www.zyxel.com ZyWALL USG 2000 Unified Security Gateway. Copyright © 2010 ZyXEL Communications Corporation. Firmware Version 2.12. Edition 1, 3/20
Page 100 (Chapter 6 Configuration Basics): 6.4 Packet Flow. Here is the order in which the ZyWALL applies its features and checks. Fig
Page 1000 (Appendix E Open Software Announcements): Notice. Information herein is subject to change without notice. Companies, names,
Page 1001 (Appendix E Open Software Announcements): PPP License. Copyright (c) 1993 The Australian National University. All rights res
Page 1002 (Appendix E Open Software Announcements): All rights reserved. Redistribution and use in source and binary forms, with or
Page 1003 (Appendix E Open Software Announcements): This Product includes expat-1.95.6 software under the Expat License. Expat Licens
Page 1004 (Appendix E Open Software Announcements): • This license is compatible with The GNU General Public License, Version 2 This i
Page 1005 (Appendix E Open Software Announcements): 2. Redistributions in binary form must reproduce the above copyright notice, th
Page 1006 (Appendix E Open Software Announcements): be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL docum
Page 1007 (Appendix E Open Software Announcements): This Product includes libevent-1.1a and xinetd-2.3.14 software under the a 3-cl
Page 1008 (Appendix E Open Software Announcements): * Neither the name of [original copyright holder] nor the names of its
Page 1009 (Appendix E Open Software Announcements): DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
Page 101 (Chapter 6 Configuration Basics): • You do not need to set up policy routes for 1:1 NAT entries. • You can create Many 1:1
Page 1010 (Appendix E Open Software Announcements): Permission to use, copy, modify, and distribute this software for any purpose wi
Page 1011 (Appendix E Open Software Announcements): "License" shall mean the terms and conditions for use, reproduction,
Page 1012 (Appendix E Open Software Announcements): "Contributor" shall mean Licensor and any individual or Legal Entity o
Page 1013 (Appendix E Open Software Announcements): attribution notices within Derivative Works that You distribute, alongside or a
Page 1014 (Appendix E Open Software Announcements): Contributor harmless for any liability incurred by, or claims asserted against,
Page 1015 (Appendix E Open Software Announcements): USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This s
Page 1016 (Appendix E Open Software Announcements): guarantee your freedom to share and change free software--to make sure the softw
Page 1017 (Appendix E Open Software Announcements): Most GNU software, including some libraries, is covered by the ordinary GNU Gen
Page 1018 (Appendix E Open Software Announcements): 0. This License Agreement applies to any software library or other program which
Page 1019 (Appendix E Open Software Announcements): still operates, and performs whatever part of its purpose remains meaningful. (
Page 102 (Chapter 6 Configuration Basics): 2 Policy Routes: These are the user-configured policy routes. Configure policy routes to
Page 1020 (Appendix E Open Software Announcements): "work that uses the Library". Such a work, in isolation, is not a deri
Page 1021 (Appendix E Open Software Announcements): version is interface-compatible with the version that the work was made with. c
Page 1022 (Appendix E Open Software Announcements): 10. Each time you redistribute the Library (or any work based on the Library), t
Page 1023 (Appendix E Open Software Announcements): Library does not specify a license version number, you may choose any version e
Page 1024 (Appendix E Open Software Announcements): pcmcia-cs-3.2.8, libeeprog, mgetty-1.1.35, gmp-4.1, msmtp-1.4.12 and libqsearch
Page 1025 (Appendix E Open Software Announcements): the software. Also, for each author's protection and ours, we want to make
Page 1026 (Appendix E Open Software Announcements): b) You must cause any work that you distribute or publish, that in whole or in p
Page 1027 (Appendix E Open Software Announcements): source code means all the source code for all modules it contains, plus any ass
Page 1028 (Appendix E Open Software Announcements): whole is intended to apply in other circumstances. It is not the purpose of this
Page 1029 (Appendix E Open Software Announcements): DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION
Page 103 (Chapter 6 Configuration Basics): ZyWALL stops checking the packets against the NAT table and moves on to bandwidth manage
Page 1030 (Appendix E Open Software Announcements): means a mechanism generally accepted in the software development community for t
Page 1031 (Appendix E Open Software Announcements): 1.11. "Source Code" means the preferred form of the Covered Code for
Page 1032 (Appendix E Open Software Announcements): Subject to third party intellectual property claims, each Contributor hereby gra
Page 1033 (Appendix E Open Software Announcements): made available via Electronic Distribution Mechanism, must remain available for
Page 1034 (Appendix E Open Software Announcements): You must duplicate the notice in Exhibit A in each file of the Source Code. If i
Page 1035 (Appendix E Open Software Announcements): regulation then You must: (a) comply with the terms of this License to the maxi
Page 1036 (Appendix E Open Software Announcements): (not the initial developer or any other contributor) assume the cost of any nece
Page 1037 (Appendix E Open Software Announcements): granted by You or any distributor hereunder prior to termination shall survive
Page 1038 (Appendix E Open Software Announcements): As between Initial Developer and the Contributors, each party is responsible for
Page 1039 (Appendix E Open Software Announcements): NOTE: The text of this Exhibit A may differ slightly from the text of the notic
Page 104 (Chapter 6 Configuration Basics): 6.5.1 Feature. This provides a brief description. See the appropriate chapter(s) in this U
Page 1040 (Appendix E Open Software Announcements): USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This Pr
Page 1041 (Appendix E Open Software Announcements): Redistribution and use of this software and associated documentation ("Soft
Page 1042 (Appendix E Open Software Announcements): Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. All
Page 1043 (Appendix E Open Software Announcements): use of gd. If you have questions, ask. "Derived works" includes all p
Page 1044 (Appendix E Open Software Announcements): Copyright (C) 1999, 2000, 2002 Aladdin Enterprises. All rights reserved. This sof
Page 1045 (Appendix E Open Software Announcements): 3. This notice may not be removed or altered from any source distribution. COPYR
Page 1046 (Appendix E Open Software Announcements): * There is no warranty against interference with your enjoyment of the *
Page 1047 (Appendix E Open Software Announcements): * Greg Roelofs * Tom Tanner * * libpng versions 0.5, May 1995, through 0
Page 1048 (Appendix E Open Software Announcements): * to the following restrictions: * * 1. The origin of this source code must not
Page 1049 (Appendix E Open Software Announcements): 2. Redistributions in binary form must reproduce the above copyright notice, th
Page 105 (Chapter 6 Configuration Basics): subscription to update the anti-virus and IDP/application patrol signatures You must hav
Page 1050 (Appendix E Open Software Announcements): PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTOR
Page 1051: APPENDIX F Legal Information. Copyright. Copyright © 2010 by ZyXEL Communications Corporation. The contents of this public
Page 1052 (Appendix F Legal Information): • This device may not cause harmful interference. • This device must accept any interferenc
Page 1053 (Appendix F Legal Information): Notices. Changes or modifications not expressly approved by the party responsible for comp
Page 1054 (Appendix F Legal Information): To obtain the services of this warranty, contact your vendor. You may also refer to the wa
Page 106 (Chapter 6 Configuration Basics): and general NAT on the source address. You have to set up the criteria, next-hops, and NA
Page 107 (Chapter 6 Configuration Basics): 6.5.7 Static Routes. Use static routes to tell the ZyWALL about networks not directly con
Page 108 (Chapter 6 Configuration Basics): The ZyWALL only checks regular (through-ZyWALL) firewall rules for packets that are redir
Page 109 (Chapter 6 Configuration Basics): 3 Name the entry. 4 Select the interface from which you want to redirect incoming HTTP re
Page 110 (Chapter 6 Configuration Basics): Example: Suppose you have a SIP proxy server connected to the DMZ zone for VoIP calls. Yo
Page 111 (Chapter 6 Configuration Basics): Example: See Chapter 7 on page 119. 6.5.17 L2TP VPN. Use L2TP VPN to let remote users use
Page 112 (Chapter 6 Configuration Basics): Note: With this example, Bob would have to log in using his account. If you do not want h
Page 113 (Chapter 6 Configuration Basics): 1 Create a user account for Bill if you have not done so already (Configuration > Obj
Page 114 (Chapter 6 Configuration Basics): 6.6 Objects. Objects store information and are referenced by other features. If you update
Page 115 (Chapter 6 Configuration Basics): If you want to force users to log in to the ZyWALL before the ZyWALL routes traffic for
Page 116 (Chapter 6 Configuration Basics): 2 Create an address object for the administrator’s computer (Configuration > Object >
Page 117 (Chapter 6 Configuration Basics): Always use Maintenance > Shutdown > Shutdown or the shutdown command before you tu
Page 119: CHAPTER 7 Tutorials. Here are examples of using the Web Configurator to set up features in the ZyWALL. See also Chapter
Page 120 (Chapter 7 Tutorials): • You want to be able to apply security settings specifically for all VPN tunnels so you create a ne
Page 121 (Chapter 7 Tutorials): 1 Click Configuration > Network > Zone and then the Add icon. 2 Enter VPN as the name, select
Page 122 (Chapter 7 Tutorials): 2 Drag physical port 5 onto representative interface ge4 and click Apply. Figure 70 Configuration >
Page 123 (Chapter 7 Tutorials): 3 Click Configuration > Network > Interface > Cellular. Select the 3G device’s entry and c
Page 124 (Chapter 7 Tutorials): 5 Go to the Dashboard. The Interface Status Summary section should contain a “cellular” entry. When
Page 125 (Chapter 7 Tutorials): You do not have to change many of the ZyWALL’s settings from the defaults to set up this trunk. You
Page 126 (Chapter 7 Tutorials): 7.3.2 Configure the WAN Trunk. 1 Click Configuration > Network > Interface > Trunk. Click t
Page 127 (Chapter 7 Tutorials): 3 Select the trunk as the default trunk and click Apply. Figure 78 Configuration > Network >
Page 128 (Chapter 7 Tutorials): In this example, the ZyWALL is router X (1.2.3.4), and the remote IPSec router is router Y (2.2.2.2)
Page 129 (Chapter 7 Tutorials): 7.4.2 Set Up the VPN Connection. The VPN connection manages the IPSec SA. You have to set up the add
Page 130 (Chapter 7 Tutorials): 4 Enable the VPN connection and name it (“VPN_CONN_EXAMPLE”). Under VPN Gateway select Site-to-site
Page 131 (Chapter 7 Tutorials): 7.5 How to Configure a Hub-and-spoke IPSec VPN Without a VPN Concentrator. A hub-and-spoke IPSec VPN
Page 132 (Chapter 7 Tutorials): • My Address: 10.0.0.1 • Peer Gateway Address: 10.0.0.2 VPN Connection (VPN Tunnel 1): • Local Policy:
Page 133 (Chapter 7 Tutorials): • To have all Internet access from the spoke routers to go through the VPN tunnel, set the VPN rule
Page 134 (Chapter 7 Tutorials): 7.6.1 Set Up User Accounts. Set up one user account for each user account in the RADIUS server. If it
Page 135 (Chapter 7 Tutorials): 2 Enter the name of the group that is used in Table 20 on page 133. In this example, it is “Finance
Page 136 (Chapter 7 Tutorials): 1 Click Configuration > Object > AAA Server > RADIUS. Double-click the radius entry. Config
Page 137 (Chapter 7 Tutorials): Note: The users will have to log in using the Web Configurator login screen before they can use HTT
Page 138 (Chapter 7 Tutorials): 1 Click Configuration > AppPatrol. If application patrol and bandwidth management are not enabled
Page 139 (Chapter 7 Tutorials): 3 Double-click the Default policy. Figure 91 Configuration > AppPatrol > Common > http. 4 C
Page 140 (Chapter 7 Tutorials): 5 Click the Add icon in the policy list. In the new policy, select one of the user groups that is al
Page 141 (Chapter 7 Tutorials): 2 Give the schedule a descriptive name. Set up the days (Monday through Friday) and the times (8:30
Page 142 (Chapter 7 Tutorials): 2 Click the Add icon again and create a rule for one of the user groups that is allowed to access th
Page 143 (Chapter 7 Tutorials): 1 Click Configuration > Object > AAA Server > RADIUS. Double-click the radius entry. Besid
Page 144 (Chapter 7 Tutorials): 2 Now you add ext-group-user user objects to identify groups based on the group identifier values. S
Page 145 (Chapter 7 Tutorials): • Select Endpoint must have Personal Firewall installed and move the Kaspersky Internet Security en
Page 146 (Chapter 7 Tutorials): Repeat as needed to create endpoint security objects for other Windows operating system versions. 7.8
Page 147 (Chapter 7 Tutorials): 4 Turn on authentication policy and click Apply. Figure 101 Configuration > Auth. Policy T
Page 148 (Chapter 7 Tutorials): user access (logging into SSL VPN for example). See Chapter 50 on page 783 for more on service contr
Page 149 (Chapter 7 Tutorials): 4 Select the new rule and click the Add icon. Figure 105 Configuration > System > WWW (First
Page 150 (Chapter 7 Tutorials): 6 Click Apply. Figure 107 Configuration > System > WWW (Second Example Admin Service Rule Con
Page 151 (Chapter 7 Tutorials): for ge2 IP address 10.0.0.8 to a H.323 device located on the LAN and using IP address 192.168.1.56.
