ZyXEL Communications unified security gateway manual


A good user manual

The rules should oblige the seller to give the purchaser an operating instruction for the ZyXEL Communications unified security gateway along with the item. A missing instruction, or false information given to the customer, constitutes grounds for a complaint because of nonconformity of the goods with the contract. In accordance with the law, a customer can receive an instruction in non-paper form; lately, graphic and electronic forms of manuals, as well as instructional videos, have been widely used. A necessary precondition for this is that the instruction be unmistakable and legible.

What is an instruction?

The term originates from the Latin word "instructio", which means organizing. Therefore, in an instruction for the ZyXEL Communications unified security gateway one can find a process description. An instruction's purpose is to teach, and to ease the start-up and use of an item or the performance of certain activities. An instruction is a compilation of information about an item or a service; it is a hint.

Unfortunately, only a few customers take the time to read the instruction for the ZyXEL Communications unified security gateway. A good user manual introduces us to a number of additional functionalities of the purchased item, and also helps us to avoid most defects.

What should a perfect user manual contain?

First and foremost, a user manual for the ZyXEL Communications unified security gateway should contain:
- information concerning the technical data of the ZyXEL Communications unified security gateway
- the name of the manufacturer and the year of construction of the ZyXEL Communications unified security gateway item
- rules of operation, control and maintenance of the ZyXEL Communications unified security gateway item
- safety signs and mark certificates which confirm compatibility with appropriate standards

Why don't we read the manuals?

Usually it results from a lack of time and from certainty about the functionalities of purchased items. Unfortunately, networking and start-up of the ZyXEL Communications unified security gateway alone are not enough. An instruction contains a number of hints concerning respective functionalities, safety rules, maintenance methods (what means should be used), possible defects of the ZyXEL Communications unified security gateway, and methods of problem resolution. Finally, when one still can't find the answer to a problem, one will be directed to the ZyXEL Communications service. Lately, animated manuals and instructional videos have become quite popular among customers. These kinds of user manuals are effective; they ensure that a customer becomes familiar with the whole material and does not skip complicated, technical information about the ZyXEL Communications unified security gateway.

Why should one read the manuals?

It is mostly in the manuals that we will find the details concerning the construction and capabilities of the ZyXEL Communications unified security gateway item and its use of respective accessories, as well as information concerning all the functions and facilities.

After a successful purchase of an item, one should find a moment to get to know every part of the instruction. Currently, manuals are carefully prepared and translated so that they can be fully understood by their users. The manuals will serve as an informational aid.

Table of contents for the manual

  • Page 1

    www.zyxel.com ZyWALL USG 20/20W Unified Security Gateway Copyright © 2011 ZyXEL Communications Corporation Version 2.21 Edition 4, 4/2011 Default Login Details LAN Port P2, P3 IP Address https://192.168.1.1 User Name admin Password 1234[...]

  • Page 2

    [...]

  • Page 3

    About This User's Guide ZyWALL USG 20/20W User’s Guide 3 About This User's Guide Intended Audience This manual is intended for people who want to configure the ZyWALL using the Web Configurator. How To Use This Guide • Read Chapter 1 on page 29 for an overview of features available on the ZyWALL. • Read Ch[...]

  • Page 4

    About This User's Guide ZyWALL USG 20/20W User’s Guide 4 • Web Configurator Online Help Click the help icon in any screen for help in configuring that screen and supplementary information. • ZyXEL Web Site Please refer to www.zyxel.com for additional support documentation and product certifications. User Guide Feedback Help us he[...]

  • Page 5

    About This User's Guide ZyWALL USG 20/20W User’s Guide 5 • Forum This contains discussions on ZyXEL products. Learn from others who use ZyXEL products and share your experiences as well. Customer Support Should problems arise that cannot be solved by the methods listed above, you should contact your vendor. If you cannot conta[...]

  • Page 6

    Document Conventions ZyWALL USG 20/20W User’s Guide 6 Document Conventions Warnings and Notes These are how warnings and notes are shown in this User’s Guide. Warnings tell you about things that could harm you or your device. Note: Notes tell you other important information (for example, other things you may need to configure or helpful [...]

