ZyXEL Communications ZyWALL USG Series Application Notes

Unified security gateway

ZyWALL USG Series
Unified Security Gateway
Version 4.10
Edition 1, 05/2014
Application Notes
Copyright © 2014 ZyXEL Communications Corporation

Summary of Contents for ZyXEL Communications ZyWALL USG Series

  • Page 1 ZyWALL USG Series Unified Security Gateway Version 4.10 Edition 1, 05/2014 Application Notes Copyright © 2014 ZyXEL Communications Corporation...
  • Page 2: Table Of Contents

    ZyXEL – USG Application Notes Table of Contents Scenario 1 — Connecting your USG to the Internet ........4 1.1 Application Scenario ..................4 1.2 Configuration Guide ..................4 Scenario 2 — WAN Load Balancing and Customized Usage of WAN Connection for Specific Traffic --Dual WAN setting ........
  • Page 3 ZyXEL – USG Application Notes Scenario 11 –configure unified policy (firewall policy + UTM profile) ..70 11.1 Application Scenario ..................71 11.2 Configuration Guide ..................71 Scenario 12 – Block HTTPs web site by Content Filter ......74 12.1 Application Scenario ..................74 12.2 Configuration Guide ..................
  • Page 4 ZyXEL – USG Application Notes Tutorial 1: How to Set Up Your Network ............. 98 1.1 Wizard Overview ..................98 1.2 How to Configure Interfaces, Port Roles, and Zones ......98 1.3 How to Configure a Cellular Interface ..........101 1.4 How to Set Up a Wireless LAN ............
  • Page 5: Scenario 1 - Connecting Your Usg To The Internet

    ZyXEL – USG Application Notes Scenario 1 — Connecting your USG to the Internet 1.1 Application Scenario Nowadays, many Internet service providers offer an IPv6 environment. With an IPv6 feature enabled on the USG, it can assign an IPv6 address to clients and pass IPv6 traffic through IPv4 environment to access a remote IPv6 network.
  • Page 6 ZyXEL – USG Application Notes Step 2: Setting the static IP on WAN1 Configuration > Interface > Ethernet > double-click on WAN1 interface and configure with static IP address 59.124.163.150. Step 3: Setting IPv6 IP address on LAN1 (1) Configuration > Interface > Ethernet > double-click LAN1 interface in IPv6 configuration.
  • Page 7 ZyXEL – USG Application Notes (2) Convert WAN1 IP address to hexadecimal. 59.124.163.150(Decimal) = 3b7c:a396(Hex). Fill-in 2002:3b7c:a396::1/128 in the prefix table as the LAN interface IPv6 address. (3) Check the IPv6 Router Advertisement Setting box and add the prefix in the Advertised Prefix Table.
  • Page 8 ZyXEL – USG Application Notes (2) Select 6to4 as the Tunnel Mode. (3) Check the Prefix in the 6to4 Tunnel Parameter. (4) Select the WAN1 interface as the gateway in the Gateway Setting.
  • Page 9: Scenario 2 - Wan Load Balancing And Customized Usage Of Wan

    ZyXEL – USG Application Notes Scenario 2 — WAN Load Balancing and Customized Usage of WAN Connection for Specific Traffic -- Dual WAN setting 2.1 Application Scenario The company has two WAN connections for sharing outbound internet traffic. WAN1 uses a static IP address, and WAN2 uses a PPPoE connection. Since WAN1 ISP is also the company’s VoIP provider, the network administrator wants VoIP traffic primarily sent out over WAN1.
  • Page 10 ZyXEL – USG Application Notes Load Balancing algorithm. USG configuration Step 1. Configure a PPPoE account on WAN2 interface. (1) Go to CONFIGURATION > Object > ISP Account, add a PPPoE account: (2) Go to CONFIGURATION > Network > Interface > PPP, add a new PPP interface, which is based on WAN 2 interface:...
  • Page 11 ZyXEL – USG Application Notes Step 2. Go to CONFIGURATION > Network > Interface > Trunk. Add WAN Trunks. (1) Add WAN trunk for VoIP traffic — Set WAN1 as Active mode, while setting WAN2_ppp as Passive mode. (2) Add WAN trunk for HTTP traffic — Set WAN2_ppp as Active mode, while setting WAN1 as Passive mode.
  • Page 12 ZyXEL – USG Application Notes routes for VoIP traffic and HTTP traffic. (1) Add a policy route for VoIP traffic: Source: LAN1_subnet Destination: Any Service: SIP Next Hop: select the newly created WAN trunk WAN_Trunk_VoIP Please note that to make sure this policy route applies to all VoIP traffic, including both the SIP signaling and RTP (voice data), we need to enable SIP ALG.
  • Page 13 ZyXEL – USG Application Notes (3) For all other traffic, use SYSTEM_DEFAULT_WAN_TRUNK to perform load balancing. Go to Configuration > Network > Interface > Trunk. Click on Show Advanced Settings. Make sure Default SNAT is enabled. Select SYSTEM_DEFAULT_WAN_TRUNK in Default Trunk Selection.
  • Page 14: Scenario 3 - How To Configure Nat If You Have Internet-Facing Public Servers

    ZyXEL – USG Application Notes Scenario 3 — How to Configure NAT if you have Internet-facing Public Servers 3.1 Application Scenario It is a common practice to place company servers behind the USG’s protection; while at the same time letting WAN side clients/servers access the intranet servers. To give an example, the company may have an internal FTP server, which needs to be accessible from the Internet as well.
  • Page 15 ZyXEL – USG Application Notes Step 2. Click on the Add button to create a mapping rule. Step 3. In this page, the user needs to configure: - Rule’s name - Select Virtual Server type to let USG-50 do packet forwarding - Fill-in the Original IP (WAN IP) address - Fill-in the Mapped IP (Internal FTP server IP) address - Select the service to be mapped (FTP);...
  • Page 16 ZyXEL – USG Application Notes Step 6. The user can create an address object for the internal FTP server for further configuration usage. Click on Create new Object for this function. Step 7. Configure the rule to: - Allow access from WAN to LAN1 - Source IP address is not specific - Destination IP address is the FTP server’s address - Select FTP service (with port 20/21) to be enabled...
  • Page 17 ZyXEL – USG Application Notes Step 8: Click on the OK button, you will see the rule in policy control.
  • Page 18: Scenario 4 - Secure Site-To-Site Connections By Using Ipsec Vpn - Ipv4 With Ikev2 / Ipv6

    ZyXEL – USG Application Notes Scenario 4 — Secure Site-to-site Connections using IPSec VPN – IPv4 with IKEv2 / IPv6 4.1 Application Scenario IPv4 with IKEv2 We want to use IKEv2 to establish a VPN tunnel between the HQ and Branch Office. IPv6 (with IKEv2 only) ISP has changed the environment to IPv6.
  • Page 19 ZyXEL – USG Application Notes USG-40W with PPPOE WAN: - PPPOE IP: 220.137.67.76 - Local subnet: 192.168.200.0/24 IPSec VPN Conditions: Phase 1: Phase 2: IKE version: IKEv2 Active Protocol: ESP Authentication: 1234567890 Encapsulation Mode: Tunnel Local/Peer ID type: IPv4 0.0.0.0 / Any Encryption Algorithm: DES Encryption Algorithm: 3DES Authentication Algorithm: SHA1...
  • Page 20 ZyXEL – USG Application Notes...
  • Page 21 ZyXEL – USG Application Notes Step 4. Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection to open the configuration screen to configure the phase-2 rule. Step 5. Click on the Add button to add a rule. Step 6. To configure the phase-2 rule, the user needs to fill-in: - VPN connection name - VPN gateway selection -Policy for...
  • Page 22 ZyXEL – USG Application Notes...
  • Page 23 ZyXEL – USG Application Notes Step 7. After setting the rule, the user can select the rule and click on the Connect button to establish the VPN link. Once the tunnel is established, a connected icon will be displayed in front of the rule. ...
  • Page 24 ZyXEL – USG Application Notes VPN > VPN Connection. VPN Gateway: USG1_GW Local policy: 2002:3b7c:a397:2222::/64 Remote policy: 2002:3b7c:a397:1111::/64 Step 3. Add an IPV6 VPN phase I on USG2. Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway. My Address: 2002:3b7c:a397:2:b2b2:dcff:fe70:c1d6 Peer Gateway Address: 2002:3b7c:a397:2:ee43:f6ff:fefc:c4b3 Pre-Shared Key: 12345678 Step 4.
  • Page 25 ZyXEL – USG Application Notes VPN > VPN Connection. VPN Gateway: USG2_GW Local policy: 2002:3b7c:a397:1111::/64 Remote policy: 2002:3b7c:a397:2222::/64 Step 5. When the VPN tunnel is established, the user can find the SA information on MONITOR > VPN MONITOR > IPSec.
  • Page 26: Scenario 5 - Connect To Usg By Using Ipsec Ikev2 In Windows 7

    ZyXEL – USG Application Notes Scenario 5 — Connect to USG using IPSec IKEv2 in Windows 7 5.1 Application Scenario usg210.dyndns-ip.com 192.168.100.1/24 INTERNET 192.168.100.0/24 Windows 7 supports IPSec IKEv2 with certificate authentication. This section provides information on how to configure the IKEv2 (Internet Key Exchange) on a Windows 7 PC via certificates.
  • Page 27 ZyXEL – USG Application Notes Step 2. Go to CONFIGURATION > Object > User/Group to create a user account. Add this account into IKEv2 users group object. This group object will be used in IPSec VPN phase-1 EAP (Extended Authentication Protocol) field.
  • Page 28 ZyXEL – USG Application Notes Step 3. Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway to open the configuration screen. Step 4. Click on the Add button to add a VPN gateway rule. Step 5. To configure the VPN gateway rule, the user needs to fill-in: - VPN gateway name: - IKE Version: IKEv2 - Gateway address: both local (My Address) and peer (Dynamic Address)
  • Page 29 ZyXEL – USG Application Notes Step 6. Go to CONFIGURATION > Object > Address to create an address object. This...
  • Page 30 ZyXEL – USG Application Notes address object's IP address will be assigned to the Windows IKEv2 client's machine. Step 7. Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection to open the configuration screen to configure the phase-2 rule. Step 8.
  • Page 31 ZyXEL – USG Application Notes...
  • Page 32 ZyXEL – USG Application Notes Step 10. Export the certificate, which was generated in step 1, and save it to the Windows 7 machine. Step 11. In the Windows 7 machine, go to Start > mmc >...
  • Page 33 ZyXEL – USG Application Notes Step 12. In the mmc console, click on File > Add/Remove Snap-in... >...
  • Page 34 ZyXEL – USG Application Notes Step 13. In the left panel, select the Certificates and click on the Add button. Step 14. Select the Computer account > Next button > select Local computer > Finish button > OK button.
  • Page 35 ZyXEL – USG Application Notes Step 15. Open up the Certificates (Local Computer) > Trusted Root Certification Authorities > right-click on Certificate > All Tasks > Import.
  • Page 36 ZyXEL – USG Application Notes Step 16. Select the certificate, which was generated by the USG.
  • Page 37 ZyXEL – USG Application Notes Step 17. Create the Windows IPSec connection profile.
  • Page 38 ZyXEL – USG Application Notes Step 18. Modify the IPSec connection profile. Go to Security > Type of VPN: IKEv2 Data encryption: Requires encryption (disconnect if server declines) Authentication: Use Extensible Authentication Protocol (EAP)
  • Page 39 ZyXEL – USG Application Notes Step 19. Modify IPSec connection profile. Go to Networking > and disable the TCP/IPv6 checkbox. Note: USG 4.10 firmware does not support multiple proposals. It only supports IPv4 proposal selection. Step 20. Establish the IPSec tunnel from the Windows 7 machine, and the tunnel will be established successfully.
  • Page 40 ZyXEL – USG Application Notes...
    ZyXEL – USG Application Notes Scenario 6 — GRE over IPSec VPN Tunnel –VPN Failover 6.1 Application scenario We want to use VPN tunnels to transfer important files between the branch Office and HQ. To prevent the network from getting disconnected, we configure four WAN interfaces to do redundancy.
  • Page 42 a. Add the first tunnel IP Address: 10.0.0.1, Subnet Mask: 255.255.255.0 My Address: WAN1, Remote Gateway Address: 192.168.3.33 Place a check in the Enable Connectivity Check checkbox. Ensure that the Address is the remote GRE tunnel interface. b. Add the second tunnel IP Address: 10.10.0.2, Subnet Mask: 255.255.255.0 My Address: WAN2, Remote Gateway Address: 192.168.4.33...
  • Page 43 Place a check in the Enable Connectivity Check checkbox. Ensure that the Address is the remote GRE tunnel interface. Step 2. Add a GRE tunnel trunk on USG1. Go to CONFIGURATION > Network > Interface > Trunk. gre_trunk member: tunnel0: Active tunnel1: Passive...
  • Page 44 Step 3. Add two IPSec VPN tunnels on USG1. Go to CONFIGURATION > VPN > IPSec VPN. a. Add two VPN gateway policies. First VPN Gateway policy (USG1 wan1 to USG2 wan1) My Address: wan1, Peer Gateway Address: 192.168.3.33 Pre-Shared Key: 12345678...
  • Page 45 Secondary Gateway policy (USG1 wan2 to USG2 wan2) My Address: wan2, Peer Gateway Address: 192.168.4.33 Pre-Shared Key: 12345678 b. Add two VPN Connections First VPN Connection Enable Nailed-Up Application Scenario: Site-to-Site VPN Gateway: GRE0_GW Local policy: 192.168.1.33 Remote policy: 192.168.3.33...
  • Page 46 Enable GRE over IPSec Second VPN Connection Enable Nailed-Up Application Scenario: Site-to-Site VPN Gateway: GRE1_GW Local policy: 192.168.2.33 Remote policy: 192.168.4.33 Enable GRE over IPSec...
  • Page 47 Step 4. Add a policy route on USG1. Go to CONFIGURATION > Network > Routing. Source: LAN1_Subnet Destination: Remote subnet Next-Hop: gre_trunk SNAT: none...
  • Page 48 Step 5. Add two GRE tunnels on the USG2. Go to CONFIGURATION > Tunnel. a. Add the first tunnel IP Address: 10.0.0.3, Subnet Mask: 255.255.255.0 My Address: WAN1, Remote Gateway Address: 192.168.1.33 Place a check in the Enable Connectivity Check checkbox. Ensure that the Address is the remote GRE tunnel interface.
  • Page 49 b. Add the second tunnel IP Address: 10.10.0.4, Subnet Mask: 255.255.255.0 My Address: WAN2, Remote Gateway Address: 192.168.2.33 Place a check in the Enable Connectivity Check checkbox. Ensure that the Address is the remote GRE tunnel interface.
  • Page 50 Step 6. Add a GRE tunnel trunk on USG2. Go to CONFIGURATION > Network > Interface > Trunk. gre_trunk member: tunnel0: Active tunnel1: Passive Step 7. Add two IPSec VPN tunnels on USG2. Go to CONFIGURATION > VPN > IPSec VPN.
  • Page 51 a. Add two VPN Gateways. First VPN Gateway My Address: wan1, Peer Gateway Address: 192.168.1.33 Pre-Shared Key: 12345678 Second VPN Gateway My Address: wan2, Peer Gateway Address: 192.168.2.33 Pre-Shared Key: 12345678 b. Add two VPN Connections. First VPN connection Application Scenario: Site-to-Site VPN Gateway: GRE0_GW Local policy: 192.168.3.33...
  • Page 52 Remote policy: 192.168.1.33 Enable GRE over IPSec Second VPN connection Enable Nailed-Up Application Scenario: Site-to-Site VPN Gateway: GRE1_GW Local policy: 192.168.4.33 Remote policy: 192.168.2.33 Enable GRE over IPSec...
  • Page 53 Step 8. Add a policy route on USG2. Go to CONFIGURATION > Network > Routing. Source: LAN1_Subnet Destination: Remote subnet Next-Hop: gre_trunk SNAT: none...
  • Page 55: Scenario 7 - Deploying Ssl Vpn For Tele-Workers To Access Company Resources -Ssl Vpn With Apple Mac Osx

    Scenario 7 - Deploying SSL VPN for Tele-workers to Access Company Resources – SSL VPN with Apple Mac OS X 7.1 Application Scenario Tele-workers who work away from the office sometimes need to access company resources in a secure way. The USG supports hybrid VPN for client dial-up and provides an SSL VPN function, which allows tele-workers to access company resources through a secured VPN tunnel with little effort.
  • Page 56 Step 3. Go to Configuration > Object > SSL Application, add a web link with the URL for the SSL VPN client to access. Step 4. Go to Configuration > VPN > SSL VPN > Access Privilege (1) Add one SSL VPN rule and select User/Group Objects with “test” and SSL Application “Test” which you have already created.
  • Page 57 Step 5. Establish an SSL VPN on Apple Mac OS X (1) When establishing an SSL VPN on Apple Mac OSX, the Status will become “Connected”, and you can check the IP address information in the details. In the first tab – “Traffic Graph”, it will automatically scale to match the maximum traffic rate. (2) In the second tab –...
  • Page 58 (3) In the third tab – “Log”, the log will contain important information if you are having trouble connecting.
  • Page 59: Scenario 8 - Reserving Highest Bandwidth Management Priority For Voip Traffic

    Scenario 8 — Reserving Highest Bandwidth Management Priority for VoIP traffic 8.1 Application Scenario In an enterprise network, there are various types of traffic. But the company Internet connection bandwidth is limited to a specific value. All this traffic will contend to use the limited bandwidth, which may result in some important traffic, for example, VoIP traffic getting slow or even starved.
  • Page 60 priority. When this option is enabled the system ignores the bandwidth management settings of all application patrol rules for SIP traffic and does not record SIP traffic bandwidth usage statistics.
  • Page 61: Scenario 9 - Reserving Highest Bandwidth Management Priority For A Superior User And Control Session Per Host - Bwm Per Ip Or Per User

    Scenario 9 - Reserving Highest Bandwidth Management Priority for a Superior User and Control Session per Host – BWM Per IP or Per User 9.1 Application Scenario In an enterprise network, there are various types of traffic. But the company Internet connection bandwidth is limited to a specific value.
  • Page 62 (2) Inbound = 2000Kbps, Outbound = 2000Kbps, Priority = 1 Step 2. Go to Configuration > BWM > Enable BWM function. Step 3. Use the PC’s IP address of “192.168.1.33” to connect to the USG. Visit the website http://www.speedtest.net/ to test the speed.
  • Page 63 Step 4. Use the PC’s IP address of “192.168.1.40” to connect to the USG. Visit the website http://www.speedtest.net/ to test the speed. The test result is around 2 Mbps, which is the same as our setup to manage 2 Mbps per source IP. BWM Per User - Step 1.
  • Page 64 (2) Add these two accounts “user-phone” and “user-pc” into the group “user_local”. Step 2. Go to Configuration > BWM > Add the policy to limit the bandwidth by BWM type – Per user. (1) BWM Type: Per user, User: user_local (2) Inbound = 2000Kbps, Outbound = 2000Kbps, Priority = 1...
  • Page 65 Step 3. Go to Configuration > BWM > Enable BWM function. Step 4. Verify with the “user-phone” account. (1) Enter the “user-phone” user name and password and Login. (2) Visit the website “http://www.speedtest.net/” to test the speed. The test result is around 2 Mbps, which is the same as our setup to manage 2 Mbps per user.
  • Page 67: Scenario 10 - Using Usg To Control Popular Applications -App Patrol

    Scenario 10 - Using USG to Control Popular Applications –APP Patrol 10.1 Application Scenario In the company, the network administrator will need to control access to the Internet for internal managers and employees. The USG’s Application Patrol function can take corresponding actions according to the configuration in App Patrol.
  • Page 68 Step 3. Go to Configuration > UTM Profile > App Patrol > Profile > Add rule For example Name: teamviewer_rule. Step 4. Go to Profile Management > Add Application For example Application: choose the application object of “Teamviewer” which you have already created. Action: drop Log: log >...
  • Page 69 Step 5. Go to Configuration > Security policy > Policy Control > Policy > Add corresponding > Enable rule For example Name: teamviewer_drop From: LAN1 UTM Profiles: Enable Application Patrol: choose the application profile of “teamviewer_rule” which you have already created. Log: by profile >...
  • Page 71: Scenario 11 -Configure Unified Policy (Firewall Policy + Utm Profile)

    Scenario 11 – Configure Unified Policy (Firewall Policy + UTM Profile) Introduction: The unified policy merges the firewall rule with the UTM functions. The flow checks the firewall rule first, and then checks the UTM function. If the packets are already dropped by the firewall rule, the UTM rule is not checked any more.
  • Page 72: Application Scenario

    11.1 Application Scenario The customer wants to block Skype and all social networks in LAN1. 11.2 Configuration Guide (1) Add a Skype object in Application. Go to Configuration > Object > Application, and click on the “Add” button. (2) Add to the App Patrol profile...
  • Page 73 Go to Configuration > UTM profile > App Patrol, and click on the “Add” button to add the application object into the profile. (3) Add a social network in the Content Filter function to drop social networks. (4) Add an SSL inspection rule to drop the SSL websites used to access the social network. Go to Configuration >...
  • Page 74 After configuring these rules, you can drop Skype and all of the social networks successfully.
  • Page 75: Scenario 12 - Block Https Web Site By Content Filter

    Scenario 12 – Block HTTPS Websites by Content Filter Introduction: The Content Filter function can distinguish between websites by categories. Since the Content Filter does not know that the traffic has already been encrypted, HTTPS websites cannot be detected. But now we can use the “SSL Inspection”...
  • Page 76 The default setting of “Action Managed Web Page” is “Block”. In the Managed Categories select “Search Engines/ Portals” to block the search engine. (3) After creating the SSL Inspection and Content Filter profiles, go to the Policy Control function to set up the rule.
  • Page 77 Verification: Access to https:yahoo.com...
  • Page 78: Scenario 13: Single Sign-On With Usg And Windows Platform

    Scenario 13: Single Sign-on with USG and Windows Platform 13.1 Application Scenario When the employee’s PC is connected to the company’s network, usually he needs to login to the domain first, and then login to the USG with the same username and password again, to pass the web authentication before accessing the Internet and the company’s resources.
  • Page 79 1. Go to Active Directory Users and Computers to create a new domain account and add it to the group of "Domain Admins". Example: ssoadmin Create some domain users. Example: Amy SSO Agent Installation 1. Prepare the package of SSO Agent. 2.
  • Page 80 3. Install Visual C++ Double-click on the “vcredist_x86.exe”.
  • Page 81 4. Double-click on "SSOAgentInstaller.exe" to install SSO Agent. Click on “Next” to proceed.
  • Page 82 Select a folder or setup with default location and click on “Next”. In this scenario, SSO Agent is installed on the Domain Controller. Select “DC”.
  • Page 83 Click on “Next” to start the installation. A dialog box called “Set SSO Agent Service” will pop up. Enter the Domain\Username and password of the domain account that was created in Domain Controller configuration. Click on “OK” to continue.
  • Page 84 SSO Agent is installed successfully. SSO Agent Installation 1. Click on “Configure ZyXEL SSO Agent”.
  • Page 85 2. Click on “Configure” to configure the LDAP query to get group information of users from the Active Directory. Configure the IP address of the AD server, Base DN, and Bind DN.
  • Page 86 Under Gateway Settings, click on “Add” to configure the IP address of the USG and the Pre-Shared Key. Enable SSO service.
  • Page 87 When the SSO service is started successfully, the icon is enabled. USG Configuration 1. Go to CONFIGURATION > Object > AAA server > Active Directory > Edit Active Directory. Configure the AD server that has the same settings as step 2 of “SSO Agent Installation”. 2.
  • Page 88 3. Go to CONFIGURATION > Object > Auth. Method and add “group ad” in the default authentication method. 4. Go to CONFIGURATION > Web Authentication > SSO. Fill-in the Pre-Shared Key which is configured in the SSO Configuration. 5. Go to CONFIGURATION > Web Authentication > Web Authentication Policy Summary to add a new authentication policy.
  • Page 89 Verification 1. On the client's laptop, login using the domain account "Amy". Example: CSO\Amy Open the browser or application on the client's laptop to trigger traffic to pass to the USG. The client “Amy” can surf the Internet directly without extra authentication. 2.
  • Page 90 3. Check the Logon user lists on the SSO Agent. The user “Amy” is in the logon list. 4. Go to MONITOR > System Status > Login Users. The client “Amy” is on the current user list with type SSO.
  • Page 91: Scenario 14 - Wlan Controller Function On Usg

    Scenario 14 – WLAN Controller Function on USG 14.1 Application Scenario USG with 4.10 firmware supports the AP controller function. You can follow the steps to control your AP device. 14.2 Configuration Guide Management of external AP device (1) Add an SSID object on the device Go to Configuration >...
  • Page 92 (3) Connect your AP to the LAN interface (this document is using NWA 3560-N to test). a. The AP must be set to managed mode. b. After the connection is successful, the NWA will start upgrading its firmware from the USG. After the firmware is upgraded successfully, you will see the MAC address and model name in the GUI.
  • Page 93 Management of Local AP interface (Only for USG40W & USG60W) (1) Add 2 SSIDs in the SSID list (LAN1 and LAN2 subnet) Go to Configuration > Object > AP Profile > SSID > SSID list and click on the “Add” button to create SSID object. Disable “VLAN support”...
  • Page 94 2.4G Band 5G Band (3) Apply AP profiles to the Local AP interface Go to Configuration > Wireless > AP Management and click the local AP (IP address is 172.0.0.1) to edit the rule. Apply the AP profiles to this rule. Verification: If you have connected to For_LAN1 SSID, then you will get the LAN1 subnet IP address.
  • Page 96: Scenario 15 - Device Ha On The Usg

    Scenario 15 – Device HA on the USG 15.1 Application Scenario Setup the Device HA environment. Master device Backup device WAN interface IP 10.59.3.100/24 10.59.3.100/24 WAN Management IP 10.59.3.101/24 10.59.3.102/24 LAN1 Interface IP 192.168.1.1/24 192.168.1.1/24 LAN1 Management IP 192.168.1.11/24 192.168.1.12/24 Cluster ID 15.2 Configuration Guide On Master setting:...
  • Page 97 (2) Go to Configuration > Device HA > Activate-Passive Mode to add the management interface on the master device. The Device Role must be set as “Master”. WAN management IP address is: 10.59.3.101 LAN management IP address is: 192.168.1.11 (3) Go to Configuration > Device HA > General to enable the Device HA function. After you have enabled the Device HA function, you will see the interface that was monitored above.
  • Page 98 (6) Go to Configuration > Device HA > General to enable the Device HA function. After you have enabled the Device HA function, you will see the interface that was monitored above. Verification: You can check the status of the Device HA in the GUI. The status of the master device will be “Master/Activate”.
  • Page 99: Tutorial 1: How To Set Up Your Network

    Tutorial 1: How to Set Up Your Network Here are examples of using the Web Configurator to set up your network in the USG. Note: The tutorials featured here require a basic understanding of connecting to and using the Web Configurator.
  • Page 100: Configure A Wan Ethernet Interface

    • Add P5 (lan2) to the DMZ interface (Note: In USG 20/20W , use P4 (lan2) instead of P5 in this example). The DMZ interface is used for a protected local network. It uses IP address 192.168.3.1 and serves as a DHCP server by default. •...
  • Page 101: Configure Zones

    Under P5 select the dmz (DMZ) radio button and click Apply. 1.2.3 Configure Zones In this example you have created a WIZ_VPN tunnel through the Quick Setup - VPN Setup wizard. By default, it is assigned to the IPSec_VPN zone. Do the following to move WIZ_VPN from the IPSec_VPN zone to a new zone.
  • Page 102: How To Configure A Cellular Interface

    Then you can configure firewall rules to apply specific security settings to this VPN zone. 1.3 How to Configure a Cellular Interface Use 3G cards for cellular WAN (Internet) connections. See www.zyxel.com for a supported 3G card. In this example you connect the 3G USB card before you configure the cellular interfaces, but it is also possible to reverse the sequence.
  • Page 103 Note: The Network Selection is set to auto by default. This means that the 3G USB modem may connect to another 3G network when your service provider is not in range or when necessary. Select Home to have the 3G device connect only to your home network or local service provider.
  • Page 104: How To Set Up A Wireless Lan

    1.4 How to Set Up a Wireless LAN This tutorial applies only to models that include wireless LAN. You can configure different interfaces to use on the wireless LAN card. This lets you have different wireless LAN networks using different SSIDs. You can configure the WLAN interfaces before or after you install the wireless LAN card.
  • Page 105 USG can use its default authentication method (the local user database) and its default certificate to authenticate the users. Configure the interface’s IP address and set it to DHCP Server. Click OK. Turn on the wireless LAN and click Apply. Configure your wireless clients to connect to the wireless network.
  • Page 106 1.4.2.1 Wireless Clients Import the USG’s Certificate You must import the USG’s certificate into the wireless clients if they are to validate the USG’s certificate. Use the Configuration > Object > Certificate > Edit screen to export the certificate the USG is using for the WLAN interface. Then do the following to import the certificate into each wireless client computer.
  • Page 107 Repeat the steps to import the certificate into each wireless client computer that is to validate the USG’s certificate when using the WLAN interface. 1.4.2.2 Wireless Clients Use the WLAN Interface Wireless clients enter their username and password when they connect to the wireless network.
  • Page 108 1.5 How to Configure Ethernet, PPP, VLAN, Bridge and Policy Routing The following table describes when to configure the Ethernet, PPP, VLAN, Bridge screens under Configuration > Network > Interface and the Configuration > Network > Routing > Policy Routing screen.
  • Page 109: How To Set Up Ipv6 Interfaces For Pure Ipv6 Routing

    1.6 How to Set Up IPv6 Interfaces For Pure IPv6 Routing This example shows how to configure your USG Z’s WAN and LAN interfaces, which connect two IPv6 networks. USG Z periodically advertises a network prefix of 2006:1111:1111:1111::/64 to the LAN through router advertisements.
  • Page 110 In the CONFIGURATION > Network > Interface > Ethernet screen, double-click the lan1 in the IPv6 Configuration section. The Edit Ethernet screen appears. Select Enable Interface and Enable IPv6. Select Enable Router Advertisement and click Add and configure a network prefix for the LAN1 (2006:1111:1111:1111::/64 in this example).
  • Page 111 1.6.3.2 Setting Up the WAN IPv6 Interface In the Configuration > Network > Interface > Ethernet screen’s IPv6 Configuration section, double-click the wan1. The Edit Ethernet screen appears. Select Enable Interface and Enable IPv6. Click Create new Object to add a DHCPv6 Request object with the Prefix Delegation type. Select Enable Auto-Configuration.
  • Page 112 1.6.3.3 Setting Up the LAN Interface In the Configuration > Network > Interface > Ethernet screen, double-click the lan1 in the IPv6 Configuration section. The Edit Ethernet screen appears. Click Show Advanced Settings to display more settings on this screen. Select Enable Interface and Enable IPv6.
  • Page 113 1.6.4 Test Connect a computer to the USG’s LAN1.
  • Page 114: How To Set Up An Ipv6 6To4 Tunnel

    Enable IPv6 support on your computer. In Windows XP, you need to use the IPv6 install command in a Command Prompt. In Windows 7, IPv6 is supported by default. You can enable IPv6 in the Control Panel > Network and Sharing Center >...
  • Page 115 the LAN1 network address is assigned to use 2002:7a64:dcee:1::/64 and the LAN1 IP address is set to 2002:7a64:dcee:1::111/128. A relay router R (192.99.88.1) is used in this example in order to forward 6to4 packets to any unknown IPv6 addresses. 1.7.1 Configuration Concept After the 6to4 tunnel settings are complete, IPv4 and IPv6 packets transmitted between WAN1 and LAN1 will be handled by the USG through the following flow.
  • Page 116 1.7.3 Setting Up the 6to4 Tunnel Click Add in the CONFIGURATION > Network > Interface > Tunnel screen. The Add Tunnel screen appears. Select Enable. Enter tunnel0 as the Interface Name and select 6to4 as the Tunnel Mode. In the 6to4 Tunnel Parameter section, this example just simply uses the default 6to4 Prefix, 2002::/16.
  • Page 117 1.7.4 Testing the 6to4 Tunnel Connect a computer to the USG’s LAN1. Enable IPv6 support on your computer. In Windows XP, you need to use the IPv6 install command in a Command Prompt. In Windows 7, IPv6 is supported by default. You can enable IPv6 in the Control Panel > Network and Sharing Center >...
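The 6to4 address layout behind the prefixes used in this section, as an added Python example (not ZyXEL code): it derives the site /48 and a LAN /64 from a WAN IPv4 address, recovers the WAN address embedded in the notes' LAN1 prefix 2002:7a64:dcee:1::/64, and picks the outer IPv4 next hop the way a 6to4 router does (the embedded endpoint for 2002::/16 destinations, the relay router for everything else). The relay address 192.99.88.1 is the one the notes give; the subnet id and the sample destination addresses are constructed.

```python
"""6to4 address derivation and tunnel next-hop selection (RFC 3056).

Added example for the 6to4 tunnel set-up described above; it is not
ZyXEL code. The WAN IPv4 address is recovered from the LAN1 prefix the
notes use (2002:7a64:dcee:1::/64); the relay router 192.99.88.1 is the
value given in the notes.
"""
import ipaddress
from typing import Optional

# Default 6to4 prefix selected in the Add Tunnel screen.
SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")


def sixto4_site_prefix(wan_ipv4: str) -> ipaddress.IPv6Network:
    """Return the /48 a 6to4 site owns: 2002:<32-bit WAN IPv4>::/48."""
    v4 = int(ipaddress.IPv4Address(wan_ipv4))
    # 0x2002 occupies the top 16 bits, the IPv4 address bits 16..47.
    site = (0x2002 << 112) | (v4 << 80)
    return ipaddress.IPv6Network((site, 48))


def sixto4_lan_prefix(wan_ipv4: str, subnet_id: int) -> ipaddress.IPv6Network:
    """Return one /64 inside the site /48; subnet_id is the 16-bit SLA field."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id must fit in 16 bits")
    site = sixto4_site_prefix(wan_ipv4)
    # The SLA field sits in bits 48..63 from the top, i.e. shifted 64 up.
    return ipaddress.IPv6Network((int(site.network_address) | (subnet_id << 64), 64))


def embedded_ipv4(dst: str) -> Optional[ipaddress.IPv4Address]:
    """IPv4 tunnel endpoint embedded in a 6to4 destination, or None."""
    addr = ipaddress.IPv6Address(dst)
    if addr not in SIXTO4_PREFIX:
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def wan_ipv4_from_prefix(prefix: str) -> ipaddress.IPv4Address:
    """Recover the WAN IPv4 address from a 6to4 site or LAN prefix."""
    net = ipaddress.IPv6Network(prefix)
    v4 = embedded_ipv4(str(net.network_address))
    if v4 is None:
        raise ValueError(f"{prefix} is not inside {SIXTO4_PREFIX}")
    return v4


def tunnel_next_hop(dst: str, relay_ipv4: str) -> ipaddress.IPv4Address:
    """Outer IPv4 destination for an IPv6 packet leaving the 6to4 tunnel.

    A 2002::/16 destination is reached directly at the endpoint embedded
    in its address; any other IPv6 destination is sent to the relay router.
    """
    endpoint = embedded_ipv4(dst)
    return endpoint if endpoint is not None else ipaddress.IPv4Address(relay_ipv4)


if __name__ == "__main__":
    wan = wan_ipv4_from_prefix("2002:7a64:dcee:1::/64")
    print("WAN IPv4 behind the notes' LAN1 prefix:", wan)
    print("site /48:", sixto4_site_prefix(str(wan)))
    print("LAN1 /64:", sixto4_lan_prefix(str(wan), 1))
    # Constructed destinations: one 6to4 site, one native IPv6 host.
    for dst in ("2002:c0a8:0101::1", "2001:db8::1"):
        print(dst, "->", tunnel_next_hop(dst, "192.99.88.1"))
```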
  • Page 118: How To Set Up An Ipv6-In-Ipv4 Tunnel

    In Windows, some IPv6 related tunnels may be enabled by default, such as Teredo and 6to4 tunnels. It may cause your computer to handle IPv6 packets in an unexpected way. It is recommended to disable those tunnels on your computer. 1.8 How to Set Up an IPv6-in-IPv4 Tunnel This example shows how to use the interface and policy route configuration screens to create an IPv6-in-IPv4 tunnel.
  • Page 119 The Edit Tunnel screen appears. Select Enable. Enter tunnel0 as the Interface Name and select IPv6-in-IPv4 as the Tunnel Mode. Select wan1 in the Interface field in the Gateway Settings section. Enter 5.6.7.8 as the remote gateway’s IP address. Click OK. 1.8.3 Setting Up the LAN IPv6 Interface Select lan1 in the IPv6 Configuration section in the CONFIGURATION >...
  • Page 120 1.8.4 Setting Up the Policy Route Go to the CONFIGURATION > Network > Routing screen and click Add in the IPv6 Configuration table. The Add Policy Route screen appears. Click Create New Object to create an IPv6 address object with the address prefix of 2003:1111:1111:1::/64. Select Enable.
  • Page 121 1.8.5 Testing the IPv6-in-IPv4 Tunnel Connect a computer to the USG’s LAN1. Enable IPv6 support on your computer. In Windows XP, you need to use the IPv6 install command in a Command Prompt. In Windows 7, IPv6 is supported by default. You can enable IPv6 in the Control Panel > Network and Sharing Center >...
  • Page 122: Tutorial 2: Protecting Your Network

    Tutorial 2: Protecting Your Network These sections cover configuring the USG to protect your network. 2.1 Firewall The firewall controls the travel of traffic between or within zones for services using static port numbers. Use application patrol to control services using flexible/dynamic port numbers. The firewall can also control traffic for NAT (DNAT) and policy routes (SNAT).
  • Page 123: User-Aware Access Control

    2.1.1 What Can Go Wrong • The USG checks the firewall rules in order and applies the first firewall rule the traffic matches. If traffic is unexpectedly blocked or allowed, make sure the firewall rule you want to apply to the traffic comes before any other rules that the traffic would also match.
  • Page 124: Device And Service Registration

    access users and admin users in the same user group. • Attempts to add the default admin account to a user group will fail. You cannot put the default admin account into any user group. 2.3 Device and Service Registration This tutorial shows you how to create a myZyXEL.com account and register the USG.
  • Page 125: Anti-Virus Policy Configuration

    2.4 Anti-Virus Policy Configuration This tutorial shows you how to configure an Anti-Virus policy. Note: You need to first activate your Anti-Virus service license or trial. See Click Configuration > Anti-X > Anti-Virus to display the Anti-Virus General screen. In the Policies section click Add to display the Add Rule screen.
  • Page 126 2 The policy configured in the previous step will display in the Policies section. Select Enable Anti-Virus and Anti-Spyware and click Apply. 2.4.1 What Can Go Wrong • The USG does not scan the following file/traffic types: • Simultaneous downloads of a file using multiple connections. For example, when you use FlashGet to download sections of a file simultaneously.
  • Page 127: Idp Profile Configuration

    2.5 IDP Profile Configuration IDP (Intrusion, Detection and Prevention) detects malicious or suspicious packets and protects against network-based intrusions. Note: You need to first activate your IDP service license or trial. You may want to create a new profile if not all signatures in a base profile are applicable to your network.
  • Page 128: Adp Profile Configuration

    Edit the default log options and actions. 2.6 ADP Profile Configuration ADP (Anomaly Detection and Prevention) protects against anomalies based on violations of protocol standards (RFCs – Requests for Comments) and abnormal traffic flows such as port scans. You may want to create a new profile if not all traffic or protocol rules in a base profile are applicable to your network.
  • Page 129 Note: If Internet Explorer opens a warning screen about a script making Internet Explorer run slowly and the computer possibly becoming unresponsive, just click No to continue. The Traffic Anomaly screen will display. Type a new profile Name. Enable or disable individual scan or flood types by selecting a row and clicking Activate or Inactivate.
  • Page 130: Content Filter Profile Configuration

    2.7 Content Filter Profile Configuration Content filter allows you to control access to specific web sites or filter web content by checking against an external database. This tutorial shows you how to configure a Content Filter profile. Note: You need to first activate your Content Filter service license or trial to use Commtouch or BlueCoat content filtering service.
  • Page 131 Click the General tab and in the Policies section click Add. In the Add Policy screen that appears, select the Filter Profile you created in the previous step. Click OK. In the General screen, the configured policy will appear in the Policies section. Select Enable Content Filter and select BlueCoat.
  • Page 132: Viewing Content Filter Reports

    2.8 Viewing Content Filter Reports Content filtering reports are generated statistics and charts of access attempts to web sites belonging to the categories you selected in your device content filter screen. You need to register your iCard before you can view content filtering reports. Alternatively, you can also view content filtering reports during the free trial (up to 30 days).
  • Page 133 In the Service Management screen click Content Filter (BlueCoat) or Content Filter (Commtouch) in the Service Name column to open the content filter reports screens. In the Web Filter Home screen, click Commtouch Report or BlueCoat Report. Select items under Global Reports to view the corresponding reports. Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report.
  • Page 134 The screens vary according to the report type you selected in the Report Home screen. A chart and/or list of requested web site categories display in the lower half of the screen. You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.
  • Page 135: Anti-Spam Policy Configuration

    Anti-Spam Policy Configuration This tutorial shows you how to configure an Anti-Spam policy with Mail Scan functions and DNS Black List (DNSBL). Note: You need to first activate your Anti-Spam service license or trial to use the Mail Scan functions (Sender Reputation, Mail Content Analysis and Virus Outbreak Detection).
  • Page 136 Click the General tab. In the Policy Summary section, click Add to display the Add rule screen. Select from the list of available Scan Options and click OK to return to the General screen. In the General screen, the policy configured in the previous step will display in the Policy Summary section.
  • Page 137: Tutorial 3: Create Secure Connections Across The Internet

    Tutorial 3: Create Secure Connections Across the Internet These sections cover using VPN to create secure connections across the Internet. 3.1 IPSec VPN Besides using the VPN quick setup wizard to configure settings for an IPSec VPN tunnel, you can use the Configuration >...
  • Page 138: Configure Security Policies For The Vpn Tunnel

    After you configure the VPN gateway and VPN connection settings, set up the VPN settings on the peer IPSec router and try to establish the VPN tunnel. To trigger the VPN, either try to connect to a device on the peer IPSec router’s LAN or click Configuration > VPN > IPSec VPN > VPN Connection and use the VPN connection screen’s Connect icon.
  • Page 139: Vpn Concentrator Example

    remote IPSec router’s certificate. • Multiple SAs connecting through a secure gateway must have the same negotiation mode. If you have the Configuration > VPN > IPSec VPN > VPN Connection screen’s Use Policy Route to control dynamic IPSec rules option enabled and the VPN connection is up but VPN traffic cannot be transmitted through the VPN tunnel, check the routing policies to see if they are sending traffic elsewhere instead of through the VPN tunnels.
  • Page 140 • Destination: 192.168.12.0 • Next Hop: VPN Tunnel 1 Headquarters VPN Gateway (VPN Tunnel 1): • My Address: 10.0.0.1 • Peer Gateway Address: 10.0.0.2 VPN Connection (VPN Tunnel 1): • Local Policy: 192.168.1.0/255.255.255.0 • Remote Policy: 192.168.11.0/255.255.255.0 • Disable Policy Enforcement VPN Gateway (VPN Tunnel 2): •...
  • Page 141: Hub-And-Spoke Ipsec Vpn Without Vpn Concentrator

    Consider the following when using the VPN concentrator. • The local IP addresses configured in the VPN rules should not overlap. • The concentrator must have at least one separate VPN rule for each spoke. In the local policy, specify the IP addresses of the networks with which the spoke is to be able to have a VPN tunnel.
  • Page 142 • My Address: 10.0.0.1 • Peer Gateway Address: 10.0.0.2 VPN Connection (VPN Tunnel 1): • Local Policy: 192.168.168.0~192.168.169.255 • Remote Policy: 192.168.167.0/255.255.255.0 • Disable Policy Enforcement VPN Gateway (VPN Tunnel 2): • My Address: 10.0.0.1 • Peer Gateway Address: 10.0.0.3 VPN Connection (VPN Tunnel 2): •...
  • Page 143: Usg Ipsec Vpn Client Configuration Provisioning

    • If a ZyNOS-based USG’s remote network setting overlaps with its local network settings, set ipsec swSkipOverlapIp to on to send traffic destined to A’s local network to A’s local network instead of through the VPN tunnel. 3.4 USG IPSec VPN Client Configuration Provisioning VPN configuration provisioning gives USG IPSec VPN Client users VPN rule settings automatically.
  • Page 144 Click Configuration > Object > User/Group and create a user account for the USG IPSec VPN Client user. Then, enable Configuration Provisioning in Configuration > VPN > IPSec VPN > Configuration Provisioning and configure it to allow the newly created user to retrieve this rule’s settings using the USG IPSec VPN Client.
  • Page 145: Ssl Vpn

    Check that the correct USG IP address and HTTPS port (if the default port was changed) were entered. Ping the USG from the computer on which the USG IPSec VPN Client is installed. If there is no reply, check that the computer has Internet access. If the computer has Internet access, contact the USG administrator.
  • Page 146: L2Tp Vpn With Android, Ios, And Windows

    103 x 29 pixels to avoid distortion when displayed. The USG automatically resizes a graphic of a different resolution to 103 x 29 pixels. The file size must be 100 kilobytes or less. Transparent background is recommended. • If users can log into the SSL VPN but cannot see some of the resource links, check the SSL application object’s configuration.
  • Page 147 • The USG has a WAN interface with a static IP address of 172.16.1.2. • The remote user has a dynamic public IP address and connects through the Internet. • You configure an IP address pool object named L2TP_POOL to assign the remote users IP addresses from 192.168.10.10 to 192.168.10.20 for use in the L2TP VPN tunnel.
  • Page 148 Click Configuration > VPN > IPSec VPN > VPN Gateway and double-click the Default_L2TP_VPN_GW entry. Select Enable. Set My Address. This example uses a WAN interface with static IP address 172.16.1.2. Set Authentication to Pre-Shared Key and configure a password. This example uses top-secret.
  • Page 149 Click Configuration > VPN > L2TP VPN and then Create New Object > Address to create an IP address pool for the L2TP VPN clients. This example uses L2TP_POOL with a range of 192.168.10.10 to 192.168.10.20. Click Create New Object > User/Group to create a user object for the users allowed to use the tunnel.
  • Page 150 USG’s return traffic back through the L2TP VPN tunnel. • Set Incoming to USG. • Set Destination Address to the L2TP address pool. • Set the next hop to be the VPN tunnel that you are using for L2TP. If some of the traffic from the L2TP clients needs to go to the Internet, create a policy route to send traffic from the L2TP tunnels out through a WAN trunk.
  • Page 151 • VPN name is for the user to identify the VPN configuration. • Set VPN server is the USG’s WAN IP address. • Set IPSec pre-shared key is the pre-shared key of the IPSec VPN gateway the USG uses for L2TP VPN over IPSec (top-secret in this example).
  • Page 152 Enter your USG user name and password and click Create. Click Close. Configure the Connection Object In the Network and Sharing Center screen, click Connect to a network. Right-click the L2TP VPN connection and select Properties. In Windows 7, click Security and set the Type of VPN to Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec).
  • Page 153 Select Use preshared key for authentication and enter the pre-shared key of the VPN gateway entry the USG is using for L2TP VPN (top-secret in this example). Click OK to save your changes and close the Advanced Properties screen. Then click OK again to close the Properties window. If a warning screen about data encryption not occurring if PAP or CHAP is negotiated, click Yes.
  • Page 154 A window appears while the user name and password are verified. The Connect to a network screen shows Connected after the L2TP over IPSec VPN tunnel is built. After the connection is up a connection icon displays in your system tray. Click it and then the L2TP connection to open a status screen.
  • Page 155 Access a server or other network resource behind the USG to make sure your access works. 3.6.5.2 Configuring L2TP in Windows XP In Windows XP, first issue the following command from the Windows command prompt (including the quotes) to make sure the computer is running the Microsoft IPSec service. net start "ipsec services".
  • Page 156 Select Do not dial the initial connection and click Next. Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the USG is using for L2TP VPN (172.16.1.2 in this example). Click Finish.
  • Page 157 radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click IPSec Settings. Select the Use pre-shared key for authentication check box and enter the pre-shared key used in the VPN gateway configuration that the USG is using for L2TP VPN. Click OK. Click Networking.
  • Page 158 Enter the user name and password of your USG account. Click Connect. A window appears while the user name and password are verified. A USG-L2TP icon displays in your system tray. Double-click it to open a status screen. Click Details to see the address that you received from the L2TP range you specified on the USG (192.168.10.10-192.168.10.20).
  • Page 159 • Use Pre-Shared Key authentication • Use a VPN gateway with the Secure Gateway set to 0.0.0.0 if you need to allow L2TP VPN clients to connect from more than one IP address. Disconnect any existing L2TP VPN sessions before modifying L2TP VPN settings. The remote users must make any needed matching configuration changes and re-establish the sessions using the new settings.
  • Page 160: Tutorial 4: Managing Traffic

    Tutorial 4: Managing Traffic These sections cover controlling the traffic going through the USG. How to Configure Bandwidth Management Bandwidth management is very useful when applications are competing for limited bandwidth. Connection and Packet Directions Bandwidth management looks at the connection’s direction from the interface it was initiated on to the interface it goes out.
  • Page 161 • Outbound traffic goes from a LAN1 device to the WAN. The USG applies bandwidth management before sending the packets out a WAN interface. • Inbound traffic comes back from the WAN to the LAN1 device. The USG applies bandwidth management before sending the traffic out a LAN1 interface.
  • Page 162 • Manage SIP traffic going to WAN1 from users on the LAN or DMZ. • Inbound and outbound traffic are both guaranteed 1000 kbps and limited to 2000 kbps. SIP Any-to-WAN Guaranteed / Maximum Bandwidths Example Figure 37 In the Configuration > BWM screen, click Add. In the Add Policy screen, select Enable and type SIP Any-to-WAN as the policy’s name.
  • Page 163 In the Configuration > BWM screen, click Add. In the Add Policy screen, select Enable and type HTTP Any-to-WAN as the policy’s name. Leave the incoming interface to any and select wan1 as the outgoing interface. Select App Patrol Service and http as the service type. Set the guaranteed inbound bandwidth to 10240 (kbps) and set priority 4.
  • Page 164 4.1.6 FTP WAN-to-DMZ Bandwidth Management Example Suppose the office has an FTP server on the DMZ. Here is how to limit WAN1 to DMZ FTP traffic so it does not interfere with SIP and HTTP traffic. • Allow remote users only 2048 kbps inbound for downloading from the DMZ FTP server but up to 10240 kbps outbound for uploading to the DMZ FTP server.
  • Page 165 4.1.7 FTP LAN-to-DMZ Bandwidth Management Example FTP traffic from the LAN1 to the DMZ can use more bandwidth since the interfaces support up to 1 Gbps connections, but give it lower priority and limit it to avoid interference with other traffic. •...
  • Page 166 Select lan1 as the incoming interface and dmz as the outgoing interface. Select App Patrol Service and ftp as the service type. Type 10240 (kbps) with priority 5 for both the inbound and outbound guaranteed bandwidth. Do not select the Maximize Bandwidth Usage. Set the maximum to 51200 (kbps). Click OK. Finally, in the BWM screen, select Enable BWM.
  • Page 167: How To Configure A Trunk For Wan Load Balancing

    USG’s IDP packet inspection signatures to classify services. 4.2 How to Configure a Trunk for WAN Load Balancing These examples show how to configure a trunk for two WAN connections to the Internet. The available bandwidth for the connections is 1 Mbps (wan1) and 512 Kbps (wan2 or cellular1) respectively.
  • Page 168: Configure The Wan Trunk

    Repeat the process to set the egress bandwidth for wan2 to 512 Kbps. For 3G interface settings, go to Configuration > Network > Interface > Cellular. Double-click the cellular1 entry and set the egress bandwidth for cellular1 to 512 Kbps. 4.2.2 Configure the WAN Trunk Click Configuration >...
  • Page 169: How To Use Multiple Static Public Wan Ip Addresses For Lan-To-Wan Traffic

    Select the trunk as the default trunk and click Apply. 4.3 How to Use Multiple Static Public WAN IP Addresses for LAN-to-WAN Traffic If your ISP gave you a range of static public IP addresses, this example shows how to configure a policy route to have the USG use them for traffic it sends out from the LAN.
  • Page 170: How To Use Device Ha To Backup Your Usg

    4.3.2 Configure the Policy Route Now you need to configure a policy route that has the USG use the range of public IP addresses as the source address for WAN to LAN traffic. Click Configuration > Network > Routing > Policy Route > Add (in IPv4 Configuration). It is recommended to add a description.
  • Page 171: Before You Start

    active-passive or legacy). Management Access IP Addresses For each interface you can configure an IP address in the same subnet as the interface IP address to use to manage the USG whether it is the master or the backup. Synchronization Synchronize USGs of the same model and firmware version to copy the master USG’s configuration, signatures (anti-virus, IDP/application patrol, and system protect), and certificates to the backup USG so you do not need to do it manually.
  • Page 172 avoid an IP address conflict, do not connect USG B to the LAN subnet until after you configure its device HA settings and the instructions tell you to deploy it. 4.4.3 Configure Device HA on the Master USG Log into USG A (the master) and click Configuration > Device HA > Active-Passive Mode. Double-click the LAN interface’s entry.
  • Page 173 4.4.4 Configure the Backup USG Connect a computer to USG B’s LAN interface and log into its Web Configurator. Connect USG B to the Internet and subscribe it to the same subscription services (like content filtering and anti-virus) to which USG A is subscribed.
  • Page 174: How To Configure Dns Inbound Load Balancing

    In the General tab enable device HA and click Apply. 4.4.5 Deploy the Backup USG Connect USG B’s LAN interface to the LAN network. Connect USG B’s WAN interface to the same router that USG A’s WAN interface uses for Internet access. USG B copies A’s configuration (and re-synchronizes with A every hour).
  • Page 175 their computers for 5 minutes. Select any in the IP Address field and WAN in the Zone field to apply this rule for all DNS query messages the WAN zone receives. Select Least Load - Total as the load balancing algorithm. Click Add to add WAN1 and WAN2 as the member interfaces.
  • Page 176: How To Allow Public Access To A Web Server

    4.6 How to Allow Public Access to a Web Server This is an example of making an HTTP (web) server in the DMZ zone accessible from the Internet (the WAN zone). In this example you have public IP address 1.1.1.1 that you will use on the WAN interface and map to the HTTP server’s private IP address of 192.168.3.7.
  • Page 177: Set Up A Firewall Rule

    4.6.2 Set Up a Firewall Rule Create a firewall rule to allow the public to send HTTP traffic to IP address 1.1.1.1 in order to access the HTTP server. If a domain name is registered for IP address 1.1.1.1, users can just go to the domain name to access the web server.
  • Page 178: How To Manage Voice Traffic

    • The USG checks the firewall rules in order and applies the first firewall rule the traffic matches. If traffic matches a rule that comes earlier in the list, it may be unexpectedly blocked. • The USG does not apply the firewall rule. The USG only applies a zone’s rules to the interfaces that belong to the zone.
  • Page 179 USG’s 10.0.0.8 WAN IP address to LAN IP address 192.168.1.56. Click Configuration > Network > NAT > Add > Create New Object > Address and create an IPv4 host address object for the public WAN IP address (called WAN_IP-for-H323 here). Repeat to create an address object for the H.323 device’s private LAN IP address (called LAN_H323 here).
  • Page 180: How To Use An Ippbx On The Dmz

    4.7.2 How to Use an IPPBX on the DMZ This is an example of making an IPPBX x6004 using SIP in the DMZ zone accessible from the Internet (the WAN zone). In this example you have public IP address 1.1.1.2 that you will use on the WAN interface and map to the IPPBX’s private IP address of 192.168.3.9.
  • Page 181 • Set the Incoming Interface to use the WAN interface. • Set the Original IP to the WAN address object (IPPBX-Public). If a domain name is registered for IP address 1.1.1.2, users can use it to connect to for making SIP calls. •...
  • Page 182: How To Limit Web Surfing And Msn To Specific People

    4.7.2.4 Set Up a DMZ to LAN Firewall Rule for SIP The firewall blocks traffic from the DMZ zone to the LAN1 zone by default so you need to create a firewall rule to allow the IPPBX to send SIP traffic to the SIP clients on the LAN. Click Configuration >...
  • Page 183 policies for the sales department of a company. 4.8.1 Set Up Web Surfing Policies Before you configure any policies, you must have already subscribed for the application patrol service. You can subscribe using the Configuration > Licensing > Registration screens or using one of the wizards.
  • Page 184: Set Up Msn Policies

    4 Change the access to Drop because you do not want anyone except authorized user groups to browse the web. Click OK. Click the Add icon in the policy list. In the new policy, select Sales as the user group allowed to browse the web.
  • Page 185 Double-click the Default policy. Change the access to Drop because you do not want anyone except the authorized user group (sales) to use MSN. Click OK. Now you will need to set up a recurring schedule object first. Click Configuration >...
  • Page 186 Click Configuration > AppPatrol > Query, and in the second dropdown menu, select Instant Messager, and click Search. Then, double-click the msn entry to edit it. Click the Add icon in the policy list. In the new policy, select WorkHours as the schedule and Sales as the user group that is allowed to use MSN at the appointed schedule.
  • Page 187 4.8.3 What Can Go Wrong If you have not already subscribed for the application patrol service, you will not be able to configure any policies. You can do so by using the Configuration > Licensing > Registration screens or using one of the wizards.