contributor's choice. The Source Code can be in a compressed or archival form, provided the appropriate decompression or de-archiving software is widely available for no charge. 1.12. "You" (or "Your")
  • Page 860 Modifications made by that Contributor with other software (except as part of the Contributor Version) or other devices; or 4) under Patent Claims infringed by Covered Code in the absence of Modifications made by that Contributor.
  • Page 861 If Contributor's Modifications include an application programming interface and Contributor has knowledge of patent licenses which are reasonably necessary to implement that API, Contributor must also include this information in the legal file. (c) Representations.
  • Page 862 Section 3.4 and must be included with all distributions of the Source Code. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it. 5. Application of this License.
  • Page 863 60 days notice from Participant terminate prospectively, unless if within 60 days after receipt of notice You either: (i) agree in writing to pay Participant a mutually agreeable reasonable royalty for Your past and future use of Modifications made by such Participant, or
  • Page 864 License shall be subject to the jurisdiction of the Federal Courts of the Northern District of California, with venue lying in Santa Clara County, California, with the losing party responsible for costs, including without limitation, court costs and reasonable
  • Page 865 Code files of the Original Code. You should use the text of this Exhibit A rather than the text found in the Original Code Source Code for Your Modifications. This Product includes unzip-5.50 and zip-2.3 software under Info-ZIP license
  • Page 866 •Info-ZIP retains the right to use the names "Info-ZIP," "Zip," "UnZip," "UnZipSFX," "WiZ," "Pocket UnZip," "Pocket Zip," and "MacZip" for its own source and binary releases. This Product includes libpcap-0.8.3, libnet-1.1.2.1, net-snmp-5.1.1, libpcap-0.9.4, and openssh- software under BSD license 4.3p2
  • Page 867 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
  • Page 868 Software shall at all times remain with copyright holders. OpenLDAP is a registered trademark of the OpenLDAP Foundation. Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted.
  • Page 869 (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following
  • Page 870 EVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  • Page 871 OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. NOTE: Some components of the ZyWALL USG 300 incorporate source code covered under the Apache License, GPL License, LGPL License, BSD...
  • Page 872 ZyXEL Communications Corporation at: ZyXEL Technical Support. End-User License Agreement for “ZyWALL USG 300” WARNING: ZyXEL Communications Corp. IS WILLING TO LICENSE THE ENCLOSED SOFTWARE TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS LICENSE AGREEMENT. PLEASE READ THE TERMS CAREFULLY BEFORE COMPLETING THE INSTALLATION PROCESS AS INSTALLING THE SOFTWARE WILL INDICATE YOUR ASSENT TO THEM.
  • Page 873 BUT SHALL IN NO EVENT EXCEED THE AMOUNT OF THE PRODUCT. BECAUSE SOME STATES/COUNTRIES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. 8.Export Restrictions
  • Page 874 License Agreement is found invalid or unenforceable by a court of competent jurisdiction, the remainder of this License Agreement shall be interpreted so as to reasonably effect the intention of the parties.
  • Page 875: Appendix F Wireless LANs

    A and B can access the wired network and communicate with each other. When Intra-BSS is disabled, wireless clients A and B can still access the wired network but cannot communicate with each other.
  • Page 876: Figure 588 Basic Service Set

    An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate.
  • Page 877: Figure 589 Infrastructure WLAN

    (AP) or wireless gateway, but out of range of each other, so they cannot "hear" each other, that is, they do not know if the channel is currently being used. Therefore, they are considered hidden from each other.
  • Page 878: Figure 590 RTS/CTS

    RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size. Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy.
  • Page 879: Table 308 IEEE 802.11g

    The IEEE 802.11g data rate and modulation are as follows: Table 308 IEEE 802.11g DATA RATE (MBPS) MODULATION DBPSK (Differential Binary Phase Shift Keyed) DQPSK (Differential Quadrature Phase Shift Keying)
  • Page 880: Table 309 Wireless Security Levels

    RADIUS server. • Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients.
  • Page 881 Types of EAP Authentication This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP. Your wireless LAN device may not support all authentication types.
  • Page 882 However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco.
  • Page 883: Table 310 Comparison of EAP Authentication Types

    Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA. Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication.
  • Page 884 WEP as it employs a consistent, single, alphanumeric password to derive a PMK which is used to generate unique temporal encryption keys. This prevents all wireless devices from sharing the same encryption keys (a weakness of WEP).
  • Page 885 4 The RADIUS server distributes the PMK to the AP. The AP then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys. The keys are used to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients.
  • Page 886: Figure 591 WPA(2) with RADIUS Application Example

    4 The AP and wireless clients use the TKIP or AES encryption process, the PMK and information exchanged in a handshake to create temporal encryption keys. They use these keys to encrypt data exchanged between them. Figure 592 WPA(2)-PSK Authentication
  • Page 887: Table 311 Wireless Security Relational Matrix

    An antenna in the frequency of 2.4GHz (IEEE 802.11b and IEEE 802.11g) or 5GHz (IEEE 802.11a) is needed to communicate efficiently in a wireless LAN. Radiation Pattern A radiation pattern is a diagram that allows you to visualize the shape of the antenna’s coverage area.
  • Page 888: Types of Antennas for WLAN

    For a single AP application, place omni-directional antennas as close to the center of the coverage area as possible. For directional antennas, point the antenna in the direction of the desired coverage area.
  • Page 889: Appendix G Legal Information

    ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved.
  • Page 890: Zyxel Limited Warranty

    During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the ZyWALL USG 300 User’s Guide...
  • Page 891 To obtain the services of this warranty, contact your vendor. You may also refer to the warranty policy for the region in which you bought the device at http://www.zyxel.com/web/ support_warranty_info.php. Registration Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com. ZyWALL USG 300 User’s Guide...
  • Page 892 Appendix G Legal Information
  • Page 893: Appendix H Customer Support

    • Sales E-mail: sales@zyxel.com.tw • Telephone: +886-3-578-3942 • Fax: +886-3-578-2439 • Web: www.zyxel.com • Regular Mail: ZyXEL Communications Corp., 6 Innovation Road II, Science Park, Hsinchu 300, Taiwan China - ZyXEL Communications (Beijing) Corp. • Support E-mail: cso.zycn@zyxel.cn • Sales E-mail: sales@zyxel.cn •...
  • Page 894 Czech Republic • E-mail: info@cz.zyxel.com • Telephone: +420-241-091-350 • Fax: +420-241-091-359 • Web: www.zyxel.cz • Regular Mail: ZyXEL Communications, Czech s.r.o., Modranská 621, 143 01 Praha 4 - Modrany, Ceská Republika Denmark • Support E-mail: support@zyxel.dk • Sales E-mail: sales@zyxel.dk •...
  • Page 895 Kazakhstan • Support: http://zyxel.kz/support • Sales E-mail: sales@zyxel.kz • Telephone: +7-3272-590-698 • Fax: +7-3272-590-689 • Web: www.zyxel.kz • Regular Mail: ZyXEL Kazakhstan, 43 Dostyk Ave., Office 414, Dostyk Business Centre, 050010 Almaty, Republic of Kazakhstan
  • Page 896 • Support Telephone: +1-800-978-7222 • Sales E-mail: sales@zyxel.com • Sales Telephone: +1-714-632-0882 • Fax: +1-714-632-0858 • Web: www.zyxel.com • Regular Mail: ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 92806- 2001, U.S.A. Norway • Support E-mail: support@zyxel.no • Sales E-mail: sales@zyxel.no •...
  • Page 897 • Support E-mail: support@zyxel.es • Sales E-mail: sales@zyxel.es • Telephone: +34-902-195-420 • Fax: +34-913-005-345 • Web: www.zyxel.es • Regular Mail: ZyXEL Communications, Arte, 21 5ª planta, 28033 Madrid, Spain Sweden • Support E-mail: support@zyxel.se • Sales E-mail: sales@zyxel.se • Telephone: +46-31-744-7700 •...
  • Page 898 • Sales E-mail: sales@zyxel.co.uk • Telephone: +44-1344-303044, 0845 122 0301 (UK only) • Fax: +44-1344-303034 • Web: www.zyxel.co.uk • Regular Mail: ZyXEL Communications UK Ltd., 11 The Courtyard, Eastern Road, Bracknell, Berkshire RG12 2XB, United Kingdom (UK)
  • Page 899: Index
