ZyXEL Communications ZyWall USG20-VPN, User Manual

Page 1: ...ZyWALL USG Series USG20 VPN USG20W VPN VPN Firewalls Version 4 16 Edition 1 1 2016 Copyright 2016 ZyXEL Communications Corporation User s Guide Default Login Details LAN Port IP Address https 192 168 1 1 User Name admin Password 1234 ...

Page 2: ...uick Start Guide The Quick Start Guide shows how to connect the ZyWALL USG and access the Web Configurator wizards See the wizard real time help for information on configuring each screen It also contains a connection diagram and package contents list CLI Reference Guide The CLI Reference Guide explains how to use the Command Line Interface CLI to configure the ZyWALL USG Note It is recommended yo...

Page 3: ...9 2 1 4 Internet Access PPTP 41 2 1 5 Internet Access Setup Second WAN Interface 42 2 1 6 Internet Access Succeed 43 2 1 7 Wireless Settings SSID Security 43 2 1 8 Internet Access Device Registration 44 Chapter 3 Hardware Interfaces and Zones 45 3 1 Hardware Overview 45 3 1 1 Front Panels 45 3 1 2 Rear Panels 46 3 1 3 Wall mounting 47 3 2 Default Zones Interfaces and Ports 48 3 3 Stopping the USG ...

Page 4: ...N Settings for Configuration Provisioning Advanced Wizard Scenario 72 4 4 6 VPN Settings for Configuration Provisioning Advanced Wizard Phase 1 Settings 73 4 4 7 VPN Settings for Configuration Provisioning Advanced Wizard Phase 2 75 4 4 8 VPN Settings for Configuration Provisioning Advanced Wizard Summary 75 4 4 9 VPN Settings for Configuration Provisioning Advanced Wizard Finish 77 4 5 VPN Settin...

Page 5: ...tor Screen 109 6 6 IGMP Statistics 110 6 7 The DDNS Status Screen 111 6 8 IP MAC Binding 112 6 9 The Login Users Screen 112 6 10 Cellular Status Screen 113 6 11 The UPnP Port Status Screen 115 6 12 USB Storage Screen 116 6 13 Ethernet Neighbor Screen 117 6 14 Wireless 118 6 14 1 Wireless AP Information Radio List 118 6 14 2 Radio List More Information 120 6 14 3 Wireless Station Info 121 6 14 4 De...

Page 6: ...41 9 1 2 What You Need to Know 142 9 1 3 What You Need to Do First 146 9 2 Port Role Screen 146 9 3 Ethernet Summary Screen 147 9 3 1 Ethernet Edit 149 9 3 2 Object References 164 9 3 3 Add Edit DHCPv6 Request Release Options 165 9 3 4 Add Edit DHCP Extended Options 166 9 4 PPP Interfaces 167 9 4 1 PPP Interface Summary 168 9 4 2 PPP Interface Add or Edit 169 9 5 Cellular Configuration Screen 174 ...

Page 7: ...Edit Screen 231 10 3 IP Static Route Screen 236 10 3 1 Static Route Add Edit Screen 236 10 4 Policy Routing Technical Reference 238 10 5 Routing Protocols Overview 239 10 5 1 What You Need to Know 239 10 6 The RIP Screen 239 10 7 The OSPF Screen 241 10 7 1 Configuring the OSPF Screen 244 10 7 2 OSPF Area Add Edit Screen 245 10 7 3 Virtual Link Add Edit Screen 247 10 8 Routing Protocol Technical Re...

Page 8: ...Reference 272 Chapter 15 UPnP 274 15 1 UPnP and NAT PMP Overview 274 15 2 What You Need to Know 274 15 2 1 NAT Traversal 274 15 2 2 Cautions with UPnP and NAT PMP 275 15 3 UPnP Screen 275 15 4 Technical Reference 276 15 4 1 Turning on UPnP in Windows 7 Example 276 15 4 2 Using UPnP in Windows XP Example 278 15 4 3 Web Configurator Easy Access 280 Chapter 16 IP MAC Binding 283 16 1 IP MAC Binding O...

Page 9: ...n Screen 299 19 2 1 Creating Exceptional Services 302 19 2 2 Creating Editing an Authentication Policy 302 19 3 SSO Overview 303 19 4 SSO USG Configuration 305 19 4 1 Configuration Overview 305 19 4 2 Configure the USG to Communicate with SSO 305 19 4 3 Enable Web Authentication 306 19 4 4 Create a Security Policy 307 19 4 5 Configure User Information 308 19 4 6 Configure an Authentication Method ...

Page 10: ...it Screen 355 21 5 USG IPSec VPN Client Configuration Provisioning 356 21 6 IPSec VPN Background Information 358 Chapter 22 SSL VPN 368 22 1 Overview 368 22 1 1 What You Can Do in this Chapter 368 22 1 2 What You Need to Know 368 22 2 The SSL Access Privilege Screen 369 22 2 1 The SSL Access Privilege Policy Add Edit Screen 370 22 3 The SSL Global Setting Screen 373 22 3 1 How to Upload a Custom L...

Page 11: ...1 What You Can Do in this Chapter 396 25 1 2 What You Need to Know 396 25 2 L2TP VPN Screen 397 25 2 1 Example L2TP and USG Behind a NAT Router 399 Chapter 26 BWM Bandwidth Management 401 26 1 Overview 401 26 1 1 What You Can Do in this Chapter 401 26 1 2 What You Need to Know 401 26 2 The Bandwidth Management Screen 405 26 2 1 The Bandwidth Management Add Edit Screen 407 Chapter 27 Content Filter...

Page 12: ...ist Entries 445 28 6 The Anti Spam White List Screen 445 28 7 The DNSBL Screen 447 28 8 Anti Spam Technical Reference 449 Chapter 29 Object 453 29 1 Zones Overview 453 29 1 1 What You Need to Know 453 29 1 2 The Zone Screen 454 29 2 User Group Overview 455 29 2 1 What You Need To Know 456 29 2 2 User Group User Summary Screen 458 29 2 3 User Group Group Summary Screen 461 29 2 4 User Group Setting...

Page 13: ...ation Method Objects 512 29 10 Certificate Overview 514 29 10 1 What You Need to Know 514 29 10 2 Verifying a Certificate 516 29 10 3 The My Certificates Screen 517 29 10 4 The Trusted Certificates Screen 524 29 10 5 Certificates Technical Reference 529 29 11 ISP Account Overview 529 29 11 1 ISP Account Summary 529 29 12 SSL Application Overview 532 29 12 1 What You Need to Know 532 29 12 2 The SS...

Page 14: ...5 Service Control Rules 559 30 7 6 Customizing the WWW Login Page 560 30 7 7 HTTPS Example 563 30 8 SSH 570 30 8 1 How SSH Works 571 30 8 2 SSH Implementation on the USG 572 30 8 3 Requirements for Using SSH 572 30 8 4 Configuring SSH 572 30 8 5 Secure Telnet Using SSH Examples 573 30 9 Telnet 574 30 9 1 Configuring Telnet 574 30 10 FTP 576 30 10 1 Configuring FTP 576 30 11 SNMP 577 30 11 1 SNMPv3...

Page 15: ...Firmware Package Screen 611 32 4 The Shell Script Screen 613 Chapter 33 Diagnostics 616 33 1 Overview 616 33 1 1 What You Can Do in this Chapter 616 33 2 The Diagnostic Screen 616 33 2 1 The Diagnostics Files Screen 617 33 3 The Packet Capture Screen 618 33 3 1 The Packet Capture Files Screen 621 33 4 The Core Dump Screen 621 33 4 1 The Core Dump Files Screen 622 33 5 The System Log Screen 623 33 ...

Page 16: ...What You Need To Know 636 35 2 The Shutdown Screen 636 Chapter 36 Troubleshooting 637 36 1 Resetting the USG 645 36 2 Getting More Troubleshooting Help 646 Appendix A Customer Support 647 Appendix B Legal Information 653 Appendix C Product Features 662 Index 666 ...

Page 17: ...17 PART I User s Guide ...

Page 18: ...18 ...

Page 19: ...ace name mapping See Table 13 on page 49 for default interface zone mapping See the product s datasheet for detailed information on a specific model 1 1 1 Applications These are some USG application scenarios Security Router Security includes a Stateful Packet Inspection SPI firewall Content Filtering CF and Anti Spam AS Figure 1 Applications Security RouterApplications Security Router Table 1 USG...

Page 20: ...stem for strong two factor authentication for Web Configurator Web access SSL VPN and ZyXEL IPSec VPN client user logins Figure 3 Applications VPN Connectivity SSL VPN Network Access SSL VPN lets remote users use their web browsers for a very easy to use VPN solution A user just browses to the USG s web address and enters his user name and password to securely connect to the USG s network Here ful...

Page 21: ...access and can only access the Internet User C is not even logged in so and cannot access either the Internet or the file server Figure 5 Applications User Aware Access Control Load Balancing Set up multiple connections to the Internet on the same port or different ports including cellular interfaces In either case you can balance the traffic loads between them Figure 6 Applications Multiple WAN I...

Page 22: ...mands to configure the USG Access it using remote management for example SSH or Telnet or via the physical or Web Configurator console port See the Command Reference Guide for CLI details The default settings for the console port are FTP Use File Transfer Protocol for firmware upgrades and configuration backup restore SNMP The device can be monitored and or managed by an SNMP manager See Section 3...

Page 23: ...s 1024 x 768 pixels 1 3 1 Web Configurator Access 1 Make sure your USG hardware is properly connected See the Quick Start Guide 2 In your browser go to http 192 168 1 1 By default the USG automatically routes this request to its HTTPS server and it is recommended to keep this setting The Login screen appears 3 Type the user name default admin and password default 1234 If you have a OTP One Time Pa...

Page 24: ...and you later want to bring this screen back use these commands note the space before the underscore See the Command Line Interface CLI Reference Guide RG for details on all supported commands Router enable Router Router configure terminal Router config Router config service register _setremind after 10 days after 180 days after 30 days every time never Router config service register _setremind ev...

Page 25: ... appears after you click Apply If you click Ignore the Installation Setup Wizard opens if the USG is using its default configuration otherwise the dashboard appears 1 3 2 Web Configurator Screens Overview The Web Configurator screen is divided into these parts as illustrated on page 25 A title bar B navigation panel C main window Title Bar Figure 8 Title Bar A C B ...

Page 26: ...ormation about the USG Site Map Click this to see an overview of links to the Web Configurator screens Object Reference Click this to check which configuration items reference an object Console Click this to open a Java based console window from which you can run command line interface CLI commands You will be prompted to enter your user name and password See the Command Reference Guide for inform...

Page 27: ...e of object This table describes labels that can appear in this screen Table 5 Object References LABEL DESCRIPTION Object Name This identifies the object for which the configuration settings that use it are displayed Click the object s name to display the object s configuration screen in the main window This field is a sequential value and it is not associated with any entry Service This is the ty...

Page 28: ...figurator Open the pop up window and then click some menus in the web configurator to display the corresponding commands Priority If it is applicable this field lists the referencing configuration item s position in its list otherwise N A displays Name This field identifies the configuration item that references the object Description If the referencing configuration item has a description configu...

Page 29: ...ht edge of the navigation panel to hide the panel or drag to resize it The following sections introduce the USG s navigation panel menus and their screens Figure 14 Navigation Panel Dashboard The dashboard displays general device information system status system resource usage licensed service status and interface status in widgets that you can re arrange to suit your needs See the Web Help for de...

Page 30: ... Status Port Statistics Displays details about UPnP connections going through the USG USB Storage Storage Information Displays details about USB device connected to the USG Ethernet Neighbor Ethernet Neighbor View and manage the USG s neighboring devices via Smart Connect Layer Link Discovery Protocol LLDP Use the ZyXEL One Network ZON utility to view and manage the USG s neighboring devices via t...

Page 31: ...anage bridges and virtual bridge interfaces Trunk Create and manage trunks groups of interfaces for load balancing Routing Policy Route Create and manage routing policies Static Route Create and manage IP static routing information RIP Configure device level RIP settings OSPF Configure device level OSPF settings including areas and virtual links DDNS DDNS Define and manage the USG s DDNS domain na...

Page 32: ...egardless of content filtering policies Anti Spam Profile Turn anti spam on or off and manage anti spam policies Create anti spam template s of settings to apply to a traffic flow using a security policy Mail Scan Configure e mail scanning details Black White List Set up a black list to identify spam and a white list to identify legitimate e mail DNSBL Have the USG check e mail against DNS Black L...

Page 33: ... name for the USG USB Storage Settings Configure the settings for the connected USB devices Date Time Date Time Configure the current date time and time zone in the USG Console Speed Console Speed Set the console speed DNS DNS Configure the DNS server and address records for the USG WWW Service Control Configure HTTP HTTPS and general authentication Login Page Configure how the login and access us...

Page 34: ...rs or or searching for text Table 8 Maintenance Menu Screens Summary FOLDER OR LINK TAB FUNCTION File Manager Configuration File Manage and upload configuration files for the USG Firmware Package View the current firmware version and upload firmware Reboot with your choice of firmware Shell Script Manage and run shell script files for the USG Diagnostics Diagnostic Collect diagnostic information P...

Page 35: ...order A green check mark displays next to the column s title when you drag the column to a valid new location Figure 18 Moving Columns Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how many entries display at a time Figure 19 Navigating Pages of Table Entries The tables have icons for working with table entries You can often use the Shift...

Page 36: ... click Edit to open a screen where you can modify the entry s settings In some tables you can just click a table entry and edit it directly in the table For those types of tables small red triangles display for table entries with changes that you have not yet applied Remove To remove an entry select it and click Remove The USG confirms you want to remove it before doing so Activate To turn on an e...

Page 37: ...uide for background information Figure 22 Installation Setup Wizard Click the double arrow in the upper right corner to display or hide the help Click Go to Dashboard to skip the installation setup wizard or click Next to start configuring for Internet access 2 1 1 Internet Access Setup WAN Interface Use this screen to set how many WAN interfaces to configure and the first WAN interface s type of ...

Page 38: ...m your ISP WAN Interface This is the interface you are configuring for Internet access Zone This is the security zone to which this interface and Internet connection belong IP Address Assignment Select Auto if your ISP did not assign you a fixed IP address Select Static if the ISP assigned a fixed IP address 2 1 2 Internet Access Ethernet This screen is read only if you set the previous screen s I...

Page 39: ...ask Enter the subnet mask for this WAN connection s IP address Gateway IP Address Enter the IP address of the router through which this WAN connection will send traffic the default gateway First Second DNS Server These fields display if you selected static IP address assignment The Domain Name System DNS maps a domain name to an IP address and vice versa Enter a DNS server s IP address es The DNS ...

Page 40: ...only MSCHAP V2 Your USG accepts MSCHAP V2 only Type the User Name given to you by your ISP You can use alphanumeric and _ characters and it can be up to 31 characters long Type the Password associated with the user name Use up to 64 ASCII characters except the and This field can be blank Select Nailed Up if you do not want the connection to time out Otherwise type the Idle Timeout in seconds that ...

Page 41: ...he Internet access information exactly as given to you by your ISP Figure 26 Internet Access PPTP Encapsulation 2 1 4 1 ISP Parameters Authentication Type Select an authentication protocol for outgoing calls Options are CHAP PAP Your USG accepts either CHAP or PAP when requested by the remote node CHAP Your USG accepts CHAP only PAP Your USG accepts PAP only MSCHAP Your USG accepts MSCHAP only MSC...

Page 42: ...to which this interface and Internet connection will belong IP Address Enter your static public IP address Auto displays if you selected Auto as the IP Address Assignment in the previous screen First Second DNS Server These fields display if you selected static IP address assignment The Domain Name System DNS maps a domain name to an IP address and vice versa Enter a DNS server s IP address es The...

Page 43: ... 6 Internet Access Succeed This screen shows your Internet access settings that have been applied successfully Figure 28 Internet Access Succeed 2 1 7 Wireless Settings SSID Security Configure SSID and wireless security in this screen Figure 29 Wireless Settings SSID Security ...

Page 44: ...locking Select this option if you want to prevent crossover traffic from within the same SSID Wireless clients can still access the wired network but cannot communicate with each other For Built in Wireless AP Only Bridged to USGs with W in the model name have a built in AP Select an interface to bridge with the built in AP wireless network Devices connected to this interface will then be in the s...

Page 45: ...table describes the LEDs Table 10 LED Descriptions LED COLOR STATUS DESCRIPTION PWR Off The USG is turned off Green On The USG is turned on Red On There is a hardware component failure Shut down the device wait for a few minutes and then restart the device see Section 3 1 3 on page 47 If the LED turns red again then please contact your vendor SYS Green Off The USG is not ready or has failed On The...

Page 46: ...ving packets P1 P2 Green Off There is no traffic on this port On This port has a successful 10 100 Mbps connection Blinking The USG is sending or receiving packets on this port with a 10 100 Mbps connection Yellow Off There is no connection on this port On This port has a successful 1000 Mbps connection Blinking The device is sending or receiving packets on this port with a 1000 Mbps connection Ta...

Page 47: ...e Make sure the screws are securely fixed to the wall and strong enough to hold the weight of the USG with the connection cables 3 Use the holes on the bottom of the USG to hang the USG on the screws Wall mount the USG horizontally The USG s side panels with ventilation slots should not be facing up or down as this position is less safe WAN LAN DMZ Gigabit SFP Ethernet Port P1 You have to install ...

Page 48: ...ces may be generic rather than the specific name used in your model For example this guide may use the WAN interface rather than wan1 or wan2 The following table shows the default physical port and interface mapping for each model at the time of writing Screw Specifications Table 12 Default Physical Port Interface Mapping PORT INTERFACE P1 P2 P3 P4 P5 P6 USG20 VPN sfp wan lan1 lan1 lan1 lan1 USG20...

Page 49: ...of writing 3 3 Stopping the USG Always use Maintenance Shutdown Shutdown or the shutdown command before you turn off the USG or remove the power Not doing so can cause the firmware to become corrupt Table 13 Default Zone Interface Mapping ZONE INTERFACE WAN LAN1 LAN2 DMZ USG20 VPN WAN WAN_PPP SFP SFP_PPP LAN1 LAN2 DMZ USG20W VPN WAN WAN_PPP SFP SFP_PPP LAN1 LAN2 DMZ ...

Page 50: ...terface Click this link to open a wizard to set up a WAN Internet connection This wizard creates matching ISP account settings in the USG if you use PPPoE or PPTP See Section 4 2 on page 51 VPN SETUP Use VPN Setup to configure a VPN Virtual Private Network rule for a secure connection to another computer or network Use VPN Settings for Configuration Provisioning to set up a VPN rule that can be re...

Page 51: ...uick Setup Click WAN Interface in the main Quick Setup screen to open the WAN Interface Quick Setup Wizard Welcome screen Use these screens to configure an interface to connect to the Internet Click Next Figure 37 WAN Interface Quick Setup Wizard 4 2 1 Choose an Ethernet Interface Select the Ethernet interface names vary by model that you want to configure for a WAN connection and click Next ...

Page 52: ... for a dial up connection according to the information from your ISP Figure 39 WAN Interface Setup Step 2 The screens vary depending on what encapsulation type you use Refer to information provided by your ISP to know what to enter in each field Leave a field blank if you don t have that information Note Enter the Internet access information exactly as your ISP gave it to you 4 2 3 Configure WAN I...

Page 53: ...fixed IP address Select Static if you have a fixed IP address and enter the IP address subnet mask gateway IP address optional and DNS server IP address es 4 2 4 ISP and WAN and ISP Connection Settings Use this screen to configure the ISP and WAN interface settings This screen is read only if you select Ethernet and set t the IP Address Assignment to AutoStatic If you set the IP Address Assignment...

Page 54: ...hentication protocol for outgoing calls Options are CHAP PAP Your USG accepts either CHAP or PAP when requested by this remote node CHAP Your USG accepts CHAP only PAP Your USG accepts PAP only MSCHAP Your USG accepts MSCHAP only MSCHAP V2 Your USG accepts MSCHAP V2 only User Name Type the user name given to you by your ISP You can use alphanumeric and _ characters and it can be up to 31 character...

Page 55: ...ng WAN Interface Setup WAN Interface This displays the identity of the interface you configure to connect with your ISP Zone This field displays to which security zone this interface and Internet connection will belong IP Address This field is read only when the WAN interface uses a dynamic IP address If your WAN interface uses a static IP address enter it in this field First DNS Server Second DNS...

Page 56: ...ddress of the PPTP server User Name This is the user name given to you by your ISP Nailed Up If No displays the connection will not time out Yes means the USG uses the idle timeout Idle Timeout This is how many seconds the connection can be idle before the router automatically disconnects from the PPPoE server 0 means no timeout Connection ID If you specified a connection ID it displays here WAN I...

Page 57: ...e VPN IPSec VPN VPN Connection screen VPN Settings configures a VPN tunnel for a secure connection to another computer or network VPN Settings for Configuration Provisioning sets up a VPN rule the USG IPSec VPN Client can retrieve Just enter a user name password and the IP address of the USG in the IPSec VPN Client to get the VPN settings automatically from the USG VPN Settings for L2TP VPN Settin...

Page 58: ... to connect to another ZLD based USG using a pre shared key Choose Advanced to change the default settings and or use certificates instead of a pre shared key to create a VPN rule to connect to another IPSec device Figure 46 VPN Setup Wizard Wizard Type 4 3 3 VPN Express Wizard Scenario Click the Express radio button as shown in Figure 46 on page 58 to display the following screen ...

Page 59: ... screen changes to match the scenario you select Site to site The remote IPSec device has a static IP address or a domain name This USG can initiate the VPN tunnel Site to site with Dynamic Peer The remote IPSec device has a dynamic IP address Only the remote IPSec device can initiate the VPN tunnel Remote Access Server Role Allow incoming connections from IPSec VPN clients The clients have dynami...

Page 60: ...acters Proceed a hexadecimal key with 0x You will receive a PYLD_MALFORMED payload malformed packet if the same pre shared key is not used on both ends Local Policy IP Mask Type the IP address of a computer on your network that can use the tunnel You can also specify a subnet This must match the remote IP address configured on the remote IPSec device Remote Policy IP Mask Any displays in this fiel...

Page 61: ...e remote IPSec device that can use the tunnel If this field displays Any only the remote IPSec device can initiate the VPN connection Copy and paste the Configuration for Secure Gateway commands into another ZLD based USG s command line interface to configure it to serve as the other end of this VPN tunnel You can also use a text editor to save these commands as a shell script file with a zysh fil...

Page 62: ...SG20 W VPN Series User s Guide 62 Figure 50 VPN Express Wizard Finish Click Close to exit the wizard 4 3 7 VPN Advanced Wizard Scenario Click the Advanced radio button as shown in Figure 46 on page 58 to display the following screen ...

Page 63: ...or a domain name This USG can initiate the VPN tunnel Site to site with Dynamic Peer The remote IPSec device has a dynamic IP address Only the remote IPSec device can initiate the VPN tunnel Remote Access Server Role Allow incoming connections from IPSec VPN clients The clients have dynamic IP addresses and are also known as dial in users Only the clients can initiate the VPN tunnel Remote Access ...

Page 64: ...secret key which can be used to encrypt and decrypt the message or to generate and verify a message authentication code The DES encryption algorithm uses a 56 bit key Triple DES 3DES is a variation on DES that uses a 168 bit key As a result 3DES is more secure than DES It also requires more processing power resulting in increased latency and decreased throughput AES128 uses a 128 bit key and is fa...

Page 65: ... security and SHA512 gives the highest security MD5 Message Digest 5 and SHA Secure Hash Algorithm are hash algorithms used to authenticate packet data The stronger the algorithm the slower it is SA Life Time Set how often the USG renegotiates the IKE SA A short SA life time increases security but renegotiation temporarily disconnects the VPN tunnel Perfect Forward Secrecy PFS Disabling PFS allows...

Page 66: ...g up the VPN tunnel Local Policy IP address and subnet mask of the computers on the network behind your USG that can use the tunnel Remote Policy IP address and subnet mask of the computers on the network behind the remote IPSec device that can use the tunnel Copy and paste the Configuration for Remote Gateway commands into another ZLD based USG s command line interface Click Save to save the VPN ...

Page 67: ...tion Provisioning Wizard Wizard Type Use VPN Settings for Configuration Provisioning to set up a VPN rule that can be retrieved with the USG IPSec VPN Client VPN rules for the USG IPSec VPN Client have certain restrictions They must not contain the following settings AH active protocol NULL encryption SHA512 authentication A subnet or range remote policy ...

Page 68: ...e shared key Choose Advanced to change the default settings and or use certificates instead of a pre shared key in the VPN rule Figure 56 VPN Settings for Configuration Provisioning Express Wizard Wizard Type 4 4 1 Configuration Provisioning Express Wizard VPN Settings Click the Express radio button as shown in the previous screen to display the following screen ...

Page 69: ...tion and VPN gateway You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Application Scenario Only the Remote Access Server Role is allowed in this wizard It allows incoming connections from the USG IPSec VPN Client 4 4 2 Configuration Provisioning VPN Express Wizard Configuration Click Next to continue the wizard...

Page 70: ...ters Proceed a hexadecimal key with 0x You will receive a PYLD_MALFORMED payload malformed packet if the same pre shared key is not used on both ends Local Policy IP Mask Type the IP address of a computer on your network You can also specify a subnet This must match the remote IP address configured on the remote IPSec device Remote Policy IP Mask Any displays in this field because it is not config...

Page 71: ...uters on the network behind your USG that can be accessed using the tunnel Remote Policy Any displays in this field because it is not configurable in this wizard The Configuration for Secure Gateway displays the configuration that the USG IPSec VPN Client will get from the USG Click Save to save the VPN rule 4 4 4 VPN Settings for Configuration Provisioning Express Wizard Finish Now the rule is co...

Page 72: ...PN for Configuration Provisioning Express Wizard Finish Click Close to exit the wizard 4 4 5 VPN Settings for Configuration Provisioning Advanced Wizard Scenario Click the Advanced radio button as shown in the screen shown in Figure 56 on page 68 to display the following screen ...

Page 73: ...st character cannot be a number This value is case sensitive Application Scenario Only the Remote Access Server Role is allowed in this wizard It allows incoming connections from the USG IPSec VPN Client Click Next to continue the wizard 4 4 6 VPN Settings for Configuration Provisioning Advanced Wizard Phase 1 Settings There are two phases to every IKE Internet Key Exchange negotiation phase 1 Aut...