  • Page 7

    Document Conventions ZyWALL USG 20/20W User’s Guide 7 Icons Used in Figures Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. ZyWALL Computer Notebook computer Server Firewall Telephone Switch Router[...]

  • Page 8

    Safety Warnings ZyWALL USG 20/20W User’s Guide 8 Safety Warnings • Do NOT use this product near water, for example, in a wet basement or near a swimming pool. • Do NOT expose your device to dampness, dust or corrosive liquids. • Do NOT store things on the device. • Do NOT install, use, or service this device during a thunderstorm[...]

  • Page 9

    Contents Overview ZyWALL USG 20/20W User’s Guide 9 Contents Overview User’s Guide ... 27 Introducing the ZyWALL ...[...]

  • Page 10

    Contents Overview ZyWALL USG 20/20W User’s Guide 10 Schedules ... 567 AAA Server ... 57[...]

  • Page 11

    Table of Contents ZyWALL USG 20/20W User’s Guide 11 Table of Contents About This User's Guide ... 3 Document Conventions ... 6 Safety[...]

  • Page 12

    Table of Contents ZyWALL USG 20/20W User’s Guide 12 Chapter 4 Installation Setup Wizard ... 59 4.1 Installation Setup Wizard Screens ... 59 4.1.1 Internet [...]

  • Page 13

    Table of Contents ZyWALL USG 20/20W User’s Guide 13 6.5.1 Feature ... 95 6.5.2 Licensing Registration ...[...]

  • Page 14

    Table of Contents ZyWALL USG 20/20W User’s Guide 14 7.5 How to Configure User-aware Access Control ... 120 7.5.1 Set Up User Accounts ... 120 7.5.2 Set Up User Groups ...[...]

  • Page 15

    Table of Contents ZyWALL USG 20/20W User’s Guide 15 8.2.3 The Active Sessions Screen ... 173 8.2.4 The VPN Status Screen ... 174 8.2.5 The DHCP Table Scree[...]

  • Page 16

    Table of Contents ZyWALL USG 20/20W User’s Guide 16 11.2 Port Role ... 220 11.3 Ethernet Summary Screen ...[...]

  • Page 17

    Table of Contents ZyWALL USG 20/20W User’s Guide 17 Chapter 14 Routing Protocols ... 313 14.1 Routing Protocols Overview ... 313 14.1.1 Wha[...]

  • Page 18

    Table of Contents ZyWALL USG 20/20W User’s Guide 18 18.2.1 The HTTP Redirect Edit Screen ... 350 Chapter 19 ALG ... 351 19.1 ALG Ove[...]

  • Page 19

    Table of Contents ZyWALL USG 20/20W User’s Guide 19 23.1 IPSec VPN Overview ... 391 23.1.1 What You Can Do in this Chapter ... 391 23.1.2 What You Need to Know ..[...]

  • Page 20

    Table of Contents ZyWALL USG 20/20W User’s Guide 20 27.6 Uninstalling the ZyWALL SecuExtender ... 452 Chapter 28 Bandwidth Management ... 453 28.1 Overview ...[...]

  • Page 21

    Table of Contents ZyWALL USG 20/20W User’s Guide 21 31.1 Overview ... 513 31.2 Viewing Content Filter Reports ... 513 Chapter 32 [...]

  • Page 22

    Table of Contents ZyWALL USG 20/20W User’s Guide 22 35.1 Overview ... 561 35.1.1 What You Can Do in this Chapter ... 561 35.1.2 What You Need[...]

  • Page 23

    Table of Contents ZyWALL USG 20/20W User’s Guide 23 39.1.2 What You Need to Know ... 589 39.1.3 Verifying a Certificate ... 591 39.2 The My Certificates Scree[...]

  • Page 24

    Table of Contents ZyWALL USG 20/20W User’s Guide 24 43.4.2 Time Server Synchronization ... 635 43.5 Console Port Speed ... 636 43.6 DNS Overview ... [...]

  • Page 25

    Table of Contents ZyWALL USG 20/20W User’s Guide 25 44.2 Email Daily Report ... 679 44.3 Log Setting Screens ... 681 44.3.1 Log [...]

  • Page 26

    Table of Contents ZyWALL USG 20/20W User’s Guide 26 49.1 Overview ... 725 49.1.1 What You Need To Know ... 725 49.2 The Shutdown[...]

