Instruction/ maintenance manual of the product 200 Series ZyXEL Communications
www.zyxel.com
ZyWALL USG 100/200 Series Unified Security Gateway
User’s Guide
Version 2.10, 5/2008, Edition 1
DEFAULT LOGIN: LAN1 Port P4, IP Address http://192.
About This User's Guide
Intended Audience
This manual is intended for people who want to configure the ZyWALL using the web configurator.
How To Use This Guide
• Read Chapter 1 on page 53 for an overview of features available on the ZyWALL.

Click the help icon in any screen for help in configuring that screen and supplementary information.
• Supporting Disk: Refer to the included CD for support documents.
• ZyXEL Web Site: Please refer to www.

Document Conventions
Warnings and Notes
These are how warnings and notes are shown in this User’s Guide.

Icons Used in Figures
Figures in this User’s Guide may use the following generic icons.

Safety Warnings
For your safety, be sure to read and follow all warning notices and instructions.
• Do NOT use this product near water, for example, in a wet basement or near a swimming pool.
Contents Overview
Getting Started (51)
Introducing the ZyWALL
Anti-X (467)
Anti-Virus
Table of Contents
About This User's Guide (3)
Document Conventions
3.1 Web Configurator Requirements (65)
3.2 Web Configurator Access
5.2 Zones, Interfaces, and Physical Ports (110)
5.2.1 Interface Types
6.3 How to Set Up a WLAN Interface (131)
6.3.1 How to Set Up User Accounts
7.2.4 The VPN Status Screen (178)
7.2.5 The DHCP Table Screen
10.5.6 Interface Wizard: Summary (Non-WAN) (219)
10.5.7 Interface Wizard: Summary (WAN)
12.4 Policy Routing Technical Reference (285)
Chapter 13 Routing Protocols
17.1.2 What You Need to Know About HTTP Redirect (322)
17.2 The HTTP Redirect Screen
20.4.1 The VPN Concentrator Add/Edit Screen (370)
20.5 The SA Monitor Screen
Chapter 25 L2TP VPN (409)
25.1 Overview
Chapter 28 Anti-Virus (469)
28.1 Overview
Chapter 30 ADP (513)
30.1 Overview
33.2 Before You Begin (561)
33.3 The Anti-Spam General Screen
35.4.1 Force User Authentication Policy Add/Edit Screen (602)
35.4.2 User Aware Login Example
39.3 Active Directory or LDAP Group Summary Screen (629)
39.3.1 Creating an Active Directory or LDAP Group
Chapter 43 System (665)
43.1 Overview
43.12 Vantage CNM (700)
43.12.1 Configuring Vantage CNM
Chapter 48 Reboot (743)
48.1 Overview
List of Figures
Figure 1 ZyWALL USG 200 Front Panel (53)
Figure 2 ZyWALL USG 100 Front Panel
Figure 39 VPN Advanced Wizard: Step 2 (100)
Figure 40 VPN Advanced Wizard: Step 3
Figure 82 Network > Routing > Policy Route (146)
Figure 83 Network > Routing > Policy Route > Add
Figure 125 Creating the Address Object for the wan2 Public IP Address (168)
Figure 126 Creating the Virtual Server
Figure 168 Network > Interface > Ethernet > Edit > Edit static DHCP table (240)
Figure 169 Network > Interface > WLAN > Add (WEP Security)
Figure 211 Multiple Servers Behind NAT Example (309)
Figure 212 Network > Virtual Server
Figure 254 VPN > IPSec VPN > VPN Gateway (363)
Figure 255 VPN > IPSec VPN > VPN Gateway > Edit
Figure 297 VPN > L2TP VPN (411)
Figure 298 VPN > L2TP VPN > Session Monitor
Figure 340 IP Security Policy Properties: IP Filter List (434)
Figure 341 Console: L2TP to ZyWALL Assign
Figure 383 Anti-X > IDP > Profile > Edit > IDP Service Group (495)
Figure 384 Anti-X > IDP > Profile: Query View
Figure 426 Anti-X > Anti-Spam > Black/White List > White List (567)
Figure 427 Anti-X > Anti-Spam > DNSBL
Figure 469 Object > AAA Server > RADIUS > Group > Add (632)
Figure 470 Example: Using Authentication Method in VPN
Figure 512 SSL Client Authentication (689)
Figure 513 Secure Web Configurator Login Screen
Figure 555 WLAN Card Installation (754)
Figure 556 Windows XP: Opening the Services Window
List of Tables
Table 1 Front Panel LEDs (54)
Table 2 Managing the ZyWALL: Console Port
Table 39 Status > Port Statistics > Switch to Graphic View (182)
Table 40 Status > Current Users
Table 82 Network > Interface > Bridge > Add (264)
Table 83 Example: Routing Table Entries for Interfaces
Table 125 Objects (386)
Table 126 VPN > SSL VPN > Access Privilege
Table 168 ADP > Profile > Traffic Anomaly (520)
Table 169 ADP > Profile > Protocol Anomaly
Table 211 Object > AAA Server > Active Directory (or LDAP) > Default (628)
Table 212 Object > AAA Server > Active Directory (or LDAP) > Group
Table 254 Maintenance > Log > Log Setting (718)
Table 255 Maintenance > Log > Log Setting > Edit (System Log)
Table 297 Device HA Logs (797)
Table 298 Routing Protocol Logs
PART I Getting Started
Introducing the ZyWALL (53)
Features and Applications (57)
Web Configurator (65)
Configuration Basics (109)
Tutorials (125)
Status (171)
Registration (185)
Signature U.
CHAPTER 1 Introducing the ZyWALL
This chapter gives an overview of the ZyWALL. It explains the front panel ports, LEDs, introduces the management methods, and lists different ways to start or stop the ZyWALL.

Figure 2 ZyWALL USG 100 Front Panel
The following table describes the LEDs.
1.3 Management Overview
You can use the following ways to manage the ZyWALL.
Web Configurator
The web configurator allows easy ZyWALL setup and management using an Internet browser.

Figure 3 Managing the ZyWALL: Web Configurator
Command-Line Interface (CLI)
The CLI allows you to use text-based commands to configure the ZyWALL. You can access it using remote management (for example, SSH or Telnet) or via the console port.

Note: It is recommended you use the shutdown command before turning off the ZyWALL.
When you apply configuration files or run shell scripts, the ZyWALL does not stop or start the system processes.

CHAPTER 2 Features and Applications
This chapter introduces the main features and applications of the ZyWALL.

Intrusion Detection and Prevention (IDP)
IDP (Intrusion Detection and Protection) can detect malicious or suspicious packets and respond instantaneously. It detects pattern-based attacks in order to protect against network-based intrusions.

Application Patrol
Application patrol (App. Patrol) manages instant messenger (IM), peer-to-peer (P2P) applications like MSN and BitTorrent.

2.2.2 Interface to Interface (To/From ZyWALL)
To: Ethernet -> VLAN -> Encap -> ALG -> DNAT -> Routing -> zFW -> ADP -> RM
From: RM -> Routing -> BWM -> Encap -> VLAN -> Ethernet
2.

Figure 4 Applications: VPN Connectivity
2.3.2 SSL VPN Network Access
You can configure the ZyWALL to provide SSL VPN network access to remote users. There are two SSL VPN network access modes: reverse proxy and full tunnel.

Figure 6 Network Access Mode: Full Tunnel Mode
2.3.3 User-Aware Access Control
Set up security policies that restrict access to sensitive information and shared resources based on the user who is trying to access it.

Figure 8 Applications: Multiple WAN Interfaces
2.3.5 Device HA
Set up an additional ZyWALL as a backup gateway to ensure the default gateway is always available for the network.
CHAPTER 3 Web Configurator
The ZyWALL web configurator allows easy ZyWALL setup and management using an Internet browser.

Figure 10 Login Screen
3 Type the user name (default: “admin”) and password (default: “1234”). If your account is configured to use an ASAS authentication server, use the OTP (One-Time Password) token to generate a number.

Follow the directions in this screen. If you change the default password, the Login screen (Figure 10 on page 66) appears after you click Apply. If you click Ignore, the main screen appears.

The icons provide the following functions.
3.3.2 Navigation Panel
Use the menu items on the navigation panel to open screens to configure ZyWALL features. The following tables describe each menu item.

Interface Status: Use this screen to see information about all of the ZyWALL’s interfaces and their connection status.
Port Role: Use this screen to set the ZyWALL’s flexible ports as LAN1, WLAN, or DMZ.

AppPatrol
General: Use this screen to enable or disable traffic management by application and see registration and signature information.
Common: Use this screen to manage traffic of the most commonly used web, file transfer and e-mail protocols.

User/Group
User: Use this screen to create and manage users.
Group: Use this screen to create and manage groups of users.
Setting: Use this screen to manage default settings for all users, general settings for user sessions, and rules to force user authentication.

3.3.3 Main Window
The main window shows the screen you select in the menu. It is discussed in the rest of this document. Right after you log in, the Status screen is displayed.

Figure 14 Warning Messages
Click Refresh Now to update the screen. Close the popup window when you are done with it. Click Clear Warning Messages to remove the current warning messages from the window.

Click Refresh Now to update the screen. For example, if you just enabled a particular feature, you can look at the commands the web configurator generated to enable it. Close the popup window when you are done with it.
CHAPTER 4 Wizard Setup
4.1 Wizard Setup Overview
The web configurator's setup wizards help you configure initial configuration (Internet) and VPN connection settings. This chapter provides information on configuring the Wizard setup screens in the web configurator.

Figure 16 Wizard Setup Welcome
4.2 Installation Setup, One ISP
The wizard screens vary depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field.

The following table describes the labels in this screen.
4.3 Step 1 Internet Access
Encapsulation: Choose the Ethernet option when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your ISP.

Figure 18 Ethernet Encapsulation: Auto: Finish
You have set up your ZyWALL to access the Internet.
Note: If you have not already done so, you can register your ZyWALL with myZyXEL.

Figure 19 Ethernet Encapsulation: Static
The following table describes the labels in this screen.

Note: Enter the Internet access information exactly as given to you by your ISP.
WAN Interface: This is the number of the interface that will connect with your ISP.
Zone: This is the security zone to which this interface and Internet connection will belong.

4.3.4 PPPoE: Auto IP Address Assignment
If you select Auto as the IP Address Assignment in the previous screen, the following screen displays after you click Next.
Figure 21 PPPoE Encapsulation: Auto
The following table describes the labels in this screen.

Figure 22 PPPoE Encapsulation: Auto: Finish
You have set up your ZyWALL to access the Internet.
Note: If you have not already done so, you can register your ZyWALL with myZyXEL.

Figure 23 PPPoE Encapsulation: Static
The following table describes the labels in this screen.
Table 10 PPPoE Encapsulation: Static
LABEL: DESCRIPTION
ISP Parameters
Encapsulation: This displays the type of Internet connection you are configuring.

4.3.6 Step 2 Internet Access PPPoE
Note: Enter the Internet access information exactly as given to you by your ISP.
4.3.6.1 ISP Parameters
Type the PPPoE Service Name from your service provider.

Figure 24 PPPoE Encapsulation: Static: Finish
You have set up your ZyWALL to access the Internet.
Note: If you have not already done so, you can register your ZyWALL with myZyXEL.

Figure 25 PPTP Encapsulation: Auto
The following table describes the labels in this screen.
Table 11 PPTP Encapsulation: Auto
LABEL: DESCRIPTION
ISP Parameters
Encapsulation: This displays the type of Internet connection you are configuring.

The ZyWALL applies the configuration settings.
Figure 26 PPTP Encapsulation: Auto: Finish
You have set up your ZyWALL to access the Internet.
Note: If you have not already done so, you can register your ZyWALL with myZyXEL.

4.3.8 PPTP: Static IP Address Assignment
If you select Static as the IP Address Assignment, the following screen displays.
Figure 27 PPTP Encapsulation: Static
The following table describes the labels in this screen.

4.3.9 Step 2 Internet Access PPTP
Note: Enter the Internet access information exactly as given to you by your ISP.
4.3.9.1 ISP Parameters
Type the User Name given to you by your ISP.

4.3.9.3 WAN IP Address Assignments
You do not configure this section if you selected Auto as the IP Address Assignment in the previous screen.
WAN Interface: This is the connection type on the interface you are configuring to connect with your ISP.

4.4 Device Registration
Use this screen to register your ZyWALL with myZyXEL.com and activate trial periods of subscription security features if you have not already done so.
Note: You must be connected to the Internet to register.

Figure 30 Registration: Registered Device
4.5 Installation Setup, Two Internet Service Providers
This wizard allows you to con.

Figure 31 Internet Access: Step 1: First WAN Interface
After you configure the First WAN Interface, you can configure the Second WAN Interface.

Figure 33 Internet Access: Finish
Note: You can register your ZyWALL with myZyXEL.com and activate trials of services like IDP.
Use the myZyXEL.com link if you do already have a myZyXEL.

Figure 34 VPN Wizard: Wizard Type
The following table describes the labels in this screen.
4.7 VPN Wizards
A VPN (Virtual Private Network) tunnel is a secure connection to another computer or network.

Figure 35 VPN Express Wizard: Step 2
The following table describes the labels in this screen.
4.8 VPN Express Wizard - Remote Gateway
The Remote Gateway policy identifies the IPSec devices at either end of a VPN tunnel.

Pre-Shared Key: Type the password. Both ends of the VPN tunnel must use the same password. Use 8 to 31 case-sensitive ASCII characters or 16 to 62 hexadecimal (“0-9”, “A-F”) characters.

Figure 37 VPN Express Wizard: Step 4
The following table describes the labels in this screen.
4.8.2 VPN Express Wizard - Summary
This summary of VPN tunnel settings is read-only.
Name: Identifies the VPN gateway.

Local Policy: IP address and subnet mask of the computers on the network behind your ZyWALL that can use the tunnel.
Remote Policy: IP address and subnet mask of the computers on the network behind the peer IPSec device that can use the tunnel.

4.8.4 VPN Advanced Wizard
Click the Advanced radio button as shown in Figure 34 on page 95 to display the following screen.
Figure 39 VPN Advanced Wizard: Step 2
The following table describes the labels in this screen.

4.8.5 VPN Advanced Wizard - Remote Gateway
The Remote Gateway policy identifies the IPSec devices at either end of a VPN tunnel.
Name: Type the name used to identify this VPN connection (and VPN gateway).

The following table describes the labels in this screen.
4.8.6 VPN Advanced Wizard - Phase 1
Phases: IKE (Internet Key Exchange) negotiation has two phases.

Note: Multiple SAs connecting through a secure gateway must have the same negotiation mode.
Negotiation Mode: Select Main for identity protection. Select Aggressive to allow more incoming connections from dynamic IP addresses to use separate passwords.

The following table describes the labels in this screen.
Table 20 VPN Advanced Wizard: Step 4
LABEL: DESCRIPTION
Phase 2 Setting
Active Protocol: Select the security protocols used for an SA.

4.8.7 VPN Advanced Wizard - Phase 2
Active Protocol: ESP is compatible with NAT, AH is not.
Encapsulation: Tunnel is compatible with NAT, Transport is not.
Proposal: 3DES and AES use encryption.

4.8.8 VPN Advanced Wizard - Summary
This summary of VPN tunnel settings is read-only.
Name: Identifies the VPN connection (and the VPN gateway).
Secure Gateway: IP address or domain name of the peer IPSec device.

Figure 43 VPN Wizard: Step 6: Advanced
Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP.
You can click Next and use the following screen to perform a basic registration (see Section 4.
CHAPTER 5 Configuration Basics
This section provides information to help you configure the ZyWALL effectively. Some of it is helpful when you are just getting started. Some of it is provided for your reference when you configure various features in the ZyWALL.

5.2 Zones, Interfaces, and Physical Ports
Zones (groups of interfaces and VPN tunnels) simplify security settings. Here is an overview of zones, interfaces, and physical ports in the ZyWALL.

• Bridge interfaces create a software connection between Ethernet or VLAN interfaces at the layer-2 (data link, MAC address) level. Then, you can configure the IP address and subnet mask of the bridge.

Table 24 ZyWALL USG 100 Default Port, Interface, and Zone Configuration
• The WAN zone contains the wan1 and wan2 interfaces (physical ports P1 and P2). They use public IP addresses to connect to the Internet.

5.4 Feature Configuration Overview
This section provides information about configuring the main features in the ZyWALL. The features are listed in the same sequence as the menu item(s) in the web configurator.

Note: PREREQUISITES or WHERE USED does not appear if there are no prerequisites or references in other features to this one.
For example, no other features reference DDNS entries, so there is no WHERE USED entry.

Example: See Chapter 6 on page 125.
5.4.5 SSL VPN
Use SSL VPN to provide secure network access to remote users.

Example: See Chapter 6 on page 125.
5.4.9 DDNS
Dynamic DNS maps a domain name to a dynamic IP address.

Note: The ZyWALL checks the policy routes in the order that they are listed. So make sure that your custom policy route comes before any other routes that would also match the FTP traffic.

5.4.13 Application Patrol
Use application patrol to control which individuals can use which services through the ZyWALL (and when they can do so). You can also specify allowed amounts of bandwidth and priorities.

5.4.16 ADP
Use ADP to detect and take action on traffic and protocol anomalies.
5.4.17 Content Filter
Use content filtering to block or allow access to specific categories of web site content, individual web sites and web features (such as cookies).

The ZyWALL does not check to-ZyWALL firewall rules for packets that are redirected by virtual server. It does check regular (through-ZyWALL) firewall rules.
Example: Suppose you have an FTP server with a private IP address connected to a DMZ port.

5.5 Objects
Objects store information and are referenced by other features. If you update this information in response to changes, the ZyWALL automatically propagates the change through the features that use the object.

5.6 System Management and Maintenance
This section introduces some of the management and maintenance features in the ZyWALL.
Use Host Name to configure the system and domain name for the ZyWALL.

5.6.3 Licensing Registration
Use these screens to register your ZyWALL and subscribe to services like anti-virus, IDP and application patrol, more SSL VPN tunnels, and content filtering.
ZyWALL USG 100/200 Series User’s Gu ide 125 C HAPTER 6 Tutorials This chapter provides so me examples of using th e web configurator to set up features in the ZyW ALL.
Chapter 6 Tutorials ZyWALL USG 100/200 Series User’s Guide 126 Click Network > Interface > Ethernet and the wan1 interface’ s Edit icon. Configure the IP address, subnet mask, and default ga teway settings as follows and click OK . Figure 47 Network > In terface > Et hernet > Edit wa n1 6.
Figure 48 Network > Interface > Ethernet > Edit opt
2 Set DHCP to DHCP Server and click OK.
Figure 49 Network > Interface > Ethernet > Edit opt > More Settings
6.1.3 How to Configure Port Roles
Here is how to remove port P6 from the ext-wlan interface and add it to the dmz interface.
6.2 How to Configure a Cellular Interface
Use 3G cards for cellular WAN (Internet) connections. You can have up to three simultaneous 3G connections (one 3G device in the ZyWALL’s PCMCIA slot and one connected to each of the ZyWALL’s two USB ports).
Figure 52 Network > Interface > Cellular > Edit
5 Go to the Status screen. The Interface Status Summary section should contain a “cellular” entry. When its connection status is “Connected” you can use the 3G connection to access the Internet.
Figure 53 Status
The ZyWALL automatically balances the traffic load amongst the available WAN connections. This enhances overall network throughput. Plus, if a WAN connection goes down, the ZyWALL sends traffic through the remaining WAN connections.
1 Click Object > User/Group > User and the Add wlan_user Edit icon.
2 Set the User Name to wlan_user.
Figure 55 Network > Interface > WLAN > Add (WPA/WPA2 Security)
3 Turn on the wireless LAN and click Apply.
6.3.3 How to Set Up the Wireless Clients to Use the WLAN Interface
The following sections show you how to have a wireless client (not included with the ZyWALL) use the wireless network.
Figure 58 ZyXEL Wireless Client > Profile
3 Select WPA2 as the security type and click Next.
Figure 59 ZyXEL Wireless Client > Profile: Security Type
4 Set the encryption type to TKIP and the EAP type to TTLS.
Figure 60 ZyXEL Wireless Client > Profile: Security Settings
5 Confirm your settings and click Save.
Figure 63 ZyXEL Wireless Client > Profile: Activate
Since the ZyXEL utility does not have the wireless client validate the ZyWALL’s certificate, you can go to Section 6.3.3.4 on page 143.
Figure 65 Odyssey Access Client Manager > Profiles > User Info
3 Click the Authentication tab and select Validate server certificate.
Figure 66 Odyssey Access Client Manager > Profiles > Authentication
4 Click the TTLS tab and select PAP.
Figure 67 Odyssey Access Client Manager > Profiles > Authentication
5 Click Networks > Add.
Figure 68 Odyssey Access Client Manager > Networks
6 Enter the name of the wireless network (“ZYXEL_WPA” in this example) or click Scan to look for it.
Figure 69 Odyssey Access Client Manager > Networks > Add
Use the next section to import the ZyWALL’s certificate into the wireless client.
2 Click Import.
Figure 71 Internet Explorer: Tools > Internet Options > Content > Certificates
3 Use the wizard screens to import the certificate. You may need to change the Files of Type setting to All Files in order to see the certificate file.
Figure 73 Internet Explorer Certificate Import Wizard Certificate Store Screen
5 If you get a security warning screen, click Yes to proceed.
Figure 75 Internet Explorer: Trusted Root Certification Authorities
As shown here, the My Certificates screen uses a prefix, follow.
Figure 77 Funk Odyssey Access Wireless Client Login Example
6.4 How to Set Up an IPSec VPN
This example shows how to create the VPN tunnel illustrated below.
Figure 78 VPN Example
In this example, the ZyWALL is router X (1.
Figure 79 VPN > IPSec VPN > VPN Gateway > Add
6.4.2 How to Set Up the VPN Connection
The VPN connection manages the IPSec SA. You have to set up the address objects for the local network and remote network before you can set up the VPN connection.
Figure 81 VPN > IPSec VPN > VPN Connection > Add
6.4.3 How to Set Up the Policy Route for the VPN Tunnel
Do the following to create a policy route to have the ZyWALL send traffic through the VPN tunnel.
and destination address objects here. The next-hop is the VPN connection that you created. Click OK.
Figure 83 Network > Routing > Policy Route > Add
3 Now set up the VPN settings on the peer IPSec router and try to establish the VPN tunnel.
6.5 How to Configure User-aware Access Control
You can configure many policies and security settings for specific users or groups of users. This is illustrated in the following example, where you will set up the following policies.
2 Enter the name of the group that is used in Table 31 on page 148. In this example, it is “Finance”. Then, select User/Leo and click the right arrow to move him to the Member list.
Figure 87 Object > Auth. method > Add
4 Click System > WWW. In the Authentication section, select the new authentication method in the Client Authentication Method field. Click Apply.
1 Click AppPatrol. If application patrol and bandwidth management are not enabled, enable them, and click Apply.
Figure 90 AppPatrol > General
2 Click the Common tab and then the Edit icon next to the default http service.
Figure 93 AppPatrol > Common > http > Edit Default
5 Click the Add icon in the policy list. In the new policy, select one of the user groups that is allowed to browse the web and set the corresponding bandwidth restriction in the Inbound and Outbound fields.
Figure 95 Object > Schedule > Add (Recurring)
3 Follow the steps in Section 6.5.4 on page 150 to set up the appropriate policies for MSN in application patrol. Make sure to specify the schedule when you configure the policy for the Sales group’s MSN access.
Figure 97 Firewall > LAN1 to DMZ > Edit
3 Click the Add icon at the top of the rule list to create a rule for one of the user groups that is allowed to access the DMZ.
4 Select one of the user groups that is allowed to access the DMZ, and click OK.
You do not have to change many of the ZyWALL’s settings from the defaults to set up this trunk. You only have to set up the bandwidth on wan1 and wan2 and change the algorithm that WAN_TRUNK uses.
Figure 101 Network > Interface > Trunk > WAN_TRUNK > Edit
6.7 How to Configure Service Control
Service control lets you co.
Figure 102 System > WWW
3 In the Zone field select LAN1 and click OK.
Figure 103 System > WWW > Service Control Rule Edit
4 Click the new rule’s Add icon.
Figure 104 System > WWW (First Example Admin Service Rule Configured)
5 Set the Zone to ALL and set the Action to Deny. Click OK.
Figure 105 System > WWW > Service Control Rule Edit
6 Click Apply.
Figure 106 System > WWW (Second Example Admin Service Rule Configured)
Now administrator access to the web configurator can only come from the LAN1 zone.
6.8.1 How to Turn On the ALG
Click Network > ALG. Select Enable H.323 transformations and click Apply.
Figure 108 Network > ALG
6.8.2 How to Set Up a Virtual Server Policy For H.
Figure 110 Network > Virtual Server > Add
6.8.3 How to Set Up a Firewall Rule For H.323
Here is how to configure a firewall rule to allow H.323 (TCP port 1720) traffic received on the WAN_IP-for-H323 IP address to go to LAN1 IP address 192.
Figure 112 Firewall > Add
4 Configure an address object for the ZyWALL’s 10.0.0.8 WAN IP address as follows and click OK.
Figure 113 Object > Address > Add
5 Configure the screen as follows and click OK.
An Ethernet switch connects both ZyWALLs’ lan1 interfaces to LAN1. Whichever ZyWALL is functioning as the master uses the default gateway IP address of the LAN1 computers (192.168.
2 Configure 192.168.1.3 as the Management IP and 255.255.255.0 as the Subnet Mask. Click OK.
Figure 117 Device HA > Active-Passive Mode > Edit: Master ZyWALL Example
3 Set the Device Role to Master.
Figure 119 Device HA > General: Master ZyWALL Example
6.9.3 How to Configure the Backup ZyWALL
1 Connect a computer to ZyWALL B’s lan1 interface and log into its web configurator.
Figure 121 Device HA > Active-Passive Mode: Backup ZyWALL Example
5 Click the General tab. Turn on device HA and click Apply.
Figure 122 Device HA > General: Master ZyWALL Example
6.
Maintenance > File Manager > Configuration File screen to save copies of the ZyWALLs’ configuration files that you can compare.
2 To test your device HA configuration, disconnect ZyWALL A’s lan1 or wan1 interface.
Figure 125 Creating the Address Object for the wan2 Public IP Address
6.10.2 How to Configure a Virtual Server
You need a virtual server to send HTTP traffic coming to IP address 1.1.
The firewall allows traffic from the WAN zone to the DMZ zone by default so your configuration is done. Now the public can go to IP address 1.1.1.2 to access the HTTP server. If a domain name is registered for IP address 1.
CHAPTER 7 Status
7.1 Overview
Use the Status screens to check status information about the ZyWALL.
7.1.1 What You Can Do in the Status Screens
Use the Status screens for the following.
• Use the main Status screen (see Section 7.
Figure 127 Status
The following table describes the labels in this screen.
Table 32 Status
LABEL | DESCRIPTION
Refresh Interval | Select how often you want the screen to automatically refresh.
Current Date/Time | This field displays the current date and time in the ZyWALL. The format is yyyy-mm-dd hh:mm:ss.
VPN Status | Click this to look at the VPN tunnels that are currently established.
Signature Version | This field displays the version number, date, and time of the current set of signatures the ZyWALL is using.
Last Update Time | This field displays the last time the ZyWALL received updated signatures.
7.2.1 The CPU Usage Screen
Use this screen to look at a chart of the ZyWALL’s recent CPU usage. To access this screen, click CPU Usage in the Status screen.
HA Status | This field displays the status of the interface in the virtual router.
Figure 128 Status > CPU Usage
The following table describes the labels in this screen.
7.2.2 The Memory Usage Screen
Use this screen to look at a chart of the ZyWALL’s recent memory (RAM) usage.
Figure 129 Status > Memory Usage
The following table describes the labels in this screen.
7.2.3 The Session Usage Screen
Use this screen to look at a chart of the ZyWALL’s recent traffic session usage.
Figure 130 Status > Session Usage
The following table describes the labels in this screen.
7.2.4 The VPN Status Screen
Use this screen to look at the VPN tunnels that are currently established.
Figure 131 Status > VPN Status
The following table describes the labels in this screen.
7.2.5 The DHCP Table Screen
Use this screen to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses.
The following table describes the labels in this screen.
7.2.6 The Port Statistics Screen
Use this screen to look at packet statistics for each Gigabit Ethernet port. To access this screen, click Port Statistics in the Status screen.
The following table describes the labels in this screen.
7.2.7 The Port Statistics Graph Screen
Use this screen to look at a line graph of packet statistics for each physical port.
Figure 134 Status > Port Statistics > Switch to Graphic View
The following table describes the labels in this screen.
7.2.8 The Current Users Screen
Use this screen to look at a list of the users currently logged into the ZyWALL.
Figure 135 Status > Current Users
The following table describes the labels in this screen.
7.2.9 The Cellular Status Detail Screen
Use this screen to look at detailed status information for a cellular (3G) card.
Cellular System | This field displays the type of the network to which the ZyWALL is connected. The network type varies depending on the 3G card you inserted and could be UMTS, UMTS/HSDPA, GPRS or EDGE when you insert a GSM 3G card, or 1xRTT, EVDO Rev.
CHAPTER 8 Registration
8.1 Overview
Use the Licensing > Registration screens to register your ZyWALL and manage its service subscriptions.
8.1.1 What You Can Do in the Registration Screens
• Use the Registration screen (see Section 8.
Subscription Services Available on the ZyWALL
You can have the ZyWALL use anti-virus, IDP/AppPatrol (Intrusion Detection and Prevention and application patrol), and content filtering subscription services.
Figure 137 Licensing > Registration
The following table describes the labels in this screen.
Table 42 Licensing > Registration
LABEL | DESCRIPTION
General Setup | If you select existing myZyXEL.
Note: If the ZyWALL is registered already, this screen is read-only and indicates whether trial services are activated (if any). You can still select the unchecked trial service(s) to activate it after registration.
8.3 The Service Screen
Use this screen to display the status of your service registrations and upgrade licenses. To activate or extend a standard service subscription, purchase an iCard and enter the iCard’s PIN number (license key) in this screen.
CHAPTER 9 Signature Update
9.1 Overview
This chapter shows you how to update the ZyWALL’s signature packages.
9.1.1 What You Can Do in the Update Screens
• Use the Licensing > Update > Anti-virus screen (Section 9.
Figure 140 Licensing > Update > Anti-Virus
The following table describes the labels in this screen.
LABEL | DESCRIPTION
Signature Information | The following fields display information on the current signature set that the ZyWALL is using.
9.3 The IDP/AppPatrol Update Screen
Click Licensing > Update > IDP/AppPatrol to display the following screen. The ZyWALL comes with signatures for the IDP and application patrol features.
Figure 142 Downloading IDP Signatures
Figure 143 Successful IDP Signature Download
9.4 The System Protect Update Screen
Click Licensing > Update > System Protect to display the following screen.
Figure 144 Licensing > Update > System Protect
The following table describes the fields in this screen.
Figure 145 Downloading System Protect Signatures
Figure 146 Successful System Protect Signature Download
PART II Network
Interface (199)
Trunks (269)
Policy and Static Routes (277)
Routing Protocols (287)
Zones (299)
DDNS (303)
Virtual Servers (309)
HTTP Redirect (321)
ALG (325)
CHAPTER 10 Interface
10.1 Interface Overview
Use the Interface screens to configure the ZyWALL’s interfaces. You can also create interfaces on top of other interfaces.
• Ports are the physical ports to which you connect cables.
10.1.2 What You Need to Know About Interfaces
Interface Characteristics
Interfaces generally have the following characteristics (although not all characteristics apply to each type of interface).
Trunks and the auxiliary interface have many characteristics that are specific to each type of interface.
* - You cannot set up a PPPoE/PPTP interface, virtual Ethernet interface or virtual VLAN interface if the underlying interface is a member of a bridge.
Figure 147 Network > Interface > Status
Each field is described in the following table.
Status | This field displays the current status of each interface. The possible values depend on what type of interface it is. For Ethernet interfaces: Inactive - The Ethernet interface is disabled.
10.3 The Port Role Screen
To access this screen, click Network > Interface > Port Role. Use the Port Role screen to set the ZyWALL’s flexible ports as part of the lan1, ext-wlan or dmz interfaces.
Each section in this screen is described below.
10.4 The Ethernet Summary Screen
This screen lists every Ethernet interface and virtual interface created on top of Ethernet interfaces.
Figure 149 Network > Interface > Ethernet
Each field is described in the following table.
10.4.1 The Ethernet Edit Screen
Click Network > Interface > Ethernet and then the interface’s Edit icon to display the Ethernet Edit screen.
Note: If you create IP address objects based on an interface’s IP address, subnet, or gateway, the ZyWALL automatically updates every rule or setting that uses the object whenever the interface’s IP address settings change.
Figure 150 Network > Interface > Ethernet > Edit (Opt)
Each field is described in the table below. The OPT interface’s Edit > Configuration screen contains all of the following fields. Not every field is included in other interface edit screens.
Ingress Bandwidth | This is reserved for future use. Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can receive from the network through the interface. Allowed values are 0 - 1048576.
More Settings/Less Settings | Click this button to display a greater or lesser number of configuration fields.
RIP Setting | See Section 13.2 on page 288 for more information about RIP.
Overwrite Default MAC Address | Select this option to have the interface use a different MAC address. Either enter the MAC address in the fields or click Clone by host and enter the IP address of the device or computer whose MAC you are cloning.
10.5 Interface Wizards
You can use the interface wizard (instead of the regular Ethernet Edit screen) to configure a WAN, OPT, or PPP (WAN) interface.
Figure 152 Interface Wizard: OPT Interface First Screen
The following table describes the labels in this screen.
10.5.2 Interface Wizard: WAN Type
This screen appears if you are configuring one of the WAN interfaces or you use the OPT interface for a WAN connection.
Figure 154 Interface Wizard: Non-WAN OPT Interface Setup
The following table describes the labels in this screen.
Figure 155 Interface Wizard: WAN Interface Zone and IP Address Setup
The following table describes the labels in this screen.
10.5.5 Interface Wizard: WAN ISP Connection Settings
Use this screen to configure the ISP and WAN interface settings.
The following table describes the labels in this screen.
Table 56 Interface Wizard: WAN ISP Connection Settings
LABEL | DESCRIPTION
ISP Parameter | This section appears if the interface uses a PPPoE or PPTP Internet connection.
10.5.6 Interface Wizard: Summary (Non-WAN)
Use this screen to review the local interface’s settings.
Figure 157 Interface Wizard: Summary (Non-WAN)
The following table describes the labels in this screen.
Figure 158 Interface Wizard: Summary WAN (PPTP Shown)
The following table describes the labels in this screen.
Table 58 Interface Wizard: Summary WAN
LABEL | DESCRIPTION
Encapsulation | This displays what encapsulation this interface uses to connect to the Internet.
10.6 The PPP Interfaces Screen
Use PPP interfaces (PPPoE/PPTP interfaces) to connect to your ISP so you do not have to install or manage PPPoE or PPTP software on each computer in the network.
10.6.1 PPP Interface Edit Screen
This screen lets you configure new or existing PPPoE/PPTP interfaces. To access this screen, click the Edit icon in the PPP Interface screen. The PPP interface Edit > Configuration screen is shown here as an example.
Figure 161 Network > Interface > PPP > Edit > Configuration
Each field is explained in the following table.
Table 60 Network > Interface > PPP > Edit > Configuration
LABEL | DESCRIPTION
General Settings
Enable Interface | Select this to enable this interface.
Description | Enter a description of this interface. It is not used elsewhere. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
Connectivity
Nailed-Up | Select this if the PPPoE/PPTP connection should always be up.
Ingress Bandwidth | This is reserved for future use. Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can receive from the network through the interface. Allowed values are 0 - 1048576.
10.7 Cellular Configuration Screen (3G)
3G (Third Generation) is a digital, packet-switched wireless technology. Bandwidth usage is optimized as multiple users share the same channel and bandwidth is only allocated to users when they send data.
Note: Install (or connect) a compatible 3G card to use a cellular connection. See Chapter 50 on page 749 for details.
Note: The WAN IP addresses of a ZyWALL with multiple WAN interfaces must be on different subnets.
10.7.1 Cellular Add/Edit Screen
To change your 3G settings, click Network > Interface > Cellular > Add (or Edit). In the pop-up window that displays, select the slot that you want to configure.
The following table describes the labels in this screen.
Table 63 Interface > Cellular > Add
LABEL | DESCRIPTION
Enable Interface | Select this option to turn on this interface.
Interface Properties
Interface Name | This field is read-only.
PIN Code | This field displays with a GSM or HSDPA 3G card. A PIN (Personal Identification Number) code is a key to a 3G card. Without the PIN code, you cannot use the 3G card. Enter the 4-digit PIN code (0000 for example) provided by your ISP.
10.8 Cellular Status Screen
To check your 3G connection status, click Network > Interface > Cellular > Status.
The following table describes the labels in this screen.
Table 64 Interface > Cellular > Status
LABEL | DESCRIPTION
Refresh | Click this button to update the information in the screen.
10.9 WLAN Interface General Screen
The following figure provides an example of a wireless network. The wireless network is in the blue circle. Wireless clients (A and B) connect to an access point (AP) to access other devices (such as the printer) or the Internet.
Figure 166 Network > Interface > WLAN
The following table describes the general wireless LAN labels in this screen.
Table 65 Network > Interface > WLAN
LABEL | DESCRIPTION
WLAN Device Settings
Enable WLAN Device | Select this option to turn on the wireless LAN card.
10.9.1 WLAN Add/Edit Screen
Use the strongest security that every wireless client in the wireless network supports.
• WPA2-PSK and WPA-PSK do not employ user authentication and are known as the personal version of WPA.
• WEP is better than no security, but it is still possible for unauthorized devices to figure out the original information pretty quickly.
Figure 167 Network > Interface > WLAN > Add (No Security)
The following table describes the general wireless LAN labels in this screen.
Table 67 Network > Interface > WLAN > Add (No Security)
LABEL | DESCRIPTION
General Settings
Enable Interface | Select this option to turn on the wireless LAN interface.
Egress Bandwidth | Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network. Allowed values are 0 - 1048576. This setting is used in WAN load balancing and bandwidth management.
Lease time | Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are: infinite - select this if IP addresses never expire.
10.9.2 WLAN Add/Edit Screen: WEP Security
WEP provides a mechanism for encrypting data using encryption keys. Both the ZyWALL and the wireless stations must use the same WEP key to encrypt and decrypt data.
Figure 169 Network > Interface > WLAN > Add (WEP Security)
The following table describes the WEP-related wireless LAN security labels in this screen. See Table 67 on page 238 for information on the 802.
The following table describes the WPA-PSK/WPA2-PSK-related wireless LAN security labels in this screen.
10.9.4 WLAN Add/Edit Screen: WPA/WPA2 Security
With WPA or WPA2 security, each user can have a separate user name and password.
The following table describes the WPA/WPA2-related wireless LAN security labels.
Table 70 Network > Interface > WLAN > Add (WPA/WPA2 Security)
LABEL | DESCRIPTION
Authentication Type | Select what the ZyWALL uses to authenticate the wireless clients.
10.10 WLAN Interface MAC Filter Screen
The MAC filter allows you to give specific wireless clients exclusive access to the ZyWALL (allow association) or block specific devices from accessing the ZyWALL (deny association) based on the devices’ MAC addresses.
If you set the filter to deny access and add the MAC address of a connected device, the ZyWALL drops the device’s connection immediately.
10.12 VLAN Interface Screen
A Virtual Local Area Network (VLAN) divides a physical network into multiple logical networks.
Figure 176 Example: After VLAN
Each VLAN is a separate network with separate IP addresses, subnet masks, and gateways. Each VLAN also has a unique identification number (ID). The ID is a 12-bit value that is stored in the MAC header.
Note: Each VLAN interface is created on top of only one Ethernet interface.
Otherwise, VLAN interfaces are similar to other interfaces in many ways. They have an IP address, subnet mask, and gateway used to make routing decisions.
Chapter 10 Interface ZyWALL USG 100/200 Series User’s Guide 250 10.12.2 Configuring the VLAN Add/Edit Screen This screen lets you configure IP address assi gnment, interface bandwidth parameters, DHCP settings, and ping check for each VLAN inte rface.
Chapter 10 Interface ZyWALL USG 100/200 Series User’s Gu ide 251 Figure 178 Network > Interface > VLAN > Edit Each field is explained in the following table. T able 75 Network > Interface > VLAN > Edit LABEL DESCRIPTION General Settings Enable Interface Select this to ena ble this inte rface.
Chapter 10 Interface ZyWALL USG 100/200 Series User’s Guide 252 Interface Name This field is read-only if you are editing an exi stin g VLAN interface. Enter the number of the VLAN interface. Y ou can use a number from 0~4094. See Chapter 50 on page 749 fo r the total number of VLANs yo u can configure on the ZyW ALL.
Chapter 10 Interface ZyWALL USG 100/200 Series User’s Gu ide 253 Connectivity Check The interface can regul arly ch eck the connection to the gateway you sp ecified to make sure it is still available.
Chapter 10 Interface ZyWALL USG 100/200 Series User’s Guide 254 IP Pool S tart Address Enter the IP add ress from which the Zy W ALL begins allocating IP addresses. If you want to assign a static IP address to a specific computer , click Add St atic DHCP .
Chapter 10 Interface ZyWALL USG 100/200 Series User’s Guide 255 10.13 Bridge Interface Screen A bridge creates a connection between two or more network segments at the layer-2 (MAC address) level.
Chapter 10 Interface ZyWALL USG 100/200 Series User’s Guide 256 Bridge Interface Overview A bridge interface creates a software bridge between the members of the bridge interface. It also becomes the ZyWALL’s interface for the resulting network.
Chapter 10 Interface ZyWALL USG 100/200 Series User’s Guide 257 10.13.2 Configuring the Bridge Add/Edit Screen This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and ping check for each bridge interface.
Chapter 10 Interface ZyWALL USG 100/200 Series User’s Guide 258 Figure 182 Network > Interface > Bridge > Add.
Chapter 10 Interface ZyWALL USG 100/200 Series User’s Guide 259 Each field is described in the table below. Table 80 Network > Interface > Bridge > Add LABEL DESCRIPTION General Settings Enable Interface Select this to enable this interface.
Chapter 10 Interface ZyWALL USG 100/200 Series User’s Guide 260 Interface Parameters Egress Bandwidth Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network. Allowed values are 0 - 1048576.
Chapter 10 Interface ZyWALL USG 100/200 Series User’s Guide 261 10.14 Auxiliary Interface Screen Use the auxiliary interface as a backup WAN interface or a way to access the ZyWALL for remote management.
Chapter 10 Interface ZyWALL USG 100/200 Series User’s Guide 262 Note: You must connect an external modem to use the auxiliary port. The ZyWALL uses the auxiliary interface to dial out in two situations. 1 You click the Connect icon on the ZyWALL Status screen.
Chapter 10 Interface ZyWALL USG 100/200 Series User’s Guide 263 10.15 Virtual Interface Screen Use virtual interfaces to tell the ZyWALL where to route packets. Virtual interfaces can also be used in VPN gateways (see Chapter 20 on page 351) and VRRP groups (see Chapter 34 on page 575).
Chapter 10 Interface ZyWALL USG 100/200 Series User’s Guide 264 Like other interfaces, virtual interfaces have an IP address, subnet mask, and gateway used to make routing decisions. However, you have to manually specify the IP address and subnet mask; virtual interfaces cannot be DHCP clients.
Chapter 10 Interface ZyWALL USG 100/200 Series User’s Guide 265 10.16 Interface Technical Reference Here is more detailed information about interfaces on the ZyWALL. IP Address Assignment Most interfaces have an IP address and a subnet mask. This information is used to create an entry in the routing table.
Chapter 10 Interface ZyWALL USG 100/200 Series User’s Guide 266 In the example above, if the ZyWALL gets a packet with a destination address of 5.5.
Chapter 10 Interface ZyWALL USG 100/200 Series User’s Guide 267 In DHCP, every network has at least one DHCP server. When a computer (a DHCP client) joins the network, it submits a DHCP request.
Chapter 10 Interface ZyWALL USG 100/200 Series User’s Guide 268 WINS WINS (Windows Internet Naming Service) is a Windows implementation of NetBIOS Name Server (NBNS) on Windows. It keeps track of NetBIOS computer names. It stores a mapping table of your network’s computer names and IP addresses.
ZyWALL USG 100/200 Series User’s Guide 269 CHAPTER 11 Trunks 11.1 Overview Use trunks for WAN traffic load balancing to increase overall network throughput and reliability.
Chapter 11 Trunks ZyWALL USG 100/200 Series User’s Guide 270 • If that interface’s connection goes down, the ZyWALL can still send its traffic through another interface. • You can define multiple trunks for the same physical interfaces.
Chapter 11 Trunks ZyWALL USG 100/200 Series User’s Guide 271 Least Load First The least load first algorithm uses the current (or recent) outbound bandwidth utilization of each trunk member interface as the load balancing index(es) when making decisions about to which interface a new session is to be distributed.
Chapter 11 Trunks ZyWALL USG 100/200 Series User’s Guide 272 Figure 189 Weighted Round Robin Algorithm Example Spillover The spillover load balancing algorithm sends network traffic to the fi.
Chapter 11 Trunks ZyWALL USG 100/200 Series User’s Guide 273 Figure 191 Network > Interface > Trunk The following table describes the items in this screen. 11.2.1 The Trunk Edit Screen Click Network > Interface > Trunk and then the Edit icon to open the Trunk Edit screen.
Chapter 11 Trunks ZyWALL USG 100/200 Series User’s Guide 274 Figure 192 Network > Interface > Trunk > Edit Each field is described in the table below. Table 88 Network > Interface > Trunk > Edit LABEL DESCRIPTION Name This is the descriptive name for this trunk.
Chapter 11 Trunks ZyWALL USG 100/200 Series User’s Guide 275 11.3 Trunk Technical Reference Round Robin Load Balancing Algorithm Round Robin scheduling services queues on a rotating basis and is activated only when an interface has more traffic than it can handle.
ZyWALL USG 100/200 Series User’s Guide 277 CHAPTER 12 Policy and Static Routes 12.1 Policy and Static Routes Overview Use policy routes and static routes to override the ZyWALL’s default routing behavior in order to send packets through the appropriate interface or VPN tunnel.
Chapter 12 Policy and Static Routes ZyWALL USG 100/200 Series User’s Guide 278 12.1.1 What You Can Do in the Policy and Static Route Screens • Use the Policy Route screens (see Section 12.2 on page 279) to list and configure policy routes.
Chapter 12 Policy and Static Routes ZyWALL USG 100/200 Series User’s Guide 279 Policy Routes Versus Static Routes • Policy routes are more flexible than static routes. You can select more criteria for the traffic to match and can also use schedules, NAT, and bandwidth management.
Chapter 12 Policy and Static Routes ZyWALL USG 100/200 Series User’s Guide 280 The following table describes the labels in this screen. Table 89 Network > Routing > Policy Route LABEL DESCRIPTION Enable BWM This is a global setting for enabling or disabling bandwidth management on the ZyWALL.
Chapter 12 Policy and Static Routes ZyWALL USG 100/200 Series User’s Guide 281 12.2.1 Policy Route Edit Screen Click Network > Routing to open the Policy Route screen. Then click the Add or Edit icon to open the Policy Route Edit screen. Use this screen to configure or edit a policy route.
Chapter 12 Policy and Static Routes ZyWALL USG 100/200 Series User’s Guide 282 Schedule Select a schedule or select Create Object to configure a new one (see Chapter 38 on page 619 for details). none means the route is active at all times if enabled.
Chapter 12 Policy and Static Routes ZyWALL USG 100/200 Series User’s Guide 283 12.3 IP Static Route Screen Click Network > Routing > Static Route to open the Static Route screen. This screen displays the configured static routes.
Chapter 12 Policy and Static Routes ZyWALL USG 100/200 Series User’s Guide 284 Figure 196 Network > Routing > Static Route The following table describes the labels in this screen. 12.3.1 Static Route Add/Edit Screen Select a static route index number and click Add or Edit.
Chapter 12 Policy and Static Routes ZyWALL USG 100/200 Series User’s Guide 285 12.4 Policy Routing Technical Reference Here is more detailed information about some of the features you can configure in policy routing.
Chapter 12 Policy and Static Routes ZyWALL USG 100/200 Series User’s Guide 286 Incoming service: Game (UDP: 1234) Trigger service: Game-1 (UDP: 5670-5678) 1 Computer A wants to play a multiplayer online game and tries to connect to game server 1 using port 1234.
ZyWALL USG 100/200 Series User’s Guide 287 CHAPTER 13 Routing Protocols 13.1 Routing Protocols Overview Routing protocols give the ZyWALL routing information about the network from other routers. The ZyWALL stores this routing information in the routing table it uses to make routing decisions.
Chapter 13 Routing Protocols ZyWALL USG 100/200 Series User’s Guide 288 13.2 The RIP Screen RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a device to exchange routing information with other routers.
Chapter 13 Routing Protocols ZyWALL USG 100/200 Series User’s Guide 289 13.3 The OSPF Screen OSPF (Open Shortest Path First, RFC 2328) is a link-state protocol designed to distribute routing information within a group of networks, called an Autonomous System (AS).
Chapter 13 Routing Protocols ZyWALL USG 100/200 Series User’s Guide 290 • A normal area is a group of adjacent networks. A normal area has routing information about the OSPF AS, any networks outside the OSPF AS to which it is directly connected, and any networks outside the OSPF AS that provide routing information to any area in the OSPF AS.
Chapter 13 Routing Protocols ZyWALL USG 100/200 Series User’s Guide 291 • An Area Border Router (ABR) connects two or more areas. It is a member of all the areas to which it is connected, and it filters, summarizes, and exchanges routing information between them.
Chapter 13 Routing Protocols ZyWALL USG 100/200 Series User’s Guide 292 Figure 202 OSPF: Virtual Link In this example, area 100 does not have a direct connection to the backbone. As a result, you should set up a virtual link on both ABR in area 10 .
Chapter 13 Routing Protocols ZyWALL USG 100/200 Series User’s Guide 293 The following table describes the labels in this screen. See Section 13.3.2 on page 293 for more information as well. 13.3.2 OSPF Area Add/Edit Screen The OSPF Area Add/Edit screen allows you to create a new area or edit an existing one.
Chapter 13 Routing Protocols ZyWALL USG 100/200 Series User’s Guide 294 Figure 204 Network > Routing > OSPF > Edit The following table describes the labels in this screen. Table 97 Network > Routing > OSPF > Edit LABEL DESCRIPTION Area ID Type the unique, 32-bit identifier for the area in IP address format.
Chapter 13 Routing Protocols ZyWALL USG 100/200 Series User’s Guide 295 13.4 Routing Protocol Technical Reference Here is more detailed information about RIP and OSPF. Authentication Types Authentication is used to guarantee the integrity, but not the confidentiality, of routing updates.
Chapter 13 Routing Protocols ZyWALL USG 100/200 Series User’s Guide 296 • The packet’s message-digest is the same as the one the ZyWALL calculates using the MD5 password. For RIP, authentication is not available in RIP version 1. In RIP version 2, you can only select one authentication type for all interfaces.
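The MD5 check described above, as an added example (not taken from the ZyXEL guide or firmware): a simplified model of keyed-MD5 routing authentication in which the digest covers the update followed by the shared password padded to 16 bytes, modelled on OSPF cryptographic authentication (RFC 2328, Appendix D) without its sequence number or key ID. The text update format, the password and all function names are constructed for illustration; the point is that a receiver installs routes only when its own digest matches, while the update itself still travels in clear text.

```python
import hashlib
import hmac

DIGEST_LEN = 16  # MD5 digest size; the shared key is padded to the same length


def _padded_key(password: bytes) -> bytes:
    """Truncate or zero-pad the shared password to 16 bytes."""
    return password[:DIGEST_LEN].ljust(DIGEST_LEN, b"\x00")


def sign_update(update: bytes, password: bytes) -> bytes:
    """Sender side: append MD5(update + key) to the clear-text update."""
    digest = hashlib.md5(update + _padded_key(password)).digest()
    return update + digest


def verify_update(wire: bytes, password: bytes):
    """Receiver side: recompute the digest and compare in constant time.

    Returns the update bytes when the digest matches, otherwise None.
    """
    if len(wire) < DIGEST_LEN:
        return None
    update, received = wire[:-DIGEST_LEN], wire[-DIGEST_LEN:]
    expected = hashlib.md5(update + _padded_key(password)).digest()
    return update if hmac.compare_digest(received, expected) else None


def accept_routes(table: dict, wire: bytes, password: bytes) -> bool:
    """Install routes from an update only if it authenticates."""
    update = verify_update(wire, password)
    if update is None:
        return False  # drop silently; the routing table is left untouched
    for line in update.decode("ascii").splitlines():
        _, prefix, _, metric = line.split()
        table[prefix] = int(metric)
    return True


# Constructed sample data (not captured traffic).
PASSWORD = b"constructed-key"
SAMPLE_UPDATE = b"route 10.1.0.0/16 metric 2\nroute 10.2.0.0/16 metric 3\n"

if __name__ == "__main__":
    wire = sign_update(SAMPLE_UPDATE, PASSWORD)
    table = {}
    print("genuine update accepted:", accept_routes(table, wire, PASSWORD), table)

    # An on-path change to a metric invalidates the digest.
    tampered = wire.replace(b"metric 2", b"metric 9")
    print("tampered update accepted:", accept_routes(table, tampered, PASSWORD))

    # Integrity is protected, confidentiality is not: routes are readable on the wire.
    print("routes visible in clear text:", SAMPLE_UPDATE in wire)
```
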
ZyWALL USG 100/200 Series User’s Guide 299 CHAPTER 14 Zones 14.1 Zones Overview Set up zones to configure network security and network policies in the ZyWALL. A zone is a group of interfaces and VPN tunnels. The ZyWALL uses zones, not interfaces, in many security and policy settings, such as firewall rules and remote management.
Chapter 14 Zones ZyWALL USG 100/200 Series User’s Guide 300 14.1.2 What You Need to Know About Zones Effects of Zones on Different Types of Traffic Zones effectively divide traffic into th.
Chapter 14 Zones ZyWALL USG 100/200 Series User’s Guide 301 Figure 206 Network > Zone The following table describes the labels in this screen. 14.2.1 The Zone Edit Screen The Zone Edit screen allows you to edit a zone. To access this screen, go to the Zone screen (see Section 14.
Chapter 14 Zones ZyWALL USG 100/200 Series User’s Guide 302 Member List Available Interface lists the interfaces that do not belong to any zone.
ZyWALL USG 100/200 Series User’s Guide 303 CHAPTER 15 DDNS 15.1 DDNS Overview Dynamic DNS (DDNS) services let you use a domain name with a dynamic IP address. 15.1.1 What You Can Do in the DDNS Screens • Use the DDNS screen (see Section 15.2 on page 304) to view a list of the configured DDNS domain names and their details.
Chapter 15 DDNS ZyWALL USG 100/200 Series User’s Guide 304 Note: Record your DDNS account’s user name, password, and domain name to use to configure the ZyWALL. After you configure the ZyWALL, it automatically sends updated IP addresses to the DDNS service provider, which helps redirect traffic accordingly.
Chapter 15 DDNS ZyWALL USG 100/200 Series User’s Guide 305 15.2.1 The Dynamic DNS Add/Edit Screen The DDNS Add/Edit screen allows you to add a domain name to the ZyWALL or to edit the configuration of an existing domain name. Click Network > DDNS and then an Add or Edit icon to open this screen.
Chapter 15 DDNS ZyWALL USG 100/200 Series User’s Guide 306 The following table describes the labels in this screen. Table 102 Network > DDNS > Add LABEL DESCRIPTION Enable DDNS Profile Select this check box to use this DDNS entry. Profile Name When you are adding a DDNS entry, type a descriptive name for this DDNS entry in the ZyWALL.
Chapter 15 DDNS ZyWALL USG 100/200 Series User’s Guide 307 15.3 The DDNS Status Screen The DDNS Status screen shows the status of the ZyWALL’s DDNS domain names. To access this screen, log in to the web configurator. When the main screen appears, click Network > DDNS > Status.
Chapter 15 DDNS ZyWALL USG 100/200 Series User’s Guide 308 Figure 210 Network > DDNS > Status The following table describes the labels in this screen. Table 103 Network > DDNS > Status LABEL DESCRIPTION Profile Name This field displays the descriptive profile name for this entry.
ZyWALL USG 100/200 Series User’s Guide 309 CHAPTER 16 Virtual Servers 16.1 Virtual Servers Overview Virtual servers are computers on a private network behind the ZyWALL that you make available outside the private network.
Chapter 16 Virtual Servers ZyWALL USG 100/200 Series User’s Guide 310 Finding Out More • See Section 5.4.19 on page 119 for related information on these screens. • See Section 6.8.2 on page 160 for an example of how to configure a virtual server to allow H.
Chapter 16 Virtual Servers ZyWALL USG 100/200 Series User’s Guide 311 16.2.1 The Virtual Server Add/Edit Screen The Virtual Server Add/Edit screen lets you create new virtual servers and edit existing ones. To open this window, open the Virtual Server summary screen.
Chapter 16 Virtual Servers ZyWALL USG 100/200 Series User’s Guide 312 Original IP Use the drop-down list box to indicate which destination IP address this virtual server supports. Choices are: Any - this virtual server supports the IP address of the selected interface.
Chapter 16 Virtual Servers ZyWALL USG 100/200 Series User’s Guide 313 16.3 NAT 1:1 and NAT Loopback Examples The following sections provide examples of manually configuring NAT 1:1 mapping and a policy route rule for NAT loopback.
Chapter 16 Virtual Servers ZyWALL USG 100/200 Series User’s Guide 314 NAT 1:1 Address Objects First create two address objects for the private and public IP addresses (LAN_SMTP and WAN_EG) in the Object > Address screen as shown next.
Chapter 16 Virtual Servers ZyWALL USG 100/200 Series User’s Guide 315 Figure 217 NAT 1:1 Example Virtual Server The wan2 interface has a different IP address than 1.1.1.1, so in order for the ZyWALL gateway to be able to do ARP resolution correctly, you need to create a wan2 virtual server entry.
Chapter 16 Virtual Servers ZyWALL USG 100/200 Series User’s Guide 316 Figure 219 NAT 1:1 Example Policy Route Click Network > Routing > Policy Route > Add and configure the screen as shown next. Be careful of where you create the route as routes are ordered in descending priority.
Chapter 16 Virtual Servers ZyWALL USG 100/200 Series User’s Guide 317 Figure 221 Create a Firewall Rule NAT Loopback Example The NAT 1:1 Example on page 313 maps a public IP address to the private IP address of a LAN1 SMTP mail server to allow users to access the SMTP mail server from the WAN.
Chapter 16 Virtual Servers ZyWALL USG 100/200 Series User’s Guide 318 NAT Loopback Virtual Server When a LAN1 user sends SMTP traffic to IP address 1.1.1.1, the traffic comes into the ZyWALL through the LAN1 interface, thus it does not match the NAT 1:1 mapping’s virtual server rule for SMTP traffic coming to IP 1 .
Chapter 16 Virtual Servers ZyWALL USG 100/200 Series User’s Guide 319 NAT Loopback Policy Route Without a NAT loopback policy route, the LAN1 user SMTP traffic goes to the LAN1 SMTP server with the LAN1 computer’s IP address as the source.
Chapter 16 Virtual Servers ZyWALL USG 100/200 Series User’s Guide 320 Figure 227 Create a Policy Route Now the LAN1 SMTP server replies to the ZyWALL’s LAN1 IP address and the ZyWALL changes the source address to 1.1.1.1 before sending it to the LAN1 user’s computer.
ZyWALL USG 100/200 Series User’s Guide 321 CHAPTER 17 HTTP Redirect 17.1 Overview HTTP redirect forwards the client’s HTTP request (except HTTP traffic destined for the ZyWALL) to a web proxy server. In the following example, proxy server A is connected to the dmz interface.
Chapter 17 HTTP Redirect ZyWALL USG 100/200 Series User’s Guide 322 17.1.2 What You Need to Know About HTTP Redirect Web Proxy Server A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services.
Chapter 17 HTTP Redirect ZyWALL USG 100/200 Series User’s Guide 323 Note: You can configure up to one HTTP redirect rule for each (incoming) interface. Figure 230 Network > HTTP Redirect The following table describes the labels in this screen.
Chapter 17 HTTP Redirect ZyWALL USG 100/200 Series User’s Guide 324 The following table describes the labels in this screen. Table 107 Network > HTTP Redirect > Edit LABEL DESCRIPTION Enable Use this option to turn the HTTP redirect rule on or off.
ZyWALL USG 100/200 Series User’s Guide 325 CHAPTER 18 ALG 18.1 ALG Overview Application Layer Gateway (ALG) allows the following applications to operate properly through the ZyWALL’s NAT. • FTP - File Transfer Protocol (FTP) is an Internet file transfer service.
Chapter 18 ALG ZyWALL USG 100/200 Series User’s Guide 326 18.1.2 What You Need to Know About ALG Application Layer Gateway (ALG), NAT and Firewall The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain NAT un-friendly applications (such as SIP) to operate properly through the ZyWALL’s NAT and firewall.
Chapter 18 ALG ZyWALL USG 100/200 Series User’s Guide 327 • The SIP ALG allows UDP packets with a specified port destination to pass through. • The ZyWALL allows SIP audio connections.
Chapter 18 ALG ZyWALL USG 100/200 Series User’s Guide 328 For example, you configure firewall and virtual server rules to allow LAN IP address A to receive calls through public WAN IP address 1. You configure different firewall and port forwarding rules to allow LAN IP address B to receive calls through public WAN IP address 2.
Chapter 18 ALG ZyWALL USG 100/200 Series User’s Guide 329 Figure 236 Network > ALG The following table describes the labels in this screen. Table 108 Network > ALG LABEL DESCRIPTION Enable SIP Transformations Turn on the SIP ALG to allow SIP sessions to pass through the ZyWALL.
Chapter 18 ALG ZyWALL USG 100/200 Series User’s Guide 330 18.3 ALG Technical Reference Here is more detailed information about the Application Layer Gateway. ALG Some applications cannot operate through NAT (are NAT un-friendly) because they embed IP addresses and port numbers in their packets’ data payload.
Chapter 18 ALG ZyWALL USG 100/200 Series User’s Guide 331 H.323 H.323 is a standard teleconferencing protocol suite that provides audio, data and video conferencing. It allows for real-time point-to-point and multipoint communication between client computers over a packet-based network that does not provide a guaranteed quality of service.
333 PART III Firewall Firewall (335).
ZyWALL USG 100/200 Series User’s Guide 335 CHAPTER 19 Firewall 19.1 Overview Use the firewall to block or allow services that use static port numbers. Use application patrol (see Chapter 27 on page 443) to control services using flexible/dynamic port numbers.
Chapter 19 Firewall ZyWALL USG 100/200 Series User’s Guide 336 19.1.2 What You Need to Know About the Firewall Stateful Inspection The ZyWALL has a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules.
Chapter 19 Firewall ZyWALL USG 100/200 Series User’s Guide 337 To-ZyWALL Rules Rules with ZyWALL as the To Zone apply to traffic going to the ZyWALL itself. By default: • The firewall allows LAN1 and WLAN computers to access or manage the ZyWALL.
Chapter 19 Firewall ZyWALL USG 100/200 Series User’s Guide 338 Firewall and VPN Traffic After you create a VPN tunnel and add it to a zone, you can set the firewall rules applied to VPN traffic.
Chapter 19 Firewall ZyWALL USG 100/200 Series User’s Guide 339 • The second row is the firewall’s default policy that allows all traffic from the LAN to go to the WAN. The ZyWALL applies the firewall rules in order. So for this example, when the ZyWALL receives traffic from LAN1, it checks it against the first rule.
Chapter 19 Firewall ZyWALL USG 100/200 Series User’s Guide 340 • The third row is (still) the firewall’s default policy of allowing all traffic from LAN1 to go to the WAN.
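The in-order rule check described above, as an added example (a model written for this page, not ZyWALL code or configuration): rules are tested top to bottom and the first match decides, so an exception must sit above the broader rule it overrides, and an audit helper flags rules that can never match. The zone names follow the guide; the rule names, addresses, the "tcp/6667" service label and the implicit default of deny are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    source: str   # CIDR block or "any"
    service: str  # "proto/port" label or "any"
    action: str   # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    from_zone: str
    to_zone: str
    src_ip: str
    service: str


def matches(rule, pkt):
    """True when every field of the rule accepts the packet."""
    if rule.from_zone not in (ANY, pkt.from_zone):
        return False
    if rule.to_zone not in (ANY, pkt.to_zone):
        return False
    if rule.service not in (ANY, pkt.service):
        return False
    return rule.source == ANY or ip_address(pkt.src_ip) in ip_network(rule.source)


def evaluate(rules, pkt, default_action="deny"):
    """Check rules in order; the first match decides and later rules are ignored."""
    for position, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.action, rule.name, position
    return default_action, "implicit-default", None


def covers(earlier, later):
    """True when 'earlier' matches every packet that 'later' could match."""
    for a, b in ((earlier.from_zone, later.from_zone),
                 (earlier.to_zone, later.to_zone),
                 (earlier.service, later.service)):
        if a != ANY and a != b:
            return False
    if earlier.source == ANY:
        return True
    if later.source == ANY:
        return False
    return ip_network(later.source).subnet_of(ip_network(earlier.source))


def shadowed_rules(rules):
    """Names of rules that never take effect because an earlier rule covers them."""
    return [later.name for i, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:i])]


# Constructed sample policy: one LAN1 host is exempt from a LAN1-to-WAN service block.
ALLOW_HOST = Rule("allow-host-chat", "LAN1", "WAN", "192.168.1.7/32", "tcp/6667", "allow")
BLOCK_CHAT = Rule("block-chat", "LAN1", "WAN", ANY, "tcp/6667", "deny")
DEFAULT_OUT = Rule("default-lan1-to-wan", "LAN1", "WAN", ANY, ANY, "allow")

GOOD_ORDER = [ALLOW_HOST, BLOCK_CHAT, DEFAULT_OUT]  # exception first
BAD_ORDER = [BLOCK_CHAT, ALLOW_HOST, DEFAULT_OUT]   # exception is shadowed

if __name__ == "__main__":
    exempt = Packet("LAN1", "WAN", "192.168.1.7", "tcp/6667")
    for label, rules in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(label, evaluate(rules, exempt), "shadowed:", shadowed_rules(rules))
```
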
Chapter 19 Firewall ZyWALL USG 100/200 Series User’s Guide 341 Figure 240 Firewall Example: Select the Traveling Direction of Traffic 2 Select From WAN and To LAN1. Select Create Object in the Destination drop-down list box. Figure 241 Firewall Example: Edit a Firewall Rule 1 3 The screen for configuring an address object opens.
Chapter 19 Firewall ZyWALL USG 100/200 Series User’s Guide 342 Figure 243 Firewall Example: Create a Service Object 6 Enter the name of the firewall rule. 7 Make sure Dest_1 is selected for the Destination and MyService is selected as the Service. Enter a description and configure the rest of the screen as follows.
Chapter 19 Firewall ZyWALL USG 100/200 Series User’s Guide 343 19.2 The Firewall Screen Asymmetrical Routes If an alternate gateway on LAN1 has an IP address in the same subnet as the ZyWALL’s LAN1 IP address, return traffic may not go through the ZyWALL.
Chapter 19 Firewall ZyWALL USG 100/200 Series User’s Guide 344 • Besides configuring the firewall, you also need to configure virtual servers (NAT port forwarding) to allow computers on the WAN to access LAN devices. See Chapter 16 on page 309 for more information.
Chapter 19 Firewall ZyWALL USG 100/200 Series User’s Guide 345 From Zone To Zone This is the direction of travel of packets. Select from which zone the packets come and to which zone they go. Firewall rules are grouped based on the direction of travel of packets to which they apply.
Chapter 19 Firewall ZyWALL USG 100/200 Series User’s Guide 346 19.2.2 The Firewall Edit Screen In the Firewall screen, click the Edit or Add icon to display the Firewall Rule Edit screen. Refer to the following table for information on the labels.
Chapter 19 Firewall ZyWALL USG 100/200 Series User’s Guide 347 Description Enter a descriptive name of up to 60 printable ASCII characters for the firewall rule. Spaces are allowed. Schedule Select a schedule that defines when the rule applies or select Create Object to configure a new one (see Chapter 38 on page 619 for details).
349 PART IV VPN IPSec VPN (351) SSL VPN (385) SSL User Screens (395) SSL User Application Screens (401) SSL User File Sharing (403) L2TP VPN (409) L2TP VPN Example (415).
ZyWALL USG 100/200 Series User’s Guide 351 CHAPTER 20 IPSec VPN 20.1 IPSec VPN Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing.
Chapter 20 IPSec VPN ZyWALL USG 100/200 Series User’s Guide 352 • Use the VPN Concentrator screens (see Section 20.4 on page 369) to combine several IPSec VPN connections into a single secure network. • Use the SA Monitor screen (see Section 20.
Chapter 20 IPSec VPN ZyWALL USG 100/200 Series User’s Guide 353 You should set up the following features before you set up the VPN tunnel. • In any VPN connection, you have to select address objects to specify the local policy and remote policy.
Chapter 20 IPSec VPN ZyWALL USG 100/200 Series User’s Guide 354 Each field is discussed in the following table. See Section 20.2.2 on page 360 and Section 20.
Chapter 20 IPSec VPN ZyWALL USG 100/200 Series User’s Guide 355 20.2.1 The VPN Connection Add/Edit (IKE) Screen The VPN Connection Add/Edit Gateway screen allows you to create a new VPN connection policy or edit an existing one. To access this screen, go to the VPN Connection screen (see Section 20.
Chapter 20 IPSec VPN ZyWALL USG 100/200 Series User’s Guide 356 Figure 252 VPN > IPSec VPN > VPN Connection > Edit (IKE).
Chapter 20 IPSec VPN ZyWALL USG 100/200 Series User’s Guide 357 Each field is described in the following table. Table 116 VPN > IPSec VPN > VPN Connection > Edit LABEL DESCRIPTION General Settings Click Advanced to display more settings.
Chapter 20 IPSec VPN ZyWALL USG 100/200 Series User’s Guide 358 SA Life Time Type the maximum number of seconds the IPSec SA can last. Shorter life times provide better security. The ZyWALL automatically negotiates a new IPSec SA before the current one expires, if there are users who are accessing remote resources.
Chapter 20 IPSec VPN ZyWALL USG 100/200 Series User’s Guide 359 Related Settings Add this VPN connection to IPSec_VPN zone. Select this check box to add the VPN connection policy to the IPSec_VPN security zone. Any security rules or settings configured for the IPSec_VPN security zone will also apply to this VPN connection policy.
Chapter 20 IPSec VPN ZyWALL USG 100/200 Series User’s Guide 360 20.2.2 The VPN Connection Add/Edit Manual Key Screen The VPN Connection Add/Edit Manual Key screen allows you to create a new VPN connection or edit an existing one using a manual key.
Chapter 20 IPSec VPN ZyWALL USG 100/200 Series User’s Guide 361 Figure 253 VPN > IPSec VPN > VPN Connection > Manual Key > Edit This table describes labels specific to manual key configuration. See Section 20.2 on page 353 for descriptions of the other fields.
Chapter 20 IPSec VPN ZyWALL USG 100/200 Series User’s Guide 362 Encapsulation Mode Select which type of encapsulation the IPSec SA uses. Choices are: Tunnel - this mode encrypts the IP header information and the data. Transport - this mode only encrypts the data.
Chapter 20 IPSec VPN ZyWALL USG 100/200 Series User’s Guide 363 20.3 The VPN Gateway Screen The VPN Gateway summary screen displays the IPSec VPN gateway policies in the ZyWALL, as well as the ZyWALL’s address, remote IPSec router’s address, and associated VPN connections for each one.
Chapter 20 IPSec VPN ZyWALL USG 100/200 Series User’s Guide 364 20.3.1 The VPN Gateway Add/Edit Screen The VPN Gateway Add/Edit screen allows you to create a new VPN gateway policy or edit an existing one. To access this screen, go to the VPN Gateway summary screen (see Section 20.
Chapter 20 IPSec VPN ZyWALL USG 100/200 Series User’s Guide 365 Figure 255 VPN > IPSec VPN > VPN Gateway > Edit Each field is described in the following table. Table 119 VPN > IPSec VPN > VPN Gateway > Edit LABEL DESCRIPTION General Settings VPN Gateway Name Type the name used to identify this VPN gateway.
Chapter 20 IPSec VPN ZyWALL USG 100/200 Series User’s Guide 366 Peer Gateway Address Select how the IP address of the remote IPSec router in the IKE SA is defined. Select Static Address to enter the domain name or the IP address of the remote IPSec router.
Chapter 20 IPSec VPN ZyWALL USG 100/200 Series User’s Guide 367 Peer ID Type Select which type of identification is used to identify the remote IPSec router during authentication.
Chapter 20 IPSec VPN ZyWALL USG 100/200 Series User’s Guide 368 Encryption Select which key size and encryption algorithm to use in the IKE SA. Choices are: DES - a 56-bit key with the DES encrypti.
Chapter 20 IPSec VPN ZyWALL USG 100/200 Series User’s Guide 369 20.4 The VPN Concentrator Screen A VPN concentrator combines several IPSec VPN connections into one secure network.
Chapter 20 IPSec VPN ZyWALL USG 100/200 Series User’s Guide 370 Figure 257 VPN > IPSec VPN > Concentrator Each field is discussed in the following table.
Chapter 20 IPSec VPN ZyWALL USG 100/200 Series User’s Guide 371 20.5 The SA Monitor Screen You can use the SA Monitor screen to display and to manage active IPSec SAs. To access this screen, click VPN > IPSec VPN > SA Monitor. The following screen appears.
Chapter 20 IPSec VPN ZyWALL USG 100/200 Series User’s Guide 372 Figure 260 VPN > IPSec VPN > SA Monitor Each field is described in the following table. Table 122 VPN > IPSec VPN > SA Monitor LABEL DESCRIPTION Name Enter the name of an IPSec SA here and click Search to find it (if it is associated).
20.6 IPSec VPN Background Information
Here is some more detailed IPSec VPN background information.
IKE SA Overview
The IKE SA provides a secure connection between the ZyWALL and remote IPSec router.
The ZyWALL sends one or more proposals to the remote IPSec router. (In some devices, you can only set up one proposal.) Each proposal consists of an encryption algorithm, authentication algorithm, and DH key group that the ZyWALL wants to use in the IKE SA.
DH public-key cryptography is based on DH key groups. Each key group is a fixed number of bits long. The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information.
Router identity consists of ID type and content. The ID type can be domain name, IP address, or e-mail address, and the content is a (properly-formatted) domain name, IP address, or e-mail address.
Main mode takes six steps to establish an IKE SA.
Steps 1 - 2: The ZyWALL sends its proposals to the remote IPSec router. The remote IPSec router selects an acceptable proposal and sends it back to the ZyWALL.
Extended Authentication
Extended authentication is often used when multiple IPSec routers use the same VPN tunnel to connect to a single IPSec router. For example, this might be used with telecommuters.
IPSec SA Overview
Once the ZyWALL and remote IPSec router have established the IKE SA, they can securely negotiate an IPSec SA through which to send data between computers on the networks.
These modes are illustrated below. In tunnel mode, the ZyWALL uses the active protocol to encapsulate the entire IP packet.
IPSec SA using Manual Keys
You might set up an IPSec SA using manual keys when you want to establish a VPN tunnel quickly, for example, for troubleshooting. You should only do this as a temporary solution, however, because it is not as secure as a regular IPSec SA.
Figure 266 VPN Example: NAT for Inbound and Outbound Traffic
Source Address in Outbound Packets (Outbound Traffic, Source NAT)
This translation lets the ZyWALL route packets from computers that are not part of the specified local network (local policy) through the IPSec SA.
You have to specify one or more rules when you set up this kind of NAT. The ZyWALL checks these rules similar to the way it checks rules for a firewall. The first part of these rules defines the conditions in which the rule applies.
Chapter 21 SSL VPN
21.1 Overview
Use SSL VPN to allow users to use a web browser for secure remote user login (the remote users do not need a VPN router or VPN client software).
21.1.1 What You Can Do in the SSL VPN Screens
• Use the VPN > SSL VPN > Access Privilege screens (see Section 21.
Full Tunnel Mode
In full tunnel mode, a virtual connection is created for remote users with private IP addresses in the same subnet as the local network. This allows them to access network resources in the same way as if they were part of the internal network.
Finding Out More
• See Section 5.4.5 on page 115 for related information on these screens.
• See Section 21.5 on page 392 for how to establish an SSL VPN connection to the ZyWALL (after you have configured the SSL VPN settings on the ZyWALL).
Figure 270 VPN > SSL VPN > Access Privilege > Add/Edit
The following table describes the labels in this screen.
Table 127 VPN > SSL VPN > Access Privilege > Add/Edit
LABEL | DESCRIPTION
Configuration
Enable | Select this option to activate this SSL access policy.
21.3 The SSL Connection Monitor Screen
The ZyWALL keeps track of the users who are currently logged in to the VPN SSL client portal. Click VPN > SSL VPN in the navigation panel and click the Connection Monitor tab to display the user list.
• Log out individual users and delete related session information.
Once a user logs out, the corresponding entry is removed from the Connection Monitor screen.
Figure 271 VPN > SSL VPN > Connection Monitor
The following table describes the labels in this screen.
Figure 272 VPN > SSL VPN > Global Setting
The following table describes the labels in this screen.
21.4.1 How to Upload a Custom Logo
Follow the steps below to upload a custom logo to display on the remote user SSL VPN screens.
1 Click VPN > SSL VPN and click the Global Setting tab to display the configuration screen.
Figure 274 SSL VPN Client Portal Screen Example
If the user account is not set up for SSL VPN access, an “SSL VPN connection is not activated” message displays in the Login screen. Clear the Login to SSL VPN check box and try logging in again.
Chapter 22 SSL User Screens
22.1 Overview
This chapter introduces the remote user SSL VPN screens. The following figure shows a network example where a remote user (A) logs into the ZyWALL from the Internet to access the web server (WWW) on the local network.
• Firefox 1.0 and above
• Mozilla 1.7.3 and above
• Sun’s Java (Java Runtime Environment or ‘JRE’) installed and enabled with a minimum version of 1.
Figure 277 Login Security Screen
3 A login screen displays. Enter the user name and password of your login account. If a token password is also required, enter it in the One-Time Password field.
Figure 280 SecuExtender Progress
7 The Application screen displays showing the list of resources available to you. See Figure 281 on page 398 for a screen example.
Note: Available resource links vary depending on the configuration your network administrator made.
The following table describes the various parts of a remote user screen.
22.4 Bookmarking the ZyWALL
You can create a bookmark of the ZyWALL by clicking the Add to Favorite icon.
Figure 284 Logout: Connection Termination Progress
Chapter 23 SSL User Application Screens
23.1 SSL User Application Screens Overview
Use the Application screen to access web-based applications (such as web sites and e-mail) on the network through the SSL VPN connection.
Chapter 24 SSL User File Sharing
24.1 Overview
The File Sharing screen lets you access files on a file server through the SSL VPN connection.
24.1.1 What You Need to Know About the SSL VPN File Sharing
Use the File Sharing screen to display and access shared files/folders on a file server.
Figure 286 File Sharing
24.3 Opening a File or Folder
You can open a file if the file extension is recognized by the web browser and the associated application is installed on your computer.
4 A list of files/folders displays. Click on a file to open it in a separate browser window. You can also click a folder to access it. For this example, click on a .
Figure 289 File Sharing: Save a Word File
24.4 Creating a New Folder
To create a new folder in the file share location, click the New Folder icon. Specify a descriptive name for the folder.
Figure 291 File Sharing: Rename
A popup window displays. Specify the new name and/or file extension in the field provided. You can enter up to 356 characters. Then click Apply.
24.7 Uploading a File
Follow the steps below to upload a file to the file server.
1 Log into the remote user screen and click the File Sharing tab.
2 Specify the location and/or name of the file you want to upload.
Chapter 25 L2TP VPN
25.1 Overview
L2TP VPN lets remote users use the L2TP and IPSec client software included with their computers’ operating systems to securely connect to the network behind the ZyWALL.
IPSec Configuration Required for L2TP VPN
You must configure an IPSec VPN connection for L2TP VPN to use (see Chapter 20 on page 351 for details). The IPSec VPN connection must:
• Be enabled.
Finding Out More
• See Section 5.4.6 on page 115 for related information on these screens.
• See Chapter 26 on page 415 for an example of how to create a basic L2TP VPN tunnel.
25.
25.3 L2TP VPN Session Monitor Screen
Click VPN > L2TP VPN > Session Monitor to open the following screen. Use this screen to display and manage the ZyWALL’s connected L2TP VPN sessions.
Hostname | This field displays the name of the computer that has this L2TP VPN connection with the ZyWALL.
Assigned IP | This field displays the IP address that the ZyWALL assigned for the remote user’s computer to use within the L2TP VPN tunnel.
Chapter 26 L2TP VPN Example
This chapter shows how to create a basic L2TP VPN tunnel.
26.1 L2TP VPN Example
This chapter uses the following settings in creating a basic L2TP VPN tunnel.
Figure 299 L2TP VPN Example
• The ZyWALL has a static IP address of 172.
Figure 300 VPN > IPSec VPN > VPN Gateway > Edit
• Configure the My Address setting. This example uses interface wan1 with static IP address 172.16.1.2.
• Select Pre-Shared Key and configure a password.
Figure 302 VPN > IPSec VPN > VPN Connection > Edit
2 Click the Policy Advanced button.
26.4 Configuring the L2TP VPN Settings Example
1 Click VPN > L2TP VPN to open the following screen.
Figure 304 VPN > L2TP VPN Example
2 Configure the following.
• Enable the connection.
Figure 305 Routing > Add: L2TP VPN Example
2 Configure the following.
• Enable the policy route.
• Set the policy route’s Source Address to the address object that you want to allow the remote users to access (LAN1_SUBNET in this example).
2 Click Next in the Welcome screen.
3 Select Connect to the network at my workplace and click Next.
Figure 306 New Connection Wizard: Network Connection Type
4 Select Virtual Private Network connection and click Next.
Figure 308 New Connection Wizard: Connection Name
6 Select Do not dial the initial connection and click Next.
Figure 310 New Connection Wizard: VPN Server Selection
8 Click Finish.
9 The Connect L2TP to ZyWALL screen appears. Click Properties > Security.
Figure 311 Connect L2TP to ZyWALL
10 Click Security, select Advanced (custom settings) and click Settings.
Figure 312 Connect L2TP to ZyWALL: Security
11 Select Optional encryption (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes.
Figure 314 L2TP to ZyWALL Properties > Security
13 Select the Use pre-shared key for authentication check box and enter the pre-shared key used in the VPN gateway configuration that the ZyWALL is using for L2TP VPN.
Figure 317 Connect L2TP to ZyWALL
16 A window appears while the user name and password are verified.
17 A ZyWALL-L2TP icon displays in your system tray. Double-click it to open a status screen.
1 Click Start > Run. Type regedit and click OK.
Figure 320 Starting the Registry Editor
2 Click Registry > Export Registry File and save a backup copy of your registry.
Figure 323 ProhibitIpSec DWORD Value
6 Restart the computer and continue with the next section.
Figure 326 Add > IP Security Policy Management > Finish
4 Right-click IP Security Policies on Local Machine and click Create IP Security Policy. Click Next in the welcome screen.
Figure 328 IP Security Policy: Name
6 Clear the Activate the default response rule check box and click Next.
Figure 329 IP Security Policy: Request for Secure Communication
7 Leave the Edit Properties check box selected and click Finish.
8 In the properties dialog box, click Add > Next.
Figure 331 IP Security Policy Properties > Add
9 Select This rule does not specify a tunnel and click Next.
Figure 333 IP Security Policy Properties: Network Type
11 Select Use this string to protect the key exchange (preshared key), type password in the text box, and click Next.
Figure 335 IP Security Policy Properties: IP Filter List
13 Type ZyWALL WAN_IP in the Name field. Clear the Use Add Wizard check box and click Add.
Figure 336 IP Security Policy Properties: IP Filter List > Add
14 Configure the following in the Addressing tab.
Figure 337 Filter Properties: Addressing
15 Configure the following in the Filter Properties window’s Protocol tab. Set the protocol type to UDP from port 1701. Select To any port.
Figure 339 IP Security Policy Properties: IP Filter List
17 Select Require Security and click Next. Then click Finish and Close.
Figure 340 IP Security Policy Properties: IP Filter List
18 In the Console window, right-click L2TP to ZyWALL and select Assign.
26.6.2.3 Configure the Windows 2000 Network Connection
After you have configured the IPSec policy, use these directions to create a network connection.
1 Click Start > Settings > Network and Dial-up connections > Make New Connection.
Figure 344 New Connection Wizard: Destination Address
4 Select For all users and click Next.
Figure 345 New Connection Wizard: Connection Availability
5 Name the connection L2TP to ZyWALL and click Finish.
6 Click Properties.
Figure 347 Connect L2TP to ZyWALL
7 Click Security and select Advanced (custom settings) and click Settings.
Figure 349 Connect L2TP to ZyWALL: Security > Advanced
9 Click Networking and select Layer 2 Tunneling Protocol (L2TP) from the drop-down list box. Click OK.
Figure 350 Connect L2TP to ZyWALL: Networking
10 Enter your user name and password and click Connect.
Figure 351 Connect L2TP to ZyWALL
11 A ZyWALL-L2TP icon displays in your system tray.
Part V Application Patrol
Chapter 27 Application Patrol
27.1 Overview
Application patrol provides a convenient way to manage the use of various applications on the network.
27.1.2 What You Need to Know About Application Patrol
Note: The ZyWALL checks firewall rules before it checks application patrol rules for traffic going through the ZyWALL.
The application patrol bandwidth management is more flexible and powerful than the bandwidth management in policy routes. Application patrol controls TCP and UDP traffic. Use policy routes to manage other types of traffic (like ICMP).
• Inbound traffic is limited to 500 kbs. The connection initiator is on LAN1 so inbound means the traffic traveling from the WAN to the LAN1.
Figure 356 Bandwidth Management Behavior
Configured Rate Effect
In the following table, the configured rates total less than the available bandwidth and maximize bandwidth usage is disabled, so both servers get their configured rate.
Priority and Over Allotment of Bandwidth Effect
Server A has a configured rate that equals the total amount of available bandwidth and a higher priority.
Figure 357 Application Patrol Bandwidth Management Example
27.1.3.1 Setting the Interface’s Bandwidth
Use the interface screens to set the WAN zone interface’s upstream bandwidth to be equal to (or slightly less than) what the connected device can support.
Figure 358 SIP Any to WAN Bandwidth Management Example
27.1.3.3 SIP WAN to Any Bandwidth Management Example
You also create a policy for calls coming in from the SIP server on the WAN.
Figure 360 FTP WAN to DMZ Bandwidth Management Example
27.1.3.6 FTP LAN to DMZ Bandwidth Management Example
• The LAN and DMZ zone interfaces are connected to Ethernet networks (not an ADSL device) so you limit both outbound and inbound traffic to 50 Mbps.
Note: You must register for the IDP/AppPatrol signature service (at least the trial) before you can use it. See Chapter 8 on page 185 for how to register.
Click AppPatrol to open the following screen.
27.3 Application Patrol Applications
Use the application patrol Common, Instant Messenger, Peer to Peer, VoIP, or Streaming screen to manage traffic of individual applications.
27.3.1 The Application Patrol Edit Screen
Use this screen to edit the settings for an application.
Service Port | This is available if the Classification is Service Ports. You can view and edit the ports used to identify this application.
27.3.2 The Application Patrol Policy Edit Screen
The Application Policy Edit screen allows you to edit a group of settings for an application.
Schedule | Select a schedule that defines when the policy applies or select Create Object to configure a new one (see Chapter 38 on page 619 for details). Otherwise, select none to make the policy always effective.
27.4 The Other Applications Screen
Sometimes, the ZyWALL cannot identify the application. For example, the application might be a new application, or the packets might arrive out of sequence.
Figure 366 AppPatrol > Other
The following table describes the labels in this screen.
27.4.1 The Other Applications Add/Edit Screen
The Other Configuration Add/Edit screen allows you to create a new condition or edit an existing one. To access this screen, go to the Other Protocol screen (see Section 27.
Figure 367 AppPatrol > Other > Edit
The following table describes the labels in this screen.
Table 142 AppPatrol > Other > Edit
LABEL | DESCRIPTION
Enable | Select this check box to turn on this policy.
27.5 Application Patrol Statistics
This screen displays a bandwidth usage graph and statistics for selected protocols. Click AppPatrol > Statistics to open the following screen.
Figure 368 AppPatrol > Statistics: General Setup
The following table describes the labels in this screen.
• Different colors represent different protocols.
27.5.3 Application Patrol Statistics: Protocol Statistics
The bottom of the AppPatrol > Statistics screen displays statistics for each of the selected protocols.
Inbound Kbps | This is the incoming bandwidth usage for traffic that matched this protocol rule, in kilobits per second. This is the protocol’s traffic that the ZyWALL sends to the initiator of the connection.
Part VI Anti-X
Chapters in this part: Anti-Virus, IDP, ADP, Content Filtering, Content Filter Reports, Anti-Spam
Chapter 28 Anti-Virus
28.1 Overview
Use the ZyWALL’s anti-virus feature to protect your connected network from virus/spyware infection. The ZyWALL checks traffic going in the direction(s) you specify for signature matches.
28.1.2 What You Need to Know About Anti-Virus
Anti-Virus Engines
Subscribe to signature files for ZyXEL’s anti-virus engine or one powered by Kaspersky. When using the trial, you can switch from one engine to the other in the Registration screen.
Note: Since the ZyWALL erases the infected portion of the file before sending it, you may not be able to open the file.
Figure 372 Anti-X > Anti-Virus > General
The following table describes the labels in this screen.
Table 145 Anti-X > Anti-Virus > General
LABEL | DESCRIPTION
General Settings | Click Advanced to display more settings.
28.2.1 Anti-Virus Policy Add or Edit Screen
Click the Add or Edit icon in the Anti-X > Anti-Virus > General screen to display the configuration screen as shown next.
Add icon | Click the Add icon in the heading row to add a new first entry.
Figure 373 Anti-X > Anti-Virus > General > Add
The following table describes the labels in this screen.
28.3 Anti-Virus Black List
Click Anti-X > Anti-Virus > Black/White List to display the screen shown next. Use the Black List screen to set up the Anti-Virus black (blocked) list of virus file patterns.
Figure 374 Anti-X > Anti-Virus > Black/White List > Black List
The following table describes the labels in this screen.
Figure 375 Anti-X > Anti-Virus > Black/White List > Black List (or White List) > Add
The following table describes the labels in this screen.
Figure 376 Anti-X > Anti-Virus > Black/White List > White List
The following table describes the labels in this screen.
28.6 Signature Searching
Click Anti-X > Anti-Virus > Signature to display this screen.
Figure 377 Anti-X > Anti-Virus > Signature: Search by Severity
The following table describes the labels in this screen.
Table 150 Anti-X > Anti-Virus > Signature
LABEL | DESCRIPTION
Signatures Search Select the criteria on which to perform the search.
28.7 Anti-Virus Technical Reference
Types of Computer Viruses
The following table describes some of the common computer viruses.
Computer Virus Infection and Prevention
The following describes a simple life cycle of a computer virus.
• HAV scanners are slow in stopping virus threats through real-time traffic (such as from the Internet).
• HAV scanners may reduce computing performance as they also share the resources (such as CPU time) on the computer for file inspection.
Chapter 29 IDP
29.1 Overview
This chapter introduces packet inspection IDP (Intrusion Detection and Prevention), IDP profiles, binding an IDP profile to a traffic flow, custom signatures and updating signatures.
Note: You can only apply one IDP profile to one traffic flow.
Base IDP Profiles
Base IDP profiles are templates that you use to create new IDP profiles. The ZyWALL comes with several base profiles.
Figure 378 Anti-X > IDP > General
The following table describes the labels in this screen.
Table 152 Anti-X > IDP > General
LABEL | DESCRIPTION
General Setup
Enable Signature Detection | You must register for IDP service in order to use packet inspection signatures.
29.2.1 Configuring IDP Policies
Click Anti-X > IDP > General and then an Add or Edit icon to display the following screen. Use this screen to apply an IDP profile to traffic flowing from one zone to another.
Figure 379 Anti-X > IDP > General > Add
The following table describes the labels in this screen.
29.3 Introducing IDP Profiles
An IDP profile is a set of packet inspection signatures.
Chapter 29 ID P ZyWALL USG 100/200 Series User’s Guide 488 Figure 380 Base Profiles The following table describes this screen. 29.4 The Profile Summary Screen Select Anti-X > IDP > Pr ofile .
Chapter 29 IDP ZyWALL USG 100/200 Series User’s Gu ide 489 Figure 381 Anti-X > IDP > Profile The following table describes th e fields in this screen. 29.5 Creating New Profiles Y ou may want to create a ne w profile if not all signatures in a base profile are applicable to your network.
Chapter 29 ID P ZyWALL USG 100/200 Series User’s Guide 490 3 T ype a new profile name 4 Enable or disable individu al signatures. 5 Edit the default log options an d actions. 29.6 Profiles: Packet Inspection Select Anti-X > IDP > Pr ofile and the n add a new or edit an existing profile select.
Chapter 29 IDP ZyWALL USG 100/200 Series User’s Gu ide 491 Figure 382 Anti-X > IDP > Profile > Edit : Group View.
Chapter 29 ID P ZyWALL USG 100/200 Series User’s Guide 492 The following table describes th e fields in this screen. T able 156 Anti-X > IDP > Profile > Group V iew LABEL DESCRIPTION Name This is the name of the profile.
Chapter 29 IDP ZyWALL USG 100/200 Series User’s Gu ide 493 29.6.2 Policy T ypes This section describes IDP policy types, also kn own as attack types, as categorized in the ZyW ALL. Y ou may refer to these types wh en categorizing your own custom rules.
Chapter 29 ID P ZyWALL USG 100/200 Series User’s Guide 494 29.6.3 IDP Service Group s An IDP service group is a set of related packet inspec tion signatures. DoS/DDoS The goa l of Denial of Service (DoS) at tacks is not to steal information, but to disable a device or network on the Internet.
Chapter 29 IDP ZyWALL USG 100/200 Series User’s Gu ide 495 The following figure sh ows the WEB_PHP service g roup that contains signatures related to attacks on web servers using PHP ex ploits. PHP (PHP: Hypertext Preprocessor) is a server- side HTML embedded scripting language that allows web developers to build d ynamic websites.
Chapter 29 ID P ZyWALL USG 100/200 Series User’s Guide 496 Figure 384 Anti-X > IDP > Profile: Query View The following table describes th e fields in this screen. T able 159 Anti-X > IDP > Profile: Query View LABEL DESCRIPTION Name This is the name of the profile that you created in the IDP > Profiles > Gr oup View screen.
Chapter 29 IDP ZyWALL USG 100/200 Series User’s Gu ide 497 29.6.5 Query Example This example shows a search with these criteria: • Severity: severe and high • Attack T ype: DDoS • Platform: W .
Chapter 29 ID P ZyWALL USG 100/200 Series User’s Guide 498 Figure 386 Query Example Sear ch Results 29.7 Introducing IDP Custom Signatures Create custom signatures for new attacks or attacks peculiar to your network. Custom signatures can also be saved to/from your computer so as to share with others.
Chapter 29 IDP ZyWALL USG 100/200 Series User’s Gu ide 499 Figure 387 IP v4 Packet Headers The header fields are discussed below: T able 160 IP v4 Packet Headers HEADER DESCRIPTIO N V ersion The value 4 indi cates IP version 4. IHL IP Header Len gth is the number of 32 b it words forming the total length of the header (usually five).
Chapter 29 ID P ZyWALL USG 100/200 Series User’s Guide 500 29.8 Configuring Custom Signatures Select Anti-X > IDP > Custom Signature s. The first screen shows a summary of all custom signatures created. Click the SID or Name heading to sort. Click the Add icon to create a new signature or click the Edit icon to edit an existing signature.
Chapter 29 IDP ZyWALL USG 100/200 Series User’s Gu ide 501 The following table describes th e fields in this screen. 29.8.1 Creating or Editing a Custom Signature Click the Add icon to create a new signature or click the Edit icon to edit an existing signature in the screen as shown in Figure 388 on page 500 .
Chapter 29 ID P ZyWALL USG 100/200 Series User’s Guide 502 Figure 389 Anti-X > IDP > Custom Signatures > Add/Edit.
Chapter 29 IDP ZyWALL USG 100/200 Series User’s Gu ide 503 The following table describes the fields in this screen. T able 162 Anti-X > IDP > Custom Signatures > Add/Edit LABEL DESCRIPTION Name T ype the name of your custom si gnature.
Chapter 29 ID P ZyWALL USG 100/200 Series User’s Guide 504 IP Options IP opti ons is a vari able-length list of IP options for a datagram that define IP Security Option, IP Stream Identifier , (secu.
Chapter 29 IDP ZyWALL USG 100/200 Series User’s Gu ide 505 29.8.2 Custom Signature Example Before creating a custom signature, you must fi rst clearly understand the vulnerability . 29.8.2.1 Underst and the V ulnerability Check the ZyW ALL logs when the attack occurs .
29.8.2.2 Analyze Packets
Then use a packet sniffer such as TCPdump or Ethereal to investigate some more. From the NetBIOS header you see that the first byte ‘00’ defines the message type.
Figure 393 Example Custom Signature.
29.8.3 Applying Custom Signatures
After you create your custom signature, it becomes available in the IDP service group category in the IDP > Profile > Packet Inspection screen. Custom signatures have an SID from 9000000 to 9999999.
Figure 395 Custom Signature Log
29.9 IDP Technical Reference
This section contains some background information on IDP.
The rule header contains the rule's:
• Action
• Protocol
• Source and destination IP addresses and netmasks
• Source and destination ports information.
Note: Not all Snort functionality is supported in the ZyWALL.
CHAPTER 30 ADP
30.1 Overview
This chapter introduces ADP (Anomaly Detection and Prevention), anomaly profiles and applying an ADP profile to a traffic direction.
ADP Profile
An ADP profile is a set of traffic anomaly rules and protocol anomaly rules that you can activate as a set and configure common log and action settings. You can apply ADP profiles to traffic flowing from one zone to another.
The following table describes the fields in this screen.
30.2.1 Configuring ADP Policies
Click Anti-X > ADP > General and then an Add or Edit icon to display the following screen. Use this screen to apply an ADP profile to a traffic direction.
The following table describes the fields in this screen.
30.3 The Profile Summary Screen
Use this screen to:
• Create a new profile using an existing base profile
• Edit an existing profile
• Delete an existing profile
30.
These are the default base profiles at the time of writing.
30.3.2 Configuring The ADP Profile Summary Screen
Select Anti-X > ADP > Profile.
Figure 399 Anti-X > ADP > Profile
The following table describes the fields in this screen.
ADP profiles consist of traffic anomaly profiles and protocol anomaly profiles. To create a new profile, select a base profile (see Table 166 on page 517) and then click OK to go to the profile details screen.
Figure 400 Profiles: Traffic Anomaly.
The following table describes the fields in this screen.
30.3.5 Protocol Anomaly Profiles
Protocol anomaly is the third screen in an ADP profile. Protocol anomaly (PA) rules check for protocol compliance against the relevant RFC (Request for Comments).
Protocol anomaly rules may be updated when you upload new firmware.
30.3.6 Protocol Anomaly Configuration
In the Anti-X > ADP > Profile screen, click the Edit icon or click the Add icon and choose a base profile, then select the Protocol Anomaly tab.
Figure 401 Profiles: Protocol Anomaly.
The following table describes the fields in this screen.
30.4 Technical Reference
This section is divided into traffic anomaly background information and protocol anomaly background information.
Many connection attempts to different ports (services) may indicate a port scan. These are some port scan types:
• TCP Portscan
• UDP.
Flood Detection
Flood attacks saturate a network with useless data, use up all available bandwidth, and therefore make communications in the network impossible.
Figure 403 TCP Three-Way Handshake
A SYN flood attack is when an attacker sends a series of SYN packets.
Protocol Anomaly Background Information
The following sections may help you configure the protocol anomaly profile screen (see Section 30.
OVERSIZE-CHUNK-ENCODING ATTACK: This rule is an anomaly detector for abnormally large chunk sizes. This picks up the Apache chunk encoding exploits and may also be triggered on HTTP tunneling that uses chunk encoding.
TRUNCATED-HEADER ATTACK: This is when a UDP packet is sent which has a UDP datagram length of less than the UDP header length. This may cause some applications to crash.
UNDERSIZE-LEN ATTACK: This is when a UDP packet is sent which has a UDP length field of less than 8 bytes.
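The two UDP rules above can be expressed as length checks on a raw IPv4 packet. The following is an added example, not ZyXEL code: the function names and sample packets are constructed for illustration, and it assumes that "datagram length" means the bytes left after the IP header (IHL x 4) within the IP total length.

```python
import struct

UDP_HEADER_LEN = 8   # a UDP header is always 8 bytes
IPPROTO_UDP = 17


def build_udp(src_port, dst_port, length_field, payload=b""):
    """Constructed UDP datagram; length_field is written as given, even if wrong."""
    return struct.pack("!HHHH", src_port, dst_port, length_field, 0) + payload


def build_ipv4(l4_bytes, ihl_words=5):
    """Constructed IPv4 header (checksum left at 0, not validated here) + payload."""
    header_len = ihl_words * 4
    total_len = header_len + len(l4_bytes)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl_words,      # version 4, IHL in 32-bit words
        0, total_len, 0, 0,        # TOS, total length, ID, flags/fragment
        64, IPPROTO_UDP, 0,        # TTL, protocol, checksum
        bytes([192, 0, 2, 1]),     # documentation-range source
        bytes([192, 0, 2, 2]),     # documentation-range destination
    )
    header += b"\x00" * (header_len - 20)   # zero-filled IP options, if any
    return header + l4_bytes


def udp_length_anomalies(packet):
    """Return the names of the UDP length rules that the packet triggers."""
    if len(packet) < 20:
        return []
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or packet[9] != IPPROTO_UDP:
        return []                  # not an IPv4/UDP packet: out of scope
    ip_header_len = ihl * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    # Bytes available to UDP, bounded by the IP total length and by what
    # was actually received.
    udp_available = min(total_len, len(packet)) - ip_header_len
    if udp_available < UDP_HEADER_LEN:
        # The length field cannot be read reliably, so stop here.
        return ["TRUNCATED-HEADER"]
    udp_len = struct.unpack("!H", packet[ip_header_len + 4:ip_header_len + 6])[0]
    if udp_len < UDP_HEADER_LEN:
        return ["UNDERSIZE-LEN"]
    return []


# Constructed sample packets.
SAMPLES = {
    "normal": build_ipv4(build_udp(40000, 53, 12, b"abcd")),
    "normal with IP options": build_ipv4(build_udp(40000, 53, 12, b"abcd"), ihl_words=6),
    "truncated header": build_ipv4(build_udp(40000, 53, 8)[:6]),
    "undersize length": build_ipv4(build_udp(40000, 53, 4)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:24s} {udp_length_anomalies(pkt)}")
```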
CHAPTER 31 Content Filtering
31.1 Overview
Use the content filtering feature to control access to specific web sites or web content.
31.1.1 What You Can Do in the Content Filter Screens
• Use the General screens (Section 31.
The ZyWALL can disable web proxies and block web features such as ActiveX controls, Java applets and cookies.
• Customize Web Site Access
You can specify URLs to which the ZyWALL blocks access.
31.2 Content Filter General Screen
Click Anti-X > Content Filter > General to open the Content Filter General screen.
Filter Profile: This column displays the name of the content filter profile that each content filter policy uses. The content filter profile defines to which web services, web sites or web site categories access is to be allowed or denied.
31.3 Content Filter Policy Add or Edit Screen
Click Anti-X > Content Filter > General > Add or Edit to open the Content Filter Policy screen. Use this screen to configure a content filter policy.
31.4 Content Filter Profile Screen
Click Anti-X > Content Filter > Filter Profile to open the Filter Profile screen. A content filter profile defines to which web services, web sites or web site categories access is to be allowed or denied.
1 Log into myZyXEL.com and click your device’s link to open its Service Management screen.
2 Click Content Filter in the Service Name field to open the Blue Coat login screen.
Unrated Web Pages: Select Block to prevent users from accessing web pages that the external web filtering service has not categorized.
Alcohol/Tobacco: Selecting this category excludes pages that promote or offer the sale of alcohol/tobacco products, or provide the means to create them. It also includes pages that glorify, tout, or otherwise encourage the consumption of alcohol/tobacco.
Alternative Spirituality/Occult: Selecting this category excludes pages that promote and provide information on religions such as Wicca, Witchcraft or Satanism. Occult practices, atheistic views, voodoo rituals or any other form of mysticism are represented here.
Computers/Internet: Selecting this category excludes pages that sponsor or provide information on computers, technology, the Internet and technology-related organizations and companies.
Religion: Selecting this category excludes pages that promote and provide information on conventional or unconventional religious or quasi-religious subjects, as well as churches, synagogues, or other houses of worship.
31.6 Content Filter Customization Screen
Click Anti-X > Content Filter > Filter Profile > Add or Edit > Customization to open the Customization screen.
Figure 409 Anti-X > Content Filter > Filter Profile > Customization
The following table describes the labels in this screen.
Java: Java is a programming language and development environment for building downloadable Web components or Internet and intranet business applications of all kinds.
Cookies: Cookies are files stored on a computer’s hard drive.
31.7 Content Filter Cache Screen
Click Anti-X > Content Filter > Cache to display the Content Filter Cache screen. Use this screen to view and configure your ZyWALL’s URL caching.
Figure 410 Anti-X > Content Filter > Cache
The following table describes the labels in this screen.
31.8 Content Filter Technical Reference
This section provides content filtering background information.
External Content Filter Server Lookup Procedure
The content filter lookup process is described below.
3 Use the Content Filter Cache screen to configure how long a web site address remains in the cache as well as view those web site addresses (see Section 31.7 on page 546).
CHAPTER 32 Content Filter Reports
32.1 Overview
You can view content filtering reports after you have activated the category-based content filtering subscription service. See Chapter 8 on page 185 on how to create a myZyXEL.
3 A welcome screen displays. Click your ZyWALL’s model name and/or MAC address under Registered ZyXEL Products. You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 414 on page 552).
5 Enter your ZyXEL device's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 414 on page 552).
Figure 417 Blue Coat: Report Home
9 Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report.
Figure 418 Global Report Screen Example
11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.
Figure 419 Requested URLs Example
32.3 Web Site Submission
You may find that a web site has not been accurately categorized or that a web site’s contents have changed and the content filtering category needs to be updated.
Figure 420 Web Page Review Process Screen
3 Type the web site’s URL in the field and click Submit to have the web site reviewed.
CHAPTER 33 Anti-Spam
33.1 Overview
The anti-spam feature can mark or discard spam (unsolicited commercial or junk e-mail). Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail.
matches a black list entry as spam and immediately takes the configured action for dealing with spam. If an e-mail matches a blacklist entry, the ZyWALL does not perform any more anti-spam checking on that individual e-mail.
Figure 421 DNSBL Example
1 The ZyWALL checks the e-mail’s header for sender or relay IP addresses and sends them to all of the DNSBL domains configured in the ZyWALL.
2 The DNSBL servers reply as to whether or not the IP addresses match an entry in their list.
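The lookup steps above, as an added example that is not ZyXEL code: relay addresses are taken from the Received headers of a constructed message and turned into one query per configured DNSBL domain. It assumes the common DNSBL convention (RFC 5782), which this page does not spell out: the query name is the reversed IPv4 octets prepended to the list's domain, and an A record in 127.0.0.0/8 means "listed". The domains, zone data and resolver are constructed so the block runs offline.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message; addresses come from documentation ranges.
SAMPLE_EMAIL = (
    "Received: from mail.example.net (mail.example.net [203.0.113.7])\n"
    "\tby mx.example.org with ESMTP; Mon, 5 May 2008 10:00:02 +0000\n"
    "Received: from client.example.com (unknown [198.51.100.23])\n"
    "\tby mail.example.net with SMTP; Mon, 5 May 2008 10:00:00 +0000\n"
    "From: sender@example.com\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def relay_ips(raw_message):
    """Unique IPv4 addresses from Received headers, in header order."""
    msg = message_from_string(raw_message)
    found = []
    for received in msg.get_all("Received", []):
        for candidate in BRACKETED_IP.findall(received):
            try:
                ip = str(ipaddress.IPv4Address(candidate))
            except ValueError:
                continue           # looked like an address but is not one
            if ip not in found:
                found.append(ip)
    return found


def dnsbl_query_name(ip, dnsbl_domain):
    """Reverse the octets and append the list's domain."""
    return ".".join(reversed(ip.split("."))) + "." + dnsbl_domain


def check_message(raw_message, dnsbl_domains, resolve):
    """Query every DNSBL for every relay IP; resolve(name) returns A records."""
    results = []
    for ip in relay_ips(raw_message):
        for domain in dnsbl_domains:
            try:
                answers = resolve(dnsbl_query_name(ip, domain))
            except TimeoutError:
                status = "no response"
            else:
                listed = any(ipaddress.ip_address(a) in LISTED_RANGE for a in answers)
                status = "listed" if listed else "not listed"
            results.append((ip, domain, status))
    return results


def make_fake_resolver(zone):
    """Offline stand-in for DNS: an empty answer models 'no such name'."""
    def resolve(name):
        if name.endswith(".slow.example"):
            raise TimeoutError(name)       # models a list that never replies
        return zone.get(name, [])
    return resolve


# Constructed zone data: only the originating client is listed.
FAKE_ZONE = {"23.100.51.198.dnsbl.example": ["127.0.0.2"]}

if __name__ == "__main__":
    resolver = make_fake_resolver(FAKE_ZONE)
    for row in check_message(SAMPLE_EMAIL, ["dnsbl.example", "slow.example"], resolver):
        print(row)
```

Keeping "no response" separate from "not listed" matters when deciding what to do with mail while a list is unreachable.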
Figure 422 Anti-X > Anti-Spam > General
The following table describes the labels in this screen.
Table 177 Anti-X > Anti-Spam > General
LABEL: DESCRIPTION
General Settings: Click Advanced to display more settings.
33.3.1 The Anti-Spam Policy Add or Edit Screen
Click the Add or Edit icon in the Anti-X > Anti-Spam > General screen to display the configuration screen as shown next.
The following table describes the labels in this screen.
33.4 The Anti-Spam Black List Screen
Click Anti-X > Anti-Spam > Black/White List to display the Anti-Spam Black List screen.
Figure 424 Anti-X > Anti-Spam > Black/White List > Black List
The following table describes the labels in this screen.
Use this screen to configure an anti-spam black list entry to identify spam e-mail. You can create entries based on specific subject text, or the sender’s or relay’s IP address or e-mail address.
33.4.2 Regular Expressions in Black or White List Entries
The following applies for a black or white list entry based on an e-mail subject, e-mail address, or e-mail header value.
• Use a question mark (?) to let a single character vary.
33.6 The DNSBL Screen
Click Anti-X > Anti-Spam > DNSBL to display the anti-spam DNSBL screen. Use this screen to configure the ZyWALL to check the sender and relay IP addresses in e-mail headers against DNS (Domain Name Service)-based spam Black Lists (DNSBLs).
Figure 427 Anti-X > Anti-Spam > DNSBL
The following table describes the labels in this screen.
33.6.1 The DNSBL Add/Edit Screen
Click the Add or Edit icon in the Anti-X > Anti-Spam > DNSBL screen to display the configuration screen as shown next. Use this screen to specify a DNSBL (spam IP address blacklist).
The following table describes the labels in this screen.
33.7 The Anti-Spam Status Screen
Click Anti-X > Anti-Spam > Status to display the Anti-Spam Status screen.
Avg. Response Time (sec): This is the average for how long it takes to receive a reply from this DNSBL.
No Response: This is how many DNS queries the ZyWALL sent to this DNSBL without receiving a reply.
PART VII Device HA
Device HA
CHAPTER 34 Device HA
34.1 Overview
Device HA lets a backup ZyWALL (B) automatically take over if a master ZyWALL (A) fails.
Figure 430 Device HA Backup Taking Over for the Master
34.1.1 What You Can Do in the Device HA Screens
• Use the General screen (Section 34.
Management Access
You can configure a separate management IP address for each interface. You can use it to access the ZyWALL for management whether the ZyWALL is the master or a backup.
Figure 431 Device HA > General
The following table describes the labels in this screen.
Table 185 Device HA > General
LABEL: DESCRIPTION
Enable Device HA: Turn the ZyWALL’s device HA feature on or off.
34.3 The Active-Passive Mode Screen
Virtual Router
The master and backup ZyWALL form a single ‘virtual router’. In the following example, master ZyWALL A and backup ZyWALL B form a virtual router.
Enable monitoring for the same interfaces on the master and backup ZyWALLs. Each monitored interface must have a static IP address and be connected to the same subnet as the corresponding interface on the backup or master ZyWALL.
Figure 435 Device HA > Active-Passive Mode
The following table describes the labels in this screen.
Authentication: Select the authentication method the virtual router uses. Every interface in a virtual router must use the same authentication method and password. Choices are: None - this virtual router does not use any authentication method.
34.4 Configuring an Active-Passive Mode Monitored Interface
The Device HA Active-Passive Mode Monitored Interface Edit screen lets you enable or disable monitoring of an interface and set the interface’s management IP address and subnet mask.
34.5 The Legacy Mode Screen
Virtual Router Redundancy Protocol (VRRP)
Legacy mode device HA uses Virtual Router Redundancy Protocol (VRRP) to create redundant backup gateways to ensure that a default gateway is always available.
Figure 437 Device HA > Legacy Mode
The following table describes the labels in this screen.
34.7 The Legacy Mode Add/Edit Screen
Use the VRRP Group Add/Edit screen to add or edit VRRP groups.
• You can only use interfaces that have static IP addresses. In addition, you should set the static IP address to the IP address of the virtual router.
Figure 438 Device HA > Legacy Mode > Add
The following table describes the labels in this screen.
Table 189 Device HA > Legacy Mode > Add
LABEL: DESCRIPTION
Enable VRRP Group: Select this to make the specified interface part of the virtual router.
34.8 Device HA Technical Reference
Legacy Mode ZyWALL VRRP Application
In VRRP, a virtual router represents a number of ZyWALLs associated with one IP address, the IP address of the default gateway.
Figure 439 Example: VRRP, Normal Operation
The VR ID is not shown. In normal operation, ZyWALL A is the master. It has the same IP address as the default gateway and forwards traffic for the network.
• System protect signatures
• Certificates (My Certificates, and Trusted Certificates)
Synchronization does not change the device HA settings in the backup ZyWALL. Synchronization affects the entire device configuration.
PART VIII Objects
User/Group
Addresses
Services
Schedules
AAA Server
Authentication Method
Certificates
SSL Application
CHAPTER 35 User/Group
35.1 Overview
This chapter describes how to set up user accounts, user groups, and user settings for the ZyWALL. You can also set up rules that control when users have to log in to the ZyWALL before the ZyWALL routes traffic for them.
Note: The default admin account is always authenticated locally, regardless of the authentication method setting. (See Chapter 39 on page 625 for more information about authentication methods.
Note: You cannot put access users and admin users in the same user group.
Note: You cannot put the default admin account into any user group.
The sequence of members in a user group is not important.
Figure 441 Object > User/Group
The following table describes the labels in this screen.
35.2.1 User Add/Edit Screen
The User Add/Edit screen allows you to create a new user account or edit an existing one.
To access this screen, go to the User screen (see Section 35.2 on page 595), and click either the Add icon or an Edit icon.
Figure 442 User/Group > User > Edit
The following table describes the labels in this screen.
35.3 User Group Summary Screen
User groups consist of access users and other user groups. You cannot put admin users in user groups. The Group screen provides a summary of all user groups.
Figure 444 User/Group > Group > Add
The following table describes the labels in this screen.
35.4 Setting Screen
The Setting screen controls default settings, login settings, lock out settings, and other user settings for the ZyWALL.
Figure 445 Object > User/Group > Setting
The following table describes the labels in this screen.
Table 196 Object > User/Group > Setting
LABEL: DESCRIPTION
User Default Setting
User Type: Select the default user type when you create a new user account.
Maximum number per access account: This field is effective when Limit ... for access account is checked.
35.4.1 Force User Authentication Policy Add/Edit Screen
Use this screen to specify a condition when users must log in or do not have to log in to the ZyWALL before their HTTP traffic can pass through the ZyWALL.
The following table describes the labels in this screen.
35.4.2 User Aware Login Example
Access users cannot use the Web configurator to browse the configuration of the ZyWALL.
The following table describes the labels in this screen.
35.5 User/Group Technical Reference
This section provides some information on users who use an external authentication server in order to log in.
Creating a Large Number of Ext-User Accounts
If you plan to create a large number of Ext-User accounts, you might use CLI commands, instead of the web configurator, to create the accounts.
CHAPTER 36 Addresses
36.1 Overview
Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups.
36.1.1 What You Can Do Using The Addresses Screens
• The Address screen (Section 36.
Figure 450 Object > Address > Address
The following table describes the labels in this screen. See Section 36.2.1 on page 608 for more information as well.
36.2.1 Address Add/Edit Screen
The Address Add/Edit screen allows you to create a new address or edit an existing one.
The following table describes the labels in this screen.
36.3 Address Group Summary Screen
The Address Group screen provides a summary of all address groups. To access this screen, click Object > Address > Address Group.
The following table describes the labels in this screen. See Section 36.3.1 on page 610 for more information as well.
36.3.1 Address Group Add/Edit Screen
The Address Group Add/Edit screen allows you to create a new address group or edit an existing one.
Available: This field displays the names of the address and address group objects that can be added to the address group. Select address and address group objects that you want to be members of this group and click the right arrow to add them to the member list.
CHAPTER 37 Services
37.1 Overview
Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features.
Service Objects and Service Groups
Use service objects to define IP protocols.
• TCP applications
• UDP applications
• ICMP messages
• user-defined services (for other types of IP protocols)
These objects are used in policy routes, firewall rules, and IDP profiles.
The following table describes the labels in this screen.
37.2.1 The Service Add/Edit Screen
The Service Add/Edit screen allows you to create a new service or edit an existing one. To access this screen, go to the Service screen (see Section 37.
37.3 The Service Group Summary Screen
The Service Group summary screen provides a summary of all service groups. In addition, this screen allows you to add, edit, and remove service groups.
37.3.1 The Service Group Add/Edit Screen
The Service Group Add/Edit screen allows you to create a new service group or edit an existing one. To access this screen, go to the Service Group screen (see Section 37.
CHAPTER 38 Schedules
38.1 Overview
Use schedules to set up one-time and recurring schedules for policy routes, firewall rules, application patrol, and content filtering. The ZyWALL supports one-time and recurring schedules.
38.2 The Schedule Summary Screen
The Schedule summary screen provides a summary of all schedules in the ZyWALL. To access this screen, click Object > Schedule.
Figure 458 Object > Schedule
The following table describes the labels in this screen.
38.2.1 The One-Time Schedule Add/Edit Screen
The One-Time Schedule Add/Edit screen allows you to define a one-time schedule or edit an existing one. To access this screen, go to the Schedule screen (see Section 38.
38.2.2 The Recurring Schedule Add/Edit Screen
The Recurring Schedule Add/Edit screen allows you to define a recurring schedule or edit an existing one. To access this screen, go to the Schedule screen (see Section 38.
Week Days: Select each day of the week the recurring schedule is effective.
OK: Click OK to save your changes back to the ZyWALL.
Cancel: Click Cancel to exit this screen without saving your changes.
CHAPTER 39 AAA Server
39.1 Overview
You can use a AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The AAA server can be an Active Directory, LDAP, or RADIUS server.
Figure 462 RADIUS Server Network Example
39.1.3 ASAS
ASAS (Authenex Strong Authentication System) is a RADIUS server that works with the One-Time Password (OTP) feature. Purchase a ZyWALL OTP package in order to use this feature.
RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external or built-in RADIUS server. RADIUS authentication allows you to validate a large number of users from a central location.
Bind DN
A bind DN is used to authenticate with an LDAP/AD server. For example a bind DN of cn=zywallAdmin allows the ZyWALL to log into the LDAP/AD server using the user name of zywallAdmin.
39.3 Active Directory or LDAP Group Summary Screen
You can configure a group of AD or LDAP servers in the Active Directory (or LDAP) > Group screen. This is useful if you have more than one AD server or more than one LDAP server for user authentication in a network.
Figure 466 Object > AAA Server > Active Directory (or LDAP) > Group > Add
The following table describes the labels in this screen.
39.4 Configuring a Default RADIUS Server
To configure the default external RADIUS server to use for user authentication, click Object > AAA Server > RADIUS to display the screen as shown.
39.5 Configuring a Group of RADIUS Servers
You can configure a group of RADIUS servers in the RADIUS > Group screen. This is useful if you have more than one authentication server for user authentication in a network.
The following table describes the labels in this screen.
Table 216 Object > AAA Server > RADIUS > Group > Add
LABEL: DESCRIPTION
Configuration: All RADIUS servers in a group share the same settings in the fields below.
CHAPTER 40 Authentication Method
40.1 Overview
Authentication method objects set how the ZyWALL authenticates HTTP/HTTPS clients, peer IPSec routers (extended authentication), L2TP VPN, and wireless clients.
Figure 470 Example: Using Authentication Method in VPN
40.2 Viewing Authentication Method Objects
Click Object > Auth. Method to display the screen as shown.
Note: You can create up to 16 authentication method objects.
Chapter 40 Authentication Method ZyWALL USG 100/200 Series User’s Gu ide 637 40.3 Creating an Authentication Method Object Follow the steps below to create an authentication method object. 1 Click Object > Auth. Method . 2 Click Add . 3 Specify a descriptive name fo r identification purposes in the Name field.
Chapter 40 Auth en tic ation Method ZyWALL USG 100/200 Series User’s Guide 638 The following table describes the labels in this screen. T able 218 Object > Auth. Method > Add LABEL DESCRIPTION Name S pecify a descriptive name for identification purposes.
CHAPTER 41 Certificates
41.1 Overview
The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key.
message, no-one can have altered it (because they cannot re-sign the message with Tim’s private key).
5 Additionally, Jenny uses her own private key to sign a message and Tim uses Jenny’s public key to verify the message.
• PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses lowercase letters, uppercase letters and numerals to convert a binary PKCS#7 certificate into a printable form.
Figure 474 Certificate Details
4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation.
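The thumbprint comparison in step 4, together with the PEM (Base-64) decoding described above, can be scripted as follows. This is an added example, not code from the User's Guide or from ZyXEL; the function names, the list of accepted algorithm names and the sample bytes are assumptions made for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import re

# Constructed stand-in bytes, NOT a real certificate. A thumbprint is a digest
# over the binary (DER) form, so any byte string exercises the same check.
SAMPLE_DER = b"constructed stand-in for binary DER certificate bytes"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
).encode("ascii")

# Assumption: digest names that may appear in the Thumbprint Algorithm field.
ALLOWED_ALGORITHMS = ("md5", "sha1", "sha256")

_PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)


def load_der(data: bytes) -> bytes:
    """Return binary DER bytes from either a binary file or a PEM (Base-64) file."""
    if b"-----BEGIN" not in data:
        return data  # already binary
    match = _PEM_RE.search(data.decode("ascii"))
    if match is None:
        raise ValueError("malformed PEM armor")
    body = "".join(match.group(2).split())  # drop line breaks inside the armor
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("PEM body is not valid Base-64") from exc


def normalize_thumbprint(displayed: str) -> bytes:
    """Accept 'AA BB CC', 'aa:bb:cc' or 'aabbcc' as read out by the owner."""
    hex_only = re.sub(r"[\s:\-]", "", displayed).lower()
    if not re.fullmatch(r"(?:[0-9a-f]{2})+", hex_only):
        raise ValueError("thumbprint is not hexadecimal")
    return bytes.fromhex(hex_only)


def verify_thumbprint(cert_data: bytes, algorithm: str, expected_display: str) -> bool:
    """Compare the file's digest with the value obtained out of band from the owner."""
    name = algorithm.strip().lower().replace("-", "")
    if name not in ALLOWED_ALGORITHMS:
        raise ValueError(f"unsupported thumbprint algorithm: {algorithm!r}")
    expected = normalize_thumbprint(expected_display)
    digest = hashlib.new(name, load_der(cert_data)).digest()
    if len(expected) != len(digest):
        # A length mismatch usually means the two sides used different algorithms.
        raise ValueError("thumbprint length does not match the chosen algorithm")
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    owner_value = hashlib.sha1(SAMPLE_DER).hexdigest()
    print(verify_thumbprint(SAMPLE_PEM, "sha1", owner_value))
```

The same digest results whether the file is stored as binary or PEM, because the Base-64 armor is removed before hashing.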
41.2.1 The My Certificates Add Screen
Click Object > Certificate > My Certificates and then the Add icon to open the My Certificates Add screen.
Figure 476 Object > Certificate > My Certificates > Add
The following table describes the labels in this screen.
Table 220 Object > Certificate > My Certificates > Add
LABEL | DESCRIPTION
Name | Type a name to identify this certificate.
Organization | Identify the company or group to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
If you configured the My Certificate Create screen to have the ZyWALL enroll a certificate and the certificate enrollment is not successful, you see a screen with a Return button that takes you back to the My Certificate Create screen.
Figure 477 Object > Certificate > My Certificates > Edit
The following table describes the labels in this screen.
Table 221 Object > Certificate > My Certificates > Edit
LABEL | DESCRIPTION
Name | This field displays the identifying name of this certificate.
Type | This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate’s owner signed the certificate (not a certification authority).
41.2.3 The My Certificates Import Screen
Click Object > Certificate > My Certificates > Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to the ZyWALL.
The following table describes the labels in this screen.
41.3 The Trusted Certificates Screen
Click Object > Certificate > Trusted Certificates to open the Trusted Certificates screen.
41.3.1 The Trusted Certificates Edit Screen
Click Object > Certificate > Trusted Certificates and then a certificate’s Edit icon to open the Trusted Certificates Edit screen.
Figure 480 Object > Certificate > Trusted Certificates > Edit
The following table describes the labels in this screen.
Refresh | Click Refresh to display the certification path.
Enable X.509v3 CRL Distribution Points and OCSP checking | Select this chec.
41.3.2 The Trusted Certificates Import Screen
Click Object > Certificate > Trusted Certificates > Import to open the Trusted Certificates Import screen. Follow the instructions in this screen to save a trusted certificate to the ZyWALL.
Figure 481 Object > Certificate > Trusted Certificates > Import
The following table describes the labels in this screen.
CHAPTER 42 SSL Application
42.1 Overview
You use SSL application objects in SSL VPN. Configure an SSL application object to specify a service and a corresponding IP address of the server on the local network.
1 Click Object > SSL Application in the navigation panel.
2 Click the Add button and select Web Application in the Type field.
3 Enter a descriptive name in the Display Name field.
42.2.1 Creating/Editing a Web-based SSL Application Object
A web-based application allows remote users to access an application via standard web browsers.
42.2.2 Creating/Editing a File Sharing SSL Application Object
You can specify the name of a folder on a file server (Linux or Windows) which remote users can access. Remote users can access files using a standard web browser and files are displayed as links on the screen.
Note: You must then configure the shared folder on the file server for remote access.
PART IX System
CHAPTER 43 System
43.1 Overview
Use the system screens to configure general ZyWALL settings.
43.1.1 What You Can Do In The System Screens
• Use the System > Host Name screen (Figure 486 on page 666) to configure a unique name for the ZyWALL in your network.
• Vantage CNM (Centralized Network Management) is a browser-based global management tool that allows an administrator to manage ZyXEL devices. Use the System > Vantage CNM screen (Figure 525 on page 701) to allow your ZyWALL to be managed by the Vantage CNM server.
Figure 487 System > Date and Time
The following table describes the labels in this screen.
Table 230 System > Date and Time
LABEL | DESCRIPTION
Current Time and Date
Current Time | This field displays the present time of your ZyWALL.
43.3.1 Pre-defined NTP Time Servers List
When you turn on the ZyWALL for the first time, the date and time start at 2003-01-01 00:00:00. The ZyWALL then attempts to synchronize with one of the following pre-defined list of Network Time Protocol (NTP) time servers.
The ZyWALL continues to use the following pre-defined list of NTP time servers if you do not specify a time server or it cannot synchronize with the time server you specified.
43.4 Console Port Speed
This section shows you how to set the console port speed when you connect to the ZyWALL via the console port using a terminal emulation program. See Table 2 on page 55 for default console port settings.
43.5.2 Configuring the DNS Screen
Click System > DNS to change your ZyWALL’s DNS settings. Use the DNS screen to configure the ZyWALL to use a DNS server to resolve domain names for ZyWALL system features like VPN, DDNS and the time server.
Domain Zone | A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. A “*” means all domain zones.
43.5.3 Address Record
An address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.
The following table describes the labels in this screen.
43.5.6 Domain Zone Forwarder
A domain zone forwarder contains a DNS server’s IP address. The ZyWALL can query the DNS server to resolve domain zones for features like VPN, DDNS and the time server.
The following table describes the labels in this screen.
43.5.8 MX Record
An MX (Mail eXchange) record indicates which host is responsible for the mail for a particular domain, that is, controls where mail is sent for that domain.
43.5.10 Adding a DNS Service Control Rule
Click the Add icon in the Service Control table to add a service control rule.
Figure 494 System > DNS > Service Control Rule Add
The following table describes the labels in this screen.
Figure 495 Secure and Insecure Service Access From the WAN
• See Section 5.6.1 on page 122 for related information on these screens.
43.6.3 HTTPS
You can set the ZyWALL to use HTTP or HTTPS (HTTPS adds security) for web configurator sessions. Specify which zones allow web configurator access and from which IP address the access can come.
43.6.4 Configuring WWW
Click System > WWW to open the WWW screen. Use this screen to specify from which zones you can access the ZyWALL using HTTP or HTTPS. You can also specify which IP addresses the access can come from.
Server Port | The HTTPS server listens on port 443 by default. If you change the HTTPS server port to a different number on the ZyWALL, .
43.6.5 Service Control Rules
Click Add or Edit in the Service Control table in a WWW, SSH, Telnet, FTP or SNMP screen to add a service control rule.
Figure 498 System > Service Control Rule Edit
# | This is the index number of the service control rule.
The following table describes the labels in this screen.
43.6.6 HTTPS Example
If you haven’t changed the default HTTPS port on the ZyW.
43.6.6.2 Netscape Navigator Warning Messages
When you attempt to access the ZyWALL HTTPS server, a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate.
• For the browser to trust a self-signed certificate, import the self-signed certificate into your operating system as a trusted certificate.
43.6.6.5.1 Installing the CA’s Certificate
1 Double click the CA’s trusted certificate to produce a screen similar to the one shown next.
Figure 504 CA Certificate Example
2 Click Install Certificate and follow the wizard as shown earlier in this appendix.
Figure 505 Personal Certificate Import Wizard 1
2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate.
Figure 507 Personal Certificate Import Wizard 3
4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.
Figure 509 Personal Certificate Import Wizard 5
6 You should see the following screen when the certificate is correctly installed on your computer.
Figure 510 Personal Certificate Import Wizard 6
43.
Figure 512 SSL Client Authentication
3 You next see the web configurator login screen.
Figure 513 Secure Web Configurator Login Screen
43.7 SSH
You can use SSH (Secure SHell) to securely access the ZyWALL’s command line interface.
Figure 514 SSH Communication Over the WAN Example
43.7.1 How SSH Works
The following figure is an example of how a secure connection is established between two remote hosts using SSH v1.
43.7.2 SSH Implementation on the ZyWALL
Your ZyWALL supports SSH versions 1 and 2 using RSA authentication and four encryption methods (AES, 3DES, Arcfour and Blowfish). The SSH server is implemented on the ZyWALL for management using port 22 (by default).
43.7.5 Secure Telnet Using SSH Examples
This section shows two examples using a command interface and a graphical interface SSH client program to remotely access the ZyWALL. The configuration and connection steps are similar for most SSH client programs.
43.7.5.2 Example 2: Linux
This section describes how to access the ZyWALL using the OpenSSH client program that comes with most Linux distributions.
1 Test whether the SSH service is available on the ZyWALL.
Figure 520 System > Telnet
The following table describes the labels in this screen.
43.9 FTP
You can upload and download the ZyWALL’s firmware and configuration files using FTP.
43.9.1 Configuring FTP
To change your ZyWALL’s FTP settings, click System > FTP tab. The screen appears as shown. Use this screen to specify from which zones FTP can be used to access the ZyWALL.
43.10 SNMP
Simple Network Management Protocol is a protocol used for exchanging management information between network devices. Your ZyWALL supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyWALL through the network.
An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP.
43.10.3 Configuring SNMP
To change your ZyWALL’s SNMP settings, click System > SNMP tab. The screen appears as shown. Use this screen to configure your SNMP settings, including from which zones SNMP can be used to access the ZyWALL.
43.11 Dial-in Management
Connect an external serial modem to the AUX port to provide a management connection in case the ZyWALL’s other WAN connections are down.
Figure 524 System > Dial-in Mgmt
The following table describes the labels in this screen.
Figure 525 System > Vantage CNM
The following table describes the labels in this screen.
Table 246 System > Vantage CNM
LABEL | DESCRIPTION
Vantage CNM | Click Advanced to display more configuration fields or click Basic to display fewer fields.
43.13 Language Screen
Click System > Language to open the following screen. Use this screen to select a display language for the ZyWALL’s web configurator screens.
Figure 526 System > Language
The following table describes the labels in this screen.
PART X Maintenance, Troubleshooting, & Specifications
File Manager
Logs
Reports
Diagnostics
Reboot
Troubleshooting
Product Specifications
CHAPTER 44 File Manager
44.1 Overview
Configuration files define the ZyWALL’s settings. Shell scripts are files of commands that you can store on the ZyWALL and run when you need them. You can apply a configuration file or run a shell script without the ZyWALL restarting.
These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below. While configuration files and shell scripts have the same syntax, the ZyWALL applies configuration files differently than it runs shell scripts.
Note: “exit” or “!'” must follow sub commands if it is to make the ZyWALL exit sub command mode.
Line 3 in the following example exits sub command mode. Lines 1 and 3 in the following example are comments and line 4 exits sub command mode.
Once your ZyWALL is configured and functioning properly, it is highly recommended that you back up your configuration file before making further configuration changes. The backup configuration file will be useful in case you need to return to your previous settings.
The following table describes the labels in this screen.
Table 249 Maintenance > File Manager > Configuration File
LABEL | DESCRIPTION
Download | Click a configuration file’s row to select it and click Download to save the configuration to your computer.
44.3 The Firmware Package Screen
Click Maintenance > File Manager > Firmware Package to open the Firmware Package screen. Use the Firmware Package screen to check your current firmware version and upload firmware to the ZyWALL.
The ZyWALL’s firmware package cannot go through the ZyWALL when you enable the anti-virus Destroy compressed files that could not be decompressed option. The ZyWALL classifies the firmware package as not being able to be decompressed and deletes it.
Note: The ZyWALL automatically reboots after a successful upload.
The ZyWALL automatically restarts causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.
Each field is described in the following table.
Table 251 Maintenance > File Manager > Shell Script
LABEL | DESCRIPTION
Download | Click a shell script file’s row to select it and click Download to save the configuration to your computer.
Browse... | Click Browse... to find the .zysh file you want to upload.
Upload | Click Upload to begin the upload process.
CHAPTER 45 Logs
45.1 Overview
This chapter provides general information about the ZyWALL’s log feature. See Appendix A on page 759 for individual log descriptions. The following table displays the maximum number of system log messages in the ZyWALL.
Figure 538 Maintenance > Log > View Log
Events that generate an alert (as well as a log message) display in red. Regular logs display in black. The following table describes the labels in this screen.
The Web configurator saves the filter settings if you leave the View Log screen and return to it later.
45.4 Log Setting Screens
The Log Setting screens control log messages and alerts.
The Log Settings Summary screen provides a summary of all the settings. You can use the Log Settings Edit screen to maintain the detailed settings (such as log categories, e-mail addresses, server names, etc.
45.4.2 Edit System Log Settings
The Log Settings Edit screen controls the detailed settings for each log in the system log (which includes the e-mail profiles). Go to the Log Settings Summary screen (see Section 45.
Figure 540 Maintenance > Log > Log Setting > Edit (System Log).
The following table describes the labels in this screen.
Table 255 Maintenance > Log > Log Setting > Edit (System Log)
LABEL | DESCRIPTION
E-Mail Server 1/2
Active | Select this to send log messages and alerts according to the information in this section.
45.4.3 Edit Remote Server Log Settings
The Log Settings Edit screen controls the detailed settings for each log in the remote server (syslog). Go to the Log Settings Summary screen (see Section 45.
Figure 541 Maintenance > Log > Log Setting > Edit (Remote Server).
The following table describes the labels in this screen.
45.4.4 Active Log Summary Screen
The Active Log Summary screen allows you to view and to edit what information is included in the system log, e-mail profiles, and remote servers at the same time.
Figure 542 Active Log Summary
This screen provides a different view and a different way of indicating which messages are included in each log and each alert. Please see Section 45.4.2 on page 719, where this process is discussed.
Selection | Select what information you want to log from each Log Category (except All Logs; see below).
CHAPTER 46 Reports
46.1 Overview
This chapter provides information about the report screens. Use the Report screens to start or stop data collection and view various statistics about traffic passing through your ZyWALL.
Figure 543 Maintenance > Report > Traffic Statistics
There is a limit on the number of records shown in the report. Please see Table 259 on page 730 for more information. The following table describes the labels in this screen.
Flush Data | Click this button to discard all of the screen’s statistics and update the report display.
These fields are available when the Traffic Type is Host IP Address/User.
# | This field is the rank of each record.
The following table displays the maximum number of records shown in the report, the byte count limit, and the hit count limit.
46.3 The Session Screen
The Session screen displays information about active sessions for debugging or statistical analysis.
Figure 544 Maintenance > Report > Session
The following table describes the labels in this screen.
Table 260 Maintenance > Report > Session
LABEL | DESCRIPTION
View | Select how you want the information to be displayed.
46.4 The Anti-Virus Report Screen
Click Maintenance > Report > Anti-Virus to display the following screen. This screen displays anti-virus statistics.
Figure 545 Maintenance > Report > Anti-Virus: Virus Name
The following table describes the labels in this screen.
The statistics display as follows when you display the top entries by source.
Figure 546 Maintenance > Report > Anti-Virus: Source
The statistics display as follows when you display the top entries by destination.
Figure 548 Maintenance > Report > IDP: Signature Name
The following table describes the labels in this screen.
Table 262 Maintenance > Report > IDP
LABEL | DESCRIPTION
Collect Statistics | Select this check box to have the ZyWALL collect IDP statistics.
The statistics display as follows when you display the top entries by source.
Figure 549 Maintenance > Report > IDP: Source
The statistics display as follows when you display the top entries by destination.
Figure 551 Maintenance > Report > Anti-Spam: Sender IP
The following table describes the labels in this screen.
46.7 The Email Daily Report Screen
Click Maintenance > Report > Email Daily Report to display the following screen. Configure this screen to have the ZyWALL e-mail you system statistics every day.
Figure 552 Maintenance > Report > Email Daily Report
The following table describes the labels in this screen.
Table 264 Maintenance > Report > Email Daily Report
LABEL | DESCRIPTION
Enable Email Daily Report | Select this to send reports by e-mail every day.
Password | This box is effective when you select the SMTP Authentication check box. Type the password to provide to the SMTP server when the log is e-mailed.
Send Report Now | Click this button to have the ZyWALL send the daily e-mail report immediately.
CHAPTER 47 Diagnostics
47.1 The Diagnostics Screen
The Diagnostics screen provides an easy way for you to generate a file containing the ZyWALL’s configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting.
CHAPTER 48 Reboot
48.1 Overview
Use this to restart the device (for example, if the device begins behaving erratically). See also Section 1.4 on page 55 for information on different ways to start and stop the ZyWALL.
CHAPTER 49 Troubleshooting
This chapter offers some suggestions to solve problems you might encounter.
I cannot set up an IPSec VPN tunnel to another device.
If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers.
• If you have the ZyWALL and remote IPSec router use certificates to authenticate each other, make sure they trust each other’s certificates. If the ZyWALL’s certificate is self-signed, import it into the remote IPsec router.
I changed the LAN IP address and can no longer access the Internet.
The ZyWALL automatically updates address objects based on an interface’s IP address, subnet, or gateway if the interface’s IP address settings change.
49.1 Resetting the ZyWALL
If you cannot access the ZyWALL by any method, try restarting it by disconnecting and reconnecting the power.
CHAPTER 50 Product Specifications
50.1 General Specifications
The following specifications are subject to change without notice. See Chapter 2 on page 57 for a general overview of key features. This table provides basic device specifications.
1 It is recommended that you do NOT wall-mount the ZyWALL. A wall-mounting kit is not included.
USER PROFILES
Maximum Local Users | 192 | 128
Maximum Admin Users | 5 | 5
Maximum User Groups | 64 | 32
Maximum Users in One User Gr.
Admin E-mail Addresses | 2 | 2
Syslog Servers | 4 | 4
IDP
Maximum Number of IDP Profiles | 8 | 8
Custom Signatures | 64 | 32
Maximum Num.
The following table, which is not exhaustive, lists standards referenced by ZyWALL features.
50.2 3G or WLAN PCMCIA Card Installation
Only insert a compatible 802.11b/g-compliant wireless LAN PCMCIA or CardBus card or 3G card. Slide the connector end of the card into the slot as shown next.
POWER CONSUMPTION | 20 W MAX.
SAFETY STANDARDS | UL, CUL (UL 60950-1 FIRST EDITION CSA C22.2 NO. 60950-1-03 1ST.)
Table 271 European Plug Standards
AC POWER ADAPTOR MODEL | PSA18R-120P (ZE)-R
INPUT POWER | 100-240V AC, 50/60HZ, 0.
PART XI Appendices and Index
Common Services
Displaying Anti-Virus Alert Messages in Windows
Open Software Announcements
Legal Information
Customer Support
Index
ZyWALL USG 100/200 Series User’s Gu ide 759 A PPENDIX A Log Descriptions This appendix provides descripti ons of example log messages. T able 276 Content Filter Logs LOG MESSAGE DESCRIPTION Content filter has been enabled An administrator tu rned the content filter on.
Appendix A Log Descrip tio ns ZyWALL USG 100/200 Series User’s Guide 760 %s: Service is unavailable Content filter rating service is te mporarily unavailable and access to the web site was blocked due to: 1. Can't resolve rating server IP (No DNS) 2.
Appendix A Log Descriptions ZyWALL USG 100/200 Series User’s Gu ide 761 Anti-Spam policy %d has been inserted. The anti-spam policy with the specified index number (%d) has be en added into the list. Anti-Spam policy %d has been appended. The anti-spam policy with the specified index number (%d) has be en added to the end of the list.
Appendix A Log Descrip tio ns ZyWALL USG 100/200 Series User’s Guide 762 DNSBL domain %s has been deleted. The specified DNSBL domain name (%s) has been removed. DNSBL domain %s has been activated. The specified DNSBL domain n ame (%s) has been turned o n.
The %s address-object is wrong type for '1st-dns' in SSL Policy %s. | The listed address object (first %s) is not the right kind for the first DNS server specified in the listed SSL VPN policy (second %s).

The SSL VPN policy %s does not configure users or user groups. | There are no users or user groups configured for the listed SSL VPN policy (%s).
SSL VPN policy rule %s has been inserted. |

Failed login attempt to SSLVPN from %s (reach the max. number of simultaneous logon) | The listed user (%s) failed to log into SSL VPN because the maximum number of simultaneous logons was already reached.

The ZySH logs deal with internal system errors.
User %s has been granted an L2TP over IPSec session. | A user with the specified user name (%s) was given access to the L2TP over IPSec service.

can't get name for entry %d! | 1st:zysh entry index
can't get reference count: %s! | 1st:zysh list name
can't print.
Table 283 ADP Logs
LOG MESSAGE | DESCRIPTION
from <zone> to <zone> [type=<type>] <message> , Action: <action>, Severity: <severity> | The ZyWALL detected an anomaly in traffic traveling between the specified zones.

Reloading Anti-Virus signature reference table has failed. | The ZyWALL failed to reload the anti-virus signatures due to an internal error.
%s Virus infected - ID:%d,%s,%s. | The ZyWALL’s anti-virus feature detected a virus-infected file.

AV signature update has failed. | An anti-virus signatures update failed for unknown reasons.
Anti-Virus signatures missing, refer to your user documentation to recover the default database file. |

%s, due to decompress malfunction, %s could not be decompressed. Action on file: %s | File decompression failed due to an internal error. 1st %s: The protocol of the packet. 2nd %s: The filename of the related file.

Failed login attempt to ZyWALL from %s (reach the max. number of simultaneous logon) | The ZyWALL blocked a login because the maximum simultaneous login capacity for the administrator or access account has already been reached.
Standard service activation has failed:%s. | Standard service activation failed, this log will append an error message returned by the MyZyXEL.com server. %s: error message returned by the myZyXEL.

Change Anti-Virus engine type has failed. Because of lack must fields. | The device failed to change the type of anti-virus engine because the response from the server is missing required fields.

IDP signature download has failed. | The device still cannot download the IDP signature after 3 retries.
Anti-Virus signature download has succeeded. | The device successfully downloaded an anti-virus signature file.

System bootup. Do expiration daily-check. | The device processes a service expiration day check immediately after it starts up.
After register. Do expiration daily-check immediately. |

Download file size is wrong. | The file size downloaded for AS is not identical with content-length
Parse HTTP header has failed. | Device can't parse the HTTP header in a response returned by a server.
Custom signature import error: line <line>, sid <sid>, <error_message>. | An attempt to import a custom IDP signature failed. The errored line number in the file, the error sid and error message are displayed.

IDP system-protect signature update from version <version> to version <version> has succeeded. | An update of the IDP system-protect signatures succeeded. The previous and updated signature versions are listed.

IDP system-protect signature update failed. Invalid signature content. | An IDP system-protect signature update failed.
Enable IDP system-protect succeeded. | The IDP system-protect feature was successfully turned on.

Table 288 Application Patrol
MESSAGE | EXPLANATION
Service=%s Mode=%s Rule=%s Access=%s | Common packet logging.

System fatal error: 60011002. | The device failed to get the application patrol protocol list.
System fatal error: 60011003. | The device failed to initiate XML.
System fatal error: 60011004. |
[SA] : Tunnel [%s] Phase 1 authentication method mismatch | %s is the tunnel name. When negotiating Phase-1, the authentication method did not match.
[SA] : Tunnel [%s] Phase 1 encryption algorithm mismatch | %s is the tunnel name.

Cannot resolve Secure Gateway Addr %s for Tunnel [%s] | 1st %s is my ip address. 2nd %s is the tunnel name; When selecting a matched proposal in phase-1, the engine could not get the correct secure gateway address.

Tunnel [%s] Sending IKE request | %s is the tunnel name. The device sent an IKE request.
Tunnel [%s] IKE Negotiation is in process | %s is the tunnel name. When IKE request is already sent but still attempting to dial a tunnel.

Table 290 IPSec Logs
LOG MESSAGE | DESCRIPTION
Corrupt packet, Inbound transform operation fail | The device received corrupt IPsec packets and could not process them.

Firewall rule %d has been moved to %d. | 1st %d is the old global index of rule, 2nd %d is the new global index of rule
Firewall rule %d has been deleted. | %d is the global index of rule
Firewall rules have been flushed. |
To send message to policy route daemon failed! | Failed to send control message to policy routing manager.
The policy route %d allocates memory fail! | Allocating policy routing rule fails: insufficient memory.

HTTPS port has been changed to default port. | An administrator changed the port number for HTTPS back to the default (443).
HTTP port has changed to port %s. | An administrator changed the port number for HTTP.

DHCP Server on Interface %s will be reapplied due to Device HA status is Active | When an interface has become the HA master, the DHCP server needs to start operating. %s is interface name
DHCP's DNS option:%s has changed. |

Interface %s ping check is failed. Zone Forwarder removes DNS servers in records. | Ping check failed, remove DNS servers from bind. %s is interface name
Interface %s ping check is disabled. |

%s is dead at %s | A daemon (process) is gone (was killed by the operating system). 1st %s: Daemon Name, 2nd %s: date and time
%s process count is incorrect at %s | The count of the listed process is incorrect.
DHCP request received via interface %s (%s:%s), src_mac: %s with requested IP: %s | The device received a DHCP request through the specified interface.
IP confliction is detected. |

Update the profile %s has failed because of invalid system parameters. | Some system parameters are invalid to update FQDN, %s is the profile name.
Update the profile %s has failed because the FQDN %s was blocked. |

Update the profile %s has failed because WAN interface was link-down. | DDNS profile cannot be updated for WAN IP because WAN iface is link-down, %s is the profile name.
Update the profile %s has failed because WAN interface was not connected. |

DDNS Initialization has failed. | Initialize DDNS failed,
All DDNS profiles are deleted | All DDNS profiles have been removed.
Collect Diagnostic Information has failed - Server did not respond. |

Can't get BROADCAST address of %s interface | The connectivity check process can't get broadcast address of interface %s: interface name
Can't use MULTICAST IP for destination | The connectivity check process can't use multicast address to check link-status.
Master firmware version can not be recognized. Stop syncing from Master. | Synchronizing stopped because the firmware version file was not found in the Master.

Device HA authentication string of AH for VRRP group %s maybe wrong. | A VRRP group’s AH String (IPSec AH) configuration may not match between the Backup and the Master. %s: The name of the VRRP group.

Invalid RIP text authentication. | RIP text authentication has been set without setting authentication key first
RIP on interface %s has been activated. | RIP on interface %s has been activated.

RIP v2-broadcast on interface %s has been enabled. | RIP v2-broadcast on interface %s has been enabled. %s: Interface Name.
RIP send-version on interface %s has been changed to %s. |

Interface %s does not belong to any OSPF area. | Interface %s has been set OSPF authentication same-as-area, however the interface does not belong to any OSPF area. %s: Interface Name
Invalid OSPF authentication of area %s on interface %s. |
Table 300 PKI Logs
LOG MESSAGE | DESCRIPTION
Generate X509certifiate "%s" successfully | The router created an X509 format certificate with the specified name.

Import PKCS#7 certificate "%s" into "My Certificate" successfully | The device imported a PKCS#7 format certificate into My Certificates. %s is the certificate request name.

CODE | DESCRIPTION
1 | Algorithm mismatch between the certificate and the search constraints.
2 | Key usage mismatch between the certificate and the search constraints.
3 | Certificate was not valid in the time interval.

AUX Interface disconnecting failed. This AUX interface is not enabled. | The AUX interface is not enabled and a user tried to use the disconnect aux command.
Please type phone number of interface AUX first then dial again. |

Interface %s links down. Default route will not apply until interface %s links up. | An administrator set a static gateway in interface but this interface is link down. At this time the configuration will be saved but route will not take effect until the link becomes up.
Interface %s connect failed: Connect timeout. | A PPPOE connection timed out due to a lack of response from the PPPOE server. %s: PPP interface name.
Interface %s create failed because has no member. |

"Incorrect PIN code of interface cellular%d. Please check the PIN code setting. | The listed cellular interface (%d) has the wrong PIN code configured.
"Unable to query the signal quality from the device in %s. |

Create interface %s has failed. Wlan device does not exist. | The wireless device failed to create the specified WLAN interface (%s). Remove the wireless device and reinstall it.

Table 303 Account Logs
LOG MESSAGE | DESCRIPTION
Account %s %s has been deleted. | A user deleted an ISP account profile. 1st %s: profile type, 2nd %s: profile name.
Account %s %s has been changed. |

Table 306 File Manager Logs
LOG MESSAGE | DESCRIPTION
ERROR:#%s, %s | Apply configuration failed, this log will be what CLI command is and what error message is. 1st %s is CLI command.
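The message templates in this appendix use printf-style placeholders (%s, %d), so they can be turned directly into matchers for log review. The following is an added example, not ZyXEL code: the event names, function names and sample messages are constructed for illustration, and it assumes any timestamp or syslog prefix has already been stripped from each message.

```python
import re
from collections import Counter

# Message templates copied from the Appendix A tables; the dictionary keys
# are hypothetical event names chosen for this example.
TEMPLATES = {
    "sslvpn_login_limit": "Failed login attempt to SSLVPN from %s "
                          "(reach the max. number of simultaneous logon)",
    "device_login_limit": "Failed login attempt to ZyWALL from %s "
                          "(reach the max. number of simultaneous logon)",
    "fw_rule_moved": "Firewall rule %d has been moved to %d.",
    "fw_rule_deleted": "Firewall rule %d has been deleted.",
    "fw_rules_flushed": "Firewall rules have been flushed.",
    "https_port_default": "HTTPS port has been changed to default port.",
    "http_port_changed": "HTTP port has changed to port %s.",
    "daemon_dead": "%s is dead at %s",
}

# Events that change the enforcement or management surface and merit review.
CONFIG_CHANGES = {"fw_rule_moved", "fw_rule_deleted", "fw_rules_flushed",
                  "https_port_default", "http_port_changed"}
LOGIN_LIMITS = {"sslvpn_login_limit", "device_login_limit"}


def compile_template(template):
    """Turn a printf-style template into (compiled regex, field converters)."""
    pattern, converters = "", []
    for part in re.split(r"(%[sd])", template):
        if part == "%d":
            pattern += r"(\d+)"      # %d only ever matches digits
            converters.append(int)
        elif part == "%s":
            pattern += r"(.+?)"      # %s is any non-empty text
            converters.append(str)
        else:
            pattern += re.escape(part)
    return re.compile(pattern), converters


def literal_length(template):
    """Number of fixed (non-placeholder) characters in a template."""
    return len(re.sub(r"%[sd]", "", template))


# Try templates with the most literal text first, so a loose pattern such as
# "%s is dead at %s" cannot shadow a more specific message.
MATCHERS = [(name, *compile_template(text))
            for name, text in sorted(TEMPLATES.items(),
                                     key=lambda kv: literal_length(kv[1]),
                                     reverse=True)]


def parse_message(message):
    """Return (event name, typed fields), or None if no template matches."""
    message = message.strip()
    for name, regex, converters in MATCHERS:
        match = regex.fullmatch(message)
        if match:
            return name, [conv(v) for conv, v in zip(converters, match.groups())]
    return None


def summarize(messages):
    """Count events, track who hit the logon limit, and keep unmatched lines."""
    summary = {"counts": Counter(), "login_limit_sources": Counter(),
               "config_changes": [], "unmatched": []}
    for message in messages:
        parsed = parse_message(message)
        if parsed is None:
            summary["unmatched"].append(message)  # never silently drop a line
            continue
        name, fields = parsed
        summary["counts"][name] += 1
        if name in LOGIN_LIMITS:
            summary["login_limit_sources"][fields[0]] += 1
        if name in CONFIG_CHANGES:
            summary["config_changes"].append((name, fields))
    return summary


# Constructed sample messages (not captured from a real device).
SAMPLE_MESSAGES = [
    "Failed login attempt to SSLVPN from alice (reach the max. number of simultaneous logon)",
    "Failed login attempt to SSLVPN from alice (reach the max. number of simultaneous logon)",
    "Failed login attempt to ZyWALL from admin2 (reach the max. number of simultaneous logon)",
    "Firewall rule 7 has been moved to 2.",
    "Firewall rule 3 has been deleted.",
    "Firewall rules have been flushed.",
    "HTTP port has changed to port 8080.",
    "exampled is dead at 2008-05-01 10:15:00",
    "Firewall rule seven has been deleted.",  # malformed: %d expects digits
]

if __name__ == "__main__":
    report = summarize(SAMPLE_MESSAGES)
    for key, value in report.items():
        print(key, value)
```

Lines that match no template are returned under `unmatched` rather than discarded, since unexpected message text is itself worth reviewing.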
APPENDIX B Common Services

The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Number Authority) web site.

FTP | TCP, TCP | 20, 21 | File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail.
H.323 | TCP | 1720 | NetMeeting uses this protocol.

RTSP | TCP/UDP | 554 | The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet.
SFTP | TCP | 115 | Simple File Transfer Protocol.
SMTP | TCP | 25 | Simple Mail Transfer Protocol is the message-exchange standard for the Internet.
APPENDIX C Displaying Anti-Virus Alert Messages in Windows

With the anti-virus packet scan, when a virus is detected, you can have the ZyWALL display an alert message on Microsoft Windows-based computers.

Figure 557 Windows XP: Starting the Messenger Service
3 Close the window when you are done.
Windows 2000
1 Click Start > Settings > Control Panel > Administrative Tools > Services.

Figure 559 Windows 2000: Starting the Messenger Service
3 Close the window when you are done.
Windows 98 SE/Me
For Windows 98 SE/Me, you must open the WinPopup window in order to view real-time alert messages.

Figure 562 Windows 98 SE: Task Bar Properties
3 Double-click Programs and click StartUp.
4 Right-click in the StartUp pane and click New, Shortcut.

Figure 564 Windows 98 SE: Startup: Create Shortcut
6 Specify a name for the shortcut or accept the default and click Finish.
Figure 565 Windows 98 SE: Startup: Select a Title for the Program
7 A shortcut is created in the StartUp pane.

Figure 566 Windows 98 SE: Startup: Shortcut
The WinPopup window displays after the computer finishes the startup process (see Figure 560 on page 821).
APPENDIX D Importing Certificates

This appendix shows examples of importing certificates using Netscape Navigator and Internet Explorer 5. This appendix uses the ZyWALL 70 as an example. Other models should be similar.

Figure 568 Login Screen
2 Click Install Certificate to open the Install Certificate wizard.
Figure 569 Certificate General Information before Import
3 Click Next to begin the Install Certificate wizard.

Figure 570 Certificate Import Wizard 1
4 Select where you would like to store the certificate and then click Next.
Figure 571 Certificate Import Wizard 2
5 Click Finish to complete the Import Certificate wizard.

Figure 572 Certificate Import Wizard 3
6 Click Yes to add the ZyWALL certificate to the root store.

Figure 574 Certificate General Information after Import
APPENDIX E Wireless LANs

Wireless LAN Topologies
This section discusses ad-hoc and infrastructure wireless LAN topologies.

Ad-hoc Wireless LAN Configuration
The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C).

Figure 576 Basic Service Set
ESS
An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network.

Figure 577 Infrastructure WLAN
Channel
A channel is the radio frequency(ies) used by wireless devices to transmit and receive data. Channels available depend on your geographical area.

Figure 578 RTS/CTS
When station A sends data to the AP, it might not know that the station B is already using the channel.

If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size.

Wireless security methods available on the ZyWALL are data encryption, wireless client authentication, restricting access by device MAC address and hiding the ZyWALL identity.

Determines the network services available to authenticated users once they are connected to the network.
For EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA).

Dynamic WEP Key Exchange
The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out.

Encryption
WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.

Wireless Client WPA Supplicants
A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA.

3 The AP and wireless clients generate a common PMK (Pairwise Master Key). The key itself is not sent over the network, but is derived from the PSK and the SSID.

Antenna Overview
An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air.

Positioning Antennas
In general, antennas should be mounted as high as practically possible and free of obstructions. In point-to-point application, position both antennas at the same height and in a direct line of sight to each other to attain the best performance.
APPENDIX F Open Software Announcements

Notice
Information herein is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted.

This Product includes Netkit Telnet-0.17 software under the Netkit Telnet License
Netkit Telnet License
Copyright (c) 1989 Regents of the University of California.

This Product includes expat-1.95.6 software under the Expat License
Expat License
Copyright (c) 1998, 199.

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
This Product includes openssl-0.

OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.

ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The licence and distribution terms for any publically available version or derivative of this code cannot be changed.

This Product includes bind-9.2.3 software under the Internet Software Consortium and Nominum License
Copyright (C) 1996-2002 Internet Software Consortium.

THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.

"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).
(d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Wor.

Version 1.1
Copyright (c) 1999-2003 The Apache Software Foundation.

59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library.

Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it).

4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or.

copy of the library already present on the user's computer system, rather than copying library functions in.

simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all.

16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY O.
To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights.

c) If the modified program normally reads commands interactively when run, you must cause it, when started.

4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License.

10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

The Public License Version 2.8, 17 August 2003
Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following conditions are met: 1.

End-User License Agreement for “ZyWALL USG 100 and ZyWALL USG 200”
WARNING: ZyXEL Communications Corp. IS WILLING TO LICENSE THE ENCLOSED SOFTWARE TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS LICENSE AGREEMENT.

You acknowledge that the Software contains proprietary trade secrets of ZyXEL and you hereby agree to maintain t.

ORDERS, OR OTHER RESTRICTIONS. YOU AGREE TO INDEMNIFY ZyXEL AGAINST ALL CLAIMS, LOSSES, DAMAGES, LIABILITIES, COSTS AND EXPENSES, INCLUDING REASONABLE ATTORNEYS' FEES, TO THE EXTENT SUCH CLAIMS ARISE OUT OF ANY BREACH OF THIS SECTION 8.
APPENDIX G Legal Information

Copyright
Copyright © 2008 by ZyXEL Communications Corporation.
The contents of this publication may not be reproduced in .

If this device does cause harmful interference to radio/television reception, which can be determined by turning the device.

ZyXEL Limited Warranty
ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to five years from the date of purchase.
APPENDIX H Customer Support

In the event of problems that cannot be solved by using this manual, you should contact your vendor. If you cannot contact your vendor, then contact a ZyXEL office for the region in which you bought the device.

• Address: 1005F, ShengGao International Tower, No.137 XianXia Rd., Shanghai
• Web: http://www.zyxel.cn

Costa Rica
• Support E-mail: soporte@zyxel.co.cr
• Sales E-mail: sales@zyxel.

Germany
• Support E-mail: support@zyxel.de
• Sales E-mail: sales@zyxel.de
• Telephone: +49-2405-6909-69
• Fax: +49-2405-6909-99
• Web: www.zyxel.de
• Regular Mail: ZyXEL Deutschland GmbH.

Malaysia
• Support E-mail: support@zyxel.com.my
• Sales E-mail: sales@zyxel.com.my
• Telephone: +603-8076-9933
• Fax: +603-8076-9833
• Web: http://www.zyxel.com.my
• Regular Mail: ZyXEL Malaysia Sdn Bhd.

Singapore
• Support E-mail: support@zyxel.com.sg
• Sales E-mail: sales@zyxel.com.sg
• Telephone: +65-6899-6678
• Fax: +65-6899-8887
• Web: http://www.zyxel.com.sg
• Regular Mail: ZyXEL Singapore Pte Ltd.

Turkey
• Support E-mail: cso@zyxel.com.tr
• Telephone: +90 212 222 55 22
• Fax: +90-212-220-2526
• Web: http:www.
Index ZyWALL USG 100/200 Series User’s Gu ide 883 Index Numerics 3DES 374 3G 129 3G see also cellular 226 A AAA server 625 AD 626 and users 594 directory service 625 LDAP 625 , 626 LDAP Default 628 .
Index ZyWALL USG 100/200 Series User’s Guide 884 alerts 717 , 721 , 724 , 72 5 anti-spam 564 anti-virus 475 IDP 492 ALG 325 , 330 and firewall 325 , 327 and NA T 326 and policy routes 327 , 330 and trunks 330 and virtual servers 327 configuration overview 120 FTP 326 H.
Index ZyWALL USG 100/200 Series User’s Gu ide 885 allowing through the firewall 344 vs virtual interfaces 343 A T command strings 699 authentication LDAP/AD 626 authentication algorithms 295 , 373 , 374 and active pr ot ocol 374 and routing protocol s 295 MD5 295 , 374 SHA1 374 text 295 Authentication Header .
Index ZyWALL USG 100/200 Series User’s Guide 886 and FTP 695 and HTTPS 678 and IKE SA 378 and SSH 691 and synchronization (device HA) 589 and VPN gateways 353 and WWW 680 certification path 640 , 64.
Index ZyWALL USG 100/200 Series User’s Gu ide 887 copyright 873 CPU usage 173 , 175 CTS (Clear to Send) 834 current date/time 173 , 666 and schedules 619 daylight savings 668 setting manually 669 time se rver 669 current user list 389 custom signatures 498 applying 508 example 505 verifying 508 custom.
Index ZyWALL USG 100/200 Series User’s Guide 888 double-encoding 527 DTR 699 Dynamic Domain Name System. See DDNS. Dynamic Host Configurat ion Protocol.
Index ZyWALL USG 100/200 Series User’s Guide 889 vs application patrol 335, 337 firmware and restart 710 boot module. See boot module. current version 172, 711 getting updated 710 uploading 710 .
Index ZyWALL USG 100/200 Series User’s Guide 890 custom signature example 505 custom signatures 498 false negatives 489 false positives 489 inline profile 489 license status 173 log options 492 mo.
Index ZyWALL USG 100/200 Series User’s Guide 891 trunks. See also trunks. types 200 virtual. See also virtual interfaces. VLAN. See also VLAN interfaces. where used 114 WLAN 200 Internet Control Message Protocol. See ICMP. Internet Message Access Protocol.
Index ZyWALL USG 100/200 Series User’s Guide 892 Default_L2TP_VPN_GW example 415 DNS 412 example 415, 418 IPSec configuration 410 policy route 410 policy route example 418 prerequisites 115 remote user configuration 419 session monitor 412 where used 115 WINS 412 LAND attack 526 lastgood.
Index ZyWALL USG 100/200 Series User’s Guide 893 N NAT 285, 309 1 to 1 example 313 address mapping. See policy routes. ALG. See ALG. and address objects 282 and ALG 326 and policy routes 278, 282 and VPN 377 and VPN. See also VPN. port forwarding.
Index ZyWALL USG 100/200 Series User’s Guide 894 Pairwise Master Key (PMK) 840, 842 payload option 504 payload size 505 PCMCIA card installation 754 Peanut Hull see DDNS.
Index ZyWALL USG 100/200 Series User’s Guide 895 R RADIUS 625, 626, 836 advantages 625 and IKE SA 378 and PPPoE 268 and users 594 message types 837 messages 837 shared secret key 837 user attributes 604 real-time alert message 821 Real-time Transport Protocol.
Index ZyWALL USG 100/200 Series User’s Guide 896 and force user authentication policies 603 and policy routes 282, 455, 457, 459, 461 one-time 619 recurring 619 types of 619 where used 121 screen resolution 65 Secure Hash Algorithm. See SHA1. Secure Socket Layer .
Index ZyWALL USG 100/200 Series User’s Guide 897 spam 559 specifications 749 device 749 feature 750 hardware 749 spillover (for load balancing) 272 SQL slammer 509 SSH 689 and address groups 692 an.
Index ZyWALL USG 100/200 Series User’s Guide 898 SYN flood 526 synchronization 576 and subscription services 576 information synchronized 588 password 581, 585 port number 581, 585 restrictions 589 syntax conventions 5 syslog 718, 724 syslog servers.
Index ZyWALL USG 100/200 Series User’s Guide 899 messages 613 port numbers 613 UDP Decoder 520 UDP decoy portscan 524 UDP distributed portscan 524 UDP flood attack 526 UDP portscan 524 UDP portswee.
Index ZyWALL USG 100/200 Series User’s Guide 900 Virtual Private Network. See VPN. virtual router 578 Virtual Router ID number (VRID). 584 Virtual Router Redundancy Protocol.
Index ZyWALL USG 100/200 Series User’s Guide 901 white list anti-spam 564, 566, 567 whitelist 567 anti-spam 559 Wi-Fi Protected Access 839 Windows Internet Naming Service.
Index ZyWALL USG 100/200 Series User’s Guide 902.