ZyXEL Communications USG110 User Manual Download | Manualshive

Page: 569 / 1090

background image

ZyWALL USG Series User’s Guide

569

C

HAPTER

27

Security Policy

27.1 Overview

A security policy is a template of security settings that can be applied to specific traffic at specific times.
The policy can be applied:

• to a specific direction of travel of packets (from / to)
• to a specific source and destination address objects
• to a specific type of traffic (services)
• to a specific user or group of users
• at a specific schedule

The policy can be configured:

• to allow or deny traffic that matches the criteria above
• send a log or alert for traffic that matches the criteria above
• to apply the actions configured in the UTM profiles (application patrol, content filter, IDP, anti-virus,

anti-spam) to traffic that matches the criteria above

Note: Security policies can be applied to both IPv4 and IPv6 traffic.

The security policies can also limit the number of user sessions.

The following example shows the Zyxel Device’s default security policies behavior for a specific direction
of travel of packets. WAN to LAN traffic and how stateful inspection works. A LAN user can initiate a
Telnet session from within the LAN zone and the Zyxel Device allows the response. However, the Zyxel
Device blocks incoming Telnet traffic initiated from the WAN zone and destined for the LAN zone.

Figure 402

Default Directional Security Policy Example

«
...
567
568
569
570
571
...
»

Summary of Contents for USG110

Page 1: ...Default Login Details User s Guide ZyWALL USG Series Copyright 2019 Zyxel Communications Corporation LAN Port IP Address https 192 168 1 1 User Name admin Password 1234 Version 4 35 Edition 1 08 2019 ...

Page 2: ...plies to versions 4 10 4 11 4 13 4 15 4 16 4 20 4 25 4 30 4 31 4 32 4 33 and 4 35 at the time of writing Related Documentation Quick Start Guide The Quick Start Guide shows how to connect the Zyxel Device and access the Web Configurator wizards See the wizard real time help for information on configuring each screen It also contains a connection diagram and package contents list CLI Reference Guid...

Page 3: ... Product labels screen names field labels and field choices are all in bold font A right angle bracket within a screen name denotes a mouse click For example Configuration Network Interface Ethernet means you first click Configuration in the navigation panel then Network then the Interface sub menu and finally the Ethernet tab to get to that screen Icons Used in Figures Figures in this user guide ...

Page 4: ...NAT 439 Redirect Service 447 ALG 453 UPnP 460 IP MAC Binding 475 Layer 2 Isolation 480 DNS Inbound LB 484 Web Authentication 490 Hotspot 522 Printer Manager 540 Free Time 552 IPnP 557 Walled Garden 560 Advertisement Screen 566 Security Policy 569 Cloud CNM 595 Amazon VPC 603 IPSec VPN 605 SSL VPN 641 SSL User Screens 652 Zyxel Device SecuExtender Windows 665 L2TP VPN 669 BWM Bandwidth Management 6...

Page 5: ...ew ZyWALL USG Series User s Guide 5 Anti Spam 751 SSL Inspection 769 Device HA 778 Object 794 System 906 Log and Report 964 File Manager 982 Diagnostics 996 Packet Flow Explore 1017 Shutdown 1025 Troubleshooting 1026 ...

Page 6: ...rview 38 1 5 3 Navigation Panel 41 1 5 4 Tables and Lists 50 Chapter 2 Initial Setup Wizard 53 2 1 Initial Setup Wizard Screens 53 2 1 1 Internet Access Setup WAN Interface 54 2 1 2 Internet Access Ethernet 54 2 1 3 Internet Access PPPoE 56 2 1 4 Internet Access PPTP 57 2 1 5 Internet Access L2TP 59 2 1 6 Internet Access Setup Second WAN Interface 60 2 1 7 Internet Access Congratulations 61 2 1 8 ...

Page 7: ...ial Setup Wizard Date and Time 91 4 2 4 Initial Setup Wizard Register Device 92 4 2 5 Initial Setup Wizard Activate Services 94 4 2 6 Initial Setup Wizard Wi Fi 96 4 2 7 Initial Setup Wizard Remote Management 96 4 2 8 Initial Setup Wizard Congratulations 98 4 3 Initial Setup Wizard Security Service 99 4 4 Initial Setup Wizard Port Forwarding 101 4 5 Initial Setup Wizard Guest LAN 102 4 5 1 Connect...

Page 8: ...4 8 2 L2TP VPN Settings 2 130 4 8 3 VPN Settings for L2TP VPN Setting Wizard Summary 131 4 8 4 VPN Settings for L2TP VPN Setting Wizard Completed 132 4 9 Port Forwarding 133 4 9 1 Port Forwarding Add Client 134 4 9 2 Port Forwarding Add Service 134 4 9 3 Port Forwarding UPnP 134 4 10 Wi Fi and Guest Network Wizard 135 4 10 1 Guest LAN Wired Network 136 4 10 2 Connecting AP Scenarios 138 4 11 Secur...

Page 9: ...gs 172 5 4 7 VPN Settings for Configuration Provisioning Advanced Wizard Phase 2 173 5 4 8 VPN Settings for Configuration Provisioning Advanced Wizard Summary 174 5 4 9 VPN Settings for Configuration Provisioning Advanced Wizard Finish 176 5 5 VPN Settings for L2TP VPN Settings Wizard 177 5 5 1 L2TP VPN Settings 178 5 5 2 L2TP VPN Settings 179 5 5 3 VPN Settings for L2TP VPN Setting Wizard Summary...

Page 10: ... USB Storage Screen 218 7 14 Ethernet Neighbor Screen 219 7 15 FQDN Object Screen 220 7 16 AP Information AP List 222 7 16 1 AP List More Information 224 7 16 2 AP List Config AP 227 7 17 AP Information Radio List 228 7 17 1 Radio List More Information 230 7 18 AP Information Top N APs 231 7 19 AP Information Single AP 233 7 20 ZyMesh 234 7 21 SSID Info 234 7 22 Station Info Station List 235 7 23 ...

Page 11: ...o Know 266 8 1 2 Registration Screen 266 8 1 3 Service Screen 267 8 2 Signature Update 269 8 2 1 What you Need to Know 269 8 2 2 The Anti Virus Update Screen 269 8 2 3 The IDP AppPatrol Update Screen 270 Chapter 9 Wireless 273 9 1 Overview 273 9 1 1 What You Can Do in this Chapter 273 9 2 Controller Screen 273 9 3 AP Management Screens 274 9 3 1 Mgnt AP List 274 9 3 2 AP Policy 278 9 3 3 AP Group ...

Page 12: ... Interfaces 331 10 6 1 PPP Interface Summary 331 10 6 2 PPP Interface Add or Edit 333 10 7 Cellular Configuration Screen 338 10 7 1 Cellular Choose Slot 341 10 7 2 Add Edit Cellular Configuration 341 10 8 Tunnel Interfaces 347 10 8 1 Configuring a Tunnel 349 10 8 2 Tunnel Add or Edit Screen 350 10 9 VLAN Interfaces 353 10 9 1 VLAN Summary Screen 355 10 9 2 VLAN Add Edit 356 10 10 Bridge Interfaces...

Page 13: ... to Know 418 11 6 The RIP Screen 418 11 7 The OSPF Screen 420 11 7 1 Configuring the OSPF Screen 423 11 7 2 OSPF Area Add Edit Screen 424 11 7 3 Virtual Link Add Edit Screen 426 11 8 BGP Border Gateway Protocol 427 11 8 1 Allow BGP Packets to Enter the Zyxel Device 428 11 8 2 Configuring the BGP Screen 428 11 8 3 The BGP Neighbors Screen 430 11 8 4 Example Scenario 431 Chapter 12 DDNS 433 12 1 DDN...

Page 14: ... and NAT PMP Overview 460 16 2 What You Need to Know 460 16 2 1 NAT Traversal 460 16 2 2 Cautions with UPnP and NAT PMP 461 16 3 UPnP Screen 461 16 4 Technical Reference 462 16 4 1 Turning on UPnP in Windows 7 Example 462 16 4 2 Turn on UPnP in Windows 10 Example 466 16 4 3 Auto discover Your UPnP enabled Network Device 468 16 4 4 Web Configurator Easy Access in Windows 7 471 16 4 5 Web Configurat...

Page 15: ...in this Chapter 490 20 1 2 What You Need to Know 491 20 2 Web Authentication General Screen 491 20 2 1 User aware Access Control Example 496 20 2 2 Authentication Type Screen 502 20 2 3 Custom Web Portal User Agreement File Screen 506 20 2 4 Facebook Wi Fi Screen 507 20 3 SSO Overview 511 20 4 SSO Zyxel Device Configuration 512 20 4 1 Configuration Overview 513 20 4 2 Configure the Zyxel Device to...

Page 16: ...een 540 22 2 1 Add Printer Rule 543 22 2 2 Edit Printer Rule 543 22 2 3 Discover Printer 544 22 2 4 Edit Printer Manager Discover Printer 546 22 3 The Printout Configuration Screen 547 22 4 Printer Reports Overview 548 22 4 1 Key Combinations 548 22 4 2 Daily Account Summary 548 22 4 3 Monthly Account Summary 549 22 4 4 Account Report Notes 549 22 4 5 System Status 550 Chapter 23 Free Time 552 23 ...

Page 17: ...ecurity Policy Control Screen 576 27 4 2 The Security Policy Control Add Edit Screen 579 27 5 Anomaly Detection and Prevention Overview 581 27 5 1 The Anomaly Detection and Prevention General Screen 582 27 5 2 Creating New ADP Profiles 583 27 5 3 Traffic Anomaly Profiles 584 27 5 4 Protocol Anomaly Profiles 587 27 6 The Session Control Screen 590 27 6 1 The Session Control Add Edit Screen 591 27 7...

Page 18: ... Chapter 641 31 1 2 What You Need to Know 641 31 2 The SSL Access Privilege Screen 642 31 2 1 The SSL Access Privilege Policy Add Edit Screen 643 31 3 The SSL Global Setting Screen 646 31 3 1 How to Upload a Custom Logo 647 31 4 Zyxel Device SecuExtender 648 31 4 1 Example Configure Zyxel Device for SecuExtender 649 Chapter 32 SSL User Screens 652 32 1 Overview 652 32 1 1 What You Need to Know 652...

Page 19: ...2TP VPN Screen 670 34 2 1 Example L2TP and Zyxel Device Behind a NAT Router 672 Chapter 35 BWM Bandwidth Management 674 35 1 Overview 674 35 1 1 What You Can Do in this Chapter 674 35 1 2 What You Need to Know 674 35 2 The Bandwidth Management Configuration 678 35 2 1 The Bandwidth Management Add Edit Screen 681 Chapter 36 Application Patrol 689 36 1 Overview 689 36 1 1 What You Can Do in this Cha...

Page 20: ...dding Editing Profiles 717 38 2 3 Profile Group View Screen 718 38 2 4 Add Profile Query View 721 38 2 5 Query Example 725 38 3 IDP Custom Signatures 726 38 3 1 Add Edit Custom Signatures 729 38 3 2 Custom Signature Example 733 38 3 3 Applying Custom Signatures 735 38 3 4 Verifying Custom Signatures 735 38 4 IDP Technical Reference 736 Chapter 39 Anti Virus 739 39 1 Overview 739 39 1 1 What You Ca...

Page 21: ...1 1 2 What You Need To Know 769 41 1 3 Before You Begin 770 41 2 The SSL Inspection Profile Screen 770 41 2 1 Add Edit SSL Inspection Profiles 771 41 3 Exclude List Screen 773 41 4 Certificate Update Screen 775 41 5 Install a CA Certificate in a Browser 776 Chapter 42 Device HA 778 42 1 Device HA Overview 778 42 1 1 Device HA and Device HA Pro Differences 778 42 1 2 What You Can Do in These Screen...

Page 22: ...5 2 Add Edit ZyMesh Profile 834 43 6 Application 834 43 6 1 Add Application Rule 837 43 6 2 Application Group Screen 839 43 7 Address Geo IP Overview 841 43 7 1 What You Need To Know 841 43 7 2 Address Summary Screen 841 43 7 3 Address Group Summary Screen 845 43 7 4 Geo IP Summary Screen 847 43 8 Service Overview 850 43 8 1 What You Need to Know 850 43 8 2 The Service Summary Screen 851 43 8 3 Th...

Page 23: ...d to Know 897 43 14 2 The SSL Application Screen 899 43 15 DHCPv6 Overview 902 43 15 1 The DHCPv6 Request Screen 902 43 15 2 The DHCPv6 Lease Screen 904 Chapter 44 System 906 44 1 Overview 906 44 1 1 What You Can Do in this Chapter 906 44 2 Host Name 907 44 3 USB Storage 907 44 4 Date and Time 908 44 4 1 Pre defined NTP Time Servers List 911 44 4 2 Time Server Synchronization 911 44 5 Console Port...

Page 24: ...cure Telnet Using SSH Examples 943 44 9 Telnet 945 44 9 1 Configuring Telnet 945 44 10 FTP 946 44 10 1 Configuring FTP 946 44 11 SNMP 947 44 11 1 SNMPv3 and Security 948 44 11 2 Supported MIBs 949 44 11 3 SNMP Traps 949 44 11 4 Configuring SNMP 949 44 11 5 Add SNMPv3 User 951 44 12 Authentication Server 952 44 12 1 Add Edit Trusted RADIUS Client 954 44 13 Notification Mail Server 954 44 14 Notific...

Page 25: ... Script Screen 993 Chapter 47 Diagnostics 996 47 1 Overview 996 47 1 1 What You Can Do in this Chapter 996 47 2 The Diagnostics Screens 996 47 2 1 The Diagnostics Collect Screen 997 47 2 2 The Diagnostics Collect on AP Screen 998 47 2 3 The Diagnostics Files Screen 999 47 3 The Packet Capture Screen 1000 47 3 1 The Packet Capture on AP Screen 1002 47 3 2 The Packet Capture Files Screen 1005 47 4 T...

Page 26: ... 1025 49 1 1 What You Need To Know 1025 49 2 The Shutdown Screen 1025 Chapter 50 Troubleshooting 1026 50 1 Resetting the Zyxel Device 1038 50 2 Getting More Troubleshooting Help 1039 Appendix A Customer Support 1040 Appendix B Common Services 1046 Appendix C Product Features 1049 Appendix D Legal Information 1055 Index 1069 ...

Page 27: ...27 PART I User s Guide ...

Page 28: ... NO NO AP Contoller YES YES YES YES YES YES YES YES YES YES YES YES YES NO NO YES App Patrol YES YES YES YES YES YES YES YES YES YES YES YES YES NO NO NO Content Filtering YES YES YES YES YES YES YES YES YES YES YES YES YES YES YES YES Device HA Pro YES YES YES NO NO NO NO YES YES YES YES YES YES NO NO YES Easy Mode Wizard YES NO NO YES YES YES YES YES NO NO NO NO NO YES YES NO Hotspot Management ...

Page 29: ...rvice for services available for your Zyxel Device For Zyxel Devices that already have firmware version 4 25 or later you have to register your Zyxel Device and activate the corresponding service at myZyxel through your Zyxel Device For Zyxel Devices upgrading to firmware version 4 25 or later you may skip registering your Zyxel Device and activating the corresponding service at myZyxel through yo...

Page 30: ...will receive notifications to renew your license s New license s are valid for 1 year from the date of purchase 1 3 Applications These are some Zyxel Device application scenarios Security Router Security includes a Stateful Packet Inspection SPI firewall and UTM Unified Threat Management All models need a license to use UTM Unified Threat Management features Figure 2 Applications Security Router A...

Page 31: ... travelers to provide secure access to your network AS is an Authentication Server in the below figure Figure 4 Applications VPN Connectivity SSL VPN Network Access SSL VPN lets remote users use their web browsers for a very easy to use VPN solution A user just browses to the Zyxel Device s web address and enters his user name and password to securely connect to the Zyxel Device s network Here ful...

Page 32: ...e server User B has a lower level of access and can only access the Internet User C is not even logged in so and cannot access either the Internet or the file server Figure 6 Applications User Aware Access Control Load Balancing Set up multiple connections to the Internet on the same port or different ports including cellular interfaces In either case you can balance the traffic loads between them...

Page 33: ...d in Easy Mode and enter Easy Mode every time you log in Choose Expert Mode to go to the Initial Setup Wizard in Expert Mode and enter Expert Mode every time you log in Note This screen is only available for models that support Easy Mode and Expert Mode See Chapter 1 on page 28 to see which models support Easy Mode Note You can still switch between modes after selecting a mode in this screen Figur...

Page 34: ...FTP Use File Transfer Protocol for firmware upgrades and configuration backup restore SNMP The device can be monitored and or managed by an SNMP manager See Section 44 11 on page 947 Cloud CNM Use the Cloud CNM screen see Section 44 15 on page 957 to enable and configure management of the Zyxel Device by a Central Network Management system Management Authentication Managers must be authenticated w...

Page 35: ...y differ slightly from your product due to differences in product features or web configurator brand style Most screen shots in this guide come from the USG110 and USG60W 1 5 1 Web Configurator Access 1 Make sure your Zyxel Device hardware is properly connected See the Quick Start Guide 2 In your browser go to http 192 168 1 1 By default the Zyxel Device automatically routes this request to its HT...

Page 36: ...a number at least 1 a lower case letter at least 1 an upper case letter and at least 1 a special character from the keyboard such as _ You can also require periodic changing of the password in that screen by configuring Password must changed every days Make a note of your new password enter it in the following screen then click Apply 5 A Terms of Use screen displays Read the statement select the c...

Page 37: ...ections in the Update Admin Info screen If you change the default password the Login screen appears after you click Apply If you click Ignore the Installation Setup Wizard opens if the ZyWALL is using its default configuration otherwise the dashboard appears Router enable Router Router configure terminal Router config Router config service register _setremind after 10 days after 180 days after 30 ...

Page 38: ...en the SecuReporter portal page This icon shows when the Zyxel Device is added to an organization Web Console Click this to open one or multiple console windows from which you can run command line interface CLI commands You will be prompted to enter your user name and password See the Command Reference Guide for information about the commands Logging in to the Zyxel Device with HTTPS so you can op...

Page 39: ...ee an overview of links to the Web Configurator screens Forum Go to https businessforum zyxel com for product discussions Help Click this to open the help page for the current screen About Click this to display basic information about the Zyxel Device Easy Mode Click this to go to a mode that contains wizards that help you configure the Zyxel Device and links to portals Not all models have this mo...

Page 40: ... Configurator screens Click a screen s link to go to that screen Service This is the type of setting that references the selected object Click a service s name to display the service s configuration screen in the main window Priority If it is applicable this field lists the referencing configuration item s position in its list otherwise N A displays Name This field identifies the configuration ite...

Page 41: ...guration screens Click the arrow in the middle of the right edge of the navigation panel to hide the panel or drag to resize it The following sections introduce the Zyxel Device s navigation panel menus and their screens Table 5 About LABEL DESCRIPTION Current Version This shows the firmware version of the Zyxel Device Released Date This shows the date yyyy mm dd and time hh mm ss when the firmwar...

Page 42: ...ce Summary Displays general interface information and packet statistics Traffic Statistics Traffic Statistics Collect and display traffic statistics Session Monitor Session Monitor Displays the status of all current sessions IGMP Statistics IGMP Statistics Collect and display IGMP statistics DDNS Status DDNS Status Displays the status of the Zyxel Device s DDNS domain names IP MAC Binding IP MAC B...

Page 43: ...d with the APs managed by the Zyxel Device Top N Stations Lists wireless stations with the most wireless traffic usage Single Station Lists wireless traffic usage for an associated wireless station Detected Device Detected Device Display information about suspected rogue APs Printer Status Printer Status Display information about the connected statement printers VPN Monitor IPSec IPSec Displays an...

Page 44: ...controller registration AP Management Mgnt AP List Edit or remove entries in the lists of APs managed by the Zyxel Device AP Policy Configure the AP controller s IP address on the managed APs and determine the action the managed APs take if the current AP controller fails AP Group Create groups of APs define their radio VLAN port and load balancing settings Firmware Update the firmware on APs conn...

Page 45: ... OSPF settings including areas and virtual links BGP Configure exchange of Border Gateway Protocol BGP information over an IPSec tunnel DDNS DDNS Define and manage the Zyxel Device s DDNS domain names NAT NAT Set up and manage port forwarding rules Redirect Service Redirect Service Set up and manage HTTP and SMTP redirection rules ALG ALG Configure SIP H 323 and FTP pass through settings UPnP UPnP...

Page 46: ... ADP bindings Profile Create and manage ADP profiles Session Control Session Control Limit the number of concurrent client NAT security policy sessions Cloud CNM SecuManager Enable and configure management of the Zyxel Device by a Central Network Management system SecuReporter Enable SecuReporter logging and access the SecuReporter security analytics portal that collects and analyzes logs from you...

Page 47: ... mail DNSBL Have the ZyWALL check e mail against DNS Black Lists SSL Inspection Profile Decrypt HTTPS traffic for UTM inspection Create SSL Inspection template s of settings to apply to a traffic flow using a security policy Exclude List Configure services to be excluded from SSL Inspection Certificate Update Use this screen to update the latest certificates of servers using SSL connections to the...

Page 48: ...ory settings LDAP Configure the LDAP settings RADIUS Configure the RADIUS settings Auth Method Authentication Method Create and manage ways of authenticating users Two factor Authentication Configure SMS email authentication to access a secured network behind the Zyxel Device via a VPN tunnel Certificate My Certificates Create and manage the Zyxel Device s certificates Trusted Certificates Import ...

Page 49: ... to send daily reports and what reports to send Log Settings Log Settings Configure the system log e mail logs and remote syslog servers Table 8 Maintenance Menu Screens Summary FOLDER OR LINK TAB FUNCTION File Manager Configuration File Manage and upload configuration files for the Zyxel Device Firmware Management View the current firmware version and upload firmware Reboot with your choice of fi...

Page 50: ...ere are some examples of what you can do Sort in ascending or descending reverse alphabetical order Select which columns to display Group entries by field Show entries in groups Filter by mathematical operators or or searching for text Figure 18 Common Table Column Options Select a column heading cell s right border and drag to re size the column Packet Flow Explore Routing Status Check how the Zy...

Page 51: ...riptions for the most common table icons Table 9 Common Table Icons LABEL DESCRIPTION Add Click this to create a new entry For features where the entry s position in the numbered list is important features where the Zyxel Device applies the table s entries in order like the security policy for example you can select an entry and click Add to create a new entry after the selected entry Edit Double ...

Page 52: ...ct it and click Inactivate Connect To connect an entry select it and click Connect Disconnect To disconnect an entry select it and click Disconnect References Select an entry and click References to check which settings use the entry Move To change an entry s position in a numbered list select it and click Move to display a field to type a number for where you want to put that entry and press ENTE...

Page 53: ... with Easy Mode wizards have a different style to the other models Note For Zyxel Devices that already have firmware version 4 25 or later you have to register your Zyxel Device and activate the corresponding service at myZyxel through your Zyxel Device This chapter provides information on configuring the Web Configurator s Initial Setup Wizard See the feature specific chapters in this User s Guid...

Page 54: ...t is used as a regular Ethernet Choose PPPoE PPTP or L2TP for a dial up connection according to the information from your ISP WAN Interface This is the interface you are configuring for Internet access Zone This is the security zone to which this interface and Internet connection belong IP Address Assignment Select Auto if your ISP did not assign you a fixed IP address Select Static if the ISP ass...

Page 55: ... 0 if you do not want to configure DNS servers 2 1 2 1 Possible Errors Check that your cable connection is coming from the correct interface you re using for the WAN connection on the Zyxel Device Check that the interface is connected to the device you re using for Internet access such as a broadband router and that the router is turned on The LED of the interface you re using for the WAN connecti...

Page 56: ...h this interface and Internet connection will belong IP Address Enter your static public IP address Auto displays if you selected Auto as the IP Address Assignment in the previous screen First Second DNS Server These fields display if you selected static IP address assignment The Domain Name System DNS maps a domain name to an IP address and vice versa Enter a DNS server s IP address es The DNS se...

Page 57: ...Use up to 64 ASCII characters except the and This field can be blank Re type your password in the next field to confirm it Select Nailed Up if you do not want the connection to time out Otherwise type the Idle Timeout in seconds that elapses before the router automatically disconnects from the PPTP server 2 1 4 2 PPTP Configuration Base Interface This identifies the Ethernet interface you configur...

Page 58: ...ess it The Zyxel Device uses these in the order you specify here to resolve domain names for VPN DDNS and the time server Leave the field as 0 0 0 0 if you do not want to configure DNS servers 2 1 4 4 Possible Errors Check that you re using the correct PPPT Service IP Base IP Address IP Subnet Mask Gateway IP Address Connection ID and Authentication Type Make sure that your Internet access informa...

Page 59: ...3 WAN IP Address Assignments WAN Interface This is the name of the interface that will connect with your ISP Zone This is the security zone to which this interface and Internet connection will belong IP Address Enter your static public IP address Auto displays if you selected Auto as the IP Address Assignment in the previous screen First Second DNS Server These fields display if you selected stati...

Page 60: ...ternet Access Setup Second WAN Interface If you selected I have two ISPs after you configure the First WAN Interface you can configure the Second WAN Interface The screens for configuring the second WAN interface are similar to the first see Section 2 1 1 on page 54 Figure 30 Internet Access Step 3 Second WAN Interface ...

Page 61: ...y If you have check that you got the correct settings from your ISP or network administrator Figure 31 Internet Access Summary 2 1 8 Date and Time Settings It s important to have correct date and time values in the logs The Zyxel Device can automatically update the time and date by detecting your time zone and whether Daylight Savings is in effect in that time zone If your Zyxel Device cannot get ...

Page 62: ... this screen to register your device at portal myzyxel com Note The Zyxel Device must be connected to the Internet in order to register Figure 33 Register Device You may need the Zyxel Device s serial number and LAN MAC address to register it at myZyxel if you have not already done so Refer to the label at the back of the Zyxel Device s for details ...

Page 63: ... 1 10 Activate Service After you register your Zyxel Device you can register for the services supported by your model Examples of services are Content Filter to block websites by category such as Gambling IDP to recognize and drop traffic with Intrusion Detection Protection attack patterns Anti Virus to detect virus patterns in files Anti Spam to mark or discard unsolicited commercial or junk e ma...

Page 64: ...s the Internet from a computer connected to a LAN port on the Zyxel Device If you cannot then check your Internet access settings on the Zyxel Device Figure 36 Activate Service Figure 37 Activated Service 2 1 11 Wireless Settings AP Controller The Zyxel Device can act as an AP Controller that can manage APs in the same network as the Zyxel Device Select Yes if you want your Zyxel Device to manage ...

Page 65: ... ASCII characters including spaces and symbols or 64 hexadecimal characters Hidden SSID Select this option if you want to hide the SSID in the outgoing beacon frame A wireless client then cannot obtain the SSID through scanning using a site survey tool Enable Intra BSS Traffic Blocking Select this option if you want to prevent crossover traffic from within the same SSID Wireless clients can still ...

Page 66: ...ttings SSID Security 2 1 13 Remote Management Select this to allow access to the Zyxel Device using HTTP or HTTPS from the Internet Figure 40 Remote Management HTTPS is added to the Default_Allow_WAN_to_ZyWALL rule in Object Service Service Group screen when you enable Remote Management ...

Page 67: ...Chapter 2 Initial Setup Wizard ZyWALL USG Series User s Guide 67 Figure 41 Object Service Service Group HTTPS ...

Page 68: ...ction describes the front and rear panels for each model 3 1 1 Front Panels The LED indicators are located on the front panel Figure 42 ZyWALL 110 USG110 USG210 Front Panel Figure 43 ZyWALL 310 ZyWALL 1100 USG310 USG1100 USG1900 Front Panel Figure 44 USG20 VPN Front Panel Figure 45 USG20W VPN Front Panel ...

Page 69: ...aces and Zones ZyWALL USG Series User s Guide 69 Figure 46 USG40 Front Panel Figure 47 USG40W Front Panel Figure 48 USG60 Front Panel Figure 49 USG60W Front Panel Figure 50 USG2200 VPN Front Panel Figure 51 USG2200 Front Panel ...

Page 70: ... the connected mobile broadband USB card P1 P2 Green Off There is no traffic on this port Blinking The Zyxel Device is sending or receiving packets on this port Orange Off There is no connection on this port On This port has a successful link Blinking The Zyxel Device is sending or receiving packets on this port Table 11 USG2200 VPN USG2200 LED Descriptions LED COLOR STATUS DESCRIPTION PWR1 2 Off ...

Page 71: ...orts LABEL DESCRIPTION RESET Press the button in for about 5 seconds or until the SYS LED starts to blink then release it to return the Zyxel Device to the factory defaults password is 1234 LAN IP address 192 168 1 1 etc CONSOLE You can use the console port to manage the Zyxel Device using CLI commands You will be prompted to enter your user name and password See the Command Reference Guide for mo...

Page 72: ...puter equipped with communications software configured to the following parameters Speed 115200 bps Data Bits 8 Parity None Stop Bit 1 Flow Control Off USB Connect a storage device for system logs see Maintenance Diagnostics System Log and storage see Configuration System USB Storage P1 P4 These are SFP 1G ports These are compatible 1G transceiver modules at the time of writing SFP 1000T SFP SX D ...

Page 73: ...mmand Reference Guide for more information about the CLI When configuring using the console port you need a computer equipped with communications software configured to the following parameters Speed 115200 bps Data Bits 8 Parity None Stop Bit 1 Flow Control Off Power Use the included power cord to connect the power socket to a power outlet Turn the power switch on if your Zyxel Device has a power...

Page 74: ...t using a rack mounting kit Make sure the rack will safely support the combined weight of all the equipment it contains and that the position of the ZyWALL does not make the rack unstable or top heavy Take all necessary precautions to anchor the rack securely before installing the unit Note Leave 10 cm of clearance at the sides and 20 cm in the rear Use a 2 Phillips screwdriver to install the scre...

Page 75: ...he rack and match up the bracket holes with the rack holes Secure the Zyxel Device to the rack with the rack mounting screws 3 2 2 USG2200 VPN USG2200 Rack Mounting 3 2 2 1 Installation Requirements Two front mounting brackets short and two rear mounting brackets long Two railings inner and outer Front Brackets M3 Screws Rack M6 Screws and Nuts ...

Page 76: ... s Guide 76 Note Failure to use the proper screws may damage the unit 3 2 2 2 Procedure 1 Connect the front brackets to the USG2200 VPN USG2200 using the M3 bracket screws 2 To separate the inner and outer railings press tab B white and slide out the outer railing ...

Page 77: ...connect the rear of an outer railing to the back of the rack using the rack screws Repeat for the second outer rail on the other side of the rack 5 Carefully lift the USG2200 VPN USG2200 with the inner rails attached and slide it onto the outer rails of the rack Use the blue tab A in step 2 above to slide the USG2200 VPN USG2200 along the inner rail Secure the USG2200 VPN USG2200 in the rack using...

Page 78: ...deep and 174 mm 6 85 apart into a wall Place two screw anchors in the holes Figure 58 Wall Mounting 2 Screw two screws with 6 mm 8 mm 0 24 0 31 wide heads into the screw anchors Do not screw the screws all the way in to the wall leave a small gap of between 1 1 5 mm 0 04 0 06 between the head of the screw and the wall The gap must be big enough for the screw heads to slide into the screw slots and...

Page 79: ...The default configurations for zones interfaces and ports are as follows References to interfaces may be generic rather than the specific name used in your model For example this guide may use the WAN interface rather than wan1 or wan2 ge2 or ge3 USG2200 VPN USG2200 is ge5 or ge6 An OPT optional Ethernet port can be configured as an additional WAN port LAN WLAN or DMZ port The following table show...

Page 80: ...USG2200 VPN USG2200 ge1 ge2 ge3 ge4 ge5 ge6 ge7 ge8 ge9 ge10 ge11 ge12 ge13 ge14 ge15 ge16 te1 te2 Table 18 Default Zone Interface Mapping ZONE INTERFACE WAN LAN1 LAN2 DMZ OPT NO DEFAULT ZONE USG20 VPN USG20W VPN WAN WAN_PPP LAN1 LAN2 DMZ OPT OPT_PPP USG40 WAN1 WAN1_PPP LAN1 LAN2 DMZ OPT OPT_PPP USG40W WAN1 WAN1_PPP LAN1 LAN2 DMZ OPT OPT_PPP USG60 WAN1 WAN1_PPP WAN2 WAN2_PPP LAN1 LAN2 DMZ USG60W W...

Page 81: ...e the power Not doing so can cause the firmware to become corrupt Table 19 Default Zone Interface Mapping USG2200 VPN USG2200 ZONE INTERFACE WAN LAN1 LAN2 DMZ 10G NO DEFAULT ZONE USG2200 VPN USG2200 GE5 GE5_PPP GE7 GE8 GE9 GE10 TE1 TE1_PPP TE2 TE2_PPP GE1 GE1_PPP GE2 GE2_PPP GE3 GE3_PPP GE4 GE4_PPP GE7_PPP GE8_PPP GE9_PPP GE10_PPP GE11 GE11_PPP GE12 GE12_PPP GE13 GE13_PPP GE14 GE14_PPP GE15 GE15_P...

Page 82: ...advanced screens then simply click Expert Mode and select the Expert Mode option Figure 60 Switch Modes Note Enabling guest network renames the OPT or P6 port to guest Go to the Configuration Network Interface Port Role screen in Expert Mode to check A guest interface is created The OPT port or the highest numbered copper Ethernet port in the Zyxel Device will be bound with the guest interface If ...

Page 83: ... screen Back to return to the previous screen and Exit or X top right to close the wizard screen without saving any changes The following are the Easy Mode wizards and links Figure 61 Easy Mode Wizards and Links Table 20 Editing Deleting EZ_ Objects OBJECT RULE SCREEN EDIT DELETE X The action is not allowed V The action is allowed guest interface Configuration Network Interface Ethernet X X Conten...

Page 84: ...hich contains all the advanced menus 4 1 3 Easy Mode Settings Click to display the Easy Mode Settings menu Figure 62 Easy Mode Settings Create Recovery Point a recovery point is a point to which all the Zyxel Device s configuration can be reset to after you click Create Recovery Point Choose this when you have some configurations done and everything is working correctly Restore Last Recovery Point...

Page 85: ...e at myZyxel then the icon displays a red N Click the icon with the red N to display a What s New pop up screen You need a Firmware Upgrade license to upgrade the firmware If you do not have a license Upgrade Now is grayed out If you have a license click Upgrade Now to directly upgrade firmware The Zyxel Device will reboot automatically Figure 63 Cloud Helper What s New The Easy Mode dashboard is ...

Page 86: ...nd time Internet information such as Internet connection type WAN IP address and a button to test the connection VPN tunnel information and a button to monitor and create VPN tunnels Security information such as if the firewall is enabled and if supported security services are licensed You will be prompted to create a secure policy when a service is licensed and you turn it on in order for the ser...

Page 87: ...P Address MAC Address and Name This is the information you see under Network Client LAN information on wired and wireless connections to the Zyxel Device Guest Network information on guest wired and wireless connections to the Zyxel Device Wi Fi button to change Wi Fi channel Guest button turn the guest wireless network off or on 4 2 Initial Setup Wizard Language and Overview Figure 65 Initial Set...

Page 88: ...izard helps you set up basic options as shown in the screen At the end you will have the choice of finishing the wizard or continuing the wizard to configure the optional features as listed If you choose to finish the wizard you can configure the optional features later using their own separate links in the Easy Mode main screen ...

Page 89: ...ode ZyWALL USG Series User s Guide 89 4 2 1 Initial Setup Wizard Internet Figure 66 Initial Setup Wizard Connect to Internet This screen displays the Internet settings if the Zyxel Device can detect them automatically ...

Page 90: ...evice you re using for Internet access such as a broadband router and that the router is turned on The LED of the WAN1 interface on the Zyxel Device should be orange PPPoE Error Your Zyxel Device was not able to obtain an IP address Check that your Internet access information uses PPPoE as the WAN connection type Re enter your PPPoE user name and password exactly as given If it fails again check w...

Page 91: ... Setup Wizard Date and Time Figure 67 Initial Setup Wizard Date and Time It s important to have correct date and time values in the logs The Zyxel Device can automatically update the time and date by detecting your time zone and whether Daylight Savings is in effect in that time zone If your Zyxel Device cannot get the correct date and time it may not able to connect to a time server Check that th...

Page 92: ...Chapter 4 Easy Mode ZyWALL USG Series User s Guide 92 4 2 4 Initial Setup Wizard Register Device Figure 68 Initial Setup Wizard Non Registered Device Figure 69 Initial Setup Wizard Registered Device ...

Page 93: ...s highly recommended to at least register your Zyxel Device You will see the following prompt if your Zyxel Device is not registered Click the Register button in this screen to register your device at portal myzyxel com You need to create a myZyxel account at portal myzyxel com before you can register your device and activate the services at myZyxel When registering the Zyxel Device at myZyxel if ...

Page 94: ...Chapter 4 Easy Mode ZyWALL USG Series User s Guide 94 4 2 5 Initial Setup Wizard Activate Services Figure 70 Initial Setup Wizard Non Activated Services ...

Page 95: ...tection Protection attack patterns Anti Virus to detect virus patterns in files Anti Spam to mark or discard unsolicited commercial or junk e mail suspect of being sent by spammers Click Refresh and wait a few moments for the service information to update in this screen If the page does not refresh make sure the Internet connection is working and click Refresh again To check your Internet connecti...

Page 96: ...only be able to wirelessly access the Internet via the Zyxel Device for up to 4 hours Configure a descriptive name of from 1 to 32 alpha numeric characters hyphens or underscores a z A Z 0 9 _ for the wireless network name Wi Fi Set a Password of between 8 and 63 printable ASCII characters including spaces and symbols or 64 hexadecimal characters 0 9 a f that wireless users will have to enter for ...

Page 97: ... USG Series User s Guide 97 Figure 73 Remote Management HTTPS is added to the Default_Allow_WAN_to_ZyWALL rule in Object Service Service Group screen when you enable Remote Management Figure 74 Object Service Service Group HTTPS ...

Page 98: ...s in the dashboard Select from the following to continue configuring in this screen Security Service Content Filter IDP Anti Virus to configure subscriptions for these services Port Forwarding to set up a server in your network that people outside the network can access Guest LAN Wired Network to set up a guest network where users can access the Internet only from a wired connection to the OPT por...

Page 99: ... as dating and marriage Includes sites for match making online dating spousal introduction For example www i part com tw www imatchi com Gambling Sites that offer or are related to online gambling lottery casinos and betting agencies involving chance For example www taiwanlottery com tw www i win com tw www hkjc com Games Sites relating to computer or other games information about game producers o...

Page 100: ...g or professional reasons For example www facebook com www flickr com www groups google com Streaming Media Downloads Sites that deliver streaming content such as Internet radio Internet TV or MP3 and live or archived media download sites Includes fan sites or official sites run by musicians bands or record labels For example www youtube com pfp sina com cn my xunlei com Tasteless Sites with offen...

Page 101: ...le need access to from outside your network select the IP address of the NAS from Client Then select the service s that your NAS provides for example FTP HTTP HTTPS from the Available box and use the right arrow to move each service to the Member box Even though the NAS is in your local network receiving the protection of the Zyxel Device you can still access that NAS using these services from any...

Page 102: ...ress If the client selected does not have a static IP address the IP address may change when the client reboots so the Zyxel Device may not be able to find it If this happens check for the new IP address of the client Then add the new IP address by clicking Add here and entering it in the pop up screen 4 5 Initial Setup Wizard Guest LAN Figure 78 Initial Setup Wizard Guest LAN ...

Page 103: ...port are allowed Internet access only and do not have access to networks connected to the other ports When the OPT or P6 port is not a guest port then guest devices connected to that port can communicate with all networks including devices connected to the LAN DMZ ports If that is not your intention make sure Enable Guest Network for wired clients is selected and that guest devices are only connec...

Page 104: ... ZyWALL USG Series User s Guide 104 4 5 1 Connecting AP Scenarios If you connect an AP to a LAN port then users can use the AP s SSID to wirelessly access all wired resources connected to the LAN ports and Internet access ...

Page 105: ...ide 105 If you connect an AP to the Guest port then users can use the AP s SSID to wirelessly access all wired resources connected to the Guest port only and Internet access You must select both Enable Guest Wi Fi Network and Guest LAN Wired Network ...

Page 106: ... key group and so on are the same on both Zyxel Devices Make sure that both Zyxel Devices are able to communicate with each other Try pinging one gateway from a computer behind the other Make sure that there is not a firewall blocking VPN traffic in front of one of the Zyxel Devices Select IPSec VPN Settings for Configuration Provisioning to create a secure private connection between a Zyxel Devic...

Page 107: ...nicate with the Zyxel Device Try pinging the Zyxel Device from the computer Make sure that L2TP traffic is allowed through the WAN on the Zyxel Device 4 6 1 VPN Setup Wizard Wizard Type Choose Express to create a VPN rule with the default phase 1 and phase 2 settings to connect to another ZLD based Zyxel Device using a pre shared key Choose Advanced to change the default settings and or use certif...

Page 108: ...man key exchange to set up a shared session secret from which encryption keys are derived IKEv2 supports Extended Authentication Protocol EAP authentication and IKEv1 supports X Auth EAP is important when connecting to existing enterprise authentication systems Rule Name Type the name used to identify this VPN connection and VPN gateway You may use 1 31 alphanumeric characters underscores _ or das...

Page 109: ...ess or a domain name Only the remote IPSec router can initiate the VPN tunnel Remote Access Server Role choose this to allow incoming connections from IPSec VPN clients The clients have dynamic IP addresses and are also known as dial in users You don t specify the addresses of the client IPSec routers or the remote policy This creates a dynamic IPSec VPN rule that can let multiple clients connect ...

Page 110: ... to 128 pairs of hexadecimal 0 9 A F characters Proceed a hexadecimal key with 0x You will receive a PYLD_MALFORMED payload malformed packet if the same pre shared key is not used on both ends Local Policy IP Mask Type the IP address of a computer on your network that can use the tunnel You can also specify a subnet This must match the remote IP address configured on the remote IPSec device Remote...

Page 111: ...PSec device that can use the tunnel If this field displays Any only the remote IPSec device can initiate the VPN connection Copy and paste the Configuration for Secure Gateway commands into another ZLD based Zyxel Device s command line interface to configure it to serve as the other end of this VPN tunnel You can also use a text editor to save these commands as a shell script file with a zysh file...

Page 112: ...uide 112 Figure 84 VPN Express Wizard Finish Click Close to exit the wizard 4 6 6 VPN Advanced Wizard Scenario Click the Advanced radio button as shown in Figure 80 on page 107 to display the following screen Figure 85 VPN Advanced Wizard Scenario ...

Page 113: ...te the VPN tunnel Site to site with Dynamic Peer The remote IPSec device has a dynamic IP address Only the remote IPSec device can initiate the VPN tunnel Remote Access Server Role Allow incoming connections from IPSec VPN clients The clients have dynamic IP addresses and are also known as dial in users Only the clients can initiate the VPN tunnel Remote Access Client Role Connect to an IPSec serv...

Page 114: ...ash Algorithm are hash algorithms used to authenticate packet data The stronger the algorithm the slower it is Key Group DH5 is more secure than DH1 or DH2 although it may affect throughput DH1 default refers to Diffie Hellman Group 1 a 768 bit random number DH2 refers to Diffie Hellman Group 2 a 1024 bit 1Kb random number DH5 refers to Diffie Hellman Group 5 a 1536 bit random number SA Life Time ...

Page 115: ...allows faster IPSec setup but is less secure Select DH1 DH2 or DH5 to enable PFS DH5 is more secure than DH1 or DH2 although it may affect throughput DH1 refers to Diffie Hellman Group 1 a 768 bit random number DH2 refers to Diffie Hellman Group 2 a 1024 bit 1Kb random number DH5 refers to Diffie Hellman Group 5 a 1536 bit random number more secure yet slower Local Policy IP Mask Type the IP addre...