  • Page 27

    27 PART I User’s Guide[...]

  • Page 28

    28[...]

  • Page 29

    ZyWALL USG 20/20W User’s Guide 29 CHAPTER 1 Introducing the ZyWALL This chapter gives an overview of the ZyWALL. It explains the front panel ports, LEDs, introduces the management methods, and lists different ways to start or stop the ZyWALL. 1.1 Overview and Key Default Settings The ZyWALL is a comprehensive security device. Its flexib[...]

  • Page 30

    Chapter 1 Introducing the ZyWALL ZyWALL USG 20/20W User’s Guide 30 1 Screw the two screws provided with your ZyWALL into the wall 150 mm apart (see the figure in step 2). Use screws with 6 mm ~ 8 mm (0.24" ~ 0.31") wide heads. Do not screw the screws all the way in to the wall; leave a small gap between the head of the screw and th[...]

  • Page 31

    Chapter 1 Introducing the ZyWALL ZyWALL USG 20/20W User’s Guide 31 The ZyWALL should be wall-mounted horizontally. The ZyWALL's side panels with ventilation slots should not be facing up or down as this position is less safe. USG 20W[...]

  • Page 32

    Chapter 1 Introducing the ZyWALL ZyWALL USG 20/20W User’s Guide 32 1.3 Front Panel This section introduces the ZyWALL’s front panel. Figure 1 ZyWALL Front Panel 1.3.1 Front Panel LEDs The following table describes the LEDs. ZyWALL USG 20 ZyWALL USG 20W Table 1 Front Panel LEDs LED COLOR STATUS DESCRIPTION PWR Off The ZyWALL is turned o[...]

  • Page 33

    Chapter 1 Introducing the ZyWALL ZyWALL USG 20/20W User’s Guide 33 1.4 Management Overview You can use the following ways to manage the ZyWALL. Web Configurator The Web Configurator allows easy ZyWALL setup and management using an Internet browser. This User’s Guide provides information about the Web Configurator. Figure 2 Managing t[...]

  • Page 34

    Chapter 1 Introducing the ZyWALL ZyWALL USG 20/20W User’s Guide 34 console port. See the Command Reference Guide for more information about the CLI. Console Port You can use the console port to manage the ZyWALL using CLI commands. See the Command Reference Guide for more information about the CLI. The default settings for the console port are [...]

  • Page 35

    Chapter 1 Introducing the ZyWALL ZyWALL USG 20/20W User’s Guide 35 The ZyWALL does not stop or start the system processes when you apply configuration files or run shell scripts although you may temporarily lose access to network resources. Clicking Maintenance > Shutdown > Shutdown or using the shutdown command Clicking Maintenance &g[...]

  • Page 36

    Chapter 1 Introducing the ZyWALL ZyWALL USG 20/20W User’s Guide 36[...]

  • Page 37

    ZyWALL USG 20/20W User’s Guide 37 CHAPTER 2 Features and Applications This chapter introduces the main features and applications of the ZyWALL. 2.1 Features The ZyWALL’s security features include VPN, firewall, content filtering, ADP (Anomaly Detection and Protection), and certificates. It also provides bandwidth management, NAT, port [...]

  • Page 38

    Chapter 2 Features and Applications ZyWALL USG 20/20W User’s Guide 38 Firewall The ZyWALL’s firewall is a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It can also inspect sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer [...]

  • Page 39

    Chapter 2 Features and Applications ZyWALL USG 20/20W User’s Guide 39 2.2 Applications These are some example applications for your ZyWALL. See also Chapter 7 on page 107 for configuration tutorial examples. 2.2.1 VPN Connectivity Set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to provide secur[...]

  • Page 40

    Chapter 2 Features and Applications ZyWALL USG 20/20W User’s Guide 40 2.2.2.1 Full Tunnel Mode In full tunnel mode, a virtual connection is created for remote users with private IP addresses in the same subnet as the local network. This allows them to access network resources in the same way as if they were part of the internal network. Figur[...]