Page 74: ...erify a message authentication code The DES encryption algorithm uses a 56 bit key Triple DES 3DES is a variation on DES that uses a 168 bit key As a result 3DES is more secure than DES It also requires more processing power resulting in increased latency and decreased throughput AES128 uses a 128 bit key and is faster than 3DES AES192 uses a 192 bit key and AES256 uses a 256 bit key Authenticatio...

Page 75: ...iates the IKE SA A short SA life time increases security but renegotiation temporarily disconnects the VPN tunnel Perfect Forward Secrecy PFS Disabling PFS allows faster IPSec setup but is less secure Select DH1 DH2 or DH5 to enable PFS DH5 is more secure than DH1 or DH2 although it may affect throughput DH1 refers to Diffie Hellman Group 1 a 768 bit random number DH2 refers to Diffie Hellman Grou...

Page 76: ...ssword Local Policy IP address and subnet mask of the computers on the network behind your USG that can use the tunnel Remote Policy Any displays in this field because it is not configurable in this wizard Phase 1 Negotiation Mode This displays Main or Aggressive Main encrypts the USG s and remote IPSec router s identities but takes more time to establish the IKE SA Aggressive is faster but does n...

Page 77: ...is displays ESP compatible with NAT or AH Encapsulation This displays Tunnel compatible with NAT or Transport Encryption Algorithm This displays the encryption method used The longer the key the higher the security the lower the throughput possibly DES uses a 56 bit key 3DES uses a 168 bit key AES128 uses a 128 bit key AES192 uses a 192 bit key AES256 uses a 256 bit key Null uses no encryption Aut...

Page 78: ...settings automatically from the USG Figure 65 VPN for Configuration Provisioning Advanced Wizard Finish Click Close to exit the wizard 4 5 VPN Settings for L2TP VPN Settings Wizard Use VPN Settings for L2TP VPN Settings to set up an L2TP VPN rule Click Configuration Quick Setup VPN Settings and select VPN Settings for L2TP VPN Settings to see the following screen ...

Page 79: ...ext to continue the wizard 4 5 1 L2TP VPN Settings Figure 67 VPN Settings for L2TP VPN Settings Wizard L2TP VPN Settings Rule Name Type the name used to identify this L2TP VPN connection and L2TP VPN gateway You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive ...

Page 80: ...Subnet from the pull down menu This IP address pool is used to assign to the L2TP VPN clients Starting IP Address Enter the starting IP address in the field End IP Address Enter the ending IP address in the field First DNS Server Optional Enter the first DNS server IP address in the field Leave the filed as 0 0 0 0 if you do not want to configure DNS servers If you do not configure a DNS server yo...

Page 81: ...rd Summary This is a read only summary of the L2TP VPN settings Figure 69 VPN Settings for L2TP VPN Settings Advanced Settings Wizard Summary Summary Rule Name Identifies the L2TP VPN connection and the L2TP VPN gateway Secure Gateway Any displays in this field because it is not configurable in this wizard It allows incoming connections from the L2TP VPN Client Pre Shared Key L2TP VPN tunnel passw...

Page 82: ...N Settings for L2TP VPN Setting Wizard Completed Figure 70 VPN Settings for L2TP VPN Settings Wizard Finish Now the rule is configured on the USG The L2TP VPN rule settings appear in the VPN L2TP VPN screen and also in the VPN IPSec VPN VPN Connection and VPN Gateway screen ...

Page 83: ... 91 Memory Usage Screen on page 92 Active Session Screen on page 93 Extension Slot Screen on page 94 Interface Status Summary Screen on page 94 Secured Service Status Screen on page 95 Content Filter Statistics Screen on page 96 Top 5 IPv4 IPv6 Security Policy Rules that Blocked Traffic Screen on page 97 Top 5 IPv4 IPv6 Security Policy Rules that Blocked Traffic Screen on page 97 Top 5 IPv4 IPv6 S...

Page 84: ...ting clearing the associated checkbox expand collapse widget B Click this to collapse a widget It then becomes a down arrow Click it again to enlarge the widget again Refresh time setting C Set the interval for refreshing the information displayed in the widget Refresh Now D Click this to update the widget s information immediately Close widget E Click this to close the widget Use Widget Setting t...

Page 85: ...wn The Ethernet interface does not have any physical ports associated with it or the Ethernet interface is enabled but not connected Speed Duplex The Ethernet interface is enabled and connected This field displays the port speed and duplex setting Full or Half The status for a WLAN card is none For cellular mobile broadband interfaces see Section 9 5 on page 174 for the status that can appear For ...

Page 86: ... number of this USG The serial number is used for device tracking and control MAC Address Range This field displays the MAC addresses used by the USG Each physical port has one MAC address The first MAC address is assigned to physical port 1 the second MAC address is assigned to physical port 2 and so on Firmware Version This field displays the version number and date of the firmware the USG is cu...

Page 87: ...rs who are currently logged in to the USG Boot Status This field displays details about the USG s startup state OK The USG started up successfully Firmware update OK A firmware update was successful Problematic configuration after firmware update The application of the configuration failed after a firmware upgrade System default configuration The USG successfully applied the system default configu...

Page 88: ...ddresses The following screen will show LABLE DESCRIPTION This field is a sequential value and it is not associated with a specific SA Name This field displays the name of the IPSec SA Encapsulation This field displays how the IPSec SA is encapsulated Algorithm This field displays the encryption and authentication algorithms used in the SA Refresh Interval Select how often you want this window to ...

Page 89: ...lays the name used to identify this device on the network the computer name The USG learns these from the DHCP client requests None shows here for a static DHCP entry MAC Address This field displays the MAC address to which the IP address is currently assigned or for which the IP address is reserved Click the column s heading cell to sort the table entries by MAC address Click the heading cell aga...

Page 90: ...ch user who is currently logged in to the USG Reauth Lease T This field displays the amount of reauthentication time remaining and the amount of lease time remaining for each user Type This field displays the way the user logged in to the USG IP address This field displays the IP address of the computer used to log in to the USG User Info This field displays the types of user accounts the USG uses...

Page 91: ...ry Usage This field displays what percentage of the USG s RAM is currently being used Hover your cursor over this field to display the Show Memory Usage icon that takes you to a chart of the USG s recent memory usage Flash Usage This field displays what percentage of the USG s onboard flash memory is currently being used USB Storage Usage This field shows how much storage in the USB device connect...

Page 92: ...emory RAM usage To access this screen click Memory Usage in the dashboard Figure 79 Dashboard Memory Usage screen Table 23 Dashboard CPU Usage LABEL DESCRIPTION The y axis represents the percentage of CPU usage The x axis shows the time period over which the CPU usage occurred Refresh Interval Enter how often you want this window to be automatically updated Refresh Now Click this to update the inf...

Page 93: ...ard Memory Usage screen LABEL DESCRIPTION The y axis represents the percentage of RAM usage The x axis shows the time period over which the RAM usage occurred Refresh Interval Enter how often you want this window to be automatically updated Refresh Now Click this to update the information in the window right away Table 25 Dashboard Active Sessions Show Active Session Sessions The y axis represents...

Page 94: ...PN users SEM DUAL accelerator for both VPN and UTM The SEM DUAL provides the benefits of the SEM VPN USB Flash Drive Indicates a connected USB storage device and the drive s storage capacity Status The status for an installed WLAN card is none For cellular mobile broadband interfaces see Section 6 10 on page 113 for the status that can appear For an installed SEM Security Extension Module card thi...

Page 95: ...ed For PPP interfaces Connected The PPP interface is connected Disconnected The PPP interface is not connected If the PPP interface is disabled it does not appear in the list For WLAN interfaces Up The WLAN interface is enabled Down The WLAN interface is disabled Zone This field displays the zone to which the interface is currently assigned IP Addr Netmask This field displays the current IP addres...

Page 96: ... s security services It will show these types of status Licensed Unlicensed Disabled or Enabled Name This field displays the name of security services supported by this model Status will show Licensed for Premium Service after you register the device at myZyXEL com You can then activate security service licenses such as Anti Spam Content Filter and so on Version This field displays the version num...

Page 97: ...his is the number of requested web pages that belong to the unsafe categories you have selected in the content filter screen Managed Web pages This is the number of requested web pages that belong to the managed categories you have selected in the content filter screen Table 29 Dashboard Content Filter Statistics LABEL DESCRIPTION Table 30 Dashboard Top 5 IPv4 IPv6 Security Policy Rules that Block...

Page 98: ...e log was created Priority This field displays the severity of the log Category This field displays the type of log generated Message This field displays the actual log message Source This field displays the source address if any in the packet that generated the log Destination This field displays the destination address if any in the packet that generated the log Source Interface This field displ...

Page 99: ...99 PART II Technical Reference ...

Page 100: ...100 ...

Page 101: ...to view the status of the USG s DDNS domain names Use the System Status IP MAC Binding screen Section 6 8 on page 112 to view a list of devices that have received an IP address from USG interfaces with IP MAC binding enabled Use the System Status Login Users screen Section 6 9 on page 112 to look at a list of the users currently logged into the USG Use the System Status Cellular Status screen Sect...

Page 102: ...ge 130 to see how many mail sessions the USG is currently checking and DNSBL statistics Use the Log screens Section 6 20 on page 131 to view the USG s current log messages You can change the way the log is displayed you can e mail the log and you can also clear the log in this screen 6 2 The Port Statistics Screen Use this screen to look at packet statistics for each Gigabit Ethernet port To acces...

Page 103: ...or Half TxPkts This field displays the number of packets transmitted from the USG on the physical port since it was last connected RxPkts This field displays the number of packets received by the USG on the physical port since it was last connected Collisions This field displays the number of collisions on the physical port since it was last connected Tx B s This field displays the transmission sp...

Page 104: ... the window right away Port Selection Select the number of the physical port for which you want to display graphics Switch to Grid View Click this to display the port statistics as a table bps The y axis represents the speed of transmission or reception time The x axis shows the time period over which the transmission or reception occurred TX This line represents traffic transmitted from the USG o...

Page 105: ...is not connected For virtual interfaces this field always displays Up If the virtual interface is disabled it does not appear in the list For VLAN and bridge interfaces this field always displays Up If the VLAN or bridge interface is disabled it does not appear in the list For PPP interfaces Connected The PPP interface is connected Disconnected The PPP interface is not connected If the PPP interfa...

Page 106: ...address uses to identify itself to the remote gateway The USG uses this as the source for the packets it tunnels to the remote gateway Remote Gateway Address This is the IP address or domain name of the remote gateway to which this interface tunnels traffic Mode This field displays the tunnel mode that you are using Interface Statistics This table provides packet statistics for each interface Refr...

Page 107: ...click the Refresh button to update it Apply Click Apply to save your changes back to the USG Reset Click Reset to return the screen to its last saved settings Statistics Interface Select the interface from which to collect information You can collect information from Ethernet VLAN bridge and PPPoE PPTP interfaces Sort By Select the type of report to display Choices are Host IP Address User display...

Page 108: ...field indicates whether the indicated protocol or service port is sending or receiving traffic Ingress traffic is coming into the router through the interface Egress traffic is going out from the router through the interface Amount This field displays how much traffic was sent or received from the indicated service port If the Direction is Ingress a red bar is displayed if the Direction is Egress ...

Page 109: ...tus Session Monitor LABEL DESCRIPTION View Select how you want the established sessions that passed through the USG to be displayed Choices are sessions by users display all active sessions grouped by user sessions by services display all active sessions grouped by service or protocol sessions by source IP display all active sessions grouped by source IP address sessions by destination IP display ...

Page 110: ...ngth of the active session in seconds Active Sessions This is the total number of established sessions that passed through the USG which matched the search criteria Show Select the number of active sessions displayed on each page You can use the arrow keys on the right to change pages This field is the rank of each record The names are sorted by the name of user in active session You can use the p...

Page 111: ...ys the host source IP information of the IGMP Incoming Interface This field displays the incoming interface that s connected on the IGMP Packet Count This field displays the packet size of the data being transferred Bytes This field displays the size of the data being transferred in Byes Outgoing Interface This field displays the outgoing interface that s connected on the IGMP Table 39 Monitor Sys...

Page 112: ...ting to resolve the IP address for the domain name Last Update Time This shows when the last attempt to resolve the IP address for the domain name occurred in year month day hour minute second format Table 39 Monitor System Status DDNS Status continued LABEL DESCRIPTION Table 40 Monitor System Status IP MAC Binding LABEL DESCRIPTION Interface Select a USG interface that has IP MAC binding enabled ...

Page 113: ... user name of each user who is currently logged in to the USG Reauth Lease T This field displays the amount of reauthentication time remaining and the amount of lease time remaining for each user Type This field displays the way the user logged in to the USG IP Address This field displays the IP address of the computer used to log in to the USG MAC This field displays the MAC address of the comput...

Page 114: ...broadband device SIM locked PUK the PUK is locked on the mobile broadband device s SIM card SIM locked PIN the PIN is locked on the mobile broadband device s SIM card Unlock PUK fail Your attempt to unlock a WCDMA mobile broadband device s PUK failed because you entered an incorrect PUK Unlock PIN fail Your attempt to unlock a WCDMA mobile broadband device s PIN failed because you entered an incor...

Page 115: ...the service provider s base station Table 42 Monitor System Status Cellular Status continued LABEL DESCRIPTION Table 43 Monitor System Status UPnP Port Status LABEL DESCRIPTION Remove Select an entry and click this button to remove it from the list This is the index number of the UPnP created NAT mapping rule entry Remote Host This field displays the source IP address on the WAN of inbound IP pack...

Page 116: ...ays the type of the client application on the LAN Description This field displays a text explanation of the NAT mapping rule Delete All Click this to remove all mapping rules from the NAT table Refresh Click this button to update the information in the screen Table 43 Monitor System Status UPnP Port Status continued LABEL DESCRIPTION Table 44 Monitor System Status USB Storage LABEL DESCRIPTION Dev...

Page 117: ...ces in the same network as the computer on which the ZON utility is installed Click Monitor System Status Ethernet Neighbor to see the following screen Figure 99 Monitor System Status Ethernet Neighbor Status Ready you can have the USG use the USB storage device Click Remove Now to stop the USG from using the USB storage device so you can remove it Unused the connected USB storage device was manua...

Page 118: ...are Version This field displays the firmware version of the discovered device Port Description This field displays the first internal port on the discovered device Internal is an interface type displayed in the Network Interface Ethernet Edit screen For example if P1 and P2 are WAN P3 to P5 are LAN and P6 is DMZ then USG will display P3 as the first internal interface port number For USGs that sup...

Page 119: ...n AP is set to this mode it cannot receive connections from wireless clients Profile This field displays the AP Profile for the Radio It displays n A for the radio profile not using an AP profile It displays default if using a default profile Frequency Band This field displays the WLAN frequency band using the IEEE 802 11 a b g n ac standard of 2 4 or 5 GHz Channel ID This field displays the WLAN ...

Page 120: ...ows you to view detailed information about a selected radio s SSID s wireless traffic and wireless clients for the preceding 24 hours To access this window select an entry and click the More Information button in the Radio List screen Figure 101 Monitor Wireless AP Information Radio List More Information ...

Page 121: ...affic information about the radio over the preceding 24 hours y axis This axis represents the amount of data moved across this radio per second x axis This axis represents the amount of time over which the data moved across this radio Station Count This graph displays information about all the wireless clients that have connected to the radio over the preceding 24 hours y axis The y axis represent...

Page 122: ...e station An 169 x x x IP address is a private IP address that means the station didn t get the IP address from a DHCP server Tx Rate This field displays the transmit data rate of the station Rx Rate This field displays the receive data rate of the station Tx This field displays the number of packets transmitted from the station Rx This field displays the number of packets received by the station ...

Page 123: ...PSec LABEL DESCRIPTION Name Type the name of a IPSec SA here and click Search to find it if it is associated You can use a keyword or regular expression Use up to 30 alphanumeric and _ characters See Section 6 15 1 on page 124 for more details Policy Type the IP address es or names of the local and remote policies for an IPSec SA and click Search to find it You can use a keyword or regular express...

Page 124: ...has to match if you do not use a question mark or asterisk 6 16 The SSL Screen The USG keeps track of the users who are currently logged into the VPN SSL client Click Monitor VPN Monitor SSL to display the user list Use this screen to do the following View a list of active SSL VPN connections Log out individual users and delete related session information Once a user logs out the corresponding ent...

Page 125: ...lue and it is not associated with a specific SSL User This field displays the account user name used to establish this SSL VPN connection Access This field displays the name of the SSL VPN application the user is accessing Login Address This field displays the IP address the user used to establish this SSL VPN connection Connected Time This field displays the time this connection was established I...

Page 126: ...stics Content Filter Hostname This field displays the name of the computer that has this L2TP VPN connection with the USG Assigned IP This field displays the IP address that the USG assigned for the remote user s computer to use within the L2TP VPN tunnel Public IP This field displays the public IP address that the remote user is using to connect to the Internet Table 52 Monitor VPN Monitor L2TP o...

Page 127: ...d web pages that the USG s content filtering service identified as posing a threat to users Managed Web Pages This is the number of requested web pages that the USG s content filtering service identified as belonging to a category that was selected to be managed Block Hit Summary Web Pages Warned by Category Service This is the number of web pages that matched an external database content filterin...

Page 128: ...ESCRIPTION Collect Statistics Select this check box to have the USG collect anti spam statistics The collection starting time displays after you click Apply All of the statistics in this screen are for the time period starting at the time displayed here The format is year month day and hour minute second All of the statistics are erased if you restart the USG or click Flush Data Collecting starts ...

Page 129: ... virus Virus Mails This is the number of e mails that the USG has determined to be attached with virus Query Timeout This is how many queries that were sent to the USG s configured list of DNSBL domains or Mail Scan services and did not receive a response in time Mail Sessions Forwarded This is how many e mail sessions the USG allowed because they exceeded the maximum number of e mail sessions tha...

Page 130: ...ton to update the information displayed on this screen Flush Click this button to clear the DNSBL statistics This also clears the concurrent mail session scanning bar s historical high Concurrent Mail Session Scanning The darker shaded part of the bar shows how much of the USG s total spam checking capability is currently being used The lighter shaded part of the bar and the pop up show the histor...

Page 131: ...cell to sort the table entries by that column s criteria Click the heading cell again to reverse the sort order The Web Configurator saves the filter settings if you leave the View Log screen and return to it later Avg Response Time sec This is the average for how long it takes to receive a reply from this service No Response This is how many queries the USG sent to this service without receiving ...

Page 132: ...as recorded Priority This displays when you show the filter Select the priority of log messages to display The log displays the log messages with this priority or higher Choices are any emerg alert crit error warn notice and info from highest priority to lowest priority This field is read only if the Category is Debug Log Category This field displays the log that generated the log message It is th...

Page 133: ...bove Source This field displays the source IP address and the port number in the event that generated the log message Destination This field displays the destination IP address and the port number of the event that generated the log message Note This field displays any additional information about the log message Table 56 Monitor Log View Log continued LABEL DESCRIPTION ...

Page 134: ...your USG and manage subscription services available for the USG To update signature files or use a subscription service you have to register the USG and activate the corresponding service at myZyXEL com through the USG Note You need to create a myZyXEL com account before you can register your device and activate the services at myZyXEL com You need your USG s serial number and LAN MAC address to r...

Page 135: ...s To activate or extend a standard service subscription purchase an iCard and enter the iCard s PIN number license key in this screen Click Configuration Licensing Registration Service to open the screen as shown next Figure 112 Configuration Licensing Registration Service The following table describes the labels in this screen Table 57 Configuration Licensing Registration Service LABEL DESCRIPTIO...

Page 136: ... field displays how many VPN tunnels you can use with your current license This field does not apply to the other services Service License Refresh Click this button to renew service license information such as the registration status and expiration day Table 57 Configuration Licensing Registration Service continued LABEL DESCRIPTION ...

Page 137: ...e 138 configures dynamic radio channel selection 8 1 2 What You Need to Know The following terms and concepts may help as you read this chapter Station Wireless Client A station or wireless client is any wireless capable device that can connect to an AP using a wireless signal Dynamic Channel Selection DCS Dynamic Channel Selection DCS is a feature that allows an AP to automatically select the rad...

Page 138: ... be determined if those APs are friendly or rogue If a radio is set to this mode it cannot receive connections from wireless clients Radio Profile Select the radio profile the radio uses Max Output Power Enter the output power between 0 to 30 dBm of the USG in this field If there is a high density of APs in an area decrease the output power of the USG to reduce interference with other APs Note Red...

Page 139: ...nd manually change the channel to one that no other AP is using or at least a channel that has a lower level of interference in order to give the connected stations a minimum degree of interference Dynamic channel selection frees the network administrator from this task by letting the AP do it automatically The AP can scan the area around it looking for the channel with the least amount of interfe...

Page 140: ...l Deployment However some regions require the use of other channels and often use a safety scheme with the following four channels 1 4 7 and 11 While they are situated sufficiently close to both each other and the three so called safe channels 1 6 and 11 that interference becomes inevitable the severity of it is dependent upon other factors proximity to the affected AP signal strength activity and...

Page 141: ...on 9 4 on page 167 for PPPoE or PPTP Internet connections Use the Cellular screens Section 9 5 on page 174 to configure settings for interfaces for Internet connections through an installed mobile broadband card Use the Tunnel screens Section 9 6 on page 183 to configure tunnel interfaces to be used in Generic Routing Encapsulation GRE IPv6 in IPv4 and 6to4 tunnels Use the VLAN screens Section 9 7...

Page 142: ...RIP and OSPF are also configured in these interfaces Tunnel interfaces send IPv4 or IPv6 packets from one network to a specific network through the Internet or a public network VLAN interfaces receive and send tagged frames The USG automatically adds or removes the tags as needed Each VLAN can only be associated with one Ethernet interface Bridge interfaces create a software connection between Eth...

Page 143: ...cify the number after the colon if you use the CLI to set up a virtual interface Relationships Between Interfaces In the USG interfaces are usually created on top of other interfaces Only Ethernet interfaces are created directly on top of the physical ports or port groups The relationships between interfaces are explained in the following table Table 60 Ethernet PPP Cellular VLAN Bridge and Virtua...

Page 144: ...tted So 2001 0db8 1a2b 0015 0000 0000 1a2f 0000 can be written as 2001 db8 1a2b 15 0 0 1a2f 0 Any number of consecutive blocks of zeros can be replaced by a double colon A double colon can only appear once in an IPv6 address So 2001 0db8 0000 0000 1a2f 0000 0000 0015 can be written as 2001 0db8 1a2f 0000 0000 0015 2001 0db8 0000 0000 1a2f 0015 2001 db8 1a2f 0 0 15 or 2001 db8 0 0 1a2f 15 Prefix an...

Page 145: ...owner and status of addresses don t need to be maintained by a DHCP server Every IPv6 device is able to generate its own and unique IP address automatically when IPv6 is initiated on its interface It combines the prefix and the interface ID generated from its own Ethernet MAC address to form a complete IPv6 address When IPv6 is enabled on a device its interface automatically generates a link local...

Page 146: ...vendor s private enterprise number registered with the IANA It should not change over time even after you reboot the device 9 1 3 What You Need to Do First For IPv6 settings go to the Configuration System IPv6 screen to enable IPv6 support on the USG first 9 2 Port Role Screen To access this screen click Configuration Network Interface Port Role Use the Port Role screen to set the USG s flexible p...

Page 147: ...no security It can increase the bandwidth between the port group and other interfaces The port group uses a single MAC address Click Apply to save your changes and apply them to the USG Click Reset to change the port groups to their current configuration last saved values 9 3 Ethernet Summary Screen This screen lists every Ethernet interface and virtual interface created on top of Ethernet interfa...

Page 148: ...twork Interface Ethernet LABEL DESCRIPTION Configuration IPv6 Configuration Use the Configuration section for IPv4 network settings Use the IPv6 Configuration section for IPv6 network settings if you connect your USG to an IPv6 network Both sections have similar fields as described below Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settin...

Page 149: ...oth versions Select the broadcasting method used by RIP 2 packets The USG can use subnet broadcasting or multicasting With OSPF you can use Ethernet interfaces to do the following things Enable and disable OSPF in the underlying physical port or port group Select the area to which the interface belongs Override the default link cost and authentication method for the selected area Select in which d...

Page 150: ...ssue IGMP host messages on behalf of hosts that the USG discovered on its IGMP enabled interfaces The USG acts as a proxy for its hosts Refer to the following figure DS Downstream traffic US Upstream traffic R Router MS Multicast Server Enable IGMP Upstream US on the USG interface that connects to a router R running IGMP that is closer to the multicast server MS Enable IGMP Downstream on the USG i...

Page 151: ...Chapter 9 Interfaces USG20 W VPN Series User s Guide 151 Configuration Network Interface Ethernet Edit External Type ...

Page 152: ...Chapter 9 Interfaces USG20 W VPN Series User s Guide 152 Configuration Network Interface Ethernet Edit External Type ...

Page 153: ...Chapter 9 Interfaces USG20 W VPN Series User s Guide 153 Figure 120 Configuration Network Interface Ethernet Edit Internal Type ...

Page 154: ...Chapter 9 Interfaces USG20 W VPN Series User s Guide 154 Configuration Network Interface Ethernet Edit Internal Type ...

Page 155: ...Chapter 9 Interfaces USG20 W VPN Series User s Guide 155 Figure 121 Configuration Network Interface Ethernet Edit OPT ...

Page 156: ...Chapter 9 Interfaces USG20 W VPN Series User s Guide 156 Configuration Network Interface Ethernet Edit OPT ...

Page 157: ...unk For general the rest of the screen s options do not automatically adjust and you must manually configure a policy route to add routing and SNAT settings for the interface Interface Name Specify a name for the interface It can use alphanumeric characters hyphens and underscores and it can be up to 11 characters long Port This is the name of the Ethernet interface s physical port Zone Select the...

Page 158: ...nd the prefix length for this interface if you want to use a static IP address This field is optional The prefix length indicates what the left most part of the IP address is the same for all computers in the network that is the network address Gateway Enter the IPv6 address of the default outgoing gateway using colon hexadecimal notation Metric Enter the priority of the gateway if any on this int...

Page 159: ...ce from the DHCP server Clear this to not get any IP address information through DHCPv6 DHCPv6 Request Options DHCPv6 Lease Options If this interface is a DHCPv6 client use this section to configure DHCPv6 request settings that determine what additional information to get from the DHCPv6 server If the interface is a DHCPv6 server use this section to configure DHCPv6 lease settings that determine w...

Page 160: ...ixed prefix to the network Add Click this to create an IPv6 prefix address Edit Select an entry in this table and click this to modify it Remove Select an entry in this table and click this to delete it This field is a sequential value and it is not associated with any entry IPv6 Address Prefix Length Enter the IPv6 network prefix address and the prefix length The prefix length indicates what the ...