Page 116: ... Device that can use the tunnel Remote Policy IP address and subnet mask of the computers on the network behind the remote IPSec device that can use the tunnel Copy and paste the Configuration for Remote Gateway commands into another ZLD based Zyxel Device s command line interface Click Save to save the VPN rule 4 6 10 VPN Advanced Wizard Finish Now the rule is configured on the Zyxel Device The P...

Page 117: ...4 7 VPN Settings for Configuration Provisioning Wizard Wizard Type Use VPN Settings for Configuration Provisioning to set up a VPN rule that can be retrieved with the Zyxel Device IPSec VPN Client VPN rules for the Zyxel Device IPSec VPN Client have certain restrictions They must not contain the following settings ...

Page 118: ... 1 and phase 2 settings and to use a pre shared key Choose Advanced to change the default settings and or use certificates instead of a pre shared key in the VPN rule Figure 90 VPN Settings for Configuration Provisioning Express Wizard Wizard Type 4 7 1 Configuration Provisioning Express Wizard VPN Settings Click the Express radio button as shown in the previous screen to display the following scr...

Page 119: ...xtended Authentication Protocol EAP authentication and IKEv1 supports X Auth EAP is important when connecting to existing enterprise authentication systems Rule Name Type the name used to identify this VPN connection and VPN gateway You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Application Scenario Only the ...

Page 120: ...up to 128 pairs of hexadecimal 0 9 A F characters Proceed a hexadecimal key with 0x You will receive a PYLD_MALFORMED payload malformed packet if the same pre shared key is not used on both ends Local Policy IP Mask Type the IP address of a computer on your network You can also specify a subnet This must match the remote IP address configured on the remote IPSec device Remote Policy IP Mask Any di...

Page 121: ... Zyxel Device that can be accessed using the tunnel Remote Policy Any displays in this field because it is not configurable in this wizard The Configuration for Secure Gateway displays the configuration that the Zyxel Device IPSec VPN Client will get from the Zyxel Device Click Save to save the VPN rule 4 7 4 VPN Settings for Configuration Provisioning Express Wizard Finish Now the rule is configu...

Page 122: ... Configuration Provisioning Express Wizard Finish Click Close to exit the wizard 4 7 5 VPN Settings for Configuration Provisioning Advanced Wizard Scenario Click the Advanced radio button as shown in the screen shown in Figure 90 on page 118 to display the following screen ...

Page 123: ...n connecting to existing enterprise authentication systems Rule Name Type the name used to identify this VPN connection and VPN gateway You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Application Scenario Only the Remote Access Server Role is allowed in this wizard It allows incoming connections from the Zyxel...

Page 124: ...ey Triple DES 3DES is a variation on DES that uses a 168 bit key As a result 3DES is more secure than DES It also requires more processing power resulting in increased latency and decreased throughput AES128 uses a 128 bit key and is faster than 3DES AES192 uses a 192 bit key and AES256 uses a 256 bit key Authentication Algorithm MD5 Message Digest 5 and SHA Secure Hash Algorithm are hash algorith...

Page 125: ... disconnects the VPN tunnel Perfect Forward Secrecy PFS Disabling PFS allows faster IPSec setup but is less secure Select DH1 DH2 or DH5 to enable PFS DH5 is more secure than DH1 or DH2 although it may affect throughput DH1 refers to Diffie Hellman Group 1 a 768 bit random number DH2 refers to Diffie Hellman Group 2 a 1024 bit 1Kb random number DH5 refers to Diffie Hellman Group 5 a 1536 bit rando...

Page 126: ...his field because it is not configurable in this wizard It allows incoming connections from the Zyxel Device IPSec VPN Client Pre Shared Key VPN tunnel password Local Policy IP address and subnet mask of the computers on the network behind your Zyxel Device that can use the tunnel Remote Policy Any displays in this field because it is not configurable in this wizard Phase 1 Negotiation Mode This d...

Page 127: ...56 gives the highest security Key Group This displays the Diffie Hellman DH key group used DH5 is more secure than DH1 or DH2 although it may affect throughput DH1 uses a 768 bit random number DH2 uses a 1024 bit 1Kb random number DH5 uses a 1536 bit random number Phase 2 Active Protocol This displays ESP compatible with NAT or AH Encapsulation This displays Tunnel compatible with NAT or Transport...

Page 128: ...Device The Phase 1 rule settings appear in the VPN IPSec VPN VPN Gateway screen and the Phase 2 rule settings appear in the VPN IPSec VPN VPN Connection screen Enter the IP address of the Zyxel Device in the Zyxel Device IPSec VPN Client to get all these VPN settings automatically from the Zyxel Device Figure 99 VPN for Configuration Provisioning Advanced Wizard Finish Click Close to exit the wiza...

Page 129: ...set up an L2TP VPN rule Click Configuration Quick Setup VPN Settings and select VPN Settings for L2TP VPN Settings to see the following screen Figure 100 VPN Settings for L2TP VPN Settings Wizard L2TP VPN Settings Click Next to continue the wizard 4 8 1 L2TP VPN Settings 1 Figure 101 VPN Settings for L2TP VPN Settings Wizard L2TP VPN Settings ...

Page 130: ...ings 2 Figure 102 VPN Settings for L2TP VPN Settings Wizard L2TP VPN Settings IP Address Pool Select Range or Subnet from the pull down menu This IP address pool is used to assign to the L2TP VPN clients Starting IP Address Enter the starting IP address in the field End IP Address Enter the ending IP address in the field First DNS Server Optional Enter the first DNS server IP address in the field ...

Page 131: ...mmary This is a read only summary of the L2TP VPN settings Figure 103 VPN Settings for L2TP VPN Settings Advanced Settings Wizard Summary Summary Rule Name Identifies the L2TP VPN connection and the L2TP VPN gateway Secure Gateway Any displays in this field because it is not configurable in this wizard It allows incoming connections from the L2TP VPN Client Pre Shared Key L2TP VPN tunnel password ...

Page 132: ... for L2TP VPN Setting Wizard Completed Figure 104 VPN Settings for L2TP VPN Settings Wizard Finish Now the rule is configured on the Zyxel Device The L2TP VPN rule settings appear in the VPN L2TP VPN screen and also in the VPN IPSec VPN VPN Connection and VPN Gateway screen ...

Page 133: ...our local network receiving the protection of the Zyxel Device you can still access that NAS using these services from anywhere outside your network For example if you have a NAS server in your network that you or other people need access to from outside your network select the IP address of the NAS from Client Then select the service s that your NAS provides for example FTP HTTP HTTPS from the Av...

Page 134: ...o Service List if you cannot see the service in the list In the pop up screen click Add then enter the service name and port range that defines the service For example if you have a FileZilla Server in your network then enter FileZilla Server as the Service Name 14147 as the Starting Port and 14147 as the Ending Port 4 9 3 Port Forwarding UPnP The Zyxel Device supports both UPnP Universal Plug and...

Page 135: ...Chapter 4 Easy Mode ZyWALL USG Series User s Guide 135 Click Finish to complete the Port Forwarding Wizard 4 10 Wi Fi and Guest Network Wizard Figure 106 Wi Fi and Guest Network Setup ...

Page 136: ...irelessly access the Internet via the Zyxel Device for up to the period specified in Duration Configure a descriptive name of from 1 to 32 alpha numeric characters hyphens or underscores a z A Z 0 9 _ for the wireless network name Wi Fi Set a Password of between 8 and 63 printable ASCII characters including spaces and symbols or 64 hexadecimal characters 0 9 a f that wireless users will have to en...

Page 137: ... guest port are allowed Internet access only and do not have access to networks connected to the other ports When the OPT or P6 port is not a guest port then guest devices connected to that port can communi cate with all networks including devices connected to the LAN DMZ ports To avoid this make sure Enable Guest Network for wired clients is selected and that guest devices are only connected to t...

Page 138: ...ZyWALL USG Series User s Guide 138 4 10 2 Connecting AP Scenarios If you connect an AP to a LAN port then users can use the AP s SSID to wirelessly access all wired resources connected to the LAN ports and Internet access ...

Page 139: ...o wirelessly access all wired resources connected to the Guest port only and Internet access You must select both Enable Guest Wi Fi Network and Guest LAN Wired Network 4 11 Security Service Wizard Figure 108 Register First You must first register the Zyxel Device at portal myzyxel com and activate licenses for required services ...

Page 140: ...to block websites by category such as Gambling IDP to recognize and drop traffic with Intrusion Detection Protection attack patterns Anti Virus to detect virus patterns in files Click Refresh and wait a few moments for the registration information to update in this screen If the page does not refresh make sure the Internet connection is working and click Refresh again To check your Internet connec...

Page 141: ...ity Sites that contain full or partial nudity that are not necessarily overtly sexual in intent Includes sites that advertise or sell lingerie intimate apparel or swim wear For example www easyshop com tw www faster swim com tw image baidu com Pornography Sexually Explicit Sites that contain explicit sexual content Includes adult products such as sex toys CD ROMs and videos adult services such as ...

Page 142: ... race religion gender age disability sexual orientation or nationality For example www racist jokes com aryan nations org whitepower com Illegal Drugs Sites with information on the purchase manufacture and use of illegal or recreational drugs and their paraphernalia and misuse of prescription drugs and other compounds For example www cannabis net www amphetamines com Illegal Software Sites that il...

Page 143: ...usion Detection Protection attack patterns Select Enable Anti Virus to detect virus patterns in files 4 11 2 Security Service Wizard 3 Websites Figure 111 Security Wizard 3 Trusted and Forbidden Websites Here you can create a list of good trusted web site addresses and a list of bad forbidden web site addresses Click Add to create a new trusted or forbidden web site Enter host names such as www go...

Page 144: ...urity Wizard 4 Exemptions Select devices which are exempted from content file category and trusted forbidden web site policies Click Add Client Address under Client List if you cannot see the client to exempt in the list In the pop up screen you can add a new client by entering its Name IP Address and MAC Address ...

Page 145: ...e constantly evolving Use the Zyxel Device s Anti Virus AV feature to protect your connected network from virus spyware infection A computer virus is a small program designed to corrupt and or alter the operation of other legitimate programs A worm is a self replicating virus that resides in active memory and duplicates itself Zyxel Device s Anti Virus consists of a set of signatures which examine...

Page 146: ...e you have to register the Zyxel Device and activate the corresponding service at myZyxel through the Zyxel Device Use the MyZyxel Portal link to create an account at myZyxel Then register your device You may need your Zyxel Device s serial number and LAN MAC address to register it at myZyxel Refer to the myZyxel web site s on line help for details To have the Zyxel Device use subscription service...

Page 147: ...the walkthroughs do not perform the actual configuring but just show you how to do it Troubleshooting Click this icon to go to a series of screens that guide you how to fix problems with the feature Application Patrol Click this icon for more information on Application Patrol which identifies traffic that passes through the Zyxel Device so you can decide what to do with specific types of traffic T...

Page 148: ...ted commercial or junk e mail and e mail from certain servers suspect of being used by spammers VPN Click this icon for more information on IPSec and SSL VPN Internet Protocol Security IPSec VPN connects IPSec routers or remote users using IPSec client software SSL VPN allows users to use a web browser for secure remote user login without need of a VPN router or VPN client software Download VPN Cl...

Page 149: ... link to open a wizard to set up a WAN Internet connection This wizard creates matching ISP account settings in the Zyxel Device if you use PPPoE or PPTP See Section 5 2 on page 150 VPN Setup Use VPN Setup to configure a VPN Virtual Private Network rule for a secure connection to another computer or network Use VPN Settings for Configuration Provisioning to set up a VPN rule that can be retrieved ...

Page 150: ...e Quick Setup Click WAN Interface in the main Quick Setup screen to open the WAN Interface Quick Setup Wizard Welcome screen Use these screens to configure an interface to connect to the Internet Click Next Figure 117 WAN Interface Quick Setup Wizard 5 2 1 Choose an Ethernet Interface Select a WAN interface names vary by model that you want to configure for a WAN connection and click Next ...

Page 151: ... used as a regular Ethernet Otherwise choose PPPoE PPTP or L2TP for a dial up connection according to the information from your ISP Figure 119 WAN Interface Setup Step 2 The screens vary depending on what encapsulation type you use Refer to information provided by your ISP to know what to enter in each field Leave a field blank if you don t have that information Note Enter the Internet access info...

Page 152: ...P Figure 121 WAN Interface Setup Step 2 Ethernet Static IP WAN Interface This is the interface you are configuring for Internet access Zone This is the security zone to which this interface and Internet connection belong IP Address Assignment Select Auto If your ISP did not assign you a fixed IP address Select Static if you have a fixed IP address and enter the IP address subnet mask gateway IP ad...

Page 153: ...ttings This screen is read only if you select Ethernet and set the IP Address Assignment to Auto If you set the IP Address Assignment to static and or select PPTP or PPPoE enter the Internet access information exactly as your ISP gave it to you Note Enter the Internet access information exactly as your ISP gave it to you Figure 122 WAN and ISP Connection Settings PPTP ...

Page 154: ...ngs PPPoE Figure 124 WAN and ISP Connection Settings L2TP ISP Parameter This section appears if the interface uses a PPPoE or PPTP Internet connection Encapsulation This displays the type of Internet connection you are configuring Service Name Type the PPPoE service name if you were given one by your ISP ...

Page 155: ...signed to you by your ISP if given Gateway IP Address For PPTP or L2TP type the gateway IP address if you were given one by your ISP Server IP Type the IP address of the PPTP server Connection ID Enter the connection ID or connection name in this field It must follow the c id and n name format For example C 12 or N My ISP This field is optional and depends on the requirements of your DSL modem You...

Page 156: ...0 means no timeout Connection ID If you specified a connection ID it displays here WAN Interface This identifies the interface you configure to connect with your ISP Zone This field displays to which security zone this interface and Internet connection will belong IP Address Assignment This field displays whether the WAN IP address is static or dynamic Auto IP Address This field displays the curre...

Page 157: ...n to another computer or network VPN Settings for Configuration Provisioning sets up a VPN rule the Zyxel Device IPSec VPN Client can retrieve Just enter a user name password and the IP address of the Zyxel Device in the IPSec VPN Client to get the VPN settings automatically from the Zyxel Device VPN Settings for L2TP VPN Settings sets up a L2TP VPN rule that the Zyxel Device IPSec L2TP VPN client...

Page 158: ...d or use certificates instead of a pre shared key to create a VPN rule to connect to another IPSec device Figure 128 VPN Setup Wizard Wizard Type 5 3 3 VPN Express Wizard Scenario Click the Express radio button as shown in Figure 128 on page 158 to display the following screen Figure 129 VPN Express Wizard Scenario ...

Page 159: ...This value is case sensitive Select the scenario that best describes your intended VPN connection The figure on the left of the screen changes to match the scenario you select Site to site The remote IPSec device has a static IP address or a domain name This Zyxel Device can initiate the VPN tunnel Site to site with Dynamic Peer The remote IPSec device has a dynamic IP address Only the remote IPSe...

Page 160: ...t This must match the remote IP address configured on the remote IPSec device Remote Policy IP Mask Any displays in this field if it is not configurable for the chosen scenario Otherwise type the IP address of a computer behind the remote IPSec device You can also specify a subnet This must match the local IP address configured on the remote IPSec device 5 3 5 VPN Express Wizard Summary This scree...

Page 161: ...save these commands as a shell script file with a zysh filename extension Use the file manager to run the script in order to configure the VPN connection See the commands reference guide for details on the commands displayed in this list 5 3 6 VPN Express Wizard Finish Now the rule is configured on the Zyxel Device The Phase 1 rule settings appear in the Configuration VPN IPSec VPN VPN Gateway scr...

Page 162: ...y You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Select the scenario that best describes your intended VPN connection The figure on the left of the screen changes to match the scenario you select Site to site The remote IPSec device has a static IP address or a domain name This Zyxel Device can initiate the V...

Page 163: ...gotiation mode Encryption Algorithm 3DES and AES use encryption The longer the key the higher the security this may affect throughput Both sender and receiver must use the same secret key which can be used to encrypt and decrypt the message or to generate and verify a message authentication code The DES encryption algorithm uses a 56 bit key Triple DES 3DES is a variation on DES that uses a 168 bi...

Page 164: ...ES and AES use encryption The longer the AES key the higher the security this may affect throughput Null uses no encryption Authentication Algorithm MD5 gives minimal security and SHA512 gives the highest security MD5 Message Digest 5 and SHA Secure Hash Algorithm are hash algorithms used to authenticate packet data The stronger the algorithm the slower it is SA Life Time Set how often the Zyxel D...

Page 165: ...igure 136 VPN Advanced Wizard Summary Rule Name Identifies the VPN connection and the VPN gateway Secure Gateway IP address or domain name of the remote IPSec device Pre Shared Key VPN tunnel password Certificate The certificate the Zyxel Device uses to identify itself when setting up the VPN tunnel Local Policy IP address and subnet mask of the computers on the network behind your Zyxel Device th...

Page 166: ...Device s command line interface Click Save to save the VPN rule 5 3 11 VPN Advanced Wizard Finish Now the rule is configured on the Zyxel Device The Phase 1 rule settings appear in the VPN IPSec VPN VPN Gateway screen and the Phase 2 rule settings appear in the VPN IPSec VPN VPN Connection screen Figure 137 VPN Wizard Finish Click Close to exit the wizard ...

Page 167: ...lowing settings AH active protocol NULL encryption SHA512 authentication A subnet or range remote policy Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and to use a pre shared key Choose Advanced to change the default settings and or use certificates instead of a pre shared key in the VPN rule Figure 138 VPN Settings for Configuration Provisioning Express Wizard ...

Page 168: ...xtended Authentication Protocol EAP authentication and IKEv1 supports X Auth EAP is important when connecting to existing enterprise authentication systems Rule Name Type the name used to identify this VPN connection and VPN gateway You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Application Scenario Only the ...

Page 169: ...rs or up to 128 pairs of hexadecimal 0 9 A F characters Proceed a hexadecimal key with 0x You will receive a PYLD_MALFORMED payload malformed packet if the same pre shared key is not used on both ends Local Policy IP Mask Type the IP address of a computer on your network You can also specify a subnet This must match the remote IP address configured on the remote IPSec device Remote Policy IP Mask ...

Page 170: ...evice that can be accessed using the tunnel Remote Policy Any displays in this field because it is not configurable in this wizard The Configuration for Secure Gateway displays the configuration that the Zyxel Device IPSec VPN Client will get from the Zyxel Device Click Save to save the VPN rule 5 4 4 VPN Settings for Configuration Provisioning Express Wizard Finish Now the rule is configured on t...

Page 171: ...N for Configuration Provisioning Express Wizard Finish Click Close to exit the wizard 5 4 5 VPN Settings for Configuration Provisioning Advanced Wizard Scenario Click the Advanced radio button as shown in the screen shown in Figure 138 on page 167 to display the following screen ...

Page 172: ...n connecting to existing enterprise authentication systems Rule Name Type the name used to identify this VPN connection and VPN gateway You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Application Scenario Only the Remote Access Server Role is allowed in this wizard It allows incoming connections from the Zyxel...

Page 173: ...56 bit key Triple DES 3DES is a variation on DES that uses a 168 bit key As a result 3DES is more secure than DES It also requires more processing power resulting in increased latency and decreased throughput AES128 uses a 128 bit key and is faster than 3DES AES192 uses a 192 bit key and AES256 uses a 256 bit key Authentication Algorithm MD5 Message Digest 5 and SHA Secure Hash Algorithm are hash ...

Page 174: ...arily disconnects the VPN tunnel Perfect Forward Secrecy PFS Disabling PFS allows faster IPSec setup but is less secure Select DH1 DH2 or DH5 to enable PFS DH5 is more secure than DH1 or DH2 although it may affect throughput DH1 refers to Diffie Hellman Group 1 a 768 bit random number DH2 refers to Diffie Hellman Group 2 a 1024 bit 1Kb random number DH5 refers to Diffie Hellman Group 5 a 1536 bit ...

Page 175: ...cal Policy IP address and subnet mask of the computers on the network behind your Zyxel Device that can use the tunnel Remote Policy Any displays in this field because it is not configurable in this wizard Phase 1 Negotiation Mode This displays Main or Aggressive Main encrypts the Zyxel Device s and remote IPSec router s identities but takes more time to establish the IKE SA Aggressive is faster b...

Page 176: ...mpatible with NAT or AH Encapsulation This displays Tunnel compatible with NAT or Transport Encryption Algorithm This displays the encryption method used The longer the key the higher the security the lower the throughput possibly DES uses a 56 bit key 3DES uses a 168 bit key AES128 uses a 128 bit key AES192 uses a 192 bit key AES256 uses a 256 bit key Null uses no encryption Authentication Algori...

Page 177: ... all these VPN settings automatically from the Zyxel Device Figure 147 VPN for Configuration Provisioning Advanced Wizard Finish Click Close to exit the wizard 5 5 VPN Settings for L2TP VPN Settings Wizard Use VPN Settings for L2TP VPN Settings to set up an L2TP VPN rule Click Configuration Quick Setup VPN Setup and select VPN Settings for L2TP VPN Settings to see the following screen ...

Page 178: ...yWALL USG Series User s Guide 178 Figure 148 VPN Settings for L2TP VPN Settings Wizard L2TP VPN Settings Click Next to continue the wizard 5 5 1 L2TP VPN Settings Figure 149 VPN Settings for L2TP VPN Settings Wizard L2TP VPN Settings ...

Page 179: ...ngs Wizard L2TP VPN Settings IP Address Pool Select Range or Subnet from the pull down menu This IP address pool is used to assign to the L2TP VPN clients Starting IP Address Enter the starting IP address in the field End IP Address Enter the ending IP address in the field Network Enter the IPv4 IP address in this field if you selected SUBNET Netmask Enter the associated subnet mask of the subnet ...

Page 180: ...L2TP VPN Setting Wizard Summary This is a read only summary of the L2TP VPN settings Figure 151 VPN Settings for L2TP VPN Settings Advanced Settings Wizard Summary Rule Name Identifies the L2TP VPN connection and the L2TP VPN gateway Secure Gatewa Any displays in this field because it is not configurable in this wizard It allows incoming connections from the L2TP VPN Client Pre Shared Key L2TP VPN...

Page 181: ... VPN Setting Wizard Completed Figure 152 VPN Settings for L2TP VPN Settings Wizard Finish Now the rule is configured on the Zyxel Device The L2TP VPN rule settings appear in the Configuration VPN L2TP VPN screen and also in the Configuration VPN IPSec VPN VPN Connection and VPN Gateway screen ...

Page 182: ...ge 190 Secured Service Status Screen on page 191 Content Filter Statistics Screen on page 192 Top 5 Viruses Screen on page 192 Top 5 Intrusions Screen on page 193 Top 5 IPv4 IPv6 Security Policy Rules that Blocked Traffic Screen on page 193 The Latest Alert Logs Screen on page 194 6 2 Main Dashboard Screen The Dashboard screen displays when you log into the Zyxel Device or click Dashboard in the n...

Page 183: ...played in the widget Refresh Now D Click this to update the widget s information immediately Close Widget E Click this to close the widget Use Widget Settings to re open it Virtual Device Rear Panel Click this to view details about the Zyxel Device s rear panel Hover your cursor over a connected interface or slot to display status details Front Panel Click this to view details about the status of ...

Page 184: ... 10 7 on page 338 for the status that can appear For the auxiliary interface Inactive The auxiliary interface is disabled Connected The auxiliary interface is enabled and connected Disconnected The auxiliary interface is not connected HA Status This field displays the status of the interface in the virtual router Active This interface is the master interface in the virtual router Stand By This int...

Page 185: ...umber This field displays the serial number of this Zyxel Device The serial number is used for device tracking and control MAC Address Range This field displays the MAC addresses used by the Zyxel Device Each physical port has one MAC address The first MAC address is assigned to physical port 1 the second MAC address is assigned to physical port 2 and so on Firmware Version This field displays the...

Page 186: ...n to the Zyxel Device Boot Status This field displays details about the Zyxel Device s startup state OK The Zyxel Device started up successfully Firmware update OK A firmware update was successful Problematic configuration after firmware update The application of the configuration failed after a firmware upgrade System default configuration The Zyxel Device successfully applied the system default ...

Page 187: ...entries by MAC address Click the heading cell again to reverse the sort order Description For a static DHCP entry the host name or the description you configured shows here This field is blank for dynamic DHCP entries Reserve If this field is selected this entry is a static DHCP entry The IP address is reserved for the MAC address If this field is clear this entry is a dynamic DHCP entry The IP ad...

Page 188: ...User Info This field displays the types of user accounts the Zyxel Device uses If the user type is ext user external user this field will show its external group information when you move your mouse over it If the external user matches two external group objects both external group object names will be shown Force Logout Click this icon to end a user s session Table 26 Dashboard System Status Numb...

Page 189: ...d is installed SEM VPN VPN accelerator The SEM VPN provides 500 Mbps VPN throughput 2 000 IPSec VPN tunnels and 750 SSL VPN users SEM DUAL accelerator for both VPN and UTM The SEM DUAL provides the benefits of the SEM VPN and increases the maximum anti virus and IDP traffic throughput from 100 Mbps to 400 Mbps USB Flash Drive Indicates a connected USB storage device and the drive s storage capacit...

Page 190: ...have any physical ports associated with it or the Ethernet interface is enabled but not connected Speed Duplex The Ethernet interface is enabled and connected This field displays the port speed and duplex setting Full or Half For cellular mobile broadband interfaces see Section 7 11 on page 214 for the status that can appear For the auxiliary interface Inactive The auxiliary interface is disabled ...

Page 191: ...a DHCP If this interface is a member of an active virtual router this field displays the IP address it is currently using This is either the static IP address of the interface if it is the master or the management IP address if it is a backup IP Assignment This field displays the interface s IP assignment It will show DHCP or Static Action Use this field to get or to update the IP address for the ...

Page 192: ...oard Content Filter Statistics LABEL DESCRIPTION Web Request Statistics Total Web Pages Inspected This is the number of web pages the Zyxel Device has checked to see whether they belong to the categories you selected in the content filter screen Blocked This is the number of web pages that the Zyxel Device blocked access Warned This is the number of web pages for which the Zyxel Device has display...

Page 193: ...e has detected the event described in the entry Table 33 Dashboard Top 5 Intrusions LABEL DESCRIPTION This is the entry s rank in the list of the most commonly triggered signature policies Signature ID This is the identification number of the signature Signature Name This is the name of the signature Type This is the type of the signature for example Schedule Severity This is the level of threat t...

Page 194: ...BEL DESCRIPTION Table 35 Dashboard The Latest Alert Logs LABEL DESCRIPTION This is the entry s rank in the list of alert logs Time This field displays the date and time the log was created Priority This field displays the severity of the log Category This field displays the type of log generated Message This field displays the actual log message Source This field displays the source address if any...

Page 195: ...195 PART II Technical Reference ...

Page 196: ... DDNS domain names Use the System Status IP MAC Binding screen Section 7 8 on page 210 to view a list of devices that have received an IP address from Zyxel Device interfaces with IP MAC binding enabled Use the System Status Login Users screen Section 7 9 on page 211 to look at a list of the users currently logged into the Zyxel Device Use the System Status Dynamic Guest screen see Section 7 10 on...

Page 197: ...he connected statement printers Use the SecuDeployer screen see Section 7 27 on page 239 to view Zyxel Device SecuDeployer client s managed by the Zyxel Device SecuDeployer server A Zyxel Device SecuDeployer server provisions local interfaces and IPSec tunnels to Zyxel Device SecuDeployer clients Use the VPN Monitor IPSec screen Section 7 28 on page 244 to display and manage active IPSec SAs Use t...

Page 198: ...describes the labels in this screen Table 36 Monitor System Status Port Statistics LABEL DESCRIPTION Poll Interval Enter how often you want this window to be updated automatically and click Set Interval Set Interval Click this to set the Poll Interval the screen uses Stop Click this to stop the window from updating automatically You can start it again by setting the Poll Interval and clicking Set ...

Page 199: ... per second on the physical port in the one second interval before the screen updated Rx B s This field displays the reception speed in bytes per second on the physical port in the one second interval before the screen updated Up Time This field displays how long the physical port has been connected System Up Time This field displays how long the Zyxel Device has been running since it last restart...

Page 200: ...nsmission or reception time The x axis shows the time period over which the transmission or reception occurred TX This line represents traffic transmitted from the Zyxel Device on the physical port since it was last connected RX This line represents the traffic received by the Zyxel Device on the physical port since it was last connected Last Update This field displays the date and time the inform...

Page 201: ...ry interface is not connected For virtual interfaces this field always displays Up If the virtual interface is disabled it does not appear in the list For VLAN and bridge interfaces this field always displays Up If the VLAN or bridge interface is disabled it does not appear in the list For PPP interfaces Connected The PPP interface is connected Disconnected The PPP interface is not connected If th...

Page 202: ...s lit when the entry is active and dimmed when the entry is inactive Zone This field displays the zone to which the interface is assigned IP Address This is the IP address of the interface If the interface is active and connected the Zyxel Device tunnels local traffic sent to this IP address to the Remote Gateway Address My Address This is the interface or IP address uses to identify itself to the...

Page 203: ...e This field displays the zone to which the interface is assigned IP Address This field displays the current IPv6 address assigned to the interface If the IPv6 address is the interface is disabled or did not receive an IPv6 address via DHCP If this interface is a member of an active virtual router this field displays the IPv6 address it is currently using This is either the static IPv6 address of ...

Page 204: ... you have to start and stop it manually in the Traffic Statistics screen Status This field displays the current status of the interface Down The interface is not connected Speed Duplex The interface is connected This field displays the port speed and duplex setting Full or Half This field displays Connected and the accumulated connection time hh mm ss when the PPP interface is connected TxPkts Thi...

Page 205: ...es Sort By Select the type of report to display Choices are Host IP Address User displays the IP addresses or users with the most traffic and how much traffic has been sent to and from each one Service Port displays the most used protocols or service ports and the amount of traffic for each one Web Site Hits displays the most visited Web sites and how many times each one has been visited Country d...

Page 206: ...ffic for the particular protocol or service port The count starts over at zero if the number of bytes passes the byte count limit See Table 40 on page 206 These fields are available when the Traffic Type is Web Site Hits This field is the rank of each record The domain names are sorted by the number of hits Web Site This field displays the domain names most often visited The Zyxel Device counts ea...

Page 207: ...mber of bytes transmitted so far Duration so far You can look at all established sessions that passed through the Zyxel Device by user service source IP address or destination IP address You can also filter the information by user protocol service or service group source address and or destination address and view it by user Click Monitor System Status Session Monitor to display the following scre...

Page 208: ...ies the service by comparing the protocol and destination port of each packet to the protocol and port of each services that is defined Source Address This field displays when View is set to all sessions Type the source IP address whose sessions you want to view You cannot include the source port Source Country This field displays when View is set to all sessions Select the country where the traff...

Page 209: ...estination IP address s sessions Destination Country This field displays the destination country in each active session Rx This field displays the amount of information received by the source in the active session Tx This field displays the amount of information transmitted by the source in the active session Duration This field displays the length of the active session in seconds Table 41 Monitor...

Page 210: ...System Status IP MAC Binding Table 43 Monitor System Status DDNS Status LABEL DESCRIPTION Update Click this to have the Zyxel Device update the profile to the DDNS server The Zyxel Device attempts to resolve the IP address for the domain name This field is a sequential value and it is not associated with a specific DDNS server Profile Name This field displays the descriptive profile name for this ...

Page 211: ...ld displays the MAC address to which the IP address is currently assigned Last Access This is when the device last established a session with the Zyxel Device through this interface Description This field displays the description of the IP MAC binding Table 45 Monitor System Status Login Users LABEL DESCRIPTION Force Logout Select a user ID and click this icon to end a user s session This field is...

Page 212: ... specifically for private networks 10 0 0 0 10 255 255 255 172 16 0 0 172 31 255 255 192 168 0 0 192 168 255 255 224 0 0 0 239 255 255 255 MAC This field displays the MAC address of the computer used to log in to the Zyxel Device User Info This field displays the types of user accounts the Zyxel Device uses If the user type is ext user external user this field will show its external group informat...

Page 213: ...ach account Time Period This field displays the total account of time the account can use to access the Internet through the Zyxel Device Expiration Time This field displays the date and time the account becomes invalid Note Once the time allocated to a dynamic account is used up or a dynamic account remains un used after the expiration time the account is deleted from the account list Quota T U D...

Page 214: ...nd online This guest account has been used but is offline now This guest account expired This guest account has been deleted Table 46 Monitor System Status Dynamic Guest continued LABEL DESCRIPTION Table 48 Monitor System Status Cellular Status LABEL DESCRIPTION Refresh Click this button to update the information in the screen More Information Click this to display more information on your mobile ...

Page 215: ...ntered an incorrect device code Device unlocked You entered the correct device code and unlocked a CDMA2000 mobile broadband device Get dev info fail The Zyxel Device cannot get cellular device information Get dev info ok The Zyxel Device succeeded in retrieving mobile broadband device information Searching network The mobile broadband device is searching for a network Get signal fail The mobile b...

Page 216: ...A when you insert a CDMA mobile broadband card Signal Quality This displays the strength of the signal The signal strength mainly depends on the antenna output power and the distance between your Zyxel Device and the service provider s base station Table 48 Monitor System Status Cellular Status continued LABEL DESCRIPTION Table 49 Monitor System Status Cellular Status More Information LABEL DESCRI...

Page 217: ...national Mobile Equipment Identity is a 15 digit code in decimal format that identifies the mobile broadband device ESN Electronic Serial Number is an 8 digit code in hexadecimal format that identifies the mobile broadband device SIM Card IMSI IMSI International Mobile Subscriber Identity is a 15 digit code that identifies the SIM card Table 49 Monitor System Status Cellular Status More Informatio...

Page 218: ...oming connection requests Internal Client This field displays the DNS host name or IP address of a client on the LAN Multiple NAT clients can use a single port simultaneously if the internal client field is set to 255 255 255 255 for UDP mappings Internal Client Type This field displays the type of the client application on the LAN Description This field displays a text explanation of the NAT mapp...

Page 219: ...mputer on which the ZON utility is installed Click Monitor System Status Ethernet Neighbor to see the following screen Figure 181 Monitor System Status Ethernet Neighbor Status Ready you can have the Zyxel Device use the USB storage device Click Remove Now to stop the Zyxel Device from using the USB storage device so you can remove it Unused the connected USB storage device was manually unmounted ...

Page 220: ... checks the IP address website mapping in response to the DNS query and then finds the FQDN object match The Security Policy that has this FQDN object match can then block the configured users from accessing the website Table 52 Monitor System Status Ethernet Neighbor LABEL DESCRIPTION Local Port Description This field displays the port of the Zyxel Device on which the neighboring device is discov...

Page 221: ...ied domain name IP Address This field displays the mapping of the FQDN to an IP address This is the IP address of a host TTL This field displays the number of seconds the Zyxel Device holds IP address FQDN object mapping in its cache The mapping is updated when the TTL Time To Live setting expires IPv6 FQDN Object Cache List You must first configure IPv6 FQDN objects in Configuration Object Addres...

Page 222: ... holds IP address FQDN object mapping in its cache The mapping is updated when the TTL Time To Live setting expires Refresh Click this button to update the information in the screen Table 53 Monitor System Status FQDN Object LABEL DESCRIPTION Table 54 Monitor Wireless AP Information AP List LABEL DESCRIPTION Config AP Select an AP and click this to change the selected AP s group radio VLAN and por...

Page 223: ...ercentage of the AP s processing capability is currently being used IP Address This field displays the IP address of the AP Model This field displays the AP s hardware model information It displays N A not applicable only when the AP disconnects from the Zyxel Device and the information is unavailable as a result Group This displays the name of the AP group to which the AP belongs Station This fie...

Page 224: ... adapter and or through a PoE switch injector using IEEE 802 3at PoE plus The PoE device that supports IEEE 802 3at PoE Plus can supply power of up to 30W per Ethernet port Limited the AP receives power through a PoE switch injector using IEEE 802 3af PoE even when it is also connected to a power source using a power adaptor The PoE device that supports IEEE 802 3af PoE can supply power of up to 1...

Page 225: ...Monitor Wireless AP Information AP List More Information LABEL DESCRIPTION Configuration Status This displays whether or not any of the AP s configuration is in conflict with the Zyxel Device s settings for the AP Non Support If any of the AP s configuration conflicts with the Zyxel Device s settings for the AP this field displays which configuration conflicts It displays n a if none of the AP s c...

Page 226: ...ical port has been connected VLAN Configuration Name This shows the name of the VLAN Status This displays whether or not the VLAN is activated VID This shows the VLAN ID number Member This field displays the Ethernet port s that is a member of this VLAN Station Count The y axis represents the number of connected stations The x axis shows the time over which a station was connected Last Update This...

Page 227: ... create a new Radio Profile object to associate with this AP MAC This displays the MAC address of the selected AP Model This field displays the AP s hardware model information It displays N A not applicable only when the AP disconnects from the Zyxel Device and the information is unavailable as a result Description Enter a description for this AP You can use up to 31 characters spaces and undersco...

Page 228: ...e the AP output power setting with the setting you configure here Output Power Set the output power of the AP Override Group SSID Setting Select this option to overwrite the AP SSID profile setting with the setting you configure here This section allows you to associate an SSID profile with the radio Edit Select an SSID and click this button to reassign it The selected SSID becomes editable immedi...

Page 229: ...ld displays the station count information Rx This field displays the total number of bytes received by the radio Tx This field displays the total number of bytes transmitted by the radio Model This field displays the AP s hardware model information It displays N A not applicable only when the AP disconnects from the Zyxel Device and the information is unavailable as a result MAC Address This field...

Page 230: ...ows you to view detailed information about a selected radio s SSID s wireless traffic and wireless clients for the preceding 24 hours To access this window select an entry and click the More Information button in the Radio List screen Figure 187 Monitor Wireless AP Information Radio List More Information ...

Page 231: ...SSID Security Mode This displays the security mode in which the SSID is operating Forwarding Mode This field indicates the forwarding mode Local Bridge or Tunnel associated with the SSID profile VLAN This displays the VLAN ID associated with the SSID Traffic Statistics This graph displays the overall traffic information about the radio over the preceding 24 hours y axis This axis represents the am...

Page 232: ...y Station Number select the measure unit in GB or MB to display the graph Traffic Usage This graph displays the overall traffic information about the top five or top ten wireless traffic for the preceding 24 hours y axis The y axis represents the amount of traffic in megabytes gigabytes x axis The x axis represents the time over which wireless traffic flows transmitting from to the AP Station Coun...

Page 233: ...usage and wireless stations Usage by Select the measure unit in GB or MB to display the graph Traffic Usage This graph displays the overall traffic information about the AP you specified for the preceding 24 hours y axis The y axis represents the amount of traffic in megabytes gigabytes x axis The x axis represents the time over which wireless traffic flows transmitting from to the AP Station Coun...

Page 234: ...y 2 means there is another repeater AP between the managed AP and the root AP Uplink AP Info This shows the role and descriptive name of the managed AP to which this managed AP is connected wirelessly SSID Name This indicates the name of the wireless network SSID the managed AP uses to associated with another managed AP Signal Strength Before the slash this shows the signal strength the uplink AP ...

Page 235: ...lients which are currently connected to the SSID using the 2 4 GHz frequency band Click the number to go to the Station Info Station List screen See Section 7 23 on page 236 5GHz This shows the number of wireless clients which are currently connected to the SSID using the 5 GHz frequency band Click the number to go to the Station Info Station List screen See Section 7 23 on page 236 SSID Profile N...

Page 236: ...ddress This field displays the IP address of the station Tx Rate This field displays the transmit data rate of the station Rx Rate This field displays the receive data rate of the station Tx This field displays the number of bytes transmitted from the station Rx This field displays the number of bytes received by the station Association Time This field displays the time duration the station was on...

Page 237: ...ons in megabytes per second Refresh Click Refresh to update this screen Table 65 Monitor Wireless Station Info Top N Stations LABEL DESCRIPTION Table 66 Monitor Wireless Station Info Single Station LABEL DESCRIPTION Station Selection Select this to view the traffic statistics of the wireless station Usage by Select the measure unit in GB or MB to display the graph Traffic Usage This graph displays...

Page 238: ...ogue AP A rogue AP can be contained in the Configuration Wireless MON Mode screen Mark as Friendly AP Click this button to mark the selected AP as a friendly AP For more on managing friendly APs see the Configuration Wireless MON Mode screen This is the station s index number in this list Status This indicates the detected device s status Device This indicates the detected device s network type su...

Page 239: ...itor Wireless Detected Device continued LABEL DESCRIPTION Table 68 Monitor Printer Status LABEL DESCRIPTION This is the index number of the printer in the list IPv4 Address This field displays the IP address of the printer that you configured in the Configuration Hotspot Printer Manager General Add screen Update Time This field displays the date and time the Zyxel Device last synchronized with the...

Page 240: ...yer LABEL DESCRIPTION SecuDeployer Monitor Index This is the index number of a Zyxel Device SecuDeployer client entry Connected This displays whether the Zyxel Device SecuDeployer client is connected to the Zyxel Device SecuDeployer server or not Host This is the name of the Zyxel Device SecuDeployer client IP Port This is the IP address and port number the Zyxel Device SecuDeployer client uses to...

Page 241: ... entry S N This displays the serial number of the Zyxel Device SecuDeployer client entry CPU This displays what percentage of the Zyxel Device SecuDeployer client s processing capability is currently being used MEM This displays what percentage of the Zyxel Device SecuDeployer client s RAM is currently being used Model This displays the model type of the Zyxel Device SecuDeployer client entry Vers...

Page 242: ... details on the Zyxel Device SecuDeployer client This displays the Zyxel Device SecuDeployer client IPSec entry number Name This displays the Zyxel Device SecuDeployer client IPSec entry name Policy This displays the Zyxel Device SecuDeployer client IPSec scenario Site to site Policy Based or VTI Route Based Algorithm This displays the encryption authentication algorithm and key group the IPSec VP...

Page 243: ...ient This displays the Zyxel Device SecuDeployer client interface entry number Name This displays the Zyxel Device SecuDeployer client interface name Type This displays the type of network internal to which this interface will connect Subnetting This displays the interface s subnet on the Zyxel Device SecuDeployer client DHCP server This displays whether a DHCP server that is on the network connec...

Page 244: ...tic Route Traffic Direction This displays the direction of traffic packets for which the route applies Server to Client or Client to Server Destination This displays the destination IP address and the subnet mask of the route Next hop This displays the next hop gateway or the interface through which the traffic is routed Close Click this to close this screen Table 71 Monitor Cloud CNM SecuDeployer...

Page 245: ... Connection Check Select an IPSec SA and click this button to check the connection This field is a sequential value and it is not associated with a specific SA Serial Number This field displays the serial number of this ZyXEL device System Name This field displays the name used to identify this ZyXEL device Name This field displays the name of the IPSec SA Policy This field displays the content of...

Page 246: ...d click this button to terminate the user s connection and delete corresponding session information from the Zyxel Device Refresh Click Refresh to update this screen This field is a sequential value and it is not associated with a specific SSL User This field displays the account user name used to establish this SSL VPN connection Access This field displays the name of the SSL VPN application the ...

Page 247: ...onnect it Refresh Click Refresh to update this screen This field is a sequential value and it is not associated with a specific L2TP VPN session User Name This field displays the remote user s user name Hostname This field displays the name of the computer that has this L2TP VPN connection with the Zyxel Device Assigned IP This field displays the IP address that the Zyxel Device assigned for the r...

Page 248: ...d Data KB This is how much of the application s traffic the Zyxel Device has discarded without notifying the client in kilobytes This traffic was dropped because it matched an application policy set to drop Rejected Data KB This is how much of the application s traffic the Zyxel Device has discarded and notified the client that the traffic was rejected in kilobytes This traffic was rejected becaus...