Page 152 (Chapter 7 Tutorials): 1 Use Configuration > Object > Address > Add to create an address object for the public WAN
Page 153 (Chapter 7 Tutorials): 2 Click Configuration > Network > NAT > Add. Configure a name for the rule (WAN-LAN_H323 he
Page 154 (Chapter 7 Tutorials): 1 Click Configuration > Firewall > Add. In the From field select WAN. In the To field select LAN
Page 155 (Chapter 7 Tutorials): 7.11.1 Create the Address Objects. Use Configuration > Object > Address > Add to create the
Page 156 (Chapter 7 Tutorials): • Keep Enable NAT Loopback selected to allow users connected to other interfaces to access the HTTP
Page 157 (Chapter 7 Tutorials): 1 Click Configuration > Firewall > Add. Set the From field as WAN and the To field as DMZ. Se
Page 158 (Chapter 7 Tutorials): address 1.1.1.2 that you will use on the ge3 interface and map to the IPPBX’s private IP address of
Page 159 (Chapter 7 Tutorials): 7.12.1 Turn On the ALG. Click Configuration > Network > ALG. Select Enable SIP ALG and Enable
Page 160 (Chapter 7 Tutorials): 2 Create a host address object named IPPBX-Public for the public WAN IP address 1.1.1.2. Figure 121
Page 161 (Chapter 7 Tutorials): • Click OK. Figure 122 Configuration > Network > NAT > Add. 7.12.4 Set Up a WAN to DMZ F
Page 162 (Chapter 7 Tutorials): 1 Click Configuration > Firewall > Add. Set the From field as WAN and the To field as DMZ. Set
Page 163 (Chapter 7 Tutorials): 1 Click Configuration > Firewall > Add. Set the From field as DMZ and the To field as LAN. Se
Page 164 (Chapter 7 Tutorials): 7.13.2 Configure the Policy Route. Now you need to configure a policy route that has the ZyWALL use t
Page 165 (Chapter 7 Tutorials): An Ethernet switch connects both ZyWALLs’ ge1 interfaces to the LAN. Whichever ZyWALL is functionin
Page 166 (Chapter 7 Tutorials): 7.14.2 Configure Device HA on the Master ZyWALL. 1 Log into ZyWALL A (the master) and click Configura
Page 167 (Chapter 7 Tutorials): 3 Set the Device Role to Master. This example focuses on the connection from the LAN (ge1) to the I
Page 168 (Chapter 7 Tutorials): 7.14.3 Configure the Backup ZyWALL. 1 Connect a computer to ZyWALL B’s ge1 interface and log into its
Page 169 (Chapter 7 Tutorials): 4 Set the Device Role to Backup. Activate monitoring for the ge1 and ge2 interfaces. Set the Synchr
Page 170 (Chapter 7 Tutorials): 7.14.4 Deploy the Backup ZyWALL. Connect ZyWALL B’s ge1 interface to the LAN network. Connect ZyWALL
Page 171: CHAPTER 8 L2TP VPN Example. Here is how to create a basic L2TP VPN tunnel. 8.1 L2TP VPN Example. This example uses the fol
Page 172 (Chapter 8 L2TP VPN Example): • Configure the My Address setting. This example uses interface ge2 with static IP address 17
Page 173 (Chapter 8 L2TP VPN Example): 8.3 Configuring the Default L2TP VPN Connection Example. 1 Click Configuration > VPN >
Page 174 (Chapter 8 L2TP VPN Example): 3 Select the Default_L2TP_VPN_Connection entry and click Activate and then Apply to turn on t
Page 175 (Chapter 8 L2TP VPN Example): • The other fields are left to the defaults in this example, click Apply. Figure 140 Config
Page 176 (Chapter 8 L2TP VPN Example): 2 Select Connect to a workplace and click Next. Figure 141 Set up a connection or network: C
Page 177 (Chapter 8 L2TP VPN Example): 4 Enter the domain name or WAN IP address configured as the My Address in the VPN gateway co
Page 178 (Chapter 8 L2TP VPN Example): 6 Click Close. Figure 145 Connect to a workplace: The connection is ready to use. 7 In the Ne
Page 179 (Chapter 8 L2TP VPN Example): 8 Click Security, select Advanced (custom settings) and click Settings. Figure 147 Connect
Page 180 (Chapter 8 L2TP VPN Example): inside it. The L2TP tunnel itself does not need encryption since it is inside the encrypted I
Page 181 (Chapter 8 L2TP VPN Example): 13 Select the L2TP VPN connection and click Connect. Figure 152 L2TP to ZyWALL Properties:
Page 182 (Chapter 8 L2TP VPN Example): 15 A window appears while the user name and password are verified and notifies you when the c
Page 183 (Chapter 8 L2TP VPN Example): 17 After the network location has been set, click Close. Figure 156 Set Network Location Su
Page 184 (Chapter 8 L2TP VPN Example): 19 Click the L2TP connection’s View status link to open a status screen. Figure 158 Network
Page 185 (Chapter 8 L2TP VPN Example): 8.5.2 Configuring L2TP in Windows XP. In Windows XP do the following to establish an L2TP VPN
Page 186 (Chapter 8 L2TP VPN Example): 5 Type L2TP to ZyWALL as the Company Name. Figure 162 New Connection Wizard: Connection Name
Page 187 (Chapter 8 L2TP VPN Example): 7 Enter the domain name or WAN IP address configured as the My Address in the VPN gateway co
Page 188 (Chapter 8 L2TP VPN Example): 10 Click Security, select Advanced (custom settings) and click Settings. Figure 166 Connect
Page 189 (Chapter 8 L2TP VPN Example): 12 Click IPSec Settings. Figure 168 L2TP to ZyWALL Properties > Security. 13 Select the U
Page 190 (Chapter 8 L2TP VPN Example): 14 Click Networking. Select L2TP IPSec VPN as the Type of VPN. Click OK. Figure 170 L2TP to
Page 191 (Chapter 8 L2TP VPN Example): 18 Click Details to see the address that you received is from the L2TP range you specified o
Page 192 (Chapter 8 L2TP VPN Example): 3 Select HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters. Figure 175
Page 193 (Chapter 8 L2TP VPN Example): 8.5.3.2 Configure the Windows 2000 IPSec Policy. After you have created the registry entry an
Page 194 (Chapter 8 L2TP VPN Example): 3 Click Add > IP Security Policy Management > Add > Finish. Click Close > OK. Figur
Page 195 (Chapter 8 L2TP VPN Example): 5 Name the IP security policy L2TP to ZyWALL, and click Next. Figure 182 IP Security Policy
Page 196 (Chapter 8 L2TP VPN Example): 7 Leave the Edit Properties check box selected and click Finish. Figure 184 IP Security Poli
Page 197 (Chapter 8 L2TP VPN Example): 9 Select This rule does not specify a tunnel and click Next. Figure 186 IP Security Policy
Page 198 (Chapter 8 L2TP VPN Example): 11 Select Use this string to protect the key exchange (preshared key), type password in the t
Page 199 (Chapter 8 L2TP VPN Example): 13 Type ZyWALL WAN_IP in the Name field. Clear the Use Add Wizard check box and click Add. Fi
Page 200 (Chapter 8 L2TP VPN Example): 15 Configure the following in the Filter Properties window’s Protocol tab. Set the protocol t
Page 201 (Chapter 8 L2TP VPN Example): 17 Select Require Security and click Next. Then click Finish and Close. Figure 194 IP Secu
Page 202 (Chapter 8 L2TP VPN Example): 1 Click Start > Settings > Network and Dial-up connections > Make New Connection. In
Page 203 (Chapter 8 L2TP VPN Example): 4 Select For all users and click Next. Figure 199 New Connection Wizard: Connection Availab
Page 204 (Chapter 8 L2TP VPN Example): 7 Click Security and select Advanced (custom settings) and click Settings. Figure 202 Connec
Page 205 (Chapter 8 L2TP VPN Example): 9 Click Networking and select Layer 2 Tunneling Protocol (L2TP) from the drop-down list box.
Page 206 (Chapter 8 L2TP VPN Example): 12 Click Details and scroll down to see the address that you received is from the L2TP range
Page 207: PART II Technical Reference
Page 209: CHAPTER 9 Dashboard. 9.1 Overview. Use the Dashboard screens to check status information about the ZyWALL. 9.1.1 What Yo
Page 210 (Chapter 9 Dashboard): interface status in widgets that you can re-arrange to suit your needs. You can also collapse, refre
Page 211 (Chapter 9 Dashboard): The following front and rear panel labels display when you hover your cursor over a connected inter
Page 212 (Chapter 9 Dashboard): Device: This identifies a device installed in one of the ZyWALL’s extension slots, the Security Exten
Page 213 (Chapter 9 Dashboard): Status: This field displays the current status of each interface. The possible values depend on what
Page 214 (Chapter 9 Dashboard): Action: Use this field to get or to update the IP address for the interface. Click Renew to send a ne
Page 215 (Chapter 9 Dashboard): Number of Login Users: This field displays the number of users currently logged in to the ZyWALL. Cli
Page 216 (Chapter 9 Dashboard): 9.2.1 The CPU Usage Screen. Use this screen to look at a chart of the ZyWALL’s recent CPU usage. To a
Page 217 (Chapter 9 Dashboard): The following table describes the labels in this screen. 9.2.2 The Memory Usage Screen. Use this sc
Page 218 (Chapter 9 Dashboard): 9.2.3 The Session Usage Screen. Use this screen to look at a chart of the ZyWALL’s recent traffic ses
Page 219 (Chapter 9 Dashboard): 9.2.4 The VPN Status Screen. Use this screen to look at the VPN tunnels that are currently establish
Page 220 (Chapter 9 Dashboard): The following table describes the labels in this screen. 9.2.6 The Number of Login Users Screen. Use
Page 221 (Chapter 9 Dashboard): The following table describes the labels in this screen. Table 27 Dashboard > Number of Login
Page 223: CHAPTER 10 Monitor. 10.1 Overview. Use the Monitor screens to check status and statistics information. 10.1.1 What You C
Page 224 (Chapter 10 Monitor): • Use the VPN Monitor > L2TP over IPSec screen (see Section 10.13 on page 249) to display and manag
Page 225 (Chapter 10 Monitor): The following table describes the labels in this screen. Table 28 Monitor > System Status >
Page 226 (Chapter 10 Monitor): 10.2.1 The Port Statistics Graph Screen. Use this screen to look at a line graph of packet statistics
Page 227 (Chapter 10 Monitor): 10.3 Interface Status Screen. This screen lists all of the ZyWALL’s interfaces and gives packet stati
Page 228 (Chapter 10 Monitor): Each field is described in the following table. Table 30 Monitor > System Status > Interface
Page 229 (Chapter 10 Monitor): HA Status: This field displays the status of the interface in the virtual router. Active - This interf
Chapter 10 Monitor, page 230. 10.4 The Traffic Statistics Screen. Click Monitor > System Status > Traffic Statistics to displa
Chapter 10 Monitor, page 231. You use the Traffic Statistics screen to tell the ZyWALL when to start and when to stop collecting i
Chapter 10 Monitor, page 232. Interface: Select the interface from which to collect information. You can collect information from Et
Chapter 10 Monitor, page 233. The following table displays the maximum number of records shown in the report, the byte count limit
Chapter 10 Monitor, page 234. • Number of bytes transmitted (so far) • Duration (so far) You can look at all the active sessions by u
Chapter 10 Monitor, page 235. User: This field displays when View is set to all sessions. Type the user whose sessions you want to
Chapter 10 Monitor, page 236. 10.6 The DDNS Status Screen. The DDNS Status screen shows the status of the ZyWALL’s DDNS domain names
Chapter 10 Monitor, page 237. session with the ZyWALL. Devices that have never established a session with the ZyWALL do not displa
Chapter 10 Monitor, page 238. 10.8 The Login Users Screen. Use this screen to look at a list of the users currently logged into the
Chapter 10 Monitor, page 239. 10.9 Cellular Status Screen. This screen displays your 3G connection status. Click Monitor > Syste
Chapter 10 Monitor, page 240. Status: No device - no 3G device is connected to the ZyWALL. Device detected - displays when you connec
Chapter 10 Monitor, page 241. 10.10 Application Patrol Statistics. This screen displays a bandwidth usage graph and statistics for
Chapter 10 Monitor, page 242. 10.10.2 Application Patrol Statistics: Bandwidth Statistics. The middle of the Monitor > AppPatrol
Chapter 10 Monitor, page 243. 10.10.3 Application Patrol Statistics: Protocol Statistics. The bottom of the Monitor > AppPatrol
Chapter 10 Monitor, page 244. 10.10.4 Application Patrol Statistics: Individual Protocol Statistics by Rule. The bottom of the Moni
Chapter 10 Monitor, page 245. The following table describes the labels in this screen. 10.11 The IPSec Monitor Screen. You can us
Chapter 10 Monitor, page 246. screen appears. Click a column’s heading cell to sort the table entries by that column’s criteria. Cl
Chapter 10 Monitor, page 247. 10.11.1 Regular Expressions in Searching IPSec SAs. A question mark (?) lets a single character in th
Chapter 10 Monitor, page 248. 10.12 The SSL Connection Monitor Screen. The ZyWALL keeps track of the users who are currently logged
Chapter 10 Monitor, page 249. 10.13 L2TP over IPSec Session Monitor Screen. Click Monitor > VPN Monitor > L2TP over IPSec to
Chapter 10 Monitor, page 250. 10.14 The Anti-Virus Statistics Screen. Click Monitor > Anti-X Statistics > Anti-Virus to displa
Chapter 10 Monitor, page 251. The statistics display as follows when you display the top entries by source. Figure 232 Monitor &g
Chapter 10 Monitor, page 252. 10.15 The IDP Statistics Screen. Click Monitor > Anti-X Statistics > IDP to display the followin
Chapter 10 Monitor, page 253. The statistics display as follows when you display the top entries by source. Figure 235 Monitor &g
Chapter 10 Monitor, page 254. 10.16 The Content Filter Statistics Screen. Click Monitor > Anti-X Statistics > Content Filter t
Chapter 10 Monitor, page 255. 10.17 Content Filter Cache Screen. Click Monitor > Anti-X Statistics > Content Filter > Cach
Chapter 10 Monitor, page 256. You can remove individual entries from the cache. When you do this, the ZyWALL queries the external c
Chapter 10 Monitor, page 257. Category: This field shows whether access to the web site’s URL was blocked or allowed. Click the colu
Chapter 10 Monitor, page 258. 10.18 The Anti-Spam Statistics Screen. Click Monitor > Anti-X Statistics > Anti-Spam to display
Chapter 10 Monitor, page 259. Spam Mails: This is the number of e-mails that the ZyWALL has determined to be spam. Spam Mails Detect
Chapter 10 Monitor, page 260. 10.19 The Anti-Spam Status Screen. Click Monitor > Anti-X Statistics > Anti-Spam > Status to
Chapter 10 Monitor, page 261. 10.20 Log Screen. Log messages are stored in two separate logs, one for regular log messages and one
Chapter 10 Monitor, page 262. The following table describes the labels in this screen. Table 50 Monitor > Log LABEL DESCRIPTIO
Chapter 10 Monitor, page 263. The Web Configurator saves the filter settings if you leave the View Log screen and return to it lat
Page 265. CHAPTER 11 Registration. 11.1 Overview. Use the Configuration > Licensing > Registration screens to register your Z
Chapter 11 Registration, page 266. Subscription Services Available on the ZyWALL. You can have the ZyWALL use anti-virus, IDP/AppPatr
Chapter 11 Registration, page 267. 11.2 The Registration Screen. Use this screen to register your ZyWALL with myZyXEL.com and activ
Chapter 11 Registration, page 268. Confirm Password: Enter the password again for confirmation. E-Mail Address: Enter your e-mail addr
Chapter 11 Registration, page 269. Note: If the ZyWALL is registered already, this screen is read-only and indicates whether trial
Chapter 11 Registration, page 270. The following table describes the labels in this screen. Table 52 Configuration > Licensing
Page 271. CHAPTER 12 Signature Update. 12.1 Overview. This chapter shows you how to update the ZyWALL’s signature packages. 12.1.1
Chapter 12 Signature Update, page 272. 12.2 The Antivirus Update Screen. Click Configuration > Licensing > Update > Anti-Vi
Chapter 12 Signature Update, page 273. 12.3 The IDP/AppPatrol Update Screen. Click Configuration > Licensing > Update > ID
Chapter 12 Signature Update, page 274. signatures from myZyXEL.com (see the Registration screens). Use the Update IDP/AppPatrol sc
Chapter 12 Signature Update, page 275. 12.4 The System Protect Update Screen. Click Configuration > Licensing > Update >
Chapter 12 Signature Update, page 276. The following table describes the fields in this screen. Table 54 Configuration > Licen
Page 277. CHAPTER 13 Interfaces. 13.1 Interface Overview. Use the Interface screens to configure the ZyWALL’s interfaces. You can a
Chapter 13 Interfaces, page 278. 13.1.2 What You Need to Know. Interface Characteristics. Interfaces generally have the following cha
Chapter 13 Interfaces, page 279. characteristics. These characteristics are listed in the following table and discussed in more de
Chapter 13 Interfaces, page 280. * - You cannot set up a PPP interface, virtual Ethernet interface or virtual VLAN interface if the
Chapter 13 Interfaces, page 281. 13.2.1 Port Grouping Overview. Use port grouping to create port groups and to assign physical port
Chapter 13 Interfaces, page 282. Each section in this screen is described below. 13.3 Ethernet Summary Screen. This screen lists ever
Chapter 13 Interfaces, page 283. Figure 249 Configuration > Network > Interface > Ethernet. Each field is described
Chapter 13 Interfaces, page 284. 13.3.1 Ethernet Edit. The Ethernet Edit screen lets you configure IP address assignment, interface
Chapter 13 Interfaces, page 285. Figure 250 Configuration > Network > Interface > Ethernet > Edit
Chapter 13 Interfaces, page 286. This screen’s fields are described in the table below. Table 59 Configuration > Network
Chapter 13 Interfaces, page 287. Use Fixed IP Address: This option appears when Interface Properties is External or General. Select
Chapter 13 Interfaces, page 288. Check Period: Enter the number of seconds between connection check attempts. Check Timeout: Enter the
Chapter 13 Interfaces, page 289. Pool Size: Enter the number of IP addresses to allocate. This number must be at least one and is l
Chapter 13 Interfaces, page 290. IP Address: Enter the IP address to assign to a device with this entry’s MAC address. MAC Address: En
Chapter 13 Interfaces, page 291. 13.3.2 Object References. When a configuration screen includes an Object References icon, select a
Chapter 13 Interfaces, page 292. Figure 251 Object References. The following table describes labels that can appear in this scr
Chapter 13 Interfaces, page 293. Figure 252 Example: PPPoE/PPTP Interfaces. PPPoE/PPTP interfaces are similar to other interfaces
Chapter 13 Interfaces, page 294. Figure 253 Configuration > Network > Interface > PPP. Each field is described in the
Chapter 13 Interfaces, page 295. 13.4.2 PPP Interface Add or Edit. Note: You have to set up an ISP account before you create a PPP
Chapter 13 Interfaces, page 296. Figure 254 Configuration > Network > Interface > PPP > Add. Each field is explaine
Chapter 13 Interfaces, page 297. Enable Interface: Select this to enable this interface. Clear this to disable this interface. Interf
Chapter 13 Interfaces, page 298. Interface Parameters. Egress Bandwidth: Enter the maximum amount of traffic, in kilobits per second, t
Chapter 13 Interfaces, page 299. 13.5 Cellular Configuration Screen (3G). 3G (Third Generation) is a digital, packet-switched wirel
About This User's Guide, page 3. About This User's Guide. Intended Audience. This manual is intended for people who want to
Chapter 13 Interfaces, page 300. If the signal strength of a 3G network is too low, the 3G card may switch to an available 2.5G or
Chapter 13 Interfaces, page 301. Figure 255 Configuration > Network > Interface > Cellular. The following table descri
Chapter 13 Interfaces, page 302. Figure 256 Configuration > Network > Interface > Cellular > Add
Chapter 13 Interfaces, page 303. The following table describes the labels in this screen. Table 65 Configuration > Network >
Chapter 13 Interfaces, page 304. Dial String: Enter the dial string if your ISP provides a string, which would include the APN, to i
Chapter 13 Interfaces, page 305. Egress Bandwidth: Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send
Chapter 13 Interfaces, page 306. Get Automatically: Select this option if your ISP did not assign you a fixed IP address. This is th
Chapter 13 Interfaces, page 307. Data Budget: Select this and specify how much downstream and/or upstream data (in megabytes) can
Chapter 13 Interfaces, page 308. 13.6 VLAN Interfaces. A Virtual Local Area Network (VLAN) divides a physical network into multiple
Chapter 13 Interfaces, page 309. Each VLAN is a separate network with separate IP addresses, subnet masks, and gateways. Each VLAN
Page 31. PART I User’s Guide
Chapter 13 Interfaces, page 310. They restrict bandwidth and packet size. They can provide DHCP services, and they can verify the g
Chapter 13 Interfaces, page 311. 13.6.2 VLAN Add/Edit. This screen lets you configure IP address assignment, interface bandwidth p
Chapter 13 Interfaces, page 312. Figure 260 Configuration > Network > Interface > VLAN > Edit
Chapter 13 Interfaces, page 313. Each field is explained in the following table. Table 67 Configuration > Network > Interf
Chapter 13 Interfaces, page 314. Metric: Enter the priority of the gateway (if any) on this interface. The ZyWALL decides which gate
Chapter 13 Interfaces, page 315. DHCP: Select what type of DHCP service the ZyWALL provides to the network. Choices are: None - the
Chapter 13 Interfaces, page 316. Lease time: Specify how long each computer can use the information (especially the IP address) befo
Chapter 13 Interfaces, page 317. OSPF Setting: See Section 16.3 on page 365 for more information about OSPF. Area: Select the area in
Chapter 13 Interfaces, page 318. 13.7 Bridge Interfaces. This section introduces bridges and bridge interfaces and then explains th
Chapter 13 Interfaces, page 319. If computer B responds to computer A, bridge X records the source address 0B:0B:0B:0B:0B:0B and p
Chapter 13 Interfaces, page 320. 13.7.1 Bridge Summary. This screen lists every bridge interface and virtual interface created on to
Chapter 13 Interfaces, page 321. 13.7.2 Bridge Add/Edit. This screen lets you configure IP address assignment, interface bandwidth
Chapter 13 Interfaces, page 322. Figure 262 Configuration > Network > Interface > Bridge > Add
Chapter 13 Interfaces, page 323. Each field is described in the table below. Table 72 Configuration > Network > Interface &
Chapter 13 Interfaces, page 324. Gateway: This field is enabled if you select Use Fixed IP Address. Enter the IP address of the gatew
Chapter 13 Interfaces, page 325. IP Pool Start Address: Enter the IP address from which the ZyWALL begins allocating IP addresses. I
Chapter 13 Interfaces, page 326. Add: Click this to create a new entry. Edit: Select an entry and click this to be able to modify it.