Page 161: ...ection check Check Method Select the method that the gateway allows Select icmp to have the USG regularly ping the gateway you specify to make sure it is still available Select tcp to have the USG regularly perform a TCP handshake with the gateway you specify to make sure it is still available Check Period Enter the number of seconds between connection check attempts Check Timeout Enter the number...

Page 162: ...ss From ISP select the DNS server that another interface received from its DHCP server USG the DHCP clients use the IP address of this interface and the USG works as a DNS relay First WINS Server Second WINS Server Type the IP address of the WINS Windows Internet Naming Service server that you want to send to the DHCP clients The WINS server keeps a mapping table of the computer names on your netw...

Page 163: ...ge 239 for more information about RIP Enable RIP Select this to enable RIP in this interface Direction This field is effective when RIP is enabled Select the RIP direction from the drop down list box BiDir This interface sends and receives routing information In Only This interface receives routing information Out Only This interface sends routing information Send Version This field is effective w...

Page 164: ...e either the factory assigned default MAC address a manually specified MAC address or clone the MAC address of another device or computer Use Default MAC Address Select this option to have the interface use the factory assigned default MAC address By default the USG uses the factory assigned MAC address to identify itself Overwrite Default MAC Address Select this option to have the interface use a...

Page 165: ...ease Options Table 65 Object References LABEL DESCRIPTION Object Name This identifies the object for which the configuration settings that use it are displayed Click the object s name to display the object s configuration screen in the main window This field is a sequential value and it is not associated with any entry Service This is the type of setting that references the selected object Click a...

Page 166: ...haracters a z A Z 0 9 and _ with no spaces allowed The first character must be alphabetical a z A Z Code This field displays the code number of the selected DHCP option If you selected User Defined in the Option field enter a number for the option This field is mandatory Type This is the type of the selected DHCP option If you selected User Defined in the Option field select an appropriate type fo...

Page 167: ...ption is used to identify a bootfile when the file field in the DHCP header has been used for DHCP options The minimum length of the value is 1 SIP Server 120 This option carries either an IPv4 address or a DNS domain name to be used by the SIP client to locate a SIP server VIVC 124 Vendor Identifying Vendor Class option A DHCP client may use this option to unambiguously identify the vendor that m...

Page 168: ...PTP interface to use Each ISP account specifies the protocol PPPoE or PPTP as well as your ISP account information If you change ISPs later you only have to create a new ISP account not a new PPPoE PPTP interface You should not have to change any network policies You do not set up the subnet mask or gateway PPPoE PPTP interfaces are interfaces between the USG and only one computer Therefore the su...

Page 169: ...ou want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Connect To connect an interface select it and click Connect You might use this in testing the interface or to manually establish the connection for a Dial on Demand PPPoE PPTP interface Disconnect To disconnect an interface select it and clic...

Page 170: ...Chapter 9 Interfaces USG20 W VPN Series User s Guide 170 Figure 127 Configuration Network Interface PPP Add ...

Page 171: ...p to 60 characters long Connectivity Nailed Up Select this if the PPPoE PPTP connection should always be up Clear this to have the USG establish the PPPoE PPTP connection only when there is traffic You might use this option if a lot of traffic needs to go through the interface or it does not cost extra to keep the connection up all the time Dial on Demand Select this to have the USG establish the ...

Page 172: ... interface must be a DHCPv6 client You must configure the DHCPv6 request options using a DHCPv6 request object with the type of prefix delegation Assign the prefix delegation to an internal interface and enable router advertisement on that interface Add Click this to create an entry Edit Select an entry and click this to change the settings Remove Select an entry and click this to delete it from t...

Page 173: ...ceive from the network through the interface Allowed values are 0 1048576 MTU Maximum Transmission Unit Type the maximum size of each data packet in bytes that can move through this interface If a larger packet arrives the USG divides it into smaller fragments Allowed values are 576 1492 Usually this value is 1492 Connectivity Check The interface can regularly check the connection to the gateway y...

Page 174: ... is only allocated to users when they send data It allows fast transfer of voice and non voice data and provides broadband Internet access to mobile devices 4G 4G is the fourth generation of the mobile telecommunications technology and a successor of 3G Both the WiMAX and Long Term Evolution LTE standards are the 4G candidate systems 4G only supports all IP based packet switched telephony services...

Page 175: ... radio CDMA2000 1xRTT 1 times Radio Transmission Technology is the core CDMA2000 wireless air interface standard It is also known as 1x 1xRTT or IS 2000 and considered to be a 2 5G or 2 75G technology 2 75G Packet switched Enhanced Data rates for GSM Evolution EDGE Enhanced GPRS EGPRS etc 3G Packet switched UMTS Universal Mobile Telecommunications System a third generation 3G wireless standard def...

Page 176: ...sting the interface Object References Select an entry and click Object Reference to open a screen that shows which settings use the entry See Section 9 3 2 on page 164 for an example This field is a sequential value and it is not associated with any interface Status The activate light bulb icon is lit when the entry is active and dimmed when the entry is inactive The connect icon is lit when the i...

Page 177: ...er you select the slot that contains the mobile broadband device in the previous pop up window Current Version This displays the currently supported by the USG mobile broadband dongle list version number Update Now If the latest version number is greater than the current version number then click this button to download the latest list of supported mobile broadband dongle devices to the USG Apply ...

Page 178: ...Chapter 9 Interfaces USG20 W VPN Series User s Guide 178 Figure 129 Configuration Network Interface Cellular Add Edit ...

Page 179: ...elapses before the USG automatically disconnects from the ISP s server Zero disables the idle timeout ISP Settings Profile Selection Select Device to use one of the mobile broadband device s profiles of device settings Then select the profile use Profile 1 unless your ISP instructed you to do otherwise Select Custom to configure your device settings yourself APN This field is read only if you sele...

Page 180: ...may be blocked by your ISP and you cannot use the account to access the Internet If your ISP disabled PIN code authentication enter an arbitrary number Retype to Confirm Type the PIN code again to confirm it Interface Parameters Egress Bandwidth Enter the maximum amount of traffic in kilobits per second the USG can send through the interface to the network Allowed values are 0 1048576 This setting...

Page 181: ...ress Metric Enter the priority of the gateway if any on this interface The USG decides which gateway to use based on this priority The lower the number the higher the priority If two or more gateways have the same priority the USG uses the one that was configured first Device Settings Band Selection This field appears if you selected a mobile broadband device that allows you to select the type of ...

Page 182: ...nd enable budget control the USG resets the statistics Reset time and data budget counters on Select the date on which the USG resets the budget every month If the date you selected is not available in a month such as 30th or 31st the USG resets the budget on the last day of the month Reset time and data budget counters This button is available only when you enable budget control in this screen Cl...

Page 183: ...tunnel or an automatic 6to4 tunnel The following describes each method Actions when over of time budget or of data budget Specify the actions the USG takes when the specified percentage of time budget or data limit is exceeded Enter a number from 1 to 99 in the percentage fields If you change the value after you configure and enable budget control the USG resets the statistics Log Select None to n...

Page 184: ...you do not need to configure a policy route for a 6to4 tunnel Through your properly pre configuring the destination router s IP address in the IP address assignments to hosts the USG can automatically forward 6to4 packets to the destination they want to go A 6to4 relay router is required to route 6to4 packets to a native IPv6 network if the packet s destination do not match your specified criteria...

Page 185: ... new GRE tunnel interface Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The USG confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Object References Select an ent...

Page 186: ...emote Gateway Address Tunnel Mode This is the tunnel mode of the interface GRE IPv6 in IPv4 or 6to4 This field also displays the interface s IPv4 IP address and subnet mask if it is a GRE tunnel Otherwise it displays the interface s IPv6 IP address and prefix length My Address This is the interface or IP address uses to identify itself to the remote gateway The USG uses this as the source for the ...

Page 187: ...eater or lesser number of configuration fields General Settings Enable Select this to enable this interface Clear this to disable this interface Interface Properties Interface Name This field is read only if you are editing an existing tunnel interface Enter the name of the tunnel interface The format is tunnelx where x is 0 3 For example tunnel0 Zone Use this field to select the zone to which thi...

Page 188: ...osts in the matched network If you enter a prefix starting with 2002 the USG will forward the matched packets to the IPv4 IP address converted from the packets destination address The IPv4 IP address can be converted from the next 32 bits after the prefix you specified in this field See 6to4 Tunneling on page 184 for an example The USG forwards the unmatched packets to the specified Relay Router R...

Page 189: ...umes routing to the gateway the first time the gateway passes the connectivity check Enable Connectivity Check Select this to turn on the connection check Check Method Select the method that the gateway allows Select icmp to have the USG regularly ping the gateway you specify to make sure it is still available Select tcp to have the USG regularly perform a TCP handshake with the gateway you specif...

Page 190: ...e switches are connected to the router If one switch has enough connections for the entire network the network does not need switches A and B Traffic inside each VLAN is layer 2 communication data link layer MAC addresses It is handled by the switches As a result the new switch is required to handle traffic inside VLAN 2 Traffic is only broadcast inside each VLAN not each physical network Traffic ...

Page 191: ...verview In the USG each VLAN is called a VLAN interface As a router the USG routes traffic between VLAN interfaces but it does not route traffic within a VLAN interface All traffic for each VLAN interface can go through only one Ethernet interface though each Ethernet interface can have one or more VLAN interfaces Note Each VLAN interface is created on top of only one Ethernet interface Otherwise ...

Page 192: ...ct an interface and click Create Virtual Interface Object References Select an entry and click Object Reference to open a screen that shows which settings use the entry See Section 9 3 2 on page 164 for an example This field is a sequential value and it is not associated with any interface Status This icon is lit when the entry is active and dimmed when the entry is inactive Name This field displa...

Page 193: ...hapter 9 Interfaces USG20 W VPN Series User s Guide 193 9 7 2 VLAN Add Edit Select an existing entry in the previous scrren and click Edit or click Add to create a new entry The following screen appears ...

Page 194: ...Chapter 9 Interfaces USG20 W VPN Series User s Guide 194 Figure 139 Configuration Network Interface VLAN Add Edit ...

Page 195: ...rest of the screen s options do not automatically adjust and you must manually configure a policy route to add routing and SNAT settings for the interface Interface Name This field is read only if you are editing an existing VLAN interface Enter the number of the VLAN interface You can use a number from 0 4094 For example use vlan0 vlan8 and so on The total number of VLANs you can configure on the...

Page 196: ...ork prefix that the USG generates itself for the interface IPv6 Address Prefix Length Enter the IPv6 address and the prefix length for this interface if you want to configure a static IP address for this interface This field is optional The prefix length indicates what the left most part of the IP address is the same for all computers in the network that is the network address Gateway Enter the IP...

Page 197: ... refreshing information retrieved from DHCPv6 Request Address This field is available if you set this interface to DHCPv6 Client Select this to get an IPv6 IP address for this interface from the DHCP server Clear this to not get any IP address information through DHCPv6 DHCPv6 Request Options DHCPv6 Lease Options If this interface is a DHCPv6 client use this section to configure DHCPv6 request set...

Page 198: ...p Limit is 0 Advertised Prefix Table Configure this table only if you want the USG to advertise a fixed prefix to the network Add Click this to create an IPv6 prefix address Edit Select an entry in this table and click this to modify it Remove Select an entry in this table and click this to delete it This field is a sequential value and it is not associated with any entry IPv6 Address Prefix Lengt...

Page 199: ...ecify to make sure it is still available Select tcp to have the USG regularly perform a TCP handshake with the gateway you specify to make sure it is still available Check Period Enter the number of seconds between connection check attempts Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure Check Fail Tolerance Enter the number of consecutive failures ...

Page 200: ...P server USG the DHCP clients use the IP address of this interface and the USG works as a DNS relay First WINS Server Second WINS Server Type the IP address of the WINS Windows Internet Naming Service server that you want to send to the DHCP clients The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using Default Router If you s...

Page 201: ...ormation about RIP Enable RIP Select this to enable RIP on this interface Direction This field is effective when RIP is enabled Select the RIP direction from the drop down list box BiDir This interface sends and receives routing information In Only This interface receives routing information Out Only This interface sends routing information Send Version This field is effective when RIP is enabled ...

Page 202: ...s available if the Authentication is Text Type the password for text authentication The key can consist of alphanumeric characters and the underscore and it can be up to 16 characters long MD5 Authentication ID This field is available if the Authentication is MD5 Type the ID for MD5 authentication The ID can be between 1 and 255 MD5 Authentication Key This field is available if the Authentication ...

Page 203: ...idge traffic between some interfaces while it routes traffic for other interfaces The bridge interfaces also support more functions like interface bandwidth parameters DHCP settings and connectivity check To use the whole USG as a transparent bridge add all of the USG s interfaces to a bridge interface A bridge interface may consist of the following members Zero or one VLAN interfaces and any asso...

Page 204: ...z Table 79 Example Routing Table Before and After Bridge Interface br0 Is Created continued IP ADDRESS ES DESTINATION IP ADDRESS ES DESTINATION Table 80 Configuration Network Interface Bridge LABEL DESCRIPTION Configuration IPv6 Configuration Use the Configuration section for IPv4 network settings Use the IPv6 Configuration section for IPv6 network settings if you connect your USG to an IPv6 netwo...

Page 205: ...ce Status This icon is lit when the entry is active and dimmed when the entry is inactive Name This field displays the name of the interface IP Address This field displays the current IP address of the interface If the IP address is 0 0 0 0 the interface does not have an IP address yet This screen also shows whether the IP address is a static IP address STATIC or dynamically assigned DHCP IP addre...

Page 206: ...Chapter 9 Interfaces USG20 W VPN Series User s Guide 206 Figure 141 Configuration Network Interface Bridge Add Edit ...

Page 207: ...to display both IPv4 and IPv6 IPv4 only or IPv6 only configuration fields Show Advanced Settings Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields Create New Object Click this button to create a DHCPv6 lease or DHCPv6 request object that you may use for the DHCPv6 settings in this screen General Settings Enable Interface Select this to enable th...

Page 208: ...lowing situations There is a virtual interface on top of it It is already used in a different bridge interface Select one and click the arrow to add it to the bridge interface Each bridge interface can only have one VLAN interface Member This field displays the interfaces that are part of the bridge interface Select one and click the arrow to remove it from the bridge interface IP Address Assignme...

Page 209: ...link router for an internal network such as the LAN or DMZ You have to also enter a suffix address which is appended to the delegated prefix to form an address for this interface See Prefix Delegation on page 145 for more information To use prefix delegation you must Create at least one DHCPv6 request object before configuring this table The external interface must be a DHCPv6 client You must conf...

Page 210: ...ettings Object Reference Select an entry and click this to delete it from this table This field is a sequential value and it is not associated with any entry Name This field displays the name of the DHCPv6 request or lease object Type This field displays the type of the object Value This field displays the IPv6 prefix that the USG obtained from an uplink router Server is selected or will advertise...

Page 211: ... computers in the network that is the network address Advertised Prefix from DHCPv6 Prefix Delegation Use this table to configure the network prefix if you want to use a delegated prefix as the beginning part of the network prefix Add Click this to create an entry in this table Edit Select an entry in this table and click this to modify it Remove Select an entry in this table and click this to del...

Page 212: ... mask except for the first address network address last address broadcast address and the interface s IP address Pool Size Enter the number of IP addresses to allocate This number must be at least one and is limited by the interface s Subnet Mask For example if the Subnet Mask is 255 255 255 0 and IP Pool Start Address is 10 10 10 10 the USG can allocate 10 10 10 10 to 10 10 10 254 or 245 IP addre...

Page 213: ...tatic IP addresses the USG assigns to computers connected to the interface Otherwise the USG assigns an IP address dynamically using the interface s IP Pool Start Address and Pool Size Add Click this to create a new entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it This field is a sequential value and it is not associated with a sp...

Page 214: ...Virtual Interfaces Add Edit This screen lets you configure IP address assignment and interface parameters for virtual interfaces To access this screen click the Create Virtual Interface icon in the Ethernet VLAN or bridge interface summary screen Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure Check Fail Tolerance Enter the number of consecutive fai...

Page 215: ...he IP address is the same for all computers in the network Gateway Enter the IP address of the gateway The USG sends packets to the gateway when it does not know how to route the packet to its destination The gateway should be on the same network as the interface Metric Enter the priority of the gateway if any on this interface The USG decides which gateway to use based on this priority The lower ...

Page 216: ...ress and subnet mask be assigned by an external DHCP server on the network In this case the interface is a DHCP client Virtual interfaces however cannot be DHCP clients You have to assign the IP address and subnet mask manually In general the IP address and subnet mask of each interface should not overlap though it is possible for this to happen with DHCP clients In the example above if the USG ge...

Page 217: ...original packet is re assembled later The smaller the MTU the more fragments sent and the more work required to re assemble packets correctly On the other hand some communication channels such as Ethernet over ATM might not be able to handle large data packets DHCP Settings Dynamic Host Configuration Protocol DHCP RFC 2131 RFC 2132 provides a way to automatically set up and maintain IP addresses s...

Page 218: ...ly for example a company s own DNS server or you can refer to DNS servers that other interfaces received from DHCP servers for example a DNS server at an ISP These other interfaces have to be DHCP clients It is not possible for an interface to be the DHCP server and a DHCP client simultaneously WINS WINS Windows Internet Naming Service is a Windows implementation of NetBIOS Name Server NBNS on Win...

Page 219: ...s and trunks to have traffic for your European branch office primarily use ISP A and traffic for your Australian branch office primarily use ISP B Or maybe one of the USG s interfaces is connected to an ISP that is also your Voice over IP VoIP service provider You can use policy routing to send the VoIP traffic through a trunk with the interface connected to the VoIP service provider set to active...

Page 220: ...G can use to decide which interface the traffic from the LAN should use for a session In the load balancing section a session may refer to normal connection oriented UDP or SNMP2 traffic The available bandwidth you configure on the USG refers to the actual bandwidth provided by the ISP and the measured bandwidth refers to the bandwidth an interface is currently using Least Load First The least loa...

Page 221: ...ndwidth of WAN1 is 1M and WAN2 is 512K You can set the USG to distribute the network traffic between the two interfaces by setting the weight of wan1 and wan2 to 2 and 1 respectively The USG assigns the traffic of two sessions to wan1 and one session s traffic to wan2 in each round of 3 new sessions Figure 145 Weighted Round Robin Algorithm Example Spillover The spillover load balancing algorithm ...

Page 222: ...bes the items in this screen Table 87 Configuration Network Interface Trunk LABEL DESCRIPTION Show Advanced Settings Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields Configuration Configure what to do with existing passive mode interface connections when an interface set to active mode in the same trunk comes back up Disconnect Connections Befo...

Page 223: ...l interfaces into the pre configured system default SYSTEM_DEFAULT_WAN_TRUNK You cannot delete it You can create your own User Configuration trunks and customize the algorithm member interfaces and the active passive mode Add Click this to create a new user configured trunk Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To r...

Page 224: ... user configured trunks Add Click this to add a member interface to the trunk Select an interface and click Add to add a new member interface after the selected member interface Edit Select an entry and click Edit to modify the entry s settings Remove To remove a member interface select it and click Remove The USG confirms you want to remove it before doing so Move To move an interface to a differ...

Page 225: ...idth of an interface in the corresponding interface edit screen Egress Bandwidth This field displays with the least load first or spillover load balancing algorithm It displays the maximum number of kilobits of data the USG is to send out through the interface per second Note You can configure the bandwidth of an interface in the corresponding interface edit screen Spillover This field displays wi...

Page 226: ... interfaces Mode This field displays Active if the USG always attempt to use this connection This field displays Passive if the USG only use this connection when all of the connections set to active are down Only one of a group s interfaces can be set to passive mode Weight This field displays with the weighted round robin load balancing algorithm Specify the weight 1 10 for the interface The weig...

Page 227: ...o services offered by your ISP behind router R2 You create another policy route to communicate with a separate network behind another router R3 connected to the LAN Figure 150 Example of Policy Routing Topology Note You can generally just use policy routes You only need to use static routes if you have a large network with multiple routers where you use RIP or OSPF to propagate routing information...

Page 228: ...ators to have traffic received on a specified interface use a specified IP address as the source IP address Note The USG automatically uses SNAT for traffic it routes from internal interfaces to external interfaces For example LAN to WAN traffic Static Routes The USG usually uses the default gateway to route outbound traffic from computers on the LAN to the Internet To have the USG send data to de...

Page 229: ...termines the forwarding behavior the PHB Per Hop Behavior that each packet gets across the DiffServ network Based on the marking rule different kinds of traffic can be marked for different kinds of forwarding Resources can then be allocated according to the DSCP values and the configured policies 10 2 Policy Route Screen Click Configuration Network Routing to open the Policy Route screen Use this ...

Page 230: ... Policy Route to Override Direct Route Select this to have the USG forward packets that match a policy route according to the policy route instead of sending the packets directly to a connected network Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to open a screen where you ca...

Page 231: ...ured Forwarding The number following the af identifies one of four classes and one of three drop preferences See Assured Forwarding AF PHB for DiffServ on page 238 for more details Service This is the name of the service object any means all services Source Port This is the name of a service object The USG applies the policy route to the packets sent from the corresponding service port any means a...

Page 232: ...Chapter 10 Routing USG20 W VPN Series User s Guide 232 Figure 152 Configuration Network Routing Policy Route Add Edit IPv4 Configuration ...

Page 233: ...me of up to 31 printable ASCII characters for the policy Criteria User Select a user name or user group from which the packets are sent Incoming Select where the packets are coming from any an interface a tunnel an SSL VPN or the USG itself For an interface a tunnel or an SSL VPN you also need to select the individual interface VPN tunnel or SSL VPN connection Source Address Select a source IP add...

Page 234: ... hop router or switch as a HOST address object first Select VPN Tunnel to route the matched packets via the specified VPN tunnel Select Trunk to route the matched packets through the interfaces in the trunk group based on the load balancing algorithm Select Interface to route the matched packets through the specified outgoing interface to a gateway which is connected to the interface Gateway This ...

Page 235: ...group to use as the source IP address es of the packets that match this route Healthy Check Use this part of the screen to configure a route connectivity check and disable the policy if the interface is down Disable policy route automatically while Interface link down Select this to disable the policy if the interface is down or disabled This is available for Interface and Trunk in the Type field ...

Page 236: ...Pv6 Configuration Use the IPv4 Configuration section for IPv4 network settings Use the IPv6 Configuration section for IPv6 network settings if you connect your USG to an IPv6 network Both sections have similar fields as described below Add Click this to create a new static route Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove...

Page 237: ...he Prefix Length field Subnet Mask Enter the IP subnet mask here Prefix Length Enter the number of left most digits in the destination IP address which indicates the network prefix Enter in the Destination IP field and 0 in this field if you want to send all traffic to the gateway or interface specified in the Gateway IP or Interface field Gateway IP Select the radio button and enter the IP addres...

Page 238: ...e The maximize bandwidth usage option allows the USG to divide up any available bandwidth on the interface including unallocated bandwidth and any allocated bandwidth that a policy route is not using among the policy routes that require more bandwidth When you enable maximize bandwidth usage the USG first makes sure that each policy route gets up to its bandwidth allotment Next the USG divides up ...

Page 239: ...background information on routing protocols 10 6 The RIP Screen RIP Routing Information Protocol RFC 1058 and RFC 1389 allows a device to exchange routing information with other routers RIP is a vector space routing protocol and like most such protocols it uses hop count to decide which route is the shortest Unfortunately it also broadcasts its routes asynchronously to the network and converges sl...

Page 240: ...ext authentication The key can consist of alphanumeric characters and the underscore and it can be up to 16 characters long MD5 Authentication ID This field is available if the Authentication is MD5 Type the ID for MD5 authentication The ID can be between 1 and 255 MD5 Authentication Key This field is available if the Authentication is MD5 Type the password for MD5 authentication The password can ...

Page 241: ...it area that routes packets between other areas All other areas are connected to the backbone A normal area is a group of adjacent networks A normal area has routing information about the OSPF AS any networks outside the OSPF AS to which it is directly connected and any networks outside the OSPF AS that provide routing information to any area in the OSPF AS A stub area has routing information abou...

Page 242: ... path costs The link state database is then constantly updated through Link State Advertisements LSA Each router uses the link state database and the Dijkstra algorithm to compute the least cost paths to network destinations Like areas each router has a unique 32 bit ID in the OSPF AS and there are several types of routers Each type is really just a different role and it is possible for one router...

Page 243: ...selected in each group of routers that are directly connected to each other If a router is directly connected to several groups it might be a DR in one group a BDR in another group and neither in a third group all at the same time Virtual Links In some OSPF AS it is not possible for an area to be directly connected to the backbone In this case you can create a virtual link through an intermediate ...

Page 244: ...screen to add or edit them Click Configuration Network Routing OSPF to open the following screen Figure 161 Configuration Network Routing OSPF The following table describes the labels in this screen See Section 10 7 2 on page 245 for more information as well Table 98 Configuration Network Routing Protocol OSPF LABEL DESCRIPTION OSPF Router ID Select the 32 bit ID the USG uses in the OSPF AS Defaul...

Page 245: ...Type 1 and Type 2 Type 1 cost OSPF AS cost external cost Metric Type 2 cost external cost Metric the OSPF AS cost is ignored Metric Type the external cost for routes provided by static routes The metric represents the cost of transmission for routing purposes The way this is used depends on the Type field This value is usually the average cost in the OSPF AS and it can be between 1 and 16777214 Ar...

Page 246: ...but not the confidentiality of routing updates None uses no authentication Text uses a plain text password that is sent over the network not very secure MD5 uses an MD5 password and authentication ID most secure Text Authentication Key This field is available if the Authentication is Text Type the password for text authentication The key can consist of alphanumeric characters and the underscore an...

Page 247: ... field is a sequential value and it is not associated with a specific area Peer Router ID This is the 32 bit ID in IP address format of the other ABR in the virtual link Authentication This is the authentication method the virtual link uses This authentication protects the integrity but not the confidentiality of routing updates None uses no authentication Text uses a plain text password that is s...

Page 248: ...value between 1 and 255 The USG only accepts packets if these conditions are satisfied The packet s authentication ID is the same as the authentication ID of the interface that received it Table 100 Configuration Network Routing OSPF Add Add LABEL DESCRIPTION Peer Router ID Enter the 32 bit ID in IP address format of the other ABR in the virtual link Authentication Select the authentication method...

Page 249: ... a default authentication type by area If you want to use this default in an interface or virtual link you set the associated Authentication Type field to Same as Area As a result you only have to update the authentication information for the area to update the authentication type used by these interfaces and virtual links Alternatively you can override the default in any interface or virtual link...