Page 249: ...or click Flush Data Collecting starts over and a new collection start time displays Apply Click Apply to save your changes back to the Zyxel Device Reset Click Reset to return the screen to its last saved settings Refresh Click this button to update the report display Flush Data Click this button to discard all of the screen s statistics and update the report display Web Request Statistics Total W...

Page 250: ... which the Zyxel Device did not allow access due to the content filtering custom service configuration Restricted Web Features This is the number of web pages to which the ZyWALL limited access or removed cookies due to the content filtering custom service s restricted web features configuration Forbidden Web Sites This is the number of web pages to which the Zyxel Device did not allow access beca...

Page 251: ... this field to have the following read only table display the top IDP log entries by Signature Name Source or Destination This table displays the most common recent IDP logs See the log screen for less common IDP logs or use a syslog server to record all IDP logs Select Signature Name to list the most common signatures that the Zyxel Device has detected Select Source to list the source IP addresse...

Page 252: ...ION Collect Statistics Select this check box to have the Zyxel Device collect anti virus statistics The collection starting time displays after you click Apply All of the statistics in this screen are for the time period starting at the time displayed here The format is year month day and hour minute second All of the statistics are erased if you restart the Zyxel Device or click Flush Data Collec...

Page 253: ...es that Zyxel Device has detected Select Source IPv6 to list the source IPv6 addresses from which the Zyxel Device has detected the most virus infected files Select Destination IPv6 to list the most common destination IPv6 addresses for virus infected files that Zyxel Device has detected This field displays the entry s rank in the list of the top entries Virus name This column displays when you di...

Page 254: ...ows when you display the top entries by destination IPv6 Figure 212 Monitor UTM Statistics Anti Virus Destination IPv6 7 35 The Anti Spam Screens The Anti Spam menu contains the Summary and Status screens 7 35 1 Anti Spam Summary Click Monitor UTM Statistics Anti Spam Summary to display the following screen This screen displays spam statistics ...

Page 255: ...time displays Apply Click Apply to save your changes back to the Zyxel Device Reset Click Reset to return the screen to its last saved settings Refresh Click this button to update the report display Flush Data Click this button to discard all of the screen s statistics and update the report display Email Summary Total Mails Scanned This field displays the number of e mails that the Zyxel Device s ...

Page 256: ...il sessions that the anti spam feature can check at a time You can see the Zyxel Device s threshold of concurrent e mail sessions in the Anti Spam Status screen Use the Anti Spam General screen to set whether the Zyxel Device forwards or drops sessions that exceed this threshold Mail Sessions Dropped This is how many e mail sessions the Zyxel Device dropped because they exceeded the maximum number...

Page 257: ...displayed on this screen Flush Click this button to clear the DNSBL statistics This also clears the concurrent mail session scanning bar s historical high Mail Scan Statistics These are the statistics for the service the Zyxel Device uses These statistics are for when the Zyxel Device actually queries the service servers This is the entry s index number in the list Service This displays the name o...

Page 258: ...eceiving a reply Table 80 Monitor UTM Statistics Anti Spam Status continued LABEL DESCRIPTION Table 81 Monitor UTM Statistics SSL Inspection Summary LABEL DESCRIPTION Collect Statistics Select this check box to have the Zyxel Device collect SSL Inspection statistics The collection starting time displays after you click Apply All of the statistics in this screen are for the time period starting at ...

Page 259: ... actual number of simultaneous SSL Inspection sessions in progress Summary Total SSL Sessions This is the total of SSL sessions inspected and number of sessions blocked and number of sessions passed since data was last flushed or the Zyxel Device last rebooted after Collect Statistics was enabled Sessions Inspected This shows the total number of SSL sessions inspected since data was last flushed o...

Page 260: ...me CN to the Exclude List This field is a sequential value and it is not associated with a specific entry In Exclude List If any one of common name DNS name email address or IP address of the certificate is in the Exclude List then traffic to the server identified by the certificate is excluded from inspection The icons here are defined as follows Gray The identity of the certificate is not in the...

Page 261: ...own the Category Priority Source Address Destination Address Source Interface Destination Interface Service Keyword criteria and Search fields are available Category Select the type of log message s you want to view You can also view All Logs at one time or you can view the Debug Log Priority This displays when you show the filter Select the priority of log messages to display The log displays the...

Page 262: ...arch This displays when you show the filter Click this button to update the log using the current filter settings Reset Click Reset to return the screen to its last saved settings Email Log Now Click this button to send log message s to the Active e mail address es specified in the Send Log To field on the Log Settings page Refresh Click this button to update the information in the screen Clear Lo...

Page 263: ...This field displays how many logs are available It will display Empty if there s none Last Log Query Time This field displays the most recent time a log query was solicited Display Select the category of log message s you want to view You can also view All Logs at one time or you can view the Debug Log Source Address Type the IP address of the source AP Source Interface Select the interface of the...

Page 264: ...og regardless of what is currently displayed on the screen This field is a sequential value and it is not associated with a specific log message Time This field displays the time the log message was recorded Priority This displays when you show the filter Select the priority of log messages to display The log displays the log messages with this priority or higher Choices are any emerg alert crit e...

Page 265: ...en the account was created Remaining Time This field displays the amount of Internet access time remaining for each account Time Period This field displays the total account of time the account can use to access the Internet through the Zyxel Device Expiration Time This field displays the date and time the account becomes invalid Note Once the time allocated to a dynamic account is used up or a dy...

Page 266: ... services that your Zyxel Device supports ZyWALL models need a license for UTM Unified Threat Management functionality see Section 1 1 on page 28 for details You can purchase an iCard and enter its license key at myZyxel to have a Zyxel Device use UTM services or use more counts of a service or extend a service See the respective chapters in this guide for more information about UTM features 8 1 2...

Page 267: ...umber license key at myZyxel Click Activate in this screen to enable both Trial and Standard services on this Zyxel Device Click Configuration Licensing Registration Service to open the screen as shown next Figure 221 Configuration Licensing Registration Service The following table describes the labels in this screen Table 86 Configuration Licensing Registration Service LABEL DESCRIPTION Service S...

Page 268: ...r professional High Availability HA that lets a backup Zyxel Device automatically take over if the master Zyxel Device fails Firmware Upgrade Service This is a free license to get Cloud Helper notifications when new firmware is available You must register your Zyxel Device at myZyxel SecuReporter This is a license that allows SecuReporter to collect and analyze logs from your Zyxel Device in order...

Page 269: ...iguration Licensing Signature Update Anti Virus to display the following screen Expiration Date This field displays the date your service license expires or the date the grace period expires if the license has already expired You can continue to use IDP AppPatrol Anti Virus AV Content Filter Anti Spam AS during the grace period After the grace period ends all these features are disabled except the...

Page 270: ...these fields to have the Zyxel Device check for new signatures at myZyxel If new signatures are found they are then downloaded to the Zyxel Device Update Now Click this button to have the Zyxel Device check for new signatures immediately If there are new ones the Zyxel Device will then download them Auto Update Select this check box to have the Zyxel Device automatically check for new signatures r...

Page 271: ... anomaly rule set version number This number gets larger as the set is enhanced Signature Number This field displays the number of IDP signatures in this set This number usually gets larger as the set is enhanced Older signatures and rules may be removed if they are no longer applicable or have been supplanted by newer ones Released Date This field displays the date and time the set was released S...

Page 272: ... check for new IDP signatures once a week on the day and at the time specified Apply Click this button to save your changes to the Zyxel Device Reset Click this button to return the screen to its last saved settings Table 88 Configuration Licensing Signature Update IDP AppPatrol continued LABEL DESCRIPTION ...

Page 273: ... Device Use the AP Management screens Section 9 3 on page 274 to manage all of the APs connected to the Zyxel Device Use the Rogue AP screen Section 9 4 on page 288 to assign APs either to the rogue AP list or the friendly AP list Use the Auto Healing screen Section 9 5 on page 291 to extend the wireless service coverage area of the managed APs when one of the APs fails Use the RTLS screen Section...

Page 274: ...el Device is located installed The available channels vary depending on the country you selected Registration Type Select Manual to add each AP to the Zyxel Device for management or Always Accept to automatically add APs to the Zyxel Device for management If you select Manual then go to Monitor Wireless AP Information AP List select an AP to be managed and then click Add to Mgnt AP List That AP wi...

Page 275: ...ode The AP LEDs stay lit after the AP is ready This button is not available if the selected AP doesn t support suppression mode This field is a sequential value and it is not associated with any entry IP Address This field displays the IP address of the AP MAC Address This field displays the MAC address of the AP Model This field displays the AP s hardware model information It displays N A not app...

Page 276: ... Series User s Guide 276 9 3 1 1 Edit AP List Select an AP and click the Edit button in the Configuration Wireless AP Management table to display this screen Figure 226 Configuration Wireless AP Management Mgnt AP List Edit AP List ...

Page 277: ... to form a ZyMesh to extend its wireless network Repeater AP means the radio can establish a wireless connection with other APs in either root AP or repeater mode Note To prevent bridge loops do NOT set both radios on a managed AP to Repeater AP mode Note The root AP and repeater AP s in a ZyMesh must use the same country code and AP radio profile settings in order to communicate with each other N...

Page 278: ...AP radio SSID Profile Indicates which SSID profile is associated with this radio profile Override Group VLAN Setting Select this option to overwrite the AP VLAN setting with the setting you configure here Force Overwrite VLAN Config Select this to have the Zyxel Device change the AP s management VLAN to match the configuration in this screen Management VLAN ID Enter a VLAN ID for this AP As Native...

Page 279: ...configured on the managed AP s with the one s you specified below Primary Controller Specify the IP address of the primary AP controller if you set Override Type to Manual Secondary Controller Specify the IP address of the secondary AP controller if you set Override Type to Manual Fall back to Primary Controller when possible Select this option to have the managed AP s change back to associate wit...

Page 280: ...te You cannot remove a group with which an AP is associated DCS Now Select one or multiple groups and click this button to use DCS Dynamic Channel Selection to allow the APs in the group s to automatically find a less used channel in an environment where there are many APs and there may be interference Note You should have enabled DCS in the applied AP radio profile before the APs can use DCS Note...

Page 281: ... Wireless ZyWALL USG Series User s Guide 281 9 3 3 1 Add Edit AP Group Click Add or select an AP group and click the Edit button in the Configuration Wireless AP Management AP Group table to display this screen ...

Page 282: ...Chapter 9 Wireless ZyWALL USG Series User s Guide 282 Figure 229 Configuration Wireless AP Management AP Group Add Edit ...

Page 283: ...ent AP Group Add Edit LABEL DESCRIPTION General Settings Group Name Enter a name for this group You can use up to 31 alphanumeric characters Dashes and underscores are also allowed The name should start with a letter Description Enter a description for this group You can use up to 31 characters spaces and underscores allowed Radio 1 2 Setting ...

Page 284: ...rough the Create new Object menu Radio 1 2 ZyMesh Profile This field is available only when the radio is in Root AP or Repeater AP mode Enable Wireless Bridging Select the ZyMesh profile the radio uses to connect to a root AP or repeater This field is available only when the radio is in Repeater AP mode Select this option to enable wireless bridging on the radio The managed AP must support LAN pro...

Page 285: ...ot the VLAN is activated Name This shows the name of the VLAN VID This shows the VLAN ID number Member This field displays the Ethernet port s that is a member of this VLAN Load Balancing Setting Enable Load Balancing Select this to enable load balancing on the Zyxel Device Use this section to configure wireless network traffic load balancing between the managed APs in this group Note Load balanci...

Page 286: ...u do not enable this option then the AP simply delays the connection until it can afford the bandwidth it requires or it transfers the connection to another AP within its broadcast radius The disassociation priority is determined automatically by the Zyxel Device and is as follows Idle Timeout Devices that have been idle the longest will be disassociated first If none of the connected devices are ...

Page 287: ...t AP firmware then the Zyxel Device will delete an existing firmware that no AP is using before downloading the new AP firmware Click Configuration Wireless AP Management Firmware to access this screen Figure 230 Configuration Wireless AP Management Firmware Each field is described in the following table Table 95 Configuration Wireless AP Management Firmware LABEL DESCRIPTION AP Firmware Runtime F...

Page 288: ...irmware was made and whether the check is in progress checking was successful success or has failed fail Apply AP Firmware Due to space limitations the Zyxel Device only downloads and keeps AP firmware for APs it is currently managing If you connect a new AP to the Zyxel Device the Zyxel Device may need to download a new AP firmware Please wait while downloading new firmware as the speed depends o...

Page 289: ... Select an SSID Keyword and click this button to modify it Remove Select an existing SSID keyword and click this button to delete it This is the SSID Keyword s index number in this list SSID Keyword This field displays the SSID Keyword Rogue Friendly AP List Add Click this button to add an AP to the list and assign it either friendly or rogue status Edit Select an AP in the list to edit and reassi...

Page 290: ...o export the current list of rogue and friendly APs or import existing lists File Path Browse Importing Enter the file name and path of the list you want to import or click the Browse button to locate it Once the File Path field has been populated click Importing to bring the list into the Zyxel Device Exporting Click this button to export the current list of either rogue APs or friendly APS Monit...

Page 291: ...feature Save Current State Click this button to have all manged APs immediately scan their neighborhoods three times in a row and update their neighbor lists to the AP controller Zyxel Device Auto Healing Interval Set the time interval in minutes at which the managed APs scan their neighborhoods and report the status of neighbor APs to the AP controller Zyxel Device An AP is considered failed if t...

Page 292: ...ckets at specified intervals or triggered by something like motion or button presses 2 The APs pick up the blink packets measure the signal strength and send it to the Zyxel Device 3 The Zyxel Device forwards the signal measurements to the Ekahau RTLS Controller 4 The Ekahau RTLS Controller calculates the tag positions Figure 234 RTLS Example 9 6 1 What You Can Do in this Chapter Use the RTLS scre...

Page 293: ... Configuration Wireless RTLS The following table describes the labels in this screen Table 99 RTLS Traffic Port Numbers PORT NUMBER TYPE DESCRIPTION 8548 TCP Ekahau T201 location update 8549 UDP Ekahau T201 location update 8550 TCP Ekahau T201 tag maintenance protocol and Ekahau RTLS Controller user interface 8552 UDP Ekahau Location Protocol 8553 UDP Ekahau Maintenance Protocol 8554 UDP Ekahau T3...

Page 294: ...n the 2 4 GHz spectrum each channel from 1 to 13 is broken up into discrete 22 MHz segments that are spaced 5 MHz apart Channel 1 is centered on 2 412 GHz while channel 13 is centered on 2 472 GHz Figure 236 An Example Three Channel Deployment Three channels are situated in such a way as to create almost no interference with one another if used exclusively 1 6 and 11 When an AP broadcasts on any o...

Page 295: ...nt neighboring AP If he still connects to the AP regardless of the delay then the AP may boot other people who are already connected in order to associate with the new connection Load balancing by traffic level limits the number of connections to the AP based on maximum bandwidth available If you are uncertain as to the exact number of wireless connections you will have then choose this option By ...

Page 296: ...e 327 to create virtual interfaces on top of Ethernet interfaces to tell the Zyxel Device where to route packets You can create virtual Ethernet interfaces virtual VLAN interfaces and virtual bridge interfaces Use the PPP screens Section 10 6 on page 331 for PPPoE PPTP or L2TP Internet connections Use the Cellular screens Section 10 7 on page 338 to configure settings for interfaces for Internet c...

Page 297: ...aces receive and send tagged frames The Zyxel Device automatically adds or removes the tags as needed Each VLAN can only be associated with one Ethernet interface Bridge interfaces create a software connection between Ethernet or VLAN interfaces at the layer 2 data link MAC address level Unlike port groups bridge interfaces can take advantage of some security features in the Zyxel Device You can a...

Page 298: ...et up a virtual interface Relationships Between Interfaces In the Zyxel Device interfaces are usually created on top of other interfaces Only Ethernet interfaces are created directly on top of the physical ports or port groups The relationships between interfaces are explained in the following table IP Address Assignment Static IP address Yes Yes Yes Yes Yes Yes Yes DHCP client Yes No Yes Yes Yes ...

Page 299: ...ten as 2001 db8 1a2b 15 0 0 1a2f 0 Any number of consecutive blocks of zeros can be replaced by a double colon A double colon can only appear once in an IPv6 address So 2001 0db8 0000 0000 1a2f 0000 0000 0015 can be written as 2001 0db8 1a2f 0000 0000 0015 2001 0db8 0000 0000 1a2f 0015 2001 db8 1a2f 0 0 15 or 2001 db8 0 0 1a2f 15 Prefix and Prefix Length Similar to an IPv4 subnet mask IPv6 uses an...

Page 300: ...ombines the prefix and the interface ID generated from its own Ethernet MAC address to form a complete IPv6 address When IPv6 is enabled on a device its interface automatically generates a link local address beginning with fe80 When the Zyxel Device s WAN interface is connected to an ISP with a router and the Zyxel Device is set to automatically obtain an IPv6 network prefix from the router for th...

Page 301: ...en to enable IPv6 support on the Zyxel Device first 10 2 Port Role To access this screen click Configuration Network Interface Port Role Use the Port Role screen to set the Zyxel Device s flexible ports as part of the lan1 lan2 ext wlan ext lan or dmz interfaces This creates a hardware connection between the physical ports at the layer 2 data link MAC address level This provides wire speed through...

Page 302: ...teristics There is a layer 2 Ethernet switch between physical ports in the port group This provides wire speed throughput but no security It can increase the bandwidth between the port group and other interfaces The port group uses a single MAC address Click Apply to save your changes and apply them to the Zyxel Device Click Reset to change the port groups to their current configuration last saved...

Page 303: ... this port Choices are Auto Negotiate 1000Mbps Full Duplex 100Mbps Full Duplex 100Mbps Half Duplex 10Mbps Full Duplex and 10Mbps Half Duplex Selecting Auto Negotiate allows one port to negotiate with a peer port automatically to obtain the connection speed of up to 1000M and duplex mode that both ends support When auto negotiation is turned on a port on the Zyxel Device negotiates with the peer au...

Page 304: ... types of interfaces you cannot create new Ethernet interfaces nor can you delete any of them If an Ethernet interface does not have any physical ports assigned to it the Ethernet interface is effectively removed from the Zyxel Device but you can still configure it Ethernet interfaces are similar to other types of interfaces in many ways They have an IP address subnet mask and gateway used to make...

Page 305: ...l interface select it and click Remove The Zyxel Device confirms you want to remove it before doing so Activate To turn on an interface select it and click Activate Inactivate To turn off an interface select it and click Inactivate Create Virtual Interface To open the screen where you can create a virtual Ethernet interface select an Ethernet interface and click Create Virtual Interface References...

Page 306: ...asting method used by RIP 2 packets The Zyxel Device can use subnet broadcasting or multicasting With OSPF you can use Ethernet interfaces to do the following things Enable and disable OSPF in the underlying physical port or port group Select the area to which the interface belongs Override the default link cost and authentication method for the selected area Select in which direction s routing in...

Page 307: ...el Device discovered on its IGMP enabled interfaces The Zyxel Device acts as a proxy for its hosts Refer to the following figure DS Downstream traffic US Upstream traffic R Router MS Multicast Server Enable IGMP Upstream US on the Zyxel Device interface that connects to a router R running IGMP that is closer to the multicast server MS Enable IGMP Downstream on the Zyxel Device interface which conn...

Page 308: ...Chapter 10 Interfaces ZyWALL USG Series User s Guide 308 Figure 244 Configuration Network Interface Ethernet Edit External Type ...

Page 309: ...Chapter 10 Interfaces ZyWALL USG Series User s Guide 309 ...

Page 310: ...Chapter 10 Interfaces ZyWALL USG Series User s Guide 310 Configuration Network Interface Ethernet Edit External Type ...

Page 311: ...Chapter 10 Interfaces ZyWALL USG Series User s Guide 311 Figure 245 Configuration Network Interface Ethernet Edit Internal Type ...

Page 312: ...Chapter 10 Interfaces ZyWALL USG Series User s Guide 312 Configuration Network Interface Ethernet Edit Internal Type ...

Page 313: ...Chapter 10 Interfaces ZyWALL USG Series User s Guide 313 ...

Page 314: ...Chapter 10 Interfaces ZyWALL USG Series User s Guide 314 Figure 246 Configuration Network Interface Ethernet Edit OPT ...

Page 315: ...Chapter 10 Interfaces ZyWALL USG Series User s Guide 315 Configuration Network Interface Ethernet Edit OPT ...

Page 316: ... Show Advanced Settings Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields Create New Object Click this button to create a DHCPv6 lease or DHCPv6 request object that you may use for the DHCPv6 settings in this screen General Settings Enable Interface Select this to enable this interface Clear this to disable this interface General IPv6 Setting En...

Page 317: ...ment These IP address fields configure an IPv4 IP address on the interface itself If you change this IP address on the interface you may also need to change a related address object for the network connected to the interface For example if you use this screen to change the IP address of your LAN interface you should also change the corresponding LAN subnet address object Get Automatically This opt...

Page 318: ...ion Metric Enter the priority of the gateway if any on this interface The Zyxel Device decides which gateway to use based on this priority The lower the number the higher the priority If two or more gateways have the same priority the Zyxel Device uses the one that was configured first Address from DHCPv6 Prefix Delegation Use this table to have the Zyxel Device obtain an IPv6 prefix from the ISP ...

Page 319: ...t Address This field is available if you set this interface to DHCPv6 Client Select this to get an IPv6 IP address for this interface from the DHCP server Clear this to not get any IP address information through DHCPv6 DHCPv6 Request Options DHCPv6 Lease Options If this interface is a DHCPv6 client use this section to configure DHCPv6 request settings that determine what additional information to ...

Page 320: ...e sender to inform this Hop Limit Enter the maximum number of network segments that a packet can cross before reaching the destination When forwarding an IPv6 packet IPv6 routers are required to decrease the Hop Limit by 1 and to discard the IPv6 packet when the Hop Limit is 0 Advertised Prefix Table Configure this table only if you want the Zyxel Device to advertise a fixed prefix to the network ...

Page 321: ...e fields appear when Interface Properties is External or General The interface can regularly check the connection to the gateway you specified to make sure it is still available You specify how often the interface checks the connection how long to wait for a response before the attempt is a failure and how many consecutive failures are required before the Zyxel Device stops routing to the gateway ...

Page 322: ...except for the first address network address last address broadcast address and the interface s IP address Pool Size Enter the number of IP addresses to allocate This number must be at least one and is limited by the interface s Subnet Mask For example if the Subnet Mask is 255 255 255 0 and IP Pool Start Address is 10 10 10 10 the Zyxel Device can allocate 10 10 10 10 to 10 10 10 254 or 245 IP ad...

Page 323: ...uter program that loads the operating system for the computer Type the exact file name of the boot loader software file including filename extension that is on the PXE server If the wrong filename is typed then the client computers cannot boot Enable IP MAC Binding Select this option to have this interface enforce links between specific IP addresses and specific MAC addresses This stops anyone els...

Page 324: ...re Same as Area use the default authentication method in the area None disable authentication Text authenticate OSPF routing information using a plain text password MD5 authenticate OSPF routing information using MD5 encryption Text Authentication Key This field is available if the Authentication is Text Type the password for text authentication The key can consist of alphanumeric characters and t...

Page 325: ... Range for example 192 168 1 2 192 168 1 100 as the target IP address The Zyxel Device answers external ARP requests only if they match one of these inputted target IP addresses For example if the IPv4 Address is 192 168 1 5 then the Zyxel Device will answer ARP requests coming from the WAN only if it contains 192 168 1 5 as the target IP address Select an existing entry and click Remove to delete...

Page 326: ...ce Edit Add Proxy ARP The following table describes labels that can appear in this screen Table 107 Interface Edit Add Proxy ARP LABEL DESCRIPTION Interface Name This identifies the interface for which the configuration settings that use it are displayed Address Type Choose IPv4 Address or IPv4 CIDR for example 192 168 1 1 24 or an IPv4 Range for example 192 168 1 2 192 168 1 100 and then enter th...

Page 327: ...ace uses Unlike other interfaces virtual interfaces do not provide DHCP services and they do not verify that the gateway is available This screen lets you configure IP address assignment and interface parameters for virtual interfaces To access this screen click the Create Virtual Interface icon in the Ethernet VLAN or bridge interface summary screen Figure 249 Configuration Network Interface Crea...

Page 328: ...that was configured first OK Click OK to save your changes back to the Zyxel Device Cancel Click Cancel to exit this screen without saving Table 108 Configuration Network Interface Create Virtual Interface continued LABEL DESCRIPTION Table 109 References LABEL DESCRIPTION Object Name This identifies the object for which the configuration settings that use it are displayed Click the object s name t...

Page 329: ...additionally add DHCP extended options which have the Zyxel Device to add more information in the DHCP packets The available fields vary depending on the DHCP option you select in this screen To open the screen click Configuration Network Interface Ethernet Edit select DHCP Server in the DHCP Setting section and then click Add or Edit in the Extended Options table Figure 252 Configuration Network ...

Page 330: ...hich the client is running or of industry consortium compliance First Information Second Information If you selected VIVS 125 enter additional information for the corresponding enterprise number in these fields OK Click this to close this screen and update the settings to the previous Edit screen Cancel Click Cancel to close the screen Table 111 DHCP Extended Options OPTION NAME CODE DESCRIPTION T...

Page 331: ...ot have to change any network policies You do not set up the subnet mask or gateway PPPoE PPTP L2TP interfaces are interfaces between the Zyxel Device and only one computer Therefore the subnet mask is always 255 255 255 255 In addition the Zyxel Device always treats the ISP as a gateway 10 6 1 PPP Interface Summary This screen lists every PPPoE PPTP L2TP interface To access this screen click Conf...

Page 332: ...vate Inactivate To turn off an entry select it and click Inactivate Connect To connect an interface select it and click Connect You might use this in testing the interface or to manually establish the connection for a Dial on Demand PPPoE PPTP interface Disconnect To disconnect an interface select it and click Disconnect You might use this in testing the interface References Select an entry and cl...

Page 333: ...ion System IPv6 screen you can also configure PPP interfaces used for your IPv6 networks on this screen To access this screen click the Add icon or an Edit icon in the PPP Interface screen Account Profile This field displays the ISP account used by this PPPoE PPTP interface Apply Click Apply to save your changes back to the Zyxel Device Reset Click Reset to return the screen to its last saved sett...

Page 334: ...Chapter 10 Interfaces ZyWALL USG Series User s Guide 334 Figure 255 Configuration Network Interface PPP Add ...

Page 335: ...this if the PPPoE PPTP L2TP connection should always be up Clear this to have the Zyxel Device establish the PPPoE PPTP L2TP connection only when there is traffic You might use this option if a lot of traffic needs to go through the interface or it does not cost extra to keep the connection up all the time Dial on Demand Select this to have the Zyxel Device establish the PPPoE PPTP L2TP connection...

Page 336: ...or more information To use prefix delegation you must Create at least one DHCPv6 request object before configuring this table The external interface must be a DHCPv6 client You must configure the DHCPv6 request options using a DHCPv6 request object with the type of prefix delegation Assign the prefix delegation to an internal interface and enable router advertisement on that interface Add Click th...

Page 337: ...alues are 0 1048576 Ingress Bandwidth This is reserved for future use Enter the maximum amount of traffic in kilobits per second the Zyxel Device can receive from the network through the interface Allowed values are 0 1048576 MTU Maximum Transmission Unit Type the maximum size of each data packet in bytes that can move through this interface If a larger packet arrives the Zyxel Device divides it i...

Page 338: ...oice and non voice data and provides broadband Internet access to mobile devices 4G 4G is the fourth generation of the mobile telecommunications technology and a successor of 3G Both the WiMAX and Long Term Evolution LTE standards are the 4G candidate systems 4G only supports all IP based packet switched telephony services and is required to offer Gigabit speed access Note The actual data rate you...

Page 339: ...gital radio CDMA2000 1xRTT 1 times Radio Transmission Technology is the core CDMA2000 wireless air interface standard It is also known as 1x 1xRTT or IS 2000 and considered to be a 2 5G or 2 75G technology 2 75G Packet switched Enhanced Data rates for GSM Evolution EDGE Enhanced GPRS EGPRS etc 3G Packet switched UMTS Universal Mobile Telecommunications System a third generation 3G wireless standar...

Page 340: ...or to manually establish the connection Disconnect To disconnect an interface select it and click Disconnect You might use this in testing the interface References Select an entry and click References to open a screen that shows which settings use the entry See Section 10 5 4 on page 328 for an example This field is a sequential value and it is not associated with any interface Status The activate...

Page 341: ...ice at myZyxel myZyxel hosts a list of supported mobile broadband dongle devices You should have an Internet connection to access this website Latest Version This displays the latest supported mobile broadband dongle list version number Current Version This displays the currently supported by the Zyxel Device mobile broadband dongle list version number Update Now If the latest version number is gr...

Page 342: ...Chapter 10 Interfaces ZyWALL USG Series User s Guide 342 Figure 257 Configuration Network Interface Cellular Add Edit ...

Page 343: ...s 0 360 that elapses before the Zyxel Device automatically disconnects from the ISP s server Zero disables the idle timeout ISP Settings Profile Selection Select Device to use one of the mobile broadband device s profiles of device settings Then select the profile use Profile 1 unless your ISP instructed you to do otherwise Select Custom to configure your device settings yourself APN This field is...

Page 344: ...ou cannot use the account to access the Internet If your ISP disabled PIN code authentication enter an arbitrary number Retype to Confirm Type the PIN code again to confirm it Interface Parameters Egress Bandwidth Enter the maximum amount of traffic in kilobits per second the Zyxel Device can send through the interface to the network Allowed values are 0 1048576 This setting is used in WAN load ba...

Page 345: ...ic Enter the priority of the gateway if any on this interface The Zyxel Device decides which gateway to use based on this priority The lower the number the higher the priority If two or more gateways have the same priority the Zyxel Device uses the one that was configured first Device Settings Band Selection This field appears if you selected a mobile broadband device that allows you to select the...

Page 346: ...month If the date you selected is not available in a month such as 30th or 31st the Zyxel Device resets the budget on the last day of the month Reset time and data budget counters This button is available only when you enable budget control in this screen Click this button to reset the time and data budgets immediately The count starts over with the mobile broadband connection s full configured mo...

Page 347: ...IPv6 networks over an IPv4 network an IPv6 over IPv4 tunnel has to be used Figure 259 IPv6 over IPv4 Network On the Zyxel Device you can either set up a manual IPv6 in IPv4 tunnel or an automatic 6to4 tunnel The following describes each method Log Select None to not create a log when the Zyxel Device takes this action Log to create a log or Log alert to create an alert log If you select Log or Log...

Page 348: ...4 tunneling you do not need to configure a policy route for a 6to4 tunnel Through your properly pre configuring the destination router s IP address in the IP address assignments to hosts the Zyxel Device can automatically forward 6to4 packets to the destination they want to go A 6to4 relay router is required to route 6to4 packets to a native IPv6 network if the packet s destination do not match yo...

Page 349: ...reate a new GRE tunnel interface Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The Zyxel Device confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate References Sele...

Page 350: ... Gateway Address Tunnel Mode This is the tunnel mode of the interface GRE IPv6 in IPv4 or 6to4 This field also displays the interface s IPv4 IP address and subnet mask if it is a GRE tunnel Otherwise it displays the interface s IPv6 IP address and prefix length My Address This is the interface or IP address uses to identify itself to the remote gateway The Zyxel Device uses this as the source for ...

Page 351: ...r or lesser number of configuration fields General Settings Enable Select this to enable this interface Clear this to disable this interface Interface Properties Interface Name This field is read only if you are editing an existing tunnel interface Enter the name of the tunnel interface The format is tunnelx where x is 0 3 For example tunnel0 Zone Use this field to select the zone to which this in...

Page 352: ...he hosts in the matched network If you enter a prefix starting with 2002 the Zyxel Device will forward the matched packets to the IPv4 IP address converted from the packets destination address The IPv4 IP address can be converted from the next 32 bits after the prefix you specified in this field See 6to4 Tunneling on page 348 for an example The Zyxel Device forwards the unmatched packets to the sp...

Page 353: ... resumes routing to the gateway the first time the gateway passes the connectivity check Enable Connectivity Check Select this to turn on the connection check Check Method Select the method that the gateway allows Select icmp to have the Zyxel Device regularly ping the gateway you specify to make sure it is still available Select tcp to have the Zyxel Device regularly perform a TCP handshake with ...

Page 354: ...affic inside VLAN 2 Traffic is only broadcast inside each VLAN not each physical network Traffic between VLANs or between a VLAN and another type of network is layer 3 communication network layer IP addresses It is handled by the router This approach provides a few advantages Increased performance In VLAN 2 the extra switch should route traffic inside the sales department faster than the router do...

Page 355: ...h VLAN interface is created on top of only one Ethernet interface Otherwise VLAN interfaces are similar to other interfaces in many ways They have an IP address subnet mask and gateway used to make routing decisions They restrict bandwidth and packet size They can provide DHCP services and they can verify the gateway is available 10 9 1 VLAN Summary Screen This screen lists every VLAN interface an...

Page 356: ...ate a virtual interface select an interface and click Create Virtual Interface References Select an entry and click References to open a screen that shows which settings use the entry See Section 10 5 4 on page 328 for an example This field is a sequential value and it is not associated with any interface Status This icon is lit when the entry is active and dimmed when the entry is inactive Name T...

Page 357: ...Chapter 10 Interfaces ZyWALL USG Series User s Guide 357 Figure 267 Configuration Network Interface VLAN Add Edit ...

Page 358: ...Chapter 10 Interfaces ZyWALL USG Series User s Guide 358 ...

Page 359: ...w Advanced Settings Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields Create New Object Click this button to create a DHCPv6 lease or DHCPv6 request object that you may use for the DHCPv6 settings in this screen General Settings Enable Interface Select this to turn this interface on Clear this to disable this interface General IPv6 Setting Enabl...

Page 360: ...tting here Description Enter a description of this interface You can use alphanumeric and _ characters and it can be up to 60 characters long Spaces are allowed but the string can t start with a space IP Address Assignment Get Automatically Select this if this interface is a DHCP client In this case the DHCP server configures the IP address subnet mask and gateway automatically You should not sele...

Page 361: ... of the gateway if any on this interface The Zyxel Device decides which gateway to use based on this priority The lower the number the higher the priority If two or more gateways have the same priority the Zyxel Device uses the one that was configured first Address from DHCPv6 Prefix Delegation Use this table to have the Zyxel Device obtain an IPv6 prefix from the ISP or a connected uplink router ...

Page 362: ...ation retrieved from DHCPv6 Request Address This field is available if you set this interface to DHCPv6 Client Select this to get an IPv6 IP address for this interface from the DHCP server Clear this to not get any IP address information through DHCPv6 DHCPv6 Request Options DHCPv6 Lease Options If this interface is a DHCPv6 client use this section to configure DHCPv6 request settings that determi...

Page 363: ...ivides it into smaller fragments Hop Limit Enter the maximum number of network segments that a packet can cross before reaching the destination When forwarding an IPv6 packet IPv6 routers are required to decrease the Hop Limit by 1 and to discard the IPv6 packet when the Hop Limit is 0 Advertised Prefix Table Configure this table only if you want the Zyxel Device to advertise a fixed prefix to the...

Page 364: ...s value is 1500 Connectivity Check The Zyxel Device can regularly check the connection to the gateway you specified to make sure it is still available You specify how often to check the connection how long to wait for a response before the attempt is a failure and how many consecutive failures are required before the Zyxel Device stops routing to the gateway The Zyxel Device resumes routing to the...

Page 365: ...xcept for the first address network address last address broadcast address and the interface s IP address Pool Size Enter the number of IP addresses to allocate This number must be at least one and is limited by the interface s Subnet Mask For example if the Subnet Mask is 255 255 255 0 and IP Pool Start Address is 10 10 10 10 the Zyxel Device can allocate 10 10 10 10 to 10 10 10 254 or 245 IP add...

Page 366: ... to use an IP address that is bound to another device s MAC address Static DHCP Table Configure a list of static IP addresses the Zyxel Device assigns to computers connected to the interface Otherwise the Zyxel Device assigns an IP address dynamically using the interface s IP Pool Start Address and Pool Size Add Click this to create a new entry Edit Select an entry and click this to be able to mod...

Page 367: ...cation The key can consist of alphanumeric characters and the underscore and it can be up to 16 characters long MD5 Authentication ID This field is available if the Authentication is MD5 Type the ID for MD5 authentication The ID can be between 1 and 255 MD5 Authentication Key This field is available if the Authentication is MD5 Type the password for MD5 authentication The password can consist of a...

Page 368: ...r example 192 168 1 1 24 or an IPv4 Range for example 192 168 1 2 192 168 1 100 as the target IP address The Zyxel Device answers external ARP requests only if they match one of these inputted target IP addresses For example if the IPv4 Address is 192 168 1 5 then the Zyxel Device will answer ARP requests coming from the WAN only if it contains 192 168 1 5 as the target IP address Select an existi...

Page 369: ...ngs and connectivity check To use the whole Zyxel Device as a transparent bridge add all of the Zyxel Device s interfaces to a bridge interface A bridge interface may consist of the following members Zero or one VLAN interfaces and any associated virtual VLAN interfaces Any number of Ethernet interfaces and any associated virtual Ethernet interfaces When you create a bridge interface the Zyxel Dev...

Page 370: ...uration IPv6 Configuration Use the Configuration section for IPv4 network settings Use the IPv6 Configuration section for IPv6 network settings if you connect your Zyxel Device to an IPv6 network Both sections have similar fields as described below Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings ...

Page 371: ...s field displays the description of the interface IP Address This field displays the current IP address of the interface If the IP address is 0 0 0 0 the interface does not have an IP address yet This screen also shows whether the IP address is a static IP address STATIC or dynamically assigned DHCP IP addresses are always static in virtual interfaces Member This field displays the Ethernet interf...

Page 372: ...Chapter 10 Interfaces ZyWALL USG Series User s Guide 372 Figure 269 Configuration Network Interface Bridge Add Edit ...

Page 373: ...Chapter 10 Interfaces ZyWALL USG Series User s Guide 373 ...

Page 374: ...option depending on the type of network to which the Zyxel Device is connected or if you want to additionally manually configure some related settings internal is for connecting to a local network Other corresponding configuration options DHCP server and DHCP relay The Zyxel Device automatically adds default SNAT settings for traffic flowing from this interface to an external interface external is...

Page 375: ... these characters a zA Z0 9 _ to identify this Zyxel Device to the DHCP server For example Zyxel TW Use Fixed IP Address Select this if you want to specify the IP address subnet mask and gateway manually IP Address This field is enabled if you select Use Fixed IP Address Enter the IP address for this interface Subnet Mask This field is enabled if you select Use Fixed IP Address Enter the subnet ma...

Page 376: ... use prefix delegation you must Create at least one DHCPv6 request object before configuring this table The external interface must be a DHCPv6 client You must configure the DHCPv6 request options using a DHCPv6 request object with the type of prefix delegation Assign the prefix delegation to an internal interface and enable router advertisement on that interface Add Click this to create an entry ...

Page 377: ...10 5 5 on page 329 for more information Remove Select an entry and click this to change the settings Object Reference Select an entry and click this to delete it from this table This field is a sequential value and it is not associated with any entry Name This field displays the name of the DHCPv6 request or lease object Type This field displays the type of the object Value This field displays the...

Page 378: ...ress Advertised Prefix from DHCPv6 Prefix Delegation Use this table to configure the network prefix if you want to use a delegated prefix as the beginning part of the network prefix Add Click this to create an entry in this table Edit Select an entry in this table and click this to modify it Remove Select an entry in this table and click this to delete it References Select an entry and click Refer...

Page 379: ...terface s IP address and subnet mask except for the first address network address last address broadcast address and the interface s IP address Pool Size Enter the number of IP addresses to allocate This number must be at least one and is limited by the interface s Subnet Mask For example if the Subnet Mask is 255 255 255 0 and IP Pool Start Address is 10 10 10 10 the Zyxel Device can allocate 10 ...

Page 380: ...ile A boot loader is a computer program that loads the operating system for the computer Type the exact file name of the boot loader software file including filename extension that is on the PXE server If the wrong filename is typed then the client computers cannot boot Enable IP MAC Binding Select this option to have this interface enforce links between specific IP addresses and specific MAC addr...

Page 381: ...fore the Zyxel Device stops routing through the gateway Check Default Gateway Select this to use the default gateway for the connectivity check Check this address Select this to specify a domain name or IP address for the connectivity check Enter that domain name or IP address in the field next to it Check Port This field only displays when you set the Check Method to tcp Specify the port number t...

Page 382: ...d on the Zyxel Device To access this screen click Configuration Network Interface LAG Add Click Add to create an IPv4 Address an IPv4 CIDR for example 192 168 1 1 24 or an IPv4 Range for example 192 168 1 2 192 168 1 100 as the target IP address The Zyxel Device answers external ARP requests only if they match one of these inputted target IP addresses For example if the IPv4 Address is 192 168 1 5...

Page 383: ... Mode refers to whether the LAG is acting as follows active backup where only one slave in the LAG interface is active and another slave becomes active only if the active slave fails 802 3ad IEEE 802 3ad Dynamic link aggregation where Link Aggregation Control Protocol LACP negotiates automatic combining of links and balances the traffic load across the LAG link by sending LACP packets to the direc...

Page 384: ...rface To access this screen click the Add or Edit icon in the LAG screen The following screen appears Figure 271 Configuration Network Interface LAG Add Apply Click Apply to save your changes back to the Zyxel Device Reset Click Reset to return the screen to its last saved settings Table 126 Configuration Network Interface LAG continued LABEL DESCRIPTION ...

Page 385: ...where only one slave in the LAG interface is active and another slave becomes active only if the active slave fails 802 3ad IEEE 802 3ad Dynamic link aggregation where Link Aggregation Control Protocol LACP negotiates automatic combining of links and balances the traffic load across the LAG link by sending LACP packets to the directly connected device that also implements LACP The slaves must have...

Page 386: ... address of the gateway The Zyxel Device sends packets to the gateway when it does not know how to route the packet to its destination The gateway should be on the same network as the interface Metric Enter the priority of the gateway if any on this interface The Zyxel Device decides which gateway to use based on this priority The lower the number the higher the priority If two or more gateways ha...

Page 387: ...NS Server Type the IP address of the WINS Windows Internet Naming Service server that you want to send to the DHCP clients The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using Default Router If you set this interface to DHCP Server you can select to use either the interface s IP address or another IP address as the default r...

Page 388: ... resumes routing to the gateway the first time the gateway passes the connectivity check Enable Connectivity Check Select this to turn on the connection check Check Method Select the method that the gateway allows Select icmp to have the Zyxel Device regularly ping the gateway you specify to make sure it is still available Select tcp to have the Zyxel Device regularly perform a TCP handshake with ...

Page 389: ...nnel interfaces for load balancing In the following example configure VPN tunnels with static IP addresses or DNS on both Zyxel Devices or IPSec routers at the end of the tunnel Also configure VTI and a trunk on both Zyxel Devices Figure 272 VTI and Trunk for VPN Load Balancing 10 12 1 Restrictions for IPSec Virtual Tunnel Interface IPv4 traffic only IPSec tunnel mode only A shared keyword must no...

Page 390: ...emove The Zyxel Device confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate References Select an entry and click References to open a screen that shows which settings use the entry This field is a sequential value and it is not associated with any interface Status This icon is lit whe...

Page 391: ... are editing an existing VPN tunnel interface For a new VPN tunnel interface enter the name of the VPN tunnel interface in vtix format where x is a number from 0 to the maximum number of VPN connections allowed for this model For example enter vti10 Zone Select a zone Make sure that the zone you select does not have traffic blocked by a security feature such as a security policy vpn rule You shoul...