Chapter 13 Interfaces, page 327. 13.8 Auxiliary Interface. This section introduces the auxiliary interface and then explains the s
Chapter 13 Interfaces, page 328. Figure 263 Configuration > Network > Interface > Auxiliary. Each field is described in
Chapter 13 Interfaces, page 329. 13.9 Virtual Interfaces. Use virtual interfaces to tell the ZyWALL where to route packets. Virtua
Page 33. CHAPTER 1 Introducing the ZyWALL. This chapter gives an overview of the ZyWALL. It explains the front panel ports, LEDs,
Chapter 13 Interfaces, page 330. cannot change the MTU. The virtual interface uses the same MTU that the underlying interface uses.
Chapter 13 Interfaces, page 331. 13.10 Interface Technical Reference. Here is more detailed information about interfaces on the ZyW
Chapter 13 Interfaces, page 332. For example, if the ZyWALL gets a packet with a destination address of 100.100.25.25, it routes th
Chapter 13 Interfaces, page 333. • Egress bandwidth sets the amount of traffic the ZyWALL sends out through the interface to the n
Chapter 13 Interfaces, page 334. • IP address - If the DHCP client’s MAC address is in the ZyWALL’s static DHCP table, the interfac
Chapter 13 Interfaces, page 335. PPPoE/PPTP Overview. Point-to-Point Protocol over Ethernet (PPPoE, RFC 2516) and Point-to-Point Tun
Page 337. CHAPTER 14 Trunks. 14.1 Overview. Use trunks for WAN traffic load balancing to increase overall network throughput and r
Chapter 14 Trunks, page 338. 14.1.2 What You Need to Know. • Add WAN interfaces to trunks to have multiple connections share the tra
Chapter 14 Trunks, page 339. 2 The ZyWALL is using active/active load balancing. So when LAN user A tries to access something on t
Chapter 1 Introducing the ZyWALL, page 34. standard EIA rack using a rack-mounting kit. Make sure the rack will safely support the
Chapter 14 Trunks, page 340. Since WAN 2 has a smaller load balancing index (meaning that it is less utilized than WAN 1), the ZyWA
Chapter 14 Trunks, page 341. interface. This fully utilizes the bandwidth of the first interface to reduce Internet usage fees and
Chapter 14 Trunks, page 342. 14.2 The Trunk Summary Screen. Click Configuration > Network > Interface > Trunk to open the T
Chapter 14 Trunks, page 343. 14.3 Configuring a Trunk. Click Configuration > Network > Interface > Trunk and then the Add
Chapter 14 Trunks, page 344. Each field is described in the table below. Table 80 Configuration > Network > Interface >
Chapter 14 Trunks, page 345. 14.4 Trunk Technical Reference. Round Robin Load Balancing Algorithm. Round Robin scheduling services qu
Page 347. CHAPTER 15 Policy and Static Routes. 15.1 Policy and Static Routes Overview. Use policy routes and static routes to overr
Chapter 15 Policy and Static Routes, page 348. • Use the Static Route screens (see Section 15.3 on page 357) to list and configure s
Chapter 15 Policy and Static Routes, page 349. Policy Routes Versus Static Routes. • Policy routes are more flexible than static rou
Chapter 1 Introducing the ZyWALL, page 35. 3 After attaching both mounting brackets, position the ZyWALL in the rack by lining up
Chapter 15 Policy and Static Routes, page 350. Finding Out More. • See Section 6.5.6 on page 105 for related information on the polic
Chapter 15 Policy and Static Routes, page 351. The following table describes the labels in this screen. Table 81 Configuration
Chapter 15 Policy and Static Routes, page 352. DSCP Code: This is the DSCP value of incoming packets to which this policy route appl
Chapter 15 Policy and Static Routes, page 353. 15.2.1 Policy Route Edit Screen. Click Configuration > Network > Routing to op
Chapter 15 Policy and Static Routes, page 354. Incoming: Select where the packets are coming from; any, an interface, a tunnel, an S
Chapter 15 Policy and Static Routes, page 355. VPN Tunnel: This field displays when you select VPN Tunnel in the Type field. Select
Chapter 15 Policy and Static Routes, page 356. Source Network Address Translation: Select none to not use NAT for the route. Select ou
Chapter 15 Policy and Static Routes, page 357. 15.3 IP Static Route Screen. Click Configuration > Network > Routing > Stat
Chapter 15 Policy and Static Routes, page 358. The following table describes the labels in this screen. 15.3.1 Static Route Add/Ed
Chapter 15 Policy and Static Routes, page 359. 15.4 Policy Routing Technical Reference. Here is more detailed information about som
Chapter 1 Introducing the ZyWALL, page 36. 1.3.1.1 1000Base-T Ports. The 1000Base-T auto-negotiating, auto-crossover Ethernet ports
Chapter 15 Policy and Static Routes, page 360. following twelve DSCP encodings from AF11 through AF43. The decimal equivalent is li
Chapter 15 Policy and Static Routes, page 361. 3 Computer A and game server 1 are connected to each other until the connection is
Page 363. CHAPTER 16 Routing Protocols. 16.1 Routing Protocols Overview. Routing protocols give the ZyWALL routing information abou
Chapter 16 Routing Protocols, page 364. 16.2 The RIP Screen. RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a devi
Chapter 16 Routing Protocols, page 365. The following table describes the labels in this screen. 16.3 The OSPF Screen. OSPF (Open
Chapter 16 Routing Protocols, page 366. System (AS). OSPF offers some advantages over vector-space routing protocols like RIP. • OSP
Chapter 16 Routing Protocols, page 367. Each type of area is illustrated in the following figure. Figure 279 OSPF: Types of Areas
Chapter 16 Routing Protocols, page 368. • An Autonomous System Boundary Router (ASBR) exchanges routing information with routers in
Chapter 16 Routing Protocols, page 369. to logically connect the area to the backbone. This is illustrated in the following exampl
Chapter 1 Introducing the ZyWALL, page 37. 1 Insert the transceiver into the slot with the exposed section of PCB board facing dow
Chapter 16 Routing Protocols, page 370. Click Configuration > Network > Routing > OSPF to open the following screen. Figure
Chapter 16 Routing Protocols, page 371. Type: Select how OSPF calculates the cost associated with routing information from static r
Chapter 16 Routing Protocols, page 372. 16.3.2 OSPF Area Add/Edit Screen. The OSPF Area Add/Edit screen allows you to create a new
Chapter 16 Routing Protocols, page 373. 16.3.3 Virtual Link Add/Edit Screen. The Virtual Link Add/Edit screen allows you to create
Chapter 16 Routing Protocols, page 374. 372) has the Type set to Normal, a Virtual Link table displays. Click either the Add icon o
Chapter 16 Routing Protocols, page 375. Authentication Types. Authentication is used to guarantee the integrity, but not the confide
Page 377. CHAPTER 17 Zones. 17.1 Zones Overview. Set up zones to configure network security and network policies in the ZyWALL. A z
Chapter 17 Zones, page 378. 17.1.2 What You Need to Know. Effects of Zones on Different Types of Traffic. Zones effectively divide tra
Chapter 17 Zones, page 379. 17.2 The Zone Screen. The Zone screen provides a summary of all zones. In addition, this screen allows
Chapter 1 Introducing the ZyWALL, page 38. 1 Press down on the top of the fiber-optic cable where it connects to the transceiver to
Chapter 17 Zones, page 380. 17.3 Zone Edit. The Zone Edit screen allows you to add or edit a zone. To access this screen, go to the
Page 381. CHAPTER 18 DDNS. 18.1 DDNS Overview. Dynamic DNS (DDNS) services let you use a domain name with a dynamic IP address. 18.1
Chapter 18 DDNS, page 382. Note: Record your DDNS account’s user name, password, and domain name to use to configure the ZyWALL. Aft
Chapter 18 DDNS, page 383. Primary Interface/IP: This field displays the interface to use for updating the IP address mapped to the
Chapter 18 DDNS, page 384. 18.2.1 The Dynamic DNS Add/Edit Screen. The DDNS Add/Edit screen allows you to add a domain name to the Z
Chapter 18 DDNS, page 385. Username: Type the user name used when you registered your domain name. You can use up to 31 alphanumeri
Chapter 18 DDNS, page 386. IP Address: The options available in this field vary by DDNS provider. Interface - The ZyWALL uses the IP a
Page 387. CHAPTER 19 NAT. 19.1 NAT Overview. NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address
Chapter 19 NAT, page 388. 19.1.2 What You Need to Know. NAT is also known as virtual server, port forwarding, or port translation. Fi
Chapter 19 NAT, page 389. Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before
Chapter 1 Introducing the ZyWALL, page 39. 1.3.2 Maximizing Throughput. The ZyWALL has one internal bus for ports P1-P7 and another
Chapter 19 NAT, page 390. 19.2.1 The NAT Add/Edit Screen. The NAT Add/Edit screen lets you create new NAT rules and edit existing on
Chapter 19 NAT, page 391. Classification: Select what kind of NAT this rule is to perform. Virtual Server - This makes computers on
Chapter 19 NAT, page 392. Mapped IP Subnet/Range: This field displays for Many 1:1 NAT. Select to which translated destination IP add
Chapter 19 NAT, page 393. 19.3 NAT Technical Reference. Here is more detailed information about NAT on the ZyWALL. NAT Loopback. Suppo
Chapter 19 NAT, page 394. For example, a LAN user’s computer at IP address 192.168.1.89 queries a public DNS server to resolve the
Chapter 19 NAT, page 395. SMTP server replied directly to the LAN user without the traffic going through NAT, the source would not
Page 397. CHAPTER 20 HTTP Redirect. 20.1 Overview. HTTP redirect forwards the client’s HTTP request (except HTTP traffic destined
Chapter 20 HTTP Redirect, page 398. 20.1.2 What You Need to Know. Web Proxy Server. A proxy server helps client devices make indirect
Chapter 20 HTTP Redirect, page 399. • an application patrol rule to allow HTTP traffic between ge4 and ge2. • a policy route to forw
About This User's Guide, page 4. • Web Configurator Online Help. Click the help icon in any screen for help in configuring that
Chapter 1 Introducing the ZyWALL, page 40. 1.4 Management Overview. You can use the following ways to manage the ZyWALL. SYS Off The
Chapter 20 HTTP Redirect, page 400. 20.2.1 The HTTP Redirect Edit Screen. Click Network > HTTP Redirect to open the HTTP Redirect
Page 401. CHAPTER 21 ALG. 21.1 ALG Overview. Application Layer Gateway (ALG) allows the following applications to operate properly
Chapter 21 ALG, page 402. 21.1.2 What You Need to Know. Application Layer Gateway (ALG), NAT and Firewall. The ZyWALL can function as
Chapter 21 ALG, page 403. • There should be only one SIP server (total) on the ZyWALL’s private networks. Any other SIP servers mu
Chapter 21 ALG, page 404. can receive incoming calls from the Internet, LAN IP addresses B and C can still make calls out to the In
Chapter 21 ALG, page 405. • See Section 21.3 on page 407 for ALG background/technical information. 21.1.3 Before You Begin. You must
Chapter 21 ALG, page 406. The following table describes the labels in this screen. Table 101 Configuration > Network > AL
Chapter 21 ALG, page 407. 21.3 ALG Technical Reference. Here is more detailed information about the Application Layer Gateway. ALG So
Chapter 21 ALG, page 408. connections to the second (passive) interface when the active interface’s connection goes down. When the
Page 409. CHAPTER 22 IP/MAC Binding. 22.1 IP/MAC Binding Overview. IP address to MAC address binding helps ensure that only the in
Chapter 1 Introducing the ZyWALL, page 41. Web Configurator. The Web Configurator allows easy ZyWALL setup and management using an I
Chapter 22 IP/MAC Binding, page 410. 22.1.2 What You Need to Know. DHCP. IP/MAC address bindings are based on the ZyWALL’s dynamic and
Chapter 22 IP/MAC Binding, page 411. The following table describes the labels in this screen. 22.2.1 IP/MAC Binding Edit. Click Co
Chapter 22 IP/MAC Binding, page 412. The following table describes the labels in this screen. 22.2.2 Static DHCP Edit. Click Config
Chapter 22 IP/MAC Binding, page 413. screen. Use this screen to configure an interface’s IP to MAC address binding settings. Figur
Chapter 22 IP/MAC Binding, page 414. The following table describes the labels in this screen. Table 105 Configuration > Netwo
Page 415. CHAPTER 23 Authentication Policy. 23.1 Overview. Use authentication policies to control who can access the network. You
Chapter 23 Authentication Policy, page 416. 23.1.2 What You Need to Know. Authentication Policy and VPN. Authentication policies are a
Chapter 23 Authentication Policy, page 417. Click Configuration > Auth. Policy to display the screen. Figure 310 Configuratio
Chapter 23 Authentication Policy, page 418. The following table gives an overview of the objects you can configure. Table 106 Co
Chapter 23 Authentication Policy, page 419. 23.2.1 Creating/Editing an Authentication Policy. Click Configuration > Auth. Policy
Chapter 1 Introducing the ZyWALL, page 42. Always use Maintenance > Shutdown > Shutdown or the shutdown command before you tu
Chapter 23 Authentication Policy, page 420. Figure 312 Configuration > Auth. Policy > Add. The following table gives an ove
Chapter 23 Authentication Policy, page 421. Schedule: Select a schedule that defines when the policy applies. Otherwise, select non
Page 423. CHAPTER 24 Firewall. 24.1 Overview. Use the firewall to block or allow services that use static port numbers. Use applica
Chapter 24 Firewall, page 424. 24.1.2 What You Need to Know. Stateful Inspection. The ZyWALL has a stateful inspection firewall. The Z
Chapter 24 Firewall, page 425. • The ZyWALL drops most packets from the DMZ zone to the ZyWALL itself, except for DNS and NetBIOS
Chapter 24 Firewall, page 426. traffic blocking to allow or block VPN traffic transmitting between the VPN tunnel and other interfa
Chapter 24 Firewall, page 427. the firewall rule to always be in effect. The following figure shows the results of this rule. Figur
Chapter 24 Firewall, page 428. Now you configure a LAN to WAN firewall rule that allows IRC traffic from the IP address of the CEO’
Chapter 24 Firewall, page 429. • The first row allows any LAN computer to access the IRC service on the WAN by logging into the Zy
Page 43. CHAPTER 2 Features and Applications. This chapter introduces the main features and applications of the ZyWALL. 2.1 Featur
Chapter 24 Firewall, page 430. 5 The screen for configuring a service object opens. Configure it as follows and click OK. Figure 318
Chapter 24 Firewall, page 431. 9 The firewall rule appears in the firewall rule summary. Figure 320 Firewall Example: Doom Rule i
Chapter 24 Firewall, page 432. 4 The ZyWALL then sends it to the computer on the LAN in Subnet 1. Figure 321 Using Virtual Interf
Chapter 24 Firewall, page 433. • The ordering of your rules is very important as rules are applied in sequence. Figure 322 Config
Chapter 24 Firewall, page 434. From Zone / To Zone: This is the direction of travel of packets. Select from which zone the packets co
Chapter 24 Firewall, page 435. 24.2.2 The Firewall Add/Edit Screen. In the Firewall screen, click the Edit or Add icon to display t
Chapter 24 Firewall, page 436. 24.3 The Session Limit Screen. Click Configuration > Firewall > Session Limit to display the Fi
Chapter 24 Firewall, page 437. individual limits for specific users, addresses, or both. The individual limit takes priority if yo
Chapter 24 Firewall, page 438. 24.3.1 The Session Limit Add/Edit Screen. Click Configuration > Firewall > Session Limit and th
Chapter 24 Firewall, page 439. User: Select a user name or user group to which to apply the rule. The rule is activated only when t
Chapter 2 Features and Applications, page 44. Firewall. The ZyWALL’s firewall is a stateful inspection firewall. The ZyWALL restricts
Chapter 25 IPSec VPN (page 441): 25.1 IPSec VPN Overview. A virtual private network (VPN) provides secure communications between sit
Chapter 25 IPSec VPN (page 442): • Use the VPN Gateway screens (see Section 25.2.1 on page 446) to manage the ZyWALL’s VPN gateways.