Page 250: ... IP address Note You must have a public WAN IP address to use Dynamic DNS You must set up a dynamic DNS account with a supported DNS service provider before you can use Dynamic DNS services with the USG When registration is complete the DNS service provider gives you a password or key At the time of writing the USG supports the following DNS service providers See the listed websites for details ab...

Page 251: ...ntry is inactive Profile Name This field displays the descriptive profile name for this entry DDNS Type This field displays which DDNS service you are using Domain Name This field displays each domain name the USG can route Primary Interface IP This field displays the interface to use for updating the IP address mapped to the domain name followed by how the USG determines the IP address for the do...

Page 252: ...edit the configuration of an existing domain name Click Configuration Network DDNS and then an Add or Edit icon to open this screen Figure 165 Configuration Network DDNS Add Apply Click this button to save your changes to the USG Reset Click this button to return the screen to its last saved settings Table 102 Configuration Network DDNS continued LABEL DESCRIPTION ...

Page 253: ...are editing an entry DDNS Type Select the type of DDNS service you are using Select User custom to create your own DDNS service and configure the DYNDNS Server URL and Additional DDNS Options fields below HTTPS Select this to encrypt traffic using SSL port 443 including traffic with username and password to the DDNS server Not all DDNS providers support this option Username Type the user name used...

Page 254: ... for the domain name Backup Binding Address Use these fields to set an alternate interface to map the domain name to when the interface specified by the Primary Binding Interface settings is not available Interface Select the interface to use for updating the IP address mapped to the domain name Select Any to let the domain name be used with any interface Select None to not use a backup address IP...

Page 255: ...able again the DynDNS server delivers the mail to you See www dyndns org for more information about this service DYNDNS Server This field displays when you select User custom from the DDNS Type field above Type the IP address of the server that will host the DDSN service URL This field displays when you select User custom from the DDNS Type field above Type the URL that can be used to access the s...

Page 256: ... and SMTP server A in the example port 80 to another B in the example and assign a default server IP address of 192 168 1 35 to a third C in the example You assign the LAN IP addresses and the ISP assigns the WAN IP address The NAT network appears as a single host on the Internet Figure 167 Multiple Servers Behind NAT Example 12 1 1 What You Can Do in this Chapter Use the NAT screens see Section 1...

Page 257: ...t associated with a specific entry Status This icon is lit when the entry is active and dimmed when the entry is inactive Name This field displays the name of the entry Mapping Type This field displays what kind of NAT this entry performs Virtual Server 1 1 NAT or Many 1 1 NAT Interface This field displays the interface on which packets for the NAT entry are received Original IP This field display...

Page 258: ...this button to save your changes to the USG Reset Click this button to return the screen to its last saved settings Table 104 Configuration Network NAT continued LABEL DESCRIPTION Table 105 Configuration Network NAT Add LABEL DESCRIPTION Create new Object Use to configure any new settings objects that you need to use in this screen Enable Rule Use this option to turn the NAT rule on or off Rule Na...

Page 259: ... User Defined Select this to manually enter an IP address in the User Defined field For example you could enter a static public IP assigned by the ISP without having to create a virtual interface for it Host address select a host address object to use the IP address it specifies The list also includes address objects based on interface IPs So for example you could select an address object based on...

Page 260: ...le if Mapping Type is Ports Enter the end of the range of translated destination ports if this NAT rule forwards the packet The original port range and the mapped port range must be the same size Enable NAT Loopback Enable NAT loopback to allow users connected to any interface instead of just the specified Incoming Interface to use the NAT rule s specified Original IP address to access the Mapped ...

Page 261: ...ample a LAN user s computer at IP address 192 168 1 89 queries a public DNS server to resolve the SMTP server s domain name xxx LAN SMTP com in this example and gets the SMTP server s mapped public IP address of 1 1 1 1 Figure 170 LAN Computer Queries a Public DNS Server The LAN user s computer then sends traffic to IP address 1 1 1 1 NAT loopback uses the IP address of the USG s LAN interface 192...

Page 262: ... the original destination address 1 1 1 1 If the SMTP server replied directly to the LAN user without the traffic going through NAT the source would not match the original destination address which would cause the LAN user s computer to shut down the session Figure 172 LAN to LAN Return Traffic 192 168 1 21 LAN 192 168 1 89 Source 192 168 1 89 SMTP NAT Source 192 168 1 1 SMTP 192 168 1 21 LAN 192 ...

Page 263: ...ows it to access the Internet to get them from a server Proxy server A then forwards the response to the client Figure 173 HTTP Redirect Example 13 1 1 What You Can Do in this Chapter Use the HTTP Redirect screens see Section 13 2 on page 264 to display and edit the HTTP redirect rules 13 1 2 What You Need to Know Web Proxy Server A proxy server helps client devices make indirect requests to acces...

Page 264: ...e HTTP requests from the client to the proxy server You also need to manually configure a policy route to forward the HTTP traffic from the proxy server to the Internet To make the example in Figure 173 on page 263 work make sure you have the following settings For HTTP traffic between lan1 and dmz a from LAN1 to DMZ security policy default to allow HTTP requests from lan1 to dmz Responses to this...

Page 265: ...you can modify the entry s settings Remove To remove an entry select it and click Remove The USG confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate This field is a sequential value and it is not associated with a specific entry Status This icon is lit when the entry is active and di...

Page 266: ...You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Interface Select the interface on which the HTTP request must be received for the USG to forward it to the specified proxy server Proxy Server Enter the IP address of the proxy server Port Enter the port number that the proxy server uses OK Click OK to save your ...

Page 267: ...server Figure 176 SIP ALG Example The ALG feature is only needed for traffic that goes through the USG s NAT 14 1 1 What You Need to Know Application Layer Gateway ALG NAT and Security Policy The USG can function as an Application Layer Gateway ALG to allow certain NAT un friendly applications such as SIP to operate properly through the USG s NAT and security policy The USG dynamically creates an ...

Page 268: ... can be in the same network or different networks The SIP server cannot be on the LAN It must be on the WAN or the DMZ There should be only one SIP server total on the USG s private networks Any other SIP servers must be on the WAN So for example you could have a Back to Back User Agent such as the IPPBX x6004 or an asterisk PBX on the DMZ or on the LAN but not on both Using the SIP ALG allows you...

Page 269: ...m LAN IP addresses B and C go out through WAN IP address 2 Even though only LAN IP address A can receive incoming calls from the Internet LAN IP addresses B and C can still make calls out to the Internet Figure 178 VoIP Calls from the WAN with Multiple Outgoing Calls VoIP with Multiple WAN IP Addresses With multiple WAN IP addresses on the USG you can configure different security policy and NAT po...

Page 270: ... also configure the security policy and enable NAT in the USG to allow sessions initiated from the WAN 14 2 The ALG Screen Click Configuration Network ALG to open the ALG screen Use this screen to turn ALGs off or on configure the port numbers to which they apply and configure SIP ALG time outs Figure 180 Configuration Network ALG ...

Page 271: ... session timeout value 1 86400 Restrict Peer to Peer Signaling Connection A signaling connection is used to set up the SIP connection Enable this if you want signaling connections to only arrive from the IP address es you registered with Signaling connections from other IP addresses will be dropped Restrict Peer to Peer Media Connection A media connection is the audio transfer in a SIP connection ...

Page 272: ...rface s connection goes down When the active interface s connection fails the client needs to re initialize the connection through the second interface that was set to passive in order to have the connection go through the second interface VoIP clients usually re register automatically at set intervals or the users can manually force them to re register FTP File Transfer Protocol FTP is an Interne...

Page 273: ...ling protocol that handles the setting up altering and tearing down of voice and multimedia sessions over the Internet SIP is used in VoIP Voice over IP the sending of voice signals over the Internet Protocol SIP signaling is separate from the media for which it handles sessions The media that is exchanged during the session can use a different path from that of the signaling SIP handles telephone...

Page 274: ...UPnP IGD and mainly designed for small home networks It allows a client behind a NAT router to retrieve the router s public IP address and port number and make them known to the peer device with which it wants to communicate The client can automatically configure the NAT router to create a port mapping to allow the peer to contact it 15 2 What You Need to Know UPnP hardware is identified as an ico...

Page 275: ... network environments When a UPnP or NAT PMP device joins a network it announces its presence with a multicast message For security reasons the USG allows multicast messages on the LAN only All UPnP enabled or NAT PMP enabled devices may communicate freely with each other without additional configuration Disable UPnP or NAT PMP if this is not your intention 15 3 UPnP Screen Use this screen to enab...

Page 276: ...ication to open the web configurator s login screen without entering the USG s IP address although you must still enter the password to access the web configurator Allow UPnP or NAT PMP to pass through Firewall Select this check box to allow traffic from UPnP enabled or NAT PMP enabled applications to bypass the security policy Clear this check box to have the security policy block all UPnP or NAT...

Page 277: ...ced Sharing Settings 3 Select Turn on network discovery and click Save Changes Network discovery allows your computer to find other computers and devices on the network and other computers on the network to find your computer This makes it easier to share files and printers ...

Page 278: ...our computer and the USG 15 4 2 1 Auto discover Your UPnP enabled Network Device 1 Click start and Control Panel Double click Network Connections An icon displays under Internet Gateway 2 Right click the icon and select Properties Figure 182 Network Connections 3 In the Internet Connection Properties window click Settings to see the port mappings there were automatically created Figure 183 Interne...

Page 279: ...Advanced Settings Add Note When the UPnP enabled device is disconnected from your computer all port mappings will be deleted automatically 5 Select Show icon in notification area when connected option and click OK An icon displays in the system tray Figure 186 System Tray Icon 6 Double click on the icon to display your current Internet connection status ...

Page 280: ...ou can access the web based configurator on the USG without finding out the IP address of the USG first This comes helpful if you do not know the IP address of the USG Follow the steps below to access the web configurator 1 Click Start and then Control Panel 2 Double click Network Connections 3 Select My Network Places under Other Places ...

Page 281: ...UPnP enabled device displays under Local Network 5 Right click on the icon for your USG and select Invoke The web configurator login screen displays Figure 189 Network Connections My Network Places 6 Right click on the icon for your USG and select Properties A properties window displays with basic information about the USG ...

Page 282: ...Chapter 15 UPnP USG20 W VPN Series User s Guide 282 Figure 190 Network Connections My Network Places Properties Example ...

Page 283: ...ess 192 168 1 27 and use static DHCP to assign it to Tim s computer s MAC address of 12 34 56 78 90 AB IP MAC binding drops traffic from any computer trying to use IP address 192 168 1 27 with another MAC address Figure 191 IP MAC Binding Example 16 1 1 What You Can Do in this Chapter Use the Summary and Edit screens Section 16 2 on page 284 to bind IP addresses to MAC addresses Use the Exempt Lis...

Page 284: ...uration Network IP MAC Binding Edit to open the IP MAC Binding Edit screen Use this screen to configure an interface s IP to MAC address binding settings Table 110 Configuration Network IP MAC Binding Summary LABEL DESCRIPTION Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Activate To turn on an entry select it and click Activate I...

Page 285: ...specific IP addresses Enable Logs for IP MAC Binding Violation Select this option to have the USG generate a log if a device connected to this interface attempts to use an IP address not assigned by the USG Static DHCP Bindings This table lists the bound IP and MAC addresses The USG checks this table when it assigns IP addresses If the computer s MAC address is in the table the USG assigns the cor...

Page 286: ...plays the name of the interface within the USG and the interface s IP address and subnet mask IP Address Enter the IP address that the USG is to assign to a device with the entry s MAC address MAC Address Enter the MAC address of the device to which the USG assigns the entry s IP address Description Enter up to 64 printable ASCII characters to help identify the entry For example you may want to li...

Page 287: ...he USG does not apply IP MAC binding End IP Enter the last IP address in a range of IP addresses for which the USG does not apply IP MAC binding Add icon Click the Add icon to add a new entry Click the Remove icon to delete an entry A window displays asking you to confirm that you want to delete it Apply Click Apply to save your changes back to the USG Table 113 Configuration Network IP MAC Bindin...

Page 288: ...ing example layer 2 isolation is enabled on the USG s interface Vlan1 A printer PC and AP are in the Vlan1 The IP address of network printer C is added to the white list With this setting the connected AP then cannot communicate with the PC D but can access the network printer C server B wireless client A and the Internet Figure 196 Layer 2 Isolation Application 17 1 1 What You Can Do in this Chap...

Page 289: ...tion Network Layer 2 Isolation White List Table 114 Configuration Network Layer 2 Isolation LABEL DESCRIPTION Enable Layer2 Isolation Select this option to turn on the layer 2 isolation feature on the USG Note You can enable this feature only when the security policy is enabled Member List The Available list displays the name s of the internal interface s on which you can enable layer 2 isolation ...

Page 290: ... List Select this option to turn on the white list on the USG Note You can enable this feature only when the security policy is enabled Add Click this to add a new rule Edit Click this to edit the selected rule Remove Click this to remove the selected rule Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate This field is a sequen...

Page 291: ...ork Layer 2 Isolation White List Add Edit LABEL DESCRIPTION Enable Select this option to turn on the rule Host IP Address Enter an IPv4 address associated with this rule Description Specify a description for the IP address associated with this rule Enter up to 60 characters spaces and underscores allowed OK Click OK to save your changes back to the USG Cancel Click Cancel to exit this screen witho...

Page 292: ...sponds to it with the WAN2 s IP address 2 2 2 2 because the WAN2 has the least load at that moment Another Internet host B also sends a DNS query message to ask where www example com is The USG responds to it with the WAN1 s IP address 1 1 1 1 since WAN1 has the least load this time Figure 200 DNS Load Balancing Example 18 1 1 What You Can Do in this Chapter Use the Inbound LB screen see Section 1...

Page 293: ... or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The USG confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Move To move an entry to a different number in the list click the Move icon In the ...

Page 294: ...ce is assigned a weight An interface with a larger weight gets more chances to transmit traffic than an interface with a smaller weight For example if the weight ratio of wan1 and wan2 interfaces is 2 1 the USG chooses wan1 for 2 sessions traffic and wan2 for 1 session s traffic in each round of 3 new sessions Least Connection The USG chooses choose a member interface which is handling the least n...

Page 295: ... provide the best answer the client makes iteration queries to other configured DNS servers to resolve the name You have to configure this field to the client s IP address when iteration is used Zone Select the zone of DNS query messages upon which to apply this rule Load Balancing Member Load Balancing Algorithm Select a load balancing method to use from the drop down list box Select Weighted Rou...

Page 296: ...bin as the load balancing algorithm This field displays the weight of the member interface An interface with a larger weight gets more chances to transmit traffic than an interface with a smaller weight OK Click OK to save your changes back to the USG Cancel Click Cancel to exit this screen without saving Table 118 Configuration Network Inbound LB Add Edit continued LABEL DESCRIPTION Table 119 Con...

Page 297: ...played in the Monitor Interface field to the DNS query senders Custom Select this and enter another IP address to send to the DNS query senders OK Click OK to save your changes back to the USG Cancel Click Cancel to exit this screen without saving Table 119 Configuration Network Inbound LB Add Edit Add Edit continued LABEL DESCRIPTION ...

Page 298: ... network or Internet As soon as a user attempt to open a web page the USG reroutes his her browser to a web portal page that prompts him her to log in Figure 204 Web Authentication Example The web authentication page only appears once per authentication session Unless a user session times out or he she closes the connection he or she generally will not see it again during the same session 19 1 1 W...

Page 299: ...isplay the Login screen automatically whenever it routes HTTP traffic for anyone who has not logged in yet Note This works with HTTP traffic only The USG does not display the Login screen when users attempt to send other kinds of traffic The USG does not automatically route the request that prompted the login however so users have to make this request again 19 2 Web Authentication Screen The Web A...

Page 300: ...cepts network traffic preventing unauthorized users from gaining access to the network You can customize the login page built into the USG in the System WWW Login Page screen External Web Portal Select this to use a custom login page from an external web portal instead of the default one built into the USG You can configure the look and feel of the web portal page Login URL Specify the login page ...

Page 301: ...to a different number in the list click the Move icon In the field that appears specify the number to which you want to move the interface Status This icon is lit when the entry is active and dimmed when the entry is inactive Priority This is the position of the authentication policy in the list The priority is important as the policies are applied in order of priority Default displays for the def...

Page 302: ...Select any service that you want to remove from the member list and click the left arrow button to remove them Then click OK to apply the changes and return to the main Web Authentication screen Alternatively click Cancel to discard the changes and return to the main Web Authentication screen Figure 206 Configuration Web Authentication Add Exceptional Service 19 2 2 Creating Editing an Authenticat...

Page 303: ...ource Address Select a source address or address group for whom this policy applies Select any if the policy is effective for every source This is any and not configurable for the default policy Destination Address Select a destination address or address group for whom this policy applies Select any if the policy is effective for every destination This is any and not configurable for the default p...

Page 304: ...IPv4 network environment with Windows AD Active Directory authentication database You must enable Web Authentication in the Configuration Web Authentication screen Figure 208 SSO Overview Install the SSO Agent on one of the following platforms Windows 7 Professional 32 bit and 64 bit Windows Server 2008 Enterprise 32 bit and 64 bit Windows 2008 R2 64 bit Windows Server 2012 64 bit U User DC Domain...

Page 305: ... Table 122 USG SSO Agent Field Mapping USG SSO SCREEN FIELD SCREEN FIELD Web Authentication SSO Listen Port Agent Configuration Page Gateway Setting Gateway Port Web Authentication SSO Primary Agent Port Agent Configuration Page Agent Listening Port Object User Group User Add Group Identifier Agent Configuration Page Configure LDAP AD Server Group Membership Object AAA Server Active Directory Add ...

Page 306: ...ed to encrypt communications between the USG and the SSO agent Primary Agent Address Type the IPv4 address of the SSO agent The USG and the SSO agent must be in the same domain and be able to communicate with each other Primary Agent Port Type the same port number here as in the Agent Listening Port field on the SSO agent Type a number ranging from 1025 to 65535 Secondary Agent Address Optional Ty...

Page 307: ...o be authenticated See Table 120 on page 300 and Table 121 on page 303 for more information on configuring these screens 19 4 4 Create a Security Policy Configure a Security Policy for SSO traffic source and destination direction in order to prevent the security policy from blocking this traffic Go to Configuration Security Policy Policy and add a new policy if a default one does not cover the SSO...

Page 308: ...uide 308 Configure the fields as shown in the following screen Configure the source and destination addresses according to the SSO web authrntication traffic in your network 19 4 5 Configure User Information Configure a User account of the ext group user type ...

Page 309: ... User s Guide 309 Configure Group Identifier to be the same as Group Membership on the SSO agent 19 4 6 Configure an Authentication Method Configure Active Directory AD for authentication with SSO Choose group ad as the authentication server for SSO ...

Page 310: ...Setup to be the same as AD configured on the SSO agent The default AD server port is 389 If you change this make sure you make the same changes on the SSO Configure the Base DN exactly the same as on the Domain Controller and SSO Bind DN is a user name and password that allows the USG to join the domain with administrative privileges It is a required field ...

Page 311: ...PN Series User s Guide 311 19 5 SSO Agent Configuration This section shows what you have to do on the SSO agent in order to work with the USG After you install the SSO agent you will see an icon in the system tray bottom right of the screen ...

Page 312: ...ide 312 Right click the SSO icon and select Configure ZyXEL SSO Agent Configure the Agent Listening Port AD server exactly as you have done on the USG Add the USG IP address as the Gateway Make sure the USG and SSO agent are able to communicate with each other ...

Page 313: ...er s Guide 313 Configure the Server Address Port Base DN Bind DN Login Name Attribute and Group Membership for the AD server settings exactly as you have done on the USG Group Membership is called Group Identifier on the USG LDAP AD Server Configuration ...

Page 314: ...n the USG Configuration Web Authentication SSO screen If you want to use Generate Key to have the SSO create a random password select Check to show PreShareKey as clear Text so as to see the password then copy and paste it to the USG After all SSO agent configurations are done right click the SSO icon in the system tray and select Enable ZyXEL SSO Agent ...

Page 315: ...tions configured in the UTM profile content filter to traffic that matches the criteria above Note Security policies can be applied to both IPv4 and IPv6 traffic The security policies can also limit the number of user sessions The following example shows the USG s default security policies behavior for a specific direction of travel of packets WAN to LAN traffic and how stateful inspection works A...

Page 316: ...roughs do not perform the actual configuring but just show you how to do it This is an example of a port forwarding configuration walkthrough Figure 211 Example of a Port Forwarding Configuration Walkthrough This is an example of L2TP over IPSec VPN Troubleshooting troubleshooting 1 2 3 4 ...

Page 317: ...Chapter 20 Security Policy USG20 W VPN Series User s Guide 317 Figure 212 Example of L2TP over IPSec Troubleshooting 1 1 2 2 3 ...

Page 318: ...w to do it Licensing Registration Network NAT Network Routing Policy Route UTM Profile Content Filter UTM Profile Anti Spam VPN IPSec VPN VPN SSL VPN VPN L2TP VPN Click this icon to go to a series of screens that guide you how to fix problems with the feature Network NAT Network Routing Policy Route UTM Profile Content Filter UTM Profile Anti Spam VPN IPSec VPN VPN SSL VPN VPN L2TP VPN Click this ...

Page 319: ...it is initiated by a computer in another zone first Zones A zone is a group of interfaces Group the USG s interfaces into different zones based on your needs You can configure security policies for data passing between zones or even between interfaces Click this icon for more information on IPSec and SSL VPN Internet Protocol Security IPSec VPN connects IPSec routers or remote users using IPSec cl...

Page 320: ... is not included in a zone The from any policies apply to traffic coming from the interface and the to any policies apply to traffic going to the interface Security Policy Rule Criteria The USG checks the schedule user name user s login name on the USG source IP address and object destination IP address and object IP protocol type of network traffic service and UTM profile criteria against the Sec...

Page 321: ...s If an alternate gateway on the LAN has an IP address in the same subnet as the USG s LAN IP address return traffic may not go through the USG This is called an asymmetrical or triangle route This causes the USG to reset the connection as the connection has not been acknowledged You can have the USG permit the use of asymmetrical route topology on the network not reset the connection However allo...

Page 322: ... which zone packets travel to display only the policies specific to the selected direction Note the following Besides configuring the Security Policy you also need to configure NAT rules to allow computers on the WAN to access LAN devices The USG applies NAT Destination NAT settings before applying the Security Policies So for example if you configure a NAT entry that sends WAN traffic to a LAN IP...

Page 323: ... IPv6 if enabled security policies based on direction application user source destination and or schedule From To Select a zone to view all security policies from a particular zone and or to a particular zone any means all zones IPv4 IPv6 Source Type an IPv4 or IPv6 IP address to view all security policies based on the IPv4 IPv6 source address object used An IPv4 IP address is written as four inte...

Page 324: ...d the backup gateway on separate subnets Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The USG confirms you want to remove it before doing so Activate To turn on an ...

Page 325: ... and control which computers can manage the USG IPv4 IPv6 Source This displays the IPv4 IPv6 source address object to which this Security Policy applies IPv4 IPv6 Destination This displays the IPv4 IPv6 destination address object to which this Security Policy applies Service This displays the service object to which this Security Policy applies User This is the user name or user group name to whic...

Page 326: ...ress group object to apply the policy to traffic coming from it Select any to apply the policy to all traffic coming from IPv4 IPv6 addresses Destination Select an IPv4 IPv6 address or address group to apply the policy to traffic going to it Select any to apply the policy to all traffic going to IPv4 IPv6 addresses Service Select a service or service group from the drop down list box User This fie...

Page 327: ...ermit the passage of the packets Log matched traffic Select whether to have the USG generate a log log log and alert log alert or not no when the policy is matched to the criteria listed above UTM Profile Use this section to apply anti x profiles created in the Configuration UTM Profile screens to traffic that matches the criteria above You must have created a profile first otherwise none displays...

Page 328: ...umber of concurrent sessions hosts can have Default Session per Host This field is configurable only when you enable session limit Use this field to set a common limit to the number of concurrent NAT Security Policy sessions each client computer can have If only a few clients use peer to peer applications you can raise this number to improve their performance With heavy peer to peer application us...

Page 329: ...umbering Status This icon is lit when the entry is active and dimmed when the entry is inactive This is the index number of a session limit rule It is not associated with a specific rule User This is the user name or user group name to which this session limit rule applies IPv4 IPv6 Address This is the IPv4 IPv6 address object to which this session limit rule applies Description This is the inform...

Page 330: ...se select any and there is no need for user logging Note If you specified an IP address or address group instead of any in the field below the user s IP address should be within the IP address range Address Select the IPv4 source address or address group to which this rule applies Select any to apply the rule to all IPv4 source addresses IPv6 Address Select the IPv6 source address or address group...

Page 331: ...tatic DHCP entry for it so the USG always assigns it the same IP address Now you configure a LAN1 to WAN security policy that allows IRC traffic from the IP address of the CEO s computer 172 16 1 7 for example to go to any destination address You do not need to specify a schedule since you want the security policy to always be in effect The following figure shows the results of your two custom pol...

Page 332: ...fault policy of allowing allows all traffic from the LAN1 to go to the WAN The policy for the CEO must come before the policy that blocks all LAN1 to WAN IRC traffic If the policy that blocks all LAN1 to WAN IRC traffic came first the CEO s IRC traffic would match that policy and the USG would drop it and not check any other security policies Table 132 Limited LAN1 to WAN IRC Traffic Example 2 USE...

Page 333: ...re network Here local USG X uses an IPSec VPN tunnel to remote peer USG Y to connect the local A and remote B networks Figure 221 IPSec VPN Example Internet Key Exchange IKE IKEv1 and IKEv2 The USG supports IKEv1 and IKEv2 for IPv4 and IPv6 traffic IKE Internet Key Exchange is a protocol used in setting up security associations that allows two parties to send data securely IKE uses certificates or...

Page 334: ...hentication Protocol EAP authentication and IKEv1 supports X Auth EAP is important when connecting to existing enterprise authentication systems IKEv2 always uses NAT traversal and Dead Peer Detection DPD but they can be disabled in IKEv1 using USG firmware the default is on Configuration payload includes the IP address pool in the VPN setup data is supported in IKEv2 off by default but not in IKE...

Page 335: ...IPSec VPN connection policy uses which devices behind the IPSec routers can use the VPN tunnel and the IPSec SA settings phase 2 settings You can also activate or deactivate and connect or disconnect each VPN connection each IPSec SA Use the VPN Gateway screens see Section 21 2 1 on page 339 to manage the USG s VPN gateways A VPN gateway specifies the IPSec routers at either end of a VPN tunnel an...