Page 392: ...interface can regularly check the connection to the gateway you specified to make sure it is still available You specify how often the interface checks the connection how long to wait for a response before the attempt is a failure and how many consecutive failures are required before the Zyxel Device stops routing to the gateway The Zyxel Device resumes routing to the gateway the first time the ga...

Page 393: ...uting information from the selected interface As a result this interface only receives routing information Authentication Select an authentication method or disable authentication To exchange OSPF routing information with peer border routers you must use the same authentication method that they use Choices are Same as Area use the default authentication method in the area None disable authenticati...

Page 394: ... up Use the Trunk summary screen Section 10 14 on page 397 to view the list of configured trunks and which load balancing algorithm each trunk uses Use the Add Trunk screen Section 10 14 1 on page 398 to configure the member interfaces for a trunk and the load balancing algorithm the trunk uses Use the Add System Default screen Section 10 14 2 on page 400 to configure the load balancing algorithm ...

Page 395: ...s to be distributed The outbound bandwidth utilization is defined as the measured outbound throughput over the available outbound bandwidth Here the Zyxel Device has two WAN interfaces connected to the Internet The configured available outbound bandwidths for WAN 1 and WAN 2 are 512K and 256K respectively Figure 275 Load Balancing Least Load First Example The outbound bandwidth utilization is used...

Page 396: ...ght of wan1 and wan2 to 2 and 1 respectively The Zyxel Device assigns the traffic of two sessions to wan1 and one session s traffic to wan2 in each round of 3 new sessions Figure 276 Weighted Round Robin Algorithm Example Spillover The spillover load balancing algorithm sends network traffic to the first interface in the trunk member list until the interface s maximum allowable load is reached the...

Page 397: ...nnections on an interface which is set to passive mode when any interface set to active mode in the same trunk comes back up Enable Default SNAT Select this to have the Zyxel Device use the IP address of the outgoing interface as the source IP address of the packets it sends out through its WAN trunks The Zyxel Device automatically adds SNAT settings for traffic it routes from internal interfaces ...

Page 398: ...e Zyxel Device Reset Click this button to return the screen to its last saved settings Table 131 Configuration Network Interface Trunk continued LABEL DESCRIPTION Table 132 Configuration Network Interface Trunk Add or Edit LABEL DESCRIPTION Name This is read only if you are editing an existing trunk When adding a new trunk enter a descriptive name for this trunk You may use 1 31 alphanumeric chara...

Page 399: ...Mode Click this table cell and select Active to have the Zyxel Device always attempt to use this connection Select Passive to have the Zyxel Device only use this connection when all of the connections set to active are down You can only set one of a group s interfaces to passive mode Weight This field displays with the weighted round robin load balancing algorithm Specify the weight 1 10 for the i...

Page 400: ...is field displays the name of the selected system default trunk Load Balancing Algorithm Select the load balancing method to use for the trunk Select Weighted Round Robin to balance the traffic load between interfaces based on their respective weights An interface with a larger weight gets more chances to transmit traffic than an interface with a smaller weight For example if the weight ratio of w...

Page 401: ...ancing algorithm It displays the maximum number of kilobits of data the Zyxel Device is to allow to come in through the interface per second Egress Bandwidth This field displays with the least load first or spillover load balancing algorithm It displays the maximum number of kilobits of data the Zyxel Device is to send out through the interface per second Spillover This field displays with the spi...

Page 402: ...5 it might not find any entries in the routing table In this case the packet is dropped However if there is a default router to which the Zyxel Device should send this packet you can specify it as a gateway in one of the interfaces For example if there is a default router at 200 200 200 100 you can create a gateway at 200 200 200 100 on ge2 In this case the Zyxel Device creates the following entry...

Page 403: ...tion Protocol DHCP RFC 2131 RFC 2132 provides a way to automatically set up and maintain IP addresses subnet masks gateways and some network information such as the IP addresses of DNS servers on computers in the network This reduces the amount of manual configuration you have to do and usually uses available IP addresses more efficiently In DHCP every network has at least one DHCP server When a c...

Page 404: ...pany s own DNS server or you can refer to DNS servers that other interfaces received from DHCP servers for example a DNS server at an ISP These other interfaces have to be DHCP clients It is not possible for an interface to be the DHCP server and a DHCP client simultaneously WINS WINS Windows Internet Naming Service is a Windows implementation of NetBIOS Name Server NBNS on Windows It keeps track ...

Page 405: ...TP is convenient and easy to use but you have to make sure that firewalls support both PPTP sessions Layer 2 Tunneling Protocol L2TP was taken from PPTP of Microsoft and Cisco s L2F Layer 2 Forwarding technology so LT2P combines PPTP s control and runs over a faster transport protocol UDP although it may be a bit more complicated to set up It supports up to 256 bit session keys using the IPSec pro...

Page 406: ...e policy route to connect to services offered by your ISP behind router R2 You create another policy route to communicate with a separate network behind another router R3 connected to the LAN Figure 282 Example of Policy Routing Topology Note You can generally just use policy routes You only need to use static routes if you have a large network with multiple routers where you use RIP or OSPF to pr...

Page 407: ...ultiple paths NAT The Zyxel Device performs NAT by default for traffic going to or from the WAN interfaces A routing policy s SNAT allows network administrators to have traffic received on a specified interface use a specified IP address as the source IP address Note The Zyxel Device automatically uses SNAT for traffic it routes from internal interfaces to external interfaces such as LAN to WAN tr...

Page 408: ...evice will not conflict with the DSCP mapping The DSCP value determines the forwarding behavior the PHB Per Hop Behavior that each packet gets across the DiffServ network Based on the marking rule different kinds of traffic can be marked for different kinds of forwarding Resources can then be allocated according to the DSCP values and the configured policies 11 2 Policy Route Screen Click Configur...

Page 409: ...en also enables or disables it in the other screen IPv4 Configuration IPv6 Configuration Use the IPv4 Configuration section for IPv4 network settings Use the IPv6 Configuration section for IPv6 network settings if you connect your Zyxel Device to an IPv6 network Both sections have similar fields as described below Use IPv4 IPv6 Policy Route to Override Direct Route Select this to have the Zyxel De...

Page 410: ...lue of 0 This is usually best effort traffic The af entries stand for Assured Forwarding The number following the af identifies one of four classes and one of three drop preferences See Assured Forwarding AF PHB for DiffServ for more details Service This is the name of the service object any means all services Source Port This is the name of a service object The Zyxel Device applies the policy rou...

Page 411: ... the Add or Edit icon in the IPv4 Configuration or IPv6 Configuration section The Add Policy Route or Policy Route Edit screen opens Use this screen to configure or edit a policy route Both IPv4 and IPv6 policy route have similar settings except the Address Translation SNAT settings Figure 284 Configuration Network Routing Policy Route Add Edit IPv4 Configuration ...

Page 412: ...eria User Select a user name or user group from which the packets are sent Incoming Select where the packets are coming from any an interface a tunnel an SSL VPN or the Zyxel Device itself For an interface a tunnel or an SSL VPN you also need to select the individual interface VPN tunnel or SSL VPN connection Source Address Select a source IP address object including geographic address and FQDN gr...

Page 413: ...T address object first Select VPN Tunnel to route the matched packets via the specified VPN tunnel Select Trunk to route the matched packets through the interfaces in the trunk group based on the load balancing algorithm Select Interface to route the matched packets through the specified outgoing interface to a gateway which is connected to the interface Gateway This field displays when you select...

Page 414: ...e as the source IP address es of the packets that match this route Healthy Check Use this part of the screen to configure a route connectivity check and disable the policy if the interface is down Disable policy route automatically while Interface link down Select this to disable the policy if the interface is down or disabled This is available for Interface and Trunk in the Type field above Enabl...

Page 415: ...Use the IPv4 Configuration section for IPv4 network settings Use the IPv6 Configuration section for IPv6 network settings if you connect your Zyxel Device to an IPv6 network Both sections have similar fields as described below Add Click this to create a new static route Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remov...

Page 416: ... Length field Subnet Mask Enter the IP subnet mask here Prefix Length Enter the number of left most digits in the destination IP address which indicates the network prefix Enter in the Destination IP field and 0 in this field if you want to send all traffic to the gateway or interface specified in the Gateway IP or Interface field Gateway IP Select the radio button and enter the IP address of the ...

Page 417: ... not using among the policy routes that require more bandwidth When you enable maximize bandwidth usage the Zyxel Device first makes sure that each policy route gets up to its bandwidth allotment Next the Zyxel Device divides up an interface s available bandwidth bandwidth that is unbudgeted or unused by the policy routes depending on how many policy routes require more bandwidth and on their prio...

Page 418: ... routing protocol and like most such protocols it uses hop count to decide which route is the shortest Unfortunately it also broadcasts its routes asynchronously to the network and converges slowly Therefore RIP is more suitable for small networks up to 15 routers In the Zyxel Device you can configure two sets of RIP settings before you can use it in an interface First the Authentication field spe...

Page 419: ...ilable if the Authentication is MD5 Type the ID for MD5 authentication The ID can be between 1 and 255 MD5 Authentication Key This field is available if the Authentication is MD5 Type the password for MD5 authentication The password can consist of alphanumeric characters and the underscore and it can be up to 16 characters long Redistribute Active OSPF Select this to use RIP to advertise routes th...

Page 420: ...y a 32 bit ID In OSPF this number may be expressed as an integer or as an IP address There are several types of areas The backbone is the transit area that routes packets between other areas All other areas are connected to the backbone A normal area is a group of adjacent networks A normal area has routing information about the OSPF AS any networks outside the OSPF AS to which it is directly conn...

Page 421: ...ted through Link State Advertisements LSA Each router uses the link state database and the Dijkstra algorithm to compute the least cost paths to network destinations Like areas each router has a unique 32 bit ID in the OSPF AS and there are several types of routers Each type is really just a different role and it is possible for one router to play multiple roles at one time An internal router IR o...

Page 422: ...ther If a router is directly connected to several groups it might be a DR in one group a BDR in another group and neither in a third group all at the same time Virtual Links In some OSPF AS it is not possible for an area to be directly connected to the backbone In this case you can create a virtual link through an intermediate area to logically connect the area to the backbone This is illustrated ...

Page 423: ... Network Routing OSPF to open the following screen Figure 293 Configuration Network Routing OSPF The following table describes the labels in this screen See Section 11 7 2 on page 424 for more information as well Table 145 Configuration Network Routing Protocol OSPF LABEL DESCRIPTION OSPF Router ID Select the 32 bit ID the Zyxel Device uses in the OSPF AS Default the first available interface IP a...

Page 424: ... Type 2 Type 1 cost OSPF AS cost external cost Metric Type 2 cost external cost Metric the OSPF AS cost is ignored Metric Type the external cost for routes provided by static routes The metric represents the cost of transmission for routing purposes The way this is used depends on the Type field This value is usually the average cost in the OSPF AS and it can be between 1 and 16777214 Area This se...

Page 425: ...but not the confidentiality of routing updates None uses no authentication Text uses a plain text password that is sent over the network not very secure MD5 uses an MD5 password and authentication ID most secure Text Authentication Key This field is available if the Authentication is Text Type the password for text authentication The key can consist of alphanumeric characters and the underscore an...

Page 426: ...integrity but not the confidentiality of routing updates For OSPF the Zyxel Device supports a default authentication type by area If you want to use this default in an interface or virtual link you set the associated Authentication Type field to Same as Area As a result you only have to update the authentication information for the area to update the authentication type used by these interfaces an...

Page 427: ...on information for the area to update the authentication type used by these interfaces and virtual links Alternatively you can override the default in any interface or virtual link by selecting a specific authentication method Please see the respective interface sections for more information None uses no authentication Text uses a plain text password that is sent over the network not very secure M...

Page 428: ...Configuration Object Service Service Group 2 Select the Default_Allow_WAN_To_ZyWALL rule and click Edit 3 Move BGP from Available to Member 4 Click OK Figure 297 Allow BGP to the Zyxel Device 11 8 2 Configuring the BGP Screen Use this screen to configure BGP information about the Zyxel Device and its peer BGP routers Click Configuration Network Routing BGP to open the following screen ...

Page 429: ...ew peer BGP router Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The Zyxel Device confirms you want to remove it before doing so This field is a sequential value and it is not associated with a specific area IP Address This displays the IPv4 address of the peer BGP router in a n...

Page 430: ...s field Get the number from your service provider Enable EBGP Multihop Select this to allow the Zyxel Device to attempt BGP connections to external peers on indirectly connected networks eBGP neighbors must also perform multihop Multihop is not established if the only route to the multihop peer is a default route This avoids loop formation EBGP Maximum Hops Enter a maximum hop count from 1 255 The...

Page 431: ...to inform it that the BGP connection between the two is still active The Keepalive Time is the interval between each Keepalive message sent by the Zyxel Device We recommend Keepalive Time is 1 3 of the Hold Time time Hold Time This is the maximum time the Zyxel Device waits to receive a Keepalive message from a peer BGP router before it declares that the peer BGP router is dead Hold Time must be g...

Page 432: ...n Network Routing BGP Note The Zyxel Device can only belong to one AS at a time 2 Configure the AS number and BGP criteria of the peer BGP routers PE in the neighboring AS in Configuration Network Routing BGP Add Neighbors Note The maximum number of neighboring BGP routers supported by the Zyxel Device is 5 3 Configure the network for BGP routes in the neighboring AS Note You may configure up to 1...

Page 433: ...te You must have a public WAN IP address to use Dynamic DNS You must set up a dynamic DNS account with a supported DNS service provider before you can use Dynamic DNS services with the Zyxel Device When registration is complete the DNS service provider gives you a password or key At the time of writing the Zyxel Device supports the following DNS service providers See the listed websites for detail...

Page 434: ...e Name This field displays the descriptive profile name for this entry DDNS Type This field displays which DDNS service you are using Domain Name This field displays each domain name the Zyxel Device can route Primary Interface IP This field displays the interface to use for updating the IP address mapped to the domain name followed by how the Zyxel Device determines the IP address for the domain ...

Page 435: ...edit the configuration of an existing domain name Click Configuration Network DDNS and then an Add or Edit icon to open this screen Figure 302 Configuration Network DDNS Add Apply Click this button to save your changes to the Zyxel Device Reset Click this button to return the screen to its last saved settings Table 151 Configuration Network DDNS continued LABEL DESCRIPTION ...

Page 436: ...you are editing an entry DDNS Type Select the type of DDNS service you are using Select User custom to create your own DDNS service and configure the DYNDNS Server URL and Additional DDNS Options fields below HTTPS Select this to encrypt traffic using SSL port 443 including traffic with username and password to the DDNS server Not all DDNS providers support this option Username Type the user name ...

Page 437: ...s to use for the domain name Backup Binding Address Use these fields to set an alternate interface to map the domain name to when the interface specified by the Primary Binding Interface settings is not available Interface Select the interface to use for updating the IP address mapped to the domain name Select Any to let the domain name be used with any interface Select None to not use a backup ad...

Page 438: ...again the DynDNS server delivers the mail to you See www dyndns org for more information about this service DYNDNS Server This field displays when you select User custom from the DDNS Type field above Type the IP address of the server that will host the DDSN service URL This field displays when you select User custom from the DDNS Type field above Type the URL that can be used to access the server...

Page 439: ...n the example and assign a default server IP address of 192 168 1 35 to a third C in the example You assign the LAN IP addresses and the ISP assigns the WAN IP address The NAT network appears as a single host on the Internet Figure 304 Multiple Servers Behind NAT Example 13 1 1 What You Can Do in this Chapter Use the NAT screens see Section 13 2 on page 440 to view and manage the list of NAT rules...

Page 440: ...te Login Protocol 23 TCP Telnet 25 TCP Simple Mail Transfer Protocol SMTP 42 UDP Host Name Server Nameserv 43 TCP WhoIs 53 TCP UDP Domain Name System DNS 67 UDP BOOTP DHCP server 68 UDP BOOTP DHCP client 69 UDP Trivial File Transfer Protocol TFTP 79 TCP Finger 80 TCP HTTP 110 TCP POP3 119 TCP Newsgroup NNTP 123 UDP Network Time Protocol NTP 135 TCP UDP RPC Locator service 137 TCP UDP NetBIOS Name ...

Page 441: ... click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The Zyxel Device confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Move To change an entry s position in a numbered list selec...

Page 442: ...AT entry It displays any if there is no restriction on the external destination IP address Internal IP This field displays the new destination IP address for the packet Protocol This field displays the service used by the packets for this NAT entry It displays any if there is no restriction on the services External Port This field displays the external destination port s of packets for the NAT ent...

Page 443: ...on which packets for the NAT rule must be received It can be an Ethernet VLAN bridge or PPPoE PPTP interface Source IP Specify the source IP address of the packets received by this NAT rule s specified incoming interface any Select this to use all of the incoming interface s IP addresses including dynamic addresses or those of any virtual interfaces built upon the selected incoming interface User ...

Page 444: ...Mapping Type is Port Enter the external destination port this NAT rule supports Internal Port This field is available if Mapping Type is Port Enter the translated destination port if this NAT rule forwards the packet External Start Port This field is available if Mapping Type is Ports Enter the beginning of the range of external destination ports this NAT rule supports External End Port This field...

Page 445: ... By default the security policy blocks incoming connections from external addresses After you configure your NAT rule settings click the Security Policy link to configure a security policy to allow the NAT rule s traffic to come in The Zyxel Device checks NAT rules before it applies To Zyxel Device security policies so To Zyxel Device security policies do not apply to traffic that is forwarded by ...

Page 446: ...the Zyxel Device changes the source address to 1 1 1 1 before sending it to the LAN user The return traffic s source matches the external destination address 1 1 1 1 If the SMTP server replied directly to the LAN user without the traffic going through NAT the source would not match the external destination address which would cause the LAN user s computer to shut down the session Figure 309 LAN to...

Page 447: ...e a policy route allows it to access the Internet to get them from a server Proxy server A then forwards the response to the client Figure 310 HTTP Redirect Example 14 1 2 SMTP Redirect SMTP redirect forwards the authenticated client s SMTP message to a SMTP server that handles all outgoing e mail messages In the following example SMTP server A is connected to the lan2 interface in the LAN2 zone W...

Page 448: ...application layer gateway between the private network and the Internet or other networks It also keeps hackers from knowing internal IP addresses A client connects to a web proxy server each time he she wants to access the Internet The web proxy provides caching service to allow quick access and reduce network usage The proxy checks its local cache for the requested web resource first If it is not...

Page 449: ...rward HTTP traffic from proxy server A to the Internet SMTP Simple Mail Transfer Protocol SMTP is the Internet s message transport standard It controls the sending of e mail messages between servers E mail clients also called e mail applications then use mail server protocols such as POP Post Office Protocol or IMAP Internet Message Access Protocol to retrieve e mail E mail clients also generally ...

Page 450: ...rect rule and one SMTP redirect rule for each incoming interface Figure 312 Configuration Network Redirect Service The following table describes the labels in this screen Table 156 Configuration Network Redirect Service LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To r...

Page 451: ...ource Server This is the IP address of the HTTP proxy server or the SMTP server to which the matched traffic is forwarded Port This is the service port number used by the HTTP proxy server or SMTP server Apply Click Apply to save your changes back to the Zyxel Device Reset Click Reset to return the screen to its last saved settings Table 156 Configuration Network Redirect Service continued LABEL D...

Page 452: ...Address Select the name of the source IP address object from which the traffic should be sent Select any for the rule to be effective for every source Redirect Settings Server Enter the IP address of the HTTP proxy or SMTP server Port Enter the port number that the HTTP proxy or SMTP server uses OK Click OK to save your changes back to the Zyxel Device Cancel Click Cancel to exit this screen witho...

Page 453: ... SIP signaling 1 and audio 2 sessions between SIP clients A and B and the SIP server Figure 314 SIP ALG Example The ALG feature is only needed for traffic that goes through the Zyxel Device s NAT 15 1 1 What You Need to Know Application Layer Gateway ALG NAT and Security Policy The Zyxel Device can function as an Application Layer Gateway ALG to allow certain NAT un friendly applications such as S...

Page 454: ...ons between H 323 devices A and B Figure 315 H 323 ALG Example SIP ALG SIP phones can be in any zone including LAN DMZ WAN and the SIP server and SIP clients can be in the same network or different networks The SIP server cannot be on the LAN It must be on the WAN or the DMZ There should be only one SIP server total on the Zyxel Device s private networks Any other SIP servers must be on the WAN So...

Page 455: ...P addresses For example you configure the security policy and NAT to allow LAN IP address A to receive calls from the Internet through WAN IP address 1 You also use a policy route to have LAN IP address A make calls out through WAN IP address 1 Configure another policy route to have H 323 or SIP calls from LAN IP addresses B and C go out through WAN IP address 2 Even though only LAN IP address A c...

Page 456: ...o configure the security policy and enable NAT in the Zyxel Device to allow sessions initiated from the WAN 15 2 The ALG Screen Click Configuration Network ALG to open the ALG screen Use this screen to turn ALGs off or on configure the port numbers to which they apply and configure SIP ALG time outs Note If the Zyxel Device provides an ALG for a service you must enable the ALG in order to use the ...

Page 457: ...vice SIP timeout the Zyxel Device deletes the signaling session after the timeout period Enter the SIP signaling session timeout value 1 86400 Restrict Peer to Peer Signaling Connection A signaling connection is used to set up the SIP connection Enable this if you want signaling connections to only arrive from the IP address es you registered with Signaling connections from other IP addresses will...

Page 458: ...nterface that was set to passive in order to have the connection go through the second interface VoIP clients usually re register automatically at set intervals or the users can manually force them to re register FTP File Transfer Protocol FTP is an Internet file transfer service that operates on the Internet and over TCP IP networks A system running the FTP server accepts commands from a system r...

Page 459: ...ing protocol that handles the setting up altering and tearing down of voice and multimedia sessions over the Internet SIP is used in VoIP Voice over IP the sending of voice signals over the Internet Protocol SIP signaling is separate from the media for which it handles sessions The media that is exchanged during the session can use a different path from that of the signaling SIP handles telephone ...

Page 460: ...pler than UPnP IGD and mainly designed for small home networks It allows a client behind a NAT router to retrieve the router s public IP address and port number and make them known to the peer device with which it wants to communicate The client can automatically configure the NAT router to create a port mapping to allow the peer to contact it 16 2 What You Need to Know UPnP hardware is identified...

Page 461: ...environments When a UPnP or NAT PMP device joins a network it announces its presence with a multicast message For security reasons the Zyxel Device allows multicast messages on the LAN only All UPnP enabled or NAT PMP enabled devices may communicate freely with each other without additional configuration Disable UPnP or NAT PMP if this is not your intention 16 3 UPnP Screen Use this screen to enab...

Page 462: ... NAT PMP application to open the web configurator s login screen without entering the Zyxel Device s IP address although you must still enter the password to access the web configurator Allow UPnP or NAT PMP to pass through Firewall Select this check box to allow traffic from UPnP enabled or NAT PMP enabled applications to bypass the security policy Clear this check box to have the security policy...

Page 463: ...ed Sharing Settings 3 Select Turn on network discovery and click Save Changes Network discovery allows your computer to find other computers and devices on the network and other computers on the network to find your computer This makes it easier to share files and printers ...

Page 464: ... already have UPnP activated on the Zyxel Device and in your computer Make sure your computer is connected to a LAN port of the Zyxel Device 1 Open the Windows Explorer and click Network 2 Right click the device icon and select Properties Figure 320 Network Connections 3 In the Internet Connection Properties window click Settings to see port mappings ...

Page 465: ...WALL USG Series User s Guide 465 Figure 321 Internet Connection Properties 4 You may edit or delete the port mappings or click Add to manually add port mappings Figure 322 Internet Connection Properties Advanced Settings ...

Page 466: ...e more details about your current Internet connection status right click on the network icon in the system tray and click Open Network and Sharing Center Click Local Area Network Figure 325 Internet Connection Status 16 4 2 Turn on UPnP in Windows 10 Example This section shows you how to use the UPnP feature in Windows 10 UPnP server is installed in Windows 10 Activate UPnP on the Zyxel Device by ...

Page 467: ...Chapter 16 UPnP ZyWALL USG Series User s Guide 467 1 Click the start icon Settings and then Network Internet 2 Click Network and Sharing Center 3 Click Change advanced sharing settings ...

Page 468: ...llows your computer to find other computers and devices on the network and other computers on the network to find your computer This makes it easier to share files and printers 16 4 3 Auto discover Your UPnP enabled Network Device Before you follow these steps make sure you already have UPnP activated on the Zyxel Device and in your computer ...

Page 469: ... File Explorer and click Network 2 Right click the Zyxel Device icon and select Properties Figure 326 Network Connections 3 In the Internet Connection Properties window click Settings to see port mappings Figure 327 Internet Connection Properties 4 You may edit or delete the port mappings or click Add to manually add port mappings ...

Page 470: ...isconnected from your computer all port mappings will be deleted automatically 5 Click OK Check the network icon on the system tray to see your Internet connection status Figure 330 System Tray Icon 6 To see more details about your current Internet connection status right click the network icon in the system tray and click Open Network Internet settings Click Network and Sharing Center and click t...

Page 471: ...th UPnP you can access the web based configurator on the Zyxel Device without finding out the IP address of the Zyxel Device first This comes helpful if you do not know the IP address of the Zyxel Device Follow the steps below to access the web configurator 1 Open Windows Explorer 2 Click Network Select My Network Places under Other Places ...

Page 472: ...der Network Infrastructure 4 Right click on the icon for your Zyxel Device and select View device webpage The web configurator login screen displays Figure 333 Network Connections My Network Places 5 Right click on the icon for your Zyxel Device and select Properties Click the Network Device tab A window displays with information about the Zyxel Device ...

Page 473: ...de 473 Figure 334 Network Connections My Network Places Properties Example 16 4 5 Web Configurator Easy Access in Windows 10 Follow the steps below to access the Web Configurator 1 Open File Explorer 2 Click Network Figure 335 Network Connections ...

Page 474: ... for your Zyxel Device and select View device webpage The Web Configurator login screen displays Figure 336 Network Connections Network Infrastructure 5 Right click the icon for your Zyxel Device and select Properties Click the Network Device tab A window displays information about the Zyxel Device Figure 337 Network Connections Network Infrastructure Properties Example ...

Page 475: ...address 192 168 1 27 and use static DHCP to assign it to Tim s computer s MAC address of 12 34 56 78 90 AB IP MAC binding drops traffic from any computer trying to use IP address 192 168 1 27 with another MAC address Figure 338 IP MAC Binding Example 17 1 1 What You Can Do in this Chapter Use the Summary and Edit screens Section 17 2 on page 476 to bind IP addresses to MAC addresses Use the Exempt...

Page 476: ...on Network IP MAC Binding Edit to open the IP MAC Binding Edit screen Use this screen to configure an interface s IP to MAC address binding settings Table 160 Configuration Network IP MAC Binding Summary LABEL DESCRIPTION Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Activate To turn on an entry select it and click Activate Inacti...

Page 477: ...s for IP MAC Binding Violation Select this option to have the Zyxel Device generate a log if a device connected to this interface attempts to use an IP address not assigned by the Zyxel Device Static DHCP Bindings This table lists the bound IP and MAC addresses The Zyxel Device checks this table when it assigns IP addresses If the computer s MAC address is in the table the Zyxel Device assigns the...

Page 478: ...ESCRIPTION Interface Name This field displays the name of the interface within the Zyxel Device and the interface s IP address and subnet mask IP Address Enter the IP address that the Zyxel Device is to assign to a device with the entry s MAC address MAC Address Enter the MAC address of the device to which the Zyxel Device assigns the entry s IP address Description Enter up to 64 printable ASCII c...

Page 479: ...ddress in a range of IP addresses for which the Zyxel Device does not apply IP MAC binding End IP Enter the last IP address in a range of IP addresses for which the Zyxel Device does not apply IP MAC binding Add icon Click the Add icon to add a new entry Click the Remove icon to delete an entry A window displays asking you to confirm that you want to delete it Apply Click Apply to save your change...

Page 480: ...the Vlan1 The IP address of network printer C is added to the white list With this setting the connected AP then cannot communicate with the PC D but can access the network printer C server B wireless client A and the Internet Figure 343 Layer 2 Isolation Application 18 1 1 What You Can Do in this Chapter Use the General screen Section 18 2 on page 480 to enable layer 2 isolation on the Zyxel Devi...

Page 481: ...Enable Layer2 Isolation Select this option to turn on the layer 2 isolation feature on the Zyxel Device Note You can enable this feature only when the security policy is enabled Member List The Available list displays the name s of the internal interface s on which you can enable layer 2 isolation To enable layer 2 isolation on an interface you can double click a single entry to move it or use the...

Page 482: ... Select this option to turn on the white list on the Zyxel Device Note You can enable this feature only when the security policy is enabled Add Click this to add a new rule Edit Click this to edit the selected rule Remove Click this to remove the selected rule Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate This field is a se...

Page 483: ...ayer 2 Isolation White List Add Edit LABEL DESCRIPTION Enable Select this option to turn on the rule Host IP Address Enter an IPv4 address associated with this rule Description Specify a description for the IP address associated with this rule Enter up to 60 characters spaces and underscores allowed OK Click OK to save your changes back to the Zyxel Device Cancel Click Cancel to exit this screen w...

Page 484: ...query message and responds to it with the WAN2 s IP address 2 2 2 2 because the WAN2 has the least load at that moment Another Internet host B also sends a DNS query message to ask where www example com is The Zyxel Device responds to it with the WAN1 s IP address 1 1 1 1 since WAN1 has the least load this time Figure 347 DNS Load Balancing Example 19 1 1 What You Can Do in this Chapter Use the In...

Page 485: ... Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The Zyxel Device confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Move To move an entry to a different number in the list click the Move icon In the field that app...

Page 486: ...ed a weight An interface with a larger weight gets more chances to transmit traffic than an interface with a smaller weight For example if the weight ratio of wan1 and wan2 interfaces is 2 1 the Zyxel Device chooses wan1 for 2 sessions traffic and wan2 for 1 session s traffic in each round of 3 new sessions Least Connection The Zyxel Device chooses choose a member interface which is handling the l...

Page 487: ...o resolve the name You have to configure this field to the client s IP address when iteration is used Zone Select the zone of DNS query messages upon which to apply this rule Load Balancing Member Load Balancing Algorithm Select a load balancing method to use from the drop down list box Select Weighted Round Robin to balance the traffic load between interfaces based on their respective weights An ...

Page 488: ...lick OK to save your changes back to the Zyxel Device Cancel Click Cancel to exit this screen without saving Table 168 Configuration Network DNS Inbound LB Add Edit continued LABEL DESCRIPTION Table 169 Configuration Network DNS Inbound LB Add Edit Add Edit LABEL DESCRIPTION Member The Zyxel Device checks each member interface s loading in the order displayed here Monitor Interface Select an inter...

Page 489: ... USG Series User s Guide 489 OK Click OK to save your changes back to the Zyxel Device Cancel Click Cancel to exit this screen without saving Table 169 Configuration Network DNS Inbound LB Add Edit Add Edit continued LABEL DESCRIPTION ...

Page 490: ...or Internet As soon as a user attempt to open a web page the Zyxel Device reroutes his her browser to a web portal page that prompts him her to log in Figure 351 Web Authentication Example The web authentication page only appears once per authentication session Unless a user session times out or he she closes the connection he or she generally will not see it again during the same session 20 1 1 W...

Page 491: ...e the Zyxel Device to display the Login screen automatically whenever it routes HTTP traffic for anyone who has not logged in yet Note This works with HTTP traffic only The Zyxel Device does not display the Login screen when users attempt to send other kinds of traffic The Zyxel Device does not automatically route the request that prompted the login however so users have to make this request again...

Page 492: ...cates with the Zyxel Device through the specifically designated web portal or user agreement page Web Portal General Setting Enable Session Page Select this to display a page showing information on the user session after s he logs in It displays remaining time with an option to renew or log out immediately Logout IP Specify an IP address that users can use to terminate their sessions manually by e...

Page 493: ...ice confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Move To move an entry to a different number in the list click the Move icon In the field that appears specify the number to which you want to move the interface Status This icon is lit when the entry is active and dimmed when th...

Page 494: ...ick the Edit icon in the Web Authentication Policy Summary section to open the Auth Policy Add Edit screen Use this screen to configure an authentication policy Authentication This field displays the authentication requirement for users when their traffic matches this policy unnecessary Users do not need to be authenticated required Users need to be authenticated They must manually go to the login...

Page 495: ...his policy are received Source Address Select a source address or address group including geographic address and FQDN group objects for whom this policy applies Select any if the policy is effective for every source This is any and not configurable for the default policy Destination Address Select a destination address or address group including geographic address and FQDN group objects for whom t...

Page 496: ...k the Add icon 2 Enter the same user name that is used in the RADIUS server and set the User Type to ext user because this user account is authenticated by an external server Click OK Single Sign on This field is available for user configured policies that require Single Sign On SSO Select this to have the Zyxel Device enable the SSO feature You can set up this feature in the SSO screen Force User...

Page 497: ... users to the user groups 1 Click Configuration Object User Group Group Click the Add icon 2 Enter the name of the group In this example it is Finance Then select Object Leo and click the right arrow to move him to the Member list This example only has one member in this group so click OK Of course you could add more members later Figure 357 Configuration Object User Group Group Add 3 Repeat this ...

Page 498: ...method Finally force users to log into the Zyxel Device before it routes traffic for them 1 Click Configuration Object AAA Server RADIUS Double click the radius entry Configure the RADIUS server s address authentication port 1812 if you were not told otherwise and key Click OK Figure 358 Configuration Object AAA Server RADIUS Add 2 Click Configuration Object Auth Method Double click the default en...

Page 499: ...ection click the Add icon to set up a default policy that has priority over other policies and forces every user to log into the Zyxel Device before the Zyxel Device routes traffic for them 5 Select Enable Policy Enter a descriptive name default_policy for example Set the Authentication field to required and make sure Force User Authentication is selected Select an authentication type profile defa...

Page 500: ...roups distinguished by the value of a specific attribute you can make a couple of slight changes in the configuration to have the RADIUS server authenticate groups of user accounts defined in the RADIUS server 1 Click Configuration Object AAA Server RADIUS Double click the radius entry Besides configuring the RADIUS server s address authentication port and key set the Group Membership Attribute fi...

Page 501: ...ntify groups based on the group identifier values Set up one user account for each group of user accounts in the RADIUS server Click Configuration Object User Group User Click the Add icon Enter a user name and set the User Type to ext group user In the Group Identifier field enter Finance Engineer Sales or Boss and set the Associated AAA Server Object to radius ...

Page 502: ...ication pages to be used for user authentication Go to Configuration Web Authentication and then select the Authentication Type tab to display the screen Figure 364 Configuration Web Authentication Authentication Type The following table describes the labels in this screen Table 172 Configuration Web Authentication Authentication Type LABEL DESCRIPTION Add Click this to create a new entry Select a...

Page 503: ...ys the name of the profile default web portal the default login page built into the Zyxel Device Note You can also customize the default login page built into the Zyxel Device in the System WWW Login Page screen default web portal the default user agreement page built into the Zyxel Device Type This field displays the type of the web authentication page used by this profile Web Page This field dis...

Page 504: ...ric characters A Z a z 0 9 and underscores _ Spaces are not allowed The first character must be a letter The following fields are available if you set Type to Web Portal Internal Web Portal Select this to use the web portal pages uploaded to the Zyxel Device The login page appears whenever the web portal intercepts network traffic preventing unauthorized users from gaining access to the network Pr...

Page 505: ...monitor how long each access user is logged in and idle in other words there is no traffic for this access user The Zyxel Device automatically logs out the access user once the Idle timeout has been reached Idle timeout This is applicable for access users This field is effective when Enable Idle Detection is checked Type the number of minutes each access user can be logged in and idle before the Z...

Page 506: ...uthentication Custom Web Portal File Welcome URL Specify the welcome page s URL for example http IIS server IP Address welcome html The Internet Information Server IIS is the web server on which the user agreement files are installed If you leave this field blank the Zyxel Device will use the welcome page of internal user agreement file Download Click this to download an example external user agre...

Page 507: ... associated with the business location Table 174 Configuration Web Authentication Custom Web Portal User Agreement File LABEL DESCRIPTION Remove Click a file s row to select it and click Remove to delete it from the Zyxel Device Download Click a file s row to select it and click Download to save the zipped file to your computer This column displays the index number for each file entry This field i...

Page 508: ...ion Web Authentication Facebook Wi Fi LABEL DESCRIPTION Enable Facebook Wi Fi Select the check box and click Apply to turn on Facebook Wi Fi on the Zyxel Device Configure Click this button to open the Facebook Wi Fi configuration screen in a new window where you can select the Facebook Page associated with your location and configure bypass mode and session length Note You should have registered y...

Page 509: ... see the following message This device is not paired with facebook Please configure this device 1 Click Configure 2 Log into Facebook and click Create Page 3 Select the Facebook page type and fill in the information prompts to create a Facebook page Then click Get Started 4 In the following screen select the page just created and click Save Settings Your Facebook page is now paired with Facebook W...

Page 510: ...ice s wireless or LAN network 2 Open a web browser from the connected computer or mobile device 3 The Facebook Page you specified displays By default users can log in and check in to the location associated with the Facebook Page or click a link to skip check in If you set Bypass Mode to Require Wi Fi code in the Facebook Wi Fi configuration screen users need to enter the Wi Fi password you provid...

Page 511: ... agent checks that these credentials are correct with the AD server and if the AD server confirms so the SSO then notifies the Zyxel Device to allow access for the user to the permitted resource Internet access for example Note The Zyxel Device the DC the SSO agent and the AD server must all be in the same domain and be able to communicate with each other SSO does not support IPv6 LDAP or RADIUS y...

Page 512: ...Configuration Page Gateway Setting Gateway Port Web Authentication SSO Primary Agent Port Agent Configuration Page Agent Listening Port Object User Group User Add Group Identifier Agent Configuration Page Configure LDAP AD Server Group Membership Object AAA Server Active Directory Add Base DN Agent Configuration Page Configure LDAP AD Server Base DN Object AAA Server Active Directory Add Bind DN A...

Page 513: ...ion Web Authentication SSO LABEL DESCRIPTION Listen Port The default agent listening port is 2158 If you change it on the Zyxel Device then change it to the same number in the Gateway Port field on the SSO agent too Type a number ranging from 1025 to 65535 Agent PreShareKey Type 8 32 printable ASCII characters or exactly 32 hex characters 0 9 a f The Agent PreShareKey is used to encrypt communicat...

Page 514: ...y as the source address unless you want all incoming connections to be authenticated Secondary Agent Port Optional Type the same port number here as in the Agent Listening Port field on the backup SSO agent if there is one Type a number ranging from 1025 to 65535 Apply Click this button to save your changes to the Zyxel Device Reset Click this button to return the screen to its last saved settings...

Page 515: ...icy for SSO traffic source and destination direction in order to prevent the security policy from blocking this traffic Go to Configuration Security Policy Policy and add a new policy if a default one does not cover the SSO web authentication traffic direction Configure the fields as shown in the following screen Configure the source and destination addresses according to the SSO web authenticatio...

Page 516: ... Authentication ZyWALL USG Series User s Guide 516 20 4 5 Configure User Information Configure a User account of the ext group user type Configure Group Identifier to be the same as Group Membership on the SSO agent ...

Page 517: ...tive Directory You must configure an Active Directory AD server in AAA Setup to be the same as AD configured on the SSO agent The default AD server port is 389 If you change this make sure you make the same changes on the SSO Configure the Base DN exactly the same as on the Domain Controller and SSO Bind DN is a user name and password that allows the Zyxel Device to join the domain with administra...

Page 518: ...ries User s Guide 518 20 5 SSO Agent Configuration This section shows what you have to do on the SSO agent in order to work with the Zyxel Device After you install the SSO agent you will see an icon in the system tray bottom right of the screen ...

Page 519: ...click the SSO icon and select Configure Zyxel SSO Agent Configure the Agent Listening Port AD server exactly as you have done on the Zyxel Device Add the Zyxel Device IP address as the Gateway Make sure the Zyxel Device and SSO agent are able to communicate with each other ...

Page 520: ... 520 Configure the Server Address Port Base DN Bind DN Login Name Attribute and Group Membership for the AD server settings exactly as you have done on the Zyxel Device Group Membership is called Group Identifier on the Zyxel Device LDAP AD Server Configuration ...

Page 521: ...el Device Configuration Web Authentication SSO screen If you want to use Generate Key to have the SSO create a random password select Check to show PreShareKey as clear Text so as to see the password then copy and paste it to the Zyxel Device After all SSO agent configurations are done right click the SSO icon in the system tray and select Enable Zyxel SSO Agent ...

Page 522: ...ice screen see Section 21 6 on page 534 to enable online payment service and configure the service pages 21 2 1 What You Need to Know Accumulation Accounting Method The accumulation accounting method allows multiple re logins until the allocated time period or until the user account is expired The Zyxel Device accounts the time that the user is logged in for Internet access Time to finish Accounti...

Page 523: ...een Use this screen to configure the general billing settings such as the accounting method currency unit and the SSID profiles to which the settings are applied Click Configuration Hotspot Billing General to open the following screen Figure 372 Configuration Hotspot Billing General ...

Page 524: ...number per billing account Enter the maximum number of the users that are allowed to log in with the same account Reach maximum number per billing account Select Block to stop new users from logging in when the Maximum number per billing account is reached Select Remove previous user and login to disassociate the first user that logged in and allow new user to log in when the Maximum number per bi...

Page 525: ...ctivated for this service If you need a license or a trial license has expired click Buy to buy a new one If a Standard license has expired click Renew to extend the license Then click Activate to connect with the myZyxel server to activate the new license Service Type This shows whether you have a trial or standard license or none Trial Standard None Expiration Date This shows when your hotspot l...

Page 526: ... to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate This field is a sequential value and it is not associated with a specific entry Status This icon is lit when the entry is active and dimmed when the entry is inactive Name This field displays the descriptive profile name for this entry Time Period T...

Page 527: ...rice plan in the Billing Discount screen This is the number of each discount level The default first level cannot be edited or deleted It is created automatically according to the billing profile of the button you select Name This field displays the conditions of each discount level Unit This field displays the duration of the billing period that should be reached before the Zyxel Device charges u...

Page 528: ... there is no printer attached Summary Total This shows the total price for the account before sales tax is added Tax This shows the tax rate Grand Total This shows the total price including tax Quantity Specify the number of account to be created Generate Click Generate to generate an account based on the billing settings you configure for the selected button in the Billing Profile screen A window...

Page 529: ...Click Printer to print this subscriber statement Click Cancel to close this window when you are finished viewing it 21 4 2 The Account Redeem Screen The Account Redeem screen allows you to send SMS messages for certain accounts Click the Account Redeem tab in the Account Generator screen to open this screen ...

Page 530: ...her an account expires or not Username This field displays the user name of the account Create Time This field displays when the account was created Remaining Time This field displays the amount of Internet access time remaining for each account Time Period This field displays the total account of time the account can use to access the Internet through the Zyxel Device Expiration Time This field d...

Page 531: ...n is available only when you open this screen by logging in with the guest manager account Table 181 Account Redeem continued LABEL DESCRIPTION Table 182 Configuration Hotspot Billing Billing Profile Add Edit LABEL DESCRIPTION Enable billing profile Select this option to activate the profile Name Enter a name for the billing profile You can use up to 31 alphanumeric characters A Z a z 0 9 and unde...

Page 532: ...es 0 means there is no data limit for the user account Upload Quota If you select Upload Download specify how much upstream data in MB Megabytes or GB Gigabytes can be transmitted through the WAN interface before the account expires 0 means there is no data limit for the user account Download Quota If you select Upload Download specify how much downstream data in MB Megabytes or GB Gigabytes can b...

Page 533: ...that their total purchase reaches Discount Price Plan Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The Zyxel Device confirms you want to remove it before doing so This is the number of each discount level The default first level cannot be ed...

