ZyXEL Communications 91-009-073003B manual



A good user manual

The rules should oblige the seller to give the purchaser an operating instruction for the ZyXEL Communications 91-009-073003B along with the item. The lack of an instruction, or false information given to the customer, constitutes grounds for a complaint on the basis of nonconformity of the goods with the contract. In accordance with the law, a customer can receive an instruction in non-paper form; lately graphic and electronic forms of manuals, as well as instructional videos, have been widely used. A necessary precondition for this is that the instruction be unmistakable and legible.

What is an instruction?

The term originates from the Latin word „instructio”, which means organizing. Therefore, in an instruction for the ZyXEL Communications 91-009-073003B one can find a process description. An instruction's purpose is to teach, to ease the start-up and use of an item, or the performance of certain activities. An instruction is a compilation of information about an item or a service; it is a guide.

Unfortunately, only a few customers devote their time to reading the instruction for the ZyXEL Communications 91-009-073003B. A good user manual introduces us to a number of additional functions of the purchased item and also helps us avoid most defects.

What should a perfect user manual contain?

First and foremost, a user manual for the ZyXEL Communications 91-009-073003B should contain:
- information concerning the technical data of the ZyXEL Communications 91-009-073003B
- the name of the manufacturer and the year of construction of the ZyXEL Communications 91-009-073003B
- rules of operation, control and maintenance of the ZyXEL Communications 91-009-073003B
- safety signs and certification marks that confirm compliance with the appropriate standards

Why don't we read the manuals?

Usually it results from a lack of time and of certainty about the functions of purchased items. Unfortunately, networking and starting up the ZyXEL Communications 91-009-073003B alone are not enough. An instruction contains a number of hints concerning the respective functions, safety rules, maintenance methods (which means should be used), possible defects of the ZyXEL Communications 91-009-073003B, and methods of problem resolution. Eventually, when one still cannot find the answer to a problem, one will be directed to ZyXEL Communications service. Lately animated manuals and instructional videos have become quite popular among customers. These kinds of user manuals are effective; they ensure that a customer will familiarize himself with the whole material and will not skip the complicated, technical information about the ZyXEL Communications 91-009-073003B.

Why one should read the manuals?

It is mostly in the manuals that we find the details concerning the construction and capabilities of the ZyXEL Communications 91-009-073003B, its use with the respective accessories, and information about all its functions and facilities.

After a successful purchase of an item, one should find a moment to get to know every part of the instruction. Currently, manuals are carefully prepared and translated so that they can be fully understood by their users. The manuals will serve as an informational aid.

Table of contents for the manual

  • Page 1

    www.zyxel.com ZyWALL USG 50 Unified Security Gateway Copyright © 2010 ZyXEL Communications Corporation Version 2.21 Edition 2, 11/2010 Default Login Details LAN Port P3, P4 IP Address https://192.168.1.1 User Name admin Password 1234[...]

  • Page 2

    [...]

  • Page 3

    About This User's Guide ZyWALL USG 50 User's Guide 3 About This User's Guide Intended Audience This manual is intended for people who want to configure the ZyWALL using the Web Configurator. How To Use This Guide • Read Chapter 1 on page 31 for an overview of features available on the ZyWALL. • Read Cha[...]

  • Page 4

    About This User's Guide ZyWALL USG 50 User's Guide 4 • Web Configurator Online Help Click the help icon in any screen for help in configuring that screen and supplementary information. • ZyXEL Web Site Please refer to www.zyxel.com for additional support documentation and product certifications. User Guide Feedback Help us help yo[...]

  • Page 5

    About This User's Guide ZyWALL USG 50 User's Guide 5 • Forum This contains discussions on ZyXEL products. Learn from others who use ZyXEL products and share your experiences as well. Customer Support Should problems arise that cannot be solved by the methods listed above, you should contact your vendor. If you cannot contac[...]

  • Page 6

    Document Conventions ZyWALL USG 50 User's Guide 6 Document Conventions Warnings and Notes These are how warnings and notes are shown in this User's Guide. Warnings tell you about things that could harm you or your device. Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips)[...]

  • Page 7

    Document Conventions ZyWALL USG 50 User's Guide 7 Icons Used in Figures Figures in this User's Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. ZyWALL Computer Notebook computer Server Firewall Telephone Switch Router[...]

  • Page 8

    Safety Warnings ZyWALL USG 50 User's Guide 8 Safety Warnings • Do NOT use this product near water, for example, in a wet basement or near a swimming pool. • Do NOT expose your device to dampness, dust or corrosive liquids. • Do NOT store things on the device. • Do NOT install, use, or service this device during a thunderstorm. There[...]

  • Page 9

    Contents Overview ZyWALL USG 50 User's Guide 9 Contents Overview User's Guide ... 29 Introducing the ZyWALL ... [...]

  • Page 10

    Contents Overview ZyWALL USG 50 User's Guide 10 Addresses ... 599 Services ... [...]

  • Page 11

    Table of Contents ZyWALL USG 50 User's Guide 11 Table of Contents About This User's Guide ... 3 Document Conventions ... 6 Safety War[...]

  • Page 12

    Table of Contents ZyWALL USG 50 User's Guide 12 3.3.3 Main Window ... 52 3.3.4 Tables and Lists ... [...]

  • Page 13

    Table of Contents ZyWALL USG 50 User's Guide 13 6.4 Packet Flow ... 91 6.4.1 Routing Table Checking Flow ... 92 6.4.2 NA[...]

  • Page 14

    Table of Contents ZyWALL USG 50 User's Guide 14 7.3 How to Configure Load Balancing ... 115 7.3.1 Set Up Available Bandwidth on Ethernet Interfaces ... 115 7.3.2 Configure the WAN Trunk ... [...]

  • Page 15

    Table of Contents ZyWALL USG 50 User's Guide 15 8.1 Overview ... 157 8.1.1 What You Can Do in this Chapter ... 157 8.2 The[...]

  • Page 16

    Table of Contents ZyWALL USG 50 User's Guide 16 10.1.1 What You Can Do in this Chapter ... 209 10.1.2 What You Need to Know ... 209 10.2 The Registration Screen ... [...]

  • Page 17

    Table of Contents ZyWALL USG 50 User's Guide 17 13.2.1 Policy Route Edit Screen ... 287 13.3 IP Static Route Screen ... 291 13.3.1 Static Route Add/Edi[...]

  • Page 18

    Table of Contents ZyWALL USG 50 User's Guide 18 18.1 Overview ... 331 18.1.1 What You Can Do in this Chapter ... 331 18.1.2 What You Need to [...]

  • Page 19

    Table of Contents ZyWALL USG 50 User's Guide 19 22.3 The Session Limit Screen ... 370 22.3.1 The Session Limit Add/Edit Screen ... 372 Chapter 23 IPSec VPN ... [...]

  • Page 20

    Table of Contents ZyWALL USG 50 User's Guide 20 27.1 The ZyWALL SecuExtender Icon ... 433 27.2 Statistics ... 434 27.3 View Log ... [...]

  • Page 21

    Table of Contents ZyWALL USG 50 User's Guide 21 30.4 The Profile Summary Screen ... 485 30.5 Creating New Profiles ... 486 30.5.1 Procedure To Cre[...]

  • Page 22

    Table of Contents ZyWALL USG 50 User's Guide 22 32.4 Content Filter Profile Screen ... 540 32.5 Content Filter Categories Screen ... 540 32.5.1 Content Filter Blocked an[...]

  • Page 23

    Table of Contents ZyWALL USG 50 User's Guide 23 36.1.1 What You Can Do in this Chapter ... 599 36.1.2 What You Need To Know ... 599 36.2 Address Summary Screen ... [...]

  • Page 24

    Table of Contents ZyWALL USG 50 User's Guide 24 40.1.2 Before You Begin ... 627 40.1.3 Example: Selecting a VPN Authentication Method ... 627 40.2 Authentication Method Objects ... [...]

  • Page 25

    Table of Contents ZyWALL USG 50 User's Guide 25 Chapter 45 System ... 675 45.1 Overview ... [...]

  • Page 26

    Table of Contents ZyWALL USG 50 User's Guide 26 45.11.1 Configuring Vantage CNM ... 720 45.12 Language Screen ... 722 Chapter 46 Log and R[...]

  • Page 27

    Table of Contents ZyWALL USG 50 User's Guide 27 Chapter 51 Troubleshooting ... 759 51.1 Resetting the ZyWALL ... 773 51.2 Gettin[...]

  • Page 28

    Table of Contents ZyWALL USG 50 User’s Guide 28[...]

  • Page 29

    29 PART I User's Guide[...]

  • Page 30

    30[...]

  • Page 31

    ZyWALL USG 50 User's Guide 31 CHAPTER 1 Introducing the ZyWALL This chapter gives an overview of the ZyWALL. It explains the front panel ports, LEDs, introduces the management methods, and lists different ways to start or stop the ZyWALL. 1.1 Overview and Key Default Settings The ZyWALL is a comprehensive security device. Its flexible co[...]

  • Page 32

    Chapter 1 Introducing the ZyWALL ZyWALL USG 50 User's Guide 32 1.2 Rack-mounted Installation The ZyWALL can be mounted on an EIA standard size, 19-inch rack or in a wiring closet with other equipment. Follow the steps below to mount your ZyWALL on a standard EIA rack using a rack-mounting kit. Make sure the rack will safely support the c[...]

  • Page 33

    Chapter 1 Introducing the ZyWALL ZyWALL USG 50 User's Guide 33 3 After attaching both mounting brackets, position the ZyWALL in the rack by lining up the holes in the brackets with the appropriate holes on the rack. Secure the ZyWALL to the rack with the rack-mounting screws. Figure 2 Rack Mounting 1.3 Front Panel This section introduce[...]

  • Page 34

    Chapter 1 Introducing the ZyWALL ZyWALL USG 50 User's Guide 34 1.4 Management Overview You can use the following ways to manage the ZyWALL. Web Configurator The Web Configurator allows easy ZyWALL setup and management using an Internet browser. This User's Guide provides information about the Web Configurator. Figure 4 Managing the Z[...]

  • Page 35

    Chapter 1 Introducing the ZyWALL ZyWALL USG 50 User's Guide 35 Console Port You can use the console port to manage the ZyWALL using CLI commands. See the Command Reference Guide for more information about the CLI. The default settings for the console port are as follows. 1.5 Starting and Stopping the ZyWALL Here are some of the ways to s[...]

  • Page 36

    Chapter 1 Introducing the ZyWALL ZyWALL USG 50 User's Guide 36 The ZyWALL does not stop or start the system processes when you apply configuration files or run shell scripts, although you may temporarily lose access to network resources.[...]

  • Page 37

    ZyWALL USG 50 User's Guide 37 CHAPTER 2 Features and Applications This chapter introduces the main features and applications of the ZyWALL. 2.1 Features The ZyWALL's security features include VPN, firewall, anti-virus, content filtering, IDP (Intrusion Detection and Prevention), ADP (Anomaly Detection and Protection), and certificates. [...]

  • Page 38

    Chapter 2 Features and Applications ZyWALL USG 50 User's Guide 38 Firewall The ZyWALL's firewall is a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It can also inspect sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in an[...]

  • Page 39

    Chapter 2 Features and Applications ZyWALL USG 50 User's Guide 39 Anti-Virus Scanner With the anti-virus packet scanner, your ZyWALL scans files transmitting through the enabled interfaces into the network. The ZyWALL helps stop threats at the network edge before they reach the local host computers. Anti-Spam The anti-spam feature can ma[...]

  • Page 40

    Chapter 2 Features and Applications ZyWALL USG 50 User's Guide 40 2.2.1 VPN Connectivity Set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to provide secure access to your network. You can also set up additional connections to the Internet to provide better service. Figure 5 Applications: VPN Co[...]

  • Page 41

    Chapter 2 Features and Applications ZyWALL USG 50 User's Guide 41 2.2.2.1 Full Tunnel Mode In full tunnel mode, a virtual connection is created for remote users with private IP addresses in the same subnet as the local network. This allows them to access network resources in the same way as if they were part of the internal network. Figure[...]

  • Page 42

    Chapter 2 Features and Applications ZyWALL USG 50 User's Guide 42 2.2.3 User-Aware Access Control Set up security policies that restrict access to sensitive information and shared resources based on the user who is trying to access it. Figure 7 Applications: User-Aware Access Control 2.2.4 Multiple WAN Interfaces Set up multiple connections [...]

  • Page 43

    ZyWALL USG 50 User's Guide 43 CHAPTER 3 Web Configurator The ZyWALL Web Configurator allows easy ZyWALL setup and management using an Internet browser. 3.1 Web Configurator Requirements In order to use the Web Configurator, you must • Use Internet Explorer 7 or later, or Firefox 1.5 or later • Allow pop-up windows (blocked by [...]

  • Page 44

    Chapter 3 Web Configurator ZyWALL USG 50 User's Guide 44 2 Open your web browser, and go to http://192.168.1.1. By default, the ZyWALL automatically routes this request to its HTTPS server, and it is recommended to keep this setting. The Login screen appears. Figure 9 Login Screen 3 Type the user name (default: "admin") and pass[...]

  • Page 45

    Chapter 3 Web Configurator ZyWALL USG 50 User's Guide 45 5 The screen above appears every time you log in using the default user name and default password. If you change the password for the default user account, this screen does not appear anymore. Follow the directions in this screen. If you change the default password, the Login screen (F[...]

  • Page 46

    Chapter 3 Web Configurator ZyWALL USG 50 User's Guide 46 The icons provide the following functions. 3.3.1.1 About Click this to display basic information about the ZyWALL. Figure 13 Title Bar The following table describes labels that can appear in this screen. Table 4 Title Bar: Web Configurator Icons LABEL DESCRIPTION Logout Click[...]

  • Page 47

    Chapter 3 Web Configurator ZyWALL USG 50 User's Guide 47 3.3.2 Navigation Panel Use the menu items on the navigation panel to open screens to configure ZyWALL features. Click the arrow in the middle of the right edge of the navigation panel to hide the navigation panel menus or drag it to resize them. The following sections introduce the Zy[...]

  • Page 48

    Chapter 3 Web Configurator ZyWALL USG 50 User's Guide 48 3.3.2.3 Configuration Menu Use the configuration menu screens to configure the ZyWALL's features. AppPatrol Statistics Displays bandwidth and protocol statistics. VPN Monitor IPSec Displays and manages the active IPSec SAs. SSL Lists users currently logged into the VPN SSL client [...]

  • Page 49

    Chapter 3 Web Configurator ZyWALL USG 50 User's Guide 49 Interface Port Role Use this screen to set the ZyWALL's flexible ports as LAN1 or DMZ. Ethernet Manage Ethernet interfaces and virtual Ethernet interfaces. PPP Create and manage PPPoE and PPTP interfaces. Cellular Configure a cellular Internet connection for an installed 3G card. VLA[...]

  • Page 50

    Chapter 3 Web Configurator ZyWALL USG 50 User's Guide 50 AppPatrol General Enable or disable traffic management by application and see registration and signature information. Common Manage traffic of the most commonly used web, file transfer and e-mail protocols. IM Manage instant messenger traffic. Peer to Peer Manage peer-to-peer traf[...]

  • Page 51

    Chapter 3 Web Configurator ZyWALL USG 50 User's Guide 51 Service Service Create and manage TCP and UDP services. Service Group Create and manage groups of services. Schedule Create one-time and recurring schedules. AAA Server Active Directory-Default Configure the default Active Directory settings. Active Directory-Group Create and manage g[...]

  • Page 52

    Chapter 3 Web Configurator ZyWALL USG 50 User's Guide 52 3.3.2.4 Maintenance Menu Use the maintenance menu screens to manage configuration and firmware files, run diagnostics, and reboot or shut down the ZyWALL. 3.3.3 Main Window The main window shows the screen you select in the navigation panel. The main window screens are discussed [...]

  • Page 53

    Chapter 3 Web Configurator ZyWALL USG 50 User's Guide 53 3.3.3.2 Site Map Click Site MAP to see an overview of links to the Web Configurator screens. Click a screen's link to go to that screen. Figure 16 Site Map 3.3.3.3 Object Reference Click Object Reference to open the Object Reference screen. Select the type of object and the individual[...]

  • Page 54

    Chapter 3 Web Configurator ZyWALL USG 50 User's Guide 54 The fields vary with the type of object. The following table describes labels that can appear in this screen. 3.3.3.4 CLI Messages Click CLI to look at the CLI commands sent by the Web Configurator. These commands appear in a popup window, such as the following. Figure 18 CLI Mess[...]

  • Page 55

    Chapter 3 Web Configurator ZyWALL USG 50 User's Guide 55 3.3.4.1 Manipulating Table Display Here are some of the ways you can manipulate the Web Configurator tables. 1 Click a column heading to sort the table's entries according to that column's criteria. Figure 19 Sorting Table Entries by a Column's Criteria 2 Click the down arrow n[...]

  • Page 56

    Chapter 3 Web Configurator ZyWALL USG 50 User's Guide 56 3 Select a column heading cell's right border and drag to re-size the column. Figure 21 Resizing a Table Column 4 Select a column heading and drag and drop it to change the column order. A green check mark displays next to the column's title when you drag the column to a va[...]

  • Page 57

    Chapter 3 Web Configurator ZyWALL USG 50 User's Guide 57 3.3.4.2 Working with Table Entries The tables have icons for working with table entries. A sample is shown next. You can often use the [Shift] or [Ctrl] key to select multiple entries to remove, activate, or deactivate. Figure 24 Common Table Icons Here are descriptions fo[...]

  • Page 58

    Chapter 3 Web Configurator ZyWALL USG 50 User's Guide 58 you can also use the [Shift] or [Ctrl] key to select multiple entries, and then use the arrow button to move them to the other list. Figure 25 Working with Lists[...]

  • Page 59

    ZyWALL USG 50 User's Guide 59 CHAPTER 4 Installation Setup Wizard 4.1 Installation Setup Wizard Screens If you log into the Web Configurator when the ZyWALL is using its default configuration, the first Installation Setup Wizard screen displays. This wizard helps you configure Internet connection settings and activate subscription service[...]

  • Page 60

    Chapter 4 Installation Setup Wizard ZyWALL USG 50 User's Guide 60 The screens vary depending on the encapsulation type. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don't have that information. Note: Enter the Internet access information exactly as your ISP gave it to you. Fi[...]

  • Page 61

    Chapter 4 Installation Setup Wizard ZyWALL USG 50 User's Guide 61 Note: Enter the Internet access information exactly as given to you by your ISP. Figure 28 Internet Access: Ethernet Encapsulation • Encapsulation: This displays the type of Internet connection you are configuring. • First WAN Interface: This is the number of the interfa[...]

  • Page 62

    Chapter 4 Installation Setup Wizard ZyWALL USG 50 User's Guide 62 4.1.3 Internet Access: PPPoE Note: Enter the Internet access information exactly as given to you by your ISP. Figure 29 Internet Access: PPPoE Encapsulation 4.1.3.1 ISP Parameters • Type the PPPoE Service Name from your service provider. PPPoE uses a service name to id[...]

  • Page 63

    Chapter 4 Installation Setup Wizard ZyWALL USG 50 User's Guide 63 4.1.3.2 WAN IP Address Assignments • WAN Interface: This is the name of the interface that will connect with your ISP. • Zone: This is the security zone to which this interface and Internet connection will belong. • IP Address: Enter your (static) public IP a[...]

  • Page 64

    Chapter 4 Installation Setup Wizard ZyWALL USG 50 User's Guide 64 4.1.5 ISP Parameters • Authentication Type - Select an authentication protocol for outgoing calls. Options are: • CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by the remote node. • CHAP - Your ZyWALL accepts CHAP only. • PAP - Your ZyWALL a[...]

  • Page 65

    Chapter 4 Installation Setup Wizard ZyWALL USG 50 User's Guide 65 4.1.6 Internet Access Setup - Second WAN Interface If you selected I have two ISPs, after you configure the First WAN Interface, you can configure the Second WAN Interface. The screens for configuring the second WAN interface are similar to the first (see Section 4.1.1 on [...]

  • Page 66

    Chapter 4 Installation Setup Wizard ZyWALL USG 50 User's Guide 66 4.1.7 Internet Access - Finish You have set up your ZyWALL to access the Internet. After configuring the WAN interface(s), a screen displays with your settings. If they are not correct, click Back. Figure 32 Internet Access: Ethernet Encapsulation Note: If you have not al[...]

  • Page 67

    Chapter 4 Installation Setup Wizard ZyWALL USG 50 User's Guide 67 Use the Registration > Service screen to update your service subscription status. Registration • Select new myZyXEL.com account if you haven't created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your[...]

  • Page 68

    Chapter 4 Installation Setup Wizard ZyWALL USG 50 User's Guide 68 • Trial Service Activation: You can try a trial service subscription. The trial period starts the day you activate the trial. After the trial expires, you can buy an iCard and enter the license key in the Registration > Service screen to extend the service. Figure 33 Reg[...]

  • Page 69

    ZyWALL USG 50 User's Guide 69 CHAPTER 5 Quick Setup 5.1 Quick Setup Overview The Web Configurator's quick setup wizards help you configure Internet and VPN connection settings. This chapter provides information on configuring the quick setup screens in the Web Configurator. See the feature-specific chapters in this User's Gui[...]

  • Page 70

    Chapter 5 Quick Setup ZyWALL USG 50 User's Guide 70 5.2 WAN Interface Quick Setup Click WAN Interface in the main Quick Setup screen to open the WAN Interface Quick Setup Wizard Welcome screen. Use these screens to configure an interface to connect to the Internet. Click Next. Figure 35 WAN Interface Quick Setup Wizard 5.2.1 Choose an Etherne[...]

  • Page 71

    Chapter 5 Quick Setup ZyWALL USG 50 User's Guide 71 Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your ISP. Figure 37 WAN Interface Setup: Step 2 The screens vary depending on what encapsulation type you use. Refer to information provided by your ISP to know what t[...]

  • Page 72

    Chapter 5 Quick Setup ZyWALL USG 50 User's Guide 72 • IP Address Assignment: Select Auto if your ISP did not assign you a fixed IP address. Select Static if the ISP assigned a fixed IP address. 5.2.4 WAN and ISP Connection Settings Use this screen to configure the ISP and WAN interface settings. This screen is read-only if you set the IP A[...]

  • Page 73

    Chapter 5 Quick Setup ZyWALL USG 50 User's Guide 73 Authentication Type Use the drop-down list box to select an authentication protocol for outgoing calls. Options are: CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by this remote node. CHAP - Your ZyWALL accepts CHAP only. PAP - Your ZyWALL accepts PAP only. MSCHA[...]

  • Page 74

    5.2.5 Quick Setup Interface Wizard: Summary This screen displays the WAN interface’s settings. Figure 40 Interface Wizard: Summary WAN (PPTP Shown) The following table describes the labels in this screen. First DNS Server Second DNS Server These fields only display for an interface with [...]

  • Page 75

    5.3 VPN Quick Setup Click VPN Setup in the main Quick Setup screen to open the VPN Setup Wizard Welcome screen. The VPN wizard creates corresponding VPN connection and VPN gateway settings and address objects that you can use later in configuring more VPN connections or other features. Click[...]

  • Page 76

    5.4 VPN Setup Wizard: Wizard Type A VPN (Virtual Private Network) tunnel is a secure connection to another computer or network. Use this screen to select which type of VPN connection you want to configure. Figure 42 VPN Setup Wizard: Wizard Type Express: Use this wizard to create a VPN co[...]

  • Page 77

    5.5 VPN Express Wizard - Scenario Click the Express radio button as shown in Figure 42 on page 76 to display the following screen. Figure 43 VPN Express Wizard: Step 2 Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characte[...]

  • Page 78

    5.5.1 VPN Express Wizard - Configuration Figure 44 VPN Express Wizard: Step 3 • Secure Gateway: If Any displays in this field, it is not configurable for the chosen scenario. If this field is configurable, enter the WAN IP address or domain name of the remote IPSec device (secure gatew[...]

  • Page 79

    5.5.2 VPN Express Wizard - Summary This screen provides a read-only summary of the VPN tunnel’s configuration and also commands that you can copy and paste into another ZLD-based ZyWALL’s command line interface to configure it. Figure 45 VPN Express Wizard: Step 4 • Rule Name: Identif[...]

  • Page 80

    5.5.3 VPN Express Wizard - Finish Now you can use the VPN tunnel. Figure 46 VPN Express Wizard: Step 6 Note: If you have not already done so, use the myZyXEL.com link and register your ZyWALL with myZyXEL.com and activate trials of services like Content Filter. Click Close to exit the wiz[...]

  • Page 81

    5.5.4 VPN Advanced Wizard - Scenario Click the Advanced radio button as shown in Figure 42 on page 76 to display the following screen. Figure 47 VPN Advanced Wizard: Scenario Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric [...]

  • Page 82

    • Remote Access (Client Role) - Choose this to connect to an IPSec server. This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel. 5.5.5 VPN Advanced Wizard - Phase 1 Settings There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentica[...]

  • Page 83

    that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. AES128 uses a 128-bit key and is faster than 3DES. AES192 uses a 192-bit key and AES256 uses a 256-bit key. • Authenticat[...]

  • Page 84

    5.5.6 VPN Advanced Wizard - Phase 2 Phase 2 in an IKE uses the SA that was established in phase 1 to negotiate SAs for IPSec. Figure 49 VPN Advanced Wizard: Step 4 • Active Protocol: ESP is compatible with NAT, AH is not. • Encapsulation: Tunnel is compatible with NAT, Transport[...]

  • Page 85

    5.5.7 VPN Advanced Wizard - Summary This is a read-only summary of the VPN tunnel settings. Figure 50 VPN Advanced Wizard: Step 5 • Rule Name: Identifies the VPN connection (and the VPN gateway). • Secure Gateway: IP address or domain name of the remote IPSec device. • Pre-Shared Key:[...]

  • Page 86

    5.5.8 VPN Advanced Wizard - Finish Now you can use the VPN tunnel. Figure 51 VPN Wizard: Step 6: Advanced Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like Content Filter. Click Close to exit the wizard.[...]

  • Page 87

    CHAPTER 6 Configuration Basics This information is provided to help you configure the ZyWALL effectively. Some of it is helpful when you are just getting started. Some of it is provided for your reference when you configure various features in the ZyWALL. • Section 6.1 on page 87 introduces the ZyW[...]

  • Page 88

    change an Ethernet interface’s IP address, the ZyWALL automatically updates the rules or settings that use the interface-based, LAN subnet address object. You can use the Configuration > Objects screens to create objects before you configure features that use them. If[...]

  • Page 89

    6.2.1 Interface Types There are many types of interfaces in the ZyWALL. In addition to being used in various features, interfaces also describe the network that is directly connected to the ZyWALL. • Ethernet interfaces are the foundation for defining other interfaces a[...]

  • Page 90

    Table 14 Default Network Topology ZyWALL USG 50 Default Port, Interface, and Zone Configuration • The WAN zone contains the wan1 and wan2 interfaces (physical ports P1 and P2). They use public IP addresses to connect to the Internet. • The LAN1 zone contains the lan1 in[...]

  • Page 91

    6.3 Terminology in the ZyWALL This section highlights some terminology or organization for ZLD-based ZyWALLs. 6.4 Packet Flow Here is the order in which the ZyWALL applies its features and checks. Traffic in > Defragmentation > ALG > Destination NAT > Routing >[...]

  • Page 92

    Packet Flow The packet flow is as follows: • Automatic SNAT and WAN trunk routing for traffic going from internal to external interfaces (you don’t need to configure anything to allow LAN to WAN traffic). The ZyWALL automatically adds all of the external interfaces to the[...]

  • Page 93

    of the sections, the ZyWALL stops checking the packets against the routing table and moves on to the other checks, for example the firewall check. Figure 53 Routing Table Checking Flow 1 Direct-connected Subnets: The ZyWALL first checks to see if the packets are destined for an[...]

  • Page 94

    4 Auto VPN Policy: The ZyWALL automatically creates these routing entries for the VPN rules. Disabling the IPSec VPN feature’s Use Policy Route to control dynamic IPSec rules option moves the routes for dynamic IPSec rules up above the policy routes (see Section 23.2 on pag[...]

  • Page 95

    4 SNAT is also now performed by default and included in the NAT table. 6.5 Feature Configuration Overview This section provides information about configuring the main features in the ZyWALL. The features are listed in the same sequence as the menu item(s) in the Web Configura[...]

  • Page 96

    6.5.2 Licensing Registration Use these screens to register your ZyWALL and subscribe to services like anti-virus, IDP and application patrol, more SSL VPN tunnels, and content filtering. You must have Internet access to myZyXEL.com. 6.5.3 Licensing Update Use these screen[...]

  • Page 97

    6.5.5 Trunks Use trunks to set up load balancing using two or more interfaces. Example: See Chapter 7 on page 109. 6.5.6 Policy Routes Use policy routes to override the ZyWALL’s default routing behavior in order to send packets through the appropriate interface or VPN tunne[...]

  • Page 98

    8 For the Next Hop fields, select Interface as the Type if you have a single WAN connection or Trunk if you have multiple WAN connections. 9 Select the interface that you are using for your WAN connection (wan1 and wan2 are the default WAN interfaces). If you have multip[...]

  • Page 99

    6.5.9 DDNS Dynamic DNS maps a domain name to a dynamic IP address. The ZyWALL helps maintain this mapping. 6.5.10 NAT Use Network Address Translation (NAT) to make computers on a private network behind the ZyWALL available outside the private network. The ZyWALL only checks[...]

  • Page 100

    The ZyWALL does not check to-ZyWALL firewall rules for packets that are redirected by HTTP redirect. It does check regular (through-ZyWALL) firewall rules. Example: Suppose you want HTTP requests from your LAN to go to an HTTP proxy server at IP address 192.168.3.80. 1 C[...]

  • Page 101

    6.5.14 Firewall The firewall controls the travel of traffic between or within zones. You can also configure the firewall to control traffic for NAT (DNAT) and policy routes (SNAT). You can configure firewall rules based on schedules, specific users (or user groups), source [...]

  • Page 102

    6.5.15 IPSec VPN Use IPSec VPN to provide secure communication between two sites over the Internet or any insecure network that uses TCP/IP for communication. The ZyWALL also offers hub-and-spoke VPN. Example: See Chapter 7 on page 109. 6.5.16 SSL VPN Use SSL VPN to give r[...]

  • Page 103

    2 Click AppPatrol > Peer to Peer to go to the application patrol configuration screen. Click the BitTorrent application patrol entry’s Edit icon. • Set the default policy’s access to Drop. • Add another policy. • Select the user account that you created for Bob.[...]

  • Page 104

    6.5.21 Content Filter Use content filtering to block or allow access to specific categories of web site content, individual web sites and web features (such as cookies). You can define which user accounts (or groups) can access what content and at what times. You must have [...]

  • Page 105

    6.6 Objects Objects store information and are referenced by other features. If you update this information in response to changes, the ZyWALL automatically propagates the change through the features that use the object. Move your cursor over a configuration object tha[...]

  • Page 106

    6.6.1 User/Group Use these screens to configure the ZyWALL’s administrator and user accounts. The ZyWALL provides the following user types. If you want to force users to log in to the ZyWALL before the ZyWALL routes traffic for them, you might have to configure prerequis[...]

  • Page 107

    Example: Suppose you want to allow an administrator to use HTTPS to manage the ZyWALL from the WAN. 1 Create an administrator account (Configuration > Object > User/Group). 2 Create an address object for the administrator’s computer (Configuration > Object >[...]

  • Page 108

    6.7.4 Diagnostics The ZyWALL can generate a file containing the ZyWALL’s configuration and diagnostic information. It can also capture packets going through the ZyWALL’s interfaces so you can analyze them to identify network problems. 6.7.5 Shutdown Use this to shutd[...]

  • Page 109

    CHAPTER 7 Tutorials Here are examples of using the Web Configurator to set up features in the ZyWALL. Note: The tutorials featured here require a basic understanding of connecting to and using the Web Configurator, see Chapter 3 on page 43 for details. For field descriptions of indivi[...]

  • Page 110

    • Convert P5 (lan2) into a dmz interface. This dmz interface is used for a protected local network. It uses IP address 192.168.4.1 and has a DHCP server. Add it to the LAN zone so all of the LAN zone’s security policies apply to it. Figure 55 Ethernet Interface, Port Roles, and Zo[...]

  • Page 111

    Click Configuration > Network > Interface > Ethernet and double-click the wan1 interface’s entry. Select Use Fixed IP Address and configure the IP address, subnet mask, and default gateway settings and click OK. Figure 56 Configuration > Network > Interface > Ethernet &[...]

  • Page 112

    1 Click Configuration > Network > Interface > Ethernet and double-click the lan2 interface’s entry. The Interface Type should be internal. Set the IP Address to 192.168.4.1 and the Subnet Mask to 255.255.255.0. Set DHCP to DHCP Server and click OK. Figure 58 Configuration >[...]

  • Page 113

    2 Enter VPN as the name, select WIZ_VPN_Connection and move it to the Member box and click OK. Figure 59 Configuration > Network > Zone > WAN Edit 7.2 How to Configure a Cellular Interface Use 3G cards for cellular WAN (Internet) connections. Table 241 on page 775 lists the compa[...]

  • Page 114

    4 Enable the interface and add it to a zone. It is highly recommended that you set the Zone to WAN to apply your WAN zone security settings to this 3G connection. Leaving Zone set to none has the ZyWALL not apply any security settings to the 3G connection. Enter the PIN Code provided by the[...]

  • Page 115

    6 The ZyWALL automatically adds the cellular interface to the system default WAN trunk. If the ZyWALL is using a user-configured trunk as its default trunk and you want this cellular interface to be part of it, use the Trunk screens to add it. This way the ZyWALL can automatically balance[...]

  • Page 116

    1 Click Configuration > Network > Interface > Ethernet and double-click the wan1 entry. Enter the available bandwidth (1000 kbps) in the Egress Bandwidth field. Click OK. Figure 64 Configuration > Network > Interface > Ethernet > Edit (wan1) 2 Repeat the process to se[...]

  • Page 117

    2 Name the trunk and set the Load Balancing Algorithm field to Weighted Round Robin. Add wan1 and enter 2 in the Weight column. Add wan2 and enter 1 in the Weight column. Click OK. Figure 65 Configuration > Network > Interface > Trunk > Add[...]

  • Page 118

    3 Select the trunk as the default trunk and click Apply. Figure 66 Configuration > Network > Interface > Trunk 7.4 How to Set Up an IPSec VPN Tunnel This example shows how to use the IPSec VPN configuration screens to create the following VPN tunnel, see Section 5.4 on page 76 for [...]

  • Page 119

    In this example, the ZyWALL is router X (1.2.3.4), and the remote IPSec router is router Y (2.2.2.2). Create the VPN tunnel between ZyWALL X’s LAN subnet (192.168.1.0/24) and the LAN subnet behind peer IPSec router Y (172.16.1.0/24). 7.4.1 Set Up the VPN Gateway The VPN gateway [...]

  • Page 120

    7.4.2 Set Up the VPN Connection The VPN connection manages the IPSec SA. You have to set up the address objects for the local network and remote network before you can set up the VPN connection. 1 Click Configuration > Object > Address. Click the Add icon. 2 Give the new address o[...]

  • Page 121

    4 Enable the VPN connection and name it (“VPN_CONN_EXAMPLE”). Under VPN Gateway select Site-to-site and the VPN gateway (VPN_GW_EXAMPLE). Under Policy, select LAN1_SUBNET for the local network and VPN_REMOTE_SUBNET for the remote. Click OK. Figure 70 Configuration > VPN > IPSec[...]

  • Page 122

    7.5 How to Configure User-aware Access Control You can configure many policies and security settings for specific users or groups of users. This is illustrated in the following example, where you will set up the following policies. This is a simple example that does not include priorit[...]

  • Page 123

    2 Enter the same user name that is used in the RADIUS server, and set the User Type to ext-user because this user account is authenticated by an external server. Click OK. Figure 71 Configuration > Object > User/Group > User > Add 3 Repeat this process to set up the remaining [...]

  • Page 124

    2 Enter the name of the group that is used in the example in Table 18 on page 122. In this example, it is “Finance”. Then, select User/Leo and click the right arrow to move him to the Member list. This example only has one member in this group, so click OK. Of course you could add more m[...]

  • Page 125

    1 Click Configuration > Object > AAA Server > RADIUS. Double-click the radius entry. Configure the RADIUS server’s address, authentication port (1812 if you were not told otherwise), key, and click Apply. Figure 73 Configuration > Object > AAA Server > RADIUS > Add 2 Cl[...]

  • Page 126

    Note: The users will have to log in using the Web Configurator login screen before they can use HTTP or MSN. Figure 75 Configuration > Object > User/Group > Setting > Add (Force User Authentication Policy) When the users try to browse the web (or use any HTTP/HTTPS applicatio[...]

  • Page 127

    1 Click Configuration > AppPatrol. If application patrol and bandwidth management are not enabled, enable them, and click Apply. Figure 76 Configuration > AppPatrol > General 2 Click the Common tab and double-click the http entry. Figure 77 Configuration > AppPatrol > Common[...]

  • Page 128

    3 Double-click the Default policy. Figure 78 Configuration > AppPatrol > Common > http 4 Change the access to Drop because you do not want anyone except authorized user groups to browse the web. Click OK. Figure 79 Configuration > AppPatrol > Common > http > Edit Defa[...]

  • Page 129

    5 Click the Add icon in the policy list. In the new policy, select one of the user groups that is allowed to browse the web and set the corresponding bandwidth restriction in the Inbound and Outbound fields. Click OK. Repeat this process to add exceptions for all the other user groups that [...]

  • Page 130

    2 Give the schedule a descriptive name. Set up the days (Monday through Friday) and the times (8:30 - 18:00) when Sales is allowed to use MSN. Click OK. Figure 81 Configuration > Object > Schedule > Add (Recurring) 3 Follow the steps in Section 7.5.4 on page 126 to set up the appro[...]

  • Page 131

    2 Click the Add icon again and create a rule for one of the user groups that is allowed to access the DMZ. Figure 83 Configuration > Firewall > Add 3 Repeat this process to set up firewall rules for the other user groups that are allowed to access the DMZ. 7.6 How to Use a RADIUS Server [...]

  • Page 132

    1 Click Configuration > Object > AAA Server > RADIUS. Double-click the radius entry. Besides configuring the RADIUS server’s address, authentication port, and key; set the Group Membership Attribute field to the attribute that the ZyWALL is to check to determine to which group[...]

  • Page 133

    2 Now you add ext-group-user user objects to identify groups based on the group identifier values. Set up one user account for each group of user accounts in the RADIUS server. Click Configuration > Object > User/Group > User. Click the Add icon. Enter a user name and set the User Ty[...]

  • Page 134

    • Select Endpoint must have Personal Firewall installed and move the Kaspersky Internet Security entries to the allowed list (you can double-click an entry to move it). • Select Endpoint must have Anti-Virus software installed and move the Kaspersky Internet Security and Kaspe[...]

  • Page 135

    Repeat as needed to create endpoint security objects for other Windows operating system versions. 7.7.2 Configure the Authentication Policy Click Configuration > Auth. Policy > Add to open the Endpoint Security Edit screen. Use this screen to configure an authentication policy to use end[...]

  • Page 136

    4 Turn on authentication policy and click Apply. Figure 88 Configuration > Auth. Policy The following figure shows an error message example when a user’s computer does not meet an endpoint security object’s requirements. Click Close to return to the login screen. Figure 89 Example:[...]

  • Page 137

    user access (logging into SSL VPN for example). See Chapter 45 on page 675 for more on service control. The To-ZyWALL firewall rules apply to any kind of HTTP or HTTPS connection to the ZyWALL. They do not distinguish between administrator management access and user access. If you configu[...]

  • Page 138

    4 Select the new rule and click the Add icon. Figure 92 Configuration > System > WWW (First Example Admin Service Rule Configured) 5 In the Zone field select ALL and set the Action to Deny. Click OK. Figure 93 Configuration > System > WWW > Service Control Rule Edit[...]

  • Page 139

    6 Click Apply. Figure 94 Configuration > System > WWW (Second Example Admin Service Rule Configured) Now administrator access to the Web Configurator can only come from the LAN1 zone. Non-admin users can still use HTTPS to log into the ZyWALL from any of the ZyWALL’s zones (to[...]

  • Page 140

    for wan1 IP address 10.0.0.8 to an H.323 device located on the LAN and using IP address 192.168.1.56. Figure 95 WAN to LAN H.323 Peer-to-peer Calls Example 7.9.1 Turn On the ALG Click Configuration > Network > ALG. Select Enable H.323 ALG and Enable H.323 transformations and click Appl[...]

  • Page 141

    1 Use Configuration > Object > Address > Add to create an address object for the public WAN IP address (called WAN_IP-for-H323 here). Then use it again to create an address object for the H.323 device’s private LAN1 IP address (called LAN_H323 here). Figure 97 Create Address Obje[...]

  • Page 142

    2 Click Configuration > Network > NAT > Add. Configure a name for the rule (WAN-LAN_H323 here). You want the LAN H.323 device to receive peer-to-peer calls from the WAN and also be able to initiate calls to the WAN so you set the Classification to NAT 1:1. Set the Incoming Interface[...]

  • Page 143

    1 Click Configuration > Firewall > Add. In the From field select WAN. In the To field select LAN1. Configure a name for the rule (WAN-to-LAN_H323 here). Set the Destination to the H.323 device’s LAN1 IP address object (LAN_H323). LAN_H323 is the destination because the ZyWALL appli[...]

  • Page 144

    7.10.1 Create the Address Objects Use Configuration > Object > Address > Add to create the address objects. 1 Create a host address object named DMZ_HTTP for the HTTP server’s private IP address of 192.168.3.7. Figure 101 Creating the Address Object for the HTTP Server’s Priv[...]

  • Page 145

    • Keep Enable NAT Loopback selected to allow users connected to other interfaces to access the HTTP server (see NAT Loopback on page 327 for details). Figure 103 Creating the NAT Entry 7.10.3 Set Up a Firewall Rule The firewall blocks traffic from the WAN zone to the DMZ zone by default [...]

  • Page 146

    1 Click Configuration > Firewall > Add. Set the From field as WAN and the To field as DMZ. Set the Destination to the HTTP server’s DMZ IP address object (DMZ_HTTP). DMZ_HTTP is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule. Set the A[...]

  • Page 147

    address 1.1.1.2 that you will use on the wan1 interface and map to the IPPBX’s private IP address of 192.168.3.7. The local SIP clients are on the LAN. Figure 105 IPPBX Example Network Topology[...]

  • Page 148

    7.11.1 Turn On the ALG Click Configuration > Network > ALG. Select Enable SIP ALG and Enable SIP Transformations and click Apply. Figure 106 Configuration > Network > ALG 7.11.2 Create the Address Objects Use Configuration > Object > Address > Add to create the addre[...]

  • Page 149

    2 Create a host address object named IPPBX-Public for the public WAN IP address 1.1.1.2. Figure 108 Creating the Public IP Address Object 7.11.3 Setup a NAT Policy for the IPPBX Click Configuration > Network > NAT > Add. • Configure a name for the rule (WAN-DMZ_IPPBX here). • [...]

  • Page 150

    • Click OK. Figure 109 Configuration > Network > NAT > Add 7.11.4 Set Up a WAN to DMZ Firewall Rule for SIP The firewall blocks traffic from the WAN zone to the DMZ zone by default so you need to create a firewall rule to allow the public to send SIP traffic to the IPPBX. [...]

  • Page 151

    1 Click Configuration > Firewall > Add. Set the From field as WAN and the To field as DMZ. Set the Destination to the IPPBX’s DMZ IP address object (DMZ_SIP). IPPBX_DMZ is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule. Set the Acce[...]
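    The packet-flow order on page 91 (Destination NAT runs before Routing and the firewall check) is why the H.323, HTTP-server and IPPBX tutorials above all put the server's private address object in the firewall rule's Destination field. The following model, an added example that is not part of the ZyXEL manual, walks a constructed WAN-to-DMZ SIP packet through DNAT and then the through-ZyWALL firewall; the public/private addresses come from the IPPBX example (1.1.1.2 mapped to 192.168.3.7), while the zone table, the client address, the SIP port and the rule objects are assumptions.

```python
"""Model of the ZyWALL through-traffic order: Destination NAT before the
firewall check. Shows why a WAN-to-DMZ allow rule must name the server's
private (post-NAT) address rather than the public one. Added example;
all rules, zones and packets below are constructed for illustration."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_zone: str          # zone of the incoming interface (e.g. "WAN")


@dataclass(frozen=True)
class NatRule:
    """NAT 1:1 / virtual-server style mapping on an incoming zone."""
    in_zone: str
    public_ip: str
    private_ip: str
    dport: Optional[int] = None   # None: map every port (NAT 1:1)


@dataclass(frozen=True)
class FirewallRule:
    from_zone: str
    to_zone: str
    dst_ip: Optional[str]         # None: any destination
    dport: Optional[int]          # None: any port
    action: str                   # "allow" or "deny"


# Constructed zone table: which zone a destination falls into after routing.
ZONE_OF_PREFIX = {"192.168.3.": "DMZ", "192.168.1.": "LAN1"}


def zone_of(ip: str) -> str:
    for prefix, zone in ZONE_OF_PREFIX.items():
        if ip.startswith(prefix):
            return zone
    return "WAN"   # anything not internal is treated as a WAN address


def apply_dnat(pkt: Packet, nat_rules: List[NatRule]) -> Packet:
    """First matching NAT rule rewrites the destination; otherwise unchanged."""
    for r in nat_rules:
        if (r.in_zone == pkt.in_zone and r.public_ip == pkt.dst
                and (r.dport is None or r.dport == pkt.dport)):
            return replace(pkt, dst=r.private_ip)
    return pkt


def firewall_decision(pkt: Packet, rules: List[FirewallRule],
                      default: str = "deny") -> str:
    """First-match zone firewall evaluated on the already-translated packet."""
    to_zone = zone_of(pkt.dst)
    for r in rules:
        if (r.from_zone == pkt.in_zone and r.to_zone == to_zone
                and (r.dst_ip is None or r.dst_ip == pkt.dst)
                and (r.dport is None or r.dport == pkt.dport)):
            return r.action
    return default   # WAN-to-DMZ is blocked by default, as the manual states


def process(pkt: Packet, nat_rules: List[NatRule],
            fw_rules: List[FirewallRule]) -> Tuple[str, str]:
    """Traffic in > Destination NAT > Routing > firewall; returns (verdict, dst)."""
    translated = apply_dnat(pkt, nat_rules)
    return firewall_decision(translated, fw_rules), translated.dst


# IPPBX example values from the manual (public 1.1.1.2 -> private 192.168.3.7);
# the client address and SIP port 5060 are constructed/assumed.
NAT_RULES = [NatRule(in_zone="WAN", public_ip="1.1.1.2", private_ip="192.168.3.7")]
RULE_WITH_PUBLIC_IP = [FirewallRule("WAN", "DMZ", "1.1.1.2", None, "allow")]
RULE_WITH_PRIVATE_IP = [FirewallRule("WAN", "DMZ", "192.168.3.7", None, "allow")]
SIP_FROM_INTERNET = Packet(src="203.0.113.9", dst="1.1.1.2", dport=5060, in_zone="WAN")


def demo() -> dict:
    """Same packet, same NAT rule; only the firewall Destination object differs."""
    return {
        "public_ip_in_rule": process(SIP_FROM_INTERNET, NAT_RULES, RULE_WITH_PUBLIC_IP),
        "private_ip_in_rule": process(SIP_FROM_INTERNET, NAT_RULES, RULE_WITH_PRIVATE_IP),
        "no_nat_rule": process(SIP_FROM_INTERNET, [], RULE_WITH_PRIVATE_IP),
    }


if __name__ == "__main__":
    for case, (verdict, dst) in demo().items():
        print(f"{case}: firewall sees dst={dst} -> {verdict}")
```

    The rule written against the public address never matches because the firewall only ever sees the translated destination, which is exactly the failure the tutorials avoid by choosing DMZ_SIP / DMZ_HTTP / LAN_H323 as the Destination.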

  • Page 152

    1 Click Configuration > Firewall > Add. Set the From field as DMZ and the To field as LAN. Set the Destination to the IPPBX’s DMZ IP address object (DMZ_SIP). Set the Source to IPPBX_DMZ. Leave the Access field to allow and click OK. Figure 111 Configuration > Firewall > A[...]

  • Page 153

    7.12.2 Configure the Policy Route Now you need to configure a policy route that has the ZyWALL use the range of public IP addresses as the source address for WAN to LAN traffic. Click Configuration > Network > Routing > Add. Although adding a description is optional, it is recomme[...]


  • Page 155

    PART II Technical Reference[...]


  • Page 157

    CHAPTER 8 Dashboard 8.1 Overview Use the Dashboard screens to check status information about the ZyWALL. 8.1.1 What You Can Do in this Chapter Use the Dashboard screens for the following. • Use the main Dashboard screen (see Section 8.2 on page 157) to see the ZyWALL’s general device information, sy[...]

  • Page 158

    interface status in widgets that you can re-arrange to suit your needs. You can also collapse, refresh, and close individual widgets. Figure 114 Dashboard The following table describes the labels in this screen. Table 19 Dashboard LABEL DESCRIPTION Widget Setting (A) Use this l[...]

  • Page 159

    Device This field displays the name of the device connected to the extension slot (or none if no device is detected). Status This field displays the current status of each interface or device installed in a slot. The possible values depend on what type of interface it is. For Ethernet interf[...]

  • Page 160

    Flash Usage This field displays what percentage of the ZyWALL’s onboard flash memory is currently being used. Active Sessions This field displays how many traffic sessions are currently open on the ZyWALL. These are the sessions that are traversing the ZyWALL. Hover your cursor over [...]

  • Page 161

    Status For cellular (3G) interfaces, see Section 9.9 on page 183 for the status that can appear. System Status System Uptime This field displays how long the ZyWALL has been running since it last restarted or was turned on. Current Date/Time This field displays the current date and t[...]

  • Page 162

    8.2.1 The CPU Usage Screen Use this screen to look at a chart of the ZyWALL’s recent CPU usage. To access this screen, click CPU Usage in the dashboard. Figure 115 Dashboard > CPU Usage Expiration If the service license is valid, this shows when it will expire. N/A displays if the s[...]

  • Page 163

    The following table describes the labels in this screen. 8.2.2 The Memory Usage Screen Use this screen to look at a chart of the ZyWALL’s recent memory (RAM) usage. To access this screen, click Memory Usage in the dashboard. Figure 116 Dashboard > Memory Usage The following table de[...]

  • Page 164

    8.2.3 The Active Sessions Screen Use this screen to look at a chart of the ZyWALL’s recent traffic session usage. To access this screen, click Session Usage in the dashboard. Figure 117 Dashboard > Session Usage The following table describes the labels in this screen. Table 22 Da[...]

  • Page 165

    Chapter 8 D as hb oa rd ZyWALL USG 50 User’s Guide 165 8.2.4 The VPN S t atus Screen Use this screen to look at the VPN tunnels that are currently establi shed. T o access this screen, click VPN Status in the das hboard. Figure 1 18 Dashboard > VPN S tatus The following table describes t he labels in this screen. 8.2.5 The DHCP T able Screen U[...]

  • Page 166

    Chapter 8 Das hb o ar d ZyWALL USG 50 User’s Guide 166 The following table describes t he labels in this screen. 8.2.6 The Number of Login Users Screen Use this screen to look at a list of the users current ly logged into the Z yWALL. T o access this screen, click the dashboard’ s Number of Login Users icon. Figure 120 Dashboard > Number of [...]

  • Page 167

    Chapter 8 D as hb oa rd ZyWALL USG 50 User’s Guide 167 The following table describes t he labels in this screen. T able 25 Dashboard > Number of Login Users LABEL DESCRIPTION # This field is a sequential v alue and is not associated wi th any entry . User ID This field displays the user name of each user who is currently logged in to the ZyW A[...]

  • Page 168

    Chapter 8 Das hb o ar d ZyWALL USG 50 User’s Guide 168[...]

  • Page 169

CHAPTER 9 Monitor
9.1 Overview
Use the Monitor screens to check status and statistics information.
9.1.1 What You Can Do in this Chapter
Use the Monitor screens for the following.
• Use the System Status > Port Statistics screen (see Section 9.2.1 on page 172) to look at packet statistics for eac[...]

• Use the Anti-X Statistics > Anti-Virus screen (see Section 9.13 on page 194) to start or stop data collection and view virus statistics.
• Use the Anti-X Statistics > IDP screen (Section 9.14 on page 196) to start or stop data collection and view IDP statistics.
• Use the [...]

Stop: Click this to stop the window from updating automatically. You can start it again by setting the Poll Interval and clicking Set Interval.
Switch to Graphic View: Click this to display the port statistics as a line graph.
#: This field displays the port’s number in the list.
Port: This [...]

9.2.1 The Port Statistics Graph Screen
Use this screen to look at a line graph of packet statistics for each physical port. To access this screen, click Port Statistics in the Status screen and then the Switch to Graphic View button.
Figure 122 Monitor > System Status > Port Statistic[...]

9.3 Interface Status Screen
This screen lists all of the ZyWALL’s interfaces and gives packet statistics for them. Click Monitor > System Status > Interface Status to access this screen.
Figure 123 Monitor > System Status > Interface Status
Each field is described in the follo[...]

Port: This field displays the physical port number.
Status: This field displays the current status of each interface. The possible values depend on what type of interface it is. For Ethernet interfaces: Inactive - The Ethernet interface is disabled. Down - The Ethernet interface does not have any[...]

9.4 The Traffic Statistics Screen
Click Monitor > System Status > Traffic Statistics to display the Traffic Statistics screen. This screen provides basic information about the following, for example:
• Most-visited Web sites and the number of times each one was visited. This count m[...]

You use the Traffic Statistics screen to tell the ZyWALL when to start and when to stop collecting information for these reports. You cannot schedule data collection; you have to start and stop it manually in the Traffic Statistics screen.
Figure 124 Monitor > System Status > Traff[...]

Traffic Type: Select the type of report to display. Choices are: Host IP Address/User - displays the IP addresses or users with the most traffic and how much traffic has been sent to and from each one. Service/Port - displays the most-used protocols or service ports and the amount of traffic fo[...]

The following table displays the maximum number of records shown in the report, the byte count limit, and the hit count limit.
9.5 The Session Monitor Screen
The Session Monitor screen displays information about active sessions for debugging or statistical analysis. It is not possible to mana[...]

• Number of bytes transmitted (so far)
• Duration (so far)
You can look at all the active sessions by user, service, source IP address, or destination IP address. You can also filter the information by user, protocol / service or service group, source address, and/or destination addres[...]

User: This field displays when View is set to all sessions. Type the user whose sessions you want to view. It is not possible to type part of the user name or use wildcards in this field; you must enter the whole user name.
Service: This field displays when View is set to all sessions. Select t[...]

9.6 The DDNS Status Screen
The DDNS Status screen shows the status of the ZyWALL’s DDNS domain names. Click Monitor > System Status > DDNS Status to open the following screen.
Figure 126 Monitor > System Status > DDNS Status
The following table describes the labels in this [...]

established a session with the ZyWALL. Devices that have never established a session with the ZyWALL do not display in the list.
Figure 127 Monitor > System Status > IP/MAC Binding
The following table describes the labels in this screen.
9.8 The Login Users Screen
Use this screen to loo[...]

The following table describes the labels in this screen.
9.9 Cellular Status Screen
This screen displays your 3G connection status. Click Monitor > System Status > Cellular Status to display this screen.
Figure 129 Monitor > System Status > Cellular Status
The following table des[...]

Connected Device: This field displays the model name of the cellular card.
Status: No device - no 3G device is connected to the ZyWALL. No Service - no 3G network is available in the area; you cannot connect to the Internet. Limited Service - returned by the service provider in cases where the SIM[...]

9.9.1 More Information
This screen displays more information on your 3G connection, such as the signal strength, IMEI/ESN and IMSI, that helps identify your 3G device and SIM card. Click Monitor > System Status > More Information to display this screen.
Note: This screen is only available when the 3G d[...]

The following table describes the labels in this screen.
9.10 Application Patrol Statistics
This screen displays a bandwidth usage graph and statistics for selected protocols. Click Monitor > AppPatrol Statistics to open the following screen.
Table 36 Monitor > System Status > More [...]

9.10.1 Application Patrol Statistics: General Setup
Use the top of the Monitor > AppPatrol Statistics screen to configure what to display.
Figure 131 Monitor > AppPatrol Statistics: General Setup
The following table describes the labels in this screen.
Table 37 Monitor > AppPatrol S[...]

9.10.2 Application Patrol Statistics: Bandwidth Statistics
The middle of the Monitor > AppPatrol Statistics screen displays a bandwidth usage line graph for the selected protocols.
Figure 132 Monitor > AppPatrol Statistics: Bandwidth Statistics
• The y-axis represents the amount o[...]

9.10.3 Application Patrol Statistics: Protocol Statistics
The bottom of the Monitor > AppPatrol Statistics screen displays statistics for each of the selected protocols.
Figure 133 Monitor > AppPatrol Statistics: Protocol Statistics
The following table describes the labels in this scre[...]

9.10.4 Application Patrol Statistics: Individual Protocol Statistics by Rule
The bottom of the Monitor > AppPatrol Statistics screen displays statistics for each of the selected protocols. Click a service’s name to display this screen with statistics for each of the service’s applicat[...]

The following table describes the labels in this screen.
9.11 The IPSec Monitor Screen
You can use the IPSec Monitor screen to display and to manage active IPSec SAs. To access this screen, click Monitor > VPN Monitor > IPSec. The following screen appears. Click a column’s heading ce[...]

Each field is described in the following table.
9.11.1 Regular Expressions in Searching IPSec SAs
A question mark (?) lets a single character in the VPN connection or policy name vary. For example, use “a?c” (without the quotation marks) to specify abc, acc and so on.
Table 40 Monitor [...]

Wildcards (*) let multiple VPN connection or policy names match the pattern. For example, use “*abc” (without the quotation marks) to specify any VPN connection or policy name that ends with “abc”. A VPN connection named “testabc” would match. There could be any number (of any ty[...]
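The two search operators above (“?” for exactly one character, “*” for any run of characters) are a glob-style pattern, not a full regular expression. The Python below is an added example, not ZyWALL code, that implements the same matching rules over a constructed list of SA names; it assumes matching is case-sensitive, which the guide does not state. It escapes every literal character before compiling, so a connection name containing regex metacharacters cannot alter the meaning of the search.

```python
import re
from typing import List

def zywall_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an IPSec Monitor search pattern into an anchored regex.

    '?' stands for exactly one character and '*' for any run of characters
    (including none). Every other character is matched literally, so a name
    containing regex metacharacters such as '.' or '(' cannot change the
    meaning of the search.
    """
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")

def match_sa_names(pattern: str, names: List[str]) -> List[str]:
    """Return the names, in their original order, that the pattern selects.
    Matching is case-sensitive (an assumption; the guide does not say)."""
    rx = zywall_pattern_to_regex(pattern)
    return [n for n in names if rx.match(n)]

# Constructed sample of VPN connection names; not taken from any real device.
SAMPLE_SA_NAMES = ["abc", "acc", "abbc", "testabc", "abc-branch", "ABC"]

if __name__ == "__main__":
    for pat in ("a?c", "*abc", "abc*", "*"):
        print(f"{pat!r:10} -> {match_sa_names(pat, SAMPLE_SA_NAMES)}")
```

Note that “a.c” matches nothing in the sample list: the dot is a literal, so it does not behave as the regex wildcard.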

9.13 The Anti-Virus Statistics Screen
Click Monitor > Anti-X Statistics > Anti-Virus to display the following screen. This screen displays anti-virus statistics.
Figure 137 Monitor > Anti-X Statistics > Anti-Virus: Virus Name
User: This field displays the account user name used to e[...]

The following table describes the labels in this screen. The statistics display as follows when you display the top entries by source.
Figure 138 Monitor > Anti-X Statistics > Anti-Virus: Source IP
Table 42 Monitor > Anti-X Statistics > Anti-Virus
LABEL DESCRIPTION
Collect Statist[...]

The statistics display as follows when you display the top entries by destination.
Figure 139 Monitor > Anti-X Statistics > Anti-Virus: Destination IP
9.14 The IDP Statistics Screen
Click Monitor > Anti-X Statistics > IDP to display the following screen. This screen displays IDP (I[...]

The statistics display as follows when you display the top entries by source.
Figure 141 Monitor > Anti-X Statistics > IDP: Source
Total Session Scanned: This field displays the number of sessions that the ZyWALL has checked for intrusion characteristics.
Total Packet Dropped: The [...]

The statistics display as follows when you display the top entries by destination.
Figure 142 Monitor > Anti-X Statistics > IDP: Destination
9.15 The Content Filter Statistics Screen
Click Monitor > Anti-X Statistics > Content Filter to display the following screen. This screen d[...]

The following table describes the labels in this screen.
Table 44 Monitor > Anti-X Statistics > Content Filter
LABEL DESCRIPTION
Collect Statistics: Select this check box to have the ZyWALL collect content filtering statistics. The collection starting time displays after you click Apply.[...]

9.16 Content Filter Cache Screen
Click Monitor > Anti-X Statistics > Content Filter > Cache to display the Content Filter Cache screen. Use this screen to view and configure your ZyWALL’s URL caching. You can also configure how long a categorized web site address remains in the cache [...]

Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
Figure 144 Anti-X > Content Filter > Cache
The following table describes the labels in this screen.
Table 45 Anti-X > Content Filter > Cach[...]

Category: This field shows whether access to the web site’s URL was blocked or allowed. Click the column heading to sort the entries. Point the triangle up to display the blocked URLs before the URLs to which access was allowed. Point the triangle down to display the URLs to which access was al[...]

9.17 The Anti-Spam Statistics Screen
Click Monitor > Anti-X Statistics > Anti-Spam to display the following screen. This screen displays spam statistics.
Figure 145 Monitor > Anti-X Statistics > Anti-Spam
The following table describes the labels in this screen.
Table 46 Monito[...]

Spam Mails: This is the number of e-mails that the ZyWALL has determined to be spam.
Spam Mails Detected by Black List: This is the number of e-mails that matched an entry in the ZyWALL’s anti-spam black list.
Spam Mails Detected by DNSBL: The ZyWALL can check the sender and relay IP addresse[...]
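A DNSBL check works by reversing the octets of the IPv4 address, appending the list’s zone name, and asking DNS for an A record; an answer inside 127.0.0.0/8 means the address is listed. The Python below is an added example of that mechanism, not the ZyWALL’s implementation. The zone name dnsbl.example and the zone data are constructed for the example, and the resolver is a plain dictionary lookup so it runs offline; the check also rejects answers outside 127.0.0.0/8, which is the usual guard against a resolver that wildcards unknown names.

```python
import ipaddress
from typing import Callable, Optional

DNSBL_ZONE = "dnsbl.example"  # hypothetical zone name, not a real list

def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL query name: octets reversed, then the zone.
    Rejects anything that is not a valid IPv4 address."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper handles IPv4 only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"

# Constructed zone data standing in for real DNS answers.
CONSTRUCTED_ZONE_DATA = {
    "1.2.0.192.dnsbl.example": "127.0.0.2",  # 192.0.2.1 is listed
}

def fake_resolve_a(name: str) -> Optional[str]:
    """Offline stand-in for an A-record lookup."""
    return CONSTRUCTED_ZONE_DATA.get(name)

def is_listed(ip: str, zone: str = DNSBL_ZONE,
              resolve: Callable[[str], Optional[str]] = fake_resolve_a) -> bool:
    """True only when the DNSBL answers with a 127.0.0.0/8 address.
    NXDOMAIN (None) or any other answer is treated as not listed."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")

if __name__ == "__main__":
    for ip in ("192.0.2.1", "192.0.2.2"):
        print(ip, dnsbl_query_name(ip), "listed" if is_listed(ip) else "clean")
```

Relay addresses are checked the same way, one query per hop in the Received: chain.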

9.18 The Anti-Spam Status Screen
Click Monitor > Anti-X Statistics > Anti-Spam > Status to display the Anti-Spam Status screen. Use the Anti-Spam Status screen to see how many e-mail sessions the anti-spam feature is scanning and statistics for the DNSBLs.
Figure 146 Monitor > [...]

9.19 Log Screen
Log messages are stored in two separate logs, one for regular log messages and one for debugging messages. In the regular log, you can look at all the log messages by selecting All Logs, or you can select a specific category of log messages (for example, firewall or user). You ca[...]

The following table describes the labels in this screen.
Table 48 Monitor > Log
LABEL DESCRIPTION
Show Filter / Hide Filter: Click this button to show or hide the filter settings. If the filter settings are hidden, the Display, Email Log Now, Refresh, and Clear Log fields are available[...]

The Web Configurator saves the filter settings if you leave the View Log screen and return to it later.
Priority: This field displays the priority of the log message. It has the same range of values as the Priority field above.
Category: This field displays the log that generated the log message[...]

  • Page 209

CHAPTER 10 Registration
10.1 Overview
Use the Configuration > Licensing > Registration screens to register your ZyWALL and manage its service subscriptions.
10.1.1 What You Can Do in this Chapter
• Use the Registration screen (see Section 10.2 on page 211) to register your ZyWALL with myZyXEL[...]

Subscription Services Available on the ZyWALL
You can have the ZyWALL use anti-virus, IDP/AppPatrol (Intrusion Detection and Prevention and application patrol), and content filtering subscription services. You can also purchase and enter a license key to have the ZyWALL use mor[...]

10.2 The Registration Screen
Use this screen to register your ZyWALL with myZyXEL.com and activate a service, such as content filtering. Click Configuration > Licensing > Registration in the navigation panel to open the screen as shown next.
Figure 148 Configuration > Licensi[...]

Confirm Password: Enter the password again for confirmation.
E-Mail Address: Enter your e-mail address. You can use up to 80 alphanumeric characters (periods and the underscore are also allowed) without spaces.
Country: Select your country from the drop-down box list.
Trial Service Activat[...]

Note: If the ZyWALL is registered already, this screen is read-only and indicates whether trial services are activated (if any). You can still select the unchecked trial service(s) to activate them after registration. Use the Service screen to update your service subscription status.
Figur[...]

The following table describes the labels in this screen.
Table 50 Configuration > Licensing > Registration > Service
LABEL DESCRIPTION
License Status
#: This is the entry’s position in the list.
Service: This lists the services that are available on the ZyWALL.
Status: This field [...]

  • Page 215

CHAPTER 11 Interfaces
11.1 Interface Overview
Use the Interface screens to configure the ZyWALL’s interfaces. You can also create interfaces on top of other interfaces.
• Ports are the physical ports to which you connect cables.
• Interfaces are used within the system operationally. You use them in c[...]

11.1.2 What You Need to Know
Interface Characteristics
Interfaces generally have the following characteristics (although not all characteristics apply to each type of interface).
• An interface is a logical entity through which (layer-3) packets pass.
• An interface is bound to a p[...]

virtual--have a lot of similar characteristics. These characteristics are listed in the following table and discussed in more detail below.
* The format of interface names other than the Ethernet and ppp interface names is strict. Each name consists of 2-4 letters (interface type), follo[...]

* You cannot set up a PPP interface, virtual Ethernet interface or virtual VLAN interface if the underlying interface is a member of a bridge. You also cannot add an Ethernet interface or VLAN interface to a bridge if the member interface has a virtual interface or PPP interface on top[...]

1 A port’s IP address varies as its role changes; make sure your computer’s IP address is in the same subnet as the ZyWALL’s lan1, lan2 or dmz IP address.
2 Use the appropriate lan1, lan2 or dmz IP address to access the ZyWALL.
Figure 151 Configuration > Network > In[...]

Unlike other types of interfaces, you cannot create new Ethernet interfaces, nor can you delete any of them. If an Ethernet interface does not have any physical ports assigned to it (see Section 11.2 on page 218), the Ethernet interface is effectively removed from the ZyWALL, but you[...]

Each field is described in the following table.
11.3.1 Ethernet Edit
The Ethernet Edit screen lets you configure IP address assignment, interface parameters, RIP settings, OSPF settings, DHCP settings, connectivity check, and MAC address settings. To access this screen, click an Edit icon [...]

• Enable and disable RIP in the underlying physical port or port group.
• Select which direction(s) routing information is exchanged - The ZyWALL can receive routing information, send routing information, or do both.
• Select which version of RIP to support in each direction [...]

Figure 153 Configuration > Network > Interface > Ethernet > Edit (WAN)[...]

Figure 154 Configuration > Network > Interface > Ethernet > Edit (DMZ)
This screen’s fields are described in the table below.
Table 55 Configuration > Network > Interface > Ethernet > Edit
LABEL DESCRIPTION
Show Advance Settings / Hide Advance Settings: Click t[...]

Interface Type: This field is read-only. Internal is for connecting to a local network. Other corresponding configuration options: DHCP server and DHCP relay. The ZyWALL automatically adds default SNAT settings for traffic flowing from this interface to an external interface. External is f[...]

Metric: This option appears when Interface Properties is External or General. Enter the priority of the gateway (if any) on this interface. The ZyWALL decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the s[...]

Check Port: This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check.
DHCP Setting: These fields appear when Interface Properties is Internal or General.
DHCP: Select what type of DHCP service the ZyWALL provides to the networ[...]

First WINS Server, Second WINS Server: Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using.
Lease[...]

V2-Broadcast: This field is effective when RIP is enabled. Select this to send RIP-2 packets using subnet broadcasting; otherwise, the ZyWALL uses multicasting.
OSPF Setting: See Section 14.3 on page 299 for more information about OSPF.
Area: Select the area in which this interface belongs. Sele[...]

11.3.2 Object References
When a configuration screen includes an Object References icon, select a configuration object and click Object References to open the Object References screen. This screen displays which configuration settings reference the selected object. The fi[...]

11.4 PPP Interfaces
Use PPPoE/PPTP interfaces to connect to your ISP. This way, you do not have to install or manage PPPoE/PPTP software on each computer in the network.
Figure 156 Example: PPPoE/PPTP Interfaces
PPPoE/PPTP interfaces are similar to other interfaces in some ways. They ha[...]

11.4.1 PPP Interface Summary
This screen lists every PPPoE/PPTP interface. To access this screen, click Configuration > Network > Interface > PPP.
Each field is described in the table below.
Table 57 Configuration > Netw[...]

11.4.2 PPP Interface Add or Edit
Note: You have to set up an ISP account before you create a PPPoE/PPTP interface.
This screen lets you configure a PPPoE or PPTP interface. To access this screen, click the Add icon or an Edit icon in the PPP Interface screen.
Status: The activate (light b[...]

Figure 157 Configuration > Network > Interface > PPP > Add
Each field is explained in the following table.
Table 58 Configuration > Network > Interface > PPP > Add
LABEL DESCRIPTION
Show Advance Settings / Hide Advance Settings: Click this button to display a greate[...]

Enable Interface: Select this to enable this interface. Clear this to disable this interface.
Interface Properties
Interface Name: Specify a name for the interface. It can use alphanumeric characters, hyphens, and underscores, and it can be up to 11 characters long.
Base Interface: Select the int[...]

Interface Parameters
Egress Bandwidth: Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network. Allowed values are 0 - 1048576.
Ingress Bandwidth: This is reserved for future use. Enter the maximum amount of traffic, [...]

11.5 Cellular Configuration Screen (3G)
3G (Third Generation) is a digital, packet-switched wireless technology. Bandwidth usage is optimized as multiple users share the same channel and bandwidth is only allocated to users when they send data. It allows fast transfer of voice and non[...]

Aside from selecting the 3G network, the 3G card may also select an available 2.5G or 2.75G network automatically. See the following table for a comparison between the 2G, 2.5G, 2.75G and 3G wireless technologies. To change your 3G WAN settings, click Configuration > Network > In[...]

Figure 158 Configuration > Network > Interface > Cellular
The following table describes the labels in this screen.
11.5.1 Cellular Add/Edit Screen
To change your 3G settings, click Configuration > Network > Interface > Cellular > Add (or Edit). In the pop-up window that[...]

Figure 159 Configuration > Network > Interface > Cellular > Add[...]

The following table describes the labels in this screen.
Table 61 Configuration > Network > Interface > Cellular > Add
LABEL DESCRIPTION
Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
General Settings[...]

Dial String: Enter the dial string if your ISP provides a string, which would include the APN, to initialize the 3G card. You can enter up to 63 ASCII printable characters. Spaces are allowed. This field is available only when you insert a GSM 3G card.
Authentication Type: The ZyWALL s[...]

Egress Bandwidth: Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network. Allowed values are 0 - 1048576. This setting is used in WAN load balancing and bandwidth management.
Ingress Bandwidth: This is reserved for future use. Ent[...]

Get Automatically: Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
Use Fixed IP Address: Select this option if the ISP assigned a fixed IP address.
IP Address Assignment: Enter the cellular interface’s WAN IP address in this field if you[...]

Time Budget: Select this and specify the amount of time (in hours) that the 3G connection can be used within one month. If you change the value after you configure and enable budget control, the ZyWALL resets the statistics.
Data Budget: Select this and specify how much downstream and/or upstr[...]

11.6 VLAN Interfaces
A Virtual Local Area Network (VLAN) divides a physical network into multiple logical networks. The standard is defined in IEEE 802.1Q.
Figure 160 Example: Before VLAN
In this example, there are two physical networks and three departments A, B, and C. The physical[...]

Figure 161 Example: After VLAN
Each VLAN is a separate network with separate IP addresses, subnet masks, and gateways. Each VLAN also has a unique identification number (ID). The ID is a 12-bit value carried in the 802.1Q tag of the Ethernet (MAC) frame header. The VLANs are connected to switches, and the switc[...]

• Between the router and VLAN 3.
VLAN Interfaces Overview
In the ZyWALL, each VLAN is called a VLAN interface. As a router, the ZyWALL routes traffic between VLAN interfaces, but it does not route traffic within a VLAN interface. All traffic for each VLAN interface can go throug[...]
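The 12-bit VLAN ID sits in the 802.1Q tag that is inserted into the Ethernet header after the source MAC address: a 16-bit TPID of 0x8100 followed by a 16-bit TCI whose top three bits are the priority (PCP), next bit the drop-eligible flag (DEI), and low twelve bits the VID. The Python below is an added example, not ZyWALL code, that builds and parses tagged frames and maps a frame to the VLAN interface owning its VID. The VLAN table, the interface names vlan100 and vlan200, and the sample frames are all constructed here. VID 0 (priority-tagged, no VLAN) and 4095 (reserved) are rejected rather than mapped, so only 1 to 4094 are usable identifiers.

```python
import struct
from typing import Dict, Optional, Tuple

TPID_8021Q = 0x8100
VID_MASK = 0x0FFF
ETHERTYPE_IPV4 = 0x0800

def parse_vlan_tag(frame: bytes) -> Optional[Tuple[int, int, int, int, bytes]]:
    """Return (pcp, dei, vid, inner_ethertype, payload) for a tagged frame,
    or None if the frame carries no 802.1Q tag. Raises on truncated input."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("802.1Q TPID present but the tag is truncated")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    pcp = tci >> 13
    dei = (tci >> 12) & 1
    vid = tci & VID_MASK
    return pcp, dei, vid, inner_type, frame[18:]

def build_tagged_frame(dst: bytes, src: bytes, vid: int, ethertype: int,
                       payload: bytes, pcp: int = 0, dei: int = 0) -> bytes:
    """Assemble dst | src | TPID | TCI | ethertype | payload."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    if not 0 <= vid <= 4095:
        raise ValueError("VID is a 12-bit value")
    tci = (pcp << 13) | (dei << 12) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

def vlan_interface_for(frame: bytes, vlan_table: Dict[int, str]) -> str:
    """Map a frame to the VLAN interface that owns its VID.
    Untagged frames belong to the underlying interface; VID 0 and 4095
    are not VLAN identifiers and are refused."""
    tag = parse_vlan_tag(frame)
    if tag is None:
        return "untagged"
    vid = tag[2]
    if vid in (0, 4095):
        raise ValueError(f"reserved VID {vid}")
    return vlan_table.get(vid, "unknown-vlan")

# Constructed sample data; the interface names are assumptions.
DST = bytes.fromhex("0b0b0b0b0b0b")
SRC = bytes.fromhex("0a0a0a0a0a0a")
PAYLOAD = b"\x45" + b"\x00" * 19          # minimal IPv4 header stand-in
VLAN_TABLE = {100: "vlan100", 200: "vlan200"}

if __name__ == "__main__":
    f = build_tagged_frame(DST, SRC, 100, ETHERTYPE_IPV4, PAYLOAD)
    print(parse_vlan_tag(f)[:4], vlan_interface_for(f, VLAN_TABLE))
```

A frame with a VID that no VLAN interface claims is reported as unknown rather than guessed; on a firewall that is the case to drop and log, since it usually means a mis-trunked switch port or a host injecting tags itself.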

  • Page 249

    Chapter 11 Interfaces ZyWALL USG 50 User’s Guide 249 1 1.6.2 VLAN Add/Edit This screen lets you configure IP ad dress assignment, interface bandwidth parameters, DHCP setti ngs , and connectivit y check for each VLAN interface. T o access this screen, click the Add icon at the top of the Add column or click an Edit icon next to a VLAN interface i[...]

  • Page 250

    Chapter 11 In te r fac es ZyWALL USG 50 User’s Guide 250 Figure 163 Configuration > Network > Interface > VLAN > Edit[...]

  • Page 251

    Chapter 11 Interfaces ZyWALL USG 50 User’s Guide 251 Each field is explained in the following table. T able 63 Configuration > Network > Interface > VLAN > Edit LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greate r or lesser num ber of configuration fields. General Settings Enable Inte[...]

  • Page 252

    Chapter 11 In te r fac es ZyWALL USG 50 User’s Guide 252 Metric Enter the priority of the gateway (if any) on this interface. The Z yWALL decides which gatewa y to use based on this priority . The lower the number , the higher the priority . If two or more gateways have the same priority , the Z yW ALL uses the one that was configured first. Inte[...]

  • Page 253

    Chapter 11 Interfaces ZyWALL USG 50 User’s Guide 253 DHCP Select what type of DHCP service the Z yWALL provides to the network. Choices are: None - the ZyW ALL does not provide any DHCP services. There is already a DHCP serv er on the network. DHCP Relay - the Z yWALL ro utes DHCP requests to one or m ore DHCP servers you specify . The DH CP serv[...]

  • Page 254

    Chapter 11 In te r fac es ZyWALL USG 50 User’s Guide 254 Lease time Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are: infinite - select this if IP addresses never expire days, hours, and minutes - select this to enter how long IP addresses are valid. Ena[...]

  • Page 255

    OSPF Setting See Section 14.3 on page 299 for more information about OSPF. Area Select the area in which this interface belongs. Select None to disable OSPF in this interface. Priority Enter the priority (between 0 and 255) of this interface when the area is looking for a Designated Router (DR[...]

  • Page 256

    11.7 Bridge Interfaces This section introduces bridges and bridge interfaces and then explains the screens for bridge interfaces. Bridge Overview A bridge creates a connection between two or more network segments at the layer-2 (MAC address) level. In the following example, bridge X con[...]

  • Page 257

    If computer B responds to computer A, bridge X records the source address 0B:0B:0B:0B:0B:0B and port 4 in the table. It also looks up 0A:0A:0A:0A:0A:0A in the table and sends the packet to port 2 accordingly. Bridge Interface Overview A bridge interface creates a software bridge between the[...]

  • Page 258

    11.7.1 Bridge Summary This screen lists every bridge interface and virtual interface created on top of bridge interfaces. To access this screen, click Configuration > Network > Interface > Bridge. Figure 164 Configuration > Network > Interface > Bridge Each field is [...]

  • Page 259

    11.7.2 Bridge Add/Edit This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each bridge interface. To access this screen, click the Add icon at the top of the Add column in the Bridge Summary screen, or click an E[...]

  • Page 260

    Figure 165 Configuration > Network > Interface > Bridge > Add[...]

  • Page 261

    Each field is described in the table below. Table 68 Configuration > Network > Interface > Bridge > Edit LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields. General Settings Enable Int[...]

  • Page 262

    Gateway This field is enabled if you select Use Fixed IP Address. Enter the IP address of the gateway. The ZyWALL sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface. Metric Enter the [...]

  • Page 263

    IP Pool Start Address Enter the IP address from which the ZyWALL begins allocating IP addresses. If you want to assign a static IP address to a specific computer, click Add Static DHCP. If this field is blank, the Pool Size must also be blank. In this case, the ZyWALL can assign every IP [...]

  • Page 264

    11.7.3 Virtual Interfaces Add/Edit This screen lets you configure IP address assignment and interface parameters for virtual interfaces. To access this screen, click an Add icon next to an Ethernet Add Click this to create a new entry. Edit Select an entry and click this to be able t[...]

  • Page 265

    interface, VLAN interface, or bridge interface in the respective interface summary screen. Figure 166 Configuration > Network > Interface > Add Each field is described in the table below. Table 69 Configuration > Network > Interface > Add LABEL DESCRIPTION Interfac[...]

  • Page 266

    11.8 Interface Technical Reference Here is more detailed information about interfaces on the ZyWALL. IP Address Assignment Most interfaces have an IP address and a subnet mask. This information is used to create an entry in the routing table. Figure 167 Example: Entry in the Routing T[...]

  • Page 267

    because it is a point-to-point interface. For these interfaces, you can only enter the IP address. In many interfaces, you can also let the IP address and subnet mask be assigned by an external DHCP server on the network. In this case, the interface is a DHCP client. Virtual interfaces,[...]

  • Page 268

    If you set the bandwidth restrictions very high, you effectively remove the restrictions. The ZyWALL also restricts the size of each data packet. The maximum number of bytes in each packet is called the maximum transmission unit (MTU). If a packet is larger than the MTU, the ZyWALL di[...]

  • Page 269

    • IP address - If the DHCP client’s MAC address is in the ZyWALL’s static DHCP table, the interface assigns the corresponding IP address. If not, the interface assigns IP addresses from a pool, defined by the starting address of the pool and the pool size. The ZyWALL cannot assign the[...]

  • Page 270

    PPPoE/PPTP Overview Point-to-Point Protocol over Ethernet (PPPoE, RFC 2516) and Point-to-Point Tunneling Protocol (PPTP, RFC 2637) are usually used to connect two computers over phone lines or broadband connections. PPPoE is often used with cable modems and DSL connections. It [...]

  • Page 271

    CHAPTER 12 Trunks 12.1 Overview Use trunks for WAN traffic load balancing to increase overall network throughput and reliability. Load balancing divides traffic loads between multiple interfaces. This allows you to improve quality of service and maximize bandwidth utilization for multiple ISP links. Maybe yo[...]

  • Page 272

    12.1.2 What You Need to Know • Add WAN interfaces to trunks to have multiple connections share the traffic load. • If one WAN interface’s connection goes down, the ZyWALL sends traffic through another member of the trunk. • For example, you connect one WAN interface to one ISP an[...]

  • Page 273

    2 The ZyWALL is using active/active load balancing. So when LAN user A tries to access something on the server, the request goes out through wan2. 3 The server finds that the request comes from wan2’s IP address instead of wan1’s IP address and rejects the request. If link sticking had b[...]

  • Page 274

    Since WAN 2 has a smaller load balancing index (meaning that it is less utilized than WAN 1), the ZyWALL will send the subsequent new session traffic through WAN 2. Weighted Round Robin The Weighted Round Robin (WRR) algorithm is best suited for situations when the bandwidths set for th[...]

  • Page 275

    interface. This fully utilizes the bandwidth of the first interface to reduce Internet usage fees and avoid overloading the interface. In this example figure, the upper threshold of the first interface is set to 800K. The ZyWALL sends network traffic of new sessions that exceed this limit to t[...]

  • Page 276

    12.2 The Trunk Summary Screen Click Configuration > Network > Interface > Trunk to open the Trunk screen. This screen lists the configured trunks and the load balancing algorithm that each is configured to use. Figure 172 Configuration > Network > Interface > Trunk Th[...]

  • Page 277

    12.3 Configuring a Trunk Click Configuration > Network > Interface > Trunk and then the Add (or Edit) icon to open the Trunk Edit screen. Use this screen to create or edit a WAN trunk entry. Figure 173 Configuration > Network > Interface > Trunk > Add (or Edit) Enable [...]

  • Page 278

    Each field is described in the table below. Table 75 Configuration > Network > Interface > Trunk > Add (or Edit) LABEL DESCRIPTION Name This is read-only if you are editing an existing trunk. When adding a new trunk, enter a descriptive name for this trunk. You may use 1-31 al[...]

  • Page 279

    12.4 Trunk Technical Reference Round Robin Load Balancing Algorithm Round Robin scheduling services queues on a rotating basis and is activated only when an interface has more traffic than it can handle. A queue is given an amount of bandwidth irrespective of the incoming traffic on that [...]

  • Page 280


  • Page 281

    CHAPTER 13 Policy and Static Routes 13.1 Policy and Static Routes Overview Use policy routes and static routes to override the ZyWALL’s default routing behavior in order to send packets through the appropriate interface or VPN tunnel. For example, the next figure shows a computer (A) connected to the Z[...]

  • Page 282

    • Use the Static Route screens (see Section 13.3 on page 291) to list and configure static routes. 13.1.2 What You Need to Know Policy Routing Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet.[...]

  • Page 283

    Policy Routes Versus Static Routes • Policy routes are more flexible than static routes. You can select more criteria for the traffic to match and can also use schedules, NAT, and bandwidth management. • Policy routes are only used within the ZyWALL itself. Sta[...]

  • Page 284

    Finding Out More • See Section 6.5.6 on page 97 for related information on the policy route screens. • See Section 7.12 on page 152 for an example of creating a policy route for using multiple static public WAN IP addresses for LAN to WAN traffic. • See Section 13.4 on [...]

  • Page 285

    The following table describes the labels in this screen. Table 76 Configuration > Network > Routing > Policy Route LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields. Enable B[...]

  • Page 286

    DSCP Code This is the DSCP value of incoming packets to which this policy route applies. any means all DSCP values or no DSCP marker. default means traffic with a DSCP value of 0. This is usually best effort traffic. The “af” entries stand for Assured Forwarding. The numb[...]

  • Page 287

    13.2.1 Policy Route Edit Screen Click Configuration > Network > Routing to open the Policy Route screen. Then click the Add or Edit icon to open the Policy Route Edit screen. Use this screen to configure or edit a policy route. Figure 176 Configuration > Network > R[...]

  • Page 288

    Incoming Select where the packets are coming from; any, an interface, a tunnel, an SSL VPN, or the ZyWALL itself. For an interface, a tunnel, or an SSL VPN, you also need to select the individual interface, VPN tunnel, or SSL VPN connection. Source Address Select a source I[...]

  • Page 289

    VPN Tunnel This field displays when you select VPN Tunnel in the Type field. Select a VPN tunnel through which the packets are sent to the remote network that is connected to the ZyWALL directly. Auto Destination Address This field displays when you select VPN Tunnel in the T[...]

  • Page 290

    Source Network Address Translation Select none to not use NAT for the route. Select outgoing-interface to use the IP address of the outgoing interface as the source IP address of the packets that match this route. If you select outgoing-interface, you can also configure por[...]

  • Page 291

    13.3 IP Static Route Screen Click Configuration > Network > Routing > Static Route to open the Static Route screen. This screen displays the configured static routes. Configure static routes to be able to use RIP or OSPF to propagate the routing information to other [...]

  • Page 292

    The following table describes the labels in this screen. 13.3.1 Static Route Add/Edit Screen Select a static route index number and click Add or Edit. The screen shown next appears. Use this screen to configure the required information for a static route. Figure 178 Configu[...]

  • Page 293

    13.4 Policy Routing Technical Reference Here is more detailed information about some of the features you can configure in policy routing. NAT and SNAT NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address in a packet in one network to a dif[...]

  • Page 294

    following twelve DSCP encodings from AF11 through AF43. The decimal equivalent is listed in brackets. Port Triggering Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding, you set th[...]

  • Page 295

    3 Computer A and game server 1 are connected to each other until the connection is closed or times out. Any other computers (such as B or C) cannot connect to remote server 1 using the same port triggering rule as computer A unless they are using a different next hop (gateway [...]

  • Page 296


  • Page 297

    CHAPTER 14 Routing Protocols 14.1 Routing Protocols Overview Routing protocols give the ZyWALL routing information about the network from other routers. The ZyWALL stores this routing information in the routing table it uses to make routing decisions. In turn, the ZyWALL can also use routing protocols to pro[...]

  • Page 298

    14.2 The RIP Screen RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a device to exchange routing information with other routers. RIP is a vector-space routing protocol, and, like most such protocols, it uses hop count to decide which route is the shortest. Unfortunate[...]

  • Page 299

    The following table describes the labels in this screen. 14.3 The OSPF Screen OSPF (Open Shortest Path First, RFC 2328) is a link-state protocol designed to distribute routing information within a group of networks, called an Autonomous Table 82 Configuration > Network > Rout[...]

  • Page 300

    System (AS). OSPF offers some advantages over vector-space routing protocols like RIP. • OSPF supports variable-length subnet masks, which can be set up to use available IP addresses more efficiently. • OSPF filters and summarizes routing information, which reduces the size o[...]

  • Page 301

    Each type of area is illustrated in the following figure. Figure 181 OSPF: Types of Areas This OSPF AS consists of four areas, areas 0-3. Area 0 is always the backbone. In this example, areas 1, 2, and 3 are all connected to it. Area 1 is a normal area. It has routing[...]

  • Page 302

    • An Autonomous System Boundary Router (ASBR) exchanges routing information with routers in networks outside the OSPF AS. This is called redistribution in OSPF. • A backbone router (BR) has at least one interface with area 0. By default, every router in area 0 is a backbone route[...]

  • Page 303

    to logically connect the area to the backbone. This is illustrated in the following example. Figure 183 OSPF: Virtual Link In this example, area 100 does not have a direct connection to the backbone. As a result, you should set up a virtual link on both ABRs in area 10. The virtual l[...]

  • Page 304

    Click Configuration > Network > Routing > OSPF to open the following screen. Figure 184 Configuration > Network > Routing > OSPF The following table describes the labels in this screen. See Section 14.3.2 on page 306 for more information as well. Table 84 Configurat[...]

  • Page 305

    Type Select how OSPF calculates the cost associated with routing information from static routes. Choices are: Type 1 and Type 2. Type 1 - cost = OSPF AS cost + external cost (Metric) Type 2 - cost = external cost (Metric); the OSPF AS cost is ignored. Metric Type the external[...]

  • Page 306

    14.3.2 OSPF Area Add/Edit Screen The OSPF Area Add/Edit screen allows you to create a new area or edit an existing one. To access this screen, go to the OSPF summary screen (see Section 14.3 on page 299), and click either the Add icon or an Edit icon. Figure 185 Configuration > Net[...]

  • Page 307

    14.3.3 Virtual Link Add/Edit Screen The Virtual Link Add/Edit screen allows you to create a new virtual link or edit an existing one. When the OSPF add or edit screen (see Section 14.3.2 on page Text Authentication Key This field is available if the Authentication is Text. Type t[...]

  • Page 308

    306) has the Type set to Normal, a Virtual Link table displays. Click either the Add icon or an entry and the Edit icon to display a screen like the following. Figure 186 Configuration > Network > Routing > OSPF > Add > Add The following table describes the labels i[...]

  • Page 309

    Authentication Types Authentication is used to guarantee the integrity, but not the confidentiality, of routing updates. The transmitting router uses its key to encrypt the original message into a smaller message, and the smaller message is transmitted with the original message.[...]

  • Page 310


  • Page 311

    CHAPTER 15 Zones 15.1 Zones Overview Set up zones to configure network security and network policies in the ZyWALL. A zone is a group of interfaces and/or VPN tunnels. The ZyWALL uses zones instead of interfaces in many security and policy settings, such as firewall rules, Anti-X, and remote management[...]

  • Page 312

    15.1.2 What You Need to Know Effects of Zones on Different Types of Traffic Zones effectively divide traffic into three types--intra-zone traffic, inter-zone traffic, and extra-zone traffic--which are affected differently by zone-based security and policy settings. Intra-zone Traf[...]

  • Page 313

    15.2 The Zone Screen The Zone screen provides a summary of all zones. In addition, this screen allows you to add, edit, and remove zones. To access this screen, click Configuration > Network > Zone. Configuration > Network > Zone The following table describes the labels in this sc[...]

  • Page 314

    15.3 Zone Edit The Zone Edit screen allows you to add or edit a zone. To access this screen, go to the Zone screen (see Section 15.2 on page 313), and click the Add icon or an Edit icon. Figure 188 Network > Zone > Add The following table describes the labels in this screen. Table 88[...]

  • Page 315

    CHAPTER 16 DDNS 16.1 DDNS Overview Dynamic DNS (DDNS) services let you use a domain name with a dynamic IP address. 16.1.1 What You Can Do in this Chapter • Use the DDNS screen (see Section 16.2 on page 316) to view a list of the configured DDNS domain names and their details. • Use the DDNS Add/Edit s[...]

  • Page 316

    Note: Record your DDNS account’s user name, password, and domain name to use to configure the ZyWALL. After you configure the ZyWALL, it automatically sends updated IP addresses to the DDNS service provider, which helps redirect traffic accordingly. Finding Out More See Section 6.5.9 o[...]

  • Page 317

    Primary Interface/IP This field displays the interface to use for updating the IP address mapped to the domain name followed by how the ZyWALL determines the IP address for the domain name. from interface - The IP address comes from the specified interface. auto detected - The DDNS server checks the[...]

  • Page 318

    16.2.1 The Dynamic DNS Add/Edit Screen The DDNS Add/Edit screen allows you to add a domain name to the ZyWALL or to edit the configuration of an existing domain name. Click Configuration > Network > DDNS and then an Add or Edit icon to open this screen. Figure 190 Configuration > Network [...]

  • Page 319

    Username Type the user name used when you registered your domain name. You can use up to 31 alphanumeric characters and the underscore. Spaces are not allowed. For a Dynu DDNS entry, this user name is the one you use for logging into the service, not the name recorded in your personal informati[...]

  • Page 320

    IP Address The options available in this field vary by DDNS provider. Interface - The ZyWALL uses the IP address of the specified interface. This option appears when you select a specific interface in the Backup Binding Address Interface field. Auto - The DDNS server checks the source IP addre[...]

  • Page 321

    CHAPTER 17 NAT 17.1 NAT Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network, is changed to a different IP address known within another network. Use Network Addres[...]

  • Page 322

    17.1.2 What You Need to Know NAT is also known as virtual server, port forwarding, or port translation. Finding Out More • See Section 6.5.10 on page 99 for related information on these screens. • See Section 17.3 on page 327 for technical background information related to these screens. [...]

  • Page 323

    Remove To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate. # This field is a sequential value, and it is n[...]

  • Page 324

    17.2.1 The NAT Add/Edit Screen The NAT Add/Edit screen lets you create new NAT rules and edit existing ones. To open this window, open the NAT summary screen. (See Section 17.2 on page 322.) Then, click on an Add icon or Edit icon to open the following screen. Figure 193 Configuration > Netwo[...]

  • Page 325

    Classification Select what kind of NAT this rule is to perform. Virtual Server - This makes computers on a private network behind the ZyWALL available to a public network outside the ZyWALL (like the Internet). 1:1 NAT - If the private network server will initiate sessions to the outside clie[...]

  • Page 326

    Mapped IP Subnet/Range This field displays for Many 1:1 NAT. Select to which translated destination IP address subnet or IP address range this NAT rule forwards packets. The original and mapped IP address subnets or ranges must have the same number of IP addresses. Port Mapping Type Use t[...]

  • Page 327

    17.3 NAT Technical Reference Here is more detailed information about NAT on the ZyWALL. NAT Loopback Suppose a NAT 1:1 rule maps a public IP address to the private IP address of a LAN SMTP e-mail server to give WAN users access. NAT loopback allows other users to also use the rule’s orig[...]

  • Page 328

    For example, a LAN user’s computer at IP address 192.168.1.89 queries a public DNS server to resolve the SMTP server’s domain name (xxx.LAN-SMTP.com in this example) and gets the SMTP server’s mapped public IP address of 1.1.1.1. Figure 194 LAN Computer Queries a Public DNS Server The LAN[...]

  • Page 329

    SMTP server replied directly to the LAN user without the traffic going through NAT, the source would not match the original destination address, which would cause the LAN user’s computer to shut down the session. Figure 196 LAN to LAN Return Traffic[...]

  • Page 330


  • Page 331

    CHAPTER 18 HTTP Redirect 18.1 Overview HTTP redirect forwards the client’s HTTP request (except HTTP traffic destined for the ZyWALL) to a web proxy server. In the following example, proxy server A is connected to the DMZ interface. When a client connected to the LAN1 zone wants to open a web page, its H[...]

  • Page 332

    18.1.2 What You Need to Know Web Proxy Server A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services. A proxy server can act as a firewall or an ALG (application layer gateway) between the private network and the Int[...]

  • Page 333

    • an application patrol rule to allow HTTP traffic between dmz and wan1. • a policy route to forward HTTP traffic from proxy server A to the Internet. Finding Out More See Section 6.5.11 on page 99 for related information on these screens. 18.2 The HTTP Redirect Screen To configu[...]

  • Page 334

    18.2.1 The HTTP Redirect Edit Screen Click Network > HTTP Redirect to open the HTTP Redirect screen. Then click the Add or Edit icon to open the HTTP Redirect Edit screen where you can configure the rule. Figure 199 Network > HTTP Redirect > Edit The following table describes t[...]

  • Page 335

    CHAPTER 19 ALG 19.1 ALG Overview Application Layer Gateway (ALG) allows the following applications to operate properly through the ZyWALL’s NAT. • SIP - Session Initiation Protocol (SIP) - An application-layer protocol that can be used to create voice and multimedia sessions over the Internet. • H.323 - [...]

  • Page 336

    19.1.2 What You Need to Know Application Layer Gateway (ALG), NAT and Firewall The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain NAT un-friendly applications (such as SIP) to operate properly through the ZyWALL’s NAT and firewall. The ZyWALL dynamically create[...]

  • Page 337

    • There should be only one SIP server (total) on the ZyWALL’s private networks. Any other SIP servers must be on the WAN. So for example you could have a Back-to-Back User Agent such as the IPPBX x6004 or an asterisk PBX on the DMZ or on the LAN but not on both. • Using the SIP ALG allo[...]

  • Page 338

    can receive incoming calls from the Internet, LAN IP addresses B and C can still make calls out to the Internet. Figure 202 VoIP Calls from the WAN with Multiple Outgoing Calls VoIP with Multiple WAN IP Addresses With multiple WAN IP addresses on the ZyWALL, you can configure different firewa[...]

  • Page 339

    • See Section 19.3 on page 341 for ALG background/technical information. 19.1.3 Before You Begin You must also configure the firewall and enable NAT in the ZyWALL to allow sessions initiated from the WAN. 19.2 The ALG Screen Click Configuration > Network > ALG to open the ALG screen. Use[...]

  • Page 340

    The following table describes the labels in this screen. Table 96 Configuration > Network > ALG LABEL DESCRIPTION Enable SIP ALG Turn on the SIP ALG to detect SIP traffic and help build SIP sessions through the ZyWALL’s NAT. Enabling the SIP ALG also allows you to use the application p[...]

  • Page 341

    19.3 ALG Technical Reference Here is more detailed information about the Application Layer Gateway. ALG Some applications cannot operate through NAT (are NAT un-friendly) because they embed IP addresses and port numbers in their packets’ data payload. The ZyWALL examines and uses IP addres[...]

  • Page 342

    connections to the second (passive) interface when the active interface’s connection goes down. When the active interface’s connection fails, the client needs to re-initialize the connection through the second interface (that was set to passive) in order to have the connection go through [...]

  • Page 343

    CHAPTER 20 IP/MAC Binding 20.1 IP/MAC Binding Overview IP address to MAC address binding helps ensure that only the intended devices get to use privileged IP addresses. The ZyWALL uses DHCP to assign IP addresses and records the MAC address to which it assigned each IP address. The ZyWALL then checks incoming connection[...]

  • Page 344

    20.1.2 What You Need to Know DHCP IP/MAC address bindings are based on the ZyWALL’s dynamic and static DHCP entries. Interfaces Used With IP/MAC Binding IP/MAC address bindings are grouped by interface. You can use IP/MAC binding with Ethernet, bridge, and VLAN interfaces. You can al[...]

  • Page 345

    20.2.1 IP/MAC Binding Edit Click Configuration > Network > IP/MAC Binding > Edit to open the IP/MAC Binding Edit screen. Use this screen to configure an interface’s IP to MAC address binding settings. Figure 207 Configuration > Network > IP/MAC Binding > Edit The foll[...]

  • Page 346

20.2.2 Static DHCP Edit Click Configuration > Network > IP/MAC Binding > Edit to open the IP/MAC Binding Edit screen. Click the Add or Edit icon to open the following screen. Use this screen to configure an interface's IP to MAC address binding settings. Figure 208 Configur[...]

  • Page 347

20.3 IP/MAC Binding Exempt List Click Configuration > Network > IP/MAC Binding > Exempt List to open the IP/MAC Binding Exempt List screen. Use this screen to configure ranges of IP addresses to which the ZyWALL does not apply IP/MAC binding. Figure 209 Configuration >[...]
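The check the chapter describes (an IP-to-MAC table built from dynamic and static DHCP entries, applied per interface, with exempt IP ranges that bypass it) can be modelled in a few lines. The following is an added illustration, not ZyXEL code; the DHCP lease lines are constructed, and the decision to drop packets from source IPs that have no binding at all is an assumption made here rather than something the excerpt states.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample of what a DHCP lease table might contain (not from the manual):
# interface, leased IP, client MAC, kind ("dynamic" or "static").
SAMPLE_LEASES = [
    ("lan1", "192.168.1.33", "00:11:22:33:44:55", "dynamic"),
    ("lan1", "192.168.1.10", "00:aa:bb:cc:dd:ee", "static"),
    ("dmz",  "10.0.0.5",     "00:de:ad:be:ef:01", "static"),
]


@dataclass
class IpMacBindingTable:
    """Bindings for one interface: IP -> MAC learned from DHCP entries,
    plus exempt IP ranges to which the binding check is not applied."""
    interface: str
    bindings: dict = field(default_factory=dict)
    exempt: list = field(default_factory=list)

    def learn(self, ip, mac):
        """Record the MAC that was assigned a given IP (dynamic or static entry)."""
        self.bindings[ipaddress.ip_address(ip)] = mac.lower()

    def add_exempt_range(self, first, last):
        """Exempt list entry: an inclusive range of IPs that is never checked."""
        self.exempt.append((ipaddress.ip_address(first), ipaddress.ip_address(last)))

    def is_exempt(self, ip):
        ip = ipaddress.ip_address(ip)
        return any(lo <= ip <= hi for lo, hi in self.exempt)

    def check_packet(self, src_ip, src_mac):
        """Return (verdict, reason) for an incoming packet on this interface.

        Exempt addresses pass untouched. A bound IP arriving from a different
        MAC is dropped (that is the spoofing case the feature exists for).
        Assumption: an IP with no binding at all is also dropped.
        """
        ip = ipaddress.ip_address(src_ip)
        if self.is_exempt(ip):
            return "pass", "source IP is in an exempt range"
        bound_mac = self.bindings.get(ip)
        if bound_mac is None:
            return "drop", "no IP/MAC binding for source IP"
        if bound_mac != src_mac.lower():
            return "drop", f"source MAC does not match bound MAC {bound_mac}"
        return "pass", "IP/MAC binding matches"


def build_tables(leases):
    """Group DHCP entries by interface, as the ZyWALL groups bindings."""
    tables = {}
    for iface, ip, mac, _kind in leases:
        tables.setdefault(iface, IpMacBindingTable(iface)).learn(ip, mac)
    return tables


if __name__ == "__main__":
    lan1 = build_tables(SAMPLE_LEASES)["lan1"]
    lan1.add_exempt_range("192.168.1.200", "192.168.1.250")
    for ip, mac in [("192.168.1.33", "00:11:22:33:44:55"),
                    ("192.168.1.33", "66:77:88:99:aa:bb"),
                    ("192.168.1.210", "66:77:88:99:aa:bb")]:
        print(ip, mac, lan1.check_packet(ip, mac))
```

The second lookup in the `__main__` block is the case the overview is about: the privileged address 192.168.1.33 presented from a MAC other than the one DHCP handed it to, which the table rejects.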


  • Page 349

CHAPTER 21 Authentication Policy 21.1 Overview Use authentication policies to control who can access the network. You can authenticate users (require them to log in) and even perform Endpoint Security (EPS) checking to make sure users' computers comply with defined corporate policies before they can access t[...]

  • Page 350

21.1.2 What You Need to Know Authentication Policy and VPN Authentication policies are applied based on a traffic flow's source and destination IP addresses. If VPN traffic matches an authentication policy's source and destination IP addresses, the user must pass authe[...]

  • Page 351

Click Configuration > Auth. Policy to display the screen. Figure 211 Configuration > Auth. Policy[...]

  • Page 352

The following table gives an overview of the objects you can configure. Table 101 Configuration > Auth. Policy LABEL DESCRIPTION Enable Authentication Policy Select this to turn on the authentication policy feature. Exceptional Services Use this table to list services that [...]

  • Page 353

21.2.1 Creating/Editing an Authentication Policy Click Configuration > Auth. Policy and then the Add (or Edit) icon to open the Endpoint Security Edit screen. Use this screen to configure an authentication policy. Status This icon is lit when the entry is active and dimmed when [...]

  • Page 354

Figure 213 Configuration > Auth. Policy > Add The following table gives an overview of the objects you can configure. Table 102 Configuration > Auth. Policy > Add LABEL DESCRIPTION Create new Object Use to configure any new settings objects that you need to use in[...]

  • Page 355

Schedule Select a schedule that defines when the policy applies. Otherwise, select none and the rule is always effective. This is none and not configurable for the default policy. Authentication Select the authentication requirement for users when their traffic matches this policy[...]


  • Page 357

CHAPTER 22 Firewall 22.1 Overview Use the firewall to block or allow services that use static port numbers. Use application patrol (see Chapter 28 on page 437) to control services using flexible/dynamic port numbers. The firewall can also limit the number of user sessions. This figure shows the ZyWALL's d[...]

  • Page 358

22.1.2 What You Need to Know Stateful Inspection The ZyWALL has a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It also inspects sessions. For example, traffic from one zone is not allowed unless it is initiated b[...]

  • Page 359

• The ZyWALL drops most packets from the WAN zone to the ZyWALL itself, except for ESP/AH/IKE/NATT/HTTPS services for VPN tunnels, and generates a log.
• The ZyWALL drops most packets from the DMZ zone to the ZyWALL itself, except for DNS and NetBIOS traffic, and generates a lo[...]

  • Page 360

Firewall and VPN Traffic After you create a VPN tunnel and add it to a zone, you can set the firewall rules applied to VPN traffic. If you add a VPN tunnel to an existing zone (the LAN1 zone for example), you can configure a new LAN1 to LAN1 firewall rule or use intra-zone traffic [...]

  • Page 361

the firewall rule to always be in effect. The following figure shows the results of this rule. Figure 215 Blocking All LAN to WAN IRC Traffic Example Your firewall would have the following rules.
• The first row blocks LAN access to the IRC service on the WAN.
• The second row is the fir[...]

  • Page 362

Now you configure a LAN1 to WAN firewall rule that allows IRC traffic from the IP address of the CEO's computer (192.168.1.7 for example) to go to any destination address. You do not need to specify a schedule since you want the firewall rule to always be in effect. The following figure [...]

  • Page 363

• The first row allows any LAN1 computer to access the IRC service on the WAN by logging into the ZyWALL with the CEO's user name.
• The second row blocks LAN1 access to the IRC service on the WAN.
• The third row is the firewall's default policy of allowing all traffic from the [...]
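The IRC example above depends entirely on rule order: the firewall walks the LAN1-to-WAN rules in sequence and the first match decides, so the CEO's allow rule must sit above the general IRC block or it is never reached. The following added example (not ZyXEL code) models that first-match evaluation with the three rows from the example and includes a small shadowing check that reports rules an earlier, broader rule makes unreachable. The zone, user and service names are taken from the example; the packet objects and the `(None, "deny")` result for traffic that matches no rule are assumptions of this model, since the real device applies its own per-direction default.

```python
from dataclasses import dataclass

MATCH_FIELDS = ("user", "source", "service")


@dataclass(frozen=True)
class Rule:
    from_zone: str
    to_zone: str
    action: str            # "allow" or "deny"
    user: str = "any"      # user name the sender must be logged in as, or "any"
    source: str = "any"    # single source IP, or "any"
    service: str = "any"   # service object name, or "any"


@dataclass(frozen=True)
class Packet:
    from_zone: str
    to_zone: str
    source: str
    service: str
    user: str = "unknown"  # user logged in from this source address, if any


def _field_matches(rule_value, packet_value):
    return rule_value == "any" or rule_value == packet_value


def evaluate(rules, pkt):
    """Return (1-based row number, action) of the first matching rule,
    or (None, "deny") if no rule in this direction matches (assumption)."""
    for row, rule in enumerate(rules, start=1):
        if (rule.from_zone, rule.to_zone) != (pkt.from_zone, pkt.to_zone):
            continue
        if all(_field_matches(getattr(rule, f), getattr(pkt, f)) for f in MATCH_FIELDS):
            return row, rule.action
    return None, "deny"


def covers(earlier, later):
    """True when every packet the later rule could match is already
    matched by the earlier rule, i.e. the later rule can never fire."""
    if (earlier.from_zone, earlier.to_zone) != (later.from_zone, later.to_zone):
        return False
    return all(getattr(earlier, f) == "any" or getattr(earlier, f) == getattr(later, f)
               for f in MATCH_FIELDS)


def shadowed_rules(rules):
    """Row numbers of rules that an earlier rule completely shadows."""
    return [j + 1 for j in range(len(rules))
            if any(covers(rules[i], rules[j]) for i in range(j))]


# The three rows of the manual's example, in the order the text gives them.
CEO_RULES = [
    Rule("LAN1", "WAN", "allow", user="ceo", service="IRC"),  # row 1: CEO may use IRC
    Rule("LAN1", "WAN", "deny", service="IRC"),               # row 2: everyone else blocked
    Rule("LAN1", "WAN", "allow"),                             # row 3: default LAN1 to WAN policy
]

if __name__ == "__main__":
    ceo_irc = Packet("LAN1", "WAN", "192.168.1.7", "IRC", user="ceo")
    print("CEO IRC, correct order:", evaluate(CEO_RULES, ceo_irc))
    swapped = [CEO_RULES[1], CEO_RULES[0], CEO_RULES[2]]
    print("CEO IRC, block first:  ", evaluate(swapped, ceo_irc))
    print("shadowed rows:", shadowed_rules(swapped))
```

Run as a script it prints the correct ordering allowing the CEO's IRC traffic at row 1, the swapped ordering denying it at row 1, and `[2]` as the row the swap made unreachable.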

  • Page 364

5 The screen for configuring a service object opens. Configure it as follows and click OK. Figure 219 Firewall Example: Create a Service Object 6 Select From WAN and To LAN1. 7 Enter the name of the firewall rule. 8 Select Dest_1 for the Destination and Doom as the Ser[...]

  • Page 365

9 The firewall rule appears in the firewall rule summary. Figure 221 Firewall Example: Doom Rule in Summary 22.2 The Firewall Screen Asymmetrical Routes If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL's LAN IP address, return traffic may not go through [...]

  • Page 366

4 The ZyWALL then sends it to the computer on the LAN1 in Subnet 1. Figure 222 Using Virtual Interfaces to Avoid Asymmetrical Routes 22.2.1 Configuring the Firewall Screen Click Configuration > Firewall to open the Firewall screen. Use this screen to enable or disable the firewall and as[...]

  • Page 367

• The ordering of your rules is very important as rules are applied in sequence. Figure 223 Configuration > Firewall The following table describes the labels in this screen. Table 107 Configuration > Firewall LABEL DESCRIPTION General Settings Enable Firewall Select this check box [...]

  • Page 368

From Zone / To Zone This is the direction of travel of packets. Select from which zone the packets come and to which zone they go. Firewall rules are grouped based on the direction of travel of packets to which they apply. For example, from LAN1 to LAN1 means packets traveling from a com[...]

  • Page 369

22.2.2 The Firewall Add/Edit Screen In the Firewall screen, click the Edit or Add icon to display the Firewall Rule Edit screen. Figure 224 Configuration > Firewall > Add The following table describes the labels in this screen. Service This displays the service object to which this fire[...]

  • Page 370

22.3 The Session Limit Screen Click Configuration > Firewall > Session Limit to display the Firewall Session Limit screen. Use this screen to limit the number of concurrent NAT/firewall sessions a client can use. You can apply a default limit for all users and Description Enter a descr[...]

  • Page 371

individual limits for specific users, addresses, or both. The individual limit takes priority if you apply both. Figure 225 Configuration > Firewall > Session Limit The following table describes the labels in this screen. Table 109 Configuration > Firewall > Session Limit LABEL D[...]

  • Page 372

22.3.1 The Session Limit Add/Edit Screen Click Configuration > Firewall > Session Limit and the Add or Edit icon to display the Firewall Session Limit Edit screen. Use this screen to configure rules that define a session limit for specific users or addresses. Figure 226 Configuration >[...]

  • Page 373

User Select a user name or user group to which to apply the rule. The rule is activated only when the specified user logs into the system and the rule will be disabled when the user logs out. Otherwise, select any and there is no need for the user to log in. Note: If you specified an IP address (or add[...]


  • Page 375

CHAPTER 23 IPSec VPN 23.1 IPSec VPN Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing. It is used to transport traffic over t[...]

  • Page 376

• Use the VPN Gateway screens (see Section 23.2.1 on page 380) to manage the ZyWALL's VPN gateways. A VPN gateway specifies the IPSec routers at either end of a VPN tunnel and the IKE SA settings (phase 1 settings). You can also activate and deactivate each VPN gateway. 23.1.2 Wh[...]

  • Page 377

Application Scenarios The ZyWALL's application scenarios make it easier to configure your VPN connection settings. Finding Out More • See Section 6.5.15 on page 102 for related information on these screens. Table 111 IPSec VPN Application Scenarios SITE-TO-SITE SITE-TO-SITE WITH DYNAM[...]

  • Page 378

• See Section 23.4 on page 399 for IPSec VPN background information.
• See Section 5.4 on page 76 for the IPSec VPN quick setup wizard.
• See Section 7.4 on page 118 for an example of configuring IPSec VPN.
23.1.3 Before You Begin This section briefly explains the relationship between [...]

  • Page 379

SA). Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order. Figure 229 Configuration > VPN > IPSec VPN > VPN Connection Each field is discussed in the following table. See Section 23.2.2 on pa[...]

  • Page 380

23.2.1 The VPN Connection Add/Edit (IKE) Screen The VPN Connection Add/Edit Gateway screen allows you to create a new VPN connection policy or edit an existing one. To access this screen, go to the Configuration > VPN Connection screen (see Section 23.2 on page 378), and click either the Ad[...]

  • Page 381

Figure 230 Configuration > VPN > IPSec VPN > VPN Connection > Edit (IKE)[...]

  • Page 382

Each field is described in the following table. Table 113 Configuration > VPN > IPSec VPN > VPN Connection > Edit LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields. Create new Object Use[...]

  • Page 383

Manual Key Select this option to configure a VPN connection policy that uses a manual key instead of IKE key management. This may be useful if you have problems with IKE key management. See Section 23.2.2 on page 387 for how to configure the manual key fields. Note: Only use manual key as a[...]

  • Page 384

Remove Select an entry and click this to delete it. # This field is a sequential value, and it is not associated with a specific proposal. The sequence of proposals should not affect performance significantly. Encryption This field is applicable when the Active Protocol is ESP. Select which k[...]

  • Page 385

Check Method Select how the ZyWALL checks the connection. The peer must be configured to respond to the method you select. Select icmp to have the ZyWALL regularly ping the address you specify to make sure traffic can still go through the connection. You may need to configure the peer to res[...]

  • Page 386

Inbound Traffic Source NAT This translation hides the source address of computers in the remote network. Source Select the address object that represents the original source address (or select Create Object to configure a new one). This is the address object for the remote network. The size o[...]

  • Page 387

23.2.2 The VPN Connection Add/Edit Manual Key Screen The VPN Connection Add/Edit Manual Key screen allows you to create a new VPN connection or edit an existing one using a manual key. This is useful if you have problems with IKE key management. To access this screen, go to the VPN Connecti[...]

  • Page 388

Secure Gateway Address Type the IP address of the remote IPSec router in the IPSec SA. SPI Type a unique SPI (Security Parameter Index) between 256 and 4095. The SPI is used to identify the ZyWALL during authentication. The ZyWALL and remote IPSec router must use the same SPI. Encapsulatio[...]

  • Page 389

Encryption Key This field is applicable when you select an Encryption Algorithm. Enter the encryption key, which depends on the encryption algorithm. DES - type a unique key 8-32 characters long 3DES - type a unique key 24-32 characters long AES128 - type a unique key 16-32 characters lo[...]

  • Page 390

23.3 The VPN Gateway Screen The VPN Gateway summary screen displays the IPSec VPN gateway policies in the ZyWALL, as well as the ZyWALL's address, remote IPSec router's address, and associated VPN connections for each one. In addition, it also lets you activate and deactivate[...]

  • Page 391

23.3.1 The VPN Gateway Add/Edit Screen The VPN Gateway Add/Edit screen allows you to create a new VPN gateway policy or edit an existing one. To access this screen, go to the VPN Gateway summary screen (see Section 23.3 on page 390), and click either the Add icon or an Edit icon. Apply Click[...]

  • Page 392

Figure 233 Configuration > VPN > IPSec VPN > VPN Gateway > Edit Each field is described in the following table. Table 116 Configuration > VPN > IPSec VPN > VPN Gateway > Edit LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display[...]

  • Page 393

My Address Select how the IP address of the ZyWALL in the IKE SA is defined. If you select Interface, select the Ethernet interface, VLAN interface, virtual Ethernet interface, virtual VLAN interface or PPPoE/PPTP interface. The IP address of the ZyWALL in the IKE SA is the IP address o[...]

  • Page 394

Certificate Select this to have the ZyWALL and remote IPSec router use certificates to authenticate each other when they negotiate the IKE SA. Then select the certificate the ZyWALL uses to identify itself to the remote IPSec router. This certificate is one of the certificates in My Certific[...]

  • Page 395

Peer ID Type Select which type of identification is used to identify the remote IPSec router during authentication. Choices are: IP - the remote IPSec router is identified by an IP address DNS - the remote IPSec router is identified by a domain name E-mail - the remote IPSec router is identi[...]

  • Page 396

Content This field is disabled if the Peer ID Type is Any. Type the identity of the remote IPSec router during authentication. The identity depends on the Peer ID Type. If the ZyWALL and remote IPSec router do not use certificates, IP - type an IP address; see the note at the end of this [...]

  • Page 397

Negotiation Mode Select the negotiation mode to use to negotiate the IKE SA. Choices are Main - this encrypts the ZyWALL's and remote IPSec router's identities but takes more time to establish the IKE SA Aggressive - this is faster but does not encrypt the identities The ZyWALL and t[...]

  • Page 398

NAT Traversal Select this if any of these conditions are satisfied.
• This IKE SA might be used to negotiate IPSec SAs that use ESP as the active protocol.
• There are one or more NAT routers between the ZyWALL and remote IPSec router, and these routers do not support IPSec pass-thru o[...]

  • Page 399

23.4 IPSec VPN Background Information Here is some more detailed IPSec VPN background information. IKE SA Overview The IKE SA provides a secure connection between the ZyWALL and remote IPSec router. It takes several steps to establish an IKE SA. The negotiation mode determines how many [...]

  • Page 400

The ZyWALL sends one or more proposals to the remote IPSec router. (In some devices, you can only set up one proposal.) Each proposal consists of an encryption algorithm, authentication algorithm, and DH key group that the ZyWALL wants to use in the IKE SA. The remote IPSec router selects[...]

  • Page 401

keys for the IKE SA and IPSec SA. In main mode, this is done in steps 3 and 4, as illustrated next. Figure 235 IKE SA: Main Negotiation Mode, Steps 3 - 4: DH Key Exchange DH public-key cryptography is based on DH key groups. Each key group is a fixed number of bits long. The longer th[...]

  • Page 402

Router identity consists of ID type and content. The ID type can be domain name, IP address, or e-mail address, and the content is a (properly-formatted) domain name, IP address, or e-mail address. The content is only used for identification. Any domain name or e-mail address that you enter [...]

  • Page 403

the identity of the remote IPSec router (for example, extended authentication) or if you are troubleshooting a VPN tunnel. Additional Topics for IKE SA This section provides more information about IKE SA. Negotiation Mode There are two negotiation modes--main mode and aggressive mode. M[...]

  • Page 404

If router A does NAT, it might change the IP addresses, port numbers, or both. If router X and router Y try to establish a VPN tunnel, the authentication fails because it depends on this information. The routers cannot establish a VPN tunnel. Most routers like router A now have an IPSec pass[...]

  • Page 405

Certificates It is possible for the ZyWALL and remote IPSec router to authenticate each other with certificates. In this case, you do not have to set up the pre-shared key, local identity, or remote identity because the certificates provide this information instead. • Instead of usin[...]

  • Page 406

Encapsulation There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is more secure. Transport mode is only used when the IPSec SA is used for communication between the ZyWALL and remote IPSec router (for example, for remote management), not between comput[...]

  • Page 407

If you enable PFS, the ZyWALL and remote IPSec router perform a DH key exchange every time an IPSec SA is established, changing the root key from which encryption keys are generated. As a result, if one encryption key is compromised, other encryption keys remain secure. If you do not ena[...]

  • Page 408

NAT for Inbound and Outbound Traffic The ZyWALL can translate the following types of network addresses in IPSec SA. • Source address in outbound packets - this translation is necessary if you want the ZyWALL to route packets from computers outside the local network through th[...]

  • Page 409

• Destination - the original destination address; the remote network (B).
• SNAT - the translated source address; the local network (A).
Source Address in Inbound Packets (Inbound Traffic, Source NAT) You can set up this translation if you want to change the source address of c[...]


  • Page 411

CHAPTER 24 SSL VPN 24.1 Overview Use SSL VPN to allow users to use a web browser for secure remote user login (the remote users do not need a VPN router or VPN client software). 24.1.1 What You Can Do in this Chapter • Use the VPN > SSL VPN > Access Privilege screens (see Section 24.2 on page 413) to [...]

  • Page 412

• apply Endpoint Security (EPS) checking to require users' computers to comply with defined corporate policies before they can access the SSL VPN tunnel.
• limit user access to specific applications or files on the network.
• allow user access to specific networks.
• assign privat[...]

  • Page 413

24.2 The SSL Access Privilege Screen Click VPN > SSL VPN to open the Access Privilege screen. This screen lists the configured SSL access policies. Figure 241 VPN > SSL VPN > Access Privilege The following table describes the labels in this screen. Table 120 VPN > SSL VPN > Access[...]

  • Page 414

24.2.1 The SSL Access Policy Add/Edit Screen To create a new or edit an existing SSL access policy, click the Add or Edit icon in the Access Privilege screen. Figure 242 VPN > SSL VPN > Access Privilege > Add/Edit Apply Click Apply to save the settings. Reset Click Reset to discard all[...]

  • Page 415

The following table describes the labels in this screen. Table 121 VPN > SSL VPN > Access Privilege > Add/Edit LABEL DESCRIPTION Create new Object Use to configure any new settings objects that you need to use in this screen. Configuration Enable Policy Select this option to activate [...]

  • Page 416

24.3 The SSL Global Setting Screen Click VPN > SSL VPN and click the Global Setting tab to display the following screen. Use this screen to set the IP address of the ZyWALL (or a gateway device) SSL Application List (Optional) The Selectable Application Objects list displays the name(s) o[...]

  • Page 417

on your network for full tunnel mode access, enter access messages or upload a custom logo to be displayed on the remote user screen. Figure 243 VPN > SSL VPN > Global Setting The following table describes the labels in this screen. Table 122 VPN > SSL VPN > Global Setting LABEL [...]

  • Page 418

24.3.1 How to Upload a Custom Logo Follow the steps below to upload a custom logo to display on the remote user SSL VPN screens. 1 Click VPN > SSL VPN and click the Global Setting tab to display the configuration screen. 2 Click Browse to locate the logo graphic. Make sure the file is i[...]

  • Page 419

The following shows an example logo on the remote user screen. Figure 244 Example Logo Graphic Display 24.4 Establishing an SSL VPN Connection After you have configured the SSL VPN settings on the ZyWALL, use the ZyWALL login screen's SSL VPN button to establish an SSL VPN connection. S[...]

  • Page 420

2 SSL VPN connection starts. This may take several minutes depending on your network connection. Once the connection is up, you should see the client portal screen. The following shows an example. Figure 246 SSL VPN Client Portal Screen Example If the user account is not set up for SSL VPN acc[...]

  • Page 421

CHAPTER 25 SSL User Screens 25.1 Overview This chapter introduces the remote user SSL VPN screens. The following figure shows a network example where a remote user (A) logs into the ZyWALL from the Internet to access the web server (WWW) on the local network. Figure 247 Network Example 25.1.1 What You Ne[...]

  • Page 422

System Requirements Here are the browser and computer system requirements for remote user access.
• Windows 7 (32 or 64-bit), Vista (32 or 64-bit), 2003 (32-bit), XP (32-bit), or 2000 (32-bit)
• Internet Explorer 7 and above or Firefox 1.5 and above
• Using RDP requires Internet [...]

  • Page 423

1 Open a web browser and enter the web site address or IP address of the ZyWALL. For example, "http://sslvpn.mycompany.com". Figure 248 Enter the Address in a Web Browser 2 Click OK or Yes if a security screen displays. Figure 249 Login Security Screen 3 A login screen displays[...]

  • Page 424

5 Your computer starts establishing a secure connection to the ZyWALL after a successful login. This may take up to two minutes. If you get a message about needing Java, download and install it and restart your browser and re-login. If a certificate warning screen displays, click [...]

  • Page 425

7 The ZyWALL tries to install the SecuExtender client. You may need to click a pop-up to get your browser to allow this. In Internet Explorer, click Install. Figure 253 SecuExtender Blocked by Internet Explorer 8 The ZyWALL tries to run the "ssltun" application. You may [...]

  • Page 426

10 If a screen like the following displays, click Continue Anyway to finish installing the SecuExtender client on your computer. Figure 256 Hardware Installation Warning 11 The Application screen displays showing the list of resources available to you. See Figure 257 on page 427 fo[...]

  • Page 427

25.3 The SSL VPN User Screens This section describes the main elements in the remote user screens. Figure 257 Remote User Screen The following table describes the various parts of a remote user screen. Table 123 Remote User Screen Overview # DESCRIPTION 1 Click on a menu tab to go to[...]

  • Page 428

25.4 Bookmarking the ZyWALL You can create a bookmark of the ZyWALL by clicking the Add to Favorite icon. This allows you to access the ZyWALL using the bookmark without having to enter the address every time. 1 In any remote user screen, click the Add to Favorite icon. 2 A screen [...]

  • Page 429

3 An information screen displays to indicate that the SSL VPN connection is about to terminate. Figure 260 Logout: Connection Termination Progress[...]


  • Page 431

CHAPTER 26 SSL User Application Screens 26.1 SSL User Application Screens Overview Use the Application screen to access web-based applications (such as web sites and e-mail) on the network through the SSL VPN connection. Which applications you can access depends on the ZyWALL's configuration. 26.2 Th[...]


  • Page 433

CHAPTER 27 ZyWALL SecuExtender The ZyWALL automatically loads the ZyWALL SecuExtender client program to your computer after a successful login. The ZyWALL SecuExtender lets you:
• Access servers, remote desktops and manage files as if you were on the local network.
• Use applications like e-mail, file t[...]

  • Page 434

27.2 Statistics Right-click the ZyWALL SecuExtender icon in the system tray and select Status to open the Status screen. Use this screen to view the ZyWALL SecuExtender's statistics. Figure 263 ZyWALL SecuExtender Status The following table describes the labels in this [...]

  • Page 435

27.3 View Log If you have problems with the ZyWALL SecuExtender, customer support may request you to provide information from the log. Right-click the ZyWALL SecuExtender icon in the system tray and select Log to open a notepad file of the ZyWALL SecuExtender's log. Fi[...]

  • Page 436

connected but not send any traffic through it until you right-click the icon and resume the connection. 27.5 Stop the Connection Right-click the icon and select Stop Connection to disconnect the SSL VPN tunnel. 27.6 Uninstalling the ZyWALL SecuExtender Do the following if you[...]

  • Page 437

CHAPTER 28 Application Patrol 28.1 Overview Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, HTTP and FTP) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP), and streaming (RTSP) applications.[...]

  • Page 438

28.1.2 What You Need to Know If you want to use a service, make sure both the firewall and application patrol allow the service's packets to go through the ZyWALL. Note: The ZyWALL checks firewall rules before it checks application patrol rules for traffic going through th[...]

  • Page 439

    numbers for SIP traffic. Likewise, configuring the SIP ALG to use custom port numbers for SIP traffic also configures application patrol to use the same port numbers for SIP traffic. DiffServ and DSCP Marking QoS is used to prioritize source-to-destination traffic flows. All pac[...]

  • Page 440

    • The outbound traffic flows from the connection initiator to the connection responder. • The inbound traffic flows from the connection responder to the connection initiator. For example, a LAN1 to WAN connection is initiated from LAN1 and goes to the WAN. • Outbound traf[...]

  • Page 441

    • Inbound traffic is limited to 500 kbps. The connection initiator is on the LAN1, so inbound means the traffic traveling from the WAN to the LAN1. Figure 268 LAN1 to WAN, Outbound 200 kbps, Inbound 500 kbps Bandwidth Management Priority • The ZyWALL gives bandwidth to higher [...]

  • Page 442

    outgoing speed of 1000 kbps. You configure policy A for server A’s traffic and policy B for server B’s traffic. Figure 269 Bandwidth Management Behavior Configured Rate Effect In the following table the configured rates total less than the available bandwidth and maximi[...]

  • Page 443

    So server A gets its configured rate of 300 kbps plus 250 kbps for a total of 550 kbps. Server B gets its configured rate of 200 kbps plus 250 kbps for a total of 450 kbps. Priority and Over Allotment of Bandwidth Effect Server A has a configured rate that equals the total amount of[...]
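The allocation arithmetic in the examples above (configured rate, priority, and borrowing unused bandwidth when maximize bandwidth usage is enabled) is easy to get wrong when several policies compete for one link. The following model is an added example, not ZyXEL's implementation: it reproduces the 1000 kbps case (policy A at 300 kbps and policy B at 200 kbps, both allowed to borrow, ending at 550 and 450 kbps) and extends it to over-allotment and mixed priorities. It assumes priority 1 is highest, that configured rates are granted highest priority first, and that leftover bandwidth goes to "maximize bandwidth usage" policies highest priority first and is shared equally within one priority; the equal split within a priority is my reading of the example, not a statement from the manual.

```python
"""Bandwidth management model for one interface direction (added example)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Policy:
    name: str
    rate_kbps: int          # configured (guaranteed) rate for matching traffic
    priority: int           # 1 = highest (assumed ZyWALL convention)
    maximize: bool = False  # "maximize bandwidth usage": may borrow unused bandwidth


def allocate(policies: List[Policy], link_kbps: int) -> Dict[str, int]:
    """Return the kbps each policy receives when every policy has traffic to send."""
    remaining = link_kbps
    alloc: Dict[str, int] = {}

    # Step 1: guarantee configured rates, highest priority first. When the
    # configured rates add up to more than the link, lower priority loses out.
    for p in sorted(policies, key=lambda pol: pol.priority):
        granted = min(p.rate_kbps, remaining)
        alloc[p.name] = granted
        remaining -= granted

    # Step 2: lend what is left to borrowers, highest priority first. Borrowers
    # of the same priority split the remainder evenly (assumption, see lead-in).
    borrowers = [p for p in policies if p.maximize]
    for prio in sorted({p.priority for p in borrowers}):
        if remaining <= 0:
            break
        group = [p for p in borrowers if p.priority == prio]
        share = remaining // len(group)
        for p in group:
            alloc[p.name] += share
        remaining -= share * len(group)
    return alloc


if __name__ == "__main__":
    # The manual's example: 1000 kbps link, A = 300 kbps, B = 200 kbps, both borrow.
    print(allocate([Policy("A", 300, 1, True), Policy("B", 200, 1, True)], 1000))
```

Run it with maximize turned off on both policies and each server is capped at its configured rate; give A a configured rate equal to the whole link and B receives nothing, which is the over-allotment case the manual goes on to describe.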

  • Page 444

    • HTTP traffic needs to be given priority over FTP traffic. • FTP traffic from the WAN to the DMZ must be limited so it does not interfere with SIP and HTTP traffic. • FTP traffic from the LAN1 to the DMZ can use more bandwidth since the interfaces support up to 1 Gbps c[...]

  • Page 445

    • Enable maximize bandwidth usage so the SIP traffic can borrow unused bandwidth. Figure 271 SIP Any to WAN Bandwidth Management Example 28.1.3.3 SIP WAN to Any Bandwidth Management Example You also create a policy for calls coming in from the SIP server on the WAN. It is the [...]

  • Page 446

    28.1.3.5 FTP WAN to DMZ Bandwidth Management Example • ADSL supports more downstream than upstream, so you allow remote users 300 kbps for uploads to the DMZ FTP server (outbound) but only 100 kbps for downloads (inbound). • Third highest priority (3). • Disable maximiz[...]

  • Page 447

    28.2 Application Patrol General Screen Use this screen to enable and disable application patrol. It also lists the registration status and details about the signature set the ZyWALL is using. Note: You must register for the IDP/AppPatrol signature service (at least the trial) bef[...]

  • Page 448

    28.3 Application Patrol Applications Use the application patrol Common, Instant Messenger, Peer to Peer, VoIP, or Streaming screen to manage traffic of individual applications. Use the Common screen (shown here as an example) to manage traffic of the most commonly used web, fi[...]

  • Page 449

    Click Configuration > App Patrol > Common to open the following screen. Figure 276 Configuration > App Patrol > Common The following table describes the labels in this screen. See Section 28.3.1 on page 449 for more information as well. 28.3.1 The Application Patrol Edit[...]

  • Page 450

    Streaming screen and click an application’s Edit icon. The screen displayed here is for the MSN instant messenger service. Figure 277 Application Edit The following table describes the labels in this screen. Table 131 Application Edit LABEL DESCRIPTION Service Enable Service Sel[...]

  • Page 451

    # This field is a sequential value, and it is not associated with a specific entry. Note: The ZyWALL checks ports in the order they appear in the list. While this sequence does not affect the functionality, you might improve the performance of the ZyWALL by putting more commonly u[...]

  • Page 452

    Access This field displays what the ZyWALL does with packets for this application that match this policy. forward - the ZyWALL routes the packets for this application. Drop - the ZyWALL does not route the packets for this application and does not notify the client of its decisio[...]

  • Page 453

    28.3.2 The Application Patrol Policy Edit Screen The Application Policy Edit screen allows you to edit a group of settings for an application. To access this screen, go to the application patrol Common, Instant Messenger, Peer to Peer, VoIP, or Streaming screen and click an applic[...]

  • Page 454

    Schedule Select a schedule that defines when the policy applies or select Create Object to configure a new one (see Chapter 38 on page 611 for details). Otherwise, select none to make the policy always effective. User Select a user name or user group to which to apply th[...]

  • Page 455

    Action Block For some applications, you can select individual uses of the application that the policy will have the ZyWALL block. These fields only apply when Access is set to forward. Login - Select this option to block users from logging in to a server for this application. Messa[...]

  • Page 456

    28.4 The Other Applications Screen Sometimes, the ZyWALL cannot identify the application. For example, the application might be a new application, or the packets might arrive out of sequence. (The ZyWALL does not reorder packets when identifying the application.) The Other (appl[...]

  • Page 457

    Click AppPatrol > Other to open the Other (applications) screen. Figure 279 AppPatrol > Other The following table describes the labels in this screen. See Section 28.4.1 on page 459 for more information as well. Table 133 AppPatrol > Other LABEL DESCRIPTION Add Click this t[...]

  • Page 458

    Destination This is the destination address or address group for whom this policy applies. If any displays, the policy is effective for every destination. Protocol This is the protocol of the traffic to which this policy applies. Access This field displays what the ZyWALL does with [...]

  • Page 459

    28.4.1 The Other Applications Add/Edit Screen The Other Configuration Add/Edit screen allows you to create a new condition or edit an existing one. To access this screen, go to the Other Protocol screen (see Section 28.4 on page 456), and click either the Add icon or an Edit icon. Fig[...]

  • Page 460

    Schedule Select a schedule that defines when the policy applies or select Create Object to configure a new one (see Chapter 38 on page 611 for details). Otherwise, select any to make the policy always effective. User Select a user name or user group to which to apply the [...]

  • Page 461

    Inbound kbps Type how much inbound bandwidth, in kilobits per second, this policy allows the traffic to use. Inbound refers to the traffic the ZyWALL sends to a connection’s initiator. If you enter 0 here, this policy does not apply bandwidth management for the matching traffic [...]

  • Page 462

    OK Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. Table 134 AppPatrol > Other > Edit (continued) LABEL DESCRIPTION[...]

  • Page 463

    CHAPTER 29 Anti-Virus 29.1 Overview Use the ZyWALL’s anti-virus feature to protect your connected network from virus/spyware infection. The ZyWALL checks traffic going in the direction(s) you specify for signature matches. In the following figure the ZyWALL is set to check traffic coming from the WAN [...]

  • Page 464

    29.1.2 What You Need to Know Anti-Virus Engines Subscribe to signature files for Kaspersky’s anti-virus engine. After the trial expires, you need to purchase an iCard for the anti-virus engine you want to use and register it in the Registration > Service screen. You must use the Ka[...]

  • Page 465

    3 The scanning engine checks the contents of the packets for viruses. 4 If a virus pattern is matched, the ZyWALL removes the infected portion of the file along with the rest of the file. The un-infected portion of the file before a virus pattern was matched still goes through. 5 If the sen[...]

  • Page 466

    29.2 Anti-Virus Summary Screen Click Configuration > Anti-X > Anti-Virus to display the configuration screen as shown next. Figure 282 Configuration > Anti-X > Anti-Virus > General The following table describes the labels in this screen. Table 135 Configuration > Anti[...]

  • Page 467

    Scan EICAR Select this option to have the ZyWALL check for the EICAR test file and treat it in the same way as a real virus file. The EICAR test file is a standardized test file for signature-based anti-virus scanners. When the virus scanner detects the EICAR file, it responds in the same wa[...]

  • Page 468

    License Type This field displays whether you applied for a trial application (Trial) or registered a service with your iCard’s PIN number (Standard). None displays when the service is not activated. Apply new Registration This link appears if you have not registered for the [...]

  • Page 469

    29.2.1 Anti-Virus Policy Add or Edit Screen Click the Add or Edit icon in the Configuration > Anti-X > Anti-Virus > General screen to display the configuration screen as shown next. Figure 283 Configuration > Anti-X > Anti-Virus > General > Add The following table de[...]

  • Page 470

    Actions When Matched Destroy infected file When you select this check box, if a virus pattern is matched, the ZyWALL overwrites the infected portion of the file (and the rest of the file) with zeros. The un-infected portion of the file before a virus pattern was matched goes through unmod[...]
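The scanning steps on page 465 and the Destroy infected file action above describe a streaming scanner: the bytes before the first signature match have already been forwarded and cannot be recalled, so only the match and everything after it can be zeroed. The following is an added example of that behaviour, not ZyXEL's engine. It holds back just enough of each chunk to catch a pattern split across two chunks, and honours a white list of file name patterns the way the Black/White List screens do. The signature is a constructed marker rather than a real virus pattern (a real deployment would use the vendor signature set, plus the EICAR test string when Scan EICAR is enabled), and treating an unchecked Destroy box as "record the match, pass the bytes" is my assumption.

```python
"""Stream scanner modelling the ZyWALL "Destroy infected file" action (added example)."""
import fnmatch
from typing import Dict, Iterable, Optional, Tuple

SIGNATURES: Dict[str, bytes] = {
    "TEST-PATTERN": b"<<CONSTRUCTED-MALWARE-MARKER>>",   # constructed, not a real pattern
}


class StreamScanner:
    def __init__(self, signatures: Dict[str, bytes] = SIGNATURES, destroy: bool = True):
        self.signatures = signatures
        self.destroy = destroy
        # Hold back (longest pattern - 1) bytes so a pattern that straddles two
        # chunks is still found before the bytes after it are forwarded.
        self.hold = max(len(p) for p in signatures.values()) - 1
        self.carry = b""
        self.matched: Optional[str] = None

    def feed(self, chunk: bytes) -> bytes:
        """Return the bytes that may be forwarded for this chunk."""
        if self.matched is not None:                  # already past the match
            return b"\x00" * len(chunk) if self.destroy else chunk
        data = self.carry + chunk
        hits = [(data.find(p), name) for name, p in self.signatures.items() if p in data]
        if hits:
            idx, self.matched = min(hits)             # earliest match in the stream wins
            self.carry = b""
            tail = data[idx:]                         # infected portion and the rest
            return data[:idx] + (b"\x00" * len(tail) if self.destroy else tail)
        keep = max(0, len(data) - self.hold)
        self.carry = data[keep:]
        return data[:keep]

    def finish(self) -> bytes:
        """Flush the held-back bytes at end of file (clean if nothing matched)."""
        out, self.carry = self.carry, b""
        return out


def scan_file(data: bytes, name: str = "file", chunk_size: int = 7,
              destroy: bool = True, white_list: Iterable[str] = ()) -> Tuple[bytes, Optional[str]]:
    """Scan one file; white-listed file name patterns bypass scanning entirely."""
    if any(fnmatch.fnmatch(name, pat) for pat in white_list):
        return data, None
    scanner = StreamScanner(destroy=destroy)
    out = b"".join(scanner.feed(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size))
    out += scanner.finish()
    return out, scanner.matched


if __name__ == "__main__":
    # Constructed sample file: clean header, marker, trailing bytes.
    sample = b"clean header " + SIGNATURES["TEST-PATTERN"] + b" trailing bytes"
    forwarded, hit = scan_file(sample)
    print(hit, forwarded[:13], forwarded[13:].count(0) == len(sample) - 13)
```

The output length always equals the input length, which is why the receiving host sees a truncated or zero-filled file rather than a connection error; the manual's note that the un-infected portion "goes through unmodified" follows directly from the hold-back design.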

  • Page 471

    29.3 Anti-Virus Black List Click Configuration > Anti-X > Anti-Virus > Black/White List to display the screen shown next. Use the Black List screen to set up the Anti-Virus black (blocked) list of virus file patterns. Click a column’s heading cell to sort the table entries by th[...]

  • Page 472

    The following table describes the labels in this screen. 29.4 Anti-Virus Black List or White List Add/Edit From the Configuration > Anti-X > Anti-Virus > Black/White List > Black List (or White List) screen, click the Add icon or an Edit icon to display the following screen. [...]

  • Page 473

    The following table describes the labels in this screen. 29.5 Anti-Virus White List Click Configuration > Anti-X > Anti-Virus > Black/White List > White List to display the screen shown next. Use the Black/White List screen to set up Anti-Virus black (blocked) and white (allowe[...]

  • Page 474

    column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 286 Configuration > Anti-X > Anti-Virus > Black/White List > White List The following table describes the labels in this screen. 29.[...]

  • Page 475

    If Internet Explorer opens a warning screen about a script making Internet Explorer run slowly and the computer maybe becoming unresponsive, just click No to continue. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell agai[...]

  • Page 476

    The following table describes the labels in this screen. Table 140 Configuration > Anti-X > Anti-Virus > Signature LABEL DESCRIPTION Signatures Search Select the criteria on which to perform the search. Select By Name from the drop-down list box and type the name or part of the n[...]

  • Page 477

    29.7 Anti-Virus Technical Reference Types of Computer Viruses The following table describes some of the common computer viruses. Computer Virus Infection and Prevention The following describes a simple life cycle of a computer virus. 1 A computer gets a copy of a virus from a source su[...]

  • Page 478

    A host-based anti-virus (HAV) scanner is often software installed on computers and/or servers in the network. It inspects files for virus patterns as they are moved in and out of the hard drive. However, host-based anti-virus scanners cannot eliminate all viruses for a number of reason[...]

  • Page 479

    CHAPTER 30 IDP 30.1 Overview This chapter introduces packet inspection IDP (Intrusion Detection and Prevention), IDP profiles, binding an IDP profile to a traffic flow, custom signatures and updating signatures. An IDP system can detect malicious or suspicious packets and respond instantaneously. IDP on the[...]

  • Page 480

    IDP Profiles An IDP profile is a set of related IDP signatures that you can activate as a set and configure common log and action settings. You can apply IDP profiles to traffic flowing from one zone to another. For example, apply the default LAN_IDP profile to any traffic going to the LA[...]

  • Page 481

    30.2 The IDP General Screen Click Configuration > Anti-X > IDP > General to open this screen. Use this screen to turn IDP on or off, bind IDP profiles to traffic directions, and view registration and signature information. Note: You must register in order to use packet inspection signa[...]

  • Page 482

    Add Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. Activate To turn on an entry, select it and click Activate. Inact[...]

  • Page 483

    30.3 Introducing IDP Profiles An IDP profile is a set of packet inspection signatures. Packet inspection signatures examine packet content for malicious data. Packet inspection applies to OSI (Open System Interconnection) layer-4 to layer-7 contents. You need to subscribe for IDP service in o[...]

  • Page 484

    30.3.1 Base Profiles The ZyWALL comes with several base profiles. You use base profiles to create new profiles. In the Configuration > Anti-X > IDP > Profile screen, click Add to display the following screen. Figure 289 Base Profiles The following table describes this screen. Table 1[...]

  • Page 485

    30.4 The Profile Summary Screen Select Anti-X > IDP > Profile. Use this screen to: • Add a new profile • Edit an existing profile • Delete an existing profile. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse[...]

  • Page 486

    30.5 Creating New Profiles You may want to create a new profile if not all signatures in a base profile are applicable to your network. In this case you should disable non-applicable signatures so as to improve ZyWALL IDP processing efficiency. You may also find that certain signatures are tr[...]

  • Page 487

    30.6 Profiles: Packet Inspection Select Configuration > Anti-X > IDP > Profile and then add a new profile or edit an existing one. Packet inspection signatures examine the contents of a packet for malicious data. It operates at layer-4 to layer-7. 30.6.1 Profile > Group View Scr[...]

  • Page 488

    The following table describes the fields in this screen. Table 145 Configuration > Anti-X > IDP > Profile > Group View LABEL DESCRIPTION Name This is the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a[...]

  • Page 489

    Action To edit what action the ZyWALL takes when a packet matches a signature, select the signature and use the Action icon. none: Select this action on an individual signature or a complete service group to have the ZyWALL take no action when a packet matches the signature(s). drop: Select thi[...]

  • Page 490

    30.6.2 Policy Types This section describes IDP policy types, also known as attack types, as categorized in the ZyWALL. You may refer to these types when categorizing your own custom rules. Log These are the log options. To edit this, select an item and use the Log icon. Action This is the acti[...]

  • Page 491

    30.6.3 IDP Service Groups An IDP service group is a set of related packet inspection signatures. Scan A scan describes the action of searching a network for an exposed service. An attack may then occur once a vulnerability has been found. Scans occur on several network levels. A network scan occurs[...]

  • Page 492

    The following figure shows the WEB_PHP service group that contains signatures related to attacks on web servers using PHP exploits. PHP (PHP: Hypertext Preprocessor) is a server-side HTML embedded scripting language that allows web developers to build dynamic websites. Logs and actions applied[...]

  • Page 493

    30.6.4 Profile > Query View Screen Click Switch to query view in the screen as shown in Figure 291 on page 487 to go to a signature query screen. In the query view screen, you can search for signatures by criteria such as name, ID, severity, attack type, vulnerable attack platforms, service cate[...]

  • Page 494

    Severity Search for signatures by severity level(s). Hold down the [Ctrl] key if you want to make multiple selections. These are the severities as defined in the ZyWALL. The number in brackets is the number you use if using commands. Severe (5): These denote attacks that try to run arbitrary [...]

  • Page 495

    30.6.5 Query Example This example shows a search with these criteria: • Severity: severe and high • Attack Type: DDoS • Platform: Windows 2000 and Windows XP computers • Service: Any[...]

  • Page 496

    • Actions: Any Figure 294 Query Example Search Criteria Figure 295 Query Example Search Results[...]

  • Page 497

    30.7 Introducing IDP Custom Signatures Create custom signatures for new attacks or attacks peculiar to your network. Custom signatures can also be saved to/from your computer so as to share with others. You need some knowledge of packet headers and attack types to create your own custom si[...]

  • Page 498

    30.8 Configuring Custom Signatures Select Configuration > Anti-X > IDP > Custom Signatures. The first screen shows a summary of all custom signatures created. Click the SID or Name heading to sort. Click the Add icon to create a new signature or click the Edit icon to edit an existing sig[...]

  • Page 499

    Note: The ZyWALL checks all signatures and continues searching even after a match is found. If two or more rules have conflicting actions for the same packet, then the ZyWALL applies the more restrictive action (reject-both, reject-receiver or reject-sender, drop, none, in this order). If a p[...]

  • Page 500

    30.8.1 Creating or Editing a Custom Signature Click the Add icon to create a new signature or click the Edit icon to edit an existing signature in the screen as shown in Figure 297 on page 499. A packet must match all items you configure in this screen before it matches the signature. The more sp[...]

  • Page 501

    Try to write signatures that target a vulnerability, for example a certain type of traffic on certain operating systems, instead of a specific exploit. Figure 298 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit[...]

  • Page 502

    The following table describes the fields in this screen. Table 151 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit LABEL DESCRIPTION Name Type the name of your custom signature. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first charac[...]

  • Page 503

    Fragmentation A fragmentation flag identifies whether the IP datagram should be fragmented, not fragmented or is a reserved bit. Some intrusions can be identified by this flag. Select the check box and then select the flag that the intrusion uses. Fragmentation Offset When an IP datagram is fragmen[...]

  • Page 504

    Flow If selected, the signature only applies to certain directions of the traffic flow and only to clients or servers. Select Flow and then select the identifying options. Established: The signature only checks for established TCP connections. Stateless: The signature is triggered regardless of [...]

  • Page 505

    Payload Size This field may be used to check for abnormally sized packets or for detecting buffer overflows. Select the check box, then select Equal, Smaller or Greater and then type the payload size. Stream rebuilt packets are not checked regardless of the size of the payload. Add Click this to [...]

  • Page 506

    30.8.2 Custom Signature Example Before creating a custom signature, you must first clearly understand the vulnerability. 30.8.2.1 Understand the Vulnerability Check the ZyWALL logs when the attack occurs. Use web sites such as Google or Security Focus to get as much information about the [...]

  • Page 507

    30.8.2.2 Analyze Packets Use the packet capture screen (see Section 48.3 on page 750) and a packet analyzer (also known as a network or protocol analyzer) such as Wireshark or Ethereal to investigate some more. Figure 299 DNS Query Packet Details From the details about DNS query you see that th[...]

  • Page 508

    The final custom signature should look as shown in the following figure. Figure 300 Example Custom Signature 30.8.3 Applying Custom Signatures After you create your custom signature, it becomes available in the IDP service group category in the Configuration > Anti-X > IDP > Profile [...]
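The custom signature built in Section 30.8.2 combines header conditions (UDP to destination port 53, flow direction) with payload conditions (content at an offset, payload size), and page 499 adds the rule that every signature is checked even after a match, with conflicting actions resolved to the most restrictive one. The following matcher is an added example of those two mechanisms working together; it is not ZyXEL's engine. The signatures, their placeholder SIDs, the query name they look for and the 512-byte size threshold are all constructed for the example and are not taken from the manual's figures.

```python
"""Custom signature matcher in the style of the IDP custom signature screen (added example)."""
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Most restrictive action wins, in the manual's order.
ACTION_RANK = {"none": 0, "drop": 1, "reject-sender": 2, "reject-receiver": 2, "reject-both": 3}


@dataclass
class Signature:
    sid: int
    name: str
    action: str
    protocol: str                          # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None
    src_port: Optional[int] = None
    flow: FrozenSet[str] = frozenset()     # e.g. {"to_server", "established"}
    content: bytes = b""                   # payload bytes to look for
    offset: int = 0                        # start searching at this payload offset
    depth: Optional[int] = None            # search only this many bytes after offset
    nocase: bool = False
    payload_size: Optional[Tuple[str, int]] = None   # ("equal"|"smaller"|"greater", n)

    def matches(self, pkt: Dict) -> bool:
        """A packet must satisfy every configured field to match the signature."""
        if pkt["protocol"] != self.protocol:
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        if self.src_port is not None and pkt.get("src_port") != self.src_port:
            return False
        if not self.flow <= pkt.get("flow", frozenset()):
            return False
        payload: bytes = pkt["payload"]
        if self.payload_size is not None:
            op, n = self.payload_size
            if not {"equal": len(payload) == n,
                    "smaller": len(payload) < n,
                    "greater": len(payload) > n}[op]:
                return False
        if self.content:
            end = None if self.depth is None else self.offset + self.depth
            window, needle = payload[self.offset:end], self.content
            if self.nocase:
                window, needle = window.lower(), needle.lower()
            if needle not in window:
                return False
        return True


def evaluate(signatures: List[Signature], pkt: Dict) -> Tuple[List[int], str]:
    """Check all signatures (no early exit) and pick the most restrictive action."""
    hits = [s for s in signatures if s.matches(pkt)]
    action = max((s.action for s in hits), key=lambda a: ACTION_RANK[a], default="none")
    return [s.sid for s in hits], action


def dns_query(qname: str, qtype: int = 1) -> bytes:
    """Constructed DNS query: 12-byte header, then QNAME labels, QTYPE, QCLASS."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode() for part in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


# Constructed custom signatures; the SIDs are placeholders.
CUSTOM_SIGNATURES = [
    Signature(9000001, "dns-query-bad-name", "drop", "udp", dst_port=53,
              flow=frozenset({"to_server"}), offset=12,
              content=b"\x03bad\x07example\x03com\x00"),
    Signature(9000002, "dns-query-oversized", "reject-both", "udp", dst_port=53,
              flow=frozenset({"to_server"}), payload_size=("greater", 512)),
]


def udp_to_dns(payload: bytes) -> Dict:
    """Constructed packet record in the shape the matcher expects."""
    return {"protocol": "udp", "src_port": 40000, "dst_port": 53,
            "flow": frozenset({"to_server", "stateless"}), "payload": payload}


if __name__ == "__main__":
    print(evaluate(CUSTOM_SIGNATURES, udp_to_dns(dns_query("bad.example.com"))))
```

A query that trips both signatures is dropped with reject-both even though the first signature alone would only drop it, which is the conflict rule from page 499 in action; the same query over TCP matches nothing because the transport protocol is part of every signature.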

  • Page 509

    You can activate the signature, configure what action to take when a packet matches it and if it should generate a log or alert in a profile. Then bind the profile to a zone. Figure 301 Example: Custom Signature in IDP Profile 30.8.4 Verifying Custom Signatures Configure the signature to cr[...]

  • Page 510

    destination port is the service port (53 for DNS in this case) that the attack tries to exploit. Figure 302 Custom Signature Log 30.9 IDP Technical Reference This section contains some background information on IDP. Host Intrusions The goal of host-based intrusions is to infiltrate files on an i[...]

  • Page 511

    Network Intrusions Network-based intrusions have the goal of bringing down a network or networks by attacking computer(s), switch(es), router(s) or modem(s). If a LAN switch is compromised for example, then the whole LAN is compromised. Host-based intrusions may be used to cause network-ba[...]

  • Page 512

    Note: Not all Snort functionality is supported in the ZyWALL. ZyWALL field and Snort equivalent: Same IP - sameip; Transport Protocol: TCP: Port - (in Snort rule header), Flow - flow, Flags - flags, Sequence Number - seq, Ack Number - ack, Window Size - window; Transport Protocol: UDP: Port - (in Snort rule[...]

  • Page 513

    CHAPTER 31 ADP 31.1 Overview This chapter introduces ADP (Anomaly Detection and Prevention), anomaly profiles and applying an ADP profile to a traffic direction. ADP protects against anomalies based on violations of protocol standards (RFCs, Requests for Comments) and abnormal flows such as port scans[...]

  • Page 514

    Protocol Anomalies Protocol anomalies are packets that do not comply with the relevant RFC (Request For Comments). Protocol anomaly detection includes HTTP Inspection, TCP Decoder, UDP Decoder and ICMP Decoder. Protocol anomaly rules may be updated when you upload new firmware. ADP Profile An[...]

  • Page 515

    31.2 The ADP General Screen Click Configuration > Anti-X > ADP > General. Use this screen to turn anomaly detection on or off and apply anomaly profiles to traffic directions. Figure 303 Configuration > Anti-X > ADP > General The following table describes the labels in this scr[...]

  • Page 516

    31.3 The Profile Summary Screen Use this screen to: • Create a new profile using an existing base profile • Edit an existing profile • Delete an existing profile Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. From, To This is the d[...]

  • Page 517

    31.3.1 Base Profiles The ZyWALL comes with base profiles. You use base profiles to create new profiles. In the Configuration > Anti-X > ADP > Profile screen, click Add to display the following screen. Figure 304 Base Profiles These are the default base profiles at the time of writing. 31.[...]

  • Page 518

    The following table describes the fields in this screen. 31.3.3 Creating New ADP Profiles You may want to create a new profile if not all rules in a base profile are applicable to your network. In this case you should disable non-applicable rules so as to improve ZyWALL ADP processing efficienc[...]

  • Page 519

    belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Traffic Anomaly tab. Figure 306 Profiles: Traffic Anomaly[...]

  • Page 520

    The following table describes the fields in this screen. Table 156 Configuration > ADP > Profile > Traffic Anomaly LABEL DESCRIPTION Name This is the name of the ADP profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a n[...]

  • Page 521

    31.3.5 Protocol Anomaly Profiles Protocol anomaly is the third screen in an ADP profile. Protocol anomaly (PA) rules check for protocol compliance against the relevant RFC (Request for Comments). Protocol anomaly detection includes HTTP Inspection, TCP Decoder, UDP Decoder, and ICMP Decoder wher[...]

  • Page 522

    Figure 307 Profiles: Protocol Anomaly[...]

  • Page 523

    The following table describes the fields in this screen. Table 157 Configuration > ADP > Profile > Protocol Anomaly LABEL DESCRIPTION Name This is the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a numb[...]

  • Page 524

    Action To edit what action the ZyWALL takes when a packet matches a signature, select the signature and use the Action icon. original setting: Select this action to return each signature in a service group to its previously saved configuration. none: Select this action on an individual signatur[...]

  • Page 525

    31.4 ADP Technical Reference This section is divided into traffic anomaly background information and protocol anomaly background information. Traffic Anomaly Background Information The following sections may help you configure the traffic anomaly profile screen (Section 31.3.4 on page 518). Por[...]

  • Page 526

    Decoy Port Scans Decoy port scans are scans where the attacker has spoofed the source address. These are some decoy scan types: • TCP Decoy Portscan • UDP Decoy Portscan • IP Decoy Portscan Distributed Port Scans Distributed port scans are many-to-one port scans. Distributed po[...]

  • Page 527

    Flood Detection Flood attacks saturate a network with useless data, use up all available bandwidth, and therefore make communications in the network impossible. ICMP Flood Attack An ICMP flood is broadcasting many pings or UDP packets so that so much data is sent to the system that it slows[...]

  • Page 528

the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established. Figure 309 TCP Three-Way Handshake A SYN flood attack is when an attacker sends a series of SYN packets. Each packet causes the receiver to reply with a SYN-ACK response. The receiver then wa[...]

  • Page 529

UDP Flood Attack UDP is a connection-less protocol and it does not require any connection setup procedure to transfer data. A UDP flood attack is possible when an attacker sends a UDP packet to a random port on the victim system. When the victim system receives a UDP packet, it will determine [...]

  • Page 530

DOUBLE-ENCODING ATTACK This rule is IIS specific. IIS does two passes through the request URI, doing decodes in each one. In the first pass, IIS encoding (UTF-8 unicode, ASCII, bare byte, and %u) is done. In the second pass ASCII, bare byte, and %u encodings are done. IIS-BACKSLASH-EVASION ATTA[...]

  • Page 531

WEBROOT-DIRECTORY-TRAVERSAL ATTACK This is when a directory traversal traverses past the web server root directory. This generates much fewer false positives than the directory option, because it doesn't alert on directory traversals that stay within the web server directory structure. I[...]

  • Page 532

TRUNCATED-HEADER ATTACK This is when an ICMP packet is sent which has an ICMP datagram length of less than the ICMP header length. This may cause some applications to crash. TRUNCATED-TIMESTAMP-HEADER ATTACK This is when an ICMP packet is sent which has an ICMP datagram length of less than [...]

  • Page 533

CHAPTER 32 Content Filtering 32.1 Overview Use the content filtering feature to control access to specific web sites or web content. 32.1.1 What You Can Do in this Chapter • Use the General screens (Section 32.2 on page 535) to configure global content filtering settings, configure content filtering polic[...]

  • Page 534

Content Filtering Profiles A content filtering profile conveniently stores your custom settings for the following features. • Category-based Blocking The ZyWALL can block access to particular categories of web site content, such as pornography or racial intolera[...]

  • Page 535

Since the ZyWALL checks the URL's domain name (or IP address) and file path separately, it will not find items that go across the two. For example, with the URL www.zyxel.com.tw/news/pressroom.php, the ZyWALL would find "tw" in the domain name (www.zyxel.com.tw[...]

  • Page 536

your list of content filter policies, create a denial of access message or specify a redirect URL and check your external web filtering service registration status. Figure 311 Configuration > Anti-X > Content Filter > General The following table describes the labels in thi[...]

  • Page 537

Move To change an entry's position in the numbered list, select it and click Move to display a field to type a number for where you want to put that entry and press [ENTER] to move the entry to the number that you typed. # This column lists the index numbers of the content filt[...]

  • Page 538

32.3 Content Filter Policy Add or Edit Screen Click Configuration > Anti-X > Content Filter > General > Add or Edit to open the Content Filter Policy screen. Use this screen to configure a content License Status This read-only field displays the status of your content-filteri[...]

  • Page 539

filter policy. A content filter policy defines which content filter profile should be applied, when it should be applied, and to whose web access it should be applied. Figure 312 Configuration > Anti-X > Content Filter > General > Add The following table describ[...]

  • Page 540

32.4 Content Filter Profile Screen Click Configuration > Anti-X > Content Filter > Filter Profile to open the Filter Profile screen. A content filter profile defines to which web services, web sites or web site categories access is to be allowed or denied. Figure 313 Configu[...]

  • Page 541

See Chapter 33 on page 557 for how to view content filtering reports. Figure 314 Configuration > Anti-X > Content Filter > Filter Profile > Add[...]

  • Page 542

The following table describes the labels in this screen. Table 162 Configuration > Anti-X > Content Filter > Filter Profile > Add LABEL DESCRIPTION License Status This read-only field displays the status of your content-filtering database service registration. Not License[...]

  • Page 543

Action for Unsafe Web Pages Select Pass to allow users to access web pages that match the unsafe categories that you select below. Select Block to prevent users from accessing web pages that match the unsafe categories that you select below. When external database content filt[...]

  • Page 544

Action When Category Server Is Unavailable Select Pass to allow users to access any requested web page if the external content filtering database is unavailable. Select Block to block access to any requested web page if the external content filtering database is unavailable. Select Wa[...]

  • Page 545

Spyware/Malware Sources This category includes pages which distribute spyware and other malware. Spyware and malware are defined as software which takes control of your computer, modifies computer settings, collects or reports personal information, or misrepresents itself by tric[...]

  • Page 546

Nudity This category includes pages containing nude or seminude depictions of the human body. These depictions are not necessarily sexual in intent or effect, but may include pages containing nude paintings or photo galleries of artistic nature. This category also includes nudist or nat[...]

  • Page 547

Arts/Entertainment This category includes pages that promote and provide information about motion pictures, videos, television, music and programming guides, books, comics, movie theatres, galleries, artists or reviews on entertainment. Business/Economy This category includes pages[...]

  • Page 548

Government/Legal This category includes pages sponsored by or which provide information on government, government agencies and government services such as taxation and emergency services. It also includes pages that discuss or explain laws of various governmental entities. Military This [...]

  • Page 549

Religion This category includes pages that promote and provide information on conventional or unconventional religious or quasi-religious subjects, as well as churches, synagogues, or other houses of worship. It does not include pages containing alternative religions such as Wicca [...]

  • Page 550

Sports/Recreation/Hobbies This category includes pages that promote or provide information about spectator sports, recreational activities, or hobbies. This includes pages that discuss or promote camping, gardening, and collecting. Travel This category includes pages that promote or pr[...]

  • Page 551

Alcohol Sites that promote, offer for sale, glorify, review, or in any way advocate the use or creation of alcoholic beverages, including but not limited to beer, wine, and hard liquors. Pages that sell alcohol as a subset of other products such as restaurants or grocery store[...]

  • Page 552

32.5.1 Content Filter Blocked and Warning Messages These are the content filtering warning messages. The messages for blocked access are the same but do not include the buttons. Figure 315 Content Filter Warning Messages Placeholders This category includes pages that are under constr[...]

  • Page 553

32.6 Content Filter Customization Screen Click Configuration > Anti-X > Content Filter > Filter Profile > Add or Edit > Customization to open the Customization screen. You can create a list of good (allowed) web site addresses and a list of bad (blocked) web site ad[...]

  • Page 554

Allow Web traffic for trusted web sites only When this box is selected, the ZyWALL blocks Web access to sites that are not on the Trusted Web Sites list. If they are chosen carefully, this is the most effective way to block objectionable material. Restricted Web Features Select t[...]

  • Page 555

32.7 Content Filter Technical Reference This section provides content filtering background information. Forbidden Web Sites This list displays the forbidden web sites already added. Enter host names such as www.bad-site.com into this text field. Do not enter the complete URL of[...]

  • Page 556

External Content Filter Server Lookup Procedure The content filter lookup process is described below. Figure 317 Content Filter Lookup Procedure 1 A computer behind the ZyWALL tries to access a web site. 2 The ZyWALL looks up the web site in its cache. If an attempt to access the web [...]

  • Page 557

CHAPTER 33 Content Filter Reports 33.1 Overview You can view content filtering reports after you have activated the category-based content filtering subscription service. See Section 10.1 on page 209 on how to create a myZyXEL.com account, register your device and activate the subscription services. 33.2 Vi[...]

  • Page 558

2 Fill in your myZyXEL.com account information and click Login. Figure 318 myZyXEL.com: Login[...]

  • Page 559

3 A welcome screen displays. Click your ZyWALL's model name and/or MAC address under Registered ZyXEL Products (the ZyWALL 70 is shown as an example here). You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see [...]

  • Page 560

4 In the Service Management screen click Content Filter in the Service Name column to open the content filter reports screens. Figure 320 myZyXEL.com: Service Management 5 In the Web Filter Home screen, click the Reports tab. Figure 321 Content Filter Reports Main Screen[...]

  • Page 561

6 Select items under Global Reports to view the corresponding reports. Figure 322 Content Filter Reports: Report Home 7 Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view s[...]

  • Page 562

8 A chart and/or list of requested web site categories display in the lower half of the screen. Figure 323 Global Report Screen Example[...]

  • Page 563

9 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested. Figure 324 Requested URLs Example[...]


  • Page 565

CHAPTER 34 Anti-Spam 34.1 Overview The anti-spam feature can mark or discard spam (unsolicited commercial or junk e-mail). Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail. The ZyWALL can also check e-mail against a DNS black list (DNSBL) of IP addresses of server[...]

  • Page 566

Black List Configure black list entries to identify spam. The black list entries have the ZyWALL classify any e-mail that is from or forwarded by a specified IP address or uses a specified header field and header value as being spam. If an e-mail does not match any of the white list entr[...]

  • Page 567

E-mail Header Buffer Size The ZyWALL has a 5 K buffer for an individual e-mail header. If an e-mail's header is longer than 5 K, the ZyWALL only checks up to the first 5 K. DNSBL A DNS Black List (DNSBL) is a server that hosts a list of IP addresses known or suspected of having sent or[...]

  • Page 568

spam policies. You can also select the action the ZyWALL takes when the mail sessions threshold is reached. Figure 325 Configuration > Anti-X > Anti-Spam > General The following table describes the labels in this screen. Table 164 Configuration > Anti-X > Anti-Spam >[...]

  • Page 569

34.3.1 The Anti-Spam Policy Add or Edit Screen Click the Add or Edit icon in the Configuration > Anti-X > Anti-Spam > General screen to display the configuration screen as shown next. Use this screen to configure an anti-spam policy that controls what traffic direction of e-mail to [...]

  • Page 570

check, which e-mail protocols to scan, the scanning options, and the action to take on spam traffic. Figure 326 Configuration > Anti-X > Anti-Spam > General > Add The following table describes the labels in this screen. Table 165 Configuration > Anti-X > Anti-Spam >[...]

  • Page 571

34.4 The Anti-Spam Black List Screen Click Configuration > Anti-X > Anti-Spam > Black / White List to display the Anti-Spam Black List screen. Configure the black list to identify spam e-mail. You can create black list entries based on the sender's or relay server's IP addre[...]

  • Page 572

specific subject text. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order. Figure 327 Configuration > Anti-X > Anti-Spam > Black/White List > Black List The following table de[...]

  • Page 573

34.4.1 The Anti-Spam Black or White List Add/Edit Screen In the anti-spam Black List or White List screen, click the Add icon or an Edit icon to display the following screen. Use this screen to configure an anti-spam black list entry to identify spam e-mail. You can create entries based on [...]

  • Page 574

34.4.2 Regular Expressions in Black or White List Entries The following applies for a black or white list entry based on an e-mail subject, e-mail address, or e-mail header value. • Use a question mark (?) to let a single character vary. For example, use "a?c" (without the quotat[...]

  • Page 575

34.5 The Anti-Spam White List Screen Click Configuration > Anti-X > Anti-Spam > Black/White List and then the White List tab to display the Anti-Spam White List screen. Configure the white list to identify legitimate e-mail. You can create white list entries based on the sender's[...]

  • Page 576

34.6 The DNSBL Screen Click Configuration > Anti-X > Anti-Spam > DNSBL to display the anti-spam DNSBL screen. Use this screen to configure the ZyWALL to check the sender and relay IP addresses in e-mail headers against DNS (Domain Name Service)-based spam Black Lists (DNSBLs). Fi[...]

  • Page 577

The following table describes the labels in this screen. Table 169 Configuration > Anti-X > Anti-Spam > DNSBL LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields. Enable DNS Black List (DNSB[...]

  • Page 578

34.7 Anti-Spam Technical Reference Here is more detailed anti-spam information. DNSBL • The ZyWALL checks only public sender and relay IP addresses; it does not check private IP addresses. • The ZyWALL sends a separate query (DNS lookup) for each sender or r[...]

  • Page 579

Here is an example of an e-mail classified as spam based on DNSBL replies. Figure 331 DNSBL Spam Detection Example 1 The ZyWALL receives an e-mail that was sent from IP address a.a.a.a and relayed by an e-mail server at IP address b.b.b.b. The ZyWALL sends a separate query to [...]

  • Page 580

Here is an example of an e-mail classified as legitimate based on DNSBL replies. Figure 332 DNSBL Legitimate E-mail Detection Example 1 The ZyWALL receives an e-mail that was sent from IP address c.c.c.c and relayed by an e-mail server at IP address d.d.d.d. The ZyWALL sends a separate [...]

  • Page 581

If the ZyWALL receives conflicting DNSBL replies for an e-mail routing IP address, the ZyWALL classifies the e-mail as spam. Here is an example. Figure 333 Conflicting DNSBL Replies Example 1 The ZyWALL receives an e-mail that was sent from IP address a.b.c.d and relayed by an e-mail se[...]
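The DNSBL rules stated in the technical reference (only public sender and relay addresses are checked, one query per address, and conflicting replies count as spam) can be written out as a small classifier. The following is an added example, not code from the ZyXEL manual or the ZyWALL firmware; the zone names and the DNS answer table are constructed for an offline demonstration, and the "listed on any zone means spam" reading follows from the conflicting-replies rule on this page.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional

# Hypothetical DNSBL zone names, constructed for this example.
DNSBL_ZONES = ["bl-one.example", "bl-two.example"]

# Constructed stand-in for DNS answers: query name -> A record, or None when
# the name does not resolve. By DNSBL convention a listing is signalled by an
# A record inside 127.0.0.0/8; no record means "not listed".
STUB_DNS: Dict[str, Optional[str]] = {
    "4.3.2.1.bl-one.example": "127.0.0.2",   # 1.2.3.4 listed on both zones
    "4.3.2.1.bl-two.example": "127.0.0.2",
    "8.8.4.4.bl-one.example": "127.0.0.3",   # 4.4.8.8 listed on one zone only
    "8.8.4.4.bl-two.example": None,          # -> conflicting replies
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the conventional reversed-octet DNSBL query name for an IPv4 address."""
    octets = ip.split(".")
    return ".".join(reversed(octets)) + "." + zone


def lookup(name: str) -> Optional[str]:
    """Stub resolver; a real deployment would issue an A query over DNS here."""
    return STUB_DNS.get(name)


def dnsbl_listed(ip: str, zone: str) -> bool:
    """True when the zone answers with a 127.0.0.0/8 address for this IP."""
    answer = lookup(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def classify_email(routing_ips: Iterable[str], zones: List[str] = DNSBL_ZONES) -> dict:
    """Classify an e-mail from its sender and relay IPs.

    Returns a dict with the verdict, the per-IP replies that were checked,
    the private/non-routable IPs that were skipped, and the IPs whose zones
    disagreed (conflicting replies are treated as spam, as the manual states).
    """
    checked: Dict[str, Dict[str, bool]] = {}
    skipped: List[str] = []
    for ip in routing_ips:
        addr = ipaddress.ip_address(ip)
        # Only public addresses are queried; private and loopback ones are skipped.
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            skipped.append(ip)
            continue
        # One separate query per zone for each routing address.
        checked[ip] = {zone: dnsbl_listed(ip, zone) for zone in zones}

    conflicts = [ip for ip, r in checked.items() if any(r.values()) and not all(r.values())]
    listed_anywhere = any(any(r.values()) for r in checked.values())
    verdict = "spam" if listed_anywhere else "legitimate"
    return {"verdict": verdict, "checked": checked, "skipped": skipped, "conflicts": conflicts}


if __name__ == "__main__":
    print(classify_email(["1.2.3.4", "10.0.0.5"]))   # spam; 10.0.0.5 skipped
    print(classify_email(["4.4.8.8"]))               # spam via conflicting replies
    print(classify_email(["9.9.9.9"]))               # legitimate; no zone lists it
```

The `skipped` list is worth logging in practice: an e-mail whose only routing addresses are private (for example, one relayed purely inside the LAN) is never queried at all, so a "legitimate" verdict for it says nothing about the sender.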


  • Page 583

CHAPTER 35 User/Group 35.1 Overview This chapter describes how to set up user accounts, user groups, and user settings for the ZyWALL. You can also set up rules that control when users have to log in to the ZyWALL before the ZyWALL routes traffic for them. 35.1.1 What You Can Do in this Chapter • The Use[...]

  • Page 584

Note: The default admin account is always authenticated locally, regardless of the authentication method setting. (See Chapter 39 on page 617 for more information about authentication methods.) Ext-User Accounts Set up an ext-user account if the user is authenticated by an external ser[...]

  • Page 585

See Setting up User Attributes in an External Server on page 597 for a list of attributes and how to set up the attributes in an external server. Ext-Group-User Accounts Ext-Group-User accounts are similar to ext-user accounts but allow you to group users by the value of the group m[...]

  • Page 586

35.2 User Summary Screen The User screen provides a summary of all user accounts. To access this screen, log in to the Web Configurator, and click Configuration > Object > User/Group. Figure 334 Configuration > Object > User/Group The following table describes the labe[...]

  • Page 587

• - [dashes] The first character must be alphabetical (A-Z a-z), an underscore (_), or a dash (-). Other limitations on user names are: • User names are case-sensitive. If you enter a user 'bob' but use 'BOB' when connecting via CIFS or FTP, it will use the ac[...]

  • Page 588

The following table describes the labels in this screen. Table 172 Configuration > User/Group > User > Add LABEL DESCRIPTION User Name Type the user name for this user account. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character [...]

  • Page 589

35.3 User Group Summary Screen User groups consist of access users and other user groups. You cannot put admin users in user groups. The Group screen provides a summary of all user groups. In addition, this screen allows you to add, edit, and remove user groups. To access this screen, lo[...]

  • Page 590

35.3.1 Group Add/Edit Screen The Group Add/Edit screen allows you to create a new user group or edit an existing one. To access this screen, go to the Group screen (see Section 35.3 on page 589), and click either the Add icon or an Edit icon. Figure 337 Configuration > User/Group >[...]

  • Page 591

35.4 Setting Screen The Setting screen controls default settings, login settings, lockout settings, and other user settings for the ZyWALL. You can also use this screen to specify when users must log in to the ZyWALL before it routes traffic for them. Member List The Member list displays[...]

  • Page 592

To access this screen, log in to the Web Configurator, and click Configuration > Object > User/Group > Setting. Figure 338 Configuration > Object > User/Group > Setting The following table describes the labels in this screen. Table 175 Configuration > Object >[...]

  • Page 593

User Type These are the kinds of user account the ZyWALL supports. • admin - this user can look at and change the configuration of the ZyWALL • limited-admin - this user can look at the configuration of the ZyWALL but not change it • user - this user has access to the ZyWALL's[...]

  • Page 594

35.4.1 Default User Authentication Timeout Settings Edit Screens The Default Authentication Timeout Settings Edit screen allows you to set the default authentication timeout settings for the selected type of user account. These default authentication timeout settings also cont[...]

  • Page 595

To access this screen, go to the Configuration > Object > User/Group > Setting screen (see Section 35.4 on page 591), and click one of the Default Authentication Timeout Settings section's Edit icons. Figure 339 Configuration > Object > User/Group > Setting > Edit The [...]

  • Page 596

35.4.2 User Aware Login Example Access users cannot use the Web Configurator to browse the configuration of the ZyWALL. Instead, after access users log into the ZyWALL, the following screen appears. Figure 340 Web Configurator for Non-Admin Users The following table describes the la[...]

  • Page 597

35.5 User/Group Technical Reference This section provides some information on users who use an external authentication server in order to log in. Setting up User Attributes in an External Server To set up user attributes, such as reauthentication time, in LDAP or RADIUS servers, use [...]


  • Page 599

CHAPTER 36 Addresses 36.1 Overview Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups. 36.1.1 What You Can Do in this Chapter • The Address screen (Section 36.2 on page 599) provides a summary of all addresse[...]

  • Page 600

• RANGE - a range address is defined by a Starting IP Address and an Ending IP Address. • SUBNET - a network address is defined by a Network IP address and Netmask subnet mask. The Address screen provides a summary of all addresses in the ZyWALL. To access this screen, click Configurat[...]

  • Page 601

36.2.1 Address Add/Edit Screen The Configuration > Address Add/Edit screen allows you to create a new address or edit an existing one. To access this screen, go to the Address screen (see Section 36.2 on page 599), and click either the Add icon or an Edit icon. Figure 344 Configuration >[...]

  • Page 602

36.3 Address Group Summary Screen The Address Group screen provides a summary of all address groups. To access this screen, click Configuration > Object > Address > Address Group. Click a column's heading cell to sort the table entries by that column's criteria. Click the [...]

  • Page 603

36.3.1 Address Group Add/Edit Screen The Address Group Add/Edit screen allows you to create a new address group or edit an existing one. To access this screen, go to the Address Group screen (see Section 36.3 on page 602), and click either the Add icon or an Edit icon. Figure 346 Configurati[...]


  • Page 605

CHAPTER 37 Services 37.1 Overview Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features. 37.1.1 What You Can Do in this Chapter • Use the Service screens (Section 37.2 on page 606) to [...]

  • Page 606

Both TCP and UDP use ports to identify the source and destination. Each port is a 16-bit number. Some port numbers have been standardized and are used by low-level system processes; many others have no particular meaning. Unlike TCP and UDP, Internet Control Message Protocol (ICMP, IP [...]

  • Page 607

entries by that column's criteria. Click the heading cell again to reverse the sort order. Figure 347 Configuration > Object > Service > Service The following table describes the labels in this screen. Table 183 Configuration > Object > Service > Service LABEL DESCRIPTION[...]

  • Page 608

37.2.1 The Service Add/Edit Screen The Service Add/Edit screen allows you to create a new service or edit an existing one. To access this screen, go to the Service screen (see Section 37.2 on page 606), and click either the Add icon or an Edit icon. Figure 348 Configuration > Object >[...]

  • Page 609

To access this screen, log in to the Web Configurator, and click Configuration > Object > Service > Service Group. Figure 349 Configuration > Object > Service > Service Group The following table describes the labels in this screen. See Section 37.3.1 on page 610 for more [...]

  • Page 610

37.3.1 The Service Group Add/Edit Screen The Service Group Add/Edit screen allows you to create a new service group or edit an existing one. To access this screen, go to the Service Group screen (see Section 37.3 on page 608), and click either the Add icon or an Edit icon. Figure 350 Configu[...]

  • Page 611

CHAPTER 38 Schedules 38.1 Overview Use schedules to set up one-time and recurring schedules for policy routes, firewall rules, application patrol, and content filtering. The ZyWALL supports one-time and recurring schedules. One-time schedules are effective only once, while recurring schedules usually repeat. [...]

  • Page 612

Finding Out More • See Section 6.6 on page 105 for related information on these screens. • See Section 45.3 on page 676 for information about the ZyWALL's current date and time. 38.2 The Schedule Summary Screen The Schedule summary screen provides a summary of all schedules in the[...]

  • Page 613

38.2.1 The One-Time Schedule Add/Edit Screen The One-Time Schedule Add/Edit screen allows you to define a one-time schedule or edit an existing one. To access this screen, go to the Schedule screen (see Section 38.2 on page 612), and click either the Add icon or an Edit icon in the One Tim[...]

  • Page 614

38.2.2 The Recurring Schedule Add/Edit Screen The Recurring Schedule Add/Edit screen allows you to define a recurring schedule or edit an existing one. To access this screen, go to the Schedule screen Date Time StartDate Specify the year, month, and day when the schedule begins. Year - 1[...]

  • Page 615

(see Section 38.2 on page 612), and click either the Add icon or an Edit icon in the Recurring section. Figure 353 Configuration > Object > Schedule > Edit (Recurring) The Year, Month, and Day columns are not used in recurring schedules and are disabled in this screen. The foll[...]


  • Page 617

CHAPTER 39 AAA Server 39.1 Overview You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The AAA server can be an Active Directory, LDAP, or RADIUS server. Use the AAA Server screens to create and manage objects that contain settings for using AAA ser[...]

  • Page 618

39.1.2 RADIUS Server RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external server instead of (or in addition to) an internal device user database that is limited to the memory capacity of the device. In e[...]

  • Page 619

• Use the Configuration > Object > AAA Server > RADIUS screen (Section 39.3 on page 623) to configure the default external RADIUS server to use for user authentication. 39.1.5 What You Need To Know AAA Servers Supported by the ZyWALL The following lists the types of authent[...]

  • Page 620

organizational boundaries. The following figure shows a basic directory structure branching from countries to organizations to organizational units to individuals. Figure 356 Basic Directory Structure Distinguished Name (DN) A DN uniquely identifies an entry in a directory. A DN consists o[...]

  • Page 621

    • See Section 7.6 on page 131 for an example of how to use a RADIUS server to authenticate user accounts based on groups. 39.2 Active Directory or LDAP Server Summary Use the Active Directory or LDAP screen to manage the list of AD or LDAP servers the ZyWALL can use in authenticating user[...]

  • Page 622

    following screen. Use this screen to create a new AD or LDAP entry or edit an existing one. Figure 358 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add The following table describes the labels in this screen. Table 191 Configuration > Object > AAA Ser[...]

  • Page 623

    39.3 RADIUS Server Summary Use the RADIUS screen to manage the list of RADIUS servers the ZyWALL can use in authenticating users. Base DN Specify the directory (up to 127 alphanumerical characters). For example, o=ZyXEL, c=US. Use SSL Select Use SSL to establish a secure connection to the A[...]

  • Page 624

    Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen. Figure 359 Configuration > Object > AAA Server > RADIUS The following table describes the labels in this screen. Table 192 Configuration > Object > AAA Server > RADIUS LABEL DESCRIPTIO[...]

  • Page 625

    39.3.1 Adding a RADIUS Server Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen. Click the Add icon or an Edit icon to display the following screen. Use this screen to create a new AD or LDAP entry or edit an existing one. Figure 360 Configuration >[...]

  • Page 626

    Timeout Specify the timeout period (between 1 and 300 seconds) before the ZyWALL disconnects from the RADIUS server. In this case, user authentication fails. Search timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down. Key Enter a passwo[...]

  • Page 627

    Chapter 40 Authentication Method 40.1 Overview Authentication method objects set how the ZyWALL authenticates wireless, HTTP/HTTPS clients, and peer IPSec routers (extended authentication) clients. Configure authentication method objects to have the ZyWALL use the local user database, and/or the authenticat[...]

  • Page 628

    3 Select Server Mode and select an authentication method object from the drop-down list box. 4 Click OK to save the settings. Figure 361 Example: Using Authentication Method in VPN 40.2 Authentication Method Objects Click Configuration > Object > Auth. Method to display[...]

  • Page 629

    40.2.1 Creating an Authentication Method Object Follow the steps below to create an authentication method object. 1 Click Configuration > Object > Auth. Method. 2 Click Add. 3 Specify a descriptive name for identification purposes in the Name field. You may use 1-31 a[...]

  • Page 630

    7 Click OK to save the settings or click Cancel to discard all changes and return to the previous screen. Figure 363 Configuration > Object > Auth. Method > Add The following table describes the labels in this screen. Table 195 Configuration > Object > Auth.[...]

  • Page 631

    Add icon Click Add to add a new entry. Click Edit to edit the settings of an entry. Click Delete to delete an entry. OK Click OK to save the changes. Cancel Click Cancel to discard the changes. Table 195 Configuration > Object > Auth. Method > Add (continued) LABEL DESC[...]

  • Page 633

    Chapter 41 Certificates 41.1 Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner's identity and public key. Certificates provide a way to exchange public keys for use[...]

  • Page 634

    2 Tim keeps the private key and makes the public key openly available. This means that anyone who receives a message seeming to come from Tim can read it and verify whether it is really from him or not. 3 Tim uses his private key to sign the message and sends it to Jenny. 4 Jenny recei[...]

  • Page 635

    Factory Default Certificate The ZyWALL generates its own unique self-signed certificate when you first turn it on. This certificate is referred to in the GUI as the factory default certificate. Certificate File Formats Any certificate that you want to import has to be in on[...]

  • Page 636

    2 Make sure that the certificate has a ".cer" or ".crt" file name extension. Figure 364 Remote Host Certificates 3 Double-click the certificate's icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields. Figu[...]

  • Page 637

    41.2 The My Certificates Screen Click Configuration > Object > Certificate > My Certificates to open the My Certificates screen. This is the ZyWALL's summary list of certificates and certification requests. Figure 366 Configuration > Object > Certificate > My Cert[...]

  • Page 638

    41.2.1 The My Certificates Add Screen Click Configuration > Object > Certificate > My Certificates and then the Add icon to open the My Certificates Add screen. Use this screen to have the Type This field displays what kind of certificate this is. REQ represents a certification req[...]

  • Page 639

    ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request. Figure 367 Configuration > Object > Certificate > My Certificates > Add[...]

  • Page 640

    The following table describes the labels in this screen. Table 197 Configuration > Object > Certificate > My Certificates > Add LABEL DESCRIPTION Name Type a name to identify this certificate. You can use up to 31 alphanumeric and ;'~!@#$%^&()_+[]{}',.=- characters. S[...]

  • Page 641

    Create a certification request and save it locally for later manual enrollment Select this to have the ZyWALL generate and store a request for a certificate. Use the My Certificate Details screen to view the certification request and copy it to send to the certification authority. Copy the[...]

  • Page 642

    If you configured the My Certificate Create screen to have the ZyWALL enroll a certificate and the certificate enrollment is not successful, you see a screen with a Return button that takes you back to the My Certificate Create screen. Click Return and check your information in the My [...]

  • Page 643

    41.2.2 The My Certificates Edit Screen Click Configuration > Object > Certificate > My Certificates and then the Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate's name. Figure 368 Conf[...]

  • Page 644

    The following table describes the labels in this screen. Table 198 Configuration > Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificate. You can use up to 31 alphanumeric and ;'~!@#$%^&()_+[]{}?[...]

  • Page 645

    Key Algorithm This field displays the type of algorithm that was used to generate the certificate's key pair (the ZyWALL uses RSA encryption) and the length of the key set in bits (1024 bits for example). Subject Alternative Name This field displays the certificate owner's IP address [...]

  • Page 646

    41.2.3 The My Certificates Import Screen Click Configuration > Object > Certificate > My Certificates > Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to the ZyWALL. Note: You can import a certificate t[...]

  • Page 647

    41.3 The Trusted Certificates Screen Click Configuration > Object > Certificate > Trusted Certificates to open the Trusted Certificates screen. This screen displays a summary list of certificates that you have set the ZyWALL to accept as trusted. The ZyWALL also accepts an[...]

  • Page 648

    41.3.1 The Trusted Certificates Edit Screen Click Configuration > Object > Certificate > Trusted Certificates and then a certificate's Edit icon to open the Trusted Certificates Edit screen. Use this screen to view in-depth information about the certificate, change the certi[...]

  • Page 649

    authority's list of revoked certificates before trusting a certificate issued by the certification authority. Figure 371 Configuration > Object > Certificate > Trusted Certificates > Edit[...]

  • Page 650

    The following table describes the labels in this screen. Table 201 Configuration > Object > Certificate > Trusted Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificate. You can change the name. You can use up to 31 alphanume[...]

  • Page 651

    Type This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate's owner signed the certificate (not a certification authority). X.509 means that this certificate was created[...]

  • Page 652

    41.3.2 The Trusted Certificates Import Screen Click Configuration > Object > Certificate > Trusted Certificates > Import to open the Trusted Certificates Import screen. Follow the instructions in this screen to save a trusted certificate to the ZyWALL. Note: You must remove [...]

  • Page 653

    The following table describes the labels in this screen. 41.4 Certificates Technical Reference OCSP OCSP (Online Certificate Status Protocol) allows an application or device to check whether a certificate is valid. With OCSP the ZyWALL checks the status of individual certificates instea[...]

  • Page 655

    Chapter 42 ISP Accounts 42.1 Overview Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE/PPTP interfaces. An ISP account is a profile of settings for Internet access using PPPoE or PPTP. Finding Out More • See Section 11.4 on page 231 for information about PPPoE/PPTP int[...]

  • Page 656

    The following table describes the labels in this screen. See the ISP Account Edit section below for more information as well. 42.2.1 ISP Account Edit The ISP Account Edit screen lets you add information about new accounts and edit information about existing accounts. To open this wi[...]

  • Page 657

    The following table describes the labels in this screen. Table 204 Configuration > Object > ISP Account > Edit LABEL DESCRIPTION Profile Name This field is read-only if you are editing an existing account. Type in the profile name of the ISP account. The profile name is used to[...]

  • Page 658

    Compression Select the On button to turn on stac compression, and select Off to turn off stac compression. Stac compression is a data compression technique capable of compressing data by a factor of about four. Idle Timeout This value specifies the number of seconds that must elapse without o[...]

  • Page 659

    Chapter 43 SSL Application 43.1 Overview You use SSL application objects in SSL VPN. Configure an SSL application object to specify the type of application and the address of the local computer, server, or web site SSL users are to be able to access. You can apply one or more SSL application objects in th[...]

  • Page 660

    Remote Desktop Connections Use SSL VPN to allow remote users to manage LAN computers. Depending on the functions supported by the remote desktop software, they can install or remove software, run programs, change settings, and open, copy, create, and delete files. This is useful for[...]

  • Page 661

    2 Click the Add button and select Web Application in the Type field. In the Server Type field, select Web Server. Enter a descriptive name in the Display Name field. For example, "CompanyIntranet". In the Address field, enter "http://info". Select Web Page Encryption to prev[...]

  • Page 662

    The following table describes the labels in this screen. 43.2.1 Creating/Editing a Web-based SSL Application Object A web-based application allows remote users to access an application via standard web browsers. To configure a web-based application, click the Add or Edit button in the[...]

  • Page 663

    The following table describes the labels in this screen. Table 206 Configuration > Object > SSL Application > Add/Edit: Web Application LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings This displays for VNC or RDP type web application objects. Click this button to[...]

  • Page 664

    Server Address(es) This field displays if the Server Type is set to RDP or VNC. Specify the IP address or Fully-Qualified Domain Name (FQDN) of the computer(s) that you want to allow the remote users to manage. Starting Port Ending Port This field displays if the Server Type is set [...]

  • Page 665

    Chapter 44 Endpoint Security 44.1 Overview Use Endpoint Security (EPS), also known as endpoint control, to make sure users' computers comply with defined corporate policies before they can access the network or an SSL VPN tunnel. After a successful user authentication, a user's computer must meet the endpo[...]

  • Page 666

    44.1.1 What You Can Do in this Chapter Use the Configuration > Object > Endpoint Security screens (Section 44.2 on page 667) to create and manage endpoint security objects. 44.1.2 What You Need to Know What Endpoint Security Can Check The settings endpoint security can c[...]

  • Page 667

    44.2 Endpoint Security Screen The Endpoint Security screen displays the endpoint security objects you have configured on the ZyWALL. Click Configuration > Object > Endpoint Security to display the screen. Figure 380 Configuration > Object > Endpoint Security The follo[...]

  • Page 668

    Apply Click this button to save your changes to the ZyWALL. Reset Click this button to return the screen to its last-saved settings. Table 207 Configuration > Object > Endpoint Security (continued) LABEL DESCRIPTION[...]

  • Page 669

    44.3 Endpoint Security Add/Edit Click Configuration > Object > Endpoint Security and then the Add (or Edit) icon to open the Endpoint Security Edit screen. Use this screen to configure an endpoint security object.[...]

  • Page 670

    Figure 381 Configuration > Object > Endpoint Security > Add[...]

  • Page 671

    The following table gives an overview of the objects you can configure. Table 208 Configuration > Object > Endpoint Security > Add LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields. [...]

  • Page 672

    Checking Item - Personal Firewall If you selected Windows as the operating system, you can select whether or not the user's computer is required to have personal firewall software installed. Move the permitted personal firewalls from the Available list to the Allowed Personal Fire[...]

  • Page 673

    Checking Item - File Information If you selected Windows or Linux as the operating system, you can use this table to check details of specific files on the user's computer. Use the Operation field to set whether the size or version of the file on the user's computer has to be equal[...]

  • Page 675

    Chapter 45 System 45.1 Overview Use the system screens to configure general ZyWALL settings. 45.1.1 What You Can Do in this Chapter • Use the System > Host Name screen (see Section 45.2 on page 676) to configure a unique name for the ZyWALL in your network. • Use the System > Date/Time screen ([...]

  • Page 676

    • Vantage CNM (Centralized Network Management) is a browser-based global management tool that allows an administrator to manage ZyXEL devices. Use the System > Vantage CNM screen (see Section 45.11 on page 719) to allow your ZyWALL to be managed by the Vantage CNM server. • Use t[...]

  • Page 677

    a software mechanism to set the time manually or get the current time and date from an external server. To change your ZyWALL's time based on your local time zone and date, click Configuration > System > Date/Time. The screen displays as shown. You can manually set the ZyWALL'[...]

  • Page 678

    New Time (hh-mm-ss) This field displays the last updated time from the time server or the last time configured manually. When you set Time and Date Setup to Manual, enter the new time in this field and then click Apply. New Date (yyyy-mm-dd) This field displays the last updated date from the[...]

  • Page 679

    45.3.1 Pre-defined NTP Time Servers List When you turn on the ZyWALL for the first time, the date and time start at 2003-01-01 00:00:00. The ZyWALL then attempts to synchronize with one of the following pre-defined list of Network Time Protocol (NTP) time servers. The ZyWALL continues to us[...]

  • Page 680

    45.3.2 Time Server Synchronization Click the Synchronize Now button to get the time and date from the time server you specified in the Time Server Address field. When the Please Wait... screen appears, you may have to wait up to one minute. Figure 384 Synchronization in Process The Current Tim[...]

  • Page 681

    5 Under Time and Date Setup, enter a Time Server Address (Table 211 on page 679). 6 Click Apply. 45.4 Console Port Speed This section shows you how to set the console port speed when you connect to the ZyWALL via the console port using a terminal emulation program. See Table 2 on page [...]

  • Page 682

    45.5.1 DNS Server Address Assignment The ZyWALL can get the DNS server addresses in the following ways. • The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, manually enter them [...]

  • Page 683

    The following table describes the labels in this screen. Table 213 Configuration > System > DNS LABEL DESCRIPTION Address/PTR Record This record specifies the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www [...]

  • Page 684

    DNS Server This is the IP address of a DNS server. This field displays N/A if you have the ZyWALL get a DNS server IP address from the ISP dynamically but the specified interface is not active. Query Via This is the interface through which the ZyWALL sends DNS queries to the entry's DNS s[...]

  • Page 685

    45.5.3 Address Record An address record contains the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com is a fully qualified domain name, where "www" is the host, "zyxel" is the second-level domain, an[...]

  • Page 686

    The following table describes the labels in this screen. 45.5.6 Domain Zone Forwarder A domain zone forwarder contains a DNS server's IP address. The ZyWALL can query the DNS server to resolve domain zones for features like VPN, DDNS and the time server. A domain zone is a fully qualified [...]

  • Page 687

    The following table describes the labels in this screen. 45.5.8 MX Record An MX (Mail eXchange) record indicates which host is responsible for the mail for a particular domain, that is, controls where mail is sent for that domain. If you do not configure proper MX records for your domain or ot[...]

  • Page 688

    45.5.9 Adding an MX Record Click the Add icon in the MX Record table to add an MX record. Figure 389 Configuration > System > DNS > MX Record Add The following table describes the labels in this screen. 45.5.10 Adding a DNS Service Control Rule Click the Add icon in the Service Control ta[...]

  • Page 689

    The following table describes the labels in this screen. 45.6 WWW Overview The following figure shows secure and insecure management of the ZyWALL coming in from the WAN. HTTPS and SSH access are secure. HTTP and Telnet access are not secure. • See Section 6.7.1 on page 106 for related infor[...]

  • Page 690

    1 You have disabled that service in the corresponding screen. 2 The allowed IP address (address object) in the Service Control table does not match the client IP address (the ZyWALL disallows the session). 3 The IP address (address object) in the Service Control table is not in the allowed z[...]

  • Page 691

    Please refer to the following figure. 1 HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the ZyWALL's web server. 2 HTTP connection requests from a web browser go to port 80 (by default) on the ZyWALL's web server. Figure 391 HTTP/HTTP[...]

  • Page 692

    Note: Admin Service Control deals with management access (to the Web Configurator). User Service Control deals with user access to the ZyWALL (logging into SSL VPN for example). Figure 392 Configuration > System > WWW > Service Control The following table describes the labels in thi[...]

  • Page 693

    Server Port The HTTPS server listens on port 443 by default. If you change the HTTPS server port to a different number on the ZyWALL, for example 8443, then you must notify people who need to access the ZyWALL Web Configurator to use "https://ZyWALL IP Address:8443" as the URL. Authent[...]

  • Page 694

    HTTP Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL Web Configurator using HTTP connections. Server Port You may change the server port number for a service if needed, how[...]

  • Page 695

    45.6.5 Service Control Rules Click Add or Edit in the Service Control table in a WWW, SSH, Telnet, FTP or SNMP screen to add a service control rule. Figure 393 Configuration > System > Service Control Rule > Edit The following table describes the labels in this screen. 45.6.6 Customi[...]

  • Page 696

    also customize the page that displays after an access user logs into the Web Configurator to access network services like the Internet. See Chapter 35 on page 583 for more on access user accounts. Figure 394 Configuration > System > WWW > Login Page[...]

  • Page 697

    The following figures identify the parts you can customize in the login and access pages. Figure 395 Login Page Customization Figure 396 Access Page Customization You can specify colors in one of the following ways: Logo Title Message Note Message Background (last line of text) (color of all [...]

  • Page 698

    • Click Color to display a screen of web-safe colors from which to choose. • Enter the name of the desired color. • Enter a pound sign (#) followed by the six-digit hexadecimal number that represents the desired color. For example, use "#000000" for black. • Enter "rgb" fo[...]

  • Page 699

    45.6.7 HTTPS Example If you haven't changed the default HTTPS port on the ZyWALL, then in your browser enter "https://ZyWALL IP Address/" as the web site address where "ZyWALL IP Address" is the IP address or domain name of the ZyWALL you wish to access. 45.6.7.1 Internet Expl[...]

  • Page 700

    45.6.7.2 Netscape Navigator Warning Messages When you attempt to access the ZyWALL HTTPS server, a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate. Click Examine Certificate if you want to verify that the certificate is from the Zy[...]

  • Page 701

    • The issuing certificate authority of the ZyWALL's HTTPS server certificate is not one of the browser's trusted certificate authorities. The issuing certificate authority of the ZyWALL's factory default certificate is the ZyWALL itself since the certificate is a self-signed [...]

  • Page 702

    Apply for a certificate from a Certification Authority (CA) that is trusted by the ZyWALL (see the ZyWALL's Trusted CA Web Configurator screen). Figure 401 ZyWALL Trusted CA Screen The CA sends you a package containing the CA's trusted certificate(s), your personal [...]

  • Page 703

    45.6.7.5.2 Installing Your Personal Certificate(s) You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next. 1 Click Next to beg[...]

  • Page 704

    3 Enter the password given to you by the CA. Figure 405 Personal Certificate Import Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location. Figure 406 Personal Certi[...]

  • Page 705

    5 Click Finish to complete the wizard and begin the import process. Figure 407 Personal Certificate Import Wizard 5 6 You should see the following screen when the certificate is correctly installed on your computer. Figure 408 Personal Certificate Import Wizard 6 45.6.7.6 Using a Certifica[...]

  • Page 706

    2 When Authenticate Client Certificates is selected on the ZyWALL, the following screen asks you to select a personal certificate to send to the ZyWALL. This screen displays even if you only have a single certificate as in the example. Figure 410 SSL Client Authentication 3 You next see [...]

  • Page 707

    SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. In the following figure, computer A on the Internet uses SSH to securely connect to the WAN port of the ZyWALL for a man[...]

  • Page 708

    2 Encryption Method Once the identification is verified, both the client and server must agree on the type of encryption method to use. 3 Authentication and Data Transmission After the identification is verified and data encryption activated, a secure tunnel is established between the clie[...]

  • Page 709

    Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections. Figure 414 Configuration > System > SSH The following table describes the labels in this screen. Table 221 Configuration > System > SSH LABEL DESCRIPTION Enable Select the check b[...]

  • Page 710

    45.7.5 Secure Telnet Using SSH Examples This section shows two examples using a command interface and a graphical interface SSH client program to remotely access the ZyWALL. The configuration and connection steps are similar for most SSH client programs. Refer to your SSH client program[...]

  • Page 711

    Enter the password to log in to the ZyWALL. The CLI screen displays next. 45.7.5.2 Example 2: Linux This section describes how to access the ZyWALL using the OpenSSH client program that comes with most Linux distributions. 1 Test whether the SSH service is available on the ZyWALL. Enter "[...]

  • Page 712

    45.8.1 Configuring Telnet Click Configuration > System > TELNET to configure your ZyWALL for remote Telnet access. Use this screen to specify from which zones Telnet can be used to manage the ZyWALL. You can also specify from which IP addresses the access can come. Figure 418 Confi[...]

  • Page 713

    45.9 FTP You can upload and download the ZyWALL’s firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. Please see Chapter 47 on page 737 for more information about firmware and configuration files. 45.9.1 Configuring FTP To change your Z[...]

  • Page 714

    be used to access the ZyWALL. You can also specify from which IP addresses the access can come. Figure 419 Configuration > System > FTP The following table describes the labels in this screen. Table 223 Configuration > System > FTP LABEL DESCRIPTION Enable Select the check box to[...]

  • Page 715

    45.10 SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices. Your ZyWALL supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyWALL through the network. The ZyWALL supports SNMP ve [...]

  • Page 716

    and version two (SNMPv2c). The next figure illustrates an SNMP management operation. Figure 420 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL)[...]

  • Page 717

    • GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations. • Set - Allows the manager[...]

  • Page 718

    settings, including from which zones SNMP can be used to access the ZyWALL. You can also specify from which IP addresses the access can come. Figure 421 Configuration > System > SNMP The following table describes the labels in this screen. Table 225 Configuration > System > [...]

  • Page 719

    45.11 Vantage CNM Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide. See the Vantage CNM User's Guide for detai[...]

  • Page 720

    45.11.1 Configuring Vantage CNM Vantage CNM is disabled on the device by default. Click Configuration > System > Vantage CNM to configure your device’s Vantage CNM settings. Figure 422 Configuration > System > Vantage CNM The following table describes the labels in this sc[...]

  • Page 721

    Transfer Protocol Select whether the Vantage CNM sessions should use regular HTTP connections or secure HTTPS connections. Note: HTTPS is recommended. The Vantage CNM server must use the same setting. Device Management IP Select Auto to have the ZyWALL allow Vantage CNM sessions to conn[...]

  • Page 722

    45.12 Language Screen Click Configuration > System > Language to open the following screen. Use this screen to select a display language for the ZyWALL’s Web Configurator screens. Figure 423 Configuration > System > Language The following table describes the labels in this scr[...]

  • Page 723

    CHAPTER 46 Log and Report 46.1 Overview Use these screens to configure daily reporting and log settings. 46.1.1 What You Can Do in this Chapter • Use the Email Daily Report screen (Section 46.2 on page 723) to configure where and how to send daily reports and what reports to send. • Use the Main[...]

  • Page 724

    Click Configuration > Log & Report > Email Daily Report to display the following screen. Configure this screen to have the ZyWALL e-mail you system statistics every day. Figure 424 Configuration > Log & Report > Email Daily Report[...]

  • Page 725

    The following table describes the labels in this screen. 46.3 Log Setting Screens The Log Setting screens control log messages and alerts. A log message stores the information for viewing (for example, in the View Log tab) or regular e-mailing later, and an alert is e-mailed immediat[...]

  • Page 726

    The Log Setting tab also controls what information is saved in each log. For the system log, you can also specify which log messages are e-mailed, where they are e-mailed, and how often they are e-mailed. For alerts, the Log Settings tab controls which events generate alerts and where a[...]

  • Page 727

    46.3.2 Edit System Log Settings The Log Settings Edit screen controls the detailed settings for each log in the system log (which includes the e-mail profiles). Go to the Log Settings Summary screen (see Section 46.3.1 on page 726), and click the system log Edit icon. # This field is a s[...]

  • Page 728

    Figure 426 Configuration > Log & Report > Log Setting > Edit (System Log)[...]

  • Page 729

    The following table describes the labels in this screen. Table 230 Configuration > Log & Report > Log Setting > Edit (System Log) LABEL DESCRIPTION E-Mail Server 1/2 Active Select this to send log messages and alerts according to the information in this section. You spec[...]

  • Page 730

    E-mail Server 1 Use the E-Mail Server 1 drop-down list to change the settings for e-mailing logs to e-mail server 1 for all log categories. Using the System Log drop-down list to disable all logs overrides your e-mail server 1 settings. enable normal logs (green check mark) - e-mail log mes[...]

  • Page 731

    Active Select this to activate log consolidation. Log consolidation aggregates multiple log messages that arrive within the specified Log Consolidation Interval. In the View Log tab, the text “[count=x]”, where x is the number of original log messages, is appended at the end of t[...]
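The consolidation behaviour described above, as an added example that is not ZyXEL's code: identical messages arriving within the interval are merged into one entry with “[count=x]” appended. The grouping key (category plus message text), the 60-second interval, the timestamp format and the sample log lines are assumptions constructed for this example.

```python
"""Added example (not ZyXEL's code): emulate ZyWALL-style log consolidation.

Messages with the same category and text that arrive within the consolidation
interval of the group's first message are merged into one entry, and
"[count=x]" is appended when more than one original message was merged.
Grouping key, interval and timestamp format are assumptions for this example.
"""
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def consolidate(entries, interval_seconds=60):
    """Collapse repeated log messages.

    entries: iterable of (timestamp, category, message) tuples in arrival order.
    Returns a list of (timestamp, category, message) tuples; the timestamp is
    that of the first message in each group and "[count=x]" is appended to the
    message when x > 1 originals were merged. A repeat that arrives after the
    interval has elapsed starts a new group (and a new counter).
    """
    groups = []   # each group: [timestamp, category, message, start_dt, count]
    current = {}  # (category, message) -> index of the most recent group
    window = timedelta(seconds=interval_seconds)
    for ts, category, message in entries:
        arrived = datetime.strptime(ts, TS_FORMAT)
        key = (category, message)
        idx = current.get(key)
        if idx is not None and arrived - groups[idx][3] <= window:
            groups[idx][4] += 1      # within the interval: just count it
            continue
        groups.append([ts, category, message, arrived, 1])
        current[key] = len(groups) - 1
    out = []
    for ts, category, message, _start, count in groups:
        if count > 1:
            message = f"{message} [count={count}]"
        out.append((ts, category, message))
    return out


# Constructed sample log; message texts follow the manual's log tables,
# the address 192.0.2.10 is a documentation-range placeholder.
SAMPLE_LOG = [
    ("2024-01-01 00:00:00", "user", "Failed login attempt to ZyWALL from 192.0.2.10"),
    ("2024-01-01 00:00:10", "user", "Failed login attempt to ZyWALL from 192.0.2.10"),
    ("2024-01-01 00:00:20", "system", "Connect to update server has failed."),
    ("2024-01-01 00:00:45", "user", "Failed login attempt to ZyWALL from 192.0.2.10"),
    ("2024-01-01 00:02:30", "user", "Failed login attempt to ZyWALL from 192.0.2.10"),
]

if __name__ == "__main__":
    for ts, category, message in consolidate(SAMPLE_LOG):
        print(ts, category, message)
```

With the sample above the three failed logins inside the first minute become one line ending in “[count=3]”, while the one at 00:02:30 is outside the interval and stays a separate entry.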

  • Page 732

    46.3.3 Edit Remote Server Log Settings The Log Settings Edit screen controls the detailed settings for each log in the remote server (syslog). Go to the Log Settings Summary screen (see Section 46.3.1 on page 726), and click a remote server Edit icon. Figure 427 Configuration > Log &[...]

  • Page 733

    The following table describes the labels in this screen. Table 231 Configuration > Log & Report > Log Setting > Edit (Remote Server) LABEL DESCRIPTION Log Settings for Remote Server Active Select this check box to send log information according to the information in this sec[...]

  • Page 734

    46.3.4 Active Log Summary Screen The Active Log Summary screen allows you to view and to edit what information is included in the system log, e-mail profiles, and remote servers at the same time. It does not let you change other log settings (for example, where and how often log inform[...]

  • Page 735

    The following table describes the fields in this screen. Table 232 Configuration > Log & Report > Log Setting > Active Log Summary LABEL DESCRIPTION System log Use the System Log drop-down list to change the log settings for all of the log categories. disable all logs (red X[...]

  • Page 736

    System log Select which events you want to log by Log Category. There are three choices: disable all logs (red X) - do not log any information from this category enable normal logs (green checkmark) - create log messages and alerts from this category enable normal logs and debug logs (y[...]

  • Page 737

    CHAPTER 47 File Manager 47.1 Overview Configuration files define the ZyWALL’s settings. Shell scripts are files of commands that you can store on the ZyWALL and run when you need them. You can apply a configuration file or run a shell script without the ZyWALL restarting. You can store multiple configur[...]

  • Page 738

    These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below. While configuration files and shell scripts have the same syntax, the ZyWALL applies configuration files differently than it runs shell scripts. This is explain[...]

  • Page 739

    Your configuration files or shell scripts can use “exit” or a command line consisting of a single “!” to have the ZyWALL exit sub command mode. Note: “exit” or “!” must follow sub commands if it is to make the ZyWALL exit sub command mode. Line 3 in the following e[...]

  • Page 740

    47.2 The Configuration File Screen Click Maintenance > File Manager > Configuration File to open the Configuration File screen. Use the Configuration File screen to store, run, and name configuration files. You can also download configuration files from the ZyWALL to your computer [...]

  • Page 741

    The following table describes the labels in this screen. Table 234 Maintenance > File Manager > Configuration File LABEL DESCRIPTION Rename Use this button to change the label of a configuration file on the ZyWALL. You can only rename manually saved configuration files. You can[...]

  • Page 742

    Copy Use this button to save a duplicate of a configuration file on the ZyWALL. Click a configuration file’s row to select it and click Copy to open the Copy File screen. Figure 432 Maintenance > File Manager > Configuration File > Copy Specify a name for the duplicate configu[...]

  • Page 743

    Apply Use this button to have the ZyWALL use a specific configuration file. Click a configuration file’s row to select it and click Apply to have the ZyWALL use that configuration file. The ZyWALL does not have to restart in order to use a different configuration file, although you w[...]

  • Page 744

    47.3 The Firmware Package Screen Click Maintenance > File Manager > Firmware Package to open the Firmware Package screen. Use the Firmware Package screen to check your current firmware version and upload firmware to the ZyWALL. File Name This column displays the label that identifies [...]

  • Page 745

    Note: The Web Configurator is the recommended method for uploading firmware. You only need to use the command line interface if you need to recover the firmware. See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it. Find the firmware p[...]

  • Page 746

    After you see the Firmware Upload in Process screen, wait two minutes before logging in to the ZyWALL again. Figure 435 Firmware Upload In Process Note: The ZyWALL automatically reboots after a successful upload. The ZyWALL automatically restarts causing a temporary network disconn[...]

  • Page 747

    Note: You should include write commands in your scripts. If you do not use the write command, the changes will be lost when the ZyWALL restarts. You could use multiple write commands in a long script. Figure 438 Maintenance > File Manager > Shell Script Each field is described in [...]

  • Page 748

    Copy Use this button to save a duplicate of a shell script file on the ZyWALL. Click a shell script file’s row to select it and click Copy to open the Copy File screen. Figure 440 Maintenance > File Manager > Shell Script > Copy Specify a name for the duplicate file. Use up to 2[...]

  • Page 749

    CHAPTER 48 Diagnostics 48.1 Overview Use the diagnostics screens for troubleshooting. 48.1.1 What You Can Do in this Chapter • Use the Maintenance > Diagnostics screen (see Section 48.2 on page 749) to generate a file containing the ZyWALL’s configuration and diagnostic information if you need to pr[...]

  • Page 750

    The following table describes the labels in this screen. 48.3 The Packet Capture Screen Use this screen to capture network traffic going through the ZyWALL’s interfaces. Studying these packet captures may help you identify network problems. Click Maintenance > Diagnostics > Pa[...]

  • Page 751

    The following table describes the labels in this screen. Table 238 Maintenance > Diagnostics > Packet Capture LABEL DESCRIPTION Interfaces Enabled interfaces (except for virtual interfaces) appear under Available Interfaces. Select interfaces for which to capture packets and click th[...]

  • Page 752

    48.3.1 The Packet Capture Files Screen Click Maintenance > Diagnostics > Packet Capture > Files to open the packet capture files screen. This screen lists the files of packet captures the ZyWALL has performed. You can download the files to your computer where you can study them us[...]

  • Page 753

    48.3.2 Example of Viewing a Packet Capture File Here is an example of a packet capture file viewed in the Wireshark packet analyzer. Notice that the size of frame 15 on the wire is 1514 bytes while the captured size is only 1500 bytes. The ZyWALL truncated the frame because the capture [...]

  • Page 755

    CHAPTER 49 Reboot 49.1 Overview Use this to restart the device (for example, if the device begins behaving erratically). See also Section 1.5 on page 35 for information on different ways to start and stop the ZyWALL. 49.1.1 What You Need To Know If you applied changes in the Web configurator, these were s[...]

  • Page 757

    CHAPTER 50 Shutdown 50.1 Overview Use this to shut down the device in preparation for disconnecting the power. See also Section 1.5 on page 35 for information on different ways to start and stop the ZyWALL. Always use the Maintenance > Shutdown > Shutdown screen or the “shutdown” command before[...]

  • Page 759

    CHAPTER 51 Troubleshooting This chapter offers some suggestions to solve problems you might encounter. • You can also refer to the logs (see Chapter 9 on page 206). For individual log descriptions, see the User’s Guide appendix Appendix A on page 783. • For the order in which the ZyWALL applies its f[...]

  • Page 760

    • If you’ve forgotten the ZyWALL’s IP address, you can use the commands through the console port to check it. Connect your computer to the CONSOLE port using a console cable. Your computer should have a terminal emulation communications program (such as HyperTe[...]

  • Page 761

    • Make sure your ZyWALL has the content filter category service registered and that the license is not expired. Purchase a new license if the license is expired. • Make sure your ZyWALL is connected to the Internet. I configured security settings but the ZyWALL is not applyi[...]

  • Page 762

    I cannot set up a PPP interface, virtual Ethernet interface or virtual VLAN interface on an Ethernet interface. You cannot set up a PPP interface, virtual Ethernet interface or virtual VLAN interface if the underlying interface is a member of a bridge. You also cannot add an Ether[...]

  • Page 763

    • If the ZyWALL has multiple WAN interfaces, make sure their IP addresses are on different subnets. I cannot configure a particular VLAN interface on top of an Ethernet interface even though I have it configured on top of another Ethernet interface. Each VLAN interface is created[...]

  • Page 764

    matched still goes through. Since the ZyWALL erases the infected portion of the file before sending it, you may not be able to open the file. The ZyWALL is not scanning some zipped files. The ZyWALL cannot unzip password protected ZIP files or a ZIP file within another ZIP [...]

  • Page 765

    ZyWALL are overwritten with the new file. If this is not your intention, make sure that the files you import are not named ‘custom.rules’. I cannot configure some items in IDP that I can configure in Snort. Not all Snort functionality is supported in the ZyWALL. The ZyWALL’s pe[...]

  • Page 766

    • The ZyWALL may not determine the proper IP address if there is an HTTP proxy server between the ZyWALL and the DDNS server. I cannot create a second HTTP redirect rule for an incoming interface. You can configure up to one HTTP redirect rule for each (incoming) interface[...]

  • Page 767

    I cannot set up an IPSec VPN tunnel to another device. If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log in to both ZyXEL IPSec routers and check the settings in each field methodically and slowly. Make sure both t[...]

  • Page 768

    • Make sure the To-ZyWALL firewall rules allow IPSec VPN traffic to the ZyWALL. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. • The ZyWALL supports UDP port 500 and UDP port 4500 for NAT traversal. If you enable this, make sure the To-ZyWA[...]

  • Page 769

    Available resource links vary depending on the SSL application object’s configuration. I cannot download the ZyWALL’s firmware package. The ZyWALL’s firmware package cannot go through the ZyWALL when you enable the anti-virus Destroy compressed files that could not be decom[...]

  • Page 770

    I configured policy routes to manage the bandwidth of TCP and UDP traffic but the bandwidth management is not being applied properly. It is recommended to use application patrol instead of policy routes to manage the bandwidth of TCP and UDP traffic. I cannot get the RADIUS serve[...]

  • Page 771

    I cannot get a certificate to import into the ZyWALL. 1 For My Certificates, you can import a certificate that matches a corresponding certification request that was generated by the ZyWALL. You can also import a certificate in PKCS#12 format, including the certificate’s public [...]

  • Page 772

    I uploaded a logo to use as the screen or window background but it does not display properly. Make sure the logo file is a GIF, JPG, or PNG of 100 kilobytes or less. The ZyWALL’s traffic throughput rate decreased after I started collecting traffic statistics. Data collection ma[...]

  • Page 773

    See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it. My packet capture captured less than I wanted or failed. The packet capture screen’s File Size sets a maximum size limit for the total combined size of all the capture files on [...]

  • Page 774

    2 Press the RESET button and hold it until the SYS LED begins to blink. (This usually takes about five seconds.) 3 Release the RESET button, and wait for the ZyWALL to restart. You should be able to access the ZyWALL using the default settings. 51.2 Getting More Troubleshooting [...]

  • Page 775

    CHAPTER 52 Product Specifications The following specifications are subject to change without notice. See Chapter 2 on page 37 for a general overview of key features. This table provides basic device specifications. This table provides hardware specifications. Table 240 Default Login Information AT[...]

  • Page 776

    This table gives details about the ZyWALL’s features. Table 242 ZyWALL Feature Specifications FEATURE # of MAC 6 Flash Size 256 DRAM Size 256 INTERFACE VLAN 16 Virtual (alias) 4 per interface PPP (system default) 2 PPP (user created) 4 Bridge 4 ROUTING Static Routes 128 Poli[...]

  • Page 777

    Address Groups 50 Maximum address object in one group 128 Service Objects 200 Service Groups 50 Maximum service object in one group 128 Schedule Objects 32 ISP Account 8 Maximum Number of LDAP Groups 2 Maximum Number of LDAP Servers for Each LDAP Group 2 Maximum Number of RADIUS Gr[...]

  • Page 778

    Custom Signatures 16 Maximum Number of IDP Rules 16 ADP Maximum Number of ADP Profiles 8 Maximum Number of ADP Rules 16 Maximum Block Host Number 1000 Maximum Block Period 3600 CONTENT FILTER Maximum Number of Content Filter Policies 16 Maximum Number of Content Filter Profiles 16[...]

  • Page 779

    The following table, which is not exhaustive, lists standards referenced by ZyWALL features. Table 243 Standards Referenced by Features FEATURE STANDARDS REFERENCED Interface-Bridge A subset of the ANSI/IEEE 802.1d standard Interface RFCs 2131, 2132, 1541 Interface-PPP RFCs 1[...]

  • Page 780

    52.1 Power Adaptor Specifications Table 244 North American Plug Standards AC POWER ADAPTOR MODEL PSA18R-120P (ZA)-R INPUT POWER 100-240VAC, 50/60HZ, 0.5A OUTPUT POWER 12V DC, 1.5A POWER CONSUMPTION 20 W MAX. SAFETY STANDARDS UL, CUL (UL 60950-1 FIRST EDITION CSA C22.2 NO. [...]

  • Page 781

    POWER CONSUMPTION 20 W MAX. SAFETY STANDARDS CCC Table 249 China Plug Standards[...]

  • Page 783

    APPENDIX A Log Descriptions This appendix provides descriptions of example log messages for the ZLD-based ZyWALLs. The logs do not all apply to all of the ZLD-based ZyWALLs. You will not necessarily see all of these logs in your device. Table 250 Content Filter Logs LOG MESSAGE DESCRIPTION Content filte[...]

  • Page 784

    Table 252 Blocked Web Site Logs LOG MESSAGE DESCRIPTION %s :%s The rating server responded that the web site is in a specified category and access was blocked according to a content filter profile. 1st %s: website host 2nd %s: website category %s: Unrated The rating server responded th[...]

  • Page 785

    %s: Proxy mode is detected The system detected a proxy connection and blocked access according to a profile. %s: website host %s: Forbidden Web site The web site is in the forbidden web site list. %s: website host %s: Keyword blocking The web content matched a user defined keyword. %s: webs[...]

  • Page 786

    Black List checking has been activated. The anti-spam black list has been turned on. Black List checking has been deactivated. The anti-spam black list has been turned off. Black List rule %d has been added. The anti-spam black list rule with the specified index number (%d) has been ad[...]

  • Page 787

    Table 254 SSL VPN Logs LOG MESSAGE DESCRIPTION %s %s from %s has logged in SSLVPN A user has logged into SSL VPN. The first %s is the type of user account. The second %s is the user’s user name. The third %s is the name of the service the user is using (HTTP or HTTPS). %s %s from %s [...]

  • Page 788

    The %s address-object is wrong type for 'network' in SSL Policy %s. The listed address object (first %s) is not the right kind to be specified as a network in the listed SSL VPN policy (second %s). The SSL VPN policy %s has been changed 'ip-pool' value. The IP pool[...]

  • Page 789

    %s %s from %s has been logged out SSLVPN (re-auth timeout) The specified user was signed out by the device due to a re-authentication timeout. The first %s is the type of user account. The second %s is the user’s user name. The third %s is the name of the service the user is using (H[...]

  • Page 790

    The ZySH logs deal with internal system errors. Table 255 ZySH Logs LOG MESSAGE DESCRIPTION Invalid message queue. Maybe someone starts another zysh daemon. ZySH daemon is instructed to reset by %d 1st:pid num System integrity error! Group OPS cannot close property group cannot close [...]

  • Page 791

    Can't remove %s 1st:zysh list name Table OPS %s: cannot retrieve entries from table! 1st:zysh table name %s: index is out of range! 1st:zysh table name %s: cannot set entry #%d 1st:zysh table name, 2nd: zysh entry num %s: table is full! 1st:zysh table name %s: invalid old/new index! 1[...]

  • Page 792

    Table 256 ADP Logs LOG MESSAGE DESCRIPTION from <zone> to <zone> [type=<type>] <message>, Action: <action>, Severity: <severity> The ZyWALL detected an anomaly in traffic traveling between the specified zones. The <type> = {scan-detection([...]

  • Page 793

    Table 257 Anti-Virus Logs LOG MESSAGE DESCRIPTION Initializing Anti-Virus signature reference table has failed. The ZyWALL failed to initialize the anti-virus signatures due to an internal error. Reloading Anti-Virus signature database has failed. The ZyWALL failed to reload the anti[...]

  • Page 794

    AV signature update has failed. Can not update last update time. The anti-virus signatures update did not succeed. AV signature update has failed. (Replacement failure) Anti-virus signatures update failed because the ZyWALL was not able to replace the old set of anti-virus signature[...]

  • Page 795

    Anti-Virus rule %d has been modified. The anti-virus rule of the specified number has been changed. Anti-Virus rule %d has been inserted. An anti-virus rule has been inserted. %d is the number of the new rule. Anti-Virus rule %d has been appended. The anti-virus rule with the listed numb[...]

  • Page 796

    Table 258 User Logs LOG MESSAGE DESCRIPTION %s %s from %s has logged in ZyWALL A user logged into the ZyWALL. 1st %s: The type of user account. 2nd %s: The user’s user name. 3rd %s: The name of the service the user is using (HTTP, HTTPS, FTP, Telnet, SSH, or console).[...]

  • Page 797

    Failed login attempt to ZyWALL from %s (login on a lockout address) A login attempt came from an IP address that the ZyWALL has locked out. %u.%u.%u.%u: the source address of the user’s login attempt Failed login attempt to ZyWALL from %s (reach the max. number of user) The ZyWALL bl[...]

  • Page 798

    Registration has failed. Because of lack must fields. The device received an incomplete response from the myZyXEL.com server and it caused a parsing error for the device. %s:Trial service activation has failed:%s. Trial service activation failed for the specified service, an error me[...]

  • Page 799

    Do device register. The device started device registration. Do trial service activation. The device started trial service activation. Do standard service activation. The device started standard service activation. Do expiration check. The device started the service expiration day check[...]

  • Page 800

    Device has latest signature file; no need to update The device already has the latest version of the signature file so no update is needed. Connect to update server has failed. The device cannot connect to the update server. Wrong format for packets received. The device cannot parse t[...]

  • Page 801

    Get server response has failed. The device sent packets to the server, but did not receive a response. The root cause may be that the connection is abnormal. Expiration daily-check has failed:%s. The daily check for service expiration failed, an error message returned by the MyZyXEL.c[...]

  • Page 802

    Self signed certificate. Verification of a server’s certificate failed because it is self-signed. Self signed certificate in certificate chain. Verification of a server’s certificate failed because there is a self-signed certificate in the server’s certificate chain. Verify pe[...]

  • Page 803

    Enable IDP engine succeeded. The device turned on the IDP engine. Disable IDP engine succeeded. The device turned off the IDP engine. IDP service is not registered. IDP will not be activated. The IDP service has not been turned on and the IDP signatures will not be updated because t[...]

  • Page 804

    Add custom signature error: signature <sid> is over length. An attempt to add a custom IDP signature failed because the signature’s contents were too long. Edit custom signature error: signature <sid> is over length. An attempt to edit a custom IDP signature failed because[...]

  • Page 805

    from <zone> to <zone> [type=<type>] <message>, Action: <action>, Severity: <severity> The ZyWALL detected an intrusion in traffic traveling between the specified zones. The <type> = {scan-detection(<attack>) | flood-detection(<attack[...]

  • Page 806

    Duplicate sid <sid> in import file at line <linenum>. The listed signature ID is duplicated at the listed line number in the signature file. IDP rule <num> has been deleted. The listed IDP rule has been removed. IDP rule <num> has been moved to <num>. The I[...]

  • Page 807

    Protocol %s has been enabled. The listed protocol has been turned on in the application patrol. Protocol %s has been disabled. The listed protocol has been turned off in the application patrol. Classification mode of protocol %s has been modified to portless. The device will now use the p[...]

  • Page 808

    Table 262 IKE Logs LOG MESSAGE DESCRIPTION Peer has not announced DPD capability The remote IPSec router has not announced its dead peer detection (DPD) capability to this device. [COOKIE] Invalid cookie, no sa found Cannot find SA according to the cookie. [DPD] No response from peer. [...]

  • Page 809

    [SA] : Tunnel [%s] Phase 1 invalid protocol %s is the tunnel name. When negotiating Phase-1, the packet was not an ISAKMP packet in the protocol field. [SA] : Tunnel [%s] Phase 1 invalid transform %s is the tunnel name. When negotiating Phase-1, the transform ID was invalid. [SA] : Tunn[...]

  • Page 810

    Could not dial manual key tunnel "%s" %s is the tunnel name. The manual key tunnel cannot be dialed. DPD response with invalid ID A DPD response with an invalid ID was received and ignored. DPD response with no active request A DPD response was received with no active query. [...]

  • Page 811

    VPN gateway %s was enabled %s is the gateway name. An administrator enabled the VPN gateway. XAUTH fail! My name: %s %s is the device’s own XAUTH name. This indicates that this name is invalid. XAUTH fail! Remote user: %s %s is the remote XAUTH name. This indicates that a remote user’s name is[...]

  • Page 812

    Get outbound transform fail When an outgoing packet needs to be transformed, the engine cannot obtain the transform context. Inbound transform operation fail After encryption or hardware accelerated processing, the hardware accelerator dropped a packet (resource shortage, corrupt packet, i[...]

  • Page 813

    Firewall %s %s rule %d was %s. 1st %s is from zone, 2nd %s is to zone, %d is the index of the rule, 3rd %s is appended/inserted/modified. Firewall %s %s rule %d has been moved to %d. 1st %s is from zone, 2nd %s is to zone, 1st %d is the old index of the rule, 2nd %d is the new index of the r[...]

  • Page 814

    The policy route %d uses empty user group! Use an empty object group. %d: the policy route rule number The policy route %d uses empty source address group! Use an empty object group. %d: the policy route rule number The policy route %d uses empty destination address group! Use an empty [...]

  • Page 815

    Table 267 Built-in Services Logs LOG MESSAGE DESCRIPTION User on %u.%u.%u.%u has been denied access from %s HTTP/HTTPS/TELNET/SSH/FTP/SNMP access to the device was denied. %u.%u.%u.%u is IP address %s is HTTP/HTTPS/SSH/SNMP/FTP/TELNET HTTPS certificate:%s does not exist. HTTPS serv[...]

  • Page 816

    SNMP port has been changed to port %s. An administrator changed the port number for SNMP. %s is port number assigned by user SNMP port has been changed to default port. An administrator changed the port number for SNMP back to the default (161). Console baud has been changed to %s. A[...]

  • Page 817

    DNS access control rule %u has been moved to %d. An administrator moved the rule %u to index %d. %u is the previous index, %d is the current index The default record of Zone Forwarder have reached the maximum number of 128 DNS servers. The number of DNS servers in the default record exceeds 128. Int[...]

  • Page 818

    Access control rule %u of %s was modified. An access control rule was modified successfully. %u is the index of the access control rule. %s is HTTP/HTTPS/SSH/SNMP/FTP/TELNET. Access control rule %u of %s was deleted. An access control rule was removed successfully. %u is the index o[...]

  • Page 819

    DHCP Server executed with cautious mode disabled DHCP Server executed with cautious mode disabled. Received packet is not an ARP response packet A packet was received but it is not an ARP response packet. Receive an ARP response The device received an ARP response. Receive ARP response [...]

  • Page 820

    Device is rebooted by administrator! An administrator restarted the device. Insufficient memory. Cannot allocate system memory. Connect to dyndns server has failed. Cannot connect to members.dyndns.org to update DDNS. Update the profile %s has failed because of strange server response[...]

  • Page 821

    Update the profile %s has failed because the feature requested is only available to donators. Update profile failed because the feature requested is only available to donators, %s is the profile name. Update the profile %s has failed because of error response. Update profile failed becau[...]

  • Page 822

    DDNS profile %s has been renamed as %s. Rename DDNS profile, 1st %s is the original profile name, 2nd %s is the new profile name. DDNS profile %s has been deleted. Delete DDNS profile, %s is the profile name. DDNS Initialization has failed. Initialize DDNS failed, All DDNS profiles are [...]

  • Page 823

    The connectivity-check is activate for %s interface The link status of the interface is still active after the connectivity check process has run. %s: interface name The connectivity-check is fail for %s interface The link status of the interface is failed after the connectivity check process[...]

  • Page 824

    Can't get MAC address of %s interface! The connectivity check process can't get the MAC address of the interface. %s: interface name To send ARP REQUEST error! The connectivity check process can't send an ARP request packet. The %s routing status seted to DEAD by connectivity-check [...]

  • Page 825

    RIP redistribute static routes has been enabled. RIP redistribute static routes has been enabled. RIP on interface %s has been deactivated. RIP on interface %s has been deactivated. %s: Interface Name RIP direction on interface %s has been changed to BiDir. RIP direction on interface %s[...]

  • Page 826

    Invalid OSPF %s authentication of area %s. OSPF md5 or text authentication has been set without setting md5 authentication id and key, or text authentication key first. Invalid OSPF virtual-link %d md5 authentication of area %s. Virtual-link %s md5 authentication has been set without[...]

  • Page 827

    %s SIP ALG has succeeded. The SIP ALG has been turned on or off. %s: Enable or Disable Extra signal port of SIP ALG has been modified. Extra SIP ALG port has been changed. Signal port of SIP ALG has been modified. Default SIP ALG port has been changed. Register SIP ALG extra port=%d fail[...]

  • Page 828

    Prepare to import "%s" into "My Certificate" %s is the name of a certificate request. Prepare to import "%s" into "Trusted Certificate" %s is the name of a certificate request. CMP enrollment "%s" successfully, CA "%s", URL "%s&[...]

  • Page 829

    Export X509 certificate "%s" from "My Certificate" failed The device was not able to export an x509 format certificate from My Certificates. %s is the certificate request name. Export X509 certificate "%s" from "Trusted Certificate" failed The device[...]

  • Page 830

    15 CRL is too old. 16 CRL is not valid. 17 CRL signature was not verified correctly. 18 CRL was not found (anywhere). 19 CRL was not added to the cache. 20 CRL decoding failed. 21 CRL is not currently valid, but in the future. 22 CRL contains duplicate serial numbers. 23 Time interv[...]

  • Page 831

    (%s MTU - 8) < %s MTU, %s may not work correctly. An administrator configured an ethernet, vlan or bridge interface that is the base interface of a PPP interface. PPP interface MTU > (base interface MTU - 8), so the PPP interface may not run correctly because PPP packets will be fragmented by [...]

  • Page 832

    Interface %s is disconnected. A PPP interface disconnected successfully. %s: interface name. Interface %s connect failed: Peer not responding. The interface’s connection will be terminated because the server did not send any LCP packets. %s: interface name. Interface %s connect fai[...]

  • Page 833

    "SIM card of interface cellular%d in %s is damaged or not inserted. Please remove the device, then check the SIM card. The SIM card for the cellular device associated with the listed cellular interface (%d) cannot be detected. The SIM card may be missing, not inserted properly, or d[...]

  • Page 834

    Interface cellular%d required authentication password. Please set password in cellular%d edit page. You need to manually enter the password for the listed cellular interface (%d). "Cellular%d (IMSI=%s or ESN=%s) over time budget!(budget = %d seconds). The listed cellular interface [...]

  • Page 835

    Duplicated interface name. A duplicate name was not permitted for an interface. This Interface can not be renamed. An interface’s name cannot be changed. Virtual interface is not supported on this type of interface. A virtual interface was not created on an interface because the type o[...]

  • Page 836

    name=%s,status=%s,TxPkts=%u,RxPkts=%u,Colli.=%u,TxB/s=%u,RxB/s=%u,UpTime=%s This log is sent to the VRPT server to show the specified PPP/Cellular interface’s statistics and uptime. The arguments represent the interface name, interface status, interface Tx packets, interface Rx [...]

  • Page 837

    Table 277 Force Authentication Logs LOG MESSAGE DESCRIPTION Force User Authentication will be enabled due to http server is enabled. Force user authentication will be turned on because the HTTP server was turned on. Force User Authentication will be disabled due to http server is disabled. [...]

  • Page 838

    Running %s... An administrator ran the listed shell script. %s is script file name. Going to rollback previous running-config. Applying the configuration file failed and the ZyWALL is going to roll back to the previous running-config. Table 279 DHCP Logs LOG MESSAGE DESCRIPTION Can&[...]

  • Page 839

    Failed to send report. Mail From address %s1 is inconsistent with SMTP account %s2. The user name and password configured for authenticating with the e-mail server are correct, but the (listed) sender e-mail address does not match the (listed) SMTP e-mail account. Failed to connect to ma[...]

  • Page 840

    Table 283 EPS Logs LOG MESSAGE DESCRIPTION Windows service pack check fail in %s The Windows service pack on a user’s computer did not match the specified EPS object. Windows auto update check fail in %s The Windows automatic update setting on a user’s computer did not match the s[...]

  • Page 841

    APPENDIX B Common Services The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Numbers Authority) web site. • Name: This is a short, descriptiv[...]

  • Page 842

    ESP (IPSEC_TUNNEL) User-Defined 50 The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service. FINGER TCP 79 Finger is a UNIX or Internet related command that can be used to find out if a user is logged on. FTP TCP TCP 20 21 File Transfer Program, a program t[...]

  • Page 843

    PPTP TCP 1723 Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the control channel. PPTP_TUNNEL (GRE) User-Defined 47 PPTP (Point-to-Point Tunneling Protocol) enables secure transfer of data over public networks. This is the data channe[...]

  • Page 844

    TFTP UDP 69 Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol). VDOLIVE TCP 7000 Another videoconferencing solution. Table 284 Commonly Used Services (continu[...]

  • Page 845

    APPENDIX C Importing Certificates This appendix shows you how to import public key certificates into your web browser. Public key certificates are used by web browsers to ensure that a secure web site is legitimate. When a certificate authority such as VeriSign, Comodo, or Network Solutions, to name a few, re[...]

  • Page 846

    1 If your device’s Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error. Figure 447 Internet Explorer 7: Certification Error 2 Click Continue to this website (not recommended). Figure 448 Intern[...]

  • Page 847

    4 In the Certificate dialog box, click Install Certificate. Figure 450 Internet Explorer 7: Certificate 5 In the Certificate Import Wizard, click Next. Figure 451 Internet Explorer 7: Certificate Import Wizard[...]

  • Page 848

    6 If you want Internet Explorer to Automatically select certificate store based on the type of certificate, click Next again and then go to step 9. Figure 452 Internet Explorer 7: Certificate Import Wizard 7 Otherwise, select Place all certificates in the following store and the[...]

  • Page 849

    8 In the Select Certificate Store dialog box, choose a location in which to save the certificate and then click OK. Figure 454 Internet Explorer 7: Select Certificate Store 9 In the Completing the Certificate Import Wizard screen, click Finish. Figure 455 Internet Explorer 7: C[...]

  • Page 850

    10 If you are presented with another Security Warning, click Yes. Figure 456 Internet Explorer 7: Security Warning 11 Finally, click OK when presented with the successful certificate installation message. Figure 457 Internet Explorer 7: Certificate Import Wizard 12 The next ti[...]

  • Page 851

    Installing a Stand-Alone Certificate File in Internet Explorer Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you. 1 Double-click the public k[...]

  • Page 852

    1 Open Internet Explorer and click Tools > Internet Options. Figure 461 Internet Explorer 7: Tools Menu 2 In the Internet Options dialog box, click Content > Certificates. Figure 462 Internet Explorer 7: Internet Options[...]

  • Page 853

    3 In the Certificates dialog box, click the Trusted Root Certification Authorities tab, select the certificate that you want to delete, and then click Remove. Figure 463 Internet Explorer 7: Certificates 4 In the Certificates confirmation, click Yes. Figure 464 Internet Explore[...]

  • Page 854

    6 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. Firefox The following example uses Mozilla Firefox 2 on Windows XP Professional; however, the screens can also apply to Firefox 2 on all platforms. 1 If y[...]

  • Page 855

    3 The certificate is stored and you can now connect securely to the Web Configurator. A sealed padlock appears in the address bar, which you can click to open the Page Info > Security window to view the web page’s security information. Figure 467 Firefox 2: Page Info Ins[...]

  • Page 856

    1 Open Firefox and click Tools > Options. Figure 468 Firefox 2: Tools Menu 2 In the Options dialog box, click Advanced > Encryption > View Certificates. Figure 469 Firefox 2: Options[...]

  • Page 857

    3 In the Certificate Manager dialog box, click Web Sites > Import. Figure 470 Firefox 2: Certificate Manager 4 Use the Select File dialog box to locate the certificate and then click Open. Figure 471 Firefox 2: Select File 5 The next time you visit the web site, click the [...]

  • Page 858

    Removing a Certificate in Firefox This section shows you how to remove a public key certificate in Firefox 2. 1 Open Firefox and click Tools > Options. Figure 472 Firefox 2: Tools Menu 2 In the Options dialog box, click Advanced > Encryption > View Certificates. Fi[...]

  • Page 859

    3 In the Certificate Manager dialog box, select the Web Sites tab, select the certificate that you want to remove, and then click Delete. Figure 474 Firefox 2: Certificate Manager 4 In the Delete Web Site Certificates dialog box, click OK. Figure 475 Firefox 2: Delete Web Si[...]

  • Page 860

    1 If your device’s Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error. 2 Click Install to accept the certificate. Figure 476 Opera 9: Certificate signer not found 3 The next time you visit the [...]

  • Page 861

    Installing a Stand-Alone Certificate File in Opera Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you. 1 Open Opera and click Tools > Pref[...]

  • Page 862

    2 In Preferences, click Advanced > Security > Manage certificates. Figure 479 Opera 9: Preferences[...]

  • Page 863

    3 In the Certificates Manager, click Authorities > Import. Figure 480 Opera 9: Certificate manager 4 Use the Import certificate dialog box to locate the certificate and then click Open. Figure 481 Opera 9: Import certificate[...]

  • Page 864

    5 In the Install authority certificate dialog box, click Install. Figure 482 Opera 9: Install authority certificate 6 Next, click OK. Figure 483 Opera 9: Install authority certificate 7 The next time you visit the web site, click the padlock in the address bar to open the Secu[...]

  • Page 865

    1 Open Opera and click Tools > Preferences. Figure 484 Opera 9: Tools Menu 2 In Preferences, click Advanced > Security > Manage certificates. Figure 485 Opera 9: Preferences[...]

  • Page 866

    3 In the Certificates manager, select the Authorities tab, select the certificate that you want to remove, and then click Delete. Figure 486 Opera 9: Certificate manager 4 The next time you go to the web site that issued the public key certificate you just removed, a c[...]

  • Page 867

    2 Click Continue. Figure 487 Konqueror 3.5: Server Authentication 3 Click Forever when prompted to accept the certificate. Figure 488 Konqueror 3.5: Server Authentication 4 Click the padlock in the address bar to open the KDE SSL Information window and view the web page’s sec[...]

  • Page 868

    Installing a Stand-Alone Certificate File in Konqueror Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you. 1 Double-click the public key cert [...]

  • Page 869

    3 The next time you visit the web site, click the padlock in the address bar to open the KDE SSL Information window to view the web page’s security details. Removing a Certificate in Konqueror This section shows you how to remove a public key certificate in Konqueror 3.5. 1 [...]

  • Page 870

    4 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. Note: There is no confirmation when you remove a certificate authority, so be absolutely certain you want to go through with it before clicking the butto[...]

  • Page 871

    APPENDIX D Open Software Announcements End-User License Agreement for “ZyWALL USG 50” WARNING: ZyXEL Communications Corp. IS WILLING TO LICENSE THE SOFTWARE TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS LICENSE AGREEMENT. PLEASE READ THE TERMS CAREFULLY BEFORE COM[...]

  • Page 872

    therein shall remain at all times with ZyXEL. Any other use of the Software by any other entity is strictly forbidden and is a violation of this License Agreement. 3. Copyright The Software and Documentation contain material that is protected by International Copyright Law [...]

  • Page 873

    You acknowledge that the Software contains proprietary trade secrets of ZyXEL and you hereby agree to maintain the confidentiality of the Software using at least as great a degree of care as you use to maintain the confidentiality of your own most confidential information[...]

  • Page 874

    THIS LICENSE AGREEMENT IS EXPRESSLY MADE SUBJECT TO ANY APPLICABLE LAWS, REGULATIONS, ORDERS, OR OTHER RESTRICTIONS ON THE EXPORT OF THE SOFTWARE OR INFORMATION ABOUT SUCH SOFTWARE WHICH MAY BE IMPOSED FROM TIME TO TIME. YOU SHALL NOT EXPORT THE SOFTWARE, DOCU[...]

  • Page 875

    NOTE: Some components of this product incorporate source code covered under the open source code licenses. Further, for at least three (3) years from the date of distribution of the applicable product or software, we will give to anyone who contacts us at the ZyXEL Tec[...]

  • Page 876

    The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF ME[...]

  • Page 877

    --------------- /* ==================================================== * Copyright (c) 1998-2008 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following condi[...]

  • Page 878

    * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknow[...]

  • Page 879

    * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ Original SSLeay License ----------------------- /* Copyright (C) 1995-1998 Eric Young (eay@[...]

  • Page 880

    * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, ar[...]

  • Page 881

    * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT [...]

  • Page 882

    This is the BSD license without the obnoxious advertising clause. It's also known as the "modified BSD license." Note that the University of California now prefers this license to the BSD license with advertising clause, and now allows BSD itself to be used[...]

  • Page 883

    OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. This Product includes httpd software developed by the Apache Software Foundation under Apache License. Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR U[...]

  • Page 884

    work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of a[...]

  • Page 885

    (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source f[...]

  • Page 886

    8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liabl[...]

  • Page 887

    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS[...]

  • Page 888

    Public License is the better strategy to use in any particular case, based on the explanations below. When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribu[...]

  • Page 889

    derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library. We ca[...]

  • Page 890

    software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with mo[...]

  • Page 891

    part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the inten[...]

  • Page 892

    significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small macr[...]

  • Page 893

    include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. It may happen that this req[...]

  • Page 894

    License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free red[...]

  • Page 895

    NO WARRANTY 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS"[...]

  • Page 896

    commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licens[...]

  • Page 897

    copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of havi[...]

  • Page 898

    Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 a[...]

  • Page 899

    all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribut[...]

  • Page 900

    Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the aut[...]

  • Page 901

    The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright [...]

  • Page 902

    NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE[...]

  • Page 903

    Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted. This Product includes libpng software under the Libpng License This copy of the libpng notices[...]

  • Page 904

    disclaimer and license as libpng-0.96, with the following individuals added to the list of Contributing Authors: Tom Lane Glenn Randers-Pehrson Willem van Schaik libpng versions 0.89, June 1996, through 0.96, May 1997, are Copyright (c) 1996, 1997 Andreas Dilger Dist[...]

  • Page 905

    2. Altered versions must be plainly marked as such and must not be misrepresented as being the original source. 3. This Copyright notice may not be removed or altered from any source or altered source distribution. The Contributing Authors and Group 42, Inc. specifically [...]

  • Page 906

    This Product includes pcmcia-cs software under the MPL License Mozilla Public License Version 1.1 1. Definitions. 1.0.1. "Commercial Use" means distribution or otherwise making the Covered Code available to a third party. 1.1. "Contributor" means ea[...]

  • Page 907

    1.8.1. "Licensable" means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently acquired, any and all of the rights conveyed herein. 1.9. "Modifications" means any addition to or[...]

  • Page 908

    2.1. The Initial Developer Grant. The Initial Developer hereby grants You a world-wide, royalty-free, non-exclusive license, subject to third party intellectual property claims: a. under intellectual property rights (other than patent or trademark) Licensable by Ini[...]

  • Page 909

    The Modifications which You create or to which You contribute are governed by the terms of this License, including without limitation Section 2.2. The Source Code version of Covered Code may be distributed only under the terms of this License or a future version of this Lice[...]

  • Page 910

    (b) Contributor APIs If Contributor's Modifications include an application programming interface and Contributor has knowledge of patent licenses which are reasonably necessary to implement that API, Contributor must also include this information in the legal file. (c)[...]

  • Page 911

    alone, not by the Initial Developer or any Contributor. You hereby agree to indemnify the Initial Developer and every Contributor for any liability incurred by the Initial Developer or such Contributor as a result of any such terms You offer. 3.7. Larger Wor[...]

  • Page 912

    "MOZILLAPL", "MOZPL", "Netscape", "MPL", "NPL" or any confusingly similar phrase do not appear in your license (except to note that your license differs from this License) and (b) otherwise make it clear that Your version[...]

  • Page 913

    payment arrangement are not mutually agreed upon in writing by the parties or the litigation claim is not withdrawn, the rights granted by Participant to You under Sections 2.1 and/or 2.2 automatically terminate at the expiration of the 60 day notice period specified ab[...]

  • Page 914

    11. Miscellaneous This License represents the complete agreement concerning subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. This License shall be gove[...]

  • Page 915

    The Original Code is ______________________________________. The Initial Developer of the Original Code is ________________________. Portions created by ______________________ are Copyright (C) ______ _______________________. All Rights Reserved. Contributor(s): ___________[...]

  • Page 916


  • Page 917

    APPENDIX E Legal Information Copyright Copyright © 2010 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, me[...]

  • Page 918

    • This device may not cause harmful interference. • This device must accept any interference received, including interference that may cause undesired operations. This device has been tested and found to comply with the limits for a Class B digital device pursuant to Part [...]

  • Page 919

    Notices Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment. This Class B digital apparatus complies with Canadian ICES-003. Cet appareil numérique de la classe B est conforme à la nor[...]

  • Page 920

    To obtain the services of this warranty, contact your vendor. You may also refer to the warranty policy for the region in which you bought the device at http://www.zyxel.com/web/support_warranty_info.php. Registration Register your product online to receive e-mai[...]

  • Page 921

    Index Numerics 3322 Dynamic DNS 315 3DES 400 3G 113 3G see also cellular 237 A AAA Base DN 620 Bind DN 620, 623 directory structure 619 Distinguished Name, see DN DN 620, 621, 623, 624 password 623 port 622, 625 search time limit 623 SSL 623 AAA server 617 AD 619 and users 584 directory service 617 LDAP [...]

  • Page 922

    types of 599 where used 105 address record 685 admin user troubleshooting 770 admin users 583 multiple logins 594 see also users 583 ADP 513 base profiles 514, 517 configuration overview 103 false negatives 518 false positives 518 inline profile 518 monitor profile 518 port scanning 525 prerequisites 103 [...]

  • Page 923

    APN 241 Application Layer Gateway, see ALG application order 91 application patrol 437 actions 438 and firewall 438 and HTTP redirect 332 bandwidth management 439 bandwidth management behavior 441 bandwidth management examples 443 bandwidth statistics 188 classification 438 configuration overview 102 con[...]

  • Page 924

    and routing protocols 309 MD5 309, 400 SHA1 400 text 309 Authentication Header, see AH authentication method objects 627 and users 584 and WWW 694 create 629 example 627 where used 105 authentication policy 349 exceptional services 352 authentication type 73, 657 Authentication, Authorization, Accounting s[...]

  • Page 925

    certificate troubleshooting 771 Certificate Authority (CA) see certificates Certificate Management Protocol (CMP) 641 Certificate Revocation List (CRL) 634 vs OCSP 653 certificates 633 advantages of 634 and CA 634 and FTP 714 and HTTPS 690 and IKE SA 405 and SSH 709 and VPN gateways 378 and WWW 693 certific[...]

  • Page 926

    and address objects 533, 534, 539 and registration 538, 540, 542 and schedules 533, 534 and user groups 533 and users 533 by category 534, 544 by keyword (in URL) 534, 555 by URL 534, 554 by web feature 534, 554 cache 200, 556 categories 544 category service 542 configuration overview 104 default[...]

  • Page 927

    directory service 617 file structure 619 directory traversal attack 529 directory traversals 529 disclaimer 5, 917 Distinguished Name (DN) 620, 621, 623, 624 Distributed Denial of Service (DDoS) attacks 490 distributed port scans 526 DN 620, 621, 623, 624 DNS 681 address records 685 domain name forwa[...]

  • Page 928

    and VPN gateways 378 IKE SA 404 ext-user troubleshooting 770 F false negatives 486, 518 false positives 486, 518, 520 FCC interference statement 917 feature specifications 776 features overview 37 file decompression (in anti-virus) 470 file extensions configuration files 737 shell scripts 737 file infector [...]

  • Page 929

    ge2 32 ge3 32 Generic Routing Encapsulation, see GRE. global SSL setting 416 user portal logo 418 GRE 270 GSM 242 Guide CLI Reference 3 Quick Start 3 H header checksum 498 host-based intrusions 510 HSDPA 242 HTTP inspection 521, 529 over SSL, see HTTPS redirect to HTTPS 693 vs HTTPS 691 HTTP redirect 331 [...]

  • Page 930

    Snort signatures 511 statistics 196 traffic directions 479 trial service activation 212 troubleshooting 760, 764 troubleshooting signatures update 760 verifying custom signatures 509 IEEE 802.1q VLAN IGP (Interior Gateway Protocol) 525 IHL (IP Header Length) 497 IIS backslash-evasion attack 530 emulation 53[...]

  • Page 931

    Internet Protocol Security, see IPSec Internet Protocol (IP) 497 intrusions host 510 network 511 Intrusion, Detection and Prevention see IDP 479 IP address 32 IP alias, see virtual interfaces IP decoy portscan 526 IP distributed portscan 526 IP options 498, 503 IP policy routing, see policy routes IP pool 4[...]

  • Page 932

    IP/MAC binding 343 exempt list 347 monitor 181 static DHCP 346 ISP account CHAP 657 CHAP/PAP 657 MPPE 657 MSCHAP 657 MSCHAP-V2 657 PAP 657 ISP accounts 655 and PPPoE/PPTP interfaces 231, 655 authentication type 657 encryption method 657 stac compression 658 J Java 554 permissions 43 JavaScripts 43 K key pa[...]

  • Page 933

    configuration overview 107 descriptions 783 e-mail profiles 725 e-mailing log messages 207, 729 formats 727 log consolidation 730 settings 725 syslog servers 725 system 725 types of 725 loose source routing 498 M MAC address and VLAN 247 Ethernet interface 225 range 159 macro virus 477 mail sessions thres[...]

  • Page 934

    Name Server, see NBNS. NetBIOS Name Server, see NBNS NetMeeting 342 see also H.323 Netscape Navigator 43 network access mode 40 full tunnel 41, 411 Network Address Translation, see NAT network list, see SSL 416 network policy, see VPN connections Network Time Protocol (NTP) 679 network-based intrusion[...]

  • Page 935

    P P2P (Peer-to-peer) 490 attacks 490 see also Peer-to-peer packet flow 91 inspection signatures 483, 487 scan 464 statistics 170, 172 packet capture 750 example 753 files 752 troubleshooting 773 packet captures downloading files 752 padding 498 PAP (Password Authentication Protocol) 657 password 32 Password[...]

  • Page 936

    PPP interfaces subnet mask 266 PPPoE 270 and RADIUS 270 TCP port 1723 270 PPPoE/PPTP interfaces 216, 231 and ISP accounts 231, 655 basic characteristics 217 gateway 231 subnet mask 231 PPTP 270 and GRE 270 as VPN 270 privacy concerns 545 problems 759 product overview 31 registration 920 profiles packet insp[...]

  • Page 937

    anti-virus 194 collecting data 176 configuration overview 107 content filtering 198 daily 724 daily e-mail 724 IDP 196 specifications 178 traffic statistics 175 reset 773 vs reboot 755 RESET button 35, 773 RFC 1058 (RIP) 298 1389 (RIP) 298 1587 (OSPF areas) 300 1631 (NAT) 293 1889 (RTP) 342 2131 (DHCP) 26[...]

  • Page 938

    and firewall 606 and IP protocols 606 and policy routes 606 service subscription status 214 services 605, 841 and firewall 370 and port triggering 290 subscription 210 where used 105 Session Initiation Protocol, see SIP session limits 360, 370 sessions 178 sessions usage 160, 164 severity (IDP) 485, 489 SH[...]

  • Page 939

    and certificates 709 and zones 710 client requirements 708 encryption methods 708 for secure Telnet 710 how connection is established 707 versions 708 with Linux 711 with Microsoft Windows 710 SSL 411, 416, 690 access policy 411 and AAA 623 and AD 623 and LDAP 623 certificates 422 client 433 client vir[...]

  • Page 940

    content filtering 212 IDP 212 new IDP/AppPatrol signatures 212 see also IDP SSL VPN 210 SSL VPN, see also SSL VPN status 214, 448, 467 upgrading 214 supported browsers 43 SWM 285 SYN flood 528 syntax conventions 6 syslog 727, 733 syslog servers, see also logs system log, see logs system name 159, 676 sys[...]

  • Page 941

    ext-user 770 firewall 761 firmware package 769 firmware upload 772 FTP 766 HTTP redirect 766 H.323 766 IDP 760, 764 IDP signatures update 760 interface 761 Internet access 760, 769 IPSec VPN 767 LEDs 759 logo 771 logs 772 management access 771 packet capture 773 packet flow 91 performance 763, 764, 765 p[...]

  • Page 942

    local user database 619 user awareness 585 User Datagram Protocol, see UDP user group objects 583 user groups 583, 585 and content filtering 533 and firewall 370, 373 and policy routes 287, 288, 451, 454, 457, 460 configuration overview 106 user name 32 rules 586 user objects 583 user portal links 65[...]

  • Page 943

    VLAN interfaces 216, 248 and Ethernet interfaces 248, 763 basic characteristics 217 VoIP pass through 342 and firewall 338 and NAT 338 and policy routes 337, 338 see also ALG 336 VPN 375 active protocol 405 and NAT 403 and the firewall 360 basic troubleshooting 767 IKE SA, see IKE SA IPSec 375 IPSec SA [...]

  • Page 944

    and VPN 88, 311 and WWW 695 block intra-zone traffic 314, 366 configuration overview 98 default 89 extra-zone traffic 312 inter-zone traffic 312 intra-zone traffic 312 prerequisites 98 types of traffic 312 where used 98 ZyWALL terminology differences 91 ZyXEL web site 4[...]