ZyXEL Communications USG40 User Manual

ZyWALL/USG Series
ZyWALL 110 / 310 / 1100
USG40 / USG40W / USG60 / USG60W / USG110 / USG210 /
USG310 / USG1100 / USG1900
UTM Security Firewalls
USG20-VPN / USG20W-VPN / USG2200-VPN
VPN Firewalls
Version 4.20
Edition 1, 8/2016
Quick Start Guide
User's Guide
Default Login Details
LAN Port IP Address: https://192.168.1.1
User Name: admin
Password: 1234
www.zyxel.com
Copyright © 2016 Zyxel Communications Corporation

Summary of Contents for ZyXEL Communications USG40

  • Page 1 ZyWALL/USG Series ZyWALL 110 / 310 / 1100 USG40 / USG40W / USG60 / USG60W / USG110 / USG210 / USG310 / USG1100 / USG1900 UTM Security Firewalls USG20-VPN / USG20W-VPN / USG2200-VPN VPN Firewalls Version 4.20 Edition 1, 8/2016 Quick Start Guide User’s Guide...
  • Page 2 IMPORTANT! READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE. This is a User’s Guide for a series of products. Not all products support all firmware features. Screenshots and graphics in this book may differ slightly from your product due to differences in your product firmware or your computer operating system.
  • Page 3: Table Of Contents

    Part I: User’s Guide ..................23 Chapter 1 Introduction............................25 1.1 Overview ............................25 1.1.1 Applications ..........................26 1.2 Management Overview ........................28 1.3 Web Configurator ..........................29 1.3.1 Web Configurator Access ......................30 1.3.2 Web Configurator Screens Overview ..................32 1.3.3 Navigation Panel ........................36 1.3.4 Tables and Lists ........................43 Chapter 2 Installation Setup Wizard ........................46 2.1 Installation Setup Wizard Screens ....................46...
  • Page 4 4.1.2 Easy Mode Settings .........................72 4.1.3 Easy Mode Dashboard ......................73 4.2 Initial Setup Wizard Screen 1 - Language and Overview ..............75 4.2.1 Initial Setup Wizard Screen 2 - Internet ................77 4.2.2 Initial Setup Wizard Screen 2 - Internet Access Errors ............78 4.2.3 Initial Setup Wizard Screen 3 - Date and Time ..............79...
  • Page 5 4.10 Wi-Fi and Guest Network Wizard ....................117 4.10.1 Guest LAN (Wired Network) ....................118 4.10.2 Connecting AP Scenarios ....................119 4.11 Security Service Wizard ......................120 4.11.1 Security Service Wizard 2 - Content Filter Categories .............121 4.11.2 Security Service Wizard 3 - Websites ................123 4.11.3 Security Service Wizard 4 - Exemptions ................124...
  • Page 6 5.5.1 L2TP VPN Settings ........................158 5.5.2 L2TP VPN Settings ........................159 5.5.3 VPN Settings for L2TP VPN Setting Wizard - Summary ............160 5.5.4 VPN Settings for L2TP VPN Setting Wizard Completed ............161 Chapter 6 Dashboard ............................162 6.1 Overview ............................162 6.1.1 What You Can Do in this Chapter ..................162 6.2 Main Dashboard Screen .........................162 6.2.1 Device Information Screen ....................164 6.2.2 System Status Screen ......................165...
  • Page 7 7.8 IP/MAC Binding ..........................193 7.9 The Login Users Screen ........................193 7.10 The Dynamic Guest Screen ......................194 7.11 Cellular Status Screen ........................196 7.11.1 More Information ........................198 7.12 The UPnP Port Status Screen ......................199 7.13 USB Storage Screen ........................200 7.14 Ethernet Neighbor Screen ......................201 7.15 Wireless ............................202 7.15.1 Wireless AP Information: AP List ..................202 7.15.2 AP List More Information ....................204...
  • Page 8 8.2.2 The Anti-Virus Update Screen ....................237 8.2.3 The IDP/AppPatrol Update Screen ..................239 Chapter 9 Wireless .............................241 9.1 Overview ............................241 9.1.1 What You Can Do in this Chapter ..................241 9.2 Controller Screen ...........................241 9.3 AP Management Screens .......................242 9.3.1 Mgnt. AP List ........................242 9.3.2 AP Policy ..........................246 9.3.3 AP Group ..........................247 9.3.4 Firmware ..........................251...
  • Page 9 10.5.2 Add / Edit Cellular Configuration ..................299 10.6 Tunnel Interfaces ..........................305 10.6.1 Configuring a Tunnel ......................307 10.6.2 Tunnel Add or Edit Screen ....................308 10.7 VLAN Interfaces ...........................312 10.7.1 VLAN Summary Screen ......................313 10.7.2 VLAN Add/Edit ........................315 10.8 Bridge Interfaces ..........................324 10.8.1 Bridge Summary ........................326 10.8.2 Bridge Add/Edit ........................327 10.9 LAG ..............................336...
  • Page 10 Chapter 12 DDNS..............................382 12.1 DDNS Overview ..........................382 12.1.1 What You Can Do in this Chapter ..................382 12.1.2 What You Need to Know ......................382 12.2 The DDNS Screen ........................383 12.2.1 The Dynamic DNS Add/Edit Screen ..................384 Chapter 13 NAT..............................388 13.1 NAT Overview ..........................388 13.1.1 What You Can Do in this Chapter ..................388 13.1.2 What You Need to Know ......................388 13.2 The NAT Screen ..........................388...
  • Page 11 16.4.1 Turning on UPnP in Windows 7 Example ................411 16.4.2 Using UPnP in Windows XP Example .................413 16.4.3 Web Configurator Easy Access ...................415 Chapter 17 IP/MAC Binding..........................418 17.1 IP/MAC Binding Overview ......................418 17.1.1 What You Can Do in this Chapter ..................418 17.1.2 What You Need to Know ......................418 17.2 IP/MAC Binding Summary ......................419 17.2.1 IP/MAC Binding Edit ......................419...
  • Page 12 20.4.3 Enable Web Authentication ....................453 20.4.4 Create a Security Policy ......................454 20.4.5 Configure User Information ....................455 20.4.6 Configure an Authentication Method ...................456 20.4.7 Configure Active Directory ....................457 20.5 SSO Agent Configuration ......................458 Chapter 21 Hotspot ..............................462 21.1 Overview ............................462 21.2 Billing Overview ..........................462 21.2.1 What You Need to Know ......................462 21.3 The General Screen ........................463 21.4 The Billing Profile Screen ......................466...
  • Page 13 23.2 The Free Time Screen ........................492 Chapter 24 SMS ..............................496 24.1 SMS Overview ..........................496 24.1.1 What You Can Do in this Chapter ..................496 24.2 The SMS Screen ...........................496 Chapter 25 IPnP..............................498 25.1 IPnP Overview ..........................498 25.1.1 What You Can Do in this Chapter ..................498 25.2 IPnP Screen ..........................499 Chapter 26 Walled Garden...........................500...
  • Page 14 28.6 The Session Control Screen ......................529 28.6.1 The Session Control Add/Edit Screen .................530 28.7 Security Policy Example Applications ...................531 Chapter 29 IPSec VPN............................534 29.1 Virtual Private Networks (VPN) Overview ..................534 29.1.1 What You Can Do in this Chapter ..................536 29.1.2 What You Need to Know ......................537 29.1.3 Before You Begin .........................539 29.2 The VPN Connection Screen ......................539 29.2.1 The VPN Connection Add/Edit Screen ................541...
  • Page 15 31.7.1 The Main File Sharing Screen .....................588 31.7.2 Opening a File or Folder ......................589 31.7.3 Downloading a File ......................590 31.7.4 Saving a File ........................590 31.7.5 Creating a New Folder ......................591 31.7.6 Renaming a File or Folder ....................591 31.7.7 Deleting a File or Folder ......................592 31.7.8 Uploading a File ........................592 Chapter 32 ZyWALL/USG SecuExtender (Windows) ..................594...
  • Page 16 Chapter 36 Content Filtering ..........................624 36.1 Overview ............................624 36.1.1 What You Can Do in this Chapter ..................624 36.1.2 What You Need to Know ......................624 36.1.3 Before You Begin .........................626 36.2 Content Filter Profile Screen ......................626 36.3 Content Filter Profile Add or Edit Screen ..................628 36.3.1 Content Filter Add Profile Category Service ................628 36.3.2 Content Filter Add Filter Profile Custom Service ..............636 36.4 Content Filter Trusted Web Sites Screen ..................639...
  • Page 17 38.4 AV Signature Searching ........................677 38.5 Anti-Virus Technical Reference .....................678 Chapter 39 Anti-Spam ............................680 39.1 Overview ............................680 39.1.1 What You Can Do in this Chapter ..................680 39.1.2 What You Need to Know ......................680 39.2 Before You Begin ..........................681 39.3 The Anti-Spam Profile Screen .......................682 39.3.1 The Anti-Spam Profile Add or Edit Screen ................683 39.4 The Mail Scan Screen ........................685 39.5 The Anti-Spam Black List Screen ....................687...
  • Page 18 41.6 Device HA Technical Reference ....................719 Chapter 42 Object..............................723 42.1 Zones Overview ..........................723 42.1.1 What You Need to Know ......................723 42.1.2 The Zone Screen .........................724 42.2 User/Group Overview ........................725 42.2.1 What You Need To Know .....................726 42.2.2 User/Group User Summary Screen ..................728 42.2.3 User/Group Group Summary Screen ..................731 42.2.4 User/Group Setting Screen ....................733 42.2.5 User/Group MAC Address Summary Screen ..............737...
  • Page 19 42.9.6 RADIUS Server Summary ....................790 42.10 Auth. Method Overview ......................792 42.10.1 Before You Begin .......................792 42.10.2 Example: Selecting a VPN Authentication Method ............792 42.10.3 Authentication Method Objects ..................793 42.11 Certificate Overview ........................795 42.11.1 What You Need to Know ....................795 42.11.2 Verifying a Certificate ......................797 42.11.3 The My Certificates Screen ....................798 42.11.4 The Trusted Certificates Screen ..................805 42.11.5 Certificates Technical Reference ..................810...
  • Page 20 43.6.13 Editing a Security Option Control ..................837 43.6.14 Adding a DNS Service Control Rule ..................838 43.7 WWW Overview ..........................839 43.7.1 Service Access Limitations ....................839 43.7.2 System Timeout ........................839 43.7.3 HTTPS ..........................840 43.7.4 Configuring WWW Service Control ..................841 43.7.5 Service Control Rules ......................844 43.7.6 Customizing the WWW Login Page ..................844 43.7.7 HTTPS Example ........................849 43.8 SSH...
  • Page 21 44.3.4 Edit Remote Server Log Settings ..................888 44.3.5 Log Category Settings Screen .....................891 Chapter 45 File Manager............................896 45.1 Overview ............................896 45.1.1 What You Can Do in this Chapter ..................896 45.1.2 What you Need to Know ......................896 45.2 The Configuration File Screen ......................898 45.3 Firmware Management ......................902 45.3.1 Cloud Helper ........................903 45.3.2 The Firmware Management Screen ..................905...
  • Page 22 49.2 Getting More Troubleshooting Help ....................941 Appendix A Customer Support ......................942 Appendix B Legal Information......................948 Appendix C Product Features......................965 Index ..............................976 ZyWALL/USG Series User’s Guide...
  • Page 23: Part I User's Guide

    User’s Guide...
  • Page 25: Chapter 1 Introduction

    • Configuration > Anti-Virus > Black/White List • Configuration > Anti-Spam > Black/White List • ZyWALL models do not support SSL Inspection • USG40 / USG40W / USG60 / USG60W support UTM but not SSL Inspection. • The following models support Hotspot management: • ZyWALL 310 •...
  • Page 26: Applications

    Chapter 1 Introduction • USG2200-VPN • USG40W / USG60W have built-in Wi-Fi functionality • ZyWALL 110, ZyWALL 310, ZyWALL 1100, USG110, USG210, USG310, USG1100, and USG1900 support Device HA (High Availability) • Some interface names vary by model - see Table 17 on page 68 for default port / interface name mapping.
  • Page 27: Vpn Connectivity

    Chapter 1 Introduction Figure 2 Applications: IPv6 Routing VPN Connectivity Set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to provide secure access to your network. You can also purchase the ZyWALL/USG OTPv2 One-Time Password System for strong two-factor authentication for Web Configurator, Web access, SSL VPN, and Zyxel IPSec VPN client user logins.
  • Page 28: Management Overview

    Chapter 1 Introduction User-Aware Access Control Set up security policies to restrict access to sensitive information and shared resources based on the user who is trying to access it. In the following figure user A can access both the Internet and an internal file server.
  • Page 29: Web Configurator

    Chapter 1 Introduction Figure 7 Managing the ZyWALL/USG: Web Configurator Command-Line Interface (CLI) The CLI allows you to use text-based commands to configure the ZyWALL/USG. Access it using remote management (for example, SSH or Telnet) or via the physical or Web Configurator console port.
  • Page 30: Web Configurator Access

    Chapter 1 Introduction • Use one of the following web browser versions or later: • Internet Explorer 10.x, 11.x • Chrome latest version (45 or above) • Firefox latest version (45 or above) • Safari latest version (9.0 or above) •...
  • Page 31 Chapter 1 Introduction The Network Risk Warning screen displays any unregistered or disabled security services. Select how often to display the screen and click OK. If you select Never and you later want to bring this screen back, use these commands (note the space before the underscore).
  • Page 32: Web Configurator Screens Overview

    Chapter 1 Introduction Follow the directions in the Update Admin Info screen. If you change the default password, the Login screen appears after you click Apply. If you click Ignore, the Installation Setup Wizard opens if the ZyWALL is using its default configuration; otherwise the dashboard appears. 1.3.2 Web Configurator Screens Overview The Web Configurator screen is divided into these parts (as illustrated on page...
  • Page 33 Chapter 1 Introduction Table 3 Title Bar: Web Configurator Icons (continued) LABEL DESCRIPTION Console Click this to open a Java-based console window from which you can run command line interface (CLI) commands. You will be prompted to enter your user name and password. See the Command Reference Guide for information about the commands.
  • Page 34 Chapter 1 Introduction Figure 10 Site Map Object Reference Click Object Reference to open the Object Reference screen. Select the type of object and the individual object and click Refresh to show which configuration settings reference the object. Figure 11 Object Reference The fields vary with the type of object.
  • Page 35 Chapter 1 Introduction Table 5 Object References (continued) LABEL DESCRIPTION Priority If it is applicable, this field lists the referencing configuration item’s position in its list, otherwise N/A displays. Name This field identifies the configuration item that references the object. Description If the referencing configuration item has a description configured, it displays here.
  • Page 36: Navigation Panel

    Chapter 1 Introduction Figure 13 CLI Messages 1.3.3 Navigation Panel Use the navigation panel menu items to open status and configuration screens. Click the arrow in the middle of the right edge of the navigation panel to hide the panel or drag to resize it. The following sections introduce the ZyWALL/USG’s navigation panel menus and their screens.
  • Page 37 Chapter 1 Introduction Monitor Menu The monitor menu screens display status and statistics information. Table 6 Monitor Menu Screens Summary FOLDER OR LINK TAB FUNCTION System Status Port Statistics Port Displays packet statistics for each physical port. Statistics Interface Interface Displays general interface information and packet statistics.
  • Page 38: Configuration Menu

    Chapter 1 Introduction Table 6 Monitor Menu Screens Summary (continued) FOLDER OR LINK TAB FUNCTION AppPatrol AppPatrol Displays application patrol statistics. Statistics Content Filter Report Collect and display content filter statistics Collect and display statistics on the intrusions that the ZyWALL/USG has detected.
  • Page 39 Chapter 1 Introduction Table 7 Configuration Menu Screens Summary (continued) FOLDER OR LINK TAB FUNCTION Interface Port Role Use this screen to set the ZyWALL/USG’s flexible ports such as LAN, OPT, WLAN, or DMZ. Ethernet Manage Ethernet interfaces and virtual Ethernet interfaces. Create and manage PPPoE and PPTP interfaces.
  • Page 40 Chapter 1 Introduction Table 7 Configuration Menu Screens Summary (continued) FOLDER OR LINK TAB FUNCTION Free Time Free Time Allow users to get a free account for Internet surfing during the specified time period. Enable the SMS service to send dynamic guest account information in text messages.
  • Page 41 Chapter 1 Introduction Table 7 Configuration Menu Screens Summary (continued) FOLDER OR LINK TAB FUNCTION Signature Search for signatures by signature name or attributes and configure how the ZyWALL/USG uses them. Anti-Spam Profile Turn anti-spam on or off and manage anti-spam policies. Create anti-spam template(s) of settings to apply to a traffic flow using a security policy.
  • Page 42 Chapter 1 Introduction Table 7 Configuration Menu Screens Summary (continued) FOLDER OR LINK TAB FUNCTION AAA Server Active Directory Configure the Active Directory settings. LDAP Configure the LDAP settings. RADIUS Configure the RADIUS settings. Auth. Method Authentication Create and manage ways of authenticating users. Method Certificate My Certificates...
  • Page 43: Tables And Lists

    Chapter 1 Introduction Maintenance Menu Use the maintenance menu screens to manage configuration and firmware files, run diagnostics, and reboot or shut down the ZyWALL/USG. Table 8 Maintenance Menu Screens Summary FOLDER FUNCTION OR LINK File Configuration File Manage and upload configuration files for the ZyWALL/USG. Manager Firmware Package View the current firmware version and upload firmware.
  • Page 44 Chapter 1 Introduction Figure 16 Common Table Column Options Select a column heading cell’s right border and drag to re-size the column. Figure 17 Resizing a Table Column Select a column heading and drag and drop it to change the column order. A green check mark displays next to the column’s title when you drag the column to a valid new location.
  • Page 45 Chapter 1 Introduction Figure 20 Common Table Icons Here are descriptions for the most common table icons. Table 9 Common Table Icons LABEL DESCRIPTION Click this to create a new entry. For features where the entry’s position in the numbered list is important (features where the ZyWALL/USG applies the table’s entries in order like the security policy for example), you can select an entry and click Add to create a new entry after the selected entry.
  • Page 46: Installation Setup Wizard

    Chapter 2 Installation Setup Wizard 2.1 Installation Setup Wizard Screens When you log into the Web Configurator for the first time or when you reset the ZyWALL/USG to its default configuration, the Installation Setup Wizard screen displays. This wizard helps you configure Internet connection settings and activate subscription services.
  • Page 47: Internet Access: Ethernet

    Chapter 2 Installation Setup Wizard Figure 23 Internet Access: Step 1 • I have two ISPs: Select this option to configure two Internet connections. Leave it cleared to configure just one. This option appears when you are configuring the first WAN interface. •...
  • Page 48: Internet Access: Pppoe

    Chapter 2 Installation Setup Wizard Figure 24 Internet Access: Ethernet Encapsulation • Encapsulation: This displays the type of Internet connection you are configuring. • First WAN Interface: This is the number of the interface that will connect with your ISP. •...
  • Page 49 Chapter 2 Installation Setup Wizard Figure 25 Internet Access: PPPoE Encapsulation 2.1.3.1 ISP Parameters • Type the PPPoE Service Name from your service provider. PPPoE uses a service name to identify and reach the PPPoE server. You can use alphanumeric and -_@$./ characters, and it can be up to 64 characters long.
  • Page 50: Internet Access: Pptp

    Chapter 2 Installation Setup Wizard • First / Second DNS Server: These fields display if you selected static IP address assignment. The Domain Name System (DNS) maps a domain name to an IP address and vice versa. Enter a DNS server's IP address(es). The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.
  • Page 51: Internet Access: L2Tp

    Chapter 2 Installation Setup Wizard • Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle Timeout in seconds that elapses before the router automatically disconnects from the PPTP server. 2.1.4.2 PPTP Configuration • Base Interface: This identifies the Ethernet interface you configure to connect with a modem or router.
  • Page 52 Chapter 2 Installation Setup Wizard Figure 27 Internet Access: L2TP Encapsulation 2.1.5.1 ISP Parameters • Authentication Type - Select an authentication protocol for outgoing connection requests. Options are: • CHAP/PAP - Your ZyWALL/USG accepts either CHAP or PAP when requested by the remote node.
  • Page 53: Internet Access Setup - Second Wan Interface

    Chapter 2 Installation Setup Wizard 2.1.5.3 WAN IP Address Assignments • WAN Interface: This is the name of the interface that will connect with your ISP. • Zone: This is the security zone to which this interface and Internet connection will belong. •...
  • Page 54: Wireless Settings: Ap Controller

    Chapter 2 Installation Setup Wizard Figure 29 Internet Access Succeed 2.1.8 Wireless Settings: AP Controller The ZyWALL/USG can act as an AP Controller that can manage APs in the same network as the ZyWALL/USG. Figure 30 Wireless Settings: AP Controller Select Yes if you want your ZyWALL/USG to manage APs in your network;...
  • Page 55: Internet Access - Device Registration

    Chapter 2 Installation Setup Wizard Figure 31 Wireless Settings: SSID & Security SSID Setting • SSID - Enter a descriptive name of up to 32 printable characters for the wireless LAN. • Security Mode - Select Pre-Shared Key to add security on this wireless network. Otherwise, select None to allow any wireless client to associate this network without authentication.
  • Page 56 Chapter 2 Installation Setup Wizard Figure 32 Internet Access: Device Registration You will need the ZyWALL/USG’s serial number and LAN MAC address to register it if you have not already done so. Use the Configuration > Licensing > Registration > Service screen to update your service subscription status.
  • Page 57: Hardware, Interfaces And Zones

    The LED indicators are located on the front panel. Figure 33 ZyWALL 110 / USG110 / USG210 Front Panel Figure 34 ZyWALL 310 / ZyWALL 1100 / USG310 / USG1100 / USG1900 Front Panel Figure 35 USG40 Front Panel
  • Page 58 Chapter 3 Hardware, Interfaces and Zones Figure 36 USG40W Front Panel Figure 37 USG20-VPN Front Panel Figure 38 USG20W-VPN Front Panel Figure 39 USG60 Front Panel Figure 40 USG60W Front Panel Figure 41 USG2200-VPN Front Panel
  • Page 59 Chapter 3 Hardware, Interfaces and Zones The following table describes the LEDs. Table 11 LED Descriptions COLOR STATUS DESCRIPTION The ZyWALL/USG is turned off. Green The ZyWALL/USG is turned on. There is a hardware component failure. Shut down the device, wait for a few minutes and then restart the device.
  • Page 60 Chapter 3 Hardware, Interfaces and Zones Table 12 USG2200-VPN LED Descriptions (continued) COLOR STATUS DESCRIPTION P5-P16 (WAN/LAN) Green There is no connection on this port. This port has a successful 10/100Mbps link. Blinking The ZyWALL/USG is sending or receiving packets on this port. Orange There is no connection on this port.
  • Page 61: Rear Panels

    Chapter 3 Hardware, Interfaces and Zones Table 14 USG2200-VPN Front Panel Ports (continued) LABEL DESCRIPTION CONSOLE You can use the console port to manage the ZyWALL/USG using CLI commands. You will be prompted to enter your user name and password. See the Command Reference Guide for more information about the CLI.
  • Page 62 Chapter 3 Hardware, Interfaces and Zones Figure 44 USG40 / USG40W Rear Panel Figure 45 USG20-VPN / USG20W-VPN Rear Panel Figure 46 USG60 / USG60W Rear Panel Figure 47 USG2200-VPN Rear Panel The following table describes the items on the rear panel.
  • Page 63: Mounting

    3.2 Mounting Some models can be mounted in a rack, and some can be mounted on a wall. Table 16 Mounting Method RACK-MOUNTING: • ZyWALL 110 • ZyWALL 310 • ZyWALL 1100 •... WALL-MOUNTING: • USG40 • USG40W • USG60 •...
  • Page 64: Usg2200-Vpn Rack Mounting

    Chapter 3 Hardware, Interfaces and Zones After attaching both mounting brackets, position the ZyWALL/USG in the rack and match up the bracket holes with the rack holes. Secure the ZyWALL/USG to the rack with the rack-mounting screws. 3.2.2 USG2200-VPN Rack Mounting 3.2.2.1 Installation Requirements •...
  • Page 65 Chapter 3 Hardware, Interfaces and Zones • Rack M6 Screws and Nuts Note: Failure to use the proper screws may damage the unit. 3.2.2.2 Procedure Connect the front brackets to the USG2200-VPN using the M3 bracket screws. To separate the inner and outer railings, press tab B (white) and slide out the outer railing.
  • Page 66 Chapter 3 Hardware, Interfaces and Zones Connect the inner railing to the USG2200-VPN as shown. Align the holes on the inner rail with the screws on the side of the USG2200-VPN and slide until it clicks in place. Do the same for the other inner rail on the other side of the USG2200-VPN.
  • Page 67: Wall-Mounting

    Chapter 3 Hardware, Interfaces and Zones 3.2.3 Wall-mounting See Table 16 on page 63 for the ZyWALL/USG models that can be wall-mounted. Do the following to attach your ZyWALL/USG to a wall. Drill two holes 3 mm ~ 4 mm (0.12" ~ 0.16") wide, 20 mm ~ 30 mm (0.79" ~ 1.18") deep and 150 mm apart, into a wall.
  • Page 68: Default Zones, Interfaces, And Ports

    An OPT (optional) Ethernet port can be configured as an additional WAN port, LAN, WLAN, or DMZ port. The following table shows the default physical port and interface mapping for each model at the time of writing. Table 17 Default Physical Port - Interface Mapping PORT / INTERFACE • USG40 wan1 lan1 lan1 lan1 • USG40W...
  • Page 69 The following table shows the default interface and zone mapping for each model at the time of writing. Table 18 Default Zone - Interface Mapping ZONE / INTERFACE LAN1 LAN2 DEFAULT ZONE • USG40 WAN1 LAN1 LAN2 WAN1_PPP OPT_PPP • USG40W WAN1...
  • Page 70: Stopping The Zywall/Usg

    Chapter 3 Hardware, Interfaces and Zones Table 19 Default Zone - Interface Mapping USG2200-VPN ZONE / INTERFACE LAN1 LAN2 DEFAULT ZONE • USG2200-VPN GE5, GE5_PPP GE9, GE10 TE17, GE1, GE1_PPP TE17_PPP GE6, GE6_PPP GE2, GE2_PPP TE18, GE3, GE3_PPP TE18_PPP GE4, GE4_PPP GE7_PPP GE8_PPP GE9_PPP...
  • Page 71: Chapter 4 Easy Mode

    Chapter 4 Easy Mode 4.1 Overview Welcome to the Easy Mode screens. This mode contains wizards that help you configure the ZyWALL/USG, links to portals and the advanced menus in Expert Mode. Use the Easy Mode screens if you have a relatively simple network environment with one WAN (WAN1) and one LAN (LAN1) connection.
  • Page 72: Easy Mode Settings

    Chapter 4 Easy Mode • Initial Setup Wizard for Internet access - you should have your Internet access account information at hand • VPN Wizard for a site-to-site tunnel between ZyWALL/USG networks, a tunnel from a remote client using the Zyxel client VPN software to the ZyWALL/USG network, or a tunnel from a remote client using other VPN software to the ZyWALL/USG network •...
  • Page 73: Easy Mode Dashboard

    Chapter 4 Easy Mode 4.1.3 Easy Mode Dashboard Cloud Helper Click the Cloud Helper icon to check if there is new firmware available at myZyXEL.com. If there is new firmware available at myZyXEL.com, then the icon displays a red N.
  • Page 74 Chapter 4 Easy Mode Figure 53 Easy Mode Dashboard The Easy Mode dashboard contains the following. • System information, such as firmware version, the length of time the ZyWALL/USG has been on, date and time. • Internet information such as Internet connection type, WAN IP address and a button to test the connection.
  • Page 75: Initial Setup Wizard Screen 1 - Language And Overview

    Chapter 4 Easy Mode Click the settings icon to manage clients. Click + to add a new network client. In the pop-up screen, you can add a new client by entering its interface (LAN1 or Guest), IP Address, MAC Address and Name. This is the information you see under Network Client: •...
  • Page 76 Chapter 4 Easy Mode Choose the language for the Easy Mode and Expert Mode screens. The initial wizard helps you set up basic options as shown in the screen. At the end, you will have the choice of finishing the wizard or continuing the wizard to configure the optional features as listed.
  • Page 77: Initial Setup Wizard Screen 2 - Internet

    Chapter 4 Easy Mode 4.2.1 Initial Setup Wizard Screen 2 - Internet Figure 55 Initial Setup Wizard 2 This screen displays the Internet settings if the ZyWALL/USG can detect them automatically.
  • Page 78: Initial Setup Wizard Screen 2 - Internet Access Errors

    Chapter 4 Easy Mode If the ZyWALL/USG cannot detect the Internet settings automatically, then you have to enter them manually. • Choose DHCP if you were not given a specific IP address for the ZyWALL/USG. This allows the ZyWALL/USG to be able to get one automatically. •...
  • Page 79: Initial Setup Wizard Screen 3 - Date And Time

    Chapter 4 Easy Mode 4.2.3 Initial Setup Wizard Screen 3 - Date and Time Figure 56 Initial Setup Wizard 3 It’s important to have correct date and time values in the logs. The ZyWALL/USG can automatically update the time and date by detecting your time zone and whether Daylight Savings is in effect in that time zone.
  • Page 80: Initial Setup Wizard Screen 4 - Wi-Fi

    Chapter 4 Easy Mode 4.2.4 Initial Setup Wizard Screen 4 - Wi-Fi Figure 57 Initial Setup Wizard 4 Select Enable Wi-Fi Network if you want wireless devices to be able to wirelessly access the ZyWALL/USG and all resources connected to the ZyWALL/USG. Configure a descriptive name of from 1 to 32 alpha-numeric characters, hyphens or underscores (a-z A-Z 0-9 -_) for the wireless network name (Wi-Fi).
  • Page 81: Initial Setup Wizard Screen 5 - Register

    Chapter 4 Easy Mode 4.2.5 Initial Setup Wizard Screen 5 - Register Figure 58 Initial Setup Wizard 5 This screen shows if you have registered your ZyWALL/USG at portal.myZyXEL.com. After you register your ZyWALL/USG, you can register for the services supported by your model. For example, some models only support content filtering.
  • Page 82: Initial Setup Wizard Screen 6 - Congratulations

    Chapter 4 Easy Mode 4.2.6 Initial Setup Wizard Screen 6 - Congratulations Figure 59 Initial Setup Wizard 6 This screen shows if your Internet access is successfully configured. You can save changes and exit the Initial Wizard here by clearing Security Service, Port Forwarding, Guest LAN and VPN service selections and clicking Finish.
  • Page 83: Initial Setup Wizard Screen 7 - Security Service

    Chapter 4 Easy Mode 4.3 Initial Setup Wizard Screen 7 - Security Service Figure 60 Initial Setup Wizard 7 Configure licensed (non-grayed-out) services in this screen. After you buy a license for a service, you must activate it at myZyXEL.com. Make sure the ZyWALL/USG Internet connection is working correctly.
  • Page 84 Chapter 4 Easy Mode • Illegal Software: Sites that illegally distribute software or copyrighted materials such as movies or music, software cracks, illicit serial numbers, illegal license key generators. For example, www.zhaokey.com.cn, www.tiansha.net. • Instant Messaging: Sites that enable logging in to instant messaging services such as ICQ, AOL Instant Messenger, IRC, MSN, Jabber, Yahoo Messenger, and the like.
  • Page 85: Initial Setup Wizard Screen 8 - Port Forwarding

    Chapter 4 Easy Mode 4.4 Initial Setup Wizard Screen 8 - Port Forwarding Figure 61 Initial Setup Wizard 8 NAT port forwarding allows the ZyWALL/USG to direct incoming traffic from the Internet to the correct virtual server in your network. For example, if you have a NAS server in your network that you or other people need access to from outside your network, select the IP address of the NAS from Client.
  • Page 86: Initial Setup Wizard Screen 9 - Guest Lan

    Chapter 4 Easy Mode 4.5 Initial Setup Wizard Screen 9 - Guest LAN Figure 62 Initial Setup Wizard 9 Select Enable Guest Network (for wired clients) to convert the OPT or P6 port (depending on your model) to be a guest port and isolate it from the LAN/DMZ ports. Devices connected to the guest port are allowed Internet access only and do not have access to networks connected to the other ports.
  • Page 87: Connecting Ap Scenarios

    Chapter 4 Easy Mode 4.5.1 Connecting AP Scenarios If you connect an AP to a LAN port, then users can use the AP’s SSID to wirelessly access all wired resources connected to the LAN ports and Internet access. If you connect an AP to the Guest port, then users can use the AP’s SSID to wirelessly access all wired resources connected to the Guest port (only) and Internet access.
  • Page 88: Initial Setup Wizard Screen 10 - Vpn

    Chapter 4 Easy Mode 4.6 Initial Setup Wizard Screen 10 - VPN Figure 63 Initial Setup Wizard 10 A VPN is a secure, private connection between two end points. An end point could be a VPN gateway like the ZyWALL/USG itself or a computer with VPN software installed. Select a VPN wizard type and click Launch to begin that wizard and end the Initial Setup Wizard with changes saved.
  • Page 89: Vpn Setup Wizard: Wizard Type

    Chapter 4 Easy Mode • Select VPN Settings for L2TP VPN Settings to create a secure, private connection between the ZyWALL/USG and a computer with L2TP VPN software installed. Many computer operating systems come with L2TP installed. See your computer’s help to see how to configure it. The L2TP computer and the ZyWALL/USG will then communicate securely with each other.
  • Page 90 Chapter 4 Easy Mode Figure 65 VPN Express Wizard: Scenario Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 91: Vpn Express Wizard - Configuration

    Chapter 4 Easy Mode • Site-to-site with Dynamic Peer - choose this if the remote IPSec router has a dynamic IP address. You don’t specify the remote IPSec router’s address, but you specify the remote policy (the addresses of the devices behind the remote IPSec router). This ZyWALL/USG must have a static IP address or a domain name.
  • Page 92: Vpn Express Wizard - Summary

    Chapter 4 Easy Mode 4.6.4 VPN Express Wizard - Summary This screen provides a read-only summary of the VPN tunnel’s configuration and commands that you can copy and paste into another ZLD-based ZyWALL/USG’s command line interface to configure Figure 67 VPN Express Wizard: Summary •...
  • Page 93: Vpn Advanced Wizard - Scenario

    Chapter 4 Easy Mode Figure 68 VPN Express Wizard: Finish Click Close to exit the wizard. 4.6.6 VPN Advanced Wizard - Scenario Click the Advanced radio button as shown in Figure 64 on page 89 to display the following screen.
  • Page 94: Vpn Advanced Wizard - Phase 1 Settings

    Chapter 4 Easy Mode Figure 69 VPN Advanced Wizard: Scenario Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 95 Chapter 4 Easy Mode Figure 70 VPN Advanced Wizard: Phase 1 Settings • Secure Gateway: Any displays in this field if it is not configurable for the chosen scenario. Otherwise, enter the WAN IP address or domain name of the remote IPSec device (secure gateway) to identify the remote IPSec device by its IP address or a domain name.
  • Page 96: Vpn Advanced Wizard - Phase 2

    Chapter 4 Easy Mode Note: The remote IPSec device must also have NAT traversal enabled. See the help in the main IPSec VPN screens for more information. • Dead Peer Detection (DPD) has the ZyWALL/USG make sure the remote IPSec device is there before transmitting data through the IKE SA.
  • Page 97: Vpn Advanced Wizard - Summary

    Chapter 4 Easy Mode 4.6.9 VPN Advanced Wizard - Summary This is a read-only summary of the VPN tunnel settings. Figure 72 VPN Advanced Wizard: Summary • Rule Name: Identifies the VPN connection (and the VPN gateway). • Secure Gateway: IP address or domain name of the remote IPSec device. •...
  • Page 98: Vpn Advanced Wizard - Finish

    Chapter 4 Easy Mode 4.6.10 VPN Advanced Wizard - Finish Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN >...
  • Page 99: Configuration Provisioning Express Wizard - Vpn Settings

    Chapter 4 Easy Mode VPN rules for the ZyWALL/USG IPSec VPN Client have certain restrictions. They must not contain the following settings: • AH active protocol • NULL encryption • SHA512 authentication • A subnet or range remote policy Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and to use a pre-shared key.
  • Page 100: Configuration Provisioning Vpn Express Wizard - Configuration

    Chapter 4 Easy Mode Figure 75 VPN for Configuration Provisioning Express Wizard: Settings Scenario Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 101: Vpn Settings For Configuration Provisioning Express Wizard - Summary

    Chapter 4 Easy Mode Figure 76 VPN for Configuration Provisioning Express Wizard: Configuration • Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the ZyWALL/USG IPSec VPN Client. • Pre-Shared Key: Type the password. Both ends of the VPN tunnel must use the same password. Use 8 to 31 case-sensitive ASCII characters or 8 to 31 pairs of hexadecimal (“0-9”, “A-F”) characters.
  • Page 102: Vpn Settings For Configuration Provisioning Express Wizard - Finish

    Chapter 4 Easy Mode Figure 77 VPN for Configuration Provisioning Express Wizard: Summary • Rule Name: Identifies the VPN gateway policy. • Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the ZyWALL/USG IPSec VPN Client. •...
  • Page 103: Vpn Settings For Configuration Provisioning Advanced Wizard - Scenario

    Chapter 4 Easy Mode Figure 78 VPN for Configuration Provisioning Express Wizard: Finish Click Close to exit the wizard. 4.7.5 VPN Settings for Configuration Provisioning Advanced Wizard - Scenario Click the Advanced radio button as shown in Figure 74 on page 99 to display the following screen.
  • Page 104: Vpn Settings For Configuration Provisioning Advanced Wizard - Phase 1 Settings

    Chapter 4 Easy Mode Figure 79 VPN for Configuration Provisioning Advanced Wizard: Scenario Settings Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 105 Chapter 4 Easy Mode Figure 80 VPN for Configuration Provisioning Advanced Wizard: Phase 1 Settings • Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the ZyWALL/USG IPSec VPN Client. •...
  • Page 106: Vpn Settings For Configuration Provisioning Advanced Wizard - Phase 2

    Chapter 4 Easy Mode 4.7.7 VPN Settings for Configuration Provisioning Advanced Wizard - Phase 2 Phase 2 in an IKE uses the SA that was established in phase 1 to negotiate SAs for IPSec. Figure 81 VPN for Configuration Provisioning Advanced Wizard: Phase 2 Settings •...
  • Page 107 Chapter 4 Easy Mode Figure 82 VPN for Configuration Provisioning Advanced Wizard: Summary Summary • Rule Name: Identifies the VPN connection (and the VPN gateway). • Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the ZyWALL/USG IPSec VPN Client.
  • Page 108: Vpn Settings For Configuration Provisioning Advanced Wizard- Finish

    Chapter 4 Easy Mode • Encryption Algorithm: This displays the encryption method used. The longer the key, the higher the security, the lower the throughput (possibly). • DES uses a 56-bit key. • 3DES uses a 168-bit key. • AES128 uses a 128-bit key •...
  • Page 109: Vpn Settings For L2Tp Vpn Settings Wizard

    Chapter 4 Easy Mode > VPN Connection screen. Enter the IP address of the ZyWALL/USG in the ZyWALL/USG IPSec VPN Client to get all these VPN settings automatically from the ZyWALL/USG. Figure 83 VPN for Configuration Provisioning Advanced Wizard: Finish Click Close to exit the wizard.
  • Page 110: L2Tp Vpn Settings 1

    Chapter 4 Easy Mode Figure 84 VPN Settings for L2TP VPN Settings Wizard: L2TP VPN Settings Click Next to continue the wizard. 4.8.1 L2TP VPN Settings 1 Figure 85 VPN Settings for L2TP VPN Settings Wizard: L2TP VPN Settings • Rule Name: Type the name used to identify this L2TP VPN connection (and L2TP VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 111: L2Tp Vpn Settings 2

    Chapter 4 Easy Mode • My Address (interface): Select one of the interfaces from the pull down menu to apply the L2TP VPN rule. • Pre-Shared Key: Type the password. Both ends of the VPN tunnel must use the same password. Use 8 to 31 case-sensitive ASCII characters or 8 to 31 pairs of hexadecimal (“0-9”, “A-F”) characters.
  • Page 112: Vpn Settings For L2Tp Vpn Setting Wizard - Summary

    Chapter 4 Easy Mode Note: DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. The ZyWALL/USG uses a system DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and the time server.
  • Page 113: Vpn Settings For L2Tp Vpn Setting Wizard Completed

    Chapter 4 Easy Mode 4.8.4 VPN Settings for L2TP VPN Setting Wizard Completed Figure 88 VPN Settings for L2TP VPN Settings Wizard: Finish Now the rule is configured on the ZyWALL/USG. The L2TP VPN rule settings appear in the VPN > L2TP VPN screen and also in the VPN >...
  • Page 114: Port Forwarding

    Chapter 4 Easy Mode 4.9 Port Forwarding Figure 89 PortForwarding > Wizard 1 NAT port forwarding allows the ZyWALL/USG to direct incoming traffic from the Internet to the correct virtual server in your network. Even though the NAS is in your local network receiving the protection of the ZyWALL/USG, you can still access that NAS using these services from anywhere outside your network.
  • Page 115: Port Forwarding > Add Client

    Chapter 4 Easy Mode 4.9.1 Port Forwarding > Add Client Click the Edit icon next to Client List if you cannot see the client in the list. In the pop-up screen, you can add a new client by entering its Name, IP Address and MAC Address. A client or device in your network acting as a server for forwarded services (for example, the NAS) needs to have a static address.
  • Page 116 Chapter 4 Easy Mode Click Finish to complete the Port Forwarding Wizard.
  • Page 117: Wi-Fi And Guest Network Wizard

    Chapter 4 Easy Mode 4.10 Wi-Fi and Guest Network Wizard Figure 90 Wi-Fi and Guest Network Setup Select Enable Wi-Fi Network if you want wireless devices to be able to wirelessly access the ZyWALL/USG and all resources connected to the ZyWALL/USG. Configure a descriptive name of from 1 to 32 alpha-numeric characters, hyphens or underscores (a-z A-Z 0-9 -_) for the wireless network name (Wi-Fi).
  • Page 118: Guest Lan (Wired Network)

    Chapter 4 Easy Mode 4.10.1 Guest LAN (Wired Network) Figure 91 Wi-Fi and Guest Network Setup Select Enable Guest Network (for wired clients) to convert the OPT or P6 port (depending on your model) to be a guest port and isolate it from the LAN/DMZ ports. Devices connected to the guest port are allowed Internet access only and do not have access to networks connected to the other ports.
  • Page 119: Connecting Ap Scenarios

    Chapter 4 Easy Mode 4.10.2 Connecting AP Scenarios If you connect an AP to a LAN port, then users can use the AP’s SSID to wirelessly access all wired resources connected to the LAN ports and Internet access. If you connect an AP to the Guest port, then users can use the AP’s SSID to wirelessly access all wired resources connected to the Guest port (only) and Internet access.
  • Page 120: Security Service Wizard

    Chapter 4 Easy Mode 4.11 Security Service Wizard Figure 92 Register First You must first register the ZyWALL/USG at portal.myzyxel.com and activate licenses for required services. Figure 93 Security Service Wizard 1 - Service License Status This screen shows if you have registered your ZyWALL/USG at portal.myZyXEL.com. After you register your ZyWALL/USG, you can register for the services supported by your model.
  • Page 121: Security Service Wizard 2 - Content Filter Categories

    Chapter 4 Easy Mode To check your Internet connection, try to access the Internet from a computer connected to a LAN port on the ZyWALL/USG. If you cannot, then check your Internet access settings on the ZyWALL/ USG. 4.11.1 Security Service Wizard 2 - Content Filter Categories Figure 94 Security Service Wizard 2 - Content Filter Categories Configure licensed (non-grayed-out) services in this screen.
  • Page 122 Chapter 4 Easy Mode • Games: Sites relating to computer or other games, information about game producers, or how to obtain cheat codes. Game-related publication sites. For example, www.gamer.com.tw, www.wowtaiwan.com.tw, tw.lineage.gamania.com. • Streaming Media & Downloads: Sites that deliver streaming content, such as Internet radio, Internet TV or MP3 and live or archived media download sites.
  • Page 123: Security Service Wizard 3 - Websites

    Chapter 4 Easy Mode • Social Networking: Sites that enable social networking for online communities of various topics, for friendship, dating, or professional reasons. For example, www.facebook.com, www.flickr.com, www.groups.google.com. • Commerce • Job Search: Sites containing job listings, career information, assistance with job searches (such as resume writing, interviewing tips, etc.), employment agencies or head hunters.
  • Page 124: Security Service Wizard 4 - Exemptions

    Chapter 4 Easy Mode so on. You can also enter just a top level domain. For example, enter “*.com” to allow or forbid all .com domains. Use up to 127 characters (0-9a-z-). The casing does not matter. “*” can be used as a wildcard to match any string.
  • Page 125: Security Service Wizard 5 - Idp/Av

    Chapter 4 Easy Mode 4.11.4 Security Service Wizard 5 - IDP/AV Figure 97 Security Wizard 5 - IDP/AV IDP (Intrusion Detection and Prevention) consists of a set of signatures which examine packet content for known malicious data. You need to subscribe for IDP service in order to be able to download new signatures.
  • Page 126: Myzyxel Portal

    Chapter 4 Easy Mode 4.12 MyZyXEL Portal Figure 98 MyZyXEL Portal MyZyXEL.com is Zyxel’s online services center where you can register your ZyWALL/USG and manage subscription services available for the ZyWALL/USG. To update signature files or use a subscription service, you have to register the ZyWALL/USG and activate the corresponding service at myZyXEL.com (through the ZyWALL/USG).
  • Page 127: One Security Portal

    Chapter 4 Easy Mode 4.13 One Security Portal Figure 99 One Security Portal OneSecurity.com is a website with guidance on configuration walkthroughs, troubleshooting, and other information. In the ZyWALL/USG advanced menus, you will see icons that link to OneSecurity walkthroughs, troubleshooting and so on as shown in the following table. Table 20 OneSecurity Links ONESECURITY ICON SCREEN...
  • Page 128 Chapter 4 Easy Mode Table 20 OneSecurity Links (continued) ONESECURITY ICON SCREEN Application Patrol Click this icon for more information on Application Patrol, which identifies traffic that passes through the ZyWALL/USG, so you can decide what to do with specific types of traffic. Traffic not recognized by application patrol is ignored.
  • Page 129: Quick Setup Wizards

    Chapter 5 Quick Setup Wizards 5.1 Quick Setup Overview The Web Configurator's quick setup wizards help you configure Internet and VPN connection settings. This chapter provides information on configuring the quick setup screens in the Web Configurator. See the feature-specific chapters in this User’s Guide for background information. In the Web Configurator, click Configuration >...
  • Page 130: Wan Interface Quick Setup

    Chapter 5 Quick Setup Wizards • Wizard Help If the help does not automatically display when you run the wizard, click the arrow to display it. 5.2 WAN Interface Quick Setup Click WAN Interface in the main Quick Setup screen to open the WAN Interface Quick Setup Wizard Welcome screen.
  • Page 131: Select Wan Type

    Chapter 5 Quick Setup Wizards Figure 102 Choose an Ethernet Interface 5.2.2 Select WAN Type WAN Type Selection: Select the type of encapsulation this connection is to use. Choose Ethernet when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your ISP.
  • Page 132: Isp And Wan And Isp Connection Settings

    Chapter 5 Quick Setup Wizards Figure 104 WAN Interface Setup: Step 2 Dynamic IP Figure 105 WAN Interface Setup: Step 2 Fixed IP • WAN Interface: This is the interface you are configuring for Internet access. • Zone: This is the security zone to which this interface and Internet connection belong. •...
  • Page 133 Chapter 5 Quick Setup Wizards Figure 106 WAN and ISP Connection Settings: (PPTP Shown) The following table describes the labels in this screen. Table 21 WAN and ISP Connection Settings LABEL DESCRIPTION ISP Parameter This section appears if the interface uses a PPPoE or PPTP Internet connection. Encapsulation This displays the type of Internet connection you are configuring.
  • Page 134: Quick Setup Interface Wizard: Summary

    Chapter 5 Quick Setup Wizards Table 21 WAN and ISP Connection Settings (continued) LABEL DESCRIPTION Base Interface This displays the identity of the Ethernet interface you configure to connect with a modem or router. Base IP Address Type the (static) IP address assigned to you by your ISP. IP Subnet Mask Type the subnet mask assigned to you by your ISP (if given).
  • Page 135: Vpn Setup Wizard

    Chapter 5 Quick Setup Wizards Figure 107 Interface Wizard: Summary WAN (PPTP Shown) The following table describes the labels in this screen. Table 22 Interface Wizard: Summary WAN LABEL DESCRIPTION Encapsulation This displays what encapsulation this interface uses to connect to the Internet. Service Name This field only appears for a PPPoE interface.
  • Page 136: Welcome

    Chapter 5 Quick Setup Wizards Figure 108 VPN Setup Wizard 5.3.1 Welcome Use wizards to create Virtual Private Network (VPN) rules. After you complete the wizard, the Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN >...
  • Page 137: Vpn Setup Wizard: Wizard Type

    Chapter 5 Quick Setup Wizards 5.3.2 VPN Setup Wizard: Wizard Type Choose Express to create a VPN rule with the default phase 1 and phase 2 settings to connect to another ZLD-based ZyWALL/USG using a pre-shared key. Choose Advanced to change the default settings and/or use certificates instead of a pre-shared key to create a VPN rule to connect to another IPSec device.
  • Page 138 Chapter 5 Quick Setup Wizards Figure 111 VPN Express Wizard: Scenario IKE (Internet Key Exchange) Version: IKEv1 and IKEv2 IKE (Internet Key Exchange) is a protocol used in security associations to send data securely. IKE uses certificates or pre-shared keys for authentication and a Diffie–Hellman key exchange to set up a shared session secret from which encryption keys are derived.
  • Page 139: Vpn Express Wizard - Configuration

    Chapter 5 Quick Setup Wizards 5.3.4 VPN Express Wizard - Configuration Figure 112 VPN Express Wizard: Configuration • Secure Gateway: Any displays in this field if it is not configurable for the chosen scenario. Otherwise, enter the WAN IP address or domain name of the remote IPSec device (secure gateway) to identify the remote IPSec router by its IP address or a domain name.
  • Page 140: Vpn Express Wizard - Finish

    Chapter 5 Quick Setup Wizards Figure 113 VPN Express Wizard: Summary • Rule Name: Identifies the VPN gateway policy. • Secure Gateway: IP address or domain name of the remote IPSec device. If this field displays Any, only the remote IPSec device can initiate the VPN connection. •...
  • Page 141: Vpn Advanced Wizard - Scenario

    Chapter 5 Quick Setup Wizards Figure 114 VPN Express Wizard: Finish Click Close to exit the wizard. 5.3.7 VPN Advanced Wizard - Scenario Click the Advanced radio button as shown in Figure 110 on page 137 to display the following screen.
  • Page 142 Chapter 5 Quick Setup Wizards Figure 115 VPN Advanced Wizard: Scenario IKE (Internet Key Exchange) Version: IKEv1 and IKEv2 IKE (Internet Key Exchange) is a protocol used in security associations to send data securely. IKE uses certificates or pre-shared keys for authentication and a Diffie–Hellman key exchange to set up a shared session secret from which encryption keys are derived.
  • Page 143: Vpn Advanced Wizard - Phase 1 Settings

    Chapter 5 Quick Setup Wizards • Remote Access (Client Role) - Connect to an IPSec server. This ZyWALL/USG is the client (dial-in user) and can initiate the VPN tunnel. 5.3.8 VPN Advanced Wizard - Phase 1 Settings There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange).
  • Page 144: Vpn Advanced Wizard - Phase 2

    Chapter 5 Quick Setup Wizards • Key Group: DH5 is more secure than DH1 or DH2 (although it may affect throughput). DH1 (default) refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5, a 1536-bit random number.
  • Page 145: Vpn Advanced Wizard - Summary

    Chapter 5 Quick Setup Wizards • Perfect Forward Secrecy (PFS): Disabling PFS allows faster IPSec setup, but is less secure. Select DH1, DH2 or DH5 to enable PFS. DH5 is more secure than DH1 or DH2 (although it may affect throughput). DH1 refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number.
  • Page 146: Vpn Advanced Wizard - Finish

    Chapter 5 Quick Setup Wizards • Click Save to save the VPN rule. 5.3.11 VPN Advanced Wizard - Finish Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN >...
  • Page 147: Configuration Provisioning Express Wizard - Vpn Settings

    Chapter 5 Quick Setup Wizards VPN rules for the ZyWALL/USG IPSec VPN Client have certain restrictions. They must not contain the following settings: • AH active protocol • NULL encryption • SHA512 authentication • A subnet or range remote policy Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and to use a pre-shared key.
  • Page 148: Configuration Provisioning Vpn Express Wizard - Configuration

    Chapter 5 Quick Setup Wizards Figure 121 VPN for Configuration Provisioning Express Wizard: Settings Scenario Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 149: Vpn Settings For Configuration Provisioning Express Wizard - Summary

    Chapter 5 Quick Setup Wizards Figure 122 VPN for Configuration Provisioning Express Wizard: Configuration • Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the ZyWALL/USG IPSec VPN Client. •...
  • Page 150: Vpn Settings For Configuration Provisioning Express Wizard - Finish

    Chapter 5 Quick Setup Wizards Figure 123 VPN for Configuration Provisioning Express Wizard: Summary • Rule Name: Identifies the VPN gateway policy. • Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the ZyWALL/USG IPSec VPN Client.
  • Page 151: Vpn Settings For Configuration Provisioning Advanced Wizard - Scenario

    Chapter 5 Quick Setup Wizards Figure 124 VPN for Configuration Provisioning Express Wizard: Finish Click Close to exit the wizard. 5.4.5 VPN Settings for Configuration Provisioning Advanced Wizard - Scenario Click the Advanced radio button as shown in Figure 120 on page 147 to display the following screen.
  • Page 152: Vpn Settings For Configuration Provisioning Advanced Wizard - Phase 1 Settings

    Chapter 5 Quick Setup Wizards Figure 125 VPN for Configuration Provisioning Advanced Wizard: Scenario Settings Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 153 Chapter 5 Quick Setup Wizards Figure 126 VPN for Configuration Provisioning Advanced Wizard: Phase 1 Settings • Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the ZyWALL/USG IPSec VPN Client. •...
  • Page 154: Vpn Settings For Configuration Provisioning Advanced Wizard - Phase 2

    Chapter 5 Quick Setup Wizards 5.4.7 VPN Settings for Configuration Provisioning Advanced Wizard - Phase 2 Phase 2 in an IKE uses the SA that was established in phase 1 to negotiate SAs for IPSec. Figure 127 VPN for Configuration Provisioning Advanced Wizard: Phase 2 Settings •...
  • Page 155 Chapter 5 Quick Setup Wizards Figure 128 VPN for Configuration Provisioning Advanced Wizard: Summary Summary • Rule Name: Identifies the VPN connection (and the VPN gateway). • Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the ZyWALL/USG IPSec VPN Client.
  • Page 156: Vpn Settings For Configuration Provisioning Advanced Wizard- Finish

    Chapter 5 Quick Setup Wizards • Encryption Algorithm: This displays the encryption method used. The longer the key, the higher the security, the lower the throughput (possibly). • DES uses a 56-bit key. • 3DES uses a 168-bit key. • AES128 uses a 128-bit key •...
  • Page 157: Vpn Settings For L2Tp Vpn Settings Wizard

    Chapter 5 Quick Setup Wizards > VPN Connection screen. Enter the IP address of the ZyWALL/USG in the ZyWALL/USG IPSec VPN Client to get all these VPN settings automatically from the ZyWALL/USG. Figure 129 VPN for Configuration Provisioning Advanced Wizard: Finish Click Close to exit the wizard.
  • Page 158: L2Tp Vpn Settings

    Chapter 5 Quick Setup Wizards Figure 130 VPN Settings for L2TP VPN Settings Wizard: L2TP VPN Settings Click Next to continue the wizard. 5.5.1 L2TP VPN Settings Figure 131 VPN Settings for L2TP VPN Settings Wizard: L2TP VPN Settings • Rule Name: Type the name used to identify this L2TP VPN connection (and L2TP VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 159: L2Tp Vpn Settings

    Chapter 5 Quick Setup Wizards • My Address (interface): Select one of the interfaces from the pull down menu to apply the L2TP VPN rule. • Pre-Shared Key: Type the password. Both ends of the VPN tunnel must use the same password. Use 8 to 31 case-sensitive ASCII characters or 8 to 31 pairs of hexadecimal (“0-9”, “A-F”) characters.
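The Rule Name and Pre-Shared Key constraints that the VPN wizard screens repeat (1-31 alphanumeric, underscore or dash characters with a non-digit first character; 8 to 31 case-sensitive ASCII characters or 8 to 31 hexadecimal pairs), as an added Python pre-check that is not part of the manual or of the ZyWALL/USG firmware. Treating a key made entirely of hexadecimal pairs as the hex form, accepting lower-case hex digits, and restricting ASCII keys to printable characters are assumptions of this example.

```python
import re

# Rule Name: 1-31 chars from [A-Za-z0-9_-], first char must not be a digit (quoted from the wizard).
RULE_NAME_RE = re.compile(r"^[A-Za-z_-][A-Za-z0-9_-]{0,30}$")
# Pre-Shared Key, hex form: 8 to 31 pairs of hex digits (the page lists "0-9", "A-F";
# accepting lower-case digits is an assumption of this example).
HEX_PSK_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}){8,31}$")


def validate_rule_name(name: str):
    """Return (ok, reason) for a VPN rule / gateway name."""
    if not 1 <= len(name) <= 31:
        return False, "length must be 1-31 characters"
    if name[0].isdigit():
        return False, "first character cannot be a number"
    if not RULE_NAME_RE.fullmatch(name):
        return False, "only letters, digits, underscores (_) and dashes (-) are allowed"
    return True, "ok"


def classify_psk(psk: str):
    """Return ('hex'|'ascii', detail) for an acceptable key, (None, reason) otherwise.

    A key that consists only of an even number of hex digits is reported as the
    hex form first, because both VPN ends must agree on which form they use.
    """
    if HEX_PSK_RE.fullmatch(psk):
        return "hex", f"{len(psk) // 2} hexadecimal pairs"
    # Printable ASCII only (assumption; the page says "case-sensitive ASCII characters").
    if not all(32 <= ord(c) <= 126 for c in psk):
        return None, "key contains a non-ASCII or control character"
    if not 8 <= len(psk) <= 31:
        return None, "ASCII key must be 8 to 31 characters"
    return "ascii", f"{len(psk)} ASCII characters"


def check_wizard_inputs(rule_name: str, psk: str):
    """Collect every problem with the two fields, as the wizard would reject them one by one."""
    problems = []
    ok, reason = validate_rule_name(rule_name)
    if not ok:
        problems.append(f"Rule Name: {reason}")
    kind, reason = classify_psk(psk)
    if kind is None:
        problems.append(f"Pre-Shared Key: {reason}")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for name, key in [("Branch-VPN_1", "DEADBEEF00112233"),
                      ("1branch", "short"),
                      ("HQ_tunnel", "Correct-Horse-Battery-Staple")]:
        print(name, key, check_wizard_inputs(name, key) or "accepted")
```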
  • Page 160: Vpn Settings For L2Tp Vpn Setting Wizard - Summary

    Chapter 5 Quick Setup Wizards Note: DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. The ZyWALL/USG uses a system DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and the time server.
  • Page 161: Vpn Settings For L2Tp Vpn Setting Wizard Completed

    Chapter 5 Quick Setup Wizards 5.5.4 VPN Settings for L2TP VPN Setting Wizard Completed Figure 134 VPN Settings for L2TP VPN Settings Wizard: Finish Now the rule is configured on the ZyWALL/USG. The L2TP VPN rule settings appear in the VPN > L2TP VPN screen and also in the VPN >...
  • Page 162: Chapter 6 Dashboard

    Chapter 6 Dashboard 6.1 Overview Use the Dashboard screens to check status information about the ZyWALL/USG. 6.1.1 What You Can Do in this Chapter Use the main Dashboard screen to see the ZyWALL/USG’s general device information, system status, system resource usage, licensed service status, and interface status. You can also display other status screens for more information.
  • Page 163 Chapter 6 Dashboard Click on the icon to go to the OneSecurity.com website where there is guidance on configuration walkthroughs, troubleshooting, and other information. Figure 135 Dashboard The following table describes the labels in this screen. Table 23 Dashboard LABEL DESCRIPTION Widget Setting Use this link to open or close widgets by selecting/clearing the associated checkbox.
  • Page 164: Device Information Screen

    Chapter 6 Dashboard Table 23 Dashboard (continued) LABEL DESCRIPTION Front Panel Click this to view details about the status of the ZyWALL/USG’s front panel LEDs and connections. See Section 3.1.1 on page 57 for LED descriptions. An unconnected interface or slot appears grayed out. The following front and rear panel labels display when you hover your cursor over a connected interface or slot.
  • Page 165: System Status Screen

    Chapter 6 Dashboard Figure 136 Dashboard > Device Information (Example) This table describes the fields in the above screen. Table 24 Dashboard > Device Information LABEL DESCRIPTION Device Information This identifies a device installed in one of the ZyWALL/USG’s extension slots, the Security Extension Module slot, or USB ports.
  • Page 166: Vpn Status Screen

    Chapter 6 Dashboard This table describes the fields in the above screen. Table 25 Dashboard > System Status LABEL DESCRIPTION System Uptime This field displays how long the ZyWALL/USG has been running since it last restarted or was turned on. Current Date/Time This field displays the current date and time in the ZyWALL/USG.
  • Page 167 Chapter 6 Dashboard Figure 138 Dashboard > System Status > VPN Status This table describes the fields in the above screen. Table 26 Dashboard > System Status > VPN Status LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific SA. Name This field displays the name of the IPSec SA.
  • Page 168: Dhcp Table Screen

    Chapter 6 Dashboard 6.2.4 DHCP Table Screen Click on the DHCP Table link to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses. The following screen will show. Figure 139 Dashboard > System Status > DHCP Table This table describes the fields in the above screen.
  • Page 169: Number Of Login Users Screen

    Chapter 6 Dashboard 6.2.5 Number of Login Users Screen Click the Number of Login Users link to see the following screen. Figure 140 Dashboard > System Status > Number of Login Users This table describes the fields in the above screen. Table 28 Dashboard >...
  • Page 170: Cpu Usage Screen

    Chapter 6 Dashboard Figure 141 Dashboard > System Resources This table describes the fields in the above screen. Table 29 Dashboard > System Resources LABEL DESCRIPTION CPU Usage This field displays what percentage of the ZyWALL/USG’s processing capability is currently being used. Hover your cursor over this field to display the Show CPU Usage icon that takes you to a chart of the ZyWALL/USG’s recent CPU usage.
  • Page 171: Memory Usage Screen

    Chapter 6 Dashboard Figure 142 Dashboard > CPU Usage screen This table describes the fields in the above screen. Table 30 Dashboard > CPU Usage LABEL DESCRIPTION The y-axis represents the percentage of CPU usage. The x-axis shows the time period over which the CPU usage occurred. Refresh Interval Enter how often you want this window to be automatically updated.
  • Page 172: Active Session Screen

    Chapter 6 Dashboard This table describes the fields in the above screen. Table 31 Dashboard > Memory Usage screen LABEL DESCRIPTION The y-axis represents the percentage of RAM usage. The x-axis shows the time period over which the RAM usage occurred. Refresh Interval Enter how often you want this window to be automatically updated.
  • Page 173: Extension Slot Screen

    Chapter 6 Dashboard 6.2.10 Extension Slot Screen Figure 145 Dashboard > Extension Slot This table describes the fields in the above screen. Table 33 Dashboard > Extension Slot LABEL DESCRIPTION This is the index number of the entry. Extension Slot This field displays the name of each extension slot.
  • Page 174 Chapter 6 Dashboard Figure 146 Dashboard > Interface Status Summary This table describes the fields in the above screen. Table 34 Dashboard > Interface Status Summary LABEL DESCRIPTION Name This field displays the name of each interface. Status This field displays the current status of each interface. The possible values depend on what type of interface it is.
  • Page 175: Secured Service Status Screen

    Chapter 6 Dashboard Table 34 Dashboard > Interface Status Summary LABEL DESCRIPTION HA Status This field displays the status of the interface in the virtual router. Active - This interface is the master interface in the virtual router. Stand-By - This interface is a backup interface in the virtual router. Fault - This VRRP group is not functioning in the virtual router right now.
  • Page 176: Content Filter Statistics Screen

    Chapter 6 Dashboard Table 35 Dashboard > Secured Service Status LABEL DESCRIPTION Version This field displays the version number of the services. Expiration This field displays the number of days remaining before the license expires. 6.2.13 Content Filter Statistics Screen Configure Configuration >...
  • Page 177: Top 5 Intrusions Screen

    Chapter 6 Dashboard This table describes the fields in the above screen. Table 37 Dashboard > Top 5 Viruses LABEL DESCRIPTION This is the entry’s rank in the list of the most commonly detected viruses. Virus ID This is the IDentification number of the anti-virus signature. Virus Name This is the name of a detected virus.
  • Page 178: The Latest Alert Logs Screen

    Chapter 6 Dashboard Table 39 Dashboard > Top 5 IPv4/IPv6 Security Policy Rules that Blocked Traffic LABEL DESCRIPTION This shows the zone packets went to that triggered the security policy. Description This field displays the descriptive name (if any) of the triggered security policy. Hits This field displays how many times the security policy was triggered.
  • Page 179: Part Ii: Technical Reference

    Technical Reference...
  • Page 181: Chapter 7 Monitor

    Chapter 7 Monitor 7.1 Overview Use the Monitor screens to check status and statistics information. 7.1.1 What You Can Do in this Chapter Use the Monitor screens for the following. • Use the System Status > Port Statistics screen (see Section 7.2 on page 182) to look at packet statistics for each physical port.
  • Page 182: The Port Statistics Screen

    Chapter 7 Monitor • Use the Wireless > Station Info screen (Section 7.15.6 on page 210) to view information on connected wireless stations. • Use the Wireless > Detected Device screen (Section 7.15.6 on page 210) to view information about suspected rogue APs. •...
  • Page 183 Chapter 7 Monitor Figure 153 Monitor > System Status > Port Statistics The following table describes the labels in this screen. Table 41 Monitor > System Status > Port Statistics LABEL DESCRIPTION Poll Interval Enter how often you want this window to be updated automatically, and click Set Interval.
  • Page 184: The Port Statistics Graph Screen

    Chapter 7 Monitor 7.2.1 The Port Statistics Graph Screen Use this screen to look at a line graph of packet statistics for each physical port. To access this screen, click Port Statistics in the Status screen and then the Switch to Graphic View Button. Figure 154 Monitor >...
  • Page 185: Interface Status Screen

    Chapter 7 Monitor 7.3 Interface Status Screen This screen lists all of the ZyWALL/USG’s interfaces and gives packet statistics for them. Click Monitor > System Status > Interface Status to access this screen. Figure 155 Monitor > System Status > Interface Status Each field is described in the following table.
  • Page 186 Chapter 7 Monitor Table 43 Monitor > System Status > Interface Status (continued) LABEL DESCRIPTION Status This field displays the current status of each interface. The possible values depend on what type of interface it is. For Ethernet interfaces: • Inactive - The Ethernet interface is disabled.
  • Page 187: The Traffic Statistics Screen

    Chapter 7 Monitor Table 43 Monitor > System Status > Interface Status (continued) LABEL DESCRIPTION Tunnel Interface This displays the details of the ZyWALL/USG’s configured tunnel interfaces. Status Name This field displays the name of the interface. Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
  • Page 188 Chapter 7 Monitor You use the Traffic Statistics screen to tell the ZyWALL/USG when to start and when to stop collecting information for these reports. You cannot schedule data collection; you have to start and stop it manually in the Traffic Statistics screen. Figure 156 Monitor >...
  • Page 189 Chapter 7 Monitor Table 44 Monitor > System Status > Traffic Statistics (continued) LABEL DESCRIPTION Direction This field indicates whether the IP address or user is sending or receiving traffic. • Ingress- traffic is coming from the IP address or user to the ZyWALL/USG. •...
  • Page 190: The Session Monitor Screen

    Chapter 7 Monitor 7.5 The Session Monitor Screen The Session Monitor screen displays all established sessions that pass through the ZyWALL/USG for debugging or statistical analysis. It is not possible to manage sessions in this screen. The following information is displayed. •...
  • Page 191: Igmp Statistics

    Chapter 7 Monitor Table 46 Monitor > System Status > Session Monitor (continued) LABEL DESCRIPTION Service This field displays when View is set to all sessions. Select the service or service group whose sessions you want to view. The ZyWALL/USG identifies the service by comparing the protocol and destination port of each packet to the protocol and port of each services that is defined.
  • Page 192: The Ddns Status Screen

    Chapter 7 Monitor Figure 158 Monitor > System Status > IGMP Statistics The following table describes the labels in this screen. Table 47 Monitor > System Status > IGMP Statistics LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific IGMP Statistics.
  • Page 193: Ip/Mac Binding

    Chapter 7 Monitor Table 48 Monitor > System Status > DDNS Status (continued) LABEL DESCRIPTION Last Update Status This shows whether the last attempt to resolve the IP address for the domain name was successful or not. Updating means the ZyWALL/USG is currently attempting to resolve the IP address for the domain name.
  • Page 194: The Dynamic Guest Screen

    Chapter 7 Monitor Figure 161 Monitor > System Status > Login Users The following table describes the labels in this screen. Table 50 Monitor > System Status > Login Users LABEL DESCRIPTION Force Logout Select a user ID and click this icon to end a user’s session. This field is a sequential value and is not associated with any entry.
  • Page 195 Chapter 7 Monitor ZyWALL/USG’s local database. To access this screen, click Monitor > System Status > Dynamic Guest. Figure 162 Monitor > System Status > Dynamic Guest The following table describes the labels in this screen. Table 51 Monitor > System Status > Dynamic Guest LABEL DESCRIPTION Remove...
  • Page 196: Cellular Status Screen

    Chapter 7 Monitor The following table describes the icons in this screen. Table 52 Monitor > System Status > Dynamic Guest Icons LABEL DESCRIPTION This guest account is un-used. This guest account is in use and online. This guest account has been used but is offline now. This guest account expired.
  • Page 197 Chapter 7 Monitor Table 53 Monitor > System Status > Cellular Status (continued) LABEL DESCRIPTION Status • No device - no mobile broadband device is connected to the ZyWALL/USG. • No Service - no mobile broadband network is available in the area; you cannot connect to the Internet.
  • Page 198: More Information

    Chapter 7 Monitor Table 53 Monitor > System Status > Cellular Status (continued) LABEL DESCRIPTION Cellular System This field displays what type of cellular network the mobile broadband connection is using. The network type varies depending on the mobile broadband card you inserted and could be UMTS, UMTS/HSDPA, GPRS or EDGE when you insert a GSM mobile broadband card, or 1xRTT, EVDO Rev.0 or EVDO Rev.A when you insert a CDMA mobile broadband card.
  • Page 199: The Upnp Port Status Screen

    Chapter 7 Monitor Table 54 Monitor > System Status > More Information (continued) LABEL DESCRIPTION Signal Strength This is the Signal Quality measured in dBm. Signal Quality This displays the strength of the signal. The signal strength mainly depends on the antenna output power and the distance between your ZyWALL/USG and the service provider’s base station.
  • Page 200: Usb Storage Screen

    Chapter 7 Monitor Table 55 Monitor > System Status > UPnP Port Status (continued) LABEL DESCRIPTION External Port This field displays the port number that the ZyWALL/USG “listens” on (on the WAN port) for connection requests destined for the NAT rule’s Internal Port and Internal Client. The ZyWALL/USG forwards incoming packets (from the WAN) with this port number to the Internal Client on the Internal Port (on the LAN).
  • Page 201: Ethernet Neighbor Screen

    Chapter 7 Monitor Table 56 Monitor > System Status > USB Storage (continued) LABEL DESCRIPTION Status Ready - you can have the ZyWALL/USG use the USB storage device. Click Remove Now to stop the ZyWALL/USG from using the USB storage device so you can remove it.
  • Page 202: Wireless

    Chapter 7 Monitor The following table describes the fields in the previous screen. Table 57 Monitor > System Status > Ethernet Neighbor LABEL DESCRIPTION Local Port (Description) This field displays the port of the ZyWALL/USG, on which the neighboring device is discovered.
  • Page 203 Chapter 7 Monitor The following table describes the labels in this screen. Table 58 Monitor > Wireless > AP Information LABEL DESCRIPTION Add to Mgnt AP List Click this to add new Access Points. More Information Click this icon to see AP Information and Station count. Reboot Select an AP and click this button to force it to restart.
  • Page 204: Ap List More Information

    Chapter 7 Monitor Table 59 Monitor > Wireless > AP Information > AP List Icons (continued) LABEL DESCRIPTION This AP is on the management list but offline. This indicates one of the following cases: • This AP has a runtime management VLAN ID setting that conflicts with the VLAN ID setting on the Access Controller (the ZyWALL/USG).
  • Page 205 Chapter 7 Monitor The following table describes the labels in this screen. Table 60 Monitor > Wireless > AP Information > AP List > More Information LABEL DESCRIPTION Configuration Status This displays whether or not any of the AP’s configuration is in conflict with the ZyWALL/USG’s settings for the AP.
  • Page 206: Config Ap

    Chapter 7 Monitor 7.15.3 Config AP Select an AP and click the Config AP button in the Monitor > Wireless > AP List table to display this screen. Figure 170 Monitor > Wireless > AP List > Config AP Each field is described in the following table. Table 61 Monitor >...
  • Page 207: Wireless Ap Information: Radio List

    Chapter 7 Monitor Table 61 Monitor > Wireless > AP List > Config AP (continued) LABEL DESCRIPTION Radio 1/2 OP Mode Select the operating mode for radio 1 or radio 2. AP Mode means the AP can receive connections from wireless clients and pass their data traffic through to the ZyWALL/USG to be managed (or subsequently passed on to an upstream gateway for managing).
  • Page 208 Chapter 7 Monitor The following table describes the labels in this screen. Table 62 Monitor > Wireless > Radio List LABEL DESCRIPTION More Information Click this icon to see the traffic statistics, station count, SSID, Security Mode and VLAN ID information on the AP. This field is a sequential value, and it is not associated with a specific radio.
  • Page 209: Radio List More Information

    Chapter 7 Monitor 7.15.5 Radio List More Information This screen allows you to view detailed information about a selected radio’s SSID(s), wireless traffic and wireless clients for the preceding 24 hours. To access this window, select an entry and click the More Information button in the Radio List screen.
  • Page 210: Wireless Station Info

    Chapter 7 Monitor The following table describes the labels in this screen. Table 63 Monitor > Wireless > AP Info > Radio List > More Information LABEL DESCRIPTION MBSSID Detail This list shows information about the SSID(s) that is associated with the radio over the preceding 24 hours.
  • Page 211: Detected Device

    Chapter 7 Monitor Table 64 Monitor > Wireless > Station List LABEL DESCRIPTION Tx Rate This field displays the transmit data rate of the station. Rx Rate This field displays the receive data rate of the station. Association Time This field displays the time duration the station was online and offline. 7.15.7 Detected Device Use this screen to view information about wireless devices detected by the AP.
  • Page 212: The Printer Status Screen

    Chapter 7 Monitor Table 65 Monitor > Wireless > Detected Device (continued) LABEL DESCRIPTION MAC Address This indicates the detected device’s MAC address. SSID Name This indicates the detected device’s SSID. Channel ID This indicates the detected device’s channel ID. 802.11 Mode This indicates the 802.11 mode (a/b/g/n) transmitted by the detected device.
  • Page 213: The Ipsec Monitor Screen

    Chapter 7 Monitor 7.17 The IPSec Monitor Screen You can use the IPSec Monitor screen to display and to manage active IPSec SAs. To access this screen, click Monitor > VPN Monitor > IPSec. The following screen appears. Click a column’s heading cell to sort the table entries by that column’s criteria.
  • Page 214: Regular Expressions In Searching Ipsec Sas

    Chapter 7 Monitor 7.17.1 Regular Expressions in Searching IPSec SAs A question mark (?) lets a single character in the VPN connection or policy name vary. For example, use “a?c” (without the quotation marks) to specify abc, acc and so on. Wildcards (*) let multiple VPN connection or policy names match the pattern.
  • Page 215: The L2Tp Over Ipsec Session Monitor Screen

    Chapter 7 Monitor Table 68 Monitor > VPN Monitor > SSL (continued) LABEL DESCRIPTION Login Address This field displays the IP address the user used to establish this SSL VPN connection. Connected Time This field displays the time this connection was established. Inbound (Bytes) This field displays the number of bytes received by the ZyWALL/USG on this connection.
  • Page 216 Chapter 7 Monitor Click Monitor > UTM Statistics > App Patrol to display the following screen. This screen displays Application Patrol statistics based on the App Patrol profiles bound to Security Policy profiles. Figure 179 Monitor > UTM Statistics > App Patrol The following table describes the labels in this screen.
  • Page 217: The Content Filter Screen

    Chapter 7 Monitor 7.21 The Content Filter Screen Click Monitor > UTM Statistics > Content Filter to display the following screen. This screen displays content filter statistics. Figure 180 Monitor > UTM Statistics > Content Filter The following table describes the labels in this screen. Table 71 Monitor >...
  • Page 218: The Idp Screen

    Chapter 7 Monitor Table 71 Monitor > UTM Statistics > Content Filter (continued) LABEL DESCRIPTION Blocked This is the number of web pages to which the ZyWALL/USG blocked access. Warned This is the number of web pages for which the ZyWALL/USG displayed a warning message to the access requesters.
  • Page 219 Chapter 7 Monitor Figure 181 Monitor > UTM Statistics > IDP: Signature Name The following table describes the labels in this screen. Table 72 Monitor > UTM Statistics > IDP LABEL DESCRIPTION Collect Statistics Select this check box to have the ZyWALL/USG collect IDP statistics. The collection starting time displays after you click Apply.
  • Page 220: The Anti-Virus Screen

    Chapter 7 Monitor Table 72 Monitor > UTM Statistics > IDP (continued) LABEL DESCRIPTION Signature ID This column displays when you display the entries by Signature Name. The signature ID is a unique value given to each intrusion detected. Type This column displays when you display the entries by Signature Name.
  • Page 221 Chapter 7 Monitor Figure 184 Monitor > UTM Statistics > Anti-Virus: Virus Name The following table describes the labels in this screen. Table 73 Monitor > UTM Statistics > Anti-Virus LABEL DESCRIPTION Collect Statistics Select this check box to have the ZyWALL/USG collect anti-virus statistics. The collection starting time displays after you click Apply.
  • Page 222: The Anti-Spam Screens

    Chapter 7 Monitor Table 73 Monitor > UTM Statistics > Anti-Virus (continued) LABEL DESCRIPTION Destination IP This column displays when you display the entries by Destination. It shows the destination IP address of virus-infected files that the ZyWALL/USG has detected. Occurrences This field displays how many times the ZyWALL/USG has detected the event described in the entry.
  • Page 223 Chapter 7 Monitor Figure 187 Monitor > UTM Statistics > Anti-Spam The following table describes the labels in this screen. Table 74 Monitor > UTM Statistics > Anti-Spam LABEL DESCRIPTION Collect Statistics Select this check box to have the ZyWALL/USG collect anti-spam statistics. The collection starting time displays after you click Apply.
  • Page 224 Chapter 7 Monitor Table 74 Monitor > UTM Statistics > Anti-Spam (continued) LABEL DESCRIPTION Spam Mails Detected by Black List This is the number of e-mails that matched an entry in the ZyWALL/USG’s anti-spam black list. Spam Mails Detected by IP Reputation This is the number of e-mails that the ZyWALL/USG has determined to be spam by IP Reputation.
  • Page 225: The Anti-Spam Status Screen

    Chapter 7 Monitor 7.24.2 The Anti-Spam Status Screen Click Monitor > UTM Statistics > Anti-Spam > Status to display the Anti-Spam Status screen. Use the Anti-Spam Status screen to see how many e-mail sessions the anti-spam feature is scanning and statistics for the DNSBLs. Figure 188 Monitor >...
  • Page 226: The Ssl Inspection Screens

    Chapter 7 Monitor Table 75 Monitor > UTM Statistics > Anti-Spam > Status (continued) LABEL DESCRIPTION DNSBL Domain These are the DNSBLs the ZyWALL/USG uses to check sender and relay IP addresses in e-mails. Total Queries This is the total number of DNS queries the ZyWALL/USG has sent to this DNSBL. Avg.
  • Page 227: Certificate Cache List

    Chapter 7 Monitor Table 76 Monitor > UTM Statistics > SSL Inspection > Report (continued) LABEL DESCRIPTION Flush Data Click this button to discard all of the screen’s statistics and update the report display. Status Maximum Concurrent Sessions This shows the maximum number of simultaneous SSL Inspection sessions allowed for your ZyWALL/USG model.
  • Page 228: Log Screens

    Chapter 7 Monitor The following table describes the labels in this screen. Table 77 Monitor > UTM Statistics > SSL Inspection > Certificate Cache List LABEL DESCRIPTION Certificate Cache List Add to Exclude list Select an item in the list and click this icon to add the common name (CN) to the Exclude List.
  • Page 229 Chapter 7 Monitor heading cell again to reverse the sort order. The Web Configurator saves the filter settings if you leave the View Log screen and return to it later. Figure 191 Monitor > Log > View Log The following table describes the labels in this screen. Table 78 Monitor >...
  • Page 230: View Ap Log

    Chapter 7 Monitor Table 78 Monitor > Log > View Log (continued) LABEL DESCRIPTION Message This field displays the reason the log message was generated. The text “[count=x]”, where x is a number, appears at the end of the Message field if log consolidation is turned on and multiple entries were aggregated into this one.
  • Page 231 Chapter 7 Monitor Figure 192 Monitor > Log > View AP Log The following table describes the labels in this screen. LABEL DESCRIPTION Show Filter Click this button to show or hide the filter settings. If the filter settings are hidden, the Display, Email Log Now, Refresh, and Clear Log fields are available.
  • Page 232 Chapter 7 Monitor LABEL DESCRIPTION Destination Address Type the IP address of the destination. Destination Interface Select the destination interface from the pull down menu. Keyword Type a keyword of the policy service available from the ZyWALL/USG to search for a log.
  • Page 233: Dynamic Users Log

    Chapter 7 Monitor 7.26.3 Dynamic Users Log Use this screen to view the ZyWALL/USG’s dynamic guest account log messages. Click Monitor > Log > Dynamic Users Log to access this screen. Figure 193 Monitor > Log > Dynamic Users Log The following table describes the labels in this screen.
  • Page 234 Chapter 7 Monitor Table 79 Monitor > Log > Dynamic Users Log (continued) LABEL DESCRIPTION Bandwidth (U/D) This field displays the maximum upstream (Upload) and downstream (Download) bandwidth allowed for the user account in kilobits per second. Charge This field displays the total cost of the account. Payment Info This field displays the method of payment for each account.
  • Page 235: Chapter 8 Licensing

    Chapter 8 Licensing 8.1 Registration Overview Use the Configuration > Licensing > Registration screens to register your ZyWALL/USG and manage its service subscriptions. • Use the Registration screen (see Section 8.1.2 on page 236) to go to portal.myzyxel.com to register your ZyWALL/USG and activate a service, such as content filtering.
  • Page 236: Registration Screen

    Chapter 8 Licensing 8.1.2 Registration Screen Click the link in this screen to register your ZyWALL/USG at myZyXEL.com. The ZyWALL/USG should already have Internet access before you can access it. Click Configuration > Licensing > Registration in the navigation panel to open the screen as shown next. Click on the icon to go to the OneSecurity.com website where there is guidance on configuration walkthrough and other information.
  • Page 237: Signature Update

    Chapter 8 Licensing Table 80 Configuration > Licensing > Registration > Service (continued) LABEL DESCRIPTION Status This field displays whether a service is activated (Licensed) or not (Not Licensed) or expired (Expired). Registration Type This field displays whether you applied for a trial application (Trial) or registered a service with your iCard’s PIN number (Standard).
  • Page 238 Chapter 8 Licensing Figure 196 Configuration > Licensing > Signature Update >Anti-Virus The following table describes the labels in this screen. Table 81 Configuration > Licensing > Signature Update >Anti-Virus LABEL DESCRIPTION Signature Information The following fields display information on the current signature set that the ZyWALL/USG is using.
  • Page 239: The Idp/Apppatrol Update Screen

    Chapter 8 Licensing Table 81 Configuration > Licensing > Signature Update >Anti-Virus (continued) LABEL DESCRIPTION Apply Click this button to save your changes to the ZyWALL/USG. Reset Click this button to return the screen to its last-saved settings. 8.2.3 The IDP/AppPatrol Update Screen Click Configuration >...
  • Page 240 Chapter 8 Licensing Table 82 Configuration > Licensing > Signature Update > IDP/AppPatrol (continued) LABEL DESCRIPTION Signature Number This field displays the number of IDP signatures in this set. This number usually gets larger as the set is enhanced. Older signatures and rules may be removed if they are no longer applicable or have been supplanted by newer ones.
  • Page 241: Wireless

    Chapter 9 Wireless 9.1 Overview Use the Wireless screens to configure how the ZyWALL/USG manages the Access Points (APs) that are connected to it. 9.1.1 What You Can Do in this Chapter • Use the Controller screen (Section 9.2 on page 241) to set how the ZyWALL/USG allows new APs to connect to the network.
  • Page 242: Ap Management Screens

    Chapter 9 Wireless Each field is described in the following table. Table 83 Configuration > Wireless > Controller LABEL DESCRIPTION Registration Type Select Manual to add each AP to the ZyWALL/USG for management, or Always Accept to automatically add APs to the ZyWALL/USG for management. If you select Manual, then go to Monitor >...
  • Page 243 Chapter 9 Wireless Each field is described in the following table. Table 84 Configuration > Wireless > AP Management > Mgnt. AP List LABEL DESCRIPTION Edit Select an AP and click this button to edit its properties. Remove Select an AP and click this button to remove it from the list. Note: If in the Configuration >...
  • Page 244 Chapter 9 Wireless 9.3.1.1 Edit AP List Select an AP and click the Edit button in the Configuration > Wireless > AP Management table to display this screen. Figure 200 Configuration > Wireless > AP Management > Mgnt. AP List > Edit AP List Each field is described in the following table.
  • Page 245 Chapter 9 Wireless Table 85 Configuration > Wireless > AP Management > Mgnt. AP List > Edit AP List (continued) LABEL DESCRIPTION Radio 1/2 OP Mode Select the operating mode for radio 1 or radio 2. AP Mode means the AP can receive connections from wireless clients and pass their data traffic through to the ZyWALL/USG to be managed (or subsequently passed on to an upstream gateway for managing).
  • Page 246: Ap Policy

    Chapter 9 Wireless 9.3.2 AP Policy Use this screen to configure the AP controller’s IP address on the managed APs and determine the action the managed APs take if the current AP controller fails. Click Configuration > Wireless > AP Management > AP Policy to access this screen. Figure 201 Configuration >...
  • Page 247: Ap Group

    Chapter 9 Wireless 9.3.3 AP Group Use this screen to configure AP groups, which define the radio, port, VLAN and load balancing settings and apply the settings to all APs in the group. An AP can belong to one AP group at a time. Click Configuration >...
  • Page 248 Chapter 9 Wireless 9.3.3.1 Add/Edit AP Group Click Add or select an AP group and click the Edit button in the Configuration > Wireless > AP Management > AP Group table to display this screen. Figure 203 Configuration > Wireless > AP Management > AP Group > Add/Edit ZyWALL/USG Series User’s Guide...
  • Page 249 Chapter 9 Wireless Each field is described in the following table. Table 88 Configuration > Wireless > AP Management > AP Group > Add/Edit LABEL DESCRIPTION General Settings Group Name Enter a name for this group. You can use up to 31 alphanumeric characters. Dashes and underscores are also allowed.
  • Page 250 Chapter 9 Wireless Table 88 Configuration > Wireless > AP Management > AP Group > Add/Edit (continued) LABEL DESCRIPTION This is the VLAN’s index number in this list. Status This displays whether or not the VLAN is activated. Name This shows the name of the VLAN. This shows the VLAN ID number.
  • Page 251: Firmware

    Chapter 9 Wireless Table 88 Configuration > Wireless > AP Management > AP Group > Add/Edit (continued) LABEL DESCRIPTION Disassociate station when overloaded This function is enabled by default and the disassociation priority is always Signal Strength when you set Mode to By Smart Classroom. Select this option to disassociate wireless clients connected to the AP when it becomes overloaded.
  • Page 252 Chapter 9 Wireless Click Configuration > Wireless > AP Management > Firmware to access this screen. Figure 204 Configuration > Wireless > AP Management > Firmware Each field is described in the following table. Table 89 Configuration > Wireless > AP Management > Firmware LABEL DESCRIPTION AP Firmware...
  • Page 253: Mon Mode

    Chapter 9 Wireless Table 89 Configuration > Wireless > AP Management > Firmware (continued) LABEL DESCRIPTION Last Check Success This displays the date and time the last check for new firmware was made and whether the check is in progress (checking), was successful (success), or has failed (fail). Apply AP Firmware Due to space limitations, the ZyWALL/USG only downloads and keeps AP firmware for APs it is currently managing.
  • Page 254: Add/Edit Rogue/Friendly List

    Chapter 9 Wireless Each field is described in the following table. Table 90 Configuration > Wireless > MON Mode LABEL DESCRIPTION General Settings Enable Rogue AP Containment Select this to enable rogue AP containment. Rogue/Friendly AP List Click this button to add an AP to the list and assign it either friendly or rogue status.
  • Page 255: Auto Healing

    Chapter 9 Wireless Each field is described in the following table. Table 91 Configuration > Wireless > MON Mode > Add/Edit Rogue/Friendly LABEL DESCRIPTION Enter the MAC address of the AP you want to add to the list. A MAC address is a unique hardware identifier in the following hexadecimal format: xx:xx:xx:xx:xx:xx where xx is a hexadecimal number separated by colons.
  • Page 256: Rtls Overview

    Chapter 9 Wireless Table 92 Configuration > Wireless > Auto Healing (continued) LABEL DESCRIPTION Power Threshold Set the power level (in dBm) to which the neighbor APs of the failed AP increase their output power in order to extend their wireless service coverage areas. When the failed AP is working again, its neighbor APs return their output power to the original level.
  • Page 257: What You Can Do In This Chapter

    Chapter 9 Wireless 9.6.1 What You Can Do in this Chapter Use the RTLS screen (Section 9.6.3 on page 257) to use the managed APs as part of an Ekahau RTLS (Real Time Location Service) to track the location of Ekahau Wi-Fi tags. 9.6.2 Before You Begin You need: •...
  • Page 258: Technical Reference

    Chapter 9 Wireless Figure 209 Configuration > Wireless > RTLS The following table describes the labels in this screen. Table 94 Configuration > Wireless > RTLS LABEL DESCRIPTION Enable Select this to use Wi-Fi to track the location of Ekahau Wi-Fi tags. IP Address Specify the IP address of the Ekahau RTLS Controller.
  • Page 259: Load Balancing

    Chapter 9 Wireless Figure 210 An Example Three-Channel Deployment Three channels are situated in such a way as to create almost no interference with one another if used exclusively: 1, 6 and 11. When an AP broadcasts on any of these three channels, it should not interfere with neighboring APs as long as they are also limited to same trio.
  • Page 260 Chapter 9 Wireless There are two kinds of wireless load balancing available on the ZyWALL/USG: Load balancing by station number limits the number of devices allowed to connect to your AP. If you know exactly how many stations you want to let connect, choose this option. For example, if your company’s graphic design team has their own AP and they have 10 computers, you can load balance for 10.
  • Page 261: Chapter 10 Interfaces

    Chapter 10 Interfaces 10.1 Interface Overview Use the Interface screens to configure the ZyWALL/USG’s interfaces. You can also create interfaces on top of other interfaces. • Ports are the physical ports to which you connect cables. • Interfaces are used within the system operationally. You use them in configuring various features.
  • Page 262: What You Need To Know

    Chapter 10 Interfaces 10.1.2 What You Need to Know Interface Characteristics Interfaces generally have the following characteristics (although not all characteristics apply to each type of interface). • An interface is a logical entity through which (layer-3) packets pass. • An interface is bound to a physical port or another interface. •...
  • Page 263 Chapter 10 Interfaces characteristics. These characteristics are listed in the following table and discussed in more detail below. Table 95 Ethernet, PPP, Cellular, VLAN, Bridge, and Virtual Interface Characteristics CHARACTERISTICS ETHERNET ETHERNET CELLULAR VLAN BRIDGE VIRTUAL Name* wan1, wan2 lan1, lan2, pppx cellularx vlanx...
  • Page 264 Chapter 10 Interfaces Table 96 Relationships Between Different Types of Interfaces (continued) INTERFACE REQUIRED PORT / INTERFACE PPP interface Ethernet interface* VLAN interface* bridge interface WAN1, WAN2, OPT* virtual interface (virtual Ethernet interface) Ethernet interface* (virtual VLAN interface) VLAN interface* (virtual bridge interface) bridge interface trunk...
  • Page 265 Chapter 10 Interfaces compose the network address. The prefix length is written as “/x” where x is a number. For example, 2001:db8:1a2b:15::1a2f:0/32 means that the first 32 bits (2001:db8) from the left is the network prefix. Link-local Address A link-local address uniquely identifies a device on the local network (the LAN). It is similar to a “private IP address”...
  • Page 266: What You Need To Do First

    The following table shows the models that support port role at the time of writing. Table 98 Models with Port Role MODEL WITH PORT ROLE: ZyWALL 110, USG40, USG40W, USG60, USG60W, USG110, USG210. Note the following if you are configuring from a computer connected to a lan1, lan2, ext-wlan or dmz port and change the port's role: •...
  • Page 267: Ethernet Summary Screen

    Chapter 10 Interfaces Figure 213 Configuration > Network > Interface > Port Role Physical Ports Default interface (ZONE) The physical Ethernet ports are shown at the top and the Ethernet interfaces and zones are shown at the bottom of the screen. Use the radio buttons to select for which interface (network) you want to use each physical port.
  • Page 268 Chapter 10 Interfaces exchanged, the more efficient the routers should be. However, the routers also generate more network traffic, and some routing protocols require a significant amount of configuration and management. The ZyWALL/USG supports two routing protocols, RIP and OSPF. See Chapter 11 on page 371 for background information about these routing protocols.
  • Page 269: Ethernet Edit

    Chapter 10 Interfaces Table 99 Configuration > Network > Interface > Ethernet (continued) LABEL DESCRIPTION IP Address This field displays the current IP address of the interface. If the IP address is 0.0.0.0 (in the IPv4 network) or :: (in the IPv6 network), the interface does not have an IP address yet.
  • Page 270: Igmp Proxy

    Chapter 10 Interfaces Set the priority used to identify the DR or BDR if one does not exist. IGMP Proxy Internet Group Management Protocol (IGMP) proxy is used for multicast routing. IGMP proxy enables the ZyWALL/USG to issue IGMP host messages on behalf of hosts that the ZyWALL/USG discovered on its IGMP-enabled interfaces.
  • Page 271 Chapter 10 Interfaces Figure 215 Configuration > Network > Interface > Ethernet > Edit (External Type) ZyWALL/USG Series User’s Guide...
  • Page 272 Chapter 10 Interfaces Configuration > Network > Interface > Ethernet > Edit (External Type)
  • Page 273 Chapter 10 Interfaces Figure 216 Configuration > Network > Interface > Ethernet > Edit (Internal Type)
  • Page 274 Chapter 10 Interfaces Configuration > Network > Interface > Ethernet > Edit (Internal Type)
  • Page 275 Chapter 10 Interfaces Figure 217 Configuration > Network > Interface > Ethernet > Edit (OPT)
  • Page 276 Chapter 10 Interfaces Configuration > Network > Interface > Ethernet > Edit (OPT)
  • Page 277 Chapter 10 Interfaces This screen’s fields are described in the table below. Table 100 Configuration > Network > Interface > Ethernet > Edit LABEL DESCRIPTION IPv4/IPv6 View / IPv4 View / IPv6 View Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields.
  • Page 278 Chapter 10 Interfaces Table 100 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION IP Address Enter the IP address for this interface. Subnet Mask Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network.
  • Page 279 Chapter 10 Interfaces Table 100 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Delegated Prefix Select the DHCPv6 request object to use from the drop-down list. Suffix Address Enter the ending part of the IPv6 address, a slash (/), and the prefix length. The ZyWALL/USG will append it to the delegated prefix.
  • Page 280 Chapter 10 Interfaces Table 100 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Enable Router Advertisement Select this to enable this interface to send router advertisement messages periodically. See IPv6 Router Advertisement on page 266 for more information. Advertised Hosts Get Network... Select this to have the ZyWALL/USG indicate to hosts to obtain network settings (such...
  • Page 281 Chapter 10 Interfaces Table 100 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Address This is the final network prefix combined by the delegated prefix and the suffix. Note: This field displays the combined address after you click OK and reopen this screen.
  • Page 282 Chapter 10 Interfaces Table 100 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION DHCP Select what type of DHCP service the ZyWALL/USG provides to the network. Choices are: None - the ZyWALL/USG does not provide any DHCP services. There is already a DHCP server on the network.
  • Page 283 Chapter 10 Interfaces Table 100 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Extended Options This table is available if you selected DHCP server. Configure this table if you want to send more information to DHCP clients through DHCP packets.
  • Page 284 Chapter 10 Interfaces Table 100 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Priority Enter the priority (between 0 and 255) of this interface when the area is looking for a Designated Router (DR) or Backup Designated Router (BDR). The highest-priority interface identifies the DR, and the second-highest-priority interface identifies the BDR.
  • Page 285: Virtual Interfaces

    Chapter 10 Interfaces 10.3.2 Virtual Interfaces Use virtual interfaces to tell the ZyWALL/USG where to route packets. Virtual interfaces can also be used in VPN gateways (see Chapter 29 on page 534) and VRRP groups (see Chapter 41 on page 707).
  • Page 286: Object References

    Chapter 10 Interfaces Table 101 Configuration > Network > Interface > Create Virtual Interface (continued) LABEL DESCRIPTION IP Address Assignment IP Address Enter the IP address for this interface. Subnet Mask Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network.
  • Page 287: Add/Edit Dhcpv6 Request/Release Options

    Chapter 10 Interfaces The following table describes labels that can appear in this screen. Table 102 Object References LABEL DESCRIPTION Object Name This identifies the object for which the configuration settings that use it are displayed. Click the object’s name to display the object’s configuration screen in the main window. This field is a sequential value, and it is not associated with any entry.
  • Page 288 Chapter 10 Interfaces Figure 221 Configuration > Network > Interface > Ethernet > Edit > Add/Edit Extended Options The following table describes labels that can appear in this screen. Table 103 Configuration > Network > Interface > Ethernet > Edit > Add/Edit Extended Options LABEL DESCRIPTION Option...
  • Page 289: Ppp Interfaces

    Chapter 10 Interfaces The following table lists the available DHCP extended options (defined in RFCs) on the ZyWALL/ USG. See RFCs for more information. Table 104 DHCP Extended Options OPTION NAME CODE DESCRIPTION Time Offset This option specifies the offset of the client's subnet in seconds from Coordinated Universal Time (UTC).
  • Page 290: Ppp Interface Summary

    Chapter 10 Interfaces PPPoE/PPTP/L2TP interfaces are similar to other interfaces in some ways. They have an IP address, subnet mask, and gateway used to make routing decisions; they restrict bandwidth and packet size; and they can verify the gateway is available. There are two main differences between PPPoE/ PPTP/L2TP interfaces and other interfaces.
  • Page 291: Ppp Interface Add Or Edit

    Chapter 10 Interfaces Table 105 Configuration > Network > Interface > PPP (continued) LABEL DESCRIPTION Connect To connect an interface, select it and click Connect. You might use this in testing the interface or to manually establish the connection for a Dial-on-Demand PPPoE/PPTP interface.
  • Page 292 Chapter 10 Interfaces Figure 224 Configuration > Network > Interface > PPP > Add
  • Page 293 Chapter 10 Interfaces Each field is explained in the following table. Table 106 Configuration > Network > Interface > PPP > Add LABEL DESCRIPTION IPv4/IPv6 View / IPv4 View / IPv6 View Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields.
  • Page 294 Chapter 10 Interfaces Table 106 Configuration > Network > Interface > PPP > Add (continued) LABEL DESCRIPTION IP Address This field is enabled if you select Use Fixed IP Address. Enter the IP address for this interface. Metric Enter the priority of the gateway (the ISP) on this interface. The ZyWALL/USG decides which gateway to use based on this priority.
  • Page 295 Chapter 10 Interfaces Table 106 Configuration > Network > Interface > PPP > Add (continued) LABEL DESCRIPTION Enable Rapid Select this to shorten the DHCPv6 message exchange process from four to two steps. Commit This function helps reduce heavy network traffic load. Note: Make sure you also enable this option in the DHCPv6 clients to make rapid commit work.
  • Page 296: Cellular Configuration Screen

    Chapter 10 Interfaces Table 106 Configuration > Network > Interface > PPP > Add (continued) LABEL DESCRIPTION Check this address Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it. Check Port This field only displays when you set the Check Method to tcp.
  • Page 297 Chapter 10 Interfaces Note: The actual data rate you obtain varies depending on your mobile environment. The environmental factors may include the number of mobile devices which are currently connected to the mobile network, the signal strength to the mobile network, and so on.
  • Page 298 Chapter 10 Interfaces Figure 225 Configuration > Network > Interface > Cellular The following table describes the labels in this screen. Table 108 Configuration > Network > Interface > Cellular LABEL DESCRIPTION Click this to create a new cellular interface. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
  • Page 299: Cellular Choose Slot

    Chapter 10 Interfaces Table 108 Configuration > Network > Interface > Cellular (continued) LABEL DESCRIPTION Current Version This displays the currently supported (by the ZyWALL/USG) mobile broadband dongle list version number. Update Now If the latest version number is greater than the current version number, then click this button to download the latest list of supported mobile broadband dongle devices to the ZyWALL/USG.
  • Page 300 Chapter 10 Interfaces Figure 226 Configuration > Network > Interface > Cellular > Add / Edit
  • Page 301 Chapter 10 Interfaces The following table describes the labels in this screen. Table 109 Configuration > Network > Interface > Cellular > Add / Edit LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields. General Settings...
  • Page 302 Chapter 10 Interfaces Table 109 Configuration > Network > Interface > Cellular > Add / Edit (continued) LABEL DESCRIPTION User Name This field displays when you select an authentication type other than None. This field is read-only if you selected Device in the profile selection. If this field is configurable, enter the user name for this mobile broadband card exactly as the service provider gave it to you.
  • Page 303 Chapter 10 Interfaces Table 109 Configuration > Network > Interface > Cellular > Add / Edit (continued) LABEL DESCRIPTION Check Method Select the method that the gateway allows. Select icmp to have the ZyWALL/USG regularly ping the gateway you specify to make sure it is still available.
  • Page 304 Chapter 10 Interfaces Table 109 Configuration > Network > Interface > Cellular > Add / Edit (continued) LABEL DESCRIPTION Band Selection This field appears if you selected a mobile broadband device that allows you to select the type of network to use. Select the type of mobile broadband service for your mobile broadband connection.
  • Page 305: Tunnel Interfaces

    Chapter 10 Interfaces Table 109 Configuration > Network > Interface > Cellular > Add / Edit (continued) LABEL DESCRIPTION Reset time and data budget counters This button is available only when you enable budget control in this screen. Click this button to reset the time and data budgets immediately. The count starts over with the mobile broadband connection’s full configured monthly time and data budgets.
  • Page 306 Chapter 10 Interfaces Figure 227 GRE Tunnel Example IPv6 Over IPv4 Tunnels To route traffic between two IPv6 networks over an IPv4 network, an IPv6 over IPv4 tunnel has to be used. Figure 228 IPv6 over IPv4 Network...
  • Page 307: Configuring A Tunnel

    Chapter 10 Interfaces In the ZyWALL/USG, you must also manually configure a policy route for an IPv6-in-IPv4 tunnel to make the tunnel work. 6to4 Tunneling This mode also enables IPv6 packets to cross IPv4 networks. Unlike IPv6-in-IPv4 tunneling, you do not need to configure a policy route for a 6to4 tunnel.
  • Page 308: Tunnel Add Or Edit Screen

    Chapter 10 Interfaces Figure 231 Network > Interface > Tunnel Each field is explained in the following table. Table 110 Network > Interface > Tunnel LABEL DESCRIPTION Click this to create a new GRE tunnel interface. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
  • Page 309 Chapter 10 Interfaces Figure 232 Network > Interface > Tunnel > Add/Edit Each field is explained in the following table. Table 111 Network > Interface > Tunnel > Add/Edit LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields. General Settings...
  • Page 310 Chapter 10 Interfaces Table 111 Network > Interface > Tunnel > Add/Edit (continued) LABEL DESCRIPTION Tunnel Mode Select the tunneling protocol of the interface (GRE, IPv6-in-IPv4 or 6to4). See Section 10.6 on page 305 for more information. IP Address Assignment This section is available if you are configuring a GRE tunnel. IP Address Enter the IP address for this interface.
  • Page 311 Chapter 10 Interfaces Table 111 Network > Interface > Tunnel > Add/Edit (continued) LABEL DESCRIPTION Interface Parameters Egress Bandwidth Enter the maximum amount of traffic, in kilobits per second, the ZyWALL/USG can send through the interface to the network. Allowed values are 0 - 1048576. This setting is used in WAN load balancing and bandwidth management.
  • Page 312: Vlan Interfaces

    Chapter 10 Interfaces 10.7 VLAN Interfaces A Virtual Local Area Network (VLAN) divides a physical network into multiple logical networks. The standard is defined in IEEE 802.1q. Figure 233 Example: Before VLAN In this example, there are two physical networks and three departments A, B, and C. The physical networks are connected to hubs, and the hubs are connected to the router.
  • Page 313: Vlan Summary Screen

    Chapter 10 Interfaces This approach provides a few advantages. • Increased performance - In VLAN 2, the extra switch should route traffic inside the sales department faster than the router does. In addition, broadcasts are limited to smaller, more logical groups of users. •...
  • Page 314 Chapter 10 Interfaces Figure 235 Configuration > Network > Interface > VLAN Each field is explained in the following table. Table 112 Configuration > Network > Interface > VLAN LABEL DESCRIPTION Configuration / IPv6 Configuration Use the Configuration section for IPv4 network settings. Use the IPv6 Configuration section for IPv6 network settings if you connect your ZyWALL/USG to an IPv6 network.
  • Page 315: Vlan Add/Edit

    Chapter 10 Interfaces 10.7.2 VLAN Add/Edit Select an existing entry in the previous screen and click Edit or click Add to create a new entry. The following screen appears.
  • Page 316 Chapter 10 Interfaces Figure 236 Configuration > Network > Interface > VLAN > Add /Edit
  • Page 317 Chapter 10 Interfaces Each field is explained in the following table. Table 113 Configuration > Network > Interface > VLAN > Add / Edit LABEL DESCRIPTION IPv4/IPv6 View / IPv4 View / IPv6 View Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields.
  • Page 318 Chapter 10 Interfaces Table 113 Configuration > Network > Interface > VLAN > Add / Edit (continued) LABEL DESCRIPTION Subnet Mask This field is enabled if you select Use Fixed IP Address. Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network.
  • Page 319 Chapter 10 Interfaces Table 113 Configuration > Network > Interface > VLAN > Add / Edit (continued) LABEL DESCRIPTION Delegated Prefix Select the DHCPv6 request object to use from the drop-down list. Suffix Address Enter the ending part of the IPv6 address, a slash (/), and the prefix length. The ZyWALL/USG will append it to the delegated prefix.
  • Page 320 Chapter 10 Interfaces Table 113 Configuration > Network > Interface > VLAN > Add / Edit (continued) LABEL DESCRIPTION Enable Router Advertisement Select this to enable this interface to send router advertisement messages periodically. See IPv6 Router Advertisement on page 266 for more information.
  • Page 321 Chapter 10 Interfaces Table 113 Configuration > Network > Interface > VLAN > Add / Edit (continued) LABEL DESCRIPTION Address This is the final network prefix combined by the delegated prefix and the suffix. Note: This field displays the combined address after you click OK and reopen this screen.
  • Page 322 Chapter 10 Interfaces Table 113 Configuration > Network > Interface > VLAN > Add / Edit (continued) LABEL DESCRIPTION These fields appear if the ZyWALL/USG is a DHCP Relay. Relay Server 1 Enter the IP address of a DHCP server for the network. Relay Server 2 This field is optional.
  • Page 323 Chapter 10 Interfaces Table 113 Configuration > Network > Interface > VLAN > Add / Edit (continued) LABEL DESCRIPTION Value This is the option’s value. Enable IP/MAC Binding Select this option to have the ZyWALL/USG enforce links between specific IP addresses and specific MAC addresses for this VLAN.
  • Page 324: Bridge Interfaces

    Chapter 10 Interfaces Table 113 Configuration > Network > Interface > VLAN > Add / Edit (continued) LABEL DESCRIPTION Authentication Select an authentication method, or disable authentication. To exchange OSPF routing information with peer border routers, you must use the same authentication method that they use.
  • Page 325 Chapter 10 Interfaces When the bridge receives a packet, the bridge records the source MAC address and the port on which it was received in a table. It also looks up the destination MAC address in the table. If the bridge knows on which port the destination MAC address is located, it sends the packet to that port.
  • Page 326: Bridge Summary

    Chapter 10 Interfaces Table 116 Example: Routing Table Before and After Bridge Interface br0 Is Created (continued) IP ADDRESS(ES) DESTINATION IP ADDRESS(ES) DESTINATION 241.241.241.241/32 242.242.242.242/32 In this example, virtual Ethernet interface lan1:1 is also removed from the routing table when lan1 is added to br0.
  • Page 327: Bridge Add/Edit

    Chapter 10 Interfaces Table 117 Configuration > Network > Interface > Bridge (continued) LABEL DESCRIPTION Object References Select an entry and click Object Reference to open a screen that shows which settings use the entry. See Section 10.3.4 on page 286 for an example.
  • Page 328 Chapter 10 Interfaces Figure 238 Configuration > Network > Interface > Bridge > Add / Edit
  • Page 329 Chapter 10 Interfaces Configuration > Network > Interface > Bridge > Add Each field is described in the table below. Table 118 Configuration > Network > Interface > Bridge > Add / Edit LABEL DESCRIPTION IPv4/IPv6 View / IPv4 View / IPv6 View Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields.
  • Page 330 Chapter 10 Interfaces Table 118 Configuration > Network > Interface > Bridge > Add / Edit (continued) LABEL DESCRIPTION Enable IPv6 Select this to enable IPv6 on this interface. Otherwise, clear this to disable it. Interface Properties Interface Type Select one of the following options depending on the type of network to which the ZyWALL/USG is connected or if you want to additionally manually configure some related settings.
  • Page 331 Chapter 10 Interfaces Table 118 Configuration > Network > Interface > Bridge > Add / Edit (continued) LABEL DESCRIPTION Enable IGMP Support Select this to allow the ZyWALL/USG to act as an IGMP proxy for hosts connected on the IGMP downstream interface. IGMP Version: Select the IGMP version to be used on this ZyWALL/USG interface.
  • Page 332 Chapter 10 Interfaces Table 118 Configuration > Network > Interface > Bridge > Add / Edit (continued) LABEL DESCRIPTION DHCPv6 Setting DUID This field displays the DHCP Unique IDentifier (DUID) of the interface, which is unique and used for identification purposes when the interface is exchanging DHCPv6 messages with others.
  • Page 333 Chapter 10 Interfaces Table 118 Configuration > Network > Interface > Bridge > Add / Edit (continued) LABEL DESCRIPTION Router Preference Select the router preference (Low, Medium or High) for the interface. The interface sends this preference in the router advertisements to tell hosts what preference they should use for the ZyWALL/USG.
  • Page 334 Chapter 10 Interfaces Table 118 Configuration > Network > Interface > Bridge > Add / Edit (continued) LABEL DESCRIPTION Ingress Bandwidth This is reserved for future use. Enter the maximum amount of traffic, in kilobits per second, the ZyWALL/USG can receive from the network through the interface.
  • Page 335 Chapter 10 Interfaces Table 118 Configuration > Network > Interface > Bridge > Add / Edit (continued) LABEL DESCRIPTION Default Router If you set this interface to DHCP Server, you can select to use either the interface’s IP address or another IP address as the default router. This default router will become the DHCP clients’...
  • Page 336: Lag

    Chapter 10 Interfaces Table 118 Configuration > Network > Interface > Bridge > Add / Edit (continued) LABEL DESCRIPTION Check Method Select the method that the gateway allows. Select icmp to have the ZyWALL/USG regularly ping the gateway you specify to make sure it is still available.
  • Page 337 Chapter 10 Interfaces Figure 239 Configuration > Network > Interface > LAG Each field is described in the following table. Table 119 Configuration > Network > Interface > LAG LABEL DESCRIPTION Configuration Click this to create a new entry. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
  • Page 338: Lag Add/Edit

    Chapter 10 Interfaces Table 119 Configuration > Network > Interface > LAG (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL/USG. Reset Click Reset to return the screen to its last-saved settings. 10.9.2 LAG Add/Edit This screen lets you configure Interface and LAG parameters for each LAG interface.
  • Page 339 Chapter 10 Interfaces Each field is described in the following table. Table 120 Configuration > Network > Interface > LAG > Add LABEL DESCRIPTION General Settings Enable Interface Select this to enable this interface. Clear this to disable this interface. Interface Properties Interface Type Select one of the following options depending on the type of network to which the...
  • Page 340 Chapter 10 Interfaces Table 120 Configuration > Network > Interface > LAG > Add (continued) LABEL DESCRIPTION ARP Interval This field displays for arp Link Monitoring. Select the frequency of ARP requests sent to confirm that a slave interface is up. ARP IP Target This field displays for arp Link Monitoring.
  • Page 341 Chapter 10 Interfaces Table 120 Configuration > Network > Interface > LAG > Add (continued) LABEL DESCRIPTION DHCP Select what type of DHCP service the ZyWALL/USG provides to the network. Choices are: None - the ZyWALL/USG does not provide any DHCP services. There is already a DHCP server on the network.
  • Page 342 Chapter 10 Interfaces Table 120 Configuration > Network > Interface > LAG > Add (continued) LABEL DESCRIPTION Extended Options This table is available if you selected DHCP server. Configure this table if you want to send more information to DHCP clients through DHCP packets.
  • Page 343: Vti

    Chapter 10 Interfaces Table 120 Configuration > Network > Interface > LAG > Add (continued) LABEL DESCRIPTION Check Default Gateway Select this to use the default gateway for the connectivity check. Check this address Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it.
  • Page 344: Vti Screen

    Chapter 10 Interfaces 10.10.2 VTI Screen To access this screen, click Configuration > Network > Interface > VTI. Figure 242 Configuration > Network > Interface > VTI The following table describes the fields in this screen. Table 121 Configuration > Network > Interface > VTI LABEL DESCRIPTION Configuration...
  • Page 345 Chapter 10 Interfaces Figure 243 Configuration > Network > Interface > VTI > Add Each field is described in the table below. Table 122 Configuration > Network > Interface > VTI > Add LABEL DESCRIPTION General Settings Enable Select this to enable VTI. Clear this to disable it. Interface Properties Interface Name This field is read-only if you are editing an existing VPN tunnel interface.
  • Page 346: Trunk Overview

    Chapter 10 Interfaces Table 122 Configuration > Network > Interface > VTI > Add (continued) LABEL DESCRIPTION Subnet Mask Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network. Gateway Enter the IP address of the gateway.
  • Page 347: What You Need To Know

    Chapter 10 Interfaces Maybe you have two Internet connections with different bandwidths. You could set up a trunk that uses spillover or weighted round robin load balancing so time-sensitive traffic (like video) usually goes through the higher-bandwidth interface. For other traffic, you might want to use least load first load balancing to even out the distribution of the traffic load.
  • Page 348 Chapter 10 Interfaces Load Balancing Algorithms The following sections describe the load balancing algorithms the ZyWALL/USG can use to decide which interface the traffic (from the LAN) should use for a session. In the load balancing section, a session may refer to normal connection-oriented, UDP or SNMP2 traffic. The available bandwidth you configure on the ZyWALL/USG refers to the actual bandwidth provided by the ISP and the measured bandwidth refers to the bandwidth an interface is currently using.
  • Page 349: The Trunk Summary Screen

    Chapter 10 Interfaces turn. In addition, the WAN interfaces are assigned weights. An interface with a larger weight gets more chances to transmit traffic than an interface with a smaller weight. For example, in the figure below, the configured available bandwidth of WAN1 is 1M and WAN2 is 512K.
  • Page 350 Chapter 10 Interfaces Figure 247 Configuration > Network > Interface > Trunk The following table describes the items in this screen. Table 124 Configuration > Network > Interface > Trunk LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields. Configuration...
  • Page 351: Configuring A User-Defined Trunk

    Chapter 10 Interfaces Table 124 Configuration > Network > Interface > Trunk (continued) LABEL DESCRIPTION This field is a sequential value, and it is not associated with any interface. Name This field displays the label that you specified to identify the trunk. Algorithm This field displays the load balancing method the trunk is set to use.
  • Page 352 Chapter 10 Interfaces Table 125 Configuration > Network > Interface > Trunk > Add (or Edit) (continued) LABEL DESCRIPTION Load Balancing Index(es) This field is available if you selected to use the Least Load First or Spillover method. Select Outbound, Inbound, or Outbound + Inbound to set the traffic to which the ZyWALL/USG applies the load balancing method.
  • Page 353: Configuring The System Default Trunk

    Chapter 10 Interfaces Table 125 Configuration > Network > Interface > Trunk > Add (or Edit) (continued) LABEL DESCRIPTION Spillover This field displays with the spillover load balancing algorithm. Specify the maximum bandwidth of traffic in kilobits per second (1~1048576) to send out through the interface before using another interface.
  • Page 354: Interface Technical Reference

    Chapter 10 Interfaces Each field is described in the table below. Table 126 Configuration > Network > Interface > Trunk > Edit (System Default) LABEL DESCRIPTION Name This field displays the name of the selected system default trunk. Load Balancing Select the load balancing method to use for the trunk.
  • Page 355 Chapter 10 Interfaces IP Address Assignment Most interfaces have an IP address and a subnet mask. This information is used to create an entry in the routing table. Figure 250 Example: Entry in the Routing Table Derived from Interfaces (diagram labels: lan1, wan1) Table 127 Example: Routing Table Entries for Interfaces IP ADDRESS(ES)
  • Page 356 Chapter 10 Interfaces If the interface gets its IP address and subnet mask from a DHCP server, the DHCP server also specifies the gateway, if any. Interface Parameters The ZyWALL/USG restricts the amount of traffic into and out of the ZyWALL/USG through each interface.
  • Page 357 Chapter 10 Interfaces • IP address - If the DHCP client’s MAC address is in the ZyWALL/USG’s static DHCP table, the interface assigns the corresponding IP address. If not, the interface assigns IP addresses from a pool, defined by the starting address of the pool and the pool size. Table 129 Example: Assigning IP Addresses from a Pool START IP ADDRESS POOL SIZE...
  • Page 358 Chapter 10 Interfaces • PPPoE does not usually require any special configuration of the modem. PPTP is used to set up virtual private networks (VPN) in unsecured TCP/IP environments. It sets up two sessions. The first one runs on TCP port 1723. It is used to start and manage the second one. The second one uses Generic Routing Encapsulation (GRE, RFC 2890) to transfer information between the computers.
  • Page 359: Routing

    Chapter 11 Routing 11.1 Policy and Static Routes Overview Use policy routes and static routes to override the ZyWALL/USG’s default routing behavior in order to send packets through the appropriate interface or VPN tunnel. For example, the next figure shows a computer (A) connected to the ZyWALL/USG’s LAN interface. The ZyWALL/USG routes most traffic from A to the Internet through the ZyWALL/USG’s default gateway (R1).
  • Page 360: What You Need To Know

    Chapter 11 Routing 11.1.2 What You Need to Know Policy Routing Traditionally, routing is based on the destination address only and the ZyWALL/USG takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator.
  • Page 361: Policy Route Screen

    Chapter 11 Routing DiffServ QoS is used to prioritize source-to-destination traffic flows. All packets in the same flow are given the same priority. CoS (class of service) is a way of managing traffic in a network by grouping similar types of traffic together and treating each type as a class. You can use CoS to give different priorities to different packet types.
  • Page 362 Chapter 11 Routing Click on the icons to go to the OneSecurity.com website where there is guidance on configuration walkthroughs, troubleshooting, and other information. Figure 252 Configuration > Network > Routing > Policy Route The following table describes the labels in this screen. Table 130 Configuration >...
  • Page 363: Policy Route Edit Screen

    Chapter 11 Routing Table 130 Configuration > Network > Routing > Policy Route (continued) LABEL DESCRIPTION Move To change a rule’s position in the numbered list, select the rule and click Move to display a field to type a number for where you want to put that rule and press [ENTER] to move the rule to the number that you typed.
  • Page 364 Chapter 11 Routing Policy Route Edit screen opens. Use this screen to configure or edit a policy route. Both IPv4 and IPv6 policy routes have similar settings except for the Address Translation (SNAT) settings. Figure 253 Configuration > Network > Routing > Policy Route > Add/Edit (IPv4 Configuration) ZyWALL/USG Series User’s Guide...
  • Page 365 Chapter 11 Routing Figure 254 Configuration > Network > Routing > Policy Route > Add/Edit (IPv6 Configuration) The following table describes the labels in this screen. Table 131 Configuration > Network > Routing > Policy Route > Add/Edit LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields.
  • Page 366 Chapter 11 Routing Table 131 Configuration > Network > Routing > Policy Route > Add/Edit (continued) LABEL DESCRIPTION DSCP Code Select a DSCP code point value of incoming packets to which this policy route applies or select User Define to specify another DSCP code point. The lower the number the higher the priority with the exception of 0 which is usually given only best-effort treatment.
  • Page 367 Chapter 11 Routing Table 131 Configuration > Network > Routing > Policy Route > Add/Edit (continued) LABEL DESCRIPTION DSCP Marking Set how the ZyWALL/USG handles the DSCP value of the outgoing packets that match this route. Select one of the pre-defined DSCP values to apply or select User Define to specify another DSCP value.
  • Page 368: Ip Static Route Screen

    Chapter 11 Routing 11.3 IP Static Route Screen Click Configuration > Network > Routing > Static Route to open the Static Route screen. This screen displays the configured static routes. Configure static routes to be able to use RIP or OSPF to propagate the routing information to other routers.
  • Page 369 Chapter 11 Routing Figure 256 Configuration > Network > Routing > Static Route > Add (IPv4 Configuration) Figure 257 Configuration > Network > Routing > Static Route > Add (IPv6 Configuration) The following table describes the labels in this screen. Table 133 Configuration >...
  • Page 370: Policy Routing Technical Reference

    Chapter 11 Routing 11.4 Policy Routing Technical Reference Here is more detailed information about some of the features you can configure in policy routing. NAT and SNAT NAT (Network Address Translation, RFC 1631) is the translation of the IP address in a packet in one network to a different IP address in another network.
  • Page 371: Routing Protocols Overview

    Chapter 11 Routing 11.5 Routing Protocols Overview Routing protocols give the ZyWALL/USG routing information about the network from other routers. The ZyWALL/USG stores this routing information in the routing table it uses to make routing decisions. In turn, the ZyWALL/USG can also use routing protocols to propagate routing information to other routers.
  • Page 372 Chapter 11 Routing • Second, the ZyWALL/USG can also redistribute routing information from non-RIP networks, specifically OSPF networks and static routes, to the RIP network. Costs might be calculated differently, however, so you use the Metric field to specify the cost in RIP terms. •...
  • Page 373: The Ospf Screen

    Chapter 11 Routing Table 136 Configuration > Network > Routing Protocol > RIP (continued) LABEL DESCRIPTION Active Static Route Select this to use RIP to advertise routes that were learned through the static route configuration. Metric Type the cost for routes provided by the static route configuration. The metric represents the “cost”...
  • Page 374 Chapter 11 Routing • A Not So Stubby Area (NSSA, RFC 1587) has routing information about the OSPF AS and networks outside the OSPF AS to which the NSSA is directly connected. It does not have any routing information about other networks outside the OSPF AS. Each type of area is illustrated in the following figure.
  • Page 375 Chapter 11 Routing • A backbone router (BR) has at least one interface with area 0. By default, every router in area 0 is a backbone router, and so is every ABR. Each type of router is illustrated in the following example. Figure 260 OSPF: Types of Routers In order to reduce the amount of traffic between routers, a group of routers that are directly connected to each other selects a designated router (DR) and a backup designated router (BDR).
  • Page 376: Configuring The Ospf Screen

    Chapter 11 Routing OSPF Configuration Follow these steps when you configure OSPF on the ZyWALL/USG: 1) Enable OSPF. 2) Set up the OSPF areas. 3) Configure the appropriate interfaces (see Section 10.3.1 on page 269). 4) Set up virtual links, as needed. 11.7.1 Configuring the OSPF Screen Use the first OSPF screen to specify the OSPF router the ZyWALL/USG uses in the OSPF AS and maintain the policies for redistribution.
  • Page 377: Ospf Area Add/Edit Screen

    Chapter 11 Routing Table 138 Configuration > Network > Routing Protocol > OSPF (continued) LABEL DESCRIPTION Active RIP Select this to advertise routes that were learned from RIP. The ZyWALL/USG advertises routes learned from RIP to Normal and NSSA areas but not to Stub areas.
  • Page 378 Chapter 11 Routing Figure 263 Configuration > Network > Routing > OSPF > Add The following table describes the labels in this screen. Table 139 Configuration > Network > Routing > OSPF > Add LABEL DESCRIPTION Area ID Type the unique, 32-bit identifier for the area in IP address format. Type Select the type of OSPF area.
  • Page 379: Virtual Link Add/Edit Screen

    Chapter 11 Routing Table 139 Configuration > Network > Routing > OSPF > Add (continued) LABEL DESCRIPTION Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to remove it before doing so.
  • Page 380: Routing Protocol Technical Reference

    Chapter 11 Routing The following table describes the labels in this screen. Table 140 Configuration > Network > Routing > OSPF > Add > Add LABEL DESCRIPTION Peer Router ID Enter the 32-bit ID (in IP address format) of the other ABR in the virtual link. Authentication Select the authentication method the virtual link uses.
  • Page 381 Chapter 11 Routing • The packet’s message-digest is the same as the one the ZyWALL/USG calculates using the MD5 password. For RIP, authentication is not available in RIP version 1. In RIP version 2, you can only select one authentication type for all interfaces. For OSPF, the ZyWALL/USG supports a default authentication type by area.
  • Page 382: Chapter 12 Ddns

    Chapter 12 DDNS 12.1 DDNS Overview Dynamic DNS (DDNS) services let you use a domain name with a dynamic IP address. 12.1.1 What You Can Do in this Chapter • Use the DDNS screen (see Section 12.2 on page 383) to view a list of the configured DDNS domain names and their details.
  • Page 383: The Ddns Screen

    Chapter 12 DDNS 12.2 The DDNS Screen The DDNS screen provides a summary of all DDNS domain names and their configuration. In addition, this screen allows you to add new domain names, edit the configuration for existing domain names, and delete domain names. Click Configuration > Network > DDNS to open the following screen.
  • Page 384: The Dynamic Dns Add/Edit Screen

    Chapter 12 DDNS Table 142 Configuration > Network > DDNS (continued) LABEL DESCRIPTION Apply Click this button to save your changes to the ZyWALL/USG. Reset Click this button to return the screen to its last-saved settings. 12.2.1 The Dynamic DNS Add/Edit Screen The DDNS Add/Edit screen allows you to add a domain name to the ZyWALL/USG or to edit the configuration of an existing domain name.
  • Page 385 Chapter 12 DDNS Figure 267 Configuration > Network > DDNS > Add - Custom The following table describes the labels in this screen. Table 143 Configuration > Network > DDNS > Add LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields. Enable DDNS Profile...
  • Page 386 Chapter 12 DDNS Table 143 Configuration > Network > DDNS > Add (continued) LABEL DESCRIPTION DDNS Settings Domain name Type the domain name you registered. You can use up to 255 characters. Primary Binding Address Use these fields to set how the ZyWALL/USG determines the IP address that is mapped to your domain name in the DDNS server.
  • Page 387 Chapter 12 DDNS Table 143 Configuration > Network > DDNS > Add (continued) LABEL DESCRIPTION Mail Exchanger This option is only available with a DynDNS account. DynDNS can route e-mail for your domain name to a mail server (called a mail exchanger).
  • Page 388: Nat

    Chapter 13 NAT 13.1 NAT Overview NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network, is changed to a different IP address known within another network. Use Network Address Translation (NAT) to make computers on a private network behind the ZyWALL/USG available outside the private network.
  • Page 389 Chapter 13 NAT screen, log in to the Web Configurator and click Configuration > Network > NAT. The following screen appears, providing a summary of the existing NAT rules. Click on the icons to go to the OneSecurity.com website where there is guidance on configuration walkthroughs, troubleshooting, and other information.
  • Page 390: The Nat Add/Edit Screen

    Chapter 13 NAT Table 144 Configuration > Network > NAT (continued) LABEL DESCRIPTION Apply Click this button to save your changes to the ZyWALL/USG. Reset Click this button to return the screen to its last-saved settings. 13.2.1 The NAT Add/Edit Screen The NAT Add/Edit screen lets you create new NAT rules and edit existing ones.
  • Page 391 Chapter 13 NAT Table 145 Configuration > Network > NAT > Add (continued) LABEL DESCRIPTION Classification Select what kind of NAT this rule is to perform. Virtual Server - This makes computers on a private network behind the ZyWALL/USG available to a public network outside the ZyWALL/USG (like the Internet). 1:1 NAT - If the private network server will initiate sessions to the outside clients, select this to have the ZyWALL/USG translate the source IP address of the server’s outgoing traffic to the same public IP address that the outside clients use to access the...
  • Page 392 Chapter 13 NAT Table 145 Configuration > Network > NAT > Add (continued) LABEL DESCRIPTION Port Mapping Type Use the drop-down list box to select how many original destination ports this NAT rule supports for the selected destination IP address (Original IP). Choices are: Any - this NAT rule supports all the destination ports.
  • Page 393: Nat Technical Reference

    Chapter 13 NAT 13.3 NAT Technical Reference Here is more detailed information about NAT on the ZyWALL/USG. NAT Loopback Suppose a NAT 1:1 rule maps a public IP address to the private IP address of a LAN SMTP e-mail server to give WAN users access. NAT loopback allows other users to also use the rule’s original IP to access the mail server.
  • Page 394 Chapter 13 NAT Figure 272 LAN to LAN Traffic (diagram: the LAN user at 192.168.1.89 sends SMTP traffic with source 192.168.1.89; the ZyWALL/USG forwards it to the SMTP server at 192.168.1.21 with source 192.168.1.1) The LAN SMTP server replies to the ZyWALL/USG’s LAN IP address and the ZyWALL/USG changes the source address to 1.1.1.1 before sending it to the LAN user. The return traffic’s source matches the original destination address (1.1.1.1).
  • Page 395: Chapter 14 Redirect Service

    Chapter 14 Redirect Service 14.1 Overview Redirect Service redirects HTTP and SMTP traffic. 14.1.1 HTTP Redirect HTTP redirect forwards the client’s HTTP request (except HTTP traffic destined for the ZyWALL/USG) to a web proxy server. In the following example, proxy server A is connected to the DMZ interface. When a client connected to the LAN1 zone wants to open a web page, its HTTP request is redirected to proxy server A first.
  • Page 396: What You Can Do In This Chapter

    Chapter 14 Redirect Service Figure 275 SMTP Redirect Example 14.1.3 What You Can Do in this Chapter Use the Redirect Service screens (see Section 14.2 on page 398) to display and edit the HTTP and SMTP redirect rules. 14.1.4 What You Need to Know Web Proxy Server A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services.
  • Page 397 Chapter 14 Redirect Service Even if you set a policy route to the same incoming interface and service as an HTTP redirect rule, the ZyWALL/USG checks the HTTP redirect rules first and forwards HTTP traffic to a proxy server if matched.
  • Page 398: The Redirect Service Screen

    Chapter 14 Redirect Service For SMTP traffic between lan1 and lan2: • a from LAN1 to LAN2 firewall rule to allow SMTP messages from lan1 to lan2. Responses to this request are allowed automatically. • an SMTP redirect rule to forward SMTP traffic from lan1 to SMTP server A. For SMTP traffic between lan2 and wan1: •...
  • Page 399: The Redirect Service Edit Screen

    Chapter 14 Redirect Service Table 146 Configuration > Network > Redirect Service (continued) LABEL DESCRIPTION Interface This is the interface on which the request must be received. Source Address This is the name of the source IP address object from which the traffic should be sent. If any displays, the rule is effective for every source.
  • Page 400 Chapter 14 Redirect Service Table 147 Network > Redirect Service > Edit (continued) LABEL DESCRIPTION User Select the user account or user group name to which this rule is applied. Interface Select the interface on which the request must be received for the ZyWALL/USG to forward it to the specified server.
  • Page 401: Alg

    Chapter 15 ALG 15.1 ALG Overview Application Layer Gateway (ALG) allows the following applications to operate properly through the ZyWALL/USG’s NAT. • SIP - Session Initiation Protocol (SIP) - An application-layer protocol that can be used to create voice and multimedia sessions over the Internet. •...
  • Page 402: Sip Alg

    Chapter 15 ALG FTP ALG The FTP ALG allows TCP packets with a specified port destination to pass through. If the FTP server is located on the LAN, you must also configure NAT (port forwarding) and security policies if you want to allow access to the server from the WAN.
  • Page 403 Chapter 15 ALG • The ZyWALL/USG allows SIP audio connections. • You do not need to use TURN (Traversal Using Relay NAT) for VoIP devices behind the ZyWALL/USG when you enable the SIP ALG. • Configuring the SIP ALG to use custom port numbers for SIP traffic also configures the application patrol (see Chapter 35 on page 618) to use the same port numbers for SIP traffic.
  • Page 404: Before You Begin

    Chapter 15 ALG corresponding policy routes to have calls from LAN IP address A go out through WAN IP address and calls from LAN IP address B go out through WAN IP address 2. Figure 281 VoIP with Multiple WAN IP Addresses 15.1.2 Before You Begin You must also configure the security policy and enable NAT in the ZyWALL/USG to allow sessions initiated from the WAN.
  • Page 405 Chapter 15 ALG Figure 282 Configuration > Network > ALG The following table describes the labels in this screen. Table 148 Configuration > Network > ALG LABEL DESCRIPTION Enable SIP ALG Turn on the SIP ALG to detect SIP traffic and help build SIP sessions through the ZyWALL/USG’s NAT.
  • Page 406 Chapter 15 ALG Table 148 Configuration > Network > ALG (continued) LABEL DESCRIPTION SIP Signaling Inactivity Timeout Most SIP clients have an “expire” mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL/USG.
  • Page 407: Alg Technical Reference

    Chapter 15 ALG 15.3 ALG Technical Reference Here is more detailed information about the Application Layer Gateway. Some applications cannot operate through NAT (are NAT un-friendly) because they embed IP addresses and port numbers in their packets’ data payload. The ZyWALL/USG examines and uses IP address and port number information embedded in the VoIP traffic’s data stream.
  • Page 408 Chapter 15 ALG When you make a VoIP call using H.323 or SIP, the RTP (Real-time Transport Protocol) is used to handle voice data transfer. See RFC 1889 for details on RTP.
  • Page 409: Upnp

    Chapter 16 UPnP 16.1 UPnP and NAT-PMP Overview The ZyWALL/USG supports both UPnP and NAT-PMP to permit networking devices to discover each other and connect seamlessly. Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices.
  • Page 410: Cautions With Upnp And Nat-Pmp

    Chapter 16 UPnP 16.2.2 Cautions with UPnP and NAT-PMP The automated nature of NAT traversal applications in establishing their own services and opening security policy ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments. When a UPnP or NAT-PMP device joins a network, it announces its presence with a multicast message.
  • Page 411: Technical Reference

    Chapter 16 UPnP The following table describes the fields in this screen. Table 149 Configuration > Network > UPnP LABEL DESCRIPTION Enable UPnP Select this check box to activate UPnP on the ZyWALL/USG. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the ZyWALL/USG's IP address (although you must still enter the password to access the web configurator).
  • Page 412 Chapter 16 UPnP Click Change Advanced Sharing Settings. Select Turn on network discovery and click Save Changes. Network discovery allows your computer to find other computers and devices on the network and other computers on the network to find your computer. This makes it easier to share files and printers.
  • Page 413: Using Upnp In Windows Xp Example

    Chapter 16 UPnP 16.4.2 Using UPnP in Windows XP Example This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyWALL/USG. Make sure the computer is connected to a LAN port of the ZyWALL/USG. Turn on your computer and the ZyWALL/USG.
  • Page 414 Chapter 16 UPnP Figure 286 Internet Connection Properties: Advanced Settings Figure 287 Internet Connection Properties: Advanced Settings: Add Note: When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. Select Show icon in notification area when connected option and click OK. An icon displays in the system tray.
  • Page 415: Web Configurator Easy Access

    Chapter 16 UPnP Figure 289 Internet Connection Status 16.4.3 Web Configurator Easy Access With UPnP, you can access the web-based configurator on the ZyWALL/USG without finding out the IP address of the ZyWALL/USG first. This is helpful if you do not know the IP address of the ZyWALL/USG.
  • Page 416 Chapter 16 UPnP Figure 290 Network Connections An icon with the description for each UPnP-enabled device displays under Local Network. Right-click on the icon for your ZyWALL/USG and select Invoke. The web configurator login screen displays. Figure 291 Network Connections: My Network Places Right-click on the icon for your ZyWALL/USG and select Properties.
  • Page 417 Chapter 16 UPnP Figure 292 Network Connections: My Network Places: Properties: Example
  • Page 418: Ip/Mac Binding

    Chapter 17 IP/MAC Binding 17.1 IP/MAC Binding Overview IP address to MAC address binding helps ensure that only the intended devices get to use privileged IP addresses. The ZyWALL/USG uses DHCP to assign IP addresses and records the MAC address it assigned to each IP address.
  • Page 419: Ip/Mac Binding Summary

    Chapter 17 IP/MAC Binding Interfaces Used With IP/MAC Binding IP/MAC address bindings are grouped by interface. You can use IP/MAC binding with Ethernet, bridge, VLAN, and WLAN interfaces. You can also enable or disable IP/MAC binding and logging in an interface’s configuration screen. 17.2 IP/MAC Binding Summary Click Configuration >...
  • Page 420: Static Dhcp Edit

    Chapter 17 IP/MAC Binding Figure 295 Configuration > Network > IP/MAC Binding > Edit The following table describes the labels in this screen. Table 151 Configuration > Network > IP/MAC Binding > Edit LABEL DESCRIPTION IP/MAC Binding Settings Interface Name This field displays the name of the interface within the ZyWALL/USG and the interface’s IP address and subnet mask.
  • Page 421: Ip/Mac Binding Exempt List

    Chapter 17 IP/MAC Binding Figure 296 Configuration > Network > IP/MAC Binding > Edit > Add The following table describes the labels in this screen. Table 152 Configuration > Network > IP/MAC Binding > Edit > Add LABEL DESCRIPTION Interface Name This field displays the name of the interface within the ZyWALL/USG and the interface’s IP address and subnet mask.
  • Page 422 Chapter 17 IP/MAC Binding Table 153 Configuration > Network > IP/MAC Binding > Exempt List (continued) LABEL DESCRIPTION Remove To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to remove it before doing so. This is the index number of the IP/MAC binding list entry. Name Enter a name to help identify this entry.
  • Page 423: Layer 2 Isolation

    Chapter 18 Layer 2 Isolation 18.1 Overview Layer-2 isolation is used to prevent connected devices from communicating with each other in the ZyWALL/USG’s local network(s), except for the devices in the white list, when layer-2 isolation is enabled on the ZyWALL/USG and the local interface(s). Note: The security policy control must be enabled before you can use layer-2 isolation.
  • Page 424: Layer-2 Isolation General Screen

    Chapter 18 Layer 2 Isolation 18.2 Layer-2 Isolation General Screen This screen allows you to enable Layer-2 isolation on the ZyWALL/USG and specific internal interface(s). To access this screen click Configuration > Network > Layer 2 Isolation. Figure 299 Configuration > Network > Layer 2 Isolation The following table describes the labels in this screen.
  • Page 425: Add/Edit White List Rule

    Chapter 18 Layer 2 Isolation Figure 300 Configuration > Network > Layer 2 Isolation > White List The following table describes the labels in this screen. Table 155 Configuration > Network > Layer 2 Isolation > White List LABEL DESCRIPTION Enable White List Select this option to turn on the white list on the ZyWALL/USG.
  • Page 426 Chapter 18 Layer 2 Isolation Figure 301 Configuration > Network > Layer 2 Isolation > White List > Add/Edit The following table describes the labels in this screen. Table 156 Configuration > Network > Layer 2 Isolation > White List > Add/Edit LABEL DESCRIPTION Enable...
  • Page 427: Dns Inbound Lb

    Chapter 19 DNS Inbound LB 19.1 DNS Inbound Load Balancing Overview Inbound load balancing enables the ZyWALL/USG to respond to a DNS query message with a different IP address for DNS name resolution. The ZyWALL/USG checks which member interface has the least load and responds to the DNS query message with the interface’s IP address. In the following figure, an Internet host (A) sends a DNS query message to the DNS server (D) in order to resolve a domain name of www.example.com.
  • Page 428: The Dns Inbound Lb Screen

    Chapter 19 DNS Inbound LB • Use the Inbound LB Add/Edit screen (see Section 19.2.1 on page 429) to add or edit a DNS load balancing rule. 19.2 The DNS Inbound LB Screen The Inbound LB screen provides a summary of all DNS load balancing rules and the details. You can also use this screen to add, edit, or remove the rules.
  • Page 429: The Dns Inbound Lb Add/Edit Screen

    Chapter 19 DNS Inbound LB Table 157 Configuration > Network > DNS Inbound LB (continued) LABEL DESCRIPTION Query From Address This field displays the source IP address of the DNS query messages to which the ZyWALL/USG applies the DNS load balancing rule. Query From Zone The ZyWALL/USG applies the DNS load balancing rule to the query messages received from this zone.
  • Page 430 Chapter 19 DNS Inbound LB Figure 304 Configuration > Network > DNS Inbound LB > Add The following table describes the labels in this screen. Table 158 Configuration > Network > DNS Inbound LB > Add/Edit LABEL DESCRIPTION Create New Object Use this to configure any new setting objects that you need to use in this screen.
  • Page 431: The Dns Inbound Lb Add/Edit Member Screen

    Chapter 19 DNS Inbound LB Table 158 Configuration > Network > DNS Inbound LB > Add/Edit (continued) LABEL DESCRIPTION Load Balancing Member Load Balancing Select a load balancing method to use from the drop-down list box. Algorithm Select Weighted Round Robin to balance the traffic load between interfaces based on their respective weights.
  • Page 432 Chapter 19 DNS Inbound LB Figure 305 Configuration > Network > DNS Inbound LB > Add/Edit > Add The following table describes the labels in this screen. Table 159 Configuration > Network > DNS Inbound LB > Add/Edit > Add/Edit LABEL DESCRIPTION Member...
  • Page 433: Chapter 20 Web Authentication

    Chapter 20 Web Authentication 20.1 Web Auth Overview Web authentication can intercept network traffic, according to the authentication policies, until the user authenticates his or her connection, usually through a specifically designated login web page. This means all web page requests can initially be redirected to a special web page that requires users to authenticate their sessions.
  • Page 434: What You Need To Know

    Chapter 20 Web Authentication 20.1.2 What You Need to Know Single Sign-On An SSO (Single Sign-On) agent integrates Domain Controller and ZyWALL/USG authentication mechanisms, so that users just need to log in once (single) to get access to permitted resources. Forced User Authentication Instead of making users for which user-aware policies have been configured go to the ZyWALL/USG Login screen manually, you can configure the ZyWALL/USG to display the Login screen...
  • Page 435 Chapter 20 Web Authentication Figure 307 Configuration > Web Authentication > General The following table gives an overview of the objects you can configure. Table 160 Configuration > Web Authentication > General LABEL DESCRIPTION Global Setting Enable Web Authentication Select the check box to turn on the web authentication feature. Otherwise, clear the check box to turn it off.
  • Page 436 Chapter 20 Web Authentication Table 160 Configuration > Web Authentication > General (continued) LABEL DESCRIPTION Exceptional Services Use this table to list services that users can access without logging in. Click Add to change the list’s membership. A screen appears. Available services appear on the left.
  • Page 437 Chapter 20 Web Authentication Table 160 Configuration > Web Authentication > General (continued) LABEL DESCRIPTION Authentication This field displays the authentication requirement for users when their traffic matches this policy. unnecessary - Users do not need to be authenticated. required - Users need to be authenticated. They must manually go to the login screen or user agreement page.
  • Page 438 Chapter 20 Web Authentication Creating/Editing an Authentication Policy Open the Configuration > Web Authentication > General screen, then click the Add icon or select an entry and click the Edit icon in the Web Authentication Policy Summary section to open the Auth. Policy Add/Edit screen. Use this screen to configure an authentication policy. Figure 310 Configuration >...
  • Page 439: User-Aware Access Control Example

    Chapter 20 Web Authentication Table 161 Configuration > Web Authentication > General > Add Authentication Policy (continued) LABEL DESCRIPTION Authentication Select the authentication requirement for users when their traffic matches this policy. unnecessary - Users do not need to be authenticated. required - Users need to be authenticated.
  • Page 440 Chapter 20 Web Authentication Figure 311 Configuration > Object > User/Group > User > Add Repeat this process to set up the remaining user accounts. 20.2.1.2 Set Up User Groups Set up the user groups and assign the users to the user groups. Click Configuration >...
  • Page 441 Chapter 20 Web Authentication 20.2.1.3 Set Up User Authentication Using the RADIUS Server This step sets up user authentication using the RADIUS server. First, configure the settings for the RADIUS server. Then, set up the authentication method, and configure the ZyWALL/USG to use the authentication method.
  • Page 442 Chapter 20 Web Authentication Figure 314 Configuration > Object > Auth. method > Edit Click Configuration > Web Authentication. In the Web Authentication > General screen, select Enable Web Authentication to turn on the web authentication feature and click Apply. Figure 315 Configuration >...
  • Page 443 Chapter 20 Web Authentication Figure 316 Configuration > Web Authentication: General: Add When the users try to browse the web (or use any HTTP application), the login screen appears. They have to log in using the user name and password in the RADIUS server. 20.2.1.4 User Group Authentication Using the RADIUS Server The previous example showed how to have a RADIUS server authenticate individual user accounts.
  • Page 444 Chapter 20 Web Authentication Figure 317 Configuration > Object > AAA Server > RADIUS > Add Now you add ext-group-user user objects to identify groups based on the group identifier values. Set up one user account for each group of user accounts in the RADIUS server. Click Configuration >...
  • Page 445: Authentication Type Screen

    Chapter 20 Web Authentication Figure 318 Configuration > Object > User/Group > User > Add Repeat this process to set up the remaining groups of user accounts. 20.2.2 Authentication Type Screen Use this screen to view, create and manage the authentication type profiles on the ZyWALL/USG. An authentication type profile decides which type of web authentication pages to be used for user authentication.
  • Page 446 Chapter 20 Web Authentication Table 162 Configuration > Web Authentication > Authentication Type (continued) LABEL DESCRIPTION Remove To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to remove it before doing so. This field is a sequential value, and it is not associated with a specific entry. Name This field displays the name of the profile.
  • Page 447 Chapter 20 Web Authentication Figure 321 Configuration > Web Authentication > Authentication Type: Add/Edit (User Agreement) The following table describes the labels in this screen. Table 163 Configuration > Web Authentication > Authentication Type: Add/Edit LABEL DESCRIPTION Type Select the type of the web authentication page through which users authenticate their connections.
  • Page 448 Chapter 20 Web Authentication Table 163 Configuration > Web Authentication > Authentication Type: Add/Edit (continued) LABEL DESCRIPTION External Web Select this to use a custom login page from an external web portal instead of the one Portal uploaded to the ZyWALL/USG. You can configure the look and feel of the web portal page. Login URL Specify the login page’s URL;...
  • Page 449: Custom Web Portal / User Agreement File Screen

    Chapter 20 Web Authentication Table 163 Configuration > Web Authentication > Authentication Type: Add/Edit (continued) LABEL DESCRIPTION Agreement Specify the user agreement page’s URL; for example, http://IIS server IP Address/ logout.html. The Internet Information Server (IIS) is the web server on which the user agreement files are installed.
  • Page 450: SSO Overview

    Chapter 20 Web Authentication Figure 323 Configuration > Web Authentication > Custom User Agreement File The following table describes the labels in this screen. Table 164 Configuration > Web Authentication > Custom Web Portal / User Agreement File LABEL DESCRIPTION Remove Click a file’s row to select it and click Remove to delete it from the ZyWALL/USG.
  • Page 451 Chapter 20 Web Authentication Note: The ZyWALL/USG, the DC, the SSO agent and the AD server must all be in the same domain and be able to communicate with each other. SSO does not support IPv6, LDAP or RADIUS; you must use it in an IPv4 network environment with Windows AD (Active Directory) authentication database.
  • Page 452: SSO - ZyWALL/USG Configuration

    Chapter 20 Web Authentication 20.4 SSO - ZyWALL/USG Configuration This section shows what you have to do on the ZyWALL/USG in order to use SSO. Table 165 ZyWALL/USG - SSO Agent Field Mapping ZYWALL/USG SCREEN FIELD SCREEN FIELD Web Authentication > Listen Port Agent Configuration Gateway Port...
  • Page 453: Enable Web Authentication

    Chapter 20 Web Authentication Figure 325 Configuration > Web Authentication > SSO The following table gives an overview of the objects you can configure. Table 166 Configuration > Web Authentication > SSO LABEL DESCRIPTION Listen Port The default agent listening port is 2158. If you change it on the ZyWALL/USG, then change it to the same number in the Gateway Port field on the SSO agent too.
  • Page 454: Create A Security Policy

    Chapter 20 Web Authentication Make sure you select Enable Policy, Single Sign-On and choose required in Authentication. Do NOT select any as the source address unless you want all incoming connections to be authenticated! See Table 160 on page 435 and Table 161 on page 438 for more information on configuring these screens.
  • Page 455: Configure User Information

    Chapter 20 Web Authentication Configure the fields as shown in the following screen. Configure the source and destination addresses according to the SSO web authentication traffic in your network. 20.4.5 Configure User Information Configure a User account of the ext-group-user type. ZyWALL/USG Series User’s Guide...
  • Page 456: Configure An Authentication Method

    Chapter 20 Web Authentication Configure Group Identifier to be the same as Group Membership on the SSO agent. 20.4.6 Configure an Authentication Method Configure Active Directory (AD) for authentication with SSO. Choose group ad as the authentication server for SSO.
  • Page 457: Configure Active Directory

    Chapter 20 Web Authentication 20.4.7 Configure Active Directory You must configure an Active Directory (AD) server in AAA Setup to be the same as AD configured on the SSO agent. The default AD server port is 389. If you change this, make sure you make the same changes on the SSO.
  • Page 458: Sso Agent Configuration

    Chapter 20 Web Authentication 20.5 SSO Agent Configuration This section shows what you have to do on the SSO agent in order to work with the ZyWALL/USG. After you install the SSO agent, you will see an icon in the system tray (bottom right of the screen)
  • Page 459 Chapter 20 Web Authentication Right-click the SSO icon and select Configure ZyXEL SSO Agent. Configure the Agent Listening Port and AD server exactly as you have done on the ZyWALL/USG. Add the ZyWALL/USG IP address as the Gateway. Make sure the ZyWALL/USG and SSO agent are able to communicate with each other.
  • Page 460 Chapter 20 Web Authentication Configure the Server Address, Port, Base DN, Bind DN, Login Name Attribute and Group Membership for the AD server settings exactly as you have done on the ZyWALL/USG. Group Membership is called Group Identifier on the ZyWALL/USG. LDAP/AD Server Configuration
  • Page 461 Chapter 20 Web Authentication Configure the Gateway IP address, Gateway Port and PreShareKey exactly as you have done in the ZyWALL/USG Configuration > Web Authentication > SSO screen. If you want to use Generate Key to have the SSO create a random password, select Check to show PreShareKey as clear Text so as to see the password, then copy and paste it to the ZyWALL/USG.
  • Page 462: Hotspot

    CHAPTER Hotspot 21.1 Overview At the time of writing, the following models support Hotspot management: • ZyWALL 310 • ZyWALL 1100 • USG310 • USG1100 • USG1900 • USG2200-VPN You can use the built-in billing function to set up billing profiles. A billing profile describes how to charge users.
  • Page 463: The General Screen

    Chapter 21 Hotspot Time-to-finish Accounting Method The time-to-finish accounting method is good for one-time logins. Once a user logs in, the ZyWALL/ USG stores the IP address of the user’s computer for the duration of the time allocated. Thus the user does not have to enter the user name and password again for re-login within the allocated time.
  • Page 464 Chapter 21 Hotspot Figure 326 Configuration > Hotspot > Billing > General The following table describes the labels in this screen. Table 167 Configuration > Hotspot > Billing > General LABEL DESCRIPTION General Settings Unused account Enter the number and select a time unit from the drop-down list box to specify how long to will be deleted wait before the ZyWALL/USG deletes an account that has not been used.
  • Page 465 Chapter 21 Hotspot Table 167 Configuration > Hotspot > Billing > General (continued) LABEL DESCRIPTION User idle The ZyWALL/USG automatically disconnects a computer from the network after a period of timeout inactivity. The user may need to enter the username and password again before access to the network is allowed.
  • Page 466: The Billing Profile Screen

    Chapter 21 Hotspot 21.4 The Billing Profile Screen Use this screen to configure the billing profiles that define the maximum Internet access time and charge per time unit. Click Configuration > Hotspot > Billing > Billing Profile to open the following screen.
  • Page 467: The Account Generator Screen

    Chapter 21 Hotspot Table 168 Configuration > Hotspot > Billing > Billing Profile (continued) LABEL DESCRIPTION Name This field displays the descriptive profile name for this entry. Time Period This field displays the duration of the billing period. Quota (T/U/D) This field displays how much data in both directions (Total) or upstream data (Upload) and downstream data (Download) can be transmitted through the WAN interface before the account expires.
  • Page 468 Chapter 21 Hotspot Figure 328 Account Generator The following table describes the labels in this screen. Table 169 Account Generator LABEL DESCRIPTION Account Select a button and specify how many units of billing period to be charged for new account Generator in the Button x Unit field.
  • Page 469 Chapter 21 Hotspot Table 169 Account Generator (continued) LABEL DESCRIPTION This shows the tax rate. Grand Total This shows the total price including tax. Quantity Specify the number of accounts to be created. Generate Click Generate to generate an account based on the billing settings you configure for the selected button in the Billing Profile screen.
  • Page 470: The Account Redeem Screen

    Chapter 21 Hotspot The Printer screen shows a printout preview example. Click Printer to print this subscriber statement. Click Cancel to close this window when you are finished viewing it. 21.4.2 The Account Redeem Screen The Account Redeem screen allows you to send SMS messages for certain accounts. Click the Account Redeem tab in the Account Generator screen to open this screen.
  • Page 471: The Following Table Describes The Labels In This Screen

    Chapter 21 Hotspot Figure 329 Account Redeem The following table describes the labels in this screen. Table 170 Account Redeem LABEL DESCRIPTION Query Account Information Phone Number Enter the country code and mobile phone number and click Query to display only the account(s) that has the specified phone number.
  • Page 472: The Billing Profile Add/Edit Screen

    Chapter 21 Hotspot Table 170 Account Redeem (continued) LABEL DESCRIPTION Cancel Click Cancel to exit this screen without saving. Logout Click Logout to log out of the web configurator. This button is available only when you open this screen by logging in with the guest-manager account. 21.4.3 The Billing Profile Add/Edit Screen The Billing Profile Add/Edit screen allows you to create a new billing profile or edit an existing one.
  • Page 473: The Discount Screen

    Chapter 21 Hotspot Table 171 Configuration > Hotspot > Billing > Billing Profile > Add/Edit (continued) LABEL DESCRIPTION Quota Type The quota settings section is NOT available when you set Accounting Method to Time to Finish in the Billing > General screen. Set a limit for the user accounts.
  • Page 474: Settings

    Chapter 21 Hotspot Figure 331 Configuration > Hotspot > Billing > Discount The following table describes the labels in this screen. Table 172 Configuration > Hotspot > Billing > Discount LABEL DESCRIPTION Discount Settings Enable Discount Select the check box to activate the discount price plan. Button Select Select a button from the drop-down list box to assign the base charge.
  • Page 475: The Discount Add/Edit Screen

    Chapter 21 Hotspot 21.5.1 The Discount Add/Edit Screen The Discount Add/Edit screen allows you to create a new discount level or edit an existing one. Click Configuration > Hotspot > Billing > Discount and then an Add or Edit icon to open this screen.
  • Page 476 Chapter 21 Hotspot Figure 333 Configuration > Hotspot > Billing > Payment Service > General The following table describes the labels in this screen. Table 174 Configuration > Hotspot > Billing > Payment Service > General LABEL DESCRIPTION General Setting Enable Payment Select the check box to use PayPal to authorize credit card payments.
  • Page 477: The Payment Service Desktop View / Mobile View Screen

    Chapter 21 Hotspot Table 174 Configuration > Hotspot > Billing > Payment Service > General (continued) LABEL DESCRIPTION Delivery Method Specify how the ZyWALL/USG provides dynamic guest account information after the user’s online payment is done. Select On-Screen to display the user account information in the web screen. Select SMS to use Short Message Service (SMS) to send account information in a text message to the user’s mobile device.
  • Page 478 Chapter 21 Hotspot Figure 334 Configuration > Hotspot > Billing > Payment Service > Desktop View
  • Page 479 Chapter 21 Hotspot Figure 335 Configuration > Hotspot > Billing > Payment Service > Mobile View
  • Page 480 Chapter 21 Hotspot The following table describes the labels in this screen. Table 175 Configuration > Hotspot > Billing > Payment Service > Desktop View or Mobile View LABEL DESCRIPTION Select Type Use Default Page Select this to use the default online payment service page built into the device. If you later create a custom online payment service page, you can still return to the ZyWALL/USG’s default page as it is saved indefinitely.
  • Page 481: Printer Manager

    CHAPTER Printer Manager 22.1 Printer Manager Overview You can create dynamic guest accounts and print guest account information by pressing the button on an external statement printer, such as SP350E. Make sure that the printer is connected to the appropriate power and the ZyWALL/USG, and that there is printing paper in the printer.
  • Page 482 Chapter 22 Printer Manager Figure 336 Configuration > Hotspot > Printer Manager > General The following table describes the labels in this screen. Table 176 Configuration > Hotspot > Printer Manager > General LABEL DESCRIPTION General Setting Enable Printer Select the check box to allow the ZyWALL/USG to manage and monitor the printer status. Manager Printer Settings Encryption...
  • Page 483 Chapter 22 Printer Manager Table 176 Configuration > Hotspot > Printer Manager > General (continued) LABEL DESCRIPTION Discover Click this to discover the printer(s) that are connected to the ZyWALL/USG and display the Printer printer information in a pop-up window. IPnP is enabled while discovering the printer and disabled when the discovering process has finished.
  • Page 484: Add Printer Rule

    Chapter 22 Printer Manager 22.2.1 Add Printer Rule Click the Add icon to open the following screen. Use this screen to add a new printer. Figure 337 Configuration > Hotspot > Printer Manager > General: Add The following table describes the labels in this screen. Table 177 Configuration >...
  • Page 485: Discover Printer

    Chapter 22 Printer Manager The following table describes the labels in this screen. Table 178 Configuration > Hotspot > Printer Manager > General: Edit LABEL DESCRIPTION Enable Printer Select this option to turn on this entry in order to allow the ZyWALL/USG to manage this Manager printer.
  • Page 486: Edit Printer Manager (Discover Printer)

    Chapter 22 Printer Manager The following table describes the labels in this screen. Table 179 Configuration > Hotspot > Printer Manager > General > Discover Printer LABEL DESCRIPTION Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
  • Page 487: The Printout Configuration Screen

    Chapter 22 Printer Manager The following table describes the labels in this screen. Table 180 Configuration > Hotspot > Printer Manager > General > Discover Printer: Edit LABEL DESCRIPTION General Settings Nickname Type an optional friendly name for the printer. A nickname must begin with a letter and cannot exceed 15 characters.
  • Page 488: Printer Reports Overview

    Chapter 22 Printer Manager The following table describes the labels in this screen. Table 181 Configuration > Hotspot > Printer Manager > Printout Configuration LABEL DESCRIPTION Use Default Select this to use the default account printout format built into the device. If you later Printout create a custom account printout format, you can still return to the ZyWALL/USG’s default Configuration...
  • Page 489: Daily Account Summary

    Chapter 22 Printer Manager Note: You must press the key combination on the SP350E within five seconds to print. Table 182 Report Printing Key Combinations REPORT TYPE KEY COMBINATION Daily Account Summary A B C A A Monthly Account Summary A B C B A Last Month Account Summary A B C B B...
  • Page 490: Account Report Notes

    Chapter 22 Printer Manager Figure 343 Monthly Account Example Monthly Account ---------------------------- 2013/05 Username Price ---------------------------- p2m6pf52 1.00 s4pcms28 2.00 7ufm7z22 2.00 qm5fxn95 6.00 ---------------------------- TOTAL ACCOUNTS: 4 TOTAL PRICE: $ 11.00 ---------------------------- 2013/05/17 20:00:11 ---End--- 22.4.4 Account Report Notes The daily, monthly or last month account report holds up to 2000 entries.
  • Page 491 Chapter 22 Printer Manager Figure 344 System Status Example System Status -------------------------------------- Item Description -------------------------------------- SYST 02:02:35 WAST Link up WLST Activate FWVR 2.50(AACG.0) BTVR 1.22 WAMA 00-90-0E-00-4A-29 LAMA 00-90-0E-00-4A-30 WAIP 10.21.2.267 LAIP 172.16.0.1 WLIP 10.59.1.1 DHSP 10.59.1.33 DHEP 10.59.1.254 -------------------------------------- CPUS MEMS...
  • Page 492: FreeTime

    CHAPTER FreeTime 23.1 Free Time Overview With Free Time, the ZyWALL/USG can create dynamic guest accounts that allow users to browse the Internet free of charge for a specified period of time. 23.1.1 What You Can Do in this Chapter Use the Free Time screen (see Section 23.2 on page 492) to turn on this feature to allow users to...
  • Page 493 Chapter 23 FreeTime The following table describes the labels in this screen. Table 184 Configuration > Hotspot > Free Time LABEL DESCRIPTION Enable Free Select the check box to turn on the free time feature. Time Note: After you set up web authentication policies and enable the free time feature on the ZyWALL/USG, a link displays in the login screen when users try to access the Internet.
  • Page 494 Chapter 23 FreeTime Table 184 Configuration > Hotspot > Free Time (continued) LABEL DESCRIPTION Apply Click this button to save your changes to the ZyWALL/USG. Reset Click this button to return the screen to its last-saved settings. The following figure shows an example login screen with a link to create a free guest account. If you enable both the online payment service and the free time feature on the ZyWALL/USG, the link description in the login screen will be mainly for the online payment service.
  • Page 495 Chapter 23 FreeTime If SMS is enabled on the ZyWALL/USG, you have to enter your mobile phone number before clicking OK to get a free guest account. The guest account information then displays in the screen and/or is sent to the configured mobile phone number.
  • Page 496: SMS

    CHAPTER 24.1 SMS Overview The ZyWALL/USG supports Short Message Service (SMS) to send short text messages to mobile phone devices. At the time of writing, the ZyWALL/USG uses ViaNett as the SMS gateway to help forward SMS messages. You must already have a ViaNett account in order to use the SMS service. 24.1.1 What You Can Do in this Chapter Use the SMS screen (see Section 24.2 on page...
  • Page 497 Chapter 24 SMS The following table describes the labels in this screen. Table 185 Configuration > Hotspot > SMS LABEL DESCRIPTION General Settings Enable SMS Select the check box to turn on the SMS service. Default country Enter the default country code for the mobile phone number to which you want to send code for phone SMS messages.
  • Page 498: IPnP

    CHAPTER IPnP 25.1 IPnP Overview IP Plug and Play (IPnP) allows a computer to access the Internet without changing the network settings (such as IP address and subnet mask) of the computer, even when the IP addresses of the computer and the ZyWALL/USG are not in the same subnet. When you disable the IPnP feature, only computers with dynamic IP addresses or static IP addresses in the same subnet as the ZyWALL/USG’s LAN IP address can connect to the ZyWALL/ USG or access the Internet through the ZyWALL/USG.
  • Page 499: IPnP Screen

    Chapter 25 IPnP 25.2 IPnP Screen This screen allows you to enable IPnP on the ZyWALL/USG and specific internal interface(s). To access this screen, click Configuration > Hotspot > Network > IPnP. Figure 348 Configuration > Hotspot > Network > IPnP The following table describes the labels in this screen.
  • Page 500: Chapter 26 Walled Garden

    CHAPTER Walled Garden 26.1 Walled Garden Overview A user must log in before the ZyWALL/USG allows the user’s access to the Internet. However, with a walled garden, you can define one or more web site addresses that all users can access without logging in.
  • Page 501: URL Base Screen

    Chapter 26 Walled Garden The following table describes the labels in this screen. Table 187 Configuration > Hotspot > Walled Garden: General LABEL DESCRIPTION Enable Walled Select this to turn on the walled garden feature. Garden Note: This feature works only with the web portal authentication type. Hotspot License Status License...
  • Page 502: Adding/Editing A Walled Garden URL

    Chapter 26 Walled Garden Table 188 Configuration > Hotspot > Walled Garden: URL Based (continued) LABEL DESCRIPTION Remove To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to remove it before doing so. Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate.
  • Page 503: Domain/IP Base Screen

    Chapter 26 Walled Garden Table 189 Configuration > Hotspot > Walled Garden: URL Base: Add/Edit (continued) LABEL DESCRIPTION Enter the URL of the web site. Use “http://” or “https://” followed by up to 262 characters (0-9a-zA-Z;/?:@&=+$\.- _!~*'()%). For example, http://www.example.com or http://172.16.1.35. Preview Click this button to open the specified web site in a new frame.
  • Page 504: Adding/Editing A Walled Garden Domain Or IP

    Chapter 26 Walled Garden Table 190 Configuration > Hotspot > Walled Garden: Domain/IP Based (continued) LABEL DESCRIPTION Domain Name/IP This field displays the domain name or IP address and subnet mask of the web site. Address Apply Click this button to save your changes to the ZyWALL/USG. Reset Click this button to return the screen to its last-saved settings.
  • Page 505 Chapter 26 Walled Garden Figure 354 Walled Garden Login Example
  • Page 506: Chapter 27 Advertisement Screen

    CHAPTER Advertisement Screen 27.1 Advertisement Overview Use this screen to set the ZyWALL/USG to display an advertisement web page as the first web page whenever the user connects to the Internet. Click Configuration > Hotspot > Advertisement to display the screen. Figure 355 Configuration >...
  • Page 507: Adding/Editing An Advertisement URL

    Chapter 27 Advertisement Screen Table 192 Configuration > Hotspot > Advertisement (continued) LABEL DESCRIPTION Name This field displays the descriptive name of the web site. This field displays the address of the web site. Hotspot License Status License This field displays whether the service is activated (Licensed) or not (Not Licensed). Status License Type This shows whether you have a trial or standard license or none (Trial, Standard, None).
  • Page 508: Chapter 28 Security Policy

    CHAPTER Security Policy 28.1 Overview A security policy is a template of security settings that can be applied to specific traffic at specific times. The policy can be applied: • to a specific direction of travel of packets (from / to) •...
  • Page 509: One Security

    Chapter 28 Security Policy 28.2 One Security OneSecurity.com is a website with guidance on configuration walkthroughs, troubleshooting, and other information. This is an example of a port forwarding configuration walkthrough. Figure 358 Example of a Port Forwarding Configuration Walkthrough. This is an example of L2TP over IPSec VPN troubleshooting.
  • Page 510 Chapter 28 Security Policy Figure 359 Example of L2TP over IPSec Troubleshooting - 1
  • Page 511 Chapter 28 Security Policy Figure 360 Example of L2TP over IPSec Troubleshooting - 2 In the ZyWALL/USG, you will see icons that link to OneSecurity walkthroughs, troubleshooting and so on in certain screens. For example, at the time of writing, these are the OneSecurity icons you can see. Table 194 OneSecurity Icons ONESECURITY ICON SCREEN...
  • Page 512: What You Can Do In This Chapter

    Chapter 28 Security Policy Table 194 OneSecurity Icons (continued) ONESECURITY ICON SCREEN Click this icon for more information on Application Patrol, which identifies traffic that passes through the ZyWALL/USG, so you can decide what to do with specific types of traffic. Traffic not recognized by application patrol is ignored. •...
  • Page 513: What You Need To Know

    Chapter 28 Security Policy 28.3.1 What You Need to Know Stateful Inspection The ZyWALL/USG uses stateful inspection in its security policies. The ZyWALL/USG restricts access by screening data packets against defined access rules. It also inspects sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first. Zones A zone is a group of interfaces.
  • Page 514: The Security Policy Screen

    Chapter 28 Security Policy A From Any To Device direction policy applies to traffic from an interface which is not in a zone. Global Security Policies Security Policies with from any and/or to any as the packet direction are called global Security Policies.
  • Page 515: Configuring The Security Policy Control Screen

    Chapter 28 Security Policy By putting LAN 1 and the alternate gateway (A in the figure) in different subnets, all returning network traffic must pass through the ZyWALL/USG to the LAN. The following steps and figure describe such a scenario. A computer on the LAN1 initiates a connection by sending a SYN packet to a receiving server on the WAN.
  • Page 516 Chapter 28 Security Policy Figure 362 Configuration > Security Policy > Policy Control The following table describes the labels in this screen. Table 196 Configuration > Security Policy > Policy Control LABEL DESCRIPTION Show Filter/Hide Click Show Filter to display IPv4 and IPv6 (if enabled) security policy search filters. Filter IPv4 / IPv6 Use IPv4 / IPv6 search filters to find specific IPv4 and IPv6 (if enabled) security policies...
  • Page 517 Chapter 28 Security Policy Table 196 Configuration > Security Policy > Policy Control (continued) LABEL DESCRIPTION IPv4 / IPv6 Type an IPv4 or IPv6 IP address to view all security policies based on the IPv4 / IPv6 Destination destination address object used. •...
  • Page 518: The Security Policy Control Add/Edit Screen

    Chapter 28 Security Policy Table 196 Configuration > Security Policy > Policy Control (continued) LABEL DESCRIPTION Name This is the name of the Security policy. From / To This is the direction of travel of packets. Select from which zone the packets come and to which zone they go.
  • Page 519 Chapter 28 Security Policy Figure 363 Configuration > Security Policy > Policy Control > Add The following table describes the labels in this screen. Table 197 Configuration > Security Policy > Policy Control > Add LABEL DESCRIPTION Create new Use to configure any new settings objects that you need to use in this screen. Object Enable Select this check box to activate the Security policy.
  • Page 520: Anomaly Detection And Prevention Overview

    Chapter 28 Security Policy Table 197 Configuration > Security Policy > Policy Control > Add (continued) LABEL DESCRIPTION User This field is not available when you are configuring a to-ZyWALL/USG policy. Select a user name or user group to which to apply the policy. The Security Policy is activated only when the specified user logs into the system and the policy will be disabled when the user logs out.
  • Page 521: The Anomaly Detection And Prevention General Screen

    Chapter 28 Security Policy Traffic Anomalies Traffic anomaly policies look for abnormal behavior or events such as port scanning, sweeping or network flooding. They operate at OSI layer-2 and layer-3. Traffic anomaly policies may be updated when you upload new firmware. Protocol Anomalies Protocol anomalies are packets that do not comply with the relevant RFC (Request For Comments).
  • Page 522: Creating New ADP Profiles

    Chapter 28 Security Policy Table 198 Configuration > Security Policy > ADP > General LABEL DESCRIPTION Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. Activate To turn on an entry, select it and click Activate.
  • Page 523: Traffic Anomaly Profiles

    Chapter 28 Security Policy Figure 365 Configuration > Security Policy > ADP > Profile The following table describes the labels in this screen. Table 199 Configuration > Security Policy > ADP > Profile LABEL DESCRIPTION Profile Management Create ADP profiles here and then apply them in the Configuration > Security Policy >...
  • Page 524 Chapter 28 Security Policy Figure 366 Configuration > Security Policy > ADP > Profile > Add-Traffic-Anomaly The following table describes the labels in this screen. Table 200 Configuration > Security Policy > ADP > Profile > Add-Traffic-Anomaly LABELS DESCRIPTION Name A name is automatically generated that you can edit.
  • Page 525 Chapter 28 Security Policy Table 200 Configuration > Security Policy > ADP > Profile > Add-Traffic-Anomaly (continued) LABELS DESCRIPTION Scan/Flood Detection Scan detection, such as port scanning, tries to find attacks where an attacker scans device(s) to determine what types of network protocols or services a device supports.
  • Page 526: Protocol Anomaly Profiles

Chapter 28 Security Policy 28.5.4 Protocol Anomaly Profiles Protocol anomalies are packets that do not comply with the relevant RFC (Request For Comments). Protocol anomaly detection includes:
• TCP Decoder
• UDP Decoder
• ICMP Decoder
• IP Decoder
Teardrop: When an IP packet is larger than the Maximum Transmission Unit (MTU) configured in the ZyWALL/USG, it is fragmented at the IP layer (not by TCP or ICMP); each fragment carries an offset in its IP header that tells the receiver where its data belongs during reassembly. Teardrop packets are fragments whose offsets overlap, which correct fragmentation never produces.
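As an added illustration of the two ADP profile types (scan detection from the traffic anomaly profile, and the overlapping IP fragments behind Teardrop from the protocol anomaly profile), the Python below is example code written for this edition, not ZyWALL/USG firmware logic. The flow records, the fragment series, the scan threshold and the time window are all constructed or assumed values.

```python
"""Two ADP-style checks: a port-scan detector over flow records and an
overlapping-fragment check of the kind used against Teardrop packets.
Example code written for this guide; not ZyWALL/USG code. Flow records,
fragments, thresholds and the time window are constructed/assumed."""
from collections import defaultdict

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, proto)
FLOWS = [
    (0.0, "192.168.1.50", "10.0.0.5", 22, "tcp"),
    (0.2, "192.168.1.50", "10.0.0.5", 23, "tcp"),
    (0.4, "192.168.1.50", "10.0.0.5", 25, "tcp"),
    (0.6, "192.168.1.50", "10.0.0.5", 80, "tcp"),
    (0.8, "192.168.1.50", "10.0.0.5", 443, "tcp"),
    (1.0, "192.168.1.50", "10.0.0.5", 8080, "tcp"),
    (0.1, "192.168.1.77", "10.0.0.5", 443, "tcp"),  # ordinary client
    (5.0, "192.168.1.77", "10.0.0.5", 443, "tcp"),
]


def detect_port_scans(flows, threshold=5, window=2.0):
    """Return {src_ip: sorted distinct dst ports} for every source that
    contacts at least `threshold` distinct destination ports on a single
    host within `window` seconds (hypothetical threshold and window)."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _proto in sorted(flows):  # sorted by timestamp
        by_pair[(src, dst)].append((ts, port))
    hits = {}
    for (src, _dst), events in by_pair.items():
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                hits[src] = sorted(ports)
                break
    return hits


def find_fragment_overlaps(fragments):
    """fragments: list of (offset_in_8_byte_units, payload_length, more_fragments)
    as carried in the IPv4 header. Return index pairs whose byte ranges
    overlap; a correct fragment series never overlaps."""
    spans = []
    for idx, (offset_units, length, _mf) in enumerate(fragments):
        start = offset_units * 8
        spans.append((idx, start, start + length))
    overlaps = []
    for i in range(len(spans)):
        for j in range(i + 1, len(spans)):
            a_idx, a0, a1 = spans[i]
            b_idx, b0, b1 = spans[j]
            if a0 < b1 and b0 < a1:
                overlaps.append((a_idx, b_idx))
    return overlaps


# Constructed fragment series. 1480 bytes = 185 units, so offsets 0/185/370 tile cleanly.
BENIGN_FRAGMENTS = [(0, 1480, True), (185, 1480, True), (370, 400, False)]
# Second fragment claims to start at byte 800, inside the first: Teardrop-style.
OVERLAPPING_FRAGMENTS = [(0, 1480, True), (100, 1480, False)]

if __name__ == "__main__":
    print("scanners:", detect_port_scans(FLOWS))
    print("benign overlaps:", find_fragment_overlaps(BENIGN_FRAGMENTS))
    print("attack overlaps:", find_fragment_overlaps(OVERLAPPING_FRAGMENTS))
```

The scan detector keys on distinct destination ports per (source, destination) pair rather than on packet count, so a busy but legitimate client that repeatedly uses one port is not flagged; the fragment check works purely on header offsets and lengths, which is all a Teardrop detector needs.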
  • Page 527 Chapter 28 Security Policy Figure 367 Configuration > Security Policy > ADP > Profile > Add-Protocol-Anomaly ZyWALL/USG Series User’s Guide...
  • Page 528 Chapter 28 Security Policy The following table describes the labels in this screen. Table 201 Configuration > Security Policy > ADP > Profile > Add-Protocol-Anomaly LABEL DESCRIPTION Name A name is automatically generated that you can edit. The name must be the same in the Traffic Anomaly and Protocol Anomaly screens for the same ADP profile.
  • Page 529: The Session Control Screen

    Chapter 28 Security Policy Table 201 Configuration > Security Policy > ADP > Profile > Add-Protocol-Anomaly LABEL DESCRIPTION Name This is the name of the anomaly policy. Click the Name column heading to sort in ascending or descending order according to the protocol anomaly policy name.
  • Page 530: The Session Control Add/Edit Screen

Chapter 28 Security Policy The following table describes the labels in this screen. Table 202 Configuration > Security Policy > Session Control LABEL DESCRIPTION General Settings UDP Session Time Out Set how many seconds the ZyWALL/USG will allow a UDP session to remain idle (without UDP traffic) before closing it.
  • Page 531: Security Policy Example Applications

Chapter 28 Security Policy Figure 369 Configuration > Security Policy > Session Control > Edit The following table describes the labels in this screen. Table 203 Configuration > Security Policy > Session Control > Add / Edit LABEL DESCRIPTION Create new Object Use to configure new settings for User or Address objects that you need to use in this screen. Click on the down arrow to see the menu.
  • Page 532 Chapter 28 Security Policy Figure 370 Blocking All LAN to WAN IRC Traffic Example Your Security Policy would have the following settings. Table 204 Blocking All LAN to WAN IRC Traffic Example USER SOURCE DESTINATION SCHEDULE UTM PROFILE ACTION Deny Allow •...
  • Page 533 Chapter 28 Security Policy Figure 371 Limited LAN to WAN IRC Traffic Example Your security policy would have the following configuration. Table 205 Limited LAN1 to WAN IRC Traffic Example 1 USER SOURCE DESTINATION SCHEDULE UTM PROFILE ACTION 172.16.1.7 Allow Deny Allow •...
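The limited LAN1 to WAN IRC example above depends on rule order: the policy that allows IRC from 172.16.1.7 must sit before the policy that denies IRC for everyone else, because the first matching policy decides. The Python below is example code added to this edition, not ZyWALL/USG code; it models first-match evaluation with the Table 205 rule set. The IRC service object (TCP port 6667), the zone names on the packets and the sample packets are constructed for the example.

```python
"""First-match evaluation of the Table 205 rule set (allow IRC only from
172.16.1.7, deny other LAN1-to-WAN IRC, allow everything else LAN1-to-WAN).
Example code written for this guide, not ZyWALL/USG code. The IRC service
object (TCP 6667) and the packets are constructed for the example."""
import ipaddress
from dataclasses import dataclass

# Constructed service objects: name -> (protocol, destination port); "any" matches all.
SERVICES = {"IRC": ("tcp", 6667), "any": None}


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    source: str      # address or network in CIDR form, or "any"
    service: str     # key in SERVICES
    action: str      # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    from_zone: str   # zone of the ingress interface
    to_zone: str     # zone of the egress interface
    src: str
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.from_zone not in ("any", pkt.from_zone):
        return False
    if rule.to_zone not in ("any", pkt.to_zone):
        return False
    if rule.source != "any":
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.source):
            return False
    svc = SERVICES[rule.service]
    return svc is None or (pkt.proto, pkt.dport) == svc


def evaluate(rules, pkt: Packet, default="deny"):
    """Walk the ordered list and return (action, rule name) of the first
    match, or the default action when nothing matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, "default"


LIMITED_IRC = [
    Rule("irc-from-172.16.1.7", "LAN1", "WAN", "172.16.1.7", "IRC", "allow"),
    Rule("irc-deny",            "LAN1", "WAN", "any",        "IRC", "deny"),
    Rule("lan1-to-wan",         "LAN1", "WAN", "any",        "any", "allow"),
]

if __name__ == "__main__":
    for pkt in (Packet("LAN1", "WAN", "172.16.1.7", "tcp", 6667),
                Packet("LAN1", "WAN", "172.16.1.9", "tcp", 6667),
                Packet("LAN1", "WAN", "172.16.1.9", "tcp", 443),
                Packet("WAN", "LAN1", "203.0.113.4", "tcp", 6667)):
        print(pkt.src, pkt.dport, "->", evaluate(LIMITED_IRC, pkt))
```

Swapping the first two rules makes the host-specific allow unreachable, since the broader deny matches its traffic first; traffic that matches no policy falls to the default action, which should stay deny.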
  • Page 534: Chapter 29 Ipsec Vpn

CHAPTER 29 IPSec VPN 29.1 Virtual Private Networks (VPN) Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing. It is used to transport traffic over the Internet or any insecure network that uses TCP/IP for communication.
  • Page 535 Chapter 29 IPSec VPN Main Mode or Aggressive Mode. Main Mode protects the identity of the peers, but Aggressive Mode does not. During Phase 2, the remote IPSec routers use the secure channel established in Phase 1 to negotiate Security Associations for IPsec. The negotiation results in a minimum of two unidirectional security associations (one inbound and one outbound).
  • Page 536: What You Can Do In This Chapter

Chapter 29 IPSec VPN Figure 373 SSL VPN (remote user over https:// to the LAN, 192.168.1.X, reaching Web Mail, File Share, Web-based Application and Non-Web Application Server)
L2TP VPN
L2TP VPN uses the L2TP and IPSec client software included in remote users’ Android, iOS, or Windows operating systems for secure connections to the network behind the ZyWALL/USG. The remote users do not need their own IPSec gateways or third-party VPN client software.
  • Page 537: What You Need To Know

    Chapter 29 IPSec VPN 29.1.2 What You Need to Know An IPSec VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the ZyWALL/USG and the remote IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the ZyWALL/USG and remote IPSec router.
  • Page 538 Chapter 29 IPSec VPN Application Scenarios The ZyWALL/USG’s application scenarios make it easier to configure your VPN connection settings. Table 207 IPSec VPN Application Scenarios (columns: SITE-TO-SITE; SITE-TO-SITE WITH DYNAMIC PEER; REMOTE ACCESS (SERVER ROLE); REMOTE ACCESS (CLIENT ROLE); VPN TUNNEL INTERFACE; each column begins “Choose this if the...”)
  • Page 539: Before You Begin

    Chapter 29 IPSec VPN • See the help in the IPSec VPN quick setup wizard screens. 29.1.3 Before You Begin This section briefly explains the relationship between VPN tunnels and other features. It also gives some basic suggestions for troubleshooting. You should set up the following features before you set up the VPN tunnel.
  • Page 540 Chapter 29 IPSec VPN Figure 376 Configuration > VPN > IPSec VPN > VPN Connection Each field is discussed in the following table. Table 208 Configuration > VPN > IPSec VPN > VPN Connection LABEL DESCRIPTION Global Setting The following two fields are for all IPSec VPN policies. Click on the VPN icon to go to the Zyxel VPN Client product page at the Zyxel website.
  • Page 541: The Vpn Connection Add/Edit Screen

    Chapter 29 IPSec VPN Table 208 Configuration > VPN > IPSec VPN > VPN Connection (continued) LABEL DESCRIPTION Remove To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to remove it before doing so. Activate To turn on an entry, select it and click Activate.
  • Page 542 Chapter 29 IPSec VPN Figure 377 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit
  • Page 543 Chapter 29 IPSec VPN Each field is described in the following table. Table 209 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields. Create new Object...
  • Page 544 Chapter 29 IPSec VPN Table 209 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit (continued) LABEL DESCRIPTION Application Select the scenario that best describes your intended VPN connection. Scenario Site-to-site - Choose this if the remote IPSec router has a static IP address or a domain name.
  • Page 545 Chapter 29 IPSec VPN Table 209 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit (continued) LABEL DESCRIPTION First DNS Server (optional) The Domain Name System (DNS) maps a domain name to an IP address and vice versa. The ZyWALL/USG uses these (in the order you specify here) to resolve domain names for VPN.
  • Page 546 Chapter 29 IPSec VPN Table 209 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit (continued) LABEL DESCRIPTION Encryption This field is applicable when the Active Protocol is ESP. Select which key size and encryption algorithm to use in the IPSec SA. Choices are: NULL - no encryption key or algorithm (ESP then provides integrity only and the payload crosses the network in clear) DES - a 56-bit key with the DES encryption algorithm 3DES - DES applied three times with three 56-bit keys (168 bits of key material, Triple DES)... DES and 3DES are obsolete ciphers; select AES wherever the remote IPSec router supports it.
  • Page 547 Chapter 29 IPSec VPN Table 209 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit (continued) LABEL DESCRIPTION Check Period Enter the number of seconds between connection check attempts. Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure. Check Fail Tolerance Enter the number of consecutive failures allowed before the ZyWALL/USG disconnects...
  • Page 548: The Vpn Gateway Screen

    Chapter 29 IPSec VPN Table 209 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit (continued) LABEL DESCRIPTION Move To change an entry’s position in the numbered list, select it and click Move to display a field to type a number for where you want to put that entry and press [ENTER] to move the entry to the number that you typed.
  • Page 549: The Vpn Gateway Add/Edit Screen

    Chapter 29 IPSec VPN Each field is discussed in the following table. See Section 29.3.1 on page 549 for more information. Table 210 Configuration > VPN > IPSec VPN > VPN Gateway LABEL DESCRIPTION Click this to create a new entry. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
  • Page 550 Chapter 29 IPSec VPN Figure 379 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit
  • Page 551 Chapter 29 IPSec VPN Each field is described in the following table. Table 211 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields. Create New Object...
  • Page 552 Chapter 29 IPSec VPN Table 211 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued) LABEL DESCRIPTION Pre-Shared Key Select this to have the ZyWALL/USG and remote IPSec router use a pre-shared key (password) to identify each other when they negotiate the IKE SA. Type the pre-shared key in the field to the right.
  • Page 553 Chapter 29 IPSec VPN Table 211 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued) LABEL DESCRIPTION Peer ID Type Select which type of identification is used to identify the remote IPSec router during authentication. Choices are: IP - the remote IPSec router is identified by an IP address DNS - the remote IPSec router is identified by a domain name E-mail - the remote IPSec router is identified by the string specified in this field...
  • Page 554 Chapter 29 IPSec VPN Table 211 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued) LABEL DESCRIPTION Click this to create a new entry. Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it.
  • Page 555 Chapter 29 IPSec VPN Table 211 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued) LABEL DESCRIPTION X Auth / Extended Authentication Protocol This part of the screen displays X-Auth when using IKEv1 and Extended Authentication Protocol when using IKEv2. X-Auth This displays when using IKEv1.
  • Page 556: Vpn Concentrator

    Chapter 29 IPSec VPN 29.4 VPN Concentrator A VPN concentrator combines several IPSec VPN connections into one secure network. Figure 380 VPN Topologies (Fully Meshed and Hub and Spoke) In a fully-meshed VPN topology (1 in the figure), there is a VPN connection between every pair of routers.
  • Page 557: Vpn Concentrator Screen

    Chapter 29 IPSec VPN 29.4.2 VPN Concentrator Screen The VPN Concentrator summary screen displays the VPN concentrators in the ZyWALL/USG. To access this screen, click Configuration > VPN > IPSec VPN > Concentrator. Figure 381 Configuration > VPN > IPSec VPN > Concentrator Each field is discussed in the following table.
  • Page 558: Zywall/Usg Ipsec Vpn Client Configuration Provisioning

Chapter 29 IPSec VPN Figure 382 Configuration > VPN > IPSec VPN > Concentrator > Add/Edit Each field is described in the following table. Table 213 VPN > IPSec VPN > Concentrator > Add/Edit LABEL DESCRIPTION Name Enter the name of the concentrator. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number.
  • Page 559 Chapter 29 IPSec VPN • A subnet or range remote policy The following VPN Gateway rules configured on the ZyWALL/USG cannot be provisioned to the IPSec VPN Client: • IPv4 rules with IKEv2 version • IPv4 rules with User-based PSK authentication Note: You must enable IPv6 in System >...
  • Page 560: Ipsec Vpn Background Information

    Chapter 29 IPSec VPN Table 214 Configuration > VPN > IPSec VPN > Configuration Provisioning (continued) LABEL DESCRIPTION Click Add to bind a configured VPN rule to a user or group. Only that user or group may then retrieve the specified VPN rule settings. If you click Add without selecting an entry in advance then the new entry appears as the first entry.
  • Page 561 Chapter 29 IPSec VPN It takes several steps to establish an IKE SA. The negotiation mode determines how many. There are two negotiation modes--main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster. With pre-shared key authentication, aggressive mode sends the identities and a hash derived from the key before the exchange is encrypted, which lets an eavesdropper attempt offline guessing of the key, so use main mode unless the remote IPSec router requires aggressive mode. Note: Both routers must use the same negotiation mode. These modes are discussed in more detail in Negotiation Mode on page 564.
  • Page 562 Chapter 29 IPSec VPN In most ZyWALL/USGs, you can select one of the following encryption algorithms for each proposal. The algorithms are listed in order from weakest to strongest. • Data Encryption Standard (DES) is a widely used method of data encryption. It applies a 56-bit key to each 64-bit block of data.
  • Page 563 Chapter 29 IPSec VPN In main mode, the ZyWALL/USG and remote IPSec router authenticate each other in steps 5 and 6, as illustrated below. The identities are also encrypted using the encryption algorithm and encryption key the ZyWALL/USG and remote IPSec router selected in previous steps. Figure 386 IKE SA: Main Negotiation Mode, Steps 5 - 6: Authentication (continued) Step 5: pre-shared key...
  • Page 564 Chapter 29 IPSec VPN Table 216 VPN Example: Mismatching ID Type and Content
                     ZYWALL/USG               REMOTE IPSEC ROUTER
  Local ID type:     E-mail                   IP
  Local ID content:  tom@yourcompany.com      1.1.1.2
  Peer ID type:      IP                       E-mail
  Peer ID content:   1.1.1.20                 tom@yourcompany.com
Here the ZyWALL/USG expects the remote router to identify itself as 1.1.1.20, but the remote router presents 1.1.1.2, so the IKE SA is not established. It is also possible to configure the ZyWALL/USG to ignore the identity of the remote IPSec router; this accepts any peer that can complete authentication, so use it only where the peer’s identity genuinely cannot be known in advance.
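The identity rule behind Table 216 is that each router’s local ID (type and content) must equal the other router’s configured peer ID. The Python below is example code added to this edition, not ZyWALL/USG code; it cross-checks two configurations, reports the Table 216 mismatch, and flags when one side has been set to ignore the remote identity. The “any” label for that option is an assumption of the example.

```python
"""Cross-check of IKE identities for two peers: each side's local ID must
equal the other side's configured peer ID (type and content). Example code
written for this guide, not ZyWALL/USG code; "any" as a peer ID type stands
for the "ignore the remote identity" option and is an assumed label."""


def check_ike_ids(zywall: dict, remote: dict):
    """Each dict has local_id_type, local_id, peer_id_type, peer_id.
    Returns (ok, messages). A disabled identity check is reported as a
    warning but does not make the pair fail."""
    messages = []
    ok = True
    pairs = (("ZyWALL/USG", zywall, "remote", remote),
             ("remote", remote, "ZyWALL/USG", zywall))
    for name_a, a, name_b, b in pairs:
        if b["peer_id_type"] == "any":
            messages.append(f"warning: {name_b} does not verify {name_a}'s identity")
            continue
        if a["local_id_type"] != b["peer_id_type"]:
            ok = False
            messages.append(f"type mismatch: {name_a} sends {a['local_id_type']} "
                            f"but {name_b} expects {b['peer_id_type']}")
        elif a["local_id"] != b["peer_id"]:   # exact comparison, no case folding
            ok = False
            messages.append(f"content mismatch: {name_a} sends {a['local_id']!r} "
                            f"but {name_b} expects {b['peer_id']!r}")
    return ok, messages


# Table 216 as written: the remote router identifies itself as 1.1.1.2 but the
# ZyWALL/USG was told to expect 1.1.1.20.
TABLE_216_ZYWALL = dict(local_id_type="E-mail", local_id="tom@yourcompany.com",
                        peer_id_type="IP", peer_id="1.1.1.20")
TABLE_216_REMOTE = dict(local_id_type="IP", local_id="1.1.1.2",
                        peer_id_type="E-mail", peer_id="tom@yourcompany.com")
# Corrected ZyWALL/USG side: expect the address the remote router really sends.
FIXED_ZYWALL = dict(TABLE_216_ZYWALL, peer_id="1.1.1.2")

if __name__ == "__main__":
    print(check_ike_ids(TABLE_216_ZYWALL, TABLE_216_REMOTE))
    print(check_ike_ids(FIXED_ZYWALL, TABLE_216_REMOTE))
```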
  • Page 565 Chapter 29 IPSec VPN Most routers like router A now have an IPSec pass-thru feature. This feature helps router A recognize VPN packets and route them appropriately. If router A has this feature, router X and router Y can establish a VPN tunnel as long as the active protocol is ESP. (See Active Protocol on page 566 for more information about active protocols.)
  • Page 566 Chapter 29 IPSec VPN • Instead of using the pre-shared key, the ZyWALL/USG and remote IPSec router check the signatures on each other’s certificates. Unlike pre-shared keys, the signatures do not have to match. • The local and peer ID type and content come from the certificates. Note: You must set up the certificates for the ZyWALL/USG and remote IPSec router first.
  • Page 567 Chapter 29 IPSec VPN Figure 388 VPN: Transport and Tunnel Mode Encapsulation (tunnel mode packet: outer IP header | AH/ESP header | original IP header | data) In tunnel mode, the ZyWALL/USG uses the active protocol to encapsulate the entire IP packet. As a result, there are two IP headers: •...
  • Page 568 Chapter 29 IPSec VPN • Source address in outbound packets - this translation is necessary if you want the ZyWALL/USG to route packets from computers outside the local network through the IPSec SA. • Source address in inbound packets - this translation hides the source address of computers in the remote network.
  • Page 569 Chapter 29 IPSec VPN • Destination - the original destination address; the local network (A). • SNAT - the translated source address; a different IP address (range of addresses) to hide the original source address. Destination Address in Inbound Packets (Inbound Traffic, Destination NAT) You can set up this translation if you want the ZyWALL/USG to forward some packets from the remote network to a specific computer in the local network.
  • Page 570: Chapter 30 Ssl Vpn

CHAPTER 30 SSL VPN 30.1 Overview Use SSL VPN to allow users to use a web browser for secure remote user login. The remote users do not need a VPN router or VPN client software. 30.1.1 What You Can Do in this Chapter •...
  • Page 571: The Ssl Access Privilege Screen

    Chapter 30 SSL VPN • allow user access to specific networks. • assign private IP addresses and provide DNS/WINS server information to remote users to access internal networks. SSL Access Policy Objects The SSL access policies reference the following objects. If you update this information, in response to changes, the ZyWALL/USG automatically propagates the changes through the SSL policies that use the object(s).
  • Page 572: The Ssl Access Privilege Policy Add/Edit Screen

    Chapter 30 SSL VPN The following table describes the labels in this screen. Table 218 VPN > SSL VPN > Access Privilege LABEL DESCRIPTION Access Policy This screen shows a summary of SSL VPN policies created. Summary Click on the VPN icon to go to the Zyxel VPN Client product page at the Zyxel website. Click this to create a new entry.
  • Page 573 Chapter 30 SSL VPN Figure 393 VPN > SSL VPN > Add/Edit The following table describes the labels in this screen. Table 219 VPN > SSL VPN > Access Privilege > Add/Edit LABEL DESCRIPTION Create new Object Use to configure any new settings objects that you need to use in this screen. Configuration Enable Policy...
  • Page 574 Chapter 30 SSL VPN Table 219 VPN > SSL VPN > Access Privilege > Add/Edit (continued) LABEL DESCRIPTION Name Enter a descriptive name to identify this policy. You can enter up to 31 characters (“a-z”, A-Z”, “0-9”) with no spaces allowed. Zone Select the zone to which to add this SSL access policy.
  • Page 575: The Ssl Global Setting Screen

    Chapter 30 SSL VPN Table 219 VPN > SSL VPN > Access Privilege > Add/Edit (continued) LABEL DESCRIPTION Network List To allow user access to local network(s), select a network name in the Selectable Address Objects list and click the right arrow button to add to the Selected Address Objects list.
  • Page 576: How To Upload A Custom Logo

Chapter 30 SSL VPN The following table describes the labels in this screen. Table 220 VPN > SSL VPN > Global Setting LABEL DESCRIPTION Global Setting Network Extension Local IP Specify the IP address of the ZyWALL/USG (or a gateway device) for full tunnel mode SSL VPN access.
  • Page 577: Zywall/Usg Secuextender

    Chapter 30 SSL VPN The following shows an example logo on the remote user screen. Figure 395 Example Logo Graphic Display 30.4 ZyWALL/USG SecuExtender The ZyWALL/USG automatically loads the ZyWALL/USG SecuExtender client program to your computer after a successful login to an SSL VPN tunnel with network extension support enabled. The ZyWALL/USG SecuExtender lets you: •...
  • Page 578: Example: Configure Zywall/Usg For Secuextender

    Chapter 30 SSL VPN The following table describes the labels in this screen. Table 221 Configuration > VPN > SSL VPN > SecuExtender LABEL DESCRIPTION Latest Version This displays the latest version of the ZyWALL/USG Security SecuExtender that is available. Current Version This displays the current version of SecuExtender that is installed in the ZyWALL/USG.
  • Page 579 Chapter 30 SSL VPN Figure 398 Create an SSL VPN Access Privilege Policy Then create File Sharing and Web Application SSL Application objects. Using the ZyWALL/USG web configurator, go to Configuration > Object > SSL Application > Add and select the Type accordingly.
  • Page 580 Chapter 30 SSL VPN Create a Web Application SSL Application Object
  • Page 581: Ssl User Screens

CHAPTER 31 SSL User Screens 31.1 Overview This chapter introduces the remote user SSL VPN screens. The following figure shows a network example where a remote user (A) logs into the ZyWALL/USG from the Internet to access the web server (WWW) on the local network. Figure 400 Network Example Internet 31.1.1 What You Need to Know...
  • Page 582: Remote Ssl User Login

Chapter 31 SSL User Screens • Using RDP requires Internet Explorer • Sun’s Java Runtime Environment (JRE) version 1.6 or later, installed and enabled. Required Information A remote user needs the following information from the network administrator to log in and access network resources.
  • Page 583 Chapter 31 SSL User Screens Figure 402 Login Security Screen A login screen displays. Enter the user name and password of your login account. If a token password is also required, enter it in the One-Time Password field. Click SSL VPN to log in and establish an SSL VPN connection to the network to access network resources.
  • Page 584 Chapter 31 SSL User Screens Figure 405 ActiveX Object Installation Blocked by Browser Figure 406 SecuExtender Blocked by Internet Explorer The ZyWALL/USG tries to run the “ssltun” application. You may need to click something to get your browser to allow this. In Internet Explorer, click Run. Figure 407 SecuExtender Progress Click Next to use the setup wizard to install the SecuExtender client on your computer.
  • Page 585: The Ssl Vpn User Screens

Chapter 31 SSL User Screens Figure 408 SecuExtender Progress If a screen like the following displays, click Continue Anyway to finish installing the SecuExtender client on your computer. This warning means Windows cannot vouch for the installer’s signature; continue only when the download came from the ZyWALL/USG you intended to log into. Figure 409 Installation Warning The Application screen displays showing the list of resources available to you. See Figure 410 on page 586 for a screen example.
  • Page 586: Bookmarking The Zywall/Usg

    Chapter 31 SSL User Screens Figure 410 Remote User Screen The following table describes the various parts of a remote user screen. Table 222 Remote User Screen Overview DESCRIPTION Click on a menu tab to go to the Application or File Sharing screen. Click this icon to log out and terminate the secure connection.
  • Page 587: Logging Out Of The Ssl Vpn User Screens

    Chapter 31 SSL User Screens A screen displays. Accept the default name in the Name field or enter a descriptive name to identify this link. Click OK to create a bookmark in your web browser. Figure 411 Add Favorite 31.5 Logging Out of the SSL VPN User Screens To properly terminate a connection, click on the Logout icon in any remote user screen.
  • Page 588: Ssl User File Sharing

    Chapter 31 SSL User Screens Figure 413 Application 31.7 SSL User File Sharing The File Sharing screen lets you access files on a file server through the SSL VPN connection. Use it to display and access shared files/folders on a file server. You can also perform the following actions: •...
  • Page 589: Opening A File Or Folder

    Chapter 31 SSL User Screens Figure 414 File Sharing 31.7.2 Opening a File or Folder You can open a file if the file extension is recognized by the web browser and the associated application is installed on your computer. Log in as a remote user and click the File Sharing tab. Click on a file share icon.
  • Page 590: Downloading A File

    Chapter 31 SSL User Screens A list of files/folders displays. Double click a file to open it in a separate browser window or select a file and click Download to save it to your computer. You can also click a folder to access it. For this example, click on a .doc file to open the Word document.
  • Page 591: Creating A New Folder

    Chapter 31 SSL User Screens Figure 417 File Sharing: Save a Word File 31.7.5 Creating a New Folder To create a new folder in the file share location, click the New Folder icon. Specify a descriptive name for the folder. You can enter up to 356 characters. Then click Add. Note: Make sure the length of the folder name does not exceed the maximum allowed on the file server.
  • Page 592: Deleting A File Or Folder

    Chapter 31 SSL User Screens A popup window displays. Specify the new name and/or file extension in the field provided. You can enter up to 356 characters. Then click Apply. Note: Make sure the length of the name does not exceed the maximum allowed on the file server.
  • Page 593 Chapter 31 SSL User Screens Note: Uploading a file with the same name and file extension replaces the existing file on the file server. No warning message is displayed.
  • Page 594: Zywall/Usg Secuextender (Windows)

CHAPTER 32 ZyWALL/USG SecuExtender (Windows) The ZyWALL/USG automatically loads the ZyWALL/USG SecuExtender for Windows client program to your computer after a successful login to an SSL VPN tunnel with network extension support enabled. Note: For information on using the ZyWALL/USG SecuExtender for Mac client program, please see its User’s Guide at the download library on the Zyxel website.
  • Page 595: View Log

Chapter 32 ZyWALL/USG SecuExtender (Windows) Figure 423 ZyWALL/USG SecuExtender Status The following table describes the labels in this screen. Table 223 ZyWALL/USG SecuExtender Status LABEL DESCRIPTION Connection Status SecuExtender IP Address This is the IP address the ZyWALL/USG assigned to this remote user computer for an SSL VPN connection.
  • Page 596: Suspend And Resume The Connection

    Chapter 32 ZyWALL/USG SecuExtender (Windows) Figure 424 ZyWALL/USG SecuExtender Log Example ################################################################################## ############## [ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Build Datetime: Feb 24 2009/ 10:25:07 [ 2009/03/12 13:35:50 ][SecuExtender Agent][DEBUG] rasphone.pbk: C:\Documents and Settings\11746\rasphone.pbk [ 2009/03/12 13:35:50 ][SecuExtender Agent][DEBUG] SecuExtender.log: C:\Documents and Settings\11746\SecuExtender.log [ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Check Parameters [ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL]...
  • Page 597 Chapter 32 ZyWALL/USG SecuExtender (Windows) Figure 425 Uninstalling the ZyWALL/USG SecuExtender Confirmation Windows uninstalls the ZyWALL/USG SecuExtender. Figure 426 ZyWALL/USG SecuExtender Uninstallation
  • Page 598: L2Tp Vpn

CHAPTER 33 L2TP VPN 33.1 Overview L2TP VPN uses the L2TP and IPSec client software included in remote users’ Android, iOS, Windows or Mac OS X operating systems for secure connections to the network behind the ZyWALL/USG. The remote users do not need their own IPSec gateways or third-party VPN client software. Figure 427 L2TP VPN Overview 33.1.1 What You Can Do in this Chapter •...
  • Page 599: L2Tp Vpn Screen

    Chapter 33 L2TP VPN Using the Quick Setup VPN Setup Wizard The VPN Setup Wizard is an easy and convenient way to configure the L2TP VPN settings. Click Configuration > Quick Setup > VPN Setup > VPN Settings for L2TP VPN Settings to get started.
  • Page 600 Chapter 33 L2TP VPN Figure 429 Configuration > VPN > L2TP VPN The following table describes the fields in this screen. Table 224 Configuration > VPN > L2TP VPN LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields. Create new Object...
  • Page 601: Example: L2Tp And Zywall/Usg Behind A Nat Router

    Chapter 33 L2TP VPN Table 224 Configuration > VPN > L2TP VPN (continued) LABEL DESCRIPTION Allowed User The remote user must log into the ZyWALL/USG to use the L2TP VPN tunnel. Select a user or user group that can use the L2TP VPN tunnel. Use Create new Object if you need to configure a new user account.
  • Page 602 Chapter 33 L2TP VPN Select the NAT router WAN IP address object as the Local Policy. Go to Configuration > VPN > L2TP VPN and select the VPN Connection just configured.
  • Page 603: Bwm (Bandwidth Management)

CHAPTER 34 BWM (Bandwidth Management) 34.1 Overview Bandwidth management provides a convenient way to manage the use of various services on the network. It manages general protocols (for example, HTTP and FTP) and applies traffic prioritization to enhance the performance of delay-sensitive applications like voice and video. 34.1.1 What You Can Do in this Chapter Use the BWM screens (see Section 34.2 on page...
  • Page 604 Chapter 34 BWM (Bandwidth Management) In the following example, you configure a Per user bandwidth management rule for radius-users to limit outgoing traffic to 300 kbps. Then each of the radius-users (A, B and C) can send 300 kbps of traffic. DiffServ and DSCP Marking QoS is used to prioritize source-to-destination traffic flows.
  • Page 605 Chapter 34 BWM (Bandwidth Management) LAN1 to WAN Connection and Packet Directions Figure 430 (a LAN1 host opens a connection to the WAN: outbound packets travel LAN1 to WAN, inbound packets travel WAN to LAN1) Outbound and Inbound Bandwidth Limits You can limit an application’s outbound or inbound bandwidth. This limit keeps the traffic from using up too much of the out-going interface’s bandwidth. This way you can make sure there is bandwidth for other applications.
  • Page 606 Chapter 34 BWM (Bandwidth Management) Maximize Bandwidth Usage Maximize bandwidth usage allows applications with maximize bandwidth usage enabled to “borrow” any unused bandwidth on the out-going interface. After each application gets its configured bandwidth rate, the ZyWALL/USG uses the fairness- based scheduler to divide any unused bandwidth on the out-going interface amongst applications that need more bandwidth and have maximize bandwidth usage enabled.
  • Page 607: The Bandwidth Management Screen

    Chapter 34 BWM (Bandwidth Management) Maximize Bandwidth Usage Effect With maximize bandwidth usage enabled, after each server gets its configured rate, the rest of the available bandwidth is divided equally between the two. So server A gets its configured rate of 300 kbps and server B gets its configured rate of 200 kbps.
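The maximize bandwidth usage effect described above (server A keeps its configured 300 kbps, server B its 200 kbps, and the unused remainder of the interface is divided equally between them) as a small scheduler model. This is example code added to this edition, not the ZyWALL/USG’s own scheduler; the 1000 kbps interface capacity and the per-application demand figures are assumptions, and the model also covers an application whose demand is already met, which drops out of the sharing round.

```python
"""Model of guaranteed rate plus "maximize bandwidth usage" borrowing, as
described for servers A (300 kbps) and B (200 kbps). Example code written
for this guide, not the ZyWALL/USG scheduler; the 1000 kbps interface and
the per-application demand figures are assumptions."""
UNLIMITED = float("inf")


def allocate(interface_kbps, apps):
    """apps: list of dicts with name, configured (kbps), demand (kbps or
    UNLIMITED) and maximize (bool). Every application first receives its
    configured rate (capped by its demand). Leftover interface bandwidth
    is then shared equally, in rounds, among maximize-enabled applications
    that still want more; an application that is satisfied drops out and
    its unused share goes back into the pool."""
    alloc = {a["name"]: min(a["configured"], a["demand"]) for a in apps}
    leftover = interface_kbps - sum(alloc.values())
    if leftover < 0:
        raise ValueError("configured rates exceed the interface bandwidth")
    while leftover > 0:
        needy = [a for a in apps if a["maximize"] and a["demand"] > alloc[a["name"]]]
        if not needy:
            break
        share = leftover // len(needy)   # integer kbps; a sub-kbps remainder stays unused
        if share == 0:
            break
        for a in needy:
            extra = min(share, a["demand"] - alloc[a["name"]])
            alloc[a["name"]] += extra
            leftover -= extra
    return alloc


# The two servers from the text, both with maximize bandwidth usage enabled.
APPS = [
    {"name": "A", "configured": 300, "demand": UNLIMITED, "maximize": True},
    {"name": "B", "configured": 200, "demand": UNLIMITED, "maximize": True},
]

if __name__ == "__main__":
    print("maximize on:  ", allocate(1000, APPS))
    print("maximize off: ", allocate(1000, [dict(a, maximize=False) for a in APPS]))
```

Without maximize bandwidth usage the two servers stay at 300 and 200 kbps even though the interface has 500 kbps spare; with it, the spare 500 kbps is split 250/250, giving 550 and 450 kbps. An application whose demand is below its configured rate never blocks the others, because it is excluded from the sharing round.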
  • Page 608 Chapter 34 BWM (Bandwidth Management) Figure 433 Configuration > Bandwidth Management The following table describes the labels in this screen. See Section 34.2.1 on page 610 for more information as well. Table 229 Configuration > Bandwidth Management LABEL DESCRIPTION Enable BWM Select this check box to activate bandwidth management.
  • Page 609 Chapter 34 BWM (Bandwidth Management) Table 229 Configuration > Bandwidth Management (continued) LABEL DESCRIPTION Destination This is the destination address or address group for whom this policy applies. If any displays, the policy is effective for every destination. DSCP Code These are the DSCP code point values of incoming and outgoing packets to which this policy applies.
  • Page 610: The Bandwidth Management Add/Edit Screen

    Chapter 34 BWM (Bandwidth Management) 34.2.1 The Bandwidth Management Add/Edit Screen The Configuration > Bandwidth Management Add/Edit screen allows you to create a new condition or edit an existing one. 802.1P Marking Use 802.1P to prioritize outgoing traffic from a VLAN interface. The Priority Code is a 3-bit field within a 802.1Q VLAN tag that’s used to prioritize associated outgoing VLAN traffic.
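The two marking fields this screen can set, DSCP in the IPv4 header and the 3-bit 802.1P Priority Code in the 802.1Q tag, at bit level. This is example code added to this edition, not ZyWALL/USG code. It shows that rewriting DSCP means recomputing the IPv4 header checksum, that the ECN bits next to DSCP must be preserved, and that the priority bits can be changed without disturbing the VLAN ID; the addresses and other header fields are constructed values.

```python
"""DSCP marking in the IPv4 header and 802.1p priority in the 802.1Q tag,
at the bit level. Example code written for this guide, not ZyWALL/USG code.
The header fields (addresses, identification, TTL) are constructed values."""
import socket
import struct


def ipv4_checksum(header: bytes) -> int:
    """Ones-complement sum of 16-bit words; over a header whose checksum
    field is already correct this returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, dscp=0, ecn=0, proto=6, total_len=40, ttl=64, ident=0x1234):
    tos = (dscp << 2) | (ecn & 0x3)          # DSCP is the upper 6 bits, ECN the lower 2
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def get_dscp(hdr: bytes) -> int:
    return hdr[1] >> 2


def set_dscp(hdr: bytes, dscp: int) -> bytes:
    """Rewrite the DSCP bits, keep ECN untouched and recompute the header checksum."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    tos = (dscp << 2) | (hdr[1] & 0x03)
    unsummed = hdr[:1] + bytes([tos]) + hdr[2:10] + b"\x00\x00" + hdr[12:]
    return unsummed[:10] + struct.pack("!H", ipv4_checksum(unsummed)) + unsummed[12:]


def header_checksum_ok(hdr: bytes) -> bool:
    return ipv4_checksum(hdr) == 0


def vlan_tag(vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """802.1Q tag: TPID 0x8100, then TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)."""
    if not 0 <= pcp <= 7 or not 0 <= vid <= 4095:
        raise ValueError("PCP is 3 bits, VID is 12 bits")
    return struct.pack("!HH", 0x8100, (pcp << 13) | ((dei & 1) << 12) | vid)


def set_pcp(tag: bytes, pcp: int) -> bytes:
    """Change only the 3 priority bits, keeping DEI and VID."""
    if not 0 <= pcp <= 7:
        raise ValueError("PCP is 3 bits")
    tpid, tci = struct.unpack("!HH", tag)
    return struct.pack("!HH", tpid, (pcp << 13) | (tci & 0x1FFF))


def pcp_of(tag: bytes) -> int:
    return struct.unpack("!HH", tag)[1] >> 13


def dei_of(tag: bytes) -> int:
    return (struct.unpack("!HH", tag)[1] >> 12) & 1


def vid_of(tag: bytes) -> int:
    return struct.unpack("!HH", tag)[1] & 0x0FFF


if __name__ == "__main__":
    h = build_ipv4_header("192.168.1.10", "203.0.113.7", ecn=1)
    print("EF marked:", set_dscp(h, 46).hex())
    print("tag with PCP 5:", set_pcp(vlan_tag(100), 5).hex())
```

A device that patched the TOS byte without recomputing the checksum would emit packets the next hop discards, which is the failure the `header_checksum_ok` check catches.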
  • Page 611 Chapter 34 BWM (Bandwidth Management) Figure 435 Configuration > Bandwidth Management > Add/Edit The following table describes the labels in this screen. Table 233 Configuration > Bandwidth Management > Add/Edit LABEL DESCRIPTION Create new Object Use to configure any new settings objects that you need to use in this screen. Configuration Enable Select this check box to turn on this policy.
  • Page 612 Chapter 34 BWM (Bandwidth Management) Table 233 Configuration > Bandwidth Management > Add/Edit (continued) LABEL DESCRIPTION BWM Type This field displays the below types of BWM rule: • Shared, when the policy is set for all users • Per User, when the policy is set for an individual user or a user group •...
  • Page 613 Chapter 34 BWM (Bandwidth Management) Table 233 Configuration > Bandwidth Management > Add/Edit (continued) LABEL DESCRIPTION Inbound kbps Type how much inbound bandwidth, in kilobits per second, this policy allows the traffic to use. Inbound refers to the traffic the ZyWALL/USG sends to a connection’s initiator. If you enter 0 here, this policy does not apply bandwidth management for the matching traffic that the ZyWALL/USG sends to the initiator.
  • Page 614 Chapter 34 BWM (Bandwidth Management) 34.2.1.1 Adding Objects for the BWM Policy Objects are parameters to which the Policy rules are built upon. There are three kinds of objects you can add/edit for the BWM policy, they are User, Schedule and Address objects. Click Configuration >...
  • Page 615 Chapter 34 BWM (Bandwidth Management) Table 234 Configuration > BWM > Create New Object > Add User LABEL DESCRIPTION Password Type a password for the user object. The password can consist of alphanumeric characters, the underscore, and some punctuation marks (+-/*= :; .! @$&%#~ ‘...
  • Page 616 Chapter 34 BWM (Bandwidth Management) Configuration > BWM > Create New Object > Add Schedule Figure 437 The following table describes the fields in the above screen. Table 235 Configuration > BWM > Create New Object > Add Schedule LABEL DESCRIPTION Name Enter a name for the schedule object of the rule.
  • Page 617 Chapter 34 BWM (Bandwidth Management) Figure 438 Configuration > BWM > Create New Object > Add Address The following table describes the fields in the above screen. Table 236 Configuration > BWM > Create New Object > Add Address LABEL DESCRIPTION Name Enter a name for the Address object of the rule.
  • Page 618: Chapter 35 Application Patrol

    CHAPTER 35 Application Patrol 35.1 Overview Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, HTTP and FTP) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP), and streaming (RTSP) applications. You can even control the use of a particular application’s individual features (like text messaging, voice, video conferencing, and file transfers).
  • Page 619: Application Patrol Profile

    Chapter 35 Application Patrol Classification of Applications There are two ways the ZyWALL/USG can identify the application. The first is called auto. The ZyWALL/USG looks at the IP payload (OSI level-7 inspection) and attempts to match it with known patterns for specific applications. Usually, this occurs at the beginning of a connection, when the payload is more consistent across connections, and the ZyWALL/USG examines several packets to make sure the match is correct.
  • Page 620 Chapter 35 Application Patrol Figure 439 Configuration > UTM Profile > App Patrol > Profile The following table describes the labels in this screen. Table 237 Configuration > UTM Profile > App Patrol > Profile LABEL DESCRIPTION Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
  • Page 621: The Application Patrol Profile Add/Edit Screen

    Chapter 35 Application Patrol Table 237 Configuration > UTM Profile > App Patrol > Profile LABEL DESCRIPTION Released Date This field displays the date and time the set was released. Update Signatures Click this link to go to the screen you can use to download signatures from the update server.
  • Page 622: The Application Patrol Profile Rule Add Application Screen

    Chapter 35 Application Patrol Table 238 Configuration > UTM Profile > App Patrol > Profile > Add/Edit (continued) LABEL DESCRIPTION Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Remove Select an entry and click Remove to delete the selected entry.
  • Page 623 Chapter 35 Application Patrol Table 239 Configuration > UTM Profile > App Patrol > Profile > Profile Management > Add/Edit LABEL DESCRIPTION Action Select the default action for all signatures in this category. forward - the ZyWALL/USG routes packets that match these signatures. drop - the ZyWALL/USG silently drops packets that match these signatures without notification.
  • Page 624: Chapter 36 Content Filtering

    CHAPTER 36 Content Filtering 36.1 Overview Use the content filtering feature to control access to specific web sites or web content. 36.1.1 What You Can Do in this Chapter • Use the Filter Profile screens (Section Figure 443 on page 629) to set up content filtering profiles.
  • Page 625 Chapter 36 Content Filtering • Restrict Web Features The ZyWALL/USG can disable web proxies and block web features such as ActiveX controls, Java applets and cookies. • Customize Web Site Access You can specify URLs to which the ZyWALL/USG blocks access. You can alternatively block access to all URLs except ones that you specify.
  • Page 626: Before You Begin

    Chapter 36 Content Filtering Finding Out More • See Section 36.6 on page 641 for content filtering background/technical information. 36.1.3 Before You Begin • You must configure an address object, a schedule object and a filtering profile before you can set up a content security policy.
  • Page 627 Chapter 36 Content Filtering The following table describes the labels in this screen. Table 240 Configuration > UTM Profile > Content Filter > Profile LABEL DESCRIPTION General Settings Enable Content Filter Report Service Select this check box to have the ZyWALL/USG collect category-based content filtering statistics.
  • Page 628: Content Filter Profile Add Or Edit Screen

    Chapter 36 Content Filtering Table 240 Configuration > UTM Profile > Content Filter > Profile (continued) LABEL DESCRIPTION License Status This read-only field displays the status of your content-filtering database service registration. Not Licensed displays if you have not successfully registered and activated the service.
  • Page 629 Chapter 36 Content Filtering Figure 443 Content Filter > Profile > Add Filter Profile > Category Service ZyWALL/USG Series User’s Guide...
  • Page 630 Chapter 36 Content Filtering The following table describes the labels in this screen. Table 241 Configuration > UTM Profile> Content Filter > Profile > Add > Category Service LABEL DESCRIPTION License Status This read-only field displays the status of your content-filtering database service registration.
  • Page 631 Chapter 36 Content Filtering Table 241 Configuration > UTM Profile> Content Filter > Profile > Add > Category Service LABEL DESCRIPTION Action for Managed Web Pages Select Pass to allow users to access web pages that match the other categories that you select below. Select Block to prevent users from accessing web pages that match the other categories that you select below.
  • Page 632 Chapter 36 Content Filtering Table 241 Configuration > UTM Profile> Content Filter > Profile > Add > Category Service LABEL DESCRIPTION Malware Sites that install unwanted software on a user's computer with the intent to enable third-party monitoring or make system changes without the user's consent.
  • Page 633 Chapter 36 Content Filtering Table 242 Managed Category Descriptions (continued) Business Sites that provide business related information such as corporate Web sites. Information, services, or products that help businesses of all sizes to do their day-to-day commercial activities. For example, www.kinkos.com, www.proctorgamble.com, www.bbb.org.
  • Page 634 Chapter 36 Content Filtering Table 242 Managed Category Descriptions (continued) Greeting cards Sites that allow people to send and receive greeting cards and postcards. For example, www.e-card.com.tw, card.ivy.net.tw. Hacking Sites that promote or give advice about how to gain unauthorized access to proprietary computer systems, for the purpose of stealing information, perpetrating fraud, creating viruses, or committing other illegal activity related to theft of digital information.
  • Page 635 Chapter 36 Content Filtering Table 242 Managed Category Descriptions (continued) Politics Sites that promote political parties or political advocacy, or provide information about political parties, interest groups, elections, legislation or lobbying. Also includes sites that offer legal information and advice. For example, www.kmt.org.tw, www.dpp.org.tw, cpc.people.com.cn.
  • Page 636: Content Filter Add Filter Profile Custom Service

    Chapter 36 Content Filtering Table 242 Managed Category Descriptions (continued) Transportation Sites that provide information about motor vehicles such as cars, motorcycles, boats, trucks, RVs and the like. Includes manufacturer sites, dealerships, review sites, pricing, online purchase sites, enthusiasts clubs, etc. For example, www.toyota.com.tw, www.ford.com.tw, www.sym.com.tw.
  • Page 637 Chapter 36 Content Filtering Figure 444 Configuration > UTM Profile > Content Filter > Filter Profile > Custom Service The following table describes the labels in this screen. Table 243 Configuration > UTM Profile > Content Filter > Profile > Custom Service LABEL DESCRIPTION Name...
  • Page 638 Chapter 36 Content Filtering Table 243 Configuration > UTM Profile > Content Filter > Profile > Custom Service (continued) LABEL DESCRIPTION Allow Web traffic for trusted web sites only When this box is selected, the ZyWALL/USG blocks Web access to sites that are not on the Trusted Web Sites list.
  • Page 639: Content Filter Trusted Web Sites Screen

    Chapter 36 Content Filtering Table 243 Configuration > UTM Profile > Content Filter > Profile > Custom Service (continued) LABEL DESCRIPTION Remove Select an entry and click this to delete it. This displays the index number of the forbidden web sites. Forbidden Web Sites This list displays the forbidden web sites already added.
  • Page 640: Content Filter Forbidden Web Sites Screen

    Chapter 36 Content Filtering Figure 445 Configuration > UTM Profile > Content Filter > Trusted Web Sites The following table describes the labels in this screen. Table 244 Configuration > UTM Profile > Content Filter > Trusted Web Sites LABEL DESCRIPTION Common Trusted Web Sites These are sites that you want to allow access to, regardless of their content...
  • Page 641: Content Filter Technical Reference

    Chapter 36 Content Filtering Figure 446 Configuration > UTM Profile > Content Filter > Forbidden Web Sites The following table describes the labels in this screen. Table 245 Configuration > UTM Profile > Content Filter > Forbidden Web Sites LABEL DESCRIPTION Forbidden Web Site List Sites that you want to block access to, regardless of their content rating, can...
  • Page 642 Chapter 36 Content Filtering Figure 447 Content Filter Lookup Procedure A computer behind the ZyWALL/USG tries to access a web site. The ZyWALL/USG looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site’s category will be in the ZyWALL/USG’s cache.
  • Page 643: Chapter 37 IDP

    CHAPTER 37 IDP 37.1 Overview This chapter introduces packet inspection IDP (Intrusion Detection and Prevention), IDP profiles, binding an IDP profile to a traffic flow, custom signatures and updating signatures. An IDP system can detect malicious or suspicious packets and respond instantaneously. IDP on the ZyWALL/USG protects against network-based intrusions.
  • Page 644: The IDP Profile Screen

    Chapter 37 IDP 37.2 The IDP Profile Screen An IDP profile is a set of packet inspection signatures. Packet inspection signatures examine packet content for malicious data. Packet inspection applies to OSI (Open System Interconnection) layer-4 to layer-7 contents. You need to subscribe for IDP service in order to be able to download new signatures.
  • Page 645: Base Profiles

    Chapter 37 IDP Table 246 Configuration > UTM Profile > IDP > Profile (continued) LABEL DESCRIPTION Object Reference Select an entry and click Object References to open a screen that shows which settings use the entry. Click Refresh to update information on this screen. Clone Use Clone to create a new entry by modifying an existing one.
  • Page 646: Adding / Editing Profiles

    Chapter 37 IDP The following table describes this screen. Table 247 Base Profiles BASE PROFILE DESCRIPTION none All signatures are disabled. No logs are generated nor actions are taken. All signatures are enabled. Signatures with a high or severe severity level (greater than three) generate log alerts and cause packets that trigger them to be dropped.
  • Page 647: Profile > Group View Screen

    Chapter 37 IDP 37.2.3 Profile > Group View Screen Select Configuration > UTM Profile > IDP > Profile and then click Add to create a new profile or select an existing profile, then click a group in the base profile box (or double-click the existing profile) to modify it.
  • Page 648 Chapter 37 IDP Table 248 Configuration > UTM Profile> IDP > Profile > Add > Group View (continued) LABEL DESCRIPTION Switch to query view Click this button to go to a screen where you can search for signatures by criteria such as name, ID, severity, attack type, vulnerable attack platforms, service category, log options or actions.
  • Page 649 Chapter 37 IDP Table 248 Configuration > UTM Profile> IDP > Profile > Add > Group View (continued) LABEL DESCRIPTION Severity These are the severities as defined in the ZyWALL/USG. The number in brackets is the number you use if using commands. Severe (5): These denote attacks that try to run arbitrary code or gain system privileges.
  • Page 650: Add Profile > Query View

    Chapter 37 IDP Table 248 Configuration > UTM Profile> IDP > Profile > Add > Group View (continued) LABEL DESCRIPTION Action To edit what action the ZyWALL/USG takes when a packet matches a signature, select the signature and use the Action icon. none: Select this action on an individual signature or a complete service group to have the ZyWALL/USG take no action when a packet matches the signature(s).
  • Page 651: Policy Types

    Chapter 37 IDP Policy Types This table describes Policy Types as categorized in the ZyWALL/USG. Table 249 Policy Types POLICY TYPE DESCRIPTION Access Control Access control refers to procedures and controls that limit or detect access. Access control attacks try to bypass validation checks in order to access network resources such as servers, directories, and files.
  • Page 652: IDP Service Groups

    Chapter 37 IDP Table 249 Policy Types (continued) POLICY TYPE DESCRIPTION Scan A scan describes the action of searching a network for an exposed service. An attack may then occur once a vulnerability has been found. Scans occur on several network levels.
  • Page 653 Chapter 37 IDP Figure 451 Configuration > UTM Profile> IDP > Profile: Query View The following table describes the fields specific to this screen’s query view. Table 251 Configuration > UTM Profile > IDP > Profile: Query View LABEL DESCRIPTION Name This is the name of the profile that you created in the IDP >...
  • Page 654: Query Example

    Chapter 37 IDP Table 251 Configuration > UTM Profile > IDP > Profile: Query View (continued) LABEL DESCRIPTION Severity Search for signatures by severity level(s). Hold down the [Ctrl] key if you want to make multiple selections. These are the severities as defined in the ZyWALL/USG. The number in brackets is the number you use if using commands.
  • Page 655: IDP Custom Signatures

    Chapter 37 IDP Figure 452 Query Example Search 37.3 IDP Custom Signatures Create custom signatures for new attacks or attacks peculiar to your network. Custom signatures can also be saved to/from your computer so as to share with others. You need some knowledge of packet headers and attack types to create your own custom signatures.
  • Page 656 Chapter 37 IDP Figure 453 IP v4 Packet Headers The header fields are discussed in the following table. Table 252 IP v4 Packet Headers HEADER DESCRIPTION Version The value 4 indicates IP version 4. IP Header Length is the number of 32 bit words forming the total length of the header (usually five).
  • Page 657 Chapter 37 IDP Select Configuration > UTM Profile > IDP > Custom Signatures. The first screen shows a summary of all custom signatures created. Click the SID or Name heading to sort. Click the Add icon to create a new signature or click the Edit icon to edit an existing signature. You can also delete custom signatures here or save them to your computer.
  • Page 658: Add / Edit Custom Signatures

    Chapter 37 IDP Table 253 Configuration > UTM Profile> IDP > Custom Signatures (continued) LABEL DESCRIPTION Customer Signature Rule Importing Use this part of the screen to import custom signatures (previously saved to your computer) to the ZyWALL/USG. Note: The name of the complete custom signature file on the ZyWALL/USG is ‘custom.rules’.
  • Page 659 Chapter 37 IDP Figure 455 Configuration > UTM Profile > IDP > Custom Signatures > Add/Edit
  • Page 660 Chapter 37 IDP The following table describes the fields in this screen. Table 254 Configuration > UTM Profile > IDP > Custom Signatures > Add/Edit LABEL DESCRIPTION Name Type the name of your custom signature. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 661 Chapter 37 IDP Table 254 Configuration > UTM Profile > IDP > Custom Signatures > Add/Edit (continued) LABEL DESCRIPTION IP Options IP options is a variable-length list of IP options for a datagram that define IP Security Option, IP Stream Identifier, (security and handling restrictions for the military), Record Route (have each router record its IP address), Loose Source Routing (specifies a list of IP addresses that must be traversed by the datagram), Strict Source Routing (specifies a list of IP addresses that must ONLY be traversed...
  • Page 662: Custom Signature Example

    Chapter 37 IDP Table 254 Configuration > UTM Profile > IDP > Custom Signatures > Add/Edit (continued) LABEL DESCRIPTION Payload Size This field may be used to check for abnormally sized packets or for detecting buffer overflows Select the check box, then select Equal, Smaller or Greater and then type the payload size.
  • Page 663 Chapter 37 IDP 37.3.2.1 Understand the Vulnerability Check the ZyWALL/USG logs when the attack occurs. Use web sites such as Google or Security Focus to get as much information about the attack as you can. The more specific your signature, the less chance it will cause false positives.
  • Page 664: Applying Custom Signatures

    Chapter 37 IDP From the details about DNS query you see that the protocol is UDP and the port is 53. The type of DNS packet is standard query and the Flag is 0x0100 with an offset of 2. Therefore enter |010| as the first pattern.
  • Page 665: Verifying Custom Signatures

    Chapter 37 IDP 37.3.4 Verifying Custom Signatures Configure the signature to create a log when traffic matches the signature. (You may also want to configure an alert if it is for a serious attack and needs immediate attention.) After you apply the signature to a zone, you can see if it works by checking the logs (Monitor >...
  • Page 666 Chapter 37 IDP the whole LAN is compromised. Host-based intrusions may be used to cause network-based intrusions when the goal of the host virus is to propagate attacks on the network, or attack computer/server operating system vulnerabilities with the goal of bringing down the computer/server.
  • Page 667 Chapter 37 IDP Table 255 ZyWALL/USG - Snort Equivalent Terms (continued) ZYWALL/USG TERM / SNORT EQUIVALENT TERM. Transport Protocol: ICMP: Type = itype; Code = icode; icmp_id; Sequence Number = icmp_seq. Payload Options (Snort rule options): Payload Size = dsize; Offset (relative to start of payload) = offset; Relative to end of last match = distance...
  • Page 668: Chapter 38 Anti-Virus

    CHAPTER 38 Anti-Virus 38.1 Overview Use the ZyWALL/USG’s anti-virus feature to protect your connected network from virus/spyware infection. The ZyWALL/USG checks traffic going in the direction(s) you specify for signature matches. In the following figure the ZyWALL/USG is set to check traffic coming from the WAN zone (which includes two interfaces) to the LAN zone.
  • Page 669: What You Need To Know

    Chapter 38 Anti-Virus 38.1.2 What You Need to Know Anti-Virus Engines Subscribe to signature files for Kaspersky’s anti-virus engine. After the trial expires, you need to purchase an iCard for the anti-virus engine you want to use and register it in the Registration > Service screen.
  • Page 670: Anti-Virus Profile Screen

    Chapter 38 Anti-Virus Notes About the ZyWALL/USG Anti-Virus The following lists important notes about the anti-virus scanner: The ZyWALL/USG anti-virus scanner can detect polymorphic viruses. When a virus is detected, an alert message is displayed in Microsoft Windows computers. Changes to the ZyWALL/USG’s anti-virus settings affect new sessions (not the sessions that already existed before you applied the changed settings).
  • Page 671 Chapter 38 Anti-Virus Figure 460 Configuration > UTM Profile > Anti-Virus > Profile The following table describes the labels in this screen. Table 256 Configuration > UTM Profile > Anti-Virus > Profile LABEL DESCRIPTION General Setting Scan and detect EICAR test virus Select this option to have the ZyWALL/USG check for the EICAR test file and treat it in the same way as a real virus file.
  • Page 672: Anti-Virus Profile Add Or Edit

    Chapter 38 Anti-Virus Table 256 Configuration > UTM Profile > Anti-Virus > Profile (continued) LABEL DESCRIPTION License The following fields display information about the current state of your subscription for virus signatures. License Status This field displays whether a service is activated (Licensed) or not (Not Licensed) or expired (Expired).
  • Page 673 Chapter 38 Anti-Virus Figure 461 Configuration > UTM Profile > Anti-Virus > Profile: Profile Management > Add The following table describes the labels in this screen. Table 257 Configuration > UTM > Anti-Virus > Profile: Profile Management > Add LABEL DESCRIPTION Configuration Name...
  • Page 674: Anti-Virus Black List

    Chapter 38 Anti-Virus Table 257 Configuration > UTM > Anti-Virus > Profile: Profile Management > Add (continued) LABEL DESCRIPTION Enable file decompression (ZIP ... Select this check box to have the ZyWALL/USG scan a ZIP file (the file does not have to have a “zip”...
  • Page 675: Anti-Virus Black List Or White List Add/Edit

    Chapter 38 Anti-Virus The following table describes the labels in this screen. Table 258 Configuration > UTM Profile > Anti-Virus > Black/White List > Black List LABEL DESCRIPTION Enable Black List Select this check box to log and delete files with names that match the black list patterns.
  • Page 676: Anti-Virus White List

    Chapter 38 Anti-Virus The following table describes the labels in this screen. Table 259 Configuration > UTM Profile > Anti-Virus > Black/White List > Black List (or White List) > LABEL DESCRIPTION Enable If this is a black list entry, select this option to have the ZyWALL/USG apply this entry when using the black list.
  • Page 677: AV Signature Searching

    Chapter 38 Anti-Virus Figure 464 Configuration > UTM Profile > Anti-Virus > Black/White List > White List The following table describes the labels in this screen. Table 260 Configuration > UTM Profile > Anti-Virus > Black/White List > White List LABEL DESCRIPTION Enable White List...
  • Page 678: Anti-Virus Technical Reference

    Chapter 38 Anti-Virus Figure 465 Configuration > UTM Profile > Anti-Virus > Signature The following table describes the labels in this screen. Table 261 Configuration > UTM > Anti-Virus > Signature LABEL DESCRIPTION Signatures Search Enter the name, part of the name or keyword of the signature(s) you want to find. This search is not case-sensitive and accepts numerical strings.
  • Page 679 Chapter 38 Anti-Virus Computer Virus Infection and Prevention The following describes a simple life cycle of a computer virus. A computer gets a copy of a virus from a source such as the Internet, e-mail, file sharing or any removable storage media. The virus is harmless until the execution of an infected program. The virus spreads to other files and programs on the computer.
  • Page 680: Anti-Spam

    CHAPTER 39 Anti-Spam 39.1 Overview The anti-spam feature can mark or discard spam (unsolicited commercial or junk e-mail). Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail. The ZyWALL/USG can also check e-mail against a DNS black list (DNSBL) of IP addresses of servers that are suspected of being used by spammers.
  • Page 681: Before You Begin

    Chapter 39 Anti-Spam that individual e-mail. A properly configured black list helps catch spam e-mail and increases the ZyWALL/USG’s anti-spam speed and efficiency. SMTP and POP3 Simple Mail Transfer Protocol (SMTP) is the Internet’s message transport standard. It controls the sending of e-mail messages between servers.
  • Page 682: The Anti-Spam Profile Screen

    Chapter 39 Anti-Spam • Configure your zones before you configure anti-spam. 39.3 The Anti-Spam Profile Screen Click Configuration > UTM Profile > Anti-Spam to open the Anti-Spam Profile screen. Use this screen to turn the anti-spam feature on or off and manage anti-spam policies. You can also select the action the ZyWALL/USG takes when the mail sessions threshold is reached.
  • Page 683: The Anti-Spam Profile Add Or Edit Screen

    Chapter 39 Anti-Spam Table 263 Configuration > UTM Profile > Anti-Spam > Profile LABEL DESCRIPTION Remove Select an entry and click this to delete it. Object Reference Select an entry and click Object References to open a screen that shows which settings use the entry.
  • Page 684 Chapter 39 Anti-Spam Figure 467 Configuration > UTM Profile > Anti-Spam > Profile > Add The following table describes the labels in this screen. Table 264 Configuration > UTM Profile > Anti-Spam > Profile > Add LABEL DESCRIPTION General Settings Name Enter a descriptive name for this anti-spam rule.
  • Page 685: The Mail Scan Screen

    Chapter 39 Anti-Spam Table 264 Configuration > UTM Profile > Anti-Spam > Profile > Add (continued) LABEL DESCRIPTION Check Mail Content Select this to identify spam e-mail by content, such as malicious content. Check Virus Outbreak Select this to scan e-mails for attached viruses. Check DNSBL Select this check box to check e-mail against the ZyWALL/USG’s configured DNSBL...
  • Page 686 Chapter 39 Anti-Spam Figure 468 Configuration > UTM Profile > Anti-Spam > Mail Scan The following table describes the labels in this screen. Table 265 Configuration > UTM Profile > Anti-Spam > Mail Scan LABEL DESCRIPTION Sender Reputation Enable Sender Reputation Select this to have the ZyWALL/USG scan for spam e-mail by IP reputation.
  • Page 687: The Anti-Spam Black List Screen

    Chapter 39 Anti-Spam Table 265 Configuration > UTM Profile > Anti-Spam > Mail Scan LABEL DESCRIPTION Enable Virus Outbreak Detection This scans e-mails for attached viruses. Virus Outbreak Enter a message or label (up to 15 ASCII characters) to add to the beginning of the mail subject of e-mails that are determined to have an attached virus.
  • Page 688 Chapter 39 Anti-Spam Figure 469 Configuration > UTM Profile > Anti-Spam > Black/White List > Black List The following table describes the labels in this screen. Table 266 Configuration > UTM Profile > Anti-Spam > Black/White List > Black List LABEL DESCRIPTION General Settings...
  • Page 689: The Anti-Spam Black Or White List Add/Edit Screen

    Chapter 39 Anti-Spam 39.5.1 The Anti-Spam Black or White List Add/Edit Screen In the anti-spam Black List or White List screen, click the Add icon or an Edit icon to display the following screen. Use this screen to configure an anti-spam black list entry to identify spam e-mail. You can create entries based on specific subject text, or the sender’s or relay’s IP address or e-mail address.
  • Page 690: Regular Expressions In Black Or White List Entries

    Chapter 39 Anti-Spam Table 267 Configuration > UTM Profile > Anti-Spam > Black/White List > Black/White List > Add LABEL DESCRIPTION Sender E-Mail Address This field displays when you select the E-Mail type. Enter a keyword (up to 63 ASCII characters).
  • Page 691 Chapter 39 Anti-Spam Figure 471 Configuration > UTM Profile > Anti-Spam > Black/White List > White List The following table describes the labels in this screen. Table 268 Configuration > UTM Profile > Anti-Spam > Black/White List > White List LABEL DESCRIPTION General Settings...
  • Page 692: The DNSBL Screen

    Chapter 39 Anti-Spam 39.7 The DNSBL Screen Click Configuration > UTM Profile > Anti-Spam > DNSBL to display the anti-spam DNSBL screen. Use this screen to configure the ZyWALL/USG to check the sender and relay IP addresses in e-mail headers against DNS (Domain Name Service)-based spam Black Lists (DNSBLs). Figure 472 Configuration >...
  • Page 693 Chapter 39 Anti-Spam The following table describes the labels in this screen. Table 269 Configuration > UTM Profile > Anti-Spam > DNSBL LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields. Enable DNS Black List Select this to have the ZyWALL/USG check the sender and relay IP addresses in e-...
  • Page 694: Anti-Spam Technical Reference

    Chapter 39 Anti-Spam Table 269 Configuration > UTM Profile > Anti-Spam > DNSBL (continued) LABEL DESCRIPTION Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate. Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
  • Page 695 Chapter 39 Anti-Spam Figure 473 DNSBL Spam Detection Example (figure: the e-mail’s IP addresses a.a.a.a and b.b.b.b are queried against DNSBL A, DNSBL B and DNSBL C) The ZyWALL/USG receives an e-mail that was sent from IP address a.a.a.a and relayed by an e-mail server at IP address b.b.b.b. The ZyWALL/USG sends a separate query to each of its DNSBL domains for IP address a.a.a.a.
  • Page 696 Chapter 39 Anti-Spam Figure 474 DNSBL Legitimate E-mail Detection Example (figure: the e-mail’s IP addresses c.c.c.c and d.d.d.d are queried against DNSBL A, DNSBL B and DNSBL C; the reply for d.d.d.d is “Not spam”) The ZyWALL/USG receives an e-mail that was sent from IP address c.c.c.c and relayed by an e-mail server at IP address d.d.d.d.
  • Page 697 Chapter 39 Anti-Spam Figure 475 Conflicting DNSBL Replies Example (figure: the e-mail’s IP addresses a.b.c.d and w.x.y.z are queried against DNSBL A, DNSBL B and DNSBL C; one reply flags a.b.c.d as “Spam!”) The ZyWALL/USG receives an e-mail that was sent from IP address a.b.c.d and relayed by an e-mail server at IP address w.x.y.z. The ZyWALL/USG sends a separate query to each of its DNSBL domains for IP address a.b.c.d.
  • Page 698: SSL Inspection

    CHAPTER 40 SSL Inspection 40.1 Overview Secure Socket Layer (SSL) traffic, such as HTTPS (for example, https://www.google.com/), FTPs, POP3s, SMTPs, etc., is encrypted, and cannot be inspected using Unified Threat Management (UTM) profiles such as App Patrol, Content Filter, Intrusion Detection and Prevention (IDP), or Anti-Virus. The ZyWALL/USG uses SSL Inspection to decrypt SSL traffic, sends it to the UTM engines for inspection, then encrypts traffic that passes inspection and forwards it to the destination server, such as Google.
  • Page 699: Before You Begin

    Chapter 40 SSL Inspection • RC4 (Rivest Cipher 4) • DES (Data Encryption Standard) • 3DES • AES (Advanced Encryption Standard) • SSLv3/TLS1.0 (Transport Layer Security) Support • SSLv3/TLS1.0 is currently supported with option to pass or block SSLv2 traffic •...
  • Page 700: Add / Edit SSL Inspection Profiles

    Chapter 40 SSL Inspection Table 270 Configuration > UTM Profile > SSL Inspection > Profile (continued) LABEL DESCRIPTION Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. Object Reference Select an entry and click Object References to open a screen that shows which settings use the entry.
  • Page 701 Chapter 40 SSL Inspection Table 271 Configuration > UTM Profile > SSL Inspection > Profile > Add / Edit (continued) LABEL DESCRIPTION CA Certificate This contains the default certificate and the certificates created in Object > Certificate > My Certificates. Choose the certificate for this profile. Severity Level Select a severity level and then use the icons to enable/disable and configure logs and actions for all signatures of that level.
  • Page 702: Exclude List Screen

    Chapter 40 SSL Inspection Table 271 Configuration > UTM Profile > SSL Inspection > Profile > Add / Edit (continued) LABEL DESCRIPTION Action To edit what action the ZyWALL/USG takes when a packet matches a signature, select the signature and use the Action icon. none: Select this action on an individual signature or a complete service group to have the ZyWALL/USG take no action when a packet matches the signature(s).
  • Page 703 Chapter 40 SSL Inspection Figure 479 Configuration > UTM Profile > SSL Inspection > Exclude List (> Add/Edit) The following table describes the fields in this screen. Table 272 Configuration > UTM Profile > SSL Inspection > Exclude List LABEL DESCRIPTION General Settings Enable Logs...
  • Page 704: Certificate Update Screen

    Chapter 40 SSL Inspection 40.4 Certificate Update Screen Use this screen to update the latest certificates of servers using SSL connections to the ZyWALL/USG network. User U sends an SSL request to destination server D (1), via the ZyWALL/USG, Z. D replies (2);...
  • Page 705: Install A Ca Certificate In A Browser

    Chapter 40 SSL Inspection Table 273 Configuration > UTM Profile > SSL Inspection > Certificate Update (continued) LABEL DESCRIPTION Update Now Click this button to download the latest certificate set from myZyXEL.com and update it on the ZyWALL/USG. Auto Update Select this to automatically have the ZyWALL/USG update the certificate set when a new one becomes available on myZyXEL.com.
  • Page 706 Chapter 40 SSL Inspection 40.5.0.1 Firefox Browser If you’re using a Firefox browser, in addition to the above you need to do the following to import a certificate into the browser. Click Tools > Options > Advanced > Encryption > View Certificates, click Import and enter the filename of the certificate you want to import.
  • Page 707: Chapter 41 Device Ha

    CHAPTER 41 Device HA 41.1 Overview Device HA lets a backup ZyWALL/USG (B) automatically take over if the master ZyWALL/USG (A) fails. Figure 482 Device HA Backup Taking Over for the Master The following models support Device HA (High Availability): • ZyWALL 110 •...
  • Page 708: Device Ha General

    Chapter 41 Device HA 41.2 Device HA General Active-Passive Mode • Active-passive mode lets a backup ZyWALL/USG take over if the master ZyWALL/USG fails. • The ZyWALL/USGs must be set to use the same Device HA mode (active-passive). Management Access You can configure a separate management IP address for each interface.
  • Page 709 Chapter 41 Device HA Figure 483 Configuration > Device HA > General The following table describes the labels in this screen. Table 274 Configuration > Device HA > General LABEL DESCRIPTION Enable Device Turn the ZyWALL/USG’s Device HA feature on or off. Note: It is not recommended to use STP (Spanning Tree Protocol) with Device HA.
  • Page 710: Device Ha Pro

    Chapter 41 Device HA Table 274 Configuration > Device HA > General (continued) LABEL DESCRIPTION HA Status The text before the slash shows whether the device is configured as the master or the backup role. The text after the slash displays the monitored interface’s status in the virtual router. Active - This interface is up and using the virtual IP address and subnet mask.
  • Page 711: Deploying Device Ha Pro

    Chapter 41 Device HA Failover from the active ZyWALL/USG to the passive ZyWALL/USG is activated when: • A monitored interface is down • A monitored service (daemon) is down • The heartbeat link exceeds the failure tolerance. After failover, the initial active ZyWALL/USG becomes the passive ZyWALL/USG after it recovers. 41.3.1 Deploying Device HA Pro Register either the active or passive ZyWALL/USG with a Device HA Pro license at MyZyXEL.com.
  • Page 712 Chapter 41 Device HA Figure 485 Configuration > Device HA > Device HA Pro The following table describes the labels in this screen. Table 275 Configuration > Device HA > Device HA Pro LABEL DESCRIPTION Enable Configuration Provisioning From Active Device Select this to have a passive ZyWALL/USG copy the active ZyWALL/USG’s configuration, signatures (anti-virus, IDP/application patrol, and system...
  • Page 713: The Active-Passive Mode Screen

    Chapter 41 Device HA Table 275 Configuration > Device HA > Device HA Pro (continued) LABEL DESCRIPTION Password Type a synchronization password of between 1 and 32 single-byte printable characters. You will be prompted for the password before synchronization takes place.
  • Page 714 Chapter 41 Device HA Cluster ID You can have multiple ZyWALL/USG virtual routers on your network. Use a different cluster ID to identify each virtual router. In the following example, ZyWALL/USGs A and B form a virtual router that uses cluster ID 1. ZyWALL/USGs C and D form a virtual router that uses cluster ID 2. Figure 487 Cluster IDs for Multiple Virtual Routers Monitored Interfaces in Active-Passive Mode Device HA You can select which interfaces Device HA monitors.
  • Page 715: Configuring Active-Passive Mode Device Ha

    Chapter 41 Device HA Figure 488 Management IP Addresses [figure labels: 192.168.1.1, 192.168.1.5, 192.168.1.1, 192.168.1.6] 41.4.1 Configuring Active-Passive Mode Device HA The Device HA Active-Passive Mode screen lets you configure general active-passive mode Device HA settings, view and manage the list of monitored interfaces, and synchronize backup ZyWALL/USGs.
  • Page 716 Chapter 41 Device HA The following table describes the labels in this screen. See Section 41.5 on page 718 for more information as well. Table 276 Configuration > Device HA > Active-Passive Mode LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields...
  • Page 717 Chapter 41 Device HA Table 276 Configuration > Device HA > Active-Passive Mode (continued) LABEL DESCRIPTION Virtual Router IP / Netmask This is the master ZyWALL/USG’s (static) IP address and subnet mask for this interface. If a backup takes over for the master, it uses this IP address. These fields are blank if the interface is a DHCP client or has no IP settings.
  • Page 718: Active-Passive Mode Edit Monitored Interface

    Chapter 41 Device HA 41.5 Active-Passive Mode Edit Monitored Interface The Device HA Active-Passive Mode Monitored Interface Edit screen lets you enable or disable monitoring of an interface and set the interface’s management IP address and subnet mask. To access this screen, click Configuration > Device HA > Active-Passive Mode > Edit. If you configure Device HA settings for an Ethernet interface and later add the Ethernet interface to a bridge, the ZyWALL/USG retains the interface’s Device HA settings and uses them again if you later remove the interface from the bridge.
  • Page 719: Device Ha Technical Reference

    Chapter 41 Device HA Table 277 Configuration > Device HA > Active-Passive Mode > Edit (continued) LABEL DESCRIPTION Manage IP Enter the interface’s IP address for management access. You can use this IP address to access the ZyWALL/USG whether it is the master or a backup. This management IP address should be in the same subnet as the interface IP address.
  • Page 720 Chapter 41 Device HA Configure the bridge interface (Br0 {ge4, ge5}) on the backup ZyWALL/USG, set the bridge interface as a monitored interface, and activate Device HA. Connect the ZyWALL/USGs. Second Option for Connecting the Bridge Interfaces on Two ZyWALL/USGs Another option is to disable the bridge interfaces, connect the bridge interfaces, activate Device HA, and finally reactivate the bridge interfaces as shown in the following example.
  • Page 721 Chapter 41 Device HA In this case the ZyWALL/USGs are already connected, but the bridge interfaces have not been configured yet. Configure a bridge interface (Br0 {ge4, ge5}) on the master ZyWALL/USG but disable it. Then set the bridge interface as a monitored interface, and activate Device HA. Configure a corresponding disabled bridge interface on the backup ZyWALL/USG.
  • Page 722 Chapter 41 Device HA Synchronization During synchronization, the master ZyWALL/USG sends the following information to the backup ZyWALL/USG. • Startup configuration file (startup-config.conf) • AV signatures • IDP and application patrol signatures • System protect signatures •...
  • Page 723: Object

    CHAPTER 42 Object 42.1 Zones Overview Set up zones to configure network security and network policies in the ZyWALL/USG. A zone is a group of interfaces and/or VPN tunnels. The ZyWALL/USG uses zones instead of interfaces in many security and policy settings, such as Secure Policies rules, UTM Profile, and remote management. Zones cannot overlap.
  • Page 724: The Zone Screen

    Chapter 42 Object Inter-zone Traffic Inter-zone traffic is traffic between interfaces or VPN tunnels in different zones. For example, in Figure 492 on page 723, traffic between VLAN 1 and the Internet is inter-zone traffic. This is the normal case when zone-based security and policy settings apply. Extra-zone Traffic •...
  • Page 725: User/Group Overview

    Chapter 42 Object 42.1.2.1 Zone Edit The Zone Edit screen allows you to add or edit a zone. To access this screen, go to the Zone screen (see Section 42.8.2 on page 779), and click the Add icon or an Edit icon. Figure 494 Configuration >...
  • Page 726: What You Need To Know

    Chapter 42 Object • The Group screen (see Section 42.2.3 on page 731) provides a summary of all user groups. In addition, this screen allows you to add, edit, and remove user groups. User groups may consist of access users and other user groups. You cannot put admin users in user groups. •...
  • Page 727 Chapter 42 Object All ext-user users should be authenticated by an external server, such as AD, LDAP or RADIUS. If the ZyWALL/USG tries to use the local database to authenticate an ext-user, the authentication attempt always fails. (This is related to AAA servers and authentication methods, which are discussed in those chapters in this guide.) Note: If the ZyWALL/USG tries to authenticate an ext-user using the local database, the attempt always fails.
  • Page 728: User/Group User Summary Screen

    Chapter 42 Object Note: You cannot put the default admin account into any user group. The sequence of members in a user group is not important. User Awareness By default, users do not have to log into the ZyWALL/USG to use the network services it provides. The ZyWALL/USG automatically routes packets for everyone.
  • Page 729 Chapter 42 Object Table 281 Configuration > Object > User/Group > User (continued) LABEL DESCRIPTION User Type This field displays the types of user accounts the ZyWALL/USG uses: • admin - this user can look at and change the configuration of the ZyWALL/USG •...
  • Page 730 Chapter 42 Object Figure 496 Configuration > Object > User/Group > User > Add The following table describes the labels in this screen. Table 282 Configuration > Object > User/Group > User > Add LABEL DESCRIPTION User Name Type the user name for this user account. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 731: User/Group Group Summary Screen

    Chapter 42 Object Table 282 Configuration > Object > User/Group > User > Add (continued) LABEL DESCRIPTION Lease Time If you select Use Default Settings in the Authentication Timeout Settings field, the default lease time is shown. If you select Use Manual Settings, you need to enter the number of minutes this user has to renew the current session before the user is logged out.
  • Page 732 Chapter 42 Object Table 283 Configuration > Object > User/Group > Group (continued) LABEL DESCRIPTION Object References Select an entry and click Object References to open a screen that shows which settings use the entry. # This field is a sequential value, and it is not associated with a specific user group. Group Name This field displays the name of each user group.
  • Page 733: User/Group Setting Screen

    Chapter 42 Object 42.2.4 User/Group Setting Screen The Setting screen controls default settings, login settings, lockout settings, and other user settings for the ZyWALL/USG. You can also use this screen to specify when users must log in to the ZyWALL/USG before it routes traffic for them. To access this screen, login to the Web Configurator, and click Configuration >...
  • Page 734 Chapter 42 Object Table 285 Configuration > Object > User/Group > Setting (continued) LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific entry. User Type These are the kinds of user account the ZyWALL/USG supports. •...
  • Page 735 Chapter 42 Object Table 285 Configuration > Object > User/Group > Setting (continued) LABEL DESCRIPTION Maximum number per This field is effective when Limit ... for access account is checked. Type access account the maximum number of simultaneous logins by each access user. User Lockout Settings Enable logon retry limit Select this check box to set a limit on the number of times each user can...
  • Page 736: User Aware Login Example

    Chapter 42 Object The following table describes the labels in this screen. Table 286 Configuration > Object > User/Group > Setting > Edit LABEL DESCRIPTION User Type This read-only field identifies the type of user account for which you are configuring the default settings.
  • Page 737: User/Group Mac Address Summary Screen

    Chapter 42 Object Figure 501 Web Configurator for Non-Admin Users The following table describes the labels in this screen. Table 287 Web Configurator for Non-Admin Users LABEL DESCRIPTION User-defined lease time (max ...) Access users can specify a lease time shorter than or equal to the one that you specified. The default value is the lease time that you specified.
  • Page 738 Chapter 42 Object Figure 502 Configuration > Object > User/Group > MAC Address The following table describes the labels in this screen. Table 288 Configuration > Object > User/Group > MAC Address LABEL DESCRIPTION Click this to create a new entry. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
  • Page 739: User /Group Technical Reference

    Chapter 42 Object The following table describes the labels in this screen. Table 289 Configuration > Object > User/Group > MAC Address > Add LABEL DESCRIPTION MAC Address/ Type the MAC address (six hexadecimal number pairs separated by colons or hyphens) or OUI (three hexadecimal number pairs separated by colons or hyphens) to identify specific wireless clients for MAC authentication using the ZyWALL/USG local user database.
  • Page 740: Ap Profile Overview

    Chapter 42 Object 42.3 AP Profile Overview This section shows you how to configure preset profiles for the Access Points (APs) connected to your ZyWALL/USG’s wireless network. • The Radio screen (Section 42.3.1 on page 741) creates radio configurations that can be used by the APs.
  • Page 741: Radio Screen

    Chapter 42 Object WPA and WPA2 Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA. Key differences between WPA(2) and WEP are improved data encryption and user authentication.
  • Page 742 Chapter 42 Object Table 291 Configuration > Object > AP Profile > Radio (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL/USG. Reset Click Reset to return the screen to its last-saved settings. 42.3.1.1 Add/Edit Radio Profile This screen allows you to create a new radio profile or edit an existing one.
  • Page 743 Chapter 42 Object The following table describes the labels in this screen. Table 292 Configuration > Object > AP Profile > Add/Edit Radio Profile LABEL DESCRIPTION Hide / Show Advanced Settings Click this to hide or show the Advanced Settings in this window. General Settings Activate...
  • Page 744 Chapter 42 Object Table 292 Configuration > Object > AP Profile > Add/Edit Radio Profile (continued) LABEL DESCRIPTION Enable DCS This field is available when you set Channel Selection to DCS. Client Aware Select this to have the AP wait until all connected clients have disconnected before switching channels.
  • Page 745 Chapter 42 Object Table 292 Configuration > Object > AP Profile > Add/Edit Radio Profile (continued) LABEL DESCRIPTION Enable A-MPDU Aggregation Select this to enable A-MPDU aggregation. Message Protocol Data Unit (MPDU) aggregation collects Ethernet frames along with their 802.11n headers and wraps them in a 802.11n MAC header. This method is useful for increasing bandwidth throughput in environments that are prone to high error rates.
  • Page 746: Ssid Screen

    Chapter 42 Object Table 292 Configuration > Object > AP Profile > Add/Edit Radio Profile (continued) LABEL DESCRIPTION Transmission Mode Set how the AP handles multicast traffic. Select Multicast to Unicast to broadcast wireless multicast traffic to all of the wireless clients as unicast traffic.
  • Page 747 Chapter 42 Object The following table describes the labels in this screen. Table 293 Configuration > Object > AP Profile > SSID List LABEL DESCRIPTION Click this to add a new SSID profile. Edit Click this to edit the selected SSID profile. Remove Click this to remove the selected SSID profile.
  • Page 748 Chapter 42 Object The following table describes the labels in this screen. Table 294 Configuration > Object > AP Profile > SSID > Add/Edit SSID Profile LABEL DESCRIPTION Create new Object Select an object type from the list to create a new one associated with this SSID profile. Profile Name Enter up to 31 alphanumeric characters for the profile name.
  • Page 749 Chapter 42 Object Table 294 Configuration > Object > AP Profile > SSID > Add/Edit SSID Profile (continued) LABEL DESCRIPTION Band Select: To improve network performance and avoid interference in the 2.4 GHz frequency band, you can enable this feature to use the 5 GHz band first. You should set 2.4GHz and 5 GHz radio profiles to use the same SSID and security settings.
  • Page 750 Chapter 42 Object The following table describes the labels in this screen. Table 295 Configuration > Object > AP Profile > SSID > Security List LABEL DESCRIPTION Click this to add a new security profile. Edit Click this to edit the selected security profile. Remove Click this to remove the selected security profile.
  • Page 751 Chapter 42 Object 42.3.2.4 Add/Edit Security Profile This screen allows you to create a new security profile or edit an existing one. To access this screen, click the Add button or select a security profile from the list and click the Edit button. Note: This screen’s options change based on the Security Mode selected.
  • Page 752 Chapter 42 Object Table 296 Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile LABEL DESCRIPTION Primary / Secondary Radius Server Activate Select this to have the ZyWALL/USG use the specified RADIUS server. Radius Server IP Enter the IP address of the RADIUS server to be used for authentication.
  • Page 753 Chapter 42 Object Table 296 Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile LABEL DESCRIPTION The following fields are available if you set Security Mode to wpa, wpa2 or wpa2-mix. Select this option to use a Pre-Shared Key with WPA encryption. Pre-Shared Key Enter a pre-shared key of between 8 and 63 case-sensitive ASCII characters (including spaces and symbols) or 64 hexadecimal characters.
  • Page 754 Chapter 42 Object Table 297 Configuration > Object > AP Profile > SSID > MAC Filter List (continued) LABEL DESCRIPTION Remove Click this to remove the selected MAC filtering profile. Object Reference Click this to view which other objects are linked to the selected MAC filtering profile (for example, SSID profile).
  • Page 755: Mon Profile

    Chapter 42 Object Table 298 SSID > MAC Filter List > Add/Edit MAC Filter Profile (continued) LABEL DESCRIPTION Click OK to save your changes back to the ZyWALL/USG. Cancel Click Cancel to exit this screen without saving your changes. 42.4 MON Profile 42.4.1 Overview This screen allows you to set up monitor mode configurations that allow your connected APs to scan for other wireless devices in the vicinity.
  • Page 756 Chapter 42 Object Figure 514 Configuration > Object > MON Profile The following table describes the labels in this screen. Table 299 Configuration > Object > MON Profile LABEL DESCRIPTION Click this to add a new monitor mode profile. Edit Click this to edit the selected monitor mode profile.
  • Page 757 Chapter 42 Object Figure 515 Configuration > Object > MON Profile > Add/Edit MON Profile The following table describes the labels in this screen. Table 300 Configuration > Object > MON Profile > Add/Edit MON Profile LABEL DESCRIPTION Activate Select this to activate this monitor mode profile. Profile Name This field indicates the name assigned to the monitor mode profile.
  • Page 758: Technical Reference

    Chapter 42 Object Table 300 Configuration > Object > MON Profile > Add/Edit MON Profile (continued) LABEL DESCRIPTION Set Scan Channel List (5 GHz) Move a channel from the Available channels column to the Channels selected column to have the APs using this profile scan that channel when Scan Channel Mode is set to manual.
  • Page 759: Application

    Chapter 42 Object Friendly APs If you have more than one AP in your wireless network, you should also configure a list of “friendly” APs. Friendly APs are other wireless access points that are detected in your network, as well as any others that you know are not a threat (those from recognized networks, for example).
  • Page 760 Chapter 42 Object • Use the Application screen (Section on page 760) to create application objects that can be used in App Patrol profiles. • Use the Application Group screen (Section 42.5.2 on page 764) to group application objects as an individual object that can be used in App Patrol profiles.
  • Page 761: Add Application Rule

    Chapter 42 Object Table 302 Configuration > Object > Application > Application (continued) LABEL DESCRIPTION Signature Information An activated license allows you to download signatures to the ZyWALL/USG from myZyXEL.com. These fields show details on the signatures downloaded. Current Version The version number increments when signatures are updated at myZyXEL.com. This field shows the current version downloaded to the ZyWALL/USG.
  • Page 762 Chapter 42 Object Table 303 Configuration > Object > Application > Application > Add Application Rule (continued) LABEL DESCRIPTION Application This displays the name of the application signature used in this application rule. OK Click OK to save your changes back to the ZyWALL/USG. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 763 Chapter 42 Object Figure 521 Configuration > Object > Application > Application > Add Application Rule > Add By Service The following table describes the labels in this screen. Table 304 Configuration > Object > Application > Application > Add Application Rule > Add Application Object LABEL DESCRIPTION...
  • Page 764: Application Group Screen

    Chapter 42 Object 42.5.2 Application Group Screen This screen allows you to group individual application objects to be treated as a single application object. To access this screen click Configuration > Object > Application > Application Group. Figure 522 Configuration > Object > Application > Application Group The following table describes the labels in this screen.
  • Page 765: Address/Geo Ip Overview

    Chapter 42 Object 42.5.2.1 Add Application Group Rule Click Add in Configuration > Object > Application > Application Group to select already created application rules and combine them as a single new rule. Figure 523 Configuration > Object > Application > Application > Add Application Group Rule The following table describes the labels in this screen.
  • Page 766: What You Need To Know

    Chapter 42 Object • Use the Address Group summary screen (Section 42.6.3 on page 769) and the Address Group Add/Edit screen, to maintain address groups in the ZyWALL/USG. • Use the Geo IP screen (Section 42.6.4 on page 771) to update the database of country-to-IP address mappings and to manually configure country-to-IP address mappings.
  • Page 767 Chapter 42 Object The following table describes the labels in this screen. See Section 42.6.2.1 on page 767 for more information as well. Table 307 Configuration > Object > Address/Geo IP > Address LABEL DESCRIPTION IPv4 Address Configuration Click this to create a new entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
  • Page 768 Chapter 42 Object The following table describes the labels in this screen. Table 308 IPv4 Address Configuration > Add/Edit LABEL DESCRIPTION Name Type the name used to refer to the address. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  • Page 769: Address Group Summary Screen

    Chapter 42 Object The following table describes the labels in this screen. Table 309 IPv6 Address Configuration > Add/Edit LABEL DESCRIPTION Name Type the name used to refer to the address. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  • Page 770 Chapter 42 Object The following table describes the labels in this screen. See Section 42.6.3.1 on page 770 for more information as well. Table 310 Configuration > Object > Address/Geo IP > Address Group LABEL DESCRIPTION IPv4 Address Group Configuration Click this to create a new entry.
  • Page 771: Geo Ip Summary Screen

    Chapter 42 Object Figure 528 IPv4/IPv6 Address Group Configuration > Add The following table describes the labels in this screen. Table 311 IPv4/IPv6 Address Group Configuration > Add LABEL DESCRIPTION Name Enter a name for the address group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 772 Chapter 42 Object Figure 529 Configuration > Object > Address/Geo IP > Geo IP The following table describes the labels in this screen. Table 312 Configuration > Object > Address/Geo IP > Geo IP LABEL DESCRIPTION Country Database Update Latest Version This is the latest country-to-IP address database version on myzyxel.com.
  • Page 773: Service Overview

    Chapter 42 Object Table 312 Configuration > Object > Address/Geo IP > Geo IP (continued) LABEL DESCRIPTION Type This field displays whether this address object is HOST, RANGE or SUBNET. IPv4 Address This field displays the IPv4 addresses represented by the type of address object. 42.6.4.1 Add Custom IPv4/IPv6 Address to Geography Screen This screen allows you to create a new geography-to-IP address mapping.
  • Page 774: What You Need To Know

    Chapter 42 Object • Use the Service Group screens (Section 42.7.2 on page 775) to view and configure the ZyWALL/USG’s list of service groups. 42.7.1 What You Need to Know IP Protocols IP protocols are based on the eight-bit protocol field in the IP header. This field represents the next-level protocol that is sent in this packet.
  • Page 775: The Service Summary Screen

    Chapter 42 Object 42.7.2 The Service Summary Screen The Service summary screen provides a summary of all services and their definitions. In addition, this screen allows you to add, edit, and remove services. To access this screen, log in to the Web Configurator, and click Configuration > Object > Service >...
  • Page 776: The Service Group Summary Screen

    Chapter 42 Object Figure 532 Configuration > Object > Service > Service > Edit The following table describes the labels in this screen. Table 315 Configuration > Object > Service > Service > Edit LABEL DESCRIPTION Name Type the name used to refer to the service. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 777 Chapter 42 Object Figure 533 Configuration > Object > Service > Service Group The following table describes the labels in this screen. See Section 42.7.3.1 on page 777 for more information as well. Table 316 Configuration > Object > Service > Service Group LABEL DESCRIPTION Click this to create a new entry.
  • Page 778: Schedule Overview

    Chapter 42 Object Figure 534 Configuration > Object > Service > Service Group > Edit The following table describes the labels in this screen. Table 317 Configuration > Object > Service > Service Group > Edit LABEL DESCRIPTION Name Enter the name of the service group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 779: What You Need To Know

    Chapter 42 Object • Use the One-Time Schedule Add/Edit screen (Section 42.8.2.1 on page 780) to create or edit a one-time schedule. • Use the Recurring Schedule Add/Edit screen (Section 42.8.2.2 on page 781) to create or edit a recurring schedule. •...
  • Page 780 Chapter 42 Object Table 318 Configuration > Object > Schedule (continued) LABEL DESCRIPTION Object References Select an entry and click Object References to open a screen that shows which settings use the entry. # This field is a sequential value, and it is not associated with a specific schedule. Name This field displays the name of the schedule, which is used to refer to the schedule.
  • Page 781 Chapter 42 Object The following table describes the labels in this screen. Table 319 Configuration > Object > Schedule > Edit (One Time) LABEL DESCRIPTION Configuration Name Type the name used to refer to the one-time schedule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 782: The Schedule Group Screen

    Chapter 42 Object The Year, Month, and Day columns are not used in recurring schedules and are disabled in this screen. The following table describes the remaining labels in this screen. Table 320 Configuration > Object > Schedule > Edit (Recurring) LABEL DESCRIPTION Configuration...
  • Page 783 Chapter 42 Object Table 321 Configuration > Object > Schedule > Schedule Group LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific schedule. Name This field displays the name of the schedule group, which is used to refer to the schedule.
  • Page 784: Aaa Server Overview

    Chapter 42 Object Table 322 Configuration > Schedule > Schedule Group > Add LABEL DESCRIPTION Member List The Member list displays the names of the service and service group objects that have been added to the service group. The order of members is not important.
  • Page 785: Radius Server

    Chapter 42 Object 42.9.2 RADIUS Server RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external server instead of (or in addition to) an internal device user database that is limited to the memory capacity of the device. In essence, RADIUS authentication allows you to validate a large number of users from a central location.
  • Page 786 Chapter 42 Object • Local user database The ZyWALL/USG uses the built-in local user database to authenticate administrative users logging into the ZyWALL/USG’s Web Configurator or network access users logging into the network through the ZyWALL/USG. You can also use the local user database to authenticate VPN users.
  • Page 787: Active Directory Or Ldap Server Summary

    Chapter 42 Object Base DN A base DN specifies a directory. A base DN usually contains information such as the name of an organization, a domain name and/or country. For example, o=MyCompany, c=UK where o means organization and c means country. Bind DN A bind DN is used to authenticate with an LDAP/AD server.
  • Page 788 Chapter 42 Object 42.9.5.1 Adding an Active Directory or LDAP Server Click Object > AAA Server > Active Directory (or LDAP) to display the Active Directory (or LDAP) screen. Click the Add icon or an Edit icon to display the following screen. Use this screen to create a new AD or LDAP entry or edit an existing one.
  • Page 789 Chapter 42 Object The following table describes the labels in this screen. Table 324 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add LABEL DESCRIPTION Name Enter a descriptive name (up to 63 alphanumerical characters) for identification purposes.
  • Page 790: Radius Server Summary

    Chapter 42 Object Table 324 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add (continued) LABEL DESCRIPTION Retype to Confirm Retype your new password for confirmation. This is only for Active Directory. Realm Enter the realm FQDN. This is only for Active Directory.
  • Page 791 Chapter 42 Object 42.9.6.1 Adding a RADIUS Server Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen. Click the Add icon or an Edit icon to display the following screen. Use this screen to create a new AD or LDAP entry or edit an existing one.
  • Page 792: Auth. Method Overview

    Chapter 42 Object Table 326 Configuration > Object > AAA Server > RADIUS > Add (continued) LABEL DESCRIPTION Timeout Specify the timeout period (between 1 and 300 seconds) before the ZyWALL/USG disconnects from the RADIUS server. In this case, user authentication fails. Search timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down.
  • Page 793: Authentication Method Objects

    Chapter 42 Object Access the Configuration > VPN > IPSec VPN > VPN Gateway > Edit screen. Click Show Advance Setting and select Enable Extended Authentication. Select Server Mode and select an authentication method object from the drop-down list box. Click OK to save the settings.
  • Page 794: Creating An Authentication Method Object

    Chapter 42 Object 42.10.3.1 Creating an Authentication Method Object Follow the steps below to create an authentication method object. Click Configuration > Object > Auth. Method. Click Add. Specify a descriptive name for identification purposes in the Name field. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number.
  • Page 795: Certificate Overview

    Chapter 42 Object Table 328 Configuration > Object > Auth. Method > Add (continued) LABEL DESCRIPTION Remove To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to remove it before doing so. Move To change a method’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.
  • Page 796 Chapter 42 Object Tim wants to send a message to Jenny. He needs her to be sure that it comes from him, and that the message content has not been altered by anyone else along the way. Tim generates a public key pair (one public key and one private key).
  • Page 797: Verifying A Certificate

    Chapter 42 Object Certificate File Formats Any certificate that you want to import has to be in one of these file formats: • Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates. • PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses lowercase letters, uppercase letters and numerals to convert a binary X.509 certificate into a printable form.
  • Page 798: The My Certificates Screen

    Chapter 42 Object Figure 551 Certificate Details Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may very based on your situation. Possible examples would be over the telephone or through an HTTPS connection. 42.11.3 The My Certificates Screen Click Configuration >...
  • Page 799: The My Certificates Add Screen

    Chapter 42 Object The following table describes the labels in this screen. Table 329 Configuration > Object > Certificate > My Certificates LABEL DESCRIPTION PKI Storage This bar displays the percentage of the ZyWALL/USG’s PKI storage space that is currently Space in Use in use.
  • Page 800 Chapter 42 Object Figure 553 Configuration > Object > Certificate > My Certificates > Add The following table describes the labels in this screen. Table 330 Configuration > Object > Certificate > My Certificates > Add LABEL DESCRIPTION Name Type a name to identify this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
  • Page 801 Chapter 42 Object Table 330 Configuration > Object > Certificate > My Certificates > Add (continued) LABEL DESCRIPTION Organization Identify the company or group to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
  • Page 802 Chapter 42 Object 42.11.3.2 The My Certificates Edit Screen Click Configuration > Object > Certificate > My Certificates and then the Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate’s name.
  • Page 803 Chapter 42 Object The following table describes the labels in this screen. Table 331 Configuration > Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
  • Page 804: The My Certificates Import Screen

    Chapter 42 Object Table 331 Configuration > Object > Certificate > My Certificates > Edit (continued) LABEL DESCRIPTION MD5 Fingerprint This is the certificate’s message digest that the ZyWALL/USG calculated using the MD5 algorithm. SHA1 Fingerprint This is the certificate’s message digest that the ZyWALL/USG calculated using the SHA1 algorithm.
  • Page 805: The Trusted Certificates Screen

    Chapter 42 Object Figure 555 Configuration > Object > Certificate > My Certificates > Import The following table describes the labels in this screen. Table 332 Configuration > Object > Certificate > My Certificates > Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it.
  • Page 806: The Trusted Certificates Edit Screen

    Chapter 42 Object The following table describes the labels in this screen. Table 333 Configuration > Object > Certificate > Trusted Certificates LABEL DESCRIPTION PKI Storage This bar displays the percentage of the ZyWALL/USG’s PKI storage space that is currently Space in Use in use.
  • Page 807 Chapter 42 Object Figure 557 Configuration > Object > Certificate > Trusted Certificates > Edit ZyWALL/USG Series User’s Guide...
  • Page 808 Chapter 42 Object The following table describes the labels in this screen. Table 334 Configuration > Object > Certificate > Trusted Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificate. You can change the name. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
  • Page 809: The Trusted Certificates Import Screen

    Chapter 42 Object Table 334 Configuration > Object > Certificate > Trusted Certificates > Edit (continued) LABEL DESCRIPTION Issuer This field displays identifying information about the certificate’s issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same information as in the Subject Name field.
  • Page 810: Certificates Technical Reference

    Chapter 42 Object Figure 558 Configuration > Object > Certificate > Trusted Certificates > Import The following table describes the labels in this screen. Table 335 Configuration > Object > Certificate > Trusted Certificates > Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it.
  • Page 811: Isp Account Summary

    Chapter 42 Object 42.12.1 ISP Account Summary This screen provides a summary of ISP accounts in the ZyWALL/USG. To access this screen, click Configuration > Object > ISP Account. Figure 559 Configuration > Object > ISP Account The following table describes the labels in this screen. See the ISP Account Add/Edit section below for more information as well.
  • Page 812 Chapter 42 Object Figure 560 Configuration > Object > ISP Account > Edit The following table describes the labels in this screen. Table 337 Configuration > Object > ISP Account > Edit LABEL DESCRIPTION Profile Name This field is read-only if you are editing an existing account. Type in the profile name of the ISP account.
  • Page 813: Ssl Application Overview

    Chapter 42 Object Table 337 Configuration > Object > ISP Account > Edit (continued) LABEL DESCRIPTION Server IP If this ISP account uses the PPPoE protocol, this field is not displayed. If this ISP account uses the PPTP protocol, type the IP address of the PPTP server. Connection ID This field is available if this ISP account uses the PPTP protocol.
  • Page 814 Chapter 42 Object Remote User Screen Links Available SSL application names are displayed as links in remote user screens. Depending on the application type, remote users can simply click the links or follow the steps in the pop-up dialog box to access.
  • Page 815: The Ssl Application Screen

    Chapter 42 Object Click the Add button and select Web Application in the Type field. In the Server Type field, select Web Server. Enter a descriptive name in the Display Name field. For example, “CompanyIntranet”. In the URLAddress field, enter “http://my-info”. Select Web Page Encryption to prevent users from saving the web content.
  • Page 816 Chapter 42 Object The following table describes the labels in this screen. Table 338 Configuration > Object > SSL Application LABEL DESCRIPTION Click this to create a new entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove.
  • Page 817 Chapter 42 Object Figure 565 Configuration > Object > SSL Application > Add/Edit: File Sharing The following table describes the labels in this screen. Table 339 Configuration > Object > SSL Application > Add/Edit: Web Application/File Sharing LABEL DESCRIPTION Create new Use this to configure any new settings objects that you need to use in this screen.
  • Page 818: Dhcpv6 Overview

    Chapter 42 Object Table 339 Configuration > Object > SSL Application > Add/Edit: Web Application/File Sharing LABEL DESCRIPTION Preview This field only appears when you choose Web Application or File Sharing as the object type. This field displays if the Server Type is set to Web Server, OWA or Weblink. Note: If your Internet Explorer or other browser screen doesn’t show a preview, it may be due to your web browser security settings.
  • Page 819: The Dhcpv6 Request Screen

    Chapter 42 Object 42.14.1 The DHCPv6 Request Screen The Request screen allows you to add, edit, and remove DHCPv6 request type objects. To access this screen, login to the Web Configurator, and click Configuration > Object > DHCPv6 > Request. Figure 566 Configuration >...
  • Page 820: The Dhcpv6 Lease Screen

    Chapter 42 Object The following table describes the labels in this screen. Table 341 Configuration > DHCPv6 > Request > Add LABEL DESCRIPTION Name Type the name for this request object. You may use 1-31 alphanumeric characters, underscores( ), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  • Page 821 Chapter 42 Object Figure 569 Configuration > DHCPv6 > Lease > Add The following table describes the labels in this screen. Table 343 Configuration > DHCPv6 > Lease > Add/Edit LABEL DESCRIPTION Name Type the name for this lease object. You may use 1-31 alphanumeric characters, underscores( ), or dashes (-), but the first character cannot be a number.
  • Page 822: Chapter 43 System

    HAPTER System 43.1 Overview Use the system screens to configure general ZyWALL/USG settings. 43.1.1 What You Can Do in this Chapter • Use the System > Host Name screen (see Section 43.2 on page 823) to configure a unique name for the ZyWALL/USG in your network. •...
  • Page 823: Host Name

    Chapter 43 System • Use the System > IPv6 screen (see Section 43.15 on page 873) to enable or disable IPv6 support on the ZyWALL/USG. • Use the System > ZON screen (see Section 43.16 on page 874) to enable or disable the Zyxel One Network (ZON) utility that uses Zyxel Discovery Protocol (ZDP) for discovering and configuring ZDP-aware Zyxel devices in the same network as the computer on which ZON is installed.
  • Page 824: Date And Time

    Chapter 43 System Figure 571 Configuration > System > USB Storage The following table describes the labels in this screen. Table 345 Configuration > System > USB Storage LABEL DESCRIPTION Activate USB Select this if you want to use the connected USB device(s). storage service Disk full warning Set a number and select a unit (MB or %) to have the ZyWALL/USG send a warning...
  • Page 825 Chapter 43 System Figure 572 Configuration > System > Date and Time The following table describes the labels in this screen. Table 346 Configuration > System > Date and Time LABEL DESCRIPTION Current Time and Date Current Time This field displays the present time of your ZyWALL/USG. Current Date This field displays the present date of your ZyWALL/USG.
  • Page 826 Chapter 43 System Table 346 Configuration > System > Date and Time (continued) LABEL DESCRIPTION Get from Time Select this radio button to have the ZyWALL/USG get the time and date from the time Server server you specify below. The ZyWALL/USG requests time and date settings from the time server under the following circumstances.
  • Page 827: Pre-Defined Ntp Time Servers List

    Chapter 43 System Table 346 Configuration > System > Date and Time (continued) LABEL DESCRIPTION Offset Specify how much the clock changes when daylight saving begins and ends. Enter a number from 1 to 5.5 (by 0.5 increments). For example, if you set this field to 3.5, a log occurred at 6 P.M. in local official time will appear as if it had occurred at 10:30 P.M.
  • Page 828: Console Port Speed

    Chapter 43 System Click System > Date/Time. Select Manual under Time and Date Setup. Enter the ZyWALL/USG’s time in the New Time field. Enter the ZyWALL/USG’s date in the New Date field. Under Time Zone Setup, select your Time Zone from the list. As an option you can select the Enable Daylight Saving check box to adjust the ZyWALL/USG clock for daylight savings.
  • Page 829: Dns Overview

    Chapter 43 System The following table describes the labels in this screen. Table 348 Configuration > System > Console Speed LABEL DESCRIPTION Console Port Speed Use the drop-down list box to change the speed of the console port. Your ZyWALL/USG supports 9600, 19200, 38400, 57600, and 115200 bps (default) for the console port.
  • Page 830 Chapter 43 System An open DNS server is a DNS server which is willing to resolve recursive DNS queries from anyone on the Internet. In a DNS amplification attack, an attacker sends a DNS name lookup request to an open DNS server with the source address spoofed as the victim’s address.
  • Page 831 Chapter 43 System The following table describes the labels in this screen. Table 349 Configuration > System > DNS LABEL DESCRIPTION Address/PTR This record specifies the mapping of a Fully-Qualified Domain Name (FQDN) to an IP Record address. An FQDN consists of a host and domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www”...
  • Page 832 Chapter 43 System Table 349 Configuration > System > DNS (continued) LABEL DESCRIPTION Domain Zone A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. A “*”...
  • Page 833: Ipv6) Address Record

    Chapter 43 System Table 349 Configuration > System > DNS (continued) LABEL DESCRIPTION This the index number of the service control rule. The ordering of your rules is important as rules are applied in sequence. The entry with a hyphen (-) instead of a number is the ZyWALL/USG’s (non-configurable) default policy.
  • Page 834: Cname Record

    Chapter 43 System The following table describes the labels in this screen. Table 350 Configuration > System > DNS > (IPv6) Address/PTR Record Edit LABEL DESCRIPTION FQDN Type a Fully-Qualified Domain Name (FQDN) of a server. An FQDN starts with a host name and continues all the way up to the top-level domain name.
  • Page 835: Domain Zone Forwarder

    Chapter 43 System The following table describes the labels in this screen. Table 351 Configuration > System > DNS > CNAME Record > Add LABEL DESCRIPTION Alias name Enter an Alias Name. Use "*." as a prefix in the Alias name for a wildcard domain name (for example, *.example.com).
  • Page 836: Mx Record

    Chapter 43 System The following table describes the labels in this screen. Table 352 Configuration > System > DNS > Domain Zone Forwarder Add LABEL DESCRIPTION Domain Zone A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.
  • Page 837: Security Option Control

    Chapter 43 System The following table describes the labels in this screen. Table 353 Configuration > System > DNS > MX Record Add LABEL DESCRIPTION Domain Name Enter the domain name where the mail is destined for. IP Address/FQDN Enter the IP address or Fully-Qualified Domain Name (FQDN) of a mail server that handles the mail for the domain specified in the field above.
  • Page 838: Adding A Dns Service Control Rule

    Chapter 43 System The following table describes the labels in this screen. Table 354 Configuration > System > DNS > Security Option Control Edit (Customize) LABEL DESCRIPTION Name You may change the name for the customized security option control policy. The customized security option control policy is checked first and if an address object match is not found, the Default control policy is checked Query Recursion...
  • Page 839: Www Overview

    Chapter 43 System Table 355 Configuration > System > DNS > Service Control Rule Add (continued) LABEL DESCRIPTION Action Select Accept to have the ZyWALL/USG allow the DNS queries from the specified computer. Select Deny to have the ZyWALL/USG reject the DNS queries from the specified computer. Click OK to save your customized settings and exit this screen.
  • Page 840: Https

    Chapter 43 System 43.7.3 HTTPS You can set the ZyWALL/USG to use HTTP or HTTPS (HTTPS adds security) for Web Configurator sessions. Specify which zones allow Web Configurator access and from which IP address the access can come. HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web protocol that encrypts and decrypts web pages.
  • Page 841: Configuring Www Service Control

    Chapter 43 System 43.7.4 Configuring WWW Service Control Click Configuration > System > WWW to open the WWW screen. Use this screen to specify from which zones you can access the ZyWALL/USG using HTTP or HTTPS. You can also specify which IP addresses the access can come from.
  • Page 842 Chapter 43 System Table 356 Configuration > System > WWW > Service Control (continued) LABEL DESCRIPTION Server Port The HTTPS server listens on port 443 by default. If you change the HTTPS server port to a different number on the ZyWALL/USG, for example 8443, then you must notify people who need to access the ZyWALL/USG Web Configurator to use “https:// ZyWALL/USG IP Address:8443”...
  • Page 843 Chapter 43 System Table 356 Configuration > System > WWW > Service Control (continued) LABEL DESCRIPTION Admin/User Service Admin Service Control specifies from which zones an administrator can use HTTP to Control manage the ZyWALL/USG (using the Web Configurator). You can also specify the IP addresses from which the administrators can manage the ZyWALL/USG.
  • Page 844: Service Control Rules

    Chapter 43 System Table 356 Configuration > System > WWW > Service Control (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL/USG. Reset Click Reset to return the screen to its last-saved settings. 43.7.5 Service Control Rules Click Add or Edit in the Service Control table in a WWW, SSH, Telnet, FTP or SNMP screen to add a service control rule.
  • Page 845 Chapter 43 System Figure 585 Configuration > System > WWW > Login Page (Desktop View) ZyWALL/USG Series User’s Guide...
  • Page 846 Chapter 43 System Figure 586 Configuration > System > WWW > Login Page (Mobile View) The following figures identify the parts you can customize in the login and access pages. ZyWALL/USG Series User’s Guide...
  • Page 847 Chapter 43 System Figure 587 Login Page Customization Title Logo Message (color of all text) Background Note Message (last line of text) Figure 588 Access Page Customization Logo Title Message (color of all text) Note Message (last line of text) Window Background You can specify colors in one of the following ways:...
  • Page 848 Chapter 43 System • Enter a pound sign (#) followed by the six-digit hexadecimal number that represents the desired color. For example, use “#000000” for black. • Enter “rgb” followed by red, green, and blue values in parenthesis and separate by commas. For example, use “rgb(0,0,0)”...
  • Page 849: Https Example

    Chapter 43 System Table 358 Configuration > System > WWW > Login Page (continued) LABEL DESCRIPTION Background Set how the window’s background looks. To use a graphic, select Picture and upload a graphic. Specify the location and file name of the logo graphic or click Browse to locate it.
  • Page 850 Chapter 43 System Figure 590 Security Certificate 1 (Firefox) Figure 591 Security Certificate 2 (Firefox) 43.7.7.3 Avoiding Browser Warning Messages Here are the main reasons your browser displays warnings about the ZyWALL/USG’s HTTPS server certificate and what you can do to avoid seeing the warnings: •...
  • Page 851 Chapter 43 System Figure 592 Login Screen (Internet Explorer) 43.7.7.5 Enrolling and Importing SSL Client Certificates The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL/ USG. You must have imported at least one trusted CA to the ZyWALL/USG in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details).
  • Page 852 Chapter 43 System Figure 594 CA Certificate Example Click Install Certificate and follow the wizard as shown earlier in this appendix. 43.7.7.5.2 Installing Your Personal Certificate(s) You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment.
  • Page 853 Chapter 43 System Figure 595 Personal Certificate Import Wizard 1 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 596 Personal Certificate Import Wizard 2 Enter the password given to you by the CA.
  • Page 854 Chapter 43 System Figure 597 Personal Certificate Import Wizard 3 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location. Figure 598 Personal Certificate Import Wizard 4 Click Finish to complete the wizard and begin the import process.
  • Page 855 Chapter 43 System Figure 599 Personal Certificate Import Wizard 5 You should see the following screen when the certificate is correctly installed on your computer. Figure 600 Personal Certificate Import Wizard 6 43.7.7.6 Using a Certificate When Accessing the ZyWALL/USG Example Use the following procedure to access the ZyWALL/USG via HTTPS.
  • Page 856: Ssh

    Chapter 43 System Figure 602 SSL Client Authentication You next see the Web Configurator login screen. Figure 603 Secure Web Configurator Login Screen 43.8 SSH You can use SSH (Secure SHell) to securely access the ZyWALL/USG’s command line interface. Specify which zones allow SSH access and from which IP address the access can come. SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network.
  • Page 857: How Ssh Works

    Chapter 43 System Figure 604 SSH Communication Over the WAN Example 43.8.1 How SSH Works The following figure is an example of how a secure connection is established between two remote hosts using SSH v1. Figure 605 How SSH v1 Works Example Host Identification The SSH client sends a connection request to the SSH server.
  • Page 858: Ssh Implementation On The Zywall/Usg

    Chapter 43 System 43.8.2 SSH Implementation on the ZyWALL/USG Your ZyWALL/USG supports SSH versions 1 and 2 using RSA authentication and four encryption methods (AES, 3DES, Archfour, and Blowfish). The SSH server is implemented on the ZyWALL/USG for management using port 22 (by default). 43.8.3 Requirements for Using SSH You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the ZyWALL/USG over SSH.
  • Page 859: Secure Telnet Using Ssh Examples

    Chapter 43 System Table 359 Configuration > System > SSH (continued) LABEL DESCRIPTION Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Refer to Table 357 on page 844 for details on the screen that opens.
  • Page 860: Telnet

    Chapter 43 System 43.8.5.2 Example 2: Linux This section describes how to access the ZyWALL/USG using the OpenSSH client program that comes with most Linux distributions. Test whether the SSH service is available on the ZyWALL/USG. Enter “telnet 192.168.1.1 22” at a terminal prompt and press [ENTER]. The computer attempts to connect to port 22 on the ZyWALL/USG (using the default IP address of 192.168.1.1).
  • Page 861 Chapter 43 System Figure 610 Configuration > System > TELNET The following table describes the labels in this screen. Table 360 Configuration > System > TELNET LABEL DESCRIPTION Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL/USG CLI using this service.
  • Page 862: Ftp

    Chapter 43 System 43.10 FTP You can upload and download the ZyWALL/USG’s firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. 43.10.1 Configuring FTP To change your ZyWALL/USG’s FTP settings, click Configuration > System > FTP tab. The screen appears as shown.
  • Page 863: Snmp

    Chapter 43 System Table 361 Configuration > System > FTP (continued) LABEL DESCRIPTION Remove To remove an entry, select it and click Remove. The ZyWALL/USG confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
  • Page 864: Snmpv3 And Security

    Chapter 43 System Figure 612 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL/USG). An agent translates the local management information from the managed device into a form compatible with SNMP.
  • Page 865: Supported Mibs

    Chapter 43 System Security can be further enhanced by encrypting the SNMP messages sent from the managers. Encryption protects the contents of the SNMP messages. When the contents of the SNMP messages are encrypted, only the intended recipients can read them. 43.11.2 Supported MIBs The ZyWALL/USG supports MIB II that is defined in RFC-1213 and RFC-1215.
  • Page 866 Chapter 43 System Figure 613 Configuration > System > SNMP The following table describes the labels in this screen. Table 363 Configuration > System > SNMP LABEL DESCRIPTION Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL/USG using this service.
  • Page 867 Chapter 43 System Table 363 Configuration > System > SNMP (continued) LABEL DESCRIPTION Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove.
  • Page 868: Add Snmpv3 User

    Chapter 43 System 43.11.5 Add SNMPv3 User Click Add under SNMPv3 in Configuration > System > SNMP to create an SNMPv3 user for authentication with managers using SNMP v3. Use the username and password of the login accounts you specify in this screen to create accounts on the SNMP v3 manager. Figure 614 Configuration >...
  • Page 869 Chapter 43 System Figure 615 Configuration > System > Auth. Server The following table describes the labels in this screen. Table 365 Configuration > System > Auth. Server LABEL DESCRIPTION Enable Select the check box to have the ZyWALL/USG act as a RADIUS server. Authentication Server Authentication...
  • Page 870: Add/Edit Trusted Radius Client

    Chapter 43 System 43.12.1 Add/Edit Trusted RADIUS Client Click Configuration > System > Auth. Server to display the Auth. Server screen. Click the Add icon or an Edit icon to display the following screen. Use this screen to create a new entry or edit an existing one.
  • Page 871 Chapter 43 System Figure 617 CloudCNM Example Network Topology CloudCNM features include: • Batch import of managed devices at one time using one CSV file • See an overview of all managed devices and system information in one place • Monitor and manage devices •...
  • Page 872 Chapter 43 System You must configure Configuration > System > CloudCNM to allow the ZyWALL/USG to find the CloudCNM server. Figure 618 Configuration > System > CloudCNM The following table describes the labels in this screen. Table 367 Configuration > System > CloudCNM LABEL DESCRIPTION Show Advanced...
  • Page 873: Language Screen

    Chapter 43 System 43.14 Language Screen Click Configuration > System > Language to open the following screen. Use this screen to select a display language for the ZyWALL/USG’s Web Configurator screens. Figure 619 Configuration > System > Language The following table describes the labels in this screen. Table 368 Configuration >...
  • Page 874: Zyxel One Network (Zon) Utility

    Chapter 43 System 43.16 Zyxel One Network (ZON) Utility The Zyxel One Network (ZON) utility uses the Zyxel Discovery Protocol (ZDP) for discovering and configuring ZDP-aware Zyxel devices in the same broadcast domain as the computer on which ZON is installed. The ZON Utility issues requests via ZDP and in response to the query, the Zyxel device responds with basic information including IP address, firmware version, location, system and model name.
  • Page 875: Zyxel One Network (Zon) System Screen

    Chapter 43 System The following table describes the fields in the ZON Utility main screen. Table 371 ZON Utility Fields LABEL DESCRIPTION Type This field displays an icon of the kind of device discovered. Model This field displays the model name of the discovered device. Firmware Version This field displays the firmware version of the discovered device.
  • Page 876 Chapter 43 System Table 372 Configuration > System > ZON LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL/USG. Reset Click Reset to return the screen to its last-saved settings. ZyWALL/USG Series User’s Guide...
  • Page 877: Chapter 44 Log And Report

    HAPTER Log and Report 44.1 Overview Use these screens to configure daily reporting and log settings. 44.1.1 What You Can Do In this Chapter • Use the Email Daily Report screen (Section 44.2 on page 877) to configure where and how to send daily reports and what reports to send.
  • Page 878 Chapter 44 Log and Report Figure 623 Configuration > Log & Report > Email Daily Report ZyWALL/USG Series User’s Guide...
  • Page 879: Log Setting Screens

    Chapter 44 Log and Report The following table describes the labels in this screen. Table 373 Configuration > Log & Report > Email Daily Report LABEL DESCRIPTION Enable Email Select this to send reports by e-mail every day. Daily Report Mail Server Type the name or IP address of the outgoing SMTP server.
  • Page 880: Log Setting Summary

    Chapter 44 Log and Report to the specific destinations. You can also have the ZyWALL/USG store system logs on a connected USB storage device. The other four logs are stored on specified syslog servers. The Log Setting screens control what information the ZyWALL/USG saves in each log. You can also specify which log messages to e-mail for the system log, and where and how often to e-mail them.
  • Page 881: Edit System Log Settings

    Chapter 44 Log and Report Table 374 Configuration > Log & Report > Log Setting (continued) LABEL DESCRIPTION Log Format This field displays the format of the log. Internal - system log; you can view the log on the View Log tab. VRPT/Syslog - Zyxel’s Vantage Report, syslog-compatible format.
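    The log format list on this page is truncated above; the manual's index also lists CEF (Common Event Format) for page 881. What a practitioner wants from the remote-server log setting is to parse what arrives at the syslog server and run a detection over it. The following is an added example, not Zyxel's code: it parses syslog lines carrying CEF records (the published CEF header layout and escaping rules) and counts failed logins per source. The sample lines, signature IDs, event names and extension keys are constructed for the example and do not reproduce the device's real message catalogue.

```python
"""Parse ZyWALL/USG syslog lines in CEF (Common Event Format) and run a simple
detection over them. Added example, not Zyxel's code. The CEF header layout
(CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension) and
its escaping rules are the published format; the sample lines, signature IDs,
event names and extension keys below are constructed and are not real output."""
import re
from collections import Counter

# Constructed sample syslog lines (not real device output).
SAMPLE_LINES = [
    "<134>Aug  1 10:00:01 usg40 CEF:0|ZyXEL|USG40|4.20|1001|Login failed|5|src=10.0.0.5 suser=admin msg=bad password for user\\=admin",
    "<134>Aug  1 10:00:03 usg40 CEF:0|ZyXEL|USG40|4.20|1001|Login failed|5|src=10.0.0.5 suser=admin msg=bad password",
    "<134>Aug  1 10:00:04 usg40 CEF:0|ZyXEL|USG40|4.20|1001|Login failed|5|src=10.0.0.5 suser=root msg=no such user",
    "<134>Aug  1 10:00:06 usg40 CEF:0|ZyXEL|USG40|4.20|1001|Login failed|5|src=10.0.0.5 suser=admin msg=bad password",
    "<134>Aug  1 10:00:07 usg40 CEF:0|ZyXEL|USG40|4.20|1001|Login failed|5|src=10.0.0.9 suser=admin msg=bad password",
    "<134>Aug  1 10:00:09 usg40 CEF:0|ZyXEL|USG40|4.20|1002|Login succeeded|3|src=10.0.0.9 suser=admin",
]

HEADER_KEYS = ("cef_version", "device_vendor", "device_product",
               "device_version", "signature_id", "name", "severity")
# an extension key is a token preceded by whitespace (or start) and followed by '='
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _split_header(text):
    """Split the seven '|'-delimited header fields, honouring '\\|' and '\\\\'."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])        # escaped pipe or backslash
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, text[i:]


def _parse_extension(ext):
    """Extension is 'key=value' pairs; values may contain spaces and '\\='."""
    matches = list(_KEY_RE.finditer(ext))
    out = {}
    for idx, m in enumerate(matches):
        start = m.end()
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        value = ext[start:end].strip()
        value = (value.replace("\\=", "=").replace("\\n", "\n")
                      .replace("\\r", "\r").replace("\\\\", "\\"))
        out[m.group(1)] = value
    return out


def parse_cef(line):
    """Return a dict for one syslog line carrying a CEF record (syslog prefix ignored)."""
    pos = line.find("CEF:")
    if pos < 0:
        raise ValueError("no CEF record in line")
    fields, ext = _split_header(line[pos:])
    event = dict(zip(HEADER_KEYS, fields))
    event["cef_version"] = event["cef_version"][len("CEF:"):]
    sev = event["severity"]
    event["severity"] = int(sev) if sev.isdigit() else sev   # CEF allows 0-10 or words
    event["extension"] = _parse_extension(ext)
    return event


def failed_login_sources(lines, threshold=3):
    """Sources with at least `threshold` 'Login failed' events (constructed event name)."""
    counts = Counter()
    for line in lines:
        ev = parse_cef(line)
        if ev["name"] == "Login failed":
            counts[ev["extension"].get("src", "?")] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in failed_login_sources(SAMPLE_LINES).items():
        print(f"{src}: {n} failed logins")
```

    The header splitter walks the string character by character rather than calling split("|"), because a signature name or product field may contain an escaped pipe; the extension parser locates keys by position so that values with embedded spaces survive intact.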
  • Page 882 Chapter 44 Log and Report Figure 625 Configuration > Log & Report > Log Setting > Edit (System Log - E-mail Servers)
  • Page 883 Chapter 44 Log and Report Figure 626 Configuration > Log & Report > Log Setting > Edit (System Log - AC)
  • Page 884 Chapter 44 Log and Report Figure 627 Configuration > Log & Report > Log Setting > Edit (System Log - AP) The following table describes the labels in this screen. Table 375 Configuration > Log & Report > Log Setting > Edit (System Log) LABEL DESCRIPTION E-Mail Server 1/2...
  • Page 885 Chapter 44 Log and Report Table 375 Configuration > Log & Report > Log Setting > Edit (System Log) (continued) LABEL DESCRIPTION SMTP Authentication Select this check box if it is necessary to provide a user name and password to the SMTP server.
  • Page 886: Edit Log On Usb Storage Setting

    Chapter 44 Log and Report Table 375 Configuration > Log & Report > Log Setting > Edit (System Log) (continued) LABEL DESCRIPTION E-mail Server 1 Select whether each category of events should be included in the log messages when it is e-mailed (green check mark) and/or in alerts (red exclamation point) for the e-mail settings specified in E-Mail Server 1.
  • Page 887 Chapter 44 Log and Report Figure 628 Configuration > Log & Report > Log Setting > Edit (USB Storage)
  • Page 888: Edit Remote Server Log Settings

    Chapter 44 Log and Report The following table describes the labels in this screen. Table 376 Configuration > Log & Report > Log Setting > Edit (USB Storage) LABEL DESCRIPTION Duplicate logs to USB storage (if ...) Select this to have the ZyWALL/USG save a copy of its system logs to a connected USB storage device.
  • Page 889 Chapter 44 Log and Report Figure 629 Configuration > Log & Report > Log Setting > Edit (Remote Server - AC)
  • Page 890 Chapter 44 Log and Report Configuration > Log & Report > Log Setting > Edit (Remote Server - AP) The following table describes the labels in this screen. Table 377 Configuration > Log & Report > Log Setting > Edit (Remote Server) LABEL DESCRIPTION Log Settings for...
  • Page 891: Log Category Settings Screen

    Chapter 44 Log and Report Table 377 Configuration > Log & Report > Log Setting > Edit (Remote Server) (continued) LABEL DESCRIPTION # This field is a sequential value, and it is not associated with a specific address. Category This field displays each category of messages. It is the same value used in the Display and Category fields in the View Log tab.
  • Page 892 Chapter 44 Log and Report Figure 630 Log Category Settings AC
  • Page 893 Chapter 44 Log and Report Figure 631 Log Category Settings AP This screen provides a different view and a different way of indicating which messages are included in each log and each alert. Please see Section 44.3.2 on page 881, where this process is discussed. (The Default category includes debugging messages generated by open source software.)
  • Page 894 Chapter 44 Log and Report The following table describes the fields in this screen. Table 378 Configuration > Log & Report > Log Setting > Log Category Settings LABEL DESCRIPTION System Log Use the System Log drop-down list to change the log settings for all of the log categories. disable all logs (red X) - do not log any information for any category for the system log or e-mail any logs to e-mail server 1 or 2.
  • Page 895 Chapter 44 Log and Report Table 378 Configuration > Log & Report > Log Setting > Log Category Settings (continued) LABEL DESCRIPTION System Log Select which events you want to log by Log Category. There are three choices: disable all logs (red X) - do not log any information from this category enable normal logs (green check mark) - create log messages and alerts from this category enable normal logs and debug logs (yellow check mark) - create log messages, alerts,...
  • Page 896: File Manager

    Chapter 45 File Manager 45.1 Overview Configuration files define the ZyWALL/USG’s settings. Shell scripts are files of commands that you can store on the ZyWALL/USG and run when you need them. You can apply a configuration file or run a shell script without the ZyWALL/USG restarting. You can store multiple configuration files and shell script files on the ZyWALL/USG.
  • Page 897: Comments In Configuration Files Or Shell Scripts

    Chapter 45 File Manager These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below. Figure 632 Configuration File / Shell Script: Example
    # enter configuration mode
    configure terminal
    # change administrator password
    username admin password 4321 user-type admin
    # configure ge3...
  • Page 898: The Configuration File Screen

    Chapter 45 File Manager Line 3 in the following example exits sub command mode.
    interface ge1
    ip address dhcp
    exit
    Lines 1 and 3 in the following example are comments and line 4 exits sub command mode.
    interface ge1
    # this interface is a DHCP client
    Lines 1 and 2 are comments.
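    A configuration file or shell script carries the administrator password in cleartext (the example above sets it with username admin password ... user-type admin), so anything that stores, copies or reviews these files handles a secret. The following is an added example, not Zyxel's code: it parses a script in the syntax the manual shows (lines starting with # are comments, configure terminal enters configuration mode, interface <name> enters a sub command mode that exit leaves), flags every cleartext credential and any password shorter than a chosen minimum, and produces a redacted copy safe to keep in a ticket or repository. The sample script, the audit account and the 8-character minimum are constructed for the example.

```python
"""Static review of a ZyWALL/USG-style configuration file or .zysh shell script.

Added example, not Zyxel's code. It assumes only the syntax the manual shows:
'#' starts a comment, 'configure terminal' enters configuration mode,
'interface <name>' enters a sub command mode and 'exit' leaves it, and
'username <name> password <pw> user-type <type>' sets an account.
The sample script below is constructed for this example."""
import re
from dataclasses import dataclass

# Constructed sample in the manual's format (not a real device export).
SAMPLE_SCRIPT = """\
# enter configuration mode
configure terminal
# change administrator password
username admin password 4321 user-type admin
# configure ge3
interface ge3
  # this interface is a DHCP client
  ip address dhcp
exit
username audit password Str0ngerPassphrase! user-type user
"""

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+password\s+(\S+)\s+user-type\s+(\S+)")
# match 'password <value>' on the same line only; '[ \t]' keeps a trailing
# 'password' in a comment from swallowing the next line
PASSWORD_RE = re.compile(r"(\bpassword[ \t]+)\S+")


@dataclass
class Command:
    line_no: int
    text: str
    context: tuple      # enclosing sub command modes, outermost first


@dataclass
class Finding:
    line_no: int
    user: str
    reason: str


def parse_script(script):
    """Return the non-comment commands with the sub command mode each runs in."""
    commands, stack = [], []
    for n, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "exit":              # leave the innermost sub command mode
            if stack:
                stack.pop()
            continue
        commands.append(Command(n, line, tuple(stack)))
        if line.startswith("interface "):
            stack.append(line)
    return commands


def review_credentials(commands, min_len=8):
    """Flag every account line: the password is cleartext, and may be too short."""
    findings = []
    for cmd in commands:
        m = USERNAME_RE.match(cmd.text)
        if not m:
            continue
        user, password, _user_type = m.groups()
        findings.append(Finding(cmd.line_no, user, "cleartext password in script"))
        if len(password) < min_len:
            findings.append(Finding(cmd.line_no, user,
                                    f"password shorter than {min_len} characters"))
    return findings


def redact(script):
    """Return a copy with every password value replaced by *** for safe storage."""
    return PASSWORD_RE.sub(r"\1***", script)


if __name__ == "__main__":
    for f in review_credentials(parse_script(SAMPLE_SCRIPT)):
        print(f"line {f.line_no}: {f.user}: {f.reason}")
    print(redact(SAMPLE_SCRIPT))
```

    Run the review over a downloaded startup-config.conf before it leaves the device, and keep only the redacted copy anywhere that is not itself a secret store.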
  • Page 899 Chapter 45 File Manager Configuration File Flow at Restart • If there is not a startup-config.conf when you restart the ZyWALL/USG (whether through a management interface or by physically turning the power off and back on), the ZyWALL/USG uses the system-default.conf configuration file with the ZyWALL/USG’s default settings. •...
  • Page 900 Chapter 45 File Manager The following table describes the labels in this screen. Table 380 Maintenance > File Manager > Configuration File LABEL DESCRIPTION Rename Use this button to change the label of a configuration file on the ZyWALL/USG. You can only rename manually saved configuration files.
  • Page 901 Chapter 45 File Manager Table 380 Maintenance > File Manager > Configuration File (continued) LABEL DESCRIPTION Apply Use this button to have the ZyWALL/USG use a specific configuration file. Click a configuration file’s row to select it and click Apply to have the ZyWALL/USG use that configuration file.
  • Page 902: Firmware Management

    Chapter 45 File Manager Table 380 Maintenance > File Manager > Configuration File (continued) LABEL DESCRIPTION File Name This column displays the label that identifies a configuration file. You cannot delete the following configuration files or change their file names. The system-default.conf file contains the ZyWALL/USG’s default settings.
  • Page 903: Cloud Helper

    Chapter 45 File Manager firmware package. See Section 38.2.1 on page 672 for more on the anti-virus Destroy compressed files that could not be decompressed option. The firmware update can take up to five minutes. Do not turn off or reset the ZyWALL/USG while the firmware update is in progress! 45.3.1 Cloud Helper Cloud Helper lets you know if there is a later firmware available on the Cloud Helper server and lets...
  • Page 904 Chapter 45 File Manager The following table explains the Upgrade icons. Table 381 Cloud Helper Firmware Icons Cloud Helper New A later firmware is available on the Cloud Helper Server. Click this icon to display a What’s New pop-up screen. You need a Firmware Upgrade license to upgrade the firmware.
  • Page 905: The Firmware Management Screen

    Chapter 45 File Manager 45.3.2 The Firmware Management Screen Click Maintenance > File Manager > Firmware Management to open the Firmware Management screen. Figure 637 Maintenance > File Manager > Firmware Management The following table describes the labels in this screen. Table 382 Maintenance >...
  • Page 906 Chapter 45 File Manager Table 382 Maintenance > File Manager > Firmware Management (continued) LABEL DESCRIPTION Version This is the firmware version and the date created. Released Date This is the date that the version of the firmware was created. Upgrade A cloud helper icon displays if there is a later firmware on the Cloud Server than the firmware in the partition.
  • Page 907: The Shell Script Screen

    Chapter 45 File Manager 45.4 The Shell Script Screen Use shell script files to have the ZyWALL/USG use commands that you specify. Use a text editor to create the shell script files. They must use a “.zysh” filename extension. Click Maintenance > File Manager > Shell Script to open the Shell Script screen. Use the Shell Script screen to store, name, download, upload and run shell script files.
  • Page 908 Chapter 45 File Manager Table 383 Maintenance > File Manager > Shell Script (continued) LABEL DESCRIPTION Download Click a shell script file’s row to select it and click Download to save the configuration to your computer. Copy Use this button to save a duplicate of a shell script file on the ZyWALL/USG. Click a shell script file’s row to select it and click Copy to open the Copy File screen.
  • Page 909: Diagnostics

    Chapter 46 Diagnostics 46.1 Overview Use the diagnostics screens for troubleshooting. 46.1.1 What You Can Do in this Chapter • Use the Diagnostics screen (see Section 46.2 on page 909) to generate a file containing the ZyWALL/USG’s configuration and diagnostic information if you need to provide it to customer support during troubleshooting.
  • Page 910: The Diagnostics Files Screen

    Chapter 46 Diagnostics The following table describes the labels in this screen. Table 384 Maintenance > Diagnostics LABEL DESCRIPTION Filename This is the name of the most recently created diagnostic file. Last modified This is the date and time that the last diagnostic file was created. The format is yyyy-mm-dd hh:mm:ss.
  • Page 911: The Packet Capture Screen

    Chapter 46 Diagnostics Table 385 Maintenance > Diagnostics > Files (continued) LABEL DESCRIPTION Size This column displays the size (in bytes) of a file. Last Modified This column displays the date and time that the individual files were saved. 46.3 The Packet Capture Screen Use this screen to capture network traffic going through the ZyWALL/USG’s interfaces.
  • Page 912 Chapter 46 Diagnostics The following table describes the labels in this screen. Table 386 Maintenance > Diagnostics > Packet Capture LABEL DESCRIPTION Interfaces Enabled interfaces (except for virtual interfaces) appear under Available Interfaces. Select interfaces for which to capture packets and click the right arrow button to move them to the Capture Interfaces list.
  • Page 913: The Packet Capture Files Screen

    Chapter 46 Diagnostics Table 386 Maintenance > Diagnostics > Packet Capture (continued) LABEL DESCRIPTION Duration Set a time limit in seconds for the capture. The ZyWALL/USG stops the capture and generates the capture file when either this period of time has passed or the file reaches the size specified in the File Size field.
  • Page 914: The System Log Screen

    Chapter 46 Diagnostics Figure 647 Maintenance > Diagnostics > Packet Capture > Files The following table describes the labels in this screen. Table 387 Maintenance > Diagnostics > Packet Capture > Files LABEL DESCRIPTION Remove Select files and click Remove to delete them from the ZyWALL/USG or the connected USB storage device.
  • Page 915: The Network Tool Screen

    Chapter 46 Diagnostics The following table describes the labels in this screen. Table 388 Maintenance > Diagnostics > System Log LABEL DESCRIPTION Remove Select files and click Remove to delete them from the ZyWALL/USG. Use the [Shift] and/ or [Ctrl] key to select multiple files. A pop-up window asks you to confirm that you want to delete.
  • Page 916: The Wireless Frame Capture Screen

    Chapter 46 Diagnostics The following table describes the labels in this screen. Table 389 Maintenance > Diagnostics > Network Tool LABEL DESCRIPTION Network Tool Select PING IPv4 to ping the IP address that you entered. Select TRACEROUTE IPv4 to perform the traceroute function. This determines the path a packet takes to the specified computer.
  • Page 917 Chapter 46 Diagnostics The following table describes the labels in this screen. Table 390 Maintenance > Diagnostics > Wireless Frame Capture > Capture LABEL DESCRIPTION MON Mode APs Configure AP to MON Mode Click this to go to the Configuration > Wireless > AP Management screen, where you can set one or more APs to monitor mode.
  • Page 918: The Wireless Frame Capture Files Screen

    Chapter 46 Diagnostics 46.6.1 The Wireless Frame Capture Files Screen Click Maintenance > Diagnostics > Wireless Frame Capture > Files to open this screen. This screen lists the files of wireless frame captures the ZyWALL/USG has performed. You can download the files to your computer where you can study them using a packet analyzer (also known as a network or protocol analyzer) such as Wireshark.
  • Page 919: Chapter 47 Packet Flow Explore

    Chapter 47 Packet Flow Explore 47.1 Overview Use this to get a clear picture on how the ZyWALL/USG determines where to forward a packet and how to change the source IP address of the packet according to your current settings. This function provides you a summary of all your routing and SNAT settings and helps troubleshoot any related problems.
  • Page 920 Chapter 47 Packet Flow Explore Figure 652 Maintenance > Packet Flow Explore > Routing Status (Direct Route) Figure 653 Maintenance > Packet Flow Explore > Dynamic VPN Figure 654 Maintenance > Packet Flow Explore > Routing Status (Policy Route)
  • Page 921 Chapter 47 Packet Flow Explore Figure 655 Maintenance > Packet Flow Explore > Routing Status (1-1 SNAT) Figure 656 Maintenance > Packet Flow Explore > Routing Status (SiteToSite VPN) Figure 657 Maintenance > Packet Flow Explore > Routing Status (Dynamic VPN)
  • Page 922 Chapter 47 Packet Flow Explore Figure 658 Maintenance > Packet Flow Explore > Routing Status (Static-Dynamic Route) Figure 659 Maintenance > Packet Flow Explore > Routing Status (Default WAN Trunk) Figure 660 Maintenance > Packet Flow Explore > Routing Status (Main Route)
  • Page 923 Chapter 47 Packet Flow Explore The following table describes the labels in this screen. Table 392 Maintenance > Packet Flow Explore > Routing Status LABEL DESCRIPTION Routing Flow This section shows you the flow of how the ZyWALL/USG determines where to route a packet.
  • Page 924: The Snat Status Screen

    Chapter 47 Packet Flow Explore Table 392 Maintenance > Packet Flow Explore > Routing Status (continued) LABEL DESCRIPTION Outgoing This is the name of an interface which transmits packets out of the ZyWALL/USG. Gateway This is the IP address of the gateway in the same network of the outgoing interface. The following fields are available if you click Dynamic VPN or SiteToSite VPN in the Routing Flow section.
  • Page 925 Chapter 47 Packet Flow Explore Figure 662 Maintenance > Packet Flow Explore > SNAT Status (1-1 SNAT) Figure 663 Maintenance > Packet Flow Explore > SNAT Status (Loopback SNAT) Figure 664 Maintenance > Packet Flow Explore > SNAT Status (Default SNAT) The following table describes the labels in this screen.
  • Page 926 Chapter 47 Packet Flow Explore Table 393 Maintenance > Packet Flow Explore > SNAT Status (continued) LABEL DESCRIPTION This field is a sequential value, and it is not associated with any entry. NAT Rule This is the name of an activated NAT rule which uses SNAT. Source This is the original source IP address(es).
  • Page 927: Chapter 48 Shutdown

    Chapter 48 Shutdown 48.1 Overview Use this to shutdown the device in preparation for disconnecting the power. Always use the Maintenance > Shutdown > Shutdown screen or the “shutdown” command before you turn off the ZyWALL/USG or remove the power. Not doing so can cause the firmware to become corrupt. 48.1.1 What You Need To Know Shutdown writes all cached data to the local storage and stops the system processes.
  • Page 928: Chapter 49 Troubleshooting

    Chapter 49 Troubleshooting This chapter offers some suggestions to solve problems you might encounter. • You can also refer to the logs (see Chapter 7 on page 226). • For the order in which the ZyWALL/USG applies its features and checks, see Chapter 47 on page 919.
  • Page 929 Chapter 49 Troubleshooting • Check the ZyWALL/USG’s connection to the Ethernet jack with Internet access. Make sure the Internet gateway device (such as a DSL modem) is working properly. • Check the WAN interface's status in the Dashboard. Use the installation setup wizard again and make sure that you enter the correct settings.
  • Page 930 Chapter 49 Troubleshooting The ZyWALL/USG checks the policy routes in the order that they are listed. So make sure that your custom policy route comes before any other routes that the traffic would also match. The ZyWALL/USG is not applying the custom security policy I configured. The ZyWALL/USG checks the security policies in the order that they are listed.
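    Both answers above come down to first-match evaluation: a custom policy route or security policy that sits below a broader rule matching the same traffic is never reached. The following is an added example, not Zyxel's code, that checks an ordered rule list for exactly that condition and simulates the device's lookup for a given packet. It reduces a rule to source network, destination network, destination port range and action; the real security policy also matches on zone, user and schedule, and the rule set below is constructed for the example.

```python
"""Find shadowed rules in a first-match, ordered policy list.

Added example, not Zyxel's code. The ZyWALL/USG evaluates policy routes and
security policies top-down and stops at the first match, so a rule whose
traffic is fully covered by an earlier rule is unreachable. Rules are reduced
to src/dst network, destination port range and action; the sample rule set is
constructed for this example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # IPv4 CIDR or "any"
    dst: str      # IPv4 CIDR or "any"
    dport: str    # "any", a single port "22", or a range "80-443"
    action: str   # "allow" or "deny"


# Constructed rule set in the order the device would evaluate it.
SAMPLE_RULES = [
    Rule("allow-lan-any", "192.168.1.0/24", "any", "any", "allow"),
    Rule("block-lan-ssh-to-dmz", "192.168.1.0/24", "10.10.0.0/24", "22", "deny"),
    Rule("block-guest", "192.168.50.0/24", "any", "any", "deny"),
    Rule("allow-guest-web", "192.168.50.0/24", "any", "80", "allow"),
    Rule("allow-dmz-web", "10.10.0.0/24", "any", "80-443", "allow"),
]


def _net(cidr):
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def _port_range(spec):
    if spec == "any":
        return (0, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))


def covers(earlier, later):
    """True when every packet matching `later` also matches `earlier`."""
    e_lo, e_hi = _port_range(earlier.dport)
    l_lo, l_hi = _port_range(later.dport)
    return (_net(later.src).subnet_of(_net(earlier.src))
            and _net(later.dst).subnet_of(_net(earlier.dst))
            and e_lo <= l_lo and l_hi <= e_hi)


def find_shadowed(rules):
    """Return (shadowed, shadowing, action_differs) for every unreachable rule.

    action_differs=True is the dangerous case: the rule you wrote to deny (or
    allow) something is silently overridden by an earlier rule.
    """
    report = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                report.append((later.name, earlier.name, earlier.action != later.action))
                break           # first-match semantics: the first coverer decides
    return report


def first_match(rules, src_ip, dst_ip, dport):
    """Simulate the device's lookup: the first matching rule decides, or None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        lo, hi = _port_range(r.dport)
        if s in _net(r.src) and d in _net(r.dst) and lo <= dport <= hi:
            return r
    return None


if __name__ == "__main__":
    for shadowed, by, conflict in find_shadowed(SAMPLE_RULES):
        flag = "CONFLICT" if conflict else "redundant"
        print(f"{shadowed} is never reached: shadowed by {by} ({flag})")
```

    The fix the troubleshooting text prescribes is to move the shadowed rule above the rule that covers it; rerun find_shadowed after reordering until it reports nothing with action_differs set.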
  • Page 931 Chapter 49 Troubleshooting The data rates through my cellular connection are no-where near the rates I expected. The actual cellular data rate you obtain varies depending on the cellular device you use, the signal strength to the service provider’s base station, and so on. I created a cellular interface but cannot connect through it.
  • Page 932 Chapter 49 Troubleshooting The ZyWALL/USG is not applying my application patrol bandwidth management settings. Bandwidth management in policy routes has priority over application patrol bandwidth management. The ZyWALL/USG’s performance slowed down after I configured many new application patrol entries. The ZyWALL/USG checks the ports and conditions configured in application patrol entries in the order they appear in the list.
  • Page 933 Chapter 49 Troubleshooting Depending on your network topology and traffic load, binding every packet direction to an IDP profile may affect the ZyWALL/USG’s performance. You may want to focus IDP scanning on certain traffic directions such as incoming traffic. IDP is dropping traffic that matches a rule that says no action should be taken. The ZyWALL/USG checks all signatures and continues searching even after a match is found.
  • Page 934 Chapter 49 Troubleshooting I cannot get Dynamic DNS to work. • You must have a public WAN IP address to use Dynamic DNS. • Make sure you recorded your DDNS account’s user name, password, and domain name and have entered them properly in the ZyWALL/USG. •...
  • Page 935 Chapter 49 Troubleshooting You can set the ZyWALL/USG’s security policy to permit the use of asymmetrical route topology on the network (so it does not reset the connection) although this is not recommended since allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL/USG.
  • Page 936 Chapter 49 Troubleshooting • Make sure regular security policies allow traffic between the VPN tunnel and the rest of the network. Regular security policies check packets the ZyWALL/USG sends before the ZyWALL/USG encrypts them and check packets the ZyWALL/USG receives after the ZyWALL/USG decrypts them.
  • Page 937 Chapter 49 Troubleshooting I changed the LAN IP address and can no longer access the Internet. The ZyWALL/USG automatically updates address objects based on an interface’s IP address, subnet, or gateway if the interface’s IP address settings change. However, you need to manually edit any address objects for your LAN that are not based on the interface.
  • Page 938 Chapter 49 Troubleshooting I cannot add the default admin account to a user group. You cannot put the default admin account into any user group. The schedule I configured is not being applied at the configured times. Make sure the ZyWALL/USG’s current date and time are correct. I cannot get a certificate to import into the ZyWALL/USG.
  • Page 939 Chapter 49 Troubleshooting I uploaded a logo to display on the upper left corner of the Web Configurator login screen and access page but it does not display properly. Make sure the logo file is a GIF, JPG, or PNG of 100 kilobytes or less. I uploaded a logo to use as the screen or window background but it does not display properly.
  • Page 940: Resetting The Zywall/Usg

    Chapter 49 Troubleshooting The Web Configurator is the recommended method for uploading firmware. You only need to use the command line interface if you need to recover the firmware. See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it. My packet capture captured less than I wanted or failed.
  • Page 941: Getting More Troubleshooting Help

    Chapter 49 Troubleshooting 49.2 Getting More Troubleshooting Help Search for support information for your model at www.zyxel.com for more troubleshooting suggestions.
  • Page 942: Customer Support

    • Brief description of the problem and the steps you took to solve it. Corporate Headquarters (Worldwide) Taiwan • Zyxel Communications Corporation • http://www.zyxel.com Asia China • Zyxel Communications (Shanghai) Corp. Zyxel Communications (Beijing) Corp. Zyxel Communications (Tianjin) Corp. • http://www.zyxel.cn India • Zyxel Technology India Pvt Ltd • http://www.zyxel.in Kazakhstan •...
  • Page 943: Appendix A Customer Support

    • Zyxel Singapore Pte Ltd. • http://www.zyxel.com.sg Taiwan • Zyxel Communications Corporation • http://www.zyxel.com Thailand • Zyxel Thailand Co., Ltd • http://www.zyxel.co.th Vietnam • Zyxel Communications Corporation-Vietnam Office • http://www.zyxel.com/vn/vi Europe Austria • Zyxel Deutschland GmbH • http://www.zyxel.de
  • Page 944 • Zyxel BY • http://www.zyxel.by Belgium • Zyxel Communications B.V. • http://www.zyxel.com/be/nl/ Bulgaria • Zyxel България • http://www.zyxel.com/bg/bg/ Czech • Zyxel Communications Czech s.r.o • http://www.zyxel.cz Denmark • Zyxel Communications A/S • http://www.zyxel.dk Estonia • Zyxel Estonia • http://www.zyxel.com/ee/et/ Finland •...
  • Page 945 • Zyxel Communications Poland • http://www.zyxel.pl Romania • Zyxel Romania • http://www.zyxel.com/ro/ro Russia • Zyxel Russia • http://www.zyxel.ru Slovakia • Zyxel Communications Czech s.r.o. organizacna zlozka • http://www.zyxel.sk Spain • Zyxel Spain • http://www.zyxel.es Sweden • Zyxel Communications • http://www.zyxel.se Switzerland •...
  • Page 946 Ecuador • Zyxel Communication Corporation • http://www.zyxel.com/ec/es/ Middle East Israel • Zyxel Communication Corporation • http://il.zyxel.com/homepage.shtml Middle East • Zyxel Communication Corporation • http://www.zyxel.com/me/en/ North America • Zyxel Communications, Inc. - North America Headquarters • http://www.us.zyxel.com/
  • Page 947 Appendix A Customer Support Oceania Australia • Zyxel Communications Corporation • http://www.zyxel.com/au/en/ Africa South Africa • Nology (Pty) Ltd. • http://www.zyxel.co.za
  • Page 948 The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved.
  • Page 949: Appendix B Legal Information

    Appendix B Legal Information CE EMC statement This is Class A Product. In domestic environment this product may cause radio interference in which case the user may be required to take adequate measures. List of National Codes COUNTRY ISO 3166 2 LETTER CODE COUNTRY ISO 3166 2 LETTER CODE Austria...
  • Page 950 Appendix B Legal Information Environment Statement European Union - Disposal and Recycling Information The symbol below means that according to local regulations your product and/or its battery shall be disposed of separately from domestic waste. If this product is end of life, take it to a recycling station designated by local authorities. At the time of disposal, the separate collection of your product and/or its battery will help save natural resources and ensure that the environment is sustainable development.
  • Page 951 Appendix B Legal Information Environmental Product Declaration
  • Page 952 Appendix B Legal Information Taiwan Warning to users: • This is a Class A information technology product. When used in a residential environment it may cause radio frequency interference, in which case the user may be required to take appropriate countermeasures. Safety warnings - for your safety, read the following warnings and instructions first: • Do not place this product near water or flame, or in a high-temperature environment. • Keep the device away from - any liquid - never let the device come into contact with water, rain, high humidity, sewage, corrosive liquids or other moisture. - dust and dirt - never expose it to dust, dirt, sand, food or other unsuitable materials. • Do not install, use or service this device during thunderstorms. There is a risk of electric shock. • Do not drop or strike the device, and do not use an incorrect power adapter. • Connecting an incorrect power adapter carries a risk of explosion. • Do not replace the battery inside the product yourself. • Replacing the battery with an incorrect type carries a risk of explosion; dispose of used batteries according to the manufacturer’s instructions. • Discard used batteries at an appropriate electrical or electronic equipment recycling point. • Do not disassemble the device. • Do not block the device’s ventilation openings; insufficient airflow will damage the device. •...
  • Page 953 You can download the latest firmware at www.zyxel.com. To obtain the source code covered under those Licenses, please contact support@zyxel.com.tw to get it. Regulatory Notice and Statement (Class B) Model List: USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W UNITED STATES of AMERICA The following information applies if you use the product within USA area.
  • Page 954 Appendix B Legal Information Industry Canada RSS-GEN & RSS-247 statement • This device complies with Industry Canada license-exempt RSS standard(s). Operation is subject to the following two conditions: (1) this device may not cause interference, and (2) this device must accept any interference, including interference that may cause undesired operation of the device.
  • Page 955 Appendix B Legal Information EUROPEAN UNION The following information applies if you use the product within the European Union. Declaration of Conformity with Regard to EU Directive 1999/5/EC (R&TTE Directive) • Compliance information for 2.4GHz and/or 5GHz wireless products relevant to the EU and other Countries following the EU Directive 1999/5/EC (R&TTE).
  • Page 956 Appendix B Legal Information Svenska (Swedish) ZyXEL hereby declares that this equipment complies with the essential requirements and other relevant provisions of Directive 1999/5/EC. Norsk (Norwegian) ZyXEL hereby declares that this equipment complies with the essential requirements and other relevant provisions of Directive 1999/5/EC.
  • Page 957: Safety Warnings

    Appendix B Legal Information List of national codes COUNTRY ISO 3166 2 LETTER CODE COUNTRY ISO 3166 2 LETTER CODE Austria Liechtenstein Belgium Lithuania Bulgaria Luxembourg Croatia Malta Cyprus Netherlands Czech Republic Norway Denmark Poland Estonia Portugal Finland Romania France Serbia Germany Slovakia...
  • Page 958 Appendix B Legal Information The following symbol means that your product and/or its battery must be disposed of separately from household waste in accordance with local regulations. Take it to a recycling station when this product has reached the end of its life. At the time of disposal, the separate collection of the product and/or its battery will help conserve natural resources and protect the environment and human health.
  • Page 959 Appendix B Legal Information Environmental Product Declaration
  • Page 960 Appendix B Legal Information Taiwan The following information applies only to products with wireless capability sold in Taiwan. • Article 12: Without permission, no company, firm or user may change the frequency, increase the power, or alter the characteristics and functions of the original design of a type-approved low-power radio-frequency device. • Article 14: Use of low-power radio-frequency devices must not affect flight safety or interfere with legal communications; if interference is found, the device must be stopped immediately and may be used again only after the interference has been eliminated. Legal communications in the preceding paragraph means radio communications operated in accordance with the Telecommunications Act. Low-power radio-frequency devices must tolerate interference from legal communications or from industrial, scientific and medical radio-wave radiating equipment. • The MPE limit for electromagnetic exposure is 1 mW/cm2; the measured values of the tested products are: 0.150 mW/cm2 (USG60W); 0.108 mW/cm2 (USG40W); 0.918 mW/cm2 (USG20W-VPN). It is recommended to keep this product 20 cm from the human body during use. • Wireless information transmission equipment must tolerate interference from legal communications and must not interfere with legal communications; if it causes interference, it must be stopped immediately and used again only once there is no risk of interference. • Manufacturers of wireless information transmission equipment must ensure frequency stability; when operated normally as described in the manufacturer’s user manual, the transmitted signal must remain within the operating band. The following information applies only to products operating in the 5.25-5.35 GHz band sold in Taiwan. •...
  • Page 961 Appendix B Legal Information Explanation of the Symbols SYMBOL EXPLANATION Alternating current (AC): AC is an electric current in which the flow of electric charge periodically reverses direction. Direct current (DC): DC if the unidirectional flow or movement of electric charge carriers. Earth;...
  • Page 962 Appendix C Product Features Please refer to the product datasheet for the latest product features. Table 394 Product Features 1 MODEL ZYWALL ZYWALL ZYWALL USG40 USG40W USG60 USG60W USG110 USG210 USG310 USG1100 USG1900 NAME 1100 # of MAC...
  • Page 963 Appendix C Product Features Table 394 Product Features 1 (continued) MODEL ZYWALL ZYWALL ZYWALL USG40 USG40W USG60 USG60W USG110 USG210 USG310 USG1100 USG1900 NAME 1100 1000 1000 1000 1000 1000 1000 1000 1000 1000 1000 1000 1000 Session Limit per Host Rules Max.
  • Page 964 Appendix C Product Features Table 394 Product Features 1 (continued) MODEL ZYWALL ZYWALL ZYWALL USG40 USG40W USG60 USG60W USG110 USG210 USG310 USG1100 USG1900 NAME 1100 Schedule Object Schedule Group Max. Schedule Object In One Group Application 1000 1000 1000 1000...
  • Page 965: Appendix C Product Features

    Appendix C Product Features Table 394 Product Features 1 (continued) MODEL ZYWALL ZYWALL ZYWALL USG40 USG40W USG60 USG60W USG110 USG210 USG310 USG1100 USG1900 NAME 1100 Max MAC Entry Per Macfilter Profile Max. VPN 1000 1000 2000 Tunnels Number Max. VPN...
  • Page 966 Appendix C Product Features Table 394 Product Features 1 (continued) MODEL ZYWALL ZYWALL ZYWALL USG40 USG40W USG60 USG60W USG110 USG210 USG310 USG1100 USG1900 NAME 1100 Log Entries 1024 1024 1024 1024 1024 2048 2048 2048 Debug Log 1024 1024 1024...
  • Page 967 Appendix C Product Features Table 394 Product Features 1 (continued) MODEL ZYWALL ZYWALL ZYWALL USG40 USG40W USG60 USG60W USG110 USG210 USG310 USG1100 USG1900 NAME 1100 Maximum White List Rule Support Maximum Black List Rule Support Maximum DNSBL Domain Support Max.
  • Page 968 Appendix C Product Features Table 394 Product Features 1 (continued) MODEL ZYWALL ZYWALL ZYWALL USG40 USG40W USG60 USG60W USG110 USG210 USG310 USG1100 USG1900 NAME 1100 Max. # Of Control AP Others Device HA VRRP Group Max OSPF Areas Maximum 1024...
  • Page 969 Appendix C Product Features Table 395 Product Features 2 (continued) MODEL NAME USG20-VPN USG20W-VPN USG2200-VPN Interface VLAN Virtual (alias) per interface PPP (system default) PPP (user create) Bridge Tunnel (GRE/IPv6 Transition) Routing Static route 1024 Policy route 4000 Sessions (Forwarding, NAT/firewall) 20000 20000 1500000...
  • Page 970 Appendix C Product Features Table 395 Product Features 2 (continued) MODEL NAME USG20-VPN USG20W-VPN USG2200-VPN Max. Service Object In One Group Schedule Object Schedule Group Max. Schedule Object In One Group Application Object 1000 Application Group Max. Application Object In One Group ISP Account 16(PPP+3G) 16(PPP+3G)
  • Page 971 Appendix C Product Features Table 395 Product Features 2 (continued) MODEL NAME USG20-VPN USG20W-VPN USG2200-VPN USB Storage Device Number Centralized Log Log Entries 2048 Debug Log Entries 1024 1024 1024 Admin E-mail Address Syslog Server SSL Inspection Max. SSL Inspection Profile Max.
  • Page 972 Appendix C Product Features Table 395 Product Features 2 (continued) MODEL NAME USG20-VPN USG20W-VPN USG2200-VPN Default # of Control AP Max. # of Control AP Others Device HA VRRP Group Max OSPF Areas Maximum BWM Rule Number 2048 Maximum SIP Concurrent Call Custom Web Portal Page Max internal Web Portal Customize File Upload Zip File Size...
  • Page 973 Index Index logging in Symbols multiple logins see also users Web Configurator access users, see also force user authentication policies Numbers account user 725, 818 3322 Dynamic DNS accounting server 3DES Active Directory, see AD 6in4 tunneling active protocol 6to4 tunneling and encapsulation active sessions 170, 190...
  • Page 974 Index RANGE log options SUBNET mail scan types of mail sessions threshold 766, 771 POP2 address record POP3 admin user registration status troubleshooting 937, 938 regular expressions admin users SMTP multiple logins status see also users white list 680, 684, 689, 690 anti-virus 125, 668, 669 false negatives...
  • Page 975 Index troubleshooting signatures update authentication server updating signatures authentication type 133, 812 AppPatrol, see application patrol Authentication, Authorization, Accounting servers, see AAA server ASAS (Authenex Strong Authentication System) authorization server asymmetrical routes auxiliary interfaces allowing through the security policy vs virtual interfaces attacks access control backdoor...
  • Page 976 Index verifying fingerprints certification requests certifications viewing and certificates 956, 964 Challenge Handshake Authentication Protocol CA (Certificate Authority), see certificates (CHAP) Calling Station ID CHAP (Challenge Handshake Authentication capturing packets Protocol) card SIM CHAP/PAP CEF (Common Event Format) 881, 890 29, 35 cellular button...
  • Page 977 Index connection custom signatures 655, 658, 933 troubleshooting applying example connection monitor (in SSL) verifying connectivity check 281, 295, 302, 311, 321, 335, 342, custom.rules file 346, 546 658, 933 console port customer support 942, 965 speed contact information 942, 965 content (pattern) content filter troubleshooting...
  • Page 978 Index virtual router DoS (Denial of Service) attacks 710, 713 virtual router and management IP addresses device High Availability see Device HA DSCP 363, 366, 609, 923 DHCP 356, 823 DUID and DNS servers Dynamic Domain Name System, see DDNS and domain name dynamic guest and interfaces...
  • Page 979 Index enforcing policies in IPSec FQDN fragmentation flag 545, 566 and transport mode fragmentation offset Ethernet interfaces free guest account and OSPF free time and RIP configuration and routing protocols enable basic characteristics virtual additional signaling port exceptional services extended authentication and address groups and VPN gateways and address objects...
  • Page 980 Index HTTP query view 648, 650 over SSL, see HTTPS registration status redirect to HTTPS reject sender 528, 648, 650, 702 vs HTTPS reject-both 528, 648, 650, 702 reject-receiver HTTP redirect 528, 648, 650, 702 service group and application patrol severity and interfaces signature ID...
  • Page 981 Index least connection Tunnel, see also Tunnel interfaces. least load types weighted round robin virtual, see also virtual interfaces. VLAN, see also VLAN interfaces. inbound load balancing WLAN, see also WLAN interfaces. time to live Internet access incoming bandwidth 302, 311 troubleshooting 928, 937 ingress bandwidth...
  • Page 982 Index established in two phases IPSec VPN L2TP VPN troubleshooting local network IPv6 local policy link-local address NetBIOS prefix peer prefix delegation Perfect Forward Secrecy prefix length stateless autoconfiguration phase 2 settings IPv6 tunnelings policy enforcement 6in4 tunneling remote access 6to4 tunneling remote IPSec router IPv6-in-IPv4 tunneling...
  • Page 983 Index WINS types of lastgood.conf log options 899, 902 673, 684 (IDP) Layer 2 Tunneling Protocol Virtual Private Network, 525, 529, 648, 649, 650, 701, 702 see L2TP VPN login layer-2 isolation custom page example SSL user logo LDAP troubleshooting and users logo in SSL Base DN...
  • Page 984 Index memory usage and ALG 401, 403 and interfaces Message Digest 5, see MD5 and policy routes 360, 367 messages and security policy and to-ZyWALL security policy metrics, see reports and VoIP pass through Microsoft and VPN Challenge-Handshake Authentication Protocol loopback (MSCHAP) port forwarding, see NAT...
  • Page 985 Index One-Time Password (OTP) Online Certificate Status Protocol (OCSP) vs CRL P2P (Peer-to-peer) Open Shortest Path First, see OSPF attacks see also Peer-to-peer operating mode packet OSI (Open System Interconnection) 643, 644 inspection signatures OSI level-4 644, 646 scan OSI level-7 statistics 182, 184, 204 OSPF...
  • Page 986 Index and NAT printer management and schedules problems 366, 608, 612 and service objects profiles and SMTP redirect packet inspection and trunks 347, 366 proxy servers and user groups 365, 608, 612 web, see web proxy servers and users 365, 608, 612 PTR record and VoIP pass through Public-Key Infrastructure (PKI)
  • Page 987 Index Relative Distinguished Name (RDN) direction 786, 787, 789 redistribute remote access IPSec RIP-2 broadcasting methods Remote Authentication Dial-In User Service, see versions RADIUS vs OSPF remote desktop connections Rivest, Shamir and Adleman public-key algorithm Remote Desktop Protocol (RSA) see RDP round robin remote management routing...
  • Page 988 Index and application patrol sessions usage and H.323 (ALG) severity (IDP) 646, 649 and HTTP redirect SHA1 and IPSec VPN shell script and logs troubleshooting and NAT shell scripts and schedules 438, 520, 608, 612 and users and service groups downloading and service objects editing...
  • Page 989 Index send account information 570, 574, 840 ViaNett account access policy and AAA SMS gateway and AD SMTP and LDAP SMTP redirect certificates and firewall client and policy routes client virtual desktop logo packet flow computer names SNAT connection monitor troubleshooting full tunnel mode SNMP...
  • Page 990 Index stac compression startup-config.conf and synchronization (Device HA) if errors ACK number missing at restart attack packet 528, 648, 650, 702 present at restart connections startup-config-bad.conf flag bits port numbers static DHCP window size static routes Telnet and interfaces and address groups and OSPF and address objects and RIP...
  • Page 991 Index anti-virus member interface mode 929, 932 352, 354 anti-virus signatures update member interfaces 352, 354 application patrol see also load balancing 929, 934, 937 application patrol signatures update Trusted Certificates, see also certificates bandwidth limit tunnel encapsulation bandwidth management Tunnel interfaces cellular certificate...
  • Page 992 Index user groups limited-admin (type) 725, 727, 818 and content filtering lockout and policy routes reauthentication time 365, 608, 612 and security policy types of 520, 531 user (type) user name user names rules user objects 725, 818 user portal links logo see SSL user screens...
  • Page 993 Index web-based SSL application active protocol configuration example and NAT create basic troubleshooting weblink hub-and-spoke, see VPN concentrator weighted round robin (for load balancing) IKE SA, see IKE SA weighted round robin algorithm IPSec 128, 512, 534 WEP (Wired Equivalent Privacy) IPSec SA white list (anti-spam) 680, 684, 689, 690...
  • Page 994 Index and VPN and WWW extra-zone traffic inter-zone traffic intra-zone traffic types of traffic ZyWALL/USG Series User’s Guide...