Page 534: ...s and manage credit card transactions directly through the Internet You must register with the supported credit card service before you can configure the Zyxel Device to handle credit card transactions Click Configuration Hotspot Billing Payment Service to open the following screen Table 184 Configuration Hotspot Billing Discount Add Edit LABEL DESCRIPTION Name This field displays the conditions o...

Page 535: ...n when users try to access the Internet The link redirects users to a screen where they can make online payments by credit card to purchase access time and get dynamic guest account information Payment Provider Selection Account You should already have a PayPal account to receive credit card payments Enter your PayPal account name Currency Select the currency in which payments are made The availab...

Page 536: ...w the Zyxel Device provides dynamic guest account information after the user s online payment is done Select On Screen to display the user account information in the web screen Select SMS to use Short Message Service SMS to send account information in a text message to the user s mobile device Select On Screen and SMS to provide the account information both in the web screen and via SMS text messa...

Page 537: ...Chapter 21 Hotspot ZyWALL USG Series User s Guide 537 Figure 380 Configuration Hotspot Billing Payment Service Desktop View ...

Page 538: ...Chapter 21 Hotspot ZyWALL USG Series User s Guide 538 Figure 381 Configuration Hotspot Billing Payment Service Mobile View ...

Page 539: ...second page after the user s online payment is made successfully Use up to 256 printable ASCII characters Spaces are allowed Notification Message Enter the important information you want to display Use up to 256 printable ASCII characters Spaces are allowed Notification Color Specify the font color of the important information You can use the color palette chooser or enter a color value of your ow...

Page 540: ...g paper in the printer Refer to the printer s documentation for details 22 1 1 What You Can Do in this Chapter Use the Printer Manager General screen see Section 21 3 on page 523 to configure the printer list and enable printer management Use the Printer Manager Printout Configuration screen see Section 22 3 on page 547 to customize the account printout 22 2 The Printer Manager General Screen Use ...

Page 541: ...k this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The Zyxel Device confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Discover Printer Cl...

Page 542: ...tion This field displays the descriptive name for the printer that you configured Printer Firmware Information Current Version This is the version of the printer firmware currently uploaded to the Zyxel Device The Zyxel Device automatically installs it in the connected printers to make sure the printers are upgraded to the same version Hotspot Service Status The hotspot license must be registered ...

Page 543: ...ter s settings You can t click the Edit icon when the printer status is sync fail or sync progressing Figure 384 Configuration Hotspot Printer Manager General Edit Table 188 Configuration Hotspot Printer Manager General Add LABEL DESCRIPTION Enable Printer Manager Select this option to turn on this entry in order to allow the Zyxel Device to manage this printer IPv4 Address Enter an IPv4 address f...

Page 544: ...60 characters long IP Address Assignment Get Automatically Select this to make the printer a DHCP client and automatically get the IP address subnet mask and gateway address from a DHCP server Use Fixed IP Address Select this if you want to specify the IP address subnet mask and gateway manually IP Address This field is enabled if you select Use Fixed IP Address Enter the IP address for the printe...

Page 545: ...Printer List Click this to add the selected printer to the managed printer list This is the index number of the printer in the list Registration This field displays whether the printer is added to the managed printer list Mgnt Printer or not Un Mgnt Printer IPv4 Address This field displays the IP address of the printer Update Time This field displays the date and time the Zyxel Device last synchro...

Page 546: ... this to make the printer a DHCP client and automatically get the IP address subnet mask and gateway address from a DHCP server Use Fixed IP Address Select this if you want to specify the IP address subnet mask and gateway manually IP Address This field is enabled if you select Use Fixed IP Address Enter the IP address for the printer Subnet Mask This field is enabled if you select Use Fixed IP Ad...

Page 547: ... Zyxel Device Once this option is selected the custom format controls below become active Preview Click the button to display a preview of account printout format you uploaded to the Zyxel Device File Name This shows the file name of account printout format file in the Zyxel Device Click Download to download the account printout format file from the Zyxel Device to your computer File Path Browse U...

Page 548: ... within five seconds to print The following sections describe each report printout in detail 22 4 2 Daily Account Summary The daily account report lists the accounts printed during the current day the current day s total number of accounts and the total charge It covers the accounts that have been printed during the current day starting from midnight not the past 24 hours For example if you press ...

Page 549: ... monthly account report includes the accounts created from 2013 05 01 at 00 00 01 to 2013 05 17 at 19 59 59 Key combination A B C B A The following figure shows an example Figure 389 Monthly Account Example 22 4 4 Account Report Notes The daily monthly or last month account report holds up to 2000 entries If there are more than 2000 accounts created in the same month or same day the account report...

Page 550: ...ollowing table describes the labels in this report System Status Item Description SYST 02 02 35 WAST Link up WLST Activate FWVR 2 50 AACG 0 BTVR 1 22 WAMA 00 90 0E 00 4A 29 LAMA 00 90 0E 00 4A 30 WAIP 10 21 2 267 LAIP 172 16 0 1 WLIP 10 59 1 1 DHSP 10 59 1 33 DHEP 10 59 1 254 CPUS 5 MEMS 40 DKST 5 2012 04 12 17 10 22 End Table 194 System Status LABEL DESCRIPTION SYST This field displays the time s...

Page 551: ...face on the Zyxel Device DHSP This field displays the first of the continuous addresses in the IP address pool DHEP This field displays the end of the continuous addresses in the IP address pool CPUS This field displays the Zyxel Device s recent CPU usage MEMS This field displays the Zyxel Device s recent memory usage DKST This field displays what percentage of the Zyxel Device s on board flash me...

Page 552: ...eriod of time 23 1 1 What You Can Do in this Chapter Use the Free Time screen see Section 23 2 on page 552 to turn on this feature to allow users to get a free account for Internet surfing during the specified time period 23 2 The Free Time Screen Use this screen to enable and configure the free time settings Click Configuration Hotspot Free Time to open the following screen Figure 391 Configurati...

Page 553: ...h the new free time account is allowed to access the Internet If the date you selected is not available in a month such as 30th or 31th the Zyxel Device allows the free account access on the last day of the month Maximum Registration Number Before Reset Time Enter the maximum number of the users that are allowed to log in for Internet access with a free guest account before the time specified in t...

Page 554: ... for this service If you need a license or a trial license has expired click Buy to buy a new one If a Standard license has expired click Renew to extend the license Then click Activate to connect with the myZyxel server to activate the new license Service Type This shows whether you have a trial or standard license or none Trial Standard None Expiration Date This shows when your hotspot license w...

Page 555: ...d free time feature on the Zyxel Device the link description in the login screen will be mainly for online payment service You can still click the link to get a free account If SMS is enabled on the Zyxel Device you have to enter your mobile phone number before clicking OK to get a free guest account ...

Page 556: ...ZyWALL USG Series User s Guide 556 The guest account information then displays in the screen and or is sent to the configured mobile phone number EXAMPLE ...

Page 557: ...an connect to the Zyxel Device or access the Internet through the Zyxel Device The IPnP feature does not apply to a computer using either a dynamic IP address or a static IP address that is in the same subnet as the Zyxel Device s IP address Note You must enable NAT to use the IPnP feature The following figure depicts a scenario where a computer is set to use a static private IP address in the cor...

Page 558: ...s the name s of the internal interface s on which you can enable IPnP To enable IPnP on an interface you can double click a single entry to move it or use the Shift or Ctrl key to select multiple entries and click the right arrow button to add to the Member list To remove an interface select the name s in the Member list and click the left arrow button Hotspot Service Status Service Status This fi...

Page 559: ...t license will expire Register Now Click the link to go to myZyxel where you can register your Zyxel Device and activate the service This link is available only when the service is not activated yet Apply Click Apply to save your changes back to the Zyxel Device Reset Click Reset to return the screen to its last saved settings Table 196 Configuration Hotspot IPnP continued LABEL DESCRIPTION ...

Page 560: ...o turn on the walled garden feature Note You must enable web authentication before you can access the Walled Garden screens Note You can configure up to 50 walled garden web site links Click Configuration Hotspot Walled Garden to display the screen Figure 394 Configuration Hotspot Walled Garden General The following table describes the labels in this screen Table 197 Configuration Hotspot Walled G...

Page 561: ...ne If a Standard license has expired click Renew to extend the license Then click Activate to connect with the myZyxel server to activate the new license Service Type This shows whether you have a trial or standard license or none Trial Standard None Expiration Date This shows when your hotspot license will expire Register Now Click the link to go to myZyxel where you can register your Zyxel Devic...

Page 562: ...ated with any entry Status This icon is lit when the entry is active and dimmed when the entry is inactive Display This icon is lit when the web site link is set to display in the user login screen Name This field displays the descriptive name of the web site URL This field displays the URL of the web site Apply Click this button to save your changes to the Zyxel Device Reset Click this button to ...

Page 563: ...it this screen without saving Table 199 Configuration Hotspot Walled Garden URL Base Add Edit continued LABEL DESCRIPTION Table 200 Configuration Hotspot Walled Garden Domain IP Based LABEL DESCRIPTION Walled Garden Domain IP List Use this table to manage the list of walled garden web site links Add Click this to create a new entry Select an entry and click Add to create a new entry after the sele...

Page 564: ...figuration Hotspot Walled Garden Domain IP Based continued LABEL DESCRIPTION Table 201 Configuration Hotspot Walled Garden Domain IP Base Add Edit LABEL DESCRIPTION Enable Select this to activate the entry Name Enter a descriptive name for the walled garden link You can use up to 31 alphanumeric characters A Z a z 0 9 and underscores _ Spaces are also allowed The first character must be a letter T...

Page 565: ...Chapter 25 Walled Garden ZyWALL USG Series User s Guide 565 Figure 399 Walled Garden Login Example ...

Page 566: ...sement LABEL DESCRIPTION Enable Advertisement Select this to turn on the advertisement feature Note This feature works only when you enable web authentication Advertisement Summary Use this table to manage the list of advertisement web pages Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and ...

Page 567: ...yZyxel Activated or not Not Activated or expired Expired It displays the remaining Grace Period if your license has Expired It displays Not Licensed if there isn t a license to be activated for this service If you need a license or a trial license has expired click Buy to buy a new one If a Standard license has expired click Renew to extend the license Then click Activate to connect with the myZyx...

Page 568: ...You can use up to 31 alphanumeric characters A Z a z 0 9 and underscores _ Spaces are not allowed The first character must be a letter URL Enter the URL or IP address of the web site Use http followed by up to 262 characters 0 9a zA Z _ For example http www example com or http 172 16 1 35 Preview Click this button to open the specified web site in a new frame OK Click OK to save your changes back ...

Page 569: ...iteria above to apply the actions configured in the UTM profiles application patrol content filter IDP anti virus anti spam to traffic that matches the criteria above Note Security policies can be applied to both IPv4 and IPv6 traffic The security policies can also limit the number of user sessions The following example shows the Zyxel Device s default security policies behavior for a specific dir...

Page 570: ...bsite with guidance on configuration walkthroughs troubleshooting and other information This is an example of a port forwarding configuration walkthrough Figure 403 Example of a Port Forwarding Configuration Walkthrough This is an example of L2TP over IPSec VPN Troubleshooting troubleshooting 1 2 3 4 ...

Page 571: ...Chapter 27 Security Policy ZyWALL USG Series User s Guide 571 Figure 404 Example of L2TP over IPSec Troubleshooting 1 1 2 2 3 ...

Page 572: ... the feature Note that the walkthroughs do not perform the actual configuring but just show you how to do it Device HA General Licensing Registration Network NAT Network Routing Policy Route UTM Profile App Patrol UTM Profile Content Filter UTM Profile IDP UTM Profile Anti Virus UTM Profile Anti Spam VPN IPSec VPN VPN SSL VPN VPN L2TP VPN Click this icon to go to a series of screens that guide you...

Page 573: ...ick this icon for more information on Intrusion Detection which can detect malicious or suspicious packets used in network based intrusions UTM Profile IDP Click this icon for more information on Anti Virus which checks traffic flows through your network for known virus and spyware signature patterns UTM Profile Anti Virus Click this icon for more information on Anti Spam which can mark or discard...

Page 574: ... itself and generates a log except for AH ESP GRE HTTPS IKE NATT When you configure a Security Policy rule for packets destined for the Zyxel Device itself make sure it does not conflict with your service control rule The Zyxel Device checks the security policy before the service control rules for traffic destined for the Zyxel Device A From Any To Device direction policy applies to traffic from a...

Page 575: ...Limits Accessing the Zyxel Device or network resources through the Zyxel Device requires a NAT session and corresponding Security Policy session Peer to peer applications such as file sharing applications may use a large number of NAT sessions A single client could use all of the available NAT sessions and prevent others from connecting to or through the Zyxel Device The Zyxel Device lets you limi...

Page 576: ...metrical routes set a maximum number of sessions per host and display the configured Security Policies Specify from which zone packets come and to which zone packets travel to display only the policies specific to the selected direction Note the following Besides configuring the Security Policy you also need to configure NAT rules to allow computers on the WAN to access LAN devices The Zyxel Devic...

Page 577: ... IPv6 if enabled security policies based on direction application user source destination and or schedule From To Select a zone to view all security policies from a particular zone and or to a particular zone any means all zones IPv4 IPv6 Source Type an IPv4 or IPv6 IP address to view all security policies based on the IPv4 IPv6 source address object used An IPv4 IP address is written as four inte...

Page 578: ...e Zyxel Device and the backup gateway on separate subnets Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The Zyxel Device confirms you want to remove it before doing ...

Page 579: ...This displays the IPv4 IPv6 source address object including geographic address and FQDN group objects to which this Security Policy applies IPv4 IPv6 Destination This displays the IPv4 IPv6 destination address object including geographic address and FQDN group objects to which this Security Policy applies Service This displays the service object to which this Security Policy applies User This is t...

Page 580: ...Spaces are allowed From To For through Zyxel Device policies select the direction of travel of packets to which the policy applies any means all interfaces Device means packets destined for the Zyxel Device itself Source Select an IPv4 IPv6 address or address group object including geographic address and FQDN group objects to apply the policy to traffic coming from it Select any to apply the polic...

Page 581: ...ct whether to have the Zyxel Device generate a log log log and alert log alert or not no when the policy is matched to the criteria listed above UTM Profile Use this section to apply anti x profiles created in the Configuration UTM Profile screens to traffic that matches the criteria above You must have created a profile first otherwise none displays Use Log to generate a log log log and alert log...

Page 582: ...file in the In the Configuration Security Policy ADP Profile screen Then apply the profile to traffic originating from a specific zone in the Configuration Security Policy ADP General screen 27 5 1 The Anomaly Detection and Prevention General Screen Click Configuration Security Policy ADP General to display the next screen Figure 409 Configuration Security Policy ADP General The following table de...

Page 583: ...y select it and click Inactivate Move To change an entry s position in the numbered list select it and click Move to display a field to type a number for where you want to put that entry and press ENTER to move the entry to the number that you typed This is the entry s index number in the list Priority This is the rank in the list of anomaly profile policies The list is applied in order of priorit...

Page 584: ...a none or all Base Profile none base profile sets all ADP entries to have Log set to no and Action set to none by default all base profile sets all ADP entries to have Log set to log and Action set to block by default Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it Clone Use Clone to create a new entry by modifying an existing one Sele...

Page 585: ...hat you can edit The name must be the same in the Traffic Anomaly and Protocol Anomaly screens for the same ADP profile You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive These are valid unique profile names MyProfile mYProfile Mymy12_3 4 These are invalid profile names 1mYProfile My Profile MyProfile Whatalongpr...

Page 586: ...on To edit what action the Zyxel Device takes when a packet matches a policy select the policy and use the Action icon none The Zyxel Device takes no action when a packet matches the policy block The Zyxel Device silently drops packets that matches the policy Neither sender nor receiver are notified This is the entry s index number in the list Status The activate light bulb icon is lit when the en...

Page 587: ...offset which defines the size of the fragment and the original packet A series of IP fragments with overlapping offset fields can cause some systems to crash hang or reboot when fragment reassembling is attempted at the destination IP Spoofing IP Spoofing is used to gain unauthorized access to network devices by modifying packet headers so that it appears that the packets originate from a host wit...

Page 588: ...Chapter 27 Security Policy ZyWALL USG Series User s Guide 588 Figure 412 Configuration Security Policy ADP Profile Add Protocol Anomaly ...

Page 589: ...cket matches a policy select the policy and use the Action icon original setting Select this action to return each rule in a service group to its previously saved configuration none Select this action to have the Zyxel Device take no action when a packet matches a policy drop Select this action to have the Zyxel Device silently drop a packet that matches a policy Neither sender nor receiver are no...

Page 590: ...or descending order according to the protocol anomaly policy name Log These are the log options To edit this select an item and use the Log icon Action This is the action the Zyxel Device should take when a packet matches a policy To edit this select an item and use the Action icon OK Click OK to save your settings to the Zyxel Device complete the profile and return to the profile summary page Can...

Page 591: ...ther limits for specific users or addresses Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The Zyxel Device confirms you want to remove it before doing so Activate To...

Page 592: ...racters Spaces are allowed User Select a user name or user group to which to apply the rule The rule is activated only when the specified user logs into the system and the rule will be disabled when the user logs out Otherwise select any and there is no need for user logging Note If you specified an IP address or address group instead of any in the field below the user s IP address should be withi...

Page 593: ... the CEO use IRC You configure a LAN1 to WAN security policy that allows IRC traffic from the IP address of the CEO s computer You can also configure a LAN to WAN policy that allows IRC traffic from any computer through which the CEO logs into the Zyxel Device with his her user name In order to make sure that the CEO s computer always uses the same IP address make sure it either Has a static IP ad...

Page 594: ...RC service on the WAN by logging into the Zyxel Device with the CEO s user name The second row blocks LAN1 access to the IRC service on the WAN The third row is the default policy of allowing allows all traffic from the LAN1 to go to the WAN The policy for the CEO must come before the policy that blocks all LAN1 to WAN IRC traffic If the policy that blocks all LAN1 to WAN IRC traffic came first th...

Page 595: ... 3 on page 598 to enable SecuReporter logging on your Zyxel Device see license status type expiration date and access a link to the SecuReporter web portal The SecuReporter web portal collects and analyzes logs from your Zyxel Device in order to identify anomalies alert on potential internal external threats and report on network usage 28 2 Cloud CNM SecuManager Cloud CNM SecuManager is a Virtual ...

Page 596: ...cation for events and alarms such as when a device goes down Graphically monitor individual devices and see related statistics Directly access a device for remote configuration Create four types of administrators with different privileges Perform Site to Site Hub Spoke Fully meshed and Remote Access VPN provisioning To allow Cloud CNM SecuManager management of your Zyxel Device You must have a Clo...

Page 597: ...e VM server is behind a NAT router You then need to manually enter the VM server URL into the Zyxel Device Enter the IPv4 IP address of the Cloud CNM SecuManager server followed by the port number default 7547 for HTTPS or 7549 for HTPP followed by the CNM ID from the license in CNM URL For example if you installed Cloud CNM SecuManager on a server with IP address 1 1 1 1 and CNM ID V6ABQNTPYGD th...

Page 598: ...vices in order to identify anomalies alert on potential internal external threats and report on network usage You need to buy a license for SecuReporter for your Zyxel Device and activate it at myZyxel You must be a registered user at myZyxel Figure 419 Cloud CNM SecuReporter Application Scenario Apply Click Apply to save your changes back to the Zyxel Device Reset Click Reset to return the screen...

Page 599: ...iguration Licensing Registration Service 2 After the SecuReporter license is activated go back to the Configuration Cloud CNM SecuReporter screen and select the categories of logs that you want this Zyxel Device to send to the SecuReporter portal 3 Select Enable SecuReporter Do not go to the SecuReporter portal until after you have enabled SecuReporter on this Zyxel Devicee and applied the setting...

Page 600: ...vice will be added to a new or existing organization Organization This field appears if you haven t created an organization in the SecuReporter server Type a name of up to 255 characters and description to create a new organization Select from existing organization Select an existing organization from the drop down list box to add the Zyxel Device to the selected organization Create new organizati...

Page 601: ... 28 Cloud CNM ZyWALL USG Series User s Guide 601 Figure 422 SecuReporter Banner Settings Click Configuration Cloud CNM SecuReporter to open the following screen Figure 423 Configuration Cloud CNM SecuReporter ...

Page 602: ...gories Select the categories of logs that you want this Zyxel Device to send to SecuReporter for analysis and trend spotting SecuReporter Service License Status Service Status This field displays whether a service license is enabled at myZyxel Activated or not Not Activated or expired Expired It displays the remaining Grace Period if your license has Expired It displays Not Licensed if there isn t...

Page 603: ... to configure Amazon VPC on the other Zyxel Devices Figure 424 CG to Amazon VPC 29 2 Amazon VPC Configuration Process The process to transmit traffic from a Customer Gateway Zyxel Device through an IPSec tunnel to an Amazon VPC is 1 Create an Amazon Web Services AWS account and configure VPN on Amazon VPC 2 Download the tunnel configurations Each VPN Connection has a VPN Connection ID a Customer G...

Page 604: ...switches to the redundant tunnel You do not need to configure BGP to route tunnel traffic between the Zyxel Device and AWS Dynamic Configure BGP to switch tunnel traffic dynamically between the Zyxel Device and AWS If you re using dynamic routing configure BGP on the Zyxel Device in Configuration Network Routing BGP using the AS router ID and network information from the tunnel configurations you ...

Page 605: ...PSec VPN connections into one secure network Here local Zyxel Device X uses an IPSec VPN tunnel to remote peer Zyxel Device Y to connect the local A and remote B networks Figure 426 IPSec VPN Example Internet Key Exchange IKE IKEv1 and IKEv2 The Zyxel Device supports IKEv1 and IKEv2 for IPv4 and IPv6 traffic IKE Internet Key Exchange is a protocol used in setting up security associations that allo...

Page 606: ... and IKEv1 supports X Auth EAP is important when connecting to existing enterprise authentication systems IKEv2 always uses NAT traversal and Dead Peer Detection DPD but they can be disabled in IKEv1 using Zyxel Device firmware the default is on Configuration payload includes the IP address pool in the VPN setup data is supported in IKEv2 off by default but not in IKEv1 Narrowed is supported in IK...

Page 607: ... see Section 30 2 1 on page 612 to manage the Zyxel Device s VPN gateways A VPN gateway specifies the IPSec routers at either end of a VPN tunnel and the IKE SA settings phase 1 settings You can also activate and deactivate each VPN gateway Use the VPN Concentrator screens see Section 30 4 on page 627 to combine several IPSec VPN connections into a single secure network Use the Configuration Provi...

Page 608: ... data with a computer in network B Inside networks A and B the data is transmitted the same way data is normally transmitted in the networks Between routers X and Y the data is protected by tunneling encryption authentication and other security features of the IPSec SA The IPSec SA is secure because routers X and Y established the IKE SA first ...

Page 609: ...hind the remote IPSec router This Zyxel Device must have a static IP address or a domain name Only the remote IPSec router can initiate the VPN tunnel Choose this to allow incoming connections from IPSec VPN clients The clients have dynamic IP addresses and are also known as dial in users You don t specify the addresses of the client IPSec routers or the remote policy This creates a dynamic IPSec ...

Page 610: ...s in server mode you should set up the authentication method AAA server first The authentication method specifies how the Zyxel Device authenticates the remote IPSec router In a VPN gateway the Zyxel Device and remote IPSec router can use certificates to authenticate each other Make sure the Zyxel Device and the remote IPSec router will trust each other s certificates 30 2 The VPN Connection Scree...

Page 611: ...ate these policy routes The Zyxel Device automatically obtains source and destination addresses for dynamic IPSec rules that do not match any of the policy routes Clear this to have the Zyxel Device automatically obtain source and destination addresses for all dynamic IPSec rules Ignore Don t Fragment setting in packet header Select this to fragment packets larger than the MTU Maximum Transmission...

Page 612: ...open a screen that shows which settings use the entry See Section 10 5 4 on page 328 for an example This field is a sequential value and it is not associated with a specific connection Status The activate light bulb icon is lit when the entry is active and dimmed when the entry is inactive The connect icon is lit when the interface is connected and dimmed when it is disconnected Name This field di...

Page 613: ...Chapter 30 IPSec VPN ZyWALL USG Series User s Guide 613 Figure 431 Configuration VPN IPSec VPN VPN Connection Add Edit ...

Page 614: ...ystem packets through the IPSec SA NetBIOS packets are TCP or UDP packets that enable a computer to connect to and communicate with a LAN It may sometimes be necessary to allow NetBIOS packets to pass through IPSec SAs in order to allow local computers to find computers on the remote network and vice versa MSS Adjustment Select Custom Size to set a specific number of bytes for the Maximum Segment ...

Page 615: ...c tunnel Policy Enforcement Clear this to allow traffic with source and destination IP addresses that do not match the local and remote policy to use the VPN tunnel Leave this cleared for free access between the local and remote networks Selecting this restricts who can use the VPN tunnel The Zyxel Device drops traffic with source and destination IP addresses that do not match the local and remote...

Page 616: ...H RFC 2402 provides integrity authentication sequence integrity replay resistance and non repudiation but not encryption If you select AH you must select an Authentication algorithm ESP RFC 2406 provides encryption and the same services offered by AH but its authentication is weaker If you select ESP you must select an Encryption algorithm and Authentication algorithm Both AH and ESP increase proc...

Page 617: ...dom number DH2 enable PFS and use a 1024 bit random number DH5 enable PFS and use a 1536 bit random number DH14 enable PFS and use a 2048 bit random number PFS changes the root key that is used to generate encryption keys for each IPSec SA The longer the key the more secure the encryption but also the longer it takes to encrypt and decrypt information Both routers must use the same DH key group PF...

Page 618: ... address range SNAT Destination Select the address object that represents the original destination address or select Create Object to configure a new one This is the address object for the remote network SNAT Select the address object that represents the translated source address or select Create Object to configure a new one This is the address object for the local network The size of the origina...

Page 619: ...uted Original IP Select the address object that represents the original destination address This is the address object for the remote network Mapped IP Select the address object that represents the desired destination address For example this is the address object for the mail server Protocol Select the protocol required to use this translation Choices are TCP UDP or All Original Port Start Origin...

Page 620: ...y and click References to open a screen that shows which settings use the entry See Section 10 5 4 on page 328 for an example This field is a sequential value and it is not associated with a specific VPN gateway Status The activate light bulb icon is lit when the entry is active and dimmed when the entry is inactive Name This field displays the name of the VPN gateway My address This field display...

Page 621: ...Chapter 30 IPSec VPN ZyWALL USG Series User s Guide 621 Figure 433 Configuration VPN IPSec VPN VPN Gateway Add Edit ...

Page 622: ...ace If you select Domain Name IP enter the domain name or the IP address of the Zyxel Device The IP address of the Zyxel Device in the IKE SA is the specified IP address or the IP address corresponding to the domain name 0 0 0 0 is not generally recommended as it has the Zyxel Device accept IPSec requests destined for any interface address on the Zyxel Device Peer Gateway Address Select how the IP...

Page 623: ...unique key to access the same VPN gateway policy with one to one authentication and strong encryption Access can be denied on a per user basis thus allowing VPN SA user based policies Click User Based PSK then select a user or group object who is allowed VPN SA access using this VPN gateway policy This is for IKEv1 only Local ID Type This field is read only if the Zyxel Device and remote IPSec rou...

Page 624: ...lternative name field see the note at the end of this description DNS subject alternative name field E mail subject alternative name field Subject Name subject name maximum 255 ASCII characters including spaces Note If Peer ID Type is IP please read the rest of this section If you type 0 0 0 0 the Zyxel Device uses the IP address specified in the Secure Gateway Address field This is not recommende...

Page 625: ...e the encryption but also the longer it takes to encrypt and decrypt information Both routers must use the same DH key group NAT Traversal Select this if any of these conditions are satisfied This IKE SA might be used to negotiate IPSec SAs that use ESP as the active protocol There are one or more NAT routers between the Zyxel Device and remote IPSec router and these routers do not support IPSec p...

Page 626: ...31 ASCII characters It is case sensitive but spaces are not allowed Retype to Confirm Type the exact same password again here to make sure an error was not made when typing it originally Extended Authentication Protocol This displays when using IKEv2 EAP uses a certificate for authentication Allowed Auth Method This field displays the authentication method that is used to authenticate users Enable...

Page 627: ...oint so a VPN concentrator is not as appropriate if the connection between spoke routers cannot be down occasionally maintenance for example There is also more burden on the hub router It receives VPN traffic from one spoke decrypts it inspects it to find out to which spoke to route it encrypts it and sends it to the appropriate spoke Therefore a VPN concentrator is more suitable when there is a m...

Page 628: ...e or edit a VPN concentrator To access this screen go to the VPN Concentrator summary screen see Section 30 4 on page 627 and click either the Add icon or an Edit icon Table 224 Configuration VPN IPSec VPN Concentrator LABEL DESCRIPTION IPv4 IPv6 Configuration Choose to configure for IPv4 or IPv6 traffic Add Click this to create a new entry Edit Select an entry and click this to be able to modify ...

Page 629: ...H active protocol NULL encryption SHA512 authentication Table 225 VPN IPSec VPN Concentrator Add Edit LABEL DESCRIPTION Name Enter the name of the concentrator You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Member Select the concentrator s IPSec VPN connection policies Note You must disable policy enforcement...

Page 630: ...s using the Zyxel Device IPSec VPN client Client Authentication Method Choose how users should be authenticated They can be authenticated using the local database on the Zyxel Device or an external authentication database such as LDAP Active Directory or RADIUS default is a method you configured in Object Auth Method You may configure multiple methods there If you choose the local database on the ...

Page 631: ...ry click Move type the number where the entry should be moved press ENTER then click Apply Status This icon shows if the entry is active yellow or not gray VPN rule settings can only be retrieved when the entry is activated and Enable Configuration Provisioning is also selected Priority Priority shows the order of the entry in the list Entry order is important as the Zyxel Device searches entries ...

Page 632: ...e encryption algorithm authentication algorithm and Diffie Hellman DH key group that the Zyxel Device and remote IPSec router use in the IKE SA In main mode this is done in steps 1 and 2 as illustrated next Figure 438 IKE SA Main Negotiation Mode Steps 1 2 IKE SA Proposal The Zyxel Device sends one or more proposals to the remote IPSec router In some devices you can only set up one proposal Each p...

Page 633: ...e information about DH key groups Diffie Hellman DH Key Exchange The Zyxel Device and the remote IPSec router use DH public key cryptography to establish a shared secret The shared secret is then used to generate encryption keys for the IKE SA and IPSec SA In main mode this is done in steps 3 and 4 as illustrated next Figure 439 IKE SA Main Negotiation Mode Steps 3 4 DH Key Exchange DH public key ...

Page 634: ...f them must store two sets of information one for themselves and one for the other router Local ID type and content refers to the ID type and content that applies to the router itself and peer ID type and content refers to the ID type and content that applies to the other router Note The Zyxel Device s local and peer ID type and content must match the remote IPSec router s peer and local ID type a...

Page 635: ...a Diffie Hellman key exchange based on the accepted DH key group to establish a shared secret Steps 5 6 Finally the Zyxel Device and the remote IPSec router generate an encryption key from the shared secret encrypt their identities and exchange their encrypted identity information for authentication In contrast aggressive mode only takes three steps to establish an IKE SA Aggressive mode does not ...

Page 636: ...on the Zyxel Device and remote IPSec router Configure the NAT router to forward packets with the extra header unchanged See the field description for detailed information about the extra header The extra header may be UDP port 500 or UDP port 4500 depending on the standard s the Zyxel Device and remote IPSec router support X Auth Extended Authentication X Auth Extended authentication is often used...

Page 637: ...te Network In an IPSec SA the local network the one s connected to the Zyxel Device may be called the local policy Similarly the remote network the one s connected to the remote IPSec router may be called the remote policy Active Protocol The active protocol controls the format of each packet It also specifies how much of each packet is protected by the encryption and authentication algorithms IPS...

Page 638: ... exchange every time an IPSec SA is established This is called Perfect Forward Secrecy PFS If you enable PFS the Zyxel Device and remote IPSec router perform a DH key exchange every time an IPSec SA is established changing the root key from which encryption keys are generated As a result if one encryption key is compromised other encryption keys remain secure If you do not enable PFS the Zyxel Dev...

Page 639: ... in Outbound Packets Outbound Traffic Source NAT This translation lets the Zyxel Device route packets from computers that are not part of the specified local network local policy through the IPSec SA For example in Figure 443 on page 639 you have to configure this kind of translation if you want computer M to establish a connection with any computer in the remote network B If you do not configure ...

Page 640: ...his kind of NAT The Zyxel Device checks these rules similar to the way it checks rules for a security policy The first part of these rules define the conditions in which the rule apply Original IP the original destination address the remote network B Protocol the protocol TCP UDP or both used by the service requesting the connection Original Port the original destination port or range of destinati...

Page 641: ...ee Section 31 4 on page 648 to update and check the current and latest version of the Security Extender 31 1 2 What You Need to Know Full Tunnel Mode In full tunnel mode a virtual connection is created for remote users with private IP addresses in the same subnet as the local network This allows them to access network resources in the same way as if they were part of the internal network Figure 44...

Page 642: ...ion walkthroughs troubleshooting and other information Figure 446 VPN SSL VPN Access Privilege Table 229 Objects OBJECT TYPE OBJECT SCREEN DESCRIPTION User Accounts User Account User Group Configure a user account or user group to which you want to apply this SSL access policy Application SSL Application Configure an SSL application object to specify the type of application and the address of the ...

Page 643: ...ing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Move To move an entry to a different number in the list click the Move icon In the field that appears specify the number to which you want to move the interface References Select an entry and click References to open a screen that shows which settings use the entry Click ...

Page 644: ...llowing table describes the labels in this screen Table 231 VPN SSL VPN Access Privilege Add Edit LABEL DESCRIPTION Create new Object Use to configure any new settings objects that you need to use in this screen Configuration Enable Policy Select this option to activate this SSL access policy ...

Page 645: ... sharing on the folder and also go to the Network and Sharing Center s Advanced sharing settings and turn on the current network profile s file and printer sharing Network Extension Optional Enable Network Extension Select this option to create a VPN tunnel between the authenticated users and the internal network This allows the users to access the resources on the network as if they were on the s...

Page 646: ...ss Objects list and click the right arrow button to add to the Selected Address Objects list You can select more than one network To block access to a network select the network name in the Selected Address Objects list and click the left arrow button OK Click OK to save the changes and return to the main Access Privilege screen Cancel Click Cancel to discard all changes and return to the main Acc...

Page 647: ...nection is established successfully You can enter up to 60 characters 0 9 a z A Z _ with spaces allowed Logout Message Specify a message to display on the screen when a user logs out and the SSL VPN connection is terminated successfully You can enter up to 60 characters 0 9 a z A Z _ with spaces allowed Update Client Virtual Desktop Logo You can upload a graphic logo to be displayed on the web bro...

Page 648: ...if you were on the local network Use applications like e mail file transfer and remote desktop programs directly without using a browser For example you can use Outlook for e mail instead of the Zyxel Device s web based e mail Use applications even proprietary applications for which the Zyxel Device does not offer SSL application objects The applications must be installed on your computer For exam...

Page 649: ...SL VPN Access Privilege policy substituting your information for the information shown in the following example Using the Zyxel Device web configurator go to Configuration VPN SSL VPN Access Privilege Add Table 233 Configuration VPN SSL VPN SecuExtender LABEL DESCRIPTION Latest Version This displays the latest version of the Zyxel Device Security SecuExtender that is available Current Version This...

Page 650: ...reate File Sharing and Web Application SSL Application objects Using the Zyxel Device web configurator go to Configuration Object SSL Application Add and select the Type accordingly Substitute your information for the information shown in the following example Figure 453 Create a File Sharing SSL Application Object ...

Page 651: ...Chapter 31 SSL VPN ZyWALL USG Series User s Guide 651 Figure 454 Create a Web Application SSL Application Object ...

Page 652: ...ne of the following methods Using a supported web browser Once you have successfully logged in through the Zyxel Device you can access intranet sites web based applications or web based e mails using one of the supported web browsers Using the Zyxel Device SecuExtender client Once you have successfully logged into the Zyxel Device if the SSL VPN access policy has network extension enabled the Zyxe...

Page 653: ...shes an HTTPS connection to the Zyxel Device to access the login screen If instructed by your network administrator you must install or import a certificate provided by the Zyxel Device or your network administrator Finding Out More See Chapter 31 on page 641 for how to configure SSL VPN on the Zyxel Device 32 2 Remote SSL User Login This section shows you how to access and log into the network th...

Page 654: ...ogin Screen 4 Your computer starts establishing a secure connection to the Zyxel Device after a successful login This may take up to two minutes If you get a message about needing Java download and install it and restart your browser and re login If a certificate warning screen displays click OK Yes or Continue Figure 459 Java Needed Message 5 The Application screen displays showing the list of re...

Page 655: ...ew DESCRIPTION 1 Click on a menu tab to go to the corresponding screen 2 Click this icon to log out and terminate the secure connection 3 Click this icon to create a bookmark to the SSL VPN user screen in your web browser 4 Click this icon to display the on line help window 5 Select your preferred language for the interface 6 This part of the screen displays a list of the resources available to yo...

Page 656: ...remote user screen 2 A prompt window displays Click OK to continue Figure 462 Logout Prompt 32 6 SSL User Application Screen Use the Application tab s screen to access web based applications such as web sites and e mail on the network through the SSL VPN connection Which applications you can access depends on the Zyxel Device s configuration The Name field displays the descriptive name for an appl...

Page 657: ... Access a folder Open a file if your web browser cannot open the file you are prompted to download it Save a file to your computer Create a new folder Rename a file or folder Delete a file or folder Upload a file Note Available actions you can perform in the File Sharing screen vary depending on the rights granted to you on the file server 32 7 1 The Main File Sharing Screen The first File Sharing...

Page 658: ...he web browser and the associated application is installed on your computer 1 Log in as a remote user and click the File Sharing tab 2 Click on a file share icon 3 If an access user name and password are required a screen displays as shown in the following figure Enter the account information and click Login to continue Figure 465 File Sharing Enter Access User Name and Password ...

Page 659: ...on a doc file to open the Word document Figure 466 File Sharing Open a Word File 32 7 3 Downloading a File You are prompted to download a file which cannot be opened using a web browser Follow the on screen instructions to download and save the file to your computer Then launch the associated application to open the file 32 7 4 Saving a File After you have opened a file in a web browser you can sa...

Page 660: ... New Folder icon Specify a descriptive name for the folder You can enter up to 356 characters Then click Add Note Make sure the length of the folder name does not exceed the maximum allowed on the file server Figure 468 File Sharing Create a New Folder 32 7 6 Renaming a File or Folder To rename a file or folder select a file or folder and click the Rename icon Figure 469 File Sharing Rename ...

Page 661: ...ure 470 File Sharing Rename 32 7 7 Deleting a File or Folder Click the Delete icon next to a file or folder to remove it 32 7 8 Uploading a File Follow the steps below to upload a file to the file server 1 Log into the remote user screen and click the File Sharing tab 2 Click Upload and specify the location and or name of the file you want to upload Or click Browse to locate it 3 Click OK to send ...

Page 662: ...s latest version of Windows and Mac latest version of Mac as well as the Current Version of the SecuExtender client that you have We recommend you upgrade to the latest version of the SecuExtender client for your operating system You must first install the SecuExtender client before using SSL VPN to log into the Zyxel Device Figure 472 SecuExtender 32 8 1 Installing the SecuExtender Client 1 Click...

Page 663: ...WALL USG Series User s Guide 663 2 Click SecuExtenderSetup exe to begin the installation There are some prerequisites to first install 3 Next install SecuExtender Follow the wizard prompts Click Install if you see a security warning ...

Page 664: ...Chapter 32 SSL User Screens ZyWALL USG Series User s Guide 664 4 Next run and log into the SecuExtender client ...

Page 665: ... objects The applications must be installed on your computer For example to use the VNC remote desktop program you must have the VNC client installed on your computer 33 1 The Zyxel Device SecuExtender Icon The Zyxel Device SecuExtender icon color indicates the SSL VPN tunnel s connection status Figure 473 Zyxel Device SecuExtender Icon Green the SSL VPN tunnel is connected You can connect to the ...

Page 666: ...e System maps a domain name to its corresponding IP address and vice versa The DNS server is extremely important because without it you must know the IP address of a computer before you can access it Your computer uses the DNS server specified here to resolve domain names for resources you access through the SSL VPN connection WINS Server 1 2 These are the IP addresses of the WINS Windows Internet...

Page 667: ...2 13 35 50 SecuExtender Agent DETAIL Build Datetime Feb 24 2009 10 25 07 2009 03 12 13 35 50 SecuExtender Agent DEBUG rasphone pbk C Documents and Settings 11746 rasphone pbk 2009 03 12 13 35 50 SecuExtender Agent DEBUG SecuExtender log C Documents and Settings 11746 SecuExtender log 2009 03 12 13 35 50 SecuExtender Agent DETAIL Check Parameters 2009 03 12 13 35 50 SecuExtender Agent DETAIL Connec...

Page 668: ...SecuExtender Windows ZyWALL USG Series User s Guide 668 Figure 476 Uninstalling the Zyxel Device SecuExtender Confirmation 3 Windows uninstalls the Zyxel Device SecuExtender Figure 477 Zyxel Device SecuExtender Uninstallation ...

Page 669: ...tings Use the VPN Setup Wizard screen in Quick Setup Chapter 5 on page 149 to configure the Zyxel Device s L2TP VPN settings 34 1 2 What You Need to Know The Layer 2 Tunneling Protocol L2TP works at layer 2 the data link layer to tunnel network traffic between two peers over another network like the Internet In L2TP VPN an IPSec VPN tunnel is established first and then an L2TP tunnel is built insi...

Page 670: ... of the traffic from the L2TP clients needs to go to the Internet you will need to create a policy route to send that traffic from the L2TP tunnels out through a WAN trunk This task can be easily performed by clicking the Allow L2TP traffic through WAN checkbox at Quick Setup VPN Setup Allow L2TP traffic through WAN Figure 479 Policy Route for L2TP VPN 34 2 L2TP VPN Screen Click Configuration VPN ...

Page 671: ...g this VPN connection or the VPN gateway that it uses disconnects any existing L2TP VPN sessions IP Address Pool Select the pool of IP addresses that the Zyxel Device uses to assign to the L2TP VPN clients Use Create new Object if you need to configure a new pool of IP addresses This should not conflict with any WAN LAN DMZ or WLAN subnet even if they are not in use Authentication Method Select ho...

Page 672: ... the Zyxel Device to log in Keep Alive Timer The Zyxel Device sends a Hello message after waiting this long without receiving any traffic from the remote user The Zyxel Device disconnects the VPN tunnel if the remote user does not respond First DNS Server Second DNS Server Specify the IP addresses of DNS servers to assign to the remote users You can specify these IP addresses two ways Custom Defin...

Page 673: ...User s Guide 673 3 Select Remote Access Server Role as the VPN scenario for the remote client 4 Select the NAT router WAN IP address object as the Local Policy 5 Go to Configuration VPN L2TP VPN and select the VPN Connection just configured ...

Page 674: ...y routes has priority over TCP and UDP traffic policies If you want to use a service make sure both the security policy allow the service s packets to go through the Zyxel Device Note The Zyxel Device checks security policies before it checks bandwidth management rules for traffic going through the Zyxel Device Bandwidth management examines every TCP and UDP connection passing through the Zyxel De...

Page 675: ...ary DiffServ compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths or remember state information for every flow In addition applications do not have to request a particular service or give advanced notice of where the traffic is going Connection and Packet Directions Bandwidth management looks at the connection direction that i...