  • Page 41

    Chapter 2 Features and Applications ZyWALL USG 20/20W User’s Guide 41 2.2.3 User-Aware Access Control Set up security policies that restrict access to sensitive information and shared resources based on the user who is trying to access it. Figure 5 Applications: User-Aware Access Control[...]

  • Page 42

    Chapter 2 Features and Applications ZyWALL USG 20/20W User’s Guide 42[...]

  • Page 43

    ZyWALL USG 20/20W User’s Guide 43 CHAPTER 3 Web Configurator The ZyWALL Web Configurator allows easy ZyWALL setup and management using an Internet browser. 3.1 Web Configurator Requirements In order to use the Web Configurator, you must • Use Internet Explorer 7 or later, or Firefox 1.5 or later • Allow pop-up windows (block [...]

  • Page 44

    Chapter 3 Web Configurator ZyWALL USG 20/20W User’s Guide 44 2 Open your web browser, and go to http://192.168.1.1. By default, the ZyWALL automatically routes this request to its HTTPS server, and it is recommended to keep this setting. The Login screen appears. Figure 6 Login Screen 3 Type the user name (default: “admin”) and [...]

  • Page 45

    Chapter 3 Web Configurator ZyWALL USG 20/20W User’s Guide 45 5 The screen above appears every time you log in using the default user name and default password. If you change the password for the default user account, this screen does not appear anymore. Follow the directions in this screen. If you change the default password, the Login scre[...]

  • Page 46

    Chapter 3 Web Configurator ZyWALL USG 20/20W User’s Guide 46 3.3.1 Title Bar The title bar provides some icons in the upper right corner. Figure 9 Title Bar The icons provide the following functions. 3.3.1.1 About Click this to display basic information about the ZyWALL. Figure 10 Title Bar Table 4 Title Bar: Web Configurator Ic[...]

  • Page 47

    Chapter 3 Web Configurator ZyWALL USG 20/20W User’s Guide 47 The following table describes labels that can appear in this screen. 3.3.2 Navigation Panel Use the menu items on the navigation panel to open screens to configure ZyWALL features. Click the arrow in the middle of the right edge of the navigation panel to hide the navigation pane[...]

  • Page 48

    Chapter 3 Web Configurator ZyWALL USG 20/20W User’s Guide 48 3.3.2.2 Monitor Menu The monitor menu screens display status and statistics information. 3.3.2.3 Configuration Menu Use the configuration menu screens to configure the ZyWALL’s features. Table 6 Monitor Menu Screens Summary FOLDER OR LINK TAB FUNCTION System Status Por[...]

  • Page 49

    Chapter 3 Web Configurator ZyWALL USG 20/20W User’s Guide 49 Interface Port Role Use this screen to set the ZyWALL’s flexible ports as LAN1 or DMZ. Ethernet Manage Ethernet interfaces and virtual Ethernet interfaces. PPP Create and manage PPPoE and PPTP interfaces. Cellular Configure a cellular Internet connection for an installed 3G card. [...]

  • Page 50

    Chapter 3 Web Configurator ZyWALL USG 20/20W User’s Guide 50 BWM Anti-X ADP General Display and manage ADP bindings. Profile Create and manage ADP profiles. Content Filter General Create and manage content filter policies. Filter Profile Create and manage the detailed filtering rules for content filtering policies. Anti-Spam General Turn a[...]

  • Page 51

    Chapter 3 Web Configurator ZyWALL USG 20/20W User’s Guide 51 3.3.2.4 Maintenance Menu Use the maintenance menu screens to manage configuration and firmware files, run diagnostics, and reboot or shut down the ZyWALL. Endpoint Security Create Endpoint Security (EPS) objects. System Host Name Configure the system and domain name for the ZyW[...]

  • Page 52

    Chapter 3 Web Configurator ZyWALL USG 20/20W User’s Guide 52 3.3.3 Main Window The main window shows the screen you select in the navigation panel. The main window screens are discussed in the rest of this document. Right after you log in, the Dashboard screen is displayed. See Chapter 8 on page 165 for more information about the Dashboar[...]

  • Page 53

    Chapter 3 Web Configurator ZyWALL USG 20/20W User’s Guide 53 3.3.3.2 Site Map Click Site MAP to see an overview of links to the Web Configurator screens. Click a screen’s link to go to that screen. Figure 13 Site Map 3.3.3.3 Object Reference Click Object Reference to open the Object Reference screen. Select the type of object and the indiv[...]