Chapter 25 IPSec VPN (page 443): Application Scenarios. The ZyWALL’s application scenarios make it easier to configure your VPN conne
Chapter 25 IPSec VPN (page 444): • See Section 25.5 on page 469 for IPSec VPN background information. • See Section 5.3 on page 83 fo
Chapter 25 IPSec VPN (page 445): SA). Click a column’s heading cell to sort the table entries by that column’s criteria. Click the
Chapter 25 IPSec VPN (page 446): 25.2.1 The VPN Connection Add/Edit (IKE) Screen. The VPN Connection Add/Edit Gateway screen allows y
Chapter 25 IPSec VPN (page 447): Figure 329 Configuration > VPN > IPSec VPN > VPN Connection > Edit (IKE)
Chapter 25 IPSec VPN (page 448): Each field is described in the following table. Table 118 Configuration > VPN > IPSec VPN
Chapter 25 IPSec VPN (page 449): Policy. Local Policy: Select the address corresponding to the local network. Use Create new Object if
Chapter 2 Features and Applications (page 45): Anti-Virus Scanner. With the anti-virus packet scanner, your ZyWALL scans files transm
Chapter 25 IPSec VPN (page 450): Encryption: This field is applicable when the Active Protocol is ESP. Select which key size and encr
Chapter 25 IPSec VPN (page 451): Check Method: Select how the ZyWALL checks the connection. The peer must be configured to respond t
Chapter 25 IPSec VPN (page 452): Inbound Traffic. Source NAT: This translation hides the source address of computers in the remote netw
Chapter 25 IPSec VPN (page 453): 25.2.2 The VPN Connection Add/Edit Manual Key Screen. The VPN Connection Add/Edit Manual Key scree
Chapter 25 IPSec VPN (page 454): Secure Gateway Address: Type the IP address of the remote IPSec router in the IPSec SA. SPI: Type a un
Chapter 25 IPSec VPN (page 455): Encryption Key: This field is applicable when you select an Encryption Algorithm. Enter the encrypt
Chapter 25 IPSec VPN (page 456): 25.3 The VPN Gateway Screen. The VPN Gateway summary screen displays the IPSec VPN gateway policies
Chapter 25 IPSec VPN (page 457): 25.3.1 The VPN Gateway Add/Edit Screen. The VPN Gateway Add/Edit screen allows you to create a new
Chapter 25 IPSec VPN (page 458): Figure 332 Configuration > VPN > IPSec VPN > VPN Gateway > Edit
Chapter 25 IPSec VPN (page 459): Each field is described in the following table. Table 121 Configuration > VPN > IPSec VPN
Chapter 2 Features and Applications (page 46): 2.2.1 VPN Connectivity. Set up VPN tunnels with other companies, branch offices, telec
Chapter 25 IPSec VPN (page 460): Pre-Shared Key: Select this to have the ZyWALL and remote IPSec router use a pre-shared key (password
Chapter 25 IPSec VPN (page 461): Content: This field is read-only if the ZyWALL and remote IPSec router use certificates to identify
Chapter 25 IPSec VPN (page 462): Content: This field is disabled if the Peer ID Type is Any. Type the identity of the remote IPSec ro
Chapter 25 IPSec VPN (page 463): Negotiation Mode: Select the negotiation mode to use to negotiate the IKE SA. Choices are Main - this
Chapter 25 IPSec VPN (page 464): NAT Traversal: Select this if any of these conditions are satisfied. • This IKE SA might be used to n
Chapter 25 IPSec VPN (page 465): 25.4 VPN Concentrator. A VPN concentrator combines several IPSec VPN connections into one secure n
Chapter 25 IPSec VPN (page 466): • Branch office A’s ZyWALL uses one VPN rule to access both the headquarters (HQ) network and branc
Chapter 25 IPSec VPN (page 467): VPN Connection (VPN Tunnel 1): • Local Policy: 192.168.1.0/255.255.255.0 • Remote Policy: 192.168.11
Chapter 25 IPSec VPN (page 468): • The local IP addresses configured in the VPN rules should not overlap. • The concentrator must hav
Chapter 25 IPSec VPN (page 469): Concentrator summary screen (see Section 25.4 on page 465), and click either the Add icon or an Ed
Chapter 2 Features and Applications (page 47): You do not have to install additional client software on the remote user computers f
Chapter 25 IPSec VPN (page 470): IKE SA Overview. The IKE SA provides a secure connection between the ZyWALL and remote IPSec router. I
Chapter 25 IPSec VPN (page 471): The ZyWALL sends one or more proposals to the remote IPSec router. (In some devices, you can only
Chapter 25 IPSec VPN (page 472): the longer it takes to encrypt and decrypt information. For example, DH2 keys (1024 bits) are more
Chapter 25 IPSec VPN (page 473): Router identity consists of ID type and content. The ID type can be domain name, IP address, or e-
Chapter 25 IPSec VPN (page 474): Negotiation Mode. There are two negotiation modes--main mode and aggressive mode. Main mode provides
Chapter 25 IPSec VPN (page 475): feature, router X and router Y can establish a VPN tunnel as long as the active protocol is ESP. (
Chapter 25 IPSec VPN (page 476): • The local and peer ID type and content come from the certificates. Note: You must set up the certi
Chapter 25 IPSec VPN (page 477): These modes are illustrated below. In tunnel mode, the ZyWALL uses the active protocol to encapsula
Chapter 25 IPSec VPN (page 478): Additional Topics for IPSec SA. This section provides more information about IPSec SA in your ZyWALL.
Chapter 25 IPSec VPN (page 479): Each kind of translation is explained below. The following example is used to help explain each on
Chapter 2 Features and Applications (page 48): 2.2.3 User-Aware Access Control. Set up security policies that restrict access to sens
Chapter 25 IPSec VPN (page 480): • SNAT - the translated source address; a different IP address (range of addresses) to hide the ori
Chapter 26 SSL VPN (page 481): 26.1 Overview. Use SSL VPN to allow users to use a web browser for secure remote user login (the remo
Chapter 26 SSL VPN (page 482): You do not have to install additional client software on the remote user computers for access. Figur
Chapter 26 SSL VPN (page 483): changes through the SSL policies that use the object(s). When you delete an SSL policy, the objects
Chapter 26 SSL VPN (page 484): 26.2 The SSL Access Privilege Screen. Click VPN > SSL VPN to open the Access Privilege screen. This
Chapter 26 SSL VPN (page 485): Apply: Click Apply to save the settings. Reset: Click Reset to discard all changes. Table 127 VPN &g
Chapter 26 SSL VPN (page 486): 26.2.1 The SSL Access Policy Add/Edit Screen. To create a new or edit an existing SSL access policy,
Chapter 26 SSL VPN (page 487): The following table describes the labels in this screen. Table 128 VPN > SSL VPN > Access Pr
Chapter 26 SSL VPN (page 488): 26.3 The SSL Global Setting Screen. Click VPN > SSL VPN and click the Global Setting tab to display
Chapter 26 SSL VPN (page 489): on your network for full tunnel mode access, enter access messages or upload a custom logo to be dis
Chapter 2 Features and Applications (page 49): 2.2.5 Device HA. Set up an additional ZyWALL as a backup gateway to ensure the defaul
Chapter 26 SSL VPN (page 490): 26.3.1 How to Upload a Custom Logo. Follow the steps below to upload a custom logo to display on the r
Chapter 26 SSL VPN (page 491): The following shows an example logo on the remote user screen. Figure 348 Example Logo Graphic Dis
Chapter 26 SSL VPN (page 492): 2. SSL VPN connection starts. This may take several minutes depending on your network connection. Once
Chapter 27 SSL User Screens (page 493): 27.1 Overview. This chapter introduces the remote user SSL VPN screens. The following figure
Chapter 27 SSL User Screens (page 494): System Requirements. Here are the browser and computer system requirements for remote user acc
Chapter 27 SSL User Screens (page 495): 1. Open a web browser and enter the web site address or IP address of the ZyWALL. For exampl
Chapter 27 SSL User Screens (page 496): 5. Your computer starts establishing a secure connection to the ZyWALL after a successful log
Chapter 27 SSL User Screens (page 497): 7. The ZyWALL tries to install the SecuExtender client. You may need to click a pop-up to ge
Chapter 27 SSL User Screens (page 498): 10. If a screen like the following displays, click Continue Anyway to finish installing the S
Chapter 27 SSL User Screens (page 499): 27.3 The SSL VPN User Screens. This section describes the main elements in the remote user s
About This User's Guide (page 5): See http://www.zyxel.com/web/contact_us.php for contact information. Please have the follow
Chapter 27 SSL User Screens (page 500): 27.4 Bookmarking the ZyWALL. You can create a bookmark of the ZyWALL by clicking the Add to F
Chapter 27 SSL User Screens (page 501): 3. An information screen displays to indicate that the SSL VPN connection is about to termin
Chapter 28 SSL User Application Screens (page 503): 28.1 SSL User Application Screens Overview. Use the Application screen to access
Chapter 29 SSL User File Sharing (page 505): 29.1 Overview. The File Sharing screen lets you access files on a file server through t
Chapter 29 SSL User File Sharing (page 506): 29.2 The Main File Sharing Screen. The first File Sharing screen displays the name(s) o
Chapter 29 SSL User File Sharing (page 507): 3. If an access user name and password are required, a screen displays as shown in the
Chapter 29 SSL User File Sharing (page 508): 4. A list of files/folders displays. Click on a file to open it in a separate browser wi
Chapter 29 SSL User File Sharing (page 509): 29.3.2 Saving a File. After you have opened a file in a web browser, you can save a cop
Chapter 3 Web Configurator (page 51): The ZyWALL Web Configurator allows easy ZyWALL setup and management using an Internet browser
Chapter 29 SSL User File Sharing (page 510): 29.5 Renaming a File or Folder. To rename a file or folder, click the Rename icon next t
Chapter 29 SSL User File Sharing (page 511): 29.7 Uploading a File. Follow the steps below to upload a file to the file server. 1. Lo
Chapter 30 ZyWALL SecuExtender (page 513): The ZyWALL automatically loads the ZyWALL SecuExtender client program to your computer a
Chapter 30 ZyWALL SecuExtender (page 514): 30.2 Statistics. Right-click the ZyWALL SecuExtender icon in the system tray and select St
Chapter 30 ZyWALL SecuExtender (page 515): 30.3 View Log. If you have problems with the ZyWALL SecuExtender, customer support may re
Chapter 30 ZyWALL SecuExtender (page 516): connected but not send any traffic through it until you right-click the icon and resume t
Chapter 31 L2TP VPN (page 517): 31.1 Overview. L2TP VPN lets remote users use the L2TP and IPSec client software included with their
Chapter 31 L2TP VPN (page 518): • Use transport mode. • Not be a manual key VPN connection. • Use Pre-Shared Key authentication. • Use
Chapter 31 L2TP VPN (page 519): Finding Out More. • See Section 6.5.17 on page 111 for related information on these screens. • See Cha
Chapter 3 Web Configurator (page 52): 2. Open your web browser, and go to http://192.168.1.1. By default, the ZyWALL automatically ro
Chapter 31 L2TP VPN (page 520): VPN Connection: Select the IPSec VPN connection the ZyWALL uses for L2TP VPN. All of the configured V
Chapter 32 Application Patrol (page 521): 32.1 Overview. Application patrol provides a convenient way to manage the use of various a
Chapter 32 Application Patrol (page 522): 32.1.2 What You Need to Know. If you want to use a service, make sure both the firewall an
Chapter 32 Application Patrol (page 523): numbers for SIP traffic. Likewise, configuring the SIP ALG to use custom port numbers for
Chapter 32 Application Patrol (page 524): • The outbound traffic flows from the connection initiator to the connection responder. •
Chapter 32 Application Patrol (page 525): Bandwidth Management Priority. • The ZyWALL gives bandwidth to higher-priority traffic firs
Chapter 32 Application Patrol (page 526): Configured Rate Effect. In the following table the configured rates total less than the avai
Chapter 32 Application Patrol (page 527): regardless of its priority, server B gets almost no bandwidth with this configuration.
Chapter 32 Application Patrol (page 528): • FTP traffic from the LAN to the DMZ can use more bandwidth since the interfaces support
Chapter 32 Application Patrol (page 529): • Enable maximize bandwidth usage so the SIP traffic can borrow unused bandwidth. Figure 3
Chapter 3 Web Configurator (page 53): 5. The screen above appears every time you log in using the default user name and default pass
Chapter 32 Application Patrol (page 530): 32.1.3.5 FTP WAN to DMZ Bandwidth Management Example. • ADSL supports more downstream than
Chapter 32 Application Patrol (page 531): 32.2 Application Patrol General Screen. Use this screen to enable and disable application
Chapter 32 Application Patrol (page 532): 32.3 Application Patrol Applications. Use the application patrol Common, Instant Messenger,
Chapter 32 Application Patrol (page 533): Click Configuration > App Patrol > Common to open the following screen. Figure 391
Chapter 32 Application Patrol (page 534): Streaming screen and click an application’s Edit icon. The screen displayed here is for th
Chapter 32 Application Patrol (page 535): #: This field is a sequential value, and it is not associated with a specific entry. Note:
Chapter 32 Application Patrol (page 536): Access: This field displays what the ZyWALL does with packets for this application that mat
Chapter 32 Application Patrol (page 537): 32.3.2 The Application Patrol Policy Edit Screen. The Application Policy Edit screen allo
Chapter 32 Application Patrol (page 538): Schedule: Select a schedule that defines when the policy applies or select Create Object to
Chapter 32 Application Patrol (page 539): Action Block: For some applications, you can select individual uses of the application tha
Chapter 3 Web Configurator (page 54): 3.3.1 Title Bar. The title bar provides some icons in the upper right corner. Figure 22 Title
Chapter 32 Application Patrol (page 540): 32.4 The Other Applications Screen. Sometimes, the ZyWALL cannot identify the application.