Page 676: ...on the LAN1 so outbound means the traffic traveling from the LAN1 to the WAN Each of the WAN zone s two interfaces can send the limit of 200 kbps of traffic Inbound traffic is limited to 500 kbs The connection initiator is on the LAN1 so inbound means the traffic traveling from the WAN to the LAN1 Figure 484 LAN1 to WAN Outbound 200 kbps Inbound 500 kbps Bandwidth Management Priority The Zyxel Dev...

Page 677: ... a larger portion of the unused bandwidth Bandwidth Management Behavior The following sections show how bandwidth management behaves with various settings For example you configure DMZ to WAN policies for FTP servers A and B Each server tries to send 1000 kbps but the WAN is set to a maximum outgoing speed of 1000 kbps You configure policy A for server A s traffic and policy B for server B s traff...

Page 678: ...rent priorities as shown here as a configuration error Even though the Zyxel Device still attempts to let all traffic get through and not be lost regardless of its priority server B gets almost no bandwidth with this configuration 35 2 The Bandwidth Management Configuration The Bandwidth management screens control the bandwidth allocation for TCP and UDP traffic You can use source interface destin...

Page 679: ...d click this to be able to modify it Remove Select an entry and click this to delete it Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Move To change an entry s position in the numbered list select it and click Move to display a field to type a number for where you want to put that entry and press ENTER to move the entry to ...

Page 680: ...fers to the traffic the Zyxel Device sends to a connection s initiator If no displays here this policy does not apply bandwidth management for the inbound traffic Out This is how much outgoing bandwidth in kilobits per second this policy allows the matching traffic to use Outbound refers to the traffic the Zyxel Device sends out from a connection s initiator If no displays here this policy does no...

Page 681: ...ation Bandwidth Management screen see Section 35 2 on page 678 and click either the Add icon or an Edit icon Figure 487 Configuration Bandwidth Management Edit For the Default Policy Table 242 Single Tagged 802 1Q Frame Format DA SA TPID Priority VID Len Etype Data FCS IEEE 802 1Q customer tagged frame Table 243 802 1Q Frame DA Destination Address Priority 802 1p Priority SA Source Address Len Ety...

Page 682: ... Edit LABEL DESCRIPTION Create new Object Use to configure any new settings objects that you need to use in this screen Configuration Enable Select this check box to turn on this policy Description Enter a description of this policy It is not used elsewhere You can use alphanumeric and _ characters and it can be up to 60 characters long Criteria Use this section to configure the conditions of traf...

Page 683: ...fort treatment any means all DSCP value or no DSCP marker default means traffic with a DSCP value of 0 This is usually best effort traffic The af choices stand for Assured Forwarding The number following the af identifies one of four classes and one of three drop preferences User DefinedDSCP Code Use this field to specify a custom DSCP code point Service Type Select Service Object or Application O...

Page 684: ...ffic with a lower priority The Zyxel Device uses a fairness based round robin scheduler to divide bandwidth between traffic flows with the same priority The number in this field is ignored if the incoming and outgoing limits are both set to 0 In this case the traffic is automatically treated as being set to the lowest priority 7 regardless of this field s configuration Maximize Bandwidth Usage Thi...

Page 685: ...Address objects Click Configuration BWM Add Create New Object Add User to see the following screen Figure 489 Configuration BWM Create New Object Add User The following table describes the fields in the above screen Table 246 Configuration BWM Create New Object Add User LABEL DESCRIPTION User Name Type a user or user group object name of the rule User Type Select a user type from the drop down men...

Page 686: ...d it can be up to 60 characters long Authentication Timeout Settings Choose either Use Default setting option which shows the default Lease Time of 1 440 minutes and Reauthentication Time of 1 440 minutes or you can enter them manually by choosing Use Manual Settings option Lease Time This shows the Lease Time setting for the user by default it is 1 440 minutes Reauthentication Time This shows the...

Page 687: ...the schedule object of the rule Type Select an option from the drop down menu for the schedule object It will show One Time or Recurring Start Date Click the icon menu on the right to choose a Start Date for the schedule object Start Time Click the icon menu on the right to choose a Start Time for the schedule object Stop Date Click the icon menu on the right to choose a Stop Date for schedule obj...

Page 688: ...guration BWM Create New Object Add Address LABEL DESCRIPTION Name Enter a name for the Address object of the rule Address Type Select an Address Type from the drop down menu on the right The Address Types are Host Range Subnet Interface IP Interface Subnet and Interface Gateway IP Address Enter an IP address for the Address object OK Click OK to save the setting Cancel Click Cancel to abandon the ...

Page 689: ...vice make sure both the Security Policy and application patrol allow the service s packets to go through the Zyxel Device Note The Zyxel Device checks secure policies before it checks application patrol rules for traffic going through the Zyxel Device Application patrol examines every TCP and UDP connection passing through the Zyxel Device and identifies what application is using the connection Th...

Page 690: ... port numbers for SIP traffic also configures the SIP ALG to use the same port numbers for SIP traffic Likewise configuring the SIP ALG to use custom port numbers for SIP traffic also configures application patrol to use the same port numbers for SIP traffic Finding Out More You must configure services in Objects Application See Configuration BWM chapter for detailed information on bandwidth manag...

Page 691: ...e This displays the number of times an object reference is used in a profile Service You need to create an account at myZyxel register your Zyxel Device and then subscribe for App Patrol in order to be able to download new packet inspection signatures from myZyxel There s an initial free trial period for App Patrol after which you must pay to subscribe to the service See the Registration chapter f...

Page 692: ...ed Update Signatures Click this link to go to the screen you can use to download signatures from the update server Table 249 Configuration UTM Profile App Patrol Profile LABEL DESCRIPTION Table 250 Configuration UTM Profile App Patrol Profile Add Edit LABEL DESCRIPTION General Settings Name Type the name of the profile You may use 1 31 alphanumeric characters underscores _ or dashes but the first ...

Page 693: ...ategory forward the Zyxel Device routes packets that matches these signatures drop the Zyxel Device silently drops packets that matches these signatures without notification reject the Zyxel Device drops packets that matches these signatures and sends notification Log Select whether to have the Zyxel Device generate a log log log and alert log alert or neither no by default when traffic matches a ...

Page 694: ...tion reject the Zyxel Device drops packets that matches these signatures and sends notification Log Select whether to have the Zyxel Device generate a log log log and alert log alert or neither no by default when traffic matches a signature in this category OK Click OK to save your settings to the Zyxel Device Cancel Click Cancel to return to the profile summary page without saving any changes Tab...

Page 695: ...cific categories of web site content You can create different content filter policies for different addresses schedules users or groups and content filter profiles For example you can configure one policy that blocks John Doe s access to arts and entertainment web pages during the workday and another policy that lets him access them after work Content Filtering Policies A content filtering policy ...

Page 696: ...ed on these categories HTTPS Domain Filter HTTPS Domain Filter works with the Content Filter category feature to identify HTTPS traffic and take appropriate action SSL Inspection identifies HTTPS traffic for all UTM traffic and has higher priority than HTTPS Domain Filter HTTPS Domain Filter only identifies keywords in the domain name of an URL and matches it to a category For example if the keywo...

Page 697: ...abase content filtering see the Licensing Registration screens 37 2 Content Filter Profile Screen Click Configuration UTM Profile Content Filter Profile to open the Content Filter Profile screen Use this screen to enable content filtering view and order your list of content filter policies create a denial of access message or specify a redirect URL and check your external web filtering service reg...

Page 698: ... you specified without showing a denied access message Redirect URL Enter the URL of the web page to which you want to send users when their web access is blocked by content filter The web page you specify here opens in a new frame below the denied access message Use http or https followed by up to 262 characters 0 9a zA Z _ For example http 192 168 1 17 blocked access Profile Management Add Click...

Page 699: ...uccessfully registered the Zyxel Device and activated the service Trial displays if you have successfully registered the Zyxel Device and activated the trial service subscription Expiration Date This field displays the date your service license expires Register Now Click the link to go to myZyxel where you can register your Zyxel Device and activate the service This link is available only when the...

Page 700: ...Chapter 37 Content Filtering ZyWALL USG Series User s Guide 700 Figure 496 Content Filter Profile Add Filter Profile Category Service ...

Page 701: ...ng service Trial displays if you have successfully registered the Zyxel Device and activated the trial service subscription Name Enter a descriptive name for this content filtering profile name You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Description Enter a description for the content filtering profile rul...

Page 702: ...he external database content filtering blocks access to a web page it displays the denied access message that you configured in the Content Filter General screen along with the category of the blocked web page Select Warn to display a warning message before allowing users to access web pages that the external web filtering service has not categorized Select Log to record attempts to access web pag...

Page 703: ...e optimizedby rmxads com 218 1 71 226 e3b Spam Sites Sites that have been promoted through spam techniques For example img tongji linezing com banner chinesegamer net Managed Categories These are categories of web pages based on their content Select categories in this section to control access to specific types of Internet content You must have the Category Service content filtering license to fil...

Page 704: ...g tw Dating Personals Sites that promote networking for interpersonal relationships such as dating and marriage Includes sites for match making online dating spousal introduction For example www i part com tw www imatchi com Download Sites Sites that contain downloadable software whether shareware freeware or for a charge Includes peer to peer sites For example www hotdl com toget pchome com tw ww...

Page 705: ...ial numbers illegal license key generators For example www zhaokey com cn www tiansha net Image Sharing Sites that host digital photographs and images online photo albums and digital photo exchanges For example photo pchome com tw photo xuite net photobucket com Information Security Sites that provide legitimate information about data protection including newly discovered vulnerabilities and how t...

Page 706: ...ol Cheating Sites that promote unethical practices such as cheating or plagiarism by providing test answers written essays research papers or term papers For example www zydk788 com www huafengksw com Search Engines Portals Sites enabling the searching of the Web newsgroups images directories and other online content Includes portal and directory sites such as white yellow pages For example tw yah...

Page 707: ... sym com tw Travel Sites that provide travel and tourism information or online booking of travel services such as airlines accommodations car rentals Includes regional or city information sites For example www startravel com tw taipei grand hyatt com tw www car plus com tw Unknown Unknown For example www 669 com tw www appleballoon com tw www uimco com tw Violence Sites that contain images or text...

Page 708: ...phanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Description Enter a description for the content filtering profile rule to help identify the purpose of rule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive This field is optional Enable Custom ...

Page 709: ...ive control and caching service When a proxy server is located on the WAN it is possible for LAN users to circumvent content filtering by pointing to this proxy server Allow Java ActiveX Cookies Web proxy to trusted web sites When this box is selected the Zyxel Device will permit Java ActiveX and Cookies from sites on the Trusted Web Sites list to the LAN In certain cases it may be desirable to al...

Page 710: ...does not matter can be used as a wildcard to match any string The entry must contain at least one or it will be invalid Blocked URL Keywords This section allows you to block Web sites with URLs that contain certain keywords in the domain name or IP address Add Click this to create a new entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delet...

Page 711: ...want to allow access to regardless of their content rating can be allowed by adding them to this list Add Click this to create a new entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it This displays the index number of the trusted web sites Trusted Web Site This column displays the trusted web sites already added Enter host names suc...

Page 712: ...ick this to create a new entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it This displays the index number of the forbidden web sites Forbidden Web Sites This list displays the forbidden web sites already added Enter host names such as www bad site com into this text field Do not enter the complete URL of the site that is do not inc...

Page 713: ...ter Cache screen to configure how long a web site address remains in the cache as well as view those web site addresses All of the web site address records are also cleared from the local cache when the Zyxel Device restarts 4 If the Zyxel Device has no record of the web site it queries the external content filter database and simultaneously sends the request to the web server 5 The external conte...

Page 714: ...ting signatures or save signatures to your computer 38 1 2 What You Need To Know Packet Inspection Signatures A signature is a pattern of malicious or suspicious packet activity You can specify an action to be taken if the system matches a stream of data to a malicious signature You can change the action in the profile screens Packet inspection examine OSI Open System Interconnection layer 4 to la...

Page 715: ...abled Click on the icons to go to the OneSecurity website where there is guidance on configuration walkthroughs troubleshooting and other information Figure 501 Configuration UTM Profile IDP Profile The following table describes the fields in this screen Table 258 Configuration UTM Profile IDP Profile LABEL DESCRIPTION Profile Management Add Click Add to create a new profile Select from the option...

Page 716: ...vice license is enabled at myZyxel Activated or not Not Activated or expired Expired It displays the remaining Grace Period if your license has Expired It displays Not Licensed if there isn t a license to be activated for this service If you need a license or a trial license has expired click Buy to buy a new one If a Standard license has expired click Renew to extend the license Then click Activa...

Page 717: ...tures with a medium high or severe severity level greater than two generate logs not log alerts and no action is taken on packets that trigger them Signatures with a very low or low severity level less than or equal to two are disabled lan This profile is most suitable for common LAN network services Signatures for common services such as DNS FTP HTTP ICMP IM IMAP MISC NETBIOS P2P POP3 RPC RSERVIC...

Page 718: ... malicious data It operates at layer 4 to layer 7 An IDP profile is a group of IDP signatures that have the same log and action settings In group view you can configure the same log and action settings for all IDP signatures by severity level in the Add Profile screen You may also configure signature exceptions in the same view 38 2 3 Profile Group View Screen Select Configuration UTM Profile IDP ...

Page 719: ...nerable attack platforms service category log options or actions Severity Level Select a severity level and these use the icons to enable disable and configure logs and actions for all signatures of that level Signature Group Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Log To edit an item s log option select it and use th...

Page 720: ...he list Status The activate light bulb icon is lit when the entry is active and dimmed when the entry is inactive Message This displays the message of the violation of IDP Profile rule SID This displays the Signature ID number The SID is a numerical field in the 9000000 to 9999999 range Severity These are the severities as defined in the Zyxel Device The number in brackets is the number you use if...

Page 721: ...elect this action on an individual signature or a complete service group to have the Zyxel Device send a reset to the receiver when a packet matches the signature If it is a TCP attack packet the Zyxel Device will send a packet with an a RST flag If it is an ICMP or UDP attack packet the Zyxel Device will do nothing reject both Select this action on an individual signature or a complete service gr...

Page 722: ... causing denial of service for users of the targeted system Instant Messenger IM Instant Messenger refers to chat applications Chat is real time text based communication between two or more users via networks connected computers After you enter a chat or chat room any room member can type a message that will appear on the monitors of all the other participants Mail A Mail or E mail bombing attack ...

Page 723: ...Pv4 slipping viruses worms and spyware through the network using secret tunnels This method infiltrates standard security measures through IPv6 tunnels passing through IPv4 undetected An external signal then activates the malicious files to wreak havoc from inside the network Virus Worm A computer virus is a small program designed to corrupt and or alter the operation of other legitimate programs ...

Page 724: ... screen where IDP signatures are grouped by service and you can configure activation logs and or actions Query Signatures Select the criteria on which to perform the search Search all custom signatures Select this check box to include signatures you created or imported in the Custom Signatures screen in the search You can search for specific signatures by name or ID If the name and ID fields are l...

Page 725: ... s See Table 261 on page 722 for group details Hold down the Ctrl key if you want to make multiple selections Action Search for signatures by the response the Zyxel Device takes when a packet matches a signature See Table 260 on page 719 for action details Hold down the Ctrl key if you want to make multiple selections Activation Search for activated and or inactivated signatures here Log Search fo...

Page 726: ...atures for new attacks or attacks peculiar to your network Custom signatures can also be saved to from your computer so as to share with others You need some knowledge of packet headers and attack types to create your own custom signatures IP Packet Header These are the fields in an Internet Protocol IP version 4 packet header ...

Page 727: ...the start of the original sent packet Time To Live This is a counter that decrements every time it passes through a router When it reaches zero the datagram is discarded It is used to prevent accidental routing loops Protocol The protocol indicates the type of transport packet being carried for example 1 ICMP 2 IGMP 6 TCP 17 UDP Header Checksum This is used to detect processing errors introduced i...

Page 728: ...edit delete or export save to your computer custom signatures Add Click this to create a new entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it Export To save an entry or entries as a file on your computer select them and click Export Click Save in the file download dialog box and then select a location and name for the file Custom ...

Page 729: ...ure Rule Importing Use this part of the screen to import custom signatures previously saved to your computer to the Zyxel Device Note The name of the complete custom signature file on the Zyxel Device is custom rules If you import a file named custom rules then all custom signatures on the Zyxel Device are overwritten with the new file If this is not your intention make sure that the files you imp...

Page 730: ...Chapter 38 IDP ZyWALL USG Series User s Guide 730 Figure 508 Configuration UTM Profile IDP Custom Signatures Add Edit ...

Page 731: ...file Group View screen Policy Type Categorize the attack type here See Table 261 on page 722 as a reference Frequency Recurring packets of the same type may indicate an attack Use the following field to indicate how many packets per how many seconds constitute an intrusion Threshold Select Threshold and then type how many packets that meet the criteria in this signature per how many seconds consti...

Page 732: ...for packets that are designed to cause machines to crash To Client Match packets that flow from server to client To Server Match packets that flow from client to server From Client Match packets that flow from client to server From Servers Match packets that flow from server to client No Stream Match packets that have not been reassembled by the stream engine It will not match packets that have be...

Page 733: ...rce Identifier URI is a string of characters for identifying an abstract or physical resource RFC 2396 A resource can be anything that has identity for example an electronic document an image a service today s weather report for Taiwan a collection of other resources An identifier is an object that can act as a reference to something that has identity Example URIs are ftp ftp is co za rfc rfc1808 ...

Page 734: ... can The more specific your signature the less chance it will cause false positives As an example say you want to check if your router is being overloaded with DNS queries so you create a signature to detect DNS query traffic 38 3 2 2 Analyze Packets Use the packet capture screen and a packet analyzer also known as a network or protocol analyzer such as Wireshark or Ethereal to investigate some mo...

Page 735: ...ignature it becomes available in an IDP profile Configuration UTM Profile IDP Profile Edit screen Custom signatures have an SID from 9000000 to 9999999 Search for then activate the signature configure what action to take when a packet matches it and if it should generate a log or alert in a profile Then bind the profile to a zone 38 3 4 Verifying Custom Signatures Configure the signature to create...

Page 736: ...ation on a computer You must install a host IDP directly on the system being protected It works closely with the operating system monitoring and intercepting system calls to the kernel or APIs in order to prevent attacks as well as log them Disadvantages of host IDPs are that you have to install them on each device that you want to protect in your network and due to the necessarily tight integrati...

Page 737: ...n Protocol Source and destination IP addresses and netmasks Source and destination ports information The rule option section contains alert messages and information on which parts of the packet should be inspected to determine if the rule action should be taken These are some equivalent Snort terms in the Zyxel Device Table 267 Zyxel Device Snort Equivalent Terms ZYXEL DEVICE TERM SNORT EQUIVALENT...

Page 738: ...xel Device Payload Options Snort rule options Payload Size dsize Offset relative to start of payload offset Relative to end of last match distance Content content Case insensitive nocase Decode as URI uricontent Table 267 Zyxel Device Snort Equivalent Terms continued ZYXEL DEVICE TERM SNORT EQUIVALENT TERM ...

Page 739: ...tches a file with those in a virus database This is done as files go through the Zyxel Device Virus Worm and Spyware A computer virus is a type of malicious software designed to corrupt and or alter the operation of other legitimate programs A worm is a self replicating virus that resides in active memory and duplicates itself The effect of a virus attack varies from doing so little damage that yo...

Page 740: ...the order of packets in TCP connection oriented sessions to check for matching virus signatures The order of non setup packets such as SYN ACK and FIN is ignored 2 The Zyxel Device checks every packet of the file for matches with the local signature databases If a virus pattern signature is matched the actions you specify for identified virus will be applied If Destroy infected file is enabled the...

Page 741: ...49 for anti virus background information 39 1 1 What You Can Do in this Chapter Use the Profile screens Section 39 2 on page 741 to turn anti virus on or off set up anti virus policies and custom service port rules You can also check the anti virus license and signature status Use the Black White List screen Section 39 3 on page 745 to set up anti virus black blocked and white allowed lists of vir...

Page 742: ...etect it in a compressed file The test string consists of the following human readable ASCII characters X5O P AP 4 PZX54 P 7CC 7 EICAR STANDARD ANTIVIRUS TEST FILE H H Profile Management Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this t...

Page 743: ...expired click Buy to buy a new one If a Standard license has expired click Renew to extend the license Then click Activate to connect with the myZyxel server to activate the new license Service Type This field displays whether you applied for a trial application Trial or registered a service with your iCard s PIN number Standard None displays when the service is not activated Expiration Date This ...

Page 744: ...t character cannot be a number This value is case sensitive Actions When Matched Destroy infected file When you select this check box if a virus signature is matched the Zyxel Device overwrites the infected portion of the file with zeros before being forwarded to the user The uninfected portion of the file will pass through unmodified Log These are the log options no Do not create a log when a pac...

Page 745: ...pressed file Destroy compressed files that could not be decompressed When you select this check box the Zyxel Device deletes compressed files that use password encryption Select this check box to have the Zyxel Device delete any compressed files that it cannot decompress The Zyxel Device cannot decompress password protected files or a file within another compressed file There are also limits to th...

Page 746: ...nti Virus Black White List Black List or White List Add Table 270 Configuration UTM Profile Anti Virus Black White List Black List LABEL DESCRIPTION Enable Black List Select this check box to log and delete files with names that match the black list patterns Use the black list to log and delete files with names that match the black list patterns Add Click this to create a new entry Edit Select an ...

Page 747: ... dashes question marks and asterisks are allowed A question mark lets a single character in the file name vary For example use a zip without the quotation marks to specify aa zip ab zip and so on Wildcards let multiple files match the pattern For example use a zip without the quotation marks to specify any file that ends with a zip A file named testa zip would match There could be any number of an...

Page 748: ...ck on files with names that match the white list patterns Use the white list to have the Zyxel Device not perform the anti virus check on files with names that match the white list patterns Add Click this to create a new entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it Activate To turn on an entry select it and click Activate Inac...

Page 749: ...virus Table 274 Common Computer Virus Types TYPE DESCRIPTION File Infector This is a small program that embeds itself in a legitimate program A file infector is able to copy and attach itself to other programs that are executed on an infected computer Boot Sector Virus This type of virus infects the area of a hard drive that a computer reads and executes during startup The virus causes computer cr...

Page 750: ...etwork It inspects files for virus patterns as they are moved in and out of the hard drive However host based anti virus scanners cannot eliminate all viruses for a number of reasons HAV scanners are slow in stopping virus threats through real time traffic such as from the Internet HAV scanners may reduce computing performance as they also share the resources such as CPU time on the computer for f...

Page 751: ...mate see E mail Headers for more on mail headers The anti spam feature checks an e mail against the white list entries before doing any other anti spam checking If the e mail matches a white list entry the Zyxel Device classifies the e mail as legitimate and does not perform any more anti spam checking on that individual e mail A properly configured white list helps keep important e mail from bein...

Page 752: ...ce check for specific header fields with specific values E mail programs usually only show you the To From Subject and Date header fields but there are others such as Received and Content Type To see all of an e mail s header you can select an e mail in your e mail program and look at its properties or details For example in Microsoft s Outlook Express select a mail and click File Properties Detai...

Page 753: ...ct how to handle concurrent e mail sessions that exceed the maximum number of concurrent e mail sessions that the anti spam feature can handle See the chapter of product specifications for the threshold Select Forward Session to have the Zyxel Device allow the excess e mail sessions without any spam filtering Select Drop Session to have the Zyxel Device drop mail connections to stop the excess e m...

Page 754: ... there isn t a license to be activated for this service If you need a license or a trial license has expired click Buy to buy a new one If a Standard license has expired click Renew to extend the license Then click Activate to connect with the myZyxel server to activate the new license Service Type This read only field displays what kind of service registration you have for the anti spam scanning ...

Page 755: ...value is case sensitive This field is optional Log Select how the Zyxel Device is to log the event when the DNSBL times out or an e mail matches the white list black list or DNSBL no Do not create a log log Create a log on the Zyxel Device log alert An alert is an e mailed log for more serious events that may need more immediate attention Select this option to have the Zyxel Device send an alert S...

Page 756: ... The Zyxel Device classifies e mail that matches a DNS black list as spam Actions for Spam Mail Use this section to set how the Zyxel Device is to handle spam mail SMTP Select how the Zyxel Device is to handle spam SMTP mail Select drop to discard spam SMTP mail Select forward to allow spam SMTP mail to go through Select forward with tag to add a spam tag to an SMTP spam mail s mail subject and se...

Page 757: ...is determined by the sender s IP address Mail Content Analysis Enable Mail Content Analysis Select this to identify Spam Email by content such as malicious content Mail Content Spam Tag Enter a message or label up to 15 ASCII characters to add to the beginning of the mail subject of e mails that are determined to spam based on the mail content analysis This tag is only added if the anti spam polic...

Page 758: ...ached virus Query Timeout Settings SMTP Select how the Zyxel Device is to handle SMTP mail query timeout Select drop to discard SMTP mail Select forward to allow SMTP mail to go through Select forward with tag to add a tag to an SMTP query timeout mail s mail subject and send it on to the destination POP3 Select how the Zyxel Device is to handle POP3 mail query timeout Select forward to allow POP3...

Page 759: ... match the Zyxel Device s spam black list Rule Summary Add Click this to create a new entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Status The activate light bulb icon is lit when the entry is active and dimm...

Page 760: ...ent in the subject line Select IP Address to have the Zyxel Device check e mail for a specific source or relay IP address Select IPv6 Address to have the Zyxel Device check e mail for a specific source or relay IPv6 address Select E Mail Address to have the Zyxel Device check e mail for a specific source e mail address or domain name Select Mail Header to have the Zyxel Device check e mail for spe...

Page 761: ... display the Anti Spam White List screen Configure the white list to identify legitimate e mail You can create white list entries based on the sender s or relay s IP address or e mail address You can also create entries that check for particular header fields and values or specific subject text Mail Header Field Name This field displays when you select the Mail Header type Type the name part of an...

Page 762: ... See Section 40 5 1 on page 760 for details Edit Select an entry and click this to be able to modify it See Section 40 5 1 on page 760 for details Remove Select an entry and click this to delete it Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Status The activate light bulb icon is lit when the entry is active and dimmed wh...

Page 763: ...ation UTM Profile Anti Spam DNSBL to display the anti spam DNSBL screen Use this screen to configure the Zyxel Device to check the sender and relay IP addresses in e mail headers against DNS Domain Name Service based spam Black Lists DNSBLs Figure 525 Configuration UTM Profile Anti Spam DNSBL ...

Page 764: ...orwarded the mail Select last N IPs to have the Zyxel Device start checking from the last IP address in the mail header This is the IP of the last server that forwarded the mail Query Timeout Setting SMTP Select how the Zyxel Device is to handle SMTP mail mail going to an e mail server if the queries to the DNSBL domains time out Select drop to discard SMTP mail Select forward to allow SMTP mail t...

Page 765: ...l Device does not wait for any more DNSBL replies If the Zyxel Device receives at least one non spam reply for each of an e mail s routing IP addresses the Zyxel Device immediately classifies the e mail as legitimate and forwards it Any further DNSBL replies that come after the Zyxel Device classifies an e mail as spam or legitimate have no effect The Zyxel Device records DNSBL responses for IP ad...

Page 766: ...eplies that IP address a a a a does not match any entries in its list not spam 3 DNSBL C replies that IP address b b b b matches an entry in its list 4 The Zyxel Device immediately classifies the e mail as spam and takes the action for spam that you defined in the anti spam policy In this example it was an SMTP mail and the defined action was to drop the mail The Zyxel Device does not wait for any...

Page 767: ...s not match any entries in its list not spam 3 DNSBL C replies that IP address c c c c does not match any entries in its list not spam 4 Now that the Zyxel Device has received at least one non spam reply for each of the e mail s routing IP addresses the Zyxel Device immediately classifies the e mail as legitimate and forwards it The Zyxel Device does not wait for any more DNSBL replies If the Zyxe...

Page 768: ... A replies that IP address a b c d does not match any entries in its list not spam 3 While waiting for a DNSBL reply about IP address w x y z the Zyxel Device receives a reply from DNSBL B saying IP address a b c d is in its list 4 The Zyxel Device immediately classifies the e mail as spam and takes the action for spam that you defined in the anti spam policy In this example it was an SMTP mail an...

Page 769: ...crypted traffic is then inspected by the UTM profiles in the same security profile that matched the SSL Inspection profile If all is OK then the Zyxel Device re encrypts the traffic using SSL Inspection and forwards it to the destination server D SSL traffic could be in the opposite direction for other examples Figure 529 SSL Inspection Overview Note Anti Spam cannot be applied to traffic decrypte...

Page 770: ...ic flow s 41 1 3 Before You Begin If you don t want to use the default Zyxel Device certificate then create a new certificate in Object Certificate My Certificates Decide what destination servers to which traffic is sent directly without inspection This may be a matter of privacy and legality regarding inspecting an individual s encrypted session such as financial websites This may vary by locale ...

Page 771: ...rtificate being used in this profile Reference This displays the number of times an object reference is used in a profile Table 282 Configuration UTM Profile SSL Inspection Profile continued LABEL DESCRIPTION Table 283 Configuration UTM Profile SSL Inspection Profile Add Edit LABEL DESCRIPTION Name This is the name of the profile You may use 1 31 alphanumeric characters underscores _ or dashes but...

Page 772: ...t this option to have the Zyxel Device create a log for unsupported traffic that matches traffic bound to this policy log alert An alert is an e mailed log for more serious events that may need more immediate attention They also appear in red in the Monitor Log screen Select this option to have the Zyxel Device send an alert for unsupported traffic that matches traffic bound to this policy Excepte...

Page 773: ...ck packet the Zyxel Device will send a packet with a RST flag If it is an ICMP or UDP attack packet the Zyxel Device will send an ICMP unreachable packet reject receiver Select this action on an individual signature or a complete service group to have the Zyxel Device send a reset to the receiver when a packet matches the signature If it is a TCP attack packet the Zyxel Device will send a packet w...

Page 774: ...owing ways The Common Name CN of the certificate The common name of the certificate can be created in the Object Certificate My Certificates screen Type an IPv4 or IPv6 address For example type 192 168 1 35 or 2001 7300 3500 1 Type an IPv4 IPv6 in CIDR notation For example type 192 168 1 1 24 or 2001 7300 3500 1 64 Type an IPv4 IPv6 address range For example type 192 168 1 1 192 168 1 35 or 2001 7...

Page 775: ...Zyxel Device Figure 533 SSL Inspection Certificate Update Overview Click Configuration UTM Profile SSL Inspection Certificate Update to display the following screen Figure 534 Configuration UTM Profile SSL Inspection Certificate Update The following table describes the fields in this screen Table 285 Configuration UTM Profile SSL Inspection Certificate Update LABEL DESCRIPTION Certificate Informat...

Page 776: ...rtmgr msc 2 Go to Trusted Root Certification Authorities Certificates 3 From the main menu select Action All Tasks Import and run the Certificate Import Wizard to install the certificate on the PC Auto Update Select this to automatically have the Zyxel Device update the certificate set when a new one becomes available on myZyxel Apply Click Apply to save your settings to the Zyxel Device Reset Cli...

Page 777: ...using a Firefox browser in addition to the above you need to do the following to import a certificate into the browser Click Tools Options Advanced Encryption View Certificates click Import and enter the filename of the certificate you want to import See the browser s help for further information ...

Page 778: ... model is the one whose heartbeat interface comes online first The passive becomes active if active goes down and stays active even if the previous active comes online again Firmware Upgrade Master remains Master by default when new firmware is uploaded If Device HA Pro is enabled then both the active and passive Zyxel Device must be online and connected in order to upload firmware New firmware is...

Page 779: ...ss the Zyxel Device for management whether the Zyxel Device is the master or a backup The management IP address should be in the same subnet as the interface IP address Synchronization Use synchronization to have a backup Zyxel Device copy the master Zyxel Device s configuration signatures anti virus IDP application patrol and system protect and certificates Note Only Zyxel Devices of the same mod...

Page 780: ...anti virus gets IDP AppPatrol updates from the master but not anti virus updates It is highly recommended to subscribe the master and backup Zyxel Devices to the same services The Configuration Device HA General screen lets you enable or disable Device HA and displays which Device HA mode the Zyxel Device is set to use along with a summary of the monitored interfaces Click on the icons to go to th...

Page 781: ...ored interface s connection is down or up HA Status The text before the slash shows whether the device is configured as the master or the backup role This text after the slash displays the monitored interface s status in the virtual router Active This interface is up and using the virtual IP address and subnet mask Stand By This interface is a backup interface in the virtual router It is not using...

Page 782: ...virtual router In the following example Zyxel Devices A and B form a virtual router that uses cluster ID 1 Zyxel Devices C and D form a virtual router that uses cluster ID 2 Figure 539 Cluster IDs for Multiple Virtual Routers Register Now Click the link to go to myZyxel where you can register your Zyxel Device and activate the service This link is available only when the service is not activated y...

Page 783: ...s the virtual router IP addresses Each interface can also have a management IP address You can connect to this IP address to manage the Zyxel Device regardless of whether it is the master or the backup For example Zyxel Device B takes over A s 192 168 1 1 LAN interface IP address This is a virtual router IP address Zyxel Device A keeps it s LAN management IP address of 192 168 1 5 and Zyxel Device...

Page 784: ...Chapter 42 Device HA ZyWALL USG Series User s Guide 784 Figure 541 Configuration Device HA Device HA ...

Page 785: ...iple Zyxel Device virtual routers on your network use a different cluster ID for each virtual router Authentication Select the authentication method the virtual router uses Every interface in a virtual router must use the same authentication method and password Choices are None this virtual router does not use any authentication method Text this virtual router uses a plain text password for authen...

Page 786: ...lick this to copy the specified Zyxel Device s configuration Server Port If this Zyxel Device is set to the backup role enter the port number to use for Secure FTP when synchronizing with the specified master Zyxel Device If this Zyxel Device is set to master role this field displays the Zyxel Device s Secure FTP port number Click the Configure link if you need to change the FTP port number Every ...

Page 787: ...e Do not connect the bridge interfaces on two Zyxel Devices without Device HA activated on both Doing so could cause a broadcast storm Either activate Device HA before connecting the bridge interfaces or disable the bridge interfaces connect the bridge interfaces activate Device HA and finally reactivate the bridge interfaces Virtual Router IP VRIP Subnet Mask This is the interface s static IP add...

Page 788: ...ay is to activate Device HA before connecting the bridge interfaces as shown in the following example 1 Make sure the bridge interfaces of the master Zyxel Device A and the backup Zyxel Device B are not connected 2 Configure the bridge interface on the master Zyxel Device set the bridge interface as a monitored interface and activate Device HA 3 Configure the bridge interface on the backup Zyxel D...

Page 789: ...lready connected but the bridge faces have not been configured yet Configure a disabled bridge interface on the master Zyxel Device but disable it Then set the bridge interface as a monitored interface and activate Device HA 2 Configure a corresponding disabled bridge interface on the backup Zyxel Device Then set the bridge interface as a monitored interface and activate Device HA 3 Enable the bri...

Page 790: ...ize but it is still recommended that the backup Zyxel Device synchronize with a master Zyxel Device on a secure network The backup Zyxel Device gets the configuration from the master Zyxel Device The backup Zyxel Device cannot become the master or be managed while it applies the new configuration This usually takes two or three minutes or longer depending on the configuration complexity The follow...

Page 791: ...down A monitored service daemon is down The heartbeat link exceeds the failure tolerance After failover the initial active Zyxel Device becomes the passive Zyxel Device after it recovers Note After failover the Device HA Pro license is transferred from the failing device to the passive device Thus the original license will always be used 42 4 1 Deploying Device HA Pro 1 Register either the active ...

Page 792: ...to synchronize firmware the location of the running firmware must be the same in both active and passive Zyxel Devices For example if the running firmware is in partition 1 in the active Zyxel Device standby firmware in partition 2 then the running firmware must also be in partition 1 in the passive Zyxel Device standby firmware in partition 2 42 4 2 Configuring Device HA Pro Go to Configuration D...

Page 793: ...onfirm Type the exact same synchronization password as typed above Heartbeat Interval Type the number of seconds 1 10 allowed for absence of a heartbeat signal before a failure of the active Zyxel Device is recorded Heartbeat Lost Tolerance Type the number of heartbeat failures allowed before failover is activated on the passive Zyxel Device Monitor Interface Select an interface in Available Inter...

Page 794: ... Profile and remote management Zones cannot overlap Each Ethernet interface VLAN interface bridge interface PPPoE PPTP interface and VPN tunnel can be assigned to at most one zone Virtual interfaces are automatically assigned to the same zone as the interface on which they run Figure 546 Example Zones Use the Zone screens see Section 43 9 2 on page 855 to manage the Zyxel Device s zones 43 1 1 Wha...

Page 795: ...re for more information 43 1 2 The Zone Screen The Zone screen provides a summary of all zones In addition this screen allows you to add edit and remove zones To access this screen click Configuration Object Zone Figure 547 Configuration Object Zone The following table describes the labels in this screen Table 291 Configuration Object Zone LABEL DESCRIPTION User Configuration System Default The Zy...

Page 796: ...one Add Edit LABEL DESCRIPTION Name For a system default zone the name is read only For a user configured zone type the name used to refer to the zone You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Member List Available lists the interfaces and VPN tunnels that do not belong to any zone Select the interfaces ...

Page 797: ...wireless clients for MAC authentication using the local user database The OUI is the first three octets in a MAC address and uniquely identifies the manufacturer of a network device 43 2 1 What You Need To Know User Account A user account defines the privileges of a user logged into the Zyxel Device User accounts are used in security policies and application patrol in addition to controlling acces...

Page 798: ...nt Ext User in the Zyxel Device 3 Default user account for AD users ad users LDAP users ldap users or RADIUS users radius users in the Zyxel Device See Setting up User Attributes in an External Server for a list of attributes and how to set up the attributes in an external server Ext Group User Accounts Ext Group User accounts work are similar to ext user accounts but allow you to group users by t...

Page 799: ...re of the user who is logged in and you can create user aware policies that define what services they can use See Section 43 2 6 on page 810 for a user aware login example Finding Out More See Section 43 2 6 on page 810 for some information on users who use an external authentication server in order to log in The Zyxel Device supports TTLS using PAP so you can use the Zyxel Device s local user dat...

Page 800: ...uses admin this user can look at and change the configuration of the Zyxel Device limited admin this user can look at the configuration of the Zyxel Device but not to change it dynamic guest this user has access to the Zyxel Device s services but cannot look at the configuration user this user has access to the Zyxel Device s services and can also browse user mode commands CLI guest this user has ...

Page 801: ...nfiguration of the Zyxel Device but not to change it user this user has access to the Zyxel Device s services and can also browse user mode commands CLI guest this user has access to the Zyxel Device s services but cannot look at the configuration ext user this user account is maintained in a remote server such as RADIUS or LDAP See Ext User Accounts on page 798 for more information about this typ...

Page 802: ...a code of six digits will be sent to the email addresses or mobile telephone number you put in Enter the verification code to verify your email addresses or mobile telephone number Figure 551 Verification Code for Email Figure 552 Verification Code for Mobile Telephone Number Authentication Timeout Settings If you want the system to use default settings select Use Default Settings If you want to s...

Page 803: ...ent on the Zyxel Device When a user is authenticated successfully all data traffic from this user is tagged with the VLAN ID number you specify here This allows you to assign a user of the ext group user type to a specific VLAN based on the user credentials instead of using an AAA server Configuration Validation Use a user account from the group specified above to test if the configuration is corr...

Page 804: ...bject User Group Group continued LABEL DESCRIPTION Table 297 Configuration Object User Group Group Add LABEL DESCRIPTION Name Type the name for this user group You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive User group names have to be different than user names Description Enter the description of the user gro...

Page 805: ...entication Timeout Settings Default Authentication Timeout Settings These authentication timeout settings are used by default when you create a new user account They also control the settings for any existing user accounts that are set to use the default settings You can still manually configure any user account s authentication timeout settings Edit Double click an entry or select it and click Ed...

Page 806: ...to log in again Unlike Lease Time the user has no opportunity to renew the session without logging out Miscellaneous Settings Allow renewing lease time automatically Select this check box if access users can renew lease time automatically as well as manually simply by selecting the Updating lease time automatically check box on their screen Enable user idle detection This is applicable for access ...

Page 807: ...ous logins by non admin users If you do not select this access users can login as many times as they want as long as they use different IP addresses Maximum number per access account This field is effective when Limit for access account is checked Type the maximum number of simultaneous logins by each access user Reach maximum number per account Select Block to stop new users from logging in when ...

Page 808: ...e server such as RADIUS or LDAP See Ext Group User Accounts on page 798 for more information about this type guest manager this user can log in via the web configurator login screen and create dynamic guest accounts using the Account Generator screen that pops up See Section 21 4 1 on page 526 for detailed information about the Account Generator screen Lease Time Enter the number of minutes this t...

Page 809: ...ning before the Zyxel Device automatically logs them out The Zyxel Device sets this amount of time according to the User defined lease time field in this screen Lease time field in the User Add Edit screen see Section 43 15 1 1 on page 903 Lease time field in the Setting screen see Section 43 2 4 on page 804 Updating lease time automatically This box appears if you checked the Allow renewing lease...

Page 810: ...of wireless clients using MAC authentication with the Zyxel Device local user database Description This field displays a description of the device identified by the MAC address or OUI Table 301 Configuration Object User Group MAC Address continued LABEL DESCRIPTION Table 302 Configuration Object User Group MAC Address Add LABEL DESCRIPTION MAC Address OUI Type the MAC address six hexadecimal numbe...

Page 811: ...n 43 3 1 on page 812 creates radio configurations that can be used by the APs The SSID screen Section 43 3 2 on page 818 configures three different types of profiles for your networked APs 43 3 0 1 What You Need To Know The following terms and concepts may help as you read this section Wireless Profiles At the heart of all wireless AP configurations on the Zyxel Device are profiles A profile repre...

Page 812: ...ociated Wireless stations associating to the access point AP must have the same SSID In other words it is the name of the wireless network that clients use to connect to it WEP WEP Wired Equivalent Privacy encryption scrambles all data packets transmitted between the AP and the wireless stations associated with it in order to keep network communications private Both the wireless stations and the a...

Page 813: ...lick Inactivate References Click this to view which other objects are linked to the selected radio profile This field is a sequential value and it is not associated with a specific profile Status This icon is lit when the entry is active and dimmed when the entry is inactive Profile Name This field indicates the name assigned to the radio profile Frequency Band This field indicates the frequency b...

Page 814: ...3 Configuration Object AP Profile Add Edit Radio Profile The following table describes the labels in this screen Table 305 Configuration Object AP Profile Add Edit Radio Profile LABEL DESCRIPTION Hide Show Advanced Settings Click this to hide or show the Advanced Settings in this window General Settings Activate Select this option to make this profile active Profile Name Enter up to 31 alphanumeri...

Page 815: ...t 20 40MHz or 20 40 80MHz to allow the AP to adjust the channel bandwidth automatically Select 20MHz if you want to lessen radio interference with other wireless devices in your neighborhood or the wireless clients do not support channel bonding Note If the environment has poor signal to noise SNR the Zyxel Device will switch to a lower bandwidth Channel Selection Select the wireless channel which...

Page 816: ...Ps are operating in an area known to have RADAR devices This allows the device to downgrade its frequency to below 5 GHz in the event a RADAR signal is detected thus preventing it from interfering with that signal Enabling this forces the AP to select a non DFS channel 5 GHz Channel Selection Method This shows auto and allows the AP to search for available channels automatically in the 5 GHz band ...

Page 817: ...eive good throughput This allows only wireless clients with a strong signal to connect to the AP Clear the check box to not require wireless clients to have a minimum signal strength to connect to the AP Station Signal Threshold Set a minimum client signal strength A wireless client is allowed to connect to the AP only when its signal strength is stronger than the specified threshold 20 dBm is the...