Page 336: ...curely establish an IPSec SA through which the USG and remote IPSec router can send data between computers on the local network and remote network This is illustrated in the following figure Figure 224 VPN IKE SA and IPSec SA In this example a computer in network A is exchanging data with a computer in network B Inside networks A and B the data is transmitted the same way data is normally transmit...

Page 337: ...PN tunnel if this USG has a static IP address or a domain name Choose this if the remote IPSec router has a dynamic IP address You don t specify the remote IPSec router s address but you specify the remote policy the addresses of the devices behind the remote IPSec router This USG must have a static IP address or a domain name Only the remote IPSec router can initiate the VPN tunnel Choose this to...

Page 338: ...emote IPSec router In a VPN gateway the USG and remote IPSec router can use certificates to authenticate each other Make sure the USG and the remote IPSec router will trust each other s certificates 21 2 The VPN Connection Screen Click Configuration VPN IPSec VPN to open the VPN Connection screen The VPN Connection screen lists the VPN connection policies and their associated VPN gateway s and var...

Page 339: ...hat have the Don t Fragment bit in the header turned on IPv4 IPv6 Configuration Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The USG confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Ina...

Page 340: ...Chapter 21 IPSec VPN USG20 W VPN Series User s Guide 340 Figure 226 Configuration VPN IPSec VPN VPN Connection Edit IKE ...

Page 341: ...fic number of bytes for the Maximum Segment Size MSS meaning the largest amount of data in a single TCP segment or IP datagram for this VPN connection Some VPN clients may not be able to use a custom MSS size if it is set too small In that case those VPN clients will ignore the size set here and use the minimum size that they can use Select Auto to have the USG automatically set the MSS for this V...

Page 342: ...s IP address Second DNS Server Optional Enter a secondary DNS server s IP address that is checked if the first one is unavailable First WINS Server Optional Type the IP address of the WINS Windows Internet Naming Service server that you want to send to the DHCP clients The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using Sec...

Page 343: ...tion Select which hash algorithm to use to authenticate packet data in the IPSec SA Choices are SHA1 SHA256 SHA512 and MD5 SHA is generally considered stronger than MD5 but it is also slower The USG and the remote IPSec router must both have a proposal that uses the same authentication algorithm Perfect Forward Secrecy PFS Select whether or not you want to enable Perfect Forward Secrecy PFS and if...

Page 344: ... VPN connection Inbound Outbound traffic NAT Outbound Traffic Source NAT This translation hides the source address of computers in the local network It may also be necessary if you want the USG to route packets from computers outside the local network through the IPSec SA Source Select the address object that represents the original source address or select Create Object to configure a new one Thi...

Page 345: ...ick Move to display a field to type a number for where you want to put that entry and press ENTER to move the entry to the number that you typed This field is a sequential value and it is not associated with a specific NAT record However the order of records is the sequence in which conditions are checked and executed Original IP Select the address object that represents the original destination a...

Page 346: ...n page 164 for an example This field is a sequential value and it is not associated with a specific VPN gateway Status The activate light bulb icon is lit when the entry is active and dimmed when the entry is inactive Name This field displays the name of the VPN gateway My address This field displays the interface or a domain name the USG uses for the VPN gateway Secure Gateway This field displays...

Page 347: ...he VPN Gateway Add Edit Screen The VPN Gateway Add Edit screen allows you to create a new VPN gateway policy or edit an existing one To access this screen go to the VPN Gateway summary screen see Section 21 3 on page 345 and click either the Add icon or an Edit icon ...

Page 348: ...Chapter 21 IPSec VPN USG20 W VPN Series User s Guide 348 Figure 228 Configuration VPN IPSec VPN VPN Gateway Add Edit ...

Page 349: ... is the IP address of the interface If you select Domain Name IP enter the domain name or the IP address of the USG The IP address of the USG in the IKE SA is the specified IP address or the IP address corresponding to the domain name 0 0 0 0 is not generally recommended as it has the USG accept IPSec requests destined for any interface address on the USG Peer Gateway Address Select how the IP add...

Page 350: ...ach with a unique key to access the same VPN gateway policy with one to one authentication and strong encryption Access can be denied on a per user basis thus allowing VPN SA user based policies Click User Based PSK then select a user or group object who is allowed VPN SA access using this VPN gateway policy This is for IKEv1 only Local ID Type This field is read only if the USG and remote IPSec r...

Page 351: ...te IPSec router IP subject alternative name field see the note at the end of this description DNS subject alternative name field E mail subject alternative name field Subject Name subject name maximum 255 ASCII characters including spaces Note If Peer ID Type is IP please read the rest of this section If you type 0 0 0 0 the USG uses the IP address specified in the Secure Gateway Address field Thi...

Page 352: ... use a 1024 bit random number DH5 use a 1536 bit random number The longer the key the more secure the encryption but also the longer it takes to encrypt and decrypt information Both routers must use the same DH key group NAT Traversal Select this if any of these conditions are satisfied This IKE SA might be used to negotiate IPSec SAs that use ESP as the active protocol There are one or more NAT r...

Page 353: ...rd can be 1 31 ASCII characters It is case sensitive but spaces are not allowed Retype to Confirm Type the exact same password again here to make sure an error was not made when typing it originally Extended Authentication Protocol This displays when using IKEv2 EAP uses a certificate for authentication Enable Extended Authentication Select this if one of the routers the USG or the remote IPSec ro...

Page 354: ...point so a VPN concentrator is not as appropriate if the connection between spoke routers cannot be down occasionally maintenance for example There is also more burden on the hub router It receives VPN traffic from one spoke decrypts it inspects it to find out to which spoke to route it encrypts it and sends it to the appropriate spoke Therefore a VPN concentrator is more suitable when there is a ...

Page 355: ... edit a VPN concentrator To access this screen go to the VPN Concentrator summary screen see Section 21 4 on page 354 and click either the Add icon or an Edit icon Table 138 Configuration VPN IPSec VPN Concentrator LABEL DESCRIPTION IPv4 IPv6 Configuration Choose to configure for IPv4 or IPv6 traffic Add Click this to create a new entry Edit Select an entry and click this to be able to modify it R...

Page 356: ...thentication A subnet or range remote policy Table 139 VPN IPSec VPN Concentrator Add Edit LABEL DESCRIPTION Name Enter the name of the concentrator You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Member Select the concentrator s IPSec VPN connection policies Note You must disable policy enforcement in each me...

Page 357: ...Authentication Method Choose how users should be authenticated They can be authenticated using the local database on the USG or an external authentication database such as LDAP Active Directory or RADIUS default is a method you configured in Object Auth Method You may configure multiple methods there If you choose the local database on the USG then configure users using the Object User Group scree...

Page 358: ...rms you want to remove it before doing so Activate To turn on an entry select it and click Activate Make sure that Enable Configuration Provisioning is also selected Inactivate To turn off an entry select it and click Inactivate Move Use Move to reorder a selected entry Select an entry click Move type the number where the entry should be moved press ENTER then click Apply Status This icon shows if...

Page 359: ...ode Steps 1 2 IKE SA Proposal The USG sends one or more proposals to the remote IPSec router In some devices you can only set up one proposal Each proposal consists of an encryption algorithm authentication algorithm and DH key group that the USG wants to use in the IKE SA The remote IPSec router selects an acceptable proposal and sends the accepted proposal back to the USG If the remote IPSec rou...

Page 360: ...lish a shared secret The shared secret is then used to generate encryption keys for the IKE SA and IPSec SA In main mode this is done in steps 3 and 4 as illustrated next Figure 234 IKE SA Main Negotiation Mode Steps 3 4 DH Key Exchange DH public key cryptography is based on DH key groups Each key group is a fixed number of bits long The longer the key the more secure the encryption but also the l...

Page 361: ...of them must store two sets of information one for themselves and one for the other router Local ID type and content refers to the ID type and content that applies to the router itself and peer ID type and content refers to the ID type and content that applies to the other router Note The USG s local and peer ID type and content must match the remote IPSec router s peer and local ID type and conte...

Page 362: ... router generate an encryption key from the shared secret encrypt their identities and exchange their encrypted identity information for authentication In contrast aggressive mode only takes three steps to establish an IKE SA Aggressive mode does not provide as much security because the identity of the USG and the identity of the remote IPSec router are not encrypted It is usually used in remote a...

Page 363: ... depending on the standard s the USG and remote IPSec router support X Auth Extended Authentication X Auth Extended authentication is often used when multiple IPSec routers use the same VPN tunnel to connect to a single IPSec router For example this might be used with telecommuters In extended authentication one of the routers the USG or the remote IPSec router provides a user name and password to...

Page 364: ...e remote IPSec router may be called the remote policy Active Protocol The active protocol controls the format of each packet It also specifies how much of each packet is protected by the encryption and authentication algorithms IPSec VPN includes two active protocols AH Authentication Header RFC 2402 and ESP Encapsulating Security Payload RFC 2406 Note The USG and remote IPSec router must use the ...

Page 365: ...n IPSec SA is established This is called Perfect Forward Secrecy PFS If you enable PFS the USG and remote IPSec router perform a DH key exchange every time an IPSec SA is established changing the root key from which encryption keys are generated As a result if one encryption key is compromised other encryption keys remain secure If you do not enable PFS the USG and remote IPSec router use the same...

Page 366: ...kets from computers that are not part of the specified local network local policy through the IPSec SA For example in Figure 238 on page 366 you have to configure this kind of translation if you want computer M to establish a connection with any computer in the remote network B If you do not configure it the remote IPSec router may not route messages for computer M through the IPSec SA because com...

Page 367: ...the way it checks rules for a security policy The first part of these rules define the conditions in which the rule apply Original IP the original destination address the remote network B Protocol the protocol TCP UDP or both used by the service requesting the connection Original Port the original destination port or range of destination ports in Figure 238 on page 366 it might be port 25 for SMTP...

Page 368: ...s or upload a custom logo to be displayed on the remote user screen Use the VPN SSL VPN SecuExtender screen see Section 22 4 on page 375 to update and check the current and latest version of the Security Extender 22 1 2 What You Need to Know Full Tunnel Mode In full tunnel mode a virtual connection is created for remote users with private IP addresses in the same subnet as the local network This a...

Page 369: ...eSecurity com website where there is guidance on configuration walkthroughs troubleshooting and other information Figure 241 VPN SSL VPN Access Privilege Table 143 Objects OBJECT TYPE OBJECT SCREEN DESCRIPTION User Accounts User Account User Group Configure a user account or user group to which you want to apply this SSL access policy Application SSL Application Configure an SSL application object...

Page 370: ...vate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Move To move an entry to a different number in the list click the Move icon In the field that appears specify the number to which you want to move the interface Object References Select an entry and click Object References to open a screen that shows which settings use the entry Cli...

Page 371: ...ollowing table describes the labels in this screen Table 145 VPN SSL VPN Access Privilege Add Edit LABEL DESCRIPTION Create new Object Use to configure any new settings objects that you need to use in this screen Configuration Enable Policy Select this option to activate this SSL access policy ...

Page 372: ...you must enable sharing on the folder and also go to the Network and Sharing Center s Advanced sharing settings and turn on the current network profile s file and printer sharing Network Extension Optional Enable Network Extension Select this option to create a VPN tunnel between the authenticated users and the internal network This allows the users to access the resources on the network as if the...

Page 373: ...ss Objects list and click the right arrow button to add to the Selected Address Objects list You can select more than one network To block access to a network select the network name in the Selected Address Objects list and click the left arrow button OK Click OK to save the changes and return to the main Access Privilege screen Cancel Click Cancel to discard all changes and return to the main Acc...

Page 374: ...ion is established successfully You can enter up to 60 characters 0 9 a z A Z _ with spaces allowed Logout Message Specify a message to display on the screen when a user logs out and the SSL VPN connection is terminated successfully You can enter up to 60 characters 0 9 a z A Z _ with spaces allowed Update Client Virtual Desktop Logo You can upload a graphic logo to be displayed on the web browser...

Page 375: ...ere on the local network Use applications like e mail file transfer and remote desktop programs directly without using a browser For example you can use Outlook for e mail instead of the USG s web based e mail Use applications even proprietary applications for which the USG does not offer SSL application objects The applications must be installed on your computer For example to use the VNC remote ...

Page 376: ...VPN Access Privilege policy substituting your information for the information shown in the following example Using the USG web configurator go to Configuration VPN SSL VPN Access Privilege Add Table 147 Configuration VPN SSL VPN SecuExtender LABEL DESCRIPTION Latest Version This displays the latest version of the USG Security SecuExtender that is available Current Version This displays the current...

Page 377: ...hen create File Sharing and Web Application SSL Application objects Using the USG web configurator go to Configuration Object SSL Application Add and select the Type accordingly Substitute your information for the information shown in the following example Figure 248 Create a File Sharing SSL Application Object ...

Page 378: ...Chapter 22 SSL VPN USG20 W VPN Series User s Guide 378 Create a Web Application SSL Application Object ...

Page 379: ...ing methods Using a supported web browser Once you have successfully logged in through the USG you can access intranet sites web based applications or web based e mails using one of the supported web browsers Using the USG SecuExtender client Once you have successfully logged into the USG if the SSL VPN access policy has network extension enabled the USG automatically loads the USG SecuExtender cl...

Page 380: ...tes The remote user s computer establishes an HTTPS connection to the USG to access the login screen If instructed by your network administrator you must install or import a certificate provided by the USG or your network administrator Finding Out More See Chapter 22 on page 368 for how to configure SSL VPN on the USG 23 2 Remote SSL User Login This section shows you how to access and log into the...

Page 381: ...twork to access network resources Figure 252 Login Screen 4 Your computer starts establishing a secure connection to the USG after a successful login This may take up to two minutes If you get a message about needing Java download and install it and restart your browser and re login If a certificate warning screen displays click OK Yes or Continue Figure 253 Java Needed Message 5 The USG tries to ...

Page 382: ...er Figure 255 SecuExtender Blocked by Internet Explorer 6 The USG tries to run the ssltun application You may need to click something to get your browser to allow this In Internet Explorer click Run Figure 256 SecuExtender Progress 7 Click Next to use the setup wizard to install the SecuExtender client on your computer ...

Page 383: ...uExtender client on your computer Figure 258 Installation Warning 9 The Application screen displays showing the list of resources available to you See Figure 259 on page 384 for a screen example Note Available resource links vary depending on the configuration your network administrator made 23 3 The SSL VPN User Screens This section describes the main elements in the remote user screens ...

Page 384: ... Name field or enter a descriptive name to identify this link Table 148 Remote User Screen Overview DESCRIPTION 1 Click on a menu tab to go to the Application or File Sharing screen 2 Click this icon to log out and terminate the secure connection 3 Click this icon to create a bookmark to the SSL VPN user screen in your web browser 4 Click this icon to display the on line help window 5 Select your ...

Page 385: ...gout Prompt 23 6 SSL User Application Screen Use the Application tab s screen to access web based applications such as web sites and e mail on the network through the SSL VPN connection Which applications you can access depends on the USG s configuration The Name field displays the descriptive name for an application The Type field displays wether the application is a web site Web Server or web ba...

Page 386: ... Access a folder Open a file if your web browser cannot open the file you are prompted to download it Save a file to your computer Create a new folder Rename a file or folder Delete a file or folder Upload a file Note Available actions you can perform in the File Sharing screen vary depending on the rights granted to you on the file server 23 7 1 The Main File Sharing Screen The first File Sharing...

Page 387: ...he web browser and the associated application is installed on your computer 1 Log in as a remote user and click the File Sharing tab 2 Click on a file share icon 3 If an access user name and password are required a screen displays as shown in the following figure Enter the account information and click Login to continue Figure 264 File Sharing Enter Access User Name and Password ...

Page 388: ... on a doc file to open the Word document Figure 265 File Sharing Open a Word File 23 7 3 Downloading a File You are prompted to download a file which cannot be opened using a web browser Follow the on screen instructions to download and save the file to your computer Then launch the associated application to open the file 23 7 4 Saving a File After you have opened a file in a web browser you can s...

Page 389: ...e New Folder icon Specify a descriptive name for the folder You can enter up to 356 characters Then click Add Note Make sure the length of the folder name does not exceed the maximum allowed on the file server Figure 267 File Sharing Create a New Folder 23 7 6 Renaming a File or Folder To rename a file or folder select a file or folder and click the Rename icon Figure 268 File Sharing Rename ...

Page 390: ...gure 269 File Sharing Rename 23 7 7 Deleting a File or Folder Click the Delete icon next to a file or folder to remove it 23 7 8 Uploading a File Follow the steps below to upload a file to the file server 1 Log into the remote user screen and click the File Sharing tab 2 Click Upload and specify the location and or name of the file you want to upload Or click Browse to locate it 3 Click OK to send...

Page 391: ...Chapter 23 SSL User Screens USG20 W VPN Series User s Guide 391 Note Uploading a file with the same name and file extension replaces the existing file on the file server No warning message is displayed ...

Page 392: ... objects The applications must be installed on your computer For example to use the VNC remote desktop program you must have the VNC client installed on your computer 24 1 The USG SecuExtender Icon The USG SecuExtender icon color indicates the SSL VPN tunnel s connection status Figure 271 USG SecuExtender Icon Green the SSL VPN tunnel is connected You can connect to the SSL application and network...

Page 393: ...its corresponding IP address and vice versa The DNS server is extremely important because without it you must know the IP address of a computer before you can access it Your computer uses the DNS server specified here to resolve domain names for resources you access through the SSL VPN connection WINS Server 1 2 These are the IP addresses of the WINS Windows Internet Naming Service and backup WINS...

Page 394: ...nt DETAIL Build Datetime Feb 24 2009 10 25 07 2009 03 12 13 35 50 SecuExtender Agent DEBUG rasphone pbk C Documents and Settings 11746 rasphone pbk 2009 03 12 13 35 50 SecuExtender Agent DEBUG SecuExtender log C Documents and Settings 11746 SecuExtender log 2009 03 12 13 35 50 SecuExtender Agent DETAIL Check Parameters 2009 03 12 13 35 50 SecuExtender Agent DETAIL Connect to 172 23 31 19 443 10444...

Page 395: ...r 24 USG SecuExtender Windows USG20 W VPN Series User s Guide 395 Figure 274 Uninstalling the USG SecuExtender Confirmation 3 Windows uninstalls the USG SecuExtender Figure 275 USG SecuExtender Uninstallation ...

Page 396: ...50 to configure the USG s L2TP VPN settings 25 1 2 What You Need to Know The Layer 2 Tunneling Protocol L2TP works at layer 2 the data link layer to tunnel network traffic between two peers over another network like the Internet In L2TP VPN an IPSec VPN tunnel is established first and then an L2TP tunnel is built inside it See Chapter 21 on page 333 for information on IPSec VPN IPSec Configuration...

Page 397: ...to create a policy route to send that traffic from the L2TP tunnels out through a WAN trunk This task can be easily performed by clicking the Allow L2TP traffic through WAN checkbox at Quick Setup VPN Setup Allow L2TP traffic through WAN Figure 277 Policy Route for L2TP VPN 25 2 L2TP VPN Screen Click Configuration VPN L2TP VPN to open the following screen Use this screen to configure the USG s L2T...

Page 398: ...ge 396 Note Modifying this VPN connection or the VPN gateway that it uses disconnects any existing L2TP VPN sessions IP Address Pool Select the pool of IP addresses that the USG uses to assign to the L2TP VPN clients Use Create new Object if you need to configure a new pool of IP addresses This should not conflict with any WAN LAN DMZ or WLAN subnet even if they are not in use Authentication Metho...

Page 399: ...d password on the USG to log in Keep Alive Timer The USG sends a Hello message after waiting this long without receiving any traffic from the remote user The USG disconnects the VPN tunnel if the remote user does not respond First DNS Server Second DNS Server Specify the IP addresses of DNS servers to assign to the remote users You can specify these IP addresses two ways Custom Defined enter a sta...

Page 400: ...Chapter 25 L2TP VPN USG20 W VPN Series User s Guide 400 4 Select the NAT router WAN IP address object as the Local Policy 5 Go to Configuration VPN L2TP VPN and select the VPN Connection just configured ...

Page 401: ...se a service make sure both the security policy allow the service s packets to go through the USG Note The USG checks security policies before it checks bandwidth management rules for traffic going through the USG Bandwidth management examines every TCP and UDP connection passing through the USG Then you can specify by port whether or not the USG continues to route the connection BWM Type The USG ...

Page 402: ... the need to negotiate paths or remember state information for every flow In addition applications do not have to request a particular service or give advanced notice of where the traffic is going Connection and Packet Directions Bandwidth management looks at the connection direction that is from which interface the connection was initiated and to which interface the connection is going A connecti...

Page 403: ... LAN1 so outbound means the traffic traveling from the LAN1 to the WAN Each of the WAN zone s two interfaces can send the limit of 200 kbps of traffic Inbound traffic is limited to 500 kbs The connection initiator is on the LAN1 so inbound means the traffic traveling from the WAN to the LAN1 Figure 280 LAN1 to WAN Outbound 200 kbps Inbound 500 kbps Bandwidth Management Priority The USG gives bandw...

Page 404: ...to WAN policies for FTP servers A and B Each server tries to send 1000 kbps but the WAN is set to a maximum outgoing speed of 1000 kbps You configure policy A for server A s traffic and policy B for server B s traffic Figure 281 Bandwidth Management Behavior Configured Rate Effect In the following table the configured rates total less than the available bandwidth and maximize bandwidth usage is di...

Page 405: ... B gets almost no bandwidth with this configuration 26 2 The Bandwidth Management Screen The Bandwidth management screens control the bandwidth allocation for TCP and UDP traffic You can use source interface destination interface destination port schedule user source destination information DSCP code and service type as criteria to create a sequence of specific conditions similar to the sequence o...

Page 406: ...able for the default bandwidth management policy Priority This field displays a sequential value for each bandwidth management policy and it is not associated with a specific setting This field displays default for the default bandwidth management policy Description This field displays additional information about this policy BWM Type This field displays the below types of BWM Shared when the poli...

Page 407: ... management for the inbound traffic Out This is how much outgoing bandwidth in kilobits per second this policy allows the matching traffic to use Outbound refers to the traffic the USG sends out from a connection s initiator If no displays here this policy does not apply bandwidth management for the outbound traffic Pri This is the priority for the incoming the first Pri value or outgoing the seco...

Page 408: ...he Add icon or an Edit icon Figure 283 Configuration Bandwidth Management Edit For the Default Policy Table 156 Single Tagged 802 1Q Frame Format DA SA TPID Priority VID Len Etype Data FCS IEEE 802 1Q customer tagged frame Table 157 802 1Q Frame DA Destination Address Priority 802 1p Priority SA Source Address Len Etype Length and type of Ethernet frame TPID Tag Protocol IDentifier Data Frame data...

Page 409: ... Edit LABEL DESCRIPTION Create new Object Use to configure any new settings objects that you need to use in this screen Configuration Enable Select this check box to turn on this policy Description Enter a description of this policy It is not used elsewhere You can use alphanumeric and _ characters and it can be up to 60 characters long Criteria Use this section to configure the conditions of traf...

Page 410: ... the number the higher the priority with the exception of 0 which is usually given only best effort treatment any means all DSCP value or no DSCP marker default means traffic with a DSCP value of 0 This is usually best effort traffic The af choices stand for Assured Forwarding The number following the af identifies one of four classes and one of three drop preferences User Defined DSCP Code Use th...

Page 411: ...ffic with a lower priority The USG uses a fairness based round robin scheduler to divide bandwidth between traffic flows with the same priority The number in this field is ignored if the incoming and outgoing limits are both set to 0 In this case the traffic is automatically treated as being set to the lowest priority 7 regardless of this field s configuration Maximize Bandwidth Usage This field d...

Page 412: ... Address objects Click Configuration BWM Add Create New Object Add User to see the following screen Figure 285 Configuration BWM Create New Object Add User The following table describes the fields in the above screen Table 160 Configuration BWM Create New Object Add User LABEL DESCRIPTION User Name Type a user or user group object name of the rule User Type Select a user type from the drop down me...

Page 413: ...d it can be up to 60 characters long Authentication Timeout Settings Choose either Use Default setting option which shows the default Lease Time of 1 440 minutes and Reauthentication Time of 1 440 minutes or you can enter them manually by choosing Use Manual Settings option Lease Time This shows the Lease Time setting for the user by default it is 1 440 minutes Reauthentication Time This shows the...

Page 414: ... the schedule object of the rule Type Select an option from the drop down menu for the schedule object It will show One Time or Recurring Start Date Click the icon menu on the right to choose a Start Date for the schedule object Start Time Click the icon menu on the right to choose a Start Time for the schedule object Stop Date Click the icon menu on the right to choose a Stop Date for schedule ob...

Page 415: ...iguration BWM Create New Object Add Address LABEL DESCRIPTION Name Enter a name for the Address object of the rule Address Type Select an Address Type from the drop down menu on the right The Address Types are Host Range Subnet Interface IP Interface Subnet and Interface Gateway IP Address Enter an IP address for the Address object OK Click OK to save the setting Cancel Click Cancel to abandon the...

Page 416: ...s to specific categories of web site content You can create different content filter policies for different addresses schedules users or groups and content filter profiles For example you can configure one policy that blocks John Doe s access to arts and entertainment web pages during the workday and another policy that lets him access them after work Content Filtering Policies A content filtering...

Page 417: ...egorized based on content You can have the USG block block and or log access to web sites based on these categories Keyword Blocking URL Checking The USG checks the URL s domain name or IP address and file path separately when performing keyword blocking The URL s domain name or IP address is the characters that come before the first slash in the URL For example with the URL www zyxel com tw news ...

Page 418: ...e on configuration walkthroughs troubleshooting and other information Figure 288 Configuration UTM Profile Content Filter Profile The following table describes the labels in this screen Table 163 Configuration UTM Profile Content Filter Profile LABEL DESCRIPTION General Settings Enable Content Filter Report Service Select this check box to have the USG collect category based content filtering stat...

Page 419: ...ntent filter profile rule Description This column lists the description of the content filter profile rule Reference This displays the number of times an Object Reference is used in a rule License Status This read only field displays the status of your content filtering database service registration Not Licensed displays if you have not successfully registered and activated the service Expired dis...

Page 420: ...USG20 W VPN Series User s Guide 420 27 3 Content Filter Profile Add or Edit Screen Click Configuration UTM Content Filter Profile Add or Edit to open the Add Filter Profile screen Configure Category Service and Custom Service tabs ...