Chapter 32 Application Patrol (page 541): Click AppPatrol > Other to open the Other (applications) screen. Figure 394 AppPatrol
Chapter 32 Application Patrol (page 542): Destination: This is the destination address or address group for whom this policy applies.
Chapter 32 Application Patrol (page 543): 32.4.1 The Other Applications Add/Edit Screen. The Other Configuration Add/Edit screen all
Chapter 32 Application Patrol (page 544): Schedule: Select a schedule that defines when the policy applies or select Create Object to
Chapter 32 Application Patrol (page 545): Inbound kbps: Type how much inbound bandwidth, in kilobits per second, this policy allows t
Chapter 32 Application Patrol (page 546): OK: Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this scree
Chapter 33 Anti-Virus (page 547): 33.1 Overview. Use the ZyWALL’s anti-virus feature to protect your connected network from virus/sp
Chapter 33 Anti-Virus (page 548): 33.1.2 What You Need to Know. Anti-Virus Engines. Subscribe to signature files for ZyXEL’s anti-viru
Chapter 33 Anti-Virus (page 549): 2. If the packets are not session connection setup packets (such as SYN, ACK and FIN), the ZyWALL
Chapter 3 Web Configurator (page 55): hide the navigation panel menus or drag it to resize them. The following sections introduce t
Chapter 33 Anti-Virus (page 550): 33.1.3 Before You Begin. • Before using anti-virus, see Chapter 11 on page 265 for how to register
Chapter 33 Anti-Virus (page 551): The following table describes the labels in this screen. Table 143 Configuration > Anti-X >
Chapter 33 Anti-Virus (page 552): Protocol: These are the protocols of traffic to scan for viruses. FTP applies to traffic using the T
Chapter 33 Anti-Virus (page 553): 33.2.1 Anti-Virus Policy Add or Edit Screen. Click the Add or Edit icon in the Configuration >
Chapter 33 Anti-Virus (page 554): Actions When Matched. Destroy infected file: When you select this check box, if a virus pattern is mat
Chapter 33 Anti-Virus (page 555): 33.3 Anti-Virus Black List. Click Configuration > Anti-X > Anti-Virus > Black/White List
Chapter 33 Anti-Virus (page 556): The following table describes the labels in this screen. 33.4 Anti-Virus Black List or White List
Chapter 33 Anti-Virus (page 557): The following table describes the labels in this screen. 33.5 Anti-Virus White List. Click Configur
Chapter 33 Anti-Virus (page 558): column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell
Chapter 33 Anti-Virus (page 559): If Internet Explorer opens a warning screen about a script making Internet Explorer run slowly an
Chapter 3 Web Configurator (page 56): 3.3.2.3 Configuration Menu. Use the configuration menu screens to configure the ZyWALL’s featur
Chapter 33 Anti-Virus (page 560): The following table describes the labels in this screen. Table 148 Configuration > Anti-X &g
Chapter 33 Anti-Virus (page 561): 33.7 Anti-Virus Technical Reference. Types of Computer Viruses. The following table describes some
Chapter 33 Anti-Virus (page 562): A host-based anti-virus (HAV) scanner is often software installed on computers and/or servers in t
Chapter 34 IDP (page 563): 34.1 Overview. This chapter introduces packet inspection IDP (Intrusion, Detection and Prevention), IDP
Chapter 34 IDP (page 564): IDP Profiles. An IDP profile is a set of related IDP signatures that you can activate as a set and configur
Chapter 34 IDP (page 565): 34.2 The IDP General Screen. Click Configuration > Anti-X > IDP > General to open this screen. U
Chapter 34 IDP (page 566): Remove: Select an entry and click this to delete it. Activate: To turn on an entry, select it and click Act
Chapter 34 IDP (page 567): 34.3 Introducing IDP Profiles. An IDP profile is a set of packet inspection signatures. Packet inspecti
Chapter 34 IDP (page 568): 34.3.1 Base Profiles. The ZyWALL comes with several base profiles. You use base profiles to create new pro
Chapter 34 IDP (page 569): 34.4 The Profile Summary Screen. Select Anti-X > IDP > Profile. Use this screen to: • Add a new prof
Chapter 3 Web Configurator (page 57): Interface. Port Grouping: Configure physical port groups. Ethernet: Manage Ethernet interfaces an
Chapter 34 IDP (page 570): 34.5 Creating New Profiles. You may want to create a new profile if not all signatures in a base profile
Chapter 34 IDP (page 571): 34.6 Profiles: Packet Inspection. Select Configuration > Anti-X > IDP > Profile and then add a
Chapter 34 IDP (page 572): The following table describes the fields in this screen. Table 153 Configuration > Anti-X > IDP
Chapter 34 IDP (page 573): Action: To edit what action the ZyWALL takes when a packet matches a signature, select the signature and
Chapter 34 IDP (page 574): 34.6.2 Policy Types. This section describes IDP policy types, also known as attack types, as categorized i
Chapter 34 IDP (page 575): 34.6.3 IDP Service Groups. An IDP service group is a set of related packet inspection signatures. Scan A s
Chapter 34 IDP (page 576): The following figure shows the WEB_PHP service group that contains signatures related to attacks on web s
Chapter 34 IDP (page 577): signatures by criteria such as name, ID, severity, attack type, vulnerable attack platforms, service cat
Chapter 34 IDP (page 578): Severity: Search for signatures by severity level(s). Hold down the [Ctrl] key if you want to make multipl
Chapter 34 IDP (page 579): 34.6.5 Query Example. This example shows a search with these criteria: • Severity: severe and high • Attack
Chapter 3 Web Configurator (page 58): L2TP VPN. L2TP VPN: Configure L2TP Over IPSec VPN settings. AppPatrol. General: Enable or disable t
Chapter 34 IDP (page 580): • Actions: Any. Figure 409 Query Example Search Criteria. Figure 410 Query Example Search Results
Chapter 34 IDP (page 581): 34.7 Introducing IDP Custom Signatures. Create custom signatures for new attacks or attacks peculiar to
Chapter 34 IDP (page 582): 34.8 Configuring Custom Signatures. Select Configuration > Anti-X > IDP > Custom Signatures. The
Chapter 34 IDP (page 583): Note: The ZyWALL checks all signatures and continues searching even after a match is found. If two or mo
Chapter 34 IDP (page 584): 34.8.1 Creating or Editing a Custom Signature. Click the Add icon to create a new signature or click the
Chapter 34 IDP (page 585): Try to write signatures that target a vulnerability, for example a certain type of traffic on certain op
Chapter 34 IDP (page 586): The following table describes the fields in this screen. Table 159 Configuration > Anti-X > IDP &
Chapter 34 IDP (page 587): Fragmentation: A fragmentation flag identifies whether the IP datagram should be fragmented, not fragment
Chapter 34 IDP (page 588): Flow: If selected, the signature only applies to certain directions of the traffic flow and only to client
Chapter 34 IDP (page 589): Payload Size: This field may be used to check for abnormally sized packets or for detecting buffer overfl
Chapter 3 Web Configurator (page 59): User/Group. User: Create and manage users. Group: Create and manage groups of users. Setting: Manag
Chapter 34 IDP (page 590): 34.8.2 Custom Signature Example. Before creating a custom signature, you must first clearly understand the
Chapter 34 IDP (page 591): 34.8.2.2 Analyze Packets. Use the packet capture screen (see Section 53.3 on page 860) and a packet analy
Chapter 34 IDP (page 592): The final custom signature should look as shown in the following figure. Figure 415 Example Custom
Chapter 34 IDP (page 593): You can activate the signature, configure what action to take when a packet matches it and if it should
Chapter 34 IDP (page 594): destination port is the service port (53 for DNS in this case) that the attack tries to exploit. Figure 41
Chapter 34 IDP (page 595): Network Intrusions. Network-based intrusions have the goal of bringing down a network or networks by attac
Chapter 34 IDP (page 596): Note: Not all Snort functionality is supported in the ZyWALL. Same IP: sameip. Transport Protocol: Transport Pr
Chapter 35 ADP (page 597): 35.1 Overview. This chapter introduces ADP (Anomaly Detection and Prevention), anomaly profiles and appl
Chapter 35 ADP (page 598): Protocol Anomalies. Protocol anomalies are packets that do not comply with the relevant RFC (Request For Co
Chapter 35 ADP (page 599): 35.2 The ADP General Screen. Click Configuration > Anti-X > ADP > General. Use this screen to tu
Document Conventions (page 6): Warnings and Notes. These are how warnings and notes are shown in this User’s Guide
Chapter 3 Web Configurator (page 60): 3.3.2.4 Maintenance Menu. Use the maintenance menu screens to manage configuration and firmware
Chapter 35 ADP (page 600): 35.3 The Profile Summary Screen. Use this screen to: • Create a new profile using an existing base profile •
Chapter 35 ADP (page 601): 35.3.1 Base Profiles. The ZyWALL comes with base profiles. You use base profiles to create new profiles.
Chapter 35 ADP (page 602): The following table describes the fields in this screen. 35.3.3 Creating New ADP Profiles. You may want
Chapter 35 ADP (page 603): belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting th
Chapter 35 ADP (page 604): The following table describes the fields in this screen. Table 164 Configuration > ADP > Profile
Chapter 35 ADP (page 605): 35.3.5 Protocol Anomaly Profiles. Protocol anomaly is the third screen in an ADP profile. Protocol anoma
Chapter 35 ADP (page 606): Figure 422 Profiles: Protocol Anomaly
Chapter 35 ADP (page 607): The following table describes the fields in this screen. Table 165 Configuration > ADP > Profil
Chapter 35 ADP (page 608): Action: To edit what action the ZyWALL takes when a packet matches a signature, select the signature and u
Chapter 35 ADP (page 609): 35.4 ADP Technical Reference. This section is divided into traffic anomaly background information and pro
Chapter 3 Web Configurator (page 61): 3.3.3.1 Warning Messages. Warning messages, such as those resulting from misconfiguration, dis
Chapter 35 ADP (page 610): Decoy Port Scans. Decoy port scans are scans where the attacker has spoofed the source address. These are s
Chapter 35 ADP (page 611): Flood Detection. Flood attacks saturate a network with useless data, use up all available bandwidth, and t
Chapter 35 ADP (page 612): the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established. F
Chapter 35 ADP (page 613): UDP Flood Attack. UDP is a connection-less protocol and it does not require any connection setup procedure
Chapter 35 ADP (page 614): DOUBLE-ENCODING ATTACK: This rule is IIS specific. IIS does two passes through the request URI, doing decod
Chapter 35 ADP (page 615): WEBROOT-DIRECTORY-TRAVERSAL ATTACK: This is when a directory traversal traverses past the web server root
Chapter 35 ADP (page 616): TRUNCATED-HEADER ATTACK: This is when an ICMP packet is sent which has an ICMP datagram length of less than
Chapter 36 Content Filtering (page 617): 36.1 Overview. Use the content filtering feature to control access to specific web sites o
Chapter 36 Content Filtering (page 618): Content Filtering Profiles. A content filtering profile conveniently stores your custom setti
Chapter 36 Content Filtering (page 619): Since the ZyWALL checks the URL’s domain name (or IP address) and file path separately, it
Chapter 3 Web Configurator (page 62): settings reference the object. The following example shows which configuration settings refere
Chapter 36 Content Filtering (page 620): your list of content filter policies, create a denial of access message or specify a redire
Chapter 36 Content Filtering (page 621): Move: To change an entry’s position in the numbered list, select it and click Move to displ
Chapter 36 Content Filtering (page 622): 36.3 Content Filter Policy Add or Edit Screen. Click Configuration > Anti-X > Content
Chapter 36 Content Filtering (page 623): filter policy. A content filter policy defines which content filter profile should be appl
Chapter 36 Content Filtering (page 624): 36.4 Content Filter Profile Screen. Click Configuration > Anti-X > Content Filter >
Chapter 36 Content Filtering (page 625): See Chapter 37 on page 641 for how to view content filtering reports. Figure 429 Configu
Chapter 36 Content Filtering (page 626): The following table describes the labels in this screen. Table 170 Configuration > Ant
Chapter 36 Content Filtering (page 627): Action for Unsafe Web Pages: Select Pass to allow users to access web pages that match the u
Chapter 36 Content Filtering (page 628): Action When Category Server Is Unavailable: Select Pass to allow users to access any requeste
Chapter 36 Content Filtering (page 629): Spyware/Malware Sources: This category includes pages which distribute spyware and other ma
Chapter 3 Web Configurator (page 63): 3.3.3.4 CLI Messages. Click CLI to look at the CLI commands sent by the Web Configurator. Thes
Chapter 36 Content FilteringZyWALL USG 2000 User’s Guide630Nudity This category includes pages containing nude or seminude depictions of the human bod
Chapter 36 Content FilteringZyWALL USG 2000 User’s Guide631Arts/Entertainment This category includes pages that promote and provide information about
Chapter 36 Content FilteringZyWALL USG 2000 User’s Guide632Government/Legal This category includes pages sponsored by or which provide information on
Chapter 36 Content FilteringZyWALL USG 2000 User’s Guide633Religion This category includes pages that promote and provide information on conventional
Chapter 36 Content FilteringZyWALL USG 2000 User’s Guide634Sports/Recreation/HobbiesThis category includes pages that promote or provide information a
Chapter 36 Content FilteringZyWALL USG 2000 User’s Guide635Alcohol Sites that promote, offer for sale, glorify, review, or in any way advocate the u
Chapter 36 Content FilteringZyWALL USG 2000 User’s Guide63636.5.1 Content Filter Blocked and Warning MessagesThese are the content filtering warning