Page 818: ...is displayed as the wireless network name when a person makes a connection to it To access this screen click Configuration Object AP Profile SSID Note You can have a maximum of 32 SSID profiles on the Zyxel Device Figure 564 Configuration Object AP Profile SSID List The following table describes the labels in this screen OK Click OK to save your changes back to the Zyxel Device Cancel Click Cancel...

Page 819: ...is field indicates the VLAN ID associated with the SSID profile Table 306 Configuration Object AP Profile SSID List continued LABEL DESCRIPTION Table 307 Configuration Object AP Profile SSID Add Edit SSID Profile LABEL DESCRIPTION Create new Object Select an object type from the list to create a new one associated with this SSID profile Profile Name Enter up to 31 alphanumeric characters for the p...

Page 820: ...raffic This is good for activities that do not require the best bandwidth throughput such as surfing the Internet WMM_BACKGROUND All wireless traffic to the SSID is tagged as low priority or background traffic meaning all other access categories take precedence over this one If traffic from an SSID does not have strict throughput requirements then this access category is recommended For example an...

Page 821: ...ting system Enable Intra BSS Traffic Blocking Select this option to prevent crossover traffic from within the same SSID Local VAP Setting This part of the screen only applies to Zyxel Device models that have built in wireless functionality AP see Section 1 1 on page 28 VLAN Support Select On to have the Zyxel Device assign the VLAN ID listed in the top part of the screen to the built in AP Select ...

Page 822: ...Guide 822 Profile Name This field indicates the name assigned to the security profile Security Mode This field indicates this profile s security mode if any Table 308 Configuration Object AP Profile SSID Security List continued LABEL DESCRIPTION ...

Page 823: ...ile or edit an existing one To access this screen click the Add button or select a security profile from the list and click the Edit button Note This screen s options change based on the Security Mode selected Only the default screen is displayed here Figure 567 Configuration Object AP Profile SSID Security Profile Add Edit Security Profile ...

Page 824: ... an external RADIUS server for authentication Primary Secondary Radius Server Activate Select this to have the Zyxel Device use the specified RADIUS server Radius Server IP Address Enter the IP address of the RADIUS server to be used for authentication Radius Server Port Enter the port number of the RADIUS server to be used for authentication Radius Server Secret Enter the shared secret password o...

Page 825: ...ols or 64 hexadecimal characters Cipher Type Select an encryption cipher type from the list auto This automatically chooses the best available cipher based on the cipher in use by the wireless client that is attempting to make a connection tkip This is the Temporal Key Integrity Protocol encryption method added later to the WEP encryption protocol to further secure Not all wireless clients may sup...

Page 826: ... labels in this screen Table 310 Configuration Object AP Profile SSID MAC Filter List LABEL DESCRIPTION Add Click this to add a new MAC filtering profile Edit Click this to edit the selected MAC filtering profile Remove Click this to remove the selected MAC filtering profile References Click this to view which other objects are linked to the selected MAC filtering profile for example SSID profile ...

Page 827: ...for the profile name This name is only visible in the Web Configurator and is only for management purposes Spaces and underscores are allowed Filter Action Select allow to permit the wireless client with the MAC addresses in this profile to connect to the network through the associated SSID select deny to block the wireless clients with the specified MAC addresses Add Click this to add a MAC addre...

Page 828: ...3 4 2 Configuring MON Profile This screen allows you to create monitor mode configurations that can be used by the APs To access this screen login to the Web Configurator and click Configuration Object MON Profile Figure 570 Configuration Object MON Profile The following table describes the labels in this screen Table 312 Configuration Object MON Profile LABEL DESCRIPTION Add Click this to add a n...

Page 829: ...or select and existing monitor mode profile and click the Edit button Figure 571 Configuration Object MON Profile Add Edit MON Profile Profile Name This field indicates the name assigned to the monitor profile Apply Click Apply to save your changes back to the Zyxel Device Reset Click Reset to return the screen to its last saved settings Table 312 Configuration Object MON Profile continued LABEL D...

Page 830: ...l time expires Select manual to set specific channels through which to cycle sequentially when the Channel dwell time expires Selecting this options makes the Scan Channel List options available Country Code Select the country code of APs that are connected to the Zyxel Device to be the same as where the Zyxel Device is located installed The available channels vary depending on the country you sel...

Page 831: ...detected in your network as well as any others that you know are not a threat those from recognized networks for example It is recommended that you export save your list of friendly APs often especially if you have a network with a large number of access points 43 5 ZyMesh Overview This section shows you how to configure ZyMesh profiles for the Zyxel Device to apply to the managed APs ZyMesh is a ...

Page 832: ... managed APs are deployed to form a ZyMesh for the first time the root AP must be connected to an AP controller the Zyxel Device In the following example managed APs 1 and 2 act as a root AP and managed APs A B and C are repeaters The maximum number of hops the repeaters between a wireless client and the root AP you can have in a ZyMesh varies according to how many wireless clients a managed AP ca...

Page 833: ... enter the primary AP controller s ZyMesh Provision Group MAC address in the second AP controller s ZyMesh Provision Group field If you didn t change the second AP controller s MAC address managed APs in an existing ZyMesh can still access the networks through the second AP controller and communicate with each other But new managed APs will not be able to communicate with the managed APs in the ex...

Page 834: ...ID specified in this ZyMesh profile Table 314 Configuration Object ZyMesh Profile continued LABEL DESCRIPTION Table 315 Configuration Object ZyMesh Profile Add Edit ZyMesh Profile LABEL DESCRIPTION Profile Name Enter up to 31 alphanumeric characters for the profile name ZyMesh SSID Enter the SSID with which you want the managed AP to connect to a root AP or repeater to build a ZyMesh link Note The...

Page 835: ...on on page 836 to create application objects that can be used in App Patrol profiles Use the Application Group screen Section 43 6 2 on page 839 to group application objects as an individual object that can be used in App Patrol profiles Database Games Network Management Remote Access Terminals Bypass Proxies and Tunnels Web Security Update Web IM TCP UDP traffic Business Network Protocols Mobile ...

Page 836: ... least change the name as duplicate entry names are not allowed This field is a sequential value associated with an application object Name This field indicates the name assigned to the application object Description This field shows some extra information on the application object Content This field shows the application signature s in this application object Reference This displays the number of...

Page 837: ...te your signatures Table 317 Configuration Object Application Application continued LABEL DESCRIPTION Table 318 Configuration Object Application Application Add Application Rule LABEL DESCRIPTION Name Type a name to identify this application rule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Description You ...

Page 838: ... Add in Configuration Object Application Application Add Application Rule to choose the signatures that should go into this object Figure 578 Configuration Object Application Application Add Application Rule Add By Category Figure 579 Configuration Object Application Application Add Application Rule Add By Service ...

Page 839: ...ct By Service type a keyword and click Search to display all signatures containing that keyword Query Result The results of the search are displayed here This field is a sequential value associated with this signature Category This field shows the category to which the signature belongs Select the checkbox to add this signature to the application object Application This displays the name of the ap...

Page 840: ... shows the type of IDP AppPatrol signatures license you have activated Signature Information An activated license allows you to download signatures to the Zyxel Device from myZyxel These fields show details on the signatures downloaded Current Version The version number increments when signatures are updated at myZyxel This field shows the current version downloaded to the Zyxel Device Released Da...

Page 841: ...3 7 2 Address Summary Screen The address screens are used to create maintain and remove addresses There are the types of address objects HOST the object uses an IP Address to define a host address RANGE the object uses a range address defined by a Starting IP Address and an Ending IP Address SUBNET the object uses a network address defined by a Network IP address and Netmask subnet mask INTERFACE ...

Page 842: ...vel domain In an address FQDN object you can also use one wildcard For example zyxel com An FQDN is resolved to its IP address using the DNS server configured on the Zyxel Device The Address screen provides a summary of all addresses in the Zyxel Device To access this screen click Configuration Object Address Address Click a column s heading cell to sort the table entries by that column s criteria...

Page 843: ...isplays the type of each address object INTERFACE means the object uses the settings of one of the Zyxel Device s interfaces IPv4 Address This field displays the IPv4 addresses represented by each address object If the object s settings are based on one of the Zyxel Device s interfaces the name of the interface displays first followed by the object s current address settings Reference This display...

Page 844: ...P Address This field is only available if the Address Type is RANGE This field cannot be blank Enter the beginning of the range of IP addresses that this address object represents Ending IP Address This field is only available if the Address Type is RANGE This field cannot be blank Enter the end of the range of IP address that this address object represents Network This field is only available if ...

Page 845: ... is HOST This field cannot be blank Enter the IP address that this address object represents IPv6 Starting Address This field is only available if the Address Type is RANGE This field cannot be blank Enter the beginning of the range of IP addresses that this address object represents IPv6 Ending Address This field is only available if the Address Type is RANGE This field cannot be blank Enter the ...

Page 846: ...ant to remove it before doing so References Select an entry and click References to open a screen that shows which settings use the entry This field is a sequential value and it is not associated with a specific address group Name This field displays the name of each address group Description This field displays the description of each address group if any Reference This displays the number of tim...

Page 847: ...s GEOGRAPHY and FQDN you want to create Note The Zyxel Device automatically updates address objects that are based on an interface s IP address subnet or gateway if the interface s IP address settings change For example if you change 1 s IP address the Zyxel Device automatically updates the corresponding interface based LAN subnet address object Member List The Member list displays the names of th...

Page 848: ...ic address objects in security policies to forward or deny traffic to whole countries or regions Click a column s heading cell to sort the table entries by that column s criteria Click the heading cell again to reverse the sort order Figure 587 Configuration Object Address Geo IP Geo IP ...

Page 849: ...ant the Zyxel Device to check weekly for the latest country to IP address database version on myZyxel select the checkbox choose a day and time each week and then click Apply The default day and time displayed is the Zyxel Device current day and time Custom IPv4 IPv6 to Geography Rules Add Click this to create a new entry IPv4 v6 to Geography Enter an IP address then click this button to query whi...

Page 850: ...o this IP address Address Type Select the type of address you want to create Choices are HOST RANGE SUBNET IP Address This field is only available if the Address Type is HOST This field cannot be blank Enter the IP address that this address object represents IP Starting Address This field is only available if the Address Type is RANGE This field cannot be blank Enter the beginning of the range of ...

Page 851: ...Protocol ICMP IP protocol 1 is mainly used to send error messages or to investigate problems For example ICMP is used to send the response if a computer cannot be reached Another use is ping ICMP does not guarantee delivery but networks often treat ICMP messages differently sometimes looking at the message itself to decide where to send it Service Objects and Service Groups Use service objects to ...

Page 852: ...e to modify the entry s settings Remove To remove an entry select it and click Remove The Zyxel Device confirms you want to remove it before doing so References Select an entry and click References to open a screen that shows which settings use the entry This field is a sequential value and it is not associated with a specific service Name This field displays the name of each service Content This ...

Page 853: ... Protocol is ICMP or ICMPv6 Select the ICMP message used by this service This field displays the message text not the message number IP Protocol Number This field appears if the IP Protocol is User Defined Enter the number of the next level protocol IP protocol Allowed values are 1 255 OK Click OK to save your changes back to the Zyxel Device Cancel Click Cancel to exit this screen without saving ...

Page 854: ...ly Supports both IPv4 and IPv6 Name This field displays the name of each service group By default the Zyxel Device uses services starting with Default_Allow_ in the security policies to allow certain services to connect to the Zyxel Device Description This field displays the description of each service group if any Reference This displays the number of times an object reference is used in a profil...

Page 855: ...specific stop date and time One time schedules are useful for long holidays and vacation periods Recurring Schedules Recurring schedules begin at a specific start time and end at a specific stop time on selected days of the week Sunday Monday Tuesday Wednesday Thursday Friday and Saturday Recurring schedules always begin and end in the same day Recurring schedules are useful for defining the workd...

Page 856: ...s field is a sequential value and it is not associated with a specific schedule Name This field displays the name of the schedule which is used to refer to the schedule Start Day Time This field displays the date and time at which the schedule begins Stop Day Time This field displays the date and time at which the schedule ends Reference This displays the number of times an object reference is use...

Page 857: ... the one time schedule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Date Time StartDate Specify the year month and day when the schedule begins Year 1900 2999 Month 1 12 Day 1 31 it is not possible to specify illegal dates such as February 31 StartTime Specify the hour and minute when the schedule begins Ho...

Page 858: ...Configuration Object Schedule Edit Recurring LABEL DESCRIPTION Configuration Name Type the name used to refer to the recurring schedule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Date Time StartTime Specify the hour and minute when the schedule begins each day Hour 0 23 Minute 0 59 StopTime Specify the ho...

Page 859: ...ew entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The Zyxel Device confirms you want to remove it before doing so References Select an entry and click References to open a screen that shows which settings use the entry This field is a sequential value and it is not associated with a specifi...

Page 860: ...u may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Description Enter a description of the service group if any You can use up to 60 printable ASCII characters Member List The Member list displays the names of the service and service group objects that have been added to the service group The order of members is not...

Page 861: ...sful the Zyxel Device checks the user information in the directory against the user name and password pair 4 If it matches the user is allowed access Otherwise access is blocked 43 10 2 RADIUS Server RADIUS Remote Authentication Dial In User Service authentication is a popular protocol used to authenticate users by means of an external server instead of or in addition to an internal device user da...

Page 862: ...user database The Zyxel Device uses the built in local user database to authenticate administrative users logging into the Zyxel Device s Web Configurator or network access users logging into the network through the Zyxel Device You can also use the local user database to authenticate VPN users Directory Service LDAP AD LDAP Lightweight Directory Access Protocol AD Active Directory is a directory ...

Page 863: ...y c UK where o means organization and c means country Bind DN A bind DN is used to authenticate with an LDAP AD server For example a bind DN of cn zywallAdmin allows the Zyxel Device to log into the LDAP AD server using the user name of zywallAdmin The bind DN is used in conjunction with a bind password When a bind DN is not specified the Zyxel Device will try to log in as an anonymous user If the...

Page 864: ... AAA Server Active Directory or LDAP LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The Zyxel Device confirms you want to remove it before doing so References Select an entry and click References to open a screen that shows w...

Page 865: ...Chapter 43 Object ZyWALL USG Series User s Guide 865 Figure 602 Configuration Object AAA Server Active Directory or LDAP Add ...

Page 866: ...al characters For example cn zywallAdmin specifies zywallAdmin as the user name Password If required enter the password up to 15 alphanumerical characters for the Zyxel Device to bind or log in to the AD or LDAP server Retype to Confirm Retype your new password for confirmation Login Name Attribute Enter the type of identifier the users are to use to log in For example name or e mail address Alter...

Page 867: ...h a LAN which allows local computers to find computers on the remote network and vice versa Configuration Validation Use a user account from the server specified above to test if the configuration is correct Enter the account s user name in the Username field and click Test OK Click OK to save the changes Cancel Click Cancel to discard the changes Table 340 Configuration Object AAA Server Active D...

Page 868: ...the Zyxel Device sends authentication requests Enter a number between 1 and 65535 Backup Server Address If the RADIUS server has a backup server enter its address here Backup Authentication Port Specify the port number on the RADIUS server to which the Zyxel Device sends authentication requests Enter a number between 1 and 65535 Timeout Specify the timeout period between 1 and 300 seconds before t...

Page 869: ...ction Refer to the chapter on VPN for more information Follow the steps below to specify the authentication method for a VPN connection 1 Access the Configuration VPN IPSec VPN VPN Gateway Edit screen 2 Click Show Advance Setting and select Enable Extended Authentication Key Enter a password up to 15 alphanumeric characters as the key to be shared between the external authentication server and the...

Page 870: ...od Object Follow the steps below to create an authentication method object 1 Click Configuration Object Auth Method Table 343 Configuration Object Auth Method LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The Zyxel Device co...

Page 871: ...same type 7 Click OK to save the settings or click Cancel to discard all changes and return to the previous screen Figure 607 Configuration Object Auth Method Add The following table describes the labels in this screen Table 344 Configuration Object Auth Method Add LABEL DESCRIPTION Name Specify a descriptive name for identification purposes You may use 1 31 alphanumeric characters underscores _ o...

Page 872: ...field displays the index number Method List Select a server object from the drop down list box You can create a server object in the AAA Server screen The Zyxel Device authenticates the users using the databases in the local user database or the external authentication server in the order they appear in this screen If two accounts with the same username exist on two authentication servers you spec...

Page 873: ... is trying to log into the Zyxel Device using the Web Configurator SSH or Telnet 2 The Zyxel Device requests the admin user s user name password and mobile phone number or email address from the Active Directory RADIUS server or local Zyxel Device database in order to authenticate this admin user 3 If all correct credentials are found then the Zyxel Device will request the Cloud SMS system to send...

Page 874: ...igured correctly ViaNett Authentication failed and no SMS was sent Check that SMS is enabled and credentials are correct in System Notification SMS Mail server authentication failed Check if the System Notification Mail Server settings are correct The authorization timed out Extend the Valid Time in Configuration Object Auth Method Two factor Authentication VPN Access Use this screen to select the...

Page 875: ...back to the Selectable User Group Objects list Delivery Settings Use this section to configure how to send an SMS or email for authorization Deliver Authorize Link Method Select one or both methods SMS Object User Group User must contain a valid mobile telephone number A valid mobile telephone number can be up to 20 characters in length including the numbers 1 9 and the following characters in the...

Page 876: ...ation for logins via the Web Configurator SSH or Telnet Two factor Authentication for Services Select which services require Two Factor Authentication for the admin user Web SSH TELNET User Group This list displays the names of the users and user groups that can be selected for two factor authentication The order of members is not important Select users and groups from the Selectable User Group Ob...

Page 877: ...d by you or by someone else In the same way your private key writes your digital signature and your public key allows people to verify whether data was signed by you or by someone else This process works as follows 1 Tim wants to send a message to Jenny He needs her to be sure that it comes from him and that the message content has not been altered by anyone else along the way Tim generates a publ...

Page 878: ...infrastructure Advantages of Certificates Certificates offer the following benefits The Zyxel Device only has to store the certificates of the certification authorities that you decide to trust no matter how many devices you need to authenticate Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys Self signed Certificate...

Page 879: ...y default 43 12 2 Verifying a Certificate Before you import a trusted certificate into the Zyxel Device you should verify that you have the correct certificate You can do this using the certificate s fingerprint A certificate s fingerprint is a message digest calculated using the MD5 or SHA1 algorithm The following procedure describes how to check a certificate s fingerprint to verify that you hav...

Page 880: ...evice s PKI storage space that is currently in use When the storage space is almost full you should consider deleting expired or unnecessary certificates before adding more certificates Add Click this to go to the screen where you can have the Zyxel Device generate a certificate or a certification request Edit Double click an entry or select it and click Edit to open a screen with an in depth list...

Page 881: ...d Click this and the following screen will appear Type the selected certificate s password and save the selected certificate to your computer Figure 614 Download a Certificate Table 347 Configuration Object Certificate My Certificates continued LABEL DESCRIPTION ...

Page 882: ...ets _ are allowed E mail Content Create the email content in English and use up to 250 keyboard characters The special characters listed in the brackets _ are allowed Compress as a ZIP File Select the check box to compress the selected certificate Make sure the endpoint devices can decompress ZIP files before sending the compressed certificate It s recommended to compress the certificate with a pr...

Page 883: ...displays identifying information about the certificate s owner such as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended that each certificate have unique subject information Issuer This field displays identifying information about the certificate s issuing certification authority such as a common name organizational unit or department or...

Page 884: ...ate have unique subject information Select a radio button to identify the certificate s owner by IP address domain name or e mail address Type the IP address in dotted decimal notation domain name or e mail address in the field provided The domain name or e mail address is for identification purposes only and can be any string A domain name can be up to 255 characters You can use alphanumeric char...

Page 885: ...key algorithm Key Length Select a number from the drop down list box to determine how many bits the key should use 512 to 2048 The longer the key the more secure it is A longer key also uses more PKI storage space Extended Key Usage This field displays how the Zyxel Device generates and stores a request for server authentication client authentication and or IKE Intermediate authentication certific...

Page 886: ...Click the Refresh button to have this read only text box display the hierarchy of certification authorities that validate the certificate and the certificate itself If the issuing certification authority is one that you have imported as a trusted certification authority it may be the only certification authority in the list along with the certificate itself If the certificate is a self signed cert...

Page 887: ...expired none displays for a certification request Key Algorithm This field displays the type of algorithm that was used to generate the certificate s key pair the Zyxel Device uses RSA encryption and the length of the key set in bits 1024 bits for example Subject Alternative Name This field displays the certificate owner s IP address IP domain name DNS or e mail address EMAIL Key Usage This field ...

Page 888: ...s screen opens browse to the location that you want to use and click Save Password If you want to export the certificate with its private key create a password and type it here Make sure you keep this password in a safe place You will need to use it if you import the certificate to another device Export Certificate with Private Key Use this button to save a copy of the certificate with its private...

Page 889: ...eleting expired or unnecessary certificates before adding more certificates Edit Double click an entry or select it and click Edit to open a screen with an in depth list of information about the certificate Remove The Zyxel Device keeps all of your certificates unless you specifically delete them Uploading a new firmware or default configuration file does not delete your certificates To remove an ...

Page 890: ...tificates before trusting a certificate issued by the certification authority Valid From This field displays the date that the certificate becomes applicable Valid To This field displays the date that the certificate expires The text displays in red and includes an Expired message if the certificate has expired Import Click Import to open a screen where you can save the certificate of a certificat...

Page 891: ...Chapter 43 Object ZyWALL USG Series User s Guide 891 Figure 620 Configuration Object Certificate Trusted Certificates Edit ...

Page 892: ...II characters from the entity maintaining the OCSP server usually a certification authority LDAP Server Select this check box if the directory server uses LDAP Lightweight Directory Access Protocol LDAP is a protocol over TCP that specifies how clients access directories of certificates and lists of revoked certificates Address Type the IP address in dotted decimal notation of the directory server...

Page 893: ...eans that the key can be used to sign certificates and KeyEncipherment means that the key can be used to encrypt text Basic Constraint This field displays general information about the certificate For example Subject Type CA means that this is a certification authority s certificate and Path Length Constraint 1 means that there can only be one certification authority in the certificate s path MD5 ...

Page 894: ...rrent or unknown response 43 13 ISP Account Overview Use ISP accounts to manage Internet Service Provider ISP account information for PPPoE PPTP L2TP interfaces An ISP account is a profile of settings for Internet access using PPPoE PPTP or L2TP Use the Object ISP Account screens Section 43 13 1 on page 894 to create and manage ISP accounts in the Zyxel Device 43 13 1 ISP Account Summary This scre...

Page 895: ...ABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The Zyxel Device confirms you want to remove it before doing so References Select an entry and click References to open a screen that shows which settings use the entry This field is a sequential ...

Page 896: ...ntication Type Use the drop down list box to select an authentication protocol for outgoing calls Options are CHAP PAP Your Zyxel Device accepts either CHAP or PAP when requested by this remote node Chap Your Zyxel Device accepts CHAP only PAP Your Zyxel Device accepts PAP only MSCHAP Your Zyxel Device accepts MSCHAP only MSCHAP V2 Your Zyxel Device accepts MSCHAP V2 only Encryption Method This fi...

Page 897: ...not displayed If this ISP account uses the PPTP protocol type the IP address of the PPTP server Connection ID This field is available if this ISP account uses the PPTP protocol Type your identification name for the PPTP server This field can be blank Service Name If this ISP account uses the PPPoE protocol type the PPPoE service name to access PPPoE uses the specified service name to identify and ...

Page 898: ...e VNC Virtual Network Computing or RDP Remote Desktop Protocol server software installed The remote user s computer does not use VNC or RDP client software The Zyxel Device works with the following remote desktop connection software RDP Windows Remote Desktop supported in Internet Explorer VNC RealVNC TightVNC UltraVNC For example user A uses an SSL VPN connection to log into the Zyxel Device Then...

Page 899: ...info Select Web Page Encryption to prevent users from saving the web content Click OK to save the settings The configuration screen should look similar to the following figure Figure 625 Example SSL Application Specifying a Web Site for Access 43 14 2 The SSL Application Screen The main SSL Application screen displays a list of the configured SSL application objects Click Configuration Object SSL ...

Page 900: ...pplication you must also configure the shared folder on the file server for remote access Refer to the document that comes with your file server Figure 627 Configuration Object SSL Application Add Edit Web Application Table 356 Configuration Object SSL Application LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the ...

Page 901: ...Zyxel Device supports one OWA object Select VNC to allow users to manage LAN computers that have Virtual Network Computing remote desktop server software installed Select RDP to allow users to manage LAN computers that have Remote Desktop Protocol remote desktop server software installed Select Weblink to create a link to a web site that you expect the SSL VPN users to commonly use Name Enter a de...

Page 902: ...ck Preview to access the URL you specified in a new web browser screen Entry Point This field only appears when you choose Web Application as the object type This field displays if the Server Type is set to Web Server or OWA This field is optional You only need to configure this field if you need to specify the name of the directory or file on the local server as the home page or home directory on...

Page 903: ...ttings Remove To remove an entry select it and click Remove The Zyxel Device confirms you want to remove it before doing so References Select an entry and click References to open a screen that shows which settings use the entry This field is a sequential value and it is not associated with a specific object Name This field displays the name of each request object Type This field displays the requ...

Page 904: ...vice Cancel Click Cancel to exit this screen without saving your changes Table 359 Configuration DHCPv6 Request Add continued LABEL DESCRIPTION Table 360 Configuration Object DHCPv6 Lease LABEL DESCRIPTION Configuration Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry sel...

Page 905: ...quest object or User Defined in the DNS Server field and enter the IP address of the DNS server in the User Defined Address field below Starting IP Address If you select Address Pool in the Lease Type field enter the first of the contiguous addresses in the IP address pool End IP Address If you select Address Pool in the Lease Type field enter the last of the contiguous addresses in the IP address...

Page 906: ...h IP address the access can come Use the System TELNET screen see Section 44 9 on page 945 to configure Telnet to access the Zyxel Device s command line interface Specify which zones allow Telnet access and from which IP address the access can come Use the System FTP screen see Section 44 10 on page 946 to specify from which zones FTP can be used to access the Zyxel Device You can also specify fro...

Page 907: ... use a connected USB device to store the system log and other diagnostic information Use this screen to turn on this feature and set a disk full warning limit Note Only connect one USB device It must allow writing it cannot be read only and use the FAT16 FAT32 EXT2 or EXT3 file system Click Configuration System USB Storage to open the screen as shown next Table 362 Configuration System Host Name L...

Page 908: ...cal time zone and date click Configuration System Date Time The screen displays as shown You can manually set the Zyxel Device s time and date or have the Zyxel Device get the date and time from a time server Table 363 Configuration System USB Storage LABEL DESCRIPTION Activate USB storage service Select this if you want to use the connected USB device s Disk full warning when remaining space is l...

Page 909: ...gure a new time and date time zone and daylight saving at the same time the time zone and daylight saving will affect the new time and date you entered When you enter the time settings manually the Zyxel Device uses the new setting once you click Apply New Time hh mm ss This field displays the last updated time from the time server or the last time configured manually When you set Time and Date Se...

Page 910: ...in most parts of the United States on the second Sunday of March Each time zone in the United States starts using Daylight Saving Time at 2 A M local time So in the United States you would select Second Sunday March and type 2 in the at field Daylight Saving Time starts in the European Union on the last Sunday of March All of the time zones in the European Union start using Daylight Saving Time at...

Page 911: ...pre defined NTP time servers have been tried 44 4 2 Time Server Synchronization Click the Synchronize Now button to get the time and date from the time server you specified in the Time Server Address field When the Please Wait screen appears you may have to wait up to one minute Figure 636 Synchronization in Process The Current Time and Current Date fields will display the appropriate settings if ...

Page 912: ...6 Click Apply 44 5 Console Port Speed This section shows you how to set the console port speed when you connect to the Zyxel Device via the console port using a terminal emulation program Click Configuration System Console Speed to open the Console Speed screen Figure 637 Configuration System Console Speed The following table describes the labels in this screen Table 366 Configuration System Conso...

Page 913: ...vices A name query begins at a client computer and is passed to a resolver a DNS client service for resolution The Zyxel Device can be a DNS client service The Zyxel Device can resolve a DNS query locally using cached Resource Records RR obtained from a previous query and kept for a period of time If the Zyxel Device does not have the requested information it can forward the request to DNS servers...

Page 914: ... For example www zyxel com tw is a fully qualified domain name where www is the host zyxel is the third level domain com is the second level domain and tw is the top level domain Add Click this to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The Zyxel Device confirms you want...

Page 915: ...reate a new entry after the selected entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The Zyxel Device confirms you want to remove it before doing so Note that subsequent entries move up by one when you take this action Move To change an entry s position in the numbered list select the method...

Page 916: ... if the Zyxel Device is allowed or denied to forward DNS client requests to DNS servers for resolution Service Control This specifies from which computers and zones you can send DNS queries to the Zyxel Device Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to be able to modify ...

Page 917: ...rd in the Domain Name System DNS that specifies that the domain name is an alias of another canonical domain name This allows users to set up a record for a domain name which translates to an IP address in other words the domain name is an alias of another This record also binds all the subdomains to the same IP address without having to create a record for each so when the IP address is changed a...

Page 918: ...features like VPN DDNS and the time server A domain zone is a fully qualified domain name without the host For example zyxel com tw is the domain zone for the www zyxel com tw fully qualified domain name 44 6 9 Adding a Domain Zone Forwarder Click the Add icon in the Domain Zone Forwarder table to add a domain zone forwarder record Table 369 Configuration System DNS CNAME Record Add LABEL DESCRIPT...

Page 919: ... are served by the specified DNS server s DNS Server Select DNS Server s from ISP if your ISP dynamically assigns DNS server information You also need to select an interface through which the ISP provides the DNS server IP address es The interface should be activated and set to be a DHCP client The fields below display the read only DNS server IP address es that the ISP assigns N A displays for an...

Page 920: ...rom Cache in the default policy and allow Query Recursion and Additional Info from Cache only from trusted DNS servers identified by address objects and added as members in the customized policy 44 6 13 Editing a Security Option Control Click a control policy and then click Edit to change allow or deny actions for Query Recursion and Additional Info from Cache Table 371 Configuration System DNS MX...

Page 921: ...s to DNS servers for resolution This can apply to specific open DNS servers using the address objects in a customized rule Additional Info from Cache Choose if the ZyWALL USG is allowed or denied to cache Resource Records RR obtained from previous DNS queries Address List Specifying address objects is not available in the default policy as all addresses are included Available This box displays add...

Page 922: ...lowed IP address address object in the Service Control table does not match the client IP address the Zyxel Device disallows the session Table 373 Configuration System DNS Service Control Rule Add LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen Address Object Select ALL to allow or deny any computer to send DNS queries to the Z...

Page 923: ...level protocol that enables secure transactions of data by ensuring confidentiality an unauthorized party cannot read the transferred data authentication one party can identify the other party and data integrity you know if data has been changed It relies upon certificates public keys and private keys HTTPS on the Zyxel Device is used so that you can securely access the Zyxel Device using the Web ...

Page 924: ...WWW Service Control Click Configuration System WWW to open the WWW screen Use this screen to specify from which zones you can access the Zyxel Device using HTTP or HTTPS You can also specify which IP addresses the access can come from Note Admin Service Control deals with management access to the Web Configurator User Service Control deals with user access to the Zyxel Device logging into SSL VPN ...

Page 925: ...umber on the Zyxel Device for example 8443 then you must notify people who need to access the Zyxel Device Web Configurator to use https Zyxel Device IP Address 8443 as the URL Authenticate Client Certificates Select Authenticate Client Certificates optional to require the SSL client to authenticate itself to the Zyxel Device by sending the Zyxel Device a certificate To do that the SSL client must...

Page 926: ...he zone on the Zyxel Device the user is allowed or denied to access Address This is the object name of the IP address es with which the computer is allowed or denied to access Action This displays whether the computer with the IP address specified above can access the Zyxel Device zone s configured in the Zone field Accept or not Deny HTTP Enable Select the check box to allow or disallow the compu...

Page 927: ...blocking message HSTS HTTP Strict Transport Security may be activated in some browsers as the browser cached certificate is different to the one displayed by the local server In this case you cannot see a blocking warning message Accessing a web page may require multiple connections to different sites to get all the information in the web page When there is a connection to a HTTPS website that bel...

Page 928: ...d to use in this screen Address Object Select ALL to allow or deny any computer to communicate with the Zyxel Device using this service Select a predefined address object to just allow or deny the computer with the IP address that you specified to access the Zyxel Device using this service Zone Select ALL to allow or prevent any Zyxel Device zones from being accessed using this service Select a pr...

Page 929: ...Chapter 44 System ZyWALL USG Series User s Guide 929 Figure 648 Configuration System WWW Login Page Desktop View ...

Page 930: ...Chapter 44 System ZyWALL USG Series User s Guide 930 Figure 649 Configuration System WWW Login Page Mobile View The following figures identify the parts you can customize in the login and access pages ...

Page 931: ...n You can specify colors in one of the following ways Click Color to display a screen of web safe colors from which to choose Enter the name of the desired color Logo Title Message Note Message Background last line of text color of all text Logo Title Message Note Message Window last line of text color of all text Background ...

Page 932: ...the title for the top of the screen Use up to 64 printable ASCII characters Spaces are allowed Title Color Specify the color of the screen s title text Message Color Specify the color of the screen s text Note Message Enter a note to display at the bottom of the screen Use up to 64 printable ASCII characters Spaces are allowed Background Set how the screen background looks To use a graphic select ...

Page 933: ...s website to proceed to the Web Configurator login screen Otherwise select Click here to close this web page to block the access 44 7 7 2 Mozilla Firefox Warning Messages When you attempt to access the Zyxel Device HTTPS server a The Connection is Untrusted screen appears as shown in the following screen Click Technical Details if you want to verify more information about the certificate from the ...

Page 934: ...authorities The issuing certificate authority of the Zyxel Device s factory default certificate is the Zyxel Device itself since the certificate is a self signed certificate For the browser to trust a self signed certificate import the self signed certificate into your operating system as a trusted certificate To have the browser trust the certificates issued by a certificate authority import the ...

Page 935: ...Client Certificates to be active see the Certificates chapter for details Apply for a certificate from a Certification Authority CA that is trusted by the Zyxel Device see the Zyxel Device s Trusted CA Web Configurator screen Figure 656 Zyxel Device Trusted CA Screen The CA sends you a package containing the CA s trusted certificate s your personal certificate s and a password to install the perso...

Page 936: ...s shown earlier in this appendix 44 7 7 5 2 Installing Your Personal Certificate s You need a password in advance The CA may issue the password or you may have to specify it during the enrollment Double click the personal certificate given to you by the CA to produce a screen similar to the one shown next 1 Click Next to begin the wizard ...

Page 937: ...e Import Wizard 1 2 The file name and path of the certificate you double clicked should automatically appear in the File name text box Click Browse if you wish to import a different certificate Figure 659 Personal Certificate Import Wizard 2 3 Enter the password given to you by the CA ...

Page 938: ...Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location Figure 661 Personal Certificate Import Wizard 4 5 Click Finish to complete the wizard and begin the import process ...

Page 939: ...cate When Accessing the Zyxel Device Example Use the following procedure to access the Zyxel Device via HTTPS 1 Enter https Zyxel Device IP Address in your browser s web address field Figure 664 Access the Zyxel Device Via HTTPS 2 When Authenticate Client Certificates is selected on the Zyxel Device the following screen asks you to select a personal certificate to send to the Zyxel Device This scr...

Page 940: ...ss the Zyxel Device s command line interface Specify which zones allow SSH access and from which IP address the access can come SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network In the following figure computer A on the Internet uses SSH to securely connect to the WAN port of...

Page 941: ...ends a connection request to the SSH server The server identifies itself with a host key The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server The client automatically saves any new server public keys In subsequent connections the server public key is checked against the saved version on the client computer 2 Encryption Method...

Page 942: ...n a client computer Windows or Linux operating system that is used to connect to the Zyxel Device over SSH 44 8 4 Configuring SSH Click Configuration System SSH to change your Zyxel Device s Secure Shell settings Use this screen to specify from which zones SSH can be used to manage the Zyxel Device You can also specify from which IP addresses the access can come Figure 669 Configuration System SSH...

Page 943: ... This specifies from which computers you can access which Zyxel Device zones Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Refer to Table 375 on page 928 for details on the screen that opens Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and clic...

Page 944: ...671 SSH Example 2 Test 2 Enter ssh 1 192 168 1 1 This command forces your computer to connect to the Zyxel Device using SSH version 1 If this is the first time you are connecting to the Zyxel Device using SSH a message displays prompting you to save the host information of the Zyxel Device Type yes and press ENTER Then enter the password to log in to the Zyxel Device Figure 672 SSH Example 2 Log i...

Page 945: ...o access the Zyxel Device CLI using this service Server Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Service Control This specifies from which computers you can access which Zyxel Device zones Add Click this to create a new entry Select an entry and click Add to create a new entry aft...

Page 946: ...Zyxel Device s non configurable default policy The Zyxel Device applies this to traffic that does not match any other configured rule It is not an editable rule To apply other behavior configure a rule that traffic will match so the Zyxel Device will not have to use the default policy Zone This is the zone on the Zyxel Device the user is allowed or denied to access Address This is the object name ...

Page 947: ...u can access which Zyxel Device zones Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Refer to Table 375 on page 928 for details on the screen that opens Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The Zyxel Device confirms you ...

Page 948: ...se MIB is a collection of managed objects SNMP allows a manager and agents to communicate for the purpose of accessing these objects SNMP itself is a simple request response protocol based on the manager agent model The manager issues a request and the agent returns responses using the following protocol operations Get Allows the manager to retrieve an object variable from the agent GetNext Allows...

Page 949: ...our SNMP settings including from which zones SNMP can be used to access the Zyxel Device You can also specify from which IP addresses the access can come Table 380 SNMP Traps OBJECT LABEL OBJECT ID DESCRIPTION Cold Start 1 3 6 1 6 3 1 1 5 1 This trap is sent when the Zyxel Device is turned on or an agent restarts linkDown 1 3 6 1 6 3 1 1 5 3 This trap is sent when the Ethernet link is down linkUp ...

Page 950: ...s to SNMPv2c Select the SNMP version for the Zyxel Device The SNMP version on the Zyxel Device must match the version on the SNMP manager Get Community Enter the Get Community which is the password for the incoming Get and GetNext requests from the management station The default is public and allows all requests Set Community Enter the Set community which is the password for incoming Set requests ...

Page 951: ...e Zyxel Device except the user account Read Only The associated user can only collect information from the Zyxel Device MIBs Service Control This specifies from which computers you can access which Zyxel Device zones Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Refer to Table 375 on page 928 for details on the screen that opens E...

Page 952: ...tication Select an authentication algorithm MD5 Message Digest 5 and SHA Secure Hash Algorithm are hash algorithms used to authenticate SNMP data SHA authentication is generally considered stronger than MD5 but is slower Privacy Specify the encryption method for SNMP communication from this user You can choose one of the following DES Data Encryption Standard is a widely used but breakable method ...

Page 953: ...n entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The Zyxel Device confirms you want to remove it before doing so Note that subsequent entries move up by one when you take this action Activate To turn on an entry select it and clic...

Page 954: ...Report to configure what reports to send and to whom Click Configuration System Notification to display the Mail Server screen Table 384 Configuration System Auth Server Add Edit LABEL DESCRIPTION Activate Select this check box to make this profile active Profile Name Enter a descriptive name up to 31 alphanumerical characters for identification purposes IP Address Enter the IP address of the RADI...

Page 955: ... between the mail server and the Zyxel Device STARTTLS Select this option if the mail server uses SSL or TLS for encrypted communications between the mail server and the Zyxel Device Authenticate Server Select this if the Zyxel Device authenticates the mail server in the TLS handshake Mail From Type the e mail address from which the outgoing e mail is delivered This address is used in replies SMTP...

Page 956: ... Zyxel Device Reset Click Reset to return the screen to its last saved settings Table 385 Configuration System Notification Mail Server continued LABEL DESCRIPTION Table 386 Configuration System Notification SMS LABEL DESCRIPTION General Settings Enable SMS Select the check box to turn on the SMS service Default country code for phone number Enter the default country code for the mobile phone numb...

Page 957: ...ation Mail Server screen Mail To Enter the mobile phone number of up to 80 characters You can only have one receiver Use this variable in brackets mobile_number and the Zyxel Device will use the mobile phone number of the user logging in Go to the Configuration Object User Group User screen to add a valid mobile telephone number for a user ViaNett Configuration These fields are available when the ...

Page 958: ...tility screen and you can perform tasks like basic configuration of the devices and batch firmware upgrade in it You can download the ZON Utility at www zyxel com and install it on a computer 44 17 1 Requirements Before installing the ZON Utility on your computer please make sure it meets the requirements listed below Operating System At the time of writing the ZON Utility is compatible with Windo...

Page 959: ... 2GB RAM 100MB free hard disk WXGA Wide XGA 1280x800 44 17 2 Run the ZON Utility 1 Double click the ZON Utility to run it 2 The first time you run the ZON Utility you will see if your Zyxel Device and firmware version support the ZON Utility Click the OK button to close this screen Figure 684 Supported Devices and Versions If you want to check the supported models and firmware versions later you c...

Page 960: ... network adapter to which your supported devices are connected Figure 685 Network Adapter 4 Click the Go button for the ZON Utility to discover all supported devices in your network Figure 686 Discovering Devices 5 The ZON Utility screen shows the devices discovered ...

Page 961: ...an use this icon to reload the factory default configuration file This means that you will lose all configurations that you had previously 5 Locator LED Use this icon to locate the selected device by causing its Locator LED to blink 6 Web GUI Use this to access the selected device web configurator from your browser You will need a username and password to log in 7 Firmware Upgrade Use this icon to...

Page 962: ...utility is installed and the utility language Table 390 ZON Utility Fields LABEL DESCRIPTION Type This field displays an icon of the kind of device discovered Model This field displays the model name of the discovered device Firmware Version This field displays the firmware version of the discovered device MAC Address This field displays the MAC address of the discovered device IP Address This fie...

Page 963: ... domain as the computer on which ZON is installed Enable Select to activate ZDP discovery on the Zyxel Device Smart Connect Smart Connect uses Link Layer Discovery Protocol LLDP for discovering and configuring LLDP aware devices in the same broadcast domain as the Zyxel Device that you re logged into using the web configurator Enable Select to activate LLDP discovery on the Zyxel Device See also M...

Page 964: ...g messages and alerts e mailing them storing them on a connected USB storage device and sending them to remote syslog servers 45 2 Email Daily Report Use the Email Daily Report screen to start or stop data collection and view various statistics about traffic passing through your Zyxel Device See Configuration System Notification to set up the mail server Note Data collection may decrease the Zyxel...

Page 965: ...ype the subject line for outgoing e mail from the Zyxel Device Mail To Type the e mail address or addresses to which the outgoing e mail is delivered Send Report Now Click this button to have the Zyxel Device send the daily e mail report immediately Report Items Select the information to include in the report Types of information include System Resource Usage Wireless Report Interface Traffic Stat...

Page 966: ...t information the Zyxel Device saves in each log You can also specify which log messages to e mail for the system log and where and how often to e mail them These screens also set for which events to generate alerts and where to email the alerts The first Log Setting screen provides a settings summary Use the Edit screens to configure settings such as log categories e mail addresses and server nam...

Page 967: ...vate Inactivate To turn off an entry select it and click Inactivate This field is a sequential value and it is not associated with a specific log Name This field displays the type of log setting entry system log logs stored on a USB storage device connected to the Zyxel Device or one of the remote servers Log Format This field displays the format of the log Internal system log you can view the log...

Page 968: ...Chapter 45 Log and Report ZyWALL USG Series User s Guide 968 Figure 691 Configuration Log Report Log Setting Edit System Log E mail Servers ...

Page 969: ...Chapter 45 Log and Report ZyWALL USG Series User s Guide 969 Figure 692 Configuration Log Report Log Setting Edit System Log AC ...

