ZyWALL series Internet security gateway (692 pages)
Summary of Contents for ZyXEL Communications ZyWALL USG 300
ZyWALL USG 300 Unified Security Gateway User’s Guide, Version 2.11, 11/2008, Edition 1
DEFAULT LOGIN: LAN port IP address http://192.168.1.1, user name admin, password 1234 (www.zyxel.com)
It is recommended you use the Web Configurator to configure the ZyWALL.
• Web Configurator Online Help: Click the help icon in any screen for help in configuring that screen and supplementary information.
• Supporting Disc
ZyWALL USG 300 User’s Guide...
Graphics in this book may differ slightly from the product due to differences in operating systems, operating system versions, or if you installed updated firmware/software for your device. Every effort has been made to ensure that the information in this manual is accurate.
Syntax Conventions
• The ZyWALL USG 300 may be referred to as the “ZyWALL”, the “device”, the “system” or the “product” in this User’s Guide.
• Product labels, screen names, field labels and field choices are all in bold font.
Icons Used in Figures
Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device: ZyWALL, Computer, Notebook computer, Server, Firewall, Telephone, Switch, Router.
6.3.3 Set Up the Policy Route for the VPN Tunnel (130)
6.3.4 Configure Security Policies for the VPN Tunnel (132)
6.4 How to Configure User-aware Access Control (132)
6.4.1 Set Up User Accounts (132)
6.4.2 Set Up User Groups (133)
8.1.1 What You Can Do in the Registration Screens (165)
8.1.2 What You Need to Know About Service Registration (165)
8.2 The Registration Screen (166)
8.3 The Service Screen (169)
Chapter 9 Signature Update (171)
13.2 The RIP Screen (262)
13.3 The OSPF Screen (263)
13.3.1 Configuring the OSPF Screen (266)
13.3.2 OSPF Area Add/Edit Screen (267)
13.4 Routing Protocol Technical Reference (269)
Chapter 14 Zones (273)
18.1.1 What You Can Do in the ALG Screen (299)
18.1.2 What You Need to Know About ALG (300)
18.1.3 Before You Begin (302)
18.2 The ALG Screen (302)
18.3 ALG Technical Reference (304)
Chapter 19 IP/MAC Binding (307)
21.3 The VPN Gateway Screen (346)
21.3.1 The VPN Gateway Add/Edit Screen (347)
21.4 The VPN Concentrator Screen (352)
21.4.1 The VPN Concentrator Add/Edit Screen (353)
21.5 The SA Monitor Screen (354)
25.3.2 Saving a File (387)
25.4 Creating a New Folder (388)
25.5 Renaming a File or Folder (388)
25.6 Deleting a File or Folder (389)
25.7 Uploading a File (389)
Chapter 26 L2TP VPN (391)
34.1.1 What You Can Do in the Anti-Spam Screens (541)
34.1.2 What You Need to Know About Anti-Spam (541)
34.2 Before You Begin (543)
34.3 The Anti-Spam General Screen (543)
34.3.1 The Anti-Spam Policy Add or Edit Screen (545)
36.3 User Group Summary Screen (580)
36.3.1 Group Add/Edit Screen (581)
36.4 Setting Screen (581)
36.4.1 Force User Authentication Policy Add/Edit Screen (584)
36.4.2 User Aware Login Example (585)
36.5 User/Group Technical Reference (586)
40.3 Active Directory or LDAP Group Summary Screen (611)
40.3.1 Creating an Active Directory or LDAP Group (611)
40.4 Configuring a Default RADIUS Server (613)
40.5 Configuring a Group of RADIUS Servers (614)
44.1.3 Example: Specifying a Web Site for Access (644)
44.2 The SSL Application Screen (645)
44.2.1 Creating/Editing a Web-based SSL Application Object (645)
44.2.2 Creating/Editing a File Sharing SSL Application Object (647)
48.4 The Anti-Virus Report Screen (722)
48.5 The IDP Report Screen (723)
48.6 The Content Filter Report Screen (725)
48.7 The Anti-Spam Report Screen (727)
48.8 The Email Daily Report Screen (729)
Appendix C Displaying Anti-Virus Alert Messages in Windows (807)
Appendix D Importing Certificates (813)
Appendix E Open Software Announcements (837)
Appendix F Wireless LANs (875)
Appendix G Legal Information (889)
Appendix H Customer Support (893)
Index (899)
List of Figures
Figure 1 ZyWALL USG 300 Front Panel (53)
Figure 2 Managing the ZyWALL: Web Configurator (55)
Figure 3 Applications: VPN Connectivity (61)
Figure 4 Network Access Mode: Reverse Proxy (61)
Figure 5 Network Access Mode: Full Tunnel Mode ...
Figure 79 System > WWW > Service Control Rule Edit (140)
Figure 80 System > WWW (Second Example Admin Service Rule Configured) (141)
Figure 81 WAN to LAN H.323 Peer-to-peer Calls Example (141)
Figure 551 Internet Explorer 7: Public Key Certificate File (819)
Figure 552 Internet Explorer 7: Open File - Security Warning (819)
Figure 553 Internet Explorer 7: Tools Menu (820)
Figure 554 Internet Explorer 7: Internet Options (820)
Figure 587 Peer-to-Peer Communication in an Ad-hoc Network (875)
Figure 588 Basic Service Set (876)
Figure 589 Infrastructure WLAN (877)
Figure 590 RTS/CTS (878)
Figure 591 WPA(2) with RADIUS Application Example (886)
Figure 592 WPA(2)-PSK Authentication (886)
List of Tables
Table 35 Status > VPN Status (159)
Table 36 Status > DHCP Table (160)
Table 37 Status > Port Statistics (161)
Table 38 Status > Port Statistics > Switch to Graphic View (162)
Getting Started
Introducing the ZyWALL (53)
Features and Applications (57)
Web Configurator (65)
Configuration Basics (107)
Tutorials (123)
Status (151)
Registration (165)
Signature Update (171)
The Ethernet management interface can only be accessed from the LAN side by default. The default LAN IP address is 192.168.1.1; the default administrator login user name and password are “admin” and “1234” respectively. These defaults are printed on the cover of this guide, so change the administrator password before the device is reachable from anything but a trusted LAN.
1.2 Front Panel
Figure 1 ZyWALL USG 300 Front Panel
1.3 Management Overview
You can use the following ways to manage the ZyWALL.
Web Configurator: The Web Configurator allows easy ZyWALL setup and management using an Internet browser. This User’s Guide provides information about the Web Configurator.
The ZyWALL writes all cached data to the local storage, stops the system processes, and then does a warm start.
Using the RESET button: If you press the RESET button, the ZyWALL sets the configuration to its default values and then reboots. A reset also restores the default LAN IP address and the default administrator password listed above, so treat a freshly reset device as having known credentials until you change them.
When you apply configuration files or run shell scripts, the ZyWALL does not stop or start the system processes. However, you might lose access to network resources temporarily while the ZyWALL is applying configuration files or running shell scripts.
The ZyWALL’s firewall is a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It also tracks sessions: for example, traffic from one zone into another is not allowed unless a computer in the second zone initiated the session first, in which case the return packets are accepted as part of that session without needing a separate rule.
The anti-spam feature can mark or discard spam. Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail. The ZyWALL can also check e-mail against a DNS black list (DNSBL) of IP addresses of servers that are suspected of being used by spammers.
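The DNSBL check described above, written out as an added example (this is not ZyXEL code and does not describe the ZyWALL’s implementation). The zone name dnsbl.example, the listed addresses and the stand-in resolver are constructed so that it runs offline; the precedence white list, then black list, then DNSBL is an assumption, since the guide names the three checks but not their order.

```python
"""DNSBL check as an anti-spam filter performs it.

Added example, not ZyXEL code. A DNS black list is queried by reversing
the octets of the sending mail server's IPv4 address and looking up an A
record under the list's zone: 203.0.113.7 becomes
7.113.0.203.dnsbl.example. An answer in 127.0.0.0/8 means "listed";
NXDOMAIN means "not listed". Zone, listed addresses and resolver below
are constructed so the example runs offline.
"""
import ipaddress
from typing import Callable, Optional

DNSBL_ZONE = "dnsbl.example"  # hypothetical zone; real lists publish their own

# Constructed DNSBL contents: query name -> A record answer
LISTED = {
    "7.113.0.203.dnsbl.example": "127.0.0.2",  # 203.0.113.7 is listed
    "1.2.0.192.dnsbl.example": "127.0.0.4",    # 192.0.2.1 is listed
}

# Addresses that can never be the public source of mail. An explicit list is
# used instead of IPv4Address.is_private because Python also treats the
# documentation ranges (203.0.113.0/24 etc.) as private.
NEVER_QUERY = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

Resolver = Callable[[str], Optional[str]]


def fake_resolver(name: str) -> Optional[str]:
    """Stand-in for a real A-record lookup; None models NXDOMAIN."""
    return LISTED.get(name)


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the reversed-octet query name for an IPv4 address."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed and IPv6 input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip: str, resolve: Resolver = fake_resolver, zone: str = DNSBL_ZONE) -> bool:
    """True if the sending server's IP has a DNSBL entry.

    Only an answer inside 127.0.0.0/8 counts. Anything else is treated as a
    broken or hijacked list: expired DNSBL domains have answered every query
    with a public address, which would mark all mail as spam.
    """
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in NEVER_QUERY):
        return False
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def classify_sender(ip: str, white_list: set, black_list: set,
                    resolve: Resolver = fake_resolver) -> str:
    """White list first, then black list, then DNSBL (assumed precedence)."""
    if ip in white_list:
        return "legitimate"
    if ip in black_list:
        return "spam"
    return "spam" if is_listed(ip, resolve) else "unknown"
```

The 127.0.0.0/8 check is the part worth keeping when you wire this to a real resolver: a list that starts answering with a public address would otherwise silently quarantine all inbound mail.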
2.3.1 VPN Connectivity
Set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to provide secure access to your network. You can also set up additional connections to the Internet to provide better service.
URL. You do not have to install additional client software on the remote user computers for access.
Figure 4 Network Access Mode: Reverse Proxy (LAN 192.168.1.X; HTTPS access to Web Mail, File Share and Web-based Application servers)
Figure 5 Network Access Mode: Full Tunnel Mode (Non-Web Server)
2.3.3 User-Aware Access Control
Set up security policies that restrict access to sensitive information and shared resources based on the user who is trying to access it.
Figure 6 Applications: User-Aware Access Control
In either case, you can balance the loads between them.
Figure 7 Applications: Multiple WAN Interfaces
2.3.5 Device HA
Set up an additional ZyWALL as a backup gateway to ensure the default gateway is always available for the network.
Figure 8 Applications: Device HA
1 Make sure your ZyWALL hardware is properly connected. See the Quick Start Guide.
2 Open your web browser, and go to http://192.168.1.1. By default, the ZyWALL automatically redirects this request to its HTTPS server, and it is recommended to keep this setting so that the administrator password is never sent in clear text. The Login screen appears.
Follow the directions in this screen. If you change the default password, the Login screen (Figure 9 on page 66) appears after you click Apply. If you click Ignore, the main screen appears. Change the password rather than clicking Ignore; the default “1234” is printed on the cover of this guide.
As illustrated in Figure 11 on page 67, the main screen is divided into these parts:
• A - title bar
• B - navigation panel
• C - main window
• D - status bar
IDP/AppPatrol: Use this screen to schedule IDP signature updates and to update signature information immediately.
System Protect: Use this screen to schedule system-protect signature updates and to update signature information immediately.
Network
VPN Connection: Use this screen to configure IPSec tunnels.
VPN Gateway: Use this screen to configure IKE tunnels.
Concentrator: Use this screen to configure VPN concentrators (hub-and-spoke VPN).
SA Monitor: Use this screen to monitor current IPSec VPN tunnels.
DNSBL: Use these screens to have the ZyWALL check e-mail against DNS Black Lists.
Status: Use this screen to see how many mail sessions the ZyWALL is currently checking and DNSBL statistics.
DNS: Use this screen to configure the DNS server and address records for the ZyWALL.
Service Control: Use this screen to configure HTTP, HTTPS, and general authentication.
Login Page: Use this screen to configure how the login and access user screens look.
Status screen.
3.3.4 Message Bar
The message bar displays configuration status information. Check the message bar after you click Apply or OK to verify that the configuration has been updated.
Click Clear Warning Messages to remove the current warning messages from the window.
3.3.4.2 CLI Messages
Click CLI to look at the CLI commands sent by the Web Configurator. These commands appear in a popup window, such as the following.
Click Refresh Now to update the screen. For example, if you just enabled a particular feature, you can look at the commands the Web Configurator generated to enable it. Close the popup window when you are done with it. See the Command Reference Guide for information about the commands.
(see Load Balancing Algorithms on page 244 for more on load balancing). This wizard creates matching ISP account settings in the ZyWALL if you use PPPoE or PPTP. This wizard also creates a WAN trunk.
ISP to know what to enter in each field. Leave a field blank if you don’t have that information. Enter the Internet access information exactly as your ISP gave it to you.
Next: Click Next to continue.
4.2.1 Ethernet: Auto IP Address Assignment
If you select Auto as the IP Address Assignment in the previous screen, the following screen displays. Click Next to apply the configuration settings.
89). If you want to do a more detailed registration or manage your account details, click myZyXEL.com. Alternatively, click Close to exit the wizard.
4.2.2 Ethernet: Static IP Address Assignment
If you select Static as the IP Address Assignment, the following screen displays.
VPN, DDNS and the time server. Enter the DNS server IP addresses.
Back: Click Back to return to the previous screen.
Next: Click Next to continue. The ZyWALL applies the configuration settings.
Alternatively, click Close to exit the wizard.
4.2.3 PPPoE: Auto IP Address Assignment
If you select Auto as the IP Address Assignment in the previous screen, the following screen displays after you click Next.
Zone: This field displays to which security zone this interface and Internet connection will belong.
IP Address: The ISP will assign your WAN IP address automatically.
Back: Click Back to return to the previous screen.
Next: Click Next to continue.
89). If you want to do a more detailed registration or manage your account details, click myZyXEL.com. Alternatively, click Close to exit the wizard.
4.2.4 PPPoE: Static IP Address Assignment
If you select Static as the IP Address Assignment, the following screen displays.
The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. The ZyWALL uses a system DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and the time server.
89). If you want to do a more detailed registration or manage your account details, click myZyXEL.com. Alternatively, click Close to exit the wizard.
4.2.5 PPTP: Auto IP Address Assignment
If you select Auto as the IP Address Assignment in the previous screen, the following screen displays.
IP Address: Type the (static) IP address assigned to you by your ISP.
IP Subnet Mask: Type the subnet mask assigned to you by your ISP (if given).
Server IP: Type the IP address of the PPTP server.
Back: Click Back to return to the previous screen.
Next: Click Next to continue. The ZyWALL applies the configuration settings.
Figure 25 PPTP Encapsulation: Auto: Finish
You have set up your ZyWALL to access the Internet.
If you select Static as the IP Address Assignment, the following screen displays.
Figure 26 PPTP Encapsulation: Static
The following table describes the labels in this screen.
Table 12 PPTP Encapsulation: Static
LABEL: DESCRIPTION
ISP Parameters
Encapsulation: This displays the type of Internet connection you are configuring.
DNS server, you must know the IP address of a machine in order to access it.
Back: Click Back to return to the previous screen.
Next: Click Next to continue. The ZyWALL applies the configuration settings.
4.3 Device Registration
Use this screen to register your ZyWALL with myZyXEL.com and activate trial periods of subscription security features if you have not already done so. You must be connected to the Internet to register.
Enter the password again for confirmation.
E-Mail Address: Enter your e-mail address. You can use up to 80 alphanumeric characters (periods and the underscore are also allowed) without spaces.
Country Code: Select your country from the drop-down list box.
Internet Service Providers (ISPs) or two different accounts with the same ISP. The configuration of the following screens is explained in Section 4.2 on page 76. Configure the First WAN Interface and click Next.
After you configure the First WAN Interface, you can configure the Second WAN Interface. Click Next to continue.
Figure 31 Internet Access: Step 3: Second WAN Interface
After you configure the Second WAN Interface, a summary of the configuration settings displays for both WAN interfaces.
Well done! You have successfully set up your ZyWALL to access the Internet.
4.5 VPN Setup
The VPN wizard creates corresponding VPN connection and VPN gateway settings, a policy route and address objects that you can use later in configuring more VPN connections or other features.
Use the Express wizard to create a VPN connection with another ZLD-based ZyWALL using a pre-shared key and default security settings. Use the Advanced wizard to configure detailed VPN security settings such as using certificates. The VPN connection can be to another ZLD-based ZyWALL or other IPSec devices.
Remote Access (Client Role): Choose this to connect to an IPSec server. This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel.
Back: Click Back to return to the previous screen.
Next: Click Next to continue.
IPSec router’s configured local IP address (the local IP address of the other ZyWALL). To specify IP addresses on a network by their subnet mask, type the subnet mask of the LAN behind the remote gateway.
Local Policy: This is a (static) IP address and Subnet Mask on the LAN behind your ZyWALL.
Remote Policy: This is a (static) IP address and Subnet Mask on the network behind the remote IPSec router. If this field displays Any, only the remote IPSec router can initiate the VPN connection.
Figure 37 VPN Express Wizard: Step 6
If you have not already done so, use the myZyXEL.com link and register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Click Close to exit the wizard.
Negotiation Mode: Select Main for identity protection. Select Aggressive to allow more incoming connections from dynamic IP addresses to use separate pre-shared keys. Note: Multiple SAs (security associations) connecting through a secure gateway must have the same negotiation mode. Aggressive mode sends the peer identity and the hash derived from the pre-shared key before the exchange is encrypted, so anyone who captures the first messages can run an offline dictionary attack against the pre-shared key. If you must use Aggressive mode, use a long random pre-shared key; otherwise prefer Main mode or certificate authentication.
ZyWALL’s list of certificates.
Back: Click Back to return to the previous screen.
Next: Click Next to continue.
Phase 2 in IKE uses the SA that was established in phase 1 to negotiate the SAs for IPSec.
AES128 uses a 128-bit key and is faster than 3DES. AES192 uses a 192-bit key and AES256 uses a 256-bit key. Select Null to have no encryption: the tunnel then only authenticates packets and anyone on the path can read the payload, so use Null only for testing.
Back: Click Back to return to the previous screen.
Next: Click Next to continue.
This read-only screen shows the status of the current VPN setting. Use the summary table to check whether what you have configured is correct.
VPN connection. See the Command Reference Guide for details on the commands displayed in this list.
Back: Click Back to return to the previous screen.
Save: Click Save to store the VPN settings on your ZyWALL.
Now you can use the VPN tunnel.
Figure 42 VPN Wizard: Step 6: Advanced
If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Click Close to exit the wizard.
If you are in a screen that uses objects, you can also usually select Create Object to open a screen where you can configure a new object. For a list of common objects, see Section 5.5 on page 118.
(data link, MAC address) level. Then, you can configure the IP address and subnet mask of the bridge. It is also possible to configure zone-level security between the member interfaces in the bridge.
DDNS entries, so there is no WHERE USED entry.
5.4.2 Interface
See Section 5.2 on page 108 for background information. When you create an interface, there is no security applied on it until you assign it to a zone.
PREREQUISITES: Interfaces, SSL application, users, user groups, addresses (network list, IP pool for assigning to clients, DNS and WINS server addresses), to-ZyWALL firewall, firewall
WHERE USED: Policy routes, zones
Example: See Chapter 6 on page 123.
PREREQUISITES: Interfaces (with a static IP address), to-ZyWALL firewall
Example: See Chapter 6 on page 123.
5.4.9 DDNS
Dynamic DNS maps a domain name to a dynamic IP address. The ZyWALL helps maintain this mapping.
MENU ITEM(S): Network > DDNS
PREREQUISITES: Interface
FTP traffic.
5.4.11 Static Routes
Use static routes to tell the ZyWALL about networks not directly connected to the ZyWALL.
MENU ITEM(S): Network > Routing > Static Route
PREREQUISITES: Interfaces
PREREQUISITES: (source, destination). These are only used as criteria in exceptions and conditions.
Example: Suppose you want to allow vice president Bob to use BitTorrent and block everyone else from using it.
(or groups) can access what content and at what times. You must have a subscription in order to use the category-based content filtering. You can subscribe using the menu item or one of the wizards.
MENU ITEM(S): Anti-X > Content Filter
PREREQUISITES: Registration, addresses (source), schedules, users, user groups
5 In the Mapped IP field, enter the IP address of the FTP server. The ZyWALL will forward to it the packets received for the original IP address.
6 In Mapping Type, select Port.
7 Enter 21 in both the Original Port and the Mapped Port fields.
Use Host Name to configure the system and domain name for the ZyWALL.
Use Date/Time to configure the current date, time, and time zone in the ZyWALL.
Use Console Speed to set the console speed.
Use Language to select a language for the Web Configurator screens.
Use these screens to register your ZyWALL and subscribe to services like anti-virus, IDP and application patrol, more SSL VPN tunnels, and content filtering. You must have Internet access to myZyXEL.com.
MENU ITEM(S): Licensing > Registration
PREREQUISITES: Internet access to myZyXEL.com
MENU ITEM(S): Maintenance > Log, Report
5.6.6 Diagnostics
The ZyWALL can generate a file containing the ZyWALL’s configuration and diagnostic information.
MENU ITEM(S): Maintenance > Diagnostics
• This example uses a limited number of DMZ servers that need full wire speed communication with each other, so ports P4 and P5 are combined into a ge4 interface port group. It uses IP address 192.168.2.1.
Figure 45 Ethernet Interface, Port Grouping, and Zone Configuration Example
Here is how to combine physical ports P4 and P5 into the ge4 interface port group.
1 Click Network > Interface > Port Grouping.
2 Drag physical port 5 onto representative interface ge4, as shown next.
Internet connection (100 Mbps) while ge2 and ge3 have just 1 Mbps each. You want the ZyWALL to use ge7 for most Internet traffic and only use interfaces ge2 and ge3 for any traffic that exceeds what ge7 can handle.
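What the spillover behaviour described above amounts to, as an added example (not ZyXEL code and not the ZyWALL’s own scheduler): members are tried in priority order and a new session goes to the first one whose configured bandwidth still has room. The per-session bandwidth figures, the demo scenario and the rule that sends traffic to the last member when every member is full are assumptions made for this example; the guide does not describe the ZyWALL’s accounting.

```python
"""Spillover trunk member selection.

Added example, not ZyXEL code. Models the WAN_TRUNK scenario: ge7 carries
traffic until its 100 Mbps is used, then new sessions spill to ge2, then
ge3 (1 Mbps each). Bandwidth per session and the 'all full -> last member'
rule are assumptions for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Member:
    name: str
    limit_kbps: int      # spillover threshold for this interface
    load_kbps: int = 0   # bandwidth currently assigned to it


@dataclass
class SpilloverTrunk:
    members: list                      # Member objects in priority order
    sessions: dict = field(default_factory=dict)  # session id -> (member, kbps)

    def _by_name(self, name: str) -> Member:
        return next(m for m in self.members if m.name == name)

    def assign(self, session_id: str, kbps: int) -> str:
        """Place a new session on the first member with headroom."""
        for member in self.members:
            if member.load_kbps + kbps <= member.limit_kbps:
                chosen = member
                break
        else:
            chosen = self.members[-1]  # assumption: overflow lands on the last member
        chosen.load_kbps += kbps
        self.sessions[session_id] = (chosen.name, kbps)
        return chosen.name

    def release(self, session_id: str) -> None:
        """Session ended: give its bandwidth back so later sessions can use ge7 again."""
        name, kbps = self.sessions.pop(session_id)
        self._by_name(name).load_kbps -= kbps


def demo() -> list:
    """Constructed scenario from the text: ge7 100 Mbps, ge2 and ge3 1 Mbps each."""
    trunk = SpilloverTrunk([Member("ge7", 100_000), Member("ge2", 1_000), Member("ge3", 1_000)])
    placed = [
        trunk.assign("s1", 60_000),  # fits on ge7
        trunk.assign("s2", 40_000),  # fills ge7 exactly
        trunk.assign("s3", 800),     # ge7 full, spills to ge2
        trunk.assign("s4", 800),     # ge2 would exceed 1 Mbps, spills to ge3
    ]
    trunk.release("s1")              # 60 Mbps freed on ge7
    placed.append(trunk.assign("s5", 5_000))  # back on the primary link
    return placed
```

The point the scenario makes is that spillover is not round-robin: as long as ge7 has headroom, the 1 Mbps links carry nothing, and a session only lands on them while ge7 is saturated.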
1 Click Network > Interface > Trunk. Click WAN_TRUNK’s Edit icon.
2 In the Load Balancing Algorithm field, select Spillover. After the screen refreshes, click the Add icon at the top of the right-hand column.
Figure 53 Network > Interface > Trunk > WAN_TRUNK > Edit > Add
4 Click OK.
Figure 54 Network > Interface > Trunk > WAN_TRUNK > Edit (Done)
6.3 How to Set Up an IPSec VPN Tunnel
This example shows how to create the following VPN tunnel.
2 Give the VPN gateway a name (“VPN_GW_EXAMPLE”). For My Address, select Interface and ge7. For the Peer Gateway Address, select Static Address and enter 2.2.2.2 in field 1. For Authentication, select Pre-Shared Key and enter 12345678 (an example value only; on a production tunnel use a long random key, since the pre-shared key is all that authenticates the peer). Click OK.
3 Click VPN > IPSec VPN > VPN Connection. Click the Add icon.
4 Give the VPN connection a name (“VPN_CONN_EXAMPLE”). Under VPN Gateway select Site-to-site and the VPN gateway (VPN_GW_EXAMPLE). Under Policy, select LAN_SUBNET for the local network and VPN_REMOTE_SUBNET for the remote. Click OK.
1 Click Network > Routing > Policy Route. You want this policy route to have higher priority than the default policy route for the trunk, so click the Add icon at the top of the column, not the one next to the existing policy route.
To trigger the VPN, either try to connect to a device on the peer IPSec router’s LAN or click VPN > IPSec VPN > VPN Connection and use the VPN connection screen’s Connect icon.
1 Click Object > User/Group > User. Click the Add icon.
2 Enter the same user name that is used in the RADIUS server, and set the User Type to Ext-User because this user account is authenticated by an external server. Click OK.
Finally, force users to log in to the ZyWALL before it routes traffic for them.
1 Click Object > AAA Server > RADIUS > Default. Configure the RADIUS server, and click Apply.
ZyWALL routes traffic for them. Select Enable. Then, select force in the Authentication field. Keep the rest of the default settings, and click OK. The users will have to log in using the Web Configurator login screen before they can use HTTP or MSN.
1 Click AppPatrol. If application patrol and bandwidth management are not enabled, enable them, and click Apply.
Figure 67 AppPatrol > General
2 Click the Common tab and then the Edit icon next to the default http service.
Inbound and Outbound fields. Click OK. Repeat this process to add exceptions for all the other user groups that are allowed to browse the web.
1 Click Firewall. In From Zone, select LAN; in To Zone, select DMZ and click Refresh. The default rule for LAN-to-DMZ traffic allows all traffic. You want to limit access to specific groups, so change the default rule first. Click the Add icon next to it.
4 Select one of the user groups that is allowed to access the DMZ, and click OK.
Figure 75 Firewall > Add
5 Repeat this process to set up firewall rules for the other user groups that are allowed to access the DMZ.
This example configures service control to block administrator HTTPS access from all zones except the LAN. Service control rules are checked in order from the top of the list, so the LAN Accept rule must sit above the Deny rule for ALL zones; in the other order every administrator, including those on the LAN, is locked out.
1 Click System > WWW.
2 In HTTPS Admin Service Control, click the Add icon.
Figure 76 System > WWW
3 In the Zone field select LAN and click OK.
Figure 78 System > WWW (First Example Admin Service Rule Configured)
5 In the Zone field select ALL and set the Action to Deny. Click OK.
Figure 79 System > WWW > Service Control Rule Edit
6 Click Apply.
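First-match evaluation of the two-rule table built above, as an added example (not ZyXEL code; it models the rule logic, not the ZyWALL’s screen). It shows why the LAN rule must precede the ALL rule, and adds a lockout check you can run before applying a table. The optional source-address field, the 192.168.1.0/24 management network and the default action when nothing matches are assumptions for this example; the explicit Deny for ALL makes the default irrelevant in the guide’s configuration.

```python
"""First-match evaluation of HTTPS Admin Service Control rules.

Added example, not ZyXEL code. Rule 1 accepts zone LAN, rule 2 denies
zone ALL, as in the procedure above. The source-address match and the
default action are assumptions made for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ServiceRule:
    zone: str                      # "LAN", "WAN", "DMZ" or "ALL"
    action: str                    # "Accept" or "Deny"
    address: Optional[str] = None  # optional source network, e.g. "192.168.1.0/24"


def rule_matches(rule: ServiceRule, zone: str, src_ip: str) -> bool:
    if rule.zone != "ALL" and rule.zone != zone:
        return False
    if rule.address is not None and \
            ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.address):
        return False
    return True


def evaluate(rules, zone: str, src_ip: str, default: str = "Accept") -> str:
    """Walk the table top-down and return the first matching rule's action."""
    for rule in rules:
        if rule_matches(rule, zone, src_ip):
            return rule.action
    return default  # assumption: what happens when no rule matches


# The table the procedure builds, and the same two rules in the wrong order.
GOOD = [ServiceRule("LAN", "Accept"), ServiceRule("ALL", "Deny")]
REVERSED = [ServiceRule("ALL", "Deny"), ServiceRule("LAN", "Accept")]


def lockout_check(rules, admin_zone: str = "LAN", admin_ip: str = "192.168.1.33") -> bool:
    """Run before clicking Apply: True if the administrator's own session survives the table."""
    return evaluate(rules, admin_zone, admin_ip) == "Accept"
```

Tightening the Accept rule to a management subnet (the `address` field) is the natural next step: a laptop plugged into any LAN port should not automatically be able to reach the administrator login page.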
(port forwarding) and firewall rules to have the ZyWALL forward H.323 traffic destined for ge2 IP address 10.0.0.8 to a H.323 device located on the LAN and using IP address 192.168.1.56.
Figure 81 WAN to LAN H.323 Peer-to-peer Calls Example (LAN device 192.168.1.56, ge2 address 10.0.0.8)
1 Use Object > Address > Add to create address objects for the private and public IP addresses (WAN_IP-for-H323 and LAN_H323) as shown next.
Figure 83 Create Address Objects
2 Click Network > Virtual Server > Add.
3 Configure the screen as follows and click OK.
Figure 85 Firewall: WAN to LAN
3 Configure the screen as follows and click OK. LAN_H323 is the destination because the ZyWALL applies the virtual server to traffic before applying the firewall rule.
Each ZyWALL’s ge1 interface also has a separate management IP address that stays the same whether the ZyWALL functions as the master or a backup. ZyWALL A’s management IP address is 192.168.1.3 and ZyWALL B’s is 192.168.1.5.
3 Set the Device Role to Master. This example focuses on the connection from the LAN (ge1) to the Internet through the ge2 interface, so turn on monitoring for the ge1 and ge2 interfaces. Enter a Synchronization Password (“mySyncPassword” in this example) and click Apply.
2 In ZyWALL B click Device HA > Active-Passive Mode. Click ge1’s Edit icon.
3 Configure 192.168.1.5 as the Management IP and 255.255.255.0 as the Subnet Mask. Click OK.
“mySyncPassword”. Select Auto Synchronize and set the Interval to 60. Click Apply.
Figure 93 Device HA > Active-Passive Mode: Backup ZyWALL Example
5 Click the General tab. Turn on device HA and click Apply.
Internet (the WAN zone). You will use a public IP address of 1.1.1.2 on the ge3 interface and map it to the HTTP server’s private IP address of 192.168.3.7.
Figure 95 Public Server Example Network Topology (HTTP server 192.168.3.7, public address 1.1.1.2)
• Select Add corresponding Policy Route rule for NAT Loopback to allow local users to use a domain name to access the HTTP server. See NAT Loopback Example on page 291 for details.
Now the public can go to IP address 1.1.1.2 to access the HTTP server. If a domain name is registered for IP address 1.1.1.2, users can just go to the domain name to access the web server.
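The ordering the H.323 and public-server examples both rely on (virtual server first, firewall rule second, which is why the firewall rule names the private address) together with the stateful behaviour described in Chapter 2, as an added example. This is not ZyXEL code and does not reproduce the ZyWALL’s packet path; zone membership by address prefix, the 5-tuple session key and the deny fallback for zone pairs without a rule are assumptions made for this example. It uses the public-server addresses (1.1.1.2 mapped to 192.168.3.7); the H.323 case (10.0.0.8 to 192.168.1.56) is the same mechanism with different values.

```python
"""Virtual server (DNAT) applied before the firewall, with stateful sessions.

Added example, not ZyXEL code. Public address 1.1.1.2 on ge3 is mapped to
the HTTP server 192.168.3.7 in the DMZ. Zone membership by prefix, the
5-tuple session key and the deny fallback are assumptions for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ZONES = {"192.168.1.0/24": "LAN", "192.168.3.0/24": "DMZ"}  # anything else is WAN
VIRTUAL_SERVERS = {("1.1.1.2", 80): ("192.168.3.7", 80)}     # (public ip, port) -> (private ip, port)

# Firewall rules, checked top-down: (from zone, to zone, dst ip or None, dst port or None, action)
RULES_CORRECT = [
    ("WAN", "DMZ", "192.168.3.7", 80, "allow"),  # private address, as the guide requires
    ("WAN", "DMZ", None, None, "deny"),
]
RULES_WRONG = [
    ("WAN", "DMZ", "1.1.1.2", 80, "allow"),      # public address: never matches post-NAT traffic
    ("WAN", "DMZ", None, None, "deny"),
]


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, zone in ZONES.items():
        if addr in ipaddress.ip_network(net):
            return zone
    return "WAN"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Gateway:
    def __init__(self, rules=RULES_CORRECT):
        self.rules = rules
        # established sessions keyed on the post-NAT 5-tuple (protocol omitted);
        # the value remembers the public address to restore on replies
        self.sessions: dict = {}

    def _rule_action(self, pkt: Packet) -> str:
        pair = (zone_of(pkt.src), zone_of(pkt.dst))
        for from_zone, to_zone, dst_ip, dst_port, action in self.rules:
            if (from_zone, to_zone) != pair:
                continue
            if dst_ip is not None and dst_ip != pkt.dst:
                continue
            if dst_port is not None and dst_port != pkt.dport:
                continue
            return action
        return "deny"  # assumption: no rule for this zone pair means drop

    def process(self, pkt: Packet):
        """Return (action, packet as it would leave the gateway)."""
        # 1. Virtual server: rewrite the destination before anything else looks at it.
        public: Optional[tuple] = None
        mapped = VIRTUAL_SERVERS.get((pkt.dst, pkt.dport))
        if mapped:
            public = (pkt.dst, pkt.dport)
            pkt = Packet(pkt.src, pkt.sport, mapped[0], mapped[1])
        # 2. Stateful check: packets of an established session pass without a rule lookup.
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions:
            return "allow", pkt
        if reverse in self.sessions:
            pub = self.sessions[reverse]
            if pub:  # reply from the server: undo the virtual server on the way out
                pkt = Packet(pub[0], pub[1], pkt.dst, pkt.dport)
            return "allow", pkt
        # 3. New session: the rule table sees the translated (private) destination.
        action = self._rule_action(pkt)
        if action == "allow":
            self.sessions[key] = public
        return action, pkt
```

Running the same inbound packet through `Gateway(RULES_WRONG)` is the mistake the guide warns against: the rule written with the public address never matches, because by the time the firewall sees the packet its destination is already 192.168.3.7.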
The Status screen displays when you log into the ZyWALL or click Status. Use this screen to look at the ZyWALL’s general device information, system status, system resource usage, licensed service status, and interface status. ZyWALL USG 300 User’s Guide...
This field displays the version number and date of the firmware the ZyWALL is Version currently running. Click the icon to open the screen where you can upload firmware. Section 46.3 on page 700. System Resources ZyWALL USG 300 User’s Guide...
Page 153
Click the Disconnect icon to stop a PPPoE/PPTP or auxiliary interface’s connection. Extension Slot This section of the screen displays the status of the extension card slot and the USB ports. Slot This field displays the name of each extension slot. ZyWALL USG 300 User’s Guide...
Page 154
Signature Version: This field displays the version number, date, and time of the current set of signatures the ZyWALL is using. Last Update Time: This field displays the last time the ZyWALL received updated signatures.
This is the name of the virus that the ZyWALL has detected. 7.2.1 The CPU Usage Screen Use this screen to look at a chart of the ZyWALL’s recent CPU usage. To access this screen, click CPU Usage in the Status screen.
Click this to update the information in the window right away. 7.2.2 The Memory Usage Screen Use this screen to look at a chart of the ZyWALL’s recent memory (RAM) usage. To access this screen, click Memory Usage in the Status screen.
Click this to update the information in the window right away. 7.2.3 The Session Usage Screen Use this screen to look at a chart of the ZyWALL’s recent traffic session usage. To access this screen, click Session Usage in the Status screen.
Click this to update the information in the window right away. 7.2.4 The VPN Status Screen Use this screen to look at the VPN tunnels that are currently established. To access this screen, click VPN Status in the Status screen.
Use this screen to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses. To access this screen, click the icon beside DHCP Table in the Status screen. Figure 104 Status > DHCP Table
Click this to update the screen immediately. 7.2.6 The Port Statistics Screen Use this screen to look at packet statistics for each Gigabit Ethernet port. To access this screen, click Port Statistics in the Status screen.
Set Interval: Click this to set the Poll Interval the screen uses. Stop: Click this to stop the window from updating automatically. You can start it again by setting the Poll Interval and clicking Set Interval.
This field displays how long the ZyWALL has been running since it last restarted or was turned on. Refresh Interval: Enter how often you want this window to be automatically updated. Refresh Now: Click this to update the information in the window right away.
This field displays the way the user logged in to the ZyWALL. IP address: This field displays the IP address of the computer used to log in to the ZyWALL. Force Logout: Click this icon to end a user’s session.
ZyWALL’s serial number and LAN MAC address to register it. Refer to the web site’s on-line help for details. To activate a service on a ZyWALL, you need to access myZyXEL.com via that ZyWALL.
8.2 The Registration Screen Use this screen to register your ZyWALL with myZyXEL.com and activate a service, such as content filtering. Click Licensing > Registration in the navigation panel to open the screen as shown next.
Select the check box to activate a trial service subscription. The trial period starts the day you activate the trial. After the trial expires, you can buy an iCard and enter the license key in the Registration Service screen to extend the service.
(if any). You can still select the unchecked trial service(s) to activate it after registration. Use the Service screen to update your service subscription status. Figure 109 Licensing > Registration: Registered Device
(specific to your ZyWALL) and enter the new PIN number to extend the service. Service License Refresh: Click this button to renew service license information (such as the registration status and expiration day).
• Your custom signature configurations are not over-written when you download new signatures. The ZyWALL does not have to reboot when you upload new signatures. 9.2 The Antivirus Update Screen Click Licensing > Update > Anti-Virus to display the following screen.
The time format is the 24 hour clock, so ‘23’ means 11PM for example. Weekly: Select this option to have the ZyWALL check for new signatures once a week on the day and at the time specified.
Older signatures and rules may be removed if they are no longer applicable or have been supplanted by newer ones. Released Date: This field displays the date and time the set was released.
Click this button to return the screen to its last-saved settings. Figure 113 Downloading IDP Signatures Figure 114 Successful IDP Signature Download 9.4 The System Protect Update Screen Click Licensing > Update > System Protect to display the following screen.
The time format is the 24 hour clock, so ‘23’ means 11PM for example. Weekly: Select this option to have the ZyWALL check for new signatures once a week on the day and at the time specified.
Click this button to save your changes to the ZyWALL. Reset: Click this button to return the screen to its last-saved settings. Figure 116 Downloading System Protect Signatures Figure 117 Successful System Protect Signature Download
Ethernet interfaces to tell the ZyWALL where to route packets. You can create virtual Ethernet interfaces, virtual VLAN interfaces, and virtual bridge interfaces. • Use the Trunks screens (Chapter 11 on page 243) to configure load balancing.
• The auxiliary interface, along with an external modem, provides an interface the ZyWALL can use to dial out. This interface can be used as a backup WAN interface, for example. The auxiliary interface controls the AUX port. • Trunks manage load balancing between interfaces.
Chapter 11 on page 243 to configure load balancing using trunks. 10.2 Interface Summary Screen This screen lists all of the ZyWALL’s interfaces and gives packet statistics for them. Click Network > Interface to access this screen.
This field displays the name of each interface. Click + or - in the heading cell to display or hide all virtual interfaces. Click a name’s + or - to display or hide the virtual interfaces on top of that interface.
Page 184
DHCP request to a DHCP server. Click the Connect icon to try to connect the auxiliary interface or a PPPoE/PPTP interface. If the interface cannot use one of these ways to get or to update its IP address, this field displays n/a.
• There is a layer-2 Ethernet switch between physical ports in the port group. This provides wire-speed throughput but no security. • It can increase the bandwidth between the port group and other interfaces. In the example below, you might combine physical ports 3 and 4 into port group ge3.
The Ethernet interface is still displayed in the screen, however, and the existing configuration remains. 10.3.2 Port Grouping Screen Define the relationship between physical ports, port groups, and Ethernet interfaces in the Port Grouping screen. To access this screen, click Network > Interface > Port Grouping.
Click this button to change the port groups to their current configuration (last-saved values). 10.4 Ethernet Summary Screen This screen lists every Ethernet interface and virtual interface created on top of Ethernet interfaces. To access this screen, click Network > Interface.
The Ethernet Edit screen lets you configure IP address assignment, interface parameters, RIP settings, OSPF settings, DHCP settings, and ping check settings. To access this screen, click an Edit icon in the Ethernet Summary screen. (See Section 10.4 on page 187.)
Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the ZyWALL divides it into smaller fragments. Allowed values are 576 - 1500. Usually, this value is 1500.
Page 191
If this field is blank, the Pool Size must also be blank. In this case, the ZyWALL can assign every IP address allowed by the interface’s IP address and subnet mask, except for the first address (network address), last address (broadcast address) and the interface’s IP address.
Page 192
This field is effective when RIP is enabled. Select the RIP direction from the drop-down list box. BiDir - This interface sends and receives routing information. In-Only - This interface receives routing information. Out-Only - This interface sends routing information.
Page 193
It will not change unless you change the setting or upload a different configuration file. Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving.
10.6 The PPP Interfaces Screen Use PPP interfaces (PPPoE/PPTP interfaces) to connect to your ISP so you do not have to install or manage PPPoE or PPTP software on each computer in the network. Figure 125 Example: PPPoE/PPTP Interfaces
Dial-on-Demand PPPoE/PPTP interface. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
This screen lets you configure new or existing PPPoE/PPTP interfaces. To access this screen, click the Edit icon in the PPP Interface screen. The PPP interface Edit > Configuration screen is shown here as an example. Figure 127 Network > Interface > PPP > Add > Configuration
Allowed values are 0 - 1048576. Ingress Bandwidth: This is reserved for future use. Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can receive from the network through the interface. Allowed values are 0 - 1048576.
To change your 3G WAN settings, click Network > Interface > Cellular. Install (or connect) a compatible 3G card to use a cellular connection. See Chapter 52 on page 739 for details.
10.7.1 Cellular Add/Edit Screen To change your 3G settings, click Network > Interface > Cellular > Add (or Edit). In the pop-up window that displays, select the slot that you want to configure. The following screen displays.
Use the drop-down list box to select an authentication protocol for outgoing calls. Options are: None - No authentication for outgoing calls. CHAP - Your ZyWALL accepts CHAP requests only. PAP - Your ZyWALL accepts PAP requests only.
Page 203
Check Period: Enter the number of seconds between connection check attempts. Check Timeout: Enter the number of seconds to wait for a response before the attempt is a failure.
Page 204
3.5G network (respectively). You may want to do this if you want to make sure the interface does not use the GSM network. Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving.
This field is a sequential value, and it is not associated with any interface. Extension Slot: This field displays where the entry’s cellular card is located. Connected Device: This field displays the model name of the cellular card.
Page 206
This displays the strength of the signal. The signal strength mainly depends on the antenna output power and the distance between your ZyWALL and the service provider’s base station. More Info: This field displays other details about the 3G connection.
Security stops unauthorized devices from using the wireless network and can protect the information that is sent in the wireless network. Click Network > Interface > WLAN to open the following screen. See Appendix F on page for more details on wireless LANs.
Set the RTS/CTS equal to or higher than the fragmentation threshold to turn RTS/CTS off. Fragmentation Threshold: This is the threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent.
Security levels, from weakest to strongest: No Security; MAC Address Filtering; WEP Encryption; IEEE 802.1x EAP with RADIUS Server Authentication; WPA-PSK (Wi-Fi Protected Access Pre-Shared Key); WPA (Wi-Fi Protected Access); WPA2-PSK; WPA2. WPA2 or WPA2-PSK security is recommended.
Page 210
Click Network > Interface > WLAN > Add (or Edit) to open the WLAN Edit screen. The screen varies according to the security features you select. It displays as shown next when you set the Security Type to none.
Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network. Interface Parameters: Click Advanced to display more settings. Click Basic to display fewer settings.
Page 213
Second WINS Server: you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using.
Page 214
This field is available if the Authentication is MD5. Type the password for MD5 authentication. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.
The default time interval is 1800 seconds (30 minutes). Alternatively, enter “0” to turn reauthentication off. Note: If a RADIUS server authenticates wireless stations, the reauthentication timer on the RADIUS server has priority.
The ZyWALL’s default configuration also includes an authentication method object named “default” that you can use. You can configure the “default” authentication method object, but its default configuration uses the ZyWALL’s local database for authentication.
(allow association) or block specific devices from accessing the ZyWALL (deny association) based on the devices’ MAC addresses. To display your ZyWALL’s MAC filter settings, click Network > Interface > WLAN > MAC Filter. The screen appears as shown.
To change your ZyWALL’s MAC filter settings, click Network > Interface > WLAN > MAC Filter > Add (or Edit). The screen appears as shown when you click Add. You cannot edit the MAC address if you click Edit.
This displays the MAC address (in XX:XX:XX:XX:XX:XX format) of a connected wireless station. Strength: This displays the strength of the wireless client’s radio signal. The signal strength mainly depends on the antenna output power and the wireless client’s distance from the ZyWALL.
In this example, there are two physical networks and three departments A, B, and C. The physical networks are connected to hubs, and the hubs are connected to the router. Alternatively, you can divide the physical networks into three VLANs.
VLAN interfaces, but it does not route traffic within a VLAN interface. All traffic for each VLAN interface can go through only one Ethernet interface, though each Ethernet interface can have one or more VLAN interfaces.
To remove an interface, click the Remove icon next to it. The ZyWALL confirms you want to remove it before doing so. To activate or deactivate an interface, click the Active icon next to it. Make sure you click Apply to save and apply the change.
VLAN interface. To access this screen, click the Add icon at the top of the Add column or click an Edit icon next to a VLAN interface in the VLAN Summary screen. The following screen appears.
Each field is explained in the following table. Table 67 Network > Interface > VLAN > Edit. General Settings. Enable Interface: Select this to turn this interface on. Clear this to disable this interface. Interface Properties
Page 226
ZyWALL stops routing to the gateway. The ZyWALL resumes routing to the gateway the first time the gateway passes the connectivity check.
Page 227
If this field is blank, the IP Pool Start Address must also be blank. In this case, the ZyWALL can assign every IP address allowed by the interface’s IP address and subnet mask, except for the first address (network address), last address (broadcast address) and the interface’s IP address.
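The pool rule stated for the Ethernet DHCP settings above and repeated here for VLAN interfaces is easy to get wrong when a pool is typed in by hand. The following Python is an added example, not code from the guide or from ZyXEL: it derives the assignable addresses from an interface address and mask with the standard ipaddress module, and validates an explicit start address and pool size against the same reserved addresses. The function names and the sample interface values are mine; 192.168.1.1/24 is the guide's default LAN address.

```python
import ipaddress


def assignable_pool(interface_ip, subnet_mask):
    """Addresses a DHCP server on this interface may hand out when no
    IP Pool Start Address / Pool Size is configured: every address in
    the subnet except the network address, the broadcast address and
    the interface's own address."""
    iface = ipaddress.IPv4Interface(f"{interface_ip}/{subnet_mask}")
    net = iface.network
    reserved = {net.network_address, net.broadcast_address, iface.ip}
    return [str(a) for a in net if a not in reserved]


def explicit_pool(start, size, interface_ip, subnet_mask):
    """Pool defined by a start address and a size. Raises ValueError if the
    pool leaves the interface's subnet or overlaps a reserved address,
    which is the kind of misconfiguration worth catching before Apply."""
    if size < 1:
        raise ValueError("pool size must be at least 1")
    iface = ipaddress.IPv4Interface(f"{interface_ip}/{subnet_mask}")
    net = iface.network
    first = ipaddress.IPv4Address(start)
    last = first + (size - 1)
    if first not in net or last not in net:
        raise ValueError(f"pool {first}-{last} is not inside {net}")
    reserved = {net.network_address, net.broadcast_address, iface.ip}
    pool = [first + i for i in range(size)]
    clash = [str(a) for a in pool if a in reserved]
    if clash:
        raise ValueError(f"pool overlaps reserved address(es): {clash}")
    return [str(a) for a in pool]


def pool_is_valid(start, size, interface_ip, subnet_mask):
    """True if explicit_pool() would accept this configuration."""
    try:
        explicit_pool(start, size, interface_ip, subnet_mask)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed values: the default LAN interface 192.168.1.1/24.
    print(len(assignable_pool("192.168.1.1", "255.255.255.0")))   # 253
    print(explicit_pool("192.168.1.33", 5, "192.168.1.1", "255.255.255.0"))
    print(pool_is_valid("192.168.1.250", 10, "192.168.1.1", "255.255.255.0"))  # False
```

A /30 point-to-point subnet leaves exactly one assignable address, which the first function shows directly; the second function rejects a pool that runs past the broadcast address or includes the interface address itself.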
Virtual VLAN interfaces recognize and use the same VLAN ID. Otherwise, there is no difference between each type of virtual interface. Network policies (for example, firewall rules) that apply to the underlying interface automatically apply to the virtual interface as well.
Enter the IP address of the gateway. The ZyWALL sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface.
MAC address is located, it sends the packet to that port. If the destination MAC address is not in the table, the bridge broadcasts the packet on every port (except the one on which it was received).
In this example, virtual Ethernet interface ge1:1 is also removed from the routing table when ge1 is added to br0. Virtual interfaces are automatically added to or removed from a bridge interface when the underlying interface is added or removed.
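As an added illustration of the learn-and-flood behaviour described for bridge interfaces above (not code from the guide or from ZyXEL), here is a small Python model of a transparent bridge. Port names and MAC addresses are constructed (the MACs are from the IANA documentation range). The model also makes visible why the port grouping section notes that a layer-2 switch between ports gives wire-speed throughput but no security: a frame for a destination the bridge has not yet learned is copied to every other port.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningBridge:
    """Transparent bridge over a set of ports: learns source MAC -> port,
    forwards frames for known unicast destinations out of one port and
    floods everything else to all ports except the ingress port."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}  # MAC address -> port it was last seen on

    def handle_frame(self, in_port, src_mac, dst_mac):
        """Return the list of ports the frame is sent out of."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        # Learning: remember where the sender lives. A host that moves to
        # another port simply overwrites its entry with the new port.
        self.table[src_mac] = in_port
        if dst_mac != BROADCAST and dst_mac in self.table:
            out_port = self.table[dst_mac]
            # Destination is on the ingress segment: nothing to forward.
            return [] if out_port == in_port else [out_port]
        # Unknown unicast or broadcast: flood to every other port.
        return [p for p in self.ports if p != in_port]


def demo():
    """Constructed sequence of frames on a three-port bridge; returns the
    forwarding decision for each frame so the learning effect is visible."""
    br = LearningBridge(["ge1", "ge2", "ge3"])
    frames = [
        ("ge1", "00:00:5e:00:53:01", "00:00:5e:00:53:02"),  # A -> B, B unknown: flood
        ("ge2", "00:00:5e:00:53:02", "00:00:5e:00:53:01"),  # B -> A, A known: ge1 only
        ("ge1", "00:00:5e:00:53:01", "00:00:5e:00:53:02"),  # A -> B, B now known: ge2 only
        ("ge3", "00:00:5e:00:53:03", BROADCAST),            # broadcast: flood
        ("ge2", "00:00:5e:00:53:02", "00:00:5e:00:53:04"),  # unknown destination: flood
    ]
    return [br.handle_frame(*f) for f in frames]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The first frame reaches every port because nothing has been learned yet; once both hosts have sent a frame, their traffic is confined to the two ports involved. Everything a bridge has not learned, and every broadcast, still reaches all ports, which is the reason the guide warns that a port group offers no security between its members.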
To access this screen, click the Add icon at the top of the Add column in the Bridge Summary screen, or click an Edit icon in the Bridge Summary screen. The following screen appears.
Configure WAN TRUNK: Click WAN TRUNK to go to a screen where you can configure the interface as part of a WAN trunk for load balancing. Configure Policy Route: Click Policy Route to go to the screen where you can manually configure a policy route to associate traffic with this interface.
Page 235
From ISP - select the DNS server that another interface received from its DHCP server. ZyWALL - the DHCP clients use the IP address of this interface and the ZyWALL works as a DNS relay.
Page 236
This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check. Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving.
When the ZyWALL hangs up the call, it drops the Data Terminal Ready (DTR) signal and issues the command 10.15.2 Configuring the Auxiliary Interface Use the Auxiliary screen to configure the ZyWALL’s auxiliary interface. Click Network > Interface > Auxiliary to open it.
(+). Use a comma to pause during dialing. Use a plus sign to tell the external modem to make an international call. User Name: Enter the user name required for authentication. Password: Enter the password required for authentication.
In most interfaces, you can enter the IP address and subnet mask manually. In PPPoE/PPTP interfaces, however, the subnet mask is always 255.255.255.255 because it is a point-to-point interface. For these interfaces, you can only enter the IP address.
On the other hand, some communication channels, such as Ethernet over ATM, might not be able to handle large data packets. At the time of writing, the ZyWALL does not support ingress bandwidth management.
• Subnet mask - The interface provides the same subnet mask you specify for the interface. See IP Address Assignment on page 239. • Gateway - The interface provides the same gateway you specify for the interface. See IP Address Assignment on page 239.
Page 242
1 The first one runs on TCP port 1723. It is used to start and manage the second one. 2 The second one uses Generic Routing Encapsulation (GRE, RFC 2890) to transfer information between the computers. PPTP is convenient and easy to use, but you have to make sure that firewalls support both PPTP sessions.
If one interface's connection goes down, the ZyWALL can automatically send its traffic through another interface. You can also use trunks with policy routing to send specific traffic types through the best WAN interface for that type of traffic.
ZyWALL refers to the actual bandwidth provided by the ISP and the measured bandwidth refers to the bandwidth an interface is currently using. In the load balancing section, a session may refer to normal connection-oriented, UDP and SNMP2 traffic.
512K. You can set the ZyWALL to distribute the network traffic between the two interfaces by setting the weight of ge2 and ge3 to 2 and 1 respectively. The ZyWALL assigns the traffic of two sessions to ge2 for every session's traffic assigned to ge3.
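To make the 2:1 weighting above concrete, here is an added Python example; it is not ZyXEL code, and the guide does not specify the exact order in which the ZyWALL hands out sessions, only the ratio. The example derives weights from constructed bandwidth figures (1024 kbps for ge2, 512 kbps for ge3) with the greatest common divisor and then assigns sessions with a smooth weighted round robin, so that over any run the session counts stay in proportion to the weights. It generalises to any number of interfaces, not just the two in the example.

```python
from functools import reduce
from math import gcd


def weights_from_bandwidth(bandwidth_kbps):
    """Reduce ISP bandwidths to the smallest integer weights with the same
    ratio, e.g. {"ge2": 1024, "ge3": 512} -> {"ge2": 2, "ge3": 1}."""
    common = reduce(gcd, bandwidth_kbps.values())
    return {name: bw // common for name, bw in bandwidth_kbps.items()}


def assign_sessions(weights, n_sessions):
    """Smooth weighted round robin: on every new session each interface earns
    its weight in credit, the interface with the most credit takes the session
    and pays the total weight back. Returns one interface name per session,
    in assignment order."""
    total = sum(weights.values())
    credit = {name: 0 for name in weights}
    order = []
    for _ in range(n_sessions):
        for name, w in weights.items():
            credit[name] += w
        chosen = max(credit, key=credit.get)
        credit[chosen] -= total
        order.append(chosen)
    return order


def session_counts(order):
    """Sessions per interface for a schedule produced by assign_sessions()."""
    counts = {}
    for name in order:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed figures: ge2 is a 1 Mbps link, ge3 a 512 kbps link.
    weights = weights_from_bandwidth({"ge2": 1024, "ge3": 512})
    print(weights)                                          # {'ge2': 2, 'ge3': 1}
    print(assign_sessions(weights, 6))                      # ge2, ge3, ge2, ge2, ge3, ge2
    print(session_counts(assign_sessions(weights, 30)))     # {'ge2': 20, 'ge3': 10}
```

Weighted round robin balances session counts, not bytes: a single long download on ge3 still consumes its share of the slower link no matter what the weights say, which is why the guide offers the least load first and spillover algorithms as alternatives.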
11.2 The Trunk Summary Screen Click Network > Interface > Trunk to open the Trunk screen. This screen lists the configured trunks and the load balancing algorithm that each is configured to use.
Reset: Click this button to return the screen to its last-saved settings. 11.3 Configuring a Trunk Click Network > Interface > Trunk and then the Add (or Edit) icon to open the Trunk Edit screen.
Egress Bandwidth: This field displays with the least load first or spillover load balancing algorithm. It displays the maximum number of kilobits of data the ZyWALL is to send out through the interface per second.
The next queue is given an equal amount of bandwidth, and then moves to the end of the list; and so on, depending on the number of queues being used. This works in a looping fashion until a queue is empty.
You can generally just use policy routes. You only need to use static routes if you have a large network with multiple routers where you use RIP or OSPF to propagate routing information to other routers.
Configure static routes if you need to use RIP or OSPF to propagate the routing information to other routers. See Chapter 13 on page 261 for more on RIP and OSPF.
IPPR follows the existing packet filtering facility of RAS in style and in implementation. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 156 Network > Routing > Policy Route
The ordering of your rules is important as they are applied in order of their numbering. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
If the next hop is a dynamic VPN tunnel and you enable Auto Destination Address, the ZyWALL uses the local network of the peer router that initiated an incoming dynamic IPSec tunnel as the destination address of the policy instead of your configuration here.
Page 256
Note: You need to create a firewall rule to allow an incoming service before using a port triggering rule. This is the rule index number.
Click Network > Routing > Static Route to open the Static Route screen. This screen displays the configured static routes. Configure static routes to be able to use RIP or OSPF to propagate the routing information to other routers.
If you need to specify a route to a single host, use a subnet mask of 255.255.255.255 in the subnet mask field to force the network number to be identical to the host ID. Subnet Mask: Enter the IP subnet mask here.
When the ZyWALL receives a new connection (trigger service) from the remote server, the ZyWALL forwards the traffic to the IP address of the client computer that sent the request. In the following example, you configure two services for port triggering:
(as much as they require, if there is enough available bandwidth), and then to lower priority policy routes if there is still bandwidth available. The ZyWALL distributes the available bandwidth equally among policy routes with the same priority level.
RIP versus OSPF. Network size: Small (with up to 15 routers) for RIP; Large for OSPF. Metric: Hop count for RIP; Bandwidth, hop count, throughput, round trip time and reliability for OSPF. Convergence: Slow for RIP; Fast for OSPF. Finding Out More: See Section 13.4 on page 269 for background information on routing protocols.
The key can consist of alphanumeric characters and the underscore, and it can be up to 8 characters long. This field is available if the Authentication is MD5. Type the ID for MD5 authentication. The ID can be between 1 and 255.
IP address. There are several types of areas. • The backbone is the transit area that routes packets between other areas. All other areas are connected to the backbone.
Each type is really just a different role, and it is possible for one router to play multiple roles at one time. • An internal router (IR) only exchanges routing information with other routers in the same area.
In some OSPF AS, it is not possible for an area to be directly connected to the backbone. In this case, you can create a virtual link through an intermediate area to logically connect the area to the backbone. This is illustrated in the following example.
In addition, it provides a summary of OSPF areas, allows you to remove them, and opens the OSPF Add/Edit screen to add or edit them. Click Network > Routing > OSPF to open the following screen. Figure 165 Network > Routing > OSPF
The OSPF Area Add/Edit screen allows you to create a new area or edit an existing one. To access this screen, go to the OSPF summary screen (see Section 13.3 on page 263), and click either the Add icon or an Edit icon.
ABR that is connected to the backbone. This field is a sequential value, and it is not associated with a specific area. Peer Router ID: Type the 32-bit ID (in IP address format) of the other ABR in the virtual link.
It also includes an authentication ID, which can be set to any value between 1 and 255. The ZyWALL only accepts packets if these conditions are satisfied. • The packet’s authentication ID is the same as the authentication ID of the interface that received it.
Page 270
Alternatively, you can override the default in any interface or virtual link by selecting a specific authentication method. Please see the respective interface sections for more information.
Virtual interfaces are automatically assigned to the same zone as the interface on which they run. Figure 167 Example: Zones 14.1.1 What You Can Do in the Zones Screens Use the Zone screens (see Section 14.2 on page 274) to view, add, and edit the ZyWALL’s zones.
14.2 The Zone Screen The Zone screen provides a summary of all zones. In addition, this screen allows you to add, edit, and remove zones. To access this screen, click Network > Zone.
The Zone Add/Edit screen allows you to define a zone or edit an existing one. To access this screen, go to the Zone screen (see Section 14.2 on page 274), and click either the Add icon or an Edit icon. Figure 169 Network > Zone > Edit
Member lists the interfaces that belong to the zone. Select any interfaces that you want to remove from the zone, and click the left arrow button to remove them.
- The IP address comes from the specified interface. auto detected - The DDNS server checks the source IP address of the packets from the ZyWALL for the IP address to use for the domain name. custom - The IP address is static.
The DDNS Add/Edit screen allows you to add a domain name to the ZyWALL or to edit the configuration of an existing domain name. Click Network > DDNS and then an Add or Edit icon to open this screen. Figure 171 Network > DDNS > Add
Select the interface to use for updating the IP address mapped to the domain name. Select Any to let the domain name be used with any interface. Select None to not use a backup address.
15.3 The DDNS Status Screen The DDNS Status screen shows the status of the ZyWALL’s DDNS domain names. Click Network > DDNS > Status to open the following screen. Figure 172 Network > DDNS > Status
Click this to have the ZyWALL update the profile to the DDNS server. The ZyWALL attempts to resolve the IP address for the domain name. Refresh: Click this to update the information displayed in the screen.
16.1.2 What You Need to Know About Virtual Servers Virtual server is also known as port forwarding or port translation. The virtual server changes the destination address of packets. This is also known as Destination NAT (DNAT).
This field displays the new destination IP address for the packet. Protocol: This field displays the service used by the packets for this virtual server. It displays any if there is no restriction on the services.
Type in the name of the virtual server. The name is used to refer to the virtual server. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Page 286
This field is available if Mapping Type is Ports. Enter the end of the range of translated destination ports if this virtual server forwards the packet. The original port range and the mapped port range must be the same size.
1:1 NAT mapping from the public IP address to the server’s private one. The firewall is enabled, so you also need to create a rule to allow traffic in from the WAN zone.
This section sets up a virtual server rule that changes the destination of SMTP traffic coming to IP address 1.1.1.1 at the ZyWALL’s ge3 interface, to the LAN SMTP server’s IP address (192.168.1.21). This is also called Destination NAT (DNAT).
This section sets up a policy route for the traffic coming from the LAN SMTP server to the ZyWALL’s ge1 interface. It changes the source address from 192.168.1.21 to 1.1.1.1. This is also called Source NAT (SNAT). It sends the traffic out through the ge3 interface.
Create a firewall rule to allow access from the WAN zone to the mail server in the LAN zone. Be careful of where you create the rule as firewall rules are ordered in descending priority.
A LAN user computer at IP address 192.168.1.89 queries the domain name (xxx.LAN-SMTP.com in this example) from a public DNS server and gets the SMTP server’s 1-1 NAT mapped public IP address of 1.1.1.1.
IP address 1.1.1.1 and coming in on WAN2 to the SMTP server (IP address 192.168.1.21). In this example the SMTP server also uses port 25, so the Mapped Port is set to 25. Figure 185 Create a Virtual Server
Be careful of where you create the route as routes are ordered in descending priority. This policy route applies source NAT to traffic sent from LAN to the SMTP server. Even if the packets go through the ZyWALL, they only undergo layer 2 switching, not NAT.
1.1.1.1 before sending it to the LAN user’s computer. The source in the return traffic matches the original destination address (1.1.1.1) and the LAN user can use the LAN SMTP server. Figure 189 NAT Loopback Successful
A then forwards the response to the client. Figure 190 HTTP Redirect Example 17.1.1 What You Can Do in the HTTP Redirect Screens Use the HTTP Redirect screens (see Section 17.2 on page 296) to display and edit the HTTP redirect rules. ZyWALL USG 300 User’s Guide...
17.2 The HTTP Redirect Screen To configure redirection of a HTTP request to a proxy server, click Network > HTTP Redirect. This screen displays the summary of the HTTP redirect rules. ZyWALL USG 300 User’s Guide...
Click Network > HTTP Redirect to open the HTTP Redirect screen. Then click the Add or Edit icon to open the HTTP Redirect Edit screen where you can configure the rule. Figure 192 Network > HTTP Redirect > Edit ZyWALL USG 300 User’s Guide...
Enter the IP address of the proxy server. Port Enter the port number that the proxy server uses. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. ZyWALL USG 300 User’s Guide...
The ZyWALL only needs to use the ALG feature for traffic that goes through the ZyWALL’s NAT. 18.1.1 What You Can Do in the ALG Screen Use the ALG screen (Section 18.2 on page 302) to set up SIP, H.323, and FTP ALG settings. ZyWALL USG 300 User’s Guide...
• The SIP ALG supports peer-to-peer SIP calls. The firewall (by default) allows peer to peer calls from the LAN zone to go to the WAN zone and blocks peer to peer calls from the WAN zone to the LAN zone. ZyWALL USG 300 User’s Guide...
LAN or DMZ IP addresses go out through the same WAN IP address that calls come in on. The policy routing lets the ZyWALL correctly forward the return traffic for the calls initiated from the LAN IP addresses. ZyWALL USG 300 User’s Guide...
SIP ALG time outs. If the ZyWALL provides an ALG for a service, you must enable the ALG in order to perform bandwidth management on that service’s traffic. ZyWALL USG 300 User’s Guide...
ZyWALL. Enabling the H.323 ALG allows you to use bandwidth management on H.323 traffic. H.323 Signaling If you are using a custom TCP port number (not 1720) for H.323 traffic, enter it here. Port ZyWALL USG 300 User’s Guide...
(that was set to passive) in order to have the connection go through the second interface. VoIP clients usually re-register automatically at set intervals or the users can manually force them to re-register. ZyWALL USG 300 User’s Guide...
Page 305
When you make a VoIP call using H.323 or SIP, the RTP (Real-time Transport Protocol) is used to handle voice data transfer. See RFC 1889 for details on RTP.
ZyWALL does not apply IP/MAC binding. • The Monitor screen (Section 19.4 on page 311) lists the devices that have received an IP address from ZyWALL interfaces with IP/MAC binding enabled.
Apply to save and apply the change. Click the Edit icon to go to the screen where you can edit an interface’s IP/MAC binding settings. Apply: Click Apply to save your changes back to the ZyWALL.
Click the Remove icon to delete an entry. A window displays asking you to confirm that you want to delete it. Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving.
Click Network > IP/MAC Binding > Exempt List to open the IP/MAC Binding Exempt List screen. Use this screen to configure ranges of IP addresses to which the ZyWALL does not apply IP/MAC binding. Figure 202 Network > IP/MAC Binding > Exempt List
This field displays the MAC address to which the IP address is currently assigned. Last Access: This is when the device last established a session with the ZyWALL through this interface. Refresh: Click this button to update the information in the screen.
322) to enable or disable the firewall and asymmetrical routes, and manage and configure firewall rules. • Use the Session Limit screens (see Section 20.3 on page 327) to limit the number of concurrent NAT/firewall sessions a client can use.
Traffic from the DMZ to the ZyWALL is allowed. To-ZyWALL Rules: Rules with ZyWALL as the To Zone apply to traffic going to the ZyWALL itself. By default: • The firewall allows only LAN computers to access or manage the ZyWALL.
Page 317
VPN tunnel to a new zone (the VPN zone, for example), you can configure rules for VPN traffic between the VPN zone and other zones, or From VPN To-ZyWALL rules for VPN traffic destined for the ZyWALL.
• The first row blocks LAN access to the IRC service on the WAN. • The second row is the firewall’s default policy that allows all traffic from the LAN to go to the WAN.
• The second row blocks LAN access to the IRC service on the WAN. • The third row is the firewall’s default policy of allowing all traffic from the LAN to go to the WAN.
IP addresses 192.168.1.10 through 192.168.1.15 (Dest_1) on the LAN. 1 Click Firewall. Click the Add icon in the heading row to configure a new first entry. Remember the sequence (priority) of the rules is important since they are applied in order.
5 The screen for configuring a service object opens. Configure it as follows and click OK. Figure 209 Firewall Example: Create a Service Object 6 Select From WAN and To LAN. 7 Enter the name of the firewall rule.
If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL’s LAN IP address, return traffic may not go through the ZyWALL. This is called an asymmetrical or “triangle” route. This causes the ZyWALL to reset the connection, as the connection has not been acknowledged.
LAN IP address as the destination. See Section 6.6 on page 141 for an example. • The ordering of your rules is very important as rules are applied in sequence.
Note: Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL. A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets.
Page 325
TCP reset packet to the sender (reject) or permits the passage of packets (allow). This field shows you whether a log (and alert) is created when packets match this rule or not.
VPN tunnels. ZyWALL means packets destined for the ZyWALL itself. Description: Enter a descriptive name of up to 60 printable ASCII characters for the firewall rule. Spaces are allowed.
NAT/firewall sessions a client can use. You can apply a default limit for all users and individual limits for specific users, addresses, or both. The individual limit takes priority if you apply both.
The ordering of your rules is important as they are applied in order of their numbering. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
For this rule’s users and addresses, this setting overrides the Default Session per Host setting in the general Firewall Session Limit screen. Click OK to save your customized settings and exit this screen. Cancel: Click Cancel to exit this screen without saving.
338) to manage the ZyWALL’s VPN gateways. A VPN gateway specifies the IPSec routers at either end of a VPN tunnel and the IKE SA settings (phase 1 settings). You can also activate and deactivate each VPN gateway.
Between routers X and Y, the data is protected by tunneling, encryption, authentication, and other security features of the IPSec SA. The IPSec SA is secure because routers X and Y established the IKE SA first.
21.1.3 Before You Begin This section briefly explains the relationship between VPN tunnels and other features. It also gives some basic suggestions for troubleshooting. You should set up the following features before you set up the VPN tunnel.
The VPN wizard automatically creates a corresponding policy route. If you create the VPN connection in the VPN > IPSec VPN screens, you need to manually create a corresponding policy route. Figure 219 VPN > IPSec VPN > VPN Connection
To connect or disconnect an IPSec SA, click the Connect icon next to the VPN connection. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
336), and click either the Add icon or an Edit icon. If you click the Add icon, you have to select a specific VPN gateway in the VPN Gateway field before the following screen appears.
Selecting this restricts who can use the VPN tunnel. The ZyWALL drops traffic with source and destination IP addresses that do not match the local and remote policy. Phase 2 Settings: Click Advanced to display more settings. Click Basic to display fewer settings.
Page 341
PFS changes the root key that is used to generate encryption keys for each IPSec SA. The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group.
Page 342
Create Object to configure a new one). This is the address object for the local network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT). Inbound Traffic
IKE key management. To access this screen, go to the VPN Connection summary screen (see Section 21.2 on page 336), and click either the Add icon or an existing manual key entry’s Edit icon. In the VPN Gateway section of the screen, select Manual Key.
DESCRIPTION Manual Key My Address: Type the IP address of the ZyWALL in the IPSec SA. 0.0.0.0 is invalid. Secure Gateway Address: Type the IP address of the remote IPSec router in the IPSec SA.
Page 345
The ZyWALL ignores any characters above the minimum number of characters required by the algorithm. For example, if you enter 1234567890XYZ for a DES encryption key, the ZyWALL only uses 12345678. The ZyWALL still stores the longer key.
Type a page number to go to or use the arrows to navigate the pages of entries. This field is a sequential value, and it is not associated with a specific VPN gateway. Name: This field displays the name of the VPN gateway.
The VPN Gateway Add/Edit screen allows you to create a new VPN gateway policy or edit an existing one. To access this screen, go to the VPN Gateway summary screen (see Section 21.3 on page 346), and click either the Add icon or an Edit icon.
If you select Domain Name / IP, enter the domain name or the IP address of the ZyWALL. The IP address of the ZyWALL in the IKE SA is the specified IP address or the IP address corresponding to the domain name. 0.0.0.0 is invalid.
Page 349
E-mail - the ZyWALL is identified by an e-mail address; you can use up to 31 ASCII characters including spaces, although trailing spaces are truncated. This value is only used for identification and can be any string.
Page 350
The ZyWALL and the remote IPSec router must use the same negotiation mode. Proposal: This field is a sequential value, and it is not associated with a specific proposal. The sequence of proposals should not affect performance significantly.
Page 351
Server Mode: Select this if the ZyWALL authenticates the user name and password from the remote IPSec router. You also have to select the authentication method, which specifies how the ZyWALL authenticates this information.
VPN traffic from one spoke, decrypts it, inspects it to find out to which spoke to route it, encrypts it, and sends it to the appropriate spoke. Therefore, a VPN concentrator is more suitable when there is a minimum amount of traffic between spoke routers.
), or dashes (-), but the first character cannot be a number. This value is case-sensitive. This field is a sequential value, and it is not associated with a specific member in the concentrator.
VPN > IPSec VPN > SA Monitor. The following screen appears. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
This field is displayed if the IPSec SA does not use manual keys. Click the Disconnect icon next to an IPSec SA to disconnect it. Refresh: Click Refresh to update the information in the display.
SA. In main mode, this is done in steps 1 and 2, as illustrated next. Figure 229 IKE SA: Main Negotiation Mode, Steps 1 - 2: IKE SA Proposal (one or more proposals, each one consisting of an encryption algorithm, an authentication algorithm and a Diffie-Hellman key group)
The shared secret is then used to generate encryption keys for the IKE SA and IPSec SA. In main mode, this is done in steps 3 and 4, as illustrated next. Figure 230 IKE SA: Main Negotiation Mode, Steps 3 - 4: DH Key Exchange
You have to create (and distribute) a pre-shared key. The ZyWALL and remote IPSec router use it in the authentication process, though it is not actually transmitted or exchanged. The ZyWALL and the remote IPSec router must use the same pre-shared key.
(for example, extended authentication) or if you are troubleshooting a VPN tunnel. Additional Topics for IKE SA This section provides more information about IKE SA. Negotiation Mode: There are two negotiation modes, main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster.
• Configure the NAT router to forward packets with the extra header unchanged. (See the field description for detailed information about the extra header.) The extra header may be UDP port 500 or UDP port 4500, depending on the standard(s) the ZyWALL and remote IPSec router support.
“abc” and ending in “123” matches, no matter how many characters are in between. The whole VPN connection or policy name has to match if you do not use a question mark or asterisk.
Transport mode is only used when the IPSec SA is used for communication between the ZyWALL and remote IPSec router (for example, for remote management), not between computers on the local and remote networks. The ZyWALL and remote IPSec router must use the same encapsulation.
IKE SA was established to generate encryption keys. The DH key exchange is time-consuming and may be unnecessary for data that does not require such security. Additional Topics for IPSec SA This section provides more information about IPSec SA in your ZyWALL.
Page 364
(for example, mail) from the remote network to a specific computer (like the mail server) in the local network. Each kind of translation is explained below. The following example is used to help explain each one.
For example, in Figure 234 on page 365, you can configure this kind of translation if you want to forward mail from the remote network to the mail server in the local network (A).
Page 366
(A). • Mapped Port - the translated destination port or range of destination ports. The original port range and the mapped port range must be the same size.
With reverse proxy mode, remote users can easily access any web-based applications on the local network by clicking on links or entering the provided URL. You do not have to install additional client software on the remote user computers for access. Figure 235 Network Access Mode: Reverse Proxy
VPN connection. You cannot delete an object that is referenced by an SSL access policy. To delete the object, you must first unassociate the object from the SSL access policy.
Click Reset to discard all changes. 22.2.1 The SSL Access Policy Add/Edit Screen To create a new or edit an existing SSL access policy, click the Add or Edit icon in the Access Privilege screen.
>> to add to the Selected User/Group Objects list. You can select more than one name. To remove a user or user group, select the name(s) in the Selected User/Group Objects list and click <<.
Click VPN > SSL VPN in the navigation panel and click the Connection Monitor tab to display the user list. Use this screen to do the following: • View a list of active SSL VPN connections. • Log out individual users and delete related session information.
IP address of the ZyWALL (or a gateway device) on your network for full tunnel mode access, enter access messages or upload a custom logo to be displayed on the remote user screen.
Reset Logo to Default: Click Reset Logo to Default to display the ZyXEL company logo on the remote user’s web browser. Apply: Click Apply to save the changes and/or start the logo file upload process. Reset: Click Reset to start configuring this screen again.
3 Click Login. 4 SSL VPN connection starts. This may take several minutes depending on your network connection. Once the connection is up, you should see the client portal screen. The following shows an example.
If the user account is not set up for SSL VPN access, an “SSL VPN connection is not activated” message displays in the Login screen. Clear the Login to SSL VPN check box and try logging in again. For more information on user portal screens, refer to Chapter 23 on page 377.
Here are the browser and computer system requirements for remote user access. • Windows 2000 and Windows XP • Internet Explorer 5.5 and above (for IE7, JRE 1.6 must be enabled) • Netscape 7.2 and above
1 Open a web browser and enter the web site address or IP address of the ZyWALL. For example, “http://sslvpn.mycompany.com”. Figure 244 Enter the Address in a Web Browser 2 Click OK or Yes if a security screen displays.
If a certificate warning screen displays, click OK, Yes or Continue. Figure 247 Java Needed Message 6 The following status screen displays indicating the progress of the secure SSL VPN connection setup.
Available resource links vary depending on the configuration your network administrator made. 23.3 The SSL VPN User Screens This section describes the main elements in the remote user screens. Figure 249 Remote User Screen
1 Click the Logout icon in any remote user screen. 2 A prompt window displays. Click OK to continue. Figure 251 Logout: Prompt 3 An information screen displays to indicate that the SSL VPN connection is about to terminate.
Microsoft Outlook Web Access (OWA). To access a web-based application, simply click a link in the Application screen to display the web screen in a separate browser window. Figure 253 Application
25.2 The Main File Sharing Screen The first File Sharing screen displays the name(s) of the shared folder(s) available. The following figure shows an example with one file share.
3 If an access user name and password are required, a screen displays as shown in the following figure. Enter the account information and click Login to continue. Figure 255 File Sharing: Enter Access User Name and Password
25.3.2 Saving a File After you have opened a file in a web browser, you can save a copy of the file by clicking File > Save As and following the on-screen instructions.
Make sure the length of the folder name does not exceed the maximum allowed on the file server. Figure 258 File Sharing: Save a Word File 25.5 Renaming a File or Folder To rename a file or folder, click the Rename icon next to the file/folder.
- so be sure you really do not want the item before you click. 25.7 Uploading a File Follow the steps below to upload a file to the file server.
4 After the file is uploaded successfully, you should see the name of the file and a message in the screen. Figure 261 File Sharing: File Upload Uploading a file with the same name and file extension replaces the existing file on the file server. No warning message is displayed.
You must configure an IPSec VPN connection for L2TP VPN to use (see Chapter 21 on page for details). The IPSec VPN connection must: • Be enabled. • Use transport mode. • Not be a manual key VPN connection. • Use Pre-Shared Key authentication.
Finding Out More • See Section 5.4.6 on page 113 for related information on these screens. • See Chapter 27 on page 395 for an example of how to create a basic L2TP VPN tunnel.
Select a user or user group that can use the L2TP VPN tunnel. Select Create Object to configure a new user account (see Section 36.2.1 on page 578 for details). Otherwise, select any to allow any user with a valid account and password on the ZyWALL to log in.
This field displays the public IP address that the remote user is using to connect to the Internet. Action: Click the Disconnect icon next to an L2TP VPN connection to disconnect it. Refresh: Click Refresh to update the information in the display.
• For the Remote Policy, create an address object that uses host type and an IP address of 0.0.0.0. It is named L2TP_HOST in this example. 3 Click the Default_L2TP_VPN_Connection entry’s Enable icon and click Apply to turn on the entry. Figure 270 VPN > IPSec VPN > VPN Connection (Enable)
L2TP-test has been created. • The other fields are left at the defaults in this example; click Apply. 27.5 Configuring the Policy Route for L2TP Example 1 Click Routing > Add to open the following screen.
• For Windows 2000, use net start "ipsec policy agent". 27.6.1 Configuring L2TP in Windows XP In Windows XP do the following to establish an L2TP VPN connection. 1 Click Start > Control Panel > Network Connections > New Connection Wizard.
3 Select Connect to the network at my workplace and click Next. Figure 273 New Connection Wizard: Network Connection Type 4 Select Virtual Private Network connection and click Next. Figure 274 New Connection Wizard: Network Connection 5 Type L2TP to ZyWALL as the Company Name.
Figure 276 New Connection Wizard: Public Network 7 Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN (172.16.1.2 in this example).
11 Select Optional encryption (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK. Figure 280 Connect ZyWALL L2TP: Security > Advanced 12 Click IPSec Settings.
Figure 282 L2TP to ZyWALL Properties > Security > IPSec Settings 14 Click Networking. Select L2TP IPSec VPN as the Type of VPN. Click OK. Figure 283 L2TP to ZyWALL Properties: Networking 15 Enter the user name and password of your ZyWALL account. Click Connect.
L2TP client. 27.6.2.1 Editing the Windows 2000 Registry In Windows 2000, you need to create a registry entry and restart the computer to have it use pre-shared keys.
3 Select HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters. Figure 288 Registry Key 4 Right-click Parameters and select New > DWORD Value. Figure 289 New DWORD Value 5 Enter ProhibitIpSec as the name. And make sure the Data displays as 0’s.
4 Right-click IP Security Policies on Local Machine and click Create IP Security Policy. Click Next in the welcome screen. Figure 294 Create IP Security Policy 5 Name the IP security policy L2TP to ZyWALL, and click Next.
6 Clear the Activate the default response rule check box and click Next. Figure 296 IP Security Policy: Request for Secure Communication 7 Leave the Edit Properties check box selected and click Finish. Figure 297 IP Security Policy: Completing the IP Security Policy Wizard
Figure 298 IP Security Policy Properties > Add 9 Select This rule does not specify a tunnel and click Next. Figure 299 IP Security Policy Properties: Tunnel Endpoint 10 Select All network connections and click Next.
Figure 300 IP Security Policy Properties: Network Type 11 Select Use this string to protect the key exchange (preshared key), type password in the text box, and click Next. Figure 301 IP Security Policy Properties: Authentication Method 12 Click Add.
ZyWALL’s WAN IP address (172.16.1.2 in this example) in the IP Address field. Make certain the Mirrored. Also match packets with the exact opposite source and destination addresses check box is selected and click Apply.
15 Configure the following in the Filter Properties window’s Protocol tab. Set the protocol type to UDP from port 1701. Select To any port. Click Apply, OK, and then Close. Figure 305 Filter Properties: Protocol 16 Select ZyWALL WAN_IP and click Next.
17 Select Require Security and click Next. Then click Finish and Close. Figure 307 IP Security Policy Properties: IP Filter List 18 In the Console window, right-click L2TP to ZyWALL and select Assign. Figure 308 Console: L2TP to ZyWALL Assign
Figure 310 New Connection Wizard: Network Connection Type 3 Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN. Click Next.
Figure 311 New Connection Wizard: Destination Address 172.16.1.2 4 Select For all users and click Next. Figure 312 New Connection Wizard: Connection Availability 5 Name the connection L2TP to ZyWALL and click Finish. Figure 313 New Connection Wizard: Naming the Connection
8 Select Optional encryption allowed (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK. Click Yes if a screen pops up.
Click OK. Figure 317 Connect L2TP to ZyWALL: Networking 10 Enter your user name and password and click Connect. It may take up to one minute to establish the connection and register on the network.
12 Click Details and scroll down to see that the address you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20). Figure 320 L2TP to ZyWALL Status: Details 13 Access a server or other network resource behind the ZyWALL to make sure your access works.
28.1.2 What You Need to Know About Application Patrol If you want to use a service, make sure both the firewall and application patrol allow the service’s packets to go through the ZyWALL.
Page 424
When you allow an application, you can restrict the bandwidth it uses or even the bandwidth that particular features in the application (like voice, video, or file sharing) use. This restriction may be ineffective in certain cases, however, such as using MSN to send files via P2P.
• Outbound traffic is limited to 200 kbps. The connection initiator is on the LAN so outbound means the traffic traveling from the LAN to the WAN. Each of the WAN zone’s two interfaces can send the limit of 200 kbps of traffic.
DMZ to WAN policies for FTP servers A and B. Each server tries to send 1000 kbps, but the WAN is set to a maximum outgoing speed of 1000 kbps. You configure policy A for server A’s traffic and policy B for server B’s traffic.
200 kbps plus 250 kbps for a total of 450 kbps. Table 135 Maximize Bandwidth Usage Effect POLICY CONFIGURED RATE MAX. B. U. PRIORITY ACTUAL RATE 300 kbps 550 kbps 200 kbps 450 kbps
• FTP traffic from the LAN to the DMZ can use more bandwidth since the interfaces support up to 1 Gbps connections, but it must be the lowest priority and limited so it does not interfere with SIP and HTTP traffic.
ZyWALL applies this limit before sending the traffic to LAN or DMZ. • Highest priority (1). Set policies for other applications to lower priorities so the SIP traffic always gets the best treatment. • Enable maximize bandwidth usage so the SIP traffic can borrow unused bandwidth.
• ADSL supports more downstream than upstream so you allow remote users 300 kbps for uploads to the DMZ FTP server (outbound) but only 100 kbps for downloads (inbound). • Third highest priority (3). • Disable maximize bandwidth usage since you do not want to give FTP more bandwidth.
Use this screen to enable and disable application patrol. It also lists the registration status and details about the signature set the ZyWALL is using. You must register for the IDP/AppPatrol signature service (at least the trial) before you can use it.
Registration: This link appears if you have not registered for the service or only have the trial registration. Click this link to go to the screen where you can register for the service. Signature Information: The following fields display information on the current signature set that the ZyWALL is using.
To activate or deactivate patrol for an application, click the Active icon for the corresponding application. Make sure you click Apply to save and apply the change. To edit the settings for an application, click the Edit icon next to the application. The Configuration Edit screen appears.
Service Ports - the ZyWALL identifies this application by looking at the destination port in the IP header. Service Port: This is available if the Classification is Service Ports. You can view and edit the ports used to identify this application.
Page 435
In this case the traffic is automatically treated as being set to the lowest priority (7) regardless of this field’s configuration. This field shows whether the ZyWALL generates a log (log), a log and alert (log alert) or neither (no) when the application’s traffic matches this policy. ZyWALL USG 300 User’s Guide...
Select a schedule that defines when the policy applies or select Create Object to configure a new one (see Chapter 39 on page 601 for details). Otherwise, select none to make the policy always effective. ZyWALL USG 300 User’s Guide...
Page 437
If the sum of the bandwidths for routes using the same next hop is higher than the actual transmission speed, lower priority traffic may not be sent if higher priority traffic uses all of the actual bandwidth. ZyWALL USG 300 User’s Guide...
You can also control the bandwidth used by these other applications.This screen also allows you to add, edit, and remove conditions to this default policy. Click AppPatrol > Other to open the Other (applications) screen. Figure 333 AppPatrol > Other ZyWALL USG 300 User’s Guide...
(7) regardless of this field’s configuration. Select whether to have the ZyWALL generate a log (log), log and alert (log alert) or neither (no) when traffic matches this policy. See Chapter 47 on page 705 more on logs. ZyWALL USG 300 User’s Guide...
Select a schedule that defines when the policy applies or select Create Object to configure a new one (see Chapter 39 on page 601 for details). Otherwise, select any to make the policy always effective. ZyWALL USG 300 User’s Guide...
Page 441
The number in this field is ignored if the incoming and outgoing limits are both set to 0. In this case the traffic is automatically treated as being set to the lowest priority (7) regardless of this field’s configuration. ZyWALL USG 300 User’s Guide...
Click Expand to display individual protocols. Collapse hides them. Statistics for the selected protocols display after you click Apply. 28.5.2 Application Patrol Statistics: Bandwidth Statistics The middle of the AppPatrol > Statistics screen displays a bandwidth usage line graph for the selected protocols. ZyWALL USG 300 User’s Guide...
ZyWALL sends out from the initiator of the connection. • Different colors represent different protocols. 28.5.3 Application Patrol Statistics: Protocol Statistics The bottom of the AppPatrol > Statistics screen displays statistics for each of the selected protocols. ZyWALL USG 300 User’s Guide...
So for a connection initiated from the LAN to the WAN, the traffic sent from the LAN to the WAN is the outbound traffic. Forwarded This is how much of the application’s traffic the ZyWALL has sent (in kilobytes). Data (KB) ZyWALL USG 300 User’s Guide...
Page 445
This is how much of the application’s traffic the ZyWALL has discarded and notified Data (KB) the client that the traffic was rejected (in kilobytes). This traffic was rejected because it matched a policy set to “reject”. ZyWALL USG 300 User’s Guide...
• Use the Black/White List screen (Section 29.3 on page 455) to set up anti-virus black (blocked) and white (allowed) lists of virus file patterns.
• Use the Signature screen (Section 29.6 on page 458) to search signatures and get more information about them.

The un-infected portion of the file before a virus pattern was matched still goes through, so the destination receives a truncated copy of the file rather than nothing at all.
5 If the send alert message function is enabled, the ZyWALL sends an alert to the file's intended destination computer(s).

• You may need to customize the zones (in Network > Zone) used for the anti-virus scanning direction.

29.2 Anti-Virus Summary Screen
Click Anti-X > Anti-Virus to display the configuration screen as shown next.

HTTP applies to traffic using TCP ports 80, 8080 and 3128. SMTP applies to traffic using TCP port 25. POP3 applies to traffic using TCP port 110. IMAP4 applies to traffic using TCP port 143. Traffic on other ports, including the TLS-protected versions of these protocols, is not covered by this scanning.

Click Reset to start configuring this screen again.

29.2.1 Anti-Virus Policy Add or Edit Screen
Click the Add or Edit icon in the Anti-X > Anti-Virus > General screen to display the configuration screen as shown next.

Send Alert Message: Select this check box to have the ZyWALL send a message alert to the files' intended user(s) on Microsoft Windows computers connected to the To interface. Refer to Appendix C on page 807 if your Windows computer does not display the alert messages.

Use the Black List screen to set up the anti-virus black (blocked) list of virus file patterns. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order.

• For a black list entry, enter a file pattern that should cause the ZyWALL to log and delete a file.
• For a white list entry, enter a file pattern that should cause the ZyWALL to allow a file.

Use the Black/White List screen to set up anti-virus black (blocked) and white (allowed) lists of virus file patterns. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order.

Click No to continue if Internet Explorer warns about a script running slowly. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order.

Click a signature's name to see details about the virus.
ID: This is the identification number of the anti-virus signature. Click the ID column header to sort your search results in ascending or descending order according to the ID.

A host-based anti-virus (HAV) scanner is usually software installed on the computers and/or servers in the network. It inspects files for virus patterns as they are moved on to and off the hard drive. However, host-based anti-virus scanners cannot eliminate all viruses for a number of reasons:

• NAV (network-based anti-virus) scanners stop virus threats at the network edge before they enter or exit a network.
• NAV scanners reduce the computing load on computers, as the real-time inspection of data traffic is done on a dedicated security device.
You can apply IDP profiles to traffic flowing from one zone to another. For example, apply the default LAN_IDP profile to any traffic going to the LAN zone in order to protect your LAN computers.

You must register in order to use packet inspection signatures. See the Registration screens. If you try to enable IDP when the IDP service has not yet been registered, a warning screen displays and IDP is not enabled.

From WAN To WAN means packets that come in from the WAN zone and that the ZyWALL routes back out through the WAN zone.
IDP Profile: This field shows which IDP profile is bound to which traffic direction. Click the popup icon to change to a different profile.

30.2.1 Configuring IDP Policies
Click Anti-X > IDP > General and then an Add or Edit icon to display the following screen. Use this screen to apply an IDP profile to traffic flowing from one zone to another.

30.3.1 Base Profiles
The ZyWALL comes with several base profiles. You use base profiles to create new profiles. In the Anti-X > IDP > Profile screen, click the Add icon to display the following screen.

• Add a new profile
• Edit an existing profile
• Delete an existing profile
Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order.

(page 468) and then click OK to go to the profile details screen. If Internet Explorer opens a warning screen about a script making Internet Explorer run slowly and the computer possibly becoming unresponsive, just click No to continue.

Select Anti-X > IDP > Profile and then add a new profile or edit an existing one. Packet inspection signatures examine the contents of a packet for malicious data. They operate at layer 4 to layer 7.

30.6.1 Profile > Group View Screen

log: Select this option to have the ZyWALL create a log when a packet matches a signature.
log alert: An alert is an e-mailed log for more serious events that may need more immediate attention. Select this option to have the ZyWALL send an alert when a packet matches a signature.

After you enter a chat (or chat room), any room member can type a message that will appear on the monitors of all the other participants.
SPAM: Spam is unsolicited "junk" e-mail sent to large numbers of people to promote products or services.

An IDP service group is a set of related packet inspection signatures.
Table 158 IDP Service Groups
WEB_PHP, WEB_MISC, WEB_IIS, WEB_FRONTPAGE, WEB_CGI, WEB_ATTACKS, TFTP, TELNET, SNMP, SMTP, RSERVICES, POP3, POP2, ORACLE, NNTP, NETBIOS, MYSQL, MISC_EXPLOIT, MISC_DDOS, MISC_BACKDOOR, MISC

In the query view screen, you can search for signatures by criteria such as name, ID, severity, attack type, vulnerable attack platforms, service category, log options or actions.

Hold down the [Ctrl] key if you want to make multiple selections.
Activation: Search for enabled and/or disabled signatures here.
Log: Search for signatures by log option here. See Table 156 on page 472 for option details.

This example shows a search with these criteria:
• Severity: severe and high
• Attack Type: DDoS
• Platform: Windows 2000 and Windows XP computers
• Service: Any
• Actions: Any
Figure 352 Query Example Search Criteria

You need some knowledge of packet headers and attack types to create your own custom signatures.

30.7.1 IP Packet Header
These are the fields in an Internet Protocol (IP) version 4 packet header.
IP network.
Source IP Address: This is the IP address of the original sender of the packet.
Destination IP Address: This is the IP address of the final destination of the packet.

If a packet matches a rule for reject-receiver and it also matches a rule for reject-sender, then the ZyWALL will reject-both.
Figure 355 Anti-X > IDP > Custom Signatures

The more specific a signature is (including packet contents), the fewer false positives it will trigger. Try to write signatures that target a vulnerability, for example a certain type of traffic on certain operating systems, instead of a specific exploit.

Some intrusions can be identified by the number in this field. Select the check box, select Equal, Smaller or Greater and then type in a number.

ICMP fields when they communicate.
Payload Options: The longer a payload option is, the more exact the match and the faster the signature processing. Therefore, if possible, it is recommended to have at least one payload option in your signature.

As an example, say you want to create a signature for the 'Microsoft Windows Plug-and-Play Service Remote Overflow (MS05-039)' attack. Search the SecurityFocus web site and you will find it uses the NetBIOS service in established TCP connections to a server using port 445.

Figure 359 Custom Signature Example Patterns 3 and 4
The final custom signature should look as shown in the following figure. If the attack occurs, check the logs for a log of your custom signature. This indicates the signature works correctly.

The Note column displays ACCESS FORWARD when no action is configured for the signature. It displays ACCESS DENIED if you configure the signature action to drop the packet. The destination port is the service port (NetBIOS in this case) that the attack tries to exploit.

The text up to the first parenthesis is the rule header and the section enclosed in parentheses contains the rule options. The words before the colons in the rule options section are the option keywords.

Custom signature field / Snort rule option:
Sequence Number: icmp_seq
Payload Options (Snort rule options)
Payload Size: dsize
Offset (relative to start of payload): offset
Relative to end of last match: distance
Content: content
Case-insensitive: nocase
Decode as URI: uricontent

Chapter 30 IDP
Not all Snort functionality is supported in the ZyWALL.
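To make the header/options split and the payload keywords from the table above concrete, here is an added example (written for this page, not code from the guide, ZyXEL or the Snort project) that parses a Snort-style rule and evaluates its payload options against raw bytes. The rule and payloads are constructed: the port-445 header follows the MS05-039 discussion above, but the content strings are placeholders, not the real exploit pattern. Only the keywords in the table are implemented (dsize, content, nocase, offset, distance; uricontent is treated as plain content with no URI decoding, an assumption), and flow: is parsed but ignored because only a stateful engine can evaluate it.

```python
def parse_rule(rule_text):
    """Split a Snort-style rule into header fields and an ordered option list.
    Text before '(' is the header; 'key:value;' items inside the parentheses are options."""
    head, _, opts = rule_text.partition("(")
    action, proto, src, sport, _arrow, dst, dport = head.split()
    options = []
    for raw in opts.rstrip().rstrip(")").split(";"):
        raw = raw.strip()
        if raw:
            key, _, val = raw.partition(":")
            options.append((key.strip(), val.strip().strip('"')))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}


def content_to_bytes(value):
    """Snort content syntax: text outside |...| is literal, inside is hex ('|ff|SMB' -> b'\\xffSMB')."""
    out = b""
    for i, chunk in enumerate(value.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return out


def _dsize_ok(length, spec):
    """dsize:N, dsize:>N or dsize:<N against the payload length."""
    if spec.startswith(">"):
        return length > int(spec[1:])
    if spec.startswith("<"):
        return length < int(spec[1:])
    return length == int(spec)


MODIFIERS = ("nocase", "offset", "distance")   # apply to the content that precedes them


def payload_matches(rule, payload):
    """True when dsize and every content (with its trailing modifiers) match the payload.
    'offset' counts from the start of the payload; 'distance' counts from the end of the
    previous content match, which is how ordered multi-pattern signatures are built."""
    opts = rule["options"]
    last_end = 0
    i = 0
    while i < len(opts):
        key, val = opts[i]
        if key == "dsize" and not _dsize_ok(len(payload), val):
            return False
        if key in ("content", "uricontent"):
            mods = {}
            i += 1
            while i < len(opts) and opts[i][0] in MODIFIERS:
                mods[opts[i][0]] = opts[i][1]
                i += 1
            hay, needle = payload, content_to_bytes(val)
            if "nocase" in mods:
                hay, needle = hay.lower(), needle.lower()
            start = int(mods.get("offset", 0))
            if "distance" in mods:
                start = last_end + int(mods["distance"])
            pos = hay.find(needle, start)
            if pos < 0:
                return False
            last_end = pos + len(needle)
            continue
        i += 1
    return True


def rule_matches(rule, proto, dport, payload):
    """Header check (protocol and destination port, 'any' is a wildcard) plus payload options."""
    if rule["proto"] != proto:
        return False
    if rule["dport"] != "any" and int(rule["dport"]) != dport:
        return False
    return payload_matches(rule, payload)


# Constructed rule and payloads (illustrative patterns, not the real MS05-039 signature).
SAMPLE_RULE = ('alert tcp any any -> any 445 (msg:"constructed SMB test"; '
               'flow:established,to_server; dsize:>8; content:"|ff|SMB"; offset:4; '
               'content:"PNP"; nocase; distance:2;)')
HIT      = b"\x00\x00\x00\x30" + b"\xffSMB" + b"\x25\x00" + b"pnpxyz"   # 'pnp' 2 bytes after 'SMB'
TOO_NEAR = b"\x00\x00\x00\x30" + b"\xffSMB" + b"\x25"     + b"pnpxyz"   # 1 byte gap: distance:2 fails
WRONG    = b"\x00\x00\x00\x30" + b"\xffSMB" + b"\x25\x00" + b"abcxyz"   # second pattern absent

if __name__ == "__main__":
    rule = parse_rule(SAMPLE_RULE)
    for name, data in (("HIT", HIT), ("TOO_NEAR", TOO_NEAR), ("WRONG", WRONG)):
        print(name, rule_matches(rule, "tcp", 445, data))
```

The TOO_NEAR case is the one worth studying: the bytes are all present, but distance anchors the second pattern to the end of the first match, so the signature is far more specific than two independent content checks would be. That is exactly the effect the guide is after when it says a longer, more exact payload option gives fewer false positives.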
Protocol anomalies are packets that do not comply with the relevant RFC (Request For Comments). Protocol anomaly detection includes HTTP Inspection, TCP Decoder, UDP Decoder and ICMP Decoder. Protocol anomaly rules may be updated when you upload new firmware.

The following table describes the labels in this screen.
Table 164 Anti-X > ADP > General
LABEL / DESCRIPTION
General Settings
Enable Anomaly Detection: Select this check box to enable traffic anomaly and protocol anomaly detection.

Click Anti-X > ADP > General and then an Add or Edit icon to display the following screen. Use this screen to apply an ADP profile to a traffic direction.
Figure 364 Anti-X > ADP > General > Add

• Create a new profile using an existing base profile
• Edit an existing profile
• Delete an existing profile

31.3.1 Base Profiles
The ZyWALL comes with base profiles. You use base profiles to create new profiles.
Figure 365 Base Profiles

A false positive is when valid traffic is flagged as an attack. A false negative is when malicious traffic is wrongly allowed to pass through the ZyWALL. As each network is different, false positives and false negatives are common on initial ADP deployment.

Edit icon, or click the Add icon and choose a base profile. If you made changes to other screens belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Traffic Anomaly tab.

Protocol anomaly is the third screen in an ADP profile. Protocol anomaly (PA) rules check for protocol compliance against the relevant RFC (Request for Comments). Protocol anomaly detection includes HTTP Inspection, TCP Decoder, UDP Decoder, and ICMP Decoder, where each category reflects the packet type inspected.

Protocol Anomaly tab. If you made changes to other screens belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Protocol Anomaly tab.

(Section 31.3.4 on page 498)
Port Scanning: An attacker scans device(s) to determine what types of network protocols or services a device supports. One of the most common port scanning tools in use today is Nmap.

These are some filtered port scan examples.
• TCP Filtered Portscan
• UDP Filtered Portscan
• IP Filtered Portscan
• TCP Filtered Decoy Portscan
• UDP Filtered Decoy Portscan
• IP Filtered Decoy Portscan

Usually a client starts a session by sending a SYN (synchronize) packet to a server. The receiver returns its own SYN together with an ACK (acknowledgment), and then the initiator responds with an ACK. After this three-way handshake, a connection is established.

ICMP destination unreachable packet to the forged source address. If enough UDP packets are delivered to ports on the victim, the system will become unavailable.

NULL bytes in the request-URI.
NON-RFC-HTTP-DELIMITER ATTACK: This is when a newline "\n" character is detected as a delimiter. This is non-standard but is accepted by both Apache and IIS web servers.

20 bytes. This may cause some applications to crash.
UDP Decoder
OVERSIZE-LEN ATTACK: This is when a UDP packet is sent which has a UDP length field greater than the actual packet length. This may cause some applications to crash.

TRUNCATED-TIMESTAMP-HEADER ATTACK: This is when an ICMP packet is sent which has an ICMP datagram length of less than the ICMP Time Stamp header length. This may cause some applications to crash.
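The decoder checks above are simple length comparisons between what a header claims and what is actually on the wire. The following added example (written for this page, not the ZyWALL's own decoder code) implements three of them over constructed raw IPv4 packets: the UDP OVERSIZE-LEN check, the ICMP TRUNCATED-TIMESTAMP-HEADER check (ICMP types 13 and 14; the timestamp header is 20 bytes), and a header-shorter-than-20-bytes check for IP and TCP, for which the guide's rule names are cut off above, so the labels IP-SHORT-HEADER and TCP-SHORT-HEADER are chosen here. The packet builders leave checksums at zero, which these checks do not need.

```python
import struct

IP_HDR_MIN = 20             # IHL = 5 words
TCP_HDR_MIN = 20            # data offset = 5 words
UDP_HDR = 8
ICMP_TIMESTAMP_HDR = 20     # type, code, checksum, id, seq + three 32-bit timestamps
ICMP_TIMESTAMP_TYPES = (13, 14)


def inspect(packet):
    """Return the list of protocol-anomaly names found in one raw IPv4 packet."""
    findings = []
    if len(packet) < IP_HDR_MIN:
        return ["IP-TRUNCATED"]
    ihl = (packet[0] & 0x0F) * 4
    if ihl < IP_HDR_MIN:
        return ["IP-SHORT-HEADER"]        # header claims < 20 bytes: nothing after it can be trusted
    proto = packet[9]
    body = packet[ihl:]                   # bytes actually present after the IP header
    if proto == 6:                        # TCP decoder
        if len(body) < TCP_HDR_MIN:
            findings.append("TCP-TRUNCATED")
        elif (body[12] >> 4) * 4 < TCP_HDR_MIN:
            findings.append("TCP-SHORT-HEADER")
    elif proto == 17:                     # UDP decoder
        if len(body) < UDP_HDR:
            findings.append("UDP-TRUNCATED")
        elif struct.unpack("!H", body[4:6])[0] > len(body):
            findings.append("OVERSIZE-LEN ATTACK")        # UDP length field > bytes present
    elif proto == 1:                      # ICMP decoder
        if body and body[0] in ICMP_TIMESTAMP_TYPES and len(body) < ICMP_TIMESTAMP_HDR:
            findings.append("TRUNCATED-TIMESTAMP-HEADER ATTACK")
    return findings


# ---- constructed packets for testing (checksums left 0, not needed for these checks) ----

def ipv4(proto, payload, ihl_words=5):
    """Minimal IPv4 header from 10.0.0.1 to 10.0.0.2 followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def udp(sport, dport, data, claimed_len=None):
    """UDP header + data; claimed_len overrides the length field to forge an oversize value."""
    length = UDP_HDR + len(data) if claimed_len is None else claimed_len
    return struct.pack("!HHHH", sport, dport, length, 0) + data


def tcp_syn(sport, dport, data_offset_words=5):
    """20-byte TCP SYN; data_offset_words < 5 forges an illegal header length."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, data_offset_words << 4, 0x02, 8192, 0, 0)


def icmp_timestamp_request(truncated=False):
    """ICMP type 13 (timestamp request); truncated=True keeps only the first 8 of 20 bytes."""
    full = struct.pack("!BBHHHIII", 13, 0, 0, 1, 1, 0, 0, 0)
    return full[:8] if truncated else full


if __name__ == "__main__":
    print(inspect(ipv4(17, udp(53, 53, b"abcd"))))                    # []
    print(inspect(ipv4(17, udp(53, 53, b"abcd", claimed_len=200))))   # ['OVERSIZE-LEN ATTACK']
    print(inspect(ipv4(1, icmp_timestamp_request(truncated=True))))   # ['TRUNCATED-TIMESTAMP-HEADER ATTACK']
    print(inspect(ipv4(6, tcp_syn(1234, 445, data_offset_words=4))))  # ['TCP-SHORT-HEADER']
```

The order of the checks matters: a bad IP header length is reported on its own and the transport decoders are skipped, because the offsets used to locate the TCP, UDP or ICMP header are themselves derived from the value that was found to be wrong.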
A content filtering profile conveniently stores your custom settings for the following features.
• Category-based Blocking: The ZyWALL can block access to particular categories of web site content, such as pornography or racial intolerance.
• Restrict Web Features

• You must configure an address object, a schedule object and a filtering profile before you can set up a content filter policy.
• You must subscribe to use the external database content filtering (see the Licensing > Registration screens).

User: This column displays the individual or group to which this policy applies. any means the content filter policy applies to all of the web access requests that the ZyWALL receives from any user.

None displays if you have not successfully registered and activated the service. Standard displays if you have successfully registered the ZyWALL and activated the service. Trial displays if you have successfully registered the ZyWALL and activated the trial service subscription.

Select Create Object to configure a new user account (see Section 36.2.1 for details). Select any to have the content filter policy apply to all of the web access requests that the ZyWALL receives from any user.

You must register for external content filtering before you can use it. See Section 8.2 on page 166 for how to register. See Chapter 33 on page 533 for how to view content filtering reports.

Content Filter General screen along with the category of the blocked web page. Select Log to record attempts to access web pages that match the other categories that you select below.

These are categories of web pages that are known to pose a threat to users or their computers.
Phishing: This category includes pages that are designed to appear as a legitimate bank or retailer with the intent to fraudulently capture sensitive data (for example credit card numbers or PINs).

It also includes pages that glorify, tout, or otherwise encourage the consumption of alcohol/tobacco. It does not include pages that sell alcohol or tobacco as a subset of other products.

Includes sites that endorse or offer methods, means of instruction, or other resources to affect or influence real events through the use of spells, incantations, curses and magic powers. This category includes sites which discuss or deal with paranormal or unexplained events.

Internet and technology-related organizations and companies.
Search Engines/Portals: This category includes pages that support searching the Internet, indices, and directories.
Job Search/Careers: This category includes pages that provide assistance in finding employment, and tools for locating prospective employers.

It does not include pages that can be classified in other categories (such as vehicles or weapons).
Auctions: This category includes pages that support the offering and purchasing of goods between individuals. This does not include classified advertisements.

This does not include advertising servers that serve adult-oriented advertisements.
Web Hosting: This category includes pages of organizations that provide top-level domain pages, as well as web communities or hosting services.
Test Web Site Category

(blocked) web site addresses. You can also block web sites based on whether the web site's address contains a keyword. Use this screen to add or remove specific sites or keywords from the filter list.

ActiveX: ActiveX is a tool for building dynamic and active web pages and distributed object applications. When you visit an ActiveX web site, ActiveX controls are downloaded to your browser, where they remain in case you visit the site again.

(such as Bad, for example).
Blocked URL Keywords: This list displays the keywords already added. Click the button when you have finished typing in the keywords field above.

Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order.

This is the number of the page of entries currently displayed and the total number of pages of entries. Type a page number to go to or use the arrows to navigate the pages of entries. The index number identifies a categorized web site address record.

2 The ZyWALL looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site's category will be in the ZyWALL's cache. The ZyWALL blocks, blocks and logs, or just logs the request based on your configuration.

5 The external content filter server sends the category information back to the ZyWALL, which then blocks and/or logs access to the web site based on the settings in the content filter profile. The web site's address and category are then stored in the ZyWALL's content filter cache.

You need to register your iCard before you can view content filtering reports. Alternatively, you can also view content filtering reports during the free trial (up to 30 days).
1 Go to http://www.myZyXEL.com.

Chapter 33 Content Filter Reports
2 Fill in your myZyXEL.com account information and click Login.
Figure 380 myZyXEL.com: Login

Registered ZyXEL Products (the ZyWALL 70 is shown as an example here). You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 382 on page 536).
Figure 381 myZyXEL.com: Welcome

4 In the Service Management screen click Content Filter in the Service Name column to open the content filter reports screens.
Figure 382 myZyXEL.com: Service Management
5 In the Web Filter Home screen, click the Reports tab.
Figure 383 Content Filter Reports Main Screen

Taken field and click Run Report. The screens vary according to the report type you selected in the Report Home screen.
8 A chart and/or list of requested web site categories displays in the lower half of the screen.
Figure 385 Global Report Screen Example

9 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.
Figure 386 Requested URLs Example
IP address, or uses a specified header field and header value, as being spam. If an e-mail does not match any of the white list entries, the ZyWALL checks it against the black list entries. The ZyWALL classifies an e-mail that

The ZyWALL can check the routing addresses of e-mail against DNSBLs and classify an e-mail as spam if it was sent or forwarded by a computer with an IP address in the DNSBL. Here is how the ZyWALL uses DNSBLs.

Click Anti-X > Anti-Spam to open the Anti-Spam General screen. Use this screen to turn the anti-spam feature on or off and manage anti-spam policies. You can also select the action the ZyWALL takes when the mail sessions threshold is reached.

To: The anti-spam policy has the ZyWALL scan e-mail traffic that is going to this zone from the From zone.
Protocol: These are the protocols of traffic to scan for spam. SMTP applies to traffic using TCP port 25. POP3 applies to traffic using TCP port 110.

Use this screen to configure an anti-spam policy that controls which traffic direction of e-mail to check, which e-mail protocols to scan, the scanning options, and the action to take on spam traffic.
Figure 389 Anti-X > Anti-Spam > General > Add

Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order.

Click Reset to begin configuring this screen afresh.

34.4.1 The Anti-Spam Black or White List Add/Edit Screen
In the anti-spam Black List or White List screen, click the Add icon or an Edit icon to display the following screen.

63 ASCII characters. For example, if you want the entry to check the "Received:" header for a specific mail server's domain, enter the mail server's domain here. See Section 34.4.2 on page 549 for more details.

LABEL / DESCRIPTION
General Settings
Enable White List Checking: Select this check box to have the ZyWALL forward e-mail that matches an active white list entry without doing any more anti-spam checking on that individual e-mail.

Click Anti-X > Anti-Spam > DNSBL to display the anti-spam DNSBL screen. Use this screen to configure the ZyWALL to check the sender and relay IP addresses in e-mail headers against DNS (Domain Name Service)-based spam Black Lists (DNSBLs).

This is the IP address of the last server that forwarded the mail.
Actions when Query Timeout: Use this section to set what the ZyWALL does if the queries to the DNSBL domains time out.

(identifying legitimate e-mail as spam). Different DNSBLs have different usage policies. For example, you can check http://www.spamhaus.org or https://www.sorbs.net for more information.
Figure 394 Anti-X > Anti-Spam > DNSBL > Add

DNSBL Domain: These are the DNSBLs the ZyWALL uses to check sender and relay IP addresses in e-mails.
Total Queries: This is the total number of DNS queries the ZyWALL has sent to this DNSBL.
Time (sec): This is the average time it takes to receive a reply from this DNSBL.
No Response: This is how many DNS queries the ZyWALL sent to this DNSBL without receiving a reply.
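The classification order described in this chapter (white list, then black list, then DNSBL lookups on the sender and relay addresses) and the query-timeout decision can be followed end to end in the added example below. It is written for this page and is not the ZyWALL's code. The headers, list entries and DNSBL answers are constructed and the DNS client is replaced by an in-memory table so the example runs offline; the timeout action names "forward" and "spam" are assumptions, the guide does not name its options. DNSBL queries reverse the octets of the address and append the list's zone, which is the standard DNSBL convention.

```python
import re

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def dnsbl_query_name(ip, zone):
    """198.51.100.7 in zone bl.example -> 7.100.51.198.bl.example"""
    return ".".join(reversed(ip.split("."))) + "." + zone


def relay_ips(headers):
    """Bracketed IPv4 addresses from Received: lines, top-most (last hop) first.
    Constructed single-line headers only; real Received: headers may be folded."""
    ips = []
    for line in headers.splitlines():
        if line.lower().startswith("received:"):
            ips.extend(RECEIVED_IP.findall(line))
    return ips


def header_matches(headers, field, value):
    """A header-field/value list entry, e.g. field 'X-Mailer' containing 'BulkSender'."""
    prefix = field.lower() + ":"
    return any(line.lower().startswith(prefix) and value.lower() in line.lower()
               for line in headers.splitlines())


def _entry_hits(entry, ips, headers):
    if entry[0] == "ip":
        return entry[1] in ips
    return header_matches(headers, entry[1], entry[2])


def classify(headers, white, black, zones, resolve, on_timeout="forward"):
    """Return (verdict, reason). Order follows the guide: white list, black list, then DNSBL.

    white/black: lists of ("ip", addr) or ("header", field, value) entries.
    resolve(name): returns the A records for name ([] when not listed) or raises TimeoutError.
    on_timeout: "forward" treats an unanswered query as clean, "spam" marks the mail (assumed names).
    """
    ips = relay_ips(headers)
    for entry in white:
        if _entry_hits(entry, ips, headers):
            return "clean", "white list: %s" % (entry,)
    for entry in black:
        if _entry_hits(entry, ips, headers):
            return "spam", "black list: %s" % (entry,)
    for zone in zones:
        for ip in ips:
            try:
                answers = resolve(dnsbl_query_name(ip, zone))
            except TimeoutError:
                if on_timeout == "spam":
                    return "spam", "DNSBL %s timed out" % zone
                continue                       # "forward": skip this lookup and keep checking
            if answers:
                return "spam", "%s listed in %s (%s)" % (ip, zone, ",".join(answers))
    return "clean", "no list matched"


# ---- constructed sample data ----
SAMPLE_HEADERS = """\
Received: from mx.example.net (mx.example.net [203.0.113.9]) by edge.example.com; Mon, 3 Nov 2008
Received: from cust.example.org (unknown [198.51.100.7]) by mx.example.net; Mon, 3 Nov 2008
From: someone@example.org
X-Mailer: BulkSender 1.0
"""
LISTED = {"7.100.51.198.bl.example": ["127.0.0.2"]}   # what the pretend DNSBL would answer
SLOW_ZONE = "slow.example"                            # a zone that never answers


def fake_resolve(name):
    """Offline stand-in for the DNS client: table lookup, time-out for one zone."""
    if name.endswith("." + SLOW_ZONE):
        raise TimeoutError(name)
    return LISTED.get(name, [])


if __name__ == "__main__":
    print(classify(SAMPLE_HEADERS, [], [], ["bl.example"], fake_resolve))
    print(classify(SAMPLE_HEADERS, [("ip", "198.51.100.7")], [], ["bl.example"], fake_resolve))
    print(classify(SAMPLE_HEADERS, [], [], [SLOW_ZONE], fake_resolve, on_timeout="spam"))
```

Two practical points follow from the code. First, only the top-most Received: line, the one added by your own edge server, is trustworthy: every earlier hop's header was written by someone else and can be forged, so the address the guide calls "the last server that forwarded the mail" is the one to weight most. Second, the timeout action is a security trade-off in both directions: "forward" lets spam through whenever the list is unreachable, while "spam" turns a DNSBL outage into a mail outage.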
Legacy mode configuration involves a greater degree of complexity. Active-passive mode is recommended for general failover deployments.
• The ZyWALLs must all support and be set to use the same device HA mode (either active-passive or legacy).

35.2 Device HA General
The Device HA General screen lets you enable or disable device HA, and displays which device HA mode the ZyWALL is set to use along with a summary of the monitored interfaces.

ZyWALL can take over all of the master ZyWALL's functions.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

Enable monitoring for the same interfaces on the master and backup ZyWALLs. Each monitored interface must have a static IP address and be connected to the same subnet as the corresponding interface on the backup or master ZyWALL.

The Device HA Active-Passive Mode screen lets you configure general active-passive mode device HA settings, view and manage the list of monitored interfaces, and synchronize backup ZyWALLs. To access this screen, click Device HA > Active-Passive Mode.

Cluster ID: Type the cluster ID number. A virtual router consists of a master ZyWALL and all of its backup ZyWALLs. If you have multiple ZyWALL virtual routers on your network, use a different cluster ID for each virtual router.

If you leave this field blank in the master ZyWALL, no backup ZyWALLs can synchronize from it. If you leave this field blank in a backup ZyWALL, it cannot synchronize from the master ZyWALL.

ZyWALL, whether it is the master or a backup. This management IP address should be in the same subnet as the interface IP address.
Subnet Mask: Enter the subnet mask of the interface's management IP address.

Link monitoring has a backup ZyWALL take over all of an unavailable master ZyWALL's static IP addresses. This way the backup ZyWALL takes over all of the master ZyWALL's functions. This also means you can only access the original master ZyWALL through its management IP address.

VRRP interface link goes down, or a monitored interface has a fault.
Monitored Interface Summary
Name: This field displays the name of the VRRP group.
Interface: This field displays which interface is part of the virtual router.

device HA.
Apply: This appears when the ZyWALL is currently using legacy mode device HA. Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

IP address should be in the same subnet as the interface IP address. Without a management IP address, the backup ZyWALL cannot synchronize with the master via this VRRP interface.
Subnet Mask: Enter the subnet mask of the interface's management IP address.

(+-/*= :; .! @$&%#~ ' \ () ), and it can be up to eight characters long. See Authentication Types on page 269 for more information about authentication methods.
OK: Click OK to save your changes back to the ZyWALL.
Cancel: Click Cancel to exit this screen without saving your changes.

The other backup ZyWALLs remain backups. If ZyWALL A becomes available again, ZyWALL A preempts ZyWALL B and becomes the master again (the network returns to the state shown in Figure 405 on page 570).

• The backup ZyWALL cannot be the master in any active VRRP group. This refers to the actual role at the time of synchronization, not the role setting in the VRRP group. The backup applies the entire configuration if it is different from the backup's current configuration.
User Groups: User groups may consist of user accounts or other user groups. Use user groups when you want to create the same rule for several user accounts, instead of creating separate rules for each one.
36.2 User Summary Screen
The User screen provides a summary of all user accounts. To access this screen, log in to the Web Configurator, and click Object > User/Group.
• Reserved user names are listed in the following table.
Table 192 Reserved User Names
• admin
• daemon
• debug
• devicehaecived
• games
• halt
• ldap-users
• mail
• news
• nobody
Default descriptions are provided.
Authentication Timeout Settings: If you want to set the authentication timeout to a value other than the default settings, select Use Manual Settings, then fill in your preferred values in the fields that follow.
To delete a user group, click the Remove icon next to the user group. The Web Configurator confirms that you want to delete the user group before doing so. If you delete the group, you do not delete the users in the group.
ZyWALL. You can also use this screen to specify when users must log in to the ZyWALL before it routes traffic for them. To access this screen, log in to the Web Configurator, and click Object > User/Group > Setting.
Allow renewing lease time ...: Select this check box if access users can renew lease time automatically, as well as manually, simply by checking the Updating lease time automatically check box on their screen.
This field is a sequential value, and it is not associated with a specific condition.
Schedule: This field displays the schedule object that specifies when this condition applies. It displays none if this condition always applies.
Use this screen to specify a condition when users must log in or do not have to log in to the ZyWALL before their HTTP traffic can pass through the ZyWALL.
Figure 412 Object > User/Group > Setting > Add/Edit
Access users cannot use the Web Configurator to browse the configuration of the ZyWALL. Instead, when access users log in to the ZyWALL (forced in the screen as shown in Figure 411 on page 582 or otherwise), the following screen appears.
Figure 413 Web Configurator for Non-Admin Users
The following examples show you how you might set up user attributes in LDAP and RADIUS servers.
Figure 414 LDAP Example: Keywords for User Attributes
type: admin
leaseTime: 99
reauthTime: 199
Figure 415 RADIUS Example: Keywords for User Attributes
type=user;leaseTime=222;reauthTime=222
Web Configurator, to create the accounts. Extract the user names from the LDAP or RADIUS server, and create a shell script that creates the user accounts. See Chapter 46 on page 695 for more information about shell scripts.
The Address screen provides a summary of all addresses in the ZyWALL. To access this screen, click Object > Address > Address. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
The Address Add/Edit screen allows you to create a new address or edit an existing one. To access this screen, go to the Address screen (see Section 37.2 on page 589), and click either the Add icon or an Edit icon.
Figure 417 Object > Address > Address > Edit
Object > Address > Address Group. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
Figure 418 Object > Address > Address Group
This field displays the names of the address and address group objects that can be added to the address group. Select the address and address group objects that you want to be members of this group and click the right arrow to add them to the member list.
The order of members is not important. To remove members, select them and click the left arrow.
OK: Click OK to save your changes back to the ZyWALL.
Cancel: Click Cancel to exit this screen without saving your changes.
Another use is ping. ICMP does not guarantee delivery, but networks often treat ICMP messages differently, sometimes looking at the message itself to decide where to send it.
To access this screen, log in to the Web Configurator, and click Object > Service > Service. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
Figure 420 Object > Service > Service
Ending Port: This field appears if the IP Protocol is TCP or UDP. Specify the port number(s) used by this service. If you fill in one of these fields, the service uses that port. If you fill in both fields, the service uses the range of ports.
To edit a service group, click the Edit icon next to the service group. The Service Group Add/Edit screen appears. To delete a service group, click the Remove icon next to the service group. The Web Configurator confirms that you want to delete the service group.
The order of members is not important. To remove members, select them and click the left arrow.
OK: Click OK to save your changes back to the ZyWALL.
Cancel: Click Cancel to exit this screen without saving your changes.
Finding Out More
• See Section 5.5 on page 118 for related information on these screens.
• See Section 45.3 on page 652 for information about the ZyWALL’s current date and time.
To edit a schedule, click the Edit icon next to the schedule. The Schedule Add/Edit screen appears. To delete a schedule, click the Remove icon next to the schedule. The Web Configurator confirms that you want to delete the schedule before doing so.
Hour - 0 - 23
Minute - 0 - 59
All of these fields are required.
OK: Click OK to save your changes back to the ZyWALL.
Cancel: Click Cancel to exit this screen without saving your changes.
Hour - 0 - 23
Minute - 0 - 59
The Hour and Minute fields are both required. To set all day (24 hours), configure the stop hour to 23 and minute to 59.
Weekly
Week Days: Select each day of the week the recurring schedule is effective.
OK: Click OK to save your changes back to the ZyWALL.
Cancel: Click Cancel to exit this screen without saving your changes.
(or in addition to) an internal device user database that is limited to the memory capacity of the device. In essence, RADIUS authentication allows you to validate a large number of users from a central location.
The directory consists of a database specialized for fast information retrieval and filtering activities. You create and store user profile and login information on the external server.
• RADIUS
A base DN specifies a directory. A base DN usually contains information such as the name of an organization, a domain name and/or country. For example, o=MyCompany, c=UK where o means organization and c means country.
Specify the timeout period (between 1 and 300 seconds) before the ZyWALL disconnects from the AD or LDAP server. In this case, user authentication fails. The search timeout occurs when either the user information is not in the LDAP server or the server is down.
Click Object > AAA Server > Active Directory (or LDAP) > Group to display the Active Directory (or LDAP) > Group screen. Click the Add icon or an Edit icon to display the configuration fields.
Specify the URI (Uniform Resource Identifier) of an AD or LDAP server. You can enter the IP address (in dotted decimal notation) or the fully qualified domain name (FQDN; up to 63 alphanumeric characters) of the AD or LDAP server.
A search timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down.
Apply: Click Apply to save the changes.
Reset: Click Reset to start configuring this screen again.
Click Object > AAA Server > RADIUS > Group to display the RADIUS > Group screen. Click the Add icon or an Edit icon to display the configuration fields.
Figure 435 Object > AAA Server > RADIUS > Group > Add
Click Add to add a new RADIUS server. You can add up to four RADIUS member servers. Click Delete to remove a RADIUS server. Click OK to save the changes.
Cancel: Click Cancel to discard the changes.
1 Access the VPN > IPSec VPN > VPN Gateway > Edit screen.
2 Select Enable Extended Authentication.
3 Select Server Mode and select an authentication method object from the drop-down list box.
4 Click OK to save the settings.
Method List: This field displays the authentication method(s) for this entry.
Add icon: Click Add to add a new entry. Click Edit to edit the settings of an entry. Click Delete to remove an entry.
You can NOT select two server objects of the same type.
7 Click OK to save the settings or click Cancel to discard all changes and return to the previous screen.
Figure 438 Object > Auth. Method > Add
Click Add to add a new entry. Click Edit to edit the settings of an entry. Click Delete to delete an entry. Click OK to save the changes.
Cancel: Click Cancel to discard the changes.
3 Tim uses his private key to sign the message and sends it to Jenny.
4 Jenny receives the message and uses Tim’s public key to verify it. Jenny knows that the message is from Tim, and that although other people may have been able to read the
A PKCS #7 file is used to transfer a public key certificate. The private key is not included. The ZyWALL currently allows the importation of a PKCS #7 file that contains a single certificate.
2 Make sure that the certificate has a “.cer” or “.crt” file name extension.
Figure 439 Remote Host Certificates
3 Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.
When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.
This field displays the certificate index number. The certificates are listed in alphabetical order.
Click Object > Certificate > My Certificates and then the Add icon to open the My Certificates Add screen. Use this screen to have the ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request.
@ symbol, periods and the underscore.
Organizational Unit: Identify the organizational unit or department to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
You must have the certification authority’s certificate already imported in the Trusted Certificates screen. Click Trusted CAs to go to the Trusted Certificates screen where you can view (and manage) the ZyWALL's list of certificates of trusted certification authorities.
42.2.2 The My Certificates Edit Screen
Click Object > Certificate > My Certificates and then the Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate’s name.
“Not trusted” in this field if any certificate on the path has expired or been revoked.
Refresh: Click Refresh to display the certification path.
Certificate Information: These read-only fields display detailed information about the certificate.
You can copy and paste a certificate into an e-mail to send to friends or colleagues or you can copy and paste a certificate into a text editor and save the file on a management computer for later distribution (via floppy disk for example).
The certificate you import replaces the corresponding request in the My Certificates screen. You must remove any spaces from the certificate’s filename before you can import it.
Figure 444 Object > Certificate > My Certificates > Import
With self-signed certificates, this is the same information as in the Subject field.
Valid From: This field displays the date that the certificate becomes applicable.
Trusted Certificates Edit screen. Use this screen to view in-depth information about the certificate, change the certificate’s name and set whether or not you want the ZyWALL to check a certification authority’s list of revoked certificates before trusting a certificate issued by the certification authority.
(along with the end entity’s own certificate). The ZyWALL does not trust the end entity’s certificate and displays “Not trusted” in this field if any certificate on the path has expired or been revoked.
This field displays the type of algorithm that was used to sign the certificate. Some certification authorities use rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Other certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm).
Click Object > Certificate > Trusted Certificates > Import to open the Trusted Certificates Import screen. Follow the instructions in this screen to save a trusted certificate to the ZyWALL. You must remove any spaces from the certificate’s filename before you can import the certificate.
ZyWALL only gets information on the certificates that it needs to verify, not a huge list. When the ZyWALL requests certificate status information, the OCSP server returns an “expired”, “current” or “unknown” response.
This field displays the profile name of the ISP account. This name is used to identify the ISP account.
Protocol: This field displays the protocol used by the ISP account.
Authentication Type: This field displays the authentication type used by the ISP account.
This field is read-only if you are editing an existing account. Select the protocol used by the ISP account. Options are:
pppoe - This ISP account uses the PPPoE protocol.
pptp - This ISP account uses the PPTP protocol.
ISP Account Edit screen.
Cancel: Click Cancel to return to the ISP Account screen without creating the profile (if it is new) or saving any changes to the profile (if it already exists).
Available SSL application names are displayed as links in remote user screens. Depending on the application type, remote users can simply click the links or follow the steps in the pop-up dialog box to access them.
5 In the Server Type field, select Web Server.
6 Select Web Page Encryption to prevent users from saving the web content.
7 Click Apply to save the settings. The configuration screen should look similar to the following figure.
A web-based application allows remote users to access an application via standard web browsers. To configure a web-based application, click the Add or Edit button in the SSL Application screen and select Web Application in the Type field to display the configuration screen as shown.
This field displays if the Server Type is set to RDP or VNC.
Address(es): Specify the IP address or Fully-Qualified Domain Name (FQDN) of the computer(s) that you want to allow the remote users to manage.
Select File Sharing to create a file share application for SSL VPN.
File Sharing Name: Enter a descriptive name to identify this object. You can enter up to 31 characters (“0-9”, “a-z”, “A-Z”, “-” and “_”). Spaces are not allowed.
Click Cancel to discard the changes and return to the main SSL Application Configuration screen. You must then configure the shared folder on the file server for remote access. Refer to the document that comes with your file server.
• Connect an external serial modem to the AUX port to provide a management connection in case the ZyWALL’s other WAN connections are down. Use the System > Dial-in Mgmt. screen (see Section 45.11 on page 687) to configure the external serial modem.
To change your ZyWALL’s time based on your local time zone and date, click System > Date/Time. The screen displays as shown. You can manually set the ZyWALL’s time and date or have the ZyWALL get the date and time from a time server.
• When you click Apply or Synchronize Now in this screen.
• At 24-hour intervals after starting up.
Time Server Address: Enter the IP address or URL of your time server. Check with your ISP/network administrator if you are unsure of this information.
When you turn on the ZyWALL for the first time, the date and time start at 2003-01-01 00:00:00. The ZyWALL then attempts to synchronize with one of the following pre-defined list of Network Time Protocol (NTP) time servers.
4 As an option you can select the Enable Daylight Saving check box to adjust the ZyWALL clock for daylight savings.
5 Under Time and Date Setup, enter a Time Server Address (Table 233 on page 655).
6 Click Apply.
• If your ISP dynamically assigns the DNS server IP addresses (along with the ZyWALL’s WAN IP address), set the DNS server fields to get the DNS server address from the ISP.
• You can manually enter the IP addresses of other DNS servers.
A hyphen (-) displays for the default domain zone forwarder record. The default record is not configurable. The ZyWALL uses this default record if the domain zone that needs to be resolved does not match any of the other domain zone forwarder records.
This is the zone on the ZyWALL the user is allowed or denied to access.
Address: This is the object name of the IP address(es) from which the computer is allowed or denied to send DNS queries.
IP address to a domain name.
45.5.5 Adding an Address/PTR Record
Click the Add icon in the Address/PTR Record table to add an address/PTR record.
Figure 460 System > DNS > Address/PTR Record Edit
45.5.7 Adding a Domain Zone Forwarder
Click the Add icon in the Domain Zone Forwarder table to add a domain zone forwarder record.
Figure 461 System > DNS > Domain Zone Forwarder Add
Enter the domain name where the mail is destined for.
IP Address/FQDN: Enter the IP address or Fully-Qualified Domain Name (FQDN) of a mail server that handles the mail for the domain specified in the field above.
Click Cancel to exit this screen without saving.
45.6 WWW Overview
The following figure shows secure and insecure management of the ZyWALL coming in from the WAN. HTTPS and SSH access are secure. HTTP, Telnet, and dial-in management access are not secure.
Each user is also forced to log in to the ZyWALL for authentication again when the reauthentication time expires. You can change the timeout settings in the User/Group screens.
2 HTTP connection requests from a web browser go to port 80 (by default) on the ZyWALL’s web server.
Figure 465 HTTP/HTTPS Implementation
If you disable HTTP in the WWW screen, then the ZyWALL blocks all HTTP connection attempts.
Enable: Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL Web Configurator using secure HTTPS connections.
User Service Control specifies from which zones a user can use HTTP to log into the ZyWALL (to log into SSL VPN for example). You can also specify the IP addresses from which the users can access the ZyWALL.
45.6.5 Service Control Rules
Click Add or Edit in the Service Control table in a WWW, SSH, Telnet, FTP or SNMP screen to add a service control rule.
Figure 467 System > Service Control Rule > Edit
Internet. See Chapter 36 on page 575 for more on access user accounts.
Figure 468 System > WWW > Login Page
The following figures identify the parts you can customize in the login and access pages.
• Enter a pound sign (#) followed by the six-digit hexadecimal number that represents the desired color. For example, use “#000000” for black.
• Enter “rgb” followed by red, green, and blue values in parentheses and separated by commas. For example, use “rgb(0,0,0)” for black.
Enter the title for the top of the screen. Use up to 64 printable ASCII characters. Spaces are allowed.
Message Color: Specify the color of the screen’s text.
Note Message: Enter a note to display below the title. Use up to 64 printable ASCII characters. Spaces are allowed.
Certificate if you want to verify that the certificate is from the ZyWALL. If Accept this certificate temporarily for this session is selected, then click OK to continue in Netscape. Select Accept this certificate permanently to import the ZyWALL’s certificate into the SSL client.
Appendix D on page 813 for details.
45.6.7.4 Login Screen
After you accept the certificate, the ZyWALL login screen appears. The lock displayed in the bottom of the browser status bar denotes a secure connection.
The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s).
45.6.7.5.1 Installing the CA’s Certificate
1 Double-click the CA’s trusted certificate to produce a screen similar to the one shown next.
Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next.
1 Click Next to begin the wizard.
Figure 477 Personal Certificate Import Wizard 1
Figure 479 Personal Certificate Import Wizard 3
4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.
5 Click Finish to complete the wizard and begin the import process.
Figure 481 Personal Certificate Import Wizard 5
6 You should see the following screen when the certificate is correctly installed on your computer.
Figure 482 Personal Certificate Import Wizard 6
ZyWALL. This screen displays even if you only have a single certificate as in the example.
Figure 484 SSL Client Authentication
3 You next see the Web Configurator login screen.
Figure 485 Secure Web Configurator Login Screen
The client automatically saves any new server public keys. In subsequent connections, the server public key is checked against the saved version on the client computer.
SSH can be used to manage the ZyWALL. You can also specify from which IP addresses the access can come. It is recommended that you disable Telnet and FTP when you configure SSH for secure connections.
Figure 488 System > SSH
1 Launch the SSH client and specify the connection information (IP address, port number) for the ZyWALL.
2 Configure the SSH client to accept connections using SSH version 1.
3 A window displays prompting you to store the host key on your computer. Click Yes to continue.
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established. RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts. Administrator@192.168.1.1's password:
3 The CLI screen displays next.
Click the Move to N icon to display a field to type a number for where you want to put that rule and press [ENTER] to move the rule to the number that you typed.
ZyWALL for FTP connections. You must have certificates already configured in the My Certificates screen (click My Certificates and see Chapter 42 on page 621 for details).
Service Control: This specifies from which computers you can access which ZyWALL zones.
Your ZyWALL supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyWALL through the network. The ZyWALL supports SNMP version one (SNMPv1) and version two (SNMPv2c). The next figure illustrates an SNMP management operation.
Get operation, followed by a series of GetNext operations.
• Set - Allows the manager to set values for object variables within an agent.
• Trap - Used by the agent to inform the manager of some events.
Use this screen to configure your SNMP settings, including from which zones SNMP can be used to access the ZyWALL. You can also specify from which IP addresses the access can come.
Figure 495 System > SNMP
Connect an external serial modem to the AUX port to provide a management connection in case the ZyWALL’s other WAN connections are down. This is like an auxiliary interface, except it is used for management connections coming into the ZyWALL instead of as a backup WAN connection.
Port Speed: Use the drop-down list box to select the speed of the connection between the ZyWALL’s auxiliary port and the external modem. Available speeds are: 9600, 19200, 38400, 57600, or 115200 bps.
Table 249 System > Vantage CNM
LABEL / DESCRIPTION
Vantage CNM: Click Advanced to display more configuration fields or click Basic to display fewer fields.
Enable: Select this check box to allow Vantage CNM to manage your ZyWALL.
Click Reset to begin configuring this screen afresh.
45.13 Language Screen
Click System > Language to open the following screen. Use this screen to select a display language for the ZyWALL’s Web Configurator screens.
Figure 498 System > Language
When you apply a configuration file, the ZyWALL uses the factory default settings for any features that the configuration file does not include. When you run a shell script, the ZyWALL only applies the commands that it contains. Other settings do not change.
ZyWALL treat the line as a comment. Your configuration files or shell scripts can use “exit” or a command line consisting of a single “!” to have the ZyWALL exit sub command mode.
Use the Configuration File screen to store, run, and name configuration files. You can also download configuration files from the ZyWALL to your computer and upload configuration files from your computer to the ZyWALL.
The ZyWALL still generates a log for any errors.
Figure 500 Maintenance > File Manager > Configuration File
Do not turn off the ZyWALL while a configuration file upload is in progress.
Click a configuration file’s row to select it and click Run to have the ZyWALL use that configuration file. The ZyWALL does not have to restart in order to use a different configuration file, although you will need to wait for a few minutes while the system reconfigures.
See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it. Find the firmware package at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, “zywall.bin”.
(.zip) files before you can upload them.
Upload: Click Upload to begin the upload process. This process may take up to two minutes. After you see the Firmware Upload in Process screen, wait two minutes before logging into the ZyWALL again.
You should include write commands in your scripts. If you do not use the write command, the changes will be lost when the ZyWALL restarts. You could use multiple write commands in a long script.
A pop-up window asks you to confirm that you want to delete the shell script file. Click OK to delete the shell script file or click Cancel to close the screen without deleting the shell script file.
Type in the location of the file you want to upload in this field or click Browse... to find it.
Browse...: Click Browse... to find the .zysh file you want to upload.
Upload: Click Upload to begin the upload process. This process may take up to several minutes.
Events that generate an alert (as well as a log message) display in red. Regular logs display in black. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
If a match is found in any field, the log message is displayed. You can use up to 63 alphanumeric characters and the underscore, as well as the punctuation marks ()’ ,:;?! +-*/= #$% @ ; the period, double quotes, and brackets are not allowed.
This field displays the destination IP address and the port number of the event that generated the log message. Note This field displays any additional information about the log message. The Web Configurator saves the filter settings if you leave the View Log screen and return to it later. ZyWALL USG 300 User’s Guide...
Active Log Summary screen to edit this information for all logs at the same time. 47.4.1 Log Setting Summary To access this screen, click Maintenance > Log > Log Setting. Figure 511 Maintenance > Log > Log Setting ZyWALL USG 300 User’s Guide...
The Log Settings Edit screen controls the detailed settings for each log in the system log (which includes the e-mail profiles). Go to the Log Settings Summary screen (see Section 47.4.1 on page 708), and click the system log Edit icon. ZyWALL USG 300 User’s Guide...
(green checkmark) and/or in alerts (yellow exclamation point) for the e- mail settings specified in E-Mail Server 2. The ZyWALL does not e-mail debugging information, even if it is recorded in the System log. Log Consolidation ZyWALL USG 300 User’s Guide...
The Log Settings Edit screen controls the detailed settings for each log in the remote server (syslog). Go to the Log Settings Summary screen (see Section 47.4.1 on page 708), and click a remote server Edit icon. ZyWALL USG 300 User’s Guide...
(for example, where and how often log information is e-mailed or remote server names).To access this screen, go to the Log Settings Summary screen (see Section 47.4.1 on page 708), and click the Active Log Summary button. ZyWALL USG 300 User’s Guide...
This screen provides a different view and a different way of indicating which messages are included in each log and each alert. Please see Section 47.4.2 on page 709, where this process is discussed. (The Default category includes debugging messages generated by open source software.) ZyWALL USG 300 User’s Guide...
If you check one of the check boxes for All Logs, it affects the settings for every category. Click this to save your changes and return to the previous screen. Cancel Click this to return to the previous screen without saving your changes. ZyWALL USG 300 User’s Guide...
• Most-used protocols or service ports and the amount of traffic on each one
• LAN IP with heaviest traffic and how much traffic has been sent to and from each one
This field indicates whether the IP address or user is sending or receiving traffic. Ingress - traffic is coming from the IP address or user to the ZyWALL. Egress - traffic is going from the ZyWALL to the IP address or user.
Table 261 Maximum Values for Reports
LABEL | DESCRIPTION
Maximum Number of Records
Byte Count Limit | bytes; this is just less than 17 million terabytes.
Hit Count Limit | hits; this is over 1.8 x 10 hits.
You can also filter the information by user, protocol / service or service group, source address, and/or destination address and view it by user. Click Maintenance > Report > Session Monitor to display the following screen.
Figure 516 Maintenance > Report > Session Monitor
IP address’s sessions.
This field displays the amount of information received by the source in the active session.
This field displays the amount of information transmitted by the source in the active session.
Select Source to list the source IP addresses from which the ZyWALL has detected the most virus-infected files. Select Destination to list the most common destination IP addresses for virus-infected files that the ZyWALL has detected.
The statistics display as follows when you display the top entries by destination.
Figure 519 Maintenance > Report > Anti-Virus: Destination
48.5 The IDP Report Screen
Click Maintenance > Report > IDP to display the following screen. This screen displays IDP (Intrusion Detection and Prevention) statistics.
Severity: This column displays when you display the entries by Signature Name. It shows the level of threat that the intrusions may pose. See Table 156 on page 472 for more information.
The statistics display as follows when you display the top entries by destination.
Figure 522 Maintenance > Report > IDP: Destination
48.6 The Content Filter Report Screen
Click Maintenance > Report > Content Filter to display the following screen. This screen displays content filter statistics.
Custom Service Restricted Features: This is the number of web pages to which the ZyWALL did not allow access due to the content filtering custom service’s restricted web features configuration.
IP address of spam e-mails that the ZyWALL has detected.
Sender Mail Address: This column displays when you display the entries by Sender Mail Address. This column displays the e-mail addresses from which the ZyWALL has detected the most spam.
Click Maintenance > Report > Email Daily Report to display the following screen. Configure this screen to have the ZyWALL e-mail you system statistics every day.
Figure 525 Maintenance > Report > Email Daily Report
Counters: Click this to discard all report data and start all of the counters over at zero.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
This is the size of the most recently created diagnostic file.
Collect Now: Click this to have the ZyWALL create a new diagnostic file.
Download: Click this to save the most recent diagnostic file to a computer.
Click the Reboot button to restart the ZyWALL. Wait a few minutes until the login screen appears. If the login screen does not appear, type the IP address of the device in your Web browser. You can also use the CLI command reboot to restart the ZyWALL.
UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50.
• The ZyWALL supports UDP port 500 and UDP port 4500 for NAT traversal. If you enable this, make sure the To-ZyWALL firewall rules allow UDP port 4500 too.
The ZyWALL’s firmware package cannot go through the ZyWALL when you enable the anti-virus Destroy compressed files that could not be decompressed option. The ZyWALL classifies the firmware package as not being able to be decompressed and deletes it.
3 Release the RESET button, and wait for the ZyWALL to restart. You should be able to access the ZyWALL using the default settings.
51.2 Getting More Troubleshooting Help
Search for support information for your model at www.zyxel.com for more troubleshooting suggestions.
Humidity: 20% to 95% (non-condensing)
MTBF: Mean Time Between Failures: 180,382 hours
Dimensions: 430 (W) x 201.2 (D) x 42.0 (H) mm
Weight: 2.8 kg
Rack-mounting: Rack-mountable (rack-mount kit included)
This table gives details about the ZyWALL’s features.
Address Space Number
USER PROFILES: Maximum Local Users; Maximum Admin Users; Maximum User Groups; Maximum Users in One User Group
OBJECTS: Address Objects 1000 1000; Address Groups; Maximum address object in one group; Service Objects 1000 1000
Maximum DHCP Host Pool; Maximum Number of DDNS Profiles; DHCP Relay 2 per interface 2 per interface
CENTRALIZED LOG: Log Entries; Debug Log Entries 1024 1024; Admin E-mail Addresses; Syslog Servers; Maximum Number of IDP Profiles; Custom Signatures
Used by Time service: RFC 3339
Used by Telnet service: RFCs 318, 854, 1413
Used by SIP ALG: RFCs 3261, 3264
DHCP relay: RFC 1541
ZySH: W3C XML standard
RFC 826
IP/IPv4: RFC 791
RFC 793
Appendices and Index Common Services (803) Displaying Anti-Virus Alert Messages in Windows (807) Importing Certificates (813) Open Software Announcements (837) Wireless LANs (875) Legal Information (889) Customer Support (893) Index (899)
LOG MESSAGE | DESCRIPTION
%s: website host
%s: Service is not registered | The device allowed access to a web site. The content filtering service is unregistered and the default policy is not set to block. %s: website host
%s: Keyword blocking | The web content matched a user defined keyword. %s: website host
%s: Blocking by default policy | No content filter policy is applied and access was blocked since the default action is block. %s: website host
Black List rule %d has been deactivated. | The anti-spam black list rule with the specified index number (%d) has been turned off.
DNSBL checking has been activated. | anti-spam DNSBL (DNS Black List) server checking has been turned
established | IP address given to the SSL user.
SSL tunnel is disconnected | An SSL tunnel has been disconnected. The source is the login IP address. The destination is the IP address given to the SSL user.
subnet with %s in SSL VPN policy %s. So %s will not be injected to client side. | %s) in the listed SSL VPN policy (second %s), so the listed address (third %s) will not be given to an SSL VPN client.
(login on a lockout address)
Failed login attempt to SSLVPN from %s (reach the max. number of user) | The listed user (%s) failed to log into SSL VPN because the maximum number of users were already logged in.
User has been denied from L2TP service. (address pool exhausted) | An attempted login to the L2TP over IPSec service failed because the L2TP over IPSec IP address pool does not have any more IP addresses to give out.
LOG MESSAGE | DESCRIPTION
can't alloc entry: %s! | 1st:zysh entry name
can't retrieve entry: | 1st:zysh entry name
can't get entry: %s! | 1st:zysh entry name
can't print entry: %s! | 1st:zysh entry name
%s: cannot retrieve entries from list! | 1st:zysh list name
Unable to move entry #%d! | 1st:zysh entry num
%s: apply failed at initial stage! | 1st:zysh table name
%s: apply failed at main stage! | 1st:zysh table name
%s: apply failed at closing stage! | 1st:zysh table name
Initializing Anti-Virus signature reference table has failed. | The ZyWALL failed to initialize the anti-virus signatures due to an internal error.
Reloading Anti-Virus signature database has failed. | The ZyWALL failed to reload the anti-virus signatures due to an internal error.
AV signature update has failed. (Memory not enough) | have enough system resources free to finish the signature update.
AV signature size is over system limitation | An anti-virus signatures update failed because the anti-virus signature file was too large.
2nd %s: The white list or black list.
%s has been %s | An anti-virus file pattern white list or black list was turned on or off. 1st %s: The white list or black list. 2nd %s: Activated/deactivated.
Failed login attempt to ZyWALL from %s (reach the max. number of user) | The ZyWALL blocked a login because the maximum login capacity for the particular service has already been reached. %s: service name
succeeded. | %s: service name
Trial service activation has failed. Because of lack must fields. | The device received an incomplete response from the myZyXEL.com server and it caused a parsing error for the device.
LOG MESSAGE | DESCRIPTION
Change Anti-Virus engine has failed:%s. | The device failed to change the type of anti-virus engine. %s is the server response error message.
Change Anti-Virus engine has succeeded. | The device successfully changed the type of anti-virus engine.
Starting signature update. | The device started an IDP signature update.
IDP signature download has succeeded. | The device successfully downloaded an IDP signature file.
IDP signature update has succeeded. | The device successfully downloaded and applied an IDP signature file.
Expiration daily-check will trigger PPP interface. Do self-check. | Before the device sends an expiration day check packet, it needs to check whether or not it will trigger a PPP connection.
The wrong format for HTTP header.
Timeout for get server response. | After the device sent packets to a server, the device did not receive any response from the server. The root cause may be a network delay issue.
license is not registered. Update signature failed. | IDP signatures.
Custom signature add error: sid <sid>, <error_message>. | An attempt to add a custom IDP signature failed. The error sid and message are displayed.
LOG MESSAGE | DESCRIPTION
failed. Can not update synchronized file. | IDP device HA synchronized file failed.
IDP signature update from version <version> to version <version> has succeeded. | An IDP signature update succeeded. The previous and updated IDP signature versions are listed.
Can not get signature version. | The device could not get the signature version from the new signature package it downloaded from the update server.
IDP system-protect signature update failed. Invalid IDP config file. | An IDP system-protect signature update failed.
please refer to your user documentation to recover the default database file | See the CLI reference guide for how to restore the default system database.
IDP signature size is over system limitation. | The IDP signature set is too large (exceeds the ZyWALL’s system limitation).
Rule %s:%s has been removed. | An application patrol rule has been deleted. 1st %s: Protocol name. 2nd %s: From rule index number. 3rd %s: To rule index number.
System fatal error: 60011001. | The device failed to initiate the application patrol daemon.
LOG MESSAGE | DESCRIPTION
[SA] : No proposal chosen | When selecting a matched proposal in phase-1 or phase-2, no proposal was selected.
[SA] : Tunnel [%s] Phase 1 authentication algorithm mismatch | %s is the tunnel name. When negotiating Phase-1, the authentication algorithm did not match.
Cannot resolve My IP Addr %s for Tunnel [%s] | 1st %s is my ip address. 2nd %s is the tunnel name. When selecting a matched proposal in phase-1, the engine could not get My-IP address.
Tunnel [%s] Phase 1 pre-shared key mismatch | %s is the tunnel name. When negotiating phase-1, the pre-shared key did not match.
Tunnel [%s] Recving IKE request | %s is the tunnel name. The device received an IKE request.
Sending IKE request
Tunnel [%s:0x%x] is disconnected | The variables represent the tunnel name and the SPI of a tunnel that was disconnected.
Tunnel [%s] rekeyed successfully | %s is the tunnel name. The tunnel was rekeyed successfully.
3rd is the to zone, 4th is the service name, 5th is ACCEPT/DROP/REJECT.
Firewall is dead, trace to %s:%d: in %s(): | %s is which file, %d is which line, %s is which function
Firewall has been %s. | %s is enabled/disabled
HTTPS service will not work. | %s is certificate name assigned by user
HTTPS port has been changed to port %s. | An administrator changed the port number for HTTPS. %s is port number
LOG MESSAGE | DESCRIPTION
DHCP Server on Interface %s will not work due to Device HA status is Stand-By | If interface is stand-by mode for device HA, DHCP server can't be run. Otherwise it has conflict with the interface in master mode. %s is interface name
Zone Forwarder have reached the maximum number of 128 DNS servers.
Ping check ok, add DNS servers in bind. | Interface %s ping check is successful. %s is interface name. Zone Forwarder adds DNS servers in records.
Table 292 System Logs
Port %d is up!! | When LINK is up, %d is the port number.
Port %d is down!! | When LINK is down, %d is the port number.
IP address
Clear arp cache successfully. | The ARP cache was cleared successfully.
Client MAC address is not an Ethernet address | A client MAC address is not an Ethernet address.
FQDN %s was blocked for abuse.
Update the profile %s has failed because of authentication fail. | Try to update profile, but failed, because of authentication fail, %s is the profile name.
LOG MESSAGE | DESCRIPTION
The profile %s has been paused because the VRRP status of WAN interface was standby. | The profile is paused by device-HA, because the VRRP status of that iface is standby, %s is the profile name.
DDNS profile %s has been renamed as %s. | Rename DDNS profile, 1st %s is the original profile name, 2nd %s is the new profile name.
DDNS profile %s has been deleted. | Delete DDNS profile, %s is the profile name.
Can't get flags of interface %s | The connectivity check process can't get interface configuration. %s: interface name
Can't get remote address of %s interface | The connectivity check process can't get remote address of PPP interface. %s: interface name
Master configuration is the same with Backup. Skip updating | The System Startup configuration file synchronized from the Master is the same with the one in the Backup, so the configuration does not have to be updated.
Device HA authentication type for VRRP group %s maybe wrong. | A VRRP group’s Authentication Type (Md5 or IPSec AH) configuration may not match between the Backup and the Master. %s: The name of the VRRP group.
%s for %s due to transmission timeout.
VRRP interface %s has been shutdown. | %s: The name of the VRRP interface.
VRRP interface %s has been brought up. | %s: The name of the VRRP interface.
Name interface %s has been changed to BiDir.
RIP authentication has benn disabled. | RIP text or md5 authentication has been disabled.
RIP text authentication key has been deleted. | RIP text authentication key has been deleted.
LOG MESSAGE | DESCRIPTION
link %d md5 authentication of area | %s: Virtual-Link ID
Invalid OSPF virtual-link %s text authentication of area | Virtual-link %s text authentication has been set without setting text authentication key first. %s: Virtual-Link ID
Signal port of SIP ALG has been modified.
Register SIP ALG extra port=%d failed. | SIP ALG apply additional signal port failed. %d: Port number
Register SIP ALG signal port=%d failed. | SIP ALG apply signal port failed. %d: Port number
SCEP enrollment "%s" failed, CA "%s", URL "%s" | The device was unable to use SCEP to enroll a certificate. 1st %s is a request name, 2nd %s is the CA name, 3rd %s is the URL
"%s" from "My Certificate" successfully
Export X509 certificate "%s" from "Trusted Certificate" successfully | The device exported a x509 format certificate from Trusted Certificates. %s is the certificate request name.
CRL decoding failed.
CRL is not currently valid, but in the future.
CRL contains duplicate serial numbers.
Time interval is not continuous.
Time information not available.
Database method failed due to timeout.
Database method failed.
LOG MESSAGE | DESCRIPTION
Interface %s has been added. | An administrator added a new interface. %s: interface name.
Interface %s is enabled. | An administrator enabled an interface. %s: interface name.
Interface %s is disabled. | An administrator disabled an interface. %s: interface name.
CHAP authentication failed. | server does not support CHAP). CHAP: interface name.
Interface %s is connected. | A PPP or AUX interface connected successfully. %s: interface name.
"Incorrect PUK code of cellular%d. | You entered an incorrect PUK code so you were not able to unlock the SIM card for the cellular device associated with the listed cellular interface (%d). Please check the PUK code setting.
%s, but current inserted device is %s.
"Cellular device [%s %s] has been inserted into %s. | The cellular device (identified by its manufacturer and model) has been inserted in or connected to the specified slot.
Station association has failed. Maximum associations have reached the maximum number. Interface: %s, MAC: %s. | connect to the specified WLAN interface (first %s) because the WLAN interface already has its maximum number of wireless clients.
client. | DHCP client and has more than one member in its group. In this case the DHCP client will renew. %s: interface name.
Port Grouping %s has been changed. | An administrator configured port-grouping, %s: interface name.
DHCP clients, so there is no IP address to give to the listed DHCP client.
DHCP server offered %s to %s(%s) | The DHCP server feature gave the listed IP address to the computer with the listed hostname and MAC address.
Drop packet %s-%u.%u.%u.%u-%02X:%02X:%02X:%02X:%02X:%02X | The IP-MAC binding feature dropped an Ethernet packet. The interface the packet came in through and the sender’s IP address and MAC address are also shown.
%s#%u.%u.%u.%u#%02X:%02X:%02X:%02X:%02X:%02 | The interface the packet came in through, the sender’s IP address and MAC address, are also shown along with the binding type (“s” for static or “d” for dynamic).
User-Defined (IPSEC_TUNNEL) | The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service.
FINGER | Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.
This is the data channel.
RCMD | Remote Command Service.
REAL_AUDIO 7070 | A streaming audio service that enables real time sound over the web.
REXEC | Remote Execution Daemon.
RLOGIN | Remote Login.
RTELNET | Remote Telnet.
TFTP | Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol).
VDOLIVE 7000 | Another videoconferencing solution.
Appendix B Common Services
Windows XP
1 Click Start > Control Panel > Administrative Tools > Services.
Figure 528 Windows XP: Opening the Services Window
2 Select the Messenger service and click Start.
3 Close the window when you are done.
Windows 2000
1 Click Start > Settings > Control Panel > Administrative Tools > Services.
Figure 530 Windows 2000: Opening the Services Window
2 Select the Messenger service and click Start Service.
98 SE (steps are similar for Windows Me).
1 Right-click on the program task bar and click Properties.
Figure 533 Windows 98 SE: Program Task Bar
2 Click the Start Menu Programs tab and click Advanced ...
3 Double-click Programs and click StartUp.
4 Right-click in the StartUp pane and click New, Shortcut.
Figure 535 Windows 98 SE: StartUp
5 A Create Shortcut window displays. Enter “winpopup” in the Command line field and click Next.
6 Specify a name for the shortcut or accept the default and click Finish.
Figure 537 Windows 98 SE: Startup: Select a Title for the Program
7 A shortcut is created in the StartUp pane. Restart the computer when prompted.
Appendix C Displaying Anti-Virus Alert Messages in Windows
Figure 538 Windows 98 SE: Startup: Shortcut
The WinPopup window displays after the computer finishes the startup process (see Figure 532 on page 809).
In this appendix, you can import a public key certificate for:
• Internet Explorer on page 814
• Firefox on page 822
• Opera on page 827
• Konqueror on page 833
Figure 539 Internet Explorer 7: Certification Error
2 Click Continue to this website (not recommended).
Figure 540 Internet Explorer 7: Certification Error
3 In the Address Bar, click Certificate Error > View certificates.
Figure 541 Internet Explorer 7: Certificate Error
Appendix D Importing Certificates
4 In the Certificate dialog box, click Install Certificate.
Figure 542 Internet Explorer 7: Certificate
5 In the Certificate Import Wizard, click Next.
Figure 543 Internet Explorer 7: Certificate Import Wizard
Figure 545 Internet Explorer 7: Certificate Import Wizard
8 In the Select Certificate Store dialog box, choose a location in which to save the certificate and then click OK.
Figure 546 Internet Explorer 7: Select Certificate Store
9 In the Completing the Certificate Import Wizard screen, click Finish.
Figure 547 Internet Explorer 7: Certificate Import Wizard
10 If you are presented with another Security Warning, click Yes.
Figure 548 Internet Explorer 7: Security Warning
12 The next time you start Internet Explorer and go to a ZyXEL Web Configurator page, a sealed padlock icon appears in the address bar. Click it to view the page’s Website Identification information.
Figure 550 Internet Explorer 7: Website Identification
2 In the security warning dialog box, click Open.
Figure 552 Internet Explorer 7: Open File - Security Warning
3 Refer to steps 4-12 in the Internet Explorer procedure beginning on page 814 to complete the installation process.
1 Open Internet Explorer and click Tools > Internet Options.
Figure 553 Internet Explorer 7: Tools Menu
2 In the Internet Options dialog box, click Content > Certificates.
Figure 554 Internet Explorer 7: Internet Options
5 In the Root Certificate Store dialog box, click Yes.
Figure 557 Internet Explorer 7: Root Certificate Store
6 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
3 The certificate is stored and you can now connect securely to the Web Configurator. A sealed padlock appears in the address bar, which you can click to open the Page Info > Security window to view the web page’s security information.
Figure 559 Firefox 2: Page Info
Firefox 2: Select File
5 The next time you visit the web site, click the padlock in the address bar to open the Page Info > Security window to see the web page’s security information.
This section shows you how to remove a public key certificate in Firefox 2.
1 Open Firefox and click Tools > Options.
Figure 564 Firefox 2: Tools Menu
2 In the Options dialog box, click Advanced > Encryption > View Certificates.
Figure 565 Firefox 2: Options
4 In the Delete Web Site Certificates dialog box, click OK.
Figure 567 Firefox 2: Delete Web Site Certificates
5 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
3 The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page’s security details.
Figure 569 Opera 9: Security information
1 Open Opera and click Tools > Preferences.
Figure 570 Opera 9: Tools Menu
2 In Preferences, click Advanced > Security > Manage certificates.
Figure 571 Opera 9: Preferences
3 In the Certificates Manager, click Authorities > Import.
Figure 572 Opera 9: Certificate manager
4 Use the Import certificate dialog box to locate the certificate and then click Open.
Figure 573 Opera 9: Import certificate
Figure 575 Opera 9: Install authority certificate
7 The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page’s security details.
This section shows you how to remove a public key certificate in Opera 9.
1 Open Opera and click Tools > Preferences.
Figure 576 Opera 9: Tools Menu
2 In Preferences, click Advanced > Security > Manage certificates.
Figure 577 Opera 9: Preferences
4 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. There is no confirmation when you delete a certificate authority, so be absolutely certain that you want to go through with it before clicking the button.
Figure 580 Konqueror 3.5: Server Authentication
4 Click the padlock in the address bar to open the KDE SSL Information window and view the web page’s security details.
Figure 581 Konqueror 3.5: KDE SSL Information
Figure 584 Konqueror 3.5: Kleopatra
3 The next time you visit the web site, click the padlock in the address bar to open the KDE SSL Information window to view the web page’s security details.
4 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. There is no confirmation when you remove a certificate authority, so be absolutely certain you want to go through with it before clicking the button.
No part may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, except the express written permission of ZyXEL Communications Corporation. This Product includes ppp-2.4.2 software under the PPP License PPP License Copyright (c) 1993 The Australian National University.
Page 838
The University of Delaware makes no representations about the suitability this software for any purpose. It is provided "as is" without express or implied warranty. ZyWALL USG 300 User’s Guide...
Page 839
Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. ZyWALL USG 300 User’s Guide...
Page 840
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR ZyWALL USG 300 User’s Guide...
Page 841
POSSIBILITY OF SUCH DAMAGE. The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.] ZyWALL USG 300 User’s Guide...
Page 842
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This Product includes bind-9.2.3 software under the Internet Software Consortium and Nominum License ZyWALL USG 300 User’s Guide...
Page 843
THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY ZyWALL USG 300 User’s Guide...
Page 844
"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). ZyWALL USG 300 User’s Guide...
Page 845
(c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and
Page 846
Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS
Page 847
Portions of this software are based upon public domain software originally written at the National Center for Supercomputing Applications, University of Illinois, Urbana-Champaign. This Product includes libosip2, libgcgi-0.9.5 and gmp-4.1 software under LGPL license. GNU LESSER GENERAL PUBLIC LICENSE Version 2.1, February 1999
Page 848
License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs.
Page 849
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the
Page 850
GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library.
Page 851
(2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-
Page 852
License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would
Page 853
16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL,
Page 854
You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.
Page 855
License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)
Page 856
Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.
Page 857
Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY
Page 858
Original Code or Modifications or the combination of the Original Code and Modifications, in each case including portions thereof. 1.4. "Electronic Distribution Mechanism" means a mechanism generally accepted in the software development community for the electronic transfer of data.
Page 859
Original Code or another well known, available Covered Code of the Contributor's choice. The Source Code can be in a compressed or archival form, provided the appropriate decompression or de-archiving software is widely available for no charge. 1.12. "You" (or "Your")
Page 860
Modifications made by that Contributor with other software (except as part of the Contributor Version) or other devices; or 4) under Patent Claims infringed by Covered Code in the absence of Modifications made by that Contributor.
Page 861
If Contributor's Modifications include an application programming interface and Contributor has knowledge of patent licenses which are reasonably necessary to implement that API, Contributor must also include this information in the legal file. (c) Representations.
Page 862
Section 3.4 and must be included with all distributions of the Source Code. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it. 5. Application of this License.
Page 863
60 days notice from Participant terminate prospectively, unless if within 60 days after receipt of notice You either: (i) agree in writing to pay Participant a mutually agreeable reasonable royalty for Your past and future use of Modifications made by such Participant, or
Page 864
License shall be subject to the jurisdiction of the Federal Courts of the Northern District of California, with venue lying in Santa Clara County, California, with the losing party responsible for costs, including without limitation, court costs and reasonable
Page 865
Code files of the Original Code. You should use the text of this Exhibit A rather than the text found in the Original Code Source Code for Your Modifications. This Product includes unzip-5.50 and zip-2.3 software under Info-ZIP license
Page 866
• Info-ZIP retains the right to use the names "Info-ZIP," "Zip," "UnZip," "UnZipSFX," "WiZ," "Pocket UnZip," "Pocket Zip," and "MacZip" for its own source and binary releases. This Product includes libpcap-0.8.3, libnet-1.1.2.1, net-snmp-5.1.1, libpcap-0.9.4, and openssh-4.3p2 software under BSD license
Page 867
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
Page 868
Software shall at all times remain with copyright holders. OpenLDAP is a registered trademark of the OpenLDAP Foundation. Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted.
Page 869
(the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following
Page 870
EVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Page 871
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. NOTE: Some components of the ZyWALL USG 300 incorporate source code covered under the Apache License, GPL License, LGPL License, BSD...
Page 872
ZyXEL Communications Corporation at: ZyXEL Technical Support. End-User License Agreement for “ZyWALL USG 300” WARNING: ZyXEL Communications Corp. IS WILLING TO LICENSE THE ENCLOSED SOFTWARE TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS LICENSE AGREEMENT. PLEASE READ THE TERMS CAREFULLY BEFORE COMPLETING THE INSTALLATION PROCESS AS INSTALLING THE SOFTWARE WILL INDICATE YOUR ASSENT TO THEM.
Page 873
BUT SHALL IN NO EVENT EXCEED THE AMOUNT OF THE PRODUCT. BECAUSE SOME STATES/COUNTRIES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. 8. Export Restrictions
Page 874
License Agreement is found invalid or unenforceable by a court of competent jurisdiction, the remainder of this License Agreement shall be interpreted so as to reasonably effect the intention of the parties.
A and B can access the wired network and communicate with each other. When Intra-BSS is disabled, wireless clients A and B can still access the wired network but cannot communicate with each other.
An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate.
(AP) or wireless gateway, but out of range of each other, so they cannot "hear" each other; that is, they do not know if the channel is currently being used. Therefore, they are considered hidden from each other.
RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size. Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy.
RADIUS server. • Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients.
Page 881
Types of EAP Authentication
This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP. Your wireless LAN device may not support all authentication types.
Page 882
However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco.
Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA. Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication.
Page 884
WEP as it employs a consistent, single, alphanumeric password to derive a PMK which is used to generate unique temporal encryption keys. This prevents all wireless devices from sharing the same encryption keys (a weakness of WEP).
Page 885
4 The RADIUS server distributes the PMK to the AP. The AP then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys. The keys are used to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients.
4 The AP and wireless clients use the TKIP or AES encryption process, the PMK and information exchanged in a handshake to create temporal encryption keys. They use these keys to encrypt data exchanged between them. Figure 592 WPA(2)-PSK Authentication
An antenna in the frequency of 2.4GHz (IEEE 802.11b and IEEE 802.11g) or 5GHz (IEEE 802.11a) is needed to communicate efficiently in a wireless LAN.
Radiation Pattern
A radiation pattern is a diagram that allows you to visualize the shape of the antenna’s coverage area.
For a single AP application, place omni-directional antennas as close to the center of the coverage area as possible. For directional antennas, point the antenna in the direction of the desired coverage area.
During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the
Page 891
To obtain the services of this warranty, contact your vendor. You may also refer to the warranty policy for the region in which you bought the device at http://www.zyxel.com/web/support_warranty_info.php.
Registration
Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com.
Page 892
Appendix G Legal Information
FTP Access Point Name, see APN and NAT and policy routes 255, 256, 585 access point, see AP and SNMP access users 575, 577 and SSH custom page
Page 900
VoIP pass through signatures statistics tutorial trial service activation announcements updating signatures software virus Anomaly Detection and Prevention, see ADP virus types answer rings white list 455, 458 antenna Windows 98/Me requirements directional worm
Page 901
Authentication Header, see AH access control authentication method objects Apache-whitespace and users ASCII-encoding and WWW backdoor create bare byte encoding example base36-encoding where used buffer overflow authentication type 239, 641 Denial of Service (DoS)
Page 902
630, 636 black list importing anti-spam in IPSec in the VPN wizard Blaster not used for encryption bookmarks revoked boot module self-signed 622, 627 boot sector virus serial number 630, 635 bridge interfaces 180, 231
Page 903
65, 527 downloading copyright downloading with FTP CPU usage 153, 155 editing CTS (Clear to Send) how applied lastgood.conf 698, 700 current date/time 154, 652
Page 904
Distributed Denial of Service (DDoS) attacks copying configuration distributed port scans device role HA status 609, 610, 612 legacy mode 557, 565 213, 656 link monitoring address records management access domain name forwarders
Page 905
Encapsulating Security Payload, see ESP file infector encapsulation file manager and active protocol configuration overview IPSec file sharing SSL application transport mode create tunnel mode filter, MAC address encryption filtered port scan and anti-virus
Page 906
HSDPA FQDN HTTP fragmentation flag inspection 500, 507 fragmentation offset over SSL, see HTTPS redirect to HTTPS fragmentation threshold vs HTTPS fragmenting IPSec packets HTTP redirect front panel ports
Page 907
VPN monitor profile user name packet inspection profiles packet inspection signatures IM (Instant Messenger)
Page 908
DHCP 194, 241 subnet mask established in two phases trunks, see also trunks fragmentation types L2TP VPN virtual, see also virtual interfaces local network VLAN, see also VLAN interfaces local policy where used manual key
Page 909
IKE SA is disconnected session monitor IPSec VPN where used configuration overview WINS prerequisites see also IPSec interface tutorial IP address where used LAND attack ISP account lastgood.conf 698, 700 CHAP
Page 910
239, 641 logged in users Point-to-Point Encryption (MPPE) login Windows Plug-and-Play Service Remote Overflow custom page (MS-05-39) attack default settings model name SSL user monitor logo in SSL logout monitor profile SSL user Web Configurator logs
Page 911
(cost) Network Address Translation, see NAT routers, see OSPF routers virtual links network list, see SSL vs RIP 261, 263 network policy, see VPN connections OSPF areas 263, 264 Network Time Protocol (NTP)
Page 912
Diffie-Hellman key group and service groups Personal Identification Number code, see PIN code and services PFS (Perfect Forward Secrecy) 341, 363 ports phishing Post Office Protocol, see POP physical ports power off
Page 913
RADIUS 607, 608, 881 anti-virus advantages collecting data and IKE SA configuration overview and PPPoE content filtering and users daily message types daily e-mail messages
Page 915
Manager user screens logout managers user screens required information 685, 686 user screens system requirements network components WINS SSL application object Trap file sharing traps file sharing application versions remote user screen links Snort summary
Page 916
SSL user session flag bits stopping the ZyWALL 55, 56 port numbers streaming protocols management portscan strict source routing portsweep stub area SYN (synchronize) STUN SYN flood and ALG window size
Page 918
154, 163 mutation default lease time polymorphic default reauthentication time scan default type for Ext-User Ext-User (type) VLAN groups, see user groups advantages Guest (type) and MAC address lease time
Page 919
ID (VR ID) security VRRP groups SSID and interfaces wireless security 207, 880 and to-ZyWALL firewall Wizard Setup authentication WLAN role (desired) interference see also VRRP security parameters see also wireless worm 450, 474 attacks
Page 920
SSH and Telnet and VPN 108, 273 and WWW block intra-zone traffic 276, 323 configuration overview default extra-zone traffic inter-zone traffic intra-zone traffic prerequisites types of traffic where used ZyWALL terminology differences ZyXEL web site