Chapter 36 Content FilteringZyWALL USG 2000 User’s Guide63736.6 Content Filter Customization Screen Click Configuration > Anti-X > Content Fil
Chapter 36 Content Filtering, page 638: Allow Web traffic for trusted web sites only: When this box is selected, the ZyWALL blocks We
Chapter 36 Content Filtering, page 639: 36.7 Content Filter Technical Reference. This section provides content filtering background
Chapter 3 Web Configurator, page 64: • Sort in ascending alphabetical order • Sort in descending (reverse) alphabetical order • Selec
Chapter 36 Content Filtering, page 640: External Content Filter Server Lookup Procedure. The content filter lookup process is describ
Chapter 37 Content Filter Reports, page 641: 37.1 Overview. You can view content filtering reports after you have activated the cat
Chapter 37 Content Filter Reports, page 642: 2 Fill in your myZyXEL.com account information and click Login. Figure 433 myZyXEL.co
Chapter 37 Content Filter Reports, page 643: 3 A welcome screen displays. Click your ZyWALL’s model name and/or MAC address under
Chapter 37 Content Filter Reports, page 644: 4 In the Service Management screen click Content Filter in the Service Name column to
Chapter 37 Content Filter Reports, page 645: 6 Select items under Global Reports to view the corresponding reports. Figure 437 Co
Chapter 37 Content Filter Reports, page 646: 8 A chart and/or list of requested web site categories display in the lower half of th
Chapter 37 Content Filter Reports, page 647: 9 You can click a category in the Categories report or click URLs in the Report Home
Chapter 38 Anti-Spam, page 649: 38.1 Overview. The anti-spam feature can mark or discard spam (unsolicited commercial or junk e-mai
Chapter 3 Web Configurator, page 65: 4 Select a column heading and drag and drop it to change the column order. A green check mark
Chapter 38 Anti-Spam, page 650: Black List. Configure black list entries to identify spam. The black list entries have the ZyWALL cla
Chapter 38 Anti-Spam, page 651: E-mail Header Buffer Size. The ZyWALL has a 5 K buffer for an individual e-mail header. If an e-mail
Chapter 38 Anti-Spam, page 652: spam policies. You can also select the action the ZyWALL takes when the mail sessions threshold is
Chapter 38 Anti-Spam, page 653: 38.3.1 The Anti-Spam Policy Add or Edit Screen. Click the Add or Edit icon in the Configuration >
Chapter 38 Anti-Spam, page 654: check, which e-mail protocols to scan, the scanning options, and the action to take on spam traffic
Chapter 38 Anti-Spam, page 655: 38.4 The Anti-Spam Black List Screen. Click Configuration > Anti-X > Anti-Spam > Black /Wh
Chapter 38 Anti-Spam, page 656: specific subject text. Click a column’s heading cell to sort the table entries by that column’s cri
Chapter 38 Anti-Spam, page 657: 38.4.1 The Anti-Spam Black or White List Add/Edit Screen. In the anti-spam Black List or White List
Chapter 38 Anti-Spam, page 658: 38.4.2 Regular Expressions in Black or White List Entries. The following applies for a black or whit
Chapter 38 Anti-Spam, page 659: 38.5 The Anti-Spam White List Screen. Click Configuration > Anti-X > Anti-Spam > Black/Whi
Chapter 3 Web Configurator, page 66: Here are descriptions for the most common table icons. 3.3.4.3 Working with Lists. When a list o
Chapter 38 Anti-Spam, page 660: 38.6 The DNSBL Screen. Click Configuration > Anti-X > Anti-Spam > DNSBL to display the ant
Chapter 38 Anti-Spam, page 661: The following table describes the labels in this screen. Table 177 Configuration > Anti-X >
Chapter 38 Anti-Spam, page 662: 38.7 Anti-Spam Technical Reference. Here is more detailed anti-spam information. DNSBL • The ZyWALL ch
Chapter 38 Anti-Spam, page 663: Here is an example of an e-mail classified as spam based on DNSBL replies. Figure 446 DNSBL Spam
Chapter 38 Anti-Spam, page 664: Here is an example of an e-mail classified as legitimate based on DNSBL replies. Figure 447 DNSBL
Chapter 38 Anti-Spam, page 665: If the ZyWALL receives conflicting DNSBL replies for an e-mail routing IP address, the ZyWALL clas
Chapter 39 Device HA, page 667: 39.1 Overview. Device HA lets a backup ZyWALL (B) automatically take over if the master ZyWALL (A)
Chapter 39 Device HA, page 668: • Legacy mode allows for more complex relationships between the master and backup ZyWALLs, such as
Chapter 39 Device HA, page 669: 39.2 Device HA General. The Configuration > Device HA General screen lets you enable or disable
Chapter 4 Installation Setup Wizard, page 67: 4.1 Installation Setup Wizard Screens. If you log into the Web Configurator when the
Chapter 39 Device HA, page 670: 39.3 The Active-Passive Mode Screen. Virtual Router. The master and backup ZyWALL form a single ‘virt
Chapter 39 Device HA, page 671: B form a virtual router that uses cluster ID 1. ZyWALLs C and D form a virtual router that uses cl
Chapter 39 Device HA, page 672: 192.168.1.5 and ZyWALL B has its own LAN management IP address of 192.168.1.6. These do not change
Chapter 39 Device HA, page 673: The following table describes the labels in this screen. See Section 39.4 on page 675 for more inf
Chapter 39 Device HA, page 674: Monitored Interface Summary: This table shows the status of the device HA settings and status of the
Chapter 39 Device HA, page 675: 39.4 Configuring an Active-Passive Mode Monitored Interface. The Device HA Active-Passive Mode Moni
Chapter 39 Device HA, page 676: A bridge interface’s device HA settings are not retained if you delete the bridge interface. Figure
Chapter 39 Device HA, page 677: 39.5 The Legacy Mode Screen. Virtual Router Redundancy Protocol (VRRP). Legacy mode device HA uses Vi
Chapter 39 Device HA, page 678: 39.6 Configuring the Legacy Mode Screen. The Device HA Legacy Mode screen lets you configure general
Chapter 39 Device HA, page 679: Remove: Select an entry and click this to delete it. Activate: To turn on an entry, select it and cl
Chapter 4 Installation Setup Wizard, page 68: 4.1.1 Internet Access Setup - WAN Interface. Use this screen to set how many WAN int
Chapter 39 Device HA, page 680: Use the VRRP Group Add/Edit screen to add or edit VRRP groups. • You can only use interfaces that ha
Chapter 39 Device HA, page 681: The following table describes the labels in this screen. Table 182 Configuration > Device H
Chapter 39 Device HA, page 682: 39.7 Device HA Technical Reference. Active-Passive Mode Device HA with Bridge Interfaces. Here are two
Chapter 39 Device HA, page 683: 1 Make sure the bridge interfaces of the master ZyWALL (A) and the backup ZyWALL (B) are not conne
Chapter 39 Device HA, page 684: 4 Connect the ZyWALLs. Second Option for Connecting the Bridge Interfaces on Two ZyWALLs. Another opti
Chapter 39 Device HA, page 685: 2 Configure a corresponding disabled bridge interface on the backup ZyWALL. Then set the bridge in
Chapter 39 Device HA, page 686: Legacy Mode ZyWALL VRRP Application. In VRRP, a virtual router represents a number of ZyWALLs associa
Chapter 39 Device HA, page 687: If ZyWALL A becomes available again, ZyWALL A preempts ZyWALL B and becomes the master again (the
Chapter 40 User/Group, page 689: 40.1 Overview. This chapter describes how to set up user accounts, user groups, and user settings
Chapter 4 Installation Setup Wizard, page 69: Note: Enter the Internet access information exactly as given to you by your ISP. Figu
Chapter 40 User/Group, page 690: Note: The default admin account is always authenticated locally, regardless of the authentication
Chapter 40 User/Group, page 691: See Setting up User Attributes in an External Server on page 703 for a list of attributes and how
Chapter 40 User/Group, page 692: 40.2 User Summary Screen. The User screen provides a summary of all user accounts. To access this s
Chapter 40 User/Group, page 693: • - [dashes] The first character must be alphabetical (A-Z a-z), an underscore (_), or a dash (-).
Chapter 40 User/Group, page 694: The following table describes the labels in this screen. Table 185 Configuration > User/Grou
Chapter 40 User/Group, page 695: 40.3 User Group Summary Screen. User groups consist of access users and other user groups. You can
Chapter 40 User/Group, page 696: 40.3.1 Group Add/Edit Screen. The Group Add/Edit screen allows you to create a new user group or ed
Chapter 40 User/Group, page 697: 40.4 Setting Screen. The Setting screen controls default settings, login settings, lockout settin
Chapter 40 User/Group, page 698: To access this screen, login to the Web Configurator, and click Configuration > Object > Use
Chapter 40 User/Group, page 699: User Type: These are the kinds of user account the ZyWALL supports. • admin - this user can look at
Document Conventions, page 7: Icons Used in Figures. Figures in this User’s Guide may use the following generic icons. The ZyWALL ic
Chapter 4 Installation Setup Wizard, page 70: 4.1.3 Internet Access: PPPoE. Note: Enter the Internet access information exactly as g
Chapter 40 User/Group, page 700: 40.4.1 Default User Authentication Timeout Settings Edit Screens. The Default Authentication Timeou
Chapter 40 User/Group, page 701: To access this screen, go to the Configuration > Object > User/Group > Setting screen (s
Chapter 40 User/Group, page 702: 40.4.2 User Aware Login Example. Access users cannot use the Web Configurator to browse the configu
Chapter 40 User/Group, page 703: 40.5 User/Group Technical Reference. This section provides some information on users who use an e
Chapter 41 Addresses, page 705: 41.1 Overview. Address objects can represent a single IP address or a range of IP addresses. Addre
Chapter 41 Addresses, page 706: • RANGE - a range address is defined by a Starting IP Address and an Ending IP Address. • SUBNET - a
Chapter 41 Addresses, page 707: 41.2.1 Address Add/Edit Screen. The Configuration > Address Add/Edit screen allows you to create
Chapter 41 Addresses, page 708: 41.3 Address Group Summary Screen. The Address Group screen provides a summary of all address groups
Chapter 41 Addresses, page 709: 41.3.1 Address Group Add/Edit Screen. The Address Group Add/Edit screen allows you to create a new
Chapter 4 Installation Setup Wizard, page 71: 4.1.3.2 WAN IP Address Assignments. • WAN Interface: This is the name of the interfa
Chapter 42 Services, page 711: 42.1 Overview. Use service objects to define TCP applications, UDP applications, and ICMP messages.
Chapter 42 Services, page 712: Both TCP and UDP use ports to identify the source and destination. Each port is a 16-bit number. Som
Chapter 42 Services, page 713: entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 47
Chapter 42 Services, page 714: 42.2.1 The Service Add/Edit Screen. The Service Add/Edit screen allows you to create a new service or
Chapter 42 Services, page 715: To access this screen, log in to the Web Configurator, and click Configuration > Object > Ser
Chapter 42 Services, page 716: 42.3.1 The Service Group Add/Edit Screen. The Service Group Add/Edit screen allows you to create a ne
Chapter 43 Schedules, page 717: 43.1 Overview. Use schedules to set up one-time and recurring schedules for policy routes, firewall
Chapter 43 Schedules, page 718: Finding Out More. • See Section 6.6 on page 114 for related information on these screens. • See Sectio
Chapter 43 Schedules, page 719: 43.2.1 The One-Time Schedule Add/Edit Screen. The One-Time Schedule Add/Edit screen allows you to d
Chapter 4 Installation Setup Wizard, page 72: • CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by the remote node
Chapter 43 Schedules, page 720: 43.2.2 The Recurring Schedule Add/Edit Screen. The Recurring Schedule Add/Edit screen allows you to
Chapter 43 Schedules, page 721: (see Section 43.2 on page 718), and click either the Add icon or an Edit icon in the Recurring sec
Chapter 44 AAA Server, page 723: 44.1 Overview. You can use a AAA (Authentication, Authorization, Accounting) server to provide a
Chapter 44 AAA Server, page 724: 44.1.2 RADIUS Server. RADIUS (Remote Authentication Dial-In User Service) authentication is a popu
Chapter 44 AAA Server, page 725: • Use the Configuration > Object > AAA Server > RADIUS screen (Section 44.3 on page 729)
Chapter 44 AAA Server, page 726: organizational boundaries. The following figure shows a basic directory structure branching from c
Chapter 44 AAA Server, page 727: • See Section 7.7 on page 142 for an example of how to use a RADIUS server to authenticate user a
Chapter 44 AAA Server, page 728: following screen. Use this screen to create a new AD or LDAP entry or edit an existing one. Figure
Chapter 44 AAA Server, page 729: 44.3 RADIUS Server Summary. Use the RADIUS screen to manage the list of RADIUS servers the ZyWALL
Chapter 4 Installation Setup Wizard, page 73: 4.1.6 Internet Access Setup - Second WAN Interface. If you selected I have two ISPs,
Chapter 44 AAA Server, page 730: Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen. Figure 4
Chapter 44 AAA Server, page 731: 44.3.1 Adding a RADIUS Server. Click Configuration > Object > AAA Server > RADIUS to dis
Chapter 44 AAA Server, page 732: Timeout: Specify the timeout period (between 1 and 300 seconds) before the ZyWALL disconnects from
Chapter 45 Authentication Method, page 733: 45.1 Overview. Authentication method objects set how the ZyWALL authenticates HTTP/HTT
Chapter 45 Authentication Method, page 734: 3 Select Server Mode and select an authentication method object from the drop-down list
Chapter 45 Authentication Method, page 735: 45.2.1 Creating an Authentication Method Object. Follow the steps below to create an a
Chapter 45 Authentication Method, page 736: 7 Click OK to save the settings or click Cancel to discard all changes and return to th
Chapter 45 Authentication Method, page 737: Add icon: Click Add to add a new entry. Click Edit to edit the settings of an entry. Cl
Chapter 46 Certificates, page 739: 46.1 Overview. The ZyWALL can use certificates (also called digital IDs) to authenticate users.
Chapter 4 Installation Setup Wizard, page 74: Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com
Chapter 46 Certificates, page 740: 2 Tim keeps the private key and makes the public key openly available. This means that anyone wh
Chapter 46 Certificates, page 741: Factory Default Certificate. The ZyWALL generates its own unique self-signed certificate when you
Chapter 46 Certificates, page 742: 2 Make sure that the certificate has a “.cer” or “.crt” file name extension. Figure 490 Remote
Chapter 46 Certificates, page 743: 46.2 The My Certificates Screen. Click Configuration > Object > Certificate > My Certi
Chapter 46 Certificates, page 744: 46.2.1 The My Certificates Add Screen. Click Configuration > Object > Certificate > My C
Chapter 46 Certificates, page 745: ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or
Chapter 46 Certificates, page 746: The following table describes the labels in this screen. Table 210 Configuration > Object &
Chapter 46 Certificates, page 747: Create a certification request and save it locally for later manual enrollment: Select this to ha
Chapter 46 Certificates, page 748: If you configured the My Certificate Create screen to have the ZyWALL enroll a certificate and t
Chapter 46 Certificates, page 749: 46.2.2 The My Certificates Edit Screen. Click Configuration > Object > Certificate > My
Chapter 4 Installation Setup Wizard, page 75: • Select existing myZyXEL.com account if you already have an account at myZyXEL.com
Chapter 46 Certificates, page 750: The following table describes the labels in this screen. Table 211 Configuration > Object
Chapter 46 Certificates, page 751: Key Algorithm: This field displays the type of algorithm that was used to generate the certifica
Chapter 46 Certificates, page 752: 46.2.3 The My Certificates Import Screen. Click Configuration > Object > Certificate >
Chapter 46 Certificates, page 753: 46.3 The Trusted Certificates Screen. Click Configuration > Object > Certificate > T
Chapter 46 Certificates, page 754: 46.3.1 The Trusted Certificates Edit Screen. Click Configuration > Object > Certificate &g
Chapter 46 Certificates, page 755: authority’s list of revoked certificates before trusting a certificate issued by the certificat
Chapter 46 Certificates, page 756: The following table describes the labels in this screen. Table 214 Configuration > Object
Chapter 46 Certificates, page 757: Type: This field displays general information about the certificate. CA-signed means that a Cert
Chapter 46 Certificates, page 758: 46.3.2 The Trusted Certificates Import Screen. Click Configuration > Object > Certificate
Chapter 46 Certificates, page 759: The following table describes the labels in this screen. 46.4 Certificates Technical Reference
Chapter 47 ISP Accounts, page 761: 47.1 Overview. Use ISP accounts to manage Internet Service Provider (ISP) account information fo
Chapter 47 ISP Accounts, page 762: The following table describes the labels in this screen. See the ISP Account Edit section below
Chapter 47 ISP Accounts, page 763: The following table describes the labels in this screen. Table 217 Configuration > Object
Chapter 47 ISP Accounts, page 764: Compression: Select On button to turn on stac compression, and select Off to turn off stac compre
Chapter 48 SSL Application, page 765: 48.1 Overview. You use SSL application objects in SSL VPN. Configure an SSL application objec
Chapter 48 SSL Application, page 766: Remote Desktop Connections. Use SSL VPN to allow remote users to manage LAN computers. Dependin
Chapter 48 SSL Application, page 767: 2 Click the Add button and select Web Application in the Type field. In the Server Type fiel
Chapter 48 SSL Application, page 768: The following table describes the labels in this screen. 48.2.1 Creating/Editing a Web-base
Chapter 48 SSL Application, page 769: The following table describes the labels in this screen. Table 219 Configuration > Obj
Chapter 5 Quick Setup, page 77: 5.1 Quick Setup Overview. The Web Configurator's quick setup wizards help you configure Intern
Chapter 48 SSL Application, page 770: 48.2.2 Creating/Editing a File Sharing SSL Application Object. You can specify the name of a f
Chapter 48 SSL Application, page 771: The following table describes the labels in this screen. Table 220 Configuration > Obj
Chapter 49 Endpoint Security, page 773: 49.1 Overview. Use Endpoint Security (EPS), also known as endpoint control, to make sure u
Chapter 49 Endpoint Security, page 774: 49.1.1 What You Can Do in this Chapter. Use the Configuration > Object > Endpoint Secu
Chapter 49 Endpoint Security, page 775: 49.2 Endpoint Security Screen. The Endpoint Security screen displays the endpoint security
Chapter 49 Endpoint Security, page 776: Apply: Click this button to save your changes to the ZyWALL. Reset: Click this button to retu
Chapter 49 Endpoint Security, page 777: 49.3 Endpoint Security Add/Edit. Click Configuration > Object > Endpoint Security and
Chapter 49 Endpoint Security, page 778: Figure 508 Configuration > Object > Endpoint Security > Add
Chapter 49 Endpoint Security, page 779: The following table gives an overview of the objects you can configure. Table 222 Confi
Chapter 5 Quick Setup, page 78: 5.2 WAN Interface Quick Setup. Click WAN Interface in the main Quick Setup screen to open the WAN In
Chapter 49 Endpoint Security, page 780: Checking Item - Personal Firewall: If you selected Windows as the operating system, you can s
Chapter 49 Endpoint Security, page 781: Checking Item - File Information: If you selected Windows or Linux as the operating system,
Chapter 50 System, page 783: 50.1 Overview. Use the system screens to configure general ZyWALL settings. 50.1.1 What You Can Do
Chapter 50 System, page 784: • Connect an external serial modem to the AUX port to provide a management connection in case the ZyWA
Chapter 50 System, page 785: 50.3 Date and Time. For effective scheduling and logging, the ZyWALL system time must be accurate. Th
Chapter 50 System, page 786: Manual: Select this radio button to enter the time and date manually. If you configure a new time and d
Chapter 50 System, page 787: 50.3.1 Pre-defined NTP Time Servers List. When you turn on the ZyWALL for the first time, the date and
Chapter 50 System, page 788: 50.3.2 Time Server Synchronization. Click the Synchronize Now button to get the time and date from the
Chapter 50 System, page 789: 5 Under Time and Date Setup, enter a Time Server Address (Table 225 on page 787). 6 Click Apply. 50.4
Chapter 5 Quick Setup, page 79: Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your IS
Chapter 50 System, page 790: 50.5.1 DNS Server Address Assignment. The ZyWALL can get the DNS server addresses in the following ways
Chapter 50 System, page 791: The following table describes the labels in this screen. Table 227 Configuration > System >
Chapter 50 System, page 792: DNS Server: This is the IP address of a DNS server. This field displays N/A if you have the ZyWALL get
Chapter 50 System, page 793: 50.5.3 Address Record. An address record contains the mapping of a Fully-Qualified Domain Name (FQDN)
Chapter 50 System, page 794: The following table describes the labels in this screen. 50.5.6 Domain Zone Forwarder. A domain zone
Chapter 50 System, page 795: The following table describes the labels in this screen. 50.5.8 MX Record. A MX (Mail eXchange) recor
Chapter 50 System, page 796: 50.5.9 Adding a MX Record. Click the Add icon in the MX Record table to add a MX record. Figure 516 C
Chapter 50 System, page 797: The following table describes the labels in this screen. 50.6 WWW Overview. The following figure show
Chapter 50 System, page 798: • See To-ZyWALL Rules on page 424 for more on To-ZyWALL firewall rules. • See Section 7.9 on page 147 f
Chapter 50 System, page 799: It relies upon certificates, public keys, and private keys (see Chapter 46 on page 739 for more infor
Safety Warnings, page 8: Safety Warnings. • Do NOT use this product near water, for example, in a wet basement or near a swimming poo
Chapter 5 Quick Setup, page 80: • IP Address Assignment: Select Auto If your ISP did not assign you a fixed IP address. Select Stat
Chapter 50 System, page 800: Note: Admin Service Control deals with management access (to the Web Configurator). User Service Contr
Chapter 50 System, page 801: Server Port: The HTTPS server listens on port 443 by default. If you change the HTTPS server port to a
Chapter 50 System, page 802: HTTP. Enable: Select the check box to allow or disallow the computer with the IP address that matches the
Chapter 50 System, page 803: 50.6.5 Service Control Rules. Click Add or Edit in the Service Control table in a WWW, SSH, Telnet, FT
Chapter 50 System, page 804: also customize the page that displays after an access user logs into the Web Configurator to access ne
Chapter 50 System, page 805: The following figures identify the parts you can customize in the login and access pages. Figure 523
Chapter 50 System, page 806: • Click Color to display a screen of web-safe colors from which to choose. • Enter the name of the desir
Chapter 50 System, page 807: 50.6.7 HTTPS Example. If you haven’t changed the default HTTPS port on the ZyWALL, then in your browse
Chapter 50 System, page 808: 50.6.7.2 Netscape Navigator Warning Messages. When you attempt to access the ZyWALL HTTPS server, a Web
Chapter 50 System, page 809: • The issuing certificate authority of the ZyWALL’s HTTPS server certificate is not one of the browse
Chapter 5 Quick Setup, page 81: Authentication Type: Use the drop-down list box to select an authentication protocol for outgoing ca
Chapter 50 System, page 810: Apply for a certificate from a Certification Authority (CA) that is trusted by the ZyWALL (see the ZyW
Chapter 50 System, page 811: 50.6.7.5.2 Installing Your Personal Certificate(s). You need a password in advance. The CA may issue t
Chapter 50 System, page 812: 3 Enter the password given to you by the CA. Figure 533 Personal Certificate Import Wizard 3. 4 Have th
Chapter 50 System, page 813: 5 Click Finish to complete the wizard and begin the import process. Figure 535 Personal Certificate
Chapter 50 System, page 814: 2 When Authenticate Client Certificates is selected on the ZyWALL, the following screen asks you to se
Chapter 50 System, page 815: SSH is a secure communication protocol that combines authentication and data encryption to provide se
Chapter 50 System, page 816: 2 Encryption Method. Once the identification is verified, both the client and server must agree on the t
Chapter 50 System, page 817: Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections
Chapter 50 System, page 818: 50.7.5 Secure Telnet Using SSH Examples. This section shows two examples using a command interface and
Chapter 50 System, page 819: Enter the password to log in to the ZyWALL. The CLI screen displays next. 50.7.5.2 Example 2: Linux. T
Chapter 5 Quick Setup, page 82: 5.2.5 Quick Setup Interface Wizard: Summary. This screen displays the WAN interface’s settings. Figur
Chapter 50 System, page 820: 50.8.1 Configuring Telnet. Click Configuration > System > TELNET to configure your ZyWALL for rem
Chapter 50 System, page 821: 50.9 FTP. You can upload and download the ZyWALL’s firmware and configuration files using FTP. To use
Chapter 50 System, page 822: be used to access the ZyWALL. You can also specify from which IP addresses the access can come. Figure
Chapter 50 System, page 823: 50.10 SNMP. Simple Network Management Protocol is a protocol used for exchanging management informati
Chapter 50 System, page 824: and version two (SNMPv2c). The next figure illustrates an SNMP management operation. Figure 548 SN
Chapter 50 System, page 825: • GetNext - Allows the manager to retrieve the next object variable from a table or list within an ag
Chapter 50 System, page 826: settings, including from which zones SNMP can be used to access the ZyWALL. You can also specify from
Chapter 50 System, page 827: 50.11 Dial-in Management. Connect an external serial modem to the AUX port to provide a management con
Chapter 50 System, page 828: Hang Up check box is selected, the ZyWALL uses this hardware signal to force the WAN device to hang up
Chapter 50 System, page 829: 50.12 Vantage CNM. Vantage CNM (Centralized Network Management) is a browser-based global management
Chapter 5 Quick Setup, page 83: 5.3 VPN Quick Setup. Click VPN Setup in the main Quick Setup screen to open the VPN Setup Wizard We
Chapter 50 System, page 830: 50.12.1 Configuring Vantage CNM. Vantage CNM is disabled on the device by default. Click Configuration
Chapter 50 System, page 831: Transfer Protocol: Select whether the Vantage CNM sessions should use regular HTTP connections or secur
Chapter 50 System, page 832: 50.13 Language Screen. Click Configuration > System > Language to open the following screen. Use
ZyWALL USG 2000 User’s Guide833CHAPTER 51 Log and Report51.1 OverviewUse these screens to configure daily reporting and log settings. 51.1.1 What
Chapter 51 Log and ReportZyWALL USG 2000 User’s Guide834Click Configuration > Log & Report > Email Daily Report to display the following scr
Chapter 51 Log and ReportZyWALL USG 2000 User’s Guide835The following table describes the labels in this screen. 51.3 Log Setting Screens The Log Se
Chapter 51 Log and ReportZyWALL USG 2000 User’s Guide836The Log Setting tab also controls what information is saved in each log. For the system log, y
Chapter 51 Log and ReportZyWALL USG 2000 User’s Guide83751.3.2 Edit System Log Settings The Log Settings Edit screen controls the detailed settings
Chapter 51 Log and ReportZyWALL USG 2000 User’s Guide838Figure 555 Configuration > Log & Report > Log Setting > Edit (System Log)
Chapter 51 Log and ReportZyWALL USG 2000 User’s Guide839The following table describes the labels in this screen. Table 245 Configuration > Log &
Chapter 5 Quick SetupZyWALL USG 2000 User’s Guide845.4 VPN Setup Wizard: Wizard TypeA VPN (Virtual Private Network) tunnel is a secure connection to
Chapter 51 Log and ReportZyWALL USG 2000 User’s Guide840E-mail Server 1 Use the E-Mail Server 1 drop-down list to change the settings for e-mailing lo
Chapter 51 Log and ReportZyWALL USG 2000 User’s Guide841Active Select this to activate log consolidation. Log consolidation aggregates multiple log m
Chapter 51 Log and ReportZyWALL USG 2000 User’s Guide84251.3.3 Edit Remote Server Log Settings The Log Settings Edit screen controls the detailed set
Chapter 51 Log and ReportZyWALL USG 2000 User’s Guide843The following table describes the labels in this screen. Table 246 Configuration > Log
Chapter 51 Log and ReportZyWALL USG 2000 User’s Guide84451.3.4 Active Log Summary ScreenThe Active Log Summary screen allows you to view and to edit
Chapter 51 Log and ReportZyWALL USG 2000 User’s Guide845The following table describes the fields in this screen. Table 247 Configuration > Log
Chapter 51 Log and ReportZyWALL USG 2000 User’s Guide846System log Select which events you want to log by Log Category. There are three choices:disabl
ZyWALL USG 2000 User’s Guide847CHAPTER 52 File Manager52.1 OverviewConfiguration files define the ZyWALL’s settings. Shell scripts are files of com
Chapter 52 File ManagerZyWALL USG 2000 User’s Guide848 These files have the same syntax, which is also identical to the way you run CLI commands manua
Chapter 52 File ManagerZyWALL USG 2000 User’s Guide849Your configuration files or shell scripts can use “exit” or a command line consisting of a sing
Chapter 5 Quick SetupZyWALL USG 2000 User’s Guide855.5 VPN Express Wizard - Scenario Click the Express radio button as shown in Figure 52 on page 84
Chapter 52 File ManagerZyWALL USG 2000 User’s Guide85052.2 The Configuration File ScreenClick Maintenance > File Manager > Configuration File t
Chapter 52 File ManagerZyWALL USG 2000 User’s Guide851The following table describes the labels in this screen. Table 249 Maintenance > File Man
Chapter 52 File ManagerZyWALL USG 2000 User’s Guide852Copy Use this button to save a duplicate of a configuration file on the ZyWALL. Click a configur
Chapter 52 File ManagerZyWALL USG 2000 User’s Guide853Apply Use this button to have the ZyWALL use a specific configuration file.Click a configuratio
Chapter 52 File ManagerZyWALL USG 2000 User’s Guide85452.3 The Firmware Package Screen Click Maintenance > File Manager > Firmware Package to o
Chapter 52 File ManagerZyWALL USG 2000 User’s Guide855Note: The Web Configurator is the recommended method for uploading firmware. You only need to u
Chapter 52 File ManagerZyWALL USG 2000 User’s Guide856After you see the Firmware Upload in Process screen, wait two minutes before logging into the Zy
Chapter 52 File ManagerZyWALL USG 2000 User’s Guide857Note: You should include write commands in your scripts. If you do not use the write command, t
Chapter 52 File ManagerZyWALL USG 2000 User’s Guide858Copy Use this button to save a duplicate of a shell script file on the ZyWALL. Click a shell scr
ZyWALL USG 2000 User’s Guide859CHAPTER 53 Diagnostics53.1 OverviewUse the diagnostics screens for troubleshooting. 53.1.1 What You Can Do in this
Chapter 5 Quick SetupZyWALL USG 2000 User’s Guide865.5.1 VPN Express Wizard - Configuration Figure 54 VPN Express Wizard: Step 3 • Secure Gateway:
Chapter 53 DiagnosticsZyWALL USG 2000 User’s Guide860The following table describes the labels in this screen. 53.3 The Packet Capture ScreenUse this
Chapter 53 DiagnosticsZyWALL USG 2000 User’s Guide861The following table describes the labels in this screen. Table 253 Maintenance > Diagnosti
Chapter 53 DiagnosticsZyWALL USG 2000 User’s Guide86253.3.1 The Packet Capture Files ScreenClick Maintenance > Diagnostics > Packet Capture >
Chapter 53 DiagnosticsZyWALL USG 2000 User’s Guide86353.3.2 Example of Viewing a Packet Capture FileHere is an example of a packet capture file view
ZyWALL USG 2000 User’s Guide865CHAPTER 54 Reboot54.1 OverviewUse this to restart the device (for example, if the device begins behaving erratically)
ZyWALL USG 2000 User’s Guide867CHAPTER 55 Shutdown55.1 OverviewUse this to shutdown the device in preparation for disconnecting the power. See also
ZyWALL USG 2000 User’s Guide869CHAPTER 56 TroubleshootingThis chapter offers some suggestions to solve problems you might encounter. • You can also r
Chapter 5 Quick SetupZyWALL USG 2000 User’s Guide875.5.2 VPN Express Wizard - Summary This screen provides a read-only summary of the VPN tunnel’s c
Chapter 56 TroubleshootingZyWALL USG 2000 User’s Guide870• Ping the ZyWALL from a LAN computer. Make sure your computer’s Ethernet card is installed a
Chapter 56 TroubleshootingZyWALL USG 2000 User’s Guide871I cannot update the IDP/application patrol signatures.• Make sure your ZyWALL has the IDP/ap
Chapter 56 TroubleshootingZyWALL USG 2000 User’s Guide872The ZyWALL checks the firewall rules in the order that they are listed. So make sure that you
Chapter 56 TroubleshootingZyWALL USG 2000 User’s Guide873The data rates through my cellular connection are no-where near the rates I expected.The act
Chapter 56 TroubleshootingZyWALL USG 2000 User’s Guide874The ZyWALL is not applying my application patrol bandwidth management settings.Bandwidth mana
Chapter 56 TroubleshootingZyWALL USG 2000 User’s Guide875The ZyWALL’s performance seems slower after configuring IDP.Depending on your network topolo
Chapter 56 TroubleshootingZyWALL USG 2000 User’s Guide876The ZyWALL routes and applies SNAT for traffic from some interfaces but not from others.The Z
Chapter 56 TroubleshootingZyWALL USG 2000 User’s Guide877I cannot get the application patrol to manage H.323 traffic.Make sure you have the H.323 ALG
Chapter 56 TroubleshootingZyWALL USG 2000 User’s Guide878• The ZyWALL and remote IPSec router must use the same authentication method to establish the
Chapter 56 TroubleshootingZyWALL USG 2000 User’s Guide879of its Trusted Certificates to authenticate the remote IPSec router’s certificate. The trust
Chapter 5 Quick SetupZyWALL USG 2000 User’s Guide885.5.3 VPN Express Wizard - Finish Now you can use the VPN tunnel.Figure 56 VPN Express Wizard: S
Chapter 56 TroubleshootingZyWALL USG 2000 User’s Guide880I uploaded a logo to show in the SSL VPN user screens but it does not display properly. The l
Chapter 56 TroubleshootingZyWALL USG 2000 User’s Guide881decompressed option while you download the firmware package. See Section 33.2.1 on page 553
Chapter 56 TroubleshootingZyWALL USG 2000 User’s Guide882• You may need to disable STP (Spanning Tree Protocol).• The master and its backups must all
Chapter 56 TroubleshootingZyWALL USG 2000 User’s Guide883I cannot add the admin users to a user group with access users.You cannot put access users a
Chapter 56 TroubleshootingZyWALL USG 2000 User’s Guide8842 You must remove any spaces from the certificate’s filename before you can import the certif
Chapter 56 TroubleshootingZyWALL USG 2000 User’s Guide885I uploaded a logo to use as the screen or window background but it does not display properly
Chapter 56 TroubleshootingZyWALL USG 2000 User’s Guide886See the CLI Reference Guide for how to determine if you need to recover the firmware and how
Chapter 56 TroubleshootingZyWALL USG 2000 User’s Guide8872 Press the RESET button and hold it until the SYS LED begins to blink. (This usually takes
Chapter 56 TroubleshootingZyWALL USG 2000 User’s Guide8885 Use the handle to slide out the power module and remove it.Figure 577 Removing the Power
Chapter 56 TroubleshootingZyWALL USG 2000 User’s Guide8898 Connect the power cord to the new ZyWALL power module.9 Reconnect the power cord to the po
Chapter 5 Quick SetupZyWALL USG 2000 User’s Guide895.5.4 VPN Advanced Wizard - Scenario Click the Advanced radio button as shown in Figure 52 on pag
ZyWALL USG 2000 User’s Guide891CHAPTER 57 Product SpecificationsThe following specifications are subject to change without notice. See Chapter 2 on p
Chapter 57 Product SpecificationsZyWALL USG 2000 User’s Guide892This table gives details about the ZyWALL’s features. AUX port RS-232, DB
Chapter 57 Product SpecificationsZyWALL USG 2000 User’s Guide893Static Routes 10,000 (shared with the policy routes)10,000 (shared with the policy ro
Chapter 57 Product SpecificationsZyWALL USG 2000 User’s Guide894Maximum Number of LDAP Groups 32 32 32Maximum Number of LDAP Servers for Each LDAP Gro
Chapter 57 Product SpecificationsZyWALL USG 2000 User’s Guide895Syslog Servers 4 4 4IDPMaximum Number of IDP Profiles 32 32 32Custom Signatures 512 5
Chapter 57 Product SpecificationsZyWALL USG 2000 User’s Guide896The following table, which is not exhaustive, lists standards referenced by ZyWALL fea
Chapter 57 Product SpecificationsZyWALL USG 2000 User’s Guide89757.1 3G PCMCIA Card InstallationOnly insert a compatible 3G card. Slide the connecto
ZyWALL USG 2000 User’s Guide899APPENDIX A Log DescriptionsThis appendix provides descriptions of example log messages for the ZLD-based ZyWALLs. The
Contents OverviewZyWALL USG 2000 User’s Guide9Contents OverviewUser’s Guide ...