Page 970: ... of the outgoing SMTP server Mail Subject Type the subject line for the outgoing e mail Send From Type the e mail address from which the outgoing e mail is delivered This address is used in replies Send Log To Type the e mail address to which the outgoing e mail is delivered Send Alerts To Type the e mail address to which alerts are delivered Sending Log Select how often log information is e maile...

Page 971: ...or all log categories Using the System Log drop down list to disable all logs overrides your e mail server 1 settings enable normal logs green check mark e mail log messages for all categories to e mail server 1 enable alert logs red exclamation point e mail alerts for all categories to e mail server 1 E mail Server 2 Use the E Mail Server 2 drop down list to change the settings for e mailing logs...

Page 972: ...for the e mail settings specified in E Mail Server 2 The Zyxel Device does not e mail debugging information even if it is recorded in the System log Log Consolidation Active Select this to activate log consolidation Log consolidation aggregates multiple log messages that arrive within the specified Log Consolidation Interval In the View Log tab the text count x where x is the number of original lo...

Page 973: ...p Duration field Keep duration Enter a number of days that the Zyxel Device keeps this log Active Log Selection Use the Selection drop down list to change the log settings for all of the log categories disable all logs red X do not send the remote server logs for any log category enable normal logs green check mark send the remote server log messages and alerts for all log categories enable normal...

Page 974: ...ategory except All Logs see below Choices are disable all logs red X do not log any information from this category enable normal logs green check mark log regular information and alerts from this category enable normal logs and debug logs yellow check mark log regular information alerts and debugging information from this category OK Click this to save your changes and return to the previous scree...

Page 975: ...Chapter 45 Log and Report ZyWALL USG Series User s Guide 975 Figure 695 Configuration Log Report Log Setting Edit Remote Server AC ...

Page 976: ...ve Log section Log Format This field displays the format of the log information It is read only VRPT Syslog Zyxel s Vantage Report syslog compatible format CEF Syslog Common Event Format syslog compatible format Server Address Type the server name or the IP address of the syslog server to which to send log information Server Port Type the service port number used by the remote server See Appendix ...

Page 977: ... yellow check mark send the remote server log messages alerts and debugging information for all log categories This field is a sequential value and it is not associated with a specific address Log Category This field displays each category of messages It is the same value used in the Display and Category fields in the View Log tab The Default category includes debugging messages generated by open ...

Page 978: ...Chapter 45 Log and Report ZyWALL USG Series User s Guide 978 Figure 696 Log Category Settings AC ...

Page 979: ...or 2 enable normal logs green check mark create log messages and alerts for all categories for the system log If e mail server 1 or 2 also has normal logs enabled the Zyxel Device will e mail logs to them enable normal logs and debug logs yellow check mark create log messages alerts and debugging information for all categories The Zyxel Device does not e mail debugging information even if this set...

Page 980: ...in the Display and Category fields in the View Log tab The Default category includes debugging messages generated by open source software System Log Select which events you want to log by Log Category There are three choices disable all logs red X do not log any information from this category enable normal logs green check mark create log messages and alerts from this category enable normal logs a...

Page 981: ...egory enable normal logs green check mark log regular information and alerts from this category enable normal logs and debug logs yellow check mark log regular information alerts and debugging information from this category OK Click this to save your changes and return to the previous screen Cancel Click this to return to the previous screen without saving your changes Table 397 Configuration Log ...

Page 982: ... the Configuration File screen see Section 46 2 on page 984 to store and name configuration files You can also download configuration files from the Zyxel Device to your computer and upload configuration files from your computer to the Zyxel Device Use the Firmware Package screen see Section 46 3 on page 988 to check your current firmware version and upload firmware to the Zyxel Device Use the She...

Page 983: ... sub command mode Note exit or must follow sub commands if it is to make the Zyxel Device exit sub command mode Figure 698 Configuration File Shell Script Example enter configuration mode configure terminal change administrator password username admin password 4321 user type admin configure ge3 interface ge3 ip address 172 23 37 240 255 255 255 0 ip gateway 172 23 37 254 metric 1 exit create addre...

Page 984: ... The Zyxel Device still generates a log for any errors 46 2 The Configuration File Screen Click Maintenance File Manager Configuration File to open the Configuration File screen Use the Configuration File screen to store run and name configuration files You can also download configuration files from the Zyxel Device to your computer and upload configuration files from your computer to the Zyxel De...

Page 985: ...e If there is an error the Zyxel Device generates a log and copies the startup config conf configuration file to the startup config bad conf configuration file and tries the existing lastgood conf configuration file If there isn t a lastgood conf configuration file or it also has an error the Zyxel Device applies the system default conf configuration file You can change the way the startup config ...

Page 986: ...duplicate of the configuration file Remove Click a configuration file s row to select it and click Remove to delete it from the Zyxel Device You can only delete manually saved configuration files You cannot delete the system default conf startup config conf and lastgood conf files A pop up window asks you to confirm that you want to delete the configuration file Click OK to delete the configuratio...

Page 987: ...ogs for all of the configuration file s errors and starts the Zyxel Device with a fully valid configuration file Click OK to have the Zyxel Device start applying the configuration file or click Cancel to close the screen This column displays the number for each configuration file entry This field is a sequential value and it is not associated with a specific address The total number of configurati...

Page 988: ...ile the firmware update is in progress If your Zyxel Device has two firmware images installed and one fails to boot kernel crash kernel panic out of memory etc then the Zyxel Device will automatically use the good backup image to boot 46 3 1 Firmware Upload and Device HA Pro If Device HA Pro is enabled then both the active and passive Zyxel Device must be online and connected in order to upload fi...

Page 989: ...e Cloud Helper server and lets you download it if there is Note You can download up to firmware version 4 20 directly from the Zyxel website To download firmware version 4 25 and later go to myZyxel create an account and register your Zyxel Device first Then you will be able to see links to and get notifications on new firmware available At the time of writing the Firmware Upgrade license providin...

Page 990: ...mware to the standby partition and have the Zyxel Device reboot automatically so that the new standby firmware becomes the running firmware The previous running firmware becomes the standby firmware Cloud Helper Flag Cloud firmware is being downloaded from the Cloud Helper Server If you select another partition or the local firmware upgrade icon you will see the following warning message When firm...

Page 991: ...rwise the changes are lost when you reboot If you want the Standby firmware to be the Running firmware then select the Standby firmware row and click Reboot Wait a few minutes until the login screen appears If the login screen does not appear clear your browser cache and refresh the screen or type the IP address of the Zyxel Device in your Web browser again You can also use the CLI command reboot ...

Page 992: ... cloud firmware Latest Version This displays the latest firmware version at the Cloud Helper Server Click Check Now to see if there is a later firmware at the Cloud Server Release Date This displays the date the latest firmware version was made available Release Note The release note contains details of latest firmware version such as new features and bug fixes Auto Update Select this check box to...

Page 993: ...firmware on the USB stick is older then the Zyxel Device will upgrade to the older version It is recommended that the firmware on the USB stick be the latest firmware version 3 Insert the USB stick into the Zyxel Device The firmware uploads to the standby system space 4 The SYS LED blinks when the Zyxel Device automatically reboots making the upgraded firmware in standby become the running firmwar...

Page 994: ...l script file on the Zyxel Device You cannot rename a shell script to the name of another shell script in the Zyxel Device Click a shell script s row to select it and click Rename to open the Rename File screen Figure 708 Maintenance File Manager Shell Script Rename Specify the new name for the shell script file Use up to 63 characters including a zA Z0 9 _ Click OK to save the duplicate or click ...

Page 995: ...wait awhile for the Zyxel Device to finish applying the commands This column displays the number for each shell script file entry File Name This column displays the label that identifies a shell script file Size This column displays the size in KB of a shell script file Last Modified This column displays the date and time that the individual shell script files were last changed or saved Upload She...

Page 996: ...stored on a connected USB storage device on the Zyxel Device Use the Remote Assistance screens see Section 47 6 on page 1009 to configure and schedule external access to the Zyxel Device for troubleshooting Use the Network Tool screen see Section 47 7 on page 1010 to ping an IP address or trace the route packets take to a host Use the Routing Traces screens see Section 47 8 on page 1013 to configu...

Page 997: ...e name of up to 25 characters including a z A Z 0 9 and _ Spaces are allowed Click Maintenance Diagnostics Collect to open the Collect screen Figure 710 Maintenance Diagnostics Collect The following table describes the labels in this screen debug interface ifconfig debug interface show event_sink debug interface show interface_obj debug switch table debug switch port_groupping show ping check stat...

Page 998: ...files They must use a zysh filename extension Specify the new name for the shell script file Use up to 25 characters including a z A Z 0 9 and _ Spaces are allowed Copy the diagnostic file to USB storage if ready Select this to have the Zyxel Device create an extra copy of the diagnostic file to a connected USB storage device Select Upload the cmd file as the customized script to display the follo...

Page 999: ... containing their configuration Select any managed APs that you want to prevent the Zyxel Device from generating a diagnostic file for them and click the left arrow button to remove them Copy the diagnostic file to USB storage if ready Select this to have the Zyxel Device create an extra copy of the diagnostic file to a connected USB storage device Apply Click Apply to save your changes Collect No...

Page 1000: ...apture to open the packet capture screen Note New capture files overwrite existing files of the same name Change the File Suffix field s setting to avoid this Figure 713 Maintenance Diagnostics Packet Capture File Name This column displays the label that identifies the file Size This column displays the size in bytes of a file Last Modified This column displays the date and time that the individua...

Page 1001: ...e Zyxel Device allows this Status Unused the connected USB storage device was manually unmounted by using the Remove Now button or for some reason the Zyxel Device cannot mount it none no USB storage device is connected service deactivated USB storage feature is disabled in Configuration System USB Storage so the Zyxel Device cannot use a connected USB device to store system logs and other diagnos...

Page 1002: ...rver available xx MB Select this to have the Zyxel Device store packet capture entries on the defined FTP site The available storage size is displayed as well Server Address Type the IP address of the FTP server Server Port Type the port this server uses for FTP traffic The default FTP port is 21 Name Type the login username to access the FTP server Password Type the associated login password to a...

Page 1003: ...r configuration and storage size available for the selected AP in the screen Note You need to use the Query button before packet capturing on an AP if the AP has rebooted or the applied AP profile settings have been changed Capture Status This shows Standby when the Zyxel Device is ready to or have finished capturing network traffic going through the selected AP s interface s This shows Preparing ...

Page 1004: ...his size larger or delete existing capture files The valid range depends on the available on board USB storage size The Zyxel Device stops the capture and generates the capture file when either the file reaches this size or the time period specified in the Duration field expires Split threshold Specify a maximum size limit in megabytes for individual packet capture files After a packet capture fil...

Page 1005: ...ave data to ftp server available xx MB Select this to have the Zyxel Device store packet capture entries on the defined FTP site The available storage size is displayed as well Server Address Type the IP address of the FTP server Server Port Type the port this server uses for FTP traffic The default FTP port is 21 Name Type the login username to access the FTP server Password Type the associated l...

Page 1006: ... the Zyxel Device or the connected USB storage device Use the Shift and or Ctrl key to select multiple files A pop up window asks you to confirm that you want to delete Download Click a file to select it and click Download to save it to your computer This column displays the number for each packet capture file entry The total number of packet capture files that you can save depends on the file siz...

Page 1007: ... n is the number of the CPU as a percentage of total processing power Network Traffic This field displays the current percentage of network traffic through the Zyxel Device This field is a sequential value and it is not associated with any entry CPU This field displays the current CPU utilization percentage for each application used on the Zyxel Device Application This field displays the name of t...

Page 1008: ...xel Device Application This field displays the name of the application consuming the related memory on the Zyxel Device CPU This field displays the current CPU utilization percentage for each application used on the Zyxel Device Time This field displays each application s running time Refresh Click this to update the information in this screen Table 409 Maintenance Diagnostics CPU Memory Status LA...

Page 1009: ...istance screen Use this screen to configure and schedule external access to the Zyxel Device for troubleshooting You can also specify the port numbers the services must use to connect to the Zyxel Device Remote assistance is disabled by default Figure 718 Maintenance Diagnostics Remote Assistance Random Figure 719 Maintenance Diagnostics Remote Assistance Manual ...

Page 1010: ...entifies who can have external access to the Zyxel Device for troubleshooting Password Type a password for the selected user group to allow external access SSH Port This field displays the SSH port number for external access It should be the same port number as the one configured in System SSH HTTPS Port This field displays the HTTPS port number for external access It should be the same port numbe...

Page 1011: ...Chapter 47 Diagnostics ZyWALL USG Series User s Guide 1011 Figure 720 Maintenance Diagnostics Network Tool ...

Page 1012: ...fied computer Select Test Email Server to test access to an SMTP email server Domain Name or IP Address Type the IP address that you want to use to for the selected network tool Advance Click this to display the following fields Query Server Enter the IP address of a server to which the Zyxel Device sends queries for NSLOOKUP Interface Select the interface through which the Zyxel Device sends quer...

Page 1013: ...the mail server uses SSL or TLS for encrypted communications between the mail server and the Zyxel Device Authenticate Server Select this if the Zyxel Device authenticates the mail server in the TLS handshake Mail From Type the e mail address from which the outgoing e mail is delivered This address is used in replies Mail To Type the e mail address to which the outgoing e mail is delivered SMTP Au...

Page 1014: ...P address of a specific source or destination host whose traffic you want to trace Port Enter the port number for particular source traffic on the host that you want to trace Protocol Select the protocol of traffic that you want to trace any means any protocol Interval Enter a time interval in seconds for renewing a route trace The default time interval is 5 seconds Capture Click this button to ha...

Page 1015: ...he monitor mode configured APs selected to for wireless frame capture Misc Setting File Size Specify a maximum size limit in kilobytes for the total combined size of all the capture files on the Zyxel Device including any existing capture files and any new capture files you generate Note If you have existing capture files you may need to set this size larger or delete existing capture files The va...

Page 1016: ...depends on the file sizes and the available flash storage space Once the flash storage space is full adding more frame captures will fail Stop Click this button to stop a currently running frame capture and generate a combined capture file for all APs Reset Click this button to return the screen to its last saved settings Table 414 Maintenance Diagnostics Wireless Frame Capture Capture continued L...

Page 1017: ...h SNAT function s settings 48 2 The Routing Status Screen The Routing Status screen allows you to view the current routing flow and quickly link to specific routing settings Click a function box in the Routing Flow section the related routes activated will display in the Routing Table section To access this screen click Maintenance Packet Flow Explore Routing Status The order of the routing flow m...

Page 1018: ...USG Series User s Guide 1018 Figure 725 Maintenance Packet Flow Explore Routing Status Direct Route Figure 726 Maintenance Packet Flow Explore Routing Status Dynamic VPN Figure 727 Maintenance Packet Flow Explore Routing Status Policy Route ...

Page 1019: ...Series User s Guide 1019 Figure 728 Maintenance Packet Flow Explore Routing Status 1 1 SNAT Figure 729 Maintenance Packet Flow Explore Routing Status SiteToSite VPN Figure 730 Maintenance Packet Flow Explore Routing Status Static Dynamic Route ...

Page 1020: ...lay the related settings in the Routing Table section Routing Table This section shows the corresponding settings according to the function box you click in the Routing Flow section The following fields are available if you click Direct Route Static Dynamic Route or Main Route in the Routing Flow section This field is a sequential value and it is not associated with any entry Destination This is t...

Page 1021: ...xt hop to which packets are directed Next Hop Info This is the main route if the next hop type is Auto This is the interface name and gateway IP address if the next hop type is Interface GW This is the tunnel name if the next hop type is VPN Tunnel This is the trunk name if the next hop type is Trunk The following fields are available if you click 1 1 SNAT in the Routing Flow section This field is...

Page 1022: ...terface Trunk screen use policy routes to control 1 1 NAT by using the policy control virtual server rules activate command Note Once a packet matches the criteria of an SNAT rule the Zyxel Device takes the corresponding action and does not perform any further flow checking Figure 733 Maintenance Packet Flow Explore SNAT Status Policy Route SNAT Figure 734 Maintenance Packet Flow Explore SNAT Stat...

Page 1023: ...sequential value and it is not associated with any entry PR This is the number of an activated policy route which uses SNAT Outgoing This is the outgoing interface that the route uses to transmit packets SNAT This is the source IP address es that the SNAT rule uses finally The following fields are available if you click 1 1 SNAT in the SNAT Flow section This field is a sequential value and it is n...

Page 1024: ...ss for the matched packets it sends out through this rule The following fields are available if you click Default SNAT in the SNAT Flow section This field is a sequential value and it is not associated with any entry Incoming This indicates internal interface s on which the packets are received Outgoing This indicates external interface s from which the packets are transmitted SNAT This indicates ...

Page 1025: ...ing so can cause the firmware to become corrupt 49 1 1 What You Need To Know Shutdown writes all cached data to the local storage and stops the system processes 49 2 The Shutdown Screen To access this screen click Maintenance Shutdown Figure 737 Maintenance Shutdown Click the Shutdown button to shut down the Zyxel Device Wait for the device to shut down before you manually turn off or remove the p...

Page 1026: ...sories and then Command Prompt In the Command Prompt window type ping followed by the Zyxel Device s LAN IP address 192 168 1 1 is the default and then press ENTER The Zyxel Device should reply If you ve forgotten the Zyxel Device s password use the RESET button Press the button in for about 5 seconds or until the SYS LED starts to blink then release it It returns the Zyxel Device to the factory d...

Page 1027: ...d to the Internet Make sure you select Enable Content Filter Category Service when you add a filter profile in the Content Filter Profile Add Filter Profile Category Service screen I configured security settings but the Zyxel Device is not applying them for certain interfaces Many security settings are usually applied to zones Make sure you assign the interfaces to the appropriate zones When you c...

Page 1028: ...ot set up a PPP interface virtual Ethernet interface or virtual VLAN interface if the underlying interface is a member of a bridge You also cannot add an Ethernet interface or VLAN interface to a bridge if the member interface has a virtual interface or PPP interface on top of it My rules and settings that apply to a particular interface no longer work The interface s IP address may have changed T...

Page 1029: ...ecommended The wireless security is not following the re authentication timer setting I specified If a RADIUS server authenticates wireless stations the re authentication timer on the RADIUS server has priority Change the RADIUS server s configuration if you need to use a different re authentication timer setting I cannot configure a particular VLAN interface on top of an Ethernet interface even t...

Page 1030: ...the Configuration UTM Profile Anti Virus Profile Profile Management Add screen to modify infected files before forwarding to the user preventing them from being executed I added a file pattern in the anti virus white list but the Zyxel Device still checks and modifies files that match this pattern Make sure you select the Check White List check box above the white list table If it is already selec...

Page 1031: ...res are gone The name of the complete custom signature file on the Zyxel Device is custom rules If you import a file named custom rules then all custom signatures on the Zyxel Device are overwritten with the new file If this is not your intention make sure that the files you import are not named custom rules I cannot configure some items in IDP that I can configure in Snort Not all Snort functiona...

Page 1032: ...s setting to Auto if the interface has a dynamic IP address or there are one or more NAT routers between the Zyxel Device and the DDNS server The Zyxel Device may not determine the proper IP address if there is an HTTP proxy server between the Zyxel Device and the DDNS server I cannot create a second HTTP redirect rule for an incoming interface You can configure up to one HTTP redirect rule for ea...

Page 1033: ...od to establish the IKE SA Both routers must use the same negotiation mode Both routers must use the same encryption algorithm authentication algorithm and DH key group When using pre shared keys the Zyxel Device and the remote IPSec router must use the same pre shared key The Zyxel Device s local and peer ID type and content must match the remote IPSec router s peer and local ID type and content ...

Page 1034: ...te The trusted certificate can be the remote IPSec router s self signed certificate or that of a trusted CA that signed the remote IPSec router s certificate Multiple SAs connecting through a secure gateway must have the same negotiation mode The VPN connection is up but VPN traffic cannot be transmitted through the VPN tunnel If you have the Configuration VPN IPSec VPN VPN Connection screen s Use...

Page 1035: ...If you want to use a service make sure the security policy allows UTM application patrol to go through the Zyxel Device I configured policy routes to manage the bandwidth of TCP and UDP traffic but the bandwidth management is not being applied properly It is recommended to use application patrol instead of policy routes to manage the bandwidth of TCP and UDP traffic I cannot get the RADIUS server ...

Page 1036: ...rs and numerals to convert a binary X 509 certificate into a printable form Binary PKCS 7 This is a standard that defines the general syntax for data including digital signatures that may be encrypted A PKCS 7 file is used to transfer a public key certificate The private key is not included The Zyxel Device currently allows the importation of a PKS 7 file that contains a single certificate PEM Bas...

Page 1037: ...e first The commands in my configuration file or shell script are not working properly In a configuration file or shell script use or as the first character of a command line to have the Zyxel Device treat the line as a comment Your configuration files or shell scripts can use exit or a command line consisting of a single to have the Zyxel Device exit sub command mode Include write commands in you...

Page 1038: ...uReporter Banner on page 600 for more information 50 1 Resetting the Zyxel Device If you cannot access the Zyxel Device by any method try restarting it by turning the power off and then on again If you still cannot access the Zyxel Device by any method or you forget the administrator password s you can reset the Zyxel Device to its factory default settings Any configuration files or shell scripts ...

Page 1039: ...Chapter 50 Troubleshooting ZyWALL USG Series User s Guide 1039 50 2 Getting More Troubleshooting Help Search for support information for your model at www zyxel com for more troubleshooting suggestions ...

Page 1040: ...t information Please have the following information ready when you contact an office Required Information Product model and serial number Warranty Information Date that you received your device Brief description of the problem and the steps you took to solve it Corporate Headquarters Worldwide Taiwan Zyxel Communications Corporation http www zyxel com Asia China Zyxel Communications Shanghai Corp ...

Page 1041: ...l com pk Philippines Zyxel Philippines http www zyxel com ph Singapore Zyxel Singapore Pte Ltd http www zyxel com sg Taiwan Zyxel Communications Corporation http www zyxel com tw zh Thailand Zyxel Thailand Co Ltd http www zyxel co th Vietnam Zyxel Communications Corporation Vietnam Office http www zyxel com vn vi Europe Austria Zyxel Deutschland GmbH http www zyxel de Belarus Zyxel BY http www zyx...

Page 1042: ...bg Czech Republic Zyxel Communications Czech s r o http www zyxel cz Denmark Zyxel Communications A S http www zyxel dk Estonia Zyxel Estonia http www zyxel com ee et Finland Zyxel Communications http www zyxel fi France Zyxel France http www zyxel fr Germany Zyxel Deutschland GmbH http www zyxel de Hungary Zyxel Hungary SEE http www zyxel hu Italy Zyxel Communications Italy http www zyxel it ...

Page 1043: ...Benelux http www zyxel nl Norway Zyxel Communications http www zyxel no Poland Zyxel Communications Poland http www zyxel pl Romania Zyxel Romania http www zyxel com ro ro Russia Zyxel Russia http www zyxel ru Slovakia Zyxel Communications Czech s r o organizacna zlozka http www zyxel sk Spain Zyxel Communications ES Ltd http www zyxel es Sweden Zyxel Communications http www zyxel se Switzerland S...

Page 1044: ... Ukraine http www ua zyxel com Latin America Argentina Zyxel Communication Corporation http www zyxel com ec es Brazil Zyxel Communications Brasil Ltda https www zyxel com br pt Ecuador Zyxel Communication Corporation http www zyxel com ec es Middle East Israel Zyxel Communication Corporation http il zyxel com homepage shtml Middle East Zyxel Communication Corporation http www zyxel com me en ...

Page 1045: ...s User s Guide 1045 North America USA Zyxel Communications Inc North America Headquarters http www zyxel com us en Oceania Australia Zyxel Communications Corporation http www zyxel com au en Africa South Africa Nology Pty Ltd http www zyxel co za ...

Page 1046: ...ations in which this service is used Table 418 Commonly Used Services NAME PROTOCOL PORT S DESCRIPTION AH IPSEC_TUNNEL User Defined 51 The IPSEC AH Authentication Header tunneling protocol uses this service AIM New ICQ TCP 5190 AOL s Internet Messenger service It is also used as a listening port by ICQ AUTH TCP 113 Authentication protocol used by some servers BGP TCP 179 Border Gateway Protocol BO...

Page 1047: ...that sends out ICMP echo requests to test whether or not a remote host is reachable POP3 TCP 110 Post Office Protocol version 3 lets a client computer get e mail from a POP3 server through a temporary connection TCP IP or other PPTP TCP 1723 Point to Point Tunneling Protocol enables secure transfer of data over public networks This is the control channel PPTP_TUNNEL GRE User Defined 47 PPTP Point ...

Page 1048: ...CACS UDP 49 Login Host Protocol used for Terminal Access Controller Access Control System TELNET TCP 23 Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments It operates over TCP IP networks Its primary function is to allow users to log into remote host systems TFTP UDP 69 Trivial File Transfer Protocol is an Internet file transfer protocol similar to ...

Page 1049: ... Number 500 500 500 500 500 500 500 2 000 2 000 5000 5000 10000 Max Session Limit per Host Rules 1000 1000 1000 1000 1000 1000 1000 1 000 1 000 1000 1000 1000 ADP Max ADP Profile Number 8 8 8 8 8 8 8 16 16 16 16 32 Max ADP Rule Number 32 32 32 32 32 32 32 32 32 32 32 32 Application Patrol Max AppPatrol Profile 32 32 32 32 32 32 32 64 64 64 64 64 Max Application Object in Each Orofile object object...

Page 1050: ...ethernet vlan brg ethernet vlan brg ethernet vlan brg ethernet vlan brg ethernet vlan brg ethernet Max DHCP Host Pool Static DHCP 64 64 96 96 256 256 256 512 512 1024 1024 1024 Max DHCP Extended Options 10 10 10 10 15 15 15 30 30 30 30 30 Max DDNS Profiles 5 5 10 10 10 10 10 10 10 10 10 10 DHCP Relay 2 per interface 2 per interface 2 per interface 2 per interface 2 per interface 2 per interface 2 ...

Page 1051: ...32 32 32 32 32 Max MAC Entry Per MAC Filter Profile 512 512 512 512 512 512 512 512 512 512 512 512 Zymesh 32 32 32 32 32 32 32 32 32 32 32 32 BWM Maximum BWM Rule Number 128 128 128 128 256 256 256 512 512 1024 1024 1024 BWM Per Source IP Max 256 256 256 256 1024 1024 1024 1024 1024 2048 2048 2048 SIP Maximum SIP Concurrent Call 50 50 50 50 100 100 100 100 100 200 200 200 Custom Web Portal Page M...

Page 1052: ...x User In One User Group 1024 64 64 1024 Default Concurrent Device Login 2000 64 64 2000 Max Concurrent Device Upgrade License 5000 Extend by license n a n a 5000 Extend by license HTTPd Max HTTPd Number 2048 128 128 2048 Objects Address Object 4000 300 300 4000 Address Group 400 25 25 400 Max Address Object In One Group 512 64 64 256 Service Object 1 500 200 200 1 000 Service Group 300 50 50 200 ...

Page 1053: ...L Inspection Profile 16 n a n a 16 Max Exclude List 256 n a n a 256 Content Filtering Max Number Of Content Filter Policies 256 16 16 256 Forbidden Domain Entry Number 512 per profile 256 per profiles 256 per profiles 512 per profiles Trusted Domain Entry Number 512 per profile 256 per profiles 256 per profiles 512 per profiles Keyword Blocking Number 256 per profile 128 per profiles 128 per profi...

Page 1054: ...M Per Source IP Max 2048 256 256 2048 SIP Maximum SIP Concurrent Call 200 50 50 200 Custom Web Portal Page Max Internal Web Portal Customize File 4 4 4 4 Upload Zip File Size Up to 2MB Up to 2MB Up to 2MB Up to 2MB Unzip File Size Up to 5MB Up to 5MB Up to 5MB Up to 5MB Hotspot Management Max Dynamic Account List 6000 n a n a 6000 Hotspot Support Yes n a n a Yes Walled Garden URL Base 50 n a n a 5...

Page 1055: ...e for compliance could void the user s authority to operate the equipment This device has been tested and found to comply with the limits for a Class A digital device pursuant to part 15 of the FCC Rules These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment This equipment generates uses and can radiate rad...

Page 1056: ... cette liste ou dont le gain est supérieur au gain maximal indiqué sont strictement interdits pour l exploitation de l émetteur Informations Antenne Lorsque la fonction sans fil 5G fonctionnant en 5150 5250 MHz and 5725 5850 MHz est activée pour ce produit il est nécessaire de porter une attention particulière aux choses suivantes Les dispositifs fonctionnant dans la bande 5150 5250 MHz sont réser...

Page 1057: ... el equipo cumple con los requisitos esenciales y cualesquiera otras disposiciones aplicables o exigibles de la Directiva 2014 53 UE Čeština Czech Zyxel tímto prohlašuje že tento zařízení je ve shodě se základními požadavky a dalšími příslušnými ustanoveními směrnice 2014 53 EU Dansk Danish Undertegnede Zyxel erklærer herved at følgende udstyr udstyr overholder de væsentlige krav og øvrige relevan...

Page 1058: ...jiet essenzjali u ma provvedimenti oħrajn relevanti li hemm fid Dirrettiva 2014 53 EU Nederlands Dutch Hierbij verklaart Zyxel dat het toestel uitrusting in overeenstemming is met de essentiële eisen en de andere relevante bepalingen van richtlijn 2014 53 EU Polski Polish Niniejszym Zyxel oświadcza że sprzęt jest zgodny z zasadniczymi wymogami oraz pozostałymi stosownymi postanowieniami Dyrektywy ...

Page 1059: ...rical and electronic device For detailed information about recycling of this product please contact your local city office your household waste disposal service or the store where you purchased the product Use ONLY power wires of the appropriate wire gauge for your device Connect it to a power supply of the correct voltage Fuse Warning Replace a fuse only with a fuse of the same type and rating Th...

Page 1060: ...roduit et ou sa batterie doivent être éliminés séparément des ordures ménagères Lorsque ce produit atteint sa fin de vie amenez le à un centre de recyclage Au moment de la mise au rebut la collecte séparée de votre produit et ou de sa batterie aidera à économiser les ressources naturelles et protéger l environnement et la santé humaine Il simbolo sotto significa che secondo i regolamenti locali il...

Page 1061: ...uld the product have indications of failure due to faulty workmanship and or materials Zyxel will at its discretion repair or replace the defective products or components without charge for either parts or labor and to whatever extent it shall deem necessary to restore the product or components to proper operating condition Any replacement will consist of a new or re manufactured functionally equi...

Page 1062: ... interference will not occur in a particular installation If this device does cause harmful interference to radio or television reception which is found by turning the device off and on the user is encouraged to try to correct the interference by one or more of the following measures Reorient or relocate the receiving antenna Increase the separation between the devices Connect the equipment to an ...

Page 1063: ...onctionnant dans la bande 5150 5250 MHz sont réservés uniquement pour une utilisation à l intérieur afin de réduire les risques de brouillage préjudiciable aux systèmes de satellites mobiles utilisant les mêmes canaux Pour les dispositifs munis d antennes amovibles le gain maximal d antenne permis pour les dispositifs utilisant la bande de 5 725 à 5 850 MHz doit être conforme à la limite de la p i...

Page 1064: ...Ausstattung in Übereinstimmung mit den grundlegenden Anforderungen und den übrigen einschlägigen Bestimmungen der Richtlinie 2014 53 EU befindet Eesti keel Estonian Käesolevaga kinnitab Zyxel seadme seadmed vastavust direktiivi 2014 53 EU põhinõuetele ja nimetatud direktiivist tulenevatele teistele asjakohastele sätetele Ελληνικά Greek ΜΕ ΤΗΝ ΠΑΡΟΥΣΑ Zyxel ΗΛΩΝΕΙ ΟΤΙ εξοπλισμός ΣΥΜΜΟΡΦΩΝΕΤΑΙ ΠΡΟΣ ...

Page 1065: ...in overeenstemming is met de essentiële eisen en de andere relevante bepalingen van richtlijn 2014 53 EU Polski Polish Niniejszym Zyxel oświadcza że sprzęt jest zgodny z zasadniczymi wymogami oraz pozostałymi stosownymi postanowieniami Dyrektywy 2014 53 EU Português Portuguese Zyxel declara que este equipamento está conforme com os requisitos essenciais e outras disposições da Directiva 2014 53 EU...

Page 1066: ...ements which are Network standby power consumption 8W and or Off mode power consumption 0 5W and or Standby mode power consumption 0 5W Wireless setting please refer to Wireless chapter for more detail European Union Disposal and Recycling Information The symbol below means that according to local regulations your product and or its battery shall be disposed of separately from domestic waste If th...

Page 1067: ...勿讓設備接觸水雨水高濕度污水腐蝕性的液體或其他水份灰塵及污物切勿接觸灰塵污物沙土食物或其他不合適的材料雷雨天氣時不要安裝使用或維修此設備有遭受電擊的風險切勿重摔或撞擊設備並勿使用不正確的電源變壓器若接上不正確的電源變壓器會有爆炸的風險請勿隨意更換產品內的電池如果更換不正確之電池型式會有爆炸的風險請依製造商說明書處理使用過之電池請將廢電池丟棄在適當的電器或電子設備回收處請勿將設備解體請勿阻礙設備的散熱孔空氣對流不足將會造成設備損害請插在正確的電壓供給插座如北美台灣電壓 110V AC 歐洲是 230V AC 假若電源變壓器或電源變壓器的纜線損壞請從插座拔除若您還繼續插電使用會有觸電死亡的風險請勿試圖修理電源變壓器或電源變壓器的纜線若有毀損請直接聯絡您購買的店家購買一個新的電源變壓器請勿將此設備安裝於室外此設備僅適合放置於...

Page 1068: ...anty is the exclusive remedy of the purchaser This warranty is in lieu of all other warranties express or implied including any implied warranty of merchantability or fitness for a particular use or purpose Zyxel shall in no event be held liable for indirect or consequential damages of any kind to the purchaser To obtain the services of this warranty contact your vendor You may also refer to the w...

Page 1069: ...6 logging in 491 multiple logins 807 see also users 797 Web Configurator 808 access users see also force user authentication policies account user 797 902 accounting server 860 Active Directory see AD active protocol 637 AH 637 and encapsulation 637 ESP 637 active sessions 189 207 ActiveX 709 AD 861 863 864 866 directory structure 862 Distinguished Name see DN password 866 port 866 868 search time...

Page 1070: ...ack list 751 755 758 concurrent e mail sessions 256 753 DNSBL 752 756 763 e mail header buffer 752 e mail headers 752 excess e mail sessions 753 general settings 753 identifying legitimate e mail 751 identifying spam 751 log options 755 mail scan 756 mail sessions threshold 753 POP2 752 POP3 752 regular expressions 761 SMTP 752 status 257 white list 751 755 760 761 anti virus 145 739 alerts 744 bl...

Page 1071: ...ation policy exceptional services 493 Authentication server RADIUS client 954 authentication server 952 954 authentication type 155 896 Authentication Authorization Accounting servers see AAA server authorization server 860 Autonomous Systems AS 427 auxiliary interfaces 297 B backdoor attacks 722 backing up configuration files 984 bandwidth egress 344 353 ingress 344 353 bandwidth limit troublesho...

Page 1072: ...tion 878 verifying fingerprints 879 certification requests 885 certifications 1065 viewing 1061 1068 Challenge Handshake Authentication Protocol CHAP 896 CHAP Challenge Handshake Authentication Protocol 896 CHAP PAP 896 CLI 34 39 button 39 messages 39 popup window 39 Reference Guide 2 client 665 cluster ID 782 CNM ID 597 commands 34 sent by Web Configurator 39 Common Event Format CEF 967 976 compr...

Page 1073: ...e server 912 current user list 245 custom access user page 928 login page 928 custom signatures 726 729 1031 applying 735 example 733 verifying 735 custom rules file 729 1031 customer support 1040 1049 D Data Encryption Standard see DES date 908 daylight savings 910 DDNS 433 backup mail exchanger 438 mail exchanger 438 service providers 433 troubleshooting 1032 DDoS attacks 722 Dead Peer Detection...

Page 1074: ...404 DNSBL 752 756 763 see also anti spam 752 domain name 907 Domain Name System see DNS DoS Denial of Service attacks 722 DPD 625 DSA 885 DSCP 410 413 680 1021 DUID 301 Dynamic Domain Name System see DDNS dynamic guest 212 dynamic guest account 212 798 Dynamic Host Configuration Protocol see DHCP dynamic peers in IPSec 615 DynDNS 433 DynDNS see also DDNS 433 Dynu 433 E eBGP exterior Border Gate Pr...

Page 1075: ...37 flags 727 flash usage 188 forcing login 491 FQDN 916 fragmentation flag 731 fragmentation offset 731 free guest account 552 free time 552 configuration 552 enable 552 FTP 946 additional signaling port 458 ALG 453 and address groups 947 and address objects 947 and certificates 947 and zones 947 signaling port 458 troubleshooting 1032 with Transport Layer Security TLS 947 full tunnel mode 641 645...

Page 1076: ...er 589 720 721 773 reject both 589 720 721 773 reject receiver 589 720 721 773 service group 723 severity 720 signature ID 721 773 signatures 714 signatures and synchronization Device HA 790 Snort signatures 737 statistics 250 troubleshooting 1027 1031 troubleshooting signatures update 1027 updating signatures 270 verifying custom signatures 735 IEEE 802 1q VLAN IEEE 802 1q See VLAN IEEE 802 1x 81...

Page 1077: ...interfaces types 297 virtual see also virtual interfaces VLAN see also VLAN interfaces WLAN see also WLAN interfaces Internet access troubleshooting 1026 1035 Internet Control Message Protocol see ICMP Internet Explorer 35 Internet Message Access Protocol see IMAP 752 Internet Protocol IP 726 Internet Protocol Security see IPSec Internet Protocol version 6 see IPv6 Intrusion Detection and Preventi...

Page 1078: ...y 244 Security Parameter Index SPI manual keys 638 see also IPSec see also VPN source NAT for inbound traffic 639 source NAT for outbound traffic 639 status 244 transport mode 637 tunnel mode 637 when IKE SA is disconnected 637 IPSec VPN troubleshooting 1033 IPv6 299 link local address 300 prefix 299 prefix delegation 300 prefix length 299 stateless autoconfiguration 300 IPv6 tunnelings 6in4 tunne...

Page 1079: ...shooting 1037 log messages categories 971 973 977 979 980 debugging 260 regular 260 types of 260 log options 744 755 IDP 586 590 719 720 721 772 773 login custom page 928 SSL user 653 logo troubleshooting 1037 logo in SSL 647 logout SSL user 656 Web Configurator 39 logs and security policy 581 e mail profiles 966 e mailing log messages 264 970 formats 967 log consolidation 972 settings 966 syslog ...

Page 1080: ...terfaces 443 and policy routes 407 414 and security policy 576 and to ZyWALL security policy 445 and VoIP pass through 455 and VPN 635 loopback 445 port forwarding see NAT port translation see NAT traversal 636 NAT Port Mapping Protocol 460 NAT Traversal 460 NAT PMP 460 NBNS 322 365 379 387 404 645 NetBIOS Broadcast over IPSec 614 Name Server see NBNS NetBIOS Name Server see NBNS NetMeeting 459 se...

Page 1081: ...nspection signatures 715 718 scan 739 statistics 198 199 224 packet capture 1000 1002 files 999 1005 1006 1008 troubleshooting 1038 packet captures downloading files 999 1006 1008 padding 727 PAP Password Authentication Protocol 896 Password Authentication Protocol PAP 896 payload option 732 size 733 Peanut Hull 433 Peer to peer P2P 722 calls 455 managing 689 Perfect Forward Secrecy PFS 617 Diffie...

Page 1082: ...r firmware 540 printer list 540 printer management 540 problems 1026 profiles packet inspection 718 proxy servers 448 web see web proxy servers PTR record 917 Public Key Infrastructure PKI 878 public private key pairs 877 Q QoS 407 675 query view IDP 719 721 Quick Start Guide 2 R rack mounting 33 74 RADIUS 861 862 advantages 861 and IKE SA 636 and PPPoE 404 and users 798 user attributes 811 RADIUS...

Page 1083: ...hm RSA 885 round robin 395 routing troubleshooting 1031 Routing Information Protocol see RIP routing protocols 417 and Ethernet interfaces 304 RSA 885 887 893 RSSI threshold 817 RTLS 292 RTP 459 see also ALG 459 S same IP 732 scan attacks 722 scanner types 750 schedule troubleshooting 1036 schedules 855 and content filtering 695 696 and current date time 855 and policy routes 413 679 683 and secur...

Page 1084: ...session limits 575 590 session monitor L2TP VPN 246 sessions 207 sessions usage 189 severity IDP 717 720 SHA1 633 shell script troubleshooting 1037 shell scripts 982 and users 811 downloading 994 editing 993 how applied 983 managing 994 syntax 983 uploading 995 Short Message Service 956 shutdown 1025 signal quality 216 217 signature categories access control 722 backdoor Trojan 722 buffer overflow...

Page 1085: ...nt virtual desktop logo 647 computer names 645 connection monitor 245 full tunnel mode 645 global setting 646 IP pool 645 network list 646 remote user login 653 remote user logout 656 SecuExtender 665 see also SSL VPN 641 troubleshooting 1034 user application screens 656 662 user file sharing 657 user screen bookmarks 655 user screens 652 655 user screens access methods 652 user screens certificat...

Page 1086: ...bers 851 window size 732 Telnet 945 and address groups 946 and address objects 946 and zones 946 with SSH 943 throughput rate troubleshooting 1037 TightVNC 898 time 908 time servers default 911 time to live 727 timestamp 727 to Device security policy and remote management 574 global rules 574 see also security policy 574 token 861 to ZyWALL security policy and NAT 445 and NAT traversal VPN 1034 an...

Page 1087: ... interfaces 399 400 see also load balancing 394 Trusted Certificates see also certificates 889 tunnel encapsulation 616 Tunnel interfaces 297 U UDP 851 attack packet 589 720 721 773 messages 851 port numbers 851 UltraVNC 898 Universal Plug and Play 134 460 Application 460 security issues 461 unsolicited commercial e mail 148 573 751 updating anti virus signatures 269 IDP and application patrol sig...

Page 1088: ...797 groups see user groups Guest type 797 guest manager type 797 lease time 802 limited admin type 797 lockout 807 reauthentication time 803 types of 797 user type 797 user names 800 V Vantage Report VRPT 967 976 virtual interfaces 297 327 basic characteristics 297 not DHCP clients 402 types of 327 vs asymmetrical routes 575 vs triangle routes 575 Virtual Local Area Network see VLAN Virtual Local ...

Page 1089: ...robin for load balancing 396 weighted round robin algorithm 486 WEP Wired Equivalent Privacy 812 white list anti spam 751 755 760 761 Wi Fi Protected Access 812 Windows Internet Naming Service see WINS Windows Internet Naming Service see WINS Windows Remote Desktop 898 WINS 322 365 379 387 404 645 in L2TP VPN 672 WINS server 322 672 Wireshark 734 Wizard Setup 53 149 WLAN troubleshooting 1029 user ...

Page 1090: ...Index ZyWALL USG Series User s Guide 1090 Repeater 832 repeater 831 Root AP 832 root AP 831 security 834 SSID 834 WDS 831 ZyMesh profiles 833 ...

Reviews:

No comments

Related manuals for USG110

VigorPro 5510 Series

Brand: Draytek Pages: 316

FortiGate FortiGate-5001SX

Brand: Fortinet Pages: 36

Brand: BeyondTrust Pages: 18

Brand: ZyXEL Communications Pages: 64

Brand: ZyXEL Communications Pages: 102

FortiGate 1000A

Brand: Fortinet Pages: 412

Brand: PaloAlto Networks Pages: 2

Brand: tufin Pages: 22

Brand: St. Bernard Pages: 4

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands