ZyWALL USG 100/200 Series Unified Security Gateway User's Guide
Version 2.10, 5/2008, Edition 1

DEFAULT LOGIN
LAN1 Port: P4
IP Address: http://192.168.1.1
User Name: admin
Password: 1234
www.zyxel.
About This User's Guide

Intended Audience
This manual is intended for people who want to configure the ZyWALL using the web configurator.

How To Use This Guide
• Read Chapter 1 on page 53 for an overview of the features available on the ZyWALL.
• Read Chapter 3 on page 65 for web browser requirements and an introduction to the main components, icons and menus in the ZyWALL web configurator.
Click the help icon in any screen for help in configuring that screen and supplementary information.
• Supporting Disk: Refer to the included CD for support documents.
• ZyXEL Web Site: Please refer to www.zyxel.com for additional support documentation and product certifications.

User Guide Feedback
Help us help you. Send all User Guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead.
Document Conventions

Warnings and Notes
These are how warnings and notes are shown in this User's Guide.

Warnings tell you about things that could harm you or your device.

Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.

Syntax Conventions
• The ZyWALL USG 100 and ZyWALL USG 200 may be referred to as the "ZyWALL", the "device", the "system" or the "product" in this User's Guide.
Icons Used in Figures
Figures in this User's Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device.
Safety Warnings

For your safety, be sure to read and follow all warning notices and instructions.
• Do NOT use this product near water, for example, in a wet basement or near a swimming pool.
• Do NOT expose your device to dampness, dust or corrosive liquids.
• Do NOT store things on the device.
• Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.
• Connect ONLY suitable accessories to the device.
Contents Overview
Getting Started (51)
Introducing the ZyWALL (53)
Features and Applications (57)
Web Configurator
Anti-X (467)
Anti-Virus (469)
IDP (483)
ADP
Table of Contents
About This User's Guide (3)
Document Conventions (5)
Safety Warnings (7)
Contents Overview
3.1 Web Configurator Requirements (65)
3.2 Web Configurator Access (65)
3.3 Web Configurator Main Screen (67)
3.3.1 Title Bar
5.2 Zones, Interfaces, and Physical Ports (110)
5.2.1 Interface Types (110)
5.2.2 Default Interface and Zone Configuration (111)
5.3 Terminology in the ZyWALL
6.3 How to Set Up a WLAN Interface (131)
6.3.1 How to Set Up User Accounts (131)
6.3.2 How to Create the WLAN Interface (132)
6.3.3 How to Set Up the Wireless Clients to Use the WLAN Interface (134)
6.
7.2.4 The VPN Status Screen (178)
7.2.5 The DHCP Table Screen (179)
7.2.6 The Port Statistics Screen (180)
7.2.7 The Port Statistics Graph Screen
10.5.6 Interface Wizard: Summary (Non-WAN) (219)
10.5.7 Interface Wizard: Summary (WAN) (219)
10.6 The PPP Interfaces Screen (221)
10.6.1 PPP Interface Edit Screen (222)
10.
12.4 Policy Routing Technical Reference (285)
Chapter 13 Routing Protocols (287)
13.1 Routing Protocols Overview (287)
13.1.1 What You Can Do in the RIP and OSPF Screens
17.1.2 What You Need to Know About HTTP Redirect (322)
17.2 The HTTP Redirect Screen (322)
17.2.1 The HTTP Redirect Edit Screen (323)
Chapter 18 ALG
20.4.1 The VPN Concentrator Add/Edit Screen (370)
20.5 The SA Monitor Screen (371)
20.6 IPSec VPN Background Information (373)
Chapter 21 SSL VPN
Chapter 25 L2TP VPN (409)
25.1 Overview (409)
25.1.1 What You Can Do in the L2TP VPN Screens (409)
25.1.2 What You Need to Know About L2TP VPN
Chapter 28 Anti-Virus (469)
28.1 Overview (469)
28.1.1 What You Can Do in the Anti-Virus Screens (469)
28.1.2 What You Need to Know About Anti-Virus
Chapter 30 ADP (513)
30.1 Overview (513)
30.1.1 ADP and IDP Comparison (513)
30.1.2 What You Can Do Using the ADP Screens
33.2 Before You Begin (561)
33.3 The Anti-Spam General Screen (561)
33.3.1 The Anti-Spam Policy Add or Edit Screen (563)
33.4 The Anti-Spam Black List Screen
35.4.1 Force User Authentication Policy Add/Edit Screen (602)
35.4.2 User Aware Login Example (603)
35.5 User/Group Technical Reference (604)
Chapter 36 Addresses
39.3 Active Directory or LDAP Group Summary Screen (629)
39.3.1 Creating an Active Directory or LDAP Group (629)
39.4 Configuring a Default RADIUS Server (631)
39.5 Configuring a Group of RADIUS Servers (632)
39.5.
Chapter 43 System (665)
43.1 Overview (665)
43.1.1 What You Can Do In The System Screens (665)
43.2 Host Name
43.12 Vantage CNM (700)
43.12.1 Configuring Vantage CNM (700)
43.13 Language Screen (702)
Part X: Maintenance, Troubleshooting, & Specifications (703)
Chapter 44 File Manager
Chapter 48 Reboot (743)
48.1 Overview (743)
48.1.1 What You Need To Know About Reboot (743)
48.2 The Reboot Screen
List of Figures
Figure 1 ZyWALL USG 200 Front Panel (53)
Figure 2 ZyWALL USG 100 Front Panel (54)
Figure 3 Managing the ZyWALL: Web Configurator (55)
Figure 4 Applications: VPN Connectivity
Figure 39 VPN Advanced Wizard: Step 2 (100)
Figure 40 VPN Advanced Wizard: Step 3 (101)
Figure 41 VPN Advanced Wizard: Step 4 (103)
Figure 42 VPN Advanced Wizard: Step 5
Figure 82 Network > Routing > Policy Route (146)
Figure 83 Network > Routing > Policy Route > Add (147)
Figure 84 Object > User/Group > User > Add (148)
Figure 85 Object > User/Group > Group > Add
Figure 125 Creating the Address Object for the wan2 Public IP Address (168)
Figure 126 Creating the Virtual Server (168)
Figure 127 Status (172)
Figure 128 Status > CPU Usage
Figure 168 Network > Interface > Ethernet > Edit > Edit static DHCP table (240)
Figure 169 Network > Interface > WLAN > Add (WEP Security) (242)
Figure 170 Network > Interface > WLAN > Add (WPA-PSK/WPA2-PSK Security) (242)
Figure 171 Network > Interface > WLAN > Add (WPA/WPA2 Security)
Figure 211 Multiple Servers Behind NAT Example (309)
Figure 212 Network > Virtual Server (310)
Figure 213 Network > Virtual Server > Edit (311)
Figure 214 NAT 1:1 Example Network Topology
Figure 254 VPN > IPSec VPN > VPN Gateway (363)
Figure 255 VPN > IPSec VPN > VPN Gateway > Edit (365)
Figure 256 VPN Topologies (Fully Meshed and Hub and Spoke) (369)
Figure 257 VPN > IPSec VPN > Concentrator
Figure 297 VPN > L2TP VPN (411)
Figure 298 VPN > L2TP VPN > Session Monitor (412)
Figure 299 L2TP VPN Example (415)
Figure 300 VPN > IPSec VPN > VPN Gateway > Edit
Figure 340 IP Security Policy Properties: IP Filter List (434)
Figure 341 Console: L2TP to ZyWALL Assign (434)
Figure 342 Start New Connection Wizard (435)
Figure 343 New Connection Wizard: Network Connection Type
Figure 383 Anti-X > IDP > Profile > Edit > IDP Service Group (495)
Figure 384 Anti-X > IDP > Profile: Query View (496)
Figure 385 Query Example Search Criteria (497)
Figure 386 Query Example Search Results
Figure 426 Anti-X > Anti-Spam > Black/White List > White List (567)
Figure 427 Anti-X > Anti-Spam > DNSBL (569)
Figure 428 Anti-X > Anti-Spam > DNSBL > Add (570)
Figure 429 Anti-X > Anti-Spam > Status
Figure 469 Object > AAA Server > RADIUS > Group > Add (632)
Figure 470 Example: Using Authentication Method in VPN (636)
Figure 471 Object > Auth. Method (636)
Figure 472 Object > Auth. Method > Add
Figure 512 SSL Client Authentication (689)
Figure 513 Secure Web Configurator Login Screen (689)
Figure 514 SSH Communication Over the WAN Example (690)
Figure 515 How SSH v1 Works Example
Figure 555 WLAN Card Installation (754)
Figure 556 Windows XP: Opening the Services Window (819)
Figure 557 Windows XP: Starting the Messenger Service (820)
Figure 558 Windows 2000: Opening the Services Window
List of Tables
Table 1 Front Panel LEDs (54)
Table 2 Managing the ZyWALL: Console Port (55)
Table 3 Starting and Stopping the ZyWALL (55)
Table 4 Packet Flow Key
Table 39 Status > Port Statistics > Switch to Graphic View (182)
Table 40 Status > Current Users (183)
Table 41 Status > Cellular Detail (183)
Table 42 Licensing > Registration
Table 82 Network > Interface > Bridge > Add (264)
Table 83 Example: Routing Table Entries for Interfaces (265)
Table 84 Example: Routing Table Entry for a Gateway (266)
Table 85 Example: Assigning IP Addresses from a Pool
Table 125 Objects (386)
Table 126 VPN > SSL VPN > Access Privilege (387)
Table 127 VPN > SSL VPN > Access Privilege > Add/Edit (388)
Table 128 VPN > SSL VPN > Connection Monitor
Table 168 ADP > Profile > Traffic Anomaly (520)
Table 169 ADP > Profile > Protocol Anomaly (523)
Table 170 HTTP Inspection and TCP/UDP/ICMP Decoders (527)
Table 171 Anti-X > Content Filter > General
Table 211 Object > AAA Server > Active Directory (or LDAP) > Default (628)
Table 212 Object > AAA Server > Active Directory (or LDAP) > Group (629)
Table 213 Object > AAA Server > Active Directory (or LDAP) > Group > Add (630)
Table 214 Object > AAA Server > RADIUS > Default
Table 254 Maintenance > Log > Log Setting (718)
Table 255 Maintenance > Log > Log Setting > Edit (System Log) (721)
Table 256 Maintenance > Log > Log Setting > Edit (Remote Server) (724)
Table 257 Maintenance > Log > Log Setting > Active Log Summary
Table 297 Device HA Logs (797)
Table 298 Routing Protocol Logs (799)
Table 299 NAT Logs (802)
Table 300 PKI Logs
PART I Getting Started (51)
Introducing the ZyWALL (53)
Features and Applications (57)
Web Configurator (65)
Configuration Basics (109)
Tutorials (125)
Status (171)
Registration (185)
Signature Update (191)
CHAPTER 1 Introducing the ZyWALL
This chapter gives an overview of the ZyWALL. It explains the front panel ports and LEDs, introduces the management methods, and lists the different ways to start or stop the ZyWALL.

1.1 Overview and Key Default Settings
The ZyWALL is a comprehensive security device designed for Small and Medium Businesses (SMB) and branch offices.
Figure 2 ZyWALL USG 100 Front Panel
The following table describes the LEDs.

Table 1 Front Panel LEDs
COLOR / STATUS: DESCRIPTION
Off: The ZyWALL is turned off.
Green / On: The ZyWALL is turned on.
Red / On: There is a hardware component failure. Shut down the device, wait for a few minutes and then restart the device (see Section 1.4 on page 55). If the LED turns red again, then please contact your vendor.
Green / Off: The ZyWALL is not ready or has failed.
Figure 3 Managing the ZyWALL: Web Configurator

Command-Line Interface (CLI)
The CLI allows you to use text-based commands to configure the ZyWALL. You can access it using remote management (for example, SSH or Telnet) or via the console port. See the Command Reference Guide for more information about the CLI.

Console Port
You can use the console port to manage the ZyWALL. You have to use CLI commands, which are explained in the Command Reference Guide.
Table 3 Starting and Stopping the ZyWALL
METHOD: DESCRIPTION
Using the shutdown command: The shutdown command writes all cached data to the local storage and stops the system processes. It does not turn off the power. You have to turn the power off and on manually to start the ZyWALL again. You should use this command before you turn off the ZyWALL.
Disconnecting the power: Power off occurs when you turn off the power to the ZyWALL. The ZyWALL simply turns off.
CHAPTER 2 Features and Applications
This chapter introduces the main features and applications of the ZyWALL.

2.1 Features
The ZyWALL's security features include VPN, firewall, anti-virus, content filtering, IDP (Intrusion Detection and Prevention), ADP (Anomaly Detection and Protection), and certificates. It also provides bandwidth management, NAT, port forwarding, policy routing, DHCP server and many other powerful features.
Intrusion Detection and Prevention (IDP)
IDP (Intrusion Detection and Prevention) can detect malicious or suspicious packets and respond instantaneously. It detects pattern-based attacks in order to protect against network-based intrusions. See Section 29.6.2 on page 493 for a list of attacks that the ZyWALL can protect against. You can also create your own custom IDP rules.
Application Patrol
Application patrol (App. Patrol) manages instant messenger (IM) and peer-to-peer (P2P) applications like MSN and BitTorrent. You can even control the use of a particular application's individual features (like text messaging, voice, video conferencing, and file transfers). Application patrol has powerful bandwidth management, including traffic prioritization to enhance the performance of delay-sensitive applications like voice and video.
2.2.2 Interface to Interface (To/From ZyWALL)
To: Ethernet -> VLAN -> Encap -> ALG -> DNAT -> Routing -> zFW -> ADP -> RM
From: RM -> Routing -> BWM -> Encap -> VLAN -> Ethernet

2.2.3 Interface to Interface (From VPN Tunnel)
This example shows the flow from a VPN tunnel through the ZyWALL, not to the ZyWALL or to another VPN tunnel (VPN concentrator).
Figure 4 Applications: VPN Connectivity

2.3.2 SSL VPN Network Access
You can configure the ZyWALL to provide SSL VPN network access to remote users. There are two SSL VPN network access modes: reverse proxy and full tunnel.

2.3.2.1 Reverse Proxy Mode
In reverse proxy mode, the ZyWALL is a proxy that acts on behalf of the local network servers (such as your web and mail servers). As the final destination, the ZyWALL appears to be the server to remote users.
Figure 6 Network Access Mode: Full Tunnel Mode

2.3.3 User-Aware Access Control
Set up security policies that restrict access to sensitive information and shared resources based on the user who is trying to access it.

Figure 7 Applications: User-Aware Access Control

2.3.4 Multiple WAN Interfaces
Set up multiple connections to the Internet on the same port, or set up multiple connections on different ports. In either case, you can balance the loads between them.
Figure 8 Applications: Multiple WAN Interfaces

2.3.5 Device HA
Set up an additional ZyWALL as a backup gateway to ensure the default gateway is always available for the network.
CHAPTER 3 Web Configurator
The ZyWALL web configurator allows easy ZyWALL setup and management using an Internet browser. Unless otherwise specified, the ZyWALL USG 200 screens are shown.

3.1 Web Configurator Requirements
In order to use the web configurator, you must
• Use Internet Explorer 6.0 or later, Netscape Navigator 7.2 or later, or Firefox 1.0.
Figure 10 Login Screen
3 Type the user name (default: "admin") and password (default: "1234"). If your account is configured to use an ASAS authentication server, use the OTP (One-Time Password) token to generate a number. Enter it in the One-Time Password field. The number is only good for one login. You must use the token to generate a new number the next time you log in.
4 Click Login.
Follow the directions in this screen. If you change the default password, the Login screen (Figure 10 on page 66) appears after you click Apply. If you click Ignore, the main screen appears.

Figure 12 Main Screen

3.3 Web Configurator Main Screen
As illustrated in Figure 12 on page 67, the main screen is divided into these parts:
• A - title bar
• B - navigation panel
• C - main window
• D - status bar
3.3.
The icons provide the following functions.

Table 5 Title Bar: Web Configurator Icons
ICON: DESCRIPTION
Help: Click this icon to open the help page for the current screen.
Wizards: Click this icon to open one of the web configurator wizards. See Chapter 4 on page 75 for more information.
Console: Click this icon to open the console in which you can use the command line interface (CLI).
Site Map: Click this icon to display the site map for the web configurator.
Table 6 Navigation Panel Summary (continued)
LINK: Interface
• Status: Use this screen to see information about all of the ZyWALL's interfaces and their connection status.
• Port Role: Use this screen to set the ZyWALL's flexible ports as LAN1, WLAN, or DMZ.
• Ethernet: Use this screen to manage Ethernet interfaces and virtual Ethernet interfaces.
• PPP: Use this screen to create and manage PPPoE and PPTP interfaces.
LINK: Routing
Table 6 Navigation Panel Summary (continued)
LINK: AppPatrol
• General: Use this screen to enable or disable traffic management by application and see registration and signature information.
• Common: Use this screen to manage traffic of the most commonly used web, file transfer and e-mail protocols.
• Instant Messenger: Use this screen to manage instant messenger traffic.
• Peer to Peer: Use this screen to manage peer-to-peer traffic.
Table 6 Navigation Panel Summary (continued)
LINK: User/Group
• User: Use this screen to create and manage users.
• Group: Use this screen to create and manage groups of users.
• Setting: Use this screen to manage default settings for all users, general settings for user sessions, and rules to force user authentication.
LINK: Address
• Address: Use this screen to create and manage host, range, and network (subnet) addresses.
LINK: Service
Table 6 Navigation Panel Summary (continued)
• Vantage CNM: Use this screen to configure and allow your ZyWALL to be managed by the Vantage CNM server.
• Language: Use this screen to select the language of the ZyWALL's web configurator screens.
LINK: Maintenance > File Manager
• Configuration File: Use this screen to manage and upload configuration files for the ZyWALL.
Figure 14 Warning Messages
Click Refresh Now to update the screen. Close the popup window when you are done with it. Click Clear Warning Messages to remove the current warning messages from the window.

3.3.4.2 CLI Messages
Click CLI to look at the CLI commands sent by the web configurator. These commands appear in a popup window, such as the following.
Click Refresh Now to update the screen. For example, if you just enabled a particular feature, you can look at the commands the web configurator generated to enable it. This is a convenient way to learn the exact CLI syntax for a change before scripting it or applying it to another ZyWALL. Close the popup window when you are done with it. See the Command Reference Guide for information about the commands.
CHAPTER 4 Wizard Setup

4.1 Wizard Setup Overview
The web configurator's setup wizards help you configure the initial Internet access settings and VPN connection settings. This chapter describes the wizard screens in the web configurator. See the feature-specific chapters in this User's Guide for background information.

Note: Use the installation wizards only for initial configuration, starting from the default configuration.
Figure 16 Wizard Setup Welcome

4.2 Installation Setup, One ISP
The wizard screens vary depending on the encapsulation type you use. Refer to the information provided by your ISP to know what to enter in each field. Leave a field blank if you do not have that information.

Note: Enter the Internet access information exactly as your ISP gave it to you.

The following table describes the labels in this screen.

Table 7 Internet Access: Step 1
ISP Parameters
Encapsulation: Choose Ethernet when the WAN port is used as a regular Ethernet connection. Otherwise, choose PPPoE or PPTP for a dial-up connection, according to the information from your ISP.
WAN IP Address Assignments
WAN Interface: This is the interface you are configuring for Internet access.
Figure 18 Ethernet Encapsulation: Auto: Finish
You have set up your ZyWALL to access the Internet.

Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. You can click Next and use the following screen to perform a basic registration (see Section 4.4 on page 91). If you want to do a more detailed registration or manage your account details, click myZyXEL.com. Alternatively, click Close to exit the wizard.
4.3.
Figure 19 Ethernet Encapsulation: Static
The following table describes the labels in this screen.

Table 8 Ethernet Encapsulation: Static
ISP Parameters
Encapsulation: This displays the type of Internet connection you are configuring.
WAN IP Address Assignments
WAN Interface: This displays the identity of the interface you configure to connect with your ISP.
Zone: This field displays the security zone to which this interface and Internet connection will belong.

Note: Enter the Internet access information exactly as given to you by your ISP.

WAN Interface: This is the number of the interface that will connect with your ISP.
Zone: This is the security zone to which this interface and Internet connection will belong.
IP Address: Enter your (static) public IP address.
IP Subnet Mask: Enter the subnet mask for this WAN connection's IP address.
4.3.4 PPPoE: Auto IP Address Assignment
If you select Auto as the IP Address Assignment in the previous screen, the following screen displays after you click Next.

Figure 21 PPPoE Encapsulation: Auto
The following table describes the labels in this screen.

Table 9 PPPoE Encapsulation: Auto
ISP Parameters
Encapsulation: This displays the type of Internet connection you are configuring.
Service Name: Type the PPPoE service name given to you by your ISP.

Figure 22 PPPoE Encapsulation: Auto: Finish
You have set up your ZyWALL to access the Internet.

Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. You can click Next and use the following screen to perform a basic registration (see Section 4.4 on page 91). If you want to do a more detailed registration or manage your account details, click myZyXEL.com. Alternatively, click Close to exit the wizard.
4.3.
Figure 23 PPPoE Encapsulation: Static
The following table describes the labels in this screen.

Table 10 PPPoE Encapsulation: Static
ISP Parameters
Encapsulation: This displays the type of Internet connection you are configuring.
Service Name: Type the PPPoE service name given to you by your ISP. PPPoE uses a service name to identify and reach the PPPoE server. You can use alphanumeric and _@$./ characters, and it can be up to 64 characters long.

Table 10 PPPoE Encapsulation: Static (continued)
First DNS Server, Second DNS Server: Enter the DNS server's IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
Next: Click Next to continue.
4.3.

Figure 24 PPPoE Encapsulation: Static: Finish
You have set up your ZyWALL to access the Internet.

Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. You can click Next and use the following screen to perform a basic registration (see Section 4.4 on page 91). If you want to do a more detailed registration or manage your account details, click myZyXEL.com. Alternatively, click Close to exit the wizard.
4.3.
Figure 25 PPTP Encapsulation: Auto
The following table describes the labels in this screen.

Table 11 PPTP Encapsulation: Auto
ISP Parameters
Encapsulation: This displays the type of Internet connection you are configuring.
User Name: Type the user name given to you by your ISP. You can use alphanumeric and _@$./ characters, and it can be up to 31 characters long.
Password: Type the password associated with the user name above.

Table 11 PPTP Encapsulation: Auto (continued)
Zone: This field displays the security zone to which this interface and Internet connection will belong.
IP Address: Enter your WAN IP address in this field.
DNS: DNS (Domain Name System) maps a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.

Note: PPTP is used here as an ISP access method, not as a security tunnel. Its authentication (MS-CHAP) and encryption (MPPE) are known to be weak, so do not treat a PPTP WAN link as encrypted; use IPSec for traffic that must be protected.
4.3.8 PPTP: Static IP Address Assignment
If you select Static as the IP Address Assignment, the following screen displays.

Figure 27 PPTP Encapsulation: Static
The following table describes the labels in this screen.

Table 12 PPTP Encapsulation: Static
ISP Parameters
Encapsulation: This displays the type of Internet connection you are configuring.
User Name: Type the user name given to you by your ISP. You can use alphanumeric and _@$.

Table 12 PPTP Encapsulation: Static (continued)
Connection ID: Enter the connection ID or connection name in this field. It must follow the "c:id" or "n:name" format, for example C:12 or N:My ISP. This field is optional and depends on the requirements of your DSL modem. You can use alphanumeric and -_: characters, and it can be up to 31 characters long. This field can be blank.

4.3.9.3 WAN IP Address Assignments
You do not configure this section if you selected Auto as the IP Address Assignment in the previous screen.
WAN Interface: This is the interface that will connect with your ISP.
Zone: This is the security zone to which this interface and Internet connection will belong.
IP Address: Enter your (static) public IP address.
DNS Server: The Domain Name System (DNS) maps a domain name to an IP address and vice versa.
4.4 Device Registration
Use this screen to register your ZyWALL with myZyXEL.com and activate trial periods of subscription security features if you have not already done so.

Note: You must be connected to the Internet to register.

This screen displays a read-only user name and password if the ZyWALL is already registered. It also shows which trial services are activated (if any). You can still select the unchecked trial service(s) to activate them after registration.

Table 13 Registration (continued)
Password: Enter a password of between six and 20 alphanumeric characters (and the underscore). Spaces are not allowed. This password protects your myZyXEL.com account and the licenses tied to it, so use the full 20 characters rather than the minimum.
Confirm Password: Enter the password again for confirmation.
E-Mail Address: Enter your e-mail address. You can use up to 80 alphanumeric characters (periods and the underscore are also allowed) without spaces.
Country Code: Select your country from the drop-down list box.
Figure 31 Internet Access: Step 1: First WAN Interface
After you configure the First WAN Interface, you can configure the Second WAN Interface. Click Next to continue.

Figure 32 Internet Access: Step 3: Second WAN Interface
After you configure the Second WAN Interface, a summary of the configuration settings displays for both WAN interfaces.

Figure 33 Internet Access: Finish

Note: You can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Click Next and use the following screen to register your ZyWALL and activate service trials (see Section 4.4 on page 91). If you want to do a more detailed registration or manage your myZyXEL.com account details, click myZyXEL.com. Alternatively, click Close to exit the wizard.
4.5.
Figure 34 VPN Wizard: Wizard Type
The following table describes the labels in this screen.

Table 14 VPN Wizard: Step 1: Wizard Type
Express: Use this wizard to create a VPN connection with another ZLD-based ZyWALL using a pre-shared key and default security settings.
Advanced: Use this wizard to configure detailed VPN security settings, such as using certificates. The VPN connection can be to another ZLD-based ZyWALL or to another IPSec device.

Figure 35 VPN Express Wizard: Step 2
The following table describes the labels in this screen.

Table 15 VPN Express Wizard: Step 2
Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Pre-Shared Key: Type the password. Both ends of the VPN tunnel must use the same password. Use 8 to 31 case-sensitive ASCII characters or 16 to 62 hexadecimal ("0-9", "A-F") characters. Precede hexadecimal characters with "0x". In the Express wizard the pre-shared key is the only secret that authenticates the peer, so use a long, randomly generated key rather than a word or phrase, and give it to the administrator of the other end over a separate, trusted channel.

Figure 36 VPN Express Wizard: Step 3
The following table describes the labels in this screen.
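The two key formats above are easy to get subtly wrong (a 15-digit hex string, a key with a trailing space pasted from e-mail, a dictionary word). The following is an added example, not ZyXEL code, that checks a candidate key against the documented rules and generates keys at the maximum permitted length. The length limits and the "0x" prefix come from the user's guide; the exact set of non-alphanumeric ASCII characters the wizard accepts is an assumption, so the alphabet used here is deliberately conservative, and lowercase hex digits are accepted on the assumption that the device is case-insensitive for hex.

```python
# Added example (not ZyXEL code): validate and generate IPSec pre-shared keys
# in the two formats the VPN Express Wizard accepts:
#   - 8 to 31 case-sensitive ASCII characters, or
#   - "0x" followed by 16 to 62 hexadecimal digits.
# Assumptions: the ASCII alphabet below (no quotes, spaces or backslashes)
# and acceptance of lowercase hex digits.
import math
import re
import secrets
import string

HEX_KEY = re.compile(r"^0x([0-9A-Fa-f]{16,62})$")
ASCII_ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"


def check_psk(psk: str) -> tuple[bool, str]:
    """Return (ok, reason). Keys starting with 0x are hex keys; anything else
    is treated as a case-sensitive ASCII key of 8 to 31 characters."""
    m = HEX_KEY.match(psk)
    if m:
        return True, f"hex key, {len(m.group(1))} hex digits"
    if psk[:2].lower() == "0x":
        return False, "0x prefix must be followed by 16 to 62 hex digits"
    if not 8 <= len(psk) <= 31:
        return False, f"ASCII key is {len(psk)} characters, must be 8 to 31"
    bad = sorted({c for c in psk if c not in ASCII_ALPHABET})
    if bad:
        # A trailing space is the classic cause of "identical" keys that do not match.
        return False, f"characters not accepted: {bad!r}"
    return True, f"ASCII key, {len(psk)} characters"


def entropy_bits(psk: str) -> float:
    """Guessing resistance of a *randomly generated* key of this shape.
    A word or phrase of the same length has far less."""
    ok, _ = check_psk(psk)
    if not ok:
        return 0.0
    if psk[:2].lower() == "0x":
        return 4.0 * (len(psk) - 2)
    return len(psk) * math.log2(len(ASCII_ALPHABET))


def generate_psk(kind: str = "hex") -> str:
    """Generate a random key at the maximum length the wizard allows."""
    if kind == "hex":
        return "0x" + secrets.token_hex(31)            # 62 hex digits, 248 bits
    if kind == "ascii":
        return "".join(secrets.choice(ASCII_ALPHABET) for _ in range(31))
    raise ValueError("kind must be 'hex' or 'ascii'")


if __name__ == "__main__":
    for candidate in ["secret", "0x0123456789abcdef", "correct horse", generate_psk()]:
        ok, reason = check_psk(candidate)
        print(f"{candidate!r}: {ok} ({reason}), {entropy_bits(candidate):.0f} bits")
```

Paste the generated key into both ends from the same clipboard content; the checker rejects a key that has picked up whitespace on the way, which is the most common reason two "identical" keys fail phase 1.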
Figure 37 VPN Express Wizard: Step 4
The following table describes the labels in this screen.

Table 17 VPN Express Wizard: Step 4
Summary
Name: This is the name of the VPN connection (and VPN gateway).
Secure Gateway: This is the WAN IP address or domain name of the remote IPSec router. If this field displays 0.0.0.0, only the remote IPSec router can initiate the VPN connection.
Local Policy: IP address and subnet mask of the computers on the network behind your ZyWALL that can use the tunnel.
Remote Policy: IP address and subnet mask of the computers on the network behind the peer IPSec device that can use the tunnel.
You can copy and paste the Configuration for Remote Gateway commands into another ZLD-based ZyWALL's command line interface. Because these commands configure the matching side of the tunnel, treat the copied text as sensitive.

Figure 38 VPN Express Wizard: Step 6

Note: If you have not already done so, use the myZyXEL.
4.8.4 VPN Advanced Wizard
Click the Advanced radio button as shown in Figure 34 on page 95 to display the following screen.

Figure 39 VPN Advanced Wizard: Step 2
The following table describes the labels in this screen.

Table 18 VPN Advanced Wizard: Step 2
Remote Gateway Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.

Table 18 VPN Advanced Wizard: Step 2 (continued)
Certificate: Use the drop-down list box to select the certificate to use for this VPN tunnel. You must already have certificates configured in the My Certificates screen. Click Certificate under the Object menu to go to the My Certificates screen, where you can view the ZyWALL's list of certificates.
Next: Click Next to continue.
4.8.
The following table describes the labels in this screen.

Table 19 VPN Advanced Wizard: Step 3
Negotiation Mode: Select Main for identity protection. Select Aggressive to allow more incoming connections from dynamic IP addresses to use separate passwords. Be aware that in Aggressive mode the identities and the hash derived from the pre-shared key are exchanged before encryption starts, so anyone who captures the exchange can attack a weak pre-shared key offline. Prefer Main mode, and use Aggressive mode only when the peer has a dynamic address and cannot be identified any other way, with a long random key.
Note: Multiple SAs (security associations) connecting through a secure gateway must have the same negotiation mode.
Proposal: 3DES and AES use encryption. The longer the AES key, the higher the security (this may affect throughput). Prefer AES over 3DES. Null uses no encryption: the traffic is authenticated but sent in clear, so use it only for testing.
Authentication Algorithm: MD5 gives minimal security. SHA-1 gives higher security, and is the one to select.
The following table describes the labels in this screen.

Table 20 VPN Advanced Wizard: Step 4
Phase 2 Setting
Active Protocol: Select the security protocol used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay). ESP is compatible with NAT; AH is not, because AH authenticates the IP header that NAT rewrites.
Encapsulation: Tunnel is compatible with NAT, Transport is not. Tunnel mode encapsulates the entire IP packet to transmit it securely.

4.8.7 VPN Advanced Wizard - Phase 2
Active Protocol: ESP is compatible with NAT, AH is not.
Encapsulation: Tunnel is compatible with NAT, Transport is not.
Proposal: 3DES and AES use encryption. The longer the AES key, the higher the security (this may affect throughput). Null uses no encryption. Choose ESP with AES when the tunnel carries anything confidential; AH, and ESP with Null, protect integrity only.
Local Policy (IP/Mask): Type the IP address of a computer on your network. You can also specify a subnet. This must match the remote policy configured on the peer IPSec device.

Table 21 VPN Advanced Wizard: Step 5 (continued)
Remote Policy: This is a (static) IP address and subnet mask on the network behind the remote IPSec router.
Remote Gateway CLI: These commands set the matching VPN connection settings for the remote gateway. If the remote gateway is a ZLD-based ZyWALL, you can copy and paste this list into its command line interface in order to configure it for the VPN tunnel.
Figure 43 VPN Wizard: Step 6: Advanced

Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. You can click Next and use the following screen to perform a basic registration (see Section 4.4 on page 91). If you want to do a more detailed registration or manage your account details, click myZyXEL.com. Alternatively, click Close to exit the wizard.
CHAPTER 5 Configuration Basics
This section provides information to help you configure the ZyWALL effectively. Some of it is helpful when you are just getting started. Some of it is provided for your reference when you configure various features in the ZyWALL.
• Section 5.1 on page 109 introduces the ZyWALL's object-based configuration.
• Section 5.2 on page 110 introduces zones, interfaces, and port roles.
• Section 5.

5.2 Zones, Interfaces, and Physical Ports
Zones (groups of interfaces and VPN tunnels) simplify security settings. Here is an overview of zones, interfaces, and physical ports in the ZyWALL.
• Bridge interfaces create a software connection between Ethernet or VLAN interfaces at layer 2 (the data link, MAC address level). Then, you can configure the IP address and subnet mask of the bridge. It is also possible to configure zone-level security between the member interfaces in the bridge.
• Virtual interfaces increase the amount of routing information in the ZyWALL.
Table 24 ZyWALL USG 100 Default Port, Interface, and Zone Configuration
PORT | INTERFACE | ZONE | IP ADDRESS AND DHCP SETTINGS | SUGGESTED USE WITH DEFAULT SETTINGS
P1, P2 | wan1, wan2 | WAN | DHCP clients | Connections to the Internet
P3, P4, P5 | lan1 | LAN1 | 192.168.1.1, DHCP server enabled | Protected LAN
P6 | ext-wlan | WLAN | 10.59.0.1, DHCP server enabled | Wireless access points
P7 | dmz | DMZ | 192.168.3. | Public servers (such as web, e-mail and FTP)
Table 27 NAT: Differences Between the ZyWALL and ZyNOS
ZYNOS FEATURE / SCREEN | ZYWALL FEATURE / SCREEN
Port forwarding | Virtual server
Trigger port, port triggering | Policy route
Address mapping | Policy route
Address mapping (VPN) | IPSec VPN

Table 28 Bandwidth Management: Differences Between the ZyWALL and ZyNOS
ZYNOS FEATURE / SCREEN | ZYWALL FEATURE / SCREEN
Interface bandwidth management (outbound) | Interface
OSI level-7 bandwidth management | Application patrol
Gene
Note: PREREQUISITES or WHERE USED does not appear if there are no prerequisites or references in other features to this one. For example, no other features reference DDNS entries, so there is no WHERE USED entry.

5.4.2 Interface
See Section 5.2 on page 110 for background information.

Note: When you create an interface, no security is applied to it until you assign it to a zone: zone-based firewall rules and the other features configured per zone do not cover traffic on an interface that belongs to no zone. Assign every new interface to a zone before you connect it to a network.
Example: See Chapter 6 on page 125.

5.4.5 SSL VPN
Use SSL VPN to provide secure network access to remote users.
MENU ITEM(S): VPN > SSL VPN
PREREQUISITES: Interfaces, SSL application, users, user groups, addresses (network list, IP pool for assigning to clients, DNS and WINS server addresses), to-ZyWALL firewall, firewall
WHERE USED: Policy routes, zones
Example: See Chapter 6 on page 125.
5.4.

PREREQUISITES: Interfaces (with a static IP address), to-ZyWALL firewall
Example: See Chapter 6 on page 125.

5.4.9 DDNS
Dynamic DNS maps a domain name to a dynamic IP address. The ZyWALL helps maintain this mapping.
MENU ITEM(S): Network > DDNS
PREREQUISITES: Interface

5.4.10 Policy Routes
Use policy routes to control the routing of packets through the ZyWALL's interfaces and trunks, and to send traffic through VPN connections.

Note: The ZyWALL checks the policy routes in the order in which they are listed and uses the first one that matches. So make sure that your custom policy route comes before any other route that would also match the FTP traffic; a more specific route placed below a broader one is never used.

5.4.11 Static Routes
Use static routes to tell the ZyWALL about networks not directly connected to the ZyWALL.
MENU ITEM(S): Network > Routing > Static Route
PREREQUISITES: Interfaces

5.4.12 Firewall
The firewall controls the travel of traffic between or within zones.
5.4.13 Application Patrol
Use application patrol to control which individuals can use which services through the ZyWALL (and when they can do so). You can also specify allowed amounts of bandwidth and priorities. You must subscribe to use application patrol. You can subscribe using the Licensing > Registration screens or one of the wizards.

5.4.16 ADP
Use ADP to detect and take action on traffic and protocol anomalies.
MENU ITEM(S): Anti-X > ADP
PREREQUISITES: Zones

5.4.17 Content Filter
Use content filtering to block or allow access to specific categories of web site content, individual web sites and web features (such as cookies). You can define which user accounts (or groups) can access what content and at what times. You must have a subscription in order to use the category-based content filtering.

The ZyWALL does not check to-ZyWALL firewall rules for packets that are redirected by virtual server. It does check regular (through-ZyWALL) firewall rules. A virtual server rule therefore exposes the internal host to whatever the through-ZyWALL rules from the WAN zone to the host's zone allow, so restrict those rules to the forwarded service and the host's address.
MENU ITEM(S): Network > Virtual Server
PREREQUISITES: Interfaces, addresses (HOST)
Example: Suppose you have an FTP server with a private IP address connected to a DMZ port. You could configure a virtual server rule to forward FTP sessions from the WAN to the DMZ, together with a WAN-to-DMZ firewall rule that allows only FTP to the server's address.
5.5 Objects
Objects store information and are referenced by other features. If you update this information in response to changes, the ZyWALL automatically propagates the change to the features that use the object. The following table introduces the objects. You can also use this table when you want to delete an object, because you have to delete references to the object first.

WHERE USED: Policy routes, firewall, application patrol, content filter, user groups, VPN, WLAN

5.6 System Management and Maintenance
This section introduces some of the management and maintenance features in the ZyWALL. Use Host Name to configure the system and domain name for the ZyWALL. Use Date/Time to configure the current date, time, and time zone in the ZyWALL; keep them accurate, since certificate validity checks and log timestamps depend on them. Use Console Speed to set the console speed.

5.6.3 Licensing Registration
Use these screens to register your ZyWALL and subscribe to services like anti-virus, IDP and application patrol, more SSL VPN tunnels, and content filtering. You must have Internet access to myZyXEL.com.
MENU ITEM(S): Licensing > Registration
PREREQUISITES: Internet access to myZyXEL.com

5.6.4 Licensing Update
Use these screens to update the ZyWALL's signature packages for the anti-virus, IDP and application patrol, and system protect features.
CHAPTER 6 Tutorials
This chapter provides some examples of using the web configurator to set up features in the ZyWALL. See also Chapter 26 on page 415 for an example of configuring L2TP.

6.1 How to Configure Ethernet Interfaces and Port Roles
This tutorial shows how to configure Ethernet interfaces and port roles for the following example configuration (see Section 5.2.2 on page 111 for the default configuration).
• The wan1 interface uses a static IP address of 1.2.3.4.

Click Network > Interface > Ethernet and the wan1 interface's Edit icon. Configure the IP address, subnet mask, and default gateway settings as follows and click OK.
Figure 47 Network > Interface > Ethernet > Edit wan1

6.1.2 How to Configure the OPT Interface for a Local Network
Here is how to set up the opt interface for a separate local network. It uses 192.168.4.1 as its IP address and has a DHCP server to distribute IP addresses to connected DHCP clients.
Figure 48 Network > Interface > Ethernet > Edit opt
2 Set DHCP to DHCP Server and click OK.
Figure 49 Network > Interface > Ethernet > Edit opt > More Settings

6.1.3 How to Configure Port Roles
Here is how to remove port P6 from the ext-wlan interface and add it to the dmz interface.
1 Click Network > Interface > Port Role.
2 Under P6 select the dmz (DMZ) radio button and click Apply.
6.2 How to Configure a Cellular Interface
Use 3G cards for cellular WAN (Internet) connections. You can have up to three simultaneous 3G connections (one 3G device in the ZyWALL's PCMCIA slot and one connected to each of the ZyWALL's two USB ports). Table 267 on page 749 lists the compatible 3G devices. In this example you install or connect the 3G card before you configure the cellular interfaces, but it is also possible to reverse the sequence.

Figure 52 Network > Interface > Cellular > Edit
5 Go to the Status screen. The Interface Status Summary section should contain a "cellular" entry. When its connection status is "Connected" you can use the 3G connection to access the Internet.

Figure 53 Status
The ZyWALL automatically balances the traffic load among the available WAN connections. This enhances overall network throughput. Also, if a WAN connection goes down, the ZyWALL sends traffic through the remaining WAN connections. For a simple test, disconnect all of the ZyWALL's wired WAN connections. If you can still access the Internet, your cellular interface is properly configured and your cellular device is working.
1 Click Object > User/Group > User and then the Add icon.
2 Set the User Name to wlan_user. Enter (and re-enter) the user's password. Click OK.
Figure 54 Object > User/Group > User > Add
3 Use the Add icon in the Object > User/Group > User screen to set up the remaining user accounts in similar fashion.

6.3.2 How to Create the WLAN Interface
1 Click Network > Interface > WLAN > Add to open the WLAN Edit screen.
2 Edit this screen as follows.
Figure 55 Network > Interface > WLAN > Add (WPA/WPA2 Security)
3 Turn on the wireless LAN and click Apply.

6.3.3 How to Set Up the Wireless Clients to Use the WLAN Interface
The following sections show you how to have a wireless client (not included with the ZyWALL) use the wireless network.

6.3.3.1 How to Configure the ZyXEL Wireless Client Utility
This example shows how to configure ZyXEL's wireless client utility (not included with the ZyWALL) to use the WLAN interface. See Section 6.3.3.
Figure 58 ZyXEL Wireless Client > Profile
3 Select WPA2 as the security type and click Next.
Figure 59 ZyXEL Wireless Client > Profile: Security Type
4 Set the encryption type to TKIP and the EAP type to TTLS. Configure wlan_user as the Login Name and enter the account's password (also wlan_user in this example; choose a real password outside the lab). In TTLS Protocol, select PAP. Click Next. With TTLS/PAP the password travels in clear inside the TLS tunnel, so its protection depends entirely on the client checking that it is talking to the ZyWALL's certificate. TKIP is the legacy WPA cipher; where both sides support it, AES (CCMP) is the stronger choice.
Figure 60 ZyXEL Wireless Client > Profile: Security Settings
5 Confirm your settings and click Save.
Figure 61 ZyXEL Wireless Client > Profile: Save
6 Click Activate Now.
Figure 62 ZyXEL Wireless Client > Profile: Activate
7 The ZYXEL_WPA profile displays in your list of profiles.
Figure 63 ZyXEL Wireless Client > Profile: Activate
Since the ZyXEL utility does not have the wireless client validate the ZyWALL's certificate, you can go straight to Section 6.3.3.4 on page 143. Be aware of what that skips: a client that does not validate the server certificate will also hand its PAP credentials to any access point that advertises the same network name and presents its own certificate. For anything beyond a lab, prefer a client that validates the certificate, such as the Odyssey client configured in the next section.

6.3.3.2 How to Configure the Funk Odyssey Wireless Client
This example shows how to configure Funk's Odyssey Access Client Manager wireless client software (not included with the ZyWALL) to use the WLAN interface.
1 Open the Odyssey wireless client software and click Profiles > Add.
Figure 65 Odyssey Access Client Manager > Profiles > User Info
3 Click the Authentication tab and select Validate server certificate.
Figure 66 Odyssey Access Client Manager > Profiles > Authentication
4 Click the TTLS tab and select PAP. Then click OK.
Figure 67 Odyssey Access Client Manager > Profiles > Authentication
5 Click Networks > Add.
Figure 68 Odyssey Access Client Manager > Networks
6 Enter the name of the wireless network ("ZYXEL_WPA" in this example) or click Scan to look for it. Then select Authenticate using profile and select the profile you configured ("ZYXEL_WPA" in this example). Click OK.
Figure 69 Odyssey Access Client Manager > Networks > Add
Use the next section to import the ZyWALL's certificate into the wireless client.

6.3.3.3 How the Wireless Clients Import the ZyWALL's Certificate
You must import the ZyWALL's certificate into the wireless clients if they are to validate the ZyWALL's certificate. Use the My Certificate Edit screen (see Section 41.2.2 on page 646) to export the certificate the ZyWALL is using for the WLAN interface. Export only the certificate, not its private key, and transfer it to the clients over a channel you trust, since each client will trust whatever certificate is installed in the next steps.
2 Click Import.
Figure 71 Internet Explorer: Tools > Internet Options > Content > Certificates
3 Use the wizard screens to import the certificate. You may need to change the Files of Type setting to All Files in order to see the certificate file.
Figure 72 Internet Explorer Certificate Import Wizard File Open Screen
4 When you get to the Certificate Store screen, you can just leave it at the default setting.
Figure 73 Internet Explorer Certificate Import Wizard Certificate Store Screen
5 If you get a security warning screen, click Yes to proceed. Windows is asking you to confirm that this certificate should become a trusted root; confirm it only for the certificate you just exported from the ZyWALL.
Figure 74 Internet Explorer Certificate Import Wizard Security Warning Screen
6 The Internet Explorer Certificates screen remains open after the import is done. You can see the newly imported certificate listed in the Trusted Root Certification Authorities tab.
Figure 75 Internet Explorer: Trusted Root Certification Authorities
As shown here, the My Certificates screen uses a prefix, followed by a hyphen, to indicate what type of information is being displayed, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).
Figure 76 Object > Certificate > My Certificates
Repeat the steps to import the certificate into each wireless client that is to validate the ZyWALL's certificate when using the WLAN interface.
6.3.
Figure 77 Funk Odyssey Access Wireless Client Login Example

6.4 How to Set Up an IPSec VPN
This example shows how to create the VPN tunnel illustrated below.
Figure 78 VPN Example (router X: WAN 1.2.3.4, LAN 192.168.1.0/24; router Y: WAN 2.2.2.2, LAN 172.16.1.0/24)
In this example, the ZyWALL is router X (1.2.3.4), and the remote IPSec router is router Y (2.2.2.2). Create the VPN tunnel between ZyWALL X's LAN subnet (192.168.1.0/24) and the LAN subnet behind peer IPSec router Y (172.16.1.0/24).
6.4.
Figure 79 VPN > IPSec VPN > VPN Gateway > Add

6.4.2 How to Set Up the VPN Connection
The VPN connection manages the IPSec SA. You have to set up the address objects for the local network and the remote network before you can set up the VPN connection.
1 Click Object > Address > Address. Click the Add icon.
2 Give the new address object a name ("VPN_REMOTE_SUBNET") and change the Address Type to SUBNET. Set the Network field to 172.16.1.0 and the Netmask to 255.255.255.0. Click OK.
Figure 81 VPN > IPSec VPN > VPN Connection > Add

6.4.3 How to Set Up the Policy Route for the VPN Tunnel
Do the following to create a policy route to have the ZyWALL send traffic through the VPN tunnel.
1 Click Network > Routing > Policy Route. You want this policy route to have higher priority than the default policy route for the trunk, so click the Add icon at the top of the column, not the one next to the existing policy route.
and destination address objects here. The next-hop is the VPN connection that you created. Click OK.
Figure 83 Network > Routing > Policy Route > Add
3 Now set up the VPN settings on the peer IPSec router and try to establish the VPN tunnel. To trigger the VPN, either try to connect to a device on the peer IPSec router's LAN or click VPN > IPSec VPN > VPN Connection and use the VPN connection screen's Connect icon.
6.4.
6.5 How to Configure User-aware Access Control
You can configure many policies and security settings for specific users or groups of users. This is illustrated in the following example, where you will set up the following policies. This is a simple example that does not include priorities for different types of traffic. See Bandwidth Management on page 444 for more on bandwidth management.

2 Enter the name of the group that is used in Table 31 on page 148. In this example, it is "Finance". Then, select User/Leo and click the right arrow to move him to the Member list. This example has only one member in this group, so click OK. Of course, you could add more members later.
Figure 85 Object > User/Group > Group > Add
3 Repeat this process to set up the remaining user groups.
6.5.

Figure 87 Object > Auth. method > Add
4 Click System > WWW. In the Authentication section, select the new authentication method in the Client Authentication Method field. Click Apply.
Figure 88 System > WWW (Authentication)
5 Click Object > User/Group > Setting. In the Force User Authentication Policy section, click the Add icon.
6 Set up a default policy that forces every user to log in to the ZyWALL before the ZyWALL routes traffic for them. Select Enable.
Chapter 6 Tutorials 1 Click AppPatrol. If application patrol and bandwidth management are not enabled, enable them, and click Apply. Figure 90 AppPatrol > General 2 Click the Common tab and then the Edit icon next to the default http service. Figure 91 AppPatrol > Common 3 Click the Default policy’s Edit icon. Figure 92 AppPatrol > Common > http 4 Change the access to Drop because you do not want anyone except authorized user groups to browse the web. Click OK.
Chapter 6 Tutorials Figure 93 AppPatrol > Common > http > Edit Default 5 Click the Add icon in the policy list. In the new policy, select one of the user groups that is allowed to browse the web and set the corresponding bandwidth restriction in the Inbound and Outbound fields. Click OK. Repeat this process to add exceptions for all the other user groups that are allowed to browse the web. Figure 94 AppPatrol > Common> http > Edit Default 6.5.
Chapter 6 Tutorials Figure 95 Object > Schedule > Add (Recurring) 3 Follow the steps in Section 6.5.4 on page 150 to set up the appropriate policies for MSN in application patrol. Make sure to specify the schedule when you configure the policy for the Sales group’s MSN access. 6.5.6 How to Set Up Firewall Rules Use the firewall to control access from LAN1 to the DMZ. 1 Click Firewall. In From Zone, select LAN1; in To Zone, select DMZ and click Refresh.
Chapter 6 Tutorials Figure 97 Firewall > LAN1 to DMZ > Edit 3 Click the Add icon at the top of the rule list to create a rule for one of the user groups that is allowed to access the DMZ. 4 Select one of the user groups that is allowed to access the DMZ, and click OK. Figure 98 Firewall > Add 5 Repeat this process to set up firewall rules for the other user groups that are allowed to access the DMZ. 6.
Chapter 6 Tutorials You do not have to change many of the ZyWALL’s settings from the defaults to set up this trunk. You only have to set up the bandwidth on wan1 and wan2 and change the algorithm that WAN_TRUNK uses. 6.6.1 How to Set Up Available Bandwidth on Ethernet Interfaces 1 Click Network > Interface > Ethernet and the wan1 Edit icon. Enter the available bandwidth (1000 kbps) in the Egress Bandwidth field. Click OK.
Chapter 6 Tutorials Figure 101 Network > Interface > Trunk > WAN_TRUNK > Edit 6.7 How to Configure Service Control Service control lets you configure rules that control HTTP and HTTPS management access (to the web configurator) and separate rules that control HTTP and HTTPS user access (logging into SSL VPN for example). See Chapter 43 on page 665 for more on service control. The To-ZyWALL firewall rules apply to any kind of HTTP or HTTPS connection to the ZyWALL.
Chapter 6 Tutorials Figure 102 System > WWW 3 In the Zone field select LAN1 and click OK. Figure 103 System > WWW > Service Control Rule Edit 4 Click the new rule’s Add icon.
Chapter 6 Tutorials Figure 104 System > WWW (First Example Admin Service Rule Configured) 5 Set the Zone to ALL and set the Action to Deny. Click OK. Figure 105 System > WWW > Service Control Rule Edit 6 Click Apply.
Chapter 6 Tutorials Figure 106 System > WWW (Second Example Admin Service Rule Configured) Now administrator access to the web configurator can only come from the LAN1 zone. Nonadmin users can still use HTTPS to log into the ZyWALL from any of the ZyWALL’s zones (to use SSL VPN for example). 6.8 How to Allow Incoming H.323 Peer-to-peer Calls Suppose you have a H.323 device on LAN1 for VoIP calls and you want it to be able to receive peer-to-peer calls from the WAN.
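The tutorials above all depend on one evaluation rule: the ZyWALL walks a rule list top to bottom and acts on the first match, which is why a specific rule (admin access from LAN1, the policy route for the VPN tunnel, a group’s AppPatrol exception) has to sit above the broad rule it overrides. The following Python model is added here as an example; it is not taken from ZyXEL’s documentation or firmware. It encodes the service-control pair from Section 6.7, the default-Drop-plus-scheduled-exception pattern from Sections 6.5.4 and 6.5.5, and a default-drop zone rule with an exception of the kind used for H.323 later in this chapter, and it includes a shadowing check that flags a rule that can never fire. The Flow and Rule fields, the zone name "ZyWALL" for traffic to the device itself, the service labels and the 12:00-13:00 schedule are this example’s own assumptions.

```python
"""Added example (not ZyXEL code): a first-match policy evaluator.

The ZyWALL takes the first rule that matches a flow and stops, which is why
the tutorials insist on placing a rule above the default it is an exception
to (the Add icon at the top of the list in Sections 6.4.3 and 6.7, "add a
rule before the default rule" in 6.8.3). The Flow/Rule fields, the zone
name "ZyWALL" for to-device traffic and the schedule hours are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "ANY"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str                       # "ZyWALL" models To-ZyWALL traffic
    dst_ip: str
    service: str                        # e.g. "HTTPS", "TCP/1720", "msn"
    user_group: Optional[str] = None    # known once the user has logged in
    hour: Optional[int] = None          # 0-23, consulted by scheduled rules


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                         # "allow" or "deny"
    src_zone: str = ANY
    dst_zone: str = ANY
    dst_ip: str = ANY
    service: str = ANY
    user_group: str = ANY
    hours: Optional[Tuple[int, int]] = None   # inclusive range; None = always

    def matches(self, f: Flow) -> bool:
        pairs = ((self.src_zone, f.src_zone), (self.dst_zone, f.dst_zone),
                 (self.dst_ip, f.dst_ip), (self.service, f.service),
                 (self.user_group, f.user_group))
        if any(want not in (ANY, got) for want, got in pairs):
            return False
        if self.hours is None:
            return True
        return f.hour is not None and self.hours[0] <= f.hour <= self.hours[1]


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny"):
    """First match wins; `default` applies only when no rule matches."""
    for r in rules:
        if r.matches(flow):
            return r.action, r.name
    return default, "default"


def shadows(a: Rule, b: Rule) -> bool:
    """True if an earlier rule a already takes every flow that b would match."""
    for fld in ("src_zone", "dst_zone", "dst_ip", "service", "user_group"):
        if getattr(a, fld) not in (ANY, getattr(b, fld)):
            return False
    if a.hours is None:
        return True
    return b.hours is not None and a.hours[0] <= b.hours[0] <= b.hours[1] <= a.hours[1]


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Rules that can never fire. Run this before Apply: had the lower Add icon
    been clicked in Section 6.7, the Deny-ALL rule would come first and the
    LAN1 allow rule would appear here, locking administrators out."""
    return [b.name for i, b in enumerate(rules)
            if any(shadows(a, b) for a in rules[:i])]


# Section 6.7: administrator access to the web configurator only from LAN1.
ADMIN_SERVICE_CONTROL = [
    Rule("admin-from-lan1", "allow", src_zone="LAN1", dst_zone="ZyWALL", service="HTTPS"),
    Rule("admin-deny-all", "deny", dst_zone="ZyWALL", service="HTTPS"),
]

# Section 6.8.3: H.323 (TCP 1720) to the 10.0.0.8 WAN address, placed ahead of
# the default rule that drops all WAN-to-LAN1 traffic.
WAN_TO_LAN1 = [
    Rule("h323-to-10.0.0.8", "allow", src_zone="WAN", dst_zone="LAN1",
         dst_ip="10.0.0.8", service="TCP/1720"),
    Rule("wan-to-lan1-default", "deny", src_zone="WAN", dst_zone="LAN1"),
]

# Sections 6.5.4 and 6.5.5: default Drop for a service, with a per-group
# exception bound to a schedule (the 12-13 window is an assumed value).
MSN_APPPATROL = [
    Rule("msn-sales-scheduled", "allow", service="msn", user_group="Sales", hours=(12, 13)),
    Rule("msn-default", "deny", service="msn"),
]
```

Run shadowed_rules() against a rule list before clicking Apply; any name in its output means the order is wrong. Reversing the two service-control rules, for example, reports admin-from-lan1 as shadowed, which on the real device means no administrator can reach the web configurator from anywhere.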
6.8.1 How to Turn On the ALG
Click Network > ALG. Select Enable H.323 transformations and click Apply.
Figure 108 Network > ALG
6.8.2 How to Set Up a Virtual Server Policy For H.323
In this example, you need a virtual server policy to forward H.323 (TCP port 1720) traffic received on the ZyWALL’s 10.0.0.8 WAN IP address to LAN1 IP address 192.168.1.56.
Figure 110 Network > Virtual Server > Add
6.8.3 How to Set Up a Firewall Rule For H.323
Here is how to configure a firewall rule to allow H.323 (TCP port 1720) traffic received on the WAN_IP-for-H323 IP address to go to LAN1 IP address 192.168.1.56. 1 Click Firewall. In From Zone, select WAN; in To Zone, select LAN1. 2 The default rule for WAN-to-LAN1 traffic drops all traffic. You want to allow H.323 access through IP address 10.0.0.8, so add a rule before the default rule.
Figure 112 Firewall > Add
4 Configure an address object for the ZyWALL’s 10.0.0.8 WAN IP address as follows and click OK.
Figure 113 Object > Address > Add
5 Configure the screen as follows and click OK.
Figure 114 Firewall > WAN to LAN > Add
Now people can call the H.323 device through the Internet.
6.9 How to Use Device HA
Here is an example of using device HA (High Availability) to back up ZyWALL A (the master) with ZyWALL B.
An Ethernet switch connects both ZyWALLs’ lan1 interfaces to LAN1. Whichever ZyWALL is functioning as the master uses the default gateway IP address of the LAN1 computers (192.168.1.1) for its lan1 interface and the static public IP address (1.1.1.1) for its wan1 interface. If ZyWALL A recovers (has both its lan1 and wan1 interfaces connected), it resumes its role as the master and takes over all of its functions again.
Figure 115 Device HA: Master Fails and Backup Takes Over
2 Configure 192.168.1.3 as the Management IP and 255.255.255.0 as the Subnet Mask. Click OK.
Figure 117 Device HA > Active-Passive Mode > Edit: Master ZyWALL Example
3 Set the Device Role to Master. This example focuses on LAN1’s connection to the Internet through the wan1 interface, so turn on monitoring for the wan1 and lan1 interfaces. Enter a Synchronization Password (“mySyncPassword” in this example) and click Apply. Choose the synchronization password as carefully as an administrator password: it is what allows the backup to pull the master’s complete configuration.
Figure 119 Device HA > General: Master ZyWALL Example
6.9.3 How to Configure the Backup ZyWALL
1 Connect a computer to ZyWALL B’s lan1 interface and log into its web configurator. Connect ZyWALL B to the Internet and subscribe it to the same subscription services (like content filtering and anti-virus) to which ZyWALL A is subscribed. See Chapter 8 on page 185 for more on the subscription services. 2 In ZyWALL B click Device HA > Active-Passive Mode. Click lan1’s Edit icon.
Figure 121 Device HA > Active-Passive Mode: Backup ZyWALL Example
5 Click the General tab. Turn on device HA and click Apply.
Figure 122 Device HA > General: Master ZyWALL Example
6.9.4 How to Deploy the Backup ZyWALL
Connect ZyWALL B’s lan1 interface to the LAN1 network. Connect ZyWALL B’s wan1 interface to the same router that ZyWALL A’s wan1 interface uses for Internet access. ZyWALL B copies A’s configuration (and resynchronizes with A every hour).
Maintenance > File Manager > Configuration File screen to save copies of the ZyWALLs’ configuration files that you can compare. 2 To test your device HA configuration, disconnect ZyWALL A’s lan1 or wan1 interface. Computers on LAN1 should still be able to access the Internet. If they cannot, check your connections and device HA configuration. Congratulations! Now that you have configured device HA for LAN1, you can use the same process for any of the ZyWALL’s other local networks.
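As an added example (not ZyXEL code), here is the election rule that the section above describes in prose: the configured master holds the LAN1 gateway address and the public WAN address only while every monitored interface is up, the backup takes them over otherwise, and the master takes them back as soon as it recovers. The code also runs the preconditions worth checking before device HA is turned on. ZyWALL B’s management IP (192.168.1.4), the unit and field names, and the way state is represented are assumptions; the ZyWALL itself performs this election with VRRP, as the HA Status field in Chapter 7 shows.

```python
"""Added example (not ZyXEL code): the active-passive election described in
Section 6.9, modeled so that failover, fail-back and the configuration
preconditions can be checked before two units are cabled together. The
ZyWALL performs the election with VRRP; this code reproduces only the
decision rule. The unit names, ZyWALL B's management IP (192.168.1.4) and
the field layout are this example's assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Addresses the active unit takes over on behalf of LAN1 (Section 6.9):
# the LAN1 default gateway and the static public WAN address.
VIRTUAL_IPS = {"lan1": "192.168.1.1", "wan1": "1.1.1.1"}


@dataclass
class Unit:
    name: str
    role: str                       # "Master" or "Backup" (the Device Role field)
    mgmt_ip: str                    # per-unit Management IP, never shared
    sync_password: str
    links: Dict[str, bool]          # monitored interface -> link is up

    def healthy(self) -> bool:
        """A unit may be active only while every monitored interface is up."""
        return all(self.links.values())


def elect(units: List[Unit]) -> Optional[Unit]:
    """The configured Master wins whenever it is healthy, so it takes the
    role back as soon as it recovers; otherwise a healthy Backup; None means
    LAN1 has no gateway at all."""
    for role in ("Master", "Backup"):
        for u in units:
            if u.role == role and u.healthy():
                return u
    return None


def owned_addresses(units: List[Unit]) -> Dict[str, Dict[str, str]]:
    """Addresses each unit answers on right now: its own management IP,
    plus the virtual IPs if it is the active unit."""
    active = elect(units)
    return {u.name: {"mgmt": u.mgmt_ip, **(VIRTUAL_IPS if u is active else {})}
            for u in units}


def precheck(units: List[Unit]) -> List[str]:
    """What to verify before turning on device HA on the General tab."""
    issues = []
    if sum(u.role == "Master" for u in units) != 1:
        issues.append("exactly one unit must have the Master role")
    if len({u.sync_password for u in units}) != 1:
        issues.append("synchronization passwords differ; the backup cannot copy the master's configuration")
    mgmt = [u.mgmt_ip for u in units]
    if len(set(mgmt)) != len(mgmt):
        issues.append("management IPs must be unique per unit")
    for u in units:
        if u.mgmt_ip in VIRTUAL_IPS.values():
            issues.append(f"{u.name}: management IP collides with a virtual IP")
        if set(u.links) != set(VIRTUAL_IPS):
            issues.append(f"{u.name}: monitored interfaces differ from {sorted(VIRTUAL_IPS)}")
    return issues


def failover_sequence() -> List[Optional[str]]:
    """Walk the test at the end of Section 6.9: both units up, ZyWALL A's wan1
    unplugged, then reconnected. Returns the active unit after each step."""
    a = Unit("ZyWALL A", "Master", "192.168.1.3", "mySyncPassword", {"lan1": True, "wan1": True})
    b = Unit("ZyWALL B", "Backup", "192.168.1.4", "mySyncPassword", {"lan1": True, "wan1": True})
    seen = []
    for wan1_up in (True, False, True):
        a.links["wan1"] = wan1_up
        active = elect([a, b])
        seen.append(active.name if active else None)
    return seen
```

failover_sequence() replays the test in step 2 above; precheck() is the list to run through before the General tab’s Apply, since a mismatched synchronization password or a duplicated management IP only shows up once the backup fails to take over.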
Figure 125 Creating the Address Object for the wan2 Public IP Address
6.10.2 How to Configure a Virtual Server
You need a virtual server to send HTTP traffic coming to IP address 1.1.1.2 on wan2 to the HTTP server’s private IP address of 192.168.3.7. In the Network > Virtual Server screen, click the + symbol and create a new virtual server entry as shown next. • This virtual server is for traffic coming in on wan2 to IP address 1.1.1.2 (defined in the WAN2_HTTP object).
The firewall allows traffic from the WAN zone to the DMZ zone by default, so your configuration is done. Check the WAN-to-DMZ rule set on your own ZyWALL before relying on this, though: if that default has been tightened, add a rule that allows the HTTP traffic above the rule that drops it, as in Section 6.8.3. Now the public can go to IP address 1.1.1.2 to access the HTTP server. If a domain name is registered for IP address 1.1.1.2, users can just go to the domain name to access the web server.
CHAPTER 7 Status 7.1 Overview Use the Status screens to check status information about the ZyWALL. 7.1.1 What You Can Do in the Status Screens Use the Status screens for the following. • Use the main Status screen (see Section 7.2 on page 171) to see the ZyWALL’s general device information, system status, system resource usage, licensed service status, and interface status. You can also go to the other status screens for more information. • Use the VPN status screen (see Section 7.2.
Figure 127 Status
The following table describes the labels in this screen.
Table 32 Status
Refresh Interval: Select how often you want the screen to automatically refresh.
Refresh Now: Click this to update the screen immediately.
Device Information
System Name: This field displays the name used to identify the ZyWALL on any network. Click the icon to open the screen where you can change it. See Section 43.2 on page 666.
Table 32 Status (continued)
Current Date/Time: This field displays the current date and time in the ZyWALL. The format is yyyy-mm-dd hh:mm:ss.
VPN Status: Click this to look at the VPN tunnels that are currently established. See Section 7.2.4 on page 178.
DHCP Table: Click this to look at the IP addresses currently assigned to the ZyWALL’s DHCP clients and the IP addresses reserved for specific MAC addresses. See Section 7.2.5 on page 179.
Table 32 Status (continued)
Signature Version: This field displays the version number, date, and time of the current set of signatures the ZyWALL is using.
Last Update Time: This field displays the last time the ZyWALL received updated signatures.
Total Signature Number: This field displays the total number of signatures in the current signature version.
Table 32 Status (continued)
HA Status: This field displays the status of the interface in the virtual router. Active - This interface is the master interface in the virtual router. Stand-By - This interface is a backup interface in the virtual router. Fault - This VRRP group is not functioning in the virtual router right now. For example, this might happen if the interface is down. n/a - Device HA is not active on the interface.
Figure 128 Status > CPU Usage
The following table describes the labels in this screen.
Table 33 Status > CPU Usage
100 %: The y-axis represents the percentage of CPU usage.
time: The x-axis shows the time period over which the CPU usage occurred.
Refresh Interval: Enter how often you want this window to be automatically updated.
Refresh Now: Click this to update the information in the window right away.
Figure 129 Status > Memory Usage
The following table describes the labels in this screen.
Table 34 Status > Memory Usage
100 %: The y-axis represents the percentage of RAM usage.
time: The x-axis shows the time period over which the RAM usage occurred.
Refresh Interval: Enter how often you want this window to be automatically updated.
Refresh Now: Click this to update the information in the window right away.
Figure 130 Status > Session Usage
The following table describes the labels in this screen.
Table 35 Status > Session Usage
Sessions: The y-axis represents the number of sessions.
time: The x-axis shows the time period over which the session usage occurred.
Refresh Interval: Enter how often you want this window to be automatically updated.
Refresh Now: Click this to update the information in the window right away.
Figure 131 Status > VPN Status
The following table describes the labels in this screen.
Table 36 Status > VPN Status
#: This field is a sequential value, and it is not associated with a specific SA.
Name: This field displays the name of the IPSec SA.
Encapsulation: This field displays how the IPSec SA is encapsulated.
IPSec Algorithm: This field displays the encryption and authentication algorithms used in the SA.
The following table describes the labels in this screen.
Table 37 Status > DHCP Table
Interface: Select the interface for which you want to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses.
#: This field is a sequential value, and it is not associated with a specific entry.
IP Address: This field displays the IP address currently assigned to a DHCP client or reserved for a specific MAC address.
The following table describes the labels in this screen.
Table 38 Status > Port Statistics
Switch to Graphic View: Click this to display the port statistics as a line graph.
Port: This field displays the physical port number.
Status: This field displays the current status of the physical port. Down - The physical port is not connected. Speed / Duplex - The physical port is connected. This field displays the port speed and duplex setting (Full or Half).
Figure 134 Status > Port Statistics > Switch to Graphic View
The following table describes the labels in this screen.
Table 39 Status > Port Statistics > Switch to Graphic View
Port: Select the number of the physical port for which you want to display graphics.
Switch to Table View: Click this to display the port statistics as a table.
bps: The y-axis represents the speed of transmission or reception.
Figure 135 Status > Current Users
The following table describes the labels in this screen.
Table 40 Status > Current Users
#: This field is a sequential value and is not associated with any entry.
User ID: This field displays the user name of each user who is currently logged in to the ZyWALL.
Reauth Lease T.: This field displays the amount of reauthentication time remaining and the amount of lease time remaining for each user. See Chapter 35 on page 593.
Table 41 Status > Cellular Detail (continued)
Cellular System: This field displays the type of the network to which the ZyWALL is connected. The network type varies depending on the 3G card you inserted and could be UMTS, UMTS/HSDPA, GPRS or EDGE when you insert a GSM 3G card, or 1xRTT, EVDO Rev.0 or EVDO Rev.A when you insert a CDMA 3G card.
Signal Strength: This displays the strength of the signal.
CHAPTER 8 Registration 8.1 Overview Use the Licensing > Registration screens to register your ZyWALL and manage its service subscriptions. 8.1.1 What You Can Do in the Registration Screens • Use the Registration screen (see Section 8.2 on page 186) to register your ZyWALL with myZyXEL.com and activate a service, such as content filtering. • Use the Service screen (see Section 8.3 on page 189) to display the status of your service registrations and upgrade licenses.
Subscription Services Available on the ZyWALL
You can have the ZyWALL use anti-virus, IDP/AppPatrol (Intrusion Detection and Prevention and application patrol), and content filtering subscription services. You can also purchase and enter a license key to have the ZyWALL use more SSL VPN tunnels. See the respective User’s Guide chapters for more information about these features.
Anti-Virus Engines
Subscribe to signature files for ZyXEL’s anti-virus engine or one powered by Kaspersky.
Figure 137 Licensing > Registration
The following table describes the labels in this screen.
Table 42 Licensing > Registration
General Setup: If you select existing myZyXEL.com account, only the User Name and Password fields are available.
new myZyXEL.com account: If you haven’t created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your ZyWALL.
existing myZyXEL.
Table 42 Licensing > Registration (continued)
Anti-Virus Signature Service: The ZyWALL’s anti-virus packet scanner uses the signature files on the ZyWALL to detect virus files. Select ZyXEL’s anti-virus engine or the Kaspersky anti-virus engine. During the trial you can use these fields to change from one anti-virus engine to the other.
8.3 The Service Screen
Use this screen to display the status of your service registrations and upgrade licenses. To activate or extend a standard service subscription, purchase an iCard and enter the iCard’s PIN number (license key) in this screen. Click Licensing > Registration > Service to open the screen as shown next.
Figure 139 Licensing > Registration > Service
The following table describes the labels in this screen.
CHAPTER 9 Signature Update 9.1 Overview This chapter shows you how to update the ZyWALL’s signature packages. 9.1.1 What You Can Do in the Update Screens • Use the Licensing > Update > Anti-virus screen (Section 9.2 on page 191) to update the anti-virus signatures. See Chapter 28 on page 469 for details on anti-virus. • Use the Licensing > Update > IDP/AppPatrol screen (Section 9.3 on page 193) to update the signatures used for IDP and application patrol. See Chapter 29 on page 483 for details on IDP.
Figure 140 Licensing > Update > Anti-Virus
The following table describes the labels in this screen.
Signature Information: The following fields display information on the current signature set that the ZyWALL is using.
Anti-Virus Engine Type: This field displays whether the ZyWALL is set to use ZyXEL’s anti-virus engine or the one powered by Kaspersky.
Current Version: This field displays the anti-virus signatures version number currently used by the ZyWALL.
9.3 The IDP/AppPatrol Update Screen
Click Licensing > Update > IDP/AppPatrol to display the following screen. The ZyWALL comes with signatures for the IDP and application patrol features. These signatures are continually updated as new attack types evolve. New signatures can be downloaded to the ZyWALL periodically if you have subscribed for the IDP/AppPatrol signatures service. You need to create an account at myZyXEL.
Table 44 Licensing > Update > IDP/AppPatrol (continued)
Daily: Select this option to have the ZyWALL check for new IDP signatures every day at the specified time. The time format is the 24 hour clock, so ‘23’ means 11PM for example.
Weekly: Select this option to have the ZyWALL check for new IDP signatures once a week on the day and at the time specified.
Apply: Click this button to save your changes to the ZyWALL.
Figure 144 Licensing > Update > System Protect
The following table describes the fields in this screen.
Table 45 Licensing > Update > System Protect
Signature Information: The following fields display information on the current signature set that the ZyWALL is using.
Current Version: This field displays the system protect signature and anomaly rule set version number. This number gets larger as the set is enhanced.
Figure 145 Downloading System Protect Signatures
Figure 146 Successful System Protect Signature Download
PART II Network: Interface (199), Trunks (269), Policy and Static Routes (277), Routing Protocols (287), Zones (299), DDNS (303), Virtual Servers (309), HTTP Redirect (321), ALG (325)
CHAPTER 10 Interface 10.1 Interface Overview Use the Interface screens to configure the ZyWALL’s interfaces. You can also create interfaces on top of other interfaces. • Ports are the physical ports to which you connect cables. • Interfaces are used within the system operationally. You use them in configuring various features. An interface also describes a network that is directly connected to the ZyWALL. For example, you connect the LAN1 network to the LAN1 interface.
10.1.2 What You Need to Know About Interfaces
Interface Characteristics
Interfaces generally have the following characteristics (although not all characteristics apply to each type of interface).
• An interface is a logical entity through which (layer-3) packets pass.
• An interface is bound to a physical port or another interface.
• Many interfaces can share the same physical port.
• An interface belongs to at most one zone.
• Many interfaces can belong to the same zone.
Trunks and the auxiliary interface have many characteristics that are specific to each type of interface. See Chapter 11 on page 269 and Section 10.14 on page 261 for details. The other types of interfaces (Ethernet, VLAN, bridge, PPPoE/PPTP, and virtual) have a lot of similar characteristics. These characteristics are listed in the following table and discussed in more detail below.
Table 47 Relationships Between Different Types of Interfaces (continued)
INTERFACE: REQUIRED PORT / INTERFACE
PPPoE/PPTP interface: WAN1, WAN2, OPT*
virtual interface (virtual Ethernet interface): Ethernet interface*
virtual interface (virtual VLAN interface): VLAN interface*
virtual interface (virtual bridge interface): bridge interface
trunk: Ethernet interface, Cellular interface, VLAN interface, bridge interface, PPPoE/PPTP interface, auxiliary interface
* - You cannot set up a PPPoE/PPTP interface, virtual Ethernet int
Figure 147 Network > Interface > Status
Each field is described in the following table.
Table 48 Network > Interface > Status
Interface Status: If an Ethernet interface does not have any physical ports associated with it, its entry is displayed in light gray text.
Expand/Close: Click this button to show or hide the status of all the virtual interfaces on top of the Ethernet interfaces.
Name: This field displays the name of each interface.
Table 48 Network > Interface > Status (continued)
Status: This field displays the current status of each interface. The possible values depend on what type of interface it is. For Ethernet interfaces: Inactive - The Ethernet interface is disabled. Down - The Ethernet interface does not have any physical ports associated with it or is enabled but not connected. Speed / Duplex - The Ethernet interface is enabled and connected.
Table 48 Network > Interface > Status (continued)
Expand/Close: Click this button to show or hide statistics for all the virtual interfaces on top of the Ethernet interfaces.
Name: This field displays the name of each interface. If there is an Expand icon (plus-sign) next to the name, click this to look at the statistics for virtual interfaces on top of this interface.
Status: This field displays the current status of the interface.
Each section in this screen is described below.
Table 49 Network > Interface > Port Role
LAN1/WLAN/DMZ
PX~P7: These are physical Ethernet ports.
lan1 (LAN1), ext-wlan (WLAN), dmz (DMZ): These are Ethernet interfaces and the zone to which each belongs. Use the radio buttons to select for which interface (network) you want to use each physical port. For example, select a port’s LAN1 radio button to use the port as part of the lan1 interface.
Figure 149 Network > Interface > Ethernet
Each field is described in the following table.
Table 50 Network > Interface > Ethernet
#: This field is a sequential value, and it is not associated with any interface.
Name: This field displays the name of the interface.
IP Address: This field displays the current IP address of the interface. If the IP address is 0.0.0.0, the interface does not have an IP address yet.
Note: If you create IP address objects based on an interface’s IP address, subnet, or gateway, the ZyWALL automatically updates every rule or setting that uses the object whenever the interface’s IP address settings change. For example, if you change LAN1’s IP address, the ZyWALL automatically updates the corresponding interface-based LAN1 subnet address object.
With RIP, you can use Ethernet interfaces to do the following things.
Figure 150 Network > Interface > Ethernet > Edit (Opt)
Each field is described in the table below. The OPT interface’s Edit > Configuration screen contains all of the following fields. Not every field is included in other interface edit screens.
Table 51 Network > Interface > Ethernet > Edit
General Settings
Enable Interface: Select this to enable this interface. Clear this to disable this interface.
Interface Properties
Interface Name: This field is read-only. This is the name of the Ethernet interface.
Table 51 Network > Interface > Ethernet > Edit (continued)
Ingress Bandwidth: This is reserved for future use. Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can receive from the network through the interface. Allowed values are 0 - 1048576.
MTU: Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the ZyWALL divides it into smaller fragments.
Table 51 Network > Interface > Ethernet > Edit (continued)
More Settings/Less Settings: Click this button to display a greater or lesser number of configuration fields.
RIP Setting: See Section 13.2 on page 288 for more information about RIP.
Enable RIP: Select this to enable RIP on this interface.
Direction: This field is effective when RIP is enabled. Select the RIP direction from the drop-down list box.
Table 51 Network > Interface > Ethernet > Edit (continued)
Overwrite Default MAC Address: Select this option to have the interface use a different MAC address. Either enter the MAC address in the fields or click Clone by host and enter the IP address of the device or computer whose MAC you are cloning. Once it is successfully configured, the address will be copied to the configuration file.
DHCP Settings
DHCP
Table 51 Network > Interface > Ethernet > Edit (continued)
Lease time: Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are: infinite - select this if IP addresses never expire. days, hours, and minutes - select this to enter how long IP addresses are valid.
Edit static DHCP table: Click this if you want the ZyWALL to assign static IP addresses to computers.
Figure 152 Interface Wizard: OPT Interface First Screen
The following table describes the labels in this screen.
Table 52 Interface Wizard: OPT Interface First Screen
Would you like to configure OPT interface as a WAN interface?: Select Yes to use the OPT interface as a WAN interface (for an Internet connection). Select No to use the OPT interface for a local network (similar to a lan1, ext-wlan, or dmz interface).
Figure 154 Interface Wizard: Non-WAN OPT Interface Setup
The following table describes the labels in this screen.
Table 54 Interface Wizard: Non-WAN OPT Interface Setup
Zone: Select the security zone to which you want this interface to belong.
IP Address: Enter the IP address for this interface.
IP Subnet Mask: Enter the subnet mask of this interface in dotted decimal notation.
Figure 155 Interface Wizard: WAN Interface Zone and IP Address Setup
The following table describes the labels in this screen.
Table 55 Interface Wizard: WAN Interface Zone and IP Address Setup
WAN Interface: This is the interface you are configuring for Internet access.
Zone: Select the zone to which this interface and Internet connection will belong. You configure security policies by zone.
The following table describes the labels in this screen.
Table 56 Interface Wizard: WAN ISP Connection Settings
ISP Parameter: This section appears if the interface uses a PPPoE or PPTP Internet connection.
User Name: Type the user name given to you by your ISP. You can use alphanumeric and _@$./ characters, and it can be up to 31 characters long.
Password: Type the password associated with the user name above. Use up to 64 ASCII characters except the [] and ?.
10.5.6 Interface Wizard: Summary (Non-WAN)
Use this screen to review the local interface’s settings.
Figure 157 Interface Wizard: Summary (Non-WAN)
The following table describes the labels in this screen.
Table 57 Interface Wizard: Summary (Non-WAN)
Zone: This is the security zone to which this interface belongs.
IP Address: This is the interface’s IP address.
IP Subnet Mask: This is the interface’s subnet mask in dotted decimal notation.
Figure 158 Interface Wizard: Summary WAN (PPTP Shown)
The following table describes the labels in this screen.
Table 58 Interface Wizard: Summary WAN
Encapsulation: This displays what encapsulation this interface uses to connect to the Internet.
Base Interface: This field only appears for a PPTP interface. It displays the identity of the Ethernet interface for connecting with a modem or router.
Base IP Address: This field only appears for a PPTP interface.
10.6 The PPP Interfaces Screen
Use PPP interfaces (PPPoE/PPTP interfaces) to connect to your ISP so you do not have to install or manage PPPoE or PPTP software on each computer in the network.
Figure 159 Example: PPPoE/PPTP Interfaces
PPPoE/PPTP interfaces are similar to other interfaces in some ways. They have an IP address, subnet mask, and gateway used to make routing decisions; they restrict bandwidth and packet size; and they can verify the gateway is available.
Table 59 Network > Interface > PPP (continued)
Add icon: This column lets you create, edit, remove, activate, deactivate, connect and disconnect interfaces. To edit an interface, click the Edit icon next to it. The PPPoE/PPTP Interface Add/Edit screen appears. To activate or deactivate an interface, click the Active icon next to it. Make sure you click Apply to save and apply the change. To connect or disconnect an interface, click the Connect icon next to it.
Figure 161 Network > Interface > PPP > Edit > Configuration
Each field is explained in the following table.
Table 60 Network > Interface > PPP > Edit > Configuration
General Settings
Enable Interface: Select this to enable this interface. Clear this to disable this interface.
Interface Properties
Interface Name: This field is read-only and displays the name of the PPP interface. The format is the name of the physical port followed by “ppp”.
Table 60 Network > Interface > PPP > Edit > Configuration (continued)
Description: Enter a description of this interface. It is not used elsewhere. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
Connectivity
Nailed-Up: Select this if the PPPoE/PPTP connection should always be up. Clear this to have the ZyWALL establish the PPPoE/PPTP connection only when there is traffic.
Table 60 Network > Interface > PPP > Edit > Configuration (continued)
Ingress Bandwidth: This is reserved for future use. Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can receive from the network through the interface. Allowed values are 0 - 1048576.
MTU: Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface.
10.7 Cellular Configuration Screen (3G)
3G (Third Generation) is a digital, packet-switched wireless technology. Bandwidth usage is optimized as multiple users share the same channel and bandwidth is only allocated to users when they send data. It allows fast transfer of voice and non-voice data and provides broadband Internet access to mobile devices.
Note: Install (or connect) a compatible 3G card to use a cellular connection. See Chapter 50 on page 749 for details.
Note: The WAN IP addresses of a ZyWALL with multiple WAN interfaces must be on different subnets.
Figure 162 Network > Interface > Cellular
The following table describes the labels in this screen.
Table 62 Network > Interface > Cellular
#: This field is a sequential value, and it is not associated with any interface.
Chapter 10 Interface 10.7.1 Cellular Add/Edit Screen To change your 3G settings, click Network > Interface > Cellular > Add (or Edit). In the pop-up window that displays, select the slot that you want to configure. The following screen displays.
Chapter 10 Interface The following table describes the labels in this screen. Table 63 Interface > Cellular > Add LABEL DESCRIPTION Enable Interface Select this option to turn on this interface. Interface Properties Interface Name This field is read-only. This is the name of the cellular interface. Zone Select the zone to which you want the cellular interface to belong. The zone determines the security settings the ZyWALL uses for the interface.
Table 63 Interface > Cellular > Add (continued) LABEL PIN Code Interface Parameters DESCRIPTION This field displays with a GSM or HSDPA 3G card. A PIN (Personal Identification Number) code is the key that unlocks the SIM in the 3G card. Without the PIN code, you cannot use the 3G card. Enter the 4-digit PIN code (0000 for example) provided by your ISP. If you enter the PIN code incorrectly too many times (three consecutive wrong attempts on a standard SIM), the SIM is blocked and you cannot use the account to access the Internet until your ISP unblocks it.
Table 63 Interface > Cellular > Add (continued) LABEL DESCRIPTION More Settings/ Less Settings Click this button to display a greater or lesser number of configuration fields. IP Address Get Automatically Select this option if your ISP did not assign you a fixed IP address. This is the default selection. Use Fixed IP Address Select this option if the ISP assigned a fixed IP address.
The following table describes the labels in this screen. Table 64 Interface > Cellular > Status LABEL DESCRIPTION Refresh Click this button to update the information in the screen. # This field is a sequential value, and it is not associated with any interface. Extension Slot This field displays where the entry’s cellular card is located. Connected Device This field displays the model name of the cellular card.
Chapter 10 Interface Table 64 Interface > Cellular > Status (continued) LABEL DESCRIPTION Signal Quality This displays the strength of the signal. The signal strength mainly depends on the antenna output power and the distance between your ZyWALL and the service provider’s base station. More Info. This field displays other details about the 3G connection. 10.9 WLAN Interface General Screen The following figure provides an example of a wireless network. The wireless network is in the blue circle.
Figure 166 Network > Interface > WLAN The following table describes the general wireless LAN labels in this screen. Table 65 Network > Interface > WLAN LABEL DESCRIPTION WLAN Device Settings Enable WLAN Device Select this option to turn on the wireless LAN card. It is recommended that you configure the wireless security settings before you use this option to turn on a wireless LAN card. 802.
Chapter 10 Interface Table 65 Network > Interface > WLAN LABEL DESCRIPTION Name This field displays the name of the WLAN interface. SSID This is the SSID (Service Set IDentity) of the WLAN interface. IP Address This field displays the current IP address of the WLAN interface. If the IP address is 0.0.0.0, the interface does not have an IP address yet. This screen also shows whether the IP address is a static IP address (STATIC) or dynamically assigned (DHCP).
• WPA2-PSK and WPA-PSK do not employ user authentication and are known as the personal version of WPA. • WEP is better than no security, but its encryption is cryptographically broken: an attacker who captures enough traffic can recover the WEP key in minutes with freely available tools, so treat a WEP network as effectively open. Click Network > Interface > WLAN > Add (or Edit) to open the WLAN Edit screen. The screen varies according to the security features you select. It displays as shown next when you set the Security Type to none.
Figure 167 Network > Interface > WLAN > Add (No Security)
Chapter 10 Interface The following table describes the general wireless LAN labels in this screen. Table 67 Network > Interface > WLAN > Add (No Security) LABEL DESCRIPTION General Settings Enable Interface Select this option to turn on the wireless LAN interface. Interface Name Specify a number from 1~8 to complete the name for this wireless LAN interface. Description Enter a description of this interface. It is not used elsewhere.
Chapter 10 Interface Table 67 Network > Interface > WLAN > Add (No Security) (continued) LABEL DESCRIPTION Egress Bandwidth Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network. Allowed values are 0 - 1048576. This setting is used in WAN load balancing and bandwidth management. Ingress Bandwidth This is reserved for future use.
Chapter 10 Interface Table 67 Network > Interface > WLAN > Add (No Security) (continued) LABEL DESCRIPTION Lease time Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are: infinite - select this if IP addresses never expire. days, hours, and minutes - select this to enter how long IP addresses are valid. Edit static DHCP table Click this if you want the ZyWALL to assign static IP addresses to computers.
Chapter 10 Interface Table 67 Network > Interface > WLAN > Add (No Security) (continued) LABEL DESCRIPTION Priority Enter the priority (between 0 and 255) of this interface when the area is looking for a Designated Router (DR) or Backup Designated Router (BDR). The highestpriority interface identifies the DR, and the second-highest-priority interface identifies the BDR. Set the priority to zero if the interface can not be the DR or BDR.
Chapter 10 Interface Figure 169 Network > Interface > WLAN > Add (WEP Security) The following table describes the WEP-related wireless LAN security labels in this screen. See Table 67 on page 238 for information on the 802.1x fields. Table 68 Network > Interface > WLAN > Add (WEP Security) LABEL DESCRIPTION WEP Encryption WEP (Wired Equivalent Privacy) provides data encryption to prevent unauthorized wireless stations from accessing data transmitted over the wireless network.
Chapter 10 Interface The following table describes the WPA-PSK/WPA2-PSK-related wireless LAN security labels in this screen. Table 69 Network > Interface > WLAN > Add (WPA-PSK/WPA2-PSK Security) LABEL DESCRIPTION Pre-Shared Key The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that WPA-PSK uses a simple common password, instead of user-specific credentials.
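The "simple common password" above is the whole secret of WPA-PSK/WPA2-PSK: every station derives the same 256-bit pairwise master key (PMK) from the pass-phrase and the SSID with PBKDF2-HMAC-SHA1 at 4096 iterations, as IEEE 802.11i specifies. The following Python is an added example, not code from this guide or from ZyXEL. It derives the PMK, checks it against the published IEEE 802.11i Annex H test vector, and models the offline dictionary attack that a captured four-way handshake makes possible (a real attacker checks the EAPOL MIC rather than the PMK; the word list and the second SSID are constructed for the example).

```python
import hashlib

# WPA-PSK/WPA2-PSK pass-phrase to PMK mapping from IEEE 802.11i:
# PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit pairwise master key every station on the SSID shares."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA pass-phrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_LEN,
    )


def matches_published_vector() -> bool:
    """Check derive_pmk against the IEEE 802.11i Annex H test vector ("password"/"IEEE")."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return derive_pmk("password", "IEEE").hex() == expected


def offline_guess(candidates, ssid: str, target_pmk: bytes):
    """Model of the offline dictionary attack a captured handshake allows.

    A real attacker derives the PTK and checks the EAPOL MIC for each guess;
    comparing the PMK directly stands in for that check.  The cost per guess is
    fixed by the 4096 PBKDF2 iterations, so only the pass-phrase's entropy
    protects the network once a handshake has been captured.
    """
    for guess in candidates:
        try:
            if derive_pmk(guess, ssid) == target_pmk:
                return guess
        except ValueError:
            continue  # too short or too long to be a valid pass-phrase
    return None


if __name__ == "__main__":
    # Constructed sample: a weak pass-phrase falls to a three-word list.
    wordlist = ["letmein1", "password", "Summer2008"]
    pmk = derive_pmk("password", "IEEE")
    print("test vector ok:", matches_published_vector())
    print("recovered pass-phrase:", offline_guess(wordlist, "IEEE", pmk))
```

Two practical points follow from the code: the SSID is the salt, so a default or common SSID lets an attacker reuse precomputed tables, and nothing in the protocol rate-limits guessing, so the pass-phrase length chosen on this screen is the only thing standing between a captured handshake and the key.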
Chapter 10 Interface The following table describes the WPA/WPA2-related wireless LAN security labels. Table 70 Network > Interface > WLAN > Add (WPA/WPA2 Security) LABEL DESCRIPTION Authentication Type Select what the ZyWALL uses to authenticate the wireless clients. Select Auth Method to be able to specify an authentication method object that you have already configured.
Chapter 10 Interface 10.10 WLAN Interface MAC Filter Screen The MAC filter allows you to give specific wireless clients exclusive access to the ZyWALL (allow association) or block specific devices from accessing the ZyWALL (deny association) based on the devices’ MAC addresses. To display your ZyWALL’s MAC filter settings, click Network > Interface > WLAN > MAC Filter. The screen appears as shown. Figure 172 Network > Interface > WLAN > MAC Filter The following table describes the labels in this menu.
Chapter 10 Interface If you set the filter to deny access and add the MAC address of a connected device, the ZyWALL drops the device’s connection immediately. However, if you set the filter to allow only the specified MAC addresses, the ZyWALL does not immediately disconnect all connected wireless clients. To change your ZyWALL’s MAC filter settings, click Network > Interface > WLAN > MAC Filter > Add (or Edit). The screen appears as shown when you click Add.
Table 73 Network > Interface > WLAN > Station Monitor LABEL DESCRIPTION MAC Address This displays the MAC address (in XX:XX:XX:XX:XX:XX format) of a connected wireless station. Strength This displays the strength of the wireless client’s radio signal. The signal strength mainly depends on the antenna output power and the wireless client’s distance from the ZyWALL. Connect Rate This displays the data transfer rate of the wireless client’s connection to the ZyWALL.
Figure 176 Example: After VLAN A B Each VLAN is a separate network with separate IP addresses, subnet masks, and gateways. Each VLAN also has a unique identification number (ID). The ID is a 12-bit value carried in the 802.1Q tag inserted in the Ethernet frame header. The VLANs are connected to switches, and the switches are connected to the router. (If one switch has enough connections for the entire network, the network does not need switches A and B.)
Chapter 10 Interface " Each VLAN interface is created on top of only one Ethernet interface. Otherwise, VLAN interfaces are similar to other interfaces in many ways. They have an IP address, subnet mask, and gateway used to make routing decisions. They restrict bandwidth and packet size. They can provide DHCP services, and they can verify the gateway is available. 10.12.1 Configuring the VLAN Summary Screen This screen lists every VLAN interface and virtual interface created on top of VLAN interfaces.
Chapter 10 Interface Table 74 Network > Interface > VLAN (continued) LABEL DESCRIPTION Add icon This column lets you create, edit, remove, activate, and deactivate interfaces. To create a VLAN interface, click the Add icon at the top of the column. The VLAN Add/Edit screen appears. To create a virtual VLAN interface, click the Add icon next to the corresponding VLAN interface. The Virtual Interface Add/Edit screen appears. See Section 10.15 on page 263.
Chapter 10 Interface Figure 178 Network > Interface > VLAN > Edit Each field is explained in the following table. Table 75 Network > Interface > VLAN > Edit LABEL DESCRIPTION General Settings Enable Interface Select this to enable this interface. Clear this to disable this interface.
Chapter 10 Interface Table 75 Network > Interface > VLAN > Edit (continued) LABEL DESCRIPTION Interface Name This field is read-only if you are editing an existing VLAN interface. Enter the number of the VLAN interface. You can use a number from 0~4094. See Chapter 50 on page 749 for the total number of VLANs you can configure on the ZyWALL. For example, vlan0, vlan8, and so on. Zone Use this field to select the zone to which this interface belongs.
Chapter 10 Interface Table 75 Network > Interface > VLAN > Edit (continued) LABEL DESCRIPTION Connectivity Check The interface can regularly check the connection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the ZyWALL stops routing to the gateway.
Chapter 10 Interface Table 75 Network > Interface > VLAN > Edit (continued) LABEL DESCRIPTION IP Pool Start Address Enter the IP address from which the ZyWALL begins allocating IP addresses. If you want to assign a static IP address to a specific computer, click Add Static DHCP. If this field is blank, the Pool Size must also be blank.
Chapter 10 Interface 10.13 Bridge Interface Screen A bridge creates a connection between two or more network segments at the layer-2 (MAC address) level. Unlike the device-wide bridge mode in ZyNOS-based ZyWALLs, this ZyWALL can bridge traffic between some interfaces while it routes traffic for other interfaces. The bridge interfaces also support more functions, like interface bandwidth parameters, DHCP settings, and ping check.
Chapter 10 Interface Bridge Interface Overview A bridge interface creates a software bridge between the members of the bridge interface. It also becomes the ZyWALL’s interface for the resulting network.
Chapter 10 Interface Table 79 Network > Interface > Bridge (continued) LABEL DESCRIPTION IP Address This field displays the current IP address of the interface. If the IP address is 0.0.0.0, the interface does not have an IP address yet. This screen also shows whether the IP address is a static IP address (STATIC) or dynamically assigned (DHCP). IP addresses are always static in virtual interfaces.
Figure 182 Network > Interface > Bridge > Add
Chapter 10 Interface Each field is described in the table below. Table 80 Network > Interface > Bridge > Add LABEL DESCRIPTION General Settings Enable Interface Select this to enable this interface. Clear this to disable this interface. Interface Properties Interface Name This field is read-only if you are editing the interface. Enter the number of the bridge interface (0 ~ 31). For example, br0, br3, and so on. Zone Use this field to select the zone to which this interface belongs.
Chapter 10 Interface Table 80 Network > Interface > Bridge > Add (continued) LABEL DESCRIPTION Interface Parameters Egress Bandwidth Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network. Allowed values are 0 - 1048576. Ingress Bandwidth This is reserved for future use. Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can receive from the network through the interface. Allowed values are 0 - 1048576.
Chapter 10 Interface Table 80 Network > Interface > Bridge > Add (continued) LABEL DESCRIPTION First WINS Server, Second WINS Server Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using.
" You must connect an external modem to use the auxiliary port. The ZyWALL uses the auxiliary interface to dial out in two situations. 1 You click the Connect icon on the ZyWALL Status screen. 2 The auxiliary interface must connect to satisfy load-balancing requirements. You have to add the auxiliary interface to a trunk first. When the ZyWALL hangs up the call, it drops the Data Terminal Ready (DTR) signal and issues the command ATH.
Chapter 10 Interface Table 81 Network > Interface > Auxiliary (continued) LABEL DESCRIPTION Port Speed Select the speed of the connection between the ZyWALL and external computer. Dialing Type Tone - select this if the telephone uses tone-based dialing. Pulse - select this if the telephone uses pulse-based dialing. Initial String Enter the AT command string to initialize the external modem. ATZ is the most common string, but you should check the manual for the external modem for additional commands.
Chapter 10 Interface Like other interfaces, virtual interfaces have an IP address, subnet mask, and gateway used to make routing decisions. However, you have to manually specify the IP address and subnet mask; virtual interfaces cannot be DHCP clients. Like other interfaces, you can restrict bandwidth through virtual interfaces, but you cannot change the MTU. The virtual interface uses the same MTU that the underlying interface uses.
Table 82 Network > Interface > Bridge > Add (continued) LABEL DESCRIPTION Egress Bandwidth Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network. Allowed values are 0 - 1048576. Ingress Bandwidth This is reserved for future use. Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can receive from the network through the interface. Allowed values are 0 - 1048576.
Chapter 10 Interface In the example above, if the ZyWALL gets a packet with a destination address of 5.5.5.5, it might not find any entries in the routing table. In this case, the packet is dropped. However, if there is a default router to which the ZyWALL should send this packet, you can specify it as a gateway in one of the interfaces. For example, if there is a default router at 200.200.200.100, you can create a gateway at 200.200.200.100 on wan1.
Chapter 10 Interface In DHCP, every network has at least one DHCP server. When a computer (a DHCP client) joins the network, it submits a DHCP request. The DHCP servers get the request; assign an IP address; and provide the IP address, subnet mask, gateway, and available network information to the DHCP client. When the DHCP client leaves the network, the DHCP servers can assign its IP address to another DHCP client. In the ZyWALL, some interfaces can provide DHCP services to the network.
WINS WINS (Windows Internet Naming Service) is Microsoft’s implementation of a NetBIOS Name Server (NBNS). It keeps track of NetBIOS computer names. It stores a mapping table of your network’s computer names and IP addresses. The table is dynamically updated for IP addresses assigned by DHCP. This helps reduce broadcast traffic since computers can query the server instead of broadcasting a request for a computer name’s IP address.
CHAPTER 11 Trunks 11.1 Overview Use trunks for WAN traffic load balancing to increase overall network throughput and reliability. Load balancing divides traffic loads between multiple interfaces. This allows you to improve quality of service and maximize bandwidth utilization for multiple ISP links. Maybe you have two Internet connections with different bandwidths.
Chapter 11 Trunks • If that interface’s connection goes down, the ZyWALL can still send its traffic through another interface. • You can define multiple trunks for the same physical interfaces. Link Sticking You can have the ZyWALL send each local computer’s traffic through a single WAN interface for a specified period of time. This is useful when a redirect server forwards a user request for a file and informs the file server that a particular WAN IP address is requesting the file.
Least Load First The least load first algorithm uses the current (or recent) outbound bandwidth utilization of each trunk member interface as the load balancing index when deciding which interface a new session is distributed to. The outbound bandwidth utilization is defined as the measured outbound throughput divided by the available outbound bandwidth. Here the ZyWALL has two WAN interfaces connected to the Internet.
Chapter 11 Trunks Figure 189 Weighted Round Robin Algorithm Example Spillover The spillover load balancing algorithm sends network traffic to the first interface in the trunk member list until the interface’s maximum allowable load is reached, then sends the excess network traffic of new sessions to the next interface in the trunk member list. This continues as long as there are more member interfaces and traffic to be sent through them.
Chapter 11 Trunks Figure 191 Network > Interface > Trunk The following table describes the items in this screen. Table 87 Network > Interface > Trunk LABEL DESCRIPTION Enable Link Sticking Select this option to have the ZyWALL send all of each local computer’s traffic through one WAN interface for the number of seconds that you specify. This is useful when a redirect server forwards a local user’s request for a file and informs the file server that a particular WAN IP address is requesting the file.
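The three algorithms and the link sticking described above can be seen working together in the following Python model. It is an added example, not ZyXEL's code or the ZyWALL's implementation: member names, bandwidths and measured loads are constructed, the spillover threshold is taken to be the member's Egress Bandwidth, and the least-load-first index is measured throughput divided by egress bandwidth, as the Least Load First description defines it.

```python
import itertools


class Member:
    """A WAN interface inside a trunk."""

    def __init__(self, name, egress_kbps, weight=1):
        self.name = name
        self.egress_kbps = egress_kbps      # configured Egress Bandwidth
        self.weight = weight                # Weighted Round Robin weight
        self.load_kbps = 0                  # measured outbound throughput
        self.up = True                      # link / connectivity-check state

    def utilization(self):
        return self.load_kbps / self.egress_kbps


class Trunk:
    def __init__(self, members, algorithm, sticking_seconds=0):
        if algorithm not in ("wrr", "llf", "spillover"):
            raise ValueError("unknown load balancing algorithm")
        self.members = members
        self.algorithm = algorithm
        self.sticking_seconds = sticking_seconds
        # WRR: each member appears `weight` times in one cycle of the list.
        self._wrr = itertools.cycle([m for m in members for _ in range(m.weight)])
        self._sticky = {}   # source IP -> (member, expiry time)

    def pick(self, src_ip, now=0.0):
        """Choose the member for a new session from src_ip, or None if no link is up."""
        up = [m for m in self.members if m.up]
        if not up:
            return None
        if self.sticking_seconds:
            stuck = self._sticky.get(src_ip)
            if stuck is not None and stuck[1] > now and stuck[0].up:
                return stuck[0]   # keep this host on the same WAN IP for the window
        if self.algorithm == "wrr":
            member = next(self._wrr)
            while not member.up:          # skip members whose link is down
                member = next(self._wrr)
        elif self.algorithm == "llf":
            member = min(up, key=Member.utilization)
        else:  # spillover: fill members in list order up to their maximum load
            member = next((m for m in up if m.load_kbps < m.egress_kbps), up[-1])
        if self.sticking_seconds:
            self._sticky[src_ip] = (member, now + self.sticking_seconds)
        return member
```

The `now` argument is passed in rather than read from the clock so the sticking window can be exercised deterministically; in a real gateway it would be the session's arrival time.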
Figure 192 Network > Interface > Trunk > Edit Each field is described in the table below. Table 88 Network > Interface > Trunk > Edit LABEL DESCRIPTION Name This is the descriptive name for this trunk. Load Balancing Algorithm Select a load balancing method to use from the drop-down list box. Select Weighted Round Robin to balance the traffic load between interfaces based on their respective weights.
Chapter 11 Trunks Table 88 Network > Interface > Trunk > Edit (continued) LABEL DESCRIPTION Add icon This column lets you add, remove and move trunk members. To add an interface to the trunk, click an Add icon. The Trunk Member Select screen appears. To remove an interface from a trunk, click the Remove icon next to it. The ZyWALL confirms you want to remove it before doing so. To move an interface to a different number in the list, click the Move icon next to it.
CHAPTER 12 Policy and Static Routes 12.1 Policy and Static Routes Overview Use policy routes and static routes to override the ZyWALL’s default routing behavior in order to send packets through the appropriate interface or VPN tunnel. For example, the next figure shows a computer (A) connected to the ZyWALL’s LAN interface. The ZyWALL routes most traffic from A to the Internet through the ZyWALL’s default gateway (R1).
Chapter 12 Policy and Static Routes 12.1.1 What You Can Do in the Policy and Static Route Screens • Use the Policy Route screens (see Section 12.2 on page 279) to list and configure policy routes. • Use the Static Route screens (see Section 12.3 on page 283) to list and configure static routes. 12.1.2 What You Need to Know About Policy and Static Routing Policy Routing Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet.
Chapter 12 Policy and Static Routes Policy Routes Versus Static Routes • Policy routes are more flexible than static routes. You can select more criteria for the traffic to match and can also use schedules, NAT, and bandwidth management. • Policy routes are only used within the ZyWALL itself. Static routes can be propagated to other routers using RIP or OSPF. • Policy routes take priority over static routes.
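The lookup order these sections describe, first a matching policy route, then the most specific static or connected route, then an interface gateway such as the 200.200.200.100 example on wan1 from the Interface chapter, and otherwise drop, is modelled in the following Python. It is an added example, not the ZyWALL's implementation; the interface names, prefixes and the vpn_branch tunnel used in the checks are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class StaticRoute:
    prefix: ipaddress.IPv4Network
    next_hop: str           # gateway IP or interface name


@dataclass
class PolicyRoute:
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    next_hop: str           # interface, gateway or VPN tunnel name
    enabled: bool = True


class ForwardingTable:
    """Evaluation order: policy routes, then longest static prefix, then default gateway."""

    def __init__(self, default_gateway: Optional[tuple] = None):
        self.policy_routes = []
        self.static_routes = []
        self.default_gateway = default_gateway   # e.g. ("wan1", "200.200.200.100")

    def lookup(self, src: str, dst: str) -> tuple:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Policy routes match on more than the destination and take priority
        # over static routes; the first enabled match in list order wins.
        for pr in self.policy_routes:
            if pr.enabled and src_ip in pr.source and dst_ip in pr.destination:
                return ("policy", pr.next_hop)
        # Static and connected routes: the most specific prefix wins.
        best = None
        for route in self.static_routes:
            if dst_ip in route.prefix and (
                best is None or route.prefix.prefixlen > best.prefix.prefixlen
            ):
                best = route
        if best is not None:
            return ("static", best.next_hop)
        # No entry at all: use the gateway configured on an interface, or drop.
        if self.default_gateway is not None:
            return ("default", self.default_gateway[1])
        return ("drop", None)


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)
```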
The following table describes the labels in this screen. Table 89 Network > Routing > Policy Route LABEL DESCRIPTION Enable BWM This is a global setting for enabling or disabling bandwidth management on the ZyWALL. You must enable this setting to have individual policy routes or application patrol policies apply bandwidth management. This same setting also appears in the AppPatrol > General screen.
Chapter 12 Policy and Static Routes 12.2.1 Policy Route Edit Screen Click Network > Routing to open the Policy Route screen. Then click the Add or Edit icon to open the Policy Route Edit screen. Use this screen to configure or edit a policy route. See NAT Loopback Example on page 317 for an example of NAT loopback. Figure 195 Network > Routing > Policy Route > Edit The following table describes the labels in this screen.
Chapter 12 Policy and Static Routes Table 90 Network > Routing > Policy Route > Edit (continued) LABEL DESCRIPTION Schedule Select a schedule or select Create Object to configure a new one (see Chapter 38 on page 619 for details). none means the route is active at all times if enabled. Service Select a service or service group from the drop-down list box. Select Create Object to add a new service. See Section 37.2.1 on page 615 for more information.
Chapter 12 Policy and Static Routes Table 90 Network > Routing > Policy Route > Edit (continued) LABEL DESCRIPTION Incoming Service Select the service that the client computer sends to a remote server. The incoming service should have the same service or protocol type as what you configured in the Service field. Trigger Service Select a service that a remote server sends.
Chapter 12 Policy and Static Routes Figure 196 Network > Routing > Static Route The following table describes the labels in this screen. Table 91 Network > Routing > Static Route LABEL DESCRIPTION # This is the number of an individual static route. Destination This is the destination IP address. Subnet Mask This is the IP subnet mask. Next-Hop This is the IP address of the next-hop gateway or the interface through which the traffic is routed.
Chapter 12 Policy and Static Routes Table 92 Network > Routing > Static Route > Edit (continued) LABEL DESCRIPTION Gateway IP Select the radio button and enter the IP address of the next-hop gateway. The gateway is a router or switch on the same segment as your ZyWALL's interface(s). The gateway helps forward packets to their destinations. Interface Select the radio button and a predefined interface through which the traffic is sent.
Chapter 12 Policy and Static Routes Incoming service: Game (UDP: 1234) Trigger service: Game-1 (UDP: 5670-5678) 1 Computer A wants to play a multiplayer online game and tries to connect to game server 1 using port 1234. The ZyWALL records the IP address of computer A when the packets match a policy with SNAT configured. 2 Game server 1 responds using a port number ranging between 5670 - 5678. The ZyWALL allows and forwards the traffic to computer A.
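The exchange above (Game on UDP 1234 opening Game-1 on UDP 5670-5678 for computer A) is modelled in the following Python, an added example rather than the ZyWALL's implementation. It assumes two details the text does not state: the recorded entry is keyed by the remote server's address, so only the server computer A contacted can reach it on the trigger ports, and the entry expires after a constructed timeout. Implementations that open the trigger range to any source once triggered are weaker in exactly this respect, which is the check to ask about when evaluating a port-triggering feature.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    proto: str
    first_port: int
    last_port: int

    def matches(self, proto, port):
        return proto == self.proto and self.first_port <= port <= self.last_port


class TriggerPortRule:
    """Port-triggering state for one policy route with SNAT.

    incoming: the service the LAN client sends (Game, UDP 1234).
    trigger:  the service the remote server sends back (Game-1, UDP 5670-5678).
    """

    def __init__(self, incoming: Service, trigger: Service, ttl_seconds=60):
        self.incoming = incoming
        self.trigger = trigger
        self.ttl = ttl_seconds            # constructed lifetime for an opened entry
        self._opened = {}                 # remote server IP -> (LAN client IP, expiry)

    def outbound(self, src, dst, proto, dport, now):
        """Record the client when its packet matches the incoming service."""
        if not self.incoming.matches(proto, dport):
            return False
        self._opened[dst] = (src, now + self.ttl)
        return True

    def inbound(self, src, proto, dport, now):
        """Return the LAN client to forward to, or None to drop the packet."""
        if not self.trigger.matches(proto, dport):
            return None                   # not a trigger-service port
        entry = self._opened.get(src)
        if entry is None:
            return None                   # this server was never triggered
        client, expiry = entry
        if expiry <= now:
            del self._opened[src]         # the trigger aged out
            return None
        return client
```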
CHAPTER 13 Routing Protocols 13.1 Routing Protocols Overview Routing protocols give the ZyWALL routing information about the network from other routers. The ZyWALL stores this routing information in the routing table it uses to make routing decisions. In turn, the ZyWALL can also use routing protocols to propagate routing information to other routers. See Section 5.5 on page 121 for related information on the RIP and OSPF screens.
13.2 The RIP Screen RIP (Routing Information Protocol, RFC 1058 for version 1 and RFC 2453 for version 2) allows a device to exchange routing information with other routers. RIP is a distance-vector routing protocol, and, like most such protocols, it uses hop count to decide which route is the shortest. It also broadcasts its whole routing table to the network periodically and converges slowly after a topology change. Therefore, RIP is more suitable for small networks (paths of at most 15 hops).
Chapter 13 Routing Protocols Table 94 Network > Routing Protocol > RIP (continued) LABEL DESCRIPTION MD5 Authentication ID This field is available if the Authentication is MD5. Type the ID for MD5 authentication. The ID can be between 1 and 255. MD5 Authentication Key This field is available if the Authentication is MD5. Type the password for MD5 authentication. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.
Chapter 13 Routing Protocols • A normal area is a group of adjacent networks. A normal area has routing information about the OSPF AS, any networks outside the OSPF AS to which it is directly connected, and any networks outside the OSPF AS that provide routing information to any area in the OSPF AS. • A stub area has routing information about the OSPF AS. It does not have any routing information about any networks outside the OSPF AS, including networks to which it is directly connected.
Chapter 13 Routing Protocols • An Area Border Router (ABR) connects two or more areas. It is a member of all the areas to which it is connected, and it filters, summarizes, and exchanges routing information between them. • An Autonomous System Boundary Router (ASBR) exchanges routing information with routers in networks outside the OSPF AS. This is called redistribution in OSPF.
Figure 202 OSPF: Virtual Link In this example, area 100 does not have a direct connection to the backbone. As a result, you should set up a virtual link on both ABRs in area 10. The virtual link becomes the connection between area 100 and the backbone. You cannot create a virtual link to a router in a different area. OSPF Configuration Follow these steps when you configure OSPF on the ZyWALL. 1 Enable OSPF. 2 Set up the OSPF areas. 3 Configure the appropriate interfaces.
Chapter 13 Routing Protocols The following table describes the labels in this screen. See Section 13.3.2 on page 293 for more information as well. Table 96 Network > Routing Protocol > OSPF LABEL DESCRIPTION OSPF Router ID Select the 32-bit ID the ZyWALL uses in the OSPF AS. Default - the highest available IP address assigned to the interfaces is the ZyWALL’s ID. User Define - enter the ID (in IP address format) in the field that appears when you select User Define.
Figure 204 Network > Routing > OSPF > Edit The following table describes the labels in this screen. Table 97 Network > Routing > OSPF > Edit LABEL DESCRIPTION Area ID Type the unique, 32-bit identifier for the area in IP address format. Type Select the type of area. Normal - This area is a normal area. It has routing information about the OSPF AS and about networks outside the OSPF AS. Stub - This area is a stub area.
Table 97 Network > Routing > OSPF > Edit (continued) LABEL DESCRIPTION Authentication Select which authentication method to use in the virtual link. This authentication protects the integrity, but not the confidentiality, of routing updates. None uses no authentication. Text uses a plain text password that is sent over the network (not very secure; anyone on the segment can read and reuse it). MD5 uses an MD5 password and authentication ID (the most secure option offered). With MD5 the password itself never goes on the wire: each update carries a keyed MD5 digest, so a router without the password can neither forge nor alter updates, although it can still read them.
Chapter 13 Routing Protocols • The packet’s message-digest is the same as the one the ZyWALL calculates using the MD5 password. For RIP, authentication is not available in RIP version 1. In RIP version 2, you can only select one authentication type for all interfaces. For OSPF, the ZyWALL supports a default authentication type by area. If you want to use this default in an interface or virtual link, you set the associated Authentication Type field to Same as Area.
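The message-digest check described above is the keyed MD5 that RFC 2328 Appendix D (OSPF) and RFC 2082 (RIP-2) specify: the 16-byte key is appended to the packet, the MD5 of the result travels in the packet in place of the key, and a sequence number lets the receiver reject replays. The following Python is an added example, not the ZyWALL's code or the RFC wire format; the trailer layout (key ID, sequence number, digest) and the constructed route payload are simplified for illustration, and the key values are made up.

```python
import hashlib
import hmac
import struct

KEY_LEN = 16        # RFC 2328 Appendix D and RFC 2082 use a 16-byte authentication key
DIGEST_LEN = 16


def keyed_md5(data: bytes, key: bytes) -> bytes:
    """MD5 over the packet with the zero-padded 16-byte key appended, as the RFCs do."""
    if len(key) > KEY_LEN:
        raise ValueError("authentication key longer than 16 bytes")
    return hashlib.md5(data + key.ljust(KEY_LEN, b"\x00")).digest()


def sign_update(payload: bytes, key_id: int, seq: int, keys: dict) -> bytes:
    """Illustrative framing: payload | key_id (1 byte) | seq (4 bytes) | digest (16 bytes)."""
    body = payload + struct.pack("!BI", key_id, seq)
    return body + keyed_md5(body, keys[key_id])


class UpdateVerifier:
    def __init__(self, keys: dict):
        self.keys = keys                # key ID -> shared key
        self.last_seq = {}              # neighbour -> highest accepted sequence number

    def verify(self, neighbour: str, message: bytes) -> bool:
        if len(message) < 5 + DIGEST_LEN:
            return False
        body, digest = message[:-DIGEST_LEN], message[-DIGEST_LEN:]
        key_id, seq = struct.unpack("!BI", body[-5:])
        key = self.keys.get(key_id)
        if key is None:
            return False                # unknown key ID: not configured on this router
        if not hmac.compare_digest(keyed_md5(body, key), digest):
            return False                # forged, or altered in transit
        if seq <= self.last_seq.get(neighbour, -1):
            return False                # replayed or out-of-order update
        self.last_seq[neighbour] = seq
        return True
```

The point the table makes is visible in the code: the route payload is never encrypted, so a host on the segment can read every update; MD5 authentication only stops it from injecting or modifying them.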
CHAPTER 14 Zones 14.1 Zones Overview Set up zones to configure network security and network policies in the ZyWALL. A zone is a group of interfaces and VPN tunnels. The ZyWALL uses zones, not interfaces, in many security and policy settings, such as firewall rules and remote management. Zones cannot overlap. Each Ethernet interface, VLAN interface, bridge interface, PPPoE/ PPTP interface, auxiliary interface, and VPN tunnel can be assigned to at most one zone.
14.1.2 What You Need to Know About Zones Effects of Zones on Different Types of Traffic Zones effectively divide traffic into three types, intra-zone traffic, inter-zone traffic, and extra-zone traffic, which are affected differently by zone-based security and policy settings. Intra-zone Traffic • Intra-zone traffic is traffic between interfaces or VPN tunnels in the same zone. For example, in Figure 205 on page 299, traffic between VLAN 2 and the Ethernet is intra-zone traffic.
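The three traffic classes, the rule that an interface or tunnel belongs to at most one zone, and the Block Intra-zone switch from the Network > Zone screen can be modelled as follows. This Python is an added example, not the ZyWALL's code; the zone and interface names are constructed, and inter-zone and extra-zone traffic are only classified here because the firewall rules that decide them live in a different chapter.

```python
class ZoneTable:
    """Interfaces and VPN tunnels grouped into non-overlapping zones."""

    def __init__(self):
        self._zone_of = {}          # member name -> zone name
        self._block_intra = {}      # zone name -> Block Intra-zone flag

    def add_zone(self, name, members, block_intra=False):
        # Zones cannot overlap: refuse a member already owned by another zone.
        for member in members:
            owner = self._zone_of.get(member)
            if owner is not None and owner != name:
                raise ValueError(f"{member} already belongs to zone {owner}; zones cannot overlap")
        for member in members:
            self._zone_of[member] = name
        self._block_intra[name] = block_intra

    def classify(self, src_member, dst_member):
        """intra-zone, inter-zone, or extra-zone (one side not in any zone)."""
        src_zone = self._zone_of.get(src_member)
        dst_zone = self._zone_of.get(dst_member)
        if src_zone is None or dst_zone is None:
            return "extra-zone"
        return "intra-zone" if src_zone == dst_zone else "inter-zone"

    def intra_zone_allowed(self, src_member, dst_member):
        """Intra-zone traffic passes unless the zone has Block Intra-zone set.

        Returns None for inter-zone and extra-zone traffic, which zone-pair
        firewall rules decide rather than this flag.
        """
        if self.classify(src_member, dst_member) != "intra-zone":
            return None
        return not self._block_intra[self._zone_of[src_member]]
```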
Chapter 14 Zones Figure 206 Network > Zone The following table describes the labels in this screen. Table 98 Network > Zone LABEL DESCRIPTION Name This field displays the name of the zone. Block Intra-zone This field indicates whether or not the ZyWALL blocks network traffic between members in the zone. Member This field displays the names of the interfaces that belong to each zone. Modify This column provides icons to edit zones. To edit a zone, click the Edit icon next to the zone.
Table 99 Network > Zone > Edit (continued)
• Member List: Available Interface lists the interfaces that do not belong to any zone. The word in front of the name indicates whether the member is an interface or a VPN tunnel. Select the interfaces you want to add to the zone you are editing and click the right arrow button. Member lists the interfaces that belong to the zone.
CHAPTER 15 DDNS

15.1 DDNS Overview
Dynamic DNS (DDNS) services let you use a domain name with a dynamic IP address.

15.1.1 What You Can Do in the DDNS Screens
• Use the DDNS screen (see Section 15.2 on page 304) to view a list of the configured DDNS domain names and their details.
• Use the DDNS Add/Edit screen (see Section 15.2.1 on page 305) to add a domain name to the ZyWALL or to edit the configuration of an existing domain name.
• Use the DDNS Status screen (see Section 15.
Note: Record your DDNS account's user name, password, and domain name; you need them to configure the ZyWALL. After you configure the ZyWALL, it automatically sends its updated IP address to the DDNS service provider, so the domain name keeps resolving to the current address.

Finding Out More
See Section 5.4.9 on page 116 for related information on these screens.

15.2 The DDNS Screen
The DDNS screen provides a summary of all DDNS domain names and their configuration.
Table 101 Network > DDNS (continued)
• Backup Interface/IP: the alternate interface used for updating the IP address mapped to the domain name, followed by how the ZyWALL determines the IP address for the domain name. The ZyWALL uses the backup interface and IP address when the primary interface is disabled, its link is down, or its ping check fails. from interface - the IP address comes from the specified interface.
The following table describes the labels in this screen.

Table 102 Network > DDNS > Add
• Enable DDNS Profile: select this check box to use this DDNS entry.
• Profile Name: when adding a DDNS entry, type a descriptive name for it. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. The field is read-only when you are editing an entry.
Table 102 Network > DDNS > Add (continued)
• IP Address: the options available in this field vary by DDNS provider. Interface - the ZyWALL uses the IP address of the specified interface; this option appears when you select a specific interface in the Backup Binding Address Interface field. Auto - the DDNS server takes the IP address for the domain name from the source address of the update packets the ZyWALL sends.
Figure 210 Network > DDNS > Status

The following table describes the labels in this screen.

Table 103 Network > DDNS > Status
• Profile Name: the descriptive profile name for this entry.
• Domain Name: each domain name the ZyWALL can route.
• Effective IP: the (resolved) IP address of the domain name.
CHAPTER 16 Virtual Servers

16.1 Virtual Servers Overview
Virtual servers are computers on a private network behind the ZyWALL that you make available outside the private network. If the ZyWALL has only one public IP address, you can still make computers in the private network reachable by forwarding packets that arrive on particular ports to the appropriate private IP address.
Finding Out More
• See Section 5.4.19 on page 119 for related information on these screens.
• See Section 6.8.2 on page 160 for an example of how to configure a virtual server to allow H.323 traffic from the WAN to LAN1.
• See Section 16.3 on page 313 for examples of manually configuring NAT 1:1 mapping and manually configuring a policy route rule for NAT loopback. (You can also have the ZyWALL configure these for you automatically.)

16.
Table 104 Network > Virtual Server (continued)
• Add icon: this column provides icons to add, edit, and remove virtual servers; you can also activate and deactivate them. To add a virtual server, click the Add icon at the top of the column; the Virtual Server Add/Edit screen appears. To activate or deactivate a virtual server, click the Active icon next to it.
Table 105 Network > Virtual Server > Edit (continued)
• Original IP: use the drop-down list box to indicate which destination IP address this virtual server applies to. Choices are: Any - the IP address of the selected interface; User Defined - a specific IP address, entered in the User Defined field; HOST address - the drop-down box lists all the HOST address objects in the ZyWALL.
Table 105 Network > Virtual Server > Edit (continued)
• Add corresponding Policy Route rule for NAT Loopback: select this to allow local users to reach this virtual server by its domain name (that is, by its public address). By default a virtual server entry applies its address mapping only to packets coming in from the WAN. Alternatively, click Policy Route to go to the screens where you can manually configure a NAT loopback policy route for this virtual server.
NAT 1:1 Address Objects
First create two address objects for the private and public IP addresses (LAN_SMTP and WAN_EG) in the Object > Address screen as shown next.

Figure 215 Create Address Objects
Figure 216 Address Objects

NAT 1:1 Virtual Server
This section sets up a virtual server rule that changes the destination of SMTP traffic arriving at the ZyWALL's wan2 interface for IP address 1.1.1.1 to the LAN1 SMTP server's IP address (192.168.1.21).
Figure 217 NAT 1:1 Example Virtual Server (diagram: SMTP traffic to destination 1.1.1.1 is translated by NAT to destination 192.168.1.21 on LAN1)

The wan2 interface has a different IP address than 1.1.1.1, so for the ZyWALL to answer ARP requests for 1.1.1.1 correctly you need to create a wan2 virtual server entry. In the Network > Virtual Server screen, click the + symbol and create a new virtual server entry as shown next.
Figure 219 NAT 1:1 Example Policy Route (diagram: SMTP traffic from the LAN1 SMTP server 192.168.1.21 leaves the ZyWALL with NAT source 1.1.1.1)

Click Network > Routing > Policy Route > Add and configure the screen as shown next. Be careful about where you create the route, as routes are evaluated in order of descending priority and the first match wins.

Figure 220 Create a Policy Route

NAT 1:1 Firewall Rule
Create a firewall rule to allow access from the WAN zone to the mail server in the LAN1 zone.
Figure 221 Create a Firewall Rule

NAT Loopback Example
The NAT 1:1 Example on page 313 maps a public IP address to the private IP address of a LAN1 SMTP mail server so that users can reach the server from the WAN. LAN1 users can also reach the mail server directly by its private IP address. However, you need to configure NAT loopback for LAN1 users to reach the server by its domain name, because that name resolves to the public address.

Figure 222 LAN1 Computer Queries the DNS Server (diagram: the DNS server answers xxx.LAN-SMTP.com = 1.1.1.1)
NAT Loopback Virtual Server
When a LAN1 user sends SMTP traffic to IP address 1.1.1.1, the traffic enters the ZyWALL through the LAN1 interface, so it does not match the NAT 1:1 mapping's virtual server rule, which applies only to SMTP traffic for 1.1.1.1 arriving from WAN2. You must therefore configure a similar virtual server rule for traffic arriving on LAN1.

Figure 223 NAT Loopback Virtual Server (diagram: SMTP traffic from LAN1 to destination 1.1.1.1 is translated by NAT to destination 192.168.1.21)
NAT Loopback Policy Route
Without a NAT loopback policy route, the LAN1 user's SMTP traffic reaches the LAN1 SMTP server with the LAN1 computer's IP address as the source. That source is in the server's own subnet, so the server replies directly to the client instead of through the ZyWALL. The return traffic carries the SMTP server's LAN1 IP address as its source. This creates a triangle route: the reply's source does not match the address the client originally sent to (1.1.1.1), so the client does not accept the reply as part of its connection.
Figure 227 Create a Policy Route

Now the LAN1 SMTP server replies to the ZyWALL's LAN1 IP address and the ZyWALL changes the source address to 1.1.1.1 before sending the reply to the LAN1 user's computer. The source in the return traffic matches the original destination address (1.1.1.1) and the LAN1 user can use the LAN1 SMTP server.

Figure 228 NAT Loopback Successful (diagram: the server's reply with source 192.168.1.21 leaves the ZyWALL toward the LAN1 client with NAT source 1.1.1.1)
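The following Python example is added here as an illustration; it is not part of the ZyXEL guide and does not describe the ZyWALL's implementation. It models the NAT 1:1 and NAT loopback rules above at the packet level and shows, case by case, why the loopback virtual server alone still produces a triangle route and why the loopback policy route fixes it. The addresses are the guide's (public 1.1.1.1, LAN1 SMTP server 192.168.1.21, ZyWALL LAN1 IP 192.168.1.1); the rule classes, the rule names, the LAN1 client 192.168.1.33 and the WAN client 203.0.113.9 are assumptions made for the example.

```python
"""Added example (not ZyXEL code): a packet-level model of the NAT 1:1 and
NAT loopback configuration described in the guide. The rule classes,
rule names and client addresses are assumptions for illustration."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

LAN1_NET = ipaddress.ip_network("192.168.1.0/24")
ZYWALL_LAN1_IP = "192.168.1.1"
PUBLIC_IP = "1.1.1.1"
SMTP_SERVER = "192.168.1.21"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str


@dataclass(frozen=True)
class VirtualServer:
    """Destination NAT: packets arriving on in_iface for original_ip:port are
    redirected to mapped_ip (same port, as in the guide's 1:1 example)."""
    in_iface: str
    original_ip: str
    mapped_ip: str
    port: int


@dataclass(frozen=True)
class PolicyRoute:
    """Source NAT applied after the virtual server step; None fields match
    anything. Routes are checked in order and the first match wins."""
    in_iface: str
    snat: str
    src: Optional[str] = None
    dst: Optional[str] = None


def translate(pkt, vservers, routes):
    """Apply the order of operations: virtual server (DNAT) first, then the
    first matching policy route (SNAT)."""
    for vs in vservers:
        if (pkt.in_iface, pkt.dst, pkt.dport) == (vs.in_iface, vs.original_ip, vs.port):
            pkt = replace(pkt, dst=vs.mapped_ip)
            break
    for r in routes:
        if (pkt.in_iface == r.in_iface
                and r.src in (None, pkt.src)
                and r.dst in (None, pkt.dst)):
            pkt = replace(pkt, src=r.snat)
            break
    return pkt


def smtp_session(client_ip, client_iface, vservers, routes):
    """Return (reply_source_seen_by_client, success).

    success is False when the reply's source does not match the address the
    client originally sent to: the triangle route the guide warns about."""
    original = Packet(client_ip, PUBLIC_IP, 25, client_iface)
    delivered = translate(original, vservers, routes)
    if delivered.dst != SMTP_SERVER:
        return None, False  # no virtual server matched; traffic is routed elsewhere
    reply_to = delivered.src
    if ipaddress.ip_address(reply_to) in LAN1_NET and reply_to != ZYWALL_LAN1_IP:
        # Client and server share the LAN1 subnet, so the server answers the
        # client directly and the ZyWALL never sees the reply to un-translate it.
        seen_src = SMTP_SERVER
    else:
        # The reply comes back to the ZyWALL, which reverses its own translation.
        seen_src = PUBLIC_IP
    return seen_src, seen_src == original.dst


# The rules from the guide's two examples (the names are ours).
WAN_VS = VirtualServer("wan2", PUBLIC_IP, SMTP_SERVER, 25)             # NAT 1:1 virtual server
OUTBOUND_ROUTE = PolicyRoute("lan1", PUBLIC_IP, src=SMTP_SERVER)        # NAT 1:1 policy route
LOOPBACK_VS = VirtualServer("lan1", PUBLIC_IP, SMTP_SERVER, 25)         # NAT loopback virtual server
LOOPBACK_ROUTE = PolicyRoute("lan1", ZYWALL_LAN1_IP, dst=SMTP_SERVER)   # NAT loopback policy route

if __name__ == "__main__":
    lan = ("192.168.1.33", "lan1")
    print("WAN client:              ", smtp_session("203.0.113.9", "wan2", [WAN_VS], []))
    print("LAN1, no loopback rules: ", smtp_session(*lan, [WAN_VS], []))
    print("LAN1, loopback VS only:  ", smtp_session(*lan, [WAN_VS, LOOPBACK_VS], []))
    print("LAN1, VS + policy route: ", smtp_session(*lan, [WAN_VS, LOOPBACK_VS], [LOOPBACK_ROUTE]))
```

The third case is the triangle route: the destination is translated, but the server sees the client's own subnet address and answers around the ZyWALL. Only the policy route that rewrites the source to the ZyWALL's LAN1 address forces the reply back through the device.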
CHAPTER 17 HTTP Redirect

17.1 Overview
HTTP redirect forwards a client's HTTP requests (except HTTP traffic destined for the ZyWALL itself) to a web proxy server. In the following example, proxy server A is connected to the dmz interface. When a client in the lan1 zone wants to open a web page, its HTTP request is redirected to proxy server A first. If proxy server A does not have the page in its cache, a policy route lets it reach the Internet and fetch the page from the origin server.
17.1.2 What You Need to Know About HTTP Redirect

Web Proxy Server
A proxy server makes requests on behalf of client devices to reach the Internet or other outside network resources and services. A proxy server can act as a firewall or an ALG (application layer gateway) between the private network and the Internet or other networks. Because outside servers only ever talk to the proxy, it also hides internal IP addresses from them. A client connects to the web proxy server each time it wants to access the Internet.
Note: You can configure at most one HTTP redirect rule for each (incoming) interface.

Figure 230 Network > HTTP Redirect

The following table describes the labels in this screen.

Table 106 Network > HTTP Redirect
• Name: the descriptive name (up to 31 printable characters) of a rule.
• Interface: the interface on which the request must be received.
• Proxy Server: the IP address of the proxy server.
The following table describes the labels in this screen.

Table 107 Network > HTTP Redirect > Edit
• Enable: use this option to turn the HTTP redirect rule on or off.
• Name: enter a name to identify this rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
CHAPTER 18 ALG

18.1 ALG Overview
An Application Layer Gateway (ALG) allows the following applications to operate properly through the ZyWALL's NAT.
• FTP - File Transfer Protocol (FTP) is an Internet file transfer service.
• SIP - Session Initiation Protocol (SIP) is an application-layer protocol used to set up voice and multimedia sessions over the Internet.
• H.323 - a teleconferencing protocol suite that provides audio, data and video conferencing.
18.1.2 What You Need to Know About ALG

Application Layer Gateway (ALG), NAT and Firewall
The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain NAT-unfriendly applications (such as SIP) to operate properly through the ZyWALL's NAT and firewall. These applications carry IP addresses and port numbers inside their payload, so translating the IP header alone is not enough: the ALG also rewrites the embedded addresses and dynamically creates an implicit NAT session and firewall session for the application's traffic from the WAN to the LAN. The ALG on the ZyWALL supports all of the ZyWALL's NAT mapping types.
• The SIP ALG allows UDP packets with a specified destination port to pass through.
• The ZyWALL allows SIP audio connections.
• You do not need to use STUN (Simple Traversal of User Datagram Protocol (UDP) through Network Address Translators) for VoIP devices behind the ZyWALL when you enable the SIP ALG.

Peer-to-Peer Calls and the ZyWALL
The ZyWALL ALG can allow peer-to-peer VoIP calls for both H.323 and SIP.
For example, you configure firewall and virtual server rules to allow LAN IP address A to receive calls through public WAN IP address 1. You configure different firewall and port forwarding rules to allow LAN IP address B to receive calls through public WAN IP address 2. You configure corresponding policy routes to have calls from LAN IP address A go out through WAN IP address 1 and calls from LAN IP address B go out through WAN IP address 2.
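The following Python example is added here to show what the SIP ALG described above has to do; it is not ZyXEL code and does not reproduce the ZyWALL's implementation. A SIP INVITE from a phone behind NAT carries the phone's private address in its Via and Contact headers and the private address and RTP port in the SDP body, so the ALG rewrites those, opens a pinhole for the RTP media and recomputes Content-Length. The sample INVITE, the phone address 192.168.1.50, the public address 1.1.1.1 and the public port range starting at 20000 are constructed for the example.

```python
"""Added example (not ZyXEL code): the rewriting a SIP ALG performs on an
outbound INVITE and the pinholes it opens for inbound media. The sample
message and all addresses are constructed for illustration."""
import re

PHONE_IP = "192.168.1.50"   # assumed LAN VoIP phone
PUBLIC_IP = "1.1.1.1"       # assumed public (WAN) address of the gateway

# Constructed sample; the Content-Length is deliberately stale so that the
# rewrite has to recompute it after changing the SDP body.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.net>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Contact: <sip:alice@192.168.1.50:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 999\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.50\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.50\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)


class SipAlg:
    def __init__(self, public_ip, first_port=20000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (public_ip, public_port) -> (private_ip, private_port): the implicit
        # NAT and firewall sessions ("pinholes") opened for return traffic.
        self.pinholes = {}

    def _map(self, private_ip, private_port):
        """Public endpoint for a private one, allocating a pinhole on first use."""
        key = (private_ip, private_port)
        for public, private in self.pinholes.items():
            if private == key:
                return public
        public = (self.public_ip, self.next_port)
        self.next_port += 1
        self.pinholes[public] = key
        return public

    def _rewrite_hostport(self, line, private_ip):
        def repl(m):
            ip, port = self._map(private_ip, int(m.group(1)))
            return f"{ip}:{port}"
        return re.sub(re.escape(private_ip) + r":(\d+)", repl, line)

    def _rewrite_sdp(self, body, private_ip):
        out = []
        for line in body.split("\r\n"):
            if line.startswith(("c=", "o=")):
                line = line.replace(private_ip, self.public_ip)
            elif line.startswith("m="):
                parts = line.split(" ")              # m=<media> <port> <proto> ...
                _, port = self._map(private_ip, int(parts[1]))
                parts[1] = str(port)
                line = " ".join(parts)
            out.append(line)
        return "\r\n".join(out)

    def outbound(self, message, private_ip):
        """Rewrite an outbound SIP request from private_ip for the public side."""
        head, _, body = message.partition("\r\n\r\n")
        headers = []
        for line in head.split("\r\n"):
            name = line.split(":", 1)[0].strip().lower()
            if name in ("via", "contact"):
                line = self._rewrite_hostport(line, private_ip)
            if name != "content-length":          # re-added below with the new length
                headers.append(line)
        body = self._rewrite_sdp(body, private_ip)
        headers.append(f"Content-Length: {len(body.encode())}")
        return "\r\n".join(headers) + "\r\n\r\n" + body

    def inbound_target(self, public_port):
        """Where an inbound UDP packet to public_port is forwarded, or None
        (dropped) when no pinhole was opened for it."""
        return self.pinholes.get((self.public_ip, public_port))
```

Because the pinholes are created from the signalling, the inbound RTP stream reaches the phone without STUN; a packet to a public port that no SIP exchange advertised is still dropped.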
Figure 236 Network > ALG

The following table describes the labels in this screen.

Table 108 Network > ALG
• Enable SIP Transformations: turn on the SIP ALG to allow SIP sessions to pass through the ZyWALL. SIP is a signaling protocol used in VoIP (Voice over IP), the sending of voice over Internet Protocol. Enabling the SIP ALG also lets you apply bandwidth management to SIP traffic.
Table 108 Network > ALG (continued)
• Enable FTP Transformations: turn on the FTP ALG to allow FTP sessions to pass through the ZyWALL. FTP (File Transfer Protocol) enables fast transfer of files, including large files that may not be possible by e-mail. Using the FTP ALG also lets you apply bandwidth management to FTP traffic.
• FTP Signaling Port: if you use a custom TCP port number (not 21) for FTP control connections, enter it here so the ALG inspects them.
H.323
H.323 is a standard teleconferencing protocol suite that provides audio, data and video conferencing. It allows real-time point-to-point and multipoint communication between client computers over a packet-based network that does not provide a guaranteed quality of service. NetMeeting uses H.323.
PART III Firewall
Firewall (335)
CHAPTER 19 Firewall

19.1 Overview
Use the firewall to block or allow services that use static port numbers. Use application patrol (see Chapter 27 on page 443) to control services that use flexible or dynamic port numbers. The following figure shows the ZyWALL's default firewall rules in action and demonstrates how stateful inspection works: User 1 can initiate a Telnet session from within the LAN1 zone, and the responses to this request are allowed because the firewall remembers the session User 1 started.
19.1.2 What You Need to Know About the Firewall

Stateful Inspection
The ZyWALL has a stateful inspection firewall. It restricts access by screening data packets against defined access rules, and it also tracks sessions. For example, return traffic from one zone into another is allowed only because a computer in the second zone initiated the session first; an unsolicited packet in the same direction is dropped.

Zones
A zone is a group of interfaces or VPN tunnels. Group the ZyWALL's interfaces into different zones based on your needs.
To-ZyWALL Rules
Rules with ZyWALL as the To Zone apply to traffic going to the ZyWALL itself. By default:
• The firewall allows LAN1 and WLAN computers to access or manage the ZyWALL.
• The ZyWALL drops most packets from the WAN zone to the ZyWALL itself, except VRRP traffic for Device HA and the ESP/AH/IKE/NAT-T/HTTPS services needed for VPN tunnels, and generates a log.
Firewall and VPN Traffic
After you create a VPN tunnel and add it to a zone, you can set the firewall rules applied to VPN traffic. If you add a VPN tunnel to an existing zone (the LAN1 zone for example), you can configure a new LAN to LAN firewall rule or use intra-zone traffic blocking to allow or block VPN traffic passing between the VPN tunnel and other interfaces in the LAN zone.
• The second row is the firewall's default policy that allows all traffic from the LAN to go to the WAN.

The ZyWALL applies the firewall rules in order. So for this example, when the ZyWALL receives traffic from LAN1, it checks it against the first rule. If the traffic matches (if it is IRC traffic) the firewall takes the action in the rule (drop) and stops checking the remaining firewall rules.
• The third row is (still) the firewall's default policy of allowing all traffic from LAN1 to go to the WAN.

Alternatively, you configure a LAN to WAN rule with the CEO's user name (say CEO) to allow IRC traffic from any source IP address to go to any destination address. Because rules are matched in order, this rule must sit above the rule that drops IRC for everyone else. Your firewall would have the following configuration.
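The following Python example is added here as an illustration; it is not ZyXEL code and does not describe the ZyWALL's implementation. It is a first-match, zone-based rule evaluator that reproduces the IRC and CEO examples above together with the zone model of Chapter 14 (interfaces mapped to zones, a ZyWALL pseudo-zone for to-ZyWALL traffic, and intra-zone blocking). The interface-to-zone table, the rule and flow classes, the rule names and the sample addresses are assumptions made for the example.

```python
"""Added example (not ZyXEL code): a first-match, zone-based firewall rule
evaluator for the IRC and CEO examples in the guide. Zone table, classes,
rule names and addresses are assumptions for illustration."""
from dataclasses import dataclass
from typing import Optional

IFACE_ZONE = {"lan1": "LAN1", "lan2": "LAN2", "wan1": "WAN", "wan2": "WAN", "dmz": "DMZ"}
BLOCK_INTRA_ZONE = {"DMZ"}      # zones with "Block Intra-zone" set (assumed)


@dataclass(frozen=True)
class Rule:
    from_zone: str                  # zone name or "any"
    to_zone: str                    # zone name, "any", or "ZyWALL"
    action: str                     # "allow" or "deny"
    name: str
    service: Optional[str] = None   # None matches any service
    user: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None


@dataclass(frozen=True)
class Flow:
    in_iface: str
    src_ip: str
    dst_ip: str
    service: str
    out_iface: Optional[str] = None   # None: the packet is for the ZyWALL itself
    user: Optional[str] = None        # authenticated user, if any


def zones_of(flow):
    from_zone = IFACE_ZONE[flow.in_iface]
    to_zone = "ZyWALL" if flow.out_iface is None else IFACE_ZONE[flow.out_iface]
    return from_zone, to_zone


def matches(rule, flow):
    from_zone, to_zone = zones_of(flow)
    if rule.from_zone not in ("any", from_zone) or rule.to_zone not in ("any", to_zone):
        return False
    for wanted, actual in ((rule.service, flow.service), (rule.user, flow.user),
                           (rule.src, flow.src_ip), (rule.dst, flow.dst_ip)):
        if wanted is not None and wanted != actual:
            return False
    return True


def evaluate(rules, flow, default="deny"):
    """Return (action, rule_name). Rules are checked top to bottom and the
    first match decides; nothing below it is consulted."""
    from_zone, to_zone = zones_of(flow)
    if from_zone == to_zone and from_zone in BLOCK_INTRA_ZONE:
        return "deny", "intra-zone-block"
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.name
    return default, "default-policy"


# The guide's example: drop IRC from LAN1, then the default LAN1-to-WAN allow.
RULES_STRICT = [
    Rule("LAN1", "WAN", "deny", "drop-irc", service="IRC"),
    Rule("LAN1", "WAN", "allow", "lan1-to-wan"),
]
CEO_RULE = Rule("LAN1", "WAN", "allow", "ceo-irc", service="IRC", user="CEO")
RULES_CEO = [CEO_RULE] + RULES_STRICT            # per-user allow above the drop
RULES_CEO_WRONG_ORDER = RULES_STRICT + [CEO_RULE]  # below the drop: never reached

if __name__ == "__main__":
    irc = Flow("lan1", "192.168.1.33", "203.0.113.5", "IRC", out_iface="wan1", user="CEO")
    for label, rules in (("strict", RULES_STRICT), ("ceo", RULES_CEO),
                         ("ceo, wrong order", RULES_CEO_WRONG_ORDER)):
        print(f"{label:18}", evaluate(rules, irc))
```

The third rule set is the mistake the ordering warning is about: the CEO's allow rule is present but sits below the drop, so the drop fires first and the allow never matches.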
Figure 240 Firewall Example: Select the Traveling Direction of Traffic

2 Select From WAN and To LAN1. Select Create Object in the Destination drop-down list box.

Figure 241 Firewall Example: Edit a Firewall Rule 1

3 The screen for configuring an address object opens. Configure it as follows and click OK.

Figure 242 Firewall Example: Create an Address Object

4 Select Create Object in the Service drop-down list box.

5 The screen for configuring a service object opens.

Figure 243 Firewall Example: Create a Service Object

6 Enter the name of the firewall rule.

7 Make sure Dest_1 is selected for the Destination and MyService is selected as the Service. Enter a description and configure the rest of the screen as follows. Click OK when you are done.

Figure 244 Firewall Example: Edit a Firewall Rule

8 The firewall rule appears in the firewall rule summary.
19.2 The Firewall Screen

Asymmetrical Routes
If an alternate gateway on LAN1 has an IP address in the same subnet as the ZyWALL's LAN1 IP address, return traffic may not go through the ZyWALL. This is called an asymmetrical or "triangle" route. Because the ZyWALL never sees the reply that acknowledges the connection, it resets the connection. You can have the ZyWALL permit asymmetrical route topology on the network (not reset the connection), at the cost of the firewall accepting packets for sessions whose handshake it has not seen.
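The following Python example is added here as an illustration; it is not ZyXEL code and does not describe the ZyWALL's implementation. It is a minimal stateful inspector that shows the two behaviours described in this chapter: replies are admitted by session state rather than by a rule, and a TCP session whose SYN-ACK never passed the firewall (the asymmetrical route above) is reset when the client's next packet arrives, unless asymmetrical routes are permitted. The packet class, the flag strings and the addresses are assumptions made for the example.

```python
"""Added example (not ZyXEL code): a minimal stateful inspector showing
state-based reply admission and the asymmetrical-route reset described in
the guide. Packet fields, flag strings and addresses are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # TCP flags as a string: "S", "SA", "A", "PA" ("" for non-TCP)


class StatefulInspector:
    def __init__(self, allow_asymmetric=False):
        self.sessions = {}              # forward 5-tuple -> "SYN_SENT" | "ESTABLISHED"
        self.allow_asymmetric = allow_asymmetric
        self.log = []

    def inspect(self, pkt, policy_allows):
        """Return "allow", "drop" or "reset". policy_allows is the zone rules'
        verdict for pkt as a *new* session; it is only consulted for new SYNs."""
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

        if rev in self.sessions:
            # Reply direction of a session we admitted: allowed by state, even
            # where a WAN-to-LAN1 rule would deny it as a new connection.
            if pkt.flags == "SA":
                self.sessions[rev] = "ESTABLISHED"
            return "allow"

        state = self.sessions.get(fwd)
        if state is None:
            if pkt.flags == "S" and policy_allows:
                self.sessions[fwd] = "SYN_SENT"
                return "allow"
            self.log.append(("drop", "unsolicited or denied", fwd))
            return "drop"

        if state == "SYN_SENT" and pkt.flags != "S":
            # ACK or data on a session whose SYN-ACK we never saw: the reply
            # took another path around the firewall (triangle route).
            if self.allow_asymmetric:
                self.sessions[fwd] = "ESTABLISHED"
                return "allow"
            self.log.append(("reset", "asymmetrical route", fwd))
            del self.sessions[fwd]
            return "reset"
        return "allow"


if __name__ == "__main__":
    syn = Pkt("tcp", "192.168.1.33", 40000, "203.0.113.5", 23, "S")
    synack = Pkt("tcp", "203.0.113.5", 23, "192.168.1.33", 40000, "SA")
    ack = Pkt("tcp", "192.168.1.33", 40000, "203.0.113.5", 23, "A")
    fw = StatefulInspector()
    print("symmetric:  ", [fw.inspect(syn, True), fw.inspect(synack, False), fw.inspect(ack, True)])
    fw = StatefulInspector()
    print("asymmetric: ", [fw.inspect(syn, True), fw.inspect(ack, True)], fw.log)
```

In the symmetric run the SYN-ACK is admitted by state although the WAN-to-LAN1 policy (passed as False) would have denied it as a new connection; in the asymmetric run the firewall sees the client's ACK without ever having seen the SYN-ACK and resets the session.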
• Besides configuring the firewall, you also need to configure virtual servers (NAT port forwarding) to allow computers on the WAN to access LAN devices. See Chapter 16 on page 309 for more information.
• The ordering of your rules is very important, as rules are applied in sequence and the first match wins.

Figure 247 Firewall

The following table describes the labels in this screen.

Table 113 Firewall
• Global Setting / Enable Firewall: select this check box to activate the firewall.
Table 113 Firewall (continued)
• From Zone / To Zone: the direction of travel of packets. Select from which zone the packets come and to which zone they go. Firewall rules are grouped by the direction of travel of the packets to which they apply. For example, from LAN1 to LAN1 means packets traveling from a computer or subnet on LAN1 to another computer or subnet on LAN1. From any displays all the firewall rules for traffic going to the selected To Zone.
Table 113 Firewall (continued)
• Add icon: click the Add icon in the heading row to add a new first entry. The Active icon shows whether the rule is enabled; click it to activate or deactivate the rule, then click Apply to save and apply the change. Click the Edit icon to go to the screen where you can edit the rule. Click the Add icon in an entry to add a rule below the current entry.
Table 114 Firewall > Edit (continued)
• Description: enter a descriptive name of up to 60 printable ASCII characters for the firewall rule. Spaces are allowed.
• Schedule: select a schedule that defines when the rule applies, or select Create Object to configure a new one (see Chapter 38 on page 619 for details). Otherwise, select none and the rule is always in effect.
• User: this field is not available when you are configuring a to-ZyWALL rule.
PART IV VPN
IPSec VPN (351), SSL VPN (385), SSL User Screens (395), SSL User Application Screens (401), SSL User File Sharing (403), L2TP VPN (409), L2TP VPN Example (415)
CHAPTER 20 IPSec VPN

20.1 IPSec VPN Overview
A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN combines tunneling, encryption, authentication, access control and auditing. It is used to transport traffic over the Internet or any other insecure network that uses TCP/IP for communication.
• Use the VPN Concentrator screens (see Section 20.4 on page 369) to combine several IPSec VPN connections into a single secure network.
• Use the SA Monitor screen (see Section 20.5 on page 371) to display and manage the active IPSec SAs.

20.1.2 What You Need to Know About IPSec VPN
An IPSec VPN tunnel is usually established in two phases.
You should set up the following features before you set up the VPN tunnel.
• In any VPN connection, you have to select address objects to specify the local policy and remote policy. You should set up the address objects first.
• In a VPN gateway, you can select an Ethernet interface, virtual Ethernet interface, cellular interface, VLAN interface, or virtual VLAN interface to specify what address the ZyWALL uses as its IP address when it establishes the IKE SA.
Each field is discussed in the following table. See Section 20.2.2 on page 360 and Section 20.2.1 on page 355 for more information.

Table 115 VPN > IPSec VPN > VPN Connection
• Use Policy Route to control dynamic IPSec rules: leave this cleared to have the ZyWALL automatically obtain source and destination addresses for dynamic IPSec rules. When this check box is cleared, you do not need to configure policy routes for the dynamic IPSec tunnels.
20.2.1 The VPN Connection Add/Edit (IKE) Screen
The VPN Connection Add/Edit Gateway screen allows you to create a new VPN connection policy or edit an existing one. To access this screen, go to the VPN Connection screen (see Section 20.2 on page 353) and click either the Add icon or an Edit icon. If you click the Add icon, you have to select a specific VPN gateway in the VPN Gateway field before the following screen appears.
Figure 252 VPN > IPSec VPN > VPN Connection > Edit (IKE)
Each field is described in the following table.

Table 116 VPN > IPSec VPN > VPN Connection > Edit
• General Settings: click Advanced to display more settings. Click Basic to display fewer settings.
• Connection Name: type the name used to identify this IPSec SA. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Table 116 VPN > IPSec VPN > VPN Connection > Edit (continued)
• SA Life Time: type the maximum number of seconds the IPSec SA can last. Shorter life times limit how much traffic is protected under one set of keys and so provide better security. The ZyWALL automatically negotiates a new IPSec SA before the current one expires if there are users accessing remote resources.
• Active Protocol: select which protocol you want to use in the IPSec SA.
Table 116 VPN > IPSec VPN > VPN Connection > Edit (continued)
• Related Settings / Add this VPN connection to IPSec_VPN zone: select this check box to add the VPN connection policy to the IPSec_VPN security zone. Any security rules or settings configured for the IPSec_VPN zone then also apply to this VPN connection policy.
• More Settings/Less Settings: click this button to show or hide the Inbound/Outbound traffic NAT fields.
Table 116 VPN > IPSec VPN > VPN Connection > Edit (continued)
• Original Port: these fields are available if the protocol is TCP or UDP. Enter the original destination port or range of original destination ports. The original port range must be the same size as the mapped port range.
• Mapped Port: these fields are available if the protocol is TCP or UDP. Enter the translated destination port or range of translated destination ports.
Figure 253 VPN > IPSec VPN > VPN Connection > Manual Key > Edit

This table describes labels specific to manual key configuration. See Section 20.2 on page 353 for descriptions of the other fields.

Table 117 VPN > IPSec VPN > VPN Connection > Manual Key > Edit
• Manual Key / My Address: type the IP address of the ZyWALL in the IPSec SA. 0.0.0.0 is invalid.
• Secure Gateway Address: type the IP address of the remote IPSec router in the IPSec SA.
Table 117 VPN > IPSec VPN > VPN Connection > Manual Key > Edit (continued)
• Encapsulation Mode: select which type of encapsulation the IPSec SA uses. Choices are Tunnel - this mode encrypts the original IP header and the data, and Transport - this mode encrypts only the data. Select Transport only if the IPSec SA is used for communication between the ZyWALL and the remote IPSec router themselves.
Table 117 VPN > IPSec VPN > VPN Connection > Manual Key > Edit (continued)
• Authentication Key: enter the authentication key, which depends on the authentication algorithm. MD5 - type a unique key 16-20 characters long; SHA1 - type a unique key 20 characters long. You can use any alphanumeric characters or ,;|`~!@#$%^&*()_+\{}':./<>=-". To enter the key in hexadecimal, type "0x" at the beginning of the key.
Table 118 VPN > IPSec VPN > VPN Gateway (continued)
• Name: the name of the VPN gateway.
• My address: the interface or domain name the ZyWALL uses for the VPN gateway.
• Secure Gateway: the IP address(es) of the remote IPSec routers.
• VPN Connection: the VPN connections that use this VPN gateway.
Figure 255 VPN > IPSec VPN > VPN Gateway > Edit

Each field is described in the following table.

Table 119 VPN > IPSec VPN > VPN Gateway > Edit
• General Settings / VPN Gateway Name: type the name used to identify this VPN gateway. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
• Gateway Settings / My Address: select how the IP address of the ZyWALL in the IKE SA is defined.
Table 119 VPN > IPSec VPN > VPN Gateway > Edit (continued)
• Peer Gateway Address: select how the IP address of the remote IPSec router in the IKE SA is defined. Select Static Address to enter the domain name or the IP address of the remote IPSec router. You can provide a second IP address or domain name for the ZyWALL to try if it cannot establish an IKE SA with the first one.
• Authentication
Table 119 VPN > IPSec VPN > VPN Gateway > Edit (continued)
• Peer ID Type: select which type of identification is used to identify the remote IPSec router during authentication.
Table 119 VPN > IPSec VPN > VPN Gateway > Edit (continued)
• Encryption: select which key size and encryption algorithm to use in the IKE SA.
Table 119 VPN > IPSec VPN > VPN Gateway > Edit (continued)
• User Name: required if the ZyWALL is in Client Mode for extended authentication. Type the user name the ZyWALL sends to the remote IPSec router. The user name can be 1-31 ASCII characters. It is case-sensitive, and spaces are not allowed.
• Password: required if the ZyWALL is in Client Mode for extended authentication. Type the password the ZyWALL sends to the remote IPSec router.
Figure 257 VPN > IPSec VPN > Concentrator

Each field is discussed in the following table. See Section 20.4.1 on page 370 for more information.

Table 120 VPN > IPSec VPN > Concentrator
• #: a sequential value, not associated with a specific concentrator.
• Name: the name of the VPN concentrator.
• Add icon: this column provides icons to add, edit, and remove VPN concentrators.
Table 121 VPN > IPSec VPN > Concentrator > Edit (continued)
• Member: the name of each member in the concentrator. Note: you must disable policy enforcement in each member; see Section 20.2.1 on page 355. Click the Popup icon to change this member in the group. The following screen appears; IPSec VPN connection policies that do not belong to a VPN concentrator appear on the left.
Figure 260 VPN > IPSec VPN > SA Monitor

Each field is described in the following table.

Table 122 VPN > IPSec VPN > SA Monitor
• Name: enter the name of an IPSec SA here and click Search to find it (if it is associated). You can use a keyword or regular expression. Use up to 30 alphanumeric and _+-.()!$*^:?|{}[]<>/ characters. See Regular Expressions in Searching IPSec SAs on page 378 for more details.
20.6 IPSec VPN Background Information
Here is some more detailed IPSec VPN background information.

IKE SA Overview
The IKE SA provides a secure connection between the ZyWALL and the remote IPSec router. It takes several steps to establish an IKE SA; the negotiation mode determines how many. There are two negotiation modes, main mode and aggressive mode. Main mode provides better security because the peers' identities are exchanged only after the channel is encrypted, while aggressive mode is faster because it uses fewer messages, at the price of sending the identities in the clear.

Note: Both routers must use the same negotiation mode.
The ZyWALL sends one or more proposals to the remote IPSec router. (In some devices, you can only set up one proposal.) Each proposal consists of an encryption algorithm, authentication algorithm, and DH key group that the ZyWALL wants to use in the IKE SA. The remote IPSec router selects an acceptable proposal and sends the accepted proposal back to the ZyWALL. If the remote IPSec router rejects all of the proposals, the ZyWALL and remote IPSec router cannot establish an IKE SA.
DH public-key cryptography is based on DH key groups. Each key group uses a modulus of a fixed number of bits. The larger the group, the stronger the resulting shared secret, but the longer the key exchange takes to compute. For example, DH2 (1024 bits) is stronger than DH1 (768 bits), but DH2 takes longer to compute.

Authentication
Before the ZyWALL and the remote IPSec router establish an IKE SA, they have to verify each other's identity.
Router identity consists of ID type and content. The ID type can be domain name, IP address, or e-mail address, and the content is a (properly-formatted) domain name, IP address, or e-mail address. The content is only used for identification. Any domain name or e-mail address that you enter does not have to actually exist. Similarly, any domain name or IP address that you enter does not have to correspond to the ZyWALL's or remote IPSec router's properties.
Main mode takes six steps to establish an IKE SA.
Steps 1 - 2: The ZyWALL sends its proposals to the remote IPSec router. The remote IPSec router selects an acceptable proposal and sends it back to the ZyWALL.
Steps 3 - 4: The ZyWALL and the remote IPSec router exchange Diffie-Hellman public values and nonces, based on the accepted DH key group, to establish a shared secret. The pre-shared key itself is never sent; each side uses its own copy, together with the nonces, to derive the keys that authenticate the later messages.
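The following Python example is added here as an illustration; it is not ZyXEL code and does not describe the ZyWALL's implementation. It carries the main-mode steps above through the key derivation and authentication of IKEv1 with pre-shared keys as defined in RFC 2409 (SKEYID = prf(PSK, Ni | Nr), then HASH_I and HASH_R over the DH values, cookies, SA payload and identity), with HMAC-SHA1 as the prf. It shows that the pre-shared key never crosses the wire and that a PSK mismatch or a rejected proposal fails at the step the text describes. The modulus P is a toy stand-in for a real DH group, the proposal tuples, identities and keys are constructed for the example, and the encryption of messages 5 and 6 is not modelled.

```python
"""Added example (not ZyXEL code): IKEv1 main mode with pre-shared key,
following the RFC 2409 derivations for SKEYID, HASH_I and HASH_R. The
modulus P is a toy stand-in for a DH group; proposals, identities and PSKs
are constructed for illustration."""
import hashlib
import hmac
import secrets

P = 2**255 - 19   # toy prime modulus for the DH arithmetic, not an IKE DH group
G = 2
KEY_BYTES = 32


def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()


def pick_proposal(offered, acceptable):
    """Messages 1-2: the responder returns the first offered proposal it accepts."""
    for proposal in offered:
        if proposal in acceptable:
            return proposal
    return None


class Peer:
    def __init__(self, psk, identity, proposals):
        self.psk = psk                  # pre-shared key (bytes); never transmitted
        self.identity = identity        # ID payload content, e.g. a domain name
        self.proposals = proposals      # list of (encryption, authentication, dh group)
        self.cookie = secrets.token_bytes(8)
        self.nonce = secrets.token_bytes(16)
        self.x = secrets.randbelow(P - 2) + 1   # DH private exponent

    def public(self):
        return pow(G, self.x, P)

    def shared(self, peer_public):
        return pow(peer_public, self.x, P).to_bytes(KEY_BYTES, "big")


def ike_main_mode(init, resp):
    """Run the six main-mode messages between init and resp; return (ok, reason)."""
    chosen = pick_proposal(init.proposals, resp.proposals)
    if chosen is None:
        return False, "no proposal chosen"
    sa_i = "|".join(chosen).encode()               # SAi_b: the initiator's SA payload body

    # Messages 3-4: only the KE and nonce payloads cross the wire. Each side
    # derives SKEYID = prf(PSK, Ni | Nr) from its *own* copy of the PSK.
    gxi, gxr = init.public(), resp.public()
    ni, nr = init.nonce, resp.nonce
    gxi_b, gxr_b = gxi.to_bytes(KEY_BYTES, "big"), gxr.to_bytes(KEY_BYTES, "big")
    skeyid_i = prf(init.psk, ni + nr)
    skeyid_r = prf(resp.psk, ni + nr)
    gxy = init.shared(gxr)
    assert gxy == resp.shared(gxi)                 # both hold the same DH secret (seeds SKEYID_d/a/e)

    # Message 5: initiator sends IDii and HASH_I; the responder recomputes it.
    hash_i = prf(skeyid_i, gxi_b + gxr_b + init.cookie + resp.cookie + sa_i + init.identity)
    expect = prf(skeyid_r, gxi_b + gxr_b + init.cookie + resp.cookie + sa_i + init.identity)
    if not hmac.compare_digest(hash_i, expect):
        return False, "HASH_I mismatch"            # wrong PSK on either side

    # Message 6: responder sends IDir and HASH_R; the initiator verifies it.
    hash_r = prf(skeyid_r, gxr_b + gxi_b + resp.cookie + init.cookie + sa_i + resp.identity)
    expect = prf(skeyid_i, gxr_b + gxi_b + resp.cookie + init.cookie + sa_i + resp.identity)
    if not hmac.compare_digest(hash_r, expect):
        return False, "HASH_R mismatch"
    return True, "IKE SA established"


if __name__ == "__main__":
    aes, des3 = ("aes128", "sha1", "dh2"), ("3des", "md5", "dh1")
    zywall = Peer(b"s3cret", b"zywall.example.com", [aes, des3])
    print(ike_main_mode(zywall, Peer(b"s3cret", b"remote.example.com", [des3, aes])))
    print(ike_main_mode(zywall, Peer(b"wrong", b"remote.example.com", [aes])))
    print(ike_main_mode(zywall, Peer(b"s3cret", b"remote.example.com", [("aes256", "sha1", "dh2")])))
```

With matching keys the responder picks the initiator's first proposal that it also accepts (aes128 here, even though the responder lists 3des first). With mismatched keys the DH exchange completes normally and the failure only appears when HASH_I is checked, which is why a wrong pre-shared key on a real device shows up as a phase 1 authentication error rather than a connectivity error.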
Extended Authentication
Extended authentication is often used when multiple IPSec routers use the same VPN tunnel to connect to a single IPSec router. For example, this might be used with telecommuters. In extended authentication, one of the routers (the ZyWALL or the remote IPSec router) provides a user name and password to the other router, which uses a local user database and/or an external server to verify the user name and password.
IPSec SA Overview
Once the ZyWALL and remote IPSec router have established the IKE SA, they can securely negotiate an IPSec SA through which to send data between computers on the networks.

Note: The IPSec SA stays connected even if the underlying IKE SA is no longer available.

This section introduces the key components of an IPSec SA.

Local Network and Remote Network
In an IPSec SA, the local network, the one(s) connected to the ZyWALL, may be called the local policy.
Chapter 20 IPSec VPN These modes are illustrated below. Figure 265 VPN: Transport and Tunnel Mode Encapsulation Original Packet IP Header TCP Header Data Transport Mode Packet IP Header AH/ESP Header TCP Header Data Tunnel Mode Packet IP Header AH/ESP Header IP Header TCP Header Data In tunnel mode, the ZyWALL uses the active protocol to encapsulate the entire IP packet.
IPSec SA using Manual Keys You might set up an IPSec SA using manual keys when you want to establish a VPN tunnel quickly, for example, for troubleshooting. You should only do this as a temporary solution, however, because it is not as secure as a regular IPSec SA. In IPSec SAs using manual keys, the ZyWALL and remote IPSec router do not establish an IKE SA. They only establish an IPSec SA.
Figure 266 VPN Example: NAT for Inbound and Outbound Traffic Source Address in Outbound Packets (Outbound Traffic, Source NAT) This translation lets the ZyWALL route packets from computers that are not part of the specified local network (local policy) through the IPSec SA. For example, in Figure 266 on page 382, you have to configure this kind of translation if you want computer M to establish a connection with any computer in the remote network (B).
You have to specify one or more rules when you set up this kind of NAT. The ZyWALL checks these rules in a similar way to how it checks firewall rules. The first part of each rule defines the conditions in which the rule applies.
• Original IP - the original destination address; the remote network (B).
• Protocol - the protocol [TCP, UDP, or both] used by the service requesting the connection.
CHAPTER 21 SSL VPN 21.1 Overview Use SSL VPN to allow users to use a web browser for secure remote user login (the remote users do not need a VPN router or VPN client software). 21.1.1 What You Can Do in the SSL VPN Screens
• Use the VPN > SSL VPN > Access Privilege screens (see Section 21.2 on page 387) to configure SSL access policies.
• Use the VPN > SSL VPN > Connection Monitor screen (see Section 21.3 on page 389) to list the users currently logged into the VPN SSL client portal.
Full Tunnel Mode In full tunnel mode, a virtual connection is created for remote users with private IP addresses in the same subnet as the local network. This allows them to access network resources in the same way as if they were part of the internal network. Figure 268 Network Access Mode: Full Tunnel Mode SSL Access Policy An SSL access policy allows the ZyWALL to perform the following tasks: • limit user access to specific applications or files on the network.
Finding Out More • See Section 5.4.5 on page 115 for related information on these screens. • See Section 21.5 on page 392 for how to establish an SSL VPN connection to the ZyWALL (after you have configured the SSL VPN settings on the ZyWALL). 21.2 The SSL Access Privilege Screen Click VPN > SSL VPN to open the Access Privilege screen. This screen lists the configured SSL access policies.
Figure 270 VPN > SSL VPN > Access Privilege > Add/Edit The following table describes the labels in this screen. Table 127 VPN > SSL VPN > Access Privilege > Add/Edit LABEL DESCRIPTION Configuration Enable Select this option to activate this SSL access policy. Name Enter a descriptive name to identify this policy. You can enter up to 15 characters (“a-z”, “A-Z”, “0-9”) with no spaces allowed.
Table 127 VPN > SSL VPN > Access Privilege > Add/Edit (continued) LABEL DESCRIPTION User/Group The Available list displays the name(s) of the user account and/or user group(s) to which you have not applied an SSL access policy yet. To associate a user or user group to this SSL access policy, select a user account or user group and click >> to add to the Member list. You can select more than one name. To remove a user or user group, select the name(s) in the Member list and click <<.
• Log out individual users and delete related session information. Once a user logs out, the corresponding entry is removed from the Connection Monitor screen. Figure 271 VPN > SSL VPN > Connection Monitor The following table describes the labels in this screen. Table 128 VPN > SSL VPN > Connection Monitor LABEL DESCRIPTION # This field displays the index number. User This field displays the account user name used to establish this SSL VPN connection.
Figure 272 VPN > SSL VPN > Global Setting The following table describes the labels in this screen. Table 129 VPN > SSL VPN > Global Setting LABEL DESCRIPTION Global Setting Network Extension IP Address Specify the IP address of the ZyWALL (or a gateway device) for full tunnel mode SSL VPN access. Leave this field at the default setting unless it conflicts with another interface.
21.4.1 How to Upload a Custom Logo Follow the steps below to upload a custom logo to display on the remote user SSL VPN screens. 1 Click VPN > SSL VPN and click the Global Setting tab to display the configuration screen. 2 Click Browse to locate the logo graphic. Make sure the file is in GIF, JPG, or PNG format. 3 Click Apply to start the file transfer process. 4 Log in as a user to verify that the new logo displays properly. The following shows an example logo on the remote user screen.
Figure 274 SSL VPN Client Portal Screen Example If the user account is not set up for SSL VPN access, an “SSL VPN connection is not activated” message displays in the Login screen. Clear the Login to SSL VPN check box and try logging in again. For more information on user portal screens, refer to Chapter 22 on page 395.
CHAPTER 22 SSL User Screens 22.1 Overview This chapter introduces the remote user SSL VPN screens. The following figure shows a network example where a remote user (A) logs into the ZyWALL from the Internet to access the web server (WWW) on the local network. Figure 275 Network Example 22.1.
• Firefox 1.0 and above • Mozilla 1.7.3 and above • Sun’s Java (Java Runtime Environment or ‘JRE’) installed and enabled with a minimum version of 1.4. Required Information A remote user needs the following information from the network administrator to log in and access network resources.
Figure 277 Login Security Screen 3 A login screen displays. Enter the user name and password of your login account. If a token password is also required, enter it in the One-Time Password field. 4 Select Log into SSL VPN and click Login to log in and establish an SSL VPN connection to the network to access network resources. Figure 278 Login Screen 5 Your computer starts establishing a secure connection to the ZyWALL after a successful login. This may take up to two minutes.
Figure 280 SecuExtender Progress 7 The Application screen displays showing the list of resources available to you. See Figure 281 on page 398 for a screen example. Note: Available resource links vary depending on the configuration your network administrator made. 22.3 The SSL VPN User Screens This section describes the main elements in the remote user screens.
The following table describes the various parts of a remote user screen. Table 130 Remote User Screen Overview # DESCRIPTION
1 Click on a menu tab to go to the Application or File Sharing screen.
2 Click this icon to create a bookmark to the SSL VPN user screen in your web browser.
3 Click this icon to display the on-line help window.
4 Click this icon to log out and terminate the secure connection.
5 Select your preferred language for the interface.
Figure 284 Logout: Connection Termination Progress
CHAPTER 23 SSL User Application Screens 23.1 SSL User Application Screens Overview Use the Application screen to access web-based applications (such as web sites and e-mail) on the network through the SSL VPN connection. Which applications you can access depends on the ZyWALL’s configuration. 23.2 The Application Screen Click the Application tab to display the screen. The Name field displays the descriptive name for an application.
CHAPTER 24 SSL User File Sharing 24.1 Overview The File Sharing screen lets you access files on a file server through the SSL VPN connection. 24.1.1 What You Need to Know About the SSL VPN File Sharing Use the File Sharing screen to display and access shared files/folders on a file server. You can also perform the following actions:
• Access a folder.
• Open a file (if your web browser cannot open the file, you are prompted to download it).
• Save a file to your computer.
• Create a new folder.
Figure 286 File Sharing 24.3 Opening a File or Folder You can open a file if the file extension is recognized by the web browser and the associated application is installed on your computer. 1 Log in as a remote user and click the File Sharing tab. 2 Click on a file share icon. 3 If an access user name and password are required, a screen displays as shown in the following figure. Enter the account information and click Login to continue.
4 A list of files/folders displays. Click on a file to open it in a separate browser window. You can also click a folder to access it. For this example, click on a .doc file to open the Word document. Figure 288 File Sharing: Open a Word File 24.3.1 Downloading a File You are prompted to download a file which cannot be opened using a web browser. Follow the on-screen instructions to download and save the file to your computer.
Figure 289 File Sharing: Save a Word File 24.4 Creating a New Folder To create a new folder in the file share location, click the New Folder icon. Specify a descriptive name for the folder. You can enter up to 356 characters. Then click Add. Note: Make sure the length of the folder name does not exceed the maximum allowed on the file server. Figure 290 File Sharing: Save a Word File 24.
Figure 291 File Sharing: Rename A popup window displays. Specify the new name and/or file extension in the field provided. You can enter up to 356 characters. Then click Apply. Note: Make sure the length of the name does not exceed the maximum allowed on the file server. You may not be able to open a file if you change the file extension. Figure 292 File Sharing: Rename 24.
24.7 Uploading a File Follow the steps below to upload a file to the file server. 1 Log into the remote user screen and click the File Sharing tab. 2 Specify the location and/or name of the file you want to upload. Or click Browse to locate it. 3 Click Upload to send the file to the file server. 4 After the file is uploaded successfully, you should see the name of the file and a message in the screen.
CHAPTER 25 L2TP VPN 25.1 Overview L2TP VPN lets remote users use the L2TP and IPSec client software included with their computers’ operating systems to securely connect to the network behind the ZyWALL. The remote users do not need their own IPSec gateways or VPN client software. Figure 295 L2TP VPN Overview 25.1.1 What You Can Do in the L2TP VPN Screens • Use the L2TP VPN screen (see Section 25.2 on page 411) to configure the ZyWALL’s L2TP VPN settings.
IPSec Configuration Required for L2TP VPN You must configure an IPSec VPN connection for L2TP VPN to use (see Chapter 20 on page 351 for details). The IPSec VPN connection must:
• Be enabled.
• Use transport mode.
• Not be a manual key VPN connection.
• Use Pre-Shared Key authentication.
• Use a VPN gateway with the Secure Gateway set to 0.0.0.0 if you need to allow L2TP VPN clients to connect from more than one IP address.
Finding Out More • See Section 5.4.6 on page 115 for related information on these screens. • See Chapter 26 on page 415 for an example of how to create a basic L2TP VPN tunnel. 25.2 L2TP VPN Screen Click VPN > L2TP VPN to open the following screen. Use this screen to configure the ZyWALL’s L2TP VPN settings. Note: Disconnect any existing L2TP VPN sessions before modifying L2TP VPN settings.
Table 131 VPN > IPSec VPN > VPN Connection (continued) LABEL DESCRIPTION Authentication Method Select how the ZyWALL authenticates a remote user before allowing access to the L2TP VPN tunnel. The authentication method has the ZyWALL check a user’s user name and password against the ZyWALL’s local database, a remote LDAP, RADIUS, or Active Directory server, or more than one of these. See Chapter 40 on page 635 for how to create authentication method objects.
Table 132 VPN > L2TP VPN > Session Monitor (continued) LABEL DESCRIPTION Hostname This field displays the name of the computer that has this L2TP VPN connection with the ZyWALL. Assigned IP This field displays the IP address that the ZyWALL assigned for the remote user’s computer to use within the L2TP VPN tunnel. Public IP This field displays the public IP address that the remote user is using to connect to the Internet.
CHAPTER 26 L2TP VPN Example This chapter shows how to create a basic L2TP VPN tunnel. 26.1 L2TP VPN Example This chapter uses the following settings in creating a basic L2TP VPN tunnel. Figure 299 L2TP VPN Example (wan1: 172.16.1.2; L2TP_POOL: 192.168.10.10~192.168.10.20; LAN_SUBNET: 192.168.1.x)
• The ZyWALL has a static IP address of 172.16.1.2 for the wan1 interface.
• The remote user has a dynamic public IP address and connects through the Internet.
Figure 300 VPN > IPSec VPN > VPN Gateway > Edit • Configure the My Address setting. This example uses interface wan1 with static IP address 172.16.1.2. • Select Pre-Shared Key and configure a password. This example uses top-secret. Click OK. 2 Click the Default_L2TP_VPN_GW entry’s Enable icon and click Apply to turn on the entry. Figure 301 VPN > IPSec VPN > VPN Gateway (Enable) 26.
Figure 302 VPN > IPSec VPN > VPN Connection > Edit 2 Click the Policy Advanced button. Enforce and configure the local and remote policies. • For the Local Policy, create an address object that uses host type and contains the My Address IP address that you configured in the Default_L2TP_VPN_GW. The address object in this example uses the wan1 interface’s IP address (172.16.1.2) and is named L2TP_IFACE.
26.4 Configuring the L2TP VPN Settings Example 1 Click VPN > L2TP VPN to open the following screen. Figure 304 VPN > L2TP VPN Example 2 Configure the following. • Enable the connection. • Set it to use the Default_L2TP_VPN_Connection VPN connection. • Configure an IP address pool for the range of 192.168.10.10 to 192.168.10.20. It is called L2TP_POOL here. • This example uses the default authentication method (the ZyWALL’s local user database).
Figure 305 Routing > Add: L2TP VPN Example 2 Configure the following. • Enable the policy route. • Set the policy route’s Source Address to the address object that you want to allow the remote users to access (LAN1_SUBNET in this example). • Set the Destination Address to the IP address pool that the ZyWALL assigns to the remote users (L2TP_POOL in this example). • Set the next hop to be the Default_L2TP_VPN_Connection VPN tunnel. • Click OK. 26.
2 Click Next in the Welcome screen. 3 Select Connect to the network at my workplace and click Next. Figure 306 New Connection Wizard: Network Connection Type 4 Select Virtual Private Network connection and click Next. Figure 307 New Connection Wizard: Network Connection 5 Type L2TP to ZyWALL as the Company Name.
Figure 308 New Connection Wizard: Connection Name 6 Select Do not dial the initial connection and click Next. Figure 309 New Connection Wizard: Public Network 7 Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN (172.16.1.2 in this example).
Figure 310 New Connection Wizard: VPN Server Selection 8 Click Finish. 9 The Connect L2TP to ZyWALL screen appears. Click Properties > Security. Figure 311 Connect L2TP to ZyWALL 10 Click Security, select Advanced (custom settings) and click Settings.
Figure 312 Connect L2TP to ZyWALL: Security 11 Select Optional encryption (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK. Figure 313 Connect ZyWALL L2TP: Security > Advanced 12 Click IPSec Settings.
Figure 314 L2TP to ZyWALL Properties > Security 13 Select the Use pre-shared key for authentication check box and enter the pre-shared key used in the VPN gateway configuration that the ZyWALL is using for L2TP VPN. Click OK. Figure 315 L2TP to ZyWALL Properties > Security > IPSec Settings 14 Click Networking. Select L2TP IPSec VPN as the Type of VPN. Click OK. Figure 316 L2TP to ZyWALL Properties: Networking 15 Enter the user name and password of your ZyWALL account.
Figure 317 Connect L2TP to ZyWALL 16 A window appears while the user name and password are verified. 17 A ZyWALL-L2TP icon displays in your system tray. Double-click it to open a status screen. Figure 318 ZyWALL-L2TP System Tray Icon 18 Click Details to see that the address you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20).
1 Click Start > Run. Type regedit and click OK. Figure 320 Starting the Registry Editor 2 Click Registry > Export Registry File and save a backup copy of your registry. You can go back to using this backup if you misconfigure the registry settings. 3 Select HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters. Figure 321 Registry Key 4 Right-click Parameters and select New > DWORD Value. Figure 322 New DWORD Value 5 Enter ProhibitIpSec as the name.
Figure 323 ProhibitIpSec DWORD Value 6 Restart the computer and continue with the next section. 26.6.2.2 Configure the Windows 2000 IPSec Policy After you have created the registry entry and restarted the computer, use these directions to configure an IPSec policy for the computer to use. 1 Click Start > Run. Type mmc and click OK. Figure 324 Run mmc 2 Click Console > Add/Remove Snap-in.
Figure 326 Add > IP Security Policy Management > Finish 4 Right-click IP Security Policies on Local Machine and click Create IP Security Policy. Click Next in the welcome screen. Figure 327 Create IP Security Policy 5 Name the IP security policy L2TP to ZyWALL, and click Next.
Figure 328 IP Security Policy: Name 6 Clear the Activate the default response rule check box and click Next. Figure 329 IP Security Policy: Request for Secure Communication 7 Leave the Edit Properties check box selected and click Finish.
8 In the properties dialog box, click Add > Next. Figure 331 IP Security Policy Properties > Add 9 Select This rule does not specify a tunnel and click Next. Figure 332 IP Security Policy Properties: Tunnel Endpoint 10 Select All network connections and click Next.
Figure 333 IP Security Policy Properties: Network Type 11 Select Use this string to protect the key exchange (preshared key), type password in the text box, and click Next. Figure 334 IP Security Policy Properties: Authentication Method 12 Click Add.
Figure 335 IP Security Policy Properties: IP Filter List 13 Type ZyWALL WAN_IP in the Name field. Clear the Use Add Wizard check box and click Add. Figure 336 IP Security Policy Properties: IP Filter List > Add 14 Configure the following in the Addressing tab. Select My IP Address in the Source address drop-down list box. Select A specific IP Address in the Destination address drop-down list box and type the ZyWALL’s WAN IP address (172.16.1.
Figure 337 Filter Properties: Addressing 15 Configure the following in the Filter Properties window’s Protocol tab. Set the protocol type to UDP from port 1701. Select To any port. Click Apply, OK, and then Close. Figure 338 Filter Properties: Protocol 16 Select ZyWALL WAN_IP and click Next.
Figure 339 IP Security Policy Properties: IP Filter List 17 Select Require Security and click Next. Then click Finish and Close. Figure 340 IP Security Policy Properties: IP Filter List 18 In the Console window, right-click L2TP to ZyWALL and select Assign.
26.6.2.3 Configure the Windows 2000 Network Connection After you have configured the IPSec policy, use these directions to create a network connection. 1 Click Start > Settings > Network and Dial-up connections > Make New Connection. In the wizard welcome screen, click Next. Figure 342 Start New Connection Wizard 2 Select Connect to a private network through the Internet and click Next.
Figure 344 New Connection Wizard: Destination Address 4 Select For all users and click Next. Figure 345 New Connection Wizard: Connection Availability 5 Name the connection L2TP to ZyWALL and click Finish.
6 Click Properties. Figure 347 Connect L2TP to ZyWALL 7 Click Security and select Advanced (custom settings) and click Settings. Figure 348 Connect L2TP to ZyWALL: Security 8 Select Optional encryption allowed (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK. Click Yes if a screen pops up.
Figure 349 Connect L2TP to ZyWALL: Security > Advanced 9 Click Networking and select Layer 2 Tunneling Protocol (L2TP) from the drop-down list box. Click OK. Figure 350 Connect L2TP to ZyWALL: Networking 10 Enter your user name and password and click Connect. It may take up to one minute to establish the connection and register on the network.
Figure 351 Connect L2TP to ZyWALL 11 A ZyWALL-L2TP icon displays in your system tray. Double-click it to open a status screen. Figure 352 ZyWALL-L2TP System Tray Icon 12 Click Details and scroll down to see that the address you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20). Figure 353 L2TP to ZyWALL Status: Details 13 Access a server or other network resource behind the ZyWALL to make sure your access works.
PART V Application Patrol
Application Patrol (443)
CHAPTER 27 Application Patrol 27.1 Overview Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, http and ftp) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP), and streaming (RTSP) applications. You can even control the use of a particular application’s individual features (like text messaging, voice, video conferencing, and file transfers).
27.1.2 What You Need to Know About Application Patrol Note: The ZyWALL checks firewall rules before it checks application patrol rules for traffic going through the ZyWALL. If you want to use a service, make sure both the firewall and application patrol allow the service’s packets to go through the ZyWALL. Application patrol examines every TCP and UDP connection passing through the ZyWALL and identifies what application is using the connection.
The application patrol bandwidth management is more flexible and powerful than the bandwidth management in policy routes. Application patrol controls TCP and UDP traffic. Use policy routes to manage other types of traffic (like ICMP). Note: Bandwidth management in policy routes has priority over application patrol bandwidth management. It is recommended to use application patrol instead of policy routes to manage the bandwidth of TCP and UDP traffic.
• Inbound traffic is limited to 500 kbps. The connection initiator is on LAN1 so inbound means the traffic traveling from the WAN to LAN1. Figure 355 LAN1 to WAN, Outbound 200 kbps, Inbound 500 kbps Bandwidth Management Priority • The ZyWALL gives bandwidth to higher-priority traffic first, until it reaches its configured bandwidth rate. • Then lower-priority traffic gets bandwidth.
Figure 356 Bandwidth Management Behavior (BWM, 1000 kbps) Configured Rate Effect In the following table, the configured rates total less than the available bandwidth and maximize bandwidth usage is disabled, so both servers get their configured rate. Table 133 Configured Rate Effect POLICY CONFIGURED RATE MAX. B. U.
Priority and Over Allotment of Bandwidth Effect Server A has a configured rate that equals the total amount of available bandwidth and a higher priority. You should regard extreme over allotment of traffic with different priorities (as shown here) as a configuration error. Even though the ZyWALL still attempts to let all traffic get through and not be lost, regardless of its priority, server B gets almost no bandwidth with this configuration.
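As an added illustration, not ZyXEL's code or the device's actual scheduler, the following Python model applies the priority and configured-rate rules described above to the two-server cases (rates totalling less than the link, and server A's rate equal to the whole link) and flags the over-allotment misconfiguration; the policy names, rates and the `demand_kbps` field are constructed assumptions.

```python
"""Simplified model of application patrol bandwidth management.

Constructed example (not ZyXEL code). Each policy has a priority (1 is the
highest), a configured rate in kbps and a "maximize bandwidth usage" flag.
Higher-priority traffic is served first, up to its configured rate, then
lower priorities; any leftover bandwidth goes to policies that have
maximize bandwidth usage enabled, again in priority order. The real device
schedules per flow and is more detailed than this; only the allocation
rule from the guide is modelled here.
"""
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    priority: int              # 1 is the highest priority
    configured_kbps: int       # rate guaranteed while bandwidth lasts
    max_usage: bool = False    # "maximize bandwidth usage" option
    demand_kbps: int = 10**9   # offered load (assumed field); default: unlimited


def allocate(policies, available_kbps):
    """Return {policy name: allocated kbps} following the priority rule."""
    alloc = {p.name: 0 for p in policies}
    remaining = available_kbps
    ordered = sorted(policies, key=lambda p: p.priority)
    # Pass 1: configured (guaranteed) rates, highest priority first.
    # A lower-priority policy only gets what is left after the higher ones.
    for p in ordered:
        share = min(p.configured_kbps, p.demand_kbps, remaining)
        alloc[p.name] += share
        remaining -= share
    # Pass 2: leftover bandwidth to policies allowed to exceed their rate.
    for p in ordered:
        if remaining <= 0:
            break
        if p.max_usage:
            extra = min(p.demand_kbps - alloc[p.name], remaining)
            alloc[p.name] += extra
            remaining -= extra
    return alloc


def over_allotment_warnings(policies, available_kbps):
    """Flag the configuration error the guide warns about: once the
    configured rates of the higher priorities reach the whole link, every
    lower-priority policy is starved."""
    warnings = []
    ordered = sorted(policies, key=lambda p: p.priority)
    cumulative = 0
    for p in ordered:
        cumulative += p.configured_kbps
        if cumulative >= available_kbps:
            starved = [q.name for q in ordered if q.priority > p.priority]
            if starved:
                warnings.append(
                    f"{p.name} (priority {p.priority}) consumes all "
                    f"{available_kbps} kbps; starved: {', '.join(starved)}")
            break
    return warnings


if __name__ == "__main__":
    link = 1000  # constructed: 1000 kbps available, as in Figure 356
    # Configured Rate Effect: rates total less than the link, no max usage.
    normal = [Policy("Server A", 1, 300), Policy("Server B", 2, 200)]
    print("configured rate effect:", allocate(normal, link))
    # Priority and over allotment: A's rate equals the whole link.
    over = [Policy("Server A", 1, 1000), Policy("Server B", 2, 500)]
    print("over allotment:", allocate(over, link))
    for w in over_allotment_warnings(over, link):
        print("WARNING:", w)
```

`allocate` also respects a policy's offered load, so a policy that sends less than its configured rate leaves the difference for the others.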
Figure 357 Application Patrol Bandwidth Management Example (ADSL Up: 1 Mbps, Down: 8 Mbps)
• SIP: Any to WAN, Outbound: 200 Kbps, Inbound: 200 Kbps, Priority: 1, Max. B. U.
• SIP: WAN to Any, Outbound: 200 Kbps, Inbound: 200 Kbps, Priority: 1, Max. B. U.
• HTTP: Any to WAN, Outbound: 100 Kbps, Inbound: 500 Kbps, Priority: 2, Max. B. U.
• FTP: WAN to DMZ, Outbound: 100 Kbps, Inbound: 300 Kbps, Priority: 3, No Max. B. U.
• FTP: LAN to DMZ, Outbound: 50 Mbps, Inbound: 50 Mbps, Priority: 4, No Max. B. U.
27.1.
Figure 358 SIP Any to WAN Bandwidth Management Example (Outbound: 200 kbps, Inbound: 200 kbps) 27.1.3.3 SIP WAN to Any Bandwidth Management Example You also create a policy for calls coming in from the SIP server on the WAN. It is the same as the SIP Any to WAN policy, but with the directions reversed (WAN to Any instead of Any to WAN). 27.1.3.
Figure 360 FTP WAN to DMZ Bandwidth Management Example (Outbound: 300 kbps, Inbound: 100 kbps) 27.1.3.6 FTP LAN to DMZ Bandwidth Management Example
• The LAN and DMZ zone interfaces are connected to Ethernet networks (not an ADSL device) so you limit both outbound and inbound traffic to 50 Mbps.
• Fourth highest priority (4).
• Disable maximize bandwidth usage since you do not want to give FTP more bandwidth.
Note: You must register for the IDP/AppPatrol signature service (at least the trial) before you can use it. See Chapter 8 on page 185 for how to register. Click AppPatrol to open the following screen. Figure 362 AppPatrol > General The following table describes the labels in this screen. See Section 27.3.1 on page 454 for more information as well. Table 137 AppPatrol > General LABEL DESCRIPTION Enable Application Patrol Select this check box to turn on application patrol.
Table 137 AppPatrol > General (continued) LABEL Apply new Registration Signature Information DESCRIPTION This link appears if you have not registered for the service or only have the trial registration. Click this link to go to the screen where you can register for the service. The following fields display information on the current signature set that the ZyWALL is using. Current Version This field displays the IDP signature and anomaly rule set version number.
Table 138 AppPatrol > Common (continued) LABEL DESCRIPTION Modify This column provides icons to activate and deactivate each application and to edit the settings for each one. To activate or deactivate patrol for an application, click the Active icon for the corresponding application. Make sure you click Apply to save and apply the change. To edit the settings for an application, click the Edit icon next to the application. The Configuration Edit screen appears.
Table 139 Application Edit (continued) LABEL DESCRIPTION Service Port This is available if the Classification is Service Ports. You can view and edit the ports used to identify this application. Add icon When the Classification is Service Ports, this column provides icons to add and remove port numbers used to identify the application. Click Add to add a port number. Type the destination port number in the Service Port field. Click Remove to delete a port number.
Table 139 Application Edit (continued) LABEL DESCRIPTION Log This field shows whether the ZyWALL generates a log (log), a log and alert (log alert) or neither (no) when the application’s traffic matches this policy. Add icon Click the Add icon in the heading row to add a new first entry. The Active icon displays whether the entry is enabled or not. Click the Active icon to activate or deactivate the entry. Make sure you click Apply to save and apply the change.
Table 140 Application Policy Edit (continued) LABEL DESCRIPTION Schedule Select a schedule that defines when the policy applies or select Create Object to configure a new one (see Chapter 38 on page 619 for details). Otherwise, select none to make the policy always effective. User Select a user name or user group to which to apply the policy. Select Create Object to configure a new user account (see Section 35.2.1 on page 596 for details).
Table 140 Application Policy Edit (continued) LABEL DESCRIPTION Outbound kbps Type how much outbound bandwidth, in kilobits per second, this policy allows the application to use. Outbound refers to the traffic the ZyWALL sends out from a connection’s initiator. If you enter 0 here, this policy does not apply bandwidth management for the application’s traffic that the ZyWALL sends out from the initiator.
Figure 366 AppPatrol > Other The following table describes the labels in this screen. See Section 27.4.1 on page 460 for more information as well. Table 141 AppPatrol > Other LABEL DESCRIPTION Policy This table lists the policies configured for traffic which does not match an application. # This field is a sequential value, and it is not associated with a specific condition. Note: The ZyWALL checks conditions in the order they appear in the list.
Table 141 AppPatrol > Other (continued) LABEL DESCRIPTION BWM These fields show the amount of bandwidth the traffic can use. These fields only apply when Access is set to forward. In - This is how much inbound bandwidth, in kilobits per second, this policy allows the matching traffic to use. Inbound refers to the traffic the ZyWALL sends to a connection’s initiator. If no displays here, this policy does not apply bandwidth management for the inbound traffic.
Figure 367 AppPatrol > Other > Edit The following table describes the labels in this screen. Table 142 AppPatrol > Other > Edit LABEL DESCRIPTION Enable Select this check box to turn on this policy. Port Use this field to specify a specific port number to which to apply this policy. Type zero if this policy applies to every port number.
Chapter 27 Application Patrol Table 142 AppPatrol > Other > Edit (continued) LABEL DESCRIPTION Inbound kbps Type how much inbound bandwidth, in kilobits per second, this policy allows the traffic to use. Inbound refers to the traffic the ZyWALL sends to a connection’s initiator. If you enter 0 here, this policy does not apply bandwidth management for the matching traffic that the ZyWALL sends to the initiator.
Chapter 27 Application Patrol Figure 368 AppPatrol > Statistics: General Setup The following table describes the labels in this screen. Table 143 AppPatrol > Statistics: General Setup LABEL DESCRIPTION Refresh Interval Select how often you want the statistics display to update. Display Protocols Select the protocols for which to display statistics. Select All selects all of the protocols. Clear All clears all of the protocols. Click Expand to display individual protocols. Collapse hides them.
Chapter 27 Application Patrol • Different colors represent different protocols. 27.5.3 Application Patrol Statistics: Protocol Statistics The bottom of the AppPatrol > Statistics screen displays statistics for each of the selected protocols. Figure 370 AppPatrol > Statistics: Protocol Statistics The following table describes the labels in this screen. Table 144 AppPatrol > Statistics: Protocol Statistics LABEL DESCRIPTION Service This is the protocol.
Chapter 27 Application Patrol Table 144 AppPatrol > Statistics: Protocol Statistics (continued) LABEL DESCRIPTION Inbound Kbps This is the incoming bandwidth usage for traffic that matched this protocol rule, in kilobits per second. This is the protocol’s traffic that the ZyWALL sends to the initiator of the connection. So for a connection initiated from the LAN to the WAN, the traffic sent from the WAN to the LAN is the inbound traffic.
PART VI Anti-X Anti-Virus (469) IDP (483) ADP (513) Content Filtering (531) Content Filter Reports (551) Anti-Spam (559)
CHAPTER 28 Anti-Virus 28.1 Overview Use the ZyWALL’s anti-virus feature to protect your connected network from virus/spyware infection. The ZyWALL checks traffic going in the direction(s) you specify for signature matches. In the following figure the ZyWALL is set to check traffic coming from the WAN zone (which includes two interfaces) to the LAN zone. Figure 371 ZyWALL Anti-Virus Example 28.1.1 What You Can Do in the Anti-Virus Screens • Use the General screens (Section 28.
Chapter 28 Anti-Virus 28.1.2 What You Need to Know About Anti-Virus Anti-Virus Engines Subscribe to signature files for ZyXEL’s anti-virus engine or one powered by Kaspersky. When using the trial, you can switch from one engine to the other in the Registration screen. After the trial expires, you need to purchase an iCard for the anti-virus engine you want to use and register it in the Registration > Service screen.
Note: Since the ZyWALL erases the infected portion of the file before sending it, you may not be able to open the file. Notes About the ZyWALL Anti-Virus The following lists important notes about the anti-virus scanner: 1 The ZyWALL anti-virus scanner can detect polymorphic viruses. 2 When a virus is detected, an alert message is displayed on Microsoft Windows computers. Refer to Appendix C on page 819 if your Windows computer does not display the alert messages.
Figure 372 Anti-X > Anti-Virus > General The following table describes the labels in this screen. Table 145 Anti-X > Anti-Virus > General LABEL DESCRIPTION General Settings Click Advanced to display more settings. Click Basic to display fewer settings. Enable Anti-Virus and Anti-Spyware Select this check box to check traffic for viruses and spyware. The following table lists policies that define which traffic the ZyWALL scans and the action it takes upon finding a virus.
Table 145 Anti-X > Anti-Virus > General (continued) LABEL DESCRIPTION Add icon Click the Add icon in the heading row to add a new first entry. The Active icon displays whether the entry is enabled or not. Click it to activate or deactivate the entry. Make sure you click Apply to save and apply the change. Click the Edit icon to go to the screen where you can edit the entry on the ZyWALL. Click the Add icon in an entry to add a policy below the current entry.
Figure 373 Anti-X > Anti-Virus > General > Add The following table describes the labels in this screen. Table 146 Anti-X > Anti-Virus > General > Add LABEL DESCRIPTION Enable Select this check box to have the ZyWALL apply this anti-virus policy to check traffic for viruses. From To Select source and destination zones for traffic to scan for viruses. The anti-virus policy has the ZyWALL scan traffic coming from the From zone and going to the To zone.
Table 146 Anti-X > Anti-Virus > General > Add (continued) LABEL DESCRIPTION Log These are the log options: no: Do not create a log when a packet matches a signature(s). log: Create a log on the ZyWALL when a packet matches a signature(s). log alert: An alert is an e-mailed log for more serious events that may need more immediate attention. Select this option to have the ZyWALL send an alert when a packet matches a signature(s).
Figure 374 Anti-X > Anti-Virus > Black/White List > Black List The following table describes the labels in this screen. Table 147 Anti-X > Anti-Virus > Black/White List > Black List LABEL DESCRIPTION Enable Black List Select this check box to log and delete files with names that match the black list patterns. Use the black list to log and delete files with names that match the black list patterns. Total Rule This is the number of entries configured.
Figure 375 Anti-X > Anti-Virus > Black/White List > Black List (or White List) > Add The following table describes the labels in this screen. Table 148 Anti-X > Anti-Virus > Black/White List > Black List (or White List) > Add LABEL DESCRIPTION Enable If this is a black list entry, select this option to have the ZyWALL apply this entry when using the black list. If this is a white list entry, select this option to have the ZyWALL apply this entry when using the white list.
Figure 376 Anti-X > Anti-Virus > Black/White List > White List The following table describes the labels in this screen. Table 149 Anti-X > Anti-Virus > Black/White List > White List LABEL DESCRIPTION Enable White List Select this check box to have the ZyWALL skip the anti-virus check on files with names that match the white list patterns. Use the white list to have the ZyWALL skip the anti-virus check on files with names that match the white list patterns.
Figure 377 Anti-X > Anti-Virus > Signature: Search by Severity The following table describes the labels in this screen. Table 150 Anti-X > Anti-Virus > Signature LABEL DESCRIPTION Signatures Search Select the criteria on which to perform the search. Select By Name from the drop-down list box and type the name or part of the name of the signature(s) you want to find. This search is not case-sensitive.
Table 150 Anti-X > Anti-Virus > Signature (continued) LABEL DESCRIPTION Severity This is the severity level of the anti-virus signature. Click the severity column header to sort your search results by ascending or descending severity. Category This column displays whether the signature is for identifying a virus or spyware. Click the column heading to sort your search results by category. 28.
• HAV scanners are slow in stopping virus threats through real-time traffic (such as from the Internet). • HAV scanners may reduce computing performance as they also share the resources (such as CPU time) on the computer for file inspection. • You have to update the virus signatures and/or perform virus scans on all computers in the network regularly. A network-based anti-virus (NAV) scanner is often deployed as a dedicated security device (such as your ZyWALL) on the network edge.
CHAPTER 29 IDP 29.1 Overview This chapter introduces packet inspection IDP (Intrusion Detection and Prevention), IDP profiles, binding an IDP profile to a traffic flow, custom signatures and updating signatures. An IDP system can detect malicious or suspicious packets and respond instantaneously. IDP on the ZyWALL protects against network-based intrusions. 29.1.1 What You Can Do Using the IDP Screens • Use the Anti-X > IDP > General screen (Section 29.
Chapter 29 IDP Note: You can only apply one IDP profile to one traffic flow. Base IDP Profiles Base IDP profiles are templates that you use to create new IDP profiles. The ZyWALL comes with several base profiles. See Table 154 on page 488 for details on base profiles. IDP Policies An IDP policy refers to the application of an IDP profile to traffic flowing from one zone to another.
Figure 378 Anti-X > IDP > General The following table describes the labels in this screen. Table 152 Anti-X > IDP > General LABEL DESCRIPTION General Setup Enable Signature Detection Policies You must register for IDP service in order to use packet inspection signatures. If you don’t have a standard license, you can register for a once-off trial one. Use this list to specify which IDP profile the ZyWALL uses for traffic flowing in a specific direction.
Table 152 Anti-X > IDP > General (continued) LABEL (Icons) License DESCRIPTION Click the Add icon in the heading row to add a new first entry. The Active icon displays whether the entry is enabled or not. Click it to activate or deactivate the entry. Make sure you click Apply to save and apply the change. Click the Edit icon to go to the screen where you can edit the entry. Click the Add icon in an entry to add an entry below the current entry.
Figure 379 Anti-X > IDP > General > Add The following table describes the labels in this screen. Table 153 Anti-X > IDP > General > Add LABEL DESCRIPTION Enable Select this check box to turn on this IDP profile to traffic direction binding. From Traffic direction is defined by the zone the traffic is coming from and the zone the traffic is going to. Use the From field to specify the zone from which the traffic is coming.
Figure 380 Base Profiles The following table describes this screen. Table 154 Base Profiles BASE PROFILE DESCRIPTION all All signatures are enabled. Signatures with a high or severe severity level (greater than three) generate log alerts and cause packets that trigger them to be dropped. Signatures with a very low, low or medium severity level (less than or equal to three) generate logs (not log alerts) and no action is taken on packets that trigger them.
Figure 381 Anti-X > IDP > Profile The following table describes the fields in this screen. Table 155 Anti-X > IDP > Profile LABEL DESCRIPTION Name This is the name of the profile you created. Base Profile This is the base profile from which the profile was created. (Icons) Click the Add icon in the column header to create a new profile. A pop-up screen displays requiring you to choose a base profile from which to create the new profile. Click an Edit icon to edit an existing profile.
3 Type a new profile name. 4 Enable or disable individual signatures. 5 Edit the default log options and actions. 29.6 Profiles: Packet Inspection Select Anti-X > IDP > Profile and then add a new profile or edit an existing one. Packet inspection signatures examine the contents of a packet for malicious data. They operate at layer 4 to layer 7. 29.6.
Figure 382 Anti-X > IDP > Profile > Edit: Group View
The following table describes the fields in this screen. Table 156 Anti-X > IDP > Profile > Group View LABEL DESCRIPTION Name This is the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Table 156 Anti-X > IDP > Profile > Group View (continued) LABEL DESCRIPTION Action Select what action the ZyWALL should take when a packet matches a signature here. original setting: Select this action to return each signature in a service group to its previously saved configuration. none: Select this action on an individual signature or a complete service group to have the ZyWALL take no action when a packet matches the signature(s).
Table 157 Policy Types (continued) POLICY TYPE DESCRIPTION DoS/DDoS The goal of Denial of Service (DoS) attacks is not to steal information, but to disable a device or network on the Internet. A distributed denial-of-service (DDoS) attack is one in which multiple compromised systems attack a single target, thereby causing denial of service for users of the targeted system. Scan A scan describes the action of searching a network for an exposed service.
Table 158 IDP Service Groups (continued): IMAP, IM, FINGER, DNS, ICMP, FTP. The following figure shows the WEB_PHP service group that contains signatures related to attacks on web servers using PHP exploits. PHP (PHP: Hypertext Preprocessor) is a server-side HTML-embedded scripting language that allows web developers to build dynamic websites. Logs and actions applied to a service group apply to all signatures within that group.
Figure 384 Anti-X > IDP > Profile: Query View The following table describes the fields in this screen. Table 159 Anti-X > IDP > Profile: Query View LABEL DESCRIPTION Name This is the name of the profile that you created in the IDP > Profiles > Group View screen. Switch to group view Click this button to go to the IDP profile group view screen where IDP signatures are grouped by service and you can configure activation, logs and/or actions.
Table 159 Anti-X > IDP > Profile: Query View (continued) LABEL DESCRIPTION Search Click this button to begin the search. The results display at the bottom of the screen. Results may be spread over several pages depending on how broad the selected search criteria were. The tighter the criteria selected, the fewer the signatures returned.
Figure 386 Query Example Search Results 29.7 Introducing IDP Custom Signatures Create custom signatures for new attacks or attacks peculiar to your network. Custom signatures can also be saved to/from your computer so as to share with others. You need some knowledge of packet headers and attack types to create your own custom signatures. 29.7.1 IP Packet Header These are the fields in an Internet Protocol (IP) version 4 packet header.
Figure 387 IP v4 Packet Headers The header fields are discussed below: Table 160 IP v4 Packet Headers HEADER DESCRIPTION Version The value 4 indicates IP version 4. IHL IP Header Length is the number of 32-bit words forming the total length of the header (usually five). Type of Service The Type of Service (also known as Differentiated Services Code Point (DSCP)) is usually set to 0, but may indicate particular quality of service needs from the network.
Table 160 IP v4 Packet Headers (continued) HEADER DESCRIPTION Options IP options is a variable-length list of IP options for a datagram that define IP Security Option, IP Stream Identifier, (security and handling restrictions for the military), Record Route (have each router record its IP address), Loose Source Routing (specifies a list of IP addresses that must be traversed by the datagram), Strict Source Routing (specifies a list of IP addresses that must ONLY be traversed by the datagr
The following table describes the fields in this screen. Table 161 Anti-X > IDP > Custom Signatures LABEL DESCRIPTION Creating Use this part of the screen to create, edit, delete or export (save to your computer) custom signatures. SID SID is the signature ID that uniquely identifies a signature. Click the SID header to sort signatures in ascending or descending order. It is automatically created when you click the Add icon to create a new signature.
Figure 389 Anti-X > IDP > Custom Signatures > Add/Edit
The following table describes the fields in this screen. Table 162 Anti-X > IDP > Custom Signatures > Add/Edit LABEL DESCRIPTION Name Type the name of your custom signature. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Table 162 Anti-X > IDP > Custom Signatures > Add/Edit (continued) LABEL DESCRIPTION IP Options IP options is a variable-length list of IP options for a datagram that define IP Security Option, IP Stream Identifier, (security and handling restrictions for the military), Record Route (have each router record its IP address), Loose Source Routing (specifies a list of IP addresses that must be traversed by the datagram), Strict Source Routing (specifies a list of IP addresses that must ONLY b
Table 162 Anti-X > IDP > Custom Signatures > Add/Edit (continued) LABEL DESCRIPTION Payload Size This field may be used to check for abnormally sized packets or for detecting buffer overflows. Select the check box, then select Equal, Smaller or Greater and then type the payload size. Stream rebuilt packets are not checked regardless of the size of the payload. Offset This field specifies where to start searching for a pattern within a packet.
29.8.2.2 Analyze Packets Then use a packet sniffer such as TCPdump or Ethereal to investigate some more. From the NetBIOS header you see that the first byte ‘00’ defines the message type. The next three bytes represent the length of the data, so you can ignore them. Therefore enter |00| as the first pattern. Figure 390 Custom Signature Example Pattern 1 Next, check the content of the SMB header. Add |FF|SMB% and ‘TransactionNmPipe’ to the signature as the next patterns.
Figure 393 Example Custom Signature
29.8.3 Applying Custom Signatures After you create your custom signature, it becomes available in the IDP service group category in the IDP > Profile > Packet Inspection screen. Custom signatures have an SID from 9000000 to 9999999. You can activate the signature, configure what action to take when a packet matches it and whether it should generate a log or alert in a profile. Then bind the profile to a zone. Figure 394 Example: Custom Signature in IDP Profile 29.8.
Figure 395 Custom Signature Log 29.9 IDP Technical Reference This section contains some background information on IDP. Host Intrusions The goal of host-based intrusions is to infiltrate files on an individual computer or server with the goal of accessing confidential information or destroying information on that computer. You must install a host IDP directly on the system being protected.
The rule header contains the rule's:
• Action
• Protocol
• Source and destination IP addresses and netmasks
• Source and destination ports information.
The rule option section contains alert messages and information on which parts of the packet should be inspected to determine if the rule action should be taken. These are some equivalent Snort terms in the ZyWALL.
Note: Not all Snort functionality is supported in the ZyWALL.
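As an added example (not ZyXEL's code and not the ZyWALL's rule engine), the following Python parses a Snort-style rule header (action, protocol, source and destination address/netmask and ports) and its content options, then runs the ordered patterns from the custom signature example in Section 29.8.2.2 (|00|, |FF|SMB% and TransactionNmPipe) against a constructed SMB payload. The rule text and payload bytes are constructed for the example; only the unidirectional `->` header form is handled.

```python
"""Added example, not ZyXEL's code: parse a Snort-style rule (header plus
content options) and match its patterns, in order, against a payload.
Content patterns use the manual's mixed syntax: literal text with hex bytes
between pipes, e.g. |00| or |FF|SMB%."""
import ipaddress
import re
from dataclasses import dataclass, field

HEX_RUN = re.compile(r"\|([0-9A-Fa-f ]+)\|")


def pattern_to_bytes(pattern: str) -> bytes:
    """'|FF|SMB%' -> b'\\xffSMB%': pipe-delimited hex, everything else literal."""
    out = bytearray()
    pos = 0
    for m in HEX_RUN.finditer(pattern):
        out += pattern[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1))
        pos = m.end()
    out += pattern[pos:].encode("latin-1")
    return bytes(out)


@dataclass
class Rule:
    action: str
    protocol: str
    src_net: ipaddress.IPv4Network
    src_port: str
    dst_net: ipaddress.IPv4Network
    dst_port: str
    msg: str = ""
    contents: list = field(default_factory=list)  # ordered byte patterns


def _net(spec: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)


def _port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def parse_rule(text: str) -> Rule:
    """Split 'action proto src sport -> dst dport (opt; opt; ...)' into a Rule."""
    header, _, options = text.partition("(")
    action, proto, src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("this example only handles unidirectional '->' rules")
    rule = Rule(action, proto, _net(src), sport, _net(dst), dport)
    for opt in options.rstrip(")").split(";"):
        key, _, val = opt.strip().partition(":")
        val = val.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "content":
            rule.contents.append(pattern_to_bytes(val))
    return rule


def rule_matches(rule: Rule, proto: str, src_ip: str, sport: int,
                 dst_ip: str, dport: int, payload: bytes) -> bool:
    """Header fields must match and every content pattern must appear in order."""
    if proto != rule.protocol:
        return False
    if ipaddress.ip_address(src_ip) not in rule.src_net:
        return False
    if ipaddress.ip_address(dst_ip) not in rule.dst_net:
        return False
    if not (_port_ok(rule.src_port, sport) and _port_ok(rule.dst_port, dport)):
        return False
    cursor = 0
    for pat in rule.contents:
        idx = payload.find(pat, cursor)
        if idx < 0:
            return False
        cursor = idx + len(pat)  # later patterns must follow earlier ones
    return True


# Constructed rule using the three patterns from the manual's example.
SAMPLE_RULE = parse_rule(
    'alert tcp any any -> 192.168.1.0/24 445 '
    '(msg:"SMB named pipe transaction"; content:"|00|"; '
    'content:"|FF|SMB%"; content:"TransactionNmPipe";)'
)
# Constructed payload: NetBIOS session header (type 0x00, 3-byte length),
# SMB header (0xFF 'SMB' + command 0x25 = '%'), padding, then the pipe name.
SAMPLE_PAYLOAD = (b"\x00\x00\x00\x40" + b"\xffSMB%" + b"\x00" * 27
                  + b"\\PIPE\\TransactionNmPipe")

if __name__ == "__main__":
    hit = rule_matches(SAMPLE_RULE, "tcp", "10.0.0.5", 51000,
                       "192.168.1.20", 445, SAMPLE_PAYLOAD)
    print(SAMPLE_RULE.msg, "->", "match" if hit else "no match")
```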
CHAPTER 30 ADP 30.1 Overview This chapter introduces ADP (Anomaly Detection and Prevention), anomaly profiles and applying an ADP profile to a traffic direction. ADP protects against anomalies based on violations of protocol standards (RFCs – Requests for Comments) and abnormal flows such as port scans. 30.1.
Chapter 30 ADP ADP Profile An ADP profile is a set of traffic anomaly rules and protocol anomaly rules that you can activate as a set and configure common log and action settings. You can apply ADP profiles to traffic flowing from one zone to another. Base ADP Profiles Base ADP profiles are templates that you use to create new ADP profiles. The ZyWALL comes with several base profiles. See Table 166 on page 517 for details on ADP base profiles.
The following table describes the labels in this screen. Table 164 Anti-X > ADP > General LABEL DESCRIPTION General Settings Enable Anomaly Detection Policies Select this check box to enable traffic anomaly and protocol anomaly detection. Use this list to specify which anomaly profile the ZyWALL uses for traffic flowing in a specific direction. Priority This is the rank in the list of anomaly profile policies. The list is applied in order of priority.
The following table describes the labels in this screen. Table 165 Anti-X > ADP > General > Add LABEL DESCRIPTION Enable Select this check box to turn on this anomaly profile to traffic direction policy. From Traffic direction is defined by the zone the traffic is coming from and the zone the traffic is going to. Use the From field to specify the zone from which the traffic is coming. Select ZyWALL to specify traffic coming from the ZyWALL itself.
These are the default base profiles at the time of writing. Table 166 Base Profiles BASE PROFILE DESCRIPTION all All traffic anomaly and protocol anomaly rules are enabled. Rules with a high or severe severity level (greater than three) generate log alerts and cause packets that trigger them to be dropped. Rules with a very low, low or medium severity level (less than or equal to three) generate logs (not log alerts) and no action is taken on packets that trigger them.
ADP profiles consist of traffic anomaly profiles and protocol anomaly profiles. To create a new profile, select a base profile (see Table 166 on page 517) and then click OK to go to the profile details screen. Type a new profile name, enable or disable individual rules and then edit the default log options and actions. 30.3.4 Traffic Anomaly Profiles The traffic anomaly screen is the second screen in an ADP profile.
Figure 400 Profiles: Traffic Anomaly
The following table describes the fields in this screen. Table 168 ADP > Profile > Traffic Anomaly LABEL DESCRIPTION Name This is the name of the ADP profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Protocol anomaly rules may be updated when you upload new firmware. 30.3.6 Protocol Anomaly Configuration In the Anti-X > ADP > Profile screen, click the Edit icon or click the Add icon and choose a base profile, then select the Protocol Anomaly tab. If you made changes to other screens belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Protocol Anomaly tab.
Figure 401 Profiles: Protocol Anomaly
The following table describes the fields in this screen. Table 169 ADP > Profile > Protocol Anomaly LABEL DESCRIPTION Name This is the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Many connection attempts to different ports (services) may indicate a port scan. These are some port scan types:
• TCP Portscan
• UDP Portscan
• IP Portscan
An IP port scan searches not only for TCP, UDP and ICMP protocols in use by the remote computer, but also additional IP protocols such as EGP (Exterior Gateway Protocol) or IGP (Interior Gateway Protocol). Determining these additional protocols can help reveal if the destination device is a workstation, a printer, or a router.
• TCP Filtered Portsweep
• UDP Filtered Portsweep
• IP Filtered Portsweep
• ICMP Filtered Portsweep
• TCP Filtered Distributed Portscan
• UDP Filtered Distributed Portscan
• IP Filtered Distributed Portscan
Flood Detection Flood attacks saturate a network with useless data, use up all available bandwidth, and therefore make communications in the network impossible.
Figure 403 TCP Three-Way Handshake A SYN flood attack is when an attacker sends a series of SYN packets. Each packet causes the receiver to reply with a SYN-ACK response. The receiver then waits for the ACK that follows the SYN-ACK, and stores all outstanding SYN-ACK responses on a backlog queue. SYN-ACKs are only moved off the queue when an ACK comes back or when an internal timer ends the three-way handshake.
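Added example (not ZyXEL code): a small backlog tracker that mirrors the handshake bookkeeping just described, keeping one entry per outstanding SYN-ACK, expiring it on an internal timer, and flagging a SYN flood when the half-open count for one destination passes a threshold. The packet events, threshold and timeout values are constructed for the example.

```python
"""Added example, not ZyXEL code: a half-open connection (SYN backlog)
tracker that mirrors the handshake bookkeeping described above and flags a
SYN flood when one destination accumulates more outstanding SYN-ACKs than a
threshold. The packet events below are constructed, not captured traffic."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # "SYN" from the initiator, "ACK" completing the handshake


class SynBacklog:
    """Backlog queue keyed by 4-tuple; an entry lives from SYN until ACK or timeout."""

    def __init__(self, threshold: int, timeout: float):
        self.threshold = threshold
        self.timeout = timeout
        self.pending = {}   # (src, sport, dst, dport) -> time the SYN-ACK went out
        self.alerts = []    # (ts, destination, outstanding count)

    def _expire(self, now: float) -> None:
        # The internal timer ends handshakes that never received the final ACK.
        for key, sent in list(self.pending.items()):
            if now - sent > self.timeout:
                del self.pending[key]

    def outstanding(self, dst: str) -> int:
        return sum(1 for key in self.pending if key[2] == dst)

    def feed(self, pkt: Packet) -> None:
        self._expire(pkt.ts)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == "SYN":
            # Receiver answers with SYN-ACK and parks the half-open entry.
            self.pending[key] = pkt.ts
            count = self.outstanding(pkt.dst)
            if count > self.threshold:
                self.alerts.append((pkt.ts, pkt.dst, count))
        elif pkt.flags == "ACK":
            # Third handshake step: the entry leaves the backlog.
            self.pending.pop(key, None)


def detect_syn_flood(packets, threshold: int = 5, timeout: float = 10.0):
    """Run the events through the tracker and return the alerts it raised."""
    backlog = SynBacklog(threshold, timeout)
    for pkt in sorted(packets, key=lambda p: p.ts):
        backlog.feed(pkt)
    return backlog.alerts


SERVER = "192.168.1.10"

# Constructed: three clients that each complete the handshake.
NORMAL_EVENTS = []
for i in range(3):
    NORMAL_EVENTS.append(Packet(1.0 + i, f"10.0.0.{i + 1}", 40000 + i, SERVER, 80, "SYN"))
    NORMAL_EVENTS.append(Packet(1.5 + i, f"10.0.0.{i + 1}", 40000 + i, SERVER, 80, "ACK"))

# Constructed: six SYNs from different sources that are never ACKed, then one
# legitimate SYN long after the timer has drained the queue.
FLOOD_EVENTS = [Packet(2.0 + 0.5 * i, f"203.0.113.{i + 1}", 50000 + i, SERVER, 80, "SYN")
                for i in range(6)]
FLOOD_EVENTS.append(Packet(30.0, "10.0.0.9", 40100, SERVER, 80, "SYN"))

if __name__ == "__main__":
    print("normal traffic alerts:", detect_syn_flood(NORMAL_EVENTS))
    print("flood alerts:", detect_syn_flood(FLOOD_EVENTS))
```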
Protocol Anomaly Background Information The following sections may help you configure the protocol anomaly profile screen (see Section 30.3.5 on page 520). HTTP Inspection and TCP/UDP/ICMP Decoders The following table gives some information on the HTTP inspection, TCP decoder, UDP decoder and ICMP decoder ZyWALL protocol anomaly rules.
Table 170 HTTP Inspection and TCP/UDP/ICMP Decoders (continued) LABEL DESCRIPTION OVERSIZE-CHUNK-ENCODING ATTACK This rule is an anomaly detector for abnormally large chunk sizes. This picks up the Apache chunk encoding exploits and may also be triggered on HTTP tunneling that uses chunk encoding. OVERSIZE-REQUEST-URI-DIRECTORY ATTACK This rule takes a non-zero positive integer as an argument. The argument specifies the maximum number of characters allowed in a URL directory.
Table 170 HTTP Inspection and TCP/UDP/ICMP Decoders (continued) LABEL DESCRIPTION TRUNCATED-HEADER ATTACK This is when a UDP packet is sent which has a UDP datagram length of less than the UDP header length. This may cause some applications to crash. UNDERSIZE-LEN ATTACK This is when a UDP packet is sent which has a UDP length field of less than 8 bytes. This may cause some applications to crash.
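Added example (not ZyXEL code) covering both the IPv4 header fields of Table 160 in the IDP chapter and the UDP decoder rules in this table: it decodes an IPv4 header (version, IHL, ToS, protocol, options), then checks the UDP datagram for TRUNCATED-HEADER and UNDERSIZE-LEN. The packets are built inline with checksums left at zero; the helper names (build_ipv4, build_udp, inspect_packet) are this example's own.

```python
"""Added example, not ZyXEL code: decode the IPv4 header fields of Table 160 and
apply the UDP decoder checks of Table 170 (TRUNCATED-HEADER, UNDERSIZE-LEN) to
packets built inline. Checksums stay zero; the helper names are this example's own."""
import struct
from dataclasses import dataclass

IPV4_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte part of the IPv4 header
UDP_HEADER_LEN = 8
PROTO_UDP = 17


@dataclass
class IPv4Header:
    version: int
    ihl: int            # header length in 32-bit words (5 without options)
    tos: int            # Type of Service / DSCP byte
    total_length: int
    identification: int
    flags: int
    fragment_offset: int
    ttl: int
    protocol: int
    checksum: int
    src: str
    dst: str
    options: bytes      # raw option bytes, e.g. Record Route (type 7)


def parse_ipv4(data: bytes) -> IPv4Header:
    if len(data) < 20:
        raise ValueError("IPv4 header truncated")
    (vihl, tos, tlen, ident, frag, ttl, proto,
     csum, src, dst) = struct.unpack(IPV4_FMT, data[:20])
    version, ihl = vihl >> 4, vihl & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError("not a valid IPv4 header")
    hlen = ihl * 4
    if len(data) < hlen:
        raise ValueError("IPv4 options truncated")
    return IPv4Header(version, ihl, tos, tlen, ident, frag >> 13, frag & 0x1FFF,
                      ttl, proto, csum, ".".join(map(str, src)),
                      ".".join(map(str, dst)), data[20:hlen])


def udp_decoder_anomalies(udp: bytes) -> list:
    """Names of the Table 170 UDP decoder rules this datagram triggers."""
    if len(udp) < UDP_HEADER_LEN:
        return ["TRUNCATED-HEADER"]      # fewer bytes than a UDP header
    length_field = struct.unpack("!H", udp[4:6])[0]
    if length_field < UDP_HEADER_LEN:
        return ["UNDERSIZE-LEN"]         # length field below the 8-byte header
    return []


def inspect_packet(raw: bytes) -> dict:
    """Parse the IP header and, for UDP, run the decoder checks on the payload."""
    ip = parse_ipv4(raw)
    anomalies = udp_decoder_anomalies(raw[ip.ihl * 4:]) if ip.protocol == PROTO_UDP else []
    return {"src": ip.src, "dst": ip.dst, "protocol": ip.protocol,
            "ihl": ip.ihl, "options": ip.options, "anomalies": anomalies}


def build_ipv4(src, dst, proto, payload, options=b""):
    opts = options + b"\x00" * (-len(options) % 4)   # pad to a 32-bit boundary
    ihl = 5 + len(opts) // 4
    header = struct.pack(IPV4_FMT, (4 << 4) | ihl, 0, 20 + len(opts) + len(payload),
                         0, 0, 64, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return header + opts + payload


def build_udp(sport, dport, payload, length=None):
    length = UDP_HEADER_LEN + len(payload) if length is None else length
    return struct.pack("!HHHH", sport, dport, length, 0) + payload


# Constructed packets for the checks above.
GOOD_PACKET = build_ipv4("10.0.0.5", "192.168.1.20", PROTO_UDP,
                         build_udp(53000, 53, b"query"))
UNDERSIZE_PACKET = build_ipv4("10.0.0.5", "192.168.1.20", PROTO_UDP,
                              build_udp(53000, 53, b"", length=4))
TRUNCATED_PACKET = build_ipv4("10.0.0.5", "192.168.1.20", PROTO_UDP,
                              b"\xcf\x08\x00\x35")   # only 4 UDP bytes on the wire
# Record Route option: type 7, length 11, pointer 4, room for two addresses.
OPTIONS_PACKET = build_ipv4("10.0.0.5", "192.168.1.20", PROTO_UDP,
                            build_udp(53000, 53, b"query"),
                            options=b"\x07\x0b\x04" + b"\x00" * 8)
```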
CHAPTER 31 Content Filtering 31.1 Overview Use the content filtering feature to control access to specific web sites or web content. 31.1.1 What You Can Do in the Content Filter Screens • Use the General screens (Section 31.2 on page 533) to configure global content filtering settings, configure content filtering policies, and check the content filtering license status. • Use the Filter Profile screens (Section 31.4 on page 536) to set up content filtering profiles. • Use the Cache screen (Section 31.
Chapter 31 Content Filtering The ZyWALL can disable web proxies and block web features such as ActiveX controls, Java applets and cookies. • Customize Web Site Access You can specify URLs to which the ZyWALL blocks access. You can alternatively block access to all URLs except ones that you specify. You can also have the ZyWALL block access to URLs that contain particular keywords.
Chapter 31 Content Filtering 31.2 Content Filter General Screen Click Anti-X > Content Filter > General to open the Content Filter General screen. Use this screen to enable content filtering, view and order your list of content filter policies, create a denial of access message or specify a redirect URL and check your external web filtering service registration status. Figure 405 Anti-X > Content Filter > General The following table describes the labels in this screen.
Chapter 31 Content Filtering Table 171 Anti-X > Content Filter > General (continued) 534 LABEL DESCRIPTION Filter Profile This column displays the name of the content filter profile that each content filter policy uses. The content filter profile defines to which web services, web sites or web site categories access is to be allowed or denied. Add Click the Add icon at the top of the column to create a new content filter policy at the top of the list. The Active icon shows the entry is enabled.
Chapter 31 Content Filtering Table 171 Anti-X > Content Filter > General (continued) LABEL DESCRIPTION Apply new Registration This link appears if you have not registered for the service or only have the trial registration. Click this link to go to the screen where you can register for the service. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 31.
Chapter 31 Content Filtering Table 172 Anti-X > Content Filter > General > Add (continued) LABEL DESCRIPTION OK Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. 31.4 Content Filter Profile Screen Click Anti-X > Content Filter > Filter Profile to open the Filter Profile screen. A content filter profile defines to which web services, web sites or web site categories access is to be allowed or denied.
Chapter 31 Content Filtering 1 Log into myZyXEL.com and click your device’s link to open it’s Service Management screen. 2 Click Content Filter in the Service Name field to open the Blue Coat login screen. 3 Enter your ZyXEL device's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 414 on page 552). Type your myZyXEL.com account password in the Password field. Click Submit.
Chapter 31 Content Filtering Table 174 Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Unrated Web Pages Select Block to prevent users from accessing web pages that the external web filtering service has not categorized. When the external database content filtering blocks access to a web page, it displays the denied access message that you configured in the Content Filter General screen along with the category of the blocked web page.
Chapter 31 Content Filtering Table 174 Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Alcohol/Tobacco Selecting this category excludes pages that promote or offer the sale alcohol/tobacco products, or provide the means to create them. It also includes pages that glorify, tout, or otherwise encourage the consumption of alcohol/tobacco. It does not include pages that sell alcohol or tobacco as a subset of other products.
Chapter 31 Content Filtering Table 174 Anti-X > Content Filter > Filter Profile > Add (continued) 540 LABEL DESCRIPTION Alternative Spirituality/ Occult Selecting this category excludes pages that promote and provide information on religions such as Wicca, Witchcraft or Satanism. Occult practices, atheistic views, voodoo rituals or any other form of mysticism are represented here.
Chapter 31 Content Filtering Table 174 Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Computers/Internet Selecting this category excludes pages that sponsor or provide information on computers, technology, the Internet and technologyrelated organizations and companies. Search Engines/Portals Selecting this category excludes pages that support searching the Internet, indices, and directories.
Chapter 31 Content Filtering Table 174 Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Religion Selecting this category excludes pages that promote and provide information on conventional or unconventional religious or quasi-religious subjects, as well as churches, synagogues, or other houses of worship. It does not include pages containing alternative religions such as Wicca or witchcraft or atheist beliefs (Alternative Spirituality/Occult).
Chapter 31 Content Filtering Table 174 Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Vehicles Selecting this category excludes pages that provide information on or promote vehicles, boats, or aircraft, including pages that support online purchase of vehicles or parts. Humor/Jokes Selecting this category excludes pages that primarily focus on comedy, jokes, fun, etc. This may include pages containing jokes of adult or mature nature.
Figure 409 Anti-X > Content Filter > Filter Profile > Customization
The following table describes the labels in this screen.
Table 175 Anti-X > Content Filter > Filter Profile > Customization
Name: Enter a descriptive name for this content filtering profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Java: Java is a programming language and development environment for building downloadable Web components or Internet and intranet business applications of all kinds.
Cookies: Cookies are files stored on a computer's hard drive. Some web servers use them to track usage and provide service based on ID.
Add: Click this button when you have finished adding the keywords in the field above.
Delete: Select a keyword from the Blocked URL Keywords list, and then click this button to delete it from that list.
OK: Click OK to save your changes back to the ZyWALL.
Cancel: Click Cancel to exit this screen without saving your changes.
31.
Figure 410 Anti-X > Content Filter > Cache
The following table describes the labels in this screen.
Table 176 Anti-X > Content Filter > Cache
URL Cache Entry Flush: Click this button to clear all web site addresses from the cache manually.
Refresh: Click this button to reload the list of content filter cache entries.
Total cache entries: This is the number of web site addresses in the content filter cache.
Category: This field shows whether access to the web site's URL was blocked or allowed. Click the column heading to sort the entries. Point the triangle up to display the blocked URLs before the URLs to which access was allowed. Point the triangle down to display the URLs to which access was allowed before the blocked URLs.
3 Use the Content Filter Cache screen to configure how long a web site address remains in the cache as well as view those web site addresses (see Section 31.7 on page 546). All of the web site address records are also cleared from the local cache when the ZyWALL restarts.
4 If the ZyWALL has no record of the web site, it queries the external content filter database and simultaneously sends the request to the web server.
CHAPTER 32 Content Filter Reports
32.1 Overview
You can view content filtering reports after you have activated the category-based content filtering subscription service. See Chapter 8 on page 185 on how to create a myZyXEL.com account, register your device and activate the subscription services.
32.2 Viewing Content Filter Reports
Content filtering reports are generated statistics and charts of access attempts to web sites belonging to the categories you selected in your device's content filter screen.
3 A welcome screen displays. Click your ZyWALL's model name and/or MAC address under Registered ZyXEL Products. You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 414 on page 552).
Figure 413 myZyXEL.com: Welcome
4 In the Service Management screen click Content Filter in the Service Name field to open the Blue Coat login screen.
Figure 414 myZyXEL.
5 Enter your ZyXEL device's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 414 on page 552). Type your myZyXEL.com account password in the Password field.
6 Click Submit.
Figure 415 Blue Coat: Login
7 In the Web Filter Home screen, click the Reports tab.
Figure 416 Blue Coat Content Filter Reports Main Screen
8 Select items under Global Reports or Single User Reports to view the corresponding reports.
Figure 417 Blue Coat: Report Home
9 Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report. The screens vary according to the report type you selected in the Report Home screen.
10 A chart and/or list of requested web site categories display in the lower half of the screen.
Figure 418 Global Report Screen Example
11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.
Figure 419 Requested URLs Example
32.3 Web Site Submission
You may find that a web site has not been accurately categorized or that a web site's contents have changed and the content filtering category needs to be updated. Use the following procedure to submit the web site for review.
1 Log into the content filtering reports web site (see Section 32.2 on page 551).
Figure 420 Web Page Review Process Screen
3 Type the web site's URL in the field and click Submit to have the web site reviewed.
CHAPTER 33 Anti-Spam
33.1 Overview
The anti-spam feature can mark or discard spam (unsolicited commercial or junk e-mail). Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail. The ZyWALL can also check e-mail against a DNS black list (DNSBL) of IP addresses of servers that are suspected of being used by spammers.
33.1.1 What You Can Do in the Anti-Spam Screens
• Use the General screens (Section 33.
matches a black list entry as spam and immediately takes the configured action for dealing with spam. If an e-mail matches a black list entry, the ZyWALL does not perform any more anti-spam checking on that individual e-mail. A properly configured black list helps catch spam e-mail and increases the ZyWALL's anti-spam speed and efficiency.
SMTP and POP3
Simple Mail Transfer Protocol (SMTP) is the Internet's message transport standard.
Figure 421 DNSBL Example (figure labels: DNSBL 1, DNSBL 2, DNSBL 3; IPs: a.b.c.d, w.x.y.z; "Not spam"; "Spam!")
1 The ZyWALL checks the e-mail's header for sender or relay IP addresses and sends them to all of the DNSBL domains configured in the ZyWALL.
2 The DNSBL servers reply as to whether or not the IP addresses match an entry in their list. In this example, DNSBL 1's reply came first. Since DNSBL 1 says the IP addresses are not in its list, the ZyWALL waits for more responses.
Figure 422 Anti-X > Anti-Spam > General
The following table describes the labels in this screen.
Table 177 Anti-X > Anti-Spam > General
General Settings: Click Advanced to display more settings. Click Basic to display fewer settings.
Enable Anti-Spam: Select this check box to check SMTP (TCP port 25) and POP3 (TCP port 110) traffic for spam e-mail.
Add icon: Click the Add icon in the heading row to add a new first entry. The Active icon displays whether the entry is enabled or not. Click it to activate or deactivate the entry. Make sure you click Apply to save and apply the change. Click the Edit icon to go to the screen where you can edit the entry on the ZyWALL. Click the Add icon in an entry to add an entry below the current entry.
The following table describes the labels in this screen.
Table 178 Anti-X > Anti-Virus > General > Add
Enable Policy: Select this check box to have the ZyWALL apply this anti-spam policy to check e-mail traffic for spam.
Log: Select how the ZyWALL is to log the event when the DNSBL times out or an e-mail matches the white list, black list, or DNSBL. no: Do not create a log. log: Create a log on the ZyWALL.
Figure 424 Anti-X > Anti-Spam > Black/White List > Black List
The following table describes the labels in this screen.
Table 179 Anti-X > Anti-Spam > Black/White List > Black List
General Settings
Enable Black List Checking: Select this check box to have the ZyWALL treat e-mail that matches (an active) black list entry as spam.
Use this screen to configure an anti-spam black list entry to identify spam e-mail. You can create entries based on specific subject text, or the sender's or relay's IP address or e-mail address. You can also create entries that check for particular header fields and values.
Figure 425 Anti-X > Anti-Spam > Black/White List > Black List (or White List) > Add
The following table describes the labels in this screen.
Table 180 Anti-X > Anti-Spam > Black/White List > Black List (or White List) > Add
OK: Click OK to save your changes.
Cancel: Click Cancel to exit this screen without saving your changes.
33.4.2 Regular Expressions in Black or White List Entries
The following applies for a black or white list entry based on an e-mail subject, e-mail address, or e-mail header value.
• Use a question mark (?) to let a single character vary.
Table 181 Anti-X > Anti-Spam > Black/White List > White List (continued)
Total Rule: This is the number of entries configured.
rules per page: Select how many entries you want to display on each page.
Page x of x: This is the number of the page of entries currently displayed and the total number of pages of entries. Type a page number to go to or use the arrows to navigate the pages of entries.
#: This is the entry's index number in the list.
Figure 427 Anti-X > Anti-Spam > DNSBL
The following table describes the labels in this screen.
Table 182 Anti-X > Anti-Spam > DNSBL
Enable DNS Black List (DNSBL) Checking: Select this to have the ZyWALL check the sender and relay IP addresses in e-mail headers against the DNSBL servers maintained by the DNSBL domains listed in the ZyWALL. The ZyWALL checks public IP addresses (it does not check private IP addresses).
SMTP: Select how the ZyWALL is to handle SMTP mail (mail going to an e-mail server) if the queries to the DNSBL domains time out. Select drop to discard SMTP mail. Select forward to allow SMTP mail to go through. Select forward with tag to add a DNSBL timeout tag to the mail subject of an SMTP mail and send it.
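The anti-spam checking order described in this chapter (white list, then black list entries with "?" wildcards, then DNSBL lookups on the public sender and relay IP addresses with the configured timeout action), as an added example that is not ZyWALL code. The private address ranges, the whole-subject matching rule, the result strings and the timeout tag text are assumptions; the resolver is a constructed in-memory table and the sample mail and DNSBL domains are constructed.

```python
import ipaddress
import re
from email import message_from_string

# The chapter says private IPs are skipped but does not list the ranges;
# this toy assumes RFC 1918 plus loopback and link-local.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
TIMEOUT = "timeout"               # answer the constructed resolver gives when a DNSBL does not reply
TIMEOUT_TAG = "[DNSBL timeout] "  # constructed tag text; the real wording is not on the page
_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def list_entry_to_regex(entry):
    """Black/white list entry: '?' lets exactly one character vary, everything
    else is literal. Assumption: case-insensitive match against the whole subject."""
    return re.compile("".join("." if ch == "?" else re.escape(ch) for ch in entry),
                      re.IGNORECASE)


def subject_matches(subject, entries):
    return any(list_entry_to_regex(e).fullmatch(subject) for e in entries)


def public_header_ips(raw):
    """Sender/relay IPv4 addresses from the Received: headers, private ones dropped."""
    found = []
    for header in message_from_string(raw).get_all("Received", []):
        for text in _RECEIVED_IP.findall(header):
            try:
                ip = ipaddress.IPv4Address(text)
            except ValueError:
                continue          # malformed address in a header: ignore it
            if not any(ip in net for net in PRIVATE_NETS) and str(ip) not in found:
                found.append(str(ip))
    return found


def dnsbl_qname(ip, domain):
    """Standard DNSBL lookup name: the octets reversed, prefixed to the list's domain."""
    return ".".join(reversed(ip.split("."))) + "." + domain


def dnsbl_verdict(ips, domains, resolve):
    """Ask every configured DNSBL domain about every IP. A 'listed' answer wins
    (spam); otherwise a timeout on any query gives 'timeout'; otherwise 'clean'."""
    saw_timeout = False
    for ip in ips:
        for domain in domains:
            answer = resolve(dnsbl_qname(ip, domain))
            if answer == "listed":
                return "spam"
            if answer == TIMEOUT:
                saw_timeout = True
    return "timeout" if saw_timeout else "clean"


def classify(raw, white, black, domains, resolve, timeout_action="forward"):
    """Return (action, subject). Order as in the chapter: a white list hit is
    legitimate mail, a black list hit is spam and ends checking, then DNSBL."""
    subject = message_from_string(raw).get("Subject", "")
    if subject_matches(subject, white):
        return ("forward", subject)
    if subject_matches(subject, black):
        return ("spam", subject)
    verdict = dnsbl_verdict(public_header_ips(raw), domains, resolve)
    if verdict == "spam":
        return ("spam", subject)
    if verdict == "clean":
        return ("forward", subject)
    # Nothing was listed and at least one query timed out: apply the SMTP
    # timeout action chosen on the DNSBL screen (drop / forward / forward with tag).
    if timeout_action == "drop":
        return ("drop", subject)
    if timeout_action == "forward_with_tag":
        return ("forward", TIMEOUT_TAG + subject)
    return ("forward", subject)


# Constructed sample mail: an inner relay on a private address and one public relay.
SAMPLE_MAIL = (
    "Received: from mx.example.net [203.0.113.5] by gw.example.com\n"
    "Received: from pc1.example.com [192.168.1.20] by mx.example.net\n"
    "Subject: Cheap Pills 2008\n"
    "\n"
    "body\n")

# Constructed resolver table standing in for real DNSBL servers; unknown names are clean.
_ANSWERS = {
    "5.113.0.203.dnsbl-one.example": "listed",
    "5.113.0.203.dnsbl-two.example": TIMEOUT,
}


def fake_resolve(qname):
    return _ANSWERS.get(qname, "clean")
```

Calling classify(SAMPLE_MAIL, [], ["Cheap ?ills 2008"], ["dnsbl-one.example"], fake_resolve) returns ("spam", "Cheap Pills 2008") from the black list alone; with an empty black list the public relay's DNSBL listing gives the same verdict, and querying only dnsbl-two.example exercises the timeout action.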
The following table describes the labels in this screen.
Table 183 Anti-X > Anti-Spam > DNSBL > Add
General Settings
Enable DNSBL Domain: Select this check box to have the ZyWALL check the sender and relay IP addresses in e-mails against this DNSBL.
DNSBL Domain: Enter the domain that is maintaining a DNSBL.
OK: Click OK to save your changes.
Cancel: Click Cancel to exit this screen without saving your changes.
33.
Table 184 Anti-X > Anti-Spam > Status (continued)
Avg. Response Time (sec): This is the average for how long it takes to receive a reply from this DNSBL.
No Response: This is how many DNS queries the ZyWALL sent to this DNSBL without receiving a reply.
PART VII Device HA
Device HA (575)
CHAPTER 34 Device HA
34.1 Overview
Device HA lets a backup ZyWALL (B) automatically take over if a master ZyWALL (A) fails.
Figure 430 Device HA Backup Taking Over for the Master (A is the master, B the backup)
34.1.1 What You Can Do in the Device HA Screens
• Use the General screen (Section 34.2 on page 576) to configure device HA global settings, and see the status of each interface monitored by device HA.
• Use the Active-Passive Mode screens (Section 34.3.1 on page 579) to use active-passive mode device HA.
Management Access
You can configure a separate management IP address for each interface. You can use it to access the ZyWALL for management whether the ZyWALL is the master or a backup. The management IP address should be in the same subnet as the interface IP address.
Synchronization
Use synchronization to have a backup ZyWALL copy the master ZyWALL's configuration, signatures (anti-virus, IDP/application patrol, and system protect), and certificates.
Figure 431 Device HA > General
The following table describes the labels in this screen.
Table 185 Device HA > General
Enable Device HA: Turn the ZyWALL's device HA feature on or off.
Device HA Mode: This displays whether the ZyWALL is currently set to use active-passive mode device HA or legacy mode device HA. Active-passive mode is recommended for general device failover deployments.
34.3 The Active-Passive Mode Screen
Virtual Router
The master and backup ZyWALL form a single 'virtual router'. In the following example, master ZyWALL A and backup ZyWALL B form a virtual router.
Figure 432 Virtual Router (master A and backup B)
Cluster ID
You can have multiple ZyWALL virtual routers on your network. Use a different cluster ID to identify each virtual router. In the following example, ZyWALLs A and B form a virtual router that uses cluster ID 1.
Enable monitoring for the same interfaces on the master and backup ZyWALLs. Each monitored interface must have a static IP address and be connected to the same subnet as the corresponding interface on the backup or master ZyWALL.
Virtual Router and Management IP Addresses
• If a backup takes over for the master, it uses the master's IP addresses. These IP addresses are known as the virtual router IP addresses.
• Each interface can also have a management IP address.
Figure 435 Device HA > Active-Passive Mode
The following table describes the labels in this screen. See Section 34.4 on page 582 for more information as well.
Table 186 Device HA > Active-Passive Mode
Device Role: Select the device HA role that the ZyWALL plays in the virtual router. Choices are: Master - This ZyWALL is the master ZyWALL in the virtual router. This ZyWALL uses the virtual IP address for each monitored interface.
Authentication: Select the authentication method the virtual router uses. Every interface in a virtual router must use the same authentication method and password. Choices are: None - this virtual router does not use any authentication method. Text - this virtual router uses a plain text password for authentication. Type the password in the field next to the radio button.
Auto Synchronize: Select this to get the updated configuration automatically from the specified ZyWALL according to the specified Interval. The first synchronization begins after the specified Interval; the ZyWALL does not synchronize immediately.
Interval: When you select Auto Synchronize, set how often the ZyWALL synchronizes with the master.
34.5 The Legacy Mode Screen
Virtual Router Redundancy Protocol (VRRP)
Legacy mode device HA uses Virtual Router Redundancy Protocol (VRRP) to create redundant backup gateways to ensure that a default gateway is always available. The ZyWALL uses a custom VRRP implementation and is not compatible with standard VRRP.
Figure 437 Device HA > Legacy Mode
The following table describes the labels in this screen. See Table 189 on page 586 for more information as well.
Table 188 Device HA > Legacy Mode
Link Monitoring: Enable link monitoring to have the master ZyWALL shut down all of its VRRP interfaces if one of its VRRP interface links goes down. This way the backup ZyWALL takes over all of the master ZyWALL's functions.
Add icon: This column provides icons to activate, deactivate, add, edit, and remove VRRP groups. To activate or deactivate a VRRP group, click the Active icon next to the group. Make sure you click Apply to save and apply the change. Activating a VRRP group has the ZyWALL monitor the connection of the group's interface.
Figure 438 Device HA > Legacy Mode > Add
The following table describes the labels in this screen.
Table 189 Device HA > Legacy Mode > Add
Enable VRRP Group: Select this to make the specified interface part of the virtual router. Clear this to take the specified interface out of the virtual router. Enabling a VRRP group has the ZyWALL monitor the connection of the group's interface.
Name: This field is read-only if you are editing the VRRP group.
Preempt: This field is available if the selected interface is a Backup interface. Select this if the selected interface should become the master interface if a lower-priority interface is the master when this one is enabled. (If the role is Master, the interface preempts by default.)
Virtual Router Settings: Click Advanced to display more settings. Click Basic to display fewer settings.
Figure 439 Example: VRRP, Normal Operation
The VR ID is not shown. In normal operation, ZyWALL A is the master. It has the same IP address as the default gateway and forwards traffic for the network. ZyWALL B is a backup. It is using its management IP address 192.168.10.112. ZyWALL A sends regular messages to ZyWALL B to let ZyWALL B know that ZyWALL A is available. If ZyWALL A becomes unavailable, it stops sending messages to ZyWALL B.
• System protect signatures
• Certificates (My Certificates, and Trusted Certificates)
Synchronization does not change the device HA settings in the backup ZyWALL. Synchronization affects the entire device configuration. You can only configure one set of settings for synchronization, regardless of how many VRRP groups you might configure.
PART VIII Objects
User/Group (593)
Addresses (607)
Services (613)
Schedules (619)
AAA Server (625)
Authentication Method (635)
Certificates (639)
SSL Application (657)
CHAPTER 35 User/Group
35.1 Overview
This chapter describes how to set up user accounts, user groups, and user settings for the ZyWALL. You can also set up rules that control when users have to log in to the ZyWALL before the ZyWALL routes traffic for them.
35.1.1 What You Can Do Using The User/Group Screens
• The User screen (see Section 35.2 on page 595) provides a summary of all user accounts.
• The Group screen (see Section 35.3 on page 598) provides a summary of all user groups.
Table 190 Types of User Accounts (continued)
TYPE / ABILITIES / LOGIN METHOD(S)
Guest / Access network services / WWW
Ext-User / External User Account / WWW
Note: The default admin account is always authenticated locally, regardless of the authentication method setting. (See Chapter 39 on page 625 for more information about authentication methods.)
Note: You cannot put access users and admin users in the same user group.
Note: You cannot put the default admin account into any user group.
The sequence of members in a user group is not important.
User Awareness
By default, users do not have to log into the ZyWALL to use the network services it provides. The ZyWALL automatically routes packets for everyone.
Figure 441 Object > User/Group
The following table describes the labels in this screen.
Table 191 Object > User/Group
#: This field is a sequential value, and it is not associated with a specific user.
User Name: This field displays the user name of each user.
Description: This field displays the description for each user.
Add icon: This column provides icons to add, edit, and remove users. To add a user, click the Add icon at the top of the column.
Table 192 Reserved User Names (continued)
• operator
• radius-users
• root
• sync
• uucp
• zyxel
• shutdown
• sshd
To access this screen, go to the User screen (see Section 35.2 on page 595), and click either the Add icon or an Edit icon.
Figure 442 User/Group > User > Edit
The following table describes the labels in this screen.
Table 193 User/Group > User > Edit
User Name: Type the user name for this user account.
Reauthentication Time: Type the number of minutes this user can be logged into the ZyWALL in one session before the user has to log in again. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Unlike Lease Time, the user has no opportunity to renew the session without logging out.
OK: Click OK to save your changes back to the ZyWALL.
Figure 444 User/Group > Group > Add
The following table describes the labels in this screen.
Table 195 User/Group > Group > Add
Name: Type the name for this user group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. User group names have to be different than user names.
Description: Enter the description of the user group, if any.
Figure 445 Object > User/Group > Setting
The following table describes the labels in this screen.
Table 196 Object > User/Group > Setting
User Default Setting
User Type: Select the default user type when you create a new user account. You can still change the user type for each user account.
Lease Time: Select the default lease time when you create a new user account. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited.
Maximum number per access account: This field is effective when Limit ... for access account is checked. Type the maximum number of simultaneous logins by each access user.
User Lockout Setting
Enable logon retry limit: Select this check box to set a limit on the number of times each user can log in unsuccessfully (for example, wrong password) before the IP address is locked out for a specified amount of time.
Source: This field displays the source address object of traffic to which this condition applies. It displays any if this condition applies to traffic from all source addresses.
Destination: This field displays the destination address object of traffic to which this condition applies. It displays any if this condition applies to traffic from all destination addresses.
The following table describes the labels in this screen.
Table 197 Object > User/Group > Setting > Add/Edit
Enable: Select this if you want this condition to be active.
Description: Enter a description for this condition. It can be up to 60 printable ASCII characters long.
Authentication: Select whether users must log in (force) or whether users do not have to log in (skip) when this condition is checked and satisfied.
The following table describes the labels in this screen.
Table 198 Web Configurator for Non-Admin Users
User-defined lease time (max ... minutes): Access users can specify a lease time shorter than or equal to the one that you specified. The default value is the lease time that you specified.
Renew: Access users can click this button to reset the lease time, the amount of time remaining before the ZyWALL automatically logs them out.
Creating a Large Number of Ext-User Accounts
If you plan to create a large number of Ext-User accounts, you might use CLI commands, instead of the web configurator, to create the accounts. Extract the user names from the LDAP or RADIUS server, and create a shell script that creates the user accounts. See Chapter 44 on page 705 for more information about shell scripts.
CHAPTER 36 Addresses
36.1 Overview
Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups.
36.1.1 What You Can Do Using The Addresses Screens
• The Address screen (Section 36.2 on page 607) provides a summary of all addresses in the ZyWALL. Use the Address Add/Edit screen to create a new address or edit an existing one.
• Use the Address Group summary screen (Section 36.
Figure 450 Object > Address > Address
The following table describes the labels in this screen. See Section 36.2.1 on page 608 for more information as well.
Table 200 Object > Address > Address
#: This field is a sequential value, and it is not associated with a specific address.
Name: This field displays the configured name of each address object.
Type: This field displays the type of each address object.
The following table describes the labels in this screen.
Table 201 Object > Address > Address > Edit
Name: Type the name used to refer to the address. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Address Type: Select the type of address you want to create. Choices are: HOST, RANGE, SUBNET, INTERFACE IP, INTERFACE SUBNET, and INTERFACE GATEWAY.
The following table describes the labels in this screen. See Section 36.3.1 on page 610 for more information as well.
Table 202 Object > Address > Address Group
#: This field is a sequential value, and it is not associated with a specific address group.
Name: This field displays the name of each address group.
Description: This field displays the description of each address group, if any.
Table 203 Object > Address > Address Group > Add (continued)
Available: This field displays the names of the address and address group objects that can be added to the address group. Select address and address group objects that you want to be members of this group and click the right arrow to add them to the member list.
Member: This field displays the names of the address and address group objects that have been added to the address group.
CHAPTER 37 Services
37.1 Overview
Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features.
37.1.1 What You Can Do in the Services Screens
• Use the Service screens (Section 37.2 on page 614) to view and configure the ZyWALL's list of services and their definitions.
• Use the Service Group screens (Section 37.2 on page 614) to view and configure the ZyWALL's list of service groups.
37.1.
Service Objects and Service Groups
Use service objects to define IP protocols.
• TCP applications
• UDP applications
• ICMP messages
• user-defined services (for other types of IP protocols)
These objects are used in policy routes, firewall rules, and IDP profiles. Use service groups when you want to create the same rule for several services, instead of creating separate rules for each service. Service groups may consist of services and other service groups.
The following table describes the labels in this screen.
Table 204 Object > Service > Service
Total Services: This displays the total number of services configured on the ZyWALL.
services per page: Select the number of services you want to appear per page here.
Page x of x: This is the number of the page of entries currently displayed and the total number of pages of entries. Type a page number to go to or use the arrows to navigate the pages of entries.
Table 205 Object > Service > Service > Edit (continued)
ICMP Type: This field appears if the IP Protocol is ICMP Type. Select the ICMP message used by this service. This field displays the message text, not the message number.
IP Protocol Number: This field appears if the IP Protocol is User Defined. Enter the number of the next-level protocol (IP protocol). Allowed values are 0-255.
OK: Click OK to save your changes back to the ZyWALL.
37.3.1 The Service Group Add/Edit Screen
The Service Group Add/Edit screen allows you to create a new service group or edit an existing one. To access this screen, go to the Service Group screen (see Section 37.3 on page 616), and click either the Add icon or an Edit icon.
Figure 457 Object > Service > Service Group > Edit
The following table describes the labels in this screen.
CHAPTER 38 Schedules
38.1 Overview
Use schedules to set up one-time and recurring schedules for policy routes, firewall rules, application patrol, and content filtering. The ZyWALL supports one-time and recurring schedules. One-time schedules are effective only once, while recurring schedules usually repeat. Both types of schedules are based on the current date and time in the ZyWALL.
Note: Schedules are based on the ZyWALL's current date and time.
38.1.
38.2 The Schedule Summary Screen
The Schedule summary screen provides a summary of all schedules in the ZyWALL. To access this screen, click Object > Schedule.
Figure 458 Object > Schedule
The following table describes the labels in this screen. See Section 38.2.1 on page 621 and Section 38.2.2 on page 622 for more information as well.
Table 208 Object > Schedule
One Time
#: This field is a sequential value, and it is not associated with a specific schedule.
38.2.1 The One-Time Schedule Add/Edit Screen
The One-Time Schedule Add/Edit screen allows you to define a one-time schedule or edit an existing one. To access this screen, go to the Schedule screen (see Section 38.2 on page 620), and click either the Add icon or an Edit icon in the One Time section.
Figure 459 Object > Schedule > Edit (One Time)
The following table describes the labels in this screen.
38.2.2 The Recurring Schedule Add/Edit Screen
The Recurring Schedule Add/Edit screen allows you to define a recurring schedule or edit an existing one. To access this screen, go to the Schedule screen (see Section 38.2 on page 620), and click either the Add icon or an Edit icon in the Recurring section.
Figure 460 Object > Schedule > Edit (Recurring)
The Year, Month, and Day columns are not used in recurring schedules and are disabled in this screen.
Table 210 Object > Schedule > Edit (Recurring) (continued)
Week Days: Select each day of the week the recurring schedule is effective.
OK: Click OK to save your changes back to the ZyWALL.
Cancel: Click Cancel to exit this screen without saving your changes.
CHAPTER 39 AAA Server
39.1 Overview
You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The AAA server can be an Active Directory, LDAP, or RADIUS server. Use the AAA Server screens to create and manage objects that contain settings for using individual AAA servers or groups of AAA servers. You use AAA server objects in configuring authentication method objects (see Chapter 40 on page 635).
39.1.
Figure 462 RADIUS Server Network Example
39.1.3 ASAS
ASAS (Authenex Strong Authentication System) is a RADIUS server that works with the One-Time Password (OTP) feature. Purchase a ZyWALL OTP package in order to use this feature. The package contains server software and physical OTP tokens (PIN generators). Do the following to use OTP. See the documentation included on the ASAS' CD for details.
1 Install the ASAS server software on a computer.
RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external or built-in RADIUS server. RADIUS authentication allows you to validate a large number of users from a central location.

Finding Out More

See Section 6.5.3 on page 149 for an example of how to set up user authentication using a RADIUS server.

39.
Bind DN

A bind DN is used to authenticate with an LDAP/AD server. For example, a bind DN of cn=zywallAdmin allows the ZyWALL to log into the LDAP/AD server using the user name of zywallAdmin. The bind DN is used in conjunction with a bind password. When a bind DN is not specified, the ZyWALL will try to log in as an anonymous user. If the bind password is incorrect, the login will fail.

39.2.
Table 211 Object > AAA Server > Active Directory (or LDAP) > Default (continued)

Use SSL: Select Use SSL to establish a secure connection to the AD or LDAP server.
Apply: Click Apply to save the changes.
Reset: Click Reset to start configuring this screen again.

39.3 Active Directory or LDAP Group Summary Screen

You can configure a group of AD or LDAP servers in the Active Directory (or LDAP) > Group screen.
Figure 466 Object > AAA Server > Active Directory (or LDAP) > Group > Add

The following table describes the labels in this screen.

Table 213 Object > AAA Server > Active Directory (or LDAP) > Group > Add

Configuration: All AD or LDAP servers in a group share the same settings in the fields below.
Name: Enter a descriptive name (up to 63 alphanumeric characters) for identification purposes.
Table 213 Object > AAA Server > Active Directory (or LDAP) > Group > Add (continued)

Add icon: Click Add to add a new AD or LDAP server. You can add up to four AD or LDAP member servers. Click Delete to remove an AD or LDAP server.
OK: Click OK to save the changes.
Cancel: Click Cancel to discard the changes.

39.
39.5 Configuring a Group of RADIUS Servers

You can configure a group of RADIUS servers in the RADIUS > Group screen. This is useful if you have more than one authentication server for user authentication in a network. Click Object > AAA Server > RADIUS > Group to display the RADIUS > Group screen.

Figure 468 Object > AAA Server > RADIUS > Group

The following table describes the labels in this screen.
The following table describes the labels in this screen.

Table 216 Object > AAA Server > RADIUS > Group > Add

Configuration: All RADIUS servers in a group share the same settings in the fields below.
Name: Enter a descriptive name (up to 63 alphanumeric characters) for identification purposes.
Key: Enter a password (up to 15 alphanumeric characters) as the key to be shared between the external authentication server and the ZyWALL.
CHAPTER 40 Authentication Method

40.1 Overview

Authentication method objects set how the ZyWALL authenticates HTTP/HTTPS clients, peer IPSec routers (extended authentication), L2TP VPN, and wireless clients. Configure authentication method objects to have the ZyWALL use the local user database, and/or the authentication servers and authentication server groups specified by AAA server objects. By default, user accounts created and stored on the ZyWALL are authenticated locally.

40.1.
Chapter 40 Authentication Method

Figure 470 Example: Using Authentication Method in VPN

40.2 Viewing Authentication Method Objects

Click Object > Auth. Method to display the screen as shown.

Note: You can create up to 16 authentication method objects.

Figure 471 Object > Auth. Method

The following table describes the labels in this screen.

Table 217 Object > Auth. Method

#: This field displays the index number.
40.3 Creating an Authentication Method Object

Follow the steps below to create an authentication method object.

1 Click Object > Auth. Method.
2 Click Add.
3 Specify a descriptive name for identification purposes in the Name field. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. For example, “My_Device”.
4 Click Add to insert an authentication method in the table.
The following table describes the labels in this screen.

Table 218 Object > Auth. Method > Add

Name: Specify a descriptive name for identification purposes. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. For example, “My_Device”.
Method List: Select a server object from the drop-down list box.
CHAPTER 41 Certificates

41.1 Overview

The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication.

41.1.1 What You Can Do in the Certificate Screens

• Use the My Certificate screens (see Section 41.2 on page 642 to Section 41.2.
Chapter 41 Certificates

message, no-one can have altered it (because they cannot re-sign the message with Tim’s private key).
5 Additionally, Jenny uses her own private key to sign a message and Tim uses Jenny’s public key to verify the message.

The ZyWALL uses certificates based on public-key cryptology to authenticate users attempting to establish a connection, not to encrypt the data that you send after establishing a connection.
• PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses lowercase letters, uppercase letters and numerals to convert a binary PKCS#7 certificate into a printable form.
• Binary PKCS#12: This is a format for transferring public key and private key certificates. The private key in a PKCS #12 file is within a password-encrypted envelope. The file’s password is not connected to your certificate’s public or private passwords.
Figure 474 Certificate Details

4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection.

41.2 The My Certificates Screen

Click Object > Certificate > My Certificates to open the My Certificates screen.
Table 219 Object > Certificate > My Certificates (continued)

Name: This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name.
Type: This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate.
Figure 476 Object > Certificate > My Certificates > Add

The following table describes the labels in this screen.

Table 220 Object > Certificate > My Certificates > Add

Name: Type a name to identify this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
Subject Information: Use these fields to record information that identifies the owner of the certificate.
Table 220 Object > Certificate > My Certificates > Add (continued)

Organization: Identify the company or group to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
Country: Identify the nation where the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
Table 220 Object > Certificate > My Certificates > Add (continued)

Request Authentication: When you select Create a certification request and enroll for a certificate immediately online, the certification authority may want you to include a reference number and key to identify you when you send a certification request. Fill in both the Reference Number and the Key fields if your certification authority uses the CMP enrollment protocol.
Figure 477 Object > Certificate > My Certificates > Edit

The following table describes the labels in this screen.

Table 221 Object > Certificate > My Certificates > Edit

Name: This field displays the identifying name of this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
Certification Path: This field displays for a certificate, not a certification request.
Table 221 Object > Certificate > My Certificates > Edit (continued)

Type: This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate’s owner signed the certificate (not a certification authority). “X.509” means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.
Table 221 Object > Certificate > My Certificates > Edit (continued)

Export: This button displays for a certification request. Use this button to save a copy of the request without its private key. Click this button and then Save in the File Download screen. The Save As screen opens; browse to the location that you want to use and click Save.
Export Certificate Only: Use this button to save a copy of the certificate without its private key.
The following table describes the labels in this screen.

Table 222 Object > Certificate > My Certificates > Import

File Path: Type in the location of the file you want to upload in this field or click Browse to find it. You cannot import a certificate with the same name as a certificate that is already in the ZyWALL.
Browse: Click Browse to find the certificate file you want to upload.
Table 223 Object > Certificate > Trusted Certificates (continued)

Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired.
(icons): Click the Edit icon to open a screen with an in-depth list of information about the certificate. The ZyWALL keeps all of your certificates unless you specifically delete them.
Figure 480 Object > Certificate > Trusted Certificates > Edit

The following table describes the labels in this screen.

Table 224 Object > Certificate > Trusted Certificates > Edit

Name: This field displays the identifying name of this certificate. You can change the name. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
Table 224 Object > Certificate > Trusted Certificates > Edit (continued)

Refresh: Click Refresh to display the certification path.
Enable X.509v3 CRL Distribution Points and OCSP checking: Select this check box to have the ZyWALL check incoming certificates that are signed by this certificate against a Certificate Revocation List (CRL) or an OCSP server. You also need to configure the OCSP or LDAP server details.
Table 224 Object > Certificate > Trusted Certificates > Edit (continued)

Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
Valid To: This field displays the date that the certificate expires.
Figure 481 Object > Certificate > Trusted Certificates > Import

The following table describes the labels in this screen.

Table 225 Object > Certificate > Trusted Certificates > Import

File Path: Type in the location of the file you want to upload in this field or click Browse to find it. You cannot import a certificate with the same name as a certificate that is already in the ZyWALL.
Browse: Click Browse to find the certificate file you want to upload.
CHAPTER 42 SSL Application

42.1 Overview

You use SSL application objects in SSL VPN. Configure an SSL application object to specify a service and a corresponding IP address of the server on the local network. You can apply one or more SSL application objects in the VPN > SSL VPN screen for a user account/user group.

42.1.1 What You Can Do in the SSL Application Screens

• Use the SSL Application screen (Section 42.2 on page 658) to view the ZyWALL’s configured SSL application objects.
Chapter 42 SSL Application

1 Click Object > SSL Application in the navigation panel.
2 Click the Add button and select Web Application in the Type field.
3 Enter a descriptive name in the Display Name field. For example, “CompanyIntranet”.
4 In the Address field, enter “http://info”.
5 In the Server Type field, select Web Server.
6 Select Web Page Encryption to prevent users from saving the web content.
7 Click Apply to save the settings.
42.2.1 Creating/Editing a Web-based SSL Application Object

A web-based application allows remote users to access an application via standard web browsers. To configure a web-based application, click the Add or Edit button in the SSL Application screen and select Web Application in the Type field to display the configuration screen as shown.

Figure 484 Object > SSL Application > Add/Edit: Web Application

The following table describes the labels in this screen.
Table 227 Object > SSL Application > Add/Edit: Web Application

Entry Point: This field is optional. You only need to configure this field if you need to specify the name of the directory or file on the local server as the home page or home directory on the user screen.
Server Type: Specify the type of service for this SSL application. Select Web Server to allow access to the specified web site hosted on the local network.
Table 228 Object > SSL Application > Add/Edit: Web Application

Shared Path: Specify the IP address, domain name or NetBIOS name (computer name) of the file server and the name of the share to which you want to allow user access. Enter the path in one of the following formats.
PART IX System

System (665)
CHAPTER 43 System

43.1 Overview

Use the system screens to configure general ZyWALL settings.

43.1.1 What You Can Do In The System Screens

• Use the System > Host Name screen (Figure 486 on page 666) to configure a unique name for the ZyWALL in your network.
• Use the System > Date/Time screen (Figure 487 on page 667) to configure the date and time for the ZyWALL.
Chapter 43 System

• Vantage CNM (Centralized Network Management) is a browser-based global management tool that allows an administrator to manage ZyXEL devices. Use the System > Vantage CNM screen (Figure 525 on page 701) to allow your ZyWALL to be managed by the Vantage CNM server.
• Use the System > Language screen (Figure 526 on page 702) to set a language for the ZyWALL’s web configurator screens.

Note: See each section for related background information and term definitions.

43.
Figure 487 System > Date and Time

The following table describes the labels in this screen.

Table 230 System > Date and Time

Current Time and Date
Current Time: This field displays the present time of your ZyWALL.
Current Date: This field displays the present date of your ZyWALL.
Time and Date Setup
Manual: Select this radio button to enter the time and date manually.
Table 230 System > Date and Time (continued)

Synchronize Now: Click this button to have the ZyWALL get the time and date from a time server (see the Time Server Address field). This also saves your changes (except the daylight saving settings).
Time Zone Setup
Time Zone: Choose the time zone of your location. This will set the time difference between your time zone and Greenwich Mean Time (GMT).
The ZyWALL continues to use the following pre-defined list of NTP time servers if you do not specify a time server or it cannot synchronize with the time server you specified.

Table 231 Default Time Servers
0.pool.ntp.org
1.pool.ntp.org
2.pool.ntp.org

When the ZyWALL uses the pre-defined list of NTP time servers, it randomly selects one server and tries to synchronize with it.
43.4 Console Port Speed

This section shows you how to set the console port speed when you connect to the ZyWALL via the console port using a terminal emulation program. See Table 2 on page 55 for default console port settings. Click System > Console Speed to open the Console Speed screen.

Figure 489 System > Console Speed

The following table describes the labels in this screen.
43.5.2 Configuring the DNS Screen

Click System > DNS to change your ZyWALL’s DNS settings. Use the DNS screen to configure the ZyWALL to use a DNS server to resolve domain names for ZyWALL system features like VPN, DDNS and the time server. You can also configure the ZyWALL to accept or discard DNS queries. Use the Network > Interface screens to configure the DNS server information that the ZyWALL sends to the specified DHCP client devices.
Table 233 System > DNS (continued)

Domain Zone: A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. A “*” means all domain zones.
From: This displays whether the DNS server IP address is assigned by the ISP dynamically through a specified interface or configured manually.
DNS Server: This is the IP address of a DNS server.
Table 233 System > DNS (continued)

Action: This displays whether the ZyWALL accepts DNS queries from the computer with the IP address specified above through the specified zone (Accept) or discards them (Deny).
Add icon: Click the Add icon in the heading row to open a screen where you can add a new rule. Refer to Table 237 on page 676 for information on the fields. Click the Edit icon to go to the screen where you can edit the rule.
The following table describes the labels in this screen.

Table 234 System > DNS > Address/PTR Record Edit

FQDN: Type a fully qualified domain name (FQDN) of a server. An FQDN starts with a host name and continues all the way up to the top-level domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain.
The following table describes the labels in this screen.

Table 235 System > DNS > Domain Zone Forwarder Add

Domain Zone: A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. Whenever the ZyWALL needs to resolve a zyxel.com.tw domain name, it can send a query to the recorded name server IP address.
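As an added example (not ZyXEL's code), the following Python splits an FQDN into host and domain zone as Table 234 describes, and picks the forwarder for a name from a constructed list of Table 235-style (domain zone, name server) rules. The catch-all “*” zone and the most-specific-zone-wins precedence are assumptions made here, not behaviour the guide states.

```python
"""Domain zone handling for the ZyWALL DNS screens.

Added example, not ZyXEL code. Assumptions made here: "*" is the catch-all
zone, and when several zones match a name the most specific (longest) zone
wins. The forwarder rules and addresses below are constructed.
"""
from typing import List, Optional, Tuple


def split_fqdn(fqdn: str) -> Tuple[str, str]:
    """Split an FQDN into (host, domain zone).

    'www.zyxel.com.tw' -> ('www', 'zyxel.com.tw'): the domain zone is the
    fully qualified domain name without the host.
    """
    labels = fqdn.strip().rstrip(".").lower().split(".")
    if len(labels) < 2 or any(not label for label in labels):
        raise ValueError(f"not a fully qualified domain name: {fqdn!r}")
    return labels[0], ".".join(labels[1:])


def zone_matches(zone: str, name: str) -> bool:
    """True when `name` lies inside `zone` ('*' matches every name)."""
    if zone == "*":
        return True
    zone = zone.strip().rstrip(".").lower()
    name = name.strip().rstrip(".").lower()
    # A zone contains itself and every name that ends in ".<zone>";
    # "notzyxel.com.tw" must not match zone "zyxel.com.tw".
    return name == zone or name.endswith("." + zone)


def select_forwarder(rules: List[Tuple[str, str]], name: str) -> Optional[str]:
    """Return the name server a query for `name` would be forwarded to.

    Assumption: the most specific matching zone wins and '*' only applies
    when no explicit zone matches. Returns None if no rule matches.
    """
    best_depth = -1
    best_server = None
    for zone, server in rules:
        if not zone_matches(zone, name):
            continue
        depth = 0 if zone == "*" else len(zone.rstrip(".").split("."))
        if depth > best_depth:
            best_depth, best_server = depth, server
    return best_server


# Constructed forwarder table (RFC 5737 documentation addresses).
FORWARDERS = [
    ("*", "192.0.2.53"),                    # everything else: ISP resolver
    ("zyxel.com.tw", "198.51.100.10"),      # the company zone
    ("corp.zyxel.com.tw", "203.0.113.10"),  # a more specific internal zone
]

if __name__ == "__main__":
    for q in ("www.zyxel.com.tw", "mail.corp.zyxel.com.tw", "www.example.org"):
        print(q, "->", split_fqdn(q), select_forwarder(FORWARDERS, q))
```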
Table 236 System > DNS > MX Record Add (continued)

OK: Click OK to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.

43.5.10 Adding a DNS Service Control Rule

Click the Add icon in the Service Control table to add a service control rule.

Figure 494 System > DNS > Service Control Rule Add

The following table describes the labels in this screen.
Figure 495 Secure and Insecure Service Access From the WAN

• See Section 5.6.1 on page 122 for related information on these screens.

Note: To allow the ZyWALL to be accessed from a specified computer using a service, make sure you do not have a service control rule or to-ZyWALL firewall rule to block that traffic.

• See To-ZyWALL Rules on page 337 for more on To-ZyWALL firewall rules.
• See Section 6.
43.6.3 HTTPS

You can set the ZyWALL to use HTTP or HTTPS (HTTPS adds security) for web configurator sessions. Specify which zones allow web configurator access and from which IP address the access can come. HTTPS (HyperText Transfer Protocol over Secure Sockets Layer, or HTTP over SSL) is a web protocol that encrypts and decrypts web pages.
43.6.4 Configuring WWW

Click System > WWW to open the WWW screen. Use this screen to specify from which zones you can access the ZyWALL using HTTP or HTTPS. You can also specify which IP addresses the access can come from.

Note: Admin Service Control deals with management access (to the web configurator). User Service Control deals with user access to the ZyWALL (logging into SSL VPN for example).

Figure 497 System > WWW

The following table describes the labels in this screen.
Table 238 System > WWW (continued)

Server Port: The HTTPS server listens on port 443 by default. If you change the HTTPS server port to a different number on the ZyWALL, for example 8443, then you must notify people who need to access the ZyWALL web configurator to use “https://ZyWALL IP Address:8443” as the URL.
Table 238 System > WWW (continued)

#: This is the index number of the service control rule. The entry with a hyphen (-) instead of a number is the ZyWALL’s (non-configurable) default policy. The ZyWALL applies this to traffic that does not match any other configured rule. It is not an editable rule. To apply other behavior, configure a rule that traffic will match so the ZyWALL will not have to use the default policy.
The following table describes the labels in this screen.

Table 239 Edit Service Control Rule

Address Object: Select ALL to allow or deny any computer to communicate with the ZyWALL using this service. Select a predefined address object to just allow or deny the computer with the IP address that you specified to access the ZyWALL using this service.
Zone: Select ALL to allow or prevent any ZyWALL zones from being accessed using this service.
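The rule order, first-match behaviour and non-editable default policy described for the Service Control table (the same table appears on the DNS, WWW, SSH, Telnet, FTP and SNMP screens), as an added Python example that is not the ZyWALL's own implementation. The address objects, zone names, rules and probe address are constructed for the example.

```python
"""Service control rule evaluation for the ZyWALL management services.

Added example, not ZyXEL's implementation. Rules are tried in order, the
first rule whose Zone and Address Object both match decides, and the
default policy (the row shown with "-" instead of a number) applies when
nothing matches. Address objects are constructed here as lists of IP
networks; "ALL" matches any address or any zone.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Rule:
    zone: str      # zone name such as "LAN1" or "WAN", or "ALL"
    address: str   # address object name, or "ALL"
    action: str    # "Accept" or "Deny"


# Constructed address objects: object name -> networks it covers.
ADDRESS_OBJECTS: Dict[str, List[Network]] = {
    "Admin_PC": [ipaddress.ip_network("192.168.1.33/32")],
    "LAN1_SUBNET": [ipaddress.ip_network("192.168.1.0/24")],
}


def address_matches(obj_name: str, src_ip: str) -> bool:
    """True when src_ip falls inside the named address object."""
    if obj_name == "ALL":
        return True
    networks = ADDRESS_OBJECTS.get(obj_name)
    if networks is None:
        raise KeyError(f"unknown address object {obj_name!r}")
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in networks)


def evaluate(rules: List[Rule], default_action: str,
             zone: str, src_ip: str) -> Tuple[str, str]:
    """Return (rule number or '-', action) for a connection to the service.

    The first matching rule wins; '-' marks the default policy.
    """
    for number, rule in enumerate(rules, start=1):
        if rule.zone in ("ALL", zone) and address_matches(rule.address, src_ip):
            return str(number), rule.action
    return "-", default_action


def open_to_any_address(rules: List[Rule], default_action: str,
                        zone: str) -> bool:
    """Report whether the service accepts connections from any address in
    `zone`, i.e. whether an ALL/Accept rule or an accepting default policy
    governs that zone. A constructed probe address that belongs to no
    address object is used, so only ALL rules or the default can match it.
    """
    probe = "203.0.113.77"  # documentation address, in no address object
    _, action = evaluate(rules, default_action, zone, probe)
    return action == "Accept"


# Constructed rule set: the admin PC on LAN1 is allowed, WAN is denied
# outright, everything else falls through to the default policy.
RULES = [
    Rule("LAN1", "Admin_PC", "Accept"),
    Rule("WAN", "ALL", "Deny"),
]
DEFAULT_ACTION = "Accept"

if __name__ == "__main__":
    for zone, ip in (("LAN1", "192.168.1.33"), ("WAN", "203.0.113.5"),
                     ("DMZ", "10.0.0.9")):
        print(zone, ip, evaluate(RULES, DEFAULT_ACTION, zone, ip))
    for zone in ("LAN1", "WAN", "DMZ"):
        print(zone, "open to any address:",
              open_to_any_address(RULES, DEFAULT_ACTION, zone))
```

Checking each zone with open_to_any_address is the quick way to spot a zone that is reachable only because the default policy accepts, which the text above recommends replacing with an explicit rule.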
43.6.6.2 Netscape Navigator Warning Messages

When you attempt to access the ZyWALL HTTPS server, a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate. Click Examine Certificate if you want to verify that the certificate is from the ZyWALL. If Accept this certificate temporarily for this session is selected, then click OK to continue in Netscape.
• For the browser to trust a self-signed certificate, import the self-signed certificate into your operating system as a trusted certificate.
• To have the browser trust the certificates issued by a certificate authority, import the certificate authority’s certificate into your operating system as a trusted certificate. Refer to Appendix D on page 825 for details.

43.6.6.4 Login Screen

After you accept the certificate, the ZyWALL login screen appears.
43.6.6.5.1 Installing the CA’s Certificate

1 Double click the CA’s trusted certificate to produce a screen similar to the one shown next.

Figure 504 CA Certificate Example

2 Click Install Certificate and follow the wizard as shown earlier in this appendix.

43.6.6.5.2 Installing Your Personal Certificate(s)

You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment.
Figure 505 Personal Certificate Import Wizard 1

2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate.

Figure 506 Personal Certificate Import Wizard 2

3 Enter the password given to you by the CA.
Figure 507 Personal Certificate Import Wizard 3

4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.

Figure 508 Personal Certificate Import Wizard 4

5 Click Finish to complete the wizard and begin the import process.
Figure 509 Personal Certificate Import Wizard 5

6 You should see the following screen when the certificate is correctly installed on your computer.

Figure 510 Personal Certificate Import Wizard 6

43.6.6.6 Using a Certificate When Accessing the ZyWALL Example

Use the following procedure to access the ZyWALL via HTTPS.

1 Enter “https://ZyWALL IP Address/” in your browser’s web address field.
Figure 512 SSL Client Authentication

3 You next see the web configurator login screen.

Figure 513 Secure Web Configurator Login Screen

43.7 SSH

You can use SSH (Secure SHell) to securely access the ZyWALL’s command line interface. Specify which zones allow SSH access and from which IP address the access can come. SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network.
Figure 514 SSH Communication Over the WAN Example

43.7.1 How SSH Works

The following figure is an example of how a secure connection is established between two remote hosts using SSH v1.

Figure 515 How SSH v1 Works Example

1 Host Identification: The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server.
43.7.2 SSH Implementation on the ZyWALL

Your ZyWALL supports SSH versions 1 and 2 using RSA authentication and four encryption methods (AES, 3DES, Arcfour and Blowfish). The SSH server is implemented on the ZyWALL for management using port 22 (by default).

43.7.3 Requirements for Using SSH

You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the ZyWALL over SSH.

43.7.
Table 240 System > SSH (continued)

Service Control: This specifies from which computers you can access which ZyWALL zones.
#: This is the index number of the service control rule.
Zone: This is the zone on the ZyWALL the user is allowed or denied to access.
Address: This is the object name of the IP address(es) with which the computer is allowed or denied to access.
43.7.5.2 Example 2: Linux

This section describes how to access the ZyWALL using the OpenSSH client program that comes with most Linux distributions.

1 Test whether the SSH service is available on the ZyWALL. Enter “telnet 192.168.1.1 22” at a terminal prompt and press [ENTER]. The computer attempts to connect to port 22 on the ZyWALL (using the default IP address of 192.168.1.1). A message displays indicating the SSH protocol version supported by the ZyWALL.
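As an added example that is not part of the guide, the following Python reads and interprets the message step 1 refers to: the SSH identification string, whose “protoversion” field (RFC 4253 section 4.2) tells you which protocol generations a server offers, so an administrator can record which devices still answer with version 1. The sample banners are constructed and are not claimed to be the ZyWALL's own; fetch_banner needs network access and is not exercised by the self-check.

```python
"""Reading and interpreting the SSH identification string.

Added example, not ZyXEL code. Per RFC 4253 section 4.2 the first line a
server sends is "SSH-protoversion-softwareversion SP comments": "1.99"
means the server speaks both SSH-1 and SSH-2, "2.0" means SSH-2 only and
"1.x" means SSH-1 only. The sample banners below are constructed.
"""
import re
import socket
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

_BANNER = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>[^\s]+)(?: (?P<comments>.*))?$"
)


@dataclass(frozen=True)
class SshBanner:
    protoversion: str
    software: str
    comments: Optional[str]
    supported: FrozenSet[str]   # subset of {"1", "2"}


def parse_ssh_banner(line: str) -> SshBanner:
    """Parse one identification line (a trailing CR/LF is tolerated)."""
    m = _BANNER.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError(f"not an SSH identification string: {line!r}")
    proto = m.group("proto")
    if proto == "1.99":               # RFC 4253: compatible with 1.x and 2.0
        supported = frozenset({"1", "2"})
    elif proto.startswith("2."):
        supported = frozenset({"2"})
    elif proto.startswith("1."):
        supported = frozenset({"1"})
    else:
        raise ValueError(f"unknown SSH protocol version {proto!r}")
    return SshBanner(proto, m.group("software"), m.group("comments"), supported)


def offers_sshv1(line: str) -> bool:
    """True if the server would still negotiate SSH-1 with an old client."""
    return "1" in parse_ssh_banner(line).supported


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Do what "telnet <host> 22" shows: return the server's first SSH- line.

    RFC 4253 allows a server to send other text lines before the
    identification string, so lines are skipped until one starts with
    "SSH-". Needs network access; the self-check only uses the parser.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("r", encoding="ascii", errors="replace",
                           newline="\n") as stream:
            for raw in stream:
                if raw.startswith("SSH-"):
                    return raw
    raise ConnectionError("server closed the connection without a banner")


# Constructed sample banners for a quick self-check.
SAMPLES: List[str] = [
    "SSH-1.99-OpenSSH_3.9p1\r\n",
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n",
    "SSH-1.5-Example-1.0\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        banner = parse_ssh_banner(sample)
        print(banner.protoversion, banner.software, sorted(banner.supported),
              "offers SSH-1:", offers_sshv1(sample))
```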
Figure 520 System > Telnet

The following table describes the labels in this screen.

Table 241 System > Telnet

Enable: Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL CLI using this service.
Server Port: You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
43.9.1 Configuring FTP

To change your ZyWALL’s FTP settings, click the System > FTP tab. The screen appears as shown. Use this screen to specify from which zones FTP can be used to access the ZyWALL. You can also specify from which IP addresses the access can come.

Figure 521 System > FTP

The following table describes the labels in this screen.
Table 242 System > FTP (continued)

Add icon: Click the Add icon in the heading row to open a screen where you can add a new rule. Refer to Table 239 on page 682 for information on the fields. Click the Edit icon to go to the screen where you can edit the rule. Click the Add icon in an entry to add a rule below the current entry. Click the Delete icon to remove an existing rule. A window displays asking you to confirm that you want to delete the rule.
An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices.
43.10.3 Configuring SNMP

To change your ZyWALL’s SNMP settings, click the System > SNMP tab. The screen appears as shown. Use this screen to configure your SNMP settings, including from which zones SNMP can be used to access the ZyWALL. You can also specify from which IP addresses the access can come.

Figure 523 System > SNMP

The following table describes the labels in this screen.
Table 244 System > SNMP (continued)

Add icon: Click the Add icon in the heading row to open a screen where you can add a new rule. Refer to Table 239 on page 682 for information on the fields. Click the Edit icon to go to the screen where you can edit the rule. Click the Add icon in an entry to add a rule below the current entry. Click the Delete icon to remove an existing rule. A window displays asking you to confirm that you want to delete the rule.
Figure 524 System > Dial-in Mgmt

The following table describes the labels in this screen.

Table 245 System > Dial-in Mgmt

Dial-in Server Properties: Click Advanced to display more configuration fields and edit the details of your dial-in management setup. Click Basic to display fewer fields.
Enable: Select this check box to turn on dial-in management.
Description: Enter some information about this connection.
Figure 525 System > Vantage CNM

The following table describes the labels in this screen.

Table 246 System > Vantage CNM

Vantage CNM: Click Advanced to display more configuration fields or click Basic to display fewer fields.
Enable: Select this check box to allow Vantage CNM to manage your ZyWALL.
Server IP Address/FQDN: Enter the IP address or fully qualified domain name of the Vantage server.
Table 246 System > Vantage CNM (continued)

Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

43.13 Language Screen

Click System > Language to open the following screen. Use this screen to select a display language for the ZyWALL’s web configurator screens.

Figure 526 System > Language

The following table describes the labels in this screen.
PART X Maintenance, Troubleshooting, & Specifications

File Manager (705)
Logs (715)
Reports (727)
Diagnostics (741)
Reboot (743)
Troubleshooting (745)
Product Specifications (749)
CHAPTER 44 File Manager

44.1 Overview

Configuration files define the ZyWALL’s settings. Shell scripts are files of commands that you can store on the ZyWALL and run when you need them. You can apply a configuration file or run a shell script without the ZyWALL restarting. You can store multiple configuration files and shell script files on the ZyWALL. You can edit configuration files or shell scripts in a text editor and upload them to the ZyWALL. Configuration files use a .
Chapter 44 File Manager These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below.
Figure 527 Configuration File / Shell Script: Example
    # enter configuration mode
    configure terminal
    # change administrator password
    username admin password 4321 user-type admin
    # configure dmz
    interface dmz
    ip address 172.23.37.240 255.255.255.0
    ip gateway 172.23.37.
Chapter 44 File Manager Note: “exit” or “!” must follow sub commands to make the ZyWALL exit sub command mode.
Line 3 in the following example exits sub command mode.
    interface dmz
    ip address 192.168.5.1
    !
Lines 1 and 3 in the following example are comments and line 4 exits sub command mode.
    !
    interface dmz
    # this is a note about the interface
    !
Lines 1 and 2 are comments. Line 5 exits sub command mode.
    ! this is from Joe
    # on 2008/02/26
    interface dmz
    ip address 192.168.5.
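As an added example (not from the User's Guide or from ZyXEL), the following Python linter applies the comment, sub command mode and exit rules above to a configuration file or shell script before it is uploaded, and redacts the password argument of a line like the one in Figure 527 so that a backup copy can be stored or shared without the administrator password in it. SUBMODE_KEYWORDS and SENSITIVE_TOKENS are assumptions: the guide only shows "interface" entering sub command mode and "password" carrying a credential, so they are not the device's full lists.

```python
"""Lint a ZyWALL configuration file / shell script before uploading it.

Added example, not ZyXEL code. It applies the syntax rules the guide states:
  * a line starting with "#" is a comment;
  * a line starting with "!" is a comment, except inside sub command mode,
    where "!" (like "exit") ends sub command mode;
  * commands such as "interface dmz" enter sub command mode.
"""
from dataclasses import dataclass, field

# Assumption: first keywords of commands that open sub command mode. The guide
# only shows "interface"; the device's real list is longer.
SUBMODE_KEYWORDS = ("interface",)
# Assumption: tokens whose following argument is a credential (cf. Figure 527's
# "username admin password 4321 user-type admin").
SENSITIVE_TOKENS = ("password",)


@dataclass
class LintResult:
    kinds: list = field(default_factory=list)            # one entry per line
    warnings: list = field(default_factory=list)         # human-readable findings
    sensitive_lines: list = field(default_factory=list)  # 1-based line numbers


def lint_script(text: str) -> LintResult:
    """Classify every line and report sub command blocks that are not closed."""
    result = LintResult()
    in_submode = False
    opened_at = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            result.kinds.append("blank")
            continue
        if line.startswith("#"):
            result.kinds.append("comment")
            continue
        if line.startswith("!"):
            # "!" is a comment at top level; inside sub command mode it exits.
            if in_submode:
                result.kinds.append("exit")
                in_submode = False
            else:
                result.kinds.append("comment")
            continue
        if line == "exit":
            if not in_submode:
                result.warnings.append(f"line {lineno}: 'exit' outside sub command mode")
            result.kinds.append("exit")
            in_submode = False
            continue
        tokens = line.split()
        # A credential token followed by an argument marks a line to redact.
        if any(tok in SENSITIVE_TOKENS for tok in tokens[:-1]):
            result.sensitive_lines.append(lineno)
        if tokens[0] in SUBMODE_KEYWORDS:
            if in_submode:
                result.warnings.append(
                    f"line {lineno}: '{line}' opens sub command mode while the block "
                    f"from line {opened_at} is still open (missing 'exit' or '!')")
            in_submode = True
            opened_at = lineno
            result.kinds.append("submode-enter")
        else:
            result.kinds.append("subcommand" if in_submode else "command")
    if in_submode:
        result.warnings.append(
            f"line {opened_at}: sub command block not closed before end of file")
    return result


def redact_passwords(text: str) -> str:
    """Replace the argument after each sensitive token; comment lines stay intact."""
    out = []
    for raw in text.splitlines():
        if raw.lstrip().startswith(("#", "!")):
            out.append(raw)
            continue
        tokens = raw.split()
        for i in range(len(tokens) - 1):
            if tokens[i] in SENSITIVE_TOKENS:
                tokens[i + 1] = "********"
        out.append(" ".join(tokens) if tokens else raw)
    return "\n".join(out)


# Constructed sample combining Figure 527 with the sub command examples above.
SAMPLE = """# enter configuration mode
configure terminal
# change administrator password
username admin password 4321 user-type admin
! this is from Joe
# on 2008/02/26
interface dmz
ip address 192.168.5.1 255.255.255.0
!
"""

if __name__ == "__main__":
    res = lint_script(SAMPLE)
    for w in res.warnings:
        print("WARNING", w)
    print("lines to redact before sharing:", res.sensitive_lines)
    print(redact_passwords(SAMPLE))
```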
Chapter 44 File Manager Once your ZyWALL is configured and functioning properly, it is highly recommended that you back up your configuration file before making further configuration changes. The backup configuration file will be useful in case you need to return to your previous settings. Configuration File Flow at Restart • If there is not a startup-config.
Chapter 44 File Manager The following table describes the labels in this screen. Table 249 Maintenance > File Manager > Configuration File LABEL DESCRIPTION Download Click a configuration file’s row to select it and click Download to save the configuration to your computer. Copy Use this button to save a duplicate of a configuration file on the ZyWALL. Click a configuration file’s row to select it and click Copy to open the Copy File screen.
Chapter 44 File Manager Table 249 Maintenance > File Manager > Configuration File (continued) LABEL DESCRIPTION # This column displays the number for each configuration file entry. The total number of configuration files that you can save depends on the sizes of the configuration files and the available flash storage space. File Name This column displays the label that identifies a configuration file. You cannot delete the following configuration files or change their file names. The system-default.
Chapter 44 File Manager The ZyWALL’s firmware package cannot go through the ZyWALL when you enable the antivirus Destroy compressed files that could not be decompressed option. The ZyWALL classifies the firmware package as not being able to be decompressed and deletes it. You can upload the firmware package to the ZyWALL with the option enabled, so you only need to clear the Destroy compressed files that could not be decompressed option while you download the firmware package. See Section 28.2.
Chapter 44 File Manager Note: The ZyWALL automatically reboots after a successful upload. The ZyWALL automatically restarts, causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop. Figure 533 Network Temporarily Disconnected After five minutes, log in again and check your new firmware version in the HOME screen. If the upload was not successful, the following message appears in the status bar at the bottom of the screen.
Chapter 44 File Manager Each field is described in the following table. Table 251 Maintenance > File Manager > Shell Script LABEL DESCRIPTION Download Click a shell script file’s row to select it and click Download to save the configuration to your computer. Copy Use this button to save a duplicate of a shell script file on the ZyWALL. Click a shell script file’s row to select it and click Copy to open the Copy File screen.
Chapter 44 File Manager Table 251 Maintenance > File Manager > Shell Script (continued) LABEL DESCRIPTION Browse... Click Browse... to find the .zysh file you want to upload. Upload Click Upload to begin the upload process. This process may take up to several minutes.
CHAPTER 45 Logs 45.1 Overview This chapter provides general information about the ZyWALL’s log feature. See Appendix A on page 759 for individual log descriptions. The following table displays the maximum number of system log messages in the ZyWALL.
Chapter 45 Logs Figure 538 Maintenance > Log > View Log Events that generate an alert (as well as a log message) display in red. Regular logs display in black. The following table describes the labels in this screen. Table 253 Maintenance > Log > View Log LABEL DESCRIPTION Show Filter / Hide Filter Click this button to show or hide the filter settings. If the filter settings are hidden, the Display, Email Log Now, Refresh, and Clear Log fields are available.
Chapter 45 Logs Table 253 Maintenance > Log > View Log (continued) LABEL DESCRIPTION Search Click this button to update the log using the current filter settings. Total Logging Entries This is the number of logs recorded in the ZyWALL. entries per page Select the number of log messages you would like to see on one screen. Choices are: 30, 50, and 80. Page x of x This is the number of the page of entries currently displayed and the total number of pages of entries.
Chapter 45 Logs The Log Settings Summary screen provides a summary of all the settings. You can use the Log Settings Edit screen to maintain the detailed settings (such as log categories, e-mail addresses, server names, etc.) for any log. Alternatively, if you want to edit which events are included in each log, you can also use the Active Log Summary screen to edit this information for all logs at the same time. 45.4.1 Log Setting Summary To access this screen, click Maintenance > Log > Log Setting.
Chapter 45 Logs Table 254 Maintenance > Log > Log Setting (continued) LABEL DESCRIPTION Active Log Summary Click this button to open the Active Log Summary Edit screen. Apply Click this button to save your changes (activate and deactivate logs) and make them take effect. 45.4.2 Edit System Log Settings The Log Settings Edit screen controls the detailed settings for each log in the system log (which includes the e-mail profiles). Go to the Log Settings Summary screen (see Section 45.4.
Chapter 45 Logs Figure 540 Maintenance > Log > Log Setting > Edit (System Log) 720 ZyWALL USG 100/200 Series User’s Guide
Chapter 45 Logs The following table describes the labels in this screen. Table 255 Maintenance > Log > Log Setting > Edit (System Log) LABEL DESCRIPTION E-Mail Server 1/2 Active Select this to send log messages and alerts according to the information in this section. You specify what kinds of log messages are included in log information and what kinds of log messages are included in alerts in the Active Log and Alert section. Mail Server Type the name or IP address of the outgoing SMTP server.
Chapter 45 Logs Table 255 Maintenance > Log > Log Setting > Edit (System Log) (continued) LABEL DESCRIPTION Active Select this to activate log consolidation. Log consolidation aggregates multiple log messages that arrive within the specified Log Consolidation Interval. In the View Log tab, the text “[count=x]”, where x is the number of original log messages, is appended at the end of the Message field, when multiple log messages were aggregated.
Chapter 45 Logs Figure 541 Maintenance > Log > Log Setting > Edit (Remote Server)
Chapter 45 Logs The following table describes the labels in this screen. Table 256 Maintenance > Log > Log Setting > Edit (Remote Server) LABEL DESCRIPTION Log Settings for Remote Server 1 Active Select this check box to send log information according to the information in this section. You specify what kinds of messages are included in log information in the Active Log section. Log Format Select the format of the log information. VRPT/Syslog - ZyXEL’s Vantage Report, syslog-compatible format.
Chapter 45 Logs Figure 542 Active Log Summary This screen provides a different view and a different way of indicating which messages are included in each log and each alert. Please see Section 45.4.2 on page 719, where this process is discussed. (The Default category includes debugging messages generated by open source software.) The following table describes the fields in this screen.
Chapter 45 Logs Table 257 Maintenance > Log > Log Setting > Active Log Summary (continued) LABEL DESCRIPTION Selection Select what information you want to log from each Log Category (except All Logs; see below).
CHAPTER 46 Reports 46.1 Overview This chapter provides information about the report screens. Use the Report screens to start or stop data collection and view various statistics about traffic passing through your ZyWALL. Note: Data collection may decrease the ZyWALL’s traffic throughput rate. 46.1.1 What You Can Do in the Report Screens • Use the Traffic Statistics screen (see Section 46.2 on page 727) to start or stop data collection and view statistics. • Use the Session screen (see Section 46.
Chapter 46 Reports Figure 543 Maintenance > Report > Traffic Statistics There is a limit on the number of records shown in the report. Please see Table 259 on page 730 for more information. The following table describes the labels in this screen. Table 258 Maintenance > Report > Traffic Statistics LABEL DESCRIPTION Data Collection Collect Statistics Select this to have the ZyWALL collect data for the report. If the ZyWALL has already been collecting data, the collection period displays to the right.
Chapter 46 Reports Table 258 Maintenance > Report > Traffic Statistics (continued) LABEL DESCRIPTION Flush Data Click this button to discard all of the screen’s statistics and update the report display. These fields are available when the Traffic Type is Host IP Address/User. # This field is the rank of each record. The IP addresses and users are sorted by the amount of traffic. IP Address/User This field displays the IP address or user in this record.
Chapter 46 Reports The following table displays the maximum number of records shown in the report, the byte count limit, and the hit count limit.
Table 259 Maximum Values for Reports
LABEL | DESCRIPTION
Maximum Number of Records | 20
Byte Count Limit | 2^64 bytes; this is just less than 17 million terabytes.
Hit Count Limit | 2^64 hits; this is over 1.8 x 10^19 hits.
46.3 The Session Screen The Session screen displays information about active sessions for debugging or statistical analysis.
Chapter 46 Reports Figure 544 Maintenance > Report > Session The following table describes the labels in this screen. Table 260 Maintenance > Report > Session LABEL DESCRIPTION View Select how you want the information to be displayed.
Chapter 46 Reports Table 260 Maintenance > Report > Session (continued) LABEL DESCRIPTION User This field displays the user in each active session. If you are looking at the sessions by users or all sessions report, click the blue plus sign (+) next to each user to look at detailed session information by protocol. Protocol Service This field displays the protocol used in each active session.
Chapter 46 Reports Table 261 Maintenance > Report > Anti-Virus (continued) LABEL DESCRIPTION Total Viruses Detected This field displays the number of different viruses that the ZyWALL has detected. Infected Files Detected This field displays the number of files in which the ZyWALL has detected a virus. Top Entry By Use this field to have the following (read-only) table display the top anti-virus entries by Virus Name, Source or Destination.
Chapter 46 Reports Figure 548 Maintenance > Report > IDP: Signature Name The following table describes the labels in this screen. Table 262 Maintenance > Report > IDP LABEL DESCRIPTION Collect Statistics Select this check box to have the ZyWALL collect IDP statistics. The collection starting time displays after you click Apply. All of the statistics in this screen are for the time period starting at the time displayed here. The format is year, month, day and hour, minute, second.
Chapter 46 Reports Table 262 Maintenance > Report > IDP (continued) LABEL DESCRIPTION Severity This column displays when you display the entries by Signature Name. It shows the level of threat that the intrusions may pose. See Table 156 on page 492 for more information. Source IP This column displays when you display the entries by Source. It shows the source IP address of the intrusion attempts. Destination IP This column displays when you display the entries by Destination.
Chapter 46 Reports Figure 551 Maintenance > Report > Anti-Spam: Sender IP The following table describes the labels in this screen. Table 263 Maintenance > Report > Anti-Spam LABEL DESCRIPTION Collect Statistics Select this check box to have the ZyWALL collect anti-spam statistics. The collection starting time displays after you click Apply. All of the statistics in this screen are for the time period starting at the time displayed here. The format is year, month, day and hour, minute, second.
Chapter 46 Reports Table 263 Maintenance > Report > Anti-Spam (continued) LABEL DESCRIPTION Mail Sessions Forwarded This is how many e-mail sessions the ZyWALL allowed because they exceeded the maximum number of e-mail sessions that the anti-spam feature can check at a time. You can see the ZyWALL’s threshold of concurrent e-mail sessions in the AntiSpam > Status screen. Use the Anti-Spam > General screen to set whether the ZyWALL forwards or drops sessions that exceed this threshold.
Chapter 46 Reports Figure 552 Maintenance > Report > Email Daily Report The following table describes the labels in this screen. Table 264 Maintenance > Report > Email Daily Report LABEL DESCRIPTION Enable Email Daily Report Select this to send reports by e-mail every day. Mail Server Type the name or IP address of the outgoing SMTP server. Mail Subject Type the subject line for the outgoing e-mail. Select Append system name to add the ZyWALL’s system name to the subject.
Chapter 46 Reports Table 264 Maintenance > Report > Email Daily Report (continued) LABEL DESCRIPTION Password This box is effective when you select the SMTP Authentication check box. Type the password to provide to the SMTP server when the log is e-mailed. Send Report Now Click this button to have the ZyWALL send the daily e-mail report immediately. Time for sending report Select the time of day (hours and minutes) when the log is e-mailed. Use 24-hour notation.
CHAPTER 47 Diagnostics 47.1 The Diagnostics Screen The Diagnostics screen provides an easy way for you to generate a file containing the ZyWALL’s configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting. Click Maintenance > Diagnostics to open the Diagnostics screen. Figure 553 Maintenance > Diagnostics The following table describes the labels in this screen.
CHAPTER 48 Reboot 48.1 Overview Use this to restart the device (for example, if the device begins behaving erratically). See also Section 1.4 on page 55 for information on different ways to start and stop the ZyWALL. 48.1.1 What You Need To Know About Reboot If you applied changes in the Web configurator, these were saved automatically and do not change when you reboot. If you made changes in the CLI, however, you have to use the write command to save the configuration before you reboot.
CHAPTER 49 Troubleshooting This chapter offers some suggestions to solve problems you might encounter. • I cannot set up an IPSec VPN tunnel to another device. If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into both ZyXEL IPSec routers and check the settings in each field methodically and slowly. Make sure both the ZyWALL and remote IPSec router have the same security settings for the VPN tunnel.
Chapter 49 Troubleshooting • If you have the ZyWALL and remote IPSec router use certificates to authenticate each other, make sure they trust each other’s certificates. If the ZyWALL’s certificate is self-signed, import it into the remote IPSec router. If it is signed by a CA, make sure the remote IPSec router trusts that CA. The ZyWALL uses one of its Trusted Certificates to authenticate the remote IPSec router’s certificate.
Chapter 49 Troubleshooting • I changed the LAN IP address and can no longer access the Internet. The ZyWALL automatically updates address objects based on an interface’s IP address, subnet, or gateway if the interface’s IP address settings change. However, you need to manually edit any address objects for your LAN that are not based on the interface. • I cannot access the ZyWALL or ping any computer from the WLAN. 1 Make sure the WLAN device is installed in the ZyWALL.
Chapter 49 Troubleshooting 49.1 Resetting the ZyWALL If you cannot access the ZyWALL by any method, try restarting it by disconnecting and reconnecting the power. If you still cannot access the ZyWALL by any method or you forget the administrator password(s), you can reset the ZyWALL to its factory-default settings. Any configuration files or shell scripts that you saved on the ZyWALL should still be available afterwards. Use the following procedure to reset the ZyWALL to its factory-default settings.
CHAPTER 50 Product Specifications 50.1 General Specifications The following specifications are subject to change without notice. See Chapter 2 on page 57 for a general overview of key features. This table provides basic device specifications.
Table 266 Default Login Information
ATTRIBUTE | SPECIFICATION
Default IP Address (P4) | 192.168.1.1
Default Subnet Mask (P4) | 255.255.255.0 (24 bits)
Default Password | 1234
This table provides hardware specifications.
Chapter 50 Product Specifications Table 267 Hardware Specifications (continued)
FEATURE | SPECIFICATION
Rack-mounting | Rack-mountable (rack-mount kit included)
Wall-mounting | The ZyWALL has wall-mounting holes on the bottom panel. The centers of the holes are located 156 mm apart. It is recommended that you do NOT wall-mount the ZyWALL. A wall-mounting kit is not included.
This table gives details about the ZyWALL’s features.
Chapter 50 Product Specifications Table 268 Feature Specifications (continued)
FEATURE | USG 200 | USG 100
Maximum Local Users | 192 | 128
Maximum Admin Users | 5 | 5
Maximum User Groups | 64 | 32
Maximum Users in One User Group | 192 | 128
Address Objects | 500 | 200
Address Groups | 100 | 50
Service Objects | 500 | 200
Service Groups | 100 | 50
Schedule Objects | 64 | 32
Maximum Number of LDAP Groups | 4 | 2
Maximum Number of LDAP Servers for Each LDAP Group | 2 | 2
Maximum Number of RADIUS Groups | 8 | 8
Maximum Numbe
Chapter 50 Product Specifications Table 268 Feature Specifications (continued)
FEATURE | USG 200 | USG 100
Admin E-mail Addresses | 2 | 2
Syslog Servers | 4 | 4
Maximum Number of IDP Profiles | 8 | 8
Custom Signatures | 64 | 32
Maximum Number of IDP Rules | 32 | 32
Maximum Number of ADP Profiles | 8 | 8
Maximum Number of ADP Rules | 32 | 32
Maximum Block Host Number | 1000 | 1000
Maximum Block Period | 3600 | 3600
Maximum Number of Content Filter Policies | 16 | 16
Maximum Number of Content Filter Profiles | 16
Chapter 50 Product Specifications Table 268 Feature Specifications (continued)
FEATURE | USG 200 | USG 100
SSL VPN
Maximum SSL VPN Connections | 2 without a license, 10 with license | 2 without a license, 5 with license
OTHERS
Maximum Number of Device HA VRRP Groups | 16 | 16
Maximum Number of OSPF Areas | 32 | 32
The following table, which is not exhaustive, lists standards referenced by ZyWALL features.
Chapter 50 Product Specifications Table 269 Standards Referenced by Features (continued)
FEATURE | STANDARDS REFERENCED
IP/IPv4 | RFC 791
TCP | RFC 793
50.2 3G or WLAN PCMCIA Card Installation Only insert a compatible 802.11b/g-compliant wireless LAN PCMCIA or CardBus card or 3G card. Slide the connector end of the card into the slot as shown next. Note: Do not force, bend or twist the wireless LAN card, 3G card or ZyWALL Turbo Card. Figure 555 WLAN Card Installation 50.
Chapter 50 Product Specifications Table 270 North American Plug Standards (continued)
POWER CONSUMPTION | 20 W MAX.
SAFETY STANDARDS | UL, CUL (UL 60950-1 FIRST EDITION, CSA C22.2 NO. 60950-1-03 1ST.)
Table 271 European Plug Standards
AC POWER ADAPTOR MODEL | PSA18R-120P (ZE)-R
INPUT POWER | 100-240VAC, 50/60HZ, 0.5A
OUTPUT POWER | 12VDC, 3.5A
POWER CONSUMPTION | 20 W MAX.
P ART XI Appendices and Index Common Services (815) Displaying Anti-Virus Alert Messages in Windows (819) Open Software Announcements (845) Legal Information (873) Customer Support (877) Index (883) 757
APPENDIX A Log Descriptions This appendix provides descriptions of example log messages. Table 276 Content Filter Logs LOG MESSAGE DESCRIPTION Content filter has been enabled An administrator turned the content filter on. Content filter has been disabled An administrator turned the content filter off. Table 277 Forward Web Site Logs LOG MESSAGE DESCRIPTION %s: Trusted Web site The device allowed access to a web site in a trusted domain.
Appendix A Log Descriptions Table 278 Blocked Web Site Logs (continued) LOG MESSAGE DESCRIPTION %s: Service is unavailable Content filter rating service is temporarily unavailable and access to the web site was blocked due to: 1. Can't resolve rating server IP (No DNS) 2. Invalid service license 4. Rating service is restarting 5. Can’t connect to rating server 6. Query failed 7. Query timeout 8. Too many queries 9.
Appendix A Log Descriptions Table 279 Anti-Spam Logs (continued) LOG MESSAGE DESCRIPTION Anti-Spam policy %d has been inserted. The anti-spam policy with the specified index number (%d) has been added into the list. Anti-Spam policy %d has been appended. The anti-spam policy with the specified index number (%d) has been added to the end of the list. Anti-Spam policy %d has been deleted. The anti-spam policy with the specified index number (%d) has been removed.
Appendix A Log Descriptions Table 279 Anti-Spam Logs (continued) LOG MESSAGE DESCRIPTION DNSBL domain %s has been deleted. The specified DNSBL domain name (%s) has been removed. DNSBL domain %s has been activated. The specified DNSBL domain name (%s) has been turned on. DNSBL domain %s has been deactivated. The specified DNSBL domain name (%s) has been turned off. Match White List: %d. From:%s Subject:%s An e-mail matched the specified white list rule (%d).
Appendix A Log Descriptions Table 280 SSL VPN Logs (continued) LOG MESSAGE DESCRIPTION The %s address-object is wrong type for '1st-dns' in SSL Policy %s. The listed address object (first %s) is not the right kind for the first DNS server specified in the listed SSL VPN policy (second %s). The %s address-object is wrong type for '2nd-dns' in SSL Policy %s. The listed address object (first %s) is not the right kind for the second DNS server specified in the listed SSL VPN policy (second %s).
Appendix A Log Descriptions Table 280 SSL VPN Logs (continued) LOG MESSAGE DESCRIPTION The SSL VPN policy %s does not configure users or user groups. There are no users or user groups configured for the listed SSL VPN policy (%s). SSL VPN policy rule %s has been inserted. The listed SSL VPN policy (%s) has been inserted in the list of SSL VPN policy rules. SSL VPN policy rule %s has been appended. The listed SSL VPN policy (%s) has been added to the end of the list.
Appendix A Log Descriptions Table 280 SSL VPN Logs (continued) LOG MESSAGE DESCRIPTION Failed login attempt to SSLVPN from %s (reach the max. number of simultaneous logon) The listed user (%s) failed to log into SSL VPN because the maximum number of simultaneous logons was already reached. Failed login attempt to SSLVPN from %s (incorrect password or inexistent username) The listed user (%s) failed to log into SSL VPN because of entering an incorrect password or a user name that does not exist.
Appendix A Log Descriptions Table 281 L2TP Over IPSec Logs (continued) LOG MESSAGE DESCRIPTION User %s has been granted an L2TP over IPSec session. A user with the specified user name (%s) was given access to the L2TP over IPSec service. L2TP over IPSec sessions have been all disconnected since configuration of Tunnel %s has been changed L2TP over IPSec may not work because the configuration of the IPSec VPN connection it uses (Crypto Map %s) has been changed.
Appendix A Log Descriptions Table 282 ZySH Logs (continued) LOG MESSAGE DESCRIPTION can't get name for entry %d! 1st:zysh entry index can't get reference count: %s! 1st:zysh list name can't print entry name: %s! 1st:zysh entry name Can't append entry: %s! 1st:zysh entry name Can't set entry: %s! 1st:zysh entry name Can't define entry: %s! 1st:zysh entry name %s: list is full! 1st:zysh list name Can't undefine %s 1st:zysh list name Can't remove %s 1st:zysh list name Table OPS %s: cannot retr
Appendix A Log Descriptions Table 283 ADP Logs LOG MESSAGE DESCRIPTION from to [type=] , Action: , Severity: The ZyWALL detected an anomaly in traffic traveling between the specified zones. The = {scan-detection() | flood-detection() | http-inspection() | tcp-decoder()}. The gives details about the attack, although the message is dropped if the log is more than 128 characters.
Appendix A Log Descriptions Table 284 Anti-Virus Logs (continued) LOG MESSAGE DESCRIPTION Reloading Anti-Virus signature reference table has failed. The ZyWALL failed to reload the anti-virus signatures due to an internal error. %s Virus infected ID:%d,%s,%s. The ZyWALL’s anti-virus feature detected a virus-infected file. 1st %s: The protocol of the infected packet.
Appendix A Log Descriptions Table 284 Anti-Virus Logs (continued) LOG MESSAGE DESCRIPTION AV signature update has failed. An anti-virus signatures update failed for unknown reasons. Anti-Virus signatures missing, refer to your user documentation to recover the default database file. When the ZyWALL started it could not find the anti-virus signature file. See the CLI reference guide for how to restore the default system database. Update signature version has failed.
Appendix A Log Descriptions Table 284 Anti-Virus Logs (continued) LOG MESSAGE DESCRIPTION %s, due to decompress malfunction, %s could not be decompressed. Action on file: %s File decompression failed due to an internal error. 1st %s: The protocol of the packet. 2nd %s: The filename of the related file. 3rd %s: Whether the file was deleted (DESTROY) or forwarded (PASS). Update signature info has failed. Updating of the signature file information failed due to an internal error.
Appendix A Log Descriptions Table 285 User Logs (continued) LOG MESSAGE DESCRIPTION Failed login attempt to ZyWALL from %s (reach the max. number of simultaneous logon) The ZyWALL blocked a login because the maximum simultaneous login capacity for the administrator or access account has already been reached. %s: service name User %s has been denied access from %s The ZyWALL blocked a login according to the access control configuration.
Appendix A Log Descriptions Table 286 myZyXEL.com Logs (continued) LOG MESSAGE DESCRIPTION Standard service activation has failed:%s. Standard service activation failed, this log will append an error message returned by the MyZyXEL.com server. %s: error message returned by the myZyXEL.com server Standard service activation has succeeded. Standard service activation has succeeded. Standard service activation has failed. Because of lack must fields.
Appendix A Log Descriptions Table 286 myZyXEL.com Logs (continued) LOG MESSAGE DESCRIPTION Change Anti-Virus engine type has failed. Because of lack must fields. The device failed to change the type of anti-virus engine because the response from the server is missing required fields. Resolve server IP has failed. Update stop. The update has stopped because the device couldn’t resolve the myZyXEL.com server's FQDN to an IP address through gethostbyname(). Verify server's certificate has failed.
Appendix A Log Descriptions Table 286 myZyXEL.com Logs (continued) LOG MESSAGE DESCRIPTION IDP signature download has failed. The device still cannot download the IDP signature after 3 retries. Anti-Virus signature download has succeeded. The device successfully downloaded an anti-virus signature file. Anti-Virus signature update has succeeded. The device successfully downloaded and applied an anti-virus signature file. Anti-Virus signature download has failed.
Appendix A Log Descriptions Table 286 myZyXEL.com Logs (continued) LOG MESSAGE DESCRIPTION System bootup. Do expiration dailycheck. The device processes a service expiration day check immediately after it starts up. After register. Do expiration dailycheck immediately. The device processes a service expiration day check immediately after device registration. Time is up. Do expiration dailycheck. The device processes a service expiration day check every 24 hrs. Read MyZyXEL.com storage has failed.
Appendix A Log Descriptions Table 286 myZyXEL.com Logs (continued) LOG MESSAGE DESCRIPTION Download file size is wrong. The file size downloaded for AS is not identical with content-length Parse HTTP header has failed. Device can't parse the HTTP header in a response returned by a server. Maybe some HTTP headers are missing. Table 287 IDP Logs LOG MESSAGE DESCRIPTION System internal error. Detect IDP engine status failed. There was an internal system error.
Appendix A Log Descriptions Table 287 IDP Logs (continued) LOG MESSAGE DESCRIPTION Custom signature import error: line , sid , . An attempt to import a custom IDP signature failed. The errored line number in the file, the error sid and error message are displayed. Custom signature replace error: line , sid , . Custom IDP signature replacing failed.
Appendix A Log Descriptions Table 287 IDP Logs (continued) LOG MESSAGE DESCRIPTION IDP system-protect signature update from version to version has succeeded. An update of the IDP system-protect signatures succeeded. The previous and updated signature versions are listed. System-protect error. Create IDP debug directory failed The IDP system-protect function had an error. Creation of the IDP debug directory failed. System internal error. Create IDP statistics entry failed.
Appendix A Log Descriptions Table 287 IDP Logs (continued) LOG MESSAGE DESCRIPTION IDP system-protect signature update failed. Invalid signature content. An IDP system-protect signature update failed. Enable IDP systemprotect succeeded. The IDP system-protect feature was successfully turned on. Disable IDP systemprotect succeeded. The IDP system-protect feature was successfully turned off. Check duplicate sid failed. Allocate memory error. Checking for duplicated signature IDs failed.
Appendix A Log Descriptions Table 288 Application Patrol MESSAGE EXPLANATION Service=%s Mode=%s Rule=%s Access=%s Common packet logging. 1st %s: Protocol Name, 2nd %s: "portless" or "port-base", 3rd %s: Rule Index, 4th %s: "forward", "drop" or "reject". Service=%s Rule=%s Action=%s Access=drop Special packet logging for IM action. 1st %s: Protocol Name, 2nd %s: "port-less" or "port-base", 3rd %s: "login", "message", "audio", "video" or "file-transfer". Initialize App. Patrol has succeeded.
Appendix A Log Descriptions Table 288 Application Patrol (continued) MESSAGE EXPLANATION System fatal error: 60011002. The device failed to get the application patrol protocol list. System fatal error: 60011003. The device failed to initiate XML. System fatal error: 60011004. The device failed to turn application patrol off while the system was initiating.
Table 289 IKE Logs (continued)

LOG MESSAGE: [SA] : Tunnel [%s] Phase 1 authentication method mismatch
DESCRIPTION: %s is the tunnel name. When negotiating Phase-1, the authentication method did not match.

LOG MESSAGE: [SA] : Tunnel [%s] Phase 1 encryption algorithm mismatch
DESCRIPTION: %s is the tunnel name. When negotiating Phase-1, the encryption algorithm did not match.

LOG MESSAGE: [SA] : Tunnel [%s] Phase 1 invalid protocol
DESCRIPTION: %s is the tunnel name.

LOG MESSAGE: Cannot resolve Secure Gateway Addr %s for Tunnel [%s]
DESCRIPTION: 1st %s is my IP address, 2nd %s is the tunnel name. When selecting a matched proposal in Phase-1, the engine could not get the correct secure gateway address.

LOG MESSAGE: Could not dial dynamic tunnel "%s"
DESCRIPTION: %s is the tunnel name. The tunnel is a dynamic tunnel and the device cannot dial it.

LOG MESSAGE: Could not dial
DESCRIPTION: %s is the tunnel name. The tunnel setting is not complete.

LOG MESSAGE: Tunnel [%s] Sending IKE request
DESCRIPTION: %s is the tunnel name. The device sent an IKE request.

LOG MESSAGE: Tunnel [%s] IKE Negotiation is in process
DESCRIPTION: %s is the tunnel name. The IKE request has already been sent and the device is still attempting to dial the tunnel.

LOG MESSAGE: VPN gateway %s was disabled
DESCRIPTION: %s is the gateway name. An administrator disabled the VPN gateway.

LOG MESSAGE: VPN gateway %s was enabled
DESCRIPTION: %s is the gateway name. An administrator enabled the VPN gateway.
Table 290 IPSec Logs

LOG MESSAGE: Corrupt packet, Inbound transform operation fail
DESCRIPTION: The device received corrupt IPsec packets and could not process them.

LOG MESSAGE: Encapsulated packet too big with length
DESCRIPTION: An outgoing packet needed to be transformed but was longer than 65535.

LOG MESSAGE: Get inbound transform fail
DESCRIPTION: When performing inbound processing for incoming IPSEC packets and ICMPs related to them, the engine cannot obtain the transform context.
Table 291 Firewall Logs (continued)

LOG MESSAGE: Firewall rule %d has been moved to %d.
DESCRIPTION: 1st %d is the old global index of the rule, 2nd %d is the new global index of the rule.

LOG MESSAGE: Firewall rule %d has been deleted.
DESCRIPTION: %d is the global index of the rule.

LOG MESSAGE: Firewall rules have been flushed.
DESCRIPTION: Firewall rules were flushed.

LOG MESSAGE: Firewall rule %d was %s.
DESCRIPTION: %d is the global index of the rule, %s is appended/inserted/modified.

LOG MESSAGE: Firewall %s %s rule %d was %s.
Table 293 Policy Route Logs (continued)

LOG MESSAGE: To send message to policy route daemon failed!
DESCRIPTION: Failed to send control message to policy routing manager.

LOG MESSAGE: The policy route %d allocates memory fail!
DESCRIPTION: Allocating policy routing rule fails: insufficient memory. %d: the policy route rule number.

LOG MESSAGE: The policy route %d
DESCRIPTION: Use an empty object group.
Table 294 Built-in Services Logs (continued)

LOG MESSAGE: HTTPS port has been changed to default port.
DESCRIPTION: An administrator changed the port number for HTTPS back to the default (443).

LOG MESSAGE: HTTP port has changed to port %s.
DESCRIPTION: An administrator changed the port number for HTTP. %s is the port number assigned by the user.

LOG MESSAGE: HTTP port has changed to default port.
DESCRIPTION: An administrator changed the port number for HTTP back to the default (80).

LOG MESSAGE: SSH port has been changed to port %s.

LOG MESSAGE: DHCP Server on Interface %s will be reapplied due to Device HA status is Active
DESCRIPTION: When an interface has become the HA master, the DHCP server needs to start operating. %s is the interface name.

LOG MESSAGE: DHCP's DNS option:%s has changed.
DESCRIPTION: The DHCP pool's DNS option is taken from a WAN interface. This log is shown when that interface goes link-down (disconnects) or link-up (connects). %s is the interface name.

LOG MESSAGE: Interface %s ping check is failed. Zone Forwarder removes DNS servers in records.
DESCRIPTION: The ping check failed, so the DNS servers are removed from bind. %s is the interface name.

LOG MESSAGE: Interface %s ping check is disabled. Zone Forwarder adds DNS servers in records.
DESCRIPTION: The ping check is disabled, so the DNS servers are added to bind. %s is the interface name.

LOG MESSAGE: Wizard apply DNS server failed.
DESCRIPTION: The wizard failed to apply the DNS server setting.
Table 295 System Logs (continued)

LOG MESSAGE: %s is dead at %s
DESCRIPTION: A daemon (process) is gone (was killed by the operating system). 1st %s: Daemon Name, 2nd %s: date and time.

LOG MESSAGE: %s process count is incorrect at %s
DESCRIPTION: The count of the listed process is incorrect. 1st %s: Daemon Name, 2nd %s: date and time.

LOG MESSAGE: %s becomes Zombie at %s
DESCRIPTION: A process is present but not functioning.

LOG MESSAGE: DHCP request received via interface %s (%s:%s), src_mac: %s with requested IP: %s
DESCRIPTION: The device received a DHCP request through the specified interface.

LOG MESSAGE: IP confliction is detected. Send back DHCP-NAK.
DESCRIPTION: An IP conflict was detected. The device sends back a DHCP-NAK.

LOG MESSAGE: Clear ARP cache done
DESCRIPTION: The ARP cache was cleared.

LOG MESSAGE: NTP update successful, current time is %s
DESCRIPTION: The device successfully synchronized with an NTP time server. %s is the time format.

LOG MESSAGE: Update the profile %s has failed because of invalid system parameters.
DESCRIPTION: Some system parameters are invalid for updating the FQDN. %s is the profile name.

LOG MESSAGE: Update the profile %s has failed because the FQDN %s was blocked.
DESCRIPTION: The FQDN is blocked by DynDNS. 1st %s is the profile name, 2nd %s is the FQDN of the profile.

LOG MESSAGE: Update the profile %s has failed because too many or too few hosts found.
DESCRIPTION: %s is the profile name.

LOG MESSAGE: Update the profile %s has failed because WAN interface was linkdown.
DESCRIPTION: The DDNS profile cannot be updated with the WAN IP because the WAN interface is link-down. %s is the profile name.

LOG MESSAGE: Update the profile %s has failed because WAN interface was not connected.
DESCRIPTION: The DDNS profile cannot be updated with the WAN IP because the WAN interface is PPP and not connected. %s is the profile name.

LOG MESSAGE: DDNS Initialization has failed.
DESCRIPTION: Initializing DDNS failed.

LOG MESSAGE: All DDNS profiles are deleted
DESCRIPTION: All DDNS profiles have been removed.

LOG MESSAGE: Collect Diagnostic Information has failed - Server did not respond.
DESCRIPTION: There was an error and the diagnostics were not completed.

LOG MESSAGE: Collect Diagnostic Infomation has succeeded.
DESCRIPTION: The diagnostics scripts were executed successfully.
Table 296 Connectivity Check Logs (continued)

LOG MESSAGE: Can't get BROADCAST address of %s interface
DESCRIPTION: The connectivity check process cannot get the broadcast address of the interface. %s: interface name.

LOG MESSAGE: Can't use MULTICAST IP for destination
DESCRIPTION: The connectivity check process cannot use a multicast address to check link status.

LOG MESSAGE: The destination is invalid, because destination IP is broadcast IP
DESCRIPTION: The connectivity check process cannot use a broadcast address to check link status.
Table 297 Device HA Logs (continued)

LOG MESSAGE: Master firmware version can not be recognized. Stop syncing from Master.
DESCRIPTION: Synchronizing stopped because the firmware version file was not found on the Master. A Backup device only synchronizes from the Master if the firmware versions of the Master and the Backup are the same.

LOG MESSAGE: Device HA Sync has failed for %s when syncing %s due to bad Password

LOG MESSAGE: Device HA authentication string of AH for VRRP group %s maybe wrong.
DESCRIPTION: A VRRP group's AH String (IPSec AH) configuration may not match between the Backup and the Master. %s: the name of the VRRP group.

LOG MESSAGE: Retrying to update %s for %s. Retry: %d.
DESCRIPTION: An update failed. The device is retrying the update of the failed object.
Table 298 Routing Protocol Logs (continued)

LOG MESSAGE: Invalid RIP text authentication.
DESCRIPTION: RIP text authentication has been set without setting the authentication key first.

LOG MESSAGE: RIP on interface %s has been activated.
DESCRIPTION: RIP on interface %s has been activated. %s: Interface Name.

LOG MESSAGE: RIP direction on interface %s has been changed to In-Only.
DESCRIPTION: RIP direction on interface %s has been changed to In-Only.

LOG MESSAGE: RIP v2-broadcast on interface %s has been enabled.
DESCRIPTION: RIP v2-broadcast on interface %s has been enabled. %s: Interface Name.

LOG MESSAGE: RIP send-version on interface %s has been changed to %s.
DESCRIPTION: RIP send-version on interface %s has been changed to version 1, version 2, or both 1 and 2. %s: Interface Name.

LOG MESSAGE: RIP receive-version on interface %s has been changed to %s.

LOG MESSAGE: Interface %s does not belong to any OSPF area.
DESCRIPTION: Interface %s has been set to OSPF authentication same-as-area; however, the interface does not belong to any OSPF area. %s: Interface Name.

LOG MESSAGE: Invalid OSPF authentication of area %s on interface %s.
DESCRIPTION: Interface %s has been set to OSPF authentication same-as-area; however, the area has an invalid text authentication configuration.
Table 300 PKI Logs

LOG MESSAGE: Generate X509certifiate "%s" successfully
DESCRIPTION: The router created an X509 format certificate with the specified name.

LOG MESSAGE: Generate X509 certificate "%s" failed, errno %d
DESCRIPTION: The router was not able to create an X509 format certificate with the specified name. See Table 301 on page 805 for details about the error number.

LOG MESSAGE: Generate certificate request "%s" successfully
DESCRIPTION: The router created a certificate request with the specified name.

LOG MESSAGE: Import PKCS#7 certificate "%s" into "My Certificate" successfully
DESCRIPTION: The device imported a PKCS#7 format certificate into My Certificates. %s is the certificate request name.

LOG MESSAGE: Import PKCS#7 certificate "%s" into "Trusted Certificate" successfully
DESCRIPTION: The device imported a PKCS#7 format certificate into Trusted Certificates. %s is the certificate request name.
PKI error codes (CODE: DESCRIPTION)

1: Algorithm mismatch between the certificate and the search constraints.
2: Key usage mismatch between the certificate and the search constraints.
3: Certificate was not valid in the time interval.
4: (Not used)
5: Certificate is not valid.
6: Certificate signature was not verified correctly.
7: Certificate was revoked by a CRL.
8: Certificate was not added to the cache.
9: Certificate decoding failed.
10: Certificate was not found (anywhere).
Table 301 Interface Logs (continued)

LOG MESSAGE: AUX Interface disconnecting failed. This AUX interface is not enabled.
DESCRIPTION: The AUX interface is not enabled and a user tried to use the disconnect aux command.

LOG MESSAGE: Please type phone number of interface AUX first then dial again.
DESCRIPTION: A user tried to dial the AUX interface, but the AUX interface does not have a phone number set.

LOG MESSAGE: Please type phone number of Interface AUX first then disconnect again.

LOG MESSAGE: Interface %s links down. Default route will not apply until interface %s links up.
DESCRIPTION: An administrator set a static gateway on an interface, but this interface is link-down. The configuration is saved, but the route will not take effect until the link comes up. 1st %s: interface name, 2nd %s: interface name.

LOG MESSAGE: name=%s,status=%s,TxPkts=%u,RxPkts=%u,Colli.=%u,TxB/s=%u,RxB/s=%u,UpTime=%s
DESCRIPTION: Port statistics log.

LOG MESSAGE: Interface %s connect failed: Connect timeout.
DESCRIPTION: A PPPoE connection timed out due to a lack of response from the PPPoE server. %s: PPP interface name.

LOG MESSAGE: Interface %s create failed because has no member.
DESCRIPTION: A bridge interface has no member. %s: bridge interface name.

LOG MESSAGE: Interface cellular Application Error Code %d
DESCRIPTION: The listed error code (%d) was generated due to an internal cellular interface error.

LOG MESSAGE: Incorrect PIN code of interface cellular%d. Please check the PIN code setting.
DESCRIPTION: The listed cellular interface (%d) has the wrong PIN code configured.

LOG MESSAGE: Unable to query the signal quality from the device in %s. Please try to remove then insert the device.
DESCRIPTION: The ZyWALL could not check the signal strength for the listed cellular interface (%d).
Table 302 WLAN Logs (continued)

LOG MESSAGE: Create interface %s has failed. Wlan device does not exist.
DESCRIPTION: The wireless device failed to create the specified WLAN interface (%s). Remove the wireless device and reinstall it.

LOG MESSAGE: System internal error. No 802.1X or WPA enabled!
DESCRIPTION: IEEE 802.1x or WPA is not enabled.

LOG MESSAGE: System internal error. Error configuring WPA state!
DESCRIPTION: The ZyWALL was not able to configure the wireless device to use WPA.
Table 303 Account Logs

LOG MESSAGE: Account %s %s has been deleted.
DESCRIPTION: A user deleted an ISP account profile. 1st %s: profile type, 2nd %s: profile name.

LOG MESSAGE: Account %s %s has been changed.
DESCRIPTION: A user changed an ISP account profile's options. 1st %s: profile type, 2nd %s: profile name.

LOG MESSAGE: Account %s %s has been added.
DESCRIPTION: A user added a new ISP account profile. 1st %s: profile type, 2nd %s: profile name.
Table 306 File Manager Logs

LOG MESSAGE: ERROR:#%s, %s
DESCRIPTION: Applying the configuration failed. The log records the CLI command and the error message. 1st %s is the CLI command, 2nd %s is the error message returned when applying the CLI command.

LOG MESSAGE: WARNING:#%s, %s
DESCRIPTION: Applying the configuration produced a warning. The log records the CLI command and the warning message. 1st %s is the CLI command, 2nd %s is the warning message returned when applying the CLI command.
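The log tables above give message templates with %s, %d and %u placeholders but no guidance on consuming them. The following is an added example, not ZyXEL code, that turns a handful of those templates (copied verbatim from the tables) into anchored regular expressions, extracts the placeholder values, and flags the events a defender would want to review: management-port changes, firewall rule deletions and flushes, VPN gateways being disabled, and daemons dying. The category labels and the sample message bodies are constructed for the example; the templates themselves are the guide's.

```python
import re

# Templates copied from the log description tables above. The category on the
# right is this example's own triage label, not anything the device emits.
RULES = [
    ("HTTP port has changed to port %s.", "mgmt-port-change"),
    ("SSH port has been changed to port %s.", "mgmt-port-change"),
    ("HTTPS port has been changed to default port.", "mgmt-port-change"),
    ("Firewall rule %d has been deleted.", "policy-change"),
    ("Firewall rules have been flushed.", "policy-change"),
    ("Firewall rule %d was %s.", "policy-change"),
    ("VPN gateway %s was disabled", "vpn-change"),
    ("%s is dead at %s", "daemon-failure"),
    ("Update the profile %s has failed because the FQDN %s was blocked.", "ddns-failure"),
    ("DHCP request received via interface %s (%s:%s), src_mac: %s with requested IP: %s", "dhcp"),
]

PLACEHOLDER = re.compile(r"%[sdu]")
CAPTURE = {"%s": r"(.+?)", "%d": r"(-?\d+)", "%u": r"(\d+)"}


def template_to_regex(template):
    """Escape the literal text between placeholders and capture each
    placeholder; anchor both ends so a template cannot match a superstring."""
    parts, pos = [], 0
    for m in PLACEHOLDER.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        parts.append(CAPTURE[m.group()])
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(parts) + "$")


COMPILED = [(template_to_regex(t), t, cat) for t, cat in RULES]

# Categories that change the management plane or policy, or signal a lost daemon.
REVIEW = {"mgmt-port-change", "policy-change", "vpn-change", "daemon-failure"}


def parse_log(message):
    """Match one message body against the known templates. Returns the
    category, the matching template and the captured fields, or None."""
    for rx, template, category in COMPILED:
        m = rx.match(message)
        if m:
            return {"category": category, "template": template,
                    "fields": list(m.groups())}
    return None


def triage(messages):
    """Return (category, fields) for every message in a review category,
    preserving input order."""
    hits = []
    for msg in messages:
        parsed = parse_log(msg)
        if parsed and parsed["category"] in REVIEW:
            hits.append((parsed["category"], parsed["fields"]))
    return hits


# Constructed sample message bodies shaped like the templates; not real device output.
SAMPLE_LOGS = [
    "SSH port has been changed to port 2222.",
    "Firewall rules have been flushed.",
    "Firewall rule 12 was modified.",
    "DHCP request received via interface lan1 (192.168.1.1:67), src_mac: 00:13:49:aa:bb:cc with requested IP: 192.168.1.33",
    "VPN gateway HQ-to-Branch was disabled",
    "zysh is dead at 2008-05-20 10:02:11",
    "Some message the tables do not describe",
]

if __name__ == "__main__":
    for category, fields in triage(SAMPLE_LOGS):
        print(category, fields)
```

Templates are tried in list order, so put more specific templates before generic ones such as "%s is dead at %s"; the anchors keep the generic template from swallowing unrelated text, but an unanchored "%s" can still match anything up to the next literal.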
Appendix A Log Descriptions ZyWALL USG 100/200 Series User’s Guide 813
APPENDIX B Common Services

The following table lists some commonly used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Number Authority) web site.
• Name: This is a short, descriptive name for the service. You can use this one or create a different one, if you like.
• Protocol: This is the type of IP protocol used by the service.

Table 308 Commonly Used Services (continued)

NAME | PROTOCOL | PORT(S) | DESCRIPTION
FTP | TCP | 20, 21 | File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail.
H.323 | TCP | 1720 | NetMeeting uses this protocol.
HTTP | TCP | 80 | Hyper Text Transfer Protocol - a client/server protocol for the world wide web.
HTTPS | TCP | 443 | HTTPS is a secured http session often used in e-commerce.
RTSP | TCP/UDP | 554 | The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet.
SFTP | TCP | 115 | Simple File Transfer Protocol.
SMTP | TCP | 25 | Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another.
SNMP | TCP/UDP | 161 | Simple Network Management Program.
APPENDIX C Displaying Anti-Virus Alert Messages in Windows

With the anti-virus packet scan, when a virus is detected, you can have the ZyWALL display an alert message on Microsoft Windows-based computers. If the log shows that virus files are being detected but your Microsoft Windows-based computer is not displaying an alert message, use one of the following procedures to make sure your computer is set to display the messages.

Windows XP
1 Click Start > Control Panel > Administrative Tools > Services.
Figure 557 Windows XP: Starting the Messenger Service
3 Close the window when you are done.

Windows 2000
1 Click Start > Settings > Control Panel > Administrative Tools > Services.
Figure 558 Windows 2000: Opening the Services Window
2 Select the Messenger service and click Start Service.
Figure 559 Windows 2000: Starting the Messenger Service
3 Close the window when you are done.

Windows 98 SE/Me
For Windows 98 SE/Me, you must open the WinPopup window in order to view real-time alert messages. Click Start > Run and enter “winpopup” in the field provided and click OK. The WinPopup window displays as shown.
Figure 562 Windows 98 SE: Task Bar Properties
3 Double-click Programs and click StartUp.
4 Right-click in the StartUp pane and click New, Shortcut.
Figure 563 Windows 98 SE: StartUp
5 A Create Shortcut window displays. Enter “winpopup” in the Command line field and click Next.
Figure 564 Windows 98 SE: Startup: Create Shortcut
6 Specify a name for the shortcut or accept the default and click Finish.
Figure 565 Windows 98 SE: Startup: Select a Title for the Program
7 A shortcut is created in the StartUp pane. Restart the computer when prompted.
Figure 566 Windows 98 SE: Startup: Shortcut
The WinPopup window displays after the computer finishes the startup process (see Figure 560 on page 821).
APPENDIX D Importing Certificates

This appendix shows examples of importing certificates using Netscape Navigator and Internet Explorer 5. This appendix uses the ZyWALL 70 as an example. Other models should be similar.

Import ZyWALL Certificates into Netscape Navigator
In Netscape Navigator, you can permanently trust the ZyWALL’s server certificate by importing it into your operating system as a trusted certification authority. Select Accept This Certificate Permanently in the following screen to do this.

Figure 568 Login Screen
2 Click Install Certificate to open the Install Certificate wizard.
Figure 569 Certificate General Information before Import
3 Click Next to begin the Install Certificate wizard.
Figure 570 Certificate Import Wizard 1
4 Select where you would like to store the certificate and then click Next.
Figure 571 Certificate Import Wizard 2
5 Click Finish to complete the Import Certificate wizard.
Figure 572 Certificate Import Wizard 3
6 Click Yes to add the ZyWALL certificate to the root store.
Figure 574 Certificate General Information after Import
APPENDIX E Wireless LANs

Wireless LAN Topologies
This section discusses ad-hoc and infrastructure wireless LAN topologies.

Ad-hoc Wireless LAN Configuration
The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an ad-hoc network or Independent Basic Service Set (IBSS).

Figure 576 Basic Service Set

ESS
An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood.

Figure 577 Infrastructure WLAN

Channel
A channel is the radio frequency (or frequencies) used by wireless devices to transmit and receive data. The channels available depend on your geographical area. You may have a choice of channels (for your region), so you should use a channel different from an adjacent AP (access point) to reduce interference. Interference occurs when radio signals from different access points overlap, degrading performance.

Figure 578 RTS/CTS
When station A sends data to the AP, it might not know that station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations. RTS/CTS is designed to prevent collisions due to hidden nodes.

If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set, then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur, as data frames will be fragmented before they reach RTS/CTS size.

Preamble Type
Preamble is used to signal that data is coming to the receiver. Short and long refer to the length of the synchronization field in a packet.
Wireless security methods available on the ZyWALL are data encryption, wireless client authentication, restricting access by device MAC address and hiding the ZyWALL identity. The following figure shows the relative effectiveness of these wireless security methods available on your ZyWALL.

Table 310 Wireless Security Levels
SECURITY LEVEL | SECURITY TYPE
Least Secure | Unique SSID (Default)
| Unique SSID with Hide SSID Enabled
| MAC Address Filtering
| WEP Encryption
| IEEE802.

Determines the network services available to authenticated users once they are connected to the network.
• Accounting
Keeps track of the client’s network activity.
RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless client and the network RADIUS server.

For the EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called a digital ID) can be used to authenticate users; a CA issues certificates and guarantees the identity of each certificate owner.

EAP-MD5 (Message-Digest Algorithm 5)
MD5 authentication is the simplest one-way authentication method. The authentication server sends a challenge to the wireless client.

Dynamic WEP Key Exchange
The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed. If this feature is enabled, it is not necessary to configure a default encryption key in the wireless security configuration screen.

Encryption
WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA2 also uses TKIP when required for compatibility reasons, but offers stronger encryption than TKIP with Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP). TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server.

Wireless Client WPA Supplicants
A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey client. The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero Configuration" wireless client. However, you must run Windows XP to use it.

3 The AP and wireless clients generate a common PMK (Pairwise Master Key). The key itself is not sent over the network, but is derived from the PSK and the SSID.
4 The AP and wireless clients use the TKIP or AES encryption process, the PMK and information exchanged in a handshake to create temporal encryption keys. They use these keys to encrypt data exchanged between them.
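Steps 3 and 4 above describe the WPA-PSK key hierarchy in words. The following added example, not ZyXEL code, carries those two steps through with the standard IEEE 802.11i derivations: the PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt (4096 iterations, 256 bits), and the Pairwise Transient Key is expanded from the PMK plus the two MAC addresses and the two nonces exchanged in the 4-way handshake. The passphrase/SSID pair "password"/"IEEE" is the published 802.11i test vector; the MAC addresses and nonces are constructed for the example. It shows why the passphrase never needs to cross the air, and why the SSID acts as a per-network salt.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Step 3: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    Both sides compute this locally; neither the passphrase nor the PMK is transmitted."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... until nbytes of output are available."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Step 4: PTK from the PMK and the handshake inputs (AP MAC 'aa', station
    MAC 'spa', AP nonce, station nonce). The min/max ordering makes the result
    independent of which side is which. 64 bytes covers TKIP; CCMP uses 48."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def split_ptk(ptk: bytes) -> dict:
    """KCK authenticates the handshake frames, KEK wraps the group key,
    TK is the temporal key that actually encrypts data."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def demo():
    """Run the two steps on the test-vector passphrase and constructed handshake values."""
    pmk = derive_pmk("password", "IEEE")      # IEEE 802.11i Annex H test vector
    aa = bytes.fromhex("001349aabbcc")         # constructed AP MAC address
    spa = bytes.fromhex("00a0c9dd1122")        # constructed station MAC address
    anonce = bytes(range(32))                  # constructed 32-byte nonces
    snonce = bytes(range(32, 64))
    keys = split_ptk(derive_ptk(pmk, aa, spa, anonce, snonce))
    return pmk, keys


if __name__ == "__main__":
    pmk, keys = demo()
    print("PMK:", pmk.hex())
    for name, key in keys.items():
        print(f"{name.upper()}: {key.hex()}")
```

Because the PMK depends only on the passphrase and the SSID, every station on the network shares it, and the per-session secrecy comes entirely from the nonces in step 4; the passphrase's strength is therefore what protects the PMK itself.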
Antenna Overview
An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air. Positioning the antennas properly increases the range and coverage area of a wireless LAN.

Antenna Characteristics
Frequency
An antenna in the frequency of 2.4GHz (IEEE 802.11b and IEEE 802.11g) or 5GHz (IEEE 802.

Positioning Antennas
In general, antennas should be mounted as high as practically possible and free of obstructions. In a point-to-point application, position both antennas at the same height and in a direct line of sight to each other to attain the best performance. For omni-directional antennas mounted on a table, desk, and so on, point the antenna up. For omni-directional antennas mounted on a wall or ceiling, point the antenna down.
APPENDIX F Open Software Announcements Notice Information herein is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, except the express written permission of ZyXEL Communications Corporation. " This Product includes ppp-2.4.
Appendix F Open Software Announcements " This Product includes Netkit Telnet -0.17 software under the Netkit Telnet License Netkit Telnet License Copyright (c) 1989 Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1.Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
Appendix F Open Software Announcements " This Product includes expat-1.95.
Appendix F Open Software Announcements The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. " This Product includes openssl-0.9.8d-ocf software under the OpenSSL License OpenSSL The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses.
Appendix F Open Software Announcements OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com). Original SSLeay License Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) All rights reserved. This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).
Appendix F Open Software Announcements ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.] " This Product includes libevent-1.1a and xinetd-2.3.
Appendix F Open Software Announcements " This Product includes bind-9.2.3 software under the Internet Software Consortium and Nominum License Copyright (C) 1996-2002 Internet Software Consortium. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
Appendix F Open Software Announcements THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Appendix F Open Software Announcements "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).
Appendix F Open Software Announcements (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the
Appendix F Open Software Announcements Version 1.1 Copyright (c) 1999-2003 The Apache Software Foundation. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Appendix F Open Software Announcements 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. [This is the first released version of the Lesser GPL. It also counts as the successor of the GNU Library Public License, version 2, hence the version number 2.1. Preamble The licenses for most software are designed to take away your freedom to share and change it.
Appendix F Open Software Announcements When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library.
Appendix F Open Software Announcements Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does. 1.
4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange.
copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with.
simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library.
16.
To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have.
c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License.
4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5.
10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. Neither the name of the University nor of the Laboratory may be used to endorse or promote products derived from this software without specific prior written permission.
The Public License Version 2.8, 17 August 2003
Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following conditions are met: 1. Redistributions in source form must retain copyright statements and notices, 2.
End-User License Agreement for “ZyWALL USG 100 and ZyWALL USG 200”
WARNING: ZyXEL Communications Corp. IS WILLING TO LICENSE THE ENCLOSED SOFTWARE TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS LICENSE AGREEMENT. PLEASE READ THE TERMS CAREFULLY BEFORE COMPLETING THE INSTALLATION PROCESS AS INSTALLING THE SOFTWARE WILL INDICATE YOUR ASSENT TO THEM. IF YOU DO NOT AGREE TO THESE TERMS, THEN ZyXEL, INC.
You acknowledge that the Software contains proprietary trade secrets of ZyXEL and you hereby agree to maintain the confidentiality of the Software using at least as great a degree of care as you use to maintain the confidentiality of your own most confidential information.
ORDERS, OR OTHER RESTRICTIONS. YOU AGREE TO INDEMNIFY ZyXEL AGAINST ALL CLAIMS, LOSSES, DAMAGES, LIABILITIES, COSTS AND EXPENSES, INCLUDING REASONABLE ATTORNEYS' FEES, TO THE EXTENT SUCH CLAIMS ARISE OUT OF ANY BREACH OF THIS SECTION 8.
9. Audit Rights
ZyXEL SHALL HAVE THE RIGHT, AT ITS OWN EXPENSE, UPON REASONABLE PRIOR NOTICE, TO PERIODICALLY INSPECT AND AUDIT YOUR RECORDS TO ENSURE YOUR COMPLIANCE WITH THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT. 10.
872 ZyWALL USG 100/200 Series User’s Guide
APPENDIX G Legal Information
Copyright
Copyright © 2008 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation.
If this device does cause harmful interference to radio/television reception, which can be determined by turning the device off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
1 Reorient or relocate the receiving antenna.
2 Increase the separation between the equipment and the receiver.
3 Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
ZyXEL Limited Warranty
ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to five years from the date of purchase.
APPENDIX H Customer Support
In the event of problems that cannot be solved by using this manual, you should contact your vendor. If you cannot contact your vendor, then contact a ZyXEL office for the region in which you bought the device. Regional offices are listed below (see also http://www.zyxel.com/web/contact_us.php). Please have the following information ready when you contact an office.
Required Information
• Product model and serial number.
• Warranty Information.
• Address: 1005F, ShengGao International Tower, No.137 XianXia Rd., Shanghai
• Web: http://www.zyxel.cn
Costa Rica
• Support E-mail: soporte@zyxel.co.cr
• Sales E-mail: sales@zyxel.co.cr
• Telephone: +506-2017878
• Fax: +506-2015098
• Web: www.zyxel.co.cr
• Regular Mail: ZyXEL Costa Rica, Plaza Roble Escazú, Etapa El Patio, Tercer Piso, San José, Costa Rica
Czech Republic
• E-mail: info@cz.zyxel.com
• Telephone: +420-241-091-350
• Fax: +420-241-091-359
• Web: www.zyxel.
Germany
• Support E-mail: support@zyxel.de
• Sales E-mail: sales@zyxel.de
• Telephone: +49-2405-6909-69
• Fax: +49-2405-6909-99
• Web: www.zyxel.de
• Regular Mail: ZyXEL Deutschland GmbH., Adenauerstr. 20/A2 D-52146, Wuerselen, Germany
Hungary
• Support E-mail: support@zyxel.hu
• Sales E-mail: info@zyxel.hu
• Telephone: +36-1-3361649
• Fax: +36-1-3259100
• Web: www.zyxel.hu
• Regular Mail: ZyXEL Hungary, 48, Zoldlomb Str.
Malaysia
• Support E-mail: support@zyxel.com.my
• Sales E-mail: sales@zyxel.com.my
• Telephone: +603-8076-9933
• Fax: +603-8076-9833
• Web: http://www.zyxel.com.my
• Regular Mail: ZyXEL Malaysia Sdn Bhd., 1-02 & 1-03, Jalan Kenari 17F, Bandar Puchong Jaya, 47100 Puchong, Selangor Darul Ehsan, Malaysia
North America
• Support E-mail: support@zyxel.com
• Support Telephone: +1-800-978-7222
• Sales E-mail: sales@zyxel.
Singapore
• Support E-mail: support@zyxel.com.sg
• Sales E-mail: sales@zyxel.com.sg
• Telephone: +65-6899-6678
• Fax: +65-6899-8887
• Web: http://www.zyxel.com.sg
• Regular Mail: ZyXEL Singapore Pte Ltd., No. 2 International Business Park, The Strategy #03-28, Singapore 609930
Spain
• Support E-mail: support@zyxel.es
• Sales E-mail: sales@zyxel.es
• Telephone: +34-902-195-420
• Fax: +34-913-005-345
• Web: www.zyxel.
Turkey
• Support E-mail: cso@zyxel.com.tr
• Telephone: +90 212 222 55 22
• Fax: +90-212-220-2526
• Web: http://www.zyxel.com.tr
• Address: Kaptanpasa Mahallesi Piyalepasa Bulvari Ortadogu Plaza N:14/13 K:6 Okmeydani/Sisli Istanbul/Turkey
Ukraine
• Support E-mail: support@ua.zyxel.com
• Sales E-mail: sales@ua.zyxel.com
• Telephone: +380-44-247-69-78
• Fax: +380-44-494-49-32
• Web: www.ua.zyxel.com
• Regular Mail: ZyXEL Ukraine, 13, Pimonenko Str.
Index
Numerics 3DES 374 3G 129 3G see also cellular 226 A AAA server 625 AD 626 and users 594 directory service 625 LDAP 625, 626 LDAP Default 628 LDAP Group 629 LDAP group members 630 local user database 626 object, where used 121 RADIUS 625, 626 RADIUS default 631 RADIUS group 632 RADIUS group members 633 RADIUS. See also RADIUS. access control web category 494 Access Point Name see APN. 229 access point, See AP 233 access users 593, 595 forcing login 595 forcing login.
alerts 717, 721, 724, 725 anti-spam 564 anti-virus 475 IDP 492 ALG 325, 330 and firewall 325, 327 and NAT 326 and policy routes 327, 330 and trunks 330 and virtual servers 327 configuration overview 120 FTP 326 H.323 326, 331 peer-to-peer calls 327 RTP 331 See also VoIP pass through 326 SIP 326 tutorial 159 Anomaly, Detection and Prevention see ADP.
allowing through the firewall 344 vs virtual interfaces 343 AT command strings 699 authentication LDAP/AD 626 authentication algorithms 295, 373, 374 and active protocol 374 and routing protocols 295 MD5 295, 374 SHA1 374 text 295 Authentication Header. See AH. authentication method objects 635 and users 594 create 637 example 635 where used 121 authentication methods and WWW 681 authentication type 224 Authentication, Authorization, Accounting servers. See AAA server.
and FTP 695 and HTTPS 678 and IKE SA 378 and SSH 691 and synchronization (device HA) 589 and VPN gateways 353 and WWW 680 certification path 640, 647, 652 expired 640 factory-default 640 file formats 640 fingerprints 648, 654 importing 643 in the VPN wizard 101 not used for encryption 640 revoked 640 self-signed 640, 645 serial number 648, 653 storage space 642, 650 thumbprint algorithms 641 thumbprints 641 used for authentication 640 verifying fingerprints 641 where used 121 certification requests 6
copyright 873 CPU usage 173, 175 CTS (Clear to Send) 834 current date/time 173, 666 and schedules 619 daylight savings 668 setting manually 669 time server 669 current user list 389 custom signatures 498 applying 508 example 505 verifying 508 custom.rules 501 customer support 877 D data collection 727 Data Encryption Standard. See DES. Data Terminal Ready.
double-encoding 527 DTR 699 Dynamic Domain Name System. See DDNS. Dynamic Host Configuration Protocol. See DHCP. dynamic WEP key exchange 839 DynDNS 303 DynDNS see also DDNS. 303 Dynu see DDNS. 303 E EAP Authentication 837 e-Donkey 493 EGP (Exterior Gateway Protocol) 524 egress bandwidth 210, 230, 252 EICAR 472 e-mail 559 daily statistics report 737 header buffer 560 headers 560 virus 480 e-Mule 493 Encapsulating Security Payload. See ESP.
vs application patrol 335, 337 firmware and restart 710 boot module. See boot module.
custom signature example 505 custom signatures 498 false negatives 489 false positives 489 inline profile 489 license status 173 log options 492 monitor profile 489 packet inspection profiles 490 packet inspection signatures 490 policies 486 policy types 493 prerequisites 118 profiles 483, 485, 487 query view 492, 495 registration status 189, 486 reject sender 493 reject-both 493 reject-receiver 493 service group 494 severity 492 signature categories 493 signature ID 492 signatures 483 signatures and
trunks. See also trunks. types 200 virtual. See also virtual interfaces. VLAN. See also VLAN interfaces. where used 114 WLAN 200 Internet Control Message Protocol. See ICMP. Internet Message Access Protocol. See IMAP. 560 Internet Protocol Security. See IPSec. Internet Protocol. See IP. Intrusion, Detection and Prevention see IDP. 483 intrusions host 509 network 509 IP 498 IP alias. See virtual interfaces. IP decoy portscan 524 IP distributed portscan 524 IP options 500, 504 IP policy routing.
Default_L2TP_VPN_GW example 415 DNS 412 example 415, 418 IPSec configuration 410 policy route 410 policy route example 418 prerequisites 115 remote user configuration 419 session monitor 412 where used 115 WINS 412 LAND attack 526 lastgood.conf 708, 710 Layer 2 Tunneling Protocol Virtual Private Network, See L2TP VPN.
N NAT 285, 309 1 to 1 example 313 address mapping. See policy routes. ALG. See ALG. and address objects 282 and ALG 326 and policy routes 278, 282 and VPN 377 and VPN. See also VPN. port forwarding. See virtual servers. port translation. See virtual servers. port triggering. See also policy routes. port triggering. See also port triggering. traversal 377 trigger port. See also policy routes. NBNS 213, 239, 254, 261, 268, 389 NetBIOS Name Server. See NBNS. NetMeeting. See H.323.
Pairwise Master Key (PMK) 840, 842 payload option 504 payload size 505 PCMCIA card installation 754 Peanut Hull see DDNS. 303 peer-to-peer (P2P) managing 443 peer-to-peer calls 159, 327 Perfect Forward Secrecy (PFS) Diffie-Hellman key group 380 Personal Identification Number code see PIN code 230 physical port packet statistics 180, 181 physical ports and interfaces 110 PIN code 230 ping check 261 Point-to-Point Protocol over Ethernet. See PPPoE. Point-to-Point Tunneling Protocol.
R RADIUS 625, 626, 836 advantages 625 and IKE SA 378 and PPPoE 268 and users 594 message types 837 messages 837 shared secret key 837 user attributes 604 real-time alert message 821 Real-time Transport Protocol. See RTP. reauthentication time 243, 244 reboot 55, 743 vs reset 743 record route 500 registration 185 and content filtering 534, 536 configuration overview 123 prerequisites 123 product 875 subscription services. See subscription services.
and force user authentication policies 603 and policy routes 282, 455, 457, 459, 461 one-time 619 recurring 619 types of 619 where used 121 screen resolution 65 Secure Hash Algorithm. See SHA1. Secure Socket Layer. See SSL. security associations. See VPN.
spam 559 specifications 749 device 749 feature 750 hardware 749 spillover (for load balancing) 272 SQL slammer 509 SSH 689 and address groups 692 and address objects 692 and certificates 691 and zones 692 client requirements 691 encryption methods 691 for secure Telnet 692 how connection is established 690 versions 691 with Linux 693 with Microsoft Windows 692 SSID 233, 235 SSL 385, 389, 678 certificates 396 computer names 389 connection monitor 389 full tunnel mode 389 global setting 390 IP pool 389
SYN flood 526 synchronization 576 and subscription services 576 information synchronized 588 password 581, 585 port number 581, 585 restrictions 589 syntax conventions 5 syslog 718, 724 syslog servers. See logs. system log. See logs. system name 172, 666 system protect updating signatures 194 system reports. See reports. system uptime 172 system-default.
messages 613 port numbers 613 UDP Decoder 520 UDP decoy portscan 524 UDP distributed portscan 524 UDP flood attack 526 UDP portscan 524 UDP portsweep 524 undersize-len attack 528, 529 undersize-offset attack 528 unsolicited commercial e-mail 559 update configuration overview 123 prerequisites 123 updating anti-virus signatures 191 IDP and application patrol signatures 193 signatures 191 system protect signatures 194 upgrading licenses 189 uploading configuration files 710 firmware 710 shell scripts 7
Virtual Private Network. See VPN. virtual router 578 Virtual Router ID number (VRID). 584 Virtual Router Redundancy Protocol. See VRRP.
white list anti-spam 564, 566, 567 whitelist 567 anti-spam 559 Wi-Fi Protected Access 839 Windows Internet Naming Service. See WINS.