Page 421: ...Chapter 27 Content Filtering USG20 W VPN Series User s Guide 421 27 3 1 Content Filter Add Profile Category Service Figure 289 Content Filter Profile Add Filter Profile Category Service ...

Page 422: ... You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Description Enter a description for the content filtering profile rule to help identify the purpose of rule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive This field is opt...

Page 423: ...e Select Warn to display a warning message before allowing users to access any requested web page if the external content filtering database is unavailable The following are possible causes for the external content filtering server not being available There is no response from the external content filtering server within the time period specified in the Content Filter Server Unavailable Timeout fi...

Page 424: ... When the content filter is active you should see the web page s category The query fails if the content filter is not active If you think the category is incorrect Click this link to see the category recorded in the USG s content filtering database for the web page you specified if the database has an entry for it Test Against Content Filter Category Server Click this button to see the category r...

Page 425: ...example www tfam museum www lksf org www 1980 org tw Entertainment Sites related to television movies music and video including video on demand such as program guides celebrity sites and entertainment news For example www ctitv com tw www hboasia com www startv com tw Fashion Beauty Sites concerning fashion jewelry glamour beauty modeling cosmetics or related products or services Includes product ...

Page 426: ... logging in to instant messaging services such as ICQ AOL Instant Messenger IRC MSN Jabber Yahoo Messenger and the like For example www meebo com www aim com www ebuddy com Job Search Sites containing job listings career information assistance with job searches such as resume writing interviewing tips etc employment agencies or head hunters For example www 104 com tw www 1111 com tw www yes123 com...

Page 427: ...ite yellow pages For example tw yahoo com www pchome com tw www google com tw Sex Education Sites relating to sex education including subjects such as respect for partner abortion gay and lesbian lifestyle contraceptives sexually transmitted diseases and pregnancy For example apps rockyou com www howmama com tw www mombaby com tw Shopping Sites for online shopping catalogs online ordering auctions...

Page 428: ...entals Includes regional or city information sites For example www startravel com tw taipei grand hyatt com tw www car plus com tw Unknown Unknown For example www 669 com tw www appleballoon com tw www uimco com tw Violence Sites that contain images or text depicting or advocating physical assault against humans animals or institutions Sites of a particularly gruesome nature such as shocking depic...

Page 429: ...phanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Description Enter a description for the content filtering profile rule to help identify the purpose of rule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive This field is optional Enable Custom ...

Page 430: ...ovide security administrative control and caching service When a proxy server is located on the WAN it is possible for LAN users to circumvent content filtering by pointing to this proxy server Allow Java ActiveX Cookies Web proxy to trusted web sites When this box is selected the USG will permit Java ActiveX and Cookies from sites on the Trusted Web Sites list to the LAN In certain cases it may b...

Page 431: ...7 characters 0 9a z The casing does not matter can be used as a wildcard to match any string The entry must contain at least one or it will be invalid Blocked URL Keywords This section allows you to block Web sites with URLs that contain certain keywords in the domain name or IP address Add Click this to create a new entry Edit Select an entry and click this to be able to modify it Remove Select a...

Page 432: ... you want to allow access to regardless of their content rating can be allowed by adding them to this list Add Click this to create a new entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it This displays the index number of the trusted web sites Trusted Web Site This column displays the trusted web sites already added Enter host name...

Page 433: ...Add Click this to create a new entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it This displays the index number of the forbidden web sites Forbidden Web Sites This list displays the forbidden web sites already added Enter host names such as www bad site com into this text field Do not enter the complete URL of the site that is do n...

Page 434: ...ter Cache screen to configure how long a web site address remains in the cache as well as view those web site addresses All of the web site address records are also cleared from the local cache when the USG restarts 4 If the USG has no record of the web site it queries the external content filter database and simultaneously sends the request to the web server 5 The external content filter server s...

Page 435: ... uses a specified header field and header value as being legitimate see E mail Headers on page 436 for more on mail headers The anti spam feature checks an e mail against the white list entries before doing any other anti spam checking If the e mail matches a white list entry the USG classifies the e mail as legitimate and does not perform any more anti spam checking on that individual e mail A pr...

Page 436: ...ey The body is the actual message text and any attachments You can have the USG check for specific header fields with specific values E mail programs usually only show you the To From Subject and Date header fields but there are others such as Received and Content Type To see all of an e mail s header you can select an e mail in your e mail program and look at its properties or details For example...

Page 437: ...l Settings Action taken when mail sessions threshold is reached An e mail session is when an e mail client and e mail server or two e mail servers connect through the USG Select how to handle concurrent e mail sessions that exceed the maximum number of concurrent e mail sessions that the anti spam feature can handle See the chapter of product specifications for the threshold Select Forward Session...

Page 438: ...e This shows how many objects are referenced in the rule License License Status This read only field displays the status of your anti spam scanning service registration Not Licensed displays if you have not successfully registered and activated the service Expired displays if your subscription to the service has expired Licensed displays if you have successfully registered the USG and activated th...

Page 439: ...annot be a number This value is case sensitive This field is optional Log Select how the USG is to log the event when the DNSBL times out or an e mail matches the white list black list or DNSBL no Do not create a log log Create a log on the USG log alert An alert is an e mailed log for more serious events that may need more immediate attention Select this option to have the USG send an alert Scan ...

Page 440: ... DNSBL domains The USG classifies e mail that matches a DNS black list as spam Actions for Spam Mail Use this section to set how the USG is to handle spam mail SMTP Select how the USG is to handle spam SMTP mail Select drop to discard spam SMTP mail Select forward to allow spam SMTP mail to go through Select forward with tag to add a spam tag to an SMTP spam mail s mail subject and send it on to t...

Page 441: ...etermined by the sender s IP address Mail Content Analysis Enable Mail Content Analysis Select this to identify Spam Email by content such as malicious content Mail Content Spam Tag Enter a message or label up to 15 ASCII characters to add to the beginning of the mail subject of e mails that are determined to spam based on the mail content analysis This tag is only added if the anti spam policy is...

Page 442: ...s determined to have an attached virus Query Timeout Settings SMTP Select how the USG is to handle SMTP mail query timeout Select drop to discard SMTP mail Select forward to allow SMTP mail to go through Select forward with tag to add a tag to an SMTP query timeout mail s mail subject and send it on to the destination POP3 Select how the USG is to handle POP3 mail query timeout Select forward to a...

Page 443: ... match the USG s spam black list Rule Summary Add Click this to create a new entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Status The activate light bulb icon is lit when the entry is active and dimmed when t...

Page 444: ...cific content in the subject line Select IP Address to have the USG check e mail for a specific source or relay IP address Select IPv6 Address to have the USG check e mail for a specific source or relay IPv6 address Select E Mail Address to have the USG check e mail for a specific source e mail address or domain name Select Mail Header to have the USG check e mail for specific header fields and va...

Page 445: ... the Anti Spam White List screen Configure the white list to identify legitimate e mail You can create white list entries based on the sender s or relay s IP address or e mail address You can also create entries that check for particular header fields and values or specific subject text Mail Header Field Name This field displays when you select the Mail Header type Type the name part of an e mail ...

Page 446: ... Section 28 5 1 on page 444 for details Edit Select an entry and click this to be able to modify it See Section 28 5 1 on page 444 for details Remove Select an entry and click this to delete it Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Status The activate light bulb icon is lit when the entry is active and dimmed when t...

Page 447: ...figuration UTM Profile Anti Spam DNSBL to display the anti spam DNSBL screen Use this screen to configure the USG to check the sender and relay IP addresses in e mail headers against DNS Domain Name Service based spam Black Lists DNSBLs Figure 300 Configuration UTM Profile Anti Spam DNSBL ...

Page 448: ...er that forwarded the mail Select last N IPs to have the USG start checking from the last IP address in the mail header This is the IP of the last server that forwarded the mail Query Timeout Setting SMTP Select how the USG is to handle SMTP mail mail going to an e mail server if the queries to the DNSBL domains time out Select drop to discard SMTP mail Select forward to allow SMTP mail to go thro...

Page 449: ... USG does not wait for any more DNSBL replies If the USG receives at least one non spam reply for each of an e mail s routing IP addresses the USG immediately classifies the e mail as legitimate and forwards it Any further DNSBL replies that come after the USG classifies an e mail as spam or legitimate have no effect The USG records DNSBL responses for IP addresses in a cache for up to 72 hours Th...

Page 450: ...es that IP address a a a a does not match any entries in its list not spam 3 DNSBL C replies that IP address b b b b matches an entry in its list 4 The USG immediately classifies the e mail as spam and takes the action for spam that you defined in the anti spam policy In this example it was an SMTP mail and the defined action was to drop the mail The USG does not wait for any more DNSBL replies He...

Page 451: ...d d d does not match any entries in its list not spam 3 DNSBL C replies that IP address c c c c does not match any entries in its list not spam 4 Now that the USG has received at least one non spam reply for each of the e mail s routing IP addresses the USG immediately classifies the e mail as legitimate and forwards it The USG does not wait for any more DNSBL replies If the USG receives conflicti...

Page 452: ...L A replies that IP address a b c d does not match any entries in its list not spam 3 While waiting for a DNSBL reply about IP address w x y z the USG receives a reply from DNSBL B saying IP address a b c d is in its list 4 The USG immediately classifies the e mail as spam and takes the action for spam that you defined in the anti spam policy In this example it was an SMTP mail and the defined act...

Page 453: ...ace PPPoE PPTP interface and VPN tunnel can be assigned to at most one zone Virtual interfaces are automatically assigned to the same zone as the interface on which they run Figure 304 Example Zones Use the Zone screens see Section 29 7 2 on page 498 to manage the USG s zones 29 1 1 What You Need to Know Zones effectively divide traffic into three types intra zone traffic inter zone traffic and ex...

Page 454: ...lick Configuration Object Zone Figure 305 Configuration Object Zone The following table describes the labels in this screen Table 176 Configuration Object Zone LABEL DESCRIPTION User Configuration System Default The USG comes with pre configured System Default zones that you cannot delete You can create your own User Configuration zones Add Click this to create a new user configured zone Edit Doub...

Page 455: ...r accounts Table 177 Configuration Object Zone Add Edit LABEL DESCRIPTION Name For a system default zone the name is read only For a user configured zone type the name used to refer to the zone You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Member List Available lists the interfaces and VPN tunnels that do no...

Page 456: ...on and services in the USG User Types These are the types of user accounts the USG uses Note The default admin account is always authenticated locally regardless of the authentication method setting See Chapter 29 on page 511 for more information about authentication methods Ext User Accounts Set up an ext user account if the user is authenticated by an external server and you want to set up speci...

Page 457: ...n 29 8 5 1 on page 506 for more on the group membership attribute User Groups User groups may consist of user accounts or other user groups Use user groups when you want to create the same rule for several user accounts instead of creating separate rules for each one Note You cannot put access users and admin users in the same user group Note You cannot put the default admin account into any user ...

Page 458: ...try and click Object References to open a screen that shows which settings use the entry This field is a sequential value and it is not associated with a specific user User Name This field displays the user name of each user User Type This field displays the types of user accounts the USG uses admin this user can look at and change the configuration of the USG limited admin this user can look at t...

Page 459: ...ou enter a user bob but use BOB when connecting via CIFS or FTP it will use the account settings used for BOB not bob User names have to be different than user group names Here are the reserved user names To access this screen go to the User screen see Section 29 2 2 on page 458 and click either the Add icon or an Edit icon Figure 308 Configuration Object User Group User Add adm admin any bin daem...

Page 460: ... a ext group user type user account Select the AAA server to use to authenticate this account s users Description Enter the description of each user if any You can use up to 60 printable ASCII characters Default descriptions are provided Authentication Timeout Settings If you want the system to use default settings select Use Default Settings If you want to set authentication timeout to a value ot...

Page 461: ...s back to the USG Cancel Click Cancel to exit this screen without saving your changes Table 180 Configuration Object User Group User Add continued LABEL DESCRIPTION Table 181 Configuration Object User Group Group LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove a...

Page 462: ...s underscores _ or dashes but the first character cannot be a number This value is case sensitive User group names have to be different than user names Description Enter the description of the user group if any You can use up to 60 characters punctuation marks and spaces Member List The Member list displays the names of the users and user groups that have been added to the user group The order of ...

Page 463: ...Timeout Settings These authentication timeout settings are used by default when you create a new user account They also control the settings for any existing user accounts that are set to use the default settings You can still manually configure any user account s authentication timeout settings Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry ...

Page 464: ...ut logging out Miscellaneous Settings Allow renewing lease time automatically Select this check box if access users can renew lease time automatically as well as manually simply by selecting the Updating lease time automatically check box on their screen Enable user idle detection This is applicable for access users Select this check box if you want the USG to monitor how long each access user is ...

Page 465: ...t User Lockout Settings Enable logon retry limit Select this check box to set a limit on the number of times each user can login unsuccessfully for example wrong password before the IP address is locked out for a specified amount of time Maximum retry count This field is effective when Enable logon retry limit is checked Type the maximum number of times each user can login unsuccessfully before th...

Page 466: ... group user this user account is maintained in a remote server such as RADIUS or LDAP See Ext Group User Accounts on page 457 for more information about this type Lease Time Enter the number of minutes this type of user account has to renew the current session before the user is logged out You can specify 1 to 1440 minutes You can enter 0 to make the number of minutes unlimited Admin users renew t...

Page 467: ...time remaining before the USG automatically logs them out The USG sets this amount of time according to the User defined lease time field in this screen Lease time field in the User Add Edit screen see Section 29 2 5 1 on page 468 Lease time field in the Setting screen see Section 29 2 4 on page 462 Updating lease time automatically This box appears if you checked the Allow renewing lease time aut...

Page 468: ...acturers of wireless clients using MAC authentication with the USG local user database Description This field displays a description of the device identified by the MAC address or OUI Table 186 Configuration Object User Group MAC Address continued LABEL DESCRIPTION Table 187 Configuration Object User Group MAC Address Add LABEL DESCRIPTION MAC Address OUI Type the MAC address six hexadecimal numbe...

Page 469: ... Section 29 3 1 on page 470 creates radio configurations that can be used by the APs The SSID screen Section 29 3 2 on page 476 configures three different types of profiles for your networked APs 29 3 0 1 What You Need To Know The following terms and concepts may help as you read this section Wireless Profiles At the heart of all wireless AP configurations on the USG are profiles A profile represe...

Page 470: ...Set with which a wireless station is associated Wireless stations associating to the access point AP must have the same SSID In other words it is the name of the wireless network that clients use to connect to it WEP WEP Wired Equivalent Privacy encryption scrambles all data packets transmitted between the AP and the wireless stations associated with it in order to keep network communications priv...

Page 471: ...urn off an entry select it and click Inactivate Object Reference Click this to view which other objects are linked to the selected radio profile This field is a sequential value and it is not associated with a specific profile Status This icon is lit when the entry is active and dimmed when the entry is inactive Profile Name This field indicates the name assigned to the radio profile Frequency Ban...

Page 472: ...igure 319 Configuration Object AP Profile Add Edit Radio Profile The following table describes the labels in this screen Table 190 Configuration Object AP Profile Add Edit Radio Profile LABEL DESCRIPTION Hide Show Advanced Settings Click this to hide or show the Advanced Settings in this window Create New Object Select an item from this menu to create a new object of that type Any objects created ...

Page 473: ...n Select the wireless channel which this radio profile should use Select DCS to have the AP automatically select the radio channel upon which it broadcasts by scanning the area around it and determining what channels are currently being used by other devices Select Manual and specify the channels the AP uses It is recommended that you choose the channel least in use by other APs in the region wher...

Page 474: ...and field Select this if your APs are operating in an area known to have RADAR devices This allows the device to downgrade its frequency to below 5 GHz in the event a RADAR signal is detected thus preventing it from interfering with that signal Enabling this forces the AP to select a non DFS channel 5 GHz Channel Selection Method This shows auto and allows the AP to search for available channels a...

Page 475: ...s receive good throughput This allows only wireless clients with a strong signal to connect to the AP Clear the check box to not require wireless clients to have a minimum signal strength to connect to the AP Station Signal Threshold Set a minimum client signal strength A wireless client is allowed to connect to the AP only when its signal strength is stronger than the specified threshold 20 dBm i...

Page 476: ...Object AP Profile SSID Note You can have a maximum of 32 SSID profiles on the USG Figure 320 Configuration Object AP Profile SSID SSID List The following table describes the labels in this screen OK Click OK to save your changes back to the USG Cancel Click Cancel to exit this screen without saving your changes Table 190 Configuration Object AP Profile Add Edit Radio Profile continued LABEL DESCRI...

Page 477: ...ued LABEL DESCRIPTION Table 192 Configuration Object AP Profile SSID Add Edit SSID Profile LABEL DESCRIPTION Create new Object Select an object type from the list to create a new one associated with this SSID profile Profile Name Enter up to 31 alphanumeric characters for the profile name This name is only visible in the Web Configurator and is only for management purposes Spaces and underscores a...

Page 478: ...es that do not require the best bandwidth throughput such as surfing the Internet WMM_BACKGROUND All wireless traffic to the SSID is tagged as low priority or background traffic meaning all other access categories take precedence over this one If traffic from an SSID does not have strict throughput requirements then this access category is recommended For example an SSID that only has network prin...

Page 479: ... Profile SSID Security List The following table describes the labels in this screen Table 193 Configuration Object AP Profile SSID Security List LABEL DESCRIPTION Add Click this to add a new security profile Edit Click this to edit the selected security profile Remove Click this to remove the selected security profile Object Reference Click this to view which other objects are linked to the select...

Page 480: ...ile SSID Security Profile Add Edit Security Profile The following table describes the labels in this screen Table 194 Configuration Object AP Profile SSID Security Profile Add Edit Security Profile LABEL DESCRIPTION Profile Name Enter up to 31 alphanumeric characters for the profile name This name is only visible in the Web Configurator and is only for management purposes Spaces and underscores ar...

Page 481: ...per or lower the external server requires for letters in the calling station MAC addresses 802 1X Select this to enable 802 1x secure authentication Auth Method This field is available only when you set the RADIUS server type to Internal Select an authentication method if you have created any in the Configuration Object Auth Method screen ReAuthenticatio n Timer Enter the interval in seconds betwe...

Page 482: ...ntication Enable or Disable pre authentication to allow the AP to send authentication information to other APs on the network allowing connected wireless clients to switch APs without having to re authenticate their network connection Management Frame Protection This field is available only when you select wpa2 or wpa2 mix in the Security Mode field and set Cipher Type to aes Data frames in 802 11...

Page 483: ... in this screen Table 195 Configuration Object AP Profile SSID MAC Filter List LABEL DESCRIPTION Add Click this to add a new MAC filtering profile Edit Click this to edit the selected MAC filtering profile Remove Click this to remove the selected MAC filtering profile Object Reference Click this to view which other objects are linked to the selected MAC filtering profile for example SSID profile T...

Page 484: ... Select allow to permit the wireless client with the MAC addresses in this profile to connect to the network through the associated SSID select deny to block the wireless clients with the specified MAC addresses Add Click this to add a MAC address to the profile s list Edit Click this to edit the selected MAC address in the profile s list Remove Click this to remove the selected MAC address from t...

Page 485: ...can is performed when an 802 11 compatible wireless monitoring device is explicitly triggered to scan a specified channel or number of channels for other wireless devices broadcasting on the 802 11 frequencies by sending probe request frames Passive Scan A passive scan is performed when an 802 11 compatible monitoring device is set to periodically listen to a specified channel or number of channel...

Page 486: ...de profile Remove Click this to remove the selected monitor mode profile Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Object Reference Click this to view which other objects are linked to the selected monitor mode profile for example an AP management profile This field is a sequential value and it is not associated with a ...

Page 487: ...s before the AP switches to another channel for monitoring Scan Channel Mode Select auto to have the AP switch to the next sequential channel once the Channel dwell time expires Select manual to set specific channels through which to cycle sequentially when the Channel dwell time expires Selecting this options makes the Scan Channel List options available Country Code Select the country where the ...

Page 488: ...sed to create maintain and remove addresses There are the types of address objects HOST a host address is defined by an IP Address RANGE a range address is defined by a Starting IP Address and an Ending IP Address SUBNET a network address is defined by a Network IP address and Netmask subnet mask The Address screen provides a summary of all addresses in the USG To access this screen click Configur...

Page 489: ...ick an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The USG confirms you want to remove it before doing so Object References Select an entry and click Object References to open a screen that shows which settings use the entry This field is a sequential value and it is not associated with a specific address Name Thi...

Page 490: ...ally updates the corresponding interface based LAN subnet address object IP Address This field is only available if the Address Type is HOST This field cannot be blank Enter the IP address that this address object represents Starting IP Address This field is only available if the Address Type is RANGE This field cannot be blank Enter the beginning of the range of IP addresses that this address obj...

Page 491: ... before doing so Object References Select an entry and click Object References to open a screen that shows which settings use the entry This field is a sequential value and it is not associated with a specific address group Name This field displays the name of each address group Description This field displays the description of each address group if any Reference This displays the number of times...

Page 492: ...r the address group You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Description This field displays the description of each address group if any You can use up to 60 characters punctuation marks and spaces Member List The Member list displays the names of the address and address group objects that have been ad...

Page 493: ... UDP use ports to identify the source and destination Each port is a 16 bit number Some port numbers have been standardized and are used by low level system processes many others have no particular meaning Unlike TCP and UDP Internet Control Message Protocol ICMP IP protocol 1 is mainly used to send error messages or to investigate problems For example ICMP is used to send the response if a comput...

Page 494: ...and click either the Add icon or an Edit icon Figure 333 Configuration Object Service Service Edit Table 203 Configuration Object Service Service LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The USG confirms you want to remove it before doi...

Page 495: ...rst character cannot be a number This value is case sensitive IP Protocol Select the protocol the service uses Choices are TCP UDP ICMP ICMPv6 and User Defined Starting Port Ending Port This field appears if the IP Protocol is TCP or UDP Specify the port number s used by this service If you fill in one of these fields the service uses that port If you fill in both fields the service uses the range...

Page 496: ...ngs Remove To remove an entry select it and click Remove The USG confirms you want to remove it before doing so Object References Select an entry and click Object References to open a screen that shows which settings use the entry This field is a sequential value and it is not associated with a specific service group Family This field displays the Server Group supported type which is according to ...

Page 497: ...end on a specific stop date and time One time schedules are useful for long holidays and vacation periods Recurring Schedules Recurring schedules begin at a specific start time and end at a specific stop time on selected days of the week Sunday Monday Tuesday Wednesday Thursday Friday and Saturday Recurring Table 206 Configuration Object Service Service Group Edit LABEL DESCRIPTION Name Enter the ...

Page 498: ...s Select an entry and click Object References to open a screen that shows which settings use the entry This field is a sequential value and it is not associated with a specific schedule Name This field displays the name of the schedule which is used to refer to the schedule Start Day Time This field displays the date and time at which the schedule begins Stop Day Time This field displays the date ...

Page 499: ...sed in a profile Table 207 Configuration Object Schedule continued LABEL DESCRIPTION Table 208 Configuration Object Schedule Edit One Time LABEL DESCRIPTION Configuration Name Type the name used to refer to the one time schedule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Date Time StartDate Specify the ye...

Page 500: ...G Cancel Click Cancel to exit this screen without saving your changes Table 208 Configuration Object Schedule Edit One Time continued LABEL DESCRIPTION Table 209 Configuration Object Schedule Edit Recurring LABEL DESCRIPTION Configuration Name Type the name used to refer to the recurring schedule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a n...

Page 501: ...n Object Schedule Schedule Group LABEL DESCRIPTION Configuration Add Click this to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The USG confirms you want to remove it before doing so Object Reference Select an entry and click Object References to open a screen that shows whic...

Page 502: ...use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Description Enter a description of the service group if any You can use up to 60 printable ASCII characters Member List The Member list displays the names of the service and service group objects that have been added to the service group The order of members is not impor...

Page 503: ...rocess is successful the USG checks the user information in the directory against the user name and password pair 4 If it matches the user is allowed access Otherwise access is blocked 29 8 2 RADIUS Server RADIUS Remote Authentication Dial In User Service authentication is a popular protocol used to authenticate users by means of an external server instead of or in addition to an internal device u...

Page 504: ...ser database The USG uses the built in local user database to authenticate administrative users logging into the USG s Web Configurator or network access users logging into the network through the USG You can also use the local user database to authenticate VPN users Directory Service LDAP AD LDAP Lightweight Directory Access Protocol AD Active Directory is a directory service that is both a direc...

Page 505: ...xample o MyCompany c UK where o means organization and c means country Bind DN A bind DN is used to authenticate with an LDAP AD server For example a bind DN of cn zywallAdmin allows the USG to log into the LDAP AD server using the user name of zywallAdmin The bind DN is used in conjunction with a bind password When a bind DN is not specified the USG will try to log in as an anonymous user If the ...

Page 506: ...A Server Active Directory or LDAP LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The USG confirms you want to remove it before doing so Object References Select an entry and click Object References to open a screen that shows...

Page 507: ...Chapter 29 Object USG20 W VPN Series User s Guide 507 Figure 345 Configuration Object AAA Server Active Directory or LDAP Add ...

Page 508: ... AD or LDAP server Enter up to 127 alphanumerical characters For example cn zywallAdmin specifies zywallAdmin as the user name Password If required enter the password up to 15 alphanumerical characters for the USG to bind or log in to the AD or LDAP server Retype to Confirm Retype your new password for confirmation Login Name Attribute Enter the type of identifier the users are to use to log in Fo...

Page 509: ...e versa Configuration Validation Use a user account from the server specified above to test if the configuration is correct Enter the account s user name in the Username field and click Test OK Click OK to save the changes Cancel Click Cancel to discard the changes Table 213 Configuration Object AAA Server Active Directory or LDAP Add continued LABEL DESCRIPTION Table 214 Configuration Object AAA ...

Page 510: ... Add LABEL DESCRIPTION Name Enter a descriptive name up to 63 alphanumerical characters for identification purposes Description Enter the description of each server if any You can use up to 60 printable ASCII characters Server Address Enter the address of the RADIUS server Authentication Port Specify the port number on the RADIUS server to which the USG sends authentication requests Enter a number...

Page 511: ...r authentication fails Search timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down NAS IP Address Type the IP address of the NAS Network Access Server Case sensitive User Names Select this if you want configure your username as case sensitive Key Enter a password up to 15 alphanumeric characters as the key to be shared between the external authen...

Page 512: ...ts Figure 349 Configuration Object Auth Method The following table describes the labels in this screen Table 216 Configuration Object Auth Method LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The USG confirms you want to rem...

Page 513: ... If two accounts with the same username exist on two authentication servers you specify the USG does not continue the search on the second authentication server when you enter the username and password that doesn t match the one on the first authentication server Note You can NOT select two server objects of the same type 7 Click OK to save the settings or click Cancel to discard all changes and r...

Page 514: ...uld look When people know what your signature looks like they can verify whether something was signed by you or by someone else In the same way your private key writes your digital signature and your public key allows people to verify whether data was signed by you or by someone else This process works as follows Remove To remove an entry select it and click Remove The USG confirms you want to rem...

Page 515: ... triple DES encryption algorithm The certification authority uses its private key to sign certificates Anyone can then use the certification authority s public key to verify the certificates A certification path is the hierarchy of certification authority certificates that validate a certificate The USG does not trust a certificate if any certificate on its path has expired or been revoked Certifi...

Page 516: ... certificates The private key in a PKCS 12 file is within a password encrypted envelope The file s password is not connected to your certificate s public or private passwords Exporting a PKCS 12 file creates this and you must provide it to decrypt the contents when you import the file into the USG Note Be careful not to convert a binary file to text during the transfer process It is easy for this ...

Page 517: ...humbprint fields The secure method may very based on your situation Possible examples would be over the telephone or through an HTTPS connection 29 10 3 The My Certificates Screen Click Configuration Object Certificate My Certificates to open the My Certificates screen This is the USG s summary list of certificates and certification requests Figure 353 Configuration Object Certificate My Certifica...

Page 518: ... Object References to open a screen that shows which settings use the entry This field displays the certificate index number The certificates are listed in alphabetical order Name This field displays the name used to identify this certificate It is recommended that you give each certificate a unique name Type This field displays what kind of certificate this is REQ represents a certification reque...

Page 519: ...o the subject information when it issues a certificate It is recommended that each certificate have unique subject information Select a radio button to identify the certificate s owner by IP address domain name or e mail address Type the IP address in dotted decimal notation domain name or e mail address in the field provided The domain name or e mail address is for identification purposes only an...

Page 520: ...elect this to have USG generate and store a request for server authentication certificate Client Authentication Select this to have USG generate and store a request for client authentication certificate IKE Intermediate Select this to have USG generate and store a request for IKE Intermediate authentication certificate Create a self signed certificate Select this to have the USG generate the certi...

Page 521: ...t Screen Click Configuration Object Certificate My Certificates and then the Edit icon to open the My Certificate Edit screen You can use this screen to view in depth certificate information and change the certificate s name Figure 355 Configuration Object Certificate My Certificates Edit ...

Page 522: ...nformation that identifies the owner of the certificate such as Common Name CN Organizational Unit OU Organization O State ST and Country C Issuer This field displays identifying information about the certificate s issuing certification authority such as Common Name Organizational Unit Organization and Country With self signed certificates this is the same as the Subject Name field none displays f...

Page 523: ... a certification authority s web page an e mail that you send to the certification authority or a text editor and save the file on a management computer for later manual enrollment You can copy and paste a certificate into an e mail to send to friends or colleagues or you can copy and paste a certificate into a text editor and save the file on a management computer for later distribution via flopp...

Page 524: ...t any certificate that is signed by one of these certificates Figure 357 Configuration Object Certificate Trusted Certificates Table 221 Configuration Object Certificate My Certificates Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it You cannot import a certificate with the same name as a certificate that is already in...

Page 525: ...want to remove it before doing so Subsequent certificates move up by one when you take this action Object References You cannot delete certificates that any of the USG s features are configured to use Select an entry and click Object References to open a screen that shows which settings use the entry This field displays the certificate index number The certificates are listed in alphabetical order...

Page 526: ...Chapter 29 Object USG20 W VPN Series User s Guide 526 Figure 358 Configuration Object Certificate Trusted Certificates Edit ...

Page 527: ...aracters from the entity maintaining the server usually a certification authority Password Type the password up to 31 ASCII characters from the entity maintaining the OCSP server usually a certification authority LDAP Server Select this check box if the directory server uses LDAP Lightweight Directory Access Protocol LDAP is a protocol over TCP that specifies how clients access directories of cert...

Page 528: ... e mail address EMAIL Key Usage This field displays for what functions the certificate s key can be used For example DigitalSignature means that the key can be used to sign certificates and KeyEncipherment means that the key can be used to encrypt text Basic Constraint This field displays general information about the certificate For example Subject Type CA means that this is a certification autho...

Page 529: ...expired current or unknown response 29 11 ISP Account Overview Use ISP accounts to manage Internet Service Provider ISP account information for PPPoE PPTP interfaces An ISP account is a profile of settings for Internet access using PPPoE or PPTP Use the Object ISP Account screens Section 29 11 1 on page 529 to create and manage ISP accounts in the USG 29 11 1 ISP Account Summary This screen provid...

Page 530: ...ct ISP Account LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The USG confirms you want to remove it before doing so Object References Select an entry and click Object References to open a screen that shows which settings use the entry This f...

Page 531: ...ated with the user name above The password can only consist of alphanumeric characters A Z a z 0 9 This field can be blank Retype to Confirm Type your password again to make sure that you have entered is correctly Server IP If this ISP account uses the PPPoE protocol this field is not displayed If this ISP account uses the PPTP protocol type the IP address of the PPTP server Connection ID This fie...

Page 532: ... to Know Application Types You can configure the following SSL application on the USG Web based A web based application allows remote users to access an intranet site using standard web browsers Remote User Screen Links Available SSL application names are displayed as links in remote user screens Depending on the application type remote users can simply click the links or follow the steps in the p...

Page 533: ...tion for an internal web site The address of the web site is http info with web page encryption 1 Click Configuration Object SSL Application in the navigation panel 2 Click the Add button and select Web Application in the Type field In the Server Type field select Web Server Enter a descriptive name in the Display Name field For example CompanyIntranet In the URLAddress field enter http my info Se...

Page 534: ...Web Application or File Sharing in the Type field The screen differs depending on what object type you choose Note If you are creating a file sharing SSL application you must also configure the shared folder on the file server for remote access Refer to the document that comes with your file server Table 227 Configuration Object SSL Application LABEL DESCRIPTION Add Click this to create a new entr...

Page 535: ...Add Edit File Sharing The following table describes the labels in this screen Table 228 Configuration Object SSL Application Add Edit Web Application File Sharing LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen Object Type Select Web Application or File Sharing from the drop down list box Web Application ...

Page 536: ...s in this directory For example if you enter remote in this field remote users can only access files in the remote directory If a link contains a file that is not within this domain then remote users cannot access it Preview This field only appears when you choose Web Application or File Sharing as the object type This field displays if the Server Type is set to Web Server OWA or Weblink Note If y...

Page 537: ...wing formats IP address share name domain name share name computer name share name For example if you enter my server Tmp this allows remote users to access all files and or folders in the Tmp share on the my server computer OK Click OK to save the changes and return to the main SSL Application Configuration screen Cancel Click Cancel to discard the changes and return to the main SSL Application C...

Page 538: ...ne interface You can specify which zones allow SSH access and from which IP address the access can come Use the System TELNET screen see Section 30 9 on page 574 to configure Telnet to access the USG s command line interface Specify which zones allow Telnet access and from which IP address the access can come Use the System FTP screen see Section 30 10 on page 576 to specify from which zones FTP c...

Page 539: ...g and other diagnostic information Use this screen to turn on this feature and set a disk full warning limit Note Only connect one USB device It must allow writing it cannot be read only and use the FAT16 FAT32 EXT2 or EXT3 file system Click Configuration System USB Storage to open the screen as shown next Table 229 Configuration System Host Name LABEL DESCRIPTION System Name Enter a descriptive n...

Page 540: ...ur local time zone and date click Configuration System Date Time The screen displays as shown You can manually set the USG s time and date or have the USG get the date and time from a time server Table 230 Configuration System USB Storage LABEL DESCRIPTION Activate USB storage service Select this if you want to use the connected USB device s Disk full warning when remaining space is less than Set ...

Page 541: ... a new time and date time zone and daylight saving at the same time the time zone and daylight saving will affect the new time and date you entered When you enter the time settings manually the USG uses the new setting once you click Apply New Time hh mm ss This field displays the last updated time from the time server or the last time configured manually When you set Time and Date Setup to Manual...

Page 542: ...ype 2 in the at field Daylight Saving Time starts in the European Union on the last Sunday of March All of the time zones in the European Union start using Daylight Saving Time at the same moment 1 A M GMT or UTC So in the European Union you would select Last Sunday March The time you type in the at field depends on your time zone In Germany for instance you would type 2 because Germany s time zon...

Page 543: ... servers have been tried 30 4 2 Time Server Synchronization Click the Synchronize Now button to get the time and date from the time server you specified in the Time Server Address field When the Please Wait screen appears you may have to wait up to one minute Figure 370 Synchronization in Process The Current Time and Current Date fields will display the appropriate settings if the synchronization ...

Page 544: ...ect to the USG via the console port using a terminal emulation program Click Configuration System Console Speed to open the Console Speed screen Figure 371 Configuration System Console Speed The following table describes the labels in this screen Table 233 Configuration System Console Speed LABEL DESCRIPTION Console Port Speed Use the drop down list box to change the speed of the console port Your...

Page 545: ...s A name query begins at a client computer and is passed to a resolver a DNS client service for resolution The USG can be a DNS client service The USG can resolve a DNS query locally using cached Resource Records RR obtained from a previous query and kept for a period of time If the USG does not have the requested information it can forward the request to DNS servers This is known as recursion The...

Page 546: ...el com tw is a fully qualified domain name where www is the host zyxel is the third level domain com is the second level domain and tw is the top level domain Add Click this to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The USG confirms you want to remove it before doing so...

Page 547: ...y or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The USG confirms you want to remove it before doing so Note that subsequent entries move up by one when you take this action Move To change an entry s position in the numbered list select the method and click Move to display a field to type a number for where you want to put...

Page 548: ...om Cache This displays if the USG is allowed or denied to cache Resource Records RR obtained from previous DNS queries Query Recursion This displays if the USG is allowed or denied to forward DNS client requests to DNS servers for resolution Service Control This specifies from which computers and zones you can send DNS queries to the USG Add Click this to create a new entry Select an entry and cli...

Page 549: ...ifies that the domain name is an alias of another canonical domain name This allows users to set up a record for a domain name which translates to an IP address in other words the domain name is an alias of another This record also binds all the subdomains to the same IP address without having to create a record for each so when the IP address is changed all subdomain s IP address is updated as we...

Page 550: ...ures like VPN DDNS and the time server A domain zone is a fully qualified domain name without the host For example zyxel com tw is the domain zone for the www zyxel com tw fully qualified domain name 30 6 9 Adding a Domain Zone Forwarder Click the Add icon in the Domain Zone Forwarder table to add a domain zone forwarder record Table 236 Configuration System DNS CNAME Record Add LABEL DESCRIPTION ...

Page 551: ...l domain zones are served by the specified DNS server s DNS Server Select DNS Server s from ISP if your ISP dynamically assigns DNS server information You also need to select an interface through which the ISP provides the DNS server IP address es The interface should be activated and set to be a DHCP client The fields below display the read only DNS server IP address es that the ISP assigns N A d...

Page 552: ...Cache in the default policy and allow Query Recursion and Additional Info from Cache only from trusted DNS servers identified by address objects and added as members in the customized policy 30 6 13 Editing a Security Option Control Click a control policy and then click Edit to change allow or deny actions for Query Recursion and Additional Info from Cache Table 238 Configuration System DNS MX Rec...

Page 553: ... to DNS servers for resolution This can apply to specific open DNS servers using the address objects in a customized rule Additional Info from Cache Choose if the USG is allowed or denied to cache Resource Records RR obtained from previous DNS queries Address List Specifiying address objects is not available in the default policy as all addresses are included Available This box displays address ob...

Page 554: ...he allowed IP address address object in the Service Control table does not match the client IP address the USG disallows the session Table 240 Configuration System DNS Service Control Rule Add LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen Address Object Select ALL to allow or deny any computer to send DNS queries to the USG S...

Page 555: ... SSL is an application level protocol that enables secure transactions of data by ensuring confidentiality an unauthorized party cannot read the transferred data authentication one party can identify the other party and data integrity you know if data has been changed It relies upon certificates public keys and private keys HTTPS on the USG is used so that you can securely access the USG using the...

Page 556: ...ring WWW Service Control Click Configuration System WWW to open the WWW screen Use this screen to specify from which zones you can access the USG using HTTP or HTTPS You can also specify which IP addresses the access can come from Note Admin Service Control deals with management access to the Web Configurator User Service Control deals with user access to the USG logging into SSL VPN for example ...

Page 557: ...he check box to allow or disallow the computer with the IP address that matches the IP address es in the Service Control table to access the USG Web Configurator using secure HTTPs connections Server Port The HTTPS server listens on port 443 by default If you change the HTTPS server port to a different number on the USG for example 8443 then you must notify people who need to access the USG Web Co...

Page 558: ...e method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed This is the index number of the service control rule The entry with a hyphen instead of a number is the USG s non configurable default policy The USG applies this to traffic that does not match any other configured rule It is not an editable rule To...

Page 559: ...y other behavior configure a rule that traffic will match so the USG will not have to use the default policy Zone This is the zone on the USG the user is allowed or denied to access Address This is the object name of the IP address es with which the computer is allowed or denied to access Action This displays whether the computer with the IP address specified above can access the USG zone s config...

Page 560: ...igure 382 Configuration System WWW Login Page Zone Select ALL to allow or prevent any USG zones from being accessed using this service Select a predefined USG zone on which a incoming service is allowed or denied Action Select Accept to allow the user to access the USG from the specified computers Select Deny to block the user s access to the USG from the specified computers OK Click OK to save yo...

Page 561: ...83 Login Page Customization Figure 384 Access Page Customization You can specify colors in one of the following ways Click Color to display a screen of web safe colors from which to choose Logo Title Message Note Message Background last line of text color of all text Logo Title Message Note Message Window last line of text color of all text Background ...

Page 562: ...lick Upload to transfer the specified graphic file from your computer to the USG Customized Login Page Use this section to set how the Web Configurator login screen looks Title Enter the title for the top of the screen Use up to 64 printable ASCII characters Spaces are allowed Title Color Specify the color of the screen s title text Message Color Specify the color of the screen s text Note Message...

Page 563: ...es When you attempt to access the USG HTTPS server a The Connection is Untrusted screen appears as shown in the following screen Click Technical Details if you want to verify more information about the certificate from the USG Select I Understand the Risks and then click Add Exception to add the USG to the security exception list Click Confirm Security Exception Background Set how the window s bac...

Page 564: ...cate authorities The issuing certificate authority of the USG s factory default certificate is the USG itself since the certificate is a self signed certificate For the browser to trust a self signed certificate import the self signed certificate into your operating system as a trusted certificate To have the browser trust the certificates issued by a certificate authority import the certificate a...

Page 565: ...cate Client Certificates to be active see the Certificates chapter for details Apply for a certificate from a Certification Authority CA that is trusted by the USG see the USG s Trusted CA Web Configurator screen Figure 389 USG Trusted CA Screen The CA sends you a package containing the CA s trusted certificate s your personal certificate s and a password to install the personal certificate s 30 7...

Page 566: ...as shown earlier in this appendix 30 7 7 5 2 Installing Your Personal Certificate s You need a password in advance The CA may issue the password or you may have to specify it during the enrollment Double click the personal certificate given to you by the CA to produce a screen similar to the one shown next 1 Click Next to begin the wizard ...

Page 567: ...e Import Wizard 1 2 The file name and path of the certificate you double clicked should automatically appear in the File name text box Click Browse if you wish to import a different certificate Figure 392 Personal Certificate Import Wizard 2 3 Enter the password given to you by the CA ...

Page 568: ...Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location Figure 394 Personal Certificate Import Wizard 4 5 Click Finish to complete the wizard and begin the import process ...

Page 569: ...d 6 30 7 7 6 Using a Certificate When Accessing the USG Example Use the following procedure to access the USG via HTTPS 1 Enter https USG IP Address in your browser s web address field Figure 397 Access the USG Via HTTPS 2 When Authenticate Client Certificates is selected on the USG the following screen asks you to select a personal certificate to send to the USG This screen displays even if you o...

Page 570: ...urely access the USG s command line interface Specify which zones allow SSH access and from which IP address the access can come SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network In the following figure computer A on the Internet uses SSH to securely connect to the WAN port o...

Page 571: ...with the host key and server key and sends the result back to the server The client automatically saves any new server public keys In subsequent connections the server public key is checked against the saved version on the client computer 2 Encryption Method Once the identification is verified both the client and server must agree on the type of encryption method to use 3 Authentication and Data T...

Page 572: ...uration System SSH The following table describes the labels in this screen Table 244 Configuration System SSH LABEL DESCRIPTION Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address es in the Service Control table to access the USG CLI using this service Version 1 Select the check box to have the USG use both SSH version 1 and version 2 proto...

Page 573: ...selected entry Refer to Table 242 on page 559 for details on the screen that opens Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The USG confirms you want to remove it before doing so Note that subsequent entries move up by one when you take this action Move To change an entry s position in the ...

Page 574: ...ype yes and press ENTER Then enter the password to log in to the USG Figure 405 SSH Example 2 Log in 3 The CLI screen displays next 30 9 Telnet You can use Telnet to access the USG s command line interface Specify which zones allow Telnet access and from which IP address the access can come 30 9 1 Configuring Telnet Click Configuration System TELNET to configure your USG for remote Telnet access U...

Page 575: ...k Remove The USG confirms you want to remove it before doing so Note that subsequent entries move up by one when you take this action Move To change an entry s position in the numbered list select the method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed This the index number of the service control rule ...

Page 576: ...LS Transport Layer Security to encrypt communication This implements TLS as a security mechanism to secure FTP clients and or servers Server Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Server Certificate Select the certificate whose corresponding private key is to be used to identify...

Page 577: ...ou typed This the index number of the service control rule The entry with a hyphen instead of a number is the USG s non configurable default policy The USG applies this to traffic that does not match any other configured rule It is not an editable rule To apply other behavior configure a rule that traffic will match so the USG will not have to use the default policy Zone This is the zone on the US...

Page 578: ...ager wants to retrieve all elements of a table from an agent it initiates a Get operation followed by a series of GetNext operations Set Allows the manager to set values for object variables within an agent Trap Used by the agent to inform the manager of some events 30 11 1 SNMPv3 and Security SNMPv3 enhances security for SNMP management using authentication and encryption SNMP managers can be req...

Page 579: ...an SNMP request comes from non authenticated hosts vpnTunnelDisconnected 1 3 6 1 4 1 890 1 6 22 2 3 This trap is sent when an IPSec VPN tunnel is disconnected vpnTunnelName 1 3 6 1 4 1 890 1 6 22 2 2 1 1 This trap is sent along with the vpnTunnelDisconnected trap This trap carries the disconnected tunnel s IPSec SA name vpnIKEName 1 3 6 1 4 1 890 1 6 22 2 2 1 2 This trap is sent along with the vpn...

Page 580: ...an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The USG confirms you want to remove it before doing so Note that subsequent entries move up by one when you take this action This is the index number of the entry User This display...

Page 581: ...is the index number of the service control rule The entry with a hyphen instead of a number is the USG s non configurable default policy The USG applies this to traffic that does not match any other configured rule It is not an editable rule To apply other behavior configure a rule that traffic will match so the USG will not have to use the default policy Zone This is the zone on the USG the user ...

Page 582: ... Use this section to configure trusted clients in the USG RADIUS server database Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The USG confirms you want to remove it before doing so ...

Page 583: ...t this check box to make this profile active Profile Name Enter a descriptive name up to 31 alphanumerical characters for identification purposes IP Address Enter the IP address of the RADIUS client that is allowed to exchange messages with the USG Netmask Enter the subnet mask of the RADIUS client Secret Enter a password up to 64 alphanumeric characters as the key to be shared between the USG and...

Page 584: ...onfiguration View the location of managed devices on a map Receive notification for events and alarms such as when a device goes down Graphically monitor individual devices and see related statistics Directly access a device for remote configuration Create four types of administrators with different privileges Perform Site to Site Hub Spoke Fully meshed and Remote Access VPN provisioning To allow ...

Page 585: ...ter the CNM URL when you select Auto Custom Select this if your CloudCNM server cannot access MyZyXEL com CNM URL If your USG server cannot access MyZyXEL com then select Custom and enter the IPv4 IP address of the CloudCNM server followed by the port number default 7547 for HTTPS or 7549 for HTPP in CNM URL For example if you installed CloudCNM on a server with IP address 1 1 1 1 then enter 1 1 1...

Page 586: ... Configuration System Language LABEL DESCRIPTION Language Setting Select a display language for the USG s Web Configurator screens You also need to open a new browser session to display the screens in the new language Apply Click Apply to save your changes back to the USG Reset Click Reset to return the screen to its last saved settings Table 253 Configuration System IPv6 LABEL DESCRIPTION Enable ...

Page 587: ...ss This is not supported by the USG at the time of writing 3 Reboot Device Use this icon to restart the selected device s This may be useful when troubleshooting or upgrading new firmware 4 Flash Locator LED Use this icon to locate the selected device by causing its Locator LED to blink This is not available on the USG at the time of writing 5 Web GUI Use this to access the selected device web con...

Page 588: ...eld displays the IP address of an internal interface on the discovered device that first received an ZDP discovery request from the ZON utility System Name This field displays the system name of the discovered device Location This field displays where the discovered device is Status This field displays whether changes to the discovered device have been done successfully As the USG does not support...

Page 589: ...stem USG20 W VPN Series User s Guide 589 Apply Click Apply to save your changes back to the USG Reset Click Reset to return the screen to its last saved settings Table 256 Configuration System ZON LABEL DESCRIPTION ...

Page 590: ... page 592 to specify settings for recording log messages and alerts e mailing them storing them on a connected USB storage device and sending them to remote syslog servers 31 2 Email Daily Report Use the Email Daily Report screen to start or stop data collection and view various statistics about traffic passing through your USG Note Data collection may decrease the USG s traffic throughput rate Cl...

Page 591: ...Chapter 31 Log and Report USG20 W VPN Series User s Guide 591 Figure 418 Configuration Log Report Email Daily Report ...

Page 592: ...ect Append date time Select Append date time to add the USG s system date and time to the subject Mail From Type the e mail address from which the outgoing e mail is delivered This address is used in replies Mail To Type the e mail address or addresses to which the outgoing e mail is delivered SMTP Authentication Select this check box if it is necessary to provide a user name and password to the S...

Page 593: ...or any log Use the Log Category Settings screen to edit what information is included in the system log USB storage e mail profiles and remote servers 31 3 1 Log Settings To access this screen click Configuration Log Report Log Settings Figure 419 Configuration Log Report Log Settings The following table describes the labels in this screen Table 258 Configuration Log Report Log Settings LABEL DESCR...

Page 594: ... field displays the format of the log Internal system log you can view the log on the View Log tab VRPT Syslog ZyXEL s Vantage Report syslog compatible format CEF Syslog Common Event Format syslog compatible format Summary This field is a summary of the settings for each log Please see Section 31 3 2 on page 594 for more information Log Category Settings Click this button to open the Log Category ...

Page 595: ...Chapter 31 Log and Report USG20 W VPN Series User s Guide 595 Figure 421 Configuration Log Report Log Setting Edit System Log ...

Page 596: ...f it is necessary to provide a user name and password to the SMTP server User Name This box is effective when you select the SMTP Authentication check box Type the user name to provide to the SMTP server when the log is e mailed Password This box is effective when you select the SMTP Authentication check box Type the password to provide to the SMTP server when the log is e mailed Retype to Confirm...

Page 597: ...rmation from this category the USG does not e mail debugging information however even if this setting is selected E mail Server 1 Select whether each category of events should be included in the log messages when it is e mailed green check mark and or in alerts red exclamation point for the e mail settings specified in E Mail Server 1 The USG does not e mail debugging information even if it is rec...

Page 598: ...Chapter 31 Log and Report USG20 W VPN Series User s Guide 598 Figure 422 Configuration Log Report Log Setting Edit USB Storage ...

Page 599: ...ll of the log categories disable all logs red X do not send the remote server logs for any log category enable normal logs green check mark send the remote server log messages and alerts for all log categories enable normal logs and debug logs yellow check mark send the remote server log messages alerts and debugging information for all log categories This field is a sequential value and it is not...

Page 600: ...Chapter 31 Log and Report USG20 W VPN Series User s Guide 600 Figure 423 Configuration Log Report Log Setting Edit Remote Server ...

Page 601: ...cility allows you to log the messages to different files in the syslog server Please see the documentation for your syslog program for more information Active Log Selection Use the Selection drop down list to change the log settings for all of the log categories disable all logs red X do not send the remote server logs for any log category enable normal logs green check mark send the remote server...

Page 602: ... server 1 or 2 enable normal logs green check mark create log messages and alerts for all categories for the system log If e mail server 1 or 2 also has normal logs enabled the USG will e mail logs to them enable normal logs and debug logs yellow check mark create log messages alerts and debugging information for all categories The USG does not e mail debugging information even if this setting is ...

Page 603: ...ies This field is a sequential value and it is not associated with a specific address Log Category This field displays each category of messages It is the same value used in the Display and Category fields in the View Log tab The Default category includes debugging messages generated by open source software System Log Select which events you want to log by Log Category There are three choices disa...

Page 604: ...what information you want to log from each Log Category except All Logs see below Choices are disable all logs red X do not log any information from this category enable normal logs green check mark log regular information and alerts from this category enable normal logs and debug logs yellow check mark log regular information alerts and debugging information from this category OK Click this to sa...

Page 605: ...e the Configuration File screen see Section 32 2 on page 607 to store and name configuration files You can also download configuration files from the USG to your computer and upload configuration files from your computer to the USG Use the Firmware Package screen see Section 32 3 on page 611 to check your current firmware version and upload firmware to the USG Use the Shell Script screen see Secti...

Page 606: ... command mode Note exit or must follow sub commands if it is to make the USG exit sub command mode Figure 425 Configuration File Shell Script Example enter configuration mode configure terminal change administrator password username admin password 4321 user type admin configure ge3 interface ge3 ip address 172 23 37 240 255 255 255 0 ip gateway 172 23 37 254 metric 1 exit create address objects fo...

Page 607: ... in the configuration file or shell script The USG ignores any errors in the configuration file or shell script and applies all of the valid commands The USG still generates a log for any errors 32 2 The Configuration File Screen Click Maintenance File Manager Configuration File to open the Configuration File screen Use the Configuration File screen to store run and name configuration files You ca...