Chapter 5 Quick SetupZyWALL USG 2000 User’s Guide90• Remote Access (Client Role) - Choose this to connect to an IPSec server. This ZyWALL is the clien
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide900 Table 261 Blocked Web Site LogsLOG MESSAGE DESCRIPTION%s :%s The rating server responded
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide901%s: Proxy mode is detectedThe system detected a proxy connection and blocked access accordi
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide902Black List checking has been activated.The anti-spam black list has been turned on.Black Lis
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide903Table 263 SSL VPN LogsLOG MESSAGE DESCRIPTION%s %s from %s has logged in SSLVPNA user has
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide904The %s address-object is wrong type for 'network' in SSL Policy %s.The listed addr
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide905%s %s is accessed. sent=<bytes> rcvd=<bytes>The listed SSL VPN access was used
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide906Table 264 L2TP Over IPSec LogsLOG MESSAGE DESCRIPTIONThe configuration of L2TP over IPSec
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide907The ZySH logs deal with internal system errors. Table 265 ZySH LogsLOG MESSAGE DESCRIPTIO
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide908Can't remove %s 1st:zysh list nameTable OPS%s: cannot retrieve entries from table!1st:z
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide909Table 266 ADP LogsLOG MESSAGE DESCRIPTIONfrom <zone> to <zone> [type=<type
Chapter 5 Quick SetupZyWALL USG 2000 User’s Guide91that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processi
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide910Table 267 Anti-Virus LogsLOG MESSAGE DESCRIPTIONInitializing Anti-Virus signature referenc
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide911AV signature update has failed. Can not update last update time.The anti-virus signatures u
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide912Anti-Virus rule %d has been modified.The anti-virus rule of the specified number has been ch
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide913Table 268 User LogsLOG MESSAGE DESCRIPTION%s %s from %s has logged in ZyWALLA user logged
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide914 Failed login attempt to ZyWALL from %s (login on a lockout address)A login attempt came fro
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide915Registration has failed. Because of lack must fields.The device received an incomplete resp
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide916Do device register. The device started device registration.Do trial service activation.The d
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide917Device has latest signature file; no need to updateThe device already has the latest versio
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide918Get server response has failed.The device sent packets to the server, but did not receive a
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide919Self signed certificate.Verification of a server’s certificate failed because it is self-si
Chapter 5 Quick SetupZyWALL USG 2000 User’s Guide925.5.6 VPN Advanced Wizard - Phase 2 Phase 2 in an IKE uses the SA that was established in phase 1
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide920Enable IDP engine succeeded.The device turned on the IDP engine.Disable IDP engine succeeded
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide921Add custom signature error: signature <sid> is over length.An attempt to add a custom
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide922from <zone> to <zone> [type=<type>] <message> , Action: <action&g
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide923Duplicate sid <sid> in import file at line <linenum>.The listed signature ID is
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide924Protocol %s has been enabled.The listed protocol has been turned on in the application patro
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide925 Table 272 IKE LogsLOG MESSAGE DESCRIPTIONPeer has not announced DPD capabilityThe remote
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide926[SA] : Tunnel [%s] Phase 1 invalid protocol%s is the tunnel name. When negotiating Phase-1,
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide927Could not dial manual key tunnel "%s"%s is the tunnel name. The manual key tunnel
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide928 VPN gateway %s was enabled%s is the gateway name. An administrator enabled the VPN gateway.
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide929 Get outbound transform failWhen outgoing packet need to be transformed, the engine cannot
Chapter 5 Quick SetupZyWALL USG 2000 User’s Guide93• Nailed-Up: This displays for the site-to-site and remote access client role scenarios. Select th
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide930 Firewall %s %s rule %d was %s.1st %s is from zone, 2nd %s is to zone, %d is the index of t
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide931 The policy route %d uses empty user group!Use an empty object group.%d: the policy route r
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide932HTTPS port has been changed to port %s.An administrator changed the port number for HTTPS.%s
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide933Console baud has been reset to %d.An administrator changed the console port baud rate back
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide934DNS access control rule %u has been moved to %d.An administrator moved the rule %u to index
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide935 Access control rule %u of %s was modified.An access control rule was modified successfully
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide936DHCP Server executed with cautious mode disabledDHCP Server executed with cautious mode disa
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide937Device is rebooted by administrator!An administrator restarted the device.Insufficient memo
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide938Update the profile %s has failed because the feature requested is only available to donators
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide939The profile %s has been paused because the HA interface of VRRP status was standby.The prof
Chapter 5 Quick SetupZyWALL USG 2000 User’s Guide945.5.8 VPN Advanced Wizard - Finish Now you can use the VPN tunnel.Figure 61 VPN Wizard: Step 6:
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide940 Table 279 Connectivity Check LogsLOG MESSAGE DESCRIPTIONCan't open link_up2 Cannot r
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide941 Can't use MULTICAST IP for destinationThe connectivity check process can't use m
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide942%s file not existed, Skip syncing it for %sThere is no file to be synchronized from the Mast
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide943Device HA authentication type for VRRP group %s maybe wrong.A VRRP group’s Authentication T
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide944 Table 281 Routing Protocol LogsLOG MESSAGE DESCRIPTIONRIP on interface %s has been stoppe
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide945RIP md5 authentication id and key have been deleted.RIP md5 authentication id and key have
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide946 Invalid OSPF virtual-link %s authentication of area %s.Virtual-link %s authentication has b
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide947 Register SIP ALG signal port=%d failed.SIP ALG apply signal port failed.%d: Port numberReg
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide948SCEP enrollment "%s" successfully, CA "%s", URL "%s"The device
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide949 Export X509 certificate "%s" from "Trusted Certificate" successfullyTh
ZyWALL USG 2000 User’s Guide95CHAPTER 6 Configuration BasicsThis information is provided to help you configure the ZyWALL effectively. Some of it is
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide950 25 Database method failed due to timeout.26 Database method failed.27 Path was not verified
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide951Interface %s is enabled.An administrator enabled an interface. %s: interface name.Interface
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide952Interface %s connect failed: MS-CHAP authentication failed.MS-CHAP authentication failed (th
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide953"SIM card has been successfully unlocked by PUK code on interface cellular%d.You enter
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide954 "Cellular device [%s %s] has been removed from %s.The cellular device (identified by
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide955 Table 287 Force Authentication LogsLOG MESSAGE DESCRIPTIONForce User Authentication
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide956 Table 289 DHCP LogsLOG MESSAGE DESCRIPTIONCan't find any lease for this client - %
Appendix A Log DescriptionsZyWALL USG 2000 User’s Guide957Table 291 IP-MAC Binding LogsLOG MESSAGE DESCRIPTIONDrop packet %s-%u.%u.%u.%u-%02X:%02X:
ZyWALL USG 2000 User’s Guide959APPENDIX B Common ServicesThe following table lists some commonly-used services and their associated protocols and por
Chapter 6 Configuration BasicsZyWALL USG 2000 User’s Guide96objects whenever the interface’s IP address settings change. For example, if you change an
Appendix B Common ServicesZyWALL USG 2000 User’s Guide960ESP (IPSEC_TUNNEL)User-Defined 50 The IPSEC ESP (Encapsulation Security Protocol) tunneling p
Appendix B Common ServicesZyWALL USG 2000 User’s Guide961PPTP TCP 1723 Point-to-Point Tunneling Protocol enables secure transfer of data over public
Appendix B Common ServicesZyWALL USG 2000 User’s Guide962TFTP UDP 69 Trivial File Transfer Protocol is an Internet file transfer protocol similar to F
ZyWALL USG 2000 User’s Guide963APPENDIX C Displaying Anti-Virus AlertMessages in WindowsWith the anti-virus packet scan, when a virus is detected, yo
Appendix C Displaying Anti-Virus Alert Messages in WindowsZyWALL USG 2000 User’s Guide9642 Select the Messenger service and click Start.Figure 581 W
Appendix C Displaying Anti-Virus Alert Messages in WindowsZyWALL USG 2000 User’s Guide9652 Select the Messenger service and click Start Service.Figur
Appendix C Displaying Anti-Virus Alert Messages in WindowsZyWALL USG 2000 User’s Guide9661 Right-click on the program task bar and click Properties. F
Appendix C Displaying Anti-Virus Alert Messages in WindowsZyWALL USG 2000 User’s Guide9674 Right-click in the StartUp pane and click New, Shortcut. F
Appendix C Displaying Anti-Virus Alert Messages in WindowsZyWALL USG 2000 User’s Guide9686 Specify a name for the shortcut or accept the default and c
ZyWALL USG 2000 User’s Guide969APPENDIX D Importing CertificatesThis appendix shows you how to import public key certificates into your web browser.
Chapter 6 Configuration BasicsZyWALL USG 2000 User’s Guide976.2.1 Interface Types There are many types of interfaces in the ZyWALL. In addition to b
Appendix D Importing CertificatesZyWALL USG 2000 User’s Guide9701 If your device’s Web Configurator is set to use SSL certification, then the first ti
Appendix D Importing CertificatesZyWALL USG 2000 User’s Guide9714 In the Certificate dialog box, click Install Certificate.Figure 594 Internet Expl
Appendix D Importing CertificatesZyWALL USG 2000 User’s Guide9726 If you want Internet Explorer to Automatically select certificate store based on the
Appendix D Importing CertificatesZyWALL USG 2000 User’s Guide9738 In the Select Certificate Store dialog box, choose a location in which to save the
Appendix D Importing CertificatesZyWALL USG 2000 User’s Guide97410 If you are presented with another Security Warning, click Yes.Figure 600 Internet
Appendix D Importing CertificatesZyWALL USG 2000 User’s Guide975Installing a Stand-Alone Certificate File in Internet ExplorerRather than browsing to
Appendix D Importing CertificatesZyWALL USG 2000 User’s Guide9761 Open Internet Explorer and click Tools > Internet Options.Figure 605 Internet E
Appendix D Importing CertificatesZyWALL USG 2000 User’s Guide9773 In the Certificates dialog box, click the Trusted Root Certificates Authorities tab
Appendix D Importing CertificatesZyWALL USG 2000 User’s Guide9786 The next time you go to the web site that issued the public key certificate you just
Appendix D Importing CertificatesZyWALL USG 2000 User’s Guide9793 The certificate is stored and you can now connect securely to the Web Configurator.
Chapter 6 Configuration BasicsZyWALL USG 2000 User’s Guide986.2.2 Default Interface and Zone ConfigurationThis section introduces the ZyWALL’s defaul
Appendix D Importing CertificatesZyWALL USG 2000 User’s Guide9801 Open Firefox and click Tools > Options.Figure 612 Firefox 2: Tools Menu2 In the
Appendix D Importing CertificatesZyWALL USG 2000 User’s Guide9813 In the Certificate Manager dialog box, click Web Sites > Import.Figure 614 Fi
Appendix D Importing CertificatesZyWALL USG 2000 User’s Guide982Removing a Certificate in FirefoxThis section shows you how to remove a public key cer
Appendix D Importing CertificatesZyWALL USG 2000 User’s Guide9833 In the Certificate Manager dialog box, select the Web Sites tab, select the certifi
Appendix D Importing CertificatesZyWALL USG 2000 User’s Guide9841 If your device’s Web Configurator is set to use SSL certification, then the first ti
Appendix D Importing CertificatesZyWALL USG 2000 User’s Guide985Installing a Stand-Alone Certificate File in OperaRather than browsing to a ZyXEL Web
Appendix D Importing CertificatesZyWALL USG 2000 User’s Guide9862 In Preferences, click Advanced > Security > Manage certificates.Figure 623 O
Appendix D Importing CertificatesZyWALL USG 2000 User’s Guide9873 In the Certificates Manager, click Authorities > Import.Figure 624 Opera 9: C
Appendix D Importing CertificatesZyWALL USG 2000 User’s Guide9885 In the Install authority certificate dialog box, click Install.Figure 626 Opera 9
Appendix D Importing CertificatesZyWALL USG 2000 User’s Guide9891 Open Opera and click Tools > Preferences.Figure 628 Opera 9: Tools Menu2 In Pr
Chapter 6 Configuration BasicsZyWALL USG 2000 User’s Guide99• The DMZ zone contains the ge4, ge5, and ge6 interfaces (physical ports P4, P5, and P6).
Appendix D Importing CertificatesZyWALL USG 2000 User’s Guide9903 In the Certificates manager, select the Authorities tab, select the certificate that
Appendix D Importing CertificatesZyWALL USG 2000 User’s Guide9912 Click Continue.Figure 631 Konqueror 3.5: Server Authentication3 Click Forever whe
Appendix D Importing CertificatesZyWALL USG 2000 User’s Guide992Installing a Stand-Alone Certificate File in KonquerorRather than browsing to a ZyXEL
Appendix D Importing CertificatesZyWALL USG 2000 User’s Guide9933 The next time you visit the web site, click the padlock in the address bar to open
Appendix D Importing CertificatesZyWALL USG 2000 User’s Guide9944 The next time you go to the web site that issued the public key certificate you just
ZyWALL USG 2000 User’s Guide995APPENDIX E Open Software AnnouncementsEnd-User License Agreement for “ZyWALL USG 2000” WARNING: ZyXEL Communications
Appendix E Open Software AnnouncementsZyWALL USG 2000 User’s Guide996You may not remove any proprietary notice of ZyXEL or any of its licensors from a
Appendix E Open Software AnnouncementsZyWALL USG 2000 User’s Guide9976.No WarrantyTHE SOFTWARE IS PROVIDED "AS IS." TO THE MAXIMUM EXTENT
Appendix E Open Software AnnouncementsZyWALL USG 2000 User’s Guide9989.Audit RightsZyXEL SHALL HAVE THE RIGHT, AT ITS OWN EXPENSE, UPON REASONABLE PRI
Appendix E Open Software AnnouncementsZyWALL USG 2000 User’s Guide999bridge-utils 0.9.5. http://linux-net.osdl.org/index.php/Bridgedhcpcd-1.3.22-pl4