www.zyxel.com

ZyWALL USG 100/200 Series
Unified Security Gateway

Copyright © 2010 ZyXEL Communications Corporation

Firmware Version 2.20
Edition 2, 9/2010

Default Login Details
LAN1 Port: P4
IP Address: https://192.168.1.1
User Name: admin
Password: 1234

Summary of Contents for ZyWALL USG 100 Series

Page 1: ...yWALL USG 100 200 Series Unified Security Gateway Copyright 2010 ZyXEL Communications Corporation Firmware Version 2 20 Edition 2 9 2010 Default Login Details LAN1 Port P4 IP Address https 192 168 1 1 User Name admin Password 1234 ...


Page 3: ... on essential terms used in the ZyWALL what prerequisites are needed to configure a feature and how to use that feature It is highly recommended you read Chapter 7 on page 117 for ZyWALL application examples Subsequent chapters are arranged by menu item as defined in the Web Configurator Read each chapter carefully for detailed information on that menu item To find specific information in this gui...

Page 4: ...umentation from this link Read the Tech Doc Overview to find out how to efficiently use the User Guide Quick Start Guide and Command Line Interface Reference Guide in order to better understand how to use your product Knowledge Base If you have a specific question about your product the answer may be here This is a collection of answers to previously asked questions about ZyXEL products Forum This...

Page 5: ... serial number Warranty Information Date that you received your device Brief description of the problem and the steps you took to solve it Disclaimer Graphics in this book may differ slightly from the product due to differences in operating systems operating system versions or if you installed updated firmware software for your device Every effort has been made to ensure that the information in th...

Page 6: ...ont A key stroke is denoted by square brackets and uppercase text for example ENTER means the enter or return key on your keyboard Enter means for you to type one or more characters and then press the ENTER key Select or choose means for you to use one of the predefined choices A right angle bracket within a screen name denotes a mouse click For example Maintenance Log Log Setting means you first ...

Page 7: ...eries User s Guide 7 Icons Used in Figures Figures in this User s Guide may use the following generic icons The ZyWALL icon is not an exact representation of your device ZyWALL Computer Notebook computer Server Firewall Telephone Switch Router ...

Page 8: ...ting it to a power outlet Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord Do NOT use the device if the power adaptor or cord is damaged as it might cause electrocution If the power adaptor or cord is damaged remove it from the device and the power source Do NOT attempt to repair the power adaptor or cord Con...

Page 9: ...Technical Reference 225 Dashboard 227 Monitor 241 Registration 285 Signature Update 291 Interfaces 297 Trunks 373 Policy and Static Routes 383 Routing Protocols 399 Zones 413 DDNS 417 NAT 423 HTTP Redirect 433 ALG 439 IP MAC Binding 447 Authentication Policy 453 Firewall 461 IPSec VPN 479 SSL VPN 521 SSL User Screens 535 SSL User Application Screens 545 SSL User File Sharing 547 ZyWALL SecuExtende...

Page 10: ...5 Device HA 713 User Group 735 Addresses 751 Services 757 Schedules 763 AAA Server 769 Authentication Method 779 Certificates 785 ISP Accounts 807 SSL Application 811 Endpoint Security 819 System 829 Log and Report 881 File Manager 897 Diagnostics 909 Reboot 919 Shutdown 921 Troubleshooting 923 Product Specifications 943 ...

Page 11: ...ack Mounted Installation Procedure 34 1 3 Front Panel 35 1 3 1 Front Panel LEDs 36 1 4 Management Overview 36 1 5 Starting and Stopping the ZyWALL 38 Chapter 2 Features and Applications 39 2 1 Features 39 2 2 Applications 41 2 2 1 VPN Connectivity 42 2 2 2 SSL VPN Network Access 42 2 2 3 User Aware Access Control 44 2 2 4 Multiple WAN Interfaces 44 2 2 5 Device HA 45 Chapter 3 Web Configurator 47 ...

Page 12: ... 76 5 2 1 Choose an Ethernet Interface 76 5 2 2 Select WAN Type 76 5 2 3 Configure WAN Settings 77 5 2 4 WAN and ISP Connection Settings 78 5 2 5 Quick Setup Interface Wizard Summary 80 5 3 VPN Quick Setup 81 5 4 VPN Setup Wizard Wizard Type 82 5 5 VPN Express Wizard Scenario 83 5 5 1 VPN Express Wizard Configuration 84 5 5 2 VPN Express Wizard Summary 85 5 5 3 VPN Express Wizard Finish 86 5 5 4 V...

Page 13: ...06 6 5 9 DDNS 106 6 5 10 NAT 106 6 5 11 HTTP Redirect 107 6 5 12 ALG 108 6 5 13 Auth Policy 108 6 5 14 Firewall 108 6 5 15 IPSec VPN 109 6 5 16 SSL VPN 109 6 5 17 L2TP VPN 110 6 5 18 Application Patrol 110 6 5 19 Anti Virus 111 6 5 20 IDP 111 6 5 21 ADP 111 6 5 22 Content Filter 111 6 5 23 Anti Spam 112 6 5 24 Device HA 112 6 6 Objects 113 6 6 1 User Group 113 6 7 System 114 6 7 1 DNS WWW SSH TELN...

Page 14: ... Up User Authentication Using the RADIUS Server 150 7 7 4 Web Surfing Policies With Bandwidth Restrictions 152 7 7 5 Set Up MSN Policies 155 7 7 6 Set Up Firewall Rules 156 7 8 How to Use a RADIUS Server to Authenticate User Accounts based on Groups 157 7 9 How to Use Endpoint Security and Authentication Policies 159 7 9 1 Configure the Endpoint Security Objects 159 7 9 2 Configure the Authenticat...

Page 15: ...ring the Default L2TP VPN Connection Example 189 8 4 Configuring the L2TP VPN Settings Example 190 8 5 Configuring L2TP VPN in Windows Vista XP or 2000 191 8 5 1 Configuring L2TP in Windows Vista 191 8 5 2 Configuring L2TP in Windows XP 201 8 5 3 Configuring L2TP in Windows 2000 207 Part II Technical Reference 225 Chapter 9 Dashboard 227 9 1 Overview 227 9 1 1 What You Can Do in this Chapter 227 9...

Page 16: ...10 13 The IPSec Monitor Screen 265 10 13 1 Regular Expressions in Searching IPSec SAs 267 10 14 The SSL Connection Monitor Screen 268 10 15 L2TP over IPSec Session Monitor Screen 269 10 16 The Anti Virus Statistics Screen 270 10 17 The IDP Statistics Screen 272 10 18 The Content Filter Statistics Screen 274 10 19 Content Filter Cache Screen 275 10 20 The Anti Spam Statistics Screen 278 10 21 The A...

Page 17: ...3 6 2 WLAN Add Edit WEP Security 338 13 6 3 WLAN Add Edit WPA PSK WPA2 PSK Security 339 13 6 4 WLAN Add Edit WPA WPA2 Security 340 13 7 WLAN Interface MAC Filter 342 13 8 VLAN Interfaces 344 13 8 1 VLAN Summary Screen 346 13 8 2 VLAN Add Edit 347 13 9 Bridge Interfaces 354 13 9 1 Bridge Summary 356 13 9 2 Bridge Add Edit 357 13 10 Auxiliary Interface 363 13 10 1 Auxiliary Interface Overview 363 13...

Page 18: ...this Chapter 399 16 1 2 What You Need to Know 399 16 2 The RIP Screen 400 16 3 The OSPF Screen 401 16 3 1 Configuring the OSPF Screen 405 16 3 2 OSPF Area Add Edit Screen 408 16 3 3 Virtual Link Add Edit Screen 409 16 4 Routing Protocol Technical Reference 410 Chapter 17 Zones 413 17 1 Zones Overview 413 17 1 1 What You Can Do in this Chapter 413 17 1 2 What You Need to Know 414 17 2 The Zone Scre...

Page 19: ...21 1 2 What You Need to Know 440 21 1 3 Before You Begin 443 21 2 The ALG Screen 443 21 3 ALG Technical Reference 445 Chapter 22 IP MAC Binding 447 22 1 IP MAC Binding Overview 447 22 1 1 What You Can Do in this Chapter 447 22 1 2 What You Need to Know 448 22 2 IP MAC Binding Summary 448 22 2 1 IP MAC Binding Edit 449 22 2 2 Static DHCP Edit 450 22 3 IP MAC Binding Exempt List 451 Chapter 23 Authe...

Page 20: ... Connection Screen 482 25 2 1 The VPN Connection Add Edit IKE Screen 484 25 2 2 The VPN Connection Add Edit Manual Key Screen 491 25 3 The VPN Gateway Screen 494 25 3 1 The VPN Gateway Add Edit Screen 495 25 4 VPN Concentrator 503 25 4 1 IPSec VPN Concentrator Example 503 25 4 2 VPN Concentrator Screen 506 25 4 3 The VPN Concentrator Add Edit Screen 506 25 5 IPSec VPN Background Information 507 Ch...

Page 21: ...File or Folder 548 29 3 1 Downloading a File 550 29 3 2 Saving a File 551 29 4 Creating a New Folder 551 29 5 Renaming a File or Folder 552 29 6 Deleting a File or Folder 552 29 7 Uploading a File 553 Chapter 30 ZyWALL SecuExtender 555 30 1 The ZyWALL SecuExtender Icon 555 30 2 Statistics 556 30 3 View Log 557 30 4 Suspend and Resume the Connection 557 30 5 Stop the Connection 558 30 6 Uninstallin...

Page 22: ...irus Policy Add or Edit Screen 595 33 3 Anti Virus Black List 597 33 4 Anti Virus Black List or White List Add Edit 598 33 5 Anti Virus White List 599 33 6 Signature Searching 600 33 7 Anti Virus Technical Reference 603 Chapter 34 IDP 605 34 1 Overview 605 34 1 1 What You Can Do in this Chapter 605 34 1 2 What You Need To Know 605 34 1 3 Before You Begin 606 34 2 The IDP General Screen 607 34 3 In...

Page 23: ...The ADP Profile Summary Screen 645 35 3 3 Creating New ADP Profiles 646 35 3 4 Traffic Anomaly Profiles 646 35 3 5 Protocol Anomaly Profiles 649 35 3 6 Protocol Anomaly Configuration 649 35 4 ADP Technical Reference 653 Chapter 36 Content Filtering 663 36 1 Overview 663 36 1 1 What You Can Do in this Chapter 663 36 1 2 What You Need to Know 663 36 1 3 Before You Begin 665 36 2 Content Filter Gener...

Page 24: ... What You Can Do in this Chapter 713 39 1 2 What You Need to Know 713 39 1 3 Before You Begin 714 39 2 Device HA General 715 39 3 The Active Passive Mode Screen 716 39 3 1 Configuring Active Passive Mode Device HA 718 39 4 Configuring an Active Passive Mode Monitored Interface 721 39 5 The Legacy Mode Screen 723 39 6 Configuring the Legacy Mode Screen 724 39 7 Device HA Technical Reference 728 Cha...

Page 25: ...en 760 42 3 The Service Group Summary Screen 760 42 3 1 The Service Group Add Edit Screen 762 Chapter 43 Schedules 763 43 1 Overview 763 43 1 1 What You Can Do in this Chapter 763 43 1 2 What You Need to Know 763 43 2 The Schedule Summary Screen 764 43 2 1 The One Time Schedule Add Edit Screen 765 43 2 2 The Recurring Schedule Add Edit Screen 766 Chapter 44 AAA Server 769 44 1 Overview 769 44 1 1 ...

Page 26: ...e My Certificates Edit Screen 795 46 2 3 The My Certificates Import Screen 798 46 3 The Trusted Certificates Screen 799 46 3 1 The Trusted Certificates Edit Screen 800 46 3 2 The Trusted Certificates Import Screen 804 46 4 Certificates Technical Reference 805 Chapter 47 ISP Accounts 807 47 1 Overview 807 47 1 1 What You Can Do in this Chapter 807 47 2 ISP Account Summary 807 47 2 1 ISP Account Edi...

Page 27: ...g the DNS Screen 837 50 6 3 Address Record 840 50 6 4 PTR Record 840 50 6 5 Adding an Address PTR Record 840 50 6 6 Domain Zone Forwarder 841 50 6 7 Adding a Domain Zone Forwarder 841 50 6 8 MX Record 842 50 6 9 Adding a MX Record 843 50 6 10 Adding a DNS Service Control Rule 843 50 7 WWW Overview 844 50 7 1 Service Access Limitations 845 50 7 2 System Timeout 845 50 7 3 HTTPS 845 50 7 4 Configuri...

Page 28: ...ummary 884 51 3 2 Edit System Log Settings 885 51 3 3 Edit Log on USB Storage Setting 890 51 3 4 Edit Remote Server Log Settings 892 51 3 5 Active Log Summary Screen 894 Chapter 52 File Manager 897 52 1 Overview 897 52 1 1 What You Can Do in this Chapter 897 52 1 2 What you Need to Know 897 52 2 The Configuration File Screen 900 52 3 The Firmware Package Screen 904 52 4 The Shell Script Screen 906...

Page 29: ...creen 921 Chapter 56 Troubleshooting 923 56 1 Resetting the ZyWALL 940 56 2 Getting More Troubleshooting Help 941 Chapter 57 Product Specifications 943 57 1 3G or WLAN PCMCIA Card Installation 952 57 2 Power Adaptor Specifications 952 Appendix A Log Descriptions 955 Appendix B Common Services 1017 Appendix C Displaying Anti Virus Alert Messages in Windows 1021 Appendix D Importing Certificates 102...


Page 31: ...PART I: User's Guide ...


Page 33: ...P server and many other powerful features Flexible configuration helps you set up the network and enforce security policies efficiently See Chapter 2 on page 39 for a more detailed overview of the ZyWALL s features The ZyWALL provides excellent throughput with the reliability of dual WAN Gigabit Ethernet ports and load balancing You can also use a 3G cellular card not included for a third WAN conn...

Page 34: ...position of the ZyWALL does not make the rack unstable or top heavy Take all necessary precautions to anchor the rack securely before installing the unit Note Leave 10 cm of clearance at the sides and 20 cm in the rear Use a 2 Phillips screwdriver to install the screws Note Failure to use the proper screws may damage the unit 1 2 1 Rack Mounted Installation Procedure 1 Align one bracket with the h...

Page 35: ...unting brackets position the ZyWALL in the rack by lining up the holes in the brackets with the appropriate holes on the rack Secure the ZyWALL to the rack with the rack mounting screws Figure 2 Rack Mounting 1 3 Front Panel This section introduces the ZyWALL s front panel Figure 3 ZyWALL Front Panel ...

Page 36: ...tion 1 5 on page 38 If the LED turns red again then please contact your vendor SYS Green Off The ZyWALL is not ready or has failed On The ZyWALL is ready and running Flashing The ZyWALL is restarting AUX Green Off The AUX port is not connected Flashing The AUX port is sending or receiving packets On The AUX port is connected P1 P2 Green Off There is no traffic on this port Flashing The ZyWALL is s...

Page 37: ... to use text-based commands to configure the ZyWALL. You can access it using remote management (for example, SSH or Telnet) or via the console port. See the Command Reference Guide for more information about the CLI. Console Port: You can use the console port to manage the ZyWALL using CLI commands. See the Command Reference Guide for more information about the CLI. The default settings for the console por...

Page 38: ...sses. Rebooting the ZyWALL: A warm start (without powering down and powering up again) occurs when you use the Reboot button in the Reboot screen or when you use the reboot command. The ZyWALL writes all cached data to the local storage, stops the system processes and then does a warm start. Using the RESET button: If you press the RESET button, the ZyWALL sets the configuration to its default values and t...

Page 39: ...provides reliable secure Internet access set up one or more of the following Multiple WAN ports and configure load balancing between these ports One or more 3G cellular connections An auxiliary backup Internet connection A backup ZyWALL in the event the master ZyWALL fails device HA Virtual Private Networks VPN Use IPSec SSL or L2TP VPN to provide secure communication between two sites over the In...

Page 40: ...sed on violations of protocol standards RFCs Requests for Comments Abnormal flows such as port scans The ZyWALL s ADP protects against network based intrusions See Section 35 3 4 on page 646 and Section 35 3 5 on page 649 for more on the kinds of attacks that the ZyWALL can protect against You can also create your own custom ADP rules Bandwidth Management Bandwidth management allows you to allocat...

Page 41: ...suspected of being used by spammers Application Patrol Application patrol App Patrol manages instant messenger IM peer to peer P2P applications like MSN and BitTorrent You can even control the use of a particular application s individual features like text messaging voice video conferencing and file transfers Application patrol has powerful bandwidth management including traffic prioritization to ...

Page 42: ...configure the ZyWALL to provide SSL VPN network access to remote users. There are two SSL VPN network access modes: reverse proxy and full tunnel. 2.2.2.1 Reverse Proxy Mode: In reverse proxy mode, the ZyWALL is a proxy that acts on behalf of the local network servers, such as your web and mail servers. As the final destination, the ZyWALL appears to be the server to remote users. This provides an added la...

Page 43: ... tunnel mode, a virtual connection is created for remote users with private IP addresses in the same subnet as the local network. This allows them to access network resources in the same way as if they were part of the internal network. Figure 7: Network Access Mode, Full Tunnel Mode (Web Mail, File Share, Web-based Application; LAN 192.168.1.X; https) Applicat...

Page 44: ...e information and shared resources based on the user who is trying to access it Figure 8 Applications User Aware Access Control 2 2 4 Multiple WAN Interfaces Set up multiple connections to the Internet on the same port or set up multiple connections on different ports In either case you can balance the loads between them Figure 9 Applications Multiple WAN Interfaces ...

Page 45: ...and Applications ZyWALL USG 100 200 Series User s Guide 45 2 2 5 Device HA Set up an additional ZyWALL as a backup gateway to ensure the default gateway is always available for the network Figure 10 Applications Device HA ...


Page 47: ...or Requirements. In order to use the Web Configurator you must: use Internet Explorer 7 or later, or Firefox 1.5 or later; allow pop-up windows (blocked by default in Windows XP Service Pack 2); enable JavaScript (enabled by default); enable Java permissions (enabled by default); enable cookies. The recommended screen resolution is 1024 x 768 pixels. 3.2 Web Configurator Access: 1 Make sure your ZyWALL hardware i...

Page 48: ...in and password (default 1234). If your account is configured to use an ASAS authentication server, use the OTP (One-Time Password) token to generate a number. Enter it in the One-Time Password field. The number is only good for one login; you must use the token to generate a new number the next time you log in. 4 Click Login. If you logged in using the default user name and password, the Update Admin Info sc...

Page 49: ... screen If you change the default password the Login screen Figure 11 on page 48 appears after you click Apply If you click Ignore the Installation Setup Wizard opens if the ZyWALL is using its default configuration see Chapter 4 on page 65 otherwise the dashboard appears as shown next Figure 13 Dashboard 3 3 Web Configurator Screens Overview The Web Configurator screen is divided into these parts...

Page 50: ...of the Web Configurator Help Click this to open the help page for the current screen About Click this to display basic information about the ZyWALL Site Map Click this to see an overview of links to the Web Configurator screens Object Reference Click this to open a screen where you can check which configuration items reference an object Console Click this to open the console in which you can use t...

Page 51: ...panel menus and their screens Figure 16 Navigation Panel 3 3 2 1 Dashboard The dashboard displays general device information system status system resource usage licensed service status and interface status in widgets that you can re arrange to suit your needs See Chapter 9 on page 227 for details on the dashboard Table 5 About LABEL DESCRIPTION Boot Module This shows the version number of the soft...

Page 52: ...eless clients Cellular Status Displays details about the ZyWALL s 3G connection status USB Storage Displays information about a connected USB storage device AppPatrol Statistics Displays bandwidth and protocol statistics VPN Monitor IPSec Displays and manages the active IPSec SAs SSL Lists users currently logged into the VPN SSL client portal You can also log out individual users and delete relate...

Page 53: ...1 WLAN or DMZ Ethernet Manage Ethernet interfaces and virtual Ethernet interfaces PPP Create and manage PPPoE and PPTP interfaces Cellular Configure a cellular Internet connection for an installed 3G card WLAN Configure settings for an installed wireless LAN card VLAN Create and manage VLAN interfaces and virtual VLAN interfaces Bridge Create and manage bridges and virtual bridge interfaces Auxili...

Page 54: ...s L2TP VPN L2TP VPN Configure L2TP Over IPSec VPN settings AppPatrol General Enable or disable traffic management by application and see registration and signature information Common Manage traffic of the most commonly used web file transfer and e mail protocols IM Manage instant messenger traffic Peer to Peer Manage peer to peer traffic VoIP Manage VoIP traffic Streaming Manage streaming traffic ...

Page 55: ...users Group Create and manage groups of users Setting Manage default settings for all users general settings for user sessions and rules to force user authentication Address Address Create and manage host range and network subnet addresses Address Group Create and manage groups of addresses Service Service Create and manage TCP and UDP services Service Group Create and manage groups of services Sc...

Page 56: ...re HTTP HTTPS and general authentication Login Page Configure how the login and access user screens look SSH Configure SSH server and SSH service settings TELNET Configure telnet server settings for the ZyWALL FTP Configure FTP server settings SNMP Configure SNMP communities and services Dial in Mgmt Configure settings for an out of band management connection through a modem connected to the port ...

Page 57: ... messages such as those resulting from misconfiguration display in a popup window Figure 17 Warning Message Table 8 Maintenance Menu Screens Summary FOLDER OR LINK TAB FUNCTION File Manager Configuration File Manage and upload configuration files for the ZyWALL Firmware Package View the current firmware version and to upload firmware Shell Script Manage and run shell script files for the ZyWALL Di...

Page 58: ...t screen Figure 18 Site Map 3 3 3 3 Object Reference Click Object Reference to open the Object Reference screen Select the type of object and the individual object and click Refresh to show which configuration settings reference the object The following example shows which configuration settings reference the ldap users user object in this case the first firewall rule Figure 19 Object Reference ...

Page 59: ...s LABEL DESCRIPTION Object Name This identifies the object for which the configuration settings that use it are displayed Click the object s name to display the object s configuration screen in the main window This field is a sequential value and it is not associated with any entry Service This is the type of setting that references the selected object Click a service s name to display the service...

Page 60: ...ies by a Column s Criteria 2 Click the down arrow next to a column heading for more options about how to display the entries The options available vary depending on the type of fields in the column Here are some examples of what you can do Sort in ascending alphabetical order Sort in descending reverse alphabetical order Select which columns to display Group entries by field Show entries in groups...

Page 61: ...a column heading and drag and drop it to change the column order A green check mark displays next to the column s title when you drag the column to a valid new location Figure 24 Changing the Column Order 5 Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how many entries display at a time Figure 25 Navigating Pages of Table Entries ...

Page 62: ...nd click Edit to open a screen where you can modify the entry s settings In some tables you can just click a table entry and edit it directly in the table For those types of tables small red triangles display for table entries with changes that you have not yet applied Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Activate To turn on...

Page 63: ...eb Configurator ZyWALL USG 100 200 Series User s Guide 63 you can also use the Shift or Ctrl key to select multiple entries and then use the arrow button to move them to the other list Figure 27 Working with Lists ...


Page 65: ...onfigure Internet connection settings and activate subscription services This chapter provides information on configuring the Web Configurator s installation setup wizard See the feature specific chapters in this User s Guide for background information Figure 28 Installation Setup Wizard Click the double arrow in the upper right corner to display or hide the help Click Go to Dashboard to skip the ...

Page 66: ...nfigure two Internet connections Leave it cleared to configure just one This option appears when you are configuring the first WAN interface Encapsulation Choose the Ethernet option when the WAN port is used as a regular Ethernet Otherwise choose PPPoE or PPTP for a dial up connection according to the information from your ISP WAN Interface This is the interface you are configuring for Internet ac...

Page 67: ...us screen The following fields display if you selected static IP address assignment IP Subnet Mask Enter the subnet mask for this WAN connection s IP address Gateway IP Address Enter the IP address of the router through which this WAN connection will send traffic the default gateway First Second DNS Server These fields display if you selected static IP address assignment The Domain Name System DNS...

Page 68: ...ol for outgoing connection requests. Options are: CHAP/PAP: Your ZyWALL accepts either CHAP or PAP when requested by the remote node. CHAP: Your ZyWALL accepts CHAP only. PAP: Your ZyWALL accepts PAP only. MSCHAP: Your ZyWALL accepts MSCHAP only. MSCHAP-V2: Your ZyWALL accepts MSCHAP-V2 only. Type the User Name given to you by your ISP. You can use alphanumeric and _ characters, and it can be up to 31 character...

Page 69: ... address assignment The Domain Name System DNS maps a domain name to an IP address and vice versa Enter a DNS server s IP address es The DNS server is extremely important because without it you must know the IP address of a computer before you can access it The ZyWALL uses these in the order you specify here to resolve domain names for VPN DDNS and the time server Leave the field as 0 0 0 0 if you...

Page 70: ...your ISP Type the IP Subnet Mask assigned to you by your ISP if given Server IP Type the IP address of the PPTP server Type a Connection ID or connection name It must follow the c id and n name format For example C 12 or N My ISP This field is optional and depends on the requirements of your broadband modem or router You can use alphanumeric and _ characters and it can be up to 31 characters long ...

Page 71: ...tup Second WAN Interface If you selected I have two ISPs after you configure the First WAN Interface you can configure the Second WAN Interface The screens for configuring the second WAN interface are similar to the first see Section 4 1 1 on page 66 Figure 33 Internet Access Step 3 Second WAN Interface ...

Page 72: ...lick Next and use the following screen to perform a basic registration (see Section 4.2 on page 72). If you want to do a more detailed registration or manage your account details, click myZyXEL.com. Alternatively, close the window to exit the wizard. 4.2 Device Registration: Use this screen to register your ZyWALL with myZyXEL.com and activate trial periods of subscription security features if you have not...

Page 73: ...e an account at myZyXEL com and enter your user name and password in the fields below to register your ZyWALL Enter a User Name for your myZyXEL com account Use from six to 20 alphanumeric characters and the underscore Spaces are not allowed Click Check to verify that it is available Password Use six to 20 alphanumeric characters and the underscore Spaces are not allowed Type it again in the Confi...

Page 74: ... Service Activation You can try a trial service subscription The trial period starts the day you activate the trial After the trial expires you can buy an iCard and enter the license key in the Registration Service screen to extend the service Figure 36 Registration Registered Device ...

Page 75: ...s in this User s Guide for background information In the Web Configurator click Configuration Quick Setup to open the first Quick Setup screen Figure 37 Quick Setup WAN Interface Click this link to open a wizard to set up a WAN Internet connection This wizard creates matching ISP account settings in the ZyWALL if you use PPPoE or PPTP See Section 5 2 on page 76 VPN SETUP Use VPN SETUP to configure...

Page 76: ...figure an interface to connect to the internet Click Next Figure 38 WAN Interface Quick Setup Wizard 5 2 1 Choose an Ethernet Interface Select the Ethernet interface that you want to configure for a WAN connection and click Next Figure 39 Choose an Ethernet Interface 5 2 2 Select WAN Type WAN Type Selection Select the type of encapsulation this connection is to use Choose Ethernet when the WAN por...

Page 77: ... you use Refer to information provided by your ISP to know what to enter in each field Leave a field blank if you don t have that information Note Enter the Internet access information exactly as your ISP gave it to you 5 2 3 Configure WAN Settings Use this screen to select whether the interface should use a fixed or dynamic IP address Figure 41 WAN Interface Setup Step 2 WAN Interface This is the...

Page 78: ...ttings This screen is read only if you set the IP Address Assignment to Static Note Enter the Internet access information exactly as your ISP gave it to you Figure 42 WAN and ISP Connection Settings PPTP Shown The following table describes the labels in this screen Table 11 WAN and ISP Connection Settings LABEL DESCRIPTION ISP Parameter This section appears if the interface uses a PPPoE or PPTP In...

Page 79: ...ut PPTP Configuration This section only appears if the interface uses a PPPoE or PPTP Internet connection Base Interface This displays the identity of the Ethernet interface you configure to connect with a modem or router Base IP Address Type the static IP address assigned to you by your ISP IP Subnet Mask Type the subnet mask assigned to you by your ISP if given Server IP Type the IP address of t...

Page 80: ...pping a domain name to its corresponding IP address and vice versa The DNS server is extremely important because without it you must know the IP address of a computer before you can access it The ZyWALL uses a system DNS server in the order you specify here to resolve domain names for VPN DDNS and the time server Back Click Back to return to the previous screen Next Click Next to continue Table 11...

Page 81: ... uses the idle timeout Idle Timeout This is how many seconds the connection can be idle before the router automatically disconnects from the PPPoE server 0 means no timeout Connection ID If you specified a connection ID it displays here WAN Interface This identifies the interface you configure to connect with your ISP Zone This field displays to which security zone this interface and Internet conn...

Page 82: ...to select which type of VPN connection you want to configure Figure 45 VPN Setup Wizard Wizard Type Express Use this wizard to create a VPN connection with another ZLD based ZyWALL using a pre shared key and default security settings Advanced Use this wizard to configure detailed VPN security settings such as using certificates The VPN connection can be to another ZLD based ZyWALL or other IPSec d...

Page 83: ... The figure on the left of the screen changes to match the scenario you select Site to site Choose this if the remote IPSec device has a static IP address or a domain name This ZyWALL can initiate the VPN tunnel Site to site with Dynamic Peer Choose this if the remote IPSec device has a dynamic IP address Only the remote IPSec device can initiate the VPN tunnel Remote Access Server Role Choose thi...

Page 84: ... must use the same password. Use 8 to 31 case-sensitive ASCII characters, or 8 to 31 pairs of hexadecimal (0-9, A-F) characters. Precede a hexadecimal key with 0x. You will receive a PYLD_MALFORMED (payload malformed) packet if the same pre-shared key is not used on both ends. Local Policy (IP/Mask): Type the IP address of a computer on your network. You can also specify a subnet. This must match the remote IP a...

Page 85: ...negotiation. Local Policy: Static IP address and subnet mask of the computers on the network behind your ZyWALL that can use the tunnel. Remote Policy: Static IP address and subnet mask of the computers on the network behind the remote IPSec device that can use the tunnel. If this field displays Any, only the remote IPSec device can initiate the VPN connection. Copy and paste the Configuration for Secure...

Page 86: ...3 VPN Express Wizard - Finish. Now you can use the VPN tunnel. Figure 49 VPN Express Wizard: Step 6. Note: If you have not already done so, use the myZyXEL.com link and register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Click Close to exit the wizard. ...

Page 87: ...tive. Select the scenario that best describes your intended VPN connection. The figure on the left of the screen changes to match the scenario you select. Site-to-site: Choose this if the remote IPSec device has a static IP address or a domain name. This ZyWALL can initiate the VPN tunnel. Site-to-site with Dynamic Peer: Choose this if the remote IPSec device has a dynamic IP address. Only the remote IPSe...

Page 88: ... secure gateway to identify the remote IPSec device by its IP address or a domain name. Use 0.0.0.0 if the remote IPSec device has a dynamic WAN IP address. My Address (interface): Select an interface from the drop-down list box to use on your ZyWALL. Negotiation Mode: Select Main for identity protection. Select Aggressive to allow more incoming connections from dynamic IP addresses to use separate passwo...

Page 89: ...-Hellman Group 2, a 1024-bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5, a 1536-bit random number. SA Life Time: Set how often the ZyWALL renegotiates the IKE SA. A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel. NAT Traversal: Select this if the VPN tunnel must pass through NAT (there is a NAT router between the IPSec devices). Note: The remote IPS...

Page 90: ... slower. SA Life Time: Set how often the ZyWALL renegotiates the IKE SA. A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel. Perfect Forward Secrecy (PFS): Disabling PFS allows faster IPSec setup, but is less secure. Select DH1, DH2 or DH5 to enable PFS. DH5 is more secure than DH1 or DH2, although it may affect throughput. DH1 refers to Diffie-Hellman Group 1, a 76...

Page 91: ...tion and the VPN gateway. Secure Gateway: IP address or domain name of the remote IPSec device. Pre-Shared Key: VPN tunnel password. Certificate: The certificate the ZyWALL uses to identify itself when setting up the VPN tunnel. Local Policy: IP address and subnet mask of the computers on the network behind your ZyWALL that can use the tunnel. Remote Policy: IP address and subnet mask of the computers on th...

Page 92: ...e 92. 5.5.8 VPN Advanced Wizard - Finish. Now you can use the VPN tunnel. Figure 54 VPN Wizard: Step 6 (Advanced). Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Click Close to exit the wizard. ...

Page 93: ...ter you configure the trunk, you should configure a policy route for it as well. You might also have to configure criteria for the policy route. Section 6.6 on page 113 identifies the objects that store information used by other features. Section 6.7 on page 114 introduces some of the tools available for system management. 6.1 Object-based Configuration: The ZyWALL stores information or settings as obje...

Page 94: ...a list of common objects, see Section 6.6 on page 113. Use the Object Reference screen (Section 3.3.3.3 on page 58) to see what objects are configured and which configuration settings reference specific objects. 6.2 Zones, Interfaces and Physical Ports: Zones (groups of interfaces and VPN tunnels) simplify security settings. Here is an overview of zones, interfaces and physical ports in the ZyWALL. Figure 55 ...

Page 95: ...ress and subnet mask of the bridge. It is also possible to configure zone-level security between the member interfaces in the bridge. Virtual interfaces increase the amount of routing information in the ZyWALL. There are three types: virtual Ethernet interfaces (also known as IP alias), virtual VLAN interfaces and virtual bridge interfaces. The auxiliary interface, along with an external modem, provides an ...

Page 96: ...face and Zone Configuration. PORT | INTERFACE | ZONE | IP ADDRESS AND DHCP SETTINGS | SUGGESTED USE (WITH DEFAULT SETTINGS); P1, P2 | wan1, wan2 | WAN | DHCP clients | Connections to the Internet; P3 | opt | OPT | None, DHCP server disabled | Third WAN, additional LAN, WLAN or DMZ port, or a separate network; P4 | lan1 | LAN1 | 192.168.1.1, DHCP server enabled | Protected LAN; P5 | lan2 | LAN2 | 192.168.2.1, DHCP server enabled | Protected LAN; P6 | ext ...

Page 97: ...s access points. The ext-wlan interface uses private IP address 10.59.0.1 and the connected devices use IP addresses in the 10.59.0.2 to 10.59.0.254 range. The DMZ zone contains the dmz interface (physical port P7). The DMZ zone has servers that are available to the public. The dmz interface uses private IP address 192.168.3.1 and the connected devices use private IP addresses in the 192.168.3.2 to 192...

Page 98: ...nd ZyNOS ZYNOS FEATURE SCREEN ZLD ZYWALL FEATURE SCREEN Trigger port port triggering Policy route Address mapping Policy route Address mapping VPN IPSec VPN Table 19 Bandwidth Management Differences Between the ZLD ZyWALL and ZyNOS ZYNOS FEATURE SCREEN ZLD ZYWALL FEATURE SCREEN Interface bandwidth management outbound Interface OSI level 7 bandwidth management Application patrol General bandwidth m...

Page 99: ...ternal interfaces, you don't need to configure anything to allow LAN-to-WAN or WLAN-to-WAN traffic. The ZyWALL automatically adds all of the external interfaces to the default WAN trunk. External interfaces include ppp, cellular and AUX interfaces, as well as any Ethernet interfaces that are set as external interfaces. Examples of internal interfaces are WLAN interfaces and any Ethernet interfaces that yo...

Page 100: ...mines how to route them. The following figure shows how the ZLD 2.20 firmware's routing table compares with the earlier 2.1x firmware's routing table. The checking flow is from top to bottom. As soon as the packets match an entry in one of the sections, the ZyWALL stops checking the packets against the routing table and moves on to the other checks (for example, the firewall check). Figure 59 Routing Tabl...

Page 101: ...ntrol dynamic IPSec rules option moves the routes for dynamic IPSec rules up above the policy routes (see Section 25.2 on page 482). 5 Static and Dynamic Routes: This section contains the user-configured static routes and the dynamic routing information learned from other routers through RIP and OSPF. See Chapter 15 on page 383 for more information. 6 Default WAN Trunk: For any traffic coming in through ...

Page 102: ...T (including Many 1-to-1) is also included in the NAT table. 3 NAT loopback is now included in the NAT table instead of requiring a separate policy route. 4 SNAT is also now performed by default and included in the NAT table. 6.5 Feature Configuration Overview: This section provides information about configuring the main features in the ZyWALL. The features are listed in the same sequence as the menu ite...

Page 103: ...he sequence of menu items and tabs you should click to find the main screen(s) for this feature. See the web help or the related User's Guide chapter for information about each screen. PREREQUISITES: These are other features you should configure before you configure the main screen(s) for this feature. If you did not configure one of the prerequisites first, you can often select an option to create a new...

Page 104: ...ks. Use trunks to set up load balancing using two or more interfaces. Example: See Chapter 7 on page 117. 6.5.6 Policy Routes: Use policy routes to override the ZyWALL's default routing behavior in order to send packets through the appropriate interface or VPN tunnel. You can also use policy routes for bandwidth management (out of the ZyWALL) and port triggering. MENU ITEM(S): Configuration > Licensing > Update. PRER...

Page 105: ...TP. 8 For the Next-Hop fields, select Interface as the Type if you have a single WAN connection, or Trunk if you have multiple WAN connections. 9 Select the interface that you are using for your WAN connection (wan1 and wan2 are the default WAN interfaces). If you have multiple WAN connections, select the trunk. 10 Specify the amount of bandwidth FTP traffic can use. You may also want to set a low priority ...

Page 106: ...hen you create a zone, the ZyWALL does not create any firewall rules, assign an IDP profile, or configure remote management for the new zone. Example: For example, to create the DMZ 2 zone and add an interface, click Network > Zone and then the Add icon. 6.5.9 DDNS: Dynamic DNS maps a domain name to a dynamic IP address. The ZyWALL helps maintain this mapping. 6.5.10 NAT: Use Network Address Translation (NAT) to ...

Page 107: ...e packets received for the original IP address. 6 In Mapping Type, select Port. 7 Enter 21 in both the Original and the Mapped Port fields. 6.5.11 HTTP Redirect: Configure this feature to have the ZyWALL transparently forward HTTP (web) traffic to a proxy server. This can speed up web browsing because the proxy server keeps copies of the web pages that have been accessed, so they are readily available the ...

Page 108: ...n access the network. 6.5.14 Firewall: The firewall controls the travel of traffic between or within zones. You can also configure the firewall to control traffic for NAT (DNAT) and policy routes (SNAT). You can configure firewall rules based on schedules, specific users or user groups, source or destination addresses or address groups, and services or service groups. Each of these objects must be configured ...

Page 109: ...address. Leave the Access field set to Allow and the Log field set to No. Note: The ZyWALL checks the firewall rules in order. Make sure each rule is in the correct place in the sequence. 6.5.15 IPSec VPN: Use IPSec VPN to provide secure communication between two sites over the Internet or any insecure network that uses TCP/IP for communication. The ZyWALL also offers hub-and-spoke VPN. Example: See Chapte...

Page 110: ...ate a user account for Bob (User/Group). 2 Click AppPatrol > Peer to Peer to go to the application patrol configuration screen. Click the BitTorrent application patrol entry's Edit icon. Set the default policy's access to Drop. Add another policy. Select the user account that you created for Bob. You can leave the source, destination and log settings at the default. WHERE USED: Policy routes, zones. MENU ITEM(S) ...

Page 111: ...otocol anomalies. 6.5.22 Content Filter: Use content filtering to block or allow access to specific categories of web site content, individual web sites, and web features (such as cookies). You can define which user accounts or groups can access what content and at what times. You must have a subscription in order to use the category-based content filtering. You can subscribe using the menu item or one of ...

Page 112: ...o when the category-based content filtering service is not available. 7 Select the Arts/Entertainment category (you need to click Advanced to display it) and click OK. 8 Click General to go to the content filter general configuration screen. 9 Enable the content filter. 10 Add a policy that uses the schedule, the filtering profile and the user that you created. 6.5.23 Anti-Spam: Use anti-spam to detect and...

Page 113: ... user groups address VPN connections local remote network NAT policy routes criteria next hop HOST NAT authentication policies firewall application patrol source destination content filter NAT HOST user settings force user authentication address groups remote management System address group Policy routes criteria firewall application patrol source destination content filter user settings force use...

Page 114: ...mote management connection through an external serial modem connected to the AUX port. Example: Suppose you want to allow an administrator to use HTTPS to manage the ZyWALL from the WAN. 1 Create an administrator account (Configuration > Object > User/Group). guest: Access network services. ext-user: The same as a user or a guest, except the ZyWALL looks for the specific type in an external authentication serve...

Page 115: ...ou can manage. Configuration files: Use configuration files to back up and restore the complete configuration of the ZyWALL. You can store multiple configuration files in the ZyWALL and switch between them without restarting. Shell scripts: Use shell scripts to run a series of CLI commands. These are useful for large, repetitive configuration changes (for example, creating a lot of VPN tunnels) and for trou...

Page 116: ... USG 100/200 Series User's Guide 116. Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the ZyWALL or remove the power. Not doing so can cause the firmware to become corrupt. MENU ITEM(S): Maintenance > Shutdown ...

Page 117: ...Technical Reference on page 225. 7.1 How to Configure Interfaces, Port Roles and Zones: This tutorial shows how to configure Ethernet interfaces, port roles and zones for the following example configuration (see Section 6.2.2 on page 96 for the default configuration). You want to be able to apply security settings specifically for all VPN tunnels, so you create a new VPN zone. The wan1 interface uses a sta...

Page 118: ...ace for Ethernet-connected APs, so you remove port P6 from the ext-wlan interface and add it to the dmz interface instead. Figure 61 Ethernet Interface, Port Roles and Zone Configuration Example. 7.1.1 Configure a WAN Ethernet Interface: You need to assign the ZyWALL's wan1 interface a static IP address of 1.2.3.4 ...

Page 119: ...ess and configure the IP address, subnet mask and default gateway settings, and click OK. Figure 62 Configuration > Network > Interface > Ethernet > Edit (wan1). 7.1.2 Configure the OPT Interface for a Local Network: Here is how to set the opt interface for a separate local network. It uses 192.168.4.1 as its IP address and has a DHCP server to distribute IP addresses to connected DHCP clients. ...

Page 120: ...t interface's entry. Set the Interface Type to internal. Set the IP Address to 192.168.4.1 and the Subnet Mask to 255.255.255.0. Set DHCP to DHCP Server and click OK. Figure 63 Configuration > Network > Interface > Ethernet > Edit (opt). 7.1.3 Configure Zones: Do the following to create a VPN zone. 1 Click Configuration > Network > Zone and then the Add icon. ...

Page 121: ...er box and click OK. Figure 64 Configuration > Network > Zone > WAN > Edit. 7.1.4 Configure Port Roles: Here is how to remove port P6 from the ext-wlan interface and add it to the dmz interface. 1 Click Configuration > Network > Interface > Role. 2 Under P6, select the dmz (DMZ) radio button and click Apply. Figure 65 Configuration > Network > Interface > Port Roles Example ...

Page 122: ...mple, you install or connect the 3G card before you configure the cellular interfaces, but it is also possible to reverse the sequence. 1 Make sure the 3G device's SIM card is installed. 2 Install the 3G device in the ZyWALL's PCMCIA slot or connect it to one of the ZyWALL's USB ports. 3 Click Configuration > Network > Interface > Cellular. Select the 3G device's entry and click Edit. Figure 66 Configuration > Net...

Page 123: ...ing Zone set to none has the ZyWALL not apply any security settings to the 3G connection. Enter the PIN Code provided by the cellular (3G) service provider (0000 in this example). Figure 67 Configuration > Network > Interface > Cellular > Edit. 5 Go to the Dashboard. The Interface Status Summary section should contain a cellular entry. When its connection status is Connected, you can use the 3G connection to access...

Page 124: ...device is working. To fine-tune the load balancing configuration, see Chapter 14 on page 373. See also Section 7.3 on page 124 for an example. 7.3 How to Configure Load Balancing: This example shows how to configure a trunk for two WAN connections to the Internet. The available bandwidth for the connections is 1 Mbps (wan1) and 512 Kbps (wan2) respectively. As these connections have different bandwidth, use th...

Page 125: ...click the wan1 entry. Enter the available bandwidth (1000 kbps) in the Egress Bandwidth field. Click OK. Figure 70 Configuration > Network > Interface > Ethernet > Edit (wan1). 2 Repeat the process to set the egress bandwidth for wan2 to 512 Kbps. 7.3.2 Configure the WAN Trunk: 1 Click Configuration > Network > Interface > Trunk. Click the Add icon. ...

Page 126: ... 2 Name the trunk and set the Load Balancing Algorithm field to Weighted Round Robin. Add wan1 and enter 2 in the Weight column. Add wan2 and enter 1 in the Weight column. Click OK. Figure 71 Configuration > Network > Interface > Trunk > Add ...

Page 127: ...ts you have different wireless LAN networks using different SSIDs. You can configure the WLAN interfaces before or after you install the wireless LAN card. This example shows how to create a WLAN interface that uses WPA or WPA2 security and the ZyWALL's local user database for authentication. 7.4.1 Set Up User Accounts: The ZyWALL supports TTLS using PAP, so you can use the ZyWALL's local user database...

Page 128: ...to wlan_user. Enter and re-enter the user's password. Click OK. Figure 73 Configuration > Object > User/Group > User > Add. 3 Use the Add icon in the Configuration > Object > User/Group > User screen to set up the remaining user accounts in similar fashion. 7.4.2 Create the WLAN Interface: 1 Click Configuration > Network > Interface > WLAN > Add to open the WLAN Add screen. ...

Page 129: ...n this example. This determines which security settings the ZyWALL applies to the WLAN interface. Configure the SSID (ZYXEL_WPA in this example). If all of your wireless clients support WPA2, select WPA2-Enterprise as the Security Type; otherwise select WPA/WPA2-Enterprise. Set the Authentication Type to Auth Method. The ZyWALL can use its default authentication method (the local user database) and its defa...

Page 130: ... Figure 74 Configuration > Network > Interface > WLAN > Add ...

Page 131: ...ireless client (not included with the ZyWALL) use the wireless network. 7.4.3.1 Configure the ZyXEL Wireless Client Utility: This example covers how to configure ZyXEL's wireless client utility (not included with the ZyWALL) to use the WLAN interface. See Section 7.4.3.2 on page 135 instead for how to use Funk Odyssey's wireless client software if you want the wireless client to validate the ZyWALL's cer...

Page 132: ...pen the wireless client utility and click Profile. Figure 76 ZyXEL Wireless Client. 2 Add a new profile. This example uses ZYXEL_WPA as the name. It is also the SSID name of the wireless network. Select Infrastructure and click Next. Figure 77 ZyXEL Wireless Client: Profile ...

Page 133: ...t. Figure 78 ZyXEL Wireless Client: Profile Security Type. 4 Set the encryption type to TKIP and the EAP type to TTLS. Configure wlan_user as the Login Name and enter the account's password (also wlan_user in this example). In TTLS Protocol, select PAP. Click Next. Figure 79 ZyXEL Wireless Client: Profile Security Settings ...

Page 134: ... 5 Confirm your settings and click Save. Figure 80 ZyXEL Wireless Client: Profile Save. 6 Click Activate Now. Figure 81 ZyXEL Wireless Client: Profile Activate ...

Page 135: ... wireless client validate the ZyWALL's certificate, you can go to Section 7.4.3.4 on page 143. 7.4.3.2 Configure the Funk Odyssey Wireless Client: This example shows how to configure Funk's Odyssey Access Client Manager wireless client software (not included with the ZyWALL) to use the WLAN interface. 1 Open the Odyssey wireless client software and click Profiles > Add. Figure 83 Odyssey Access Client Mana...

Page 136: ... the User Info tab, configure wlan_user as the Login name. In the Password sub-tab, select Prompt for long name and password. Figure 84 Odyssey Access Client Manager: Profiles > User Info. 3 Click the Authentication tab and select Validate server certificate. Figure 85 Odyssey Access Client Manager: Profiles > Authentication ...

Page 137: ... 4 Click the TTLS tab and select PAP. Then click OK. Figure 86 Odyssey Access Client Manager: Profiles > Authentication. 5 Click Networks > Add. Figure 87 Odyssey Access Client Manager: Networks ...

Page 138: ...ager: Networks > Add. Use the next section to import the ZyWALL's certificate into the wireless client. 7.4.3.3 Wireless Clients: Import the ZyWALL's Certificate. You must import the ZyWALL's certificate into the wireless clients if they are to validate the ZyWALL's certificate. Use the Configuration > Object > Certificate > Edit screen (see Section 46.2.2 on page 795) to export the certificate the ZyWALL is usin...

Page 139: ... 1 In Internet Explorer, click Tools > Internet Options > Content and click the Certificates button. Figure 89 Internet Explorer: Tools > Internet Options > Content. 2 Click Import. Figure 90 Internet Explorer: Tools > Internet Options > Content > Certificates ...

Page 140: ...pe setting to All Files in order to see the certificate file. Figure 91 Internet Explorer Certificate Import Wizard: File Open Screen. 4 When you get to the Certificate Store screen, select the option to automatically select the certificate store based on the type of certificate. Figure 92 Internet Explorer Certificate Import Wizard: Certificate Store Screen ...

Page 141: ... 5 If you get a security warning screen, click Yes to proceed. Figure 93 Internet Explorer Certificate Import: Certificate Warning Screen ...

Page 142: ...in the ZyWALL's My Certificates screen's Subject and Issuer fields respectively. Figure 94 Internet Explorer: Trusted Root Certification Authorities. The My Certificates screen indicates what type of information is being displayed, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C). Figure 95 Configuration > Object > Certificate > My Certificates. Repeat the steps to import the certifi...

Page 143: ...ple. 7.5 How to Set Up an IPSec VPN Tunnel: This example shows how to use the IPSec VPN configuration screens to create the following VPN tunnel (see Section 5.4 on page 82 for details on the VPN quick setup wizard). Figure 97 VPN Example. In this example the ZyWALL is router X (1.2.3.4) and the remote IPSec router is router Y (2.2.2.2). Create the VPN tunnel between ZyWALL X's LAN subnet (192.168.1.0/24) and ...

Page 144: ...way and then click the Add icon. 2 Enable the VPN gateway and name it VPN_GW_EXAMPLE. For My Address, select Interface and wan1. For the Peer Gateway Address, select Static Address and enter 2.2.2.2 in the Primary field. For the Authentication, select Pre-Shared Key and enter 12345678. Click OK. Figure 98 Configuration > VPN > IPSec VPN > VPN Gateway > Add. 7.5.2 Set Up the VPN Connection: The VPN connection manages...

Page 145: ... Click the Add icon. 4 Enable the VPN connection and name it VPN_CONN_EXAMPLE. Under VPN Gateway, select Site-to-site and the VPN gateway VPN_GW_EXAMPLE. Under Policy, select LAN1_SUBNET for the local network and VPN_REMOTE_SUBNET for the remote. Click OK. Figure 100 Configuration > VPN > IPSec VPN > VPN Connection > Add. 5 Now set up the VPN settings on the peer IPSec router and try to establish the VPN tunnel. T...

Page 146: ... How to Configure a Hub-and-spoke IPSec VPN Without a VPN Concentrator: A hub-and-spoke IPSec VPN connects IPSec VPN tunnels to form one secure network. This reduces the number of VPN connections that you have to set up and maintain in the network. Here is an example of a hub-and-spoke VPN that does not use the ZyWALL's VPN concentrator feature. Here branch office A has a ZyNOS-based ZyWALL and headqu...

Page 147: ...nel 1: Local Policy 192.168.168.0-192.168.169.255, Remote Policy 192.168.167.0/255.255.255.0, Disable Policy Enforcement. VPN Gateway VPN Tunnel2: My Address 10.0.0.1, Peer Gateway Address 10.0.0.3. VPN Connection VPN Tunnel 2: Local Policy 192.168.167.0-192.168.168.255, Remote Policy 192.168.169.0/255.255.255.0, Disable Policy Enforcement. Branch Office B (USG ZyWALL or ZyWALL 1050): VPN Gateway My Address 10...

Page 148: ...red policy routes, so the only way to get traffic destined for another spoke router to go through the ZyNOS ZyWALL's VPN tunnel is to make the remote policy cover both tunnels. Since the USG ZyWALLs or ZyWALL 1050s automatically handle the routing for VPN tunnels, if a USG ZyWALL or ZyWALL 1050 is a hub router and the local policy covers both tunnels, the automatic routing takes care of it without nee...

Page 149: ...ort user names from the RADIUS server to a text file, then you might create a script to create the user accounts instead. This example uses the Web Configurator. 1 Click Configuration > Object > User/Group > User. Click the Add icon. 2 Enter the same user name that is used in the RADIUS server and set the User Type to ext-user, because this user account is authenticated by an external server. Click OK. Figure 1...

Page 150: ...o the Member list. This example only has one member in this group, so click OK. Of course, you could add more members later. Figure 103 Configuration > Object > User/Group > Group > Add. 3 Repeat this process to set up the remaining user groups. 7.7.3 Set Up User Authentication Using the RADIUS Server: This step sets up user authentication using the RADIUS server. First configure the settings for the RADIUS server...

Page 151: ... the default entry. Click the Add icon. Select group radius, because the ZyWALL should use the specified RADIUS server for authentication. Click OK. Figure 105 Configuration > Object > Auth. Method > Add. 3 Click Configuration > Auth. Policy. In the Authentication Policy Summary section, click the Add icon. 4 Set up a default policy that forces every user to log in to the ZyWALL before the ZyWALL routes traffic for ...

Page 152: ...the users try to browse the web or use any HTTP/HTTPS application, the Login screen appears. They have to log in using the user name and password in the RADIUS server. 7.7.4 Web Surfing Policies With Bandwidth Restrictions: Use application patrol (AppPatrol) to enforce the web surfing and MSN policies. You must have already subscribed for the application patrol service. You can subscribe using the Configu...

Page 153: ... 1 Click Configuration > AppPatrol. If application patrol and bandwidth management are not enabled, enable them and click Apply. Figure 107 Configuration > AppPatrol > General. 2 Click the Common tab and double-click the http entry. Figure 108 Configuration > AppPatrol > Common ...

Page 154: ... 3 Double-click the Default policy. Figure 109 Configuration > AppPatrol > Common > http. 4 Change the access to Drop, because you do not want anyone except authorized user groups to browse the web. Click OK. Figure 110 Configuration > AppPatrol > Common > http > Edit Default ...

Page 155: ...ion in the Inbound and Outbound fields. Click OK. Repeat this process to add exceptions for all the other user groups that are allowed to browse the web. Figure 111 Configuration > AppPatrol > Common > http > Edit Default. 7.7.5 Set Up MSN Policies: Set up a recurring schedule object first, because Sales can only use MSN during specified times on specified days. 1 Click Configuration > Object > Schedule. Click the Ad...

Page 156: ...ollow the steps in Section 7.7.4 on page 152 to set up the appropriate policies for MSN in application patrol. Make sure to specify the schedule when you configure the policy for the Sales group's MSN access. 7.7.6 Set Up Firewall Rules: Use the firewall to control access from LAN to the DMZ. 1 Click Configuration > Firewall > Add. Set the From field as LAN1 and the To field as DMZ. Set the Access field to ...

Page 157: ...roups that are allowed to access the DMZ. 7.8 How to Use a RADIUS Server to Authenticate User Accounts based on Groups: The previous example showed how to have a RADIUS server authenticate individual user accounts. If the RADIUS server has different user groups distinguished by the value of a specific attribute, you can make a couple of slight changes in the configuration to have the RAD...

Page 158: ...thentication port and key, set the Group Membership Attribute field to the attribute that the ZyWALL is to check to determine to which group a user belongs. This example uses Class. This attribute's value is called a group identifier; it determines to which group a user belongs. In this example the values are Finance, Engineer, Sales and Boss. Figure 115 Configuration > Object > AAA Server > RADIUS > Add ...

Page 159: ...er/Group > User > Add. 3 Repeat this process to set up the remaining groups of user accounts. 7.9 How to Use Endpoint Security and Authentication Policies: Here is how to use endpoint security to make sure that users' computers meet specific security requirements before they are allowed to access the network. This example requires users to have Kaspersky Internet Security or anti-virus software on their co...

Page 160: ...ity entries to the allowed list (you can double-click an entry to move it). Select Endpoint must have Anti-Virus software installed and move the Kaspersky Internet Security and Kaspersky Anti-Virus anti-virus software entries to the allowed list. The following figure shows the configuration screen example. Figure 117 Configuration > Object > Endpoint Security > Add ...

Page 161: ...gure an authentication policy to use endpoint security objects. Enable the policy and name it. Set the Source Address to LAN1 and the Destination Address to any, the Schedule to none and Authentication to required, to apply this policy to all users. Select Force User Authentication to redirect the HTTP traffic of users who are not yet logged in to the ZyWALL's login screen. Enable EPS checking a...

Page 162: ... message example when a user's computer does not meet an endpoint security object's requirements. Click Close to return to the login screen. Figure 120 Example Endpoint Security Error Message. 7.10 How to Configure Service Control: Service control lets you configure rules that control HTTP and HTTPS management access to the Web Configurator and separate rules that control HTTP and HTTPS ...

Page 163: ...f you configure service control to allow management or user HTTP or HTTPS access, make sure the firewall is not configured to block that access. 7.10.1 Allow HTTPS Administrator Access Only From the LAN: This example configures service control to block administrator HTTPS access from all zones except the LAN1. 1 Click Configuration > System > WWW. 2 In HTTPS Admin Service Control, click the Add icon. Figure ...

Page 164: ... 4 Select the new rule and click the Add icon. Figure 123 Configuration > System > WWW: First Example Admin Service Rule Configured. 5 In the Zone field, select ALL and set the Action to Deny. Click OK. Figure 124 Configuration > System > WWW > Service Control Rule Edit ...

Page 165: ...om the LAN1 zone. Non-admin users can still use HTTPS to log into the ZyWALL from any of the ZyWALL's zones (to use SSL VPN, for example). 7.11 How to Allow Incoming H.323 Peer-to-peer Calls: Suppose you have an H.323 device on the LAN1 for VoIP calls and you want it to be able to receive peer-to-peer calls from the WAN. Here is an example of how to configure NAT and the firewall to have the ZyWALL forwar...

Page 166: ...peer Calls Example. 7.11.1 Turn On the ALG: Click Configuration > Network > ALG. Select Enable H.323 ALG and Enable H.323 transformations and click Apply. Figure 127 Configuration > Network > ALG. 7.11.2 Set Up a NAT Policy For H.323: In this example you need a NAT policy to forward H.323 (TCP port 1720) traffic received on the ZyWALL's 10.0.0.8 WAN IP address to LAN1 IP address 192.168.1.56. 10.0.0.8 to 192.168.1.56...

Page 167: ...e Configuration > Object > Address > Add to create an address object for the public WAN IP address (called WAN_IP for H323 here). Then use it again to create an address object for the H.323 device's private LAN1 IP address (called LAN_H323 here). Figure 128 Create Address Objects ...

Page 168: ...t the Original IP to the WAN address object (WAN_IP for H323). Set the Mapped IP to the H.323 device's LAN1 IP address object (LAN_H323). Set the Port Mapping Type to Port, the Protocol Type to TCP, and the original and mapped ports to 1720. Click OK. Figure 129 Configuration > Network > NAT > Add. 7.11.3 Set Up a Firewall Rule For H.323: The default firewall rule for WAN to LAN traffic drops all traffic. Here is ho...

Page 169: ...e ZyWALL applies NAT to traffic before applying the firewall rule Set the Service to H 323 Click OK Figure 130 Configuration Firewall Add 7 12 How to Allow Public Access to a Web Server This is an example of making an HTTP web server in the DMZ zone accessible from the Internet the WAN zone In this example you have public IP address 1 1 1 1 that you will use on the wan2 interface and map to the HT...

Page 170: ...ss 1.1.1.1. Figure 133 Creating the Address Object for the Public IP Address. 7.12.2 Configure NAT. You need a NAT rule to send HTTP traffic coming to IP address 1.1.1.1 on wan2 to the HTTP server's private IP address of 192.168.3.7. In the Configuration > Network > NAT screen, click the Add icon and create a new NAT entry as follows. Set the Incoming Interface to wan2. Set the Original IP to the Public_HTTP...

Page 171: ...or details. Figure 134 Creating the NAT Entry. 7.12.3 Set Up a Firewall Rule. The firewall blocks traffic from the WAN zone to the DMZ zone by default, so you need to create a firewall rule to allow the public to send HTTP traffic to IP address 1.1.1.1 in order to access the HTTP server. If a domain name is registered for IP address 1.1.1.1, users can just go to the domain name to access the web server ...

Page 172: ...bject DMZ_HTTP. DMZ_HTTP is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule. Set the Access field to allow and the Service to HTTP and click OK. Figure 135 Configuration > Firewall > Add. 7.13 How to Use an IPPBX on the DMZ. This is an example of making an IPPBX (x6004, using SIP) in the DMZ zone accessible from the Internet (the WAN zone). In this example you have pub...

Page 173: ...address 1.1.1.2 that you will use on the wan2 interface and map to the IPPBX's private IP address of 192.168.3.7. The local SIP clients are on the LAN. Figure 136 IPPBX Example Network Topology ...

Page 174: ...e SIP Transformations and click Apply. Figure 137 Configuration > Network > ALG. 7.13.2 Create the Address Objects. Use Configuration > Object > Address > Add to create the address objects. 1 Create a host address object named IPPBX_DMZ for the IPPBX's private DMZ IP address of 192.168.3.9. Figure 138 Creating the Address Object for the IPPBX's Private IP Address ...

Page 175: ...e WAN and also be able to send calls to the WAN, so you set the Classification to NAT 1:1. Set the Incoming Interface to wan1. Set the Original IP to the WAN address object IPPBX_Public. If a domain name is registered for IP address 1.1.1.2, users can use it to connect to for making SIP calls. Set the Mapped IP to the IPPBX's DMZ IP address object IPPBX_DMZ. Set the Port Mapping Type to Port, the Protocol...

Page 176: ...13.4 Set Up a WAN to DMZ Firewall Rule for SIP. The firewall blocks traffic from the WAN zone to the DMZ zone by default, so you need to create a firewall rule to allow the public to send SIP traffic to the IPPBX. If a domain name is registered for IP address 1.1.1.2, users can use it to connect to for making SIP calls ...

Page 177: ...IPPBX_DMZ is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule. Set the Access field to allow and click OK. Figure 141 Configuration > Firewall > Add. 7.13.5 Set Up a DMZ to LAN Firewall Rule for SIP. The firewall blocks traffic from the DMZ zone to the LAN zone by default, so you need to create a firewall rule to allow the IPPBX to send SIP traffic to the SIP clie...
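The NAT-before-firewall order that Sections 7.11, 7.12 and 7.13 all rely on (the firewall rule names the private address object LAN_H323, DMZ_HTTP or IPPBX_DMZ as its destination, never the public address), as an added Python model that is not ZyWALL code. Addresses, interfaces and ports are the tutorial's; treating SIP as UDP 5060, deriving the destination zone from the 192.168.1.0/24 and 192.168.3.0/24 subnets, and modelling the IPPBX's 1:1 NAT only in the inbound direction are assumptions of the model, and the sample packets are constructed.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str          # interface the packet arrived on
    src: str
    dst: str
    proto: str             # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class NatRule:
    """Inbound NAT entry: original (public) IP:port -> mapped (private) IP:port."""
    in_iface: str
    original_ip: str
    mapped_ip: str
    proto: str
    original_port: int
    mapped_port: int


@dataclass(frozen=True)
class FirewallRule:
    from_zone: str
    to_zone: str
    action: str                                  # "allow" or "deny"
    src: Optional[str] = None                    # host address object, None = any
    dst: Optional[str] = None
    service: Optional[Tuple[str, int]] = None    # (proto, port), None = any


ZONE_OF_IFACE = {"wan1": "WAN", "wan2": "WAN", "lan1": "LAN1", "dmz": "DMZ"}
# Assumption: the destination zone comes from the post-NAT address; anything outside
# these subnets (including the ZyWALL's own public addresses when no NAT entry
# matched) is treated as WAN here.
ZONE_OF_SUBNET = {ip_network("192.168.1.0/24"): "LAN1",
                  ip_network("192.168.3.0/24"): "DMZ"}


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    return next((z for net, z in ZONE_OF_SUBNET.items() if addr in net), "WAN")


def apply_nat(pkt: Packet, nat_rules) -> Packet:
    """First matching NAT entry rewrites the destination; no match leaves it alone."""
    for r in nat_rules:
        if (r.in_iface, r.original_ip, r.proto, r.original_port) == \
                (pkt.in_iface, pkt.dst, pkt.proto, pkt.dport):
            return replace(pkt, dst=r.mapped_ip, dport=r.mapped_port)
    return pkt


def firewall(pkt: Packet, rules, default: str = "deny") -> str:
    """First-match zone firewall; the zone pairs modelled here drop by default."""
    from_zone, to_zone = ZONE_OF_IFACE[pkt.in_iface], zone_of(pkt.dst)
    for r in rules:
        if (r.from_zone, r.to_zone) != (from_zone, to_zone):
            continue
        if r.src not in (None, pkt.src) or r.dst not in (None, pkt.dst):
            continue
        if r.service not in (None, (pkt.proto, pkt.dport)):
            continue
        return r.action
    return default


def process(pkt: Packet, nat_rules, fw_rules) -> Tuple[str, str]:
    """NAT runs first, so the firewall evaluates the mapped (private) destination."""
    translated = apply_nat(pkt, nat_rules)
    return firewall(translated, fw_rules), translated.dst


# Address objects and services from the tutorial (the SIP port is an assumption).
WAN_IP_for_H323, LAN_H323 = "10.0.0.8", "192.168.1.56"
Public_HTTP, DMZ_HTTP = "1.1.1.1", "192.168.3.7"
IPPBX_Public, IPPBX_DMZ = "1.1.1.2", "192.168.3.9"
H323, HTTP, SIP = ("tcp", 1720), ("tcp", 80), ("udp", 5060)

NAT_RULES = [
    NatRule("wan1", WAN_IP_for_H323, LAN_H323, "tcp", 1720, 1720),   # 7.11.2
    NatRule("wan2", Public_HTTP, DMZ_HTTP, "tcp", 80, 80),           # 7.12.2
    NatRule("wan1", IPPBX_Public, IPPBX_DMZ, "udp", 5060, 5060),     # 7.13.3
]

# Correct rules: the destination is the private address object.
FW_RULES = [
    FirewallRule("WAN", "LAN1", "allow", dst=LAN_H323, service=H323),    # 7.11.3
    FirewallRule("WAN", "DMZ", "allow", dst=DMZ_HTTP, service=HTTP),     # 7.12.3
    FirewallRule("WAN", "DMZ", "allow", dst=IPPBX_DMZ, service=SIP),     # 7.13.4
    FirewallRule("DMZ", "LAN1", "allow", src=IPPBX_DMZ, service=SIP),    # 7.13.5
]

# The mistake the tutorial warns against: the public address as the destination.
FW_RULES_WRONG = [FirewallRule("WAN", "LAN1", "allow", dst=WAN_IP_for_H323, service=H323)]


def demo():
    """Constructed sample packets; returns {name: (verdict, destination the firewall saw)}."""
    internet = "203.0.113.10"
    cases = {
        "h323_call": (Packet("wan1", internet, WAN_IP_for_H323, "tcp", 1720), FW_RULES),
        "h323_wrong_rule": (Packet("wan1", internet, WAN_IP_for_H323, "tcp", 1720), FW_RULES_WRONG),
        "web_hit": (Packet("wan2", internet, Public_HTTP, "tcp", 80), FW_RULES),
        "sip_from_wan": (Packet("wan1", internet, IPPBX_Public, "udp", 5060), FW_RULES),
        "sip_dmz_to_lan": (Packet("dmz", IPPBX_DMZ, "192.168.1.20", "udp", 5060), FW_RULES),
        "https_probe": (Packet("wan2", internet, Public_HTTP, "tcp", 443), FW_RULES),  # no NAT entry
    }
    return {name: process(pkt, NAT_RULES, rules) for name, (pkt, rules) in cases.items()}


if __name__ == "__main__":
    for name, (verdict, dst) in demo().items():
        print(f"{name:16} {verdict:5} (firewall saw dst {dst})")
```

The `h323_wrong_rule` case is the one to keep in mind: the NAT entry has already rewritten the destination to 192.168.1.56 by the time the firewall runs, so a rule that names 10.0.0.8 never matches and the call is dropped by the default WAN to LAN policy. The `https_probe` case shows the other half of the design: a port with no NAT entry keeps its public destination and falls through to the default deny.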

Page 178: ... Use Multiple Static Public WAN IP Addresses for LAN to WAN Traffic. If your ISP gave you a range of static public IP addresses, here is how to configure a policy route to have the ZyWALL use them for traffic it sends out from the LAN. 7.14.1 Create the Public IP Address Range Object. Click Configuration > Object > Address > Add to create the address object that represents the range of static public IP addr...

Page 179: ...s optional, it is recommended. This example uses LAN_to_WAN_Range. Specifying a Source Address is also optional, although recommended. This example uses LAN_SUBNET1. Set the Source Network Address Translation to Public_IPs and click OK. Figure 144 Configuring the Policy Route. 7.15 How to Use Active-Passive Device HA. Here is an example of using device HA (High Availability) to back up ZyWALL A (the master) wit...

Page 180: ... Backup Takes Over. Each ZyWALL's lan1 interface also has a separate management IP address that stays the same whether the ZyWALL functions as the master or a backup. ZyWALL A's management IP address is 192.168.1.3 and ZyWALL B's is 192.168.1.5. Figure 146 Device HA Management IP Addresses. 7.15.1 Before You Start. ZyWALL A should already be configured. You will use device HA to copy ZyWALL A's settings...

Page 181: ...er ZyWALL. 1 Log into ZyWALL A (the master) and click Configuration > Device HA > Active-Passive Mode. Double-click lan1's entry. 2 Configure 192.168.1.3 as the Management IP and 255.255.255.0 as the Manage IP Subnet Mask. Click OK. Figure 147 Configuration > Device HA > Active-Passive Mode > Edit (Master ZyWALL Example) ...

Page 182: ...et through the wan1 interface, so select the lan1 and wan1 interfaces and click Activate. Enter a Synchronization Password (mySyncPassword in this example) and click Apply. Figure 148 Configuration > Device HA > Active-Passive Mode (Master ZyWALL Example). 4 Click the General tab. Turn on device HA and click Apply. Figure 149 Configuration > Device HA > General (Master ZyWALL Example) ...

Page 183: ...it to the same subscription services (like content filtering and anti-virus) to which ZyWALL A is subscribed. See Chapter 11 on page 285 for more on the subscription services. 2 In ZyWALL B, click Configuration > Device HA > Active-Passive Mode. Click lan1's Edit icon. 3 Configure 192.168.1.5 as the Management IP and 255.255.255.0 as the Subnet Mask. Click OK. Figure 150 Configuration > Device HA > Active-Passive ...

Page 184: ...Synchronization Server Address to 192.168.1.1, the Port to 21 and the Password to mySyncPassword. Select Auto Synchronize and set the Interval to 60. Click Apply. Because the backup copies the master's whole configuration over this connection, use a strong synchronization password rather than the example value and keep the lan1 management addresses reachable only from the trusted LAN. Figure 151 Configuration > Device HA > Active-Passive Mode (Backup ZyWALL Example). 5 Click the General tab. Turn on device HA and click Apply. Figure 152 Configuration > Device HA > General (Master ZyWALL Example) ...

Page 185: ...yWALL B's management IP address (192.168.1.5) and check the configuration. You can use the Maintenance > File Manager > Configuration File screen to save copies of the ZyWALLs' configuration files so that you can compare them. 2 To test your device HA configuration, disconnect ZyWALL A's lan1 or wan1 interface. Computers on LAN1 should still be able to access the Internet. If they cannot, check your connections and de...


Page 187: ...and connects through the Internet. You configure an IP address pool object named L2TP_POOL to assign the remote users IP addresses from 192.168.10.10 to 192.168.10.20 for use in the L2TP VPN tunnel. The VPN rule allows the remote user to access the LAN_SUBNET, which covers the 192.168.1.x subnet. 8.2 Configuring the Default L2TP VPN Gateway Example. 1 Click Configuration > VPN > IPSec VPN > VPN Gatew...

Page 188: ...ame subnet as the specified My Address, click Configure > Network > Routing > Policy Route > Show Advanced Settings and select Use Policy Route to Override Direct Route. Select Pre-Shared Key and configure a password. This example uses top-secret. Click OK. Figure 154 Configuration > VPN > IPSec VPN > VPN Gateway > Edit. 2 Select the Default_L2TP_VPN_GW entry, click Activate, and then click Apply to turn on the entry. Figu...

Page 189: ...Show Advanced Settings button. Configure and enforce the local and remote policies. Create an address object that uses host type and contains the My Address IP address that you configured in the Default_L2TP_VPN_GW. The address object in this example uses the wan1 interface's IP address 172.16.1.2 and is named L2TP_IFACE. Set the Application Scenario to Remote Access (Server Role). Set the Local Policy t...

Page 190: ... 1 Click Configuration > VPN > L2TP VPN and configure the following. Configure an IP address pool for the range of 192.168.10.10 to 192.168.10.20. It is called L2TP_POOL here. Enable the connection. Set the VPN Connection to the Default_L2TP_VPN_Connection. Set the IP Address Pool to L2TP_POOL. This example uses the default authentication method, the ZyWALL's local user database. Select a user or group of us...

Page 191: ...these sections go along with the L2TP VPN configuration example in Section 8.1 on page 187. Before you configure the client, issue one of the following commands from the Windows command prompt to make sure the computer is running the Microsoft IPSec service. Make sure you include the quotes. For Windows XP, use net start "ipsec services". For Windows 2000, use net start "ipsec policy agent". 8.5.1 Configuring...

Page 192: ... 2 Select Connect to a workplace and click Next. Figure 159 Set up a connection or network: Choose a connection type. 3 Select Use my Internet connection (VPN). Figure 160 Connect to a workplace: How do you want to connect ...

Page 193: ...L2TP VPN (172.16.1.2 in this example). For the Destination Name, enter L2TP to ZyWALL. Select Don't connect now; just set it up so I can connect later and click Next. Figure 161 Connect to a workplace: Type the Internet address to connect to. 5 Enter the user name and password of a user account that can use the L2TP VPN connection and click Next. Figure 162 Connect to a workplace: Type your user name and pas...

Page 194: ... 6 Click Close. Figure 163 Connect to a workplace: The connection is ready to use. 7 In the Network and Sharing Center screen, click Connect to a network. Right-click the L2TP VPN connection and select Properties. Figure 164 Connect L2TP to ZyWALL ...

Page 195: ...ata encryption to Optional encryption (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK. Figure 166 Connect ZyWALL L2TP: Security Advanced. 10 Click Yes. When you use L2TP VPN to connect to the ZyWALL, the ZyWALL establishes an encrypted IPSec VPN tunnel first and then builds an L2TP tunnel. PAP carries the user's password in the clear inside the PPP session, and the Optional encryption setting only governs PPP-level encryption; both are acceptable here only because the whole L2TP session runs inside that IPSec tunnel ...

Page 196: ...king. Set the Type of VPN to L2TP IPSec VPN and click IPSec Settings. Figure 168 L2TP to ZyWALL Properties: Networking. 12 Select Use preshared key for authentication and enter the pre-shared key of the VPN gateway configuration that the ZyWALL is using for L2TP VPN (top-secret in this example). Click OK to close the IPSec Settings window and then click OK again to close the Properties window. Figure 169 ...

Page 197: ... 13 Select the L2TP VPN connection and click Connect. Figure 170 L2TP to ZyWALL Properties: Networking. 14 Enter the user name and password of your ZyWALL user account. Click Connect. Figure 171 Connect L2TP to ZyWALL ...

Page 198: ...d password are verified, and notifies you when the connection is established. Figure 172 Connecting to L2TP to ZyWALL. 16 If a window appears asking you to select a location for the network, you can select Work if you want your computer to be discoverable by computers behind the ZyWALL. Figure 173 Set Network Location ...

Page 199: ... After the network location has been set, click Close. Figure 174 Set Network Location: Successful. 18 After the connection is up, a connection icon displays in your system tray. Click it and then the L2TP connection to open a status screen. Figure 175 Connection System Tray Icon ...

Page 200: ...open a status screen. Figure 176 Network and Sharing Center. 20 Click Details to see that the address you received is from the L2TP range you specified on the ZyWALL (192.168.10.10 to 192.168.10.20). Figure 177 ZyWALL L2TP Status Details. 21 Access a server or other network resource behind the ZyWALL to make sure your access works ...

Page 201: ...L2TP VPN connection. 1 Click Start > Control Panel > Network Connections > New Connection Wizard. 2 Click Next in the Welcome screen. 3 Select Connect to the network at my workplace and click Next. Figure 178 New Connection Wizard: Network Connection Type. 4 Select Virtual Private Network connection and click Next. Figure 179 New Connection Wizard: Network Connection ...

Page 202: ... 5 Type L2TP to ZyWALL as the Company Name. Figure 180 New Connection Wizard: Connection Name. 6 Select Do not dial the initial connection and click Next. Figure 181 New Connection Wizard: Public Network ...

Page 203: ...s configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN (172.16.1.2 in this example). Figure 182 New Connection Wizard: VPN Server Selection. 8 Click Finish. 9 The Connect L2TP to ZyWALL screen appears. Click Properties > Security. Figure 183 Connect L2TP to ZyWALL (172.16.1.2) ...

Page 204: ...stom settings and click Settings. Figure 184 Connect L2TP to ZyWALL: Security. 11 Select Optional encryption (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK. Figure 185 Connect ZyWALL L2TP: Security Advanced ...

Page 205: ...ttings. Figure 186 L2TP to ZyWALL Properties: Security. 13 Select the Use pre-shared key for authentication check box and enter the pre-shared key used in the VPN gateway configuration that the ZyWALL is using for L2TP VPN. Click OK. Figure 187 L2TP to ZyWALL Properties: Security > IPSec Settings ...

Page 206: ...e 188 L2TP to ZyWALL Properties: Networking. 15 Enter the user name and password of your ZyWALL account. Click Connect. Figure 189 Connect L2TP to ZyWALL. 16 A window appears while the user name and password are verified. 17 A ZyWALL L2TP icon displays in your system tray. Double-click it to open a status screen. Figure 190 ZyWALL L2TP System Tray Icon ...

Page 207: ...ows 2000. Windows 2000 does not support using pre-shared keys by default. Use the following procedures to edit the registry and then configure the computer to use the L2TP client. 8.5.3.1 Editing the Windows 2000 Registry. In Windows 2000 you need to create a registry entry and restart the computer to have it use pre-shared keys. 1 Click Start > Run. Type regedit and click OK. Figure 192 Starting the Regis...

Page 208: ...ntControlSet\Services\RasMan\Parameters. Figure 193 Registry Key. 4 Right-click Parameters and select New > DWORD Value. Figure 194 New DWORD Value. 5 Enter ProhibitIpSec as the name and make sure the Data displays as 0s. Figure 195 ProhibitIpSec DWORD Value. 6 Restart the computer and continue with the next section ...

Page 209: ...dows 2000 IPSec Policy. After you have created the registry entry and restarted the computer, use these directions to configure an IPSec policy for the computer to use. 1 Click Start > Run. Type mmc and click OK. Figure 196 Run mmc. 2 Click Console > Add/Remove Snap-in. Figure 197 Console > Add/Remove Snap-in ...

Page 210: ...lick Add > IP Security Policy Management > Add > Finish. Click Close > OK. Figure 198 Add IP Security Policy Management: Finish. 4 Right-click IP Security Policies on Local Machine and click Create IP Security Policy. Click Next in the welcome screen. Figure 199 Create IP Security Policy ...

Page 211: ... 5 Name the IP security policy L2TP to ZyWALL and click Next. Figure 200 IP Security Policy Name. 6 Clear the Activate the default response rule check box and click Next. Figure 201 IP Security Policy: Request for Secure Communication ...

Page 212: ... 7 Leave the Edit Properties check box selected and click Finish. Figure 202 IP Security Policy: Completing the IP Security Policy Wizard. 8 In the properties dialog box, click Add > Next. Figure 203 IP Security Policy Properties: Add ...

Page 213: ... 9 Select This rule does not specify a tunnel and click Next. Figure 204 IP Security Policy Properties: Tunnel Endpoint. 10 Select All network connections and click Next. Figure 205 IP Security Policy Properties: Network Type ...

Page 214: ... 11 Select Use this string to protect the key exchange (preshared key), type the password in the text box and click Next. Figure 206 IP Security Policy Properties: Authentication Method. 12 Click Add. Figure 207 IP Security Policy Properties: IP Filter List ...

Page 215: ...wing in the Addressing tab. Select My IP Address in the Source address drop-down list box. Select A specific IP Address in the Destination address drop-down list box and type the ZyWALL's WAN IP address (172.16.1.2 in this example) in the IP Address field. Make certain the Mirrored. Also match packets with the exact opposite source and destination addresses check box is selected and click Apply. Figure 2...

Page 216: ...he following in the Filter Properties window's Protocol tab. Set the protocol type to UDP, from port 1701. Select To any port. Click Apply, OK and then Close. Figure 210 Filter Properties: Protocol. 16 Select ZyWALL WAN_IP and click Next. Figure 211 IP Security Policy Properties: IP Filter List ...

Page 217: ...sh and Close. Figure 212 IP Security Policy Properties: IP Filter List. 18 In the Console window, right-click L2TP to ZyWALL and select Assign. Figure 213 Console: L2TP to ZyWALL > Assign. 8.5.3.3 Configure the Windows 2000 Network Connection. After you have configured the IPSec policy, use these directions to create a network connection ...

Page 218: ...Figure 214 Start New Connection Wizard. 2 Select Connect to a private network through the Internet and click Next. Figure 215 New Connection Wizard: Network Connection Type. 3 Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN. Click Next. Figure 216 New Connection Wizard: Destination Address (172.16.1.2) ...

Page 219: ... 4 Select For all users and click Next. Figure 217 New Connection Wizard: Connection Availability. 5 Name the connection L2TP to ZyWALL and click Finish. Figure 218 New Connection Wizard: Naming the Connection. 6 Click Properties. Figure 219 Connect L2TP to ZyWALL ...

Page 220: ...click Settings. Figure 220 Connect L2TP to ZyWALL: Security. 8 Select Optional encryption allowed (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK. Click Yes if a screen pops up. Figure 221 Connect L2TP to ZyWALL: Security Advanced ...

Page 221: ...x. Click OK. Figure 222 Connect L2TP to ZyWALL: Networking. 10 Enter your user name and password and click Connect. It may take up to one minute to establish the connection and register on the network. Figure 223 Connect L2TP to ZyWALL. 11 A ZyWALL L2TP icon displays in your system tray. Double-click it to open a status screen. Figure 224 ZyWALL L2TP System Tray Icon ...

Page 222: ...ck Details and scroll down to see that the address you received is from the L2TP range you specified on the ZyWALL (192.168.10.10 to 192.168.10.20). Figure 225 L2TP to ZyWALL Status Details. 13 Access a server or other network resource behind the ZyWALL to make sure your access works ...


Page 225: ...PART II Technical Reference ...

Page 227: ... information. Use the VPN status screen (see Section 9.2.1 on page 234) to look at the VPN tunnels that are currently established. Use the DHCP Table screen (see Section 9.2.5 on page 237) to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses. Use the Current Users screen (see Section 9.2.6 on page 238) to look at a list of the users current...

Page 228: ...apse a widget. Refresh Time Setting (C): Set the interval for refreshing the information displayed in the widget. Refresh Now (D): Click this to update the widget's information immediately. Close this Module (E): Click this to close the widget. Use Widget Setting to re-open it. Virtual Device: Rear Panel: Click this to view details about the ZyWALL's rear panel. Hover your cursor over a connected interface or slot...

Page 229: ...interface is disabled. Connected: The auxiliary interface is enabled and connected. Disconnected: The auxiliary interface is not connected. HA Status: This field displays the status of the interface in the virtual router. Active: This interface is the master interface in the virtual router. Stand By: This interface is a backup interface in the virtual router. Fault: This VRRP group is not functioning in the v...

Page 230: ...entage of the ZyWALL's RAM is currently being used. Hover your cursor over this field to display the Show Memory Usage icon that takes you to a chart of the ZyWALL's recent memory usage. Flash Usage: This field displays what percentage of the ZyWALL's onboard flash memory is currently being used. USB Storage Usage: This field displays what percentage of the USB storage device's capacity is currently be...

Page 231: ...d. If the PPP interface is disabled, it does not appear in the list. For WLAN interfaces: Up: The WLAN interface is enabled. Down: The WLAN interface is disabled. HA Status: This field displays the status of the interface in the virtual router. Active: This interface is the master interface in the virtual router. Stand By: This interface is a backup interface in the virtual router. Fault: This VRRP group is not ...

Page 232: ...pear. Ready: A USB storage device connected to the ZyWALL is ready for the ZyWALL to use. Unused: The ZyWALL is unable to mount a USB storage device connected to the ZyWALL. System Status: System Uptime: This field displays how long the ZyWALL has been running since it last restarted or was turned on. Current Date/Time: This field displays the current date and time in the ZyWALL. The format is yyyy-mm-dd hh...

Page 233: ...l applying the system configuration. Licensed Service Status: This shows how many licensed services there are. Status: This is the current status of the license. Name: This identifies the licensed service. Version: This is the version number of the anti-virus or IDP signatures (anti-virus and IDP only). Expiration: If the service license is valid, this shows when it will expire. N/A displays if the service license d...

Page 234: ...ies by Signature Name: It shows the categories of intrusions. See Table 165 on page 616 for more information. Severity: This is the level of threat that the intrusions may pose. Occurrence: This is how many times the ZyWALL has detected the event described in the entry. Table 23 Dashboard (continued) LABEL DESCRIPTION. Table 24 Dashboard CPU Usage LABEL DESCRIPTION: The y-axis represents the percentage of CP...

Page 235: ...dashboard. Figure 228 Dashboard Memory Usage. The following table describes the labels in this screen. Table 25 Dashboard Memory Usage LABEL DESCRIPTION: The y-axis represents the percentage of RAM usage. The x-axis shows the time period over which the RAM usage occurred. Refresh Interval: Enter how often you want this window to be automatically updated. Refresh: Click this to update the information in the...

Page 236: ...ashboard. Figure 229 Dashboard Session Usage. The following table describes the labels in this screen. Table 26 Dashboard Session Usage LABEL DESCRIPTION. Sessions: The y-axis represents the number of sessions. The x-axis shows the time period over which the session usage occurred. Refresh Interval: Enter how often you want this window to be automatically updated. Refresh: Click this to update the informatio...

Page 237: ...resses reserved for specific MAC addresses. To access this screen, click the icon beside DHCP Table in the dashboard. Figure 231 Dashboard DHCP Table. Table 27 Dashboard VPN Status LABEL DESCRIPTION. This field is a sequential value, and it is not associated with a specific SA. Name: This field displays the name of the IPSec SA. Encapsulation: This field displays how the IPSec SA is encapsulated. Algorithm: T...

Page 238: ...e the sort order. Host Name: This field displays the name used to identify this device on the network (the computer name). The ZyWALL learns these from the DHCP client requests. None shows here for a static DHCP entry. MAC Address: This field displays the MAC address to which the IP address is currently assigned or for which the IP address is reserved. Click the column's heading cell to sort the table entr...

Page 239: ...This field displays the user name of each user who is currently logged in to the ZyWALL. Reauth/Lease T.: This field displays the amount of reauthentication time remaining and the amount of lease time remaining for each user. See Chapter 40 on page 735. Type: This field displays the way the user logged in to the ZyWALL. IP address: This field displays the IP address of the computer used to log in to the Z...


Page 241: ... on page 251) to view sessions by user or service. Use the System Status > DDNS Status screen (see Section 10.6 on page 254) to view the status of the ZyWALL's DDNS domain names. The System Status > IP/MAC Binding screen (Section 10.7 on page 254) lists the devices that have received an IP address from ZyWALL interfaces with IP/MAC binding enabled. Use the System Status > Login Users screen (Section 10.8 on page...

Page 242: ...nti-X Statistics > Content Filter screen (Section 10.18 on page 274) to start or stop data collection and view content filter statistics. Use the Anti-X Statistics > Content Filter Cache screen (Section 10.19 on page 275) to view and configure your ZyWALL's URL caching. Use the Anti-X Statistics > Anti-Spam screen (Section 10.20 on page 278) to start or stop data collection and view spam statistics. Use the Anti...

Page 243: ... port is not connected. Speed/Duplex: The physical port is connected. This field displays the port speed and duplex setting (Full or Half). TxPkts: This field displays the number of packets transmitted from the ZyWALL on the physical port since it was last connected. RxPkts: This field displays the number of packets received by the ZyWALL on the physical port since it was last connected. Collisions: This fie...

Page 244: ...SCRIPTION. Refresh Interval: Enter how often you want this window to be automatically updated. Refresh Now: Click this to update the information in the window right away. Port Selection: Select the number of the physical port for which you want to display graphics. Switch to Grid View: Click this to display the port statistics as a table. bps: The y-axis represents the speed of transmission or reception. tim...

Page 245: ...em Status > Interface Status to access this screen. Figure 235 Monitor > System Status > Interface Status. Last Update: This field displays the date and time the information in the window was last updated. System Up Time: This field displays how long the ZyWALL has been running since it last restarted or was turned on. Table 31 Monitor > System Status > Port Statistics > Switch to Graphic View LABEL DESCRIPTION ...

Page 246: ...led. Down: The Ethernet interface does not have any physical ports associated with it, or the Ethernet interface is enabled but not connected. Speed/Duplex: The Ethernet interface is enabled and connected. This field displays the port speed and duplex setting (Full or Half). For cellular (3G) interfaces, see Section 10.11 on page 260 for the status values that can appear. For the auxiliary interface: Inactive: The auxi...

Page 247: ...rface. Services: This field lists which services the interface provides to the network. Examples include DHCP relay, DHCP server, DDNS, RIP, and OSPF. This field displays n/a if the interface does not provide any services to the network. Action: Use this field to get or to update the IP address for the interface. Click Renew to send a new DHCP request to a DHCP server. Click Connect to try to connect the auxi...

Page 248: ...r more information. Most used protocols or service ports and the amount of traffic on each one. LAN IP with heaviest traffic and how much traffic has been sent to and from each one. RxPkts: This field displays the number of packets received by the ZyWALL on the interface since it was last connected. Tx B/s: This field displays the transmission speed in bytes per second on the interface in the one-second...

Page 249: ...g table describes the labels in this screen. Table 33 Monitor > System Status > Traffic Statistics LABEL DESCRIPTION. Data Collection: Collect Statistics: Select this to have the ZyWALL collect data for the report. If the ZyWALL has already been collecting data, the collection period displays to the right. The progress is not tracked here in real time, but you can click the Refresh button to update it. Apply: Clic...

Page 250: ...ng traffic. Ingress traffic is coming from the IP address or user to the ZyWALL. Egress traffic is going from the ZyWALL to the IP address or user. Amount: This field displays how much traffic was sent or received from the indicated IP address or user. If the Direction is Ingress, a red bar is displayed; if the Direction is Egress, a blue bar is displayed. The unit of measure is bytes, Kbytes, Mbytes or Gbyt...

Page 251: ...rt. The count starts over at zero if the number of bytes passes the byte count limit. See Table 34 on page 251. These fields are available when the Traffic Type is Web Site Hits. This field is the rank of each record. The domain names are sorted by the number of hits. Web Site: This field displays the domain names most often visited. The ZyWALL counts each page viewed on a Web site as another hit. The maxi...

Page 252: ...formation to be displayed Choices are sessions by users display all active sessions grouped by user sessions by services display all active sessions grouped by service or protocol sessions by source IP display all active sessions grouped by source IP address sessions by destination IP display all active sessions grouped by destination IP address all sessions filter the active sessions by the User ...

Page 253: ... Active Sessions This is the total number of active sessions that matched the search criteria Show Select the number of active sessions displayed on each page You can use the arrow keys on the right to change pages User This field displays the user in each active session If you are looking at the sessions by users or all sessions report click or to display or hide details about a user s sessions S...

Page 254: ...ed a Table 36 Monitor System Status DDNS Status LABEL DESCRIPTION Update Click this to have the ZyWALL update the profile to the DDNS server The ZyWALL attempts to resolve the IP address for the domain name Profile Name This field displays the descriptive profile name for this entry Domain Name This field displays each domain name the ZyWALL can route Effective IP This is the resolved IP address o...

Page 255: ... enabled to show to which devices it has assigned an IP address This is the index number of an IP MAC binding entry IP Address This is the IP address that the ZyWALL assigned to a device Host Name This field displays the name used to identify this device on the network the computer name The ZyWALL learns these from the DHCP client requests MAC Address This field displays the MAC address to which t...

Page 256: ... 11b g card installed in the ZyWALL Table 38 Monitor System Status Login Users LABEL DESCRIPTION This field is a sequential value and is not associated with any entry User ID This field displays the user name of each user who is currently logged in to the ZyWALL Reauth Lease T This field displays the amount of reauthentication time remaining and the amount of lease time remaining for each user See...

Page 257: ... XX format of a connected wireless station Strength This displays the strength of the wireless client s radio signal The signal strength mainly depends on the antenna output power and the wireless client s distance from the ZyWALL Connect Rate This displays what data transfer rate of the wireless client s connection to the ZyWALL This field displays up to the standard IEEE 802 11g connection rate ...

Page 258: ...atus Cellular Status The following table describes the labels in this screen Table 40 Monitor System Status Cellular Status LABEL DESCRIPTION Refresh Click this button to update the information in the screen This field is a sequential value and it is not associated with any interface Extension Slot This field displays where the entry s cellular card is located Connected Device This field displays ...

Page 259: ...device is searching for a network. Get signal fail: The 3G device cannot get a signal from a network. Network found: The 3G device found a network. Apply config: The ZyWALL is applying your configuration to the 3G device. Inactive: The 3G interface is disabled. Active: The 3G interface is enabled. Incorrect device: The connected 3G device is not compatible with the ZyWALL. Correct device: The ZyWALL detected a ...

Page 260: ... between your ZyWALL and the service provider's base station. More Info: This field displays other details about the 3G connection. Table 40 Monitor > System Status > Cellular Status (continued). LABEL / DESCRIPTION. Table 41 Monitor > System Status > USB Storage. LABEL / DESCRIPTION. Device description: This is a basic description of the type of USB device. Usage: This field displays how much of the USB storage device's...

Page 261: ...connected USB storage device was manually unmounted by using the Remove Now button, or for some reason the ZyWALL cannot mount it. Click Use It to have the ZyWALL mount a connected USB storage device. none: no USB storage device is connected. Detail: This field displays any other information the ZyWALL retrieves from the USB storage device. Deactivated: the use of a USB storage device is disabled (turned o...

Page 262: ...idth usage. This is the protocol's traffic that the ZyWALL sends to the initiator of the connection. A dotted line represents a protocol's outgoing bandwidth usage. This is the protocol's traffic that the ZyWALL sends out from the initiator of the connection. Different colors represent different protocols. Table 42 Monitor > AppPatrol Statistics > General Settings. LABEL / DESCRIPTION. Refresh Interval: Select ...

Page 263: ...f the application's traffic the ZyWALL has sent, in kilobytes. Dropped Data (KB): This is how much of the application's traffic the ZyWALL has discarded without notifying the client, in kilobytes. This traffic was dropped because it matched an application policy set to drop. Rejected Data (KB): This is how much of the application's traffic the ZyWALL has discarded and notified the client that the traffic was...

Page 264: ... inbound traffic. Outbound Kbps: This is the outgoing bandwidth usage for traffic that matched this protocol rule, in kilobits per second. This is the protocol's traffic that the ZyWALL sends out from the initiator of the connection. So for a connection initiated from the LAN to the WAN, the traffic sent from the LAN to the WAN is the outbound traffic. Forwarded Data (KB): This is how much of the applicatio...

Page 265: ...connection initiated from the LAN to the WAN, the traffic sent from the WAN to the LAN is the inbound traffic. Outbound Kbps: This is the outgoing bandwidth usage for traffic that matched this protocol rule, in kilobits per second. This is the protocol's traffic that the ZyWALL sends out from the initiator of the connection. So for a connection initiated from the LAN to the WAN, the traffic sent from the...

Page 266: ...te policies for an IPSec SA and click Search to find it. You can use a keyword or regular expression. Use up to 30 alphanumeric and _ characters. See Section 10.13.1 on page 267 for more details. Search: Click this button to search for an IPSec SA that matches the information you specified above. Disconnect: Select an IPSec SA and click this button to disconnect it. Total Connection: This field displays th...

Page 267: ...e whole VPN connection or policy name has to match if you do not use a question mark or asterisk. Encapsulation: This field displays how the IPSec SA is encapsulated. Policy: This field displays the content of the local and remote policies for this IPSec SA. The IP addresses, not the address objects, are displayed. Algorithm: This field displays the encryption and authentication algorithms used in the SA. U...

Page 268: ...or SSL. LABEL / DESCRIPTION. Disconnect: Select a connection and click this button to terminate the user's connection and delete the corresponding session information from the ZyWALL. This field displays the index number. User: This field displays the account user name used to establish this SSL VPN connection. Access: This field displays the name of the SSL VPN application the user is accessing. Login Address: T...

Page 269: ...VPN Monitor > L2TP over IPSec. LABEL / DESCRIPTION. Disconnect: Select a connection and click this button to disconnect it. This is the index number of a current L2TP VPN session. User Name: This field displays the remote user's user name. Hostname: This field displays the name of the computer that has this L2TP VPN connection with the ZyWALL. Assigned IP: This field displays the IP address that the ZyWALL assi...

Page 270: ...istics in this screen are for the time period starting at the time displayed here. The format is year, month, day and hour, minute, second. All of the statistics are erased if you restart the ZyWALL or click Flush Data. Collecting starts over and a new collection start time displays. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to return the screen to its last saved settings...

Page 271: ...ected the most virus-infected files. Select Destination IP to list the most common destination IP addresses for virus-infected files that the ZyWALL has detected. This field displays the entry's rank in the list of the top entries. Virus name: This column displays when you display the entries by Virus Name. This displays the name of a detected virus. Source IP: This column displays when you display the entri...

Page 272: ...r, minute, second. All of the statistics are erased if you restart the ZyWALL or click Flush Data. Collecting starts over and a new collection start time displays. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to return the screen to its last saved settings. Refresh: Click this button to update the report display. Flush Data: Click this button to discard all of the screen's st...

Page 273: ...f the top entries. Signature Name: This column displays when you display the entries by Signature Name. The signature name identifies a specific intrusion pattern. Click the hyperlink for more detailed information on the intrusion. Type: This column displays when you display the entries by Signature Name. It shows the categories of intrusions. See Table 165 on page 616 for more information. Severity: This c...

Page 274: ...time displays after you click Apply. All of the statistics in this screen are for the time period starting at the time displayed here. The format is year, month, day and hour, minute, second. All of the statistics are erased if you restart the ZyWALL or click Flush Data. Collecting starts over and a new collection start time displays. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Re...

Page 275: ...nfiguration. Restricted Web Features: This is the number of web pages to which the ZyWALL did not allow access due to the content filtering custom service's restricted web features configuration. Forbidden Web Sites: This is the number of web pages to which the ZyWALL did not allow access because they matched the content filtering custom service's forbidden web sites list. URL Keywords: This is the numb...

Page 276: ...ntries by that column's criteria. Click the heading cell again to reverse the sort order. Figure 258 Anti-X > Content Filter > Cache. The following table describes the labels in this screen. Table 51 Anti-X > Content Filter > Cache. LABEL / DESCRIPTION. URL Cache Entry. Refresh: Click this button to reload the list of content filter cache entries. Flush: Click this button to clear all web site addresses from the cach...

Page 277: ... minutes left before the URL entry is discarded from the cache. URL Cache Setup. Maximum TTL: Type the maximum time to live (TTL), 1 to 720 hours. This sets how long the ZyWALL is to keep an entry in the URL cache before discarding it. The external content filtering database frequently adds previously uncategorized web sites and sometimes changes a web site's category. Setting this limit higher will speed...

Page 278: ... in this screen are for the time period starting at the time displayed here. The format is year, month, day and hour, minute, second. All of the statistics are erased if you restart the ZyWALL or click Flush Data. Collecting starts over and a new collection start time displays. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to return the screen to its last saved settings. Refre...

Page 279: ...this threshold. Mail Sessions Dropped: This is how many e-mail sessions the ZyWALL dropped because they exceeded the maximum number of e-mail sessions that the anti-spam feature can check at a time. You can see the ZyWALL's threshold of concurrent e-mail sessions in the Anti-Spam Status screen. Use the Anti-Spam General screen to set whether the ZyWALL forwards or drops sessions that exceed this thres...

Page 280: ...used. The lighter shaded part of the bar and the pop-up show the historical high. The first number to the right of the bar is how many e-mail sessions the ZyWALL is presently checking for spam. The second number is the maximum number of e-mail sessions that the ZyWALL can check at once. An e-mail session is when an e-mail client and e-mail server (or two e-mail servers) connect through the ZyWALL. DNSBL ...

Page 281: ...o access this screen, click Monitor > Log. The log is displayed in the following screen. Note: When a log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first. For individual log descriptions, see Appendix A on page 955. For the maximum number of log messages in the ZyWALL, see Chapter 57 on page 943. Eve...

Page 282: ...urce Interface: This displays when you show the filter. Select the source interface of the packet that generated the log message. Destination Interface: This displays when you show the filter. Select the destination interface of the packet that generated the log message. Service: This displays when you show the filter. Select the service whose log messages you would like to see. The Web Configurator uses t...

Page 283: ...field displays the reason the log message was generated. The text "count x", where x is a number, appears at the end of the Message field if log consolidation is turned on (see Log Consolidation in Table 257 on page 887) and multiple entries were aggregated to generate this one. Source: This field displays the source IP address and the port number in the event that generated the log message. Destinatio...

Page 284: ...Chapter 10 Monitor. ZyWALL USG 100/200 Series User's Guide, 284 ...

Page 285: ...yZyXEL.com. myZyXEL.com is ZyXEL's online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL. To update signature files or use a subscription service, you have to register the ZyWALL and activate the corresponding service at myZyXEL.com (through the ZyWALL). Note: You need to create a myZyXEL.com account before you can register your device and act...

Page 286: ...riod, not a separate trial period for each anti-virus engine. After the trial expires, you need to purchase an iCard for the anti-virus engine you want to use and enter the PIN number (license key) in the Registration > Service screen. You must use the ZyXEL anti-virus iCard for the ZyXEL anti-virus engine and the Kaspersky anti-virus iCard for the Kaspersky anti-virus engine. If you were already using an ...

Page 287: ...d fields are available. new myZyXEL.com account: If you haven't created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your ZyWALL. existing myZyXEL.com account: If you already have an account at myZyXEL.com, select this option and enter your user name and password in the fields below to register your ZyWALL. UserName: Enter a user name f...

Page 288: ...engine from the update server (http://myupdate.zywall.zyxel.com). IDP/AppPatrol Signature Service: The IDP and application patrol features use the IDP/AppPatrol signature files on the ZyWALL. IDP detects malicious or suspicious packets and responds immediately. Application patrol conveniently manages the use of various applications on the network. After the service is activated, the ZyWALL can download the ...

Page 289: ...een to update your service subscription status. Figure 263 Configuration > Licensing > Registration > Registered Device. 11.3 The Service Screen. Use this screen to display the status of your service registrations and upgrade licenses. To activate or extend a standard service subscription, purchase an iCard and enter the iCard's PIN number (license key) in this screen. Click Configuration > Licensing > Registration...

Page 290: ... an anti-virus service subscription, this field also displays the type of anti-virus engine. Expiration date: This field displays the date your service expires. You can continue to use IDP/AppPatrol or Anti-Virus after the registration expires; you just won't receive updated signatures. Count: This field displays how many VPN tunnels you can use with your current license. This field does not apply to the ...

Page 291: ...r 34 on page 605 for details on IDP. See Chapter 32 on page 563 for details on application patrol. Use the Configuration > Licensing > Update > System Protect screen (Section 12.4 on page 295) to update the system protection signatures. 12.1.2 What you Need to Know. You need a valid service registration to update the anti-virus signatures and the IDP/AppPatrol signatures. You do not need a service registration...

Page 292: ...are version 2.11, and updating the anti-virus signatures automatically upgrades the ZyXEL anti-virus engine to v2.0. v2.0 has more virus signatures and offers improved non-executable file scan throughput. Current Version: This field displays the anti-virus signatures version number currently used by the ZyWALL. This number is defined by the ZyXEL Security Response Team (ZSRT), who maintain and update them...

Page 293: ...ures are found, they are then downloaded to the ZyWALL. Update Now: Click this button to have the ZyWALL check for new signatures immediately. If there are new ones, the ZyWALL will then download them. Auto Update: Select this check box to have the ZyWALL automatically check for new signatures regularly at the time and day specified. You should select a time when your network is not busy for minimal inter...

Page 294: ...the number of IDP signatures in this set. This number usually gets larger as the set is enhanced. Older signatures and rules may be removed if they are no longer applicable or have been supplanted by newer ones. Released Date: This field displays the date and time the set was released. Signature Update: Use these fields to have the ZyWALL check for new IDP signatures at myZyXEL.com. If new signatures are...

Page 295: ...The system protection feature is enabled by default and can only be disabled via the commands. You do not need an IDP subscription to use the system protection feature or to download updated system protection signatures. Figure 267 Configuration > Licensing > Update > System Protect. Daily: Select this option to have the ZyWALL check for new IDP signatures every day at the specified time. The time format is t...

Page 296: ...e: Use these fields to have the ZyWALL check for new signatures at myZyXEL.com. If new signatures are found, they are then downloaded to the ZyWALL. Update Now: Click this button to have the ZyWALL check for new signatures immediately. If there are new ones, the ZyWALL will then download them. Auto Update: Select this check box to have the ZyWALL automatically check for new signatures regularly at the time...

Page 297: ...onfigure the Ethernet interfaces. Ethernet interfaces are the foundation for defining other interfaces and network policies. RIP and OSPF are also configured in these interfaces. Use the PPP screens (Section 13.4 on page 313) for PPPoE or PPTP Internet connections. Use the Cellular screens (Section 13.5 on page 320) to configure settings for interfaces for Internet connections through an installed 3G card...

Page 298: ...s to the same port role forms a port group. Port groups create a hardware connection between physical ports at the layer-2 (data link, MAC address) level. Ethernet interfaces are the foundation for defining other interfaces and network policies. RIP and OSPF are also configured in these interfaces. VLAN interfaces receive and send tagged frames. The ZyWALL automatically adds or removes the tags as needed. ...

Page 299: ... example, Ethernet interface names are wan1, wan2, opt, lan1, lan2, ext-wlan, dmz. VLAN interfaces are vlan0, vlan1, vlan2, and so on. The names of virtual interfaces are derived from the interfaces on which they are created. For example, virtual interfaces created on Ethernet interface wan1 are called wan1:1, wan1:2, and so on. Virtual interfaces created on VLAN interface vlan2 are called vlan2:1, vlan2:2, and so o...

Page 300: ...e Section 6.2 on page 94 for details on the differences between physical ports, interfaces, and zones in the ZyWALL. See Section 6.5.4 on page 104 for related information about the Interface screens. See Section 13.12 on page 367 for background information on interfaces. Table 60 Relationships Between Different Types of Interfaces. INTERFACE / REQUIRED PORT / INTERFACE. auxiliary interface: auxiliary port. port gr...

Page 301: ...n to set the ZyWALL's flexible ports as part of the lan1, lan2, ext-wlan or dmz interfaces. This creates a hardware connection between the physical ports at the layer-2 (data link, MAC address) level. This provides wire-speed throughput but no security. Note the following if you are configuring from a computer connected to a lan1, lan2, ext-wlan or dmz port and change the port's role: 1. A port's IP address va...

Page 302: ...s exchanged, the more efficient the routers should be. However, the routers also generate more network traffic, and some routing protocols require a significant amount of configuration and management. The ZyWALL supports two routing protocols, RIP and OSPF. See Table 61 Configuration > Network > Interface > Port Role. LABEL / DESCRIPTION. LAN1/WLAN/DMZ (PX P7): These are physical Ethernet ports. lan1 (LAN1), lan2 (LAN2), ex...

Page 303: ...Chapter 16 on page 399 for background information about these routing protocols. Figure 269 Configuration > Network > Interface > Ethernet ...

Page 304: ...try's settings. Remove: To remove a virtual interface, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Activate: To turn on an interface, select it and click Activate. Inactivate: To turn off an interface, select it and click Inactivate. Create Virtual Interface: To open the screen where you can create a virtual Ethernet interface, select an Ethernet interface and click C...

Page 305: ...ts RIP-1, RIP-2 and both versions. Select the broadcasting method used by RIP-2 packets. The ZyWALL can use subnet broadcasting or multicasting. With OSPF, you can use Ethernet interfaces to do the following things: Enable and disable OSPF in the underlying physical port or port group. Select the area to which the interface belongs. Override the default link cost and authentication method for the selected...

Page 306: ...Figure 270 Configuration > Network > Interface > Ethernet > Edit (OPT) ...

Page 307: ...ng to an external network like the Internet. The ZyWALL automatically adds this interface to the default WAN trunk. For General, the rest of the screen's options do not automatically adjust and you must manually configure a policy route to add routing and SNAT settings for the interface. Interface Name: Specify a name for the interface. It can use alphanumeric characters, hyphens, and underscores, and it c...

Page 308: ...es which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the ZyWALL uses the one that was configured first. Interface Parameters. Egress Bandwidth: Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network. Allowed values are 0-1048576. Ingress Bandwidth: This is re...

Page 309: ...n Interface Properties is Internal or General. DHCP: Select what type of DHCP service the ZyWALL provides to the network. Choices are: None - the ZyWALL does not provide any DHCP services. There is already a DHCP server on the network. DHCP Relay - the ZyWALL routes DHCP requests to one or more DHCP servers you specify. The DHCP server(s) may be on another network. DHCP Server - the ZyWALL assigns IP addresses a...

Page 310: ...e of the computer names on your network and the IP addresses that they are currently using. Lease time: Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are: infinite - select this if IP addresses never expire; days, hours, and minutes - select this to enter how long IP addresses are valid. Enable IP/MAC Binding: Select thi...

Page 311: ...IP-2 packets using subnet broadcasting; otherwise, the ZyWALL uses multicasting. OSPF Setting: See Section 16.3 on page 401 for more information about OSPF. Area: Select the area in which this interface belongs. Select None to disable OSPF in this interface. Priority: Enter the priority (between 0 and 255) of this interface when the area is looking for a Designated Router (DR) or Backup Designated Router (BDR). T...

Page 312: ...factory-assigned default MAC address. By default, the ZyWALL uses the factory-assigned MAC address to identify itself. Overwrite Default MAC Address: Select this option to have the interface use a different MAC address. Either enter the MAC address in the fields or click Clone by host and enter the IP address of the device or computer whose MAC you are cloning. Once it is successfully configured, the add...

Page 313: ...me to display the object's configuration screen in the main window. This field is a sequential value and it is not associated with any entry. Service: This is the type of setting that references the selected object. Click a service's name to display the service's configuration screen in the main window. Priority: If it is applicable, this field lists the referencing configuration item's position in its l...

Page 314: ...fies the protocol (PPPoE or PPTP) as well as your ISP account information. If you change ISPs later, you only have to create a new ISP account, not a new PPPoE/PPTP interface. You should not have to change any network policies. You do not set up the subnet mask or gateway. PPPoE/PPTP interfaces are interfaces between the ZyWALL and only one computer. Therefore, the subnet mask is always 255.255.255.255. In a...

Page 315: ...ctivate: To turn on an entry, select it and click Activate. Inactivate: To turn off an entry, select it and click Inactivate. Connect: To connect an interface, select it and click Connect. You might use this in testing the interface or to manually establish the connection for a Dial-on-Demand PPPoE/PPTP interface. Disconnect: To disconnect an interface, select it and click Disconnect. You might use this in tes...

Page 316: ... screen, click the Add icon or an Edit icon in the PPP Interface screen. Base Interface: This field displays the interface on top of which the PPPoE/PPTP interface is. Account Profile: This field displays the ISP account used by this PPPoE/PPTP interface. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to return the screen to its last saved settings. Table 65 Configuration...

Page 317: ...ation > Network > Interface > PPP > Add. Each field is explained in the following table. Table 66 Configuration > Network > Interface > PPP > Add. LABEL / DESCRIPTION. Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields. General Settings ...

Page 318: ...e connection available. ISP Setting. Account Profile: Select the ISP account that this PPPoE/PPTP interface uses. The drop-down box lists ISP accounts by name. Use Create new Object if you need to configure a new ISP account (see Chapter 47 on page 807 for details). Protocol: This field is read-only. It displays the protocol specified in the ISP account. User Name: This field is read-only. It displays the user...

Page 319: ...k: Select this to turn on the connection check. Check Method: Select the method that the gateway allows. Select icmp to have the ZyWALL regularly ping the gateway you specify to make sure it is still available. Select tcp to have the ZyWALL regularly perform a TCP handshake with the gateway you specify to make sure it is still available. Check Period: Enter the number of seconds between connection check ...

Page 320: ...ted to users when they send data. It allows fast transfer of voice and non-voice data and provides broadband Internet access to mobile devices. Note: The actual data rate you obtain varies depending on the 3G card you use, the signal strength to the service provider's base station, and so on. OK: Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving. Table...

Page 321: ...0 is a hybrid 2.5G/3G protocol of mobile telecommunications standards that use CDMA, a multiple access scheme for digital radio. CDMA2000 1xRTT (1 times Radio Transmission Technology) is the core CDMA2000 wireless air interface standard. It is also known as 1x, 1xRTT, or IS-2000 and considered to be a 2.5G or 2.75G technology. 2.75G: Packet-switched Enhanced Data rates for GSM Evolution (EDGE), Enhanced GPRS ...

Page 322: ...face, select it and click Connect. You might use this in testing the interface or to manually establish the connection. Disconnect: To disconnect an interface, select it and click Disconnect. You might use this in testing the interface. Object References: Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 13.3.2 on page 312 for an example. This ...

Page 323: ...Figure 276 Configuration > Network > Interface > Cellular > Add ...

Page 324: ...tivity. Nailed-Up: Select this if the connection should always be up. Clear this to have the ZyWALL establish the connection only when there is traffic. You might not nail up the connection if there is little traffic through the interface or if it costs money to keep the connection available. Idle timeout: This value specifies the time in seconds (0-360) that elapses before the ZyWALL automatically dis...

Page 325: ... Spaces are not allowed. Password: This field displays when you select an authentication type other than None. This field is read-only if you selected Device in the profile selection and the password is included in the 3G card's profile. If this field is configurable, enter the password for this SIM card exactly as the service provider gave it to you. You can use 0-63 alphanumeric and _ characters. Space...

Page 326: ...o turn on the connection check. Check Method: Select the method that the gateway allows. Select icmp to have the ZyWALL regularly ping the gateway you specify to make sure it is still available. Select tcp to have the ZyWALL regularly perform a TCP handshake with the gateway you specify to make sure it is still available. Check Period: Enter the number of seconds between connection check attempts. Check ...

Page 327: ...specify the type of network to use if you are charged differently for different types of network or you only have one type of network available to you. Select GPRS/EDGE (GSM) only to have this interface only use a 2.5G or 2.75G network, respectively. If you only have a GSM network available to you, you may want to select this so the ZyWALL does not spend time looking for a WCDMA network. Select UMTS/HSDP...

Page 328: ...n the time or data limit is exceeded. Log: Select None to not create a log, Log to create a log, or Log alert to create an alert log. If you select Log or Log alert, you can also select recurring every to have the ZyWALL send a log or alert for this event periodically. Specify how often (from 1 to 65535 minutes) to send the log or alert. New 3G connection: Select Allow to permit new 3G connections or Disallo...

Page 329: ...SID is the name of the wireless network. It stands for Service Set IDentity. Different wireless networks in the same area should use different channels. Like radio stations or television channels, each wireless network uses a specific channel, or frequency, to send and receive information. Every wireless client in a wireless network must use security compatible with the AP. Security stops unauthorized dev...

Page 330: ...s screen. Table 70 Configuration > Network > Interface > WLAN. LABEL / DESCRIPTION. Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields. WLAN Device Settings. Extension Slot: Select the slot for which you want to configure wireless device settings. Enable WLAN Device: Select this to turn on the wireless LAN card. It is recommended that you con...

Page 331: ...er here. Set the RTS/CTS equal to or higher than the fragmentation threshold to turn RTS/CTS off. Fragmentation Threshold: This is the threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Output Power: Select the percentage of output power that this WLAN card is to use. If there is a high density of APs in the area, decrease...

Page 332: ...varies according to the security features you select. It displays as shown next when you set the Security Type to none. IP Address: This field displays the current IP address of the WLAN interface. If the IP address is 0.0.0.0, the interface does not have an IP address yet. This screen also shows whether the IP address is a static IP address (STATIC) or dynamically assigned (DHCP). IP addresses are always st...

Page 333: ...Figure 279 Configuration > Network > Interface > WLAN > Add (No Security) ...

Page 334: ... to something that is difficult to guess. Hide SSID Broadcast: Select to hide the SSID in the outgoing beacon frame so a station cannot obtain the SSID through scanning. Block Intra-BSS Traffic: Select this to prevent wireless clients in this profile's BSS from communicating with one another. Maximum Associations: Specify the highest number of wireless clients that are allowed to connect to the wireless...

Page 335: ... is 1500. DHCP Settings. DHCP: Select what type of DHCP service the ZyWALL provides to the wireless network. Choices are: None - the ZyWALL does not provide any DHCP services. There is already a DHCP server on the network. DHCP Relay - the ZyWALL routes DHCP requests to one or more DHCP servers you specify. The DHCP server(s) may be on another network. DHCP Server - the ZyWALL assigns IP addresses and provides su...

Page 336: ...he DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using. Lease time: Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are: infinite - select this if IP addresses never expire; days, hours, and minutes - select this to enter how long IP ...

Page 337: ...priority to zero if the interface cannot be the DR or BDR. Link Cost: Enter the cost (between 1 and 65,535) to route packets through this interface. Passive Interface: Select this to stop forwarding OSPF routing information from the selected interface. As a result, this interface only receives routing information. Authentication: Select an authentication method or disable authentication. To exchange OSPF ro...

Page 338: ...ity mechanism. Use the strongest security mechanism that all the wireless devices in your network support. For example, use WPA-PSK or WPA2-PSK (or WPA or WPA2) if your wireless devices support it. If your wireless devices support nothing stronger than WEP, use the highest encryption level available. To configure and enable WEP encryption, click Configuration > Network > Interface > WLAN > Add or Edit to open the ...

Page 339: ...k > Interface > WLAN > Add > WPA-PSK, WPA2-PSK or WPA/WPA2-PSK Security. Table 73 Configuration > Network > Interface > WLAN > Add > WEP Security. LABEL / DESCRIPTION. WEP Encryption: WEP (Wired Equivalent Privacy) provides data encryption to prevent unauthorized wireless stations from accessing data transmitted over the wireless network. Select 64-bit WEP or 128-bit WEP to enable data encryption. Key 1 to Key 4: If you chose ...

Page 340: ... The encryption mechanisms used for WPA and WPA PSK are the same The only difference between the two is that WPA PSK uses a simple common password instead of user specific credentials Type a pre shared key from 8 to 63 case sensitive ASCII characters including spaces and symbols ReAuthentication Timer Specify how often wireless stations have to resend usernames and passwords in order to stay conne...

Page 341: ...ys if you set the Authentication Type field to Auth Method Select an authentication method object that defines how the ZyWALL authenticates a wireless user The ZyWALL s default configuration also includes an authentication method object named default that you can use You can configure the default authentication method object but it s default configuration uses the ZyWALL s local database for authe...

Page 342: ...e RADIUS server s listening port number the default is 1812 Radius Server Secret Enter a password up to 31 alphanumeric characters as the key to be shared between the external authentication server and the ZyWALL The key is not sent over the network This key must be the same on the external authentication server and ZyWALL ReAuthentication Timer Specify how often wireless stations have to resend u...

Page 343: ...s not listed will be denied access to the router Add Click this to add an entry to the table Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so This is the index number of the MAC address MAC Address This displays the MAC address in XX XX XX X...

Page 344: ... are connected to hubs and the hubs are connected to the router Alternatively you can divide the physical networks into three VLANs Figure 285 Example After VLAN Each VLAN is a separate network with separate IP addresses subnet masks and gateways Each VLAN also has a unique identification number ID The ID is a 12 bit value that is stored in the MAC header The VLANs are connected to switches and th...

Page 345: ...s For example you can create different content filtering rules for each VLAN each department in the example above and you can set different bandwidth limits for each VLAN These rules are also independent of the physical network so you can change the physical network without changing policies In this example the new switch handles the following types of traffic Inside VLAN 2 Between the router and ...

Page 346: ...can create a virtual interface select an interface and click Create Virtual Interface Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 2 on page 312 for an example This field is a sequential value and it is not associated with any interface Status This icon is lit when the entry is active and dimmed when the ent...

Page 347: ... check for each VLAN interface To access this screen click the Add icon at the top of the Add column or click an Edit icon next to a VLAN interface in the VLAN Summary screen The following screen appears Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to return the screen to its last saved settings Table 77 Configuration Network Interface VLAN continued LABEL DESCRIPTIO...

Page 348: ...Chapter 13 Interfaces ZyWALL USG 100 200 Series User s Guide 348 Figure 287 Configuration Network Interface VLAN Edit ...

Page 349: ... and 4095 are reserved Description Enter a description of this interface It is not used elsewhere You can use alphanumeric and _ characters and it can be up to 60 characters long IP Address Assignment Get Automatically Select this if this interface is a DHCP client In this case the DHCP server configures the IP address subnet mask and gateway automatically You should not select this if the interfa...

Page 350: ...t is a failure and how many consecutive failures are required before the ZyWALL stops routing to the gateway The ZyWALL resumes routing to the gateway the first time the gateway passes the connectivity check Enable Connectivity Check Select this to turn on the connection check Check Method Select the method that the gateway allows Select icmp to have the ZyWALL regularly ping the gateway you speci...

Page 351: ...t address broadcast address and the interface s IP address Pool Size Enter the number of IP addresses to allocate This number must be at least one and is limited by the interface s Subnet Mask For example if the Subnet Mask is 255 255 255 0 and IP Pool Start Address is 10 10 10 10 the ZyWALL can allocate 10 10 10 10 to 10 10 10 254 or 245 IP addresses If this field is blank the IP Pool Start Addre...

Page 352: ...to be able to modify it Remove Select an entry and click this to delete it This field is a sequential value and it is not associated with a specific entry IP Address Enter the IP address to assign to a device with this entry s MAC address MAC Address Enter the MAC address to which to assign this entry s IP address Description Enter a description to help identify this static DHCP entry You can use ...

Page 353: ...tion method in the area None disable authentication Text authenticate OSPF routing information using a plain text password MD5 authenticate OSPF routing information using MD5 encryption Text Authentication Key This field is available if the Authentication is Text Type the password for text authentication The key can consist of alphanumeric characters and the underscore and it can be up to eight ch...

Page 354: ... in a table It also looks up the destination MAC address in the table If the bridge knows on which port the destination MAC address is located it sends the packet to that port If the destination MAC address is not in the table the bridge broadcasts the packet on every port except the one on which it was received In the example above computer A sends a packet to computer B Bridge X records the sour...

Page 355: ...e VLAN interfaces and any associated virtual VLAN interfaces Any number of Ethernet interfaces and any associated virtual Ethernet interfaces When you create a bridge interface the ZyWALL removes the members entries from the routing table and adds the bridge interface s entries to the routing table For example this table shows the routing table before and after you create bridge interface br0 250 ...

Page 356: ... Inactivate To turn off an entry select it and click Inactivate Create Virtual Interface To open the screen where you can create a virtual interface select an interface and click Create Virtual Interface Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 2 on page 312 for an example This field is a sequential valu...

Page 357: ...ck for each bridge interface To access this screen click the Add icon at the top of the Add column in the Bridge Summary screen or click an Edit icon in the Bridge Summary screen The following screen appears Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to return the screen to its last saved settings Table 82 Configuration Network Interface Bridge continued LABEL DESC...

Page 358: ...Chapter 13 Interfaces ZyWALL USG 100 200 Series User s Guide 358 Figure 289 Configuration Network Interface Bridge Add ...

Page 359: ...art of the bridge interface An interface is not available in the following situations There is a virtual interface on top of it It is already used in a different bridge interface Select one and click the arrow to add it to the bridge interface Each bridge interface can only have one VLAN interface Member This field displays the interfaces that are part of the bridge interface Select one and click ...

Page 360: ...048576 Ingress Bandwidth This is reserved for future use Enter the maximum amount of traffic in kilobits per second the ZyWALL can receive from the network through the interface Allowed values are 0 1048576 MTU Maximum Transmission Unit Type the maximum size of each data packet in bytes that can move through this interface If a larger packet arrives the ZyWALL divides it into smaller fragments All...

Page 361: ...rver that another interface received from its DHCP server ZyWALL the DHCP clients use the IP address of this interface and the ZyWALL works as a DNS relay First WINS Server Second WINS Server Type the IP address of the WINS Windows Internet Naming Service server that you want to send to the DHCP clients The WINS server keeps a mapping table of the computer names on your network and the IP addresse...

Page 362: ...the connectivity check Enable Connectivity Check Select this to turn on the connection check Check Method Select the method that the gateway allows Select icmp to have the ZyWALL regularly ping the gateway you specify to make sure it is still available Select tcp to have the ZyWALL regularly perform a TCP handshake with the gateway you specify to make sure it is still available Check Period Enter ...

Page 363: ...ort to use the auxiliary interface Note You have to connect an external modem to the auxiliary port The ZyWALL uses the auxiliary interface to dial out in two situations 1 You click the Connect icon on the ZyWALL Status screen 2 The load auxiliary interface must connect to satisfy load balancing requirements You have to add the auxiliary interface to a trunk first When the ZyWALL hangs up the call...

Page 364: ...field is read only and displays the zone to which the auxiliary interface belongs Description Enter a description of this interface It is not used elsewhere You can use alphanumeric and _ characters and it can be up to 60 characters long Port Speed Select the speed of the connection between the ZyWALL and external computer Dialing Type Tone select this if the telephone uses tone based dialing Puls...

Page 365: ... Use a comma to pause during dialing Use a plus sign to tell the external modem to make an international call User Name Enter the user name required for authentication Password Enter the password required for authentication Retype to confirm Enter the password again to make sure you have not typed it incorrectly Authentication Type Select the authentication protocol to use for outgoing calls Choic...

Page 366: ...nfiguration Network Interface Add LABEL DESCRIPTION Interface Properties Interface Name This field is read only It displays the name of the virtual interface which is automatically derived from the underlying Ethernet interface VLAN interface or bridge interface Description Enter a description of this interface It is not used elsewhere You can use alphanumeric and _ characters and it can be up to ...

Page 367: ...ays have the same priority the ZyWALL uses the one that was configured first Interface Parameters Egress Bandwidth Enter the maximum amount of traffic in kilobits per second the ZyWALL can send through the interface to the network Allowed values are 0 1048576 Ingress Bandwidth This is reserved for future use Enter the maximum amount of traffic in kilobits per second the ZyWALL can receive from the...

Page 368: ... packet with a destination address of 5 5 5 5 it might not find any entries in the routing table In this case the packet is dropped However if there is a default router to which the ZyWALL should send this packet you can specify it as a gateway in one of the interfaces For example if there is a default router at 200 200 200 100 you can create a gateway at 200 200 200 100 on ge2 In this case the Zy...

Page 369: ... IP addresses subnet masks gateways and some network information such as the IP addresses of DNS servers on computers in the network This reduces the amount of manual configuration you have to do and usually uses available IP addresses more efficiently In DHCP every network has at least one DHCP server When a computer a DHCP client joins the network it submits a DHCP request The DHCP servers get t...

Page 370: ...nterface provides the same gateway you specify for the interface See IP Address Assignment on page 367 DNS servers The interface provides IP addresses for up to three DNS servers that provide DNS services for DHCP clients You can specify each IP address manually for example a company s own DNS server or you can refer to DNS servers that other interfaces received from DHCP servers for example a DNS...

Page 371: ...isting systems including RADIUS You can access one of several network services This makes it easier for the service provider to offer the service PPPoE does not usually require any special configuration of the modem PPTP is used to set up virtual private networks VPN in unsecure TCP IP environments It sets up two sessions 1 The first one runs on TCP port 1723 It is used to start and manage the sec...

Page 373: ...stralia. You could use policy routes and trunks to have traffic for your European branch office primarily use ISP A and traffic for your Australian branch office primarily use ISP B. Or maybe one of the ZyWALL's interfaces is connected to an ISP that is also your Voice over IP (VoIP) service provider. You can use policy routing to send the VoIP traffic through a trunk with the interface connected to th...

Page 374: ... types through the best WAN interface for that type of traffic. If that interface's connection goes down, the ZyWALL can still send its traffic through another interface. You can define multiple trunks for the same physical interfaces. Link Sticking: You can have the ZyWALL send each local computer's traffic that is going to the same destination through a single WAN interface for a specified period of ...

Page 375: ... measured bandwidth refers to the bandwidth an interface is currently using. Least Load First: The least load first algorithm uses the current (or recent) outbound bandwidth utilization of each trunk member interface as the load balancing index(es) when making decisions about to which interface a new session is to be distributed. The outbound bandwidth utilization is defined as the measured outbound thr...

Page 376: ...L to distribute the network traffic between the two interfaces by setting the weight of ge2 and ge3 to 2 and 1 respectively. The ZyWALL assigns the traffic of two sessions to ge2 for every session's traffic assigned to ge3. Figure 295 Weighted Round Robin Algorithm Example. Spillover: The spillover load balancing algorithm sends network traffic to the first interface in the trunk member list until the...

Page 377: ...hreshold of the first interface is set to 800K. The ZyWALL sends network traffic of new sessions that exceed this limit to the secondary WAN interface. Figure 296 Spillover Algorithm Example. Finding Out More: See Section 6.5.5 on page 104 for related information on the Trunk screens. See Section 7.3 on page 124 for an example of how to configure load balancing. See Section 14.4 on page 381 for more bac...

Page 378: ...Click this button to display a greater or lesser number of configuration fields. Enable Link Sticking: Enable link sticking to have the ZyWALL route sessions from one source to the same destination through the same link for a period of time. This is useful for accessing servers that are incompatible with a user's sessions coming from different links. For example, this is useful when a server requires a...

Page 379: ...lly adds all external interfaces into the pre-configured system default SYSTEM_DEFAULT_WAN_TRUNK. You cannot delete it. You can create your own User Configuration trunks. Add: Click this to create a new user-configured trunk. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. Remove: To remove a user-configured trunk, select it and click Remo...

Page 380: ...click an entry or select it and click Edit to open a screen where you can modify the entry's settings. Remove: To remove a member interface, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Move: To move an interface to a different number in the list, click the Move icon. In the field that appears, specify the number to which you want to move the interface. This column ...

Page 381: ...e least load first or spillover load balancing algorithm. It displays the maximum number of kilobits of data the ZyWALL is to send out through the interface per second. Spillover: This field displays with the spillover load balancing algorithm. Specify the maximum bandwidth of traffic in kilobits per second (1-1048576) to send out through the interface before using another interface. When this spillover ...

Page 383: ...ALL's default gateway, R1. You create one policy route to connect to services offered by your ISP behind router R2. You create another policy route to communicate with a separate network behind another router (R3) connected to the LAN. Figure 299 Example of Policy Routing Topology. Note: You can generally just use policy routes. You only need to use static routes if you have a large network with multiple r...

Page 384: ...o use policy routes to manage other types of traffic (like ICMP traffic) and send traffic through VPN tunnels. Note: Bandwidth management in policy routes has priority over application patrol bandwidth management. Cost Savings: IPPR allows organizations to distribute interactive traffic on high-bandwidth, high-cost paths while using low-cost paths for batch traffic. Load Sharing: Network administrators can...

Page 385: ...s along the route based on the application types and traffic flow. Packets are marked with DiffServ Code Points (DSCPs) indicating the level of service desired. This allows the intermediary DiffServ-compliant network devices to handle the packets differently depending on the code points, without the need to negotiate paths or remember state information for every flow. In addition, applications do not hav...

Page 386: ...nfigured policy routes and turn policy-routing-based bandwidth management on or off. A policy route defines the matching criteria and the action to take when a packet meets the criteria. The action is taken only when all the criteria are met. The criteria can include the user name, source address and incoming interface, destination address, schedule, IP protocol (ICMP, UDP, TCP, etc.) and port. The actions that...

Page 387: ...try. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Activate: To turn on an entry, select it and click Activate. Inactivate: To turn off an entry, select it and click Inactivate. Move: To change a rule's position in the numbered l...

Page 388: ...the DSCP value of the outgoing packets that match this route. If this field displays a DSCP value, the ZyWALL applies that DSCP value to the route's outgoing packets. preserve means the ZyWALL does not modify the DSCP value of the route's outgoing packets. default means the ZyWALL sets the DSCP value of the route's outgoing packets to 0. The af choices stand for Assured Forwarding. The number following ...

Page 389: ...301 Configuration > Network > Routing > Policy Route > Add. The following table describes the labels in this screen. Table 93 Configuration > Network > Routing > Policy Route > Edit. LABEL / DESCRIPTION. Create new Object: Use this to configure any new settings objects that you need to use in this screen. Configuration. Enable: Select this to activate the policy. Description: Enter a descriptive name of up to 31 printable AS...

Page 390: ...and one of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ on page 395 for more details. User-Defined DSCP Code: Use this field to specify a custom DSCP code point. Schedule: Select a schedule to control when the policy route is active. none means the route is active at all times, if enabled. Service: Select a service or service group to identify the type of traffic to which this policy ...

Page 391: ...through the specified interface. Auto-Disable: This field displays when you select Interface or Trunk in the Type field. Select this to have the ZyWALL automatically disable this policy route when the next hop's connection is down. DSCP Marking. DSCP Marking: Set how the ZyWALL handles the DSCP value of the outgoing packets that match this route. Select one of the pre-defined DSCP values to apply, or sele...

Page 392: ...vice before using a port triggering rule. Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Edit: Select an entry and click this to be able to modify it. You can also just double-click an entry to be able to modify it. Remove: Select an entry and click this to delete it. Move: The ordering of your rules is important, as they are applied in or...

Page 393: ...e's bandwidth unbudgeted and do not enable Maximize Bandwidth Usage. Bandwidth Priority: Enter a number between 1 and 7 to set the priority for traffic. The smaller the number, the higher the priority. If you set the maximum bandwidth to 0, the bandwidth priority will be changed to 0 after you click OK. That means the route has the highest priority and will get all the bandwidth it needs, up to the maximu...

Page 394: ... want to remove it before doing so. This is the number of an individual static route. Destination: This is the destination IP address. Subnet Mask: This is the IP subnet mask. Next Hop: This is the IP address of the next-hop gateway or the interface through which the traffic is routed. The gateway is a router or switch on the same segment as your ZyWALL's interface(s). The gateway helps forward packets to t...

Page 395: ...occurs. If congestion occurs between classes, the traffic in the higher class (smaller numbered class) is generally given priority. Combining the classes and drop precedence produces the Gateway IP: Select the radio button and enter the IP address of the next-hop gateway. The gateway is a router or switch on the same segment as your ZyWALL's interface(s). The gateway helps forward packets to their destinat...

Page 396: ...ient computer. Port triggering is used especially when the remote server responds using a different port from the port the client computer used to request a service. The ZyWALL records the IP address of a client computer that sends traffic to a remote server to request a service (incoming service). When the ZyWALL receives a new connection (trigger service) from the remote server, the ZyWALL forwards the...

Page 397: ...licy route is not using among the policy routes that require more bandwidth. When you enable maximize bandwidth usage, the ZyWALL first makes sure that each policy route gets up to its bandwidth allotment. Next, the ZyWALL divides up an interface's available bandwidth (bandwidth that is unbudgeted or unused by the policy routes) depending on how many policy routes require more bandwidth and on their pri...

Page 399: ...Can Do in this Chapter. Use the RIP screen (see Section 16.2 on page 400) to configure the ZyWALL to use RIP to receive and/or send routing information. Use the OSPF screen (see Section 16.3 on page 401) to configure general OSPF settings and manage OSPF areas. Use the OSPF Area Add/Edit screen (see Section 16.3.2 on page 408) to create or edit an OSPF area. 16.1.2 What You Need to Know. The ZyWALL supports ...

Page 400: ...ettings before you can use it in an interface. First, the Authentication field specifies how to verify that the routing information that is received is the same routing information that is sent. This is discussed in more detail in Authentication Types on page 411. Second, the ZyWALL can also redistribute routing information from non-RIP networks, specifically OSPF networks and static routes, to the RIP n...

Page 401: ...n 1 and 255. MD5 Authentication Key: This field is available if the Authentication is MD5. Type the password for MD5 authentication. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long. Redistribute. Active OSPF: Select this to use RIP to advertise routes that were learned through OSPF. Metric: Type the cost for routes provided by OSPF. The metric re...

Page 402: ...represents a group of adjacent networks and is identified by a 32-bit ID. In OSPF, this number may be expressed as an integer or as an IP address. There are several types of areas. The backbone is the transit area that routes packets between other areas. All other areas are connected to the backbone. A normal area is a group of adjacent networks. A normal area has routing information about the OSPF AS an...

Page 403: ...ges to confirm which neighbor (layer-3) devices exist, and then they exchange database descriptions (DDs) to create a synchronized link-state database. The link-state database contains records of router IDs, their associated links and path costs. The link-state database is then constantly updated through Link State Advertisements (LSA). Each router uses the link-state database and the Dijkstra algorithm to c...

Page 404: ...ter (BDR). All of the routers only exchange information with the DR and the BDR, instead of exchanging information with all of the other routers in the group. The DR and BDR are selected by priority; if two routers have the same priority, the highest router ID is used. The DR and BDR are selected in each group of routers that are directly connected to each other. If a router is directly connected to severa...

Page 405: ... and the backbone. You cannot create a virtual link to a router in a different area. OSPF Configuration: Follow these steps when you configure OSPF on the ZyWALL. 1. Enable OSPF. 2. Set up the OSPF areas. 3. Configure the appropriate interfaces. See Section 13.3.1 on page 304. 4. Set up virtual links, as needed. 16.3.1 Configuring the OSPF Screen. Use the first OSPF screen to specify the OSPF router the ZyWALL u...

Page 406: ...ed. Redistribute. Active RIP: Select this to advertise routes that were learned from RIP. The ZyWALL advertises routes learned from RIP to Normal and NSSA areas, but not to Stub areas. Type: Select how OSPF calculates the cost associated with routing information from RIP. Choices are Type 1 and Type 2. Type 1: cost = OSPF AS cost + external cost (Metric). Type 2: cost = external cost (Metric); the OSPF AS cost is ignore...

Page 407: ...PF areas in the ZyWALL. Add: Click this to create a new OSPF area. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. This field is a sequential value, and it is not associated with a specific area. Area: This field displays the 32...

Page 408: ...outing information about the OSPF AS and about networks outside the OSPF AS. Stub: This area is a stub area. It has routing information about the OSPF AS but not about networks outside the OSPF AS. It depends on a default route to send information outside the OSPF AS. NSSA: This area is a Not-So-Stubby Area (NSSA), per RFC 1587. It has routing information about the OSPF AS and networks that are outside the...

Page 409: ...You should set up the virtual link on the ABR that is connected to the other area and on the ABR that is connected to the backbone. Add: Click this to create a new virtual link. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. ...

Page 410: ...o authentication. Text uses a plain-text password that is sent over the network (not very secure). MD5 uses an MD5 password and authentication ID (most secure). Same as Area has the virtual link also use the Authentication settings above. Text Authentication Key: This field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters an...

Page 411: ...password and authentication ID. MD5 is an authentication method that produces a 128-bit checksum, called a message digest, for each packet. It also includes an authentication ID, which can be set to any value between 1 and 255. The ZyWALL only accepts packets if these conditions are satisfied: The packet's authentication ID is the same as the authentication ID of the interface that received it. The packet...

Page 413: ...olicy settings such as firewall rules Anti X and remote management Zones cannot overlap Each Ethernet interface VLAN interface bridge interface PPPoE PPTP interface auxiliary interface and VPN tunnel can be assigned to at most one zone Virtual interfaces are automatically assigned to the same zone as the interface on which they run Figure 312 Example Zones 17 1 1 What You Can Do in this Chapter Us...

Page 414: ... example DMZ to DMZ but many other types of zone based security and policy settings do not affect intra zone traffic Inter zone Traffic Inter zone traffic is traffic between interfaces or VPN tunnels in different zones For example in Figure 312 on page 413 traffic between VLAN 1 and the Internet is inter zone traffic This is the normal case when zone based security and policy settings apply Extra ...

Page 415: ...ick this to create a new user configured zone Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove a user configured trunk select it and click Remove The ZyWALL confirms you want to remove it before doing so Object References Select an entry and click Object References to open a screen that shows which settings use the e...

Page 416: ...haracters underscores _ or dashes but the first character cannot be a number This value is case sensitive Block Intra zone Traffic Select this check box to block network traffic between members in the zone Member List Available lists the interfaces and VPN tunnels that do not belong to any zone Select the interfaces and VPN tunnels that you want to add to the zone you are editing and click the rig...

Page 417: ... use the domain name to contact you in NetMeeting, CU-SeeMe, etc., or to access your FTP server or Web site regardless of the current IP address. Note: You must have a public WAN IP address to use Dynamic DNS. You must set up a dynamic DNS account with a supported DNS service provider before you can use Dynamic DNS services with the ZyWALL. When registration is complete, the DNS service provider gives you ...

Page 418: ...screen. Figure 315: Configuration > Network > DDNS. The following table describes the labels in this screen. Table 106: Configuration > Network > DDNS. LABEL / DESCRIPTION. Add: Click this to create a new entry. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove i...

Page 419: ...e alternate interface to use for updating the IP address mapped to the domain name, followed by how the ZyWALL determines the IP address for the domain name. The ZyWALL uses the backup interface and IP address when the primary interface is disabled, its link is down, or its connectivity check fails. From interface: the IP address comes from the specified interface. Auto detected: the DDNS server checks th...

Page 420: ...een. Table 107: Configuration > Network > DDNS > Add. LABEL / DESCRIPTION. Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields. Enable DDNS Profile: Select this check box to use this DDNS entry. Profile Name: When you are adding a DDNS entry, type a descriptive name for this DDNS entry in the ZyWALL. You may use 1-31 alphanumeric characters, und...

Page 421: ...nterface: The ZyWALL uses the IP address of the specified interface. This option appears when you select a specific interface in the Primary Binding Address Interface field. Auto: If the interface has a dynamic IP address, the DDNS server checks the source IP address of the packets from the ZyWALL for the IP address to use for the domain name. You may want to use this if there are one or more NAT router...

Page 422: ...card feature to alias subdomains to the same IP address as your dynamic domain name. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname. Mail Exchanger: This option is only available with a DynDNS account. DynDNS can route e-mail for your domain name to a mail server called a mail exchanger. For example, DynDNS routes e-ma...

Page 423: ...ers in the private network available by using ports to forward packets to the appropriate private IP address. Suppose you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example), port 80 to another (B in the example), and assign a default server IP address of 192.168.1.35 to a third (C in the example). You assign the LAN IP addresses and the ISP assigns the WAN IP address. The NAT net...

Page 424: ...on 7.13.3 on page 175 for an example of how to configure NAT to allow SIP traffic from the WAN to an IPPBX or SIP server on the DMZ. 19.2 The NAT Screen. The NAT summary screen provides a summary of all NAT rules and their configuration. In addition, this screen allows you to create new NAT rules and edit and delete existing NAT rules. To access this screen, log in to the Web Configurator and click Confi...

Page 425: ...eld displays the original destination IP address or address object of traffic that matches this NAT entry. It displays any if there is no restriction on the original destination IP address. Mapped IP: This field displays the new destination IP address for the packet. Protocol: This field displays the service used by the packets for this NAT entry. It displays any if there is no restriction on the servic...

Page 426: ...9: Configuration > Network > NAT > Add. The following table describes the labels in this screen. Table 109: Configuration > Network > NAT > Add. LABEL / DESCRIPTION. Create new Object: Use to configure any new settings objects that you need to use in this screen. Enable Rule: Use this option to turn the NAT rule on or off. Rule Name: Type in the name of the NAT rule. The name is used to refer to the NAT rule. You may use 1 ...

Page 427: ...incoming interface's IP addresses, including dynamic addresses or those of any virtual interfaces built upon the selected incoming interface. User Defined: Select this to manually enter an IP address in the User Defined field. For example, you could enter a static public IP assigned by the ISP without having to create a virtual interface for it. Host address: select a host address object to use the IP ad...

Page 428: ...ginal destination ports this NAT rule supports. Original End Port: This field is available if Mapping Type is Ports. Enter the end of the range of original destination ports this NAT rule supports. Mapped Start Port: This field is available if Mapping Type is Ports. Enter the beginning of the range of translated destination ports if this NAT rule forwards the packet. Mapped End Port: This field is availab...

Page 429: ...ses. After you configure your NAT rule settings, click the Firewall link to configure a firewall rule to allow the NAT rule's traffic to come in. The ZyWALL checks NAT rules before it applies To-ZyWALL firewall rules, so To-ZyWALL firewall rules do not apply to traffic that is forwarded by NAT rules. The ZyWALL still checks other firewall rules according to the source IP address and mapped IP address. O...

Page 430: ...1.1.1.1. NAT loopback uses the IP address of the ZyWALL's LAN interface (192.168.1.1) as the source address of the traffic going from the LAN users to the LAN SMTP server. Figure 321: LAN to LAN Traffic. The LAN SMTP server replies to the ZyWALL's LAN IP address, and the ZyWALL changes the source address to 1.1.1.1 before sending it to the LAN user. The return traffic's source matches the original destina...

Page 431: ...he LAN user without the traffic going through NAT, the source would not match the original destination address, which would cause the LAN user's computer to shut down the session. Figure 322: LAN to LAN Return Traffic (figure labels: 192.168.1.21, LAN, 192.168.1.89, Source 1.1.1.1 SMTP, NAT, Source 192.168.1.21 SMTP) ...
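The port-forwarding table (pages 423-428) and the NAT loopback explanation (pages 430-431) are easier to follow as a small model that applies both translations and then reverses them for the reply. The following Python is an added example written for this page, not ZyXEL code and not a description of the ZyWALL's implementation. It keeps the guide's addresses (public 1.1.1.1, ZyWALL LAN interface 192.168.1.1, default server 192.168.1.35, SMTP server 192.168.1.21, LAN user 192.168.1.89) and assumes the rest: the addresses of servers A and B, an 80 to 8080 port translation, and that LAN-to-public-IP traffic for a rule without NAT loopback is simply not forwarded.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class NatRule:
    name: str
    original_ip: str                  # Original IP: public address the rule matches
    mapped_ip: str                    # Mapped IP: private server that receives the packet
    original_ports: Tuple[int, int]   # Mapping Type = Ports: inclusive original range
    mapped_ports: Tuple[int, int]     # inclusive translated range (same size)
    nat_loopback: bool = False        # let LAN hosts reach the server via the public IP


WAN_IP = "1.1.1.1"                # public address from the guide's loopback example
ZYWALL_LAN_IP = "192.168.1.1"     # source address used for looped-back traffic
DEFAULT_SERVER = "192.168.1.35"   # server C: receives anything no rule claims

# Assumed rule set: server A and B addresses and the 80->8080 mapping are not in the guide.
RULES: List[NatRule] = [
    NatRule("ftp-telnet", WAN_IP, "192.168.1.33", (21, 23), (21, 23)),
    NatRule("smtp", WAN_IP, "192.168.1.21", (25, 25), (25, 25), nat_loopback=True),
    NatRule("web", WAN_IP, "192.168.1.34", (80, 80), (8080, 8080)),
]

SessionKey = Tuple[str, int, str, int]   # (server_ip, server_port, client_ip_as_seen, client_port)


class NatEngine:
    def __init__(self, rules: List[NatRule]) -> None:
        self.rules = rules
        self.sessions: Dict[SessionKey, Packet] = {}  # translated tuple -> original request

    def match(self, pkt: Packet) -> Optional[NatRule]:
        """First rule in list order whose Original IP and port range cover the packet."""
        for rule in self.rules:
            lo, hi = rule.original_ports
            if pkt.dst_ip == rule.original_ip and lo <= pkt.dst_port <= hi:
                return rule
        return None

    def request(self, pkt: Packet, from_lan: bool = False) -> Tuple[Optional[Packet], str]:
        """Translate a request sent to the public IP. Returns (translated packet, label),
        or (None, reason) when this model would not forward it."""
        if pkt.dst_ip != WAN_IP:
            return pkt, "no-nat"                      # not addressed to the public IP
        rule = self.match(pkt)
        if rule is None:
            out, label = replace(pkt, dst_ip=DEFAULT_SERVER), "default-server"
        else:
            port = rule.mapped_ports[0] + (pkt.dst_port - rule.original_ports[0])
            out, label = replace(pkt, dst_ip=rule.mapped_ip, dst_port=port), rule.name
            if from_lan:
                if not rule.nat_loopback:
                    return None, "loopback-disabled"  # assumption: LAN->public IP not forwarded
                # NAT loopback: SNAT to the ZyWALL's LAN IP so the server replies to the ZyWALL
                out = replace(out, src_ip=ZYWALL_LAN_IP)
        self.sessions[(out.dst_ip, out.dst_port, out.src_ip, out.src_port)] = pkt
        return out, label

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Reverse the translation for a server reply, using the session table."""
        orig = self.sessions.get((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        if orig is None:
            return None
        return replace(pkt, src_ip=orig.dst_ip, src_port=orig.dst_port,
                       dst_ip=orig.src_ip, dst_port=orig.src_port)


def loopback_demo() -> Tuple[Packet, Packet, bool]:
    """LAN user 192.168.1.89 mails via 1.1.1.1:25. Returns the forwarded packet, the
    rewritten reply, and whether the reply's source matches what the client sent to."""
    nat = NatEngine(RULES)
    req = Packet("192.168.1.89", 40000, WAN_IP, 25)
    fwd, _ = nat.request(req, from_lan=True)
    server_reply = Packet(fwd.dst_ip, fwd.dst_port, fwd.src_ip, fwd.src_port)
    back = nat.reply(server_reply)
    return fwd, back, back.src_ip == req.dst_ip


if __name__ == "__main__":
    print(loopback_demo())
```

The last element returned by `loopback_demo()` is the check the guide's Figure 322 is about: the client sent to 1.1.1.1, so the reply must arrive from 1.1.1.1. Without the SNAT to 192.168.1.1 the server would answer 192.168.1.89 directly from 192.168.1.21 and the client's TCP stack would drop the session.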

Page 432: ... Chapter 19 NAT, ZyWALL USG 100/200 Series User's Guide, 432 ...

Page 433: ...client connected to the LAN1 zone wants to open a web page, its HTTP request is redirected to proxy server A first. If proxy server A cannot find the web page in its cache, a policy route allows it to access the Internet to get it from a server. Proxy server A then forwards the response to the client. Figure 323: HTTP Redirect Example. 20.1.1 What You Can Do in this Chapter. Use the HTTP Redirect screen...

Page 434: ...is: 1 Firewall, 2 Application Patrol, 3 HTTP Redirect, 4 Policy Route. Even if you set a policy route to the same incoming interface and service as an HTTP redirect rule, the ZyWALL checks the HTTP redirect rules first and forwards HTTP traffic to a proxy server if matched. You need to make sure there is no firewall rule blocking the HTTP requests from the client to the proxy server. You also need to man...

Page 435: ...owing table describes the labels in this screen. Table 110: Configuration > Network > HTTP Redirect. LABEL / DESCRIPTION. Add: Click this to create a new entry. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Activate: To turn on an ent...

Page 436: ...t saved settings. Table 110: Configuration > Network > HTTP Redirect (continued). LABEL / DESCRIPTION. Table 111: Network > HTTP Redirect > Edit. LABEL / DESCRIPTION. Enable: Use this option to turn the HTTP redirect rule on or off. Name: Enter a name to identify this rule. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive. Interface: Sel...

Page 439: ...ns over Internet. H.323: A teleconferencing protocol suite that provides audio, data and video conferencing. FTP: File Transfer Protocol, an Internet file transfer service. The following example shows SIP signaling (1) and audio (2) sessions between SIP clients A and B and the SIP server. Figure 326: SIP ALG Example. The ALG feature is only needed for traffic that goes through the ZyWALL's NAT. 21.1.1 What You C...

Page 440: ...the server from the WAN. H.323 ALG: The H.323 ALG supports peer-to-peer H.323 calls. The H.323 ALG handles H.323 calls that go through NAT or that the ZyWALL routes. You can also make other H.323 calls that do not go through NAT or routing; examples would be calls between LAN IP addresses that are on the same subnet. The H.323 ALG allows calls to go out through NAT. For example, you could make a call from...

Page 441: ...figures the application patrol (see Chapter 32 on page 563) to use the same port numbers for SIP traffic. Likewise, configuring the application patrol to use custom port numbers for SIP traffic also configures the SIP ALG to use the same port numbers for SIP traffic. Peer-to-Peer Calls and the ZyWALL: The ZyWALL ALG can allow peer-to-peer VoIP calls for both H.323 and SIP. You must configure the firewall and...

Page 442: ... the return traffic for the calls initiated from the LAN IP addresses. For example, you configure firewall and NAT rules to allow LAN IP address A to receive calls through public WAN IP address 1. You configure different firewall and port forwarding rules to allow LAN IP address B to receive calls through public WAN IP address 2. You configure corresponding policy routes to have calls from LAN IP addr...

Page 443: ...yWALL to allow sessions initiated from the WAN. 21.2 The ALG Screen. Click Configuration > Network > ALG to open the ALG screen. Use this screen to turn ALGs off or on, configure the port numbers to which they apply, and configure SIP ALG time-outs. Note: If the ZyWALL provides an ALG for a service, you must enable the ALG in order to use the application patrol on that service's traffic. Figure 330: Configurati...

Page 444: ... Timeout: Most SIP clients have an expire mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL. If the SIP client does not have this mechanism and makes no calls during the ZyWALL SIP timeout, the ZyWALL deletes the signaling session after the timeout period. Enter the SIP signalin...

Page 445: ...s. You could also have a trunk with one interface set to active and a second interface set to passive. The ZyWALL does not automatically change ALG-managed ... Enable FTP ALG: Turn on the FTP ALG to detect FTP (File Transfer Protocol) traffic and help build FTP sessions through the ZyWALL's NAT. Enabling the FTP ALG also allows you to use the application patrol to detect FTP traffic and manage the FTP traffi...

Page 446: ...standard teleconferencing protocol suite that provides audio, data and video conferencing. It allows for real-time point-to-point and multipoint communication between client computers over a packet-based network that does not provide a guaranteed quality of service. NetMeeting uses H.323. SIP: The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the settin...

Page 447: ...he ZyWALL. Suppose you configure access privileges for IP address 192.168.1.27 and use static DHCP to assign it to Tim's computer's MAC address of 12:34:56:78:90:AB. IP/MAC binding drops traffic from any computer trying to use IP address 192.168.1.27 with another MAC address. Figure 331: IP/MAC Binding Example. 22.1.1 What You Can Do in this Chapter. Use the Summary and Edit screens (Section 22.2 on page...

Page 448: ...2 IP/MAC Binding Summary. Click Configuration > Network > IP/MAC Binding to open the IP/MAC Binding Summary screen. This screen lists the total number of IP-to-MAC address bindings for devices connected to each supported interface. Figure 332: Configuration > Network > IP/MAC Binding > Summary. The following table describes the labels in this screen. Table 113: Configuration > Network > IP/MAC Binding > Summary. LABEL / DE...

Page 449: ... of Binding: This field displays the interface's total number of IP/MAC bindings and IP addresses that the interface has assigned by DHCP. Apply: Click Apply to save your changes back to the ZyWALL. Table 113: Configuration > Network > IP/MAC Binding > Summary (continued). LABEL / DESCRIPTION. Table 114: Configuration > Network > IP/MAC Binding > Edit. LABEL / DESCRIPTION. IP/MAC Binding Settings. Interface Name: This field di...

Page 450: ...the computer's MAC address is in the table, the ZyWALL assigns the corresponding IP address. You can also access this table from the interface's edit screen. Add: Click this to create a new entry. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it...

Page 451: ...WALL is to assign to a device with the entry's MAC address. MAC Address: Enter the MAC address of the device to which the ZyWALL assigns the entry's IP address. Description: Enter up to 64 printable ASCII characters to help identify the entry. For example, you may want to list the computer's owner. OK: Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving...

Page 452: ...the ZyWALL does not apply IP/MAC binding. Add icon: Click the Add icon to add a new entry. Click the Remove icon to delete an entry. A window displays asking you to confirm that you want to delete it. Apply: Click Apply to save your changes back to the ZyWALL. Table 116: Configuration > Network > IP/MAC Binding > Exempt List (continued). LABEL / DESCRIPTION ...
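The IP/MAC binding chapter (pages 447-452) describes three pieces that work together: the static DHCP table that hands a known MAC its fixed IP, the drop rule for a bound IP seen with a different MAC, and the exempt list to which binding is not applied. The following Python is an added example for this page, not ZyXEL code, that models those three behaviours over constructed frames and produces a log line for each drop, which is the kind of event a detection engineer would want forwarded. The `strict` option (drop addresses that have no binding at all) is an assumption for illustration; the guide's text only describes dropping a bound IP used with the wrong MAC.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Frame:
    src_mac: str
    src_ip: str


def norm_mac(mac: str) -> str:
    """Canonical lower-case colon form: '12-34-56-78-90-AB' -> '12:34:56:78:90:ab'."""
    hexdigits = "".join(ch for ch in mac if ch.isalnum()).lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


class IpMacBinding:
    def __init__(self, static_dhcp: Dict[str, str],
                 exempt: Sequence[Tuple[str, str]] = (), strict: bool = False) -> None:
        # static_dhcp: IP -> MAC, the interface's Static DHCP table (the binding table)
        self.ip_to_mac = {ip: norm_mac(mac) for ip, mac in static_dhcp.items()}
        self.mac_to_ip = {mac: ip for ip, mac in self.ip_to_mac.items()}
        # exempt: inclusive (first, last) ranges that binding is not applied to
        self.exempt = [(ip_address(a), ip_address(b)) for a, b in exempt]
        self.strict = strict          # assumed policy: also drop IPs with no binding
        self.log: List[str] = []      # one line per dropped frame

    def dhcp_offer(self, mac: str) -> Optional[str]:
        """Static DHCP: a MAC in the table always gets its bound IP."""
        return self.mac_to_ip.get(norm_mac(mac))

    def is_exempt(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(lo <= addr <= hi for lo, hi in self.exempt)

    def check(self, frame: Frame) -> Tuple[bool, str]:
        """Returns (forwarded?, reason); drops are appended to self.log."""
        mac = norm_mac(frame.src_mac)
        if self.is_exempt(frame.src_ip):
            return True, "exempt"
        bound = self.ip_to_mac.get(frame.src_ip)
        if bound is None:
            if self.strict:
                self.log.append(f"drop {frame.src_ip} from {mac}: no binding")
                return False, "unbound-strict"
            return True, "unbound"
        if bound != mac:
            self.log.append(f"drop {frame.src_ip} from {mac}: bound to {bound}")
            return False, "mac-mismatch"
        return True, "bound-ok"


if __name__ == "__main__":
    # Constructed sample: Tim's binding from the guide plus an intruder reusing his IP.
    binding = IpMacBinding({"192.168.1.27": "12:34:56:78:90:AB"},
                           exempt=[("192.168.1.200", "192.168.1.250")])
    for frame in (Frame("12:34:56:78:90:AB", "192.168.1.27"),
                  Frame("de:ad:be:ef:00:01", "192.168.1.27"),
                  Frame("de:ad:be:ef:00:01", "192.168.1.210")):
        print(frame, binding.check(frame))
    print(binding.log)
```

Note what the check does not do: a MAC that claims an unbound address is let through unless `strict` is set, so IP/MAC binding on its own only protects the addresses you have explicitly bound.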

Page 453: ...ting System (OS) option and security requirements to gain access. See Chapter 49 on page 819 for how to configure endpoint security objects to use with authentication policies. In the following figure, the ZyWALL's authentication policy requires endpoint security checking on local user A. A passes authentication and the endpoint security check and is given access. Local user B passes authentication but f...

Page 454: ...ust match one of the authentication policy's endpoint security objects in order to gain access. Forced User Authentication: Instead of making users for which user-aware policies have been configured go to the ZyWALL Login screen manually, you can configure the ZyWALL to display the Login screen automatically whenever it routes HTTP traffic for anyone who has not logged in yet. Note: This works with HTT...

Page 455: ...nd click Remove to delete it or them. Authentication Policy Summary: Use this table to manage the ZyWALL's list of authentication policies. Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. Remove: To remove an entry, select it...

Page 456: ...lays the source address object to which this policy applies. Destination: This displays the destination address object to which this policy applies. Schedule: This field displays the schedule object that dictates when the policy applies; none means the policy is active at all times if enabled. Authentication: This field displays the authentication requirement for users when their traffic matches this pol...

Page 457: ... remove from the member list and click the left arrow button to remove them. Figure 338: Configuration > Auth. Policy > Add > Exceptional Service. 23.2.2 Creating/Editing an Authentication Policy. Click Configuration > Auth. Policy and then the Add or Edit icon to open the Endpoint Security Edit screen. Use this screen to configure an authentication policy ...

Page 458: ...ame of up to 60 printable ASCII characters for the policy. Spaces are allowed. This field is available for user-configured policies. User Authentication Policy: Use this section of the screen to determine which traffic requires (or does not require) the senders to be authenticated in order to be routed. Source Address: Select a source address or address group for whom this policy applies. Select any if the...

Page 459: ...entication. Enable EPS Checking: Select this to have the ZyWALL check that users' computers meet the Operating System (OS) and security requirements of one of the policy's selected endpoint security objects before granting access. Periodical checking time: Select this and specify a number of minutes to have the ZyWALL repeat the endpoint security check at a regular interval. Available EPS Object / Selected ...

Page 461: ...ession from within the LAN1 zone, and responses to this request are allowed. However, other Telnet traffic initiated from the WAN or DMZ zone and destined for the LAN1 zone is blocked. Communications between the WAN and the DMZ zones are allowed. The firewall allows VPN traffic between any of the networks. Figure 340: Default Firewall Action. 24.1.1 What You Can Do in this Chapter. Use the Firewall screens...

Page 462: ...lf is allowed for certain default services described in To-ZyWALL Rules on page 463. All other WAN-to-ZyWALL traffic is dropped. From WAN to any (other than the ZyWALL): Traffic from the WAN to any of the networks behind the ZyWALL is dropped. From DMZ to ZyWALL: Traffic from the DMZ to the ZyWALL itself is allowed for certain default services described in To-ZyWALL Rules on page 463. All other DMZ-to-ZyW...

Page 463: ...ce which is not in a zone. Global Firewall Rules: Firewall rules with from any and/or to any as the packet direction are called global firewall rules. The global firewall rules are the only firewall rules that apply to an interface or VPN tunnel that is not included in a zone. The from any rules apply to traffic coming from the interface and the to any rules apply to traffic going to the interface. Fir...

Page 464: ...ications such as file sharing applications may use a large number of NAT sessions. A single client could use all of the available NAT sessions and prevent others from connecting to or through the ZyWALL. The ZyWALL lets you limit the number of concurrent NAT/firewall sessions a client can use. Finding Out More: See Section 6.5.14 on page 108 for related information on the Firewall screens. See Section ...

Page 465: ...ewall rules. Any traffic that does not match the first firewall rule will match the second rule and the ZyWALL forwards it. Now suppose that your company wants to let the CEO use IRC. You can configure a LAN1-to-WAN firewall rule that allows IRC traffic from the IP address of the CEO's computer. You can also configure a LAN-to-WAN rule that allows IRC traffic from any computer through which the CEO lo...

Page 466: ...service on the WAN. The second row blocks LAN1 access to the IRC service on the WAN. The third row is the firewall's default policy of allowing all traffic from the LAN1 to go to the WAN. Alternatively, you configure a LAN1-to-WAN rule with the CEO's user name (say, CEO) to allow IRC traffic from any source IP address to go to any destination address. Your firewall would have the following configuration. T...

Page 467: ... and the ZyWALL would drop it and not check any other firewall rules. 24.1.4 Firewall Rule Configuration Example: The following Internet firewall rule example allows Doom players from the WAN to IP addresses 192.168.1.10 through 192.168.1.15 (Dest_1) on the LAN1. 1 Click Configuration > Firewall. In the summary of firewall rules, click Add in the heading row to configure a new first entry. Remember the sequ...

Page 468: ...OK. Figure 345: Firewall Example: Create a Service Object. 6 Select From WAN and To LAN1. 7 Enter the name of the firewall rule. 8 Select Dest_1 for the Destination and Doom as the Service. Enter a description and configure the rest of the screen as follows. Click OK when you are done. Figure 346: Firewall Example: Edit a Firewall Rule ...
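Pages 463-468 make three points that are easy to get wrong in a real rule base: the first matching rule wins and later rules are never consulted, global (from any / to any) rules are the only ones that see an interface that belongs to no zone, and a user-aware rule lets the allow follow the person rather than the machine. The following Python is an added example for this page, not ZyXEL code, that evaluates rules the way the text describes and replays the CEO/IRC and Doom/Dest_1 examples. Assumed for illustration: the CEO's workstation address, IRC on TCP 6667 (the standard port; the guide does not spell out the service object), Doom on UDP 666, and deny as the default for directions the snippet does not state.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple, Union

ANY = "any"


@dataclass(frozen=True)
class AddressRange:
    name: str
    first: str
    last: str

    def contains(self, ip: str) -> bool:
        return ip_address(self.first) <= ip_address(ip) <= ip_address(self.last)


@dataclass(frozen=True)
class Service:
    name: str
    proto: str
    port_lo: int
    port_hi: int

    def matches(self, proto: str, port: int) -> bool:
        return proto == self.proto and self.port_lo <= port <= self.port_hi


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str                                 # zone name, or ANY for a global rule
    to_zone: str
    source: Union[AddressRange, str] = ANY
    destination: Union[AddressRange, str] = ANY
    service: Union[Service, str] = ANY
    user: str = ANY                                # user-aware rule: logged-in user name
    action: str = "allow"                          # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    from_zone: Optional[str]    # None: incoming interface is in no zone
    to_zone: Optional[str]
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    user: Optional[str] = None  # authenticated user who sent it, if any


# Directions from the guide's Figure 340; every other direction is assumed to deny.
DEFAULT_ACTION: Dict[Tuple[Optional[str], Optional[str]], str] = {
    ("LAN1", "WAN"): "allow", ("WAN", "LAN1"): "deny"}


def zone_ok(rule_zone: str, pkt_zone: Optional[str]) -> bool:
    return rule_zone == ANY or pkt_zone == rule_zone   # only global rules see zone-less interfaces


def matches(rule: Rule, pkt: Packet) -> bool:
    if not (zone_ok(rule.from_zone, pkt.from_zone) and zone_ok(rule.to_zone, pkt.to_zone)):
        return False
    if rule.source != ANY and not rule.source.contains(pkt.src_ip):
        return False
    if rule.destination != ANY and not rule.destination.contains(pkt.dst_ip):
        return False
    if rule.service != ANY and not rule.service.matches(pkt.proto, pkt.dst_port):
        return False
    if rule.user != ANY and pkt.user != rule.user:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """First matching rule in numbered order decides; otherwise the direction's default."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return DEFAULT_ACTION.get((pkt.from_zone, pkt.to_zone), "deny"), None


IRC = Service("IRC", "tcp", 6667, 6667)                          # standard port, assumed
DOOM = Service("Doom", "udp", 666, 666)                          # port assumed
CEO_PC = AddressRange("CEO_PC", "192.168.1.50", "192.168.1.50")  # assumed
DEST_1 = AddressRange("Dest_1", "192.168.1.10", "192.168.1.15")  # from the guide

CEO_BY_IP = [                       # page 466, first configuration: allow by address, then block
    Rule("ceo-irc", "LAN1", "WAN", source=CEO_PC, service=IRC),
    Rule("block-irc", "LAN1", "WAN", service=IRC, action="deny"),
    Rule("lan1-to-wan", "LAN1", "WAN"),
]
CEO_BY_USER = [                     # page 466, alternative: allow by user name from any address
    Rule("ceo-irc", "LAN1", "WAN", service=IRC, user="CEO"),
    Rule("block-irc", "LAN1", "WAN", service=IRC, action="deny"),
    Rule("lan1-to-wan", "LAN1", "WAN"),
]
DOOM_RULES = [Rule("doom-in", "WAN", "LAN1", destination=DEST_1, service=DOOM)]  # page 467
```

Swapping the first two rules of `CEO_BY_IP` makes the CEO lose IRC: the deny matches first and, as page 467 says, no other rule is checked. That is the ordering mistake the Move button on the rule summary screen exists to fix.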

Page 469: ...on. However, allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL. A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets. Virtual interfaces allow you to partition your network into logical sections over the same interface. See the chapter about interfaces for more information. By putting...

Page 470: ...ific to the selected direction. Note the following: If you enable intra-zone traffic blocking (see the chapter about zones), the firewall automatically creates implicit rules to deny packet passage between the interfaces in the specified zone. Besides configuring the firewall, you also need to configure NAT rules to allow computers on the WAN to access LAN devices. See Chapter 19 on page 423 for more info...

Page 471: ...Route: If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL's LAN IP address, return traffic may not go through the ZyWALL. This is called an asymmetrical or triangle route. This causes the ZyWALL to reset the connection, as the connection has not been acknowledged. Select this check box to have the ZyWALL permit the use of asymmetrical route topology on the network (not...

Page 472: ...click Inactivate. Move: To change a rule's position in the numbered list, select the rule and click Move to display a field to type a number for where you want to put that rule, and press ENTER to move the rule to the number that you typed. The ordering of your rules is important, as they are applied in order of their numbering. The following read-only fields summarize the rules you have created that app...

Page 473: ...its the passage of packets (allow). Log: This field shows you whether a log (and alert) is created when packets match this rule or not. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to return the screen to its last-saved settings. Table 123: Configuration > Firewall (continued). LABEL / DESCRIPTION. Table 124: Configuration > Firewall > Add. LABEL / DESCRIPTION. Create new Object: Use to config...

Page 474: ...'s IP address should be within the IP address range. Source: Select a source address or address group for whom this rule applies. Select any if the policy is effective for every source. Destination: Select a destination address or address group for whom this rule applies. Select any if the policy is effective for every destination. Service: Select a service or service group from the drop-down list box. Acc...

Page 475: ...sions. Create rules below to apply other limits for specific users or addresses. Rule Summary: This table lists the rules for limiting the number of concurrent sessions hosts can have. Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's ...

Page 476: ... name to which this session limit rule applies. Address: This is the address object to which this session limit rule applies. Limit: This is how many concurrent sessions this user or address is allowed to have. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to return the screen to its last-saved settings. Table 125: Configuration > Firewall > Session Limit (continued). LABEL / DESCRIP...

Page 477: ...e IP address range. Address: Select a source address or address group for whom this rule applies. Select any if the policy is effective for every source address. Session Limit per Host: Use this field to set a limit to the number of concurrent NAT/firewall sessions this rule's users or addresses can have. For this rule's users and addresses, this setting overrides the Default Session per Host setting in ...
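The session limit feature (page 464 and pages 475-477) is a resource-exhaustion control: one file-sharing client must not be able to consume every NAT/firewall session and lock everyone else out. The following Python is an added example written for this page, not ZyXEL code, that models the Default Session per Host setting, per-user and per-address rules that override it, and a log line per refused session. The limits, user name, addresses and the file-sharing burst are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class SessionLimitRule:
    name: str
    limit: int                       # Session Limit per Host for this rule's users/addresses
    user: Optional[str] = None       # match by logged-in user name, and/or ...
    first_ip: Optional[str] = None   # ... by an inclusive source address range
    last_ip: Optional[str] = None

    def applies(self, src_ip: str, user: Optional[str]) -> bool:
        if self.user is not None and user != self.user:
            return False
        if self.first_ip is not None and self.last_ip is not None:
            if not ip_address(self.first_ip) <= ip_address(src_ip) <= ip_address(self.last_ip):
                return False
        return True


class SessionLimiter:
    def __init__(self, default_per_host: int, rules: List[SessionLimitRule]) -> None:
        self.default = default_per_host
        self.rules = rules
        self.open: Dict[str, Set[Tuple[str, int]]] = {}   # host -> open session keys
        self.rejected: List[str] = []                      # log lines for refused sessions

    def limit_for(self, src_ip: str, user: Optional[str] = None) -> Tuple[int, str]:
        """First matching rule overrides the default (rule order matters, as in the firewall)."""
        for rule in self.rules:
            if rule.applies(src_ip, user):
                return rule.limit, rule.name
        return self.default, "default"

    def open_session(self, src_ip: str, key: Tuple[str, int], user: Optional[str] = None) -> bool:
        sessions = self.open.setdefault(src_ip, set())
        if key in sessions:
            return True                                    # already tracked
        limit, name = self.limit_for(src_ip, user)
        if len(sessions) >= limit:
            self.rejected.append(f"{src_ip} refused {key}: {name} limit {limit} reached")
            return False
        sessions.add(key)
        return True

    def close_session(self, src_ip: str, key: Tuple[str, int]) -> None:
        self.open.get(src_ip, set()).discard(key)

    def count(self, src_ip: str) -> int:
        return len(self.open.get(src_ip, ()))


def p2p_burst(limiter: SessionLimiter, src_ip: str, peers: int) -> int:
    """A file-sharing client opening one session per peer; returns how many got through."""
    return sum(limiter.open_session(src_ip, (f"203.0.113.{i}", 6881)) for i in range(peers))


if __name__ == "__main__":
    limiter = SessionLimiter(5, [SessionLimitRule("admins", 100, user="admin"),
                                 SessionLimitRule("kiosk", 2, first_ip="192.168.1.50",
                                                  last_ip="192.168.1.50")])
    print(p2p_burst(limiter, "192.168.1.77", 20), "of 20 peer sessions admitted")
    print(limiter.open_session("192.168.1.78", ("203.0.113.1", 80)), "other host still connects")
    print(limiter.rejected[:2])
```

The `rejected` list is the part worth wiring into monitoring: a host that repeatedly hits its limit is either a misbehaving P2P client or something scanning through the gateway.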

Page 479: ...etwork like the Internet. IPSec is built around a number of standardized cryptographic techniques to provide confidentiality, data integrity and authentication at the IP layer. The following figure is an example of an IPSec VPN tunnel. Figure 353: IPSec VPN Example. The VPN tunnel connects the ZyWALL (X) and the remote peer IPSec router (Y). These routers then connect the local network (A) and remote network (B)...

Page 480: ...y parameters the ZyWALL and the remote IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the ZyWALL and the remote IPSec router. The second phase uses the IKE SA to securely establish an IPSec SA through which the ZyWALL and the remote IPSec router can send data between computers on the local network and remote network. This is illustrated in the following figure. Figu...

Page 481: ...remote IPSec router's address, but you specify the remote policy (the addresses of the devices behind the remote IPSec router). This ZyWALL must have a static IP address or a domain name. Only the remote IPSec router can initiate the VPN tunnel. Choose this to allow incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. You don't specify the...

Page 482: ...face, virtual Ethernet interface, VLAN interface or virtual VLAN interface to specify what address the ZyWALL uses as its IP address when it establishes the IKE SA. You should set up the interface first; see Chapter 13 on page 297. In a VPN gateway, you can enable extended authentication. If the ZyWALL is in server mode, you should set up the authentication method (AAA server) first. The authentication metho...

Page 483: ... match any of the policy routes. Clear this to have the ZyWALL automatically obtain source and destination addresses for all dynamic IPSec rules. See Section 6.4.2 on page 100 for how this option affects the routing table. Ignore Don't Fragment setting in packet header: Select this to fragment packets larger than the MTU (Maximum Transmission Unit) that have the don't fragment bit in the IP header turne...

Page 484: ...ic connection. Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. The connect icon is lit when the interface is connected and dimmed when it is disconnected. Name: This field displays the name of the IPSec SA. VPN Gateway: This field displays the associated VPN gateway(s). If there is no VPN gateway, this field displays manual key. Encapsulation: This f...

Page 485: ... Chapter 25 IPSec VPN, ZyWALL USG 100/200 Series User's Guide, 485. Figure 356: Configuration > VPN > IPSec VPN > VPN Connection > Edit (IKE) ...

Page 486: ...w NetBIOS packets to pass through IPSec SAs in order to allow local computers to find computers on the remote network and vice versa. VPN Gateway: Application Scenario: Select the scenario that best describes your intended VPN connection. Site-to-site: Choose this if the remote IPSec router has a static IP address or a domain name. This ZyWALL can initiate the VPN tunnel. Site-to-site with Dynamic Peer: C...

Page 487: ...Active Protocol: Select which protocol you want to use in the IPSec SA. Choices are: AH (RFC 2402) provides integrity, origin authentication and sequence integrity (replay resistance) but not encryption. If you select AH, you must select an Authentication algorithm. ESP (RFC 2406) provides encryption and the same services offered by AH, but its authentication is weaker in that it does not cover the outer IP header. If you select ESP, you must select...

Page 488: ...oth have a proposal that uses the same authentication algorithm. Perfect Forward Secrecy (PFS): Select whether or not you want to enable Perfect Forward Secrecy (PFS) and, if you do, which Diffie-Hellman group to use for the fresh key exchange. Choices are: none (disable PFS); DH1 (enable PFS and use the 768-bit Diffie-Hellman group); DH2 (enable PFS and use the 1024-bit group); DH5 (enable PFS and use the 1536-bit group) ...

Page 489: ...e First and Last IP Address in the Remote Policy: Select this to have the ZyWALL check the connection to the first and last IP addresses in the connection's remote policy. Make sure one of these is the peer gateway's LAN IP address. Log: Select this to have the ZyWALL generate a log every time it checks this VPN connection. Inbound/Outbound traffic NAT: Outbound Traffic: Source NAT: This translation hides...

Page 490: ... and click this to delete it. Move: To change an entry's position in the numbered list, select it and click Move to display a field to type a number for where you want to put that entry, and press ENTER to move the entry to the number that you typed. This field is a sequential value and it is not associated with a specific NAT record. However, the order of records is the sequence in which conditions are ...

Page 491: ...click either the Add icon or an existing manual key entry's Edit icon. In the VPN Gateway section of the screen, select Manual Key. Note: Only use manual key as a temporary solution, because it is not as secure as a regular IPSec SA. Figure 357: Configuration > VPN > IPSec VPN > VPN Connection > Add (Manual Key). This table describes labels specific to manual key configuration. See Section 25.2 on page 482 for descr...

Page 492: ...but not encryption. If you select AH, you must select an Authentication Algorithm. ESP (RFC 2406) provides encryption and the same services offered by AH, but its authentication is weaker in that it does not cover the outer IP header. If you select ESP, you must select an Encryption Algorithm and Authentication Algorithm. The ZyWALL and remote IPSec router must use the same protocol. Encryption Algorithm: This field is applicable when the Active Protoco...

Page 493: ... enter 1234567890XYZ for a DES encryption key, the ZyWALL only uses 12345678. The ZyWALL still stores the longer key. Authentication Key: Enter the authentication key, which depends on the authentication algorithm. MD5: type a unique key 16-20 characters long. SHA1: type a unique key 20 characters long. You can use any alphanumeric characters or _. If you want to enter the key in hexadecimal, type 0x at the b...
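The manual-key page (493) contains a silent-truncation trap: a DES key typed as 1234567890XYZ is used as 12345678, and the longer value is still stored, so the two ends can appear to have the same key and yet differ in what they actually use. The following Python is an added example for this page, not ZyXEL code and not a reproduction of the ZyWALL's parser, that normalises keys the way the text describes (0x-prefixed hexadecimal or ASCII alphanumerics and underscore), truncates encryption keys to the algorithm's fixed size, enforces the guide's MD5 and SHA1 authentication key lengths, and flags what a reviewer should notice. The encryption key sizes are the standard ones for those algorithms; the `review` warnings about DES and MD5 are the editor's, not the guide's.

```python
import re
from typing import Dict, List, Tuple

ENC_KEY_BYTES: Dict[str, int] = {"des": 8, "3des": 24, "aes128": 16, "aes192": 24, "aes256": 32}
AUTH_KEY_CHARS: Dict[str, Tuple[int, int]] = {"md5": (16, 20), "sha1": (20, 20)}  # from the guide


def parse_key(text: str) -> bytes:
    """'0x' prefix: hexadecimal key; otherwise ASCII (alphanumerics and '_' per the guide)."""
    if text[:2].lower() == "0x":
        hexpart = text[2:]
        if not re.fullmatch(r"[0-9A-Fa-f]+", hexpart) or len(hexpart) % 2:
            raise ValueError("hex key must be an even, non-zero number of hex digits")
        return bytes.fromhex(hexpart)
    if not re.fullmatch(r"[A-Za-z0-9_]+", text):
        raise ValueError("ASCII key may contain only alphanumerics and '_'")
    return text.encode("ascii")


def effective_encryption_key(algorithm: str, text: str) -> bytes:
    """Bytes actually used: the first N bytes of what was typed, N fixed by the algorithm."""
    needed = ENC_KEY_BYTES[algorithm.lower()]
    raw = parse_key(text)
    if len(raw) < needed:
        raise ValueError(f"{algorithm} needs {needed} bytes, got {len(raw)}")
    return raw[:needed]


def check_auth_key(algorithm: str, text: str) -> bytes:
    """Authentication keys are not truncated; they must already be the right length."""
    lo, hi = AUTH_KEY_CHARS[algorithm.lower()]
    raw = parse_key(text)
    if not lo <= len(raw) <= hi:
        raise ValueError(f"{algorithm} key must be {lo}-{hi} bytes, got {len(raw)}")
    return raw


def review(enc_alg: str, enc_key: str, auth_alg: str, auth_key: str) -> List[str]:
    """Editor's checks (not in the guide): surface truncation and weak algorithm choices."""
    notes: List[str] = []
    raw = parse_key(enc_key)
    used = effective_encryption_key(enc_alg, enc_key)
    if len(raw) > len(used):
        notes.append(f"{len(raw) - len(used)} trailing bytes of the {enc_alg} key are ignored")
    if enc_alg.lower() == "des":
        notes.append("DES has a 56-bit effective key; prefer AES")
    if auth_alg.lower() == "md5":
        notes.append("MD5 is deprecated for IPSec integrity; prefer SHA1 or stronger")
    check_auth_key(auth_alg, auth_key)
    return notes


if __name__ == "__main__":
    # The guide's own example: 13 characters typed, 8 used.
    print(effective_encryption_key("des", "1234567890XYZ"))
    print(review("des", "1234567890XYZ", "md5", "0123456789abcdef"))
```

Comparing `effective_encryption_key()` on both gateways' configured values, rather than the typed strings, is the quick way to confirm that a manual-key tunnel that fails to decrypt is not simply a truncation mismatch.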

Page 494: ...k Edit to open a screen where you can modify the entry's settings. Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Activate: To turn on an entry, select it and click Activate. Inactivate: To turn off an entry, select it and click Inactivate. Object References: Select an entry and click Object References to open a screen that shows which settin...

Page 495: ...eway policy or edit an existing one. To access this screen, go to the VPN Gateway summary screen (see Section 25.3 on page 494) and click either the Add icon or an Edit icon. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to return the screen to its last-saved settings. Table 131: Configuration > VPN > IPSec VPN > VPN Gateway (continued). LABEL / DESCRIPTION ...

Page 496: ... Chapter 25 IPSec VPN, ZyWALL USG 100/200 Series User's Guide, 496. Figure 359: Configuration > VPN > IPSec VPN > VPN Gateway > Edit ...

Page 497: ...P address or the IP address corresponding to the domain name. 0.0.0.0 is invalid. Peer Gateway Address: Select how the IP address of the remote IPSec router in the IKE SA is defined. Select Static Address to enter the domain name or the IP address of the remote IPSec router. You can provide a second IP address or domain name for the ZyWALL to try if it cannot establish an IKE SA with the first one. Fall...

Page 498: ... the IKE SA. Then select the certificate the ZyWALL uses to identify itself to the remote IPSec router. This certificate is one of the certificates in My Certificates. If this certificate is self-signed, import it into the remote IPSec router. If this certificate is signed by a CA, the remote IPSec router must trust that CA. Note: The IPSec routers must trust each other's certificates. The ZyWALL uses one ...

Page 499: ...aracters, including spaces, although trailing spaces are truncated. This value is only used for identification and can be any string. E-mail: the ZyWALL is identified by an e-mail address; you can use up to 31 ASCII characters, including spaces, although trailing spaces are truncated. This value is only used for identification and can be any string. Peer ID Type: Select which type of identification is used t...

Page 500: ... subject alternative name field (see the note at the end of this description). DNS: subject alternative name field. E-mail: subject alternative name field. Subject Name: subject name (maximum 255 ASCII characters, including spaces). Note: If Peer ID Type is IP, please read the rest of this section. If you type 0.0.0.0, the ZyWALL uses the IP address specified in the Secure Gateway Address field. This is not recomm...

Page 501: ... the DES encryption algorithm. AES128: a 128-bit key with the AES encryption algorithm. AES192: a 192-bit key with the AES encryption algorithm. AES256: a 256-bit key with the AES encryption algorithm. The ZyWALL and the remote IPSec router must use the same key size and encryption algorithm. Longer keys require more processing power, resulting in increased latency and decreased throughput. Authentication: S...

Page 502: ...g a tunnel, for example, use extended authentication to enforce a user name and password check. This way, even though they all know the VPN tunnel's security settings, each still has to provide a unique user name and password. Enable Extended Authentication: Select this if one of the routers (the ZyWALL or the remote IPSec router) verifies a user name and password from the other router using the local user...

Page 503: ...consolidate the policy routes in each spoke router depending on the IP addresses and subnets of each spoke However a VPN concentrator is not for every situation The hub router is a single failure point so a VPN concentrator is not as appropriate if the connection between spoke routers cannot be down occasionally maintenance for example There is also more burden on the hub router It receives VPN tr...

Page 504: ...e 361 IPSec VPN Concentrator Example This IPSec VPN concentrator example uses the following settings Branch Office A ZyNOS based ZyWALL VPN Gateway VPN Tunnel 1 My Address 10 0 0 2 Peer Gateway Address 10 0 0 1 VPN Connection VPN Tunnel 1 Local Policy 192 168 11 0 255 255 255 0 Remote Policy 192 168 1 0 255 255 255 0 Disable Policy Enforcement Policy Route Source 192 168 11 0 Destination 192 168 1...

Page 505: ...cy Enforcement. Concentrator: Add VPN tunnel 1 and VPN tunnel 2 to an IPSec VPN concentrator. Firewall: Block traffic from VPN tunnel 2 from accessing the LAN. Branch Office B (USG ZyWALL or ZyWALL 1050): VPN Gateway: VPN Tunnel 2, My Address 10.0.0.3, Peer Gateway Address 10.0.0.1. VPN Connection: VPN Tunnel 2, Local Policy 192.168.12.0/255.255.255.0, Remote Policy 192.168.1.0/255.255.255.0, Disable Policy Enfor...

Page 506: ...reen. The VPN Concentrator summary screen displays the VPN concentrators in the ZyWALL. To access this screen, click Configuration > VPN > IPSec VPN > Concentrator. The following screen appears. Figure 362 Configuration > VPN > IPSec VPN > Concentrator. Each field is discussed in the following table. See Section 25.4.3 on page 506 for more information. 25.4.3 The VPN Concentrator Add/Edit Screen. The VPN Concentrator ...

Page 507: ...s, but the first character cannot be a number. This value is case-sensitive. Member: Select the concentrator's IPSec VPN connection policies. Note: You must disable policy enforcement in each member. See Section 25.2.1 on page 484. IPSec VPN connection policies that do not belong to a VPN concentrator appear under Available. Select any VPN connection policies that you want to add to the VPN concentrator an...

Page 508: ...tatic IP address or a domain name for either or both IP addresses. Sometimes your ZyWALL might offer another alternative, such as using the IP address of a port or interface as well. You can also specify the IP address of the remote IPSec router as 0.0.0.0. This means that the remote IPSec router can have any IP address. In this case, only the remote IPSec router can initiate an IKE SA, because the ZyWAL...

Page 509: ...trength of DES. Advanced Encryption Standard (AES) is a newer method of data encryption that also uses a secret key. AES applies a 128-bit key to 128-bit blocks of data. It is faster than 3DES. Some ZyWALLs also offer stronger forms of AES that apply 192-bit or 256-bit keys to 128-bit blocks of data. In most ZyWALLs you can select one of the following authentication algorithms for each proposal. The algor...

Page 510: ...ch other in steps 5 and 6, as illustrated below. The identities are also encrypted using the encryption algorithm and encryption key the ZyWALL and remote IPSec router selected in previous steps. Figure 366 IKE SA: Main Negotiation Mode, Steps 5-6: Authentication (continued). You have to create and distribute a pre-shared key. The ZyWALL and remote IPSec router use it in the authentication process, though it...

Page 511: ...5 on page 511, the ZyWALL and the remote IPSec router authenticate each other successfully. In contrast, in Table 136 on page 511, the ZyWALL and the remote IPSec router cannot authenticate each other and therefore cannot establish an IKE SA. It is also possible to configure the ZyWALL to ignore the identity of the remote IPSec router. In this case, you usually set the peer ID type to Any. This is less se...
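The identity check pages 500 and 511 describe, as an added example (this is editor's code, not ZyWALL firmware): a responder compares the ID payload the remote router presents against its configured Peer ID Type and Peer ID, with the two special cases the manual names, 0.0.0.0 falling back to the Secure Gateway Address and Any skipping the check. The VpnGateway and IkeId classes, the case-insensitive treatment of DNS and e-mail IDs, and the review function are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the VPN Gateway fields named on pages 500 and 511
# (Secure Gateway Address, Peer ID Type, Peer ID). Not ZyWALL code.
@dataclass(frozen=True)
class VpnGateway:
    secure_gateway_address: str   # remote IPSec router's address, or 0.0.0.0 for "any" (page 508)
    peer_id_type: str             # "Any", "IP", "DNS", "E-mail" or "Subject Name"
    peer_id: str = ""

@dataclass(frozen=True)
class IkeId:
    """Identity the remote IPSec router presents during IKE authentication."""
    id_type: str
    value: str

def _canonical(id_type: str, value: str) -> str:
    """Normalise an identity value so that equivalent spellings compare equal."""
    if id_type == "IP":
        return str(ipaddress.ip_address(value))       # rejects junk, normalises the textual form
    if id_type in ("DNS", "E-mail"):
        return value.strip().lower()                  # assumption: host and mail names are case-insensitive
    if id_type == "Subject Name":
        if len(value) > 255 or not value.isascii():   # page 500: maximum 255 ASCII characters
            raise ValueError("Subject Name: maximum 255 ASCII characters")
        return value
    raise ValueError("unknown ID type: %r" % id_type)

def expected_peer_id(gw: VpnGateway) -> Optional[IkeId]:
    """The identity the responder really compares against; None means it is not checked."""
    if gw.peer_id_type == "Any":
        return None
    value = gw.peer_id
    if gw.peer_id_type == "IP" and value == "0.0.0.0":
        value = gw.secure_gateway_address             # page 500: 0.0.0.0 means "use the Secure Gateway Address"
    return IkeId(gw.peer_id_type, value)

def peer_id_matches(gw: VpnGateway, presented: IkeId) -> bool:
    """Does the presented identity satisfy the configured Peer ID?"""
    expected = expected_peer_id(gw)
    if expected is None:
        return True                                   # page 511: Any accepts whatever identity is presented
    if expected.id_type != presented.id_type:
        return False                                  # the type has to match, not just the string
    return _canonical(expected.id_type, expected.value) == _canonical(presented.id_type, presented.value)

def identity_check_findings(gw: VpnGateway) -> List[str]:
    """Configuration review: flag the settings pages 500, 508 and 511 call less secure."""
    findings = []
    if gw.peer_id_type == "Any":
        findings.append("Peer ID Type Any: the remote router's identity is not verified")
    if gw.peer_id_type == "IP" and gw.peer_id == "0.0.0.0":
        findings.append("Peer ID 0.0.0.0: the identity check collapses to the Secure Gateway Address")
        if gw.secure_gateway_address == "0.0.0.0":
            findings.append("Secure Gateway Address is also 0.0.0.0: there is no fixed address to fall back on")
    return findings

if __name__ == "__main__":
    gw = VpnGateway("203.0.113.5", "IP", "0.0.0.0")
    print(peer_id_matches(gw, IkeId("IP", "203.0.113.5")))   # True: falls back to the gateway address
    print(identity_check_findings(VpnGateway("0.0.0.0", "IP", "0.0.0.0")))
```

A type mismatch (a DNS name presented where an IP is configured) fails even when the strings are identical; that is what distinguishes the successful pairings of Table 135 from the failing ones of Table 136.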

Page 512: ...ontrast, aggressive mode only takes three steps to establish an IKE SA. Aggressive mode does not provide as much security, because the identity of the ZyWALL and the identity of the remote IPSec router are not encrypted. It is usually used in remote access situations where the address of the initiator is not known by the responder and both parties want to use pre-shared keys for authentication. For exa...

Page 513: ...e the same VPN tunnel to connect to a single IPSec router. For example, this might be used with telecommuters. In extended authentication, one of the routers (the ZyWALL or the remote IPSec router) provides a user name and password to the other router, which uses a local user database and/or an external server to verify the user name and password. If the user name or password is wrong, the routers do not e...

Page 514: ...ected to the remote IPSec router may be called the remote policy. Active Protocol: The active protocol controls the format of each packet. It also specifies how much of each packet is protected by the encryption and authentication algorithms. IPSec VPN includes two active protocols: AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security Payload, RFC 2406). Note: The ZyWALL and remote IPSec router...

Page 515: ...osal and Perfect Forward Secrecy. An IPSec SA proposal is similar to an IKE SA proposal (see IKE SA Proposal on page 508), except that you also have the choice whether or not the ZyWALL and remote IPSec router perform a new DH key exchange every time an IPSec SA is established. This is called Perfect Forward Secrecy (PFS). If you enable PFS, the ZyWALL and remote IPSec router perform a DH key exchange ever...

Page 516: ...pecify several proposals. There is no DH key exchange, so you have to provide the encryption key and the authentication key the ZyWALL and remote IPSec router use. Note: The ZyWALL and remote IPSec router must use the same encryption key and authentication key. Authentication and the Security Parameter Index (SPI): For authentication, the ZyWALL and remote IPSec router use the SPI instead of pre-shared key...

Page 517: ...te network B. If you do not configure it, the remote IPSec router may not route messages for computer M through the IPSec SA, because computer M's IP address is not part of its local policy. To set up this NAT, you have to specify the following information. Source: the original source address; most likely computer M's network. Destination: the original destination address; the remote network B. SNAT: the trans...

Page 518: ...et up this kind of NAT. The ZyWALL checks these rules similar to the way it checks rules for a firewall. The first part of these rules defines the conditions in which the rule applies. Original IP: the original destination address; the remote network B. Protocol: the protocol (TCP, UDP, or both) used by the service requesting the connection. Original Port: the original destination port or range of destination por...

Page 521: ...ay device on your network for full tunnel mode access, enter access messages, or upload a custom logo to be displayed on the remote user screen. 26.1.2 What You Need to Know. There are two SSL VPN network access modes: reverse proxy and full tunnel. Reverse Proxy Mode: In reverse proxy mode, the ZyWALL is a proxy that acts on behalf of the local network servers, such as your web and mail servers. As the fin...

Page 522: ...71 Network Access Mode: Full Tunnel Mode. SSL Access Policy: An SSL access policy allows the ZyWALL to perform the following tasks: apply Endpoint Security (EPS) checking to require users' computers to comply with defined corporate policies before they can access the SSL VPN tunnel; limit user access to specific applications or files on the network; allow user access to specific networks; assign private IP ...

Page 523: ... User Accounts: User Account / User Group. Configure a user account or user group to which you want to apply this SSL access policy. Endpoint Security: Endpoint Security (EPS) checking makes sure users' computers comply with defined corporate policies before they can access the SSL VPN tunnel. Application: SSL Application. Configure an SSL application object to specify the type of applicatio...

Page 524: ...elect it and click Activate. Inactivate: To turn off an entry, select it and click Inactivate. Move: To move an entry to a different number in the list, click the Move icon. In the field that appears, specify the number to which you want to move the entry. Object References: Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 13.3.2 on page 31...

Page 525: ... Apply: Click Apply to save the settings. Reset: Click Reset to discard all changes. Table 138 VPN > SSL VPN > Access Privilege (continued). LABEL DESCRIPTION ...

Page 526: ... 26.2.1 The SSL Access Policy Add/Edit Screen. To create a new or edit an existing SSL access policy, click the Add or Edit icon in the Access Privilege screen. ...

Page 527: ... Figure 373 VPN > SSL VPN > Access Privilege > Add/Edit ...

Page 528: ...or user group, select the name(s) in the Selected User/Group Objects list and click the remove arrow. Endpoint Security (EPS): Use these fields to make sure users' computers meet an endpoint security object's Operating System (OS) and security requirements before granting access. Enable EPS Checking: Select this to have the ZyWALL check that users' computers meet the Operating System (OS) and security requirements of one of the...

Page 529: ...s the applications as defined by the selected SSL application settings, and the remote user computers are not made to be a part of the local network. Assign IP Pool: Define a separate pool of IP addresses to assign to the SSL users. Select it here. The SSL VPN IP pool cannot overlap with IP addresses on the ZyWALL's local networks (LAN and DMZ, for example), the SSL user's network, or the networks you speci...

Page 530: ...SSL VPN Login Domain Name. SSL VPN Login Domain Name 1/2: Specify a domain name for users to use for SSL VPN login. The domain name must be registered to one of the ZyWALL's IP addresses or be one of the ZyWALL's DDNS entries. You can specify up to two domain names, so you could use one domain name for each of two WAN ports. Do not include the host. For example, www.zyxel.com is a fully qualified domain n...

Page 531: ...the web browser on the remote user computer. The ZyXEL company logo is the default logo. Specify the location and file name of the logo graphic, or click Browse to locate it. Note: The logo graphic must be in GIF, JPG, or PNG format. The graphic should use a resolution of 127 x 57 pixels to avoid distortion when displayed. The ZyWALL automatically resizes a graphic of a different resolution to 127 x 57 pixels...

Page 532: ...y. 26.4 Establishing an SSL VPN Connection. After you have configured the SSL VPN settings on the ZyWALL, use the ZyWALL login screen's SSL VPN button to establish an SSL VPN connection. See Section 27.2 on page 536 for details. 1 Display the ZyWALL's login screen and enter your user account information (the user name and password). Click SSL VPN. Figure 376 Login Screen ...

Page 533: ...you should see the client portal screen. The following shows an example. Figure 377 SSL VPN Client Portal Screen Example. If the user account is not set up for SSL VPN access, an "SSL VPN connection is not activated" message displays in the Login screen. Clear the Login to SSL VPN check box and try logging in again. For more information on user portal screens, refer to Chapter 27 on page 535. ...

Page 535: ...Outlook Web Access (OWA). Network Resource Access Methods: As a remote user, you can access resources on the local network using one of the following methods. Using a supported web browser: Once you have successfully logged in through the ZyWALL, you can access intranet sites, web-based applications, or web-based e-mail using one of the supported web browsers. Using the ZyWALL SecuExtender client: Once you h...

Page 536: ... in and access network resources: the domain name or IP address of the ZyWALL; the login account user name and password; and, if also required, the user name and/or password to access the network resource. Certificates: The remote user's computer establishes an HTTPS connection to the ZyWALL to access the login screen. If instructed by your network administrator, you must install or import a certificate provid...

Page 537: ...Enter the Address in a Web Browser. 2 Click OK or Yes if a security screen displays. Figure 380 Login Security Screen. 3 A login screen displays. Enter the user name and password of your login account. If a token password is also required, enter it in the One-Time Password field. 4 Click SSL VPN to log in and establish an SSL VPN connection to the network to access network resources. Figure 381 Login Scre...

Page 538: ...you get a message about needing Java, download and install it, then restart your browser and log in again. If a certificate warning screen displays, click OK, Yes, or Continue. Do this only when the certificate is the one your network administrator provided (see page 536); a warning for a certificate you were not told to expect should be reported, not clicked through. Figure 382 Java Needed Message. 6 The ZyWALL tries to install the SecuExtender client. As shown next, you may have to click some pop-ups to get your browser to allow the installation. Figure 383 ActiveX Object Installation Blocked by Brows...

Page 539: ...s. In Internet Explorer, click Install. Figure 384 SecuExtender Blocked by Internet Explorer. 8 The ZyWALL tries to run the ssltun application. You may need to click something to get your browser to allow this. In Internet Explorer, click Run. Figure 385 SecuExtender Progress. 9 Click Next to use the setup wizard to install the SecuExtender client on your computer. Figure 386 SecuExtender Progress ...

Page 540: ...way to finish installing the SecuExtender client on your computer. Figure 387 Hardware Installation Warning. 11 The Application screen displays, showing the list of resources available to you. See Figure 388 on page 541 for a screen example. Note: Available resource links vary depending on the configuration your network administrator made. ...

Page 541: ... to go to the Application or File Sharing screen. 2 Click this icon to create a bookmark to the SSL VPN user screen in your web browser. 3 Click this icon to display the on-line help window. 4 Click this icon to log out and terminate the secure connection. 5 Select your preferred language for the interface. 6 This part of the screen displays a list of the resources available to you. In the Application s...

Page 542: ...emote user screen, click the Add to Favorite icon. 2 A screen displays. Accept the default name in the Name field or enter a descriptive name to identify this link. 3 Click OK to create a bookmark in your web browser. Figure 389 Add Favorite. 27.5 Logging Out of the SSL VPN User Screens: To properly terminate a connection, click the Logout icon in any remote user screen. 1 Click the Logout icon in any r...

Page 543: ... 3 An information screen displays to indicate that the SSL VPN connection is about to terminate. Figure 391 Logout: Connection Termination Progress ...

Page 545: ...you can access depends on the ZyWALL's configuration. 28.2 The Application Screen: Click the Application tab to display the screen. The Name field displays the descriptive name for an application. The Type field displays whether the application is a web site (Web Server) or web-based e-mail using Microsoft Outlook Web Access (OWA). To access a web-based application, simply click a link in the Application scr...

Page 547: ...to display and access shared files/folders on a file server. You can also perform the following actions: access a folder; open a file (if your web browser cannot open the file, you are prompted to download it); save a file to your computer; create a new folder; rename a file or folder; delete a file or folder; upload a file. Note: Available actions you can perform in the File Sharing screen vary depending on t...

Page 548: ... the shared folder(s) available. The following figure shows an example with one file share. Figure 393 File Sharing. 29.3 Opening a File or Folder: You can open a file if the file extension is recognized by the web browser and the associated application is installed on your computer. 1 Log in as a remote user and click the File Sharing tab. 2 Click on a file share icon. ...

Page 549: ... 3 If an access user name and password are required, a screen displays as shown in the following figure. Enter the account information and click Login to continue. Figure 394 File Sharing: Enter Access User Name and Password ...

Page 550: ...lso click a folder to access it. For this example, click on a .doc file to open the Word document. Figure 395 File Sharing: Open a Word File. 29.3.1 Downloading a File: You are prompted to download a file which cannot be opened using a web browser. Follow the on-screen instructions to download and save the file to your computer. Then launch the associated application to open the file. ...

Page 551: ...owing the on-screen instructions. Figure 396 File Sharing: Save a Word File. 29.4 Creating a New Folder: To create a new folder in the file share location, click the New Folder icon. Specify a descriptive name for the folder. You can enter up to 356 characters. Then click Add. Note: Make sure the length of the folder name does not exceed the maximum allowed on the file server. Figure 397 File Sharing: Save a ...

Page 552: ...up window displays. Specify the new name and/or file extension in the field provided. You can enter up to 356 characters. Then click Apply. Note: Make sure the length of the name does not exceed the maximum allowed on the file server. You may not be able to open a file if you change the file extension. Figure 399 File Sharing: Rename. 29.6 Deleting a File or Folder: Click the Delete icon next to a file or f...

Page 553: ... Specify the location and/or name of the file you want to upload, or click Browse to locate it. 3 Click Upload to send the file to the file server. 4 After the file is uploaded successfully, you should see the name of the file and a message in the screen. Figure 400 File Sharing: File Upload. Note: Uploading a file with the same name and file extension replaces the existing file on the file server. No warn...

Page 555: ...e applications must be installed on your computer. For example, to use the VNC remote desktop program, you must have the VNC client installed on your computer. 30.1 The ZyWALL SecuExtender Icon: The ZyWALL SecuExtender icon color indicates the SSL VPN tunnel's connection status. Figure 401 ZyWALL SecuExtender Icon. Red: the SSL VPN tunnel is not connected. You cannot connect to the SSL application and netw...

Page 556: ...or the SSL VPN connection. DNS: The Domain Name System (DNS) maps a domain name to its corresponding IP address and vice versa. The DNS server is extremely important, because without it you must know the IP address of a computer before you can access it. Your computer uses the DNS server specified here to resolve domain names for resources you access through the SSL VPN connection. WINS Server 1/2: These are the I...

Page 557: ...ABEL DESCRIPTION (table continued). Example SecuExtender log entries:
2009-03-12 13:35:50 SecuExtender Agent DETAIL Build Datetime: Feb 24 2009 10:25:07
2009-03-12 13:35:50 SecuExtender Agent DEBUG rasphone.pbk: C:\Documents and Settings\11746\rasphone.pbk
2009-03-12 13:35:50 SecuExtender Agent DEBUG SecuExtender.log: C:\Documents and Settings\11746\SecuExtender.log
2009-03-12 13:35:50 SecuExtender Agent DETAIL Check Parameters
2009-03-12 13:35:50 SecuEx...

Page 558: ...on and select Stop Connection to disconnect the SSL VPN tunnel. 30.6 Uninstalling the ZyWALL SecuExtender: Do the following if you need to remove the ZyWALL SecuExtender. 1 Click start > All Programs > ZyXEL > ZyWALL SecuExtender > Uninstall. 2 In the confirmation screen, click Yes. Figure 404 Uninstalling the ZyWALL SecuExtender: Confirmation. 3 Windows uninstalls the ZyWALL SecuExtender. Figure 405 ZyWALL SecuEx...

Page 559: ...PN screen (see Section 31.2 on page 561) to configure the ZyWALL's L2TP VPN settings. 31.1.2 What You Need to Know: The Layer 2 Tunneling Protocol (L2TP) works at layer 2 (the data link layer) to tunnel network traffic between two peers over another network (like the Internet). In L2TP VPN, an IPSec VPN tunnel is established first and then an L2TP tunnel is built inside it. See Chapter 25 on page 479 for infor...

Page 560: ...this address object in the local policy. For the Remote Policy, create an address object that uses host type and an IP address of 0.0.0.0. Use this address object in the remote policy. You must also edit the Default_L2TP_VPN_GW gateway entry: configure the My Address setting according to your requirements, and replace the default Pre-Shared Key. Policy Route: You must configure a policy route to let remote us...

Page 561: ... VPN settings. Note: Disconnect any existing L2TP VPN sessions before modifying L2TP VPN settings. The remote users must make any needed matching configuration changes and re-establish the sessions using the new settings. Figure 408 Configuration > VPN > L2TP VPN. The following table describes the fields in this screen. Table 143 Configuration > VPN > IPSec VPN > VPN Connection. LABEL DESCRIPTION. Create new Object...

Page 562: ...user or user group that can use the L2TP VPN tunnel. Use Create new Object if you need to configure a new user account (see Section 40.2.1 on page 738 for details). Otherwise, select any to allow any user with a valid account and password on the ZyWALL to log in. Keep Alive Timer: The ZyWALL sends a Hello message after waiting this long without receiving any traffic from the remote user. The ZyWALL discon...

Page 563: ...roved VoIP call sound quality. 32.1.1 What You Can Do in this Chapter: Use the General summary screen (see Section 32.2 on page 573) to enable and disable application patrol. Use the Common, Instant Messenger, Peer to Peer, VoIP, and Streaming screens (see Section 32.3 on page 574) to look at the applications the ZyWALL can recognize and review the settings for each one. You can also enable and disable the ru...

Page 564: ...ion, schedule, user, source, and destination information. Your custom policies take priority over the policy's default settings. Classification of Applications: There are two ways the ZyWALL can identify the application. The first is called auto. The ZyWALL looks at the IP payload (OSI level 7 inspection) and attempts to match it with known patterns for specific applications. Usually this occurs at the beginn...

Page 565: ...ation for every flow. In addition, applications do not have to request a particular service or give advance notice of where the traffic is going. Use application patrol to set a DSCP value for an application's traffic that the ZyWALL sends out. Bandwidth Management: When you allow an application, you can restrict the bandwidth it uses or even the bandwidth that particular features in the application (li...
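The two classification methods of pages 564 and 565 side by side, as an added example (editor's code, not ZyWALL's engine): auto looks at the first payload bytes of a flow and matches them against application patterns; Service Ports looks only at the destination port. The three patterns (HTTP request line, SIP request line, SSH version banner) are standard protocol preambles chosen for the example; ZyXEL's real signature set is not on the page, and the port table and Flow class are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed, minimal layer-7 pattern set. Each pattern is anchored at the start of the
# first client payload, which is where page 564 says the match usually happens.
L7_PATTERNS = [
    ("SIP",  re.compile(rb"^(INVITE|REGISTER|OPTIONS|SUBSCRIBE) sip:")),
    ("HTTP", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("SSH",  re.compile(rb"^SSH-2\.0-")),
]

# Constructed Service Ports table: destination port -> application.
SERVICE_PORTS = {80: "HTTP", 8080: "HTTP", 22: "SSH", 5060: "SIP"}

@dataclass(frozen=True)
class Flow:
    dst_port: int
    first_payload: bytes      # first client-to-server payload of the connection

def classify_by_port(flow: Flow) -> Optional[str]:
    """Service Ports method: trust the destination port in the TCP/UDP header."""
    return SERVICE_PORTS.get(flow.dst_port)

def classify_auto(flow: Flow) -> Optional[str]:
    """Auto method: inspect the payload, ignore the port entirely."""
    for name, pattern in L7_PATTERNS:
        if pattern.match(flow.first_payload):
            return name
    return None

def classify(flow: Flow, classification: str) -> Optional[str]:
    """Dispatch on the per-application Classification setting of page 576."""
    if classification == "Auto":
        return classify_auto(flow)
    if classification == "Service Ports":
        return classify_by_port(flow)
    raise ValueError("unknown classification: %r" % classification)

def port_and_payload_disagree(flow: Flow) -> bool:
    """True when an application is using a port that the port table assigns to another one;
    this is the case page 565 warns about (no advance notice of what the traffic is)."""
    by_port, by_payload = classify_by_port(flow), classify_auto(flow)
    return by_port is not None and by_payload is not None and by_port != by_payload

if __name__ == "__main__":
    # Constructed flows: SSH hiding on the HTTP alternate port, and plain HTTP on 80.
    evasive = Flow(8080, b"SSH-2.0-OpenSSH_8.9\r\n")
    plain = Flow(80, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n")
    for f in (evasive, plain):
        print(f.dst_port, classify(f, "Service Ports"), classify(f, "Auto"), port_and_payload_disagree(f))
```

With Service Ports the evasive flow is counted, and bandwidth-managed, as HTTP; with Auto it is recognised as SSH. Auto costs an inspection per flow, which is the trade-off page 565 is describing.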

Page 566: ... before sending the traffic out a LAN1 zone interface. Figure 409 LAN1 to WAN Connection and Packet Directions. Outbound and Inbound Bandwidth Limits: You can limit an application's outbound or inbound bandwidth. This limit keeps the traffic from using up too much of the out-going interface's bandwidth. This way you can make sure there is bandwidth for other applications. When you apply a bandwidth limi...

Page 567: ...ty 7 (the lowest priority). Maximize Bandwidth Usage: Maximize bandwidth usage allows applications with maximize bandwidth usage enabled to borrow any unused bandwidth on the out-going interface. After each application gets its configured bandwidth rate, the ZyWALL uses the fairness-based scheduler to divide any unused bandwidth on the out-going interface amongst applications that need more bandwidth an...

Page 568: ...0 kbps for server B. Maximize Bandwidth Usage Effect: With maximize bandwidth usage enabled, after each server gets its configured rate, the rest of the available bandwidth is divided equally between the two. So server A gets its configured rate of 300 kbps and server B gets its configured rate of 200 kbps. Then the ZyWALL divides the remaining bandwidth (1000 - 500 = 500) equally between the two (500 / 2 = 250 kb...
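The allocation rule of pages 567 and 568 worked through in code, as an added example (editor's code, not the ZyWALL scheduler): every policy first receives its configured rate, then unused interface bandwidth is lent to policies that have maximize bandwidth usage enabled and still want more, higher priority first (page 582), with an equal split inside a priority level. The example goes one step beyond the page's two-server case by also honouring priorities and per-application demand; the AppPolicy class, the demand figures and the treatment of a 0 rate as priority 7 (page 581) are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class AppPolicy:
    name: str
    rate_kbps: int       # configured bandwidth for this direction; 0 = bandwidth management off
    priority: int        # 1 = highest ... 7 = lowest
    maximize: bool       # "maximize bandwidth usage" enabled
    demand_kbps: float   # what the application is currently trying to send (constructed input)

def effective_priority(p: AppPolicy) -> int:
    # Page 581: traffic with bandwidth management disabled is treated as the lowest priority (7).
    return 7 if p.rate_kbps == 0 else p.priority

def _fair_share(need: Dict[str, float], pool: float) -> Dict[str, float]:
    """Water-filling: split the pool equally among the hungry applications; an application
    that needs less than its equal share takes only what it needs and the rest is re-split."""
    share = {name: 0.0 for name in need}
    hungry = {name for name, extra in need.items() if extra > 0}
    while hungry and pool > 1e-9:
        each = pool / len(hungry)
        for name in sorted(hungry):
            give = min(each, need[name] - share[name])
            share[name] += give
            pool -= give
        hungry = {name for name in hungry if need[name] - share[name] > 1e-9}
    return share

def allocate(policies: List[AppPolicy], link_kbps: float) -> Dict[str, float]:
    """Bandwidth each policy gets on one out-going interface, in kbps."""
    # Step 1 (page 567): every policy gets its configured rate, but never more than it wants.
    alloc = {p.name: float(min(p.rate_kbps, p.demand_kbps)) for p in policies}
    remaining = link_kbps - sum(alloc.values())
    if remaining < 0:
        raise ValueError("configured rates exceed the interface bandwidth")
    # Step 2: lend unused bandwidth to maximize-enabled policies that want more,
    # one priority class at a time (page 582), fairly inside each class.
    by_priority: Dict[int, Dict[str, float]] = {}
    for p in policies:
        extra = p.demand_kbps - alloc[p.name]
        if p.maximize and extra > 0:
            by_priority.setdefault(effective_priority(p), {})[p.name] = extra
    for prio in sorted(by_priority):
        if remaining <= 1e-9:
            break
        for name, kbps in _fair_share(by_priority[prio], remaining).items():
            alloc[name] += kbps
            remaining -= kbps
    return alloc

if __name__ == "__main__":
    # The page's own case: 1000 kbps link, A configured 300, B configured 200, both maximize on.
    a = AppPolicy("server A", 300, 3, True, 10_000)
    b = AppPolicy("server B", 200, 3, True, 10_000)
    print(allocate([a, b], 1000))      # {'server A': 550.0, 'server B': 450.0}
```

Turning maximize off on server B gives A everything B does not use (800/200), and giving A priority 1 with a demand of only 700 kbps lets B pick up the 100 kbps A leaves behind, which is the "higher priority first, then fairness" order pages 582 and 587 describe.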

Page 569: ... 385 for a description of DSCP marking. 32.1.3 Application Patrol Bandwidth Management Examples: Bandwidth management is very useful when applications are competing for limited bandwidth. For example, say you have a WAN zone interface connected to an ADSL device with an 8 Mbps downstream and 1 Mbps upstream ADSL connection. The following sections give some simplified examples of using application patrol...

Page 570: ... Kbps. 32.1.3.2 SIP Any-to-WAN Bandwidth Management Example: Manage SIP traffic going to the WAN zone from a VIP user on the LAN or DMZ. Outbound traffic to the WAN from the LAN and DMZ is limited to 200 kbps. The ZyWALL applies this limit before sending the traffic to the WAN. Inbound traffic to the LAN and DMZ from the WAN is also limited to 200 kbps. The ZyWALL applies this limit before sending the t...

Page 571: ...rsed (WAN to Any instead of Any to WAN). 32.1.3.4 HTTP Any-to-WAN Bandwidth Management Example: Inbound traffic gets more bandwidth, as the local users will probably download more than they upload and the ADSL connection supports this. Second highest priority (2). Set policies for other applications (except SIP) to lower priorities so the local users' HTTP traffic gets sent before non-SIP traffic. Enable maxim...

Page 572: ...since you do not want to give FTP more bandwidth. Figure 415 FTP WAN-to-DMZ Bandwidth Management Example. 32.1.3.6 FTP LAN-to-DMZ Bandwidth Management Example: The LAN and DMZ zone interfaces are connected to Ethernet networks, not an ADSL device, so you limit both outbound and inbound traffic to 50 Mbps. Fourth highest priority (4). Disable maximize bandwidth usage, since you do not want to give FTP more b...

Page 573: ...Figure 417 Configuration > App Patrol > General. The following table describes the labels in this screen. See Section 32.3.1 on page 575 for more information as well. Table 148 Configuration > App Patrol > General. LABEL DESCRIPTION. Enable Application Patrol: Select this check box to turn on application patrol. Enable BWM: This is a global setting for enabling or disabling bandwidth management on the ZyWALL. You ...

Page 574: ...stration Status: This field displays whether a service is activated (Licensed), not activated (Not Licensed), or expired (Expired). Registration Type: This field displays whether you applied for a trial application (Trial) or registered a service with your iCard's PIN number (Standard). None displays when the service is not activated. Apply new Registration: This link appears if you have not registered for the service or ...

Page 575: ...DESCRIPTION. Edit: Double-click an entry, or select it and click Edit, to open a screen where you can modify the entry's settings. Activate: To turn on an entry, select it and click Activate. Inactivate: To turn off an entry, select it and click Inactivate. #: This field is a sequential value and it is not associated with a specific application. Status: The activate (light bulb) icon is lit when the entry is active...

Page 576: ...me: This field displays the name of the application. Classification: Specify how the ZyWALL should identify this application. Choices are: Auto - the ZyWALL identifies this application by matching the IP payload with the application's pattern(s); Service Ports - the ZyWALL identifies this application by looking at the destination port in the TCP or UDP header. Service Port: This is available if the Classification is S...

Page 577: ...yped. Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. #: This field is a sequential value and it is not associated with a specific condition. Note: The ZyWALL checks conditions in the order they appear in the list. While this sequence does not affect the functionality, you might improve the performance of the ZyWALL by putting more common condition...

Page 578: ... fields show the amount of bandwidth the application's traffic that matches the policy can use. These fields only apply when Access is set to forward. In: This is how much inbound bandwidth, in kilobits per second, this policy allows the application to use. Inbound refers to the traffic the ZyWALL sends to a connection's initiator. If no displays here, this policy does not apply bandwidth management for t...

Page 579: ...e MSN instant messenger service. Figure 420 Application Policy Edit. The following table describes the labels in this screen. OK: Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving your changes. Table 150 Application Edit (continued). LABEL DESCRIPTION. Table 151 Application Policy Edit. LABEL DESCRIPTION. Create new Object: Use to configure any new settin...

Page 580: ...y is effective for every destination. Access: This field controls what the ZyWALL does with packets for this application that match this policy. Choices are: forward - the ZyWALL routes the packets for this application; Drop - the ZyWALL does not route the packets for this application and does not notify the client of its decision; Reject - the ZyWALL does not route the packets for this application and notifi...

Page 581: ...ers to the traffic the ZyWALL sends to a connection's initiator. If you enter 0 here, this policy does not apply bandwidth management for the application's traffic that the ZyWALL sends to the initiator. Traffic with bandwidth management disabled (inbound and outbound both set to 0) is automatically treated as the lowest priority (7). If the sum of the bandwidths for routes using the same next hop is ...

Page 582: ...yWALL gives traffic of an application with higher priority bandwidth before traffic of an application with lower priority. The ZyWALL uses a fairness-based round-robin scheduler to divide bandwidth between applications with the same priority. The number in this field is ignored if the incoming and outgoing limits are both set to 0. In this case, the traffic is automatically treated as being set to the...

Page 583: ... the entry to the number that you typed. Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. #: This field is a sequential value and it is not associated with a specific condition. Note: The ZyWALL checks conditions in the order they appear in the list. While this sequence does not affect the functionality, you might improve the performance of the ZyWA...

Page 584: ...and for Assured Forwarding. The number following the af identifies one of four classes and one of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ on page 395 for more details. BWM: These fields show the amount of bandwidth the traffic can use. These fields only apply when Access is set to forward. In: This is how much inbound bandwidth, in kilobits per second, this policy allows the matc...

Page 585: ...ave the ZyWALL generate a log (log), a log and alert (log alert), or neither (no) when traffic matches this policy. See Chapter 51 on page 881 for more on logs. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to return the screen to its last saved settings. Table 152 AppPatrol > Other (continued). LABEL DESCRIPTION. Table 153 AppPatrol > Other > Edit. LABEL DESCRIPTION. Create new Object: Use to...

Page 586: ... are TCP and UDP. Select any to apply the policy to both TCP and UDP traffic. Access: This field controls what the ZyWALL does with packets that match this policy. Choices are: forward - the ZyWALL routes the packets; Drop - the ZyWALL does not route the packets and does not notify the client of its decision; Reject - the ZyWALL does not route the packets and notifies the client of its decision. DSCP Marking: Se...

Page 587: ...riority traffic uses all of the actual bandwidth. Priority: This field displays when the inbound or outbound bandwidth management is not set to 0. Enter a number between 1 and 7 to set the priority for traffic that matches this policy. The smaller the number, the higher the priority. Traffic with a higher priority is given bandwidth before traffic with a lower priority. The ZyWALL uses a fairness-based r...

Page 588: ... OK: Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving your changes. Table 153 AppPatrol > Other > Edit (continued). LABEL DESCRIPTION ...

Page 589: ...ncludes two interfaces to the LAN zone. Figure 423 ZyWALL Anti-Virus Example. 33.1.1 What You Can Do in this Chapter: Use the General screens (Section 33.2 on page 592) to turn anti-virus on or off, set up anti-virus policies, and check the anti-virus engine type and the anti-virus license and signature status. Use the Black/White List screen (Section 33.3 on page 597) to set up anti-virus black (blocked) and...

Page 590: ...es itself The effect of a virus attack varies from doing so little damage that you are unaware your computer is infected to wiping out the entire contents of a hard drive to rendering your computer inoperable ZyWALL Anti Virus Scanner The ZyWALL has a built in signature database Setting up the ZyWALL between your local network and the Internet allows the ZyWALL to scan files transmitting through t...

Page 591: ...ner can detect polymorphic viruses 2 When a virus is detected an alert message is displayed in Microsoft Windows computers Refer to Appendix C on page 1021 if your Windows computer does not display the alert messages 3 Changes to the ZyWALL s anti virus settings affect new sessions not the sessions that already existed before you applied the changed settings 4 The ZyWALL does not scan the followin...

Page 592: ... on page 285 for how to register for the anti virus service You may need to customize the zones in the Network Zone used for the anti virus scanning direction 33 2 Anti Virus Summary Screen Click Configuration Anti X Anti Virus to display the configuration screen as shown next Figure 424 Configuration Anti X Anti Virus General ...

Page 593: ...readable ASCII characters X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* Policies Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it Activate To turn on an entry select it and click Activate Inactivate To turn...

Page 594: ...ion Click this link to go to the screen where you can register for the service Signature Information The following fields display information on the current signature set that the ZyWALL is using Anti Virus Engine Type This field displays whether the ZyWALL is set to use ZyXEL s anti virus engine or the one powered by Kaspersky Upgrading the ZyWALL to firmware version 2 11 and updating the anti vi...

Page 595: ...Enable Select this check box to have the ZyWALL apply this anti virus policy to check traffic for viruses From To Select source and destination zones for traffic to scan for viruses The anti virus policy has the ZyWALL scan traffic coming from the From zone and going to the To zone Protocols to Scan Select which protocols of traffic to scan for viruses HTTP applies to traffic using TCP ports 80 80...

Page 596: ... signature s log Create a log on the ZyWALL when a packet matches a signature s log alert An alert is an e mailed log for more serious events that may need more immediate attention Select this option to have the ZyWALL send an alert when a packet matches a signature s White List Black List Checking Check White List Select this check box to check files against the white list Check Black List Select...

Page 597: ... password encryption Select this check box to have the ZyWALL delete any ZIP files that it is not able to unzip The ZyWALL cannot unzip password protected ZIP files or a ZIP file within another ZIP file There are also limits to the number of ZIP files that the ZyWALL can concurrently unzip Note The ZyWALL s firmware package cannot go through the ZyWALL with this option enabled The ZyWALL classifie...

Page 598: ... List LABEL DESCRIPTION Enable Black List Select this check box to log and delete files with names that match the black list patterns Use the black list to log and delete files with names that match the black list patterns Add Click this to create a new entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it Activate To turn on an entry ...

Page 599: ...t scan for viruses Use up to 80 characters Alphanumeric characters underscores _ dashes question marks and asterisks are allowed A question mark lets a single character in the file name vary For example use a zip without the quotation marks to specify aa zip ab zip and so on Wildcards let multiple files match the pattern For example use a zip without the quotation marks to specify any file that en...

Page 600: ...anti virus check on files with names that match the white list patterns Use the white list to have the ZyWALL not perform the anti virus check on files with names that match the white list patterns Add Click this to create a new entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it Activate To turn on an entry select it and click Activ...

Page 601: ...ript making Internet Explorer run slowly and the computer may be becoming unresponsive just click No to continue Click a column s heading cell to sort the table entries by that column s criteria Click the heading cell again to reverse the sort order Figure 429 Configuration Anti X Anti Virus Signature Search by Severity ...

Page 602: ... the ZyWALL search the signatures based on your specified criteria Query all signatures and export Click Export to have the ZyWALL save all of the anti virus signatures to your computer in a txt file Query Result This is the entry s index number in the list Name This is the name of the anti virus signature Click the Name column heading to sort your search results in ascending or descending order a...

Page 603: ...Types TYPE DESCRIPTION File Infector This is a small program that embeds itself in a legitimate program A file infector is able to copy and attach itself to other programs that are executed on an infected computer Boot Sector Virus This type of virus infects the area of a hard drive that a computer reads and executes during startup The virus causes computer crashes and to some extent renders the i...

Page 604: ...y also share the resources such as CPU time on the computer for file inspection You have to update the virus signatures and or perform virus scans on all computers in the network regularly A network based anti virus NAV scanner is often deployed as a dedicated security device such as your ZyWALL on the network edge NAV scanners inspect real time data traffic such as E mail messages or web that ten...

Page 605: ... on page 609 to add a new profile edit an existing profile or delete an existing profile Use the Anti X IDP Custom Signature screens Section 34 8 on page 624 to create a new signature edit an existing signature delete existing signatures or save signatures to your computer 34 1 2 What You Need To Know Packet Inspection Signatures A signature identifies a malicious or suspicious packet and specifie...

Page 606: ...onfiguration Changes to the ZyWALL s IDP settings affect new sessions not the sessions that already existed before you applied the changed settings Finding Out More See Section 6 5 20 on page 111 for IDP prerequisite information See Chapter 35 on page 641 for anomaly detection and protection See Section 34 9 on page 636 for more information on network based intrusions See Section 34 6 2 on page 61...

Page 607: ...IDP service has not yet been registered a warning screen displays and IDP is not enabled Figure 430 Configuration Anti X IDP General The following table describes the screens in this screen Table 161 Configuration Anti X IDP General LABEL DESCRIPTION General Settings Enable Signature Detection You must register for IDP service in order to use packet inspection signatures If you don t have a standa...

Page 608: ...to specify the zone from which the traffic is coming Use the To field to specify the zone to which the traffic is going From LAN1 To LAN1 means packets traveling from a computer on one LAN1 subnet to a computer on another LAN subnet via the ZyWALL s LAN1 zone interfaces The ZyWALL does not check packets traveling from a LAN1 computer to another LAN1 computer on the same subnet From WAN To WAN mean...

Page 609: ...link to go to the screen where you can register for the service Signature Information The following fields display information on the current signature set that the ZyWALL is using Current Version This field displays the IDP signature set version number This number gets larger as the set is enhanced Signature Number This field displays the number of IDP signatures in this set This number usually g...

Page 610: ...logs not log alerts and no action is taken on packets that trigger them wan Signatures for all services are enabled Signatures with a medium high or severe severity level greater than two generate logs not log alerts and no action is taken on packets that trigger them Signatures with a very low or low severity level less than or equal to two are disabled lan This profile is most suitable for commo...

Page 611: ...RVICE SMTP SNMP SQL TELNET Oracle MySQL are enabled Signatures with a high or severe severity level greater than three generate log alerts and cause packets that trigger them to be dropped Signatures with a low or medium severity level two or three generate logs not log alerts and no action is taken on packets that trigger them Signatures with a very low severity level one are disabled OK Click OK...

Page 612: ...s of the false alarms When you re satisfied that they have been reduced to an acceptable level you could then create an inline profile whereby you configure appropriate actions to be taken when a packet matches a signature 34 5 1 Procedure To Create a New Profile To create a new profile 1 Click the Add icon in the Configuration Anti X IDP Profile screen to display a pop up screen allowing you to c...

Page 613: ...t Configuration Anti X IDP Profile and then add a new or edit an existing profile select Packet inspection signatures examine the contents of a packet for malicious data It operates at layer 4 to layer 7 34 6 1 Profile Group View Screen Figure 433 Configuration Anti X IDP Profile Edit Group View ...

Page 614: ...tures by criteria such as name ID severity attack type vulnerable attack platforms service category log options or actions Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Log To edit an item s log option select it and use the Log icon These are the log options no Select this option on an individual signature or a complete ser...

Page 615: ... have the ZyWALL send a reset to both the sender and receiver when a packet matches the signature If it is a TCP attack packet the ZyWALL will send a packet with a RST flag to the receiver and sender If it is an ICMP or UDP attack packet the ZyWALL will send an ICMP unreachable packet This is the entry s index number in the list Status The activate light bulb icon is lit when the entry is active a...

Page 616: ...k OK in the final profile screen to complete the profile Table 164 Configuration Anti X IDP Profile Group View continued LABEL DESCRIPTION Table 165 Policy Types POLICY TYPE DESCRIPTION P2P Peer to peer P2P is where computing devices link directly to each other and can directly initiate communication with each other they do not need an intermediary A device can be both the client and the server In...

Page 617: ... in the overflow buffer region to obtain control of the system install a backdoor or use the victim to launch attacks on other devices Virus Worm A computer virus is a small program designed to corrupt and or alter the operation of other legitimate programs A worm is a program that is designed to copy itself from one computer to another on a network A worm s uncontrolled replication consumes syste...

Page 618: ...within that group If you select original setting for service group logs and or actions all signatures within that group are returned to their last saved settings Figure 434 Configuration Anti X IDP Profile Edit IDP Service Group 34 6 4 Profile Query View Screen Click Switch to query view in the screen as shown in Figure 433 on page 613 to go to a signature query screen In the query view screen you...

Page 619: ...es Group View screen Switch to group view Click this button to go to the IDP profile group view screen where IDP signatures are grouped by service and you can configure activation logs and or actions Query Signatures Select the criteria on which to perform the search Search all custom signatures Select this check box to search for signatures you created or imported in the Custom Signatures screen ...

Page 620: ...the Ctrl key if you want to make multiple selections Action Search for signatures by the response the ZyWALL takes when a packet matches a signature See Table 164 on page 614 for action details Hold down the Ctrl key if you want to make multiple selections Activation Search for activated and or inactivated signatures here Log Search for signatures by log option here See Table 164 on page 614 for o...

Page 621: ...P ZyWALL USG 100 200 Series User s Guide 621 34 6 5 Query Example This example shows a search with these criteria Severity severe and high Attack Type DDoS Platform Windows 2000 and Windows XP computers Service Any ...

Page 622: ...Chapter 34 IDP ZyWALL USG 100 200 Series User s Guide 622 Actions Any Figure 436 Query Example Search Criteria Figure 437 Query Example Search Results ...

Page 623: ... indicates IP version 4 IHL IP Header Length is the number of 32 bit words forming the total length of the header usually five Type of Service The Type of Service also known as Differentiated Services Code Point DSCP is usually set to 0 but may indicate particular quality of service needs from the network Total Length This is the size of the datagram in bytes It is the combined length of the heade...

Page 624: ...ide a router or bridge where the packet is not protected by a link layer cyclic redundancy check Packets with an invalid checksum are discarded by all nodes in an IP network Source IP Address This is the IP address of the original sender of the packet Destination IP Address This is the IP address of the final destination of the packet Options IP options is a variable length list of IP options for ...

Page 625: ...ect an entry and click this to be able to modify it Remove Select an entry and click this to delete it Activate To turn on an entry select it and click Activate Export To save an entry or entries as a file on your computer select them and click Export Click Save in the file download dialog box and then select a location and name for the file Custom signatures must end with the rules file name exte...

Page 626: ... to import custom signatures previously saved to your computer to the ZyWALL Note The name of the complete custom signature file on the ZyWALL is custom rules If you import a file named custom rules then all custom signatures on the ZyWALL are overwritten with the new file If this is not your intention make sure that the files you import are not named custom rules File Path Type the file path and ...

Page 627: ...Series User s Guide 627 Try to write signatures that target a vulnerability for example a certain type of traffic on certain operating systems instead of a specific exploit Figure 440 Configuration Anti X IDP Custom Signatures Add Edit ...

Page 628: ...rgets that is the operating systems you want to protect from this intrusion SGI refers to Silicon Graphics Incorporated who manufactures multi user Unix workstations that run the IRIX operating system SGI s version of UNIX A router is an example of a network device Service Select the IDP service group that the intrusion exploits or targets See Table 166 on page 617 for a list of IDP service groups...

Page 629: ...ct Equal Smaller or Greater and then type in a number IP Options IP options is a variable length list of IP options for a datagram that define IP Security Option IP Stream Identifier security and handling restrictions for the military Record Route have each router record its IP address Loose Source Routing specifies a list of IP addresses that must be traversed by the datagram Strict Source Routin...

Page 630: ... Sequence Number Use this field to check for a specific TCP sequence number Ack Number Use this field to check for a specific TCP acknowledgement number Window Size Use this field to check for a specific TCP window size Transport Protocol UDP Port Select the check box and then enter the source and destination UDP port numbers that will trigger this signature Transport Protocol ICMP Type Use this f...

Page 631: ... matter Decode as URI A Uniform Resource Identifier URI is a string of characters for identifying an abstract or physical resource RFC 2396 A resource can be anything that has identity for example an electronic document an image a service today s weather report for Taiwan a collection of other resources An identifier is an object that can act as a reference to something that has identity Example U...

Page 632: ...information about the attack as you can The more specific your signature the less chance it will cause false positives As an example say you want to check if your router is being overloaded with DNS queries so you create a signature to detect DNS query traffic OK Click this button to save your changes to the ZyWALL and return to the summary screen Cancel Click this button to return to the summary ...

Page 633: ... analyzer also known as a network or protocol analyzer such as Wireshark or Ethereal to investigate some more Figure 441 DNS Query Packet Details From the details about DNS query you see that the protocol is UDP and the port is 53 The type of DNS packet is standard query and the Flag is 0x0100 with an offset of 2 Therefore enter 010 as the first pattern ...

Page 634: ... as shown in the following figure Figure 442 Example Custom Signature 34 8 3 Applying Custom Signatures After you create your custom signature it becomes available in the IDP service group category in the Configuration Anti X IDP Profile Edit screen Custom signatures have an SID from 9000000 to 9999999 ...

Page 635: ...re You may also want to configure an alert if it is for a serious attack and needs immediate attention After you apply the signature to a zone you can see if it works by checking the logs Monitor Log The Priority column shows warn for signatures that are configured to generate a log only It shows critical for signatures that are configured to generate a log and alert All IDP signatures come under ...

Page 636: ...r server in with the goal of accessing confidential information or destroying information on a computer You must install a host IDP directly on the system being protected It works closely with the operating system monitoring and intercepting system calls to the kernel or APIs in order to prevent attacks as well as log them Disadvantages of host IDPs are that you have to install them on each device...

Page 637: ...line Snort rules are divided into two logical sections the rule header and the rule options as shown in the following example alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 a5|"; msg:"mountd access";) The text up to the first parenthesis is the rule header and the section enclosed in parenthesis contains the rule options The words before the colons in the rule options section are the option keywords ...

Page 638: ...k Window Size window Transport Protocol UDP In Snort rule header Port In Snort rule header Transport Protocol ICMP Type itype Code icode ID icmp_id Sequence Number icmp_seq Payload Options Snort rule options Payload Size dsize Offset relative to start of payload offset Relative to end of last match distance Content content Case insensitive nocase Decode as URI uricontent Table 171 ZyWALL Snort Equ...

Page 641: ...packet inspection 2 ADP traffic and anomaly rules are updated when you upload new firmware This is different from the IDP packet inspection signatures and the system protect signatures you download from myZyXEL com 35 1 2 What You Can Do in this Chapter Use Anti X ADP General Section 35 2 on page 643 to turn anomaly detection on or off and apply anomaly profiles to traffic directions Use Anti X AD...

Page 642: ... can apply ADP profiles to traffic flowing from one zone to another Base ADP Profiles Base ADP profiles are templates that you use to create new ADP profiles The ZyWALL comes with several base profiles See Table 173 on page 645 for details on ADP base profiles ADP Policy An ADP policy refers to application of an ADP profile to a traffic flow Finding Out More See Section 6 5 21 on page 111 for ADP ...

Page 643: ...fic flowing in a specific direction Edit the policies directly in the table Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it...

Page 644: ...o LAN1 means packets traveling from a computer on one LAN1 subnet to a computer on another LAN1 subnet via the ZyWALL s LAN1 zone interfaces The ZyWALL does not check packets traveling from a LAN1 computer to another LAN1 computer on the same subnet From WAN To WAN means packets that come in from the WAN zone and the ZyWALL routes back out through the WAN zone Note Depending on your network topolo...

Page 645: ...guration Anti X ADP Profile Table 173 Base Profiles BASE PROFILE DESCRIPTION none All traffic anomaly and protocol anomaly rules are disabled No logs are generated nor actions are taken all All traffic anomaly and protocol anomaly rules are enabled Rules with a high or severe severity level greater than three generate log alerts and cause packets that trigger them to be dropped Rules with a very l...

Page 646: ...l you could then create an inline profile whereby you configure appropriate actions to be taken when a packet matches a rule ADP profiles consist of traffic anomaly profiles and protocol anomaly profiles To create a new profile select a base profile see Table 173 on page 645 and then click OK to go to the profile details screen Type a new profile name enable or disable individual rules and then ed...

Page 647: ...35 ADP ZyWALL USG 100 200 Series User s Guide 647 belonging to this profile make sure you have clicked OK or Save to save the changes before selecting the Traffic Anomaly tab Figure 448 Profiles Traffic Anomaly ...

Page 648: ...hresholds and sample times are set high so most traffic anomaly attacks will be detected however you will have more logs and false positives Block Period Specify for how many seconds the ZyWALL blocks all packets from being sent to the victim destination of a detected anomaly attack Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inacti...

Page 649: ...maly tab Name This is the name of the traffic anomaly rule Click the Name column heading to sort in ascending or descending order according to the rule name Log These are the log options To edit this select an item and use the Log icon Action This is the action the ZyWALL should take when a packet matches a rule To edit this select an item and use the Action icon Threshold For flood detection you ...

Page 650: ...Chapter 35 ADP ZyWALL USG 100 200 Series User s Guide 650 Figure 449 Profiles Protocol Anomaly ...

Page 651: ...e valid unique profile names MyProfile mYProfile Mymy12_3 4 These are invalid profile names 1mYProfile My Profile MyProfile Whatalongprofilename123456789012 HTTP Inspection TCP Decoder UDP Decoder ICMP Decoder Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Log To edit an item s log option select it and use the Log icon Selec...

Page 652: ...reject both Select this action on an individual signature or a complete service group to have the ZyWALL send a reset to both the sender and receiver when a packet matches the rule If it is a TCP attack packet the ZyWALL will send a packet with a RST flag to the receiver and sender If it is an ICMP or UDP attack packet the ZyWALL will send an ICMP unreachable packet This is the entry s index numbe...

Page 653: ...n UDP Portscan IP Portscan An IP port scan searches not only for TCP UDP and ICMP protocols in use by the remote computer but also additional IP protocols such as EGP Exterior Gateway Protocol or IGP Interior Gateway Protocol Determining these additional protocols can help reveal if the destination device is a workstation a printer or a router OK Click OK to save your settings to the ZyWALL comple...

Page 654: ...sweep that is they are one to many port scans One host scans a single port on multiple hosts This may occur when a new exploit comes out and the attacker is looking for a specific service These are some port sweep types TCP Portsweep UDP Portsweep IP Portsweep ICMP Portsweep Filtered Port Scans A filtered port scan may indicate that there were no network errors ICMP unreachables or TCP RSTs or res...

Page 655: ...dcast address of the network The router will broadcast the ICMP echo request packet to all hosts on the network If there are numerous hosts this will create a large amount of ICMP echo request and response traffic If an attacker A spoofs the source IP address of the ICMP echo request packet the resulting ICMP traffic will not only saturate the receiving network B but the network of the spoofed sou...

Page 656: ...ores all outstanding SYN ACK responses on a backlog queue SYN ACKs are only moved off the queue when an ACK comes back or when an internal timer ends the three way handshake Once the queue is full the system will ignore all incoming SYN requests making the system unavailable for other users Figure 452 SYN Flood LAND Attack In a LAND attack hackers flood SYN packets into a network with a spoofed so...

Page 657: ...ab for a space delimiter Apache uses this so if you have an Apache server you need to enable this option ASCII ENCODING ATTACK This rule can detect attacks where malicious attackers use ASCII encoding to encode attack strings Attackers may use this method to bypass system parameter checks in order to get information or privileges from a web server BARE BYTE UNICODING ENCODING ATTACK Bare byte enco...

Page 658: ...accepted by both Apache and IIS web servers OVERSIZE CHUNK ENCODING ATTACK This rule is an anomaly detector for abnormally large chunk sizes This picks up the apache chunk encoding exploits and may also be triggered on HTTP tunneling that uses chunk encoding OVERSIZE REQUEST URI DIRECTORY ATTACK This rule takes a non zero positive integer as an argument The argument specifies the max character dir...

Page 659: ...uld mean the packet was truncated TTCP DETECTED ATTACK T TCP provides a way of bypassing the standard three way handshake found in TCP thus speeding up transactions However this could lead to unauthorized access to the system by spoofing connections UNDERSIZE LEN ATTACK This is when a TCP packet is sent which has a TCP datagram length of less than 20 bytes This may cause some applications to crash...

Page 660: ...h of less than the ICMP header length This may cause some applications to crash TRUNCATED TIMESTAMP HEADER ATTACK This is when an ICMP packet is sent which has an ICMP datagram length of less than the ICMP Time Stamp header length This may cause some applications to crash Table 177 HTTP Inspection and TCP UDP ICMP Decoders continued LABEL DESCRIPTION ...

Page 663: ...ertain web features such as cookies and or block access to specific web sites It can also block access to specific categories of web site content You can create different content filter policies for different addresses schedules users or groups and content filter profiles For example you can configure one policy that blocks John Doe s access to arts and entertainment web pages during the workday a...

Page 664: ...y numbers When a matching policy is found the content filter allows or blocks the request depending on the settings of the filtering profile specified by the policy Some requests may not match any policy The ZyWALL allows the request if the default policy is not set to block The ZyWALL blocks the request if the default policy is set to block External Web Filtering Service When you register for and...

Page 665: ...s Finding Out More See Section 6 5 22 on page 111 for related information on these screens See Section 36 7 on page 685 for content filtering background technical information 36 1 3 Before You Begin You must configure an address object a schedule object and a filtering profile before you can set up a content filter policy You must subscribe to use the external database content filtering see the Li...

Page 666: ...ontent Filter Report Service Select this check box to have the ZyWALL collect category based content filtering statistics Policies This is a list of the configured content filter policies Block web access when no policy is applied Select this check box to stop users from accessing the Internet by default when their attempted access does not match a content filter policy Add Click this to create a ...

Page 667: ...h content filter policy You can define different policies for different time periods none means the content filter policy applies all of the time User This column displays the individual or group to which this policy applies any means the content filter policy applies to all of the web access requests that the ZyWALL receives from any user Filter Profile This column displays the name of the conten...

Page 668: ... filter is not active You can view content filter reports after you register the ZyWALL and activate the subscription service in the Registration screen see Chapter 37 on page 687 License Type This read only field displays what kind of service registration you have for the content filtering database None displays if you have not successfully registered and activated the service Standard displays i...

Page 669: ...allows access to certain categories after the work day is over Select none to have the content filter policy apply all of the time Address Select the address or address group for which you want to use this policy Select any to have the content filter policy apply to all of the web access requests that the ZyWALL receives from any IP address Filter Profile Use the drop down list box to select the c...

Page 670: ... Anti X Content Filter Filter Profile Add or Edit to open the Categories screen Use this screen to enable external database content filtering and select which web site categories to block and or log Note You must register for external content filtering before you can use it See Section 11 2 on page 287 for how to register Table 180 Configuration Anti X Content Filter Filter Profile LABEL DESCRIPTI...

Page 671: ...apter 36 Content Filtering ZyWALL USG 100 200 Series User s Guide 671 See Chapter 37 on page 687 for how to view content filtering reports Figure 456 Configuration Anti X Content Filter Filter Profile Add ...

Page 672: ...ports after you register the ZyWALL and activate the subscription service in the Registration screen see Chapter 37 on page 687 License Type This read only field displays what kind of service registration you have for the content filtering database None displays if you have not successfully registered and activated the service Standard displays if you have successfully registered the ZyWALL and ac...

Page 673: ...es that match the other categories that you select below When external database content filtering blocks access to a web page it displays the denied access message that you configured in the Content Filter General screen along with the category of the blocked web page Select Log to record attempts to access web pages that match the other categories that you select below Action for Unrated Web Page...

Page 674: ...al content filtering's license key is invalid. Select Log to record attempts to access web pages that occur when the external content filtering database is unavailable. Content Filter Category Service Timeout: Specify a number of seconds (1 to 60) for the ZyWALL to wait for a response from the external content filtering server. If there is still no response by the time this period expires, the ZyWALL blo...

Page 675: ...can connect and send user info, sites that make extensive use of tracking cookies without a posted privacy statement, and sites to which browser hijackers redirect users. Usually does not include sites that can be marked as Spyware/Malware. Note: Sites rated as spyware effects typically have a second category assigned with them. Managed Categories: These are categories of web pages based on their content...

Page 676: ...t does not include pages that sell gambling-related products or machines. It also does not include pages for offline casinos and hotels, as long as those pages do not meet one of the above requirements. Violence/Hate/Racism: This category includes pages that depict extreme physical harm to people or property, or that advocate or provide instructions on how to cause such harm. It also includes pages that...

Page 677: ...ges that offer educational information, distance learning and trade school information or programs. It also includes pages that are sponsored by schools, educational facilities, faculty or alumni groups. Cultural/Charitable Organization: This category includes pages that nurture cultural understanding and foster volunteerism, such as 4H, the Lions and Rotary Clubs. Also encompasses non-profit associations ...

Page 678: ...es that provide assistance in finding employment and tools for locating prospective employers. News/Media: This category includes pages that primarily report information or comments on current events or contemporary issues of the day. It also includes radio stations and magazines. It does not include pages that can be rated in other categories. Personals/Dating: This category includes pages that promote...

Page 679: ... essentially act as your personal hard drive on the Internet. Remote Access Tools: This category includes pages that primarily focus on providing information about and/or methods that enable authorized access to and use of a desktop computer or private network remotely. Shopping: This category includes pages that provide or advertise the means to obtain goods or services. It does not include pages tha...

Page 680: ...earch and sharing across a network without dependence on a central server. Streaming Media/MP3s: This category includes pages that sell, deliver or stream music or video content in any format, including sites that provide downloads for such viewers. Proxy Avoidance: This category includes pages that provide information on how to bypass proxy server/appliance features or gain access to URLs in any way th...

Page 681: ...ncludes sites that are part of the Web and e-mail spam ecosystem. Sites that are determined to be clearly malicious or benign will be placed in a different category. Alternative Sexuality/Lifestyles: This category includes pages that provide information, promote or cater to alternative sexual expressions in their myriad forms. It includes, but is not limited to, the full range of non-traditional sexual pr...

Page 682: ... to test. You can check which category a web page belongs to. Enter a web site URL in the text box. Test Against Local Cache: Click this button to see the category recorded in the ZyWALL's content filtering database for the web page you specified, if the database has an entry for it. Test Against Content Filter Category Server: Click this button to see the category recorded in the external content filter...

Page 683: ...s or keywords from the filter list. Figure 458 Configuration > Anti-X > Content Filter > Filter Profile > Customization. The following table describes the labels in this screen. Table 182 Configuration > Anti-X > Content Filter > Filter Profile > Customization: LABEL / DESCRIPTION. Name: Enter a descriptive name for this content filtering profile. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but t...

Page 684: ...ing by pointing to this proxy server. Allow Java/ActiveX/Cookies/Web proxy to trusted web sites: When this box is selected, the ZyWALL will permit Java, ActiveX and Cookies from sites on the Trusted Web Sites list to the LAN. In certain cases it may be desirable to allow Java, ActiveX or Cookies from sites that are known and trusted. Trusted Web Sites: These are sites that you want to allow access to rega...

Page 685: ...words. This section allows you to block Web sites with URLs that contain certain keywords in the domain name or IP address. Add: Click this to create a new entry. Edit: Select an entry and click this to be able to modify it. Remove: Select an entry and click this to delete it. Blocked URL Keywords: This list displays the keywords already added. Enter a keyword or a numerical IP address to block. You can also...
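The customization screen on pages 684 and 685 combines three lists: Trusted Web Sites (allowed regardless of category), Forbidden Web Sites, and Blocked URL Keywords matched against the domain name or IP address. The following Python is an added example, not ZyWALL firmware code, showing how such a profile is evaluated when the check is applied to the host part of the request rather than the raw URL string; the ZyWALL's exact matching rules are not stated on this page, so parent-domain matching for the site lists and substring matching for keywords are assumptions, and every list entry and URL below is constructed.

```python
"""Evaluate a URL against a content-filter customization profile (Trusted Web
Sites, Forbidden Web Sites, Blocked URL Keywords) on the host part of the
request, not the raw URL string.

Added example; not ZyWALL firmware code. Parent-domain matching for site lists
and substring matching for keywords are assumptions. All list contents and
URLs are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class CustomizationProfile:
    trusted: set = field(default_factory=set)             # sites allowed regardless of category
    forbidden: set = field(default_factory=set)           # sites always blocked
    blocked_keywords: list = field(default_factory=list)  # substrings of the host name, or IP literals


def request_host(url: str) -> str:
    """Return the lower-cased host name or IP literal of a URL.

    Userinfo, port, path and query are deliberately dropped: a substring match
    on the full URL string would be fooled by
    http://trusted.example@evil.example/ or http://evil.example/?q=trusted.example
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").rstrip(".").lower()


def site_matches(host: str, entry: str) -> bool:
    """Exact host match, or the entry is a parent domain of the host."""
    entry = entry.lower().rstrip(".")
    return host == entry or host.endswith("." + entry)


def keyword_matches(host: str, keyword: str) -> bool:
    """An IP-address keyword must match the host exactly (so 192.0.2.7 does not
    block 192.0.2.70); any other keyword is a substring of the host name."""
    try:
        ipaddress.ip_address(keyword)
    except ValueError:
        return keyword.lower() in host
    return host == keyword


def evaluate(profile: CustomizationProfile, url: str) -> tuple[str, str]:
    """Return (verdict, reason). verdict is 'allow', 'block' or 'category';
    'category' means no customization entry applied and the request falls
    through to the category lookup described in the chapter."""
    host = request_host(url)
    if not host:
        return "block", "request has no host"
    for entry in profile.trusted:
        if site_matches(host, entry):
            return "allow", f"trusted site {entry}"
    for entry in profile.forbidden:
        if site_matches(host, entry):
            return "block", f"forbidden site {entry}"
    for keyword in profile.blocked_keywords:
        if keyword_matches(host, keyword):
            return "block", f"blocked URL keyword {keyword!r}"
    return "category", "no customization entry; check category"


# Constructed profile for demonstration.
DEMO_PROFILE = CustomizationProfile(
    trusted={"intranet.example"},
    forbidden={"casino.example"},
    blocked_keywords=["gambl", "192.0.2.7"],
)
```

The order of the lists matters: a trusted entry wins over a forbidden entry or keyword for the same host, which is what "allow access regardless" on page 684 implies. The two deliberately tricky URLs in `request_host`'s docstring both evaluate to `category`, not `allow`, because only the real host is compared.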

Page 686: ...our configuration. 3 Use the Content Filter Cache screen to configure how long a web site address remains in the cache, as well as to view those web site addresses (see Section 10.19 on page 275). All of the web site address records are also cleared from the local cache when the ZyWALL restarts. 4 If the ZyWALL has no record of the web site, it queries the external content filter database and simultaneously...

Page 687: ...count, register your device and activate the subscription services. 37.2 Viewing Content Filter Reports. Content filtering reports are generated statistics and charts of access attempts to web sites belonging to the categories you selected in your device content filter screen. You need to register your iCard before you can view content filtering reports. Alternatively, you can also view content filterin...

Page 688: ...Chapter 37 Content Filter Reports, ZyWALL USG 100/200 Series User's Guide, 688. 2 Fill in your myZyXEL.com account information and click Login. Figure 460 myZyXEL.com Login ...

Page 689: ...isplays. Click your ZyWALL's model name and/or MAC address under Registered ZyXEL Products (the ZyWALL 70 is shown as an example here). You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 462 on page 690). Figure 461 myZyXEL.com Welcome ...

Page 690: ...e 690. 4 In the Service Management screen, click Content Filter in the Service Name column to open the content filter reports screens. Figure 462 myZyXEL.com Service Management. 5 In the Web Filter Home screen, click the Reports tab. Figure 463 Content Filter Reports Main Screen ...

Page 691: ...g reports. Figure 464 Content Filter Reports Report Home. 7 Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field, and a category (or enter the user name if you want to view single-user reports), and click Run Report. The screens vary according to the report type you selected in the Report Home screen ...

Page 692: ... 8 A chart and/or list of requested web site categories display in the lower half of the screen. Figure 465 Global Report Screen Example ...

Page 693: ... 9 You can click a category in the Categories report, or click URLs in the Report Home screen, to see the URLs that were requested. Figure 466 Requested URLs Example ...

Page 695: ...ge 706) to have the ZyWALL check e-mail against DNS Black Lists. 38.1.2 What You Need to Know. White list: Configure white list entries to identify legitimate e-mail. The white list entries have the ZyWALL classify any e-mail that is from a specified sender, or uses a specified header field and header value, as being legitimate (see E-mail Headers on page 696 for more on mail headers). The anti-spam feature...

Page 696: ...ally use SMTP to send messages to a mail server. The older POP2 requires SMTP for sending messages, while the newer POP3 can be used with or without it. This is why many e-mail applications require you to specify both the SMTP server and the POP or IMAP server, even though they may actually be the same server. The ZyWALL's anti-spam feature checks SMTP (TCP port 25) and POP3 (TCP port 110) e-mails. The anti...

Page 697: ...DNSBL is also known as a DNS spam blocking list. The ZyWALL can check the routing addresses of e-mail against DNSBLs and classify an e-mail as spam if it was sent or forwarded by a computer with an IP address in the DNSBL. Finding Out More: See Section 38.7 on page 708 for more background information on anti-spam. 38.2 Before You Begin: Configure your zones before you configure anti-spam. 38.3 The Anti-...

Page 698: ...d. An e-mail session is when an e-mail client and e-mail server, or two e-mail servers, connect through the ZyWALL. Select how to handle concurrent e-mail sessions that exceed the maximum number of concurrent e-mail sessions that the anti-spam feature can handle. See the chapter of product specifications for the threshold. Select Forward Session to have the ZyWALL allow the excess e-mail sessions withou...

Page 699: ...e activate light bulb icon is lit when the entry is active and dimmed when the entry is inactive. Priority: This is the position of an anti-spam policy in the list. The ordering of your anti-spam policies is important, as the ZyWALL applies them in sequence. Once traffic matches an anti-spam policy, the ZyWALL applies that policy and does not check the traffic against any more policies. From: The anti-spa...

Page 700: ...Log: Select how the ZyWALL is to log the event when the DNSBL times out or an e-mail matches the white list, black list or DNSBL. no: Do not create a log. log: Create a log on the ZyWALL. log alert: An alert is an e-mailed log for more serious events that may need more immediate attention. Select this option to have the ZyWALL send an alert. From/To: Select source and destination zones for traffic to scan fo...

Page 701: ... black list entry as spam. Check DNSBL: Select this check box to check e-mail against the ZyWALL's configured DNSBL domains. The ZyWALL classifies e-mail that matches a DNS black list as spam. Actions for Spam Mail: Use this section to set how the ZyWALL is to handle spam mail. SMTP: Select how the ZyWALL is to handle spam SMTP mail. Select drop to discard spam SMTP mail. Select forward to allow spam SMTP ...

Page 702: ...of e-mails that match the ZyWALL's spam black list. Rule Summary: Add: Click this to create a new entry. Edit: Select an entry and click this to be able to modify it. Remove: Select an entry and click this to delete it. Activate: To turn on an entry, select it and click Activate. Inactivate: To turn off an entry, select it and click Inactivate. Status: The activate light bulb icon is lit when the entry is active...

Page 703: ...esponding list screen, enable the anti-spam feature in the anti-spam general screen, and configure an anti-spam policy to use the list. Type: Use this field to base the entry on the e-mail's subject, source or relay IP address, source e-mail address, or header. Select Subject to have the ZyWALL check e-mail for specific content in the subject line. Select IP Address to have the ZyWALL check e-mail for a sp...

Page 704: ...cimal notation. Netmask: This field displays when you select the IP type. Enter the subnet mask here if applicable. Sender E-Mail Address: This field displays when you select the E-Mail type. Enter a keyword (up to 63 ASCII characters). See Section 38.4.2 on page 704 for more details. Mail Header Field Name: This field displays when you select the Mail Header type. Type the name part of an e-mail header (the p...

Page 705: ...ble 187 Configuration > Anti-X > Anti-Spam > Black/White List > White List: LABEL / DESCRIPTION. General Settings: Enable White List Checking: Select this check box to have the ZyWALL forward e-mail that matches an active white list entry without doing any more anti-spam checking on that individual e-mail. Rule Summary: Add: Click this to create a new entry. See Section 38.4.1 on page 703 for details. Edit: Select an...

Page 706: ...ts DNSBLs. Figure 472 Configuration > Anti-X > Anti-Spam > DNSBL. Type: This field displays whether the entry is based on the e-mail's subject, source or relay IP address, source e-mail address, or a header. Content: This field displays the subject content, source or relay IP address, source e-mail address, or header value for which the entry checks. OK: Click OK to save your changes. Cancel: Click Cancel to exit this...

Page 707: ...t IP address in the mail header. This is the IP of the sender or the first server that forwarded the mail. Select last N IPs to have the ZyWALL start checking from the last IP address in the mail header. This is the IP of the last server that forwarded the mail. Query Timeout Setting: SMTP: Select how the ZyWALL is to handle SMTP mail (mail going to an e-mail server) if the queries to the DNSBL domains ti...

Page 708: ...least one non-spam reply for each of an e-mail's routing IP addresses, the ZyWALL immediately classifies the e-mail as legitimate and forwards it. Any further DNSBL replies that come after the ZyWALL classifies an e-mail as spam or legitimate have no effect. The ZyWALL records DNSBL responses for IP addresses in a cache for up to 72 hours. The ZyWALL checks an e-mail's sender and relay IP addresses ag...

Page 709: ...separate query to each of its DNSBL domains for IP address b.b.b.b. 2 DNSBL A replies that IP address a.a.a.a does not match any entries in its list (not spam). 3 DNSBL C replies that IP address b.b.b.b matches an entry in its list. 4 The ZyWALL immediately classifies the e-mail as spam and takes the action for spam that you defined in the anti-spam policy. In this example it was an SMTP mail and the de...

Page 710: ... another separate query to each of its DNSBL domains for IP address d.d.d.d. 2 DNSBL B replies that IP address d.d.d.d does not match any entries in its list (not spam). 3 DNSBL C replies that IP address c.c.c.c does not match any entries in its list (not spam). 4 Now that the ZyWALL has received at least one non-spam reply for each of the e-mail's routing IP addresses, the ZyWALL immediately classifies t...

Page 711: ... separate query to each of its DNSBL domains for IP address w.x.y.z. 2 DNSBL A replies that IP address a.b.c.d does not match any entries in its list (not spam). 3 While waiting for a DNSBL reply about IP address w.x.y.z, the ZyWALL receives a reply from DNSBL B saying IP address a.b.c.d is in its list. 4 The ZyWALL immediately classifies the e-mail as spam and takes the action for spam that you defined...
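Pages 707 to 711 describe the DNSBL decision rules: pick the first N or last N routing IPs from the mail headers, query every configured DNSBL domain for each of them, classify as spam on the first "listed" reply, classify as legitimate once every IP has at least one "not listed" reply, apply the SMTP or POP3 timeout action if the queries time out, and cache replies for up to 72 hours. The following Python is an added example that implements those rules, not ZyWALL firmware. The DNS resolver is injected so the code runs offline; the sample message, zone names and listings are constructed; skipping RFC 1918 and loopback hops when collecting routing IPs is added hardening that the page does not mention.

```python
"""DNSBL classification following the decision rules in this chapter: query
every configured DNSBL zone for each routing IP, classify spam on the first
listing, classify legitimate once every IP has at least one "not listed"
reply, apply the configured timeout action otherwise, and cache replies.

Added example, not ZyWALL firmware. The resolver is injected so the code runs
offline; the sample message, zones and listings are constructed. Skipping
RFC 1918 and loopback hops is added hardening the page does not describe."""
from __future__ import annotations

import email
import ipaddress
import re
import time

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # DNSBLs answer in this range when an IP is listed
CACHE_TTL = 72 * 3600                             # the chapter's 72-hour reply cache
_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_SKIP_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def routing_ips(raw_message: bytes, n: int, from_first: bool) -> list:
    """Relay IPs from Received: headers. Each hop prepends its header, so the
    bottom-most one is the sender side: 'first N IPs' reads from the bottom,
    'last N IPs' from the top (the last servers that forwarded the mail)."""
    msg = email.message_from_bytes(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        m = _RECEIVED_IP.search(str(header))
        if m:
            hops.append(m.group(1))
    ordered = list(reversed(hops)) if from_first else hops
    picked = []
    for ip in ordered:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if any(addr in net for net in _SKIP_NETS) or ip in picked:
            continue
        picked.append(ip)
        if len(picked) == n:
            break
    return picked


def dnsbl_qname(ip: str, zone: str) -> str:
    """192.0.2.1 checked against zone bl.example is the query 1.2.0.192.bl.example."""
    return ".".join(reversed(ip.split("."))) + "." + zone


class DnsblChecker:
    def __init__(self, zones, resolve, now=time.time):
        self.zones = list(zones)
        self.resolve = resolve  # resolve(qname) -> list of A records ([] if none); raises TimeoutError
        self.now = now
        self.cache = {}         # qname -> (verdict, expiry)

    def lookup(self, qname: str) -> str:
        """'listed', 'clear' or 'timeout'; replies are cached, timeouts are not."""
        hit = self.cache.get(qname)
        if hit and hit[1] > self.now():
            return hit[0]
        try:
            answers = self.resolve(qname)
        except TimeoutError:
            return "timeout"
        verdict = "listed" if any(ipaddress.ip_address(a) in LISTED_NET for a in answers) else "clear"
        self.cache[qname] = (verdict, self.now() + CACHE_TTL)
        return verdict

    def classify(self, ips, timeout_action: str = "forward", query_all_zones: bool = False) -> str:
        """'spam', 'legitimate', or timeout_action ('forward' or 'drop', as set per
        protocol). With query_all_zones=False the first decisive reply wins, as the
        chapter describes; True consults every zone before clearing an e-mail."""
        if not ips:
            return "legitimate"
        cleared = set()
        for ip in ips:
            for zone in self.zones:
                verdict = self.lookup(dnsbl_qname(ip, zone))
                if verdict == "listed":
                    return "spam"  # one listing decides; later replies are ignored
                if verdict == "clear":
                    cleared.add(ip)
                    if not query_all_zones and cleared == set(ips):
                        return "legitimate"
        return "legitimate" if cleared == set(ips) else timeout_action


# Constructed message: three hops, the innermost on a private address.
SAMPLE_MESSAGE = b"\r\n".join([
    b"Received: from mx2.example.net ([198.51.100.20]) by mail.example.org; Mon, 6 Sep 2010 10:00:02 +0000",
    b"Received: from relay.example.com ([203.0.113.9]) by mx2.example.net; Mon, 6 Sep 2010 10:00:01 +0000",
    b"Received: from [192.168.1.10] by relay.example.com; Mon, 6 Sep 2010 10:00:00 +0000",
    b"From: someone@example.com",
    b"Subject: hello",
    b"",
    b"body",
])


def fake_resolver(listed, slow):
    """Offline stand-in for DNS: listed names answer 127.0.0.2, slow names time out."""
    def resolve(qname: str) -> list:
        if qname in slow:
            raise TimeoutError(qname)
        return ["127.0.0.2"] if qname in listed else []
    return resolve
```

The practical caveat is in `classify`: under the chapter's rule, a fast "not listed" reply from one DNSBL clears an IP before a slower DNSBL's "listed" reply arrives, so the verdict depends on which server answers first. `query_all_zones=True` is the conservative alternative, at the cost of waiting for the slowest zone, which is also why the timeout action for SMTP versus POP3 (page 707) deserves thought: dropping on timeout loses mail, forwarding on timeout lets spam through while a DNSBL is unreachable.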

Page 712: ...Chapter 38 Anti-Spam, ZyWALL USG 100/200 Series User's Guide, 712 ...

Page 713: ... the Active-Passive Mode screens (Section 39.3 on page 716) to use active-passive mode device HA. You can configure general active-passive mode device HA settings, view and manage the list of monitored interfaces, and synchronize backup ZyWALLs. Use the Legacy Mode screens (Section 39.5 on page 723) to use legacy mode device HA. You can configure general legacy mode HA settings, including link monitoring, co...

Page 714: ... anti-virus, IDP, application patrol and system protect, and certificates. Note: Only ZyWALLs of the same model and firmware version can synchronize. Otherwise you must manually configure the master ZyWALL's settings on the backup (by editing copies of the configuration files in a text editor, for example). Finding Out More: See Section 6.5.24 on page 112 for related information on these screens. See Section ...

Page 715: ...ionship between the master and backup ZyWALLs, such as active-active or using different ZyWALLs as the master for individual interfaces. The master and its backups must all use the same device HA mode. Click the link to go to the screen where you can configure the ZyWALL to use the device HA mode that it is not currently using. Monitored Interface Summary: This table shows the status of the interfaces ...

Page 716: ... the monitored interface's status in the virtual router. Active: This interface is up and using the virtual IP address and subnet mask. Stand-By: This interface is a backup interface in the virtual router. It is not using the virtual IP address and subnet mask. Fault: This interface is not functioning in the virtual router right now. In active-passive mode, or in legacy mode with link monitoring enabled, if...

Page 717: ...ter and backup ZyWALLs. Each monitored interface must have a static IP address and be connected to the same subnet as the corresponding interface on the backup or master ZyWALL. Virtual Router and Management IP Addresses: If a backup takes over for the master, it uses the master's IP addresses. These IP addresses are known as the virtual router IP addresses. Each interface can also have a management IP a...

Page 718: ...ddresses. 39.3.1 Configuring Active-Passive Mode Device HA. The Device HA Active-Passive Mode screen lets you configure general active-passive mode device HA settings, view and manage the list of monitored interfaces, and synchronize backup ZyWALLs. To access this screen, click Configuration > Device HA > Active-Passive Mode. Figure 481 Configuration > Device HA > Active-Passive Mode (figure labels: A 192.168.1.1, B 192.168.1.1) ...

Page 719: ...tion: This field is available for a backup ZyWALL. Select this if this ZyWALL should become the master ZyWALL if a lower-priority ZyWALL is the master when this one is enabled. If the role is master, the ZyWALL preempts by default. Cluster Settings: Cluster ID: Type the cluster ID number. A virtual router consists of a master ZyWALL and all of its backup ZyWALLs. If you have multiple ZyWALL virtual routers...

Page 720: ... Use synchronization to have a backup ZyWALL copy the master ZyWALL's configuration, certificates, AV signatures, IDP and application patrol signatures, and system protect signatures. Every interface's management IP address must be in the same subnet as the interface's IP address (the virtual router IP address). Server Address: If this ZyWALL is set to backup role, enter the IP address or Fully Qualified Do...

Page 721: ...use the same password. If you leave this field blank in the master ZyWALL, no backup ZyWALLs can synchronize from it. If you leave this field blank in a backup ZyWALL, it cannot synchronize from the master ZyWALL. Auto Synchronize: Select this to get the updated configuration automatically from the specified ZyWALL according to the specified Interval. The first synchronization begins after the specified ...

Page 722: ...idge interfaces, or disable the bridge interfaces, connect the bridge interfaces, activate device HA and finally reactivate the bridge interfaces. Virtual Router IP (VRIP) / Subnet Mask: This is the interface's static IP address and subnet mask in the virtual router. Whichever ZyWALL is currently serving as the master uses this virtual router IP address and subnet mask. These fields are blank if the interfac...

Page 723: ...erfaces that have static IP addresses. You can only enable one VRRP group for each interface, and you can only have one active VRRP group for each virtual router. If you create a VRRP group for an Ethernet interface that has a VLAN interface configured on it, make sure you create a separate VRRP group for the VLAN interface. This will avoid an IP conflict if the backup ZyWALL takes over for the master ...

Page 724: ...tion > Device HA > Legacy Mode: LABEL / DESCRIPTION. General Settings: Link Monitoring: Enable link monitoring to have the master ZyWALL shut down all of its VRRP interfaces if one of its VRRP interface links goes down. This way the backup ZyWALL takes over all of the master ZyWALL's functions. Stop Cellular/WLAN interfaces while one of monitored interface is fault: Select this to have the master ZyWALL shut d...

Page 725: ...er. Virtual Router IP / Netmask: This is the interface's IP address and subnet mask in the virtual router. Management IP / Netmask: This field displays the management IP address and subnet mask of an interface. Synchronization: Server Address: Enter the IP address or Fully Qualified Domain Name (FQDN) of the ZyWALL from which to get configuration and subscription service updates for services to which the backu...

Page 726: ... to get configuration and subscription service updates automatically from the specified ZyWALL according to the specified Interval. The first synchronization begins after the specified Interval; the ZyWALL does not synchronize immediately. Interval: This field is only available if Auto Synchronize is checked. Type the number of minutes to wait between synchronizations. Apply (switch to Legacy Mode): This a...

Page 727: ...nterface's IP address for management access. You can use this IP address to access the ZyWALL whether it is the master or a backup. This management IP address must be in the same subnet as the interface IP address; otherwise the backup ZyWALL cannot synchronize with the master via this VRRP interface. Manage IP Subnet Mask: Enter the subnet mask of the interface's management IP address. Role: Select the role ...

Page 728: ...on method and password. Choices are: None: this virtual router does not use any authentication method. Text: this virtual router uses a plain-text password for authentication. Type the password in the field next to the radio button. The password can consist of alphanumeric characters, the underscore and some punctuation marks, and it can be up to eight characters long. IP AH MD5: this virtual router uses an...

Page 729: ...ckup ZyWALL B are not connected. 2 Configure the bridge interface on the master ZyWALL, set the bridge interface as a monitored interface and activate device HA. 3 Configure the bridge interface on the backup ZyWALL, set the bridge interface as a monitored interface and activate device HA. (Figure labels: A, B, Br0, ge4, ge5) ...

Page 730: ...ridge interfaces, activate device HA and finally reactivate the bridge interfaces, as shown in the following example. 1 In this case the ZyWALLs are already connected but the bridge interfaces have not been configured yet. Configure a bridge interface on the master ZyWALL but leave it disabled. Then set the bridge interface as a monitored interface and activate device HA. (Figure labels: A, B, Br0, ge4, ge5) ...

Page 731: ...terface on the backup ZyWALL. Then set the bridge interface as a monitored interface and activate device HA. 3 Enable the bridge interface on the master ZyWALL and then on the backup ZyWALL. 4 Connect the ZyWALLs. (Figure labels: A, B, Br0, ge4, ge5, Disabled) ...

Page 732: ...ame IP address as the default gateway and forwards traffic for the network. ZyWALL B is a backup. It is using its management IP address, 192.168.10.112. ZyWALL A sends regular messages to ZyWALL B to let ZyWALL B know that ZyWALL A is available. If ZyWALL A becomes unavailable, it stops sending messages to ZyWALL B. ZyWALL B detects this and assumes the role of the master. This is illustrated below. Figure...
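The "regular messages" on page 732 are VRRP advertisements, and the legacy mode VRRP group screen on page 728 offers None, Text (a plain-text password of up to eight characters) and IP AH MD5 as the authentication choices. The following Python is an added example, not ZyWALL code, that frames and parses a VRRPv2 advertisement (RFC 2338 / RFC 3768 layout: version and type byte 0x21, VRID, priority, address count, authentication type, advertisement interval, checksum, virtual IP addresses, then eight bytes of authentication data) and applies the backup-side timer and preemption rules from page 719. VRID, priorities, addresses and the password are constructed; IP AH (MD5) is IPsec applied outside the VRRP payload and is not modelled.

```python
"""VRRPv2 advertisement framing with the None and Text authentication choices
from the Legacy Mode VRRP group screen, plus the backup-side timer and
preemption rules behind "ZyWALL B detects this and assumes the role of the master".

Added example, not ZyWALL code: VRID, priorities, addresses and password are
constructed. IP AH (MD5) is done by IPsec outside the VRRP payload and is not modelled."""
import hmac
import ipaddress
import struct

VRRP_VERSION, VRRP_ADVERTISEMENT = 2, 1
AUTH_NONE, AUTH_SIMPLE_TEXT, AUTH_IP_AH = 0, 1, 2
VRRP_MULTICAST, VRRP_IP_PROTOCOL, VRRP_TTL = "224.0.0.18", 112, 255  # where the packet is sent


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum over the VRRP message; 0 when verifying an intact packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid: int, priority: int, vips, adver_int: int = 1,
                        auth_type: int = AUTH_NONE, password: bytes = b"") -> bytes:
    if not (1 <= vrid <= 255 and 0 <= priority <= 255 and 1 <= adver_int <= 255):
        raise ValueError("vrid 1-255, priority 0-255, adver_int 1-255")
    if auth_type == AUTH_SIMPLE_TEXT:
        if not 1 <= len(password) <= 8:
            raise ValueError("text password is 1 to 8 bytes")
        auth = password.ljust(8, b"\x00")  # sent in clear in every advertisement
    else:
        auth = bytes(8)
    head = struct.pack("!BBBBBB", (VRRP_VERSION << 4) | VRRP_ADVERTISEMENT,
                       vrid, priority, len(vips), auth_type, adver_int)
    body = b"".join(ipaddress.IPv4Address(v).packed for v in vips) + auth
    csum = ones_complement_checksum(head + b"\x00\x00" + body)
    return head + struct.pack("!H", csum) + body


def parse_advertisement(pkt: bytes) -> dict:
    """Validate framing and checksum; raise ValueError on anything malformed."""
    if len(pkt) < 16:
        raise ValueError("short packet")
    vt, vrid, prio, count, auth_type, adver_int, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != VRRP_VERSION or vt & 0x0F != VRRP_ADVERTISEMENT:
        raise ValueError("not a VRRPv2 advertisement")
    if len(pkt) != 8 + 4 * count + 8:
        raise ValueError("length does not match address count")
    if ones_complement_checksum(pkt) != 0:
        raise ValueError("bad checksum")
    vips = [str(ipaddress.IPv4Address(pkt[8 + 4 * i: 12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "vips": vips, "auth_type": auth_type,
            "adver_int": adver_int, "auth_data": pkt[8 + 4 * count:]}


def authenticate(adv: dict, expected_type: int, password: bytes = b"") -> bool:
    """Accept only our auth type; for Text, the 8-byte field must equal our password.
    This keeps misconfigured routers apart, not attackers: the password is readable
    by anyone on the segment, so the VRRP LAN must itself be trusted."""
    if adv["auth_type"] != expected_type:
        return False
    if expected_type == AUTH_SIMPLE_TEXT:
        return hmac.compare_digest(adv["auth_data"], password.ljust(8, b"\x00"))
    return True


def master_down_interval(adver_int: int, local_priority: int) -> float:
    """Seconds a backup waits without advertisements before becoming master:
    three intervals plus skew time, so higher-priority backups react first."""
    return 3 * adver_int + (256 - local_priority) / 256


def backup_takes_over(local_priority: int, adv: dict, preempt: bool) -> bool:
    """Priority 0 means the master is resigning. Otherwise a backup only takes
    over a live master when preemption is on and it outranks the sender."""
    if adv["priority"] == 0:
        return True
    return preempt and local_priority > adv["priority"]
```

The checksum catches corruption, not tampering, and the Text password protects only against accidental mixing of virtual routers: a host on the same segment can read the password from any advertisement, replay it with priority 255 and, if preemption is enabled on the backups, take the virtual router IP. That is the reason to keep the HA segment (and, per page 733, the synchronization path) on a network only the two ZyWALLs can reach.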

Page 733: ...it is still recommended that the backup ZyWALL synchronize with a master ZyWALL on a secure network. The backup ZyWALL gets the configuration from the master ZyWALL. The backup ZyWALL cannot become the master or be managed while it applies the new configuration. This usually takes two or three minutes, or longer depending on the configuration complexity. The following restrictions apply with active-pas...

Page 734: ...Chapter 39 Device HA, ZyWALL USG 100/200 Series User's Guide, 734 ...

Page 735: ...access users and other user groups. You cannot put admin users in user groups. The Setting screen (see Section 40.4 on page 743) controls default settings, login settings, lockout settings and other user settings for the ZyWALL. You can also use this screen to specify when users must log in to the ZyWALL before it routes traffic for them. 40.1.2 What You Need To Know. User Account: A user account defines th...

Page 736: ... 779, respectively. Note: If the ZyWALL tries to authenticate an ext-user using the local database, the attempt always fails. Once an ext-user user has been authenticated, the ZyWALL tries to get the user type (see Table 194 on page 735) from the external server. If the external server does not have the information, the ZyWALL sets the user type for this session to User. For the rest of the user attributes, s...

Page 737: ... not have to log into the ZyWALL to use the network services it provides. The ZyWALL automatically routes packets for everyone. If you want to restrict network services that certain users can use via the ZyWALL, you can require them to log in to the ZyWALL first. The ZyWALL is then aware of the user who is logged in, and you can create user-aware policies that define what services they can use. See Sect...

Page 738: ...llowing characters: Alphanumeric A-z 0-9 (there is no unicode support); _ (underscores). Table 195 Configuration > Object > User/Group: LABEL / DESCRIPTION. Add: Click this to create a new entry. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing...

Page 739: ...ia CIFS or FTP, it will use the account settings used for BOB, not bob. User names have to be different than user group names. Here are the reserved user names. To access this screen, go to the User screen (see Section 40.2 on page 738) and click either the Add icon or an Edit icon. Figure 488 Configuration > User/Group > User > Add. Reserved user names: adm admin any bin daemon debug devicehaecived ftp games halt ldap users lp mail ...

Page 740: ... 4-31 alphanumeric characters. Retype: This field is not available if you select the ext-user or ext-group-user type. Group Identifier: This field is available for an ext-group-user type user account. Specify the value of the AD or LDAP server's Group Membership Attribute that identifies the group to which this user belongs. Associated AAA Server Object: This field is available for an ext-group-user type u...

Page 741: ... the number of minutes unlimited. Unlike Lease Time, the user has no opportunity to renew the session without logging out. Configuration Validation: Use a user account from the group specified above to test if the configuration is correct. Enter the account's user name in the User Name field and click Test. OK: Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen witho...

Page 742: ...ame: This field displays the name of each user group. Description: This field displays the description for each user group. Member: This field lists the members in the user group. Each member is separated by a comma. Table 197 Configuration > Object > User/Group > Group (continued): LABEL / DESCRIPTION. Table 198 Configuration > User/Group > Group > Add: LABEL / DESCRIPTION. Name: Type the name for this user group. You may use ...

Page 743: ... have been added to the user group. The order of members is not important. Select users and groups from the Available list that you want to be members of this group and move them to the Member list. You can double-click a single entry to move it, or use the Shift or Ctrl key to select multiple entries and use the arrow button to move them. Move any members you do not want included to the Available list...

Page 744: ...r Authentication Timeout Settings. Default Authentication Timeout Settings: These authentication timeout settings are used by default when you create a new user account. They also control the settings for any existing user accounts that are set to use the default settings. You can still manually configure any user account's authentication timeout settings. Edit: Double-click an entry or select it and cl...

Page 745: ...omatically (see Section 40.4 on page 743), the users can select this check box on their screen as well. In this case the session is automatically renewed before the lease time expires. Reauthentication Time: This is the default reauthentication time in minutes for each type of user account. It defines the number of minutes the user can be logged into the ZyWALL in one session before having to log in agai...

Page 746: ... limit on the number of simultaneous logins by non-admin users. If you do not select this, access users can log in as many times as they want, as long as they use different IP addresses. Maximum number per access account: This field is effective when Limit for access account is checked. Type the maximum number of simultaneous logins by each access user. User Lockout Settings: Enable logon retry limit: Selec...

Page 747: ...s maintained in a remote server such as RADIUS or LDAP. See Ext-Group-User Accounts on page 737 for more information about this type. Lease Time: Enter the number of minutes this type of user account has to renew the current session before the user is logged out. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Admin users renew the session every time the main ...

Page 748: ...tomatically logs them out. The ZyWALL sets this amount of time according to: the User-defined lease time field in this screen; the Lease time field in the User Add/Edit screen (see Section 40.2.1 on page 738); the Lease time field in the Setting screen (see Section 40.4 on page 743). Updating lease time automatically: This box appears if you checked the Allow renewing lease time automatically box in the Setting scr...

Page 749: ...a large number of Ext-User accounts, you might use CLI commands instead of the Web Configurator to create the accounts. Extract the user names from the LDAP or RADIUS server and create a shell script that creates the user accounts. See Chapter 52 on page 897 for more information about shell scripts. Table 202 LDAP/RADIUS Keywords for User Attributes: KEYWORD / CORRESPONDING ATTRIBUTE IN WEB CONFIGURATOR ...
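Page 749 suggests extracting user names from the LDAP or RADIUS server and generating a shell script of CLI commands for bulk account creation. The Python below is an added example, not ZyWALL code, that does this while enforcing the naming rules this chapter states before a single command is emitted: alphanumeric and underscore only with no unicode (page 738), no reserved user names and no clash with a user group name (page 739), and no two names that differ only in case, because page 739 notes that a CIFS or FTP login as bob would use BOB's settings. The command form `username <name> user-type ext-user` is an assumption to be checked against the CLI Reference Guide, and the LDIF sample is constructed.

```python
"""Generate the bulk-creation shell script page 749 suggests for ext-user
accounts, with this chapter's naming rules enforced first.

Added example, not ZyWALL code. The command form `username <name> user-type
ext-user` is an assumption to verify against the CLI Reference Guide; the
LDIF sample is constructed. Comparisons are case-insensitive on purpose: the
page notes that a CIFS/FTP login as 'bob' would use BOB's settings."""
import re

# Reserved user names as far as they are visible on page 739 (the page's list is
# truncated, and one entry was extracted as "ldap users"; both tokens are kept).
RESERVED_USER_NAMES = {
    "adm", "admin", "any", "bin", "daemon", "debug", "devicehaecived", "ftp",
    "games", "halt", "ldap", "users", "lp", "mail",
}
_NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")  # alphanumeric and underscore only, no unicode


def parse_ldif_uids(ldif: str) -> list:
    """uid: values from an LDIF dump such as ldapsearch output."""
    return [m.group(1).strip() for m in re.finditer(r"^uid:\s*(.+)$", ldif, re.M)]


def validate_user_names(names, group_names=()):
    """Return (accepted, rejected); rejected is a list of (name, reason)."""
    accepted, rejected = [], []
    groups = {g.lower() for g in group_names}
    first_seen = {}  # lower-cased name -> the name as first encountered
    for name in names:
        lc = name.lower()
        if not _NAME_RE.match(name):
            rejected.append((name, "characters outside A-Z, a-z, 0-9 and _"))
        elif lc in RESERVED_USER_NAMES:
            rejected.append((name, "reserved user name"))
        elif lc in groups:
            rejected.append((name, "same as a user group name"))
        elif lc in first_seen:
            rejected.append((name, "case-insensitive duplicate of " + first_seen[lc]))
        else:
            first_seen[lc] = name
            accepted.append(name)
    return accepted, rejected


def cli_script(names, user_type: str = "ext-user") -> str:
    """Assumed ZyWALL CLI form; verify the syntax against the CLI Reference Guide."""
    lines = ["configure terminal"]
    lines += ["username %s user-type %s" % (n, user_type) for n in names]
    lines += ["write", "exit"]
    return "\n".join(lines) + "\n"


# Constructed LDIF export with one entry of each problem kind.
SAMPLE_LDIF = """dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
dn: uid=BOB,ou=people,dc=example,dc=com
uid: BOB
dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
dn: uid=admin,ou=people,dc=example,dc=com
uid: admin
dn: uid=jörg,ou=people,dc=example,dc=com
uid: jörg
dn: uid=sales,ou=people,dc=example,dc=com
uid: sales
"""


def generate(ldif: str, group_names=()):
    """Validate the exported names and return (script, rejected)."""
    accepted, rejected = validate_user_names(parse_ldif_uids(ldif), group_names)
    return cli_script(accepted), rejected
```

Rejected names are returned rather than silently dropped so the list can be reconciled with the directory before the script is run; a rejected name that is needed on the ZyWALL has to be renamed on the directory side, since ext-user accounts are authenticated against it.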

Page 750: ...Chapter 40 User/Group, ZyWALL USG 100/200 Series User's Guide, 750 ...

Page 751: ...ed in dynamic routes, firewall rules, application patrol, content filtering and VPN connection policies. For example, addresses are used to specify where content restrictions apply in content filtering. Please see the respective sections for more information about how address objects and address groups are used in each one. Address groups are composed of address objects and address groups. The sequence of...

Page 752: ...dd: Click this to create a new entry. Edit: Double-click an entry or select it and click Edit to be able to modify the entry's settings. Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Object References: Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 13.3.2 on page 312 for an...

Page 753: ...ddress, subnet or gateway if the interface's IP address settings change. For example, if you change ge1's IP address, the ZyWALL automatically updates the corresponding interface-based LAN subnet address object. IP Address: This field is only available if the Address Type is HOST. This field cannot be blank. Enter the IP address that this address object represents. Starting IP Address: This field is only av...

Page 754: ...ect represents. OK: Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving your changes. Table 204 Configuration > Object > Address > Address > Edit (continued): LABEL / DESCRIPTION. Table 205 Configuration > Object > Address > Address Group: LABEL / DESCRIPTION. Add: Click this to create a new entry. Edit: Double-click an entry or select it and click Edit to be able to modify t...

Page 755: ..._ or dashes (-), but the first character cannot be a number. This value is case-sensitive. Description: This field displays the description of each address group, if any. You can use up to 60 characters, punctuation marks and spaces. Member List: The Member list displays the names of the address and address group objects that have been added to the address group. The order of members is not important. Select ite...

Page 756: ...Chapter 41 Addresses, ZyWALL USG 100/200 Series User's Guide, 756 ...

Page 757: ...next-level protocol that is sent in this packet. This section discusses three of the most common IP protocols. Computers use Transmission Control Protocol (TCP, IP protocol 6) and User Datagram Protocol (UDP, IP protocol 17) to exchange data with each other. TCP guarantees reliable delivery but is slower and more complex. Some uses are FTP, HTTP, SMTP and TELNET. UDP is simpler and faster but is less reliable ...

Page 758: ...fine IP protocols TCP applications UDP applications ICMP messages user defined services for other types of IP protocols These objects are used in policy routes firewall rules and IDP profiles Use service groups when you want to create the same rule for several services instead of creating separate rules for each service Service groups may consist of services and other service groups The sequence o...

Page 759: ...dit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 2 on page 312 for an example This field is a sequential v...

Page 760: ...e You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive IP Protocol Select the protocol the service uses Choices are TCP UDP ICMP and User Defined Starting Port Ending Port This field appears if the IP Protocol is TCP or UDP Specify the port number s used by this service If you fill in one of these fields the servic...

Page 761: ...nd click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 2 on page 312 for an example This field is a sequential value and it is not associated with a spe...

Page 762: ...cters underscores _ or dashes but the first character cannot be a number This value is case sensitive Description Enter a description of the service group if any You can use up to 60 printable ASCII characters Member List The Member list displays the names of the service and service group objects that have been added to the service group The order of members is not important Select items from the ...
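The pages above describe service objects (protocol number plus a TCP/UDP port range) and service groups that may contain other groups. The following is an added example, not the manual's or ZyXEL's code, showing how a firewall rule built on such a group is evaluated: the group is flattened through its nested members, a self-referencing group is rejected instead of looping, and a (protocol, destination port) pair is matched against the result. The service names, group names and packet values are constructed for illustration; ICMP is matched by protocol number only in this model.

```python
"""Service objects and nested service groups, modelled on the object types
described above. Added example, not the manual's or ZyXEL's code; the
sample services, group names and packet tuples are constructed."""
from dataclasses import dataclass

TCP, UDP, ICMP = 6, 17, 1        # IANA IP protocol numbers


@dataclass(frozen=True)
class Service:
    name: str
    protocol: int                # IP protocol number
    start_port: int = 0          # TCP/UDP only; 0 when not applicable
    end_port: int = 0

    def matches(self, protocol: int, dport: int) -> bool:
        if protocol != self.protocol:
            return False
        if self.protocol not in (TCP, UDP):
            return True          # ICMP / user-defined: the protocol number decides
        return self.start_port <= dport <= self.end_port


@dataclass(frozen=True)
class ServiceGroup:
    name: str
    members: tuple               # names of services or of other groups


def flatten(group_name, services, groups, _path=None):
    """Resolve a group, including groups nested inside it, into the set of
    Service objects it stands for. Member order is irrelevant. A group that
    directly or indirectly contains itself raises instead of recursing forever."""
    path = set() if _path is None else _path
    if group_name in path:
        raise ValueError(f"service group cycle via {group_name!r}")
    path.add(group_name)
    resolved = set()
    for member in groups[group_name].members:
        if member in services:
            resolved.add(services[member])
        elif member in groups:
            resolved |= flatten(member, services, groups, path)
        else:
            raise KeyError(f"unknown service object {member!r}")
    path.discard(group_name)
    return resolved


def packet_hits_group(protocol, dport, group_name, services, groups):
    """Would a rule built on this group match a (protocol, destination port) packet?"""
    return any(s.matches(protocol, dport)
               for s in flatten(group_name, services, groups))


# Constructed sample objects
SERVICES = {s.name: s for s in (
    Service("HTTP", TCP, 80, 80),
    Service("HTTPS", TCP, 443, 443),
    Service("DNS_UDP", UDP, 53, 53),
    Service("RDP", TCP, 3389, 3389),
    Service("PING", ICMP),
)}
GROUPS = {
    "Web": ServiceGroup("Web", ("HTTP", "HTTPS")),
    "Infra": ServiceGroup("Infra", ("DNS_UDP", "PING")),
    "AllowOut": ServiceGroup("AllowOut", ("Web", "Infra")),    # group inside a group
    "Loop": ServiceGroup("Loop", ("AllowOut", "Loop")),         # misconfiguration
}

if __name__ == "__main__":
    print(sorted(s.name for s in flatten("AllowOut", SERVICES, GROUPS)))
    print(packet_hits_group(TCP, 443, "AllowOut", SERVICES, GROUPS))   # True
    print(packet_hits_group(TCP, 3389, "AllowOut", SERVICES, GROUPS))  # False
```

Because a rule that references a group silently inherits every service the nested groups contain, flattening a group this way before deploying a rule is the quickest check that an "allow" rule does not admit more than intended.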

Page 763: ...list of all schedules in the ZyWALL. Use the One Time Schedule Add/Edit screen (Section 43.2.1 on page 765) to create or edit a one-time schedule. Use the Recurring Schedule Add/Edit screen (Section 43.2.2 on page 766) to create or edit a recurring schedule. 43.1.2 What You Need to Know. One-time Schedules: One-time schedules begin on a specific start date and time and end on a specific stop date and time...

Page 764: ...11 Configuration > Object > Schedule LABEL / DESCRIPTION. One Time. Add: Click this to create a new entry. Edit: Double-click an entry or select it and click Edit to be able to modify the entry's settings. Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Object References: Select an entry and click Object References to open a screen that shows which...

Page 765: ...yWALL confirms you want to remove it before doing so. Object References: Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 13.3.2 on page 312 for an example. This field is a sequential value, and it is not associated with a specific schedule. Name: This field displays the name of the schedule, which is used to refer to the schedule. Start Time...

Page 766: ...llegal dates such as February 31. Hour (0-23), Minute (0-59). StartTime: Specify the hour and minute when the schedule begins. Hour (0-23), Minute (0-59). StopDate: Specify the year, month and day when the schedule ends. Year (1900-2999), Month (1-12), Day (1-31); it is not possible to specify illegal dates such as February 31. Hour (0-23), Minute (0-59). StopTime: Specify the hour and minute when the schedule ends. Hour (0-23), Minute...

Page 767: ...ecurring LABEL / DESCRIPTION. Configuration. Name: Type the name used to refer to the recurring schedule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. Date/Time. StartTime: Specify the hour and minute when the schedule begins each day. Hour (0-23), Minute (0-59). StopTime: Specify the hour and minute when the schedule ends...

Page 769: ...ects, see Chapter 45 on page 779. 44.1.1 Directory Service (AD/LDAP). LDAP/AD allows a client (the ZyWALL) to connect to a server to retrieve information from a directory. A network example is shown next. Figure 507 Example: Directory Service Client and Server. The following describes the user authentication procedure via an LDAP/AD server. 1 A user logs in with a user name and password pair. 2 The ZyWALL trie...

Page 770: ...d OTP feature. Purchase a ZyWALL OTP package in order to use this feature. The package contains server software and physical OTP tokens (PIN generators). Do the following to use OTP. See the documentation included on the ASAS CD for details. 1 Install the ASAS server software on a computer. 2 Create user accounts on the ZyWALL and in the ASAS server. 3 Import each token's database file (located on the inclu...

Page 771: ...authenticate VPN users. Directory Service (LDAP/AD): LDAP (Lightweight Directory Access Protocol)/AD (Active Directory) is a directory service that is both a directory and a protocol for controlling access to a network. The directory consists of a database specialized for fast information retrieval and filtering activities. You create and store user profile and login information on the external server. RADIU...

Page 772: ...yCompany, c=JP. Base DN: A base DN specifies a directory. A base DN usually contains information such as the name of an organization, a domain name and/or country. For example, o=MyCompany, c=UK, where o means organization and c means country. Bind DN: A bind DN is used to authenticate with an LDAP/AD server. For example, a bind DN of cn=zywallAdmin allows the ZyWALL to log into the LDAP/AD server using the us...

Page 773: ...LDAP Server. Click Object > AAA Server > Active Directory (or LDAP) to display the Active Directory (or LDAP) screen. Click the Add icon or an Edit icon to display the... Table 214 Configuration > Object > AAA Server > Active Directory (or LDAP) LABEL / DESCRIPTION. Add: Click this to create a new entry. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. Remove...

Page 774: ...IPTION. Name: Enter a descriptive name (up to 63 alphanumerical characters) for identification purposes. Description: Enter the description of each server, if any. You can use up to 60 printable ASCII characters. Server Address: Enter the address of the AD or LDAP server. Backup Server Address: If the AD or LDAP server has a backup server, enter its address here. Port: Specify the port number on the AD or LDAP s...

Page 775: ...US. Login Name Attribute: Enter the type of identifier the users are to use to log in. For example, name or e-mail address. Alternative Login Name Attribute: If there is a second type of identifier that the users can use to log in, enter it here. For example, name or e-mail address. Group Membership Attribute: An AD or LDAP server defines attributes for its accounts. Enter the name of the attribute that the...
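The AD/LDAP settings above (Base DN, Bind DN, Login Name Attribute, Alternative Login Name Attribute, Group Membership Attribute) translate into one directory search: bind as the configured service account, then search under the base DN for an entry whose login attribute equals the name the user typed. The following is an added example, not ZyXEL's code, of how that search filter should be built. Its point is RFC 4515 escaping: the user-typed name must not be able to change the shape of the filter, otherwise a name such as `*` turns a one-user lookup into a match on every account. The directory entries, DNs and attribute names are constructed; the evaluator at the bottom understands only a single `(attr=value)` filter, which is enough to show the difference between the escaped and the concatenated filter.

```python
"""The LDAP lookup behind the AD/LDAP AAA server settings: search under the
Base DN for the Login Name Attribute (optionally also the Alternative Login
Name Attribute) equal to the user name, then read the Group Membership
Attribute. Added example, not ZyXEL's code; entries and DNs are constructed."""
import re


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for assertion values: backslash, '*', '(', ')' and NUL
    become \\XX, so the user name cannot alter the filter structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def login_filter(login_attr, username, alt_login_attr=None):
    """(uid=alice) or, with an alternative attribute, (|(uid=alice)(mail=alice))."""
    v = escape_filter_value(username)
    if alt_login_attr is None:
        return f"({login_attr}={v})"
    return f"(|({login_attr}={v})({alt_login_attr}={v}))"


def naive_filter(login_attr, username):
    """Plain string concatenation, kept only to show what goes wrong."""
    return f"({login_attr}={username})"


def group_ids(entry, group_attr):
    """Values of the group membership attribute, always returned as a list;
    these are what the gateway compares against its ext-group-user objects."""
    vals = entry.get(group_attr, [])
    return list(vals) if isinstance(vals, (list, tuple)) else [vals]


# --- a toy evaluator for (attr=value) filters over constructed entries ---
_EQ = re.compile(r"^\((\w+)=(.*)\)$", re.S)


def _unescape(s):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _glob_match(parts, text):
    """parts: literal pieces that were separated by unescaped '*' wildcards."""
    if len(parts) == 1:
        return text == parts[0]
    if not (text.startswith(parts[0]) and text.endswith(parts[-1])):
        return False
    pos = len(parts[0])
    for piece in parts[1:-1]:
        i = text.find(piece, pos)
        if i < 0:
            return False
        pos = i + len(piece)
    return pos <= len(text) - len(parts[-1])


def entries_matching(flt, directory):
    """Return the DNs of constructed entries matched by a single equality or
    substring filter. An unescaped '*' is a wildcard; an escaped \\2a is a
    literal asterisk and therefore matches no real user name."""
    m = _EQ.match(flt)
    if not m:
        raise ValueError("this toy evaluator handles a single (attr=value) filter only")
    attr, raw = m.group(1), m.group(2)
    parts = [_unescape(p) for p in raw.split("*")]   # split on real wildcards first
    hits = []
    for entry in directory:
        vals = entry.get(attr)
        vals = vals if isinstance(vals, list) else [vals]
        if any(v is not None and _glob_match(parts, v) for v in vals):
            hits.append(entry["dn"])
    return hits


BASE_DN = "o=MyCompany,c=UK"
DIRECTORY = [   # constructed entries
    {"dn": "uid=alice,ou=people," + BASE_DN, "uid": "alice",
     "mail": "alice@mycompany.example", "memberOf": ["cn=vpn-users,ou=groups," + BASE_DN]},
    {"dn": "uid=bob,ou=people," + BASE_DN, "uid": "bob",
     "mail": "bob@mycompany.example", "memberOf": ["cn=staff,ou=groups," + BASE_DN]},
]

if __name__ == "__main__":
    print(naive_filter("uid", "*"), entries_matching(naive_filter("uid", "*"), DIRECTORY))
    print(login_filter("uid", "*"), entries_matching(login_filter("uid", "*"), DIRECTORY))
```

Two further points a practitioner would check on the real configuration: the account behind the Bind DN needs read access only (its password is stored on the gateway, so it should not be able to change directory data), and the Group Membership Attribute should be one the user cannot write to themselves.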

Page 776: ...is the address of the AD or LDAP server. Base DN: This specifies a directory. For example, o=ZyXEL, c=US. Host: Enter the IP address (in dotted decimal notation) or the domain name (up to 63 alphanumeric characters) of a RADIUS server. Authentication Port: The default port of the RADIUS server for authentication is 1812. You need not change this value unless your network administrator instructs you to do so wi...

Page 777: ...S Add LABEL / DESCRIPTION. Name: Enter a descriptive name (up to 63 alphanumerical characters) for identification purposes. Description: Enter the description of each server, if any. You can use up to 60 printable ASCII characters. Server Address: Enter the address of the RADIUS server. Authentication Port: Specify the port number on the RADIUS server to which the ZyWALL sends authentication requests. Enter a nu...

Page 778: ...defines attributes for its accounts. Select the name and number of the attribute that the ZyWALL is to check to determine to which group a user belongs. If it does not display, select user-defined and specify the attribute's number. This attribute's value is called a group identifier; it determines to which group a user belongs. You can add ext-group-user user objects to identify groups based on these g...

Page 779: ...bject > Auth. Method screens (Section 45.2 on page 780) to create and manage authentication method objects. Finding Out More: See Section 7.7.3 on page 150 for an example of how to set up user authentication using a RADIUS server. 45.1.2 Before You Begin: Configure AAA server objects (see Chapter 44 on page 769) before you configure authentication method objects. 45.1.3 Example: Selecting a VPN Authentication...

Page 780: ...u can create up to 16 authentication method objects. Figure 515 Configuration > Object > Auth. Method. The following table describes the labels in this screen. Table 218 Configuration > Object > Auth. Method LABEL / DESCRIPTION. Add: Click this to create a new entry. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. Remove: To remove an entry, select it...

Page 781: ...st column is important. The ZyWALL authenticates the users using the databases (the local user database or the external authentication servers) in the order they appear in this screen. If two accounts with the same username exist on two authentication servers you specify, the ZyWALL does not continue the search on the second authentication server when you enter the username and password that doesn't...

Page 782: ...The ZyWALL confirms you want to remove it before doing so. Move: To change a method's position in the numbered list, select the method and click Move to display a field, type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed. The ordering of your methods is important, as the ZyWALL authenticates the users using the authentication methods in the order they...

Page 783: ...Add icon: Click Add to add a new entry. Click Edit to edit the settings of an entry. Click Delete to delete an entry. OK: Click OK to save the changes. Cancel: Click Cancel to discard the changes. Table 219 Configuration > Object > Auth. Method > Add (continued) LABEL / DESCRIPTION...
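Pages 781 and 782 describe the ordering rule for an authentication method object: the configured databases are consulted in list order, and the search stops at the first database that holds the user name, even if the password does not match there. The following is an added example, not ZyXEL's code, that models that rule with constructed databases so the consequence is visible: an account that exists both locally and on an external server is decided by whichever database comes first, and the other server's password is never tried.

```python
"""First-match semantics of an ordered authentication method list, as the
Auth. Method chapter describes them. Added example, not ZyXEL's code; the
databases and credentials below are constructed (plaintext for illustration)."""
from hmac import compare_digest


class Database:
    def __init__(self, name, accounts):
        self.name = name
        self.accounts = accounts          # {username: password}

    def knows(self, username):
        return username in self.accounts

    def check(self, username, password):
        # constant-time comparison; a real database verifies a password hash
        return compare_digest(self.accounts[username].encode(), password.encode())


def authenticate(methods, username, password):
    """Try the databases in the configured order. The first one that knows the
    user decides; later databases are not consulted even on a wrong password.
    Returns (result, database_name) with result 'ok', 'bad-password' or
    'no-such-user'."""
    for db in methods:
        if db.knows(username):
            return ("ok" if db.check(username, password) else "bad-password"), db.name
    return "no-such-user", None


# Constructed databases: 'admin' exists in both, with different passwords
LOCAL = Database("local", {"admin": "local-admin-pw"})
RADIUS = Database("radius", {"alice": "s3cret", "admin": "radius-admin-pw"})

if __name__ == "__main__":
    print(authenticate([LOCAL, RADIUS], "alice", "s3cret"))            # ('ok', 'radius')
    print(authenticate([LOCAL, RADIUS], "admin", "radius-admin-pw"))   # ('bad-password', 'local')
    print(authenticate([RADIUS, LOCAL], "admin", "radius-admin-pw"))   # ('ok', 'radius')
```

The practical consequence: a stale local account with the same name as a directory account shadows the directory account when "local" is listed first, and a directory account shadows the local one when the external server is listed first. Review duplicate user names across the databases whenever the method order is changed.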

Page 785: ...rusted certificate. It also trusts any valid certificate signed by any of the certificates that you have imported as a trusted certificate. 46.1.2 What You Need to Know. When using public-key cryptography for authentication, each host has two keys. One key is public and can be made openly available. The other key is private and must be kept secure. These keys work like a handwritten signature (in fact, certi...

Page 786: ...ion algorithm. The certification authority uses its private key to sign certificates. Anyone can then use the certification authority's public key to verify the certificates. A certification path is the hierarchy of certification authority certificates that validate a certificate. The ZyWALL does not trust a certificate if any certificate on its path has expired or been revoked. Certification authoriti...

Page 787: ...etters and numerals to convert a binary PKCS#7 certificate into a printable form. Binary PKCS#12: This is a format for transferring public key and private key certificates. The private key in a PKCS#12 file is within a password-encrypted envelope. The file's password is not connected to your certificate's public or private passwords. Exporting a PKCS#12 file creates this and you must provide it to decr...

Page 788: ...to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields. Figure 518 Certificate Details. 4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTP...
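The out-of-band check on page 788 compares the thumbprint shown for the certificate with the one the owner reports. The following is an added example, not ZyXEL's code, of what that thumbprint is: a hash over the DER bytes of the certificate, which can be recomputed from the PEM text the ZyWALL displays and compared with a value read out over the phone (ignoring the colons, spaces and letter case people drop when reading it). The PEM blob is a constructed placeholder of valid base64, not a real certificate, because the hash does not depend on what the DER contains. The Windows Thumbprint field uses SHA-1; the same code computes a SHA-256 thumbprint, which is the one to compare today since SHA-1 collisions are practical.

```python
"""Recompute a certificate thumbprint from its PEM form and compare it with
an out-of-band value, as the Certificates chapter describes. Added example,
not ZyXEL's code; SAMPLE_PEM wraps constructed placeholder bytes."""
import base64
import hashlib
import re
from hmac import compare_digest

_PEM = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and base64-decode the body; the hash covers the DER."""
    m = _PEM.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(m.group(1).split())          # drop the 64/76-column line breaks
    return base64.b64decode(body, validate=True)


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Colon-separated upper-case hex, the layout browsers show in the Thumbprint
    field. 'sha1' reproduces the Windows Thumbprint; 'sha256' is preferred."""
    h = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def thumbprints_match(reported: str, der: bytes, algorithm: str = "sha256") -> bool:
    """Compare the value the owner reports with the one computed locally.
    Colons, spaces and case are normalised away before a constant-time compare."""
    def norm(s):
        return re.sub(r"[^0-9a-f]", "", s.lower())
    return compare_digest(norm(reported), norm(fingerprint(der, algorithm)))


# Constructed stand-in for DER bytes; a real certificate would be used here.
PLACEHOLDER_DER = bytes(range(0x30, 0x30 + 64))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(PLACEHOLDER_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("SHA-1  ", fingerprint(der, "sha1"))
    print("SHA-256", fingerprint(der))
    print(thumbprints_match(fingerprint(der).replace(":", "").lower(), der))   # True
```

Compare the whole thumbprint, not a prefix, and treat any mismatch as a different certificate: the thumbprint identifies exactly one certificate, so even a re-issued certificate for the same owner will not match.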

Page 789: ...tificate or a certification request. Edit: Double-click an entry or select it and click Edit to open a screen with an in-depth list of information about the certificate. Remove: The ZyWALL keeps all of your certificates unless you specifically delete them. Uploading a new firmware or default configuration file does not delete your certificates. To remove an entry, select it and click Remove. The ZyWALL co...

Page 790: ...wner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information. Issuer: This field displays identifying information about the certificate's issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certifi...

Page 791: ...ZyWALL create a self-signed certificate, enroll a certificate with a certification authority, or generate a certification request. Figure 520 Configuration > Object > Certificate > My Certificates > Add...

Page 792: ...to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore. Organization: Identify the company or group to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore. Town (City): Identify the town or city where the certificate owner is located. You can...

Page 793: ...ies when you select Create a certification request and enroll for a certificate immediately online. Select the certification authority's enrollment protocol from the drop-down list box. Simple Certificate Enrollment Protocol (SCEP) is a TCP-based enrollment protocol that was developed by VeriSign and Cisco. Certificate Management Protocol (CMP) is a TCP-based enrollment protocol that was developed by the...

Page 794: ...When you select Create a certification request and enroll for a certificate immediately online, the certification authority may want you to include a reference number and key to identify you when you send a certification request. Fill in both the Reference Number and the Key fields if your certification authority uses the CMP enrollment protocol. Just the Key field displays if your certification auth...

Page 795: ...s Edit Screen. Click Configuration > Object > Certificate > My Certificates and then the Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate's name. Figure 521 Configuration > Object > Certificate > My Certificates > Edit...

Page 796: ...he certificate's owner signed the certificate (not a certification authority). X.509 means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates. Version: This field displays the X.509 version number. Serial Number: This field displays the certificate's identification number given by the certification authority or gen...

Page 797: ...certificate into a printable form. You can copy and paste a certification request into a certification authority's web page, into an e-mail that you send to the certification authority, or into a text editor and save the file on a management computer for later manual enrollment. You can copy and paste a certificate into an e-mail to send to friends or colleagues, or you can copy and paste a certificate into a te...

Page 798: ...es screen. You must remove any spaces from the certificate's filename before you can import it. Figure 522 Configuration > Object > Certificate > My Certificates > Import. The following table describes the labels in this screen. OK: Click OK to save your changes back to the ZyWALL. You can only change the name. Cancel: Click Cancel to quit and return to the My Certificates screen. Table 222 Configuration > Object > Ce...

Page 799: ...he certificate on the ZyWALL. Cancel: Click Cancel to quit and return to the My Certificates screen. Table 223 Configuration > Object > Certificate > My Certificates > Import (continued) LABEL / DESCRIPTION. Table 224 Configuration > Object > Certificate > Trusted Certificates LABEL / DESCRIPTION. PKI Storage Space in Use: This bar displays the percentage of the ZyWALL's PKI storage space that is currently in use. When the...

Page 800: ...entifying information about the certificate's owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information. Issuer: This field displays identifying information about the certificate's issuing certification authority, such as a common name, organizational unit or department, organization...

Page 801: ...authority's list of revoked certificates before trusting a certificate issued by the certification authority. Figure 524 Configuration > Object > Certificate > Trusted Certificates > Edit...

Page 802: ...the OCSP or LDAP server details. OCSP Server: Select this check box if the directory server uses OCSP (Online Certificate Status Protocol). URL: Type the protocol, IP address and pathname of the OCSP server. ID: The ZyWALL may need to authenticate itself in order to access the OCSP server. Type the login name (up to 31 ASCII characters) from the entity maintaining the server (usually a certification authority)...

Page 803: ...e MD5 hash algorithm. Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable. Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already...

Page 804: ...tificate. Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses lowercase letters, uppercase letters and numerals to convert a binary certificate into a printable form. You can copy and paste the certificate into an e-mail to send to friends or colleagues, or you can copy and paste the certificat...

Page 805: ...on in network traffic, since the ZyWALL only gets information on the certificates that it needs to verify, not a huge list. When the ZyWALL requests certificate status information, the OCSP server returns a good, revoked or unknown status for the certificate (these are the three certificate statuses OCSP defines; expiry is checked separately against the Valid To date). Table 226 Configuration > Object > Certificate > Trusted Certificates > Import LABEL / DESCRIPTION. File Path: Type in the location of the file you want to upload in this fi...

Page 807: ...e. See Section 13.4 on page 313 for information about PPPoE/PPTP interfaces. See Section 6.6 on page 113 for related information on these screens. 47.1.1 What You Can Do in this Chapter: Use the Object > ISP Account screens (Section 47.2 on page 807) to create and manage ISP accounts in the ZyWALL. 47.2 ISP Account Summary: This screen provides a summary of ISP accounts in the ZyWALL. To access this screen, c...

Page 808: ...this to create a new entry. Edit: Double-click an entry or select it and click Edit to be able to modify the entry's settings. Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Object References: Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 13.3.2 on page 312 for an example...

Page 809: ...Your ZyWALL accepts MSCHAP-V2 only. Encryption Method: This field is available if this ISP account uses the PPTP protocol. Use the drop-down list box to select the type of Microsoft Point-to-Point Encryption (MPPE). Options are: nomppe (this ISP account does not use MPPE), mppe-40 (this ISP account uses 40-bit MPPE) and mppe-128 (this ISP account uses 128-bit MPPE). Note that 40-bit MPPE provides very little confidentiality and nomppe none; select mppe-128 where the ISP supports it. User Name: Type the user name given to you by your...

Page 810: ...ally disconnects from the PPPoE/PPTP server. This value must be an integer between 0 and 360. If this value is zero, this timeout is disabled. OK: Click OK to save your changes back to the ZyWALL. If there are no errors, the program returns to the ISP Account screen. If there are errors, a message box explains the error and the program stays in the ISP Account Edit screen. Cancel: Click Cancel to return to t...

Page 811: ...low remote users to access an application via standard web browsers (Section 48.2.1 on page 814). You can also use the SSL Application Edit screen to specify the name of a folder on a Linux or Windows file server which remote users can access using a standard web browser (Section 48.2.2 on page 816). 48.1.2 What You Need to Know. Application Types: You can configure the following types of SSL applications...

Page 812: ...computer does not use VNC or RDP client software. The ZyWALL works with the following remote desktop connection software. RDP: Windows Remote Desktop (supported in Internet Explorer). VNC: RealVNC, TightVNC, UltraVNC. For example, user A uses an SSL VPN connection to log into the ZyWALL. Then he manages LAN computer B, which has RealVNC server software installed. Figure 528 SSL-protected Remote Management (Weblink)...

Page 813: ...http://info. Select Web Page Encryption to prevent users from saving the web content. (This is a browser-side measure only; a user who can view the page can still capture it, so do not rely on it to protect sensitive content.) Click Apply to save the settings. The configuration screen should look similar to the following figure. Figure 529 Example: SSL Application: Specifying a Web Site for Access. 48.2 The SSL Application Screen. The main SSL Application screen displays a list of the configured SSL application objects. Click Configuration > Object...

Page 814: ...ation LABEL / DESCRIPTION. Add: Click this to create a new entry. Edit: Double-click an entry or select it and click Edit to be able to modify the entry's settings. Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Object References: Select an entry and click Object References to open a screen that shows which settings use the entry. See Section...

Page 815: ...have Virtual Network Computing (VNC) remote desktop server software installed. Select RDP to allow users to manage LAN computers that have Remote Desktop Protocol (RDP) remote desktop server software installed. Select Weblink to create a link to a web site that you expect the SSL VPN users to commonly use. Name: Enter a descriptive name to identify this object. You can enter up to 31 characters (0-9, a-z, A-Z and _)...

Page 816: ...ype is set to RDP or VNC. Specify the IP address or Fully Qualified Domain Name (FQDN) of the computer(s) that you want to allow the remote users to manage. Starting Port / Ending Port: This field displays if the Server Type is set to RDP or VNC. Specify the listening port(s) of the LAN computer(s) running remote desktop server software. The ZyWALL uses a port number from this range to send traffic to the LAN...

Page 817: ...up to 31 characters (0-9, a-z, A-Z and _). Spaces are not allowed. Shared Path: Specify the IP address, domain name or NetBIOS name (computer name) of the file server and the name of the share to which you want to allow user access. Enter the path in one of the following formats: \\IP address\share name, \\domain name\share name, or \\computer name\share name. For example, if you enter \\my-server\Tmp, this allows remote use...

Page 819: ...ure endpoint security objects to use with the authentication policy and SSL VPN features. For example, an authentication policy could use an endpoint security object that requires a LAN user's computer to pass all of the object's checking items in order to access the network. LAN user A passes all of the checks and is given access. An SSL VPN tunnel could use a different endpoint security profile that...

Page 820: ...activation. Windows registry settings. Processes that the endpoint must execute. Processes that the endpoint cannot execute. The size and version of specific files. Multiple Endpoint Security Objects: You can configure an authentication policy or SSL VPN policy to use multiple endpoint security objects. This allows checking of computers with different OSs or security settings. When a client attempts to lo...

Page 821: ...e entry's settings. Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Object References: Select an entry and click Object References to open a screen that shows which settings use the object. See Section 13.3.2 on page 312 for an example. Object Name: This field displays the descriptive name that identifies this object. Description: If the entr...

Page 822: ...Apply: Click this button to save your changes to the ZyWALL. Reset: Click this button to return the screen to its last saved settings. Table 232 Configuration > Object > Endpoint Security (continued) LABEL / DESCRIPTION...

Page 823: ...49.3 Endpoint Security Add/Edit. Click Configuration > Object > Endpoint Security and then the Add or Edit icon to open the Endpoint Security Edit screen. Use this screen to configure an endpoint security object...

Page 824: ...Figure 535 Configuration > Object > Endpoint Security > Add...

Page 825: ...s. Others allows access for computers not using Windows, Linux or Mac OSX operating systems. For example, you create Windows, Linux and Mac OSX endpoint security objects to apply to your LAN users. An Others object allows access for LAN computers using Solaris, HP, Android or other operating systems. Windows Version: If you selected Windows as the operating system, select the version of Windows here. Endpoint...

Page 826: ...indows Registry: If you selected Windows as the operating system, you can use the table to list Windows registry values to check on the user's computer. Use the Operation field to set whether the value for the registry item in the user's computer has to be equal to, greater than, less than, greater than or equal to, less than or equal to, or not equal to the value listed in the entry. Click Add to create a...

Page 827: ...s to be equal to, greater than, less than, greater than or equal to, less than or equal to, or not equal to the size or version of the file listed in the entry. Click Add to create a new entry. Select one or more entries and click Remove to delete it or them. The user's computer must pass one of the listed file information checks to pass this checking item. OK: Click OK to save your changes back to the ZyWA...
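Pages 819 to 827 describe the checking items of an endpoint security object: operating system (and Windows version), registry values compared with one of six operators, processes that must or must not be running, and file size/version checks of which one must pass, with every checking item required for the object to pass. The following is an added example, not ZyXEL's code, that evaluates such an object against a client's self-reported posture. The report format, the sample objects, the registry key and process names, and the policy rule "a client is admitted if it passes at least one of the configured objects" are assumptions made here for illustration; the manual's text on how multiple objects combine is cut off above. Versions are compared numerically field by field, because a text comparison would rank "10.0.1" below "6.1.7600".

```python
"""Endpoint-posture evaluation modelled on the Endpoint Security object.
Added example, not ZyXEL's code; report layout, sample objects and the
any-object-passes policy rule are assumptions for illustration."""
import operator

OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
       ">=": operator.ge, "<": operator.lt, "<=": operator.le}


def as_version(v):
    """'6.1.7601' -> (6, 1, 7601): compare versions numerically, not as text."""
    return tuple(int(p) for p in str(v).split("."))


def compare(actual, op, wanted, version=False):
    if version:
        actual, wanted = as_version(actual), as_version(wanted)
    return OPS[op](actual, wanted)


def file_check_ok(check, files):
    """One file-information entry: (path, 'size'|'version', operator, wanted)."""
    path, attr, op, wanted = check
    info = files.get(path)
    if info is None or attr not in info:
        return False
    return compare(info[attr], op, wanted, version=(attr == "version"))


def evaluate(obj, report):
    """Evaluate one endpoint security object against a client's posture report.
    Returns (passed, failure_reasons); every checking item must pass."""
    if obj["os"] != report.get("os"):
        return False, [f"os {report.get('os')!r} is not {obj['os']!r}"]
    fails = []
    if obj["os"] == "windows" and obj.get("windows_version") \
            and obj["windows_version"] != report.get("windows_version"):
        fails.append("windows version mismatch")
    reg = report.get("registry", {})
    for key, op, wanted in obj.get("registry", []):
        if key not in reg or not compare(reg[key], op, wanted):
            fails.append(f"registry {key} {op} {wanted!r} failed")
    running = set(report.get("processes", []))
    for p in obj.get("must_run", []):
        if p not in running:
            fails.append(f"required process {p} not running")
    for p in obj.get("must_not_run", []):
        if p in running:
            fails.append(f"forbidden process {p} running")
    checks = obj.get("file_checks", [])
    # file information: the client must pass ONE of the listed checks
    if checks and not any(file_check_ok(c, report.get("files", {})) for c in checks):
        fails.append("no file information check passed")
    return not fails, fails


def policy_allows(objects, report):
    """Assumption: with several objects on a policy (one per OS, as in the
    manual's example), the client is admitted if it passes any one of them."""
    return any(evaluate(o, report)[0] for o in objects)


# Constructed sample objects and reports
FW_KEY = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
          r"\FirewallPolicy\StandardProfile\EnableFirewall")
KERNEL = r"C:\Windows\System32\ntoskrnl.exe"
WIN_OBJ = {"name": "Win-Managed", "os": "windows", "windows_version": "7",
           "registry": [(FW_KEY, "==", 1)],
           "must_run": ["agent.exe"], "must_not_run": ["p2pclient.exe"],
           "file_checks": [(KERNEL, "version", ">=", "6.1.7600")]}
LINUX_OBJ = {"name": "Linux-Managed", "os": "linux", "must_run": ["clamd"]}

WIN_GOOD = {"os": "windows", "windows_version": "7", "registry": {FW_KEY: 1},
            "processes": ["explorer.exe", "agent.exe"],
            "files": {KERNEL: {"version": "6.1.7601", "size": 4000000}}}
WIN_BAD = dict(WIN_GOOD, registry={FW_KEY: 0},
               processes=["explorer.exe", "agent.exe", "p2pclient.exe"])
LINUX_REPORT = {"os": "linux", "processes": ["sshd", "clamd"]}

if __name__ == "__main__":
    print(evaluate(WIN_OBJ, WIN_GOOD))
    print(evaluate(WIN_OBJ, WIN_BAD))
    print(policy_allows([WIN_OBJ, LINUX_OBJ], LINUX_REPORT))   # True
```

The report is produced by a checker running on the client, so these checks catch unmanaged or misconfigured machines; they are not a defence against a client that deliberately reports false values, and the policy should not be the only control protecting what the tunnel reaches.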

Page 829: ...g a domain name to its corresponding IP address and vice versa. Use the System > WWW screens (see Section 50.7 on page 844) to configure settings for HTTP or HTTPS access to the ZyWALL and how the login and access user screens look. Use the System > SSH screen (see Section 50.8 on page 861) to configure SSH (Secure SHell), used to securely access the ZyWALL's command line interface. You can specify which zones...

Page 830: ...page 876) to allow your ZyWALL to be managed by the Vantage CNM server. Use the System > Language screen (see Section 50.14 on page 879) to set a language for the ZyWALL's Web Configurator screens. Note: See each section for related background information and term definitions. 50.2 Host Name: A host name is the unique name by which a device is known on a network. Click Configuration > System > Host Name to open...

Page 831: ...Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to return the screen to its last saved settings. Table 234 Configuration > System > Host Name (continued) LABEL / DESCRIPTION. Table 235 Configuration > System > USB Storage LABEL / DESCRIPTION. Activate USB storage service: Turn USB storage on or off. You need to enable USB storage both here and for a specific feature, such as system logs or diag...

Page 832: ...LL's time based on your local time zone and date, click Configuration > System > Date/Time. The screen displays as shown. You can manually set the ZyWALL's time and date or have the ZyWALL get the date and time from a time server. Figure 538 Configuration > System > Date and Time. The following table describes the labels in this screen. Table 236 Configuration > System > Date and Time LABEL / DESCRIPTION. Current Time...

Page 833: ...w: Click this button to have the ZyWALL get the time and date from a time server (see the Time Server Address field). This also saves your changes (except the daylight saving settings). Time Zone Setup. Time Zone: Choose the time zone of your location. This will set the time difference between your time zone and Greenwich Mean Time (GMT). Enable Daylight Saving: Daylight saving is a period from late spring to e...

Page 834: ...t Saving Time ends in the United States on the first Sunday of November. Each time zone in the United States stops using Daylight Saving Time at 2 A.M. local time. So in the United States you would select First, Sunday, November and type 2 in the at field. Daylight Saving Time ends in the European Union on the last Sunday of October. All of the time zones in the European Union stop using Daylight Saving...

Page 835: ...re configuring the Date/Time screen. To manually set the ZyWALL date and time: 1 Click System > Date/Time. 2 Select Manual under Time and Date Setup. 3 Enter the ZyWALL's time in the New Time field. 4 Enter the ZyWALL's date in the New Date field. 5 Under Time Zone Setup, select your Time Zone from the list. 6 As an option, you can select the Enable Daylight Saving check box to adjust the ZyWALL clock for da...
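The daylight saving rules on pages 833 and 834 are given in the form the Date/Time screen takes them: an ordinal, a weekday, a month and an hour ("First Sunday of November at 2"). The following is an added example, not ZyXEL's code, that turns such a rule into the transition instant for a given year and decides whether a local timestamp falls inside the DST period, which is what the gateway has to do every time it stamps a log line or checks a certificate's Valid From/Valid To dates. The US rules are those the manual states; the EU transition really happens at 01:00 UTC for every member state, so the local hours used for the EU rules below (02:00 in March, 03:00 in October, i.e. Central European Time) are an assumption that depends on the zone.

```python
"""Daylight-saving transitions from rules in the Date/Time screen's form
(ordinal, weekday, month, hour). Added example, not ZyXEL's code; the EU
local hours are an assumption for Central European Time."""
import calendar
from datetime import date, datetime, time

ORDINALS = {"first": 1, "second": 2, "third": 3, "fourth": 4, "last": -1}


def nth_weekday(year, month, weekday, ordinal):
    """Date of the first/second/.../last given weekday (calendar.MONDAY=0 ...
    calendar.SUNDAY=6) of a month."""
    n = ORDINALS[ordinal]
    days = [week[weekday] for week in calendar.monthcalendar(year, month) if week[weekday]]
    return date(year, month, days[n - 1] if n > 0 else days[-1])


def transition(year, rule):
    """rule = (ordinal, weekday, month, hour) -> naive local datetime of the switch."""
    ordinal, weekday, month, hour = rule
    return datetime.combine(nth_weekday(year, month, weekday, ordinal), time(hour))


US_START = ("second", calendar.SUNDAY, 3, 2)   # 2 A.M. local, second Sunday of March
US_END = ("first", calendar.SUNDAY, 11, 2)     # 2 A.M. local, first Sunday of November
EU_START = ("last", calendar.SUNDAY, 3, 2)     # assumption: 02:00 CET (01:00 UTC)
EU_END = ("last", calendar.SUNDAY, 10, 3)      # assumption: 03:00 CEST (01:00 UTC)


def in_dst(local_iso, start_rule, end_rule):
    """True if a naive local timestamp (ISO 8601 string) lies inside the DST
    period of its year. Northern-hemisphere rules only: start precedes end."""
    t = datetime.fromisoformat(local_iso)
    return transition(t.year, start_rule) <= t < transition(t.year, end_rule)


if __name__ == "__main__":
    for name, rule in [("US start", US_START), ("US end", US_END),
                       ("EU start", EU_START), ("EU end", EU_END)]:
        print(name, transition(2010, rule).isoformat())
    print(in_dst("2010-11-07T01:59:00", US_START, US_END))   # True
    print(in_dst("2010-11-07T02:00:00", US_START, US_END))   # False
```

Whichever way the clock is set, keep it correct: a gateway whose clock is wrong will reject valid certificates as Not Yet Valid or Expired, accept expired ones, and produce logs that cannot be correlated with other systems.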

Page 836: ... 6 DNS Overview DNS Domain Name System is for mapping a domain name to its corresponding IP address and vice versa The DNS server is extremely important because without it you must know the IP address of a machine before you can access it Table 238 Configuration System Console Speed LABEL DESCRIPTION Console Port Speed Use the drop down list box to change the speed of the console port Your ZyWALL ...

Page 837: ...ALL s WAN IP address set the DNS server fields to get the DNS server address from the ISP You can manually enter the IP addresses of other DNS servers 50 6 2 Configuring the DNS Screen Click Configuration System DNS to change your ZyWALL s DNS settings Use the DNS screen to configure the ZyWALL to use a DNS server to resolve domain names for ZyWALL system features like VPN DDNS and the time server...

Page 838: ...in zone forwarder entries in the order that they appear in this list Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Note that...

Page 839: ...try Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Note that subsequent entries move up by one when you take this action Move To change an entry s position in the...

Page 840: ... domain The ZyWALL allows you to configure address records about the ZyWALL itself or another device This way you can keep a record of DNS names and addresses that people on your network may use frequently If the ZyWALL receives a DNS query for an FQDN for which the ZyWALL has an address record the ZyWALL can send the IP address in a DNS response without having to query a DNS name server 50 6 4 PT...

Page 841: ...one forwarder record Figure 543 Configuration System DNS Domain Zone Forwarder Add Table 240 Configuration System DNS Address PTR Record Edit LABEL DESCRIPTION FQDN Type a Fully Qualified Domain Name FQDN of a server An FQDN starts with a host name and continues all the way up to the top level domain name For example www zyxel com tw is a fully qualified domain name where www is the host zyxel is ...

Page 842: ...specified DNS server(s). DNS Server Select DNS Server(s) from ISP if your ISP dynamically assigns DNS server information. You also need to select an interface through which the ISP provides the DNS server IP address(es). The interface should be activated and set to be a DHCP client. The fields below display the read-only DNS server IP address(es) that the ISP assigns. N/A displays for any DNS server IP add...
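The resolution order these pages describe, as an added example that is not part of the ZyXEL guide: a small Python model in which local address and PTR records answer first, and otherwise the domain zone forwarder table is checked top to bottom with `*` as the catch-all entry. The record values, zone names and server addresses are made up for the illustration, and the `leaking_zones` check at the end is a practitioner's addition rather than anything the ZyWALL screen offers.

```python
"""Added example (not ZyXEL code): a model of the ZyWALL DNS resolution order.
Local address (A) and PTR records answer first; otherwise the domain zone
forwarder table is checked in order and the first zone whose suffix matches
the query decides which DNS server is asked; a "*" zone catches everything
else. All record and forwarder values below are constructed sample data.
"""
import ipaddress

# Address records: FQDN -> IPv4 (constructed sample data)
ADDRESS_RECORDS = {
    "vpn.example.com": "203.0.113.10",
    "intranet.corp.example": "10.0.0.5",
}
# PTR records: IPv4 -> FQDN (constructed sample data)
PTR_RECORDS = {"10.0.0.5": "intranet.corp.example"}

# Domain zone forwarders, consulted in table order (constructed sample data).
ZONE_FORWARDERS = [
    ("corp.example", "10.0.0.53"),   # internal zone -> internal DNS server
    ("*", "198.51.100.53"),          # everything else -> ISP resolver
]


def zone_matches(zone, qname):
    """True if `qname` falls under `zone` ("*" matches any name)."""
    if zone == "*":
        return True
    return qname == zone or qname.endswith("." + zone)


def reverse_name(ip):
    """Build the in-addr.arpa name used for a PTR query of `ip`."""
    octets = ipaddress.ip_address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def resolve(qname, qtype="A"):
    """Return (source, answer).

    source is "local" when a configured record answers, otherwise the
    address of the forwarder that would be asked (answer is then None
    because this model does not send queries).
    """
    qname = qname.rstrip(".").lower()
    if qtype == "A" and qname in ADDRESS_RECORDS:
        return "local", ADDRESS_RECORDS[qname]
    if qtype == "PTR" and qname.endswith(".in-addr.arpa"):
        ip = ".".join(reversed(qname[: -len(".in-addr.arpa")].split(".")))
        if ip in PTR_RECORDS:
            return "local", PTR_RECORDS[ip]
    for zone, server in ZONE_FORWARDERS:
        if zone_matches(zone, qname):
            return server, None
    return None, None                    # no forwarder matches: query fails


def leaking_zones(internal_suffixes):
    """Internal suffixes whose queries would leave via the "*" forwarder.

    Any suffix listed here has no specific zone forwarder above the
    catch-all entry, so its internal host names go to the ISP resolver.
    """
    catch_all = dict(ZONE_FORWARDERS).get("*")
    leaks = []
    for suffix in internal_suffixes:
        server, _ = resolve("host." + suffix)
        if catch_all is not None and server == catch_all:
            leaks.append(suffix)
    return leaks
```

The point of `leaking_zones` is the one thing worth checking after editing this table: an internal zone whose forwarder entry is missing, or sits below the `*` row, has every lookup for its host names sent to the ISP's resolver.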

Page 843: ... Service Control table to add a service control rule Figure 545 Configuration System DNS Service Control Rule Add Table 242 Configuration System DNS MX Record Add LABEL DESCRIPTION Domain Name Enter the domain name where the mail is destined for IP Address FQDN Enter the IP address or Fully Qualified Domain Name FQDN of a mail server that handles the mail for the domain specified in the field abov...

Page 844: ...Configuration System DNS Service Control Rule Add LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen Address Object Select ALL to allow or deny any computer to send DNS queries to the ZyWALL Select a predefined address object to just allow or deny the computer with the IP address that you specified to send DNS queries to the ZyWAL...

Page 845: ...t There is a lease timeout for administrators. The ZyWALL automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling. Each user is also forced to log in to the ZyWALL for authentication again when the reauthentication time expires. You can change the timeout settings in the User Group ...

Page 846: ... Certificates is optional and if selected means the HTTPS client must send the ZyWALL a certificate You must apply for a certificate for the browser from a CA that is a trusted CA on the ZyWALL Please refer to the following figure 1 HTTPS connection requests from an SSL aware web browser go to port 443 by default on the ZyWALL s web server 2 HTTP connection requests from a web browser go to port 8...

Page 847: ...SSL VPN for example Figure 548 Configuration System WWW Service Control The following table describes the labels in this screen Table 244 Configuration System WWW Service Control LABEL DESCRIPTION HTTPS Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address es in the Service Control table to access the ZyWALL Web Configurator using secure HTTP...

Page 848: ... use HTTPS to log into the ZyWALL to log into SSL VPN for example You can also specify the IP addresses from which the users can access the ZyWALL Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and cl...

Page 849: ...ick Remove The ZyWALL confirms you want to remove it before doing so Note that subsequent entries move up by one when you take this action Move To change an entry s position in the numbered list select the method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed This is the index number of the service contr...

Page 850: ...TION Table 245 Configuration System Service Control Rule Edit LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen Address Object Select ALL to allow or deny any computer to communicate with the ZyWALL using this service Select a predefined address object to just allow or deny the computer with the IP address that you specified to a...
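The evaluation rule that the DNS, WWW, SSH, Telnet, FTP and SNMP service control tables all share, as an added example that is not ZyXEL code: rules are consulted in index order, the first rule whose zone and address object both match decides, and the unnumbered default policy applies when nothing matches. Zone names, address objects and the default action below are assumed sample values; read the real default from the "-" row of your own table.

```python
"""Added example (not ZyXEL code): a model of how a ZyWALL service control
table is consulted for DNS, WWW, SSH, Telnet, FTP and SNMP access. Rules
are checked in index order; the first rule whose zone and address object
both match decides; the unnumbered default policy ("-") applies when no
rule matches. Address objects and the default action are constructed.
"""
import ipaddress

# Address objects as named on the device (constructed sample data).
ADDRESS_OBJECTS = {
    "ALL": None,                       # matches any source address
    "ADMIN_PC": ["192.168.1.33/32"],
    "MGMT_NET": ["10.0.0.0/24"],
}


class ServiceControl:
    def __init__(self, default="accept"):
        self.rules = []            # list of (zone, address_object, action)
        self.default = default     # the non-configurable "-" row (assumed)

    def add(self, zone, address, action, after=None):
        """Append, or insert right after 1-based index `after` (the Add button)."""
        rule = (zone, address, action)
        if after is None:
            self.rules.append(rule)
        else:
            self.rules.insert(after, rule)

    def remove(self, index):
        """Delete rule `index`; following rules move up by one."""
        del self.rules[index - 1]

    def move(self, index, to):
        """Move rule `index` to position `to`, renumbering the rest."""
        self.rules.insert(to - 1, self.rules.pop(index - 1))

    def evaluate(self, zone, src_ip):
        """Return (index, action) of the deciding rule, or ('-', default)."""
        ip = ipaddress.ip_address(src_ip)
        for i, (rzone, robj, action) in enumerate(self.rules, start=1):
            if rzone not in ("ALL", zone):
                continue
            nets = ADDRESS_OBJECTS[robj]
            if nets is None or any(ip in ipaddress.ip_network(n) for n in nets):
                return i, action
        return "-", self.default


def ssh_table():
    """A typical SSH service control table: admins in, everything else out."""
    t = ServiceControl(default="accept")
    t.add("LAN1", "ADMIN_PC", "accept")        # rule 1
    t.add("IPSec_VPN", "MGMT_NET", "accept")   # rule 2
    t.add("ALL", "ALL", "deny")                # rule 3: explicit catch-all deny
    return t


def shadowing_demo():
    """Moving the catch-all deny above the allow rules silently shadows them."""
    t = ssh_table()
    before = t.evaluate("LAN1", "192.168.1.33")
    t.move(3, 1)
    after = t.evaluate("LAN1", "192.168.1.33")
    return before, after
```

`ssh_table` ends with an explicit ALL/ALL deny so the outcome never depends on the default row; `shadowing_demo` shows why Move needs care, since a catch-all deny moved above the allow rules blocks the administrator without any warning from the screen.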

Page 851: ... Guide 851 also customize the page that displays after an access user logs into the Web Configurator to access network services like the Internet See Chapter 40 on page 735 for more on access user accounts Figure 550 Configuration System WWW Login Page ...

Page 852: ...in the login and access pages. Figure 551 Login Page Customization. Figure 552 Access Page Customization. (Figure callouts: Logo, Title, Message, Note Message, Background or Window, last line of text, color of all text.) You can specify colors in one of the following ways ...

Page 853: ...tion and file name of the logo graphic or click Browse to locate it Note Use a GIF JPG or PNG of 100 kilobytes or less Click Upload to transfer the specified graphic file from your computer to the ZyWALL Customized Login Page Use this section to set how the Web Configurator login screen looks Title Enter the title for the top of the screen Use up to 64 printable ASCII characters Spaces are allowed...

Page 854: ...rt screen in Internet Explorer Select Yes to proceed to the Web Configurator login screen if you select No then Web Configurator access is blocked Figure 553 Security Alert Dialog Box Internet Explorer Note Message Enter a note to display below the title Use up to 64 printable ASCII characters Spaces are allowed Window Background Set how the window s background looks To use a graphic select Pictur...

Page 855: ...e certificate is from the ZyWALL If Accept this certificate temporarily for this session is selected then click OK to continue in Netscape Select Accept this certificate permanently to import the ZyWALL s certificate into the SSL client Figure 554 Security Certificate 1 Netscape Figure 555 Security Certificate 2 Netscape 50 7 7 3 Avoiding Browser Warning Messages Here are the main reasons your bro...

Page 856: ...ficates issued by a certificate authority import the certificate authority s certificate into your operating system as a trusted certificate Refer to Appendix D on page 1027 for details 50 7 7 4 Login Screen After you accept the certificate the ZyWALL login screen appears The lock displayed in the bottom of the browser status bar denotes a secure connection Figure 556 Login Screen Internet Explore...

Page 857: ...rusted CA Screen The CA sends you a package containing the CA s trusted certificate s your personal certificate s and a password to install the personal certificate s 50 7 7 5 1 Installing the CA s Certificate 1 Double click the CA s trusted certificate to produce a screen similar to the one shown next Figure 558 CA Certificate Example 2 Click Install Certificate and follow the wizard as shown ear...

Page 858: ...ment Double click the personal certificate given to you by the CA to produce a screen similar to the one shown next 1 Click Next to begin the wizard Figure 559 Personal Certificate Import Wizard 1 2 The file name and path of the certificate you double clicked should automatically appear in the File name text box Click Browse if you wish to import a different certificate Figure 560 Personal Certifi...

Page 859: ...en to you by the CA Figure 561 Personal Certificate Import Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location Figure 562 Personal Certificate Import Wizard 4 ...

Page 860: ... 6 You should see the following screen when the certificate is correctly installed on your computer Figure 564 Personal Certificate Import Wizard 6 50 7 7 6 Using a Certificate When Accessing the ZyWALL Example Use the following procedure to access the ZyWALL via HTTPS 1 Enter https ZyWALL IP Address in your browser s web address field Figure 565 Access the ZyWALL Via HTTPS ...

Page 861: ...the ZyWALL This screen displays even if you only have a single certificate as in the example Figure 566 SSL Client Authentication 3 You next see the Web Configurator login screen Figure 567 Secure Web Configurator Login Screen 50 8 SSH You can use SSH Secure SHell to securely access the ZyWALL s command line interface Specify which zones allow SSH access and from which IP address the access can co...

Page 862: ...the WAN Example 50 8 1 How SSH Works The following figure is an example of how a secure connection is established between two remote hosts using SSH v1 Figure 569 How SSH v1 Works Example 1 Host Identification The SSH client sends a connection request to the SSH server The server identifies itself with a host key The client encrypts a randomly generated session key with the host key and server key...

Page 863: ...erver 50 8 2 SSH Implementation on the ZyWALL. Your ZyWALL supports SSH versions 1 and 2 using RSA authentication and four encryption methods: AES, 3DES, Arcfour (RC4) and Blowfish. The SSH server is implemented on the ZyWALL for management using port 22 by default. SSH version 1 has long-known protocol weaknesses and current OpenSSH clients no longer speak it, so connect with SSH version 2 and, where the client lets you choose the cipher, prefer AES over RC4, Blowfish and 3DES. 50 8 3 Requirements for Using SSH. You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to ...

Page 864: ...ce if needed however you must use the same port number in order to use that service for remote management Server Certificate Select the certificate whose corresponding private key is to be used to identify the ZyWALL for SSH connections You must have certificates already configured in the My Certificates screen Click My Certificates and see Chapter 46 on page 785 for details Service Control This s...

Page 865: ... store the host key in your computer. Compare the fingerprint the client shows with the one recorded when the ZyWALL was first set up over a trusted path, then click Yes to continue. Figure 571 SSH Example 1 Store Host Key. Move To change an entry s position in the numbered list select the method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed. This is the index number of the service control rule. Zone This is the zone on the ZyWALL ...

Page 866: ...ZyWALL using SSH version 1 If this is the first time you are connecting to the ZyWALL using SSH a message displays prompting you to save the host information of the ZyWALL Type yes and press ENTER Then enter the password to log in to the ZyWALL Figure 573 SSH Example 2 Log in 3 The CLI screen displays next 50 9 Telnet You can use Telnet to access the ZyWALL s command line interface Specify which z...

Page 867: ...er port number for a service if needed however you must use the same port number in order to use that service for remote management Service Control This specifies from which computers you can access which ZyWALL zones Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Refer to Table 245 on page 850 for details on the screen that opens ...

Page 868: ...L s non configurable default policy The ZyWALL applies this to traffic that does not match any other configured rule It is not an editable rule To apply other behavior configure a rule that traffic will match so the ZyWALL will not have to use the default policy Zone This is the zone on the ZyWALL the user is allowed or denied to access Address This is the object name of the IP address es with whi...

Page 869: ...rvice if needed however you must use the same port number in order to use that service for remote management Server Certificate Select the certificate whose corresponding private key is to be used to identify the ZyWALL for FTP connections You must have certificates already configured in the My Certificates screen Click My Certificates and see Chapter 46 on page 785 for details Service Control Thi...

Page 870: ...ry with a hyphen instead of a number is the ZyWALL s non configurable default policy The ZyWALL applies this to traffic that does not match any other configured rule It is not an editable rule To apply other behavior configure a rule that traffic will match so the ZyWALL will not have to use the default policy Zone This is the zone on the ZyWALL the user is allowed or denied to access Address This...

Page 871: ...rm network management functions. It executes applications that control and monitor managed devices. The managed devices contain object variables (managed objects) that define each piece of information to be collected about a device. Examples of variables include the number of packets received, node port status, etc. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a man...

Page 872: ...N total throughput The focus of the MIBs is to let administrators collect statistical data and monitor status and performance You can download the ZyWALL s MIBs from www zyxel com 50 11 2 SNMP Traps The ZyWALL will send traps to the SNMP manager when any one of the following events occurs 50 11 3 Configuring SNMP To change your ZyWALL s SNMP settings click Configuration System SNMP tab The screen ...

Page 873: ...rt number for a service if needed; however, you must use the same port number in order to use that service for remote management. Get Community Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests. Set Community Enter the Set community, which is the password for incoming Set requests from the ma... SNMPv1 and SNMPv2c carry the community string in clear text in every packet, so change both communities from their defaults, give the Set community a different value from the Get community, and use the Service Control table to limit SNMP to the management zone and addresses rather than relying on the community value.
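To show what the community string actually protects, an added example that is not ZyXEL code: it builds a real SNMPv2c GetRequest for sysDescr.0 with a minimal BER encoder and then reads the community back out of the raw bytes, which is all a host on the path to UDP port 161 has to do. The community strings and the request are constructed for the illustration.

```python
"""Added example (not ZyXEL code): why an SNMPv1/v2c community string is a
weak "password". Builds a real SNMPv2c GetRequest for sysDescr.0 with a
hand-rolled BER encoder, then pulls the community back out of the raw
bytes, as anyone sniffing UDP/161 on the path could. Sample values only.
"""


def _ber_len(n):
    """BER definite-form length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def _ber_int(v):
    """INTEGER, two's complement, minimal length."""
    if v == 0:
        return _tlv(0x02, b"\x00")
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def _ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def snmp_get_request(community, oid, version=1, request_id=1):
    """SNMP message: SEQUENCE { version, community, GetRequest-PDU }.
    version 0 = SNMPv1, 1 = SNMPv2c.
    """
    varbind = _tlv(0x30, _ber_oid(oid) + _tlv(0x05, b""))      # { oid, NULL }
    pdu = _tlv(0xA0, _ber_int(request_id) + _ber_int(0)        # GetRequest-PDU
               + _ber_int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _ber_int(version) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_community(packet):
    """Return (version, community) from a raw SNMPv1/v2c message."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(msg, 0)
    _, comm, _ = _read_tlv(msg, pos)
    return int.from_bytes(ver, "big", signed=True), comm.decode()


def communities_seen(packets):
    """What a passive observer of the management LAN learns from a capture."""
    return sorted({parse_community(p)[1] for p in packets})
```

`pkt.index(b"public")` lands at byte 7: the community is the second field of every SNMPv1/v2c packet, neither encrypted nor hashed, so the zone and address restrictions in the Service Control table, not the community value, are what keep the MIB private.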

Page 874: ...ntry select it and click Remove The ZyWALL confirms you want to remove it before doing so Note that subsequent entries move up by one when you take this action Move To change an entry s position in the numbered list select the method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed This is the index number of...

Page 875: ...agement connections Figure 578 Configuration System Dial in Mgmt The following table describes the labels in this screen Table 252 Configuration System Dial in Mgmt LABEL DESCRIPTION Show Advance Settings Hide Advance Settings Click this button to display a greater or lesser number of configuration fields Dial in Server Properties Click Advanced to display more configuration fields and edit the de...

Page 876: ...thout notifying the Vantage CNM administrator. Port Speed Use the drop-down list box to select the speed of the connection between the ZyWALL s auxiliary port and the external modem. Available speeds are 9600, 19200, 38400, 57600 or 115200 bps. Initial String Type the AT command string that the ZyWALL sends to the external serial modem connected to the ZyWALL s auxiliary port during connection initial...

Page 877: ...ds Vantage CNM Click Advanced to display more configuration fields or click Basic to display fewer fields Enable Select this check box to allow Vantage CNM to manage your ZyWALL Server IP Address FQDN Enter the IP address or fully qualified domain name of the Vantage server If the Vantage CNM server is on a different subnet to the ZyWALL and is behind a NAT router enter the WAN IP address of the N...

Page 878: ...ect Custom in the Device Management IP field Keepalive Interval Set how often the ZyWALL sends a keep alive packet to the Vantage CNM server if there is no other traffic The keep alive packets maintain the Vantage CNM server s control session Periodic Inform Interval Select this option to have the ZyWALL periodically send Inform messages to the Vantage CNM server HTTPS Authentication When you are ...

Page 879: ...580 Configuration System Language The following table describes the labels in this screen Table 254 Configuration System Language LABEL DESCRIPTION Language Setting Select a display language for the ZyWALL s Web Configurator screens You also need to open a new browser session to display the screens in the new language Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to r...

Page 880: ...Chapter 50 System ZyWALL USG 100 200 Series User s Guide 880 ...

Page 881: ...e where and how to send daily reports and what reports to send Use the Maintenance Log Setting screens Section 51 3 on page 883 to specify settings for recording log messages e mailing them and sending them to a remote server 51 2 Email Daily Report Use the Email Daily Report screen to start or stop data collection and view various statistics about traffic passing through your ZyWALL Note Data col...

Page 882: ...00 Series User s Guide 882 Click Configuration Log Report Email Daily Report to display the following screen Configure this screen to have the ZyWALL e mail you system statistics every day Figure 581 Configuration Log Report Email Daily Report ...

Page 883: ...the ZyWALL s system date and time to the subject Mail From Type the e mail address from which the outgoing e mail is delivered This address is used in replies Mail To Type the e mail address or addresses to which the outgoing e mail is delivered SMTP Authentication Select this check box if it is necessary to provide a user name and password to the SMTP server User Name This box is effective when y...

Page 884: ...Settings tab controls which events generate alerts and where alerts are e-mailed. The Log Settings Summary screen provides a summary of all the settings. You can use the Log Settings Edit screen to maintain the detailed settings, such as log categories, e-mail addresses, server names, etc., for any log. Alternatively, if you want to edit which events are included in each log, you can also use the Active Log Su...

Page 885: ...Inactivate To turn off an entry select it and click Inactivate This field is a sequential value and it is not associated with a specific log Name This field displays the type of log setting entry system log logs stored on a USB storage device connected to the ZyWALL or one of the remote servers Log Format This field displays the format of the log Internal system log you can view the log on the Vie...

Page 886: ...Chapter 51 Log and Report ZyWALL USG 100 200 Series User s Guide 886 Figure 583 Configuration Log Report Log Setting Edit System Log ...

Page 887: ...t the day of the week the log is e mailed Time for Sending Log This field is available if the log is e mailed weekly or daily Select the time of day hours and minutes when the log is e mailed Use 24 hour notation SMTP Authentication Select this check box if it is necessary to provide a user name and password to the SMTP server User Name This box is effective when you select the SMTP Authentication...

Page 888: ... Category fields in the View Log tab The Default category includes debugging messages generated by open source software System log Select which events you want to log by Log Category There are three choices disable all logs red X do not log any information from this category enable normal logs green check mark create log messages and alerts from this category enable normal logs and debug logs yell...

Page 889: ...eld when multiple log messages were aggregated Log Consolidation Interval Type how often in seconds to consolidate log information If the same log message appears multiple times it is aggregated into one log message with the text count x where x is the number of original log messages appended at the end of the Message field OK Click this to save your changes and return to the previous screen Cance...
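The consolidation rule described above, as an added Python example that is not ZyXEL code, run over constructed log records. Identical messages arriving within the interval of the first occurrence collapse into one record with the repeat count appended to the Message field. Two assumptions are made: the window is anchored at the first occurrence, and the appended text is `count=N` (the page says only "count x"); the message texts themselves are made up.

```python
"""Added example (not ZyXEL code): the log consolidation behaviour, modelled
over constructed sample log records. Identical messages within `interval`
seconds of the first occurrence merge into one record with the repeat count
appended. Assumed: window anchored at first occurrence, suffix "count=N".
"""

# Constructed sample records: (seconds, category, message)
SAMPLE_LOG = [
    (0,  "firewall", "Match default rule, DROP [TCP 203.0.113.9:4444->192.168.1.1:22]"),
    (2,  "firewall", "Match default rule, DROP [TCP 203.0.113.9:4444->192.168.1.1:22]"),
    (5,  "firewall", "Match default rule, DROP [TCP 203.0.113.9:4444->192.168.1.1:22]"),
    (7,  "user",     "Administrator admin from 192.168.1.33 has logged in"),
    (70, "firewall", "Match default rule, DROP [TCP 203.0.113.9:4444->192.168.1.1:22]"),
]


def consolidate(records, interval):
    """records: (time_seconds, category, message) tuples in time order.
    Returns the consolidated records, sorted by time of first occurrence.
    """
    windows = {}   # (category, message) -> [first_seen, count]
    out = []

    def close(key):
        first_seen, count = windows.pop(key)
        category, message = key
        if count > 1:
            message = f"{message} count={count}"      # assumed suffix format
        out.append((first_seen, category, message))

    for t, category, message in records:
        key = (category, message)
        if key in windows:
            if t - windows[key][0] <= interval:
                windows[key][1] += 1       # same message inside the window
                continue
            close(key)                     # window expired: emit and restart
        windows[key] = [t, 1]
    for key in list(windows):
        close(key)
    out.sort(key=lambda r: r[0])
    return out


def events_hidden(records, interval):
    """How many individual events the consolidated view no longer shows.

    Anyone correlating on per-event timestamps (a brute-force rate, for
    example) should expect this to be non-zero when consolidation is on.
    """
    records = list(records)
    return len(records) - len(consolidate(records, interval))
```

With a 60-second interval the three SSH drops at 0, 2 and 5 seconds become one line stamped at 0 with `count=3`; the individual timestamps are gone, which is the trade-off to weigh against log volume before turning consolidation on for the firewall category.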

Page 890: ... Setting The Edit Log on USB Storage Setting screen controls the detailed settings for saving logs to a connected USB storage device Go to the Log Setting Summary screen see Section 51 3 1 on page 884 and click the USB storage Edit icon Figure 584 Configuration Log Report Log Setting Edit USB Storage ...

Page 891: ...enable normal logs and debug logs yellow check mark send the remote server log messages alerts and debugging information for all log categories This field is a sequential value and it is not associated with a specific entry Log Category This field displays each category of messages The Default category includes debugging messages generated by open source software Selection Select what information ...

Page 892: ...erver Log Settings The Log Settings Edit screen controls the detailed settings for each log in the remote server syslog Go to the Log Settings Summary screen see Section 51 3 1 on page 884 and click a remote server Edit icon Figure 585 Configuration Log Report Log Setting Edit Remote Server ...

Page 893: ...ngs for all of the log categories disable all logs red X do not send the remote server logs for any log category enable normal logs green check mark send the remote server log messages and alerts for all log categories enable normal logs and debug logs yellow check mark send the remote server log messages alerts and debugging information for all log categories This field is a sequential value and ...

Page 894: ...mple where and how often log information is e mailed or remote server names To access this screen go to the Log Settings Summary screen see Section 51 3 1 on page 884 and click the Active Log Summary button Figure 586 Active Log Summary This screen provides a different view and a different way of indicating which messages are included in each log and each alert Please see Section 51 3 2 on page 88...

Page 895: ...ormation for any category to a connected USB storage device enable normal logs green check mark create log messages and alerts for all categories and save them to a connected USB storage device enable normal logs and debug logs yellow check mark create log messages alerts and debugging information for all categories and save them to a connected USB storage device E mail Server 1 Use the E Mail Ser...

Page 896: ...tegory the ZyWALL does not e mail debugging information however even if this setting is selected E mail Server 1 E mail Select whether each category of events should be included in the log messages when it is e mailed green check mark and or in alerts red exclamation point for the e mail settings specified in E Mail Server 1 The ZyWALL does not e mail debugging information even if it is recorded i...

Page 897: ... Use the Configuration File screen see Section 52 2 on page 900 to store and name configuration files You can also download configuration files from the ZyWALL to your computer and upload configuration files from your computer to the ZyWALL Use the Firmware Package screen see Section 52 3 on page 904 to check your current firmware version and upload firmware to the ZyWALL Use the Shell Script scre...

Page 898: ...e 587 Configuration File Shell Script Example
    # enter configuration mode
    configure terminal
    # change administrator password
    username admin password 4321 user-type admin
    # configure ge3
    interface ge3
    ip address 172.23.37.240 255.255.255.0
    ip gateway 172.23.37.254 metric 1
    exit
    # create address objects for remote management to ZyWALL firewall rules
    # use the address group in case we want to open up remote man...
Note that this example sets the administrator password to 4321, which is no stronger than the factory default 1234; substitute a real password before running a script like this.

Page 899: ...y a configuration file or run a shell script the ZyWALL processes the file line by line The ZyWALL checks the first line and applies the line if no errors are detected Then it continues with the next line If the ZyWALL finds an error it stops applying the configuration file or shell script and generates a log You can change the way a configuration file or shell script is applied Include setenv sto...

Page 900: ...r off and back on, the ZyWALL uses the system-default.conf configuration file with the ZyWALL s default settings. If there is a startup-config.conf, the ZyWALL checks it for errors and applies it. If there are no errors, the ZyWALL uses it and copies it to the lastgood.conf configuration file as a back-up file. If there is an error, the ZyWALL generates a log and copies the startup-config.conf configurat...

Page 901: ...intenance File Manager Configuration File Rename. Specify the new name for the configuration file. Use up to 25 characters including a-zA-Z0-9_. Click OK to save the new name or click Cancel to close the screen without renaming the configuration file. Remove Click a configuration file s row to select it and click Remove to delete it from the ZyWALL. You can only delete manually saved con...

Page 902: ...lick Copy to open the Copy File screen Figure 590 Maintenance File Manager Configuration File Copy Specify a name for the duplicate configuration file Use up to 25 characters including a zA Z0 9 _ Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file Table 262 Maintenance File Manager Configuration File continued LABEL DESCRIPTION ...

Page 903: ...tion this gets the ZyWALL started with a fully valid configuration file as quickly as possible Ignore errors and finish applying the configuration file this applies the valid parts of the configuration file and generates error logs for all of the configuration file s errors This lets the ZyWALL apply most of your configuration and you can refer to the logs for what to fix Ignore errors and finish ...
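The four error-handling options, modelled as an added example that is not ZyXEL code: a file is applied line by line and what happens at the first bad line depends on the option chosen. The two-command language in the sample file (`address-object`, `rule`) is invented for the illustration and is not ZLD CLI syntax; the file itself is constructed and deliberately misspells an address object.

```python
"""Added example (not ZyXEL code): a model of the four error-handling
options for applying a configuration file or shell script. The device works
line by line; what happens at the first bad line depends on the option.
The command language and sample file are invented, not ZLD syntax.
"""
import copy


class ConfigError(Exception):
    pass


def execute(line, state):
    """Apply a single line to `state` or raise ConfigError."""
    parts = line.split()
    if not parts or parts[0].startswith("#"):
        return                                   # blank line or comment
    if parts[0] == "address-object" and len(parts) == 3:
        state["objects"][parts[1]] = parts[2]
    elif parts[0] == "rule" and len(parts) == 6 and parts[2] == "from":
        _, index, _, src, service, action = parts
        if src != "any" and src not in state["objects"]:
            raise ConfigError(f"unknown address object {src}")
        state["rules"].append((int(index), src, service, action))
    else:
        raise ConfigError("syntax error")


def apply_config(lines, option, running):
    """Return (resulting_state, errors) for one of the options:
    'stop'             stop at the first error; earlier lines stay applied
    'stop-rollback'    stop at the first error and restore the old config
    'ignore'           log each error, skip the line, apply the rest
    'ignore-rollback'  apply what it can, log all errors, then restore
    `running` is never modified, like the running configuration that the
    roll-back options return to.
    """
    working = copy.deepcopy(running)
    errors = []
    for number, line in enumerate(lines, start=1):
        try:
            execute(line, working)
        except ConfigError as exc:
            errors.append((number, str(exc)))
            if option.startswith("stop"):
                break
    if option.endswith("rollback"):
        return copy.deepcopy(running), errors
    return working, errors


def first_match(state, src_object):
    """First-match lookup of the management rules held in `state`."""
    for _, src, _, action in state["rules"]:
        if src in ("any", src_object):
            return action
    return "default"


EMPTY = {"objects": {}, "rules": []}

# Constructed sample file; line 4 misspells ADMIN_PC.
SAMPLE_FILE = [
    "# remote management rules",
    "address-object ADMIN_PC 192.168.1.33/32",
    "address-object BRANCH 172.16.0.0/16",
    "rule 1 from ADMN_PC ssh allow",
    "rule 2 from BRANCH ssh allow",
    "rule 3 from any ssh deny",
]
```

Under `ignore` the typo drops only the administrator's allow rule while the catch-all deny still lands, so the half-applied file locks the administrator out; `stop` leaves the address objects but no rules at all. Test a file with one of the roll-back options first, read the error log, and only then apply it for real.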

Page 904: ...e most recently used valid configuration file that was saved when the device last restarted. If you upload and apply a configuration file with an error, you can apply lastgood.conf to return to a valid configuration. Size This column displays the size in KB of a configuration file. Last Modified This column displays the date and time that the individual configuration files were last changed or saved. U...

Page 905: ...ould not be decompressed option while you download the firmware package See Section 33 2 1 on page 595 for more on the anti virus Destroy compressed files that could not be decompressed option The firmware update can take up to five minutes Do not turn off or reset the ZyWALL while the firmware update is in progress Figure 592 Maintenance File Manager Firmware Package The following table describes...

Page 906: ...ected After five minutes log in again and check your new firmware version in the HOME screen If the upload was not successful the following message appears in the status bar at the bottom of the screen Figure 595 Firmware Upload Error 52 4 The Shell Script Screen Use shell script files to have the ZyWALL use commands that you specify Use a text editor to create the shell script files They must use...

Page 907: ... Click a shell script s row to select it and click Rename to open the Rename File screen. Figure 597 Maintenance File Manager Shell Script Rename. Specify the new name for the shell script file. Use up to 25 characters including a-zA-Z0-9_. Click OK to save the new name or click Cancel to close the screen without renaming the shell script file. Remove Click a shell script file s row to ...

Page 908: ...ay need to wait awhile for the ZyWALL to finish applying the commands This column displays the number for each shell script file entry File Name This column displays the label that identifies a shell script file Size This column displays the size in KB of a shell script file Last Modified This column displays the date and time that the individual shell script files were last changed or saved Uploa...

Page 909: ...oing through the ZyWALL Use the Maintenance Diagnostics Core Dump screens see Section 53 4 on page 916 to have the ZyWALL save a process s core dump to an attached USB storage device if the process terminates abnormally crashes so you can send the file to customer support for troubleshooting Use the Maintenance Diagnostics System Log screens see Section 53 5 on page 917 to download files of system...

Page 910: ...r troubleshooting Figure 600 Maintenance Diagnostics Files Table 265 Maintenance Diagnostics LABEL DESCRIPTION Filename This is the name of the most recently created diagnostic file Last modified This is the date and time that the last diagnostic file was created The format is yyyy mm dd hh mm ss Size This is the size of the most recently created diagnostic file Copy the diagnostic file to USB sto...

Page 911: ...IPTION Remove Select files and click Remove to delete them from the ZyWALL Use the Shift and or Ctrl key to select multiple files A pop up window asks you to confirm that you want to delete Download Click a file to select it and click Download to save it to your computer This column displays the number for each file entry The total number of files that you can save depends on the file sizes and th...

Page 912: ... under Available Interfaces Select interfaces for which to capture packets and click the right arrow button to move them to the Capture Interfaces list Use the Shift and or Ctrl key to select multiple objects IP Type Select the protocol of traffic for which to capture packets Select any to capture packets for all types of traffic Host IP Select a host IP address object for which to capture packets...

Page 913: ...u may need to set this size larger or delete existing capture files The valid range is 1 to 10000 The ZyWALL stops the capture and generates the capture file when either the file reaches this size or the time period specified in the Duration field expires Split threshold Specify a maximum size limit in megabytes for individual packet capture files After a packet capture file reaches this size the ...

Page 914: ...e ZyWALL s throughput or performance may be affected while a packet capture is in progress After the ZyWALL finishes the capture it saves a separate capture file for each selected interface The total number of packet capture files that you can save depends on the file sizes and the available flash storage space Once the flash storage space is full adding more packet captures will fail Stop Click t...

Page 915: ...eld was set to 1500 bytes Figure 603 Packet Capture File Example This column displays the number for each packet capture file entry The total number of packet capture files that you can save depends on the file sizes and the available flash storage space File Name This column displays the label that identifies the file The file name format is interface name file suffix cap Size This column display...

Page 916: ...mp The following table describes the labels in this screen 53 4 1 Core Dump Files Screen Click Maintenance Diagnostics Core Dump Files to open the core dump files screen This screen lists the core dump files stored on the ZyWALL or a Table 269 Maintenance Diagnostics Core Dump LABEL DESCRIPTION Save core dump to USB storage if ready Select this to have the ZyWALL save a process s core dump to an a...

Page 917: ...mp Files LABEL DESCRIPTION Remove Select files and click Remove to delete them from the ZyWALL. Use the Shift and/or Ctrl key to select multiple files. A pop-up window asks you to confirm that you want to delete. Download Click a file to select it and click Download to save it to your computer. This column displays the number for each core dump file entry. The total number of core dump files ...

Page 918: ...d click Remove to delete them from the ZyWALL Use the Shift and or Ctrl key to select multiple files A pop up window asks you to confirm that you want to delete Download Click a file to select it and click Download to save it to your computer This column displays the number for each file entry The total number of files that you can save depends on the file sizes and the available storage space Fil...

Page 919: ...rite command to save the configuration before you reboot Otherwise the changes are lost when you reboot Reboot is different to reset see Section 56 1 on page 940 reset returns the device to its default configuration 54 2 The Reboot Screen The Reboot screen is part of the Web configurator so that remote users can restart the device To access this screen click Maintenance Reboot Figure 607 Maintenan...


Page 921: ... the ZyWALL or remove the power Not doing so can cause the firmware to become corrupt 55 1 1 What You Need To Know Shutdown writes all cached data to the local storage and stops the system processes 55 2 The Shutdown Screen To access this screen click Maintenance Shutdown Figure 608 Maintenance Shutdown Click the Shutdown button to shut down the ZyWALL Wait for the device to shut down before you m...


Page 923: ...uld contact your local vendor Cannot access the ZyWALL from the LAN Check the cable connection between the ZyWALL and your computer or switch Ping the ZyWALL from a LAN computer Make sure your computer s Ethernet card is installed and functioning properly Also make sure that its IP address is in the same subnet as the ZyWALL s In the computer click Start All Programs Accessories and then Command P...

Page 924: ...It is more noticeable with a large browser window. You can try shrinking the browser window if this is an issue. I cannot access the Internet. Check the ZyWALL's connection to the Ethernet jack with Internet access. Make sure the Internet gateway device, such as a DSL modem, is working properly. Check the WAN interface's status in the Dashboard. Use the installation setup wizard again and make sure that y...

Page 925: ...ng them for certain interfaces. Many security settings are usually applied to zones. Make sure you assign the interfaces to the appropriate zones. When you create an interface, there is no security applied on it until you assign it to a zone. The ZyWALL is not applying the custom policy route I configured. The ZyWALL checks the policy routes in the order that they are listed, so make sure that your custo...

Page 926: ... interface. You cannot set up a PPP interface, virtual Ethernet interface or virtual VLAN interface if the underlying interface is a member of a bridge. You also cannot add an Ethernet interface or VLAN interface to a bridge if the member interface has a virtual interface or PPP interface on top of it. My rules and settings that apply to a particular interface no longer work. The interface's IP address...

Page 927: ...ecommended that you use a more effective security mechanism. Use the strongest security mechanism that all the wireless devices in your network support; WPA2 or WPA2-PSK is recommended. The wireless security is not following the re-authentication timer setting I specified. If a RADIUS server authenticates wireless stations, the re-authentication timer on the RADIUS server has priority. Change the RADIUS...

Page 928: ...e does not affect the functionality, you might improve the performance of the ZyWALL by putting more commonly used ports at the top of the list. The ZyWALL's anti-virus scanner cleaned an infected file but now I cannot use the file. The scanning engine checks the contents of the packets for viruses. If a virus pattern is matched, the ZyWALL removes the infected portion of the file along with the rest of ...

Page 929: ...no action should be taken. The ZyWALL checks all signatures and continues searching even after a match is found. If two or more rules have conflicting actions for the same packet, then the ZyWALL applies the more restrictive action: reject both, reject receiver or reject sender, drop, none, in this order. If a packet matches a rule for reject receiver and it also matches a rule for reject sender, then the Z...

Page 930: ...routing and SNAT behavior for an interface with the Interface Type set to Internal or External. The ZyWALL is not applying a policy route's port triggering settings. You also need to create a firewall rule to allow an incoming service. I cannot get Dynamic DNS to work. You must have a public WAN IP address to use Dynamic DNS. Make sure you recorded your DDNS account's user name, password and domain name...

Page 931: ... the ZyWALL's firewall to permit the use of asymmetrical route topology on the network so it does not reset the connection, although this is not recommended since allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL. A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets. See Asymmetric...

Page 932: ...e devices from the network before testing your new VPN connection. The old route may have been learnt by RIP and would take priority over the new VPN connection. To test whether or not a tunnel is working, ping from a computer at one site to a computer at the other. Before doing so, ensure that both computers have Internet access via the IPSec routers. It is also helpful to have a way to look at the pac...

Page 933: ...configured L2TP correctly on the remote user computers. See Section 8.5 on page 191 for examples. Make sure you configured an appropriate policy route on the ZyWALL. Make sure there is not a firewall between the ZyWALL and the remote users. If it is possible that the remote user's public IP address could be in the same subnet as the specified My Address, click Configure > Network > Routing > Policy Route. Sho...

Page 934: ...ent background is recommended. I logged into the SSL VPN but cannot see some of the resource links. Available resource links vary depending on the SSL application object's configuration. I logged into the SSL VPN but cannot perform some actions in the File Sharing screen. The actions that you can perform in the File Sharing screen vary depending on the rights granted to you in the SSL application obje...

Page 935: ...bjects for your LAN that are not based on the interface. I configured application patrol to allow and manage access to a specific service but access is blocked. If you want to use a service, make sure both the firewall and application patrol allow the service's packets to go through the ZyWALL. The ZyWALL checks firewall rules before it checks application patrol rules for traffic going through the ZyW...

Page 936: ...e multiple ZyWALL virtual routers on your network, use a different cluster ID to identify each virtual router. There can only be one master ZyWALL in each virtual router (same cluster ID). A broadcast storm results when I turn on Device HA. Do not connect the bridge interfaces on two ZyWALLs without device HA activated on both. Either activate device HA before connecting the bridge interfaces or disable ...

Page 937: ...ion to work. Only ZyWALLs of the same model and firmware version can synchronize. Device HA synchronization is not working for subscription services. Subscribe to services on the backup ZyWALL before synchronizing it with the master ZyWALL. Synchronization includes updates for services to which the master and backup ZyWALLs are both subscribed. For example, a backup subscribed to IDP/AppPatrol but not a...

Page 938: ...e key is not included. The ZyWALL currently allows the importation of a PKCS#7 file that contains a single certificate. PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses lowercase letters, uppercase letters and numerals to convert a binary PKCS#7 certificate into a printable form. Binary PKCS#12: This is a format for transferring public key and private key certificates. The private ke...

Page 939: ...ssing. When a log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first. The commands in my configuration file or shell script are not working properly. In a configuration file or shell script, use or as the first character of a command line to have the ZyWALL treat the line as a comment. Your config...

Page 940: ...ZyWALL stops the capture and generates the capture file when either the capture files reach the File Size or the time period specified in the Duration field expires. My earlier packet capture files are missing. New capture files overwrite existing files of the same name. Change the File Suffix field's setting to avoid this. 56.1 Resetting the ZyWALL. If you cannot access the ZyWALL by any method, try re...

Page 941: ...is on and not blinking. 2 Press the RESET button and hold it until the SYS LED begins to blink. This usually takes about five seconds. 3 Release the RESET button and wait for the ZyWALL to restart. You should be able to access the ZyWALL using the default settings. 56.2 Getting More Troubleshooting Help. Search for support information for your model at www.zyxel.com for more troubleshooting suggestions ...


Page 943: ...ns. FEATURE / SPECIFICATION. Ethernet Interfaces: Number of Ethernet interfaces: 7. All Ethernet interfaces are Gigabit Ethernet, full duplex, RJ-45 connectors, auto-negotiation, auto-MDI/MDIX (auto crossover). Management interface: RS-232 DB9F connector port; RS-232 DB9M connector. USB Slots: 2 (2.0, plug and play). Compatible USB Cards: 3G: Huawei E220, E270, E160, E169, E800 and E180. Extension Card Slot: Slot for optional ...

Page 944: ...es on the bottom panel. The centers of the holes are located 156 mm apart. Table 274 ZyWALL USG 200 Feature Specifications. VERSION / FEATURE: V2.12 / V2.20. # of MAC: 6 / 6. Flash Size: 256 / 256. DRAM Size: 256 / 256. INTERFACE: VLAN: 32 / 32. Virtual (alias): 4 per interface / 4 per interface. PPP (system default): 3 / 3. PPP (user created): NA / 4. Bridge: 8 / 8. ROUTING: Static Routes: 128 / 128. Policy Routes: 500 / 500. Sessions: 40,000 / 40,000. ARP T...

Page 945: ...00. Maximum address object in one group: 128 / 128. Service Objects: 500 / 500. Service Groups: 100 / 100. Maximum service object in one group: 128 / 128. Schedule Objects: 64 / 64. ISP Account: NA / 16. Maximum Number of LDAP Groups: 4 / 4. Maximum Number of LDAP Servers for Each LDAP Group: 2 / 2. Maximum Number of RADIUS Groups: 4 / 4. Maximum Number of RADIUS Servers for Each RADIUS Group: 2 / 2. Maximum AD server for each AD group: 2...

Page 946: ...ers: 4 / 4. IDP: Maximum Number of IDP Profiles: 8 / 8. Custom Signatures: 64 / 64. Maximum Number of IDP Rules: 32 / 32. ADP: Maximum Number of ADP Profiles: 8 / 8. Maximum Number of ADP Rules: 32 / 32. Maximum Block Host Number: 1000 / 1000. Maximum Block Period: 3600 / 3600. CONTENT FILTER: Maximum Number of Content Filter Policies: 16 / 16. Maximum Number of Content Filter Profiles: 16 / 16. Maximum Number of Forbidden Domain Entries: 1...

Page 947: ...r of Anti-Virus Rules: 32 / 32. Maximum Number of White List Entries: 256 / 256. Maximum Number of Black List Entries: 256 / 256. Maximum Number of Anti-Virus Statistics: 500 / 500. Maximum Anti-Virus Statistics Ranking: 10 / 10. SSL VPN: Maximum SSL VPN Connections: 2 without a license, 10 with license / 2 without a license, 10 with license. OTHERS: Maximum Number of Device HA VRRP Groups: 32 / 32. Maximum Number of OSPF Areas ...

Page 948: ...aximum Session Limit per Host Rules: 1000 / 1000. APPLICATION PATROL: Maximum Rules for Other Protocols: 16 / 16. Maximum Rules for Each Protocol: 16 / 16. Allowed Ports: NA / 8. Default Ports: 8 / 8. USER PROFILES: Maximum Local Users: 128 / 128. Maximum Admin Users: 5 / 5. Maximum User Groups: 32 / 32. Maximum Users in One User Group: 128 / 128. OBJECTS: Address Objects: 200 / 200. Address Groups: 50 / 50. Maximum address object in one group...

Page 949: ...Maximum Number of IPSec VPN Tunnels: 50 / 50. Maximum Number of IPSec VPN Concentrators: 2 / 2. CERTIFICATES: Certificate Buffer Size: 64 K / 64 K. BUILT-IN SERVICES: A record: 64 / 64. NS record: 8 / 8. MX record: 8 / 8. Maximum Number of Service Control Entries: 16 per service / 16 per service. Maximum DHCP Host Pool: 128 / 128. Maximum Number of DDNS Profiles: 5 / 5. DHCP Relay: 2 per interface / 2 per interface. CENTRALIZED LOG: Log En...

Page 950: ... Anti-Spam Rules: 32 / 32. Maximum Number of White List Entries: 128 / 128. Maximum Number of Black List Entries: 128 / 128. Maximum Number of DNSBLs: 5 / 5. Maximum Number of Anti-Spam Statistics: 500 / 500. Maximum Anti-Spam Statistics Ranking: 10 / 10. ANTI-VIRUS: Maximum Number of Concurrent ZIP File Decompression Sessions: 30 ZIP files, 4 RAR (LZSS) or 1 RAR (PPM) / 30 ZIP files, 4 RAR (LZSS) or 1 RAR (PPM). Maximum Number of Anti...

Page 951: ...06, 1712, 1750, 1876, 1982, 1995, 1996, 2136, 2163, 2181, 2230, 2308, 2535, 2536, 2537, 2538, 2539, 2671, 2672, 2673, 2782, 3007, 3090. Built-in service: DHCP server: RFCs 1542, 2131, 2132, 2485, 2489. Built-in service: HTTP server: RFCs 1945, 2616, 2965, 2732, 2295. Built-in service: SNMP agent: RFCs 1067, 1213, 2576, 2578, 2579, 2580, 2741, 2667, 2981, 3371. Login: LDAP support: RFCs 2251, 2252, 2253, 2254, 2255, 2256, 2589, 2829, 2830. Used by Apache: RF...

Page 952: ...force, bend or twist the card. Figure 609 WLAN Card Installation. 57.2 Power Adaptor Specifications. Table 277 North American Plug Standards. AC POWER ADAPTOR MODEL: PSA18R-120P ZA-R. INPUT POWER: 100-240VAC, 50/60HZ, 0.5A. OUTPUT POWER: 12VDC, 3.5A. POWER CONSUMPTION: 20 W MAX. SAFETY STANDARDS: UL/CUL (UL 60950-1 FIRST EDITION; CSA C22.2 NO. 60950-1-03 1ST). Table 278 European Plug Standards. AC POWER ADAPTOR MODEL: PSA...

Page 953: ... Zealand Plug Standards. AC POWER ADAPTOR MODEL: PSA18R-120P ZS-R. INPUT POWER: 100-240VAC, 50/60HZ, 0.5A. OUTPUT POWER: 12VDC, 3.5A. POWER CONSUMPTION: 20 W MAX. SAFETY STANDARDS: AS/NZ60950. Table 281 Japan Plug Standards. AC POWER ADAPTOR MODEL: PSA18R-120P ZA-R. INPUT POWER: 100-240VAC, 50/60HZ, 0.5A. OUTPUT POWER: 12VDC, 3.5A. POWER CONSUMPTION: 20 W MAX. SAFETY STANDARDS: JET. Table 282 China Plug Standards. AC POWER AD...


Page 955: ... zsb port to 80: The content filtering checking for unsafe web sites has been changed to use port 80 due to a configuration change. Content filter has been changed zsb port to 23: The content filtering checking for unsafe web sites has been changed to use port 23 due to a configuration change. Table 284 Forward Web Site Logs. LOG MESSAGE / DESCRIPTION. s: Trusted Web site: The device allowed access to a web...

Page 956: ...2: Invalid service license. 4: Rating service is restarting. 5: Can't connect to rating server. 6: Query failed. 7: Query timeout. 8: Too many queries. 9: Unknown reason. s: website host. s s cache hit: The web site's category exists in the device's local cache and access was blocked according to a content filter profile. 1st s: website host. 2nd s: website category. s: Not in trusted web list: The web site is not a trus...

Page 957: ...am policy with the specified index number d has been added to the end of the list. Anti-Spam policy d has been deleted: The anti-spam policy with the specified index number d has been removed. Anti-Spam policy d has been moved to d: The anti-spam policy with the specified index number (first d) was moved to the specified index number (second d). White List checking has been activated: The anti-spam white li...

Page 958: ...has been added. DNSBL domain s has been modified to s: The specified DNSBL domain name (first s) has been changed to the second s. DNSBL domain s has been deleted: The specified DNSBL domain name s has been removed. DNSBL domain s has been activated: The specified DNSBL domain name s has been turned on. DNSBL domain s has been deactivated: The specified DNSBL domain name s has been turned off. Match White Li...

Page 959: ... is the IP address given to the SSL user. The s address object is invalid IP in SSL Policy s: The listed address object (first s) is not an allowed IP for the listed SSL policy (second s). The s address object does not has assignable IP in SSL Policy s: There are no more assignable IP addresses in the listed address object (first s). The address object is used by the listed SSL policy (second s). The s address ...

Page 960: ...th s in SSL VPN policy s. So s will not be injected to client side: The IP pool is in the same subnet as the specified address object (first s) in the listed SSL VPN policy (second s), so the listed address (third s) will not be given to an SSL VPN client. The s is same subnet with IP pool in SSL VPN policy s. So s will not be injected to client side: The specified address object (first s) is in the same subnet...

Page 961: ...the user is using (HTTP or HTTPS). s s from s has been logged out (SSLVPN idle timeout): The specified user was signed out by the device due to an idle timeout. The first s is the type of user account. The second s is the user's user name. The third s is the name of the service the user is using (HTTP or HTTPS). Failed login attempt to SSLVPN from s (login on a lockout address): An SSL VPN login attempt from the...

Page 962: ...ice because the user name does not exist. User s has been denied from L2TP service (Disallowed User): A user with the specified user name (s) was denied access to the L2TP over IPSec service because the user name is not specified in the L2TP over IPSec configuration. User s has been denied from L2TP service (Incorrect Password): A user with the specified user name (s) was denied access to the L2TP over IPSec ...

Page 963: ...zysh group name. cannot create too many groups d: 1st d: max group num. s cannot find entry s: 1st s: zysh group name; 2nd s: zysh entry name. s cannot remove entry s: 1st s: zysh group name; 2nd s: zysh entry name. List OPS: can't alloc entry s: 1st s: zysh entry name. can't retrieve entry s: 1st s: zysh entry name. can't get entry s: 1st s: zysh entry name. can't print entry s: 1st s: zysh entry name. s cannot retrieve entries from list: 1s...

Page 964: ... 1st s: zysh table name. Unable to move entry d: 1st d: zysh entry num. s invalid index: 1st s: zysh table name. Unable to delete entry d: 1st d: zysh entry num. Unable to change entry d: 1st d: zysh entry num. s cannot retrieve entries from table: 1st s: zysh table name. s invalid old/new index: 1st s: zysh table name. Unable to move entry d: 1st d: zysh entry num. s apply failed at initial stage: 1st s: zysh table name. s apply failed at ...

Page 965: ... number (first num) was moved to the specified index number (second num). New ADP rule has been appended: An ADP rule has been added to the end of the list. ADP rule num has been inserted: An ADP rule has been inserted; num is the number of the new rule. ADP rule num has been modified: The ADP rule of the specified number has been changed. ADP profile name has been deleted: The ADP rule with the specified name...

Page 966: ...ess a compressed file because there were too many compressed files at the same time. 1st s: The protocol of the packet. 2nd s: The filename of the related file. s due to more than one layer compressed file, s could not be decompressed: The ZyWALL could not decompress a compressed file because it contained other compressed files. 1st s: The protocol of the packet. 2nd s: The filename of the related file. s due...

Page 967: ... file was too large. AV signature update has failed: An anti-virus signatures update failed for unknown reasons. Anti-Virus signatures missing, refer to your user documentation to recover the default database file: When the ZyWALL started, it could not find the anti-virus signature file. See the CLI reference guide for how to restore the default system database. Update signature version has failed: An atte...

Page 968: ...virus file pattern was deleted from the white or black list. 1st s: The file pattern. 2nd s: The white list or black list. File pattern s has been added in s: An anti-virus file pattern was added to the white or black list. 1st s: The file pattern. 2nd s: The white list or black list. s has been s: An anti-virus file pattern white list or black list was turned on or off. 1st s: The white list or black list. 2nd ...

Page 969: ...r is using (HTTP, HTTPS, FTP, Telnet, SSH or console). s s from s has been logged out (ZyWALL lease timeout): The ZyWALL is signing the specified user out due to a lease timeout. 1st s: The type of user account. 2nd s: The user's user name. 3rd s: The name of the service the user is using (HTTP, HTTPS, FTP, Telnet, SSH or console). s s from s has been logged out (ZyWALL idle timeout): The ZyWALL is signing the specified us...

Page 970: ...name. Table 293 myZyXEL.com Logs. LOG MESSAGE / DESCRIPTION. Send registration message to MyZyXEL.com server has failed: The device was not able to send a registration message to MyZyXEL.com. Get server response has failed: The device sent packets to the MyZyXEL.com server but did not receive a response. The root cause may be that the connection is abnormal. Timeout for get server response, zysh need to catc...

Page 971: ...ard service activation has failed. Because of lack must fields: The device received an incomplete response from the myZyXEL.com server and it caused a parsing error for the device. Service expiration check has failed: s: The service expiration day check failed; this log will append an error message returned by the MyZyXEL.com server. s: error message returned by myZyXEL.com server. Service expiration check...

Page 972: ...e update has stopped because the device couldn't resolve the myZyXEL.com server's FQDN to an IP address through gethostbyname. Verify server's certificate has failed. Update stop: The device could not process an HTTPS connection because it could not verify the myZyXEL.com server's certificate. The update has stopped. Send download request to update server has failed: The device's attempt to send a downl...

Page 973: ...ies. Anti-Virus signature download has succeeded: The device successfully downloaded an anti-virus signature file. Anti-Virus signature update has succeeded: The device successfully downloaded and applied an anti-virus signature file. Anti-Virus signature download has failed: The device still cannot download the anti-virus signature after 3 retries. System protect signature download has succeeded: The dev...

Page 974: ... daily check: The device processes a service expiration day check immediately after it starts up. After register. Do expiration daily check immediately: The device processes a service expiration day check immediately after device registration. Time is up. Do expiration daily check: The device processes a service expiration day check every 24 hrs. Read MyZyXEL.com storage has failed: Read data from EEPROM has fail...

Page 975: ...t for get server response: After the device sent packets to a server, the device did not receive any response from the server. The root cause may be a network delay issue. Download file size is wrong: The file size downloaded for AS is not identical with content length. Parse HTTP header has failed: Device can't parse the HTTP header in a response returned by a server. Maybe some HTTP headers are missing ...

Page 976: ... a custom IDP signature failed. The error sid and message are displayed. Custom signature import error: line line sid sid error_message: An attempt to import a custom IDP signature failed. The errored line number in the file, the error sid and error message are displayed. Custom signature replace error: line line sid sid error_message: Custom IDP signature replacing failed. Error line number of file, sid and...

Page 977: ... the last signature file update failed. IDP signature update failed. Can not update synchronized file: An attempt to update the IDP signatures failed. Rebuilding of the IDP device HA synchronized file failed. IDP signature update from version version to version version has succeeded: An IDP signature update succeeded. The previous and updated IDP signature versions are listed. IDP system protect signature...

Page 978: ...pt to update the IDP signatures failed due to an internal system error. System internal error. Create IDP traffic anomaly entry failed: There was an internal system error. Query signature version failed: The device could not get the signature version from the new signature package it downloaded from the update server. Can not get signature version: The device could not get the signature version from the ...

Page 979: ...file name has been modified: IDP profile has been modified; name is profile name. IDP signatures missing, please refer to your user documentation to recover the default database file: When the ZyWALL started, it could not find the IDP signature file. See the CLI reference guide for how to restore the default system database. IDP signature size is over system limitation: The IDP signature set is too large e...

Page 980: ...f for the listed protocol's traffic. Default port s of protocol s has been added: The listed default port (first s) has been added for the listed protocol (second s). Default port s of protocol s has been removed: The listed default port (first s) has been deleted for the listed protocol (second s). Rule s s has been moved to index s: An application patrol rule has been moved. 1st s: Protocol name. 2nd s: From rule...

Page 981: ... is the tunnel name. When negotiating Phase 1 and selecting matched proposal, My IP Address could not be resolved. ID Tunnel s Phase 1 ID mismatch: s is the tunnel name. When negotiating Phase 1, the peer ID did not match. ID Tunnel s Phase 2 Local ID mismatch: s is the tunnel name. When negotiating Phase 2 and checking IPsec SAs, or the ID is IPv6 ID. ID Tunnel s Phase 2 Remote ID mismatch: s is the tunnel n...

Page 982: ...t match. SA Tunnel s Phase 2 pfs unsupported d: s is the tunnel name. When negotiating Phase 2, this device does not support the PFS specified. SA Tunnel s Phase 2 SA encapsulation mismatch: s is the tunnel name. When negotiating Phase 2, the SA encapsulation did not match. SA Tunnel s Phase 2 SA protocol mismatch: s is the tunnel name. When negotiating Phase 2, the SA protocol did not match. SA Tunnel s SA se...

Page 983: ...he remote name. The device sent a request to enter Aggressive Mode. Send SA KE ID CERT CR HASH SIG NONCE DEL VID ATTR NOTFY s: This is a combined message for outgoing IKE packets. Start Phase 2 Quick Mode: Indicates the beginning of phase 2 using quick mode. The cookie pair is 0x 08x 08x 0x 08x 08x: Indicates the initiator/responder cookie pair. The IPSec tunnel s is already established: s is the tunnel...

Page 984: ...el s s 0x x 0x x s rekeyed successfully: The variables represent the phase 1 name, tunnel name, old SPI, new SPI and the xauth name (optional). The tunnel was rekeyed successfully. Tunnel s s Phase 1 pre-shared key mismatch: The variables represent the phase 1 name and tunnel name. When negotiating phase 1, the pre-shared keys did not match. Tunnel s s Recving IKE request: The variables represent the phase 1 n...

Page 985: ... 0x x SEQ 0x x Packet Anti-Replay detected: The variables represent the SPI and the sequence number. The device received a packet again that it had already received. VPN connection s was disabled: s is the VPN connection name. An administrator disabled the VPN connection. VPN connection s was enabled: s is the VPN connection name. An administrator enabled the VPN connection. Due to active connection allowe...

Page 986: ... been disabled: Asymmetrical Route has been turned off. Table 299 Sessions Limit Logs. LOG MESSAGE / DESCRIPTION. Maximum sessions per host d was exceeded: d is maximum sessions per host. Table 300 Policy Route Logs. LOG MESSAGE / DESCRIPTION. Can't open bwm_entries: Policy routing can't activate BWM feature. Can't open link_down: Policy routing can't detect link up/down status. Cannot get handle from UAM user aw...

Page 987: ...oute rule number. Policy route rule d was moved to d: Rule is moved. 1st d: the original policy route rule number. 2nd d: the new policy route rule number. Policy route rule d was deleted: Rule is deleted. d: the policy route rule number. Policy route rules were flushed: Policy routing rules are cleared. BWM has been activated: The global setting for bandwidth management on the ZyWALL has been turned on. BWM has...

Page 988: ...fter an administrator assigns a certificate for SSH, the device needs to convert it to a key used for SSH. s is certificate name assigned by user. TELNET port has been changed to port s: An administrator changed the port number for TELNET. s is port number assigned by user. TELNET port has been changed to default port: An administrator changed the port number for TELNET back to the default (23). FTP certifi...

Page 989: ...s retrieved from it. Set timezone to s: An administrator changed the time zone. s is time zone value. Set timezone to default: An administrator changed the time zone back to the default (0). Enable daylight saving: An administrator turned on daylight saving. Disable daylight saving: An administrator turned off daylight saving. DNS access control rules have been reached the maximum number: An administrator trie...

Page 990: ...r failed. Wizard adds DNS server s failed because DNS zone setting has conflictd: Wizard apply DNS server failed because DNS zone conflicted. s is the IP address of the DNS server. Wizard adds DNS server s failed because Zone Forwarder numbers have reached the maximum number of 32: Wizard apply DNS server fail because the device already has the maximum number of DNS records configured. s is IP address o...

Page 991: ...r. Port d is down: When LINK is down. d is the port number. s is dead at s: A daemon process is gone (was killed by the operating system). 1st s: Daemon Name. 2nd s: date and time. s process count is incorrect at s: The count of the listed process is incorrect. 1st s: Daemon Name. 2nd s: date and time. s becomes Zombie at s: A process is present but not functioning. 1st s: Daemon Name. 2nd s: date and time. When memory u...

Page 992: ...ARP response from an unknown client. In total received d arp response packets for the requested IP address: The device received the specified total number of ARP response packets for the requested IP address. Clear arp cache successfully: The ARP cache was cleared successfully. Client MAC address is not an Ethernet address: A client MAC address is not an Ethernet address. DHCP request received via interf...

Page 993: ...is malformed for DynDNS server. 1st s is the profile name. 2nd s is the FQDN of the profile. Update the profile s has failed because the FQDN s is not under your control: The owner of this FQDN is not the user. 1st s is the profile name. 2nd s is the FQDN of the profile. Update the profile s has failed because the FQDN s was blocked for abuse: The FQDN is blocked by DynDNS. 1st s is the profile name. 2nd s ...

Page 994: ...ile name. Update the profile s has failed because Custom IP was empty: The DDNS profile's IP select type is custom and a custom IP was not defined. s is the profile name. Update the profile s has failed because WAN interface was empty: If the DDNS profile's IP select type is iface, it needs a WAN iface. s is the profile name. The profile s has been paused because the VRRP status of WAN interface was stand...

Page 995: ...d. DDNS profile cannot be updated because the fail of ping check for HA iface: s is the profile name. DDNS has been disabled by Device HA: DDNS is disabled by Device HA because all VRRP groups are standby. DDNS has been enabled by Device HA: DDNS is enabled by Device HA because one of the VRRP groups is active. Disable DDNS has succeeded: Disable DDNS. Enable DDNS has succeeded: Enable DDNS. DDNS profile s has b...

Page 996: ...ss can't get memory from OS. Can't load s module: The connectivity check process can't load the module for checking link status. s: the connectivity module (currently only ICMP available). Can't handle isalive function of s module: The connectivity check process can't execute the isalive function from the module for checking link status. s: the connectivity module (currently only ICMP available). Create socket error: The connect...

Page 997: ...oup has been created. s: the name of VRRP group. Device HA VRRP group s has been modified: A VRRP group has been modified. s: the name of VRRP group. Device HA VRRP group s has been deleted: A VRRP group has been deleted. s: the name of VRRP group. Device HA VRRP interface s for VRRP Group s has changed: Configuration of an interface that belonged to a VRRP group has been changed. 1st s: VRRP interface name. 2...

Page 998: ...s for s: Synchronization failed because the Backup could not connect to the Master. The object to be synchronized. 2nd s: The feature name for the object to be synchronized. Backup firmware version can not be recognized. Stop syncing from Master: The firmware version on the Backup cannot be resolved to check if it is the same as on the Master. A Backup device only synchronizes from the Master if the Maste...

Page 999: ...nchronized. d: the retry count. Recovring to Backup original state for s has failed: An update failed. The device will try to recover the failed update feature to the original state before Device HA synchronizes the specified object. Recovering to Backup original state for s has succeeded: Recovery succeeded when an update for the specified object failed. One of VRRP groups has became avtive. Device HA Syn...

Page 1000: ...ion on interface s has been changed to Out Only: RIP direction on interface s has been changed to Out Only. s: Interface Name. RIP authentication mode has been changed to s: RIP authentication mode has been changed to text or md5. RIP text authentication key has been changed: RIP text authentication key has been changed. RIP md5 authentication id and key have been changed: RIP md5 authentication id and key...

Page 1001: ...me. 2nd s: RIP Version. RIP receive version on interface s has been reset to current global version s: RIP receive version on interface s has been reset to current global version s. 1st s: Interface Name. 2nd s: RIP Version. RIP v2 broadcast on interface s has been disabled: RIP v2 broadcast on interface s has been disabled. s: Interface Name. OSPF on interface s has been stopped because Device HA binds this interface...

Page 1002: ... s: Interface Name. Table 306 NAT Logs. LOG MESSAGE / DESCRIPTION. The NAT range is full: The NAT mapping table is full. s FTP ALG has succeeded: The FTP Application Layer Gateway (ALG) has been turned on or off. s: Enable or Disable. Extra signal port of FTP ALG has been modified: Extra FTP ALG port has been changed. Signal port of FTP ALG has been modified: Default FTP ALG port has been changed. s H.323 ALG has s...

Page 1003: ...s successfully The router created a certificate request with the specified name Generate certificate request s failed errno d The router was not able to create a certificate request with the specified name See Table 292 on page 1005 for details about the error number Generate PKCS 12 certificate s successfully The router created a PKCS 12 format certificate with the specified name Generate PKCS 12...

Page 1004: ...icate request name. Import PKCS 7 certificate s into Trusted Certificate successfully: The device imported a PKCS 7 format certificate into Trusted Certificates; s is the certificate request name. Decode imported certificate s failed: The device was not able to decode an imported certificate; s is the certificate request name. Export PKCS 12 certificate s from My Certificate successfully: The device expor...

Page 1005: ...certificate and the search constraints 2 Key usage mismatch between the certificate and the search constraints 3 Certificate was not valid in the time interval 4 Not used 5 Certificate is not valid 6 Certificate signature was not verified correctly 7 Certificate was revoked by a CRL 8 Certificate was not added to the cache 9 Certificate decoding failed 10 Certificate was not found anywhere 11 Cert...

Page 1006: ...ber set and a user tried to use the disconnect aux command Interface s will reapply because Device HA become active status Device ha became active and is using a PPP base interface the PPP interface must reapply s is the interface name Interface s will reapply because Device HA is not running Device ha was deleted and free PPP base interface PPP interface must reapply s is the interface name Inter...

Page 1007: ...me s status s TxP kts u RxPkts u Colli u T xB s u RxB s u UpTime s Port statistics log This log will be sent to the VRPT server 1st s physical port name 2nd s physical port status 1st u physical port Tx packets 2nd u physical port Rx packets 3rd u physical port packets collisions 4th u physical port Tx Bytes s 5th u physical port Rx Bytes s 3rd s physical port up time name s status s TxP kts u RxP...

Page 1008: ... connection timed out due to a lack of response from the PPPOE server s PPP interface name Interface s create failed because has no member A bridge interface has no member s bridge interface name Interface cellular Application Error Code d n The listed error code d was generated due to an internal cellular interface error An error d occurred while negotiating with the device in s Please try to rem...

Page 1009: ...ck the PIN code setting. The listed cellular interface d has the wrong PIN code configured. Unable to query the signal quality from the device in s Please try to remove then insert the device: The ZyWALL could not check the signal strength for the listed cellular interface d. This could be due to an error or to being out of range of the ISP's cellular station. Interface cellular d cannot connect to t...

Page 1010: ...s has been configured The configuration of the specified WLAN interface s has been changed Interface s has been deleted The specified WLAN interface s has been removed Create interface s has failed Wlan device does not exist The wireless device failed to create the specified WLAN interface s Remove the wireless device and reinstall it System internal error No 802 1X or WPA enabled IEEE 802 1x or W...

Page 1011: ...of the wireless client is listed second s Incorrect username or password for WPA or WPA2 enterprise internal authentication Interface s MAC s A wireless client used an incorrect WPA or WPA2 user name or user password and failed authentication by the ZyWALL s local user database while trying to connect to the specified WLAN interface first s The MAC address of the wireless client is listed second s...

Page 1012: ...ace and this representative interface is set to DHCP client and has more than one member in its group In this case the DHCP client will renew s interface name Port Grouping s has been changed An administrator configured port grouping s interface name Table 312 Force Authentication Logs LOG MESSAGE DESCRIPTION Force User Authentication will be enabled due to http server is enabled Force user authen...

Page 1013: ...DHCP pool are already assigned to DHCP clients so there is no IP address to give to the listed DHCP client DHCP server offered s to s s The DHCP server feature gave the listed IP address to the computer with the listed hostname and MAC address Requested s from s s The ZyWALL received a DHCP request for the specified IP address from the computer with the listed hostname and MAC address No applicabl...

Page 1014: ...il server are correct but the listed sender e mail address does not match the listed SMTP e mail account Failed to connect to mail server s The ZyWALL could not connect to the SMTP e mail server s The address configured for the server may be incorrect or there may be a problem with the ZyWALL s or the server s network connection Table 316 IP MAC Binding Logs LOG MESSAGE DESCRIPTION Drop packet s u...

Page 1015: ...k fail in s The Windows automatic update setting on a user s computer did not match the specified EPS object Windows security patch check fail in s The Windows security patch on a user s computer did not match the specified EPS object Antivirus check fail in s A user s computer did not match the anti virus software check in the specified EPS object Personal firewall check fail in s A user s comput...

Page 1016: ...ries User s Guide 1016 Windows version check fail in s A user s computer did not match the Windows version check in the specified EPS object EPS checking result is pass A user s computer passed the EPS check Table 318 EPS Logs LOG MESSAGE DESCRIPTION ...

Page 1017: ...r further information about port numbers If the Protocol is TCP UDP or TCP UDP this is the IP port number If the Protocol is USER this is the IP protocol number Description This is a brief explanation of the applications that use this service or the situations in which this service is used Table 319 Commonly Used Services NAME PROTOCOL PORT S DESCRIPTION AH IPSEC_TUNNEL User Defined 51 The IPSEC A...

Page 1018: ...ned 2 Internet Group Management Protocol is used when sending packets to a specific group of hosts IKE UDP 500 The Internet Key Exchange algorithm is used for key distribution and management IRC TCP UDP 6667 This is another popular Internet chat program MSN Messenger TCP 1863 Microsoft Networks messenger service uses this protocol NEW ICQ TCP 5190 An Internet chat program NEWS TCP 144 A protocol f...

Page 1019: ...tocol is the message exchange standard for the Internet SMTP enables you to move messages from one e mail server to another SNMP TCP UDP 161 Simple Network Management Program SNMP TRAPS TCP UDP 162 Traps for use with the SNMP RFC 1215 SQL NET TCP 1521 Structured Query Language is an interface to access data on many different types of database systems including mainframes midrange systems UNIX syst...

Page 1020: ...l File Transfer Protocol is an Internet file transfer protocol similar to FTP but uses the UDP User Datagram Protocol rather than TCP Transmission Control Protocol VDOLIVE TCP 7000 Another videoconferencing solution Table 319 Commonly Used Services continued NAME PROTOCOL PORT S DESCRIPTION ...

Page 1021: ... alert message on Microsoft Windows based computers. If the log shows that virus files are being detected but your Microsoft Windows based computer is not displaying an alert message, use one of the following procedures to make sure your computer is set to display the messages. Windows XP: 1 Click Start > Control Panel > Administrative Tools > Services. Figure 610 Windows XP: Opening the Services Window ...

Page 1022: ...2 Select the Messenger service and click Start. Figure 611 Windows XP: Starting the Messenger Service. 3 Close the window when you are done. Windows 2000: 1 Click Start > Settings > Control Panel > Administrative Tools > Services. Figure 612 Windows 2000: Opening the Services Window ...

Page 1023: ...lose the window when you are done Windows 98 SE Me For Windows 98 SE Me you must open the WinPopup window in order to view real time alert messages Click Start Run and enter winpopup in the field provided and click OK The WinPopup window displays as shown Figure 614 Windows 98 SE WinPopup If you want to display the WinPopup window at startup follow the steps below for Windows 98 SE steps are simil...

Page 1024: ...1 Right click on the program task bar and click Properties. Figure 615 Windows 98 SE: Program Task Bar. 2 Click the Start Menu Programs tab and click Advanced. Figure 616 Windows 98 SE: Task Bar Properties. 3 Double click Programs and click StartUp ...

Page 1025: ...4 Right click in the StartUp pane and click New > Shortcut. Figure 617 Windows 98 SE: StartUp. 5 A Create Shortcut window displays. Enter winpopup in the Command line field and click Next. Figure 618 Windows 98 SE Startup: Create Shortcut ...

Page 1026: ...ut or accept the default and click Finish Figure 619 Windows 98 SE Startup Select a Title for the Program 7 A shortcut is created in the StartUp pane Restart the computer when prompted Figure 620 Windows 98 SE Startup Shortcut Note The WinPopup window displays after the computer finishes the startup process see Figure 614 on page 1023 ...

Page 1027: ...ificates These can be used by web browsers on a LAN or WAN to verify that they are in fact connecting to the legitimate device and not one masquerading as it However because the certificates were not issued by one of the several organizations officially recognized by the most common web browsers you will need to import the ZyXEL created certificate into your web browser and flag that certificate a...

Page 1028: ...n then the first time you browse to it you are presented with a certification error Figure 621 Internet Explorer 7 Certification Error 2 Click Continue to this website not recommended Figure 622 Internet Explorer 7 Certification Error 3 In the Address Bar click Certificate Error View certificates Figure 623 Internet Explorer 7 Certificate Error ...

Page 1029: ...4 In the Certificate dialog box, click Install Certificate. Figure 624 Internet Explorer 7: Certificate. 5 In the Certificate Import Wizard, click Next. Figure 625 Internet Explorer 7: Certificate Import Wizard ...

Page 1030: ...o Automatically select certificate store based on the type of certificate click Next again and then go to step 9 Figure 626 Internet Explorer 7 Certificate Import Wizard 7 Otherwise select Place all certificates in the following store and then click Browse Figure 627 Internet Explorer 7 Certificate Import Wizard ...

Page 1031: ... Select Certificate Store dialog box choose a location in which to save the certificate and then click OK Figure 628 Internet Explorer 7 Select Certificate Store 9 In the Completing the Certificate Import Wizard screen click Finish Figure 629 Internet Explorer 7 Certificate Import Wizard ...

Page 1032: ... Finally click OK when presented with the successful certificate installation message Figure 631 Internet Explorer 7 Certificate Import Wizard 12 The next time you start Internet Explorer and go to a ZyXEL Web Configurator page a sealed padlock icon appears in the address bar Click it to view the page s Website Identification information Figure 632 Internet Explorer 7 Website Identification ...

Page 1033: ...le if one has been issued to you 1 Double click the public key certificate file Figure 633 Internet Explorer 7 Public Key Certificate File 2 In the security warning dialog box click Open Figure 634 Internet Explorer 7 Open File Security Warning 3 Refer to steps 4 12 in the Internet Explorer procedure beginning on page 1027 to complete the installation process Removing a Certificate in Internet Exp...

Page 1034: ...1 Open Internet Explorer and click Tools > Internet Options. Figure 635 Internet Explorer 7: Tools Menu. 2 In the Internet Options dialog box, click Content > Certificates. Figure 636 Internet Explorer 7: Internet Options ...

Page 1035: ...ertificates Authorities tab select the certificate that you want to delete and then click Remove Figure 637 Internet Explorer 7 Certificates 4 In the Certificates confirmation click Yes Figure 638 Internet Explorer 7 Certificates 5 In the Root Certificate Store dialog box click Yes Figure 639 Internet Explorer 7 Root Certificate Store ...

Page 1036: ...ox The following example uses Mozilla Firefox 2 on Windows XP Professional however the screens can also apply to Firefox 2 on all platforms 1 If your device s Web Configurator is set to use SSL certification then the first time you browse to it you are presented with a certification error 2 Select Accept this certificate permanently and click OK Figure 640 Firefox 2 Website Certified by an Unknown...

Page 1037: ...rs in the address bar which you can click to open the Page Info Security window to view the web page s security information Figure 641 Firefox 2 Page Info Installing a Stand Alone Certificate File in Firefox Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted you can install a stand alone certificate file if one has been issued to you ...

Page 1038: ...1 Open Firefox and click Tools > Options. Figure 642 Firefox 2: Tools Menu. 2 In the Options dialog box, click Advanced > Encryption > View Certificates. Figure 643 Firefox 2: Options ...

Page 1039: ...Web Sites Import Figure 644 Firefox 2 Certificate Manager 4 Use the Select File dialog box to locate the certificate and then click Open Figure 645 Firefox 2 Select File 5 The next time you visit the web site click the padlock in the address bar to open the Page Info Security window to see the web page s security information ...

Page 1040: ...Removing a Certificate in Firefox This section shows you how to remove a public key certificate in Firefox 2 1 Open Firefox and click Tools Options Figure 646 Firefox 2 Tools Menu 2 In the Options dialog box click Advanced Encryption View Certificates Figure 647 Firefox 2 Options ...

Page 1041: ...Delete Figure 648 Firefox 2 Certificate Manager 4 In the Delete Web Site Certificates dialog box click OK Figure 649 Firefox 2 Delete Web Site Certificates 5 The next time you go to the web site that issued the public key certificate you just removed a certification error appears Opera The following example uses Opera 9 on Windows XP Professional however the screens can apply to Opera 9 on all pla...

Page 1042: ...irst time you browse to it you are presented with a certification error 2 Click Install to accept the certificate Figure 650 Opera 9 Certificate signer not found 3 The next time you visit the web site click the padlock in the address bar to open the Security information window to view the web page s security details Figure 651 Opera 9 Security information ...

Page 1043: ...a Stand Alone Certificate File in Opera Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted you can install a stand alone certificate file if one has been issued to you 1 Open Opera and click Tools Preferences Figure 652 Opera 9 Tools Menu ...

Page 1044: ...Appendix D Importing Certificates. 2 In Preferences, click Advanced > Security > Manage certificates. Figure 653 Opera 9: Preferences ...

Page 1045: ...3 In the Certificates Manager, click Authorities > Import. Figure 654 Opera 9: Certificate manager. 4 Use the Import certificate dialog box to locate the certificate and then click Open. Figure 655 Opera 9: Import certificate ...

Page 1046: ...a 9 Install authority certificate 6 Next click OK Figure 657 Opera 9 Install authority certificate 7 The next time you visit the web site click the padlock in the address bar to open the Security information window to view the web page s security details Removing a Certificate in Opera This section shows you how to remove a public key certificate in Opera 9 ...

Page 1047: ...1 Open Opera and click Tools > Preferences. Figure 658 Opera 9: Tools Menu. 2 In Preferences, click Advanced > Security > Manage certificates. Figure 659 Opera 9: Preferences ...

Page 1048: ... certificate you just removed a certification error appears Note There is no confirmation when you delete a certificate authority so be absolutely certain that you want to go through with it before clicking the button Konqueror The following example uses Konqueror 3 5 on openSUSE 10 3 however the screens apply to Konqueror 3 5 on all Linux KDE distributions 1 If your device s Web Configurator is s...

Page 1049: ...61 Konqueror 3 5 Server Authentication 3 Click Forever when prompted to accept the certificate Figure 662 Konqueror 3 5 Server Authentication 4 Click the padlock in the address bar to open the KDE SSL Information window and view the web page s security details Figure 663 Konqueror 3 5 KDE SSL Information ...

Page 1050: ...te when prompted you can install a stand alone certificate file if one has been issued to you 1 Double click the public key certificate file Figure 664 Konqueror 3 5 Public Key Certificate File 2 In the Certificate Import Result Kleopatra dialog box click OK Figure 665 Konqueror 3 5 Certificate Import Result The public key certificate appears in the KDE certificate manager Kleopatra Figure 666 Kon...

Page 1051: ...page s security details Removing a Certificate in Konqueror This section shows you how to remove a public key certificate in Konqueror 3 5 1 Open Konqueror and click Settings Configure Konqueror Figure 667 Konqueror 3 5 Settings Menu 2 In the Configure dialog box select Crypto 3 On the Peer SSL Certificates tab select the certificate you want to delete and then click Remove Figure 668 Konqueror 3 ...

Page 1052: ... 4 The next time you go to the web site that issued the public key certificate you just removed a certification error appears Note There is no confirmation when you remove a certificate authority so be absolutely certain you want to go through with it before clicking the button ...

Page 1053: ...independent network which is commonly referred to as an ad hoc network or Independent Basic Service Set IBSS The following diagram shows an example of notebook computers using wireless adapters to form an ad hoc wireless LAN Figure 669 Peer to Peer Communication in an Ad hoc Network BSS A Basic Service Set BSS exists when all communications between wireless clients or between a wireless client and...

Page 1054: ... An Extended Service Set ESS consists of a series of overlapping BSSs each containing an access point with each access point connected together by a wired network This wired connection between APs is called a Distribution System DS This type of wireless LAN topology is called an Infrastructure WLAN The Access Points not only provide communication with the wired network but also mediate wireless ne...

Page 1055: ...m an adjacent AP access point to reduce interference Interference occurs when radio signals from different access points overlap causing interference and degrading performance Adjacent channels partially overlap however To avoid interference due to overlap your AP should be on a channel at least five channels away from a channel that an adjacent AP is using For example if your region has 11 channe...

Page 1056: ...ue you set between 0 and 2432 bytes, the station that wants to transmit this frame must first send an RTS (Request To Send) message to the AP for permission to send it. The AP then responds with a CTS (Clear to Send) message to all other stations within its range to notify them to defer their transmission. It also reserves and confirms with the requesting station the time frame for the requested transmiss...

Page 1057: ...mble Type Preamble is used to signal that data is coming to the receiver Short and long refer to the length of the synchronization field in a packet Short preamble increases performance as less time sending preamble means more time for sending data All IEEE 802 11 compliant wireless adapters support long preamble but not all support short preamble Use long preamble if you are unsure what preamble ...

Page 1058: ...ese wireless security methods available on your ZyWALL Note You must enable the same wireless security settings on the ZyWALL and on all wireless clients that you want to associate with it IEEE 802 1x In June 2001 the IEEE 802 1x standard was designed to extend the features of IEEE 802 11 to support extended authentication as well as providing additional Table 320 IEEE 802 11g DATA RATE MBPS MODUL...

Page 1059: ... the RADIUS server The RADIUS server handles the following tasks Authentication Determines the identity of the users Authorization Determines the network services available to authenticated users once they are connected to the network Accounting Keeps track of the client s network activity RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless client and ...

Page 1060: ...eract with an EAP compatible RADIUS server an access point helps a wireless station and a RADIUS server perform authentication The type of authentication you use depends on the RADIUS server and an intermediary AP s that supports IEEE 802 1x For EAP TLS authentication type you must first have a wired connection to the network and obtain the certificate s from a certificate authority CA A certifica...

Page 1061: ...Client authentication is then done by sending username and password through the secure connection thus client identity is protected For client authentication EAP TTLS supports EAP methods and legacy authentication methods such as PAP CHAP MS CHAP and MS CHAP v2 PEAP Protected EAP Like EAP TTLS server side certificate authentication is used to establish a secure connection then use simple username ...

Page 1062: ... t have an external RADIUS server you should use WPA2 PSK WPA2 Pre Shared Key that only requires a single identical password entered into each access point wireless gateway and wireless client As long as the passwords match a wireless client will be granted access to a WLAN If the AP or the wireless clients do not support WPA2 just use WPA or WPA PSK depending on whether you have an external RADIU...

Page 1063: ...MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC If they do not match it is assumed that the data has been tampered with and the packet is dropped By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism MIC with TKIP and AES it is more difficult to decrypt data on a Wi...

Page 1064: ... client how to use WPA At the time of writing the most widely available supplicant is the WPA patch for Windows XP Funk Software s Odyssey client The Windows XP patch is a free download that adds WPA capability to Windows XP s built in Zero Configuration wireless client However you must run Windows XP to use it WPA 2 with RADIUS Application Example To set up WPA 2 you need the IP address of the RA...

Page 1065: ...A 2 with RADIUS Application Example WPA 2 PSK Application Example A WPA 2 PSK application looks as follows 1 First enter identical passwords into the AP and all wireless clients The Pre Shared Key PSK must consist of between 8 and 63 ASCII characters or 64 hexadecimal characters including spaces and symbols 2 The AP checks each wireless client s password and allows it to join the network only if t...

Page 1066: ...re for each authentication method or key management protocol type MAC address filters are not dependent on how you configure these security features Table 323 Wireless Security Relational Matrix AUTHENTICATION METHOD KEY MANAGEMENT PROTOCOL ENCRYPTIO N METHOD ENTER MANUAL KEY IEEE 802 1X Open None No Disable Enable without Dynamic WEP Key Open WEP No Enable with Dynamic WEP Key Yes Enable without ...

Page 1067: ...he antenna s coverage area Antenna Gain Antenna gain measured in dB decibel is the increase in coverage within the RF beam width Higher antenna gain improves the range of the signal for better communications For an indoor site each 1 dB increase in antenna gain results in a range increase of approximately 2 5 For an unobstructed outdoor site each 1dB increase in gain results in a range increase of...

Page 1068: ... 20 degrees very directional to 120 degrees less directional Directional antennas are ideal for hallways and outdoor point to point applications Positioning Antennas In general antennas should be mounted as high as practically possible and free of obstructions In point to point application position both antennas at the same height and in a direct line of sight to each other to attain the best perf...

Page 1069: ...S ARE LISTED IN THE NOTICE OR APPENDIX BELOW. ZYXEL MAY HAVE DISTRIBUTED TO YOU HARDWARE AND/OR SOFTWARE, OR MADE AVAILABLE FOR ELECTRONIC DOWNLOADS, THESE FREE SOFTWARE PROGRAMS OF THIRD PARTIES, AND YOU ARE LICENSED TO FREELY COPY, MODIFY AND REDISTRIBUTE THAT SOFTWARE UNDER THE APPLICABLE LICENSE TERMS OF SUCH THIRD PARTY. NONE OF THE STATEMENTS OR DOCUMENTATION FROM ZYXEL, INCLUDING ANY RESTRICTIONS O...

Page 1070: ...y maintenance technical or other support for the resultant modified Software You may not copy reverse engineer decompile reverse compile translate adapt or disassemble the Software or any part thereof nor shall you attempt to create the source code from the object code for the Software Except as and only to the extent expressly permitted in this License you may not market co brand and private labe...

Page 1071: ...OR FREE OR IN AN UNINTERRUPTED FASHION, OR THAT ANY DEFECTS OR ERRORS IN THE SOFTWARE WILL BE CORRECTED, OR THAT THE SOFTWARE IS COMPATIBLE WITH ANY PARTICULAR PLATFORM. SOME JURISDICTIONS DO NOT ALLOW THE WAIVER OR EXCLUSION OF IMPLIED WARRANTIES, SO THEY MAY NOT APPLY TO YOU. IF THIS EXCLUSION IS HELD TO BE UNENFORCEABLE BY A COURT OF COMPETENT JURISDICTION, THEN ALL EXPRESS AND IMPLIED WARRANTIES SHAL...

Page 1072: ...erminate this License Agreement for any reason including but not limited to if ZyXEL finds that you have violated any of the terms of this License Agreement Upon notification of termination you agree to destroy or return to ZyXEL all copies of the Software and Documentation and to certify in writing that all known copies including backup copies have been destroyed All provisions relating to confid...

Page 1073: ... notice Companies names and data used in examples herein are fictitious unless otherwise noted No part may be reproduced or transmitted in any form or by any means electronic or mechanical for any purpose except the express written permission of ZyXEL Communications Corporation This Product includes ppp software under the PPP License PPP License Copyright c 1993 The Australian National University ...

Page 1074: ...et License Netkit Telnet License Copyright c 1989 Regents of the University of California All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in bina...

Page 1075: ...l copies and that both the copyright notice and this permission notice appear in supporting documentation and that the name University of Delaware not be used in advertising or publicity pertaining to distribution of the software without specific written prior permission The University of Delaware makes no representations about the suitability this software for any purpose It is provided as is wit...

Page 1076: ...tware under the an X11 style License an X11 style license This is a Free Software License This license is compatible with The GNU General Public License Version 1 This license is compatible with The GNU General Public License Version 2 This is just like a Simple Permissive license but it requires that a copyright notice be maintained ________________________________________ Permission is hereby gr...

Page 1077: ...pen Source licenses In case of any license issues related to OpenSSL please contact openssl core openssl org OpenSSL License Copyright c 1998 2008 The OpenSSL Project All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice t...

Page 1078: ...ucts derived from this software without prior written permission For written permission please contact openssl core openssl org 5 Products derived from this software may not be called OpenSSL nor may OpenSSL appear in their names without prior written permission of the OpenSSL Project 6 Redistributions of any form whatsoever must retain the following acknowledgment This product includes software d...

Page 1079: ...OSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE This product includes cryptographic software written by Eric Young eay cryptsoft com This product includes software writte...

Page 1080: ...lder is Tim Hudson tjh cryptsoft com Copyright remains Eric Young s and as such any Copyright notices in the code are not to be removed If this package is used in a product Eric Young should be given attribution as the author of the parts of the library used This can be in the form of a textual message at program startup or in documentation online or textual provided with the package Redistributio...

Page 1081: ... directory application code you must include an acknowledgement This product includes software written by Tim Hudson tjh cryptsoft com THIS SOFTWARE IS PROVIDED BY ERIC YOUNG AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR...

Page 1082: ...software under the a 3 clause BSD License a 3 clause BSD style license This is a Free Software License This license is compatible with The GNU General Public License Version 1 This license is compatible with The GNU General Public License Version 2 This is the BSD license without the obnoxious advertising clause It s also known as the modified BSD license Note that the University of California now...

Page 1083: ...cts derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCI...

Page 1084: ... CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE DATA OR PROFITS WHETHER IN AN ACTION OF CONTRACT NEGLIGENCE OR OTHER TORTIOUS ACTION ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE Id COPYRIGHT v 1 6 2 2 2002 02 12 06 05 48 marka Exp Portions Copyright C 1996 2001 Nominum Inc Permission to use copy modify and distribute this software for any...

Page 1085: ...hereby granted provided that the above copyright notice and this permission notice appear in all copies THE SOFTWARE IS PROVIDED AS IS AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL DIRECT INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF U...

Page 1086: ... or management of such entity whether by contract or otherwise or ii ownership of fifty percent 50 or more of the outstanding shares or iii beneficial ownership of such entity You or Your shall mean an individual or Legal Entity exercising permissions granted by this License Source form shall mean the preferred form for making modifications including but not limited to software source code documen...

Page 1087: ...e Work 2 Grant of Copyright License Subject to the terms and conditions of this License each Contributor hereby grants to You a perpetual worldwide non exclusive no charge royalty free irrevocable copyright license to reproduce prepare Derivative Works of publicly display publicly perform sublicense and distribute the Work and such Derivative Works in Source or Object form 3 Grant of Patent Licens...

Page 1088: ...ht statement to Your modifications and may provide additional or different license terms and conditions for use reproduction or distribution of Your modifications or for any such Derivative Works as a whole provided Your use reproduction and distribution of the Work otherwise complies with the conditions stated in this License 5 Submission of Contributions Unless You explicitly state otherwise any...

Page 1089: ...her Contributor and only if You agree to indemnify defend and hold each Contributor harmless for any liability incurred by or claims asserted against such Contributor by reason of your accepting any such warranty or additional liability END OF TERMS AND CONDITIONS Version 1 1 Copyright c 1999 2003 The Apache Software Foundation All rights reserved Redistribution and use in source and binary forms ...

Page 1090: ...TA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE This software consists of voluntary contributions made by many individuals on behalf of the Apache Software Foundation For more informa...

Page 1091: ...reedom of use not price Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software and charge for this service if you wish that you receive source code or can get it if you want it that you can change the software and use pieces of it in new free programs and that you are informed that you can do these things To protect your rights we need...

Page 1092: ... General Public License therefore permits such linking only if the entire combination fits its criteria of freedom The Lesser General Public License permits more lax criteria for linking other code with the library We call this license the Lesser General Public License because it does Less to protect the user s freedom than the ordinary General Public License It also provides other free software d...

Page 1093: ...rary or any derivative work under copyright law that is to say a work containing the Library or a portion of it either verbatim or with modifications and or translated straightforwardly into another language Hereinafter translation is included without limitation in the term modification Source code for a work means the preferred form of the work for making modifications to it For a library complet...

Page 1094: ...f identifiable sections of that work are not derived from the Library and can be reasonably considered independent and separate works in themselves then this License and its terms do not apply to those sections when you distribute them as separate works But when you distribute the same sections as part of a whole which is a work based on the Library the distribution of the whole must be on the ter...

Page 1095: ... may be a derivative work of the Library even though the source code is not Whether this is true is especially significant if the work can be linked without the Library or if the work is itself a library The threshold for this to be true is not precisely defined by law If such an object file uses only numerical parameters data structure layouts and accessors and small macros and small inline funct...

Page 1096: ...y received a copy of these materials or that you have already sent this user a copy For an executable the required form of the work that uses the Library must include any data and utility programs needed for reproducing the executable from it However as a special exception the materials to be distributed need not include anything that is normally distributed in either source or binary form with th...

Page 1097: ...e that contradict the conditions of this License they do not excuse you from the conditions of this License If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations then as a consequence you may not distribute the Library at all For example if a patent license would not permit royalty free redistribution of the Library by all ...

Page 1098: ... the Free Software Foundation write to the Free Software Foundation we sometimes make exceptions for this Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally NO WARRANTY 15 BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE THERE IS NO WARRANTY FOR THE LIBRARY TO THE EXTENT PERMI...

Page 1099: ...e are designed to take away your freedom to share and change it By contrast the GNU General Public License is intended to guarantee your freedom to share and change free software to make sure the software is free for all its users This General Public License applies to most of the Free Software Foundation s software and to any other program whose authors commit to using it Some other Free Software...

Page 1100: ...t clear that any patent must be licensed for everyone s free use or not licensed at all The precise terms and conditions for copying distribution and modification follow TERMS AND CONDITIONS FOR COPYING DISTRIBUTION AND MODIFICATION 0 This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General...

Page 1101: ...rint such an announcement your work based on the Program is not required to print an announcement These requirements apply to the modified work as a whole If identifiable sections of that work are not derived from the Program and can be reasonably considered independent and separate works in themselves then this License and its terms do not apply to those sections when you distribute them as separ...

Page 1102: ...quivalent access to copy the source code from the same place counts as distribution of the source code even though third parties are not compelled to copy the source along with the object code 4 You may not copy modify sublicense or distribute the Program except as expressly provided under this License Any attempt otherwise to copy modify sublicense or distribute the Program is void and will autom...

Page 1103: ...ection is intended to make thoroughly clear what is believed to be a consequence of the rest of this License 8 If the distribution and or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries so tha...

Page 1104: ...OR ANY OTHER PARTY WHO MAY MODIFY AND OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE BE LIABLE TO YOU FOR DAMAGES INCLUDING ANY GENERAL SPECIAL INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH A...

Page 1105: ... identified as the Initial Developer in the Source Code notice required by Exhibit A 1 7 Larger Work means a work which combines Covered Code or portions thereof with code not governed by the terms of this License 1 8 License means this document 1 8 1 Licensable means having the right to grant to the maximum extent possible whether at the time of the initial grant or subsequently acquired any and ...

Page 1106: ...rge 1 12 You or Your means an individual or a legal entity exercising rights under and complying with all of the terms of this License or a future version of this License issued under Section 6 1 For legal entities You includes any entity which controls is controlled by or is under common control with You For purposes of this definition control means a the power direct or indirect to cause the dir...

Page 1107: ... or otherwise dispose of 1 Modifications made by that Contributor or portions thereof and 2 the combination of Modifications made by that Contributor with its Contributor Version or portions of such combination the licenses granted in Sections 2 2 a and 2 2 b are effective on the date Contributor first makes Commercial Use of the Covered Code Notwithstanding Section 2 2 b above no patent license i...

Page 1108: ...is derived directly or indirectly from Original Code provided by the Initial Developer and including the name of the Initial Developer in a the Source Code and b in any notice in an Executable version or related documentation in which You describe the origin or ownership of the Covered Code 3 4 Intellectual Property Matters a Third Party Claims If Contributor has knowledge that a license under a t...

Page 1109: ...ntributor as a result of warranty support indemnity or liability terms You offer 3 6 Distribution of Executable Versions You may distribute Covered Code in Executable form only if the requirements of Sections 3 1 3 2 3 3 3 4 and 3 5 have been met for that Covered Code and if You include a notice stating that the Source Code version of the Covered Code is available under the terms of this License i...

Page 1110: ...tion Netscape may publish revised and or new versions of the License from time to time Each version will be given a distinguishing version number 6 2 Effect of New Versions Once Covered Code has been published under a particular version of the License You may always continue to use it under the terms of that version You may also choose to use such Covered Code under the terms of any subsequent ver...

Page 1111: ... Developer or a Contributor the Initial Developer or Contributor against whom You file such action is referred to as Participant alleging that such Participant s Contributor Version directly or indirectly infringes any patent then any and all rights granted by such Participant to You under Sections 2 1 and or 2 2 of this License shall upon 60 days notice from Participant terminate prospectively un...

Page 1112: ...party s negligence to the extent applicable law prohibits such limitation Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages so this exclusion and limitation may not apply to you 10 U S government end users The Covered Code is a commercial item as that term is defined in 48 C F R 2 101 Oct 1995 consisting of commercial computer software and commercia...

Page 1113: ...he Covered Code under Your choice of the MPL or the alternative licenses if any specified by the Initial Developer in the file described in Exhibit A Exhibit A Mozilla Public License The contents of this file are subject to the Mozilla Public License Version 1 1 the License you may not use this file except in compliance with the License You may obtain a copy of the License at http www mozilla org ...

Page 1114: ...s as appropriate to package The Regents of the University of California All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer Redistributions in binary form must reproduce...

Page 1115: ...les the Software to deal in the Software without restriction including without limitation the rights to use copy modify merge publish distribute sublicense and or sell copies of the Software and to permit persons to whom the Software is furnished to do so subject to the following conditions The above copyright notice and this permission notice shall be included in all copies or substantial portion...

Page 1116: ...vision of the license THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS AS IS AND ANY EXPRESSED OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE OPENLDAP FOUNDATION ITS CONTRIBUTORS OR THE AUTHOR S OR OWNER S OF THE SOFTWARE BE LIABLE FOR ANY DIRECT INDIRECT...

Page 1117: ...lating to PNG copyright 1999 2000 2001 2002 Greg Roelofs Portions relating to gdttf c copyright 1999 2000 2001 2002 John Ellson ellson lucent com Portions relating to gdft c copyright 2001 2002 John Ellson ellson lucent com Portions copyright 2000 2001 2002 2003 2004 2005 2006 2007 Pierre Alain Joye pierre libgd org Portions relating to JPEG and to color quantization copyright 2000 2001 2002 Doug B...

Page 1118: ...Web Software http www millstream com au view code tablekit Version 1 2 1 2007 03 11 Permission is hereby granted free of charge to any person obtaining a copy of this software and associated documentation files the Software to deal in the Software without restriction including without limitation the rights to use copy modify merge publish distribute sublicense and or sell copies of the Software and...

Page 1119: ...s not required 2 Altered source versions must be plainly marked as such and must not be misrepresented as being the original software 3 This notice may not be removed or altered from any source distribution L Peter Deutsch ghost aladdin com This Product includes libpng software under the below License Copyright c year copyright holders This software is provided as is without any express or implied ...

Page 1120: ... 6 August 15 2004 through 1 2 12 June 27 2006 are Copyright c 2004 2006 Glenn Randers Pehrson and are distributed according to the same disclaimer and license as libpng 1 2 5 with the following individual added to the list of Contributing Authors Cosmin Truta libpng versions 1 0 7 July 1 2000 through 1 2 5 October 3 2002 are Copyright c 2000 2002 Glenn Randers Pehrson and are distributed according...

Page 1121: ...is with the user libpng versions 0 97 January 1998 through 1 0 6 March 20 2000 are Copyright c 1998 1999 2000 Glenn Randers Pehrson and are distributed according to the same disclaimer and license as libpng 0 96 with the following individuals added to the list of Contributing Authors Tom Lane Glenn Randers Pehrson Willem van Schaik libpng versions 0 89 June 1996 through 0 96 May 1997 are Copyright...

Page 1122: ...e Guy Eric Schalnat Paul Schmidt Tim Wegner The PNG Reference Library is supplied AS IS The Contributing Authors and Group 42 Inc disclaim all warranties expressed or implied including without limitation the warranties of merchantability and of fitness for any purpose The Contributing Authors and Group 42 Inc assume no liability for direct indirect incidental special exemplary or consequential dam...

Page 1123: ...ibuting Authors and Group 42 Inc specifically permit without fee and encourage the use of this source code as a component to supporting the PNG file format in commercial products If you use this source code in a product acknowledgment is not required but would be appreciated This Product includes ftp tls software under the below License Copyright C 1997 and 1998 WIDE Project All rights reserved Re...

Page 1124: ... OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE Copyright c 1985 1989 1993 1994 The Regents of the University of California All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the abo...

Page 1125: ...bove copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 All advertising materials mentioning features or use of this software must display the following acknowledgement This product includes software developed by the NetBSD Foundation Inc and its contributors 4 Neither the name of The NetBSD Foundation ...

Page 1127: ...lication or use of any products or software described herein Neither does it convey any license under its patent rights nor the patent rights of others ZyXEL further reserves the right to make changes in any products described herein without notice This publication is subject to change without notice Your use of the ZyWALL is subject to the terms and conditions of any related service providers Tra...

Page 1128: ...nce will not occur in a particular installation If this device does cause harmful interference to radio television reception which can be determined by turning the device off and on the user is encouraged to try to correct the interference by one or more of the following measures 1 Reorient or relocate the receiving antenna 2 Increase the separation between the equipment and the receiver 3 Connect...

Page 1129: ...arranty Period of this product During the warranty period and upon proof of purchase should the product have indications of failure due to faulty workmanship and or materials ZyXEL will at its discretion repair or replace the defective products or components without charge for either parts or labor and to whatever extent it shall deem necessary to restore the product or components to proper operat...

Page 1130: ...of this warranty contact your vendor You may also refer to the warranty policy for the region in which you bought the device at http www zyxel com web support_warranty_info php Registration Register your product online to receive e mail notices of firmware upgrades and information at www zyxel com ...

Page 1131: ...cess users 736 737 custom page 850 forcing login 454 idle timeout 745 logging in 454 multiple logins 746 see also users 736 Web Configurator 748 access users see also force user authentication policies account myZyXEL com 287 user 735 accounting server 769 Active Directory see AD active protocol 514 AH 514 and encapsulation 515 ESP 514 active sessions 230 236 251 ActiveX 684 AD 769 772 773 775 776...

Page 1132: ...view 108 FTP 440 H 323 440 446 IPPBX on DMZ tutorial 172 peer to peer calls 441 RTP 446 see also VoIP pass through 440 SIP 440 tutorial 165 Anomaly Detection and Prevention see ADP answer rings 875 antenna directional 1068 gain 1067 omni directional 1068 anti spam 695 701 action for spam mails 701 alerts 700 black list 696 701 concurrent e mail sessions 279 698 configuration overview 112 DNSBL 697...

Page 1133: ...riority 569 priority effect 568 protocol statistics 263 264 registration status 574 service ports 564 statistics 261 trial service activation 288 troubleshooting 925 931 935 troubleshooting signatures update 924 unidentified applications 582 updating signatures 293 vs firewall 461 464 applications 41 AppPatrol see application patrol 293 ASAS Authenex Strong Authentication System 770 ASCII encoding...

Page 1134: ...rver 769 auto VPN policy 101 AUX port 874 see also auxiliary interface 874 auxiliary interface 299 363 874 troubleshooting 927 when used 363 B backdoor attacks 617 backing up configuration files 900 backslashes 658 bad length options attack 659 bandwidth egress 326 ingress 326 usage statistics 262 bandwidth limit troubleshooting 928 bandwidth management 563 and policy routes 393 behavior 567 confi...

Page 1135: ...t Protocol CMP 793 Certificate Revocation List CRL 786 vs OCSP 805 certificates 785 advantages of 786 and CA 786 and FTP 869 and HTTPS 846 and IKE SA 513 and SSH 864 and synchronization device HA 733 and VPN gateways 482 and WWW 848 certification path 786 796 802 expired 786 factory default 787 file formats 787 fingerprints 797 803 importing 790 in IPSec 498 not used for encryption 786 revoked 786...

Page 1136: ...5 content filtering 663 664 and address groups 663 664 669 and address objects 663 664 669 and registration 668 670 672 and schedules 663 664 and user groups 663 and users 663 by category 664 674 by keyword in URL 664 685 by URL 664 684 by web feature 664 684 cache 275 686 categories 674 category service 672 configuration overview 111 default policy 664 666 external web filtering service 672 686 f...

Page 1137: ...k monitoring 723 management access 714 management IP address 714 modes 713 monitored interfaces 717 721 password 721 prerequisites 112 role 725 synchronization 714 733 synchronization password 721 725 synchronization port number 720 725 troubleshooting 936 937 tutorial 179 virtual router 716 virtual router and management IP addresses 717 VRID 725 device High Availability see device HA 713 device i...

Page 1138: ...n Protocol see DHCP dynamic peers in IPSec 486 dynamic routes 101 dynamic WEP key exchange 1061 DynDNS 417 DynDNS see also DDNS 417 Dynu 417 E EAP Authentication 1060 e Donkey 616 EGP Exterior Gateway Protocol 653 egress bandwidth 326 EICAR 593 e mail 695 daily statistics report 882 header buffer 697 headers 696 virus 603 e Mule 616 Encapsulating Security Payload see ESP encapsulation and active p...

Page 1139: ...ess 342 filtered port scan 654 Firefox 47 firewall 461 462 actions 474 and address groups 458 474 and address objects 458 474 and ALG 439 442 and application patrol 564 and H 323 ALG 440 and HTTP redirect 434 and IPSec SA 464 and IPSec VPN 932 and logs 459 474 and NAT 470 and port triggering 392 930 and schedules 459 474 580 583 586 and service groups 474 and services 474 758 and SIP ALG 441 and u...

Page 1140: ... RTP 446 signaling port 444 troubleshooting 931 HA status see device HA 716 header checksum 624 hidden node 1055 host based intrusions 636 HSDPA 325 HTTP inspection 649 657 over SSL see HTTPS redirect to HTTPS 848 vs HTTPS 846 HTTP redirect 433 and application patrol 434 and firewall 434 and interfaces 436 and policy routes 434 configuration overview 107 packet flow 434 prerequisites 107 troublesh...

Page 1141: ... updating signatures 293 verifying custom signatures 635 IEEE 802 11g 1057 IEEE 802 1q VLAN IGP Interior Gateway Protocol 653 IHL IP Header Length 623 IIS backslash evasion attack 658 emulation 658 encoding 658 server 657 unicode 658 unicode codepoint encoding attack 658 IKE SA aggressive mode 508 512 and certificates 513 and RADIUS 513 and to device firewall 932 authentication algorithms 508 509 ...

Page 1142: ... also virtual interfaces VLAN see also VLAN interfaces where used 104 WLAN 298 internal interface 99 307 Internet access troubleshooting 924 935 Internet Control Message Protocol see ICMP Internet Explorer 47 Internet Message Access Protocol see IMAP 696 Internet Protocol IP 623 Internet Protocol Security see IPSec Intrusion Detection and Prevention see IDP 605 intrusions host 636 network 637 IP I...

Page 1143: ...ation 514 encryption algorithms 509 encryption key manual keys 516 local policy 514 manual keys 516 NAT for inbound traffic 516 NAT for outbound traffic 516 Perfect Forward Secrecy PFS 515 proposal 515 remote policy 514 search by name 266 search by policy 266 Security Parameter Index SPI manual keys 516 see also IPSec see also VPN source NAT for inbound traffic 517 source NAT for outbound traffic ...

Page 1144: ...ubleshooting 923 LEDs 36 legitimate e mail 695 level 4 inspection 564 level 7 inspection 564 license key 290 upgrading 290 licensing 285 Lightweight Directory Access Protocol see LDAP link sticking 374 378 lists 59 load balancing 373 algorithms 375 380 least load first 375 round robin 381 see also trunks 373 session oriented 375 spillover 376 tutorial 124 weighted round robin 376 local user databa...

Page 1145: ...onitor screens 241 monitored interfaces 717 device HA 721 MPPE Microsoft Point to Point Encryption 809 MSCHAP Microsoft Challenge Handshake Authentication Protocol 365 809 MSCHAP V2 Microsoft Challenge Handshake Authentication Protocol Version 2 365 809 MTU 326 multiple slash encoding 658 multiple WAN IP addresses 178 multi slash encoding attack 658 mutation virus 603 mute 875 My Certificates see ...

Page 1146: ...duction to 93 schedules 763 services and service groups 757 SSL application 811 users user groups 735 obsolete options attack 659 offset patterns 631 One Time Password OTP 770 Online Certificate Status Protocol OCSP 805 vs CRL 805 Open Shortest Path First see OSPF OPT zone 117 order of feature application 99 OSI Open System Interconnection 605 609 OSI level 4 564 OSI level 7 564 OSPF 401 402 and E...

Page 1147: ...929 930 Personal Identification Number code see PIN code PFS Perfect Forward Secrecy 488 515 phishing 674 physical ports and interfaces 94 packet statistics 242 packet statistics graph 244 PIN code 325 PIN generator 770 pointer record 840 Point to Point Protocol over Ethernet see PPPoE Point to Point Tunneling Protocol see PPTP policy enforcement in IPSec 487 policy route multiple WAN IP addresses...

Page 1148: ...otocol usage statistics 263 264 protocol anomaly 642 657 detection 649 proxy servers 434 web see web proxy servers PSK 1063 PTR record 840 public server tutorial 169 Public Key Infrastructure PKI 786 public private key pairs 785 Q QoS 385 565 query view IDP 614 618 quick setup wizard 75 Quick Start Guide 3 R rack mounted installation 34 RADIUS 770 771 1059 advantages 770 and IKE SA 513 and PPPoE 3...

Page 1149: ...cations 251 traffic statistics 248 reset 940 vs reboot 919 RESET button 38 940 response strings 875 reverse proxy mode 42 521 RFC 1058 RIP 400 1389 RIP 400 1587 OSPF areas 402 1631 NAT 395 1889 RTP 446 2131 DHCP 369 2132 DHCP 369 2328 OSPF 401 2338 VRRP 723 2402 AH 487 514 2406 ESP 487 514 2510 Certificate Management Protocol or CMP 793 2516 PPPoE 371 2637 PPTP 371 2890 GRE 371 3261 SIP 446 RIP 40...

Page 1150: ...7 service set 334 Service Set IDentity See SSID 329 331 service subscription status 290 service trials 288 services 757 758 1017 and device HA 714 and firewall 474 758 and IDP 758 and policy routes 758 and port triggering 392 subscription 286 where used 113 Session Initiation Protocol see SIP session limits 464 474 session monitor 251 session monitor L2TP VPN 269 sessions 251 sessions usage 230 23...

Page 1151: ...s 865 and certificates 864 and zones 865 client requirements 863 encryption methods 863 for secure Telnet 865 how connection is established 862 versions 863 with Linux 866 with Microsoft Windows 865 SSID 329 331 SSL 521 529 845 access policy 522 and AAA 775 and AD 775 and LDAP 775 certificates 536 client 555 client virtual desktop logo 531 computer names 529 connection monitor 268 full tunnel mode...

Page 1152: ... protocol 263 264 traffic 248 status bar 57 warning message popup 57 stopping the device 38 streaming protocols management 563 strict source routing 624 stub area 402 STUN 441 and ALG 441 subscription services 286 and synchronization device HA 714 AppPatrol 288 content filtering 288 IDP 288 new IDP AppPatrol signatures 288 see also IDP SSL VPN 286 SSL VPN see also SSL VPN status 290 574 594 trial ...

Page 1153: ...ntrol Protocol see TCP transport encapsulation 487 Transport Layer Security TLS 869 trapdoor attacks 617 trial subscription services 288 triangle routes 469 allowing through the firewall 471 vs virtual interfaces 469 Triple Data Encryption Standard see 3DES trojan attacks 617 troubleshooting 909 916 923 admin user 937 anti virus 925 928 anti virus signatures update 924 application patrol 925 931 9...

Page 1154: ...decoy portscan 654 distributed portscan 654 flood attack 657 messages 757 port numbers 758 portscan 653 portsweep 654 u encoding attack 658 UltraVNC 812 undersize len attack 659 undersize offset attack 659 unreachables ICMP 654 unsafe web pages 673 unsolicited commercial e mail 695 update configuration overview 103 prerequisites 104 updating anti virus signatures 292 IDP and application patrol sig...

Page 1155: ...or Ext User 736 ext group user type 736 Ext User type 736 ext user type 736 groups see user groups Guest type 736 lease time 740 limited admin type 736 lockout 746 logged in 256 prerequisites for force user authentication policies 114 reauthentication time 741 types of 735 user type 736 user names 738 UTF 8 decode 658 UTF 8 encoding attack 658 V Vantage CNM 876 Vantage Report VRPT 885 893 virtual ...

Page 1156: ...ter ID VR ID 732 VRRP groups 723 and interfaces 723 and to device firewall 723 authentication 723 role desired 727 see also VRRP W WAN multiple IP addresses 178 WAN trunk 101 WAN_TRUNK 34 warm start 38 warning message popup 57 warranty 1129 note 1129 Web attack 617 Web Configurator 37 47 access 47 access users 748 requirements 47 supported browsers 47 web features ActiveX 684 cookies 684 Java 684 ...

Page 1157: ...xample 1064 WPA2 1062 user authentication 1063 vs WPA2 PSK 1063 wireless client supplicant 1064 with RADIUS application example 1064 WPA2 Pre Shared Key WPA2 PSK 1062 WPA2 PSK 1062 1063 application example 1065 WPA PSK 1062 1063 application example 1065 WWW 846 and address groups 850 and address objects 850 and authentication method objects 849 and certificates 848 and zones 850 see also HTTP HTTP...