Page 608: ...le If there is an error the USG generates a log and copies the startup config conf configuration file to the startup config bad conf configuration file and tries the existing lastgood conf configuration file If there isn t a lastgood conf configuration file or it also has an error the USG applies the system default conf configuration file You can change the way the startup config conf file is appl...

Page 609: ...duplicate of the configuration file Remove Click a configuration file s row to select it and click Remove to delete it from the USG You can only delete manually saved configuration files You cannot delete the system default conf startup config conf and lastgood conf files A pop up window asks you to confirm that you want to delete the configuration file Click OK to delete the configuration file or...

Page 610: ... this gets the USG started with a fully valid configuration file as quickly as possible Ignore errors and finish applying the configuration file this applies the valid parts of the configuration file and generates error logs for all of the configuration file s errors This lets the USG apply most of your configuration and you can refer to the logs for what to fix Ignore errors and finish applying t...

Page 611: ...ment session the changes are applied to this configuration file The USG applies configuration changes made in the Web Configurator to the configuration file when you click Apply or OK It applies configuration changes made via commands when you use the write command The lastgood conf is the most recently used valid configuration file that was saved when the device last restarted If you upload and a...

Page 612: ... partition index number where the firmwarm is located The firmware can be either Standby or Running only one firmware can be running at any one time Status This indicates whether the firmware is Running or not running but already uploaded to the USG and is on Standby It displays N A if there is no firmware uploaded to that system space Model This is the model name of the device which the firmware ...

Page 613: ...ipt files They must use a zysh filename extension Click Maintenance File Manager Shell Script to open the Shell Script screen Use the Shell Script screen to store name download upload and run shell script files You can store multiple shell script files on the USG at the same time Don t Reboot If you choose Don t Reboot then the firmware upload to Standby system space will be the Standby firmware a...

Page 614: ... a shell script s row to select it and click Rename to open the Rename File screen Figure 435 Maintenance File Manager Shell Script Rename Specify the new name for the shell script file Use up to 25 characters including a zA Z0 9 _ Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file Remove Click a shell script file s row to select...

Page 615: ...need to wait awhile for the USG to finish applying the commands This column displays the number for each shell script file entry File Name This column displays the label that identifies a shell script file Size This column displays the size in KB of a shell script file Last Modified This column displays the date and time that the individual shell script files were last changed or saved Upload Shel...

Page 616: ...ss terminates abnormally crashes so you can send the file to customer support for troubleshooting The System Log screens Section 33 5 on page 623 download files of system logs from a connected USB storage device to your computer Use the Network Tool screen see Section 33 6 on page 623 to ping an IP address or trace the route packets take to a host Use the Wireless Frame Capture screens see Section...

Page 617: ...267 Maintenance Diagnostics LABEL DESCRIPTION Filename This is the name of the most recently created diagnostic file Last modified This is the date and time that the last diagnostic file was created The format is yyyy mm dd hh mm ss Size This is the size of the most recently created diagnostic file Copy the diagnostic file to USB storage if ready Select this to have the USG create an extra copy of...

Page 618: ... s setting to avoid this Table 268 Maintenance Diagnostics Files LABEL DESCRIPTION Remove Select files and click Remove to delete them from the USG Use the Shift and or Ctrl key to select multiple files A pop up window asks you to confirm that you want to delete Download Click a file to select it and click Download to save it to your computer This column displays the number for each file entry The...

Page 619: ...ion Select the version of IP for which to capture packets Select any to capture packets for all IP versions Protocol Type Select the protocol of traffic for which to capture packets Select any to capture packets for all types of traffic Host IP Select a host IP address object for which to capture packets Select any to capture packets for all hosts Select User Defined to be able to enter an IP addr...

Page 620: ... you have existing capture files and have not selected the Continuously capture and overwrite old ones option you may need to set this size larger or delete existing capture files The valid range depends on the available onboard USB storage size The USG stops the capture and generates the capture file when either the file reaches this size or the time period specified in the Duration field expires...

Page 621: ...s file to customer support for troubleshooting Click Maintenance Diagnostics Core Dump to open the following screen Table 270 Maintenance Diagnostics Packet Capture Files LABEL DESCRIPTION Remove Select files and click Remove to delete them from the USG or the connected USB storage device Use the Shift and or Ctrl key to select multiple files A pop up window asks you to confirm that you want to de...

Page 622: ...ump to USB storage if ready Select this to have the USG save a process s core dump to an attached USB storage device if the process terminates abnormally crashes If you clear this option the USG only saves Apply Click Apply to save the changes Reset Click Reset to return the screen to its last saved settings Table 272 Maintenance Diagnostics Core Dump Files LABEL DESCRIPTION Remove Select files an...

Page 623: ...This column displays the size in bytes of a file Last Modified This column displays the date and time that the individual files were saved Table 272 Maintenance Diagnostics Core Dump Files continued LABEL DESCRIPTION Table 273 Maintenance Diagnostics System Log LABEL DESCRIPTION Remove Select files and click Remove to delete them from the USG Use the Shift and or Ctrl key to select multiple files ...

Page 624: ...re to display this screen Table 274 Maintenance Diagnostics Network Tool LABEL DESCRIPTION Network Tool Select PING IPv4 to ping the IP address that you entered Select TRACEROUTE IPv4 to perform the traceroute function This determines the path a packet takes to the specified computer Domain Name or IP Address Type the IPv4 address of a computer that you want to perform ping or traceroute in order ...

Page 625: ... Mode APs This column displays which APs on your wireless network are currently configured for monitor mode Use the arrow buttons to move APs off this list and onto the Captured MON Mode APs list Capture MON Mode APs This column displays the monitor mode configured APs selected to for wireless frame capture Misc Setting File Size Specify a maximum size limit in kilobytes for the total combined siz...

Page 626: ...in progress although you cannot modify the frame capture settings The USG s throughput or performance may be affected while a frame capture is in progress After the USG finishes the capture it saves a combined capture file for all APs The total number of frame capture files that you can save depends on the file sizes and the available flash storage space Once the flash storage space is full adding...

Page 627: ...es the file The file name format is interface name file suffix cap Size This column displays the size in bytes of a configuration file Last Modified This column displays the date and time that the individual files were saved Table 276 Maintenance Diagnostics Wireless Frame Capture Files continued LABEL DESCRIPTION ...

Page 628: ...nction s settings 34 2 The Routing Status Screen The Routing Status screen allows you to view the current routing flow and quickly link to specific routing settings Click a function box in the Routing Flow section the related routes activated will display in the Routing Table section To access this screen click Maintenance Packet Flow Explore The order of the routing flow may vary depending on whe...

Page 629: ...USG20 W VPN Series User s Guide 629 Figure 447 Maintenance Packet Flow Explore Routing Status Direct Route Figure 448 Maintenance Packet Flow Explore Dynamic VPN Figure 449 Maintenance Packet Flow Explore Routing Status Policy Route ...

Page 630: ...W VPN Series User s Guide 630 Figure 450 Maintenance Packet Flow Explore Routing Status 1 1 SNAT Figure 451 Maintenance Packet Flow Explore Routing Status SiteToSite VPN Figure 452 Maintenance Packet Flow Explore Routing Status Dynamic VPN ...

Page 631: ...eries User s Guide 631 Figure 453 Maintenance Packet Flow Explore Routing Status Static Dynamic Route Figure 454 Maintenance Packet Flow Explore Routing Status Default WAN Trunk Figure 455 Maintenance Packet Flow Explore Routing Status Main Route ...

Page 632: ... route Persist This is the remaining time of a dynamically learned route The USG removes the route after this time period is counted down to zero The following fields are available if you click Policy Route in the Routing Flow section This field is a sequential value and it is not associated with any entry PR This is the number of an activated policy route If you have configured a schedule for the...

Page 633: ...the name of an interface which transmits packets out of the USG Gateway This is the IP address of the gateway in the same network of the outgoing interface The following fields are available if you click Dynamic VPN or SiteToSite VPN in the Routing Flow section This field is a sequential value and it is not associated with any entry Source This is the IP address es of the local VPN network Destina...

Page 634: ...ing to the rules you have configured in the USG Click a function box to display the related settings in the SNAT Table section SNAT Table The table fields in this section vary depending on the function box you select in the SNAT Flow section The following fields are available if you click Policy Route SNAT in the SNAT Flow section This field is a sequential value and it is not associated with any ...

Page 635: ...ress Destination This is the original destination IP address es any means any IP address SNAT This indicates which source IP address the SNAT rule uses finally For example Outgoing Interface IP means that the USG uses the IP address of the outgoing interface as the source IP address for the matched packets it sends out through this rule The following fields are available if you click Default SNAT ...

Page 636: ... can cause the firmware to become corrupt 35 1 1 What You Need To Know Shutdown writes all cached data to the local storage and stops the system processes 35 2 The Shutdown Screen To access this screen click Maintenance Shutdown Figure 460 Maintenance Shutdown Click the Shutdown button to shut down the USG Wait for the device to shut down before you manually turn off or remove the power It does no...

Page 637: ... Prompt In the Command Prompt window type ping followed by the USG s LAN IP address 192 168 1 1 is the default and then press ENTER The USG should reply If you ve forgotten the USG s password use the RESET button Press the button in for about 5 seconds or until the PWR LED starts to blink then release it It returns the USG to the factory defaults password is 1234 LAN IP address 192 168 1 1 etc see...

Page 638: ... policy I configured The USG checks the security policies in the order that they are listed So make sure that your custom security policy comes before any other rules that the traffic would also match I cannot enter the interface name I want The format of interface names other than the Ethernet interface names is very strict Each name consists of 2 4 letters interface type followed by a number x l...

Page 639: ...t before you create a PPPoE or PPTP interface The data rates through my cellular connection are no where near the rates I expected The actual cellular data rate you obtain varies depending on the cellular device you use the signal strength to the service provider s base station and so on I created a cellular interface but cannot connect through it Make sure you have a compatible mobile broadband d...

Page 640: ... SNAT for traffic it routes from internal interfaces to external interfaces For example LAN to WAN traffic You must manually configure a policy route to add routing and SNAT settings for an interface with the Interface Type set to General You can also configure a policy route to override the default routing and SNAT behavior for an interface with the Interface Type set to Internal or External I ca...

Page 641: ...y side Here are some general suggestions See also Chapter 21 on page 333 The system log can often help to identify a configuration problem If you enable NAT traversal the remote IPSec device must also have NAT traversal enabled The USG and remote IPSec router must use the same authentication method to establish the IKE SA Both routers must use the same negotiation mode Both routers must use the sa...

Page 642: ...tes If the USG s certificate is self signed import it into the remote IPsec router If it is signed by a CA make sure the remote IPsec router trusts that CA The USG uses one of its Trusted Certificates to authenticate the remote IPSec router s certificate The trusted certificate can be the remote IPSec router s self signed certificate or that of a trusted CA that signed the remote IPSec router s ce...

Page 643: ...always fail This is related to AAA servers and authentication methods which are discussed in other chapters in this guide I cannot add the admin users to a user group with access users You cannot put access users and admin users in the same user group I cannot add the default admin account to a user group You cannot put the default admin account into any user group The schedule I configured is not...

Page 644: ... connected to your certificate s public or private passwords Exporting a PKCS 12 file creates this and you must provide it to decrypt the contents when you import the file into the USG Note Be careful not to convert a binary file to text during the transfer process It is easy for this to occur since many programs use text files by default I cannot access the USG from a computer connected to the In...

Page 645: ... the command line interface if you need to recover the firmware See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it My packet capture captured less than I wanted or failed The packet capture screen s File Size sets a maximum size limit for the total combined size of all the capture files on the USG including any existing capture files and any ...

Page 646: ...startup config conf file with the settings in the system default conf file Note This procedure removes the current configuration 1 Make sure the SYS LED is on and not blinking 2 Press the RESET button and hold it until the SYS LED begins to blink This usually takes about five seconds 3 Release the RESET button and wait for the USG to restart You should be able to access the USG using the default s...

Page 647: ...ide shtml for the latest information Please have the following information ready when you contact an office Required Information Product model and serial number Warranty Information Date that you received your device Brief description of the problem and the steps you took to solve it Corporate Headquarters Worldwide Taiwan ZyXEL Communications Corporation http www zyxel com Asia China ZyXEL Commun...

Page 648: ...stan ZyXEL Pakistan Pvt Ltd http www zyxel com pk Philippines ZyXEL Philippines http www zyxel com ph Singapore ZyXEL Singapore Pte Ltd http www zyxel com sg Taiwan ZyXEL Communications Corporation http www zyxel com tw zh Thailand ZyXEL Thailand Co Ltd http www zyxel co th Vietnam ZyXEL Communications Corporation Vietnam Office http www zyxel com vn vi Europe Austria ZyXEL Deutschland GmbH http w...

Page 649: ...garia ZyXEL България http www zyxel com bg bg Czech Republic ZyXEL Communications Czech s r o http www zyxel cz Denmark ZyXEL Communications A S http www zyxel dk Estonia ZyXEL Estonia http www zyxel com ee et Finland ZyXEL Communications http www zyxel fi France ZyXEL France http www zyxel fr Germany ZyXEL Deutschland GmbH http www zyxel de Hungary ZyXEL Hungary SEE http www zyxel hu ...

Page 650: ...a http www zyxel com lt lt homepage shtml Netherlands ZyXEL Benelux http www zyxel nl Norway ZyXEL Communications http www zyxel no Poland ZyXEL Communications Poland http www zyxel pl Romania ZyXEL Romania http www zyxel com ro ro Russia ZyXEL Russia http www zyxel ru Slovakia ZyXEL Communications Czech s r o organizacna zlozka http www zyxel sk Spain ZyXEL Communications ES Ltd http www zyxel es...

Page 651: ... tr UK ZyXEL Communications UK Ltd http www zyxel co uk Ukraine ZyXEL Ukraine http www ua zyxel com Latin America Argentina ZyXEL Communication Corporation http www zyxel com ec es Brazil ZyXEL Communications Brasil Ltda https www zyxel com br pt Ecuador ZyXEL Communication Corporation http www zyxel com ec es Middle East Israel ZyXEL Communication Corporation http il zyxel com homepage shtml ...

Page 652: ...EL Communication Corporation http www zyxel com me en North America USA ZyXEL Communications Inc North America Headquarters http www zyxel com us en Oceania Australia ZyXEL Communications Corporation http www zyxel com au en Africa South Africa Nology Pty Ltd http www zyxel co za ...

Page 653: ...n Changes or modifications not expressly approved by the party responsible for compliance could void the user s authority to operate the device This product has been tested and complies with the specifications for a Class B digital device pursuant to Part 15 of the FCC Rules These limits are designed to provide reasonable protection against harmful interference in a residential installation This d...

Page 654: ...WVPN de modèle s il fait partie du matériel de catégorieI a été approuvé par Industrie Canada pour fonctionner avec les types d antenne énumérés ci dessous et ayant un gain admissible maximal et l impédance requise pour chaque type d antenne Les types d antenne non inclus dans cette liste ou dont le gain est supérieur au gain maximal indiqué sont strictement interdits pour l exploitation de l émet...

Page 655: ... ZyXEL ovime izjavljuje da je radijska oprema tipa u skladu s Direktivom 1999 5 EC Íslenska Icelandic Hér með lýsir ZyXEL því yfir að þessi búnaður er í samræmi við grunnkröfur og önnur viðeigandi ákvæði tilskipunar 1999 5 EC Italiano Italian Con la presente ZyXEL dichiara che questo attrezzatura è conforme ai requisiti essenziali ed alle altre disposizioni pertinenti stabilite dalla direttiva 199...

Page 656: ...ostdiensten en telecommunicatie BIPT Zie http www bipt be voor meer gegevens Les liaisons sans fil pour une utilisation en extérieur d une distance supérieure à 300 mètres doivent être notifiées à l Institut Belge des services Postaux et des Télécommunications IBPT Visitez http www ibpt be pour de plus amples détails Denmark In Denmark the band 5150 5350 MHz is also allowed for outdoor usage I Dan...

Page 657: ...orrect type dispose of used batteries according to the instruction Dispose them at the applicable collection point for the recycling of electrical and electronic devices For detailed information about recycling of this product please contact your local city office your household waste disposal service or the store where you purchased the product Do not obstruct the device ventilation slots as insu...

Page 658: ... a un punto limpio Cuando llegue el momento de desechar el producto la recogida por separado éste y o su batería ayudará a salvar los recursos naturales y a proteger la salud humana y medioambiental Le symbole ci dessous signifie que selon les réglementations locales votre produit et ou sa batterie doivent être éliminés séparément des ordures ménagères Lorsque ce produit atteint sa fin de vie amen...

Page 659: ...Appendix B Legal Information USG20 W VPN Series User s Guide 659 Environmental Product Declaration ...

Page 660: ... label Power Adapter 12V DC 2 0A LPS 40o C degrees Centigrade Device Operating Storage Environment Refer to the USG package This product is intended to be supplied by a Listed Direct Plug In Power Unit marked Class 2 Listed Power Adapter or DC power source marked L P S or Limited Power Source rated 12Vdc 2A minimum Tma 40 degree C and the altitude of operation 2000m If need further assistance with...

Page 661: ... vendor You may also refer to the warranty policy for the region in which you bought the device at http www zyxel com web support_warranty_info php Registration Register your product online to receive e mail notices of firmware upgrades and information at www zyxel com for global products or at www us zyxel com for North American products Open Source Licenses This product contains in part some fre...

Page 662: ...ng Static route 64 64 Policy route 100 100 Sessions Forwarding NAT firewall 20000 20000 Reserved Sessions For Managed Devices 500 500 ARP Table Size 16384 16384 NAT Max Virtual Server Number 128 128 Firewall Security policy Max Firewall ACL Rule Number Secure Policy Number Marketing spec Lab test 10 500 500 Max Session Limit per Host Rules 1000 1000 User Profile Max Local User 64 64 Max Admin User...

Page 663: ...roup 2 2 Max Zone Number System Default 8 8 Max Zone Number User Define 8 8 Max Trunk Number System Default 1 1 Max Trunk Number User Define 4 4 Max Radio Profile 16 16 Max SSID Profile 32 32 Max Security Profile 32 32 Max Macfilter Profile 32 32 Max MAC Entry Per Macfilter Profile 512 512 VPN Max VPN Tunnels Number 10 10 Max VPN Concentrator Number 2 2 Max VPN Configuration Provision Rule Number ...

Page 664: ...e Keyword Blocking Number 128 per profile 128 per profile Common Forbidden Domain Entry Number 1024 1024 Common Trusted Domain Entry Number 1024 1024 Anti Spam Available in ZLD 2 10 and later versions Maximum AS Rule Number Profile 16 16 Maximum White List Rule Support 128 128 Maximum Black List Rule Support 128 128 Maximum DNSBL Domain Support 5 5 Max Statistics Number 500 500 Max Statistics Rank...

Page 665: ...Appendix C Product Features USG20 W VPN Series User s Guide 665 Others Device HA VRRP Group n a n a Max OSPF Areas 32 32 Table 279 Product Features MODEL NAME USG20 VPN USG20W VPN ...

Page 666: ...99 multiple logins 464 see also users 456 Web Configurator 466 access users see also force user authentication policies account user 455 accounting server 502 Active Directory see AD active protocol 364 AH 364 and encapsulation 364 ESP 364 active sessions 91 109 ActiveX 430 AD 503 505 506 508 directory structure 504 Distinguished Name see DN password 508 port 508 510 search time limit 508 SSL 508 ...

Page 667: ... 440 mail sessions threshold 437 POP2 436 POP3 436 registration status 438 regular expressions 445 SMTP 436 status 130 white list 435 439 444 445 APN 179 Application Layer Gateway see ALG application patrol and HTTP redirect 264 ASAS Authenex Strong Authentication System 503 asymmetrical routes 321 allowing through the security policy 324 vs virtual interfaces 321 attacks Denial of Service DoS 341...

Page 668: ...certificates 514 advantages of 515 and CA 515 and FTP 576 and HTTPS 555 and IKE SA 363 and SSH 572 and VPN gateways 338 and WWW 558 certification path 515 522 527 expired 515 factory default 515 file formats 516 fingerprints 523 528 importing 518 in IPSec 350 not used for encryption 515 revoked 515 self signed 515 520 serial number 522 527 storage space 518 525 thumbprint algorithms 516 thumbprint...

Page 669: ...430 cache 434 categories 423 category service 422 default policy 417 external web filtering service 422 434 filter list 417 managed web pages 423 policies 416 417 registration status 135 419 422 statistics 126 testing 424 uncategorized pages 423 unsafe web pages 422 URL for blocked access 419 cookies 23 430 copyright 653 CPU usage 91 current date time 86 540 and schedules 497 daylight savings 542 ...

Page 670: ...Dynamic Channel Selection 137 Dynamic Domain Name System see DDNS Dynamic Host Configuration Protocol see DHCP dynamic peers in IPSec 341 DynDNS 250 DynDNS see also DDNS 250 Dynu 250 E egress bandwidth 180 189 e mail 435 daily statistics report 590 header buffer 436 headers 436 Encapsulating Security Payload see ESP encapsulation and active protocol 364 IPSec 342 transport mode 364 tunnel mode 364...

Page 671: ...271 ALG 267 273 and RTP 273 and security policy 268 signaling port 271 HSDPA 180 HTTP over SSL see HTTPS redirect to HTTPS 558 vs HTTPS 555 HTTP redirect 263 and application patrol 264 and interfaces 266 and policy routes 264 and security policy 264 packet flow 264 troubleshooting 640 HTTPS 555 and certificates 555 authenticating clients 555 avoiding warning messages 564 example 563 vs HTTP 555 wi...

Page 672: ...217 general characteristics 142 IP address 216 metric 217 MTU 217 overlapping IP address and subnet mask 216 port groups see also port groups PPPoE PPTP see also PPPoE PPTP interfaces prerequisites 143 relationships between 143 static DHCP 218 subnet mask 216 trunks see also trunks Tunnel see also Tunnel interfaces types 142 virtual see also virtual interfaces VLAN see also VLAN interfaces WLAN se...

Page 673: ...erfect Forward Secrecy PFS 365 proposal 365 remote policy 364 search by name 123 search by policy 123 Security Parameter Index SPI manual keys 365 see also IPSec see also VPN source NAT for inbound traffic 366 source NAT for outbound traffic 366 status 123 transport mode 364 tunnel mode 364 when IKE SA is disconnected 364 IPSec VPN troubleshooting 641 IPv6 144 link local address 145 prefix 144 pre...

Page 674: ...9 session oriented 220 spillover 221 weighted round robin 221 local user database 504 log troubleshooting 644 log messages categories 597 599 601 602 603 debugging 131 regular 131 types of 131 log options 439 login custom page 560 SSL user 380 logo troubleshooting 644 logo in SSL 374 logout SSL user 385 Web Configurator 26 logs and security policy 327 e mail profiles 592 e mailing log messages 596...

Page 675: ...tion see NAT traversal 363 NAT Port Mapping Protocol 274 NAT Traversal 274 NAT PMP 274 NBNS 162 200 212 218 372 NetBIOS Broadcast over IPSec 341 Name Server see NBNS NetBIOS Name Server see NBNS NetMeeting 273 see also H 323 Netscape Navigator 23 network access mode 20 full tunnel 368 Network Address Translation see NAT network list see SSL 373 Network Time Protocol NTP 543 No IP 250 NSSA 241 O ob...

Page 676: ...65 physical ports packet statistics 102 103 PIN code 180 PIN generator 503 pointer record 549 Point to Point Protocol over Ethernet see PPPoE Point to Point Tunneling Protocol see PPTP policy enforcement in IPSec 342 policy route troubleshooting 638 policy routes 228 actions 229 and address objects 234 and ALG 269 272 and HTTP redirect 264 and interfaces 234 and NAT 228 and schedules 234 406 410 a...

Page 677: ...S remote desktop connections 532 Remote Desktop Protocol see RDP remote management FTP see FTP see also service control 554 Telnet 574 to Device security policy 320 WWW see WWW remote network 333 remote user screen links 532 replay detection 341 reports collecting data 107 content filtering 126 daily 590 daily e mail 590 specifications 108 traffic statistics 106 reset 645 RESET button 645 RFC 1058...

Page 678: ...268 and user groups 326 330 and users 326 330 and VoIP pass through 269 and zones 319 325 asymmetrical routes 321 324 global rules 320 priority 324 rule criteria 320 see also to Device security policy 319 session limits 321 327 triangle routes 321 324 troubleshooting 638 security settings troubleshooting 638 serial number 86 service control 554 and to ZyWALL security policy 554 and users 555 limit...

Page 679: ...A 508 and AD 508 and LDAP 508 certificates 380 client 392 client virtual desktop logo 374 computer names 372 connection monitor 124 full tunnel mode 372 global setting 373 IP pool 372 network list 373 remote user login 380 remote user logout 385 SecuExtender 392 see also SSL VPN 368 troubleshooting 642 user application screens 385 user file sharing 386 user screen bookmarks 384 user screens 379 38...

Page 680: ...curity policy and remote management 320 global rules 320 see also security policy 319 token 503 to ZyWALL security policy and NAT 260 and NAT traversal VPN 642 and OSPF 241 and RIP 239 and service control 554 and VPN 642 TR 069 protocol 583 traffic statistics 106 Transmission Control Protocol see TCP transport encapsulation 342 Transport Layer Security TLS 576 triangle routes 321 allowing through ...

Page 681: ...ser awareness 457 User Datagram Protocol see UDP user group objects 455 user groups 455 457 and content filtering 416 and policy routes 233 406 410 and security policy 326 330 user name rules 458 user objects 455 user portal links 532 logo 374 see SSL user screens 379 383 user sessions see sessions user SSL screens 379 383 access methods 379 bookmarks 384 certificates 380 login 380 logout 385 requ...

Page 682: ...ctive protocol 364 and NAT 362 basic troubleshooting 641 hub and spoke see VPN concentrator IKE SA see IKE SA IPSec 319 333 IPSec SA proposal 359 security associations SA 336 see also IKE SA see also IPSec 319 333 see also IPSec SA status 87 troubleshooting 642 VPN concentrator 354 advantages 354 and IPSec SA policy enforcement 356 disadvantages 354 VPN connections and address objects 338 and poli...

Page 683: ...37 Wizard Setup 37 50 WLAN troubleshooting 639 user accounts 457 WLAN interfaces 142 WPA 470 WPA2 470 WWW 556 and address groups 559 and address objects 559 and authentication method objects 559 and certificates 558 and zones 560 see also HTTP HTTPS 556 Z ZON Utility 587 zones 453 and FTP 577 and interfaces 453 and security policy 319 325 and SNMP 581 and SSH 573 and Telnet 575 and VPN 453 and WWW...