  • Page 54

    Chapter 3 Web Configurator ZyWALL USG 20/20W User’s Guide 54 The fields vary with the type of object. The following table describes labels that can appear in this screen. 3.3.3.4 CLI Messages Click CLI to look at the CLI commands sent by the Web Configurator. These commands appear in a popup window, such as the following. Figure 15 CLI Mes[...]

  • Page 55

    Chapter 3 Web Configurator ZyWALL USG 20/20W User’s Guide 55 3.3.4.1 Manipulating Table Display Here are some of the ways you can manipulate the Web Configurator tables. 1 Click a column heading to sort the table’s entries according to that column’s criteria. Figure 16 Sorting Table Entries by a Column’s Criteria 2 Click the down arr[...]

  • Page 56

    Chapter 3 Web Configurator ZyWALL USG 20/20W User’s Guide 56 3 Select a column heading cell’s right border and drag to re-size the column. Figure 18 Resizing a Table Column 4 Select a column heading and drag and drop it to change the column order. A green check mark displays next to the column’s title when you drag the column to a v[...]

  • Page 57

    Chapter 3 Web Configurator ZyWALL USG 20/20W User’s Guide 57 3.3.4.2 Working with Table Entries The tables have icons for working with table entries. A sample is shown next. You can often use the [Shift] or [Ctrl] key to select multiple entries to remove, activate, or deactivate. Figure 21 Common Table Icons Here are descriptions for[...]

  • Page 58

    Chapter 3 Web Configurator ZyWALL USG 20/20W User’s Guide 58 you can also use the [Shift] or [Ctrl] key to select multiple entries, and then use the arrow button to move them to the other list. Figure 22 Working with Lists[...]

  • Page 59

    ZyWALL USG 20/20W User’s Guide 59 CHAPTER 4 Installation Setup Wizard 4.1 Installation Setup Wizard Screens If you log into the Web Configurator when the ZyWALL is using its default configuration, the first Installation Setup Wizard screen displays. This wizard helps you configure Internet connection settings and activate subscription serv[...]

  • Page 60

    Chapter 4 Installation Setup Wizard ZyWALL USG 20/20W User’s Guide 60 The screens vary depending on the encapsulation type. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information. Note: Enter the Internet access information exactly as your ISP gave it to y[...]

  • Page 61

    Chapter 4 Installation Setup Wizard ZyWALL USG 20/20W User’s Guide 61 • IP Address: Enter your (static) public IP address. Auto displays if you selected Auto as the IP Address Assignment in the previous screen. The following fields display if you selected static IP address assignment. • IP Subnet Mask: Enter the subnet mask for this W[...]

  • Page 62

    Chapter 4 Installation Setup Wizard ZyWALL USG 20/20W User’s Guide 62 • CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by the remote node. • CHAP - Your ZyWALL accepts CHAP only. • PAP - Your ZyWALL accepts PAP only. • MSCHAP - Your ZyWALL accepts MSCHAP only. • MSCHAP-V2 - Your ZyWALL accepts [...]

  • Page 63

    Chapter 4 Installation Setup Wizard ZyWALL USG 20/20W User’s Guide 63 4.1.4 Internet Access: PPTP Note: Enter the Internet access information exactly as given to you by your ISP. Figure 27 Internet Access: PPTP Encapsulation 4.1.5 ISP Parameters • Authentication Type - Select an authentication protocol for outgoing calls. Options are: • C[...]

  • Page 64

    Chapter 4 Installation Setup Wizard ZyWALL USG 20/20W User’s Guide 64 • Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle Timeout in seconds that elapses before the router automatically disconnects from the PPTP server. 4.1.5.1 PPTP Configuration • Base Interface: This identifies the Ethernet i[...]

  • Page 65

    Chapter 4 Installation Setup Wizard ZyWALL USG 20/20W User’s Guide 65 4.1.6 Internet Access - Finish You have set up your ZyWALL to access the Internet. After configuring the WAN interface, a screen displays with your settings. If they are not correct, click Back. Figure 28 Internet Access: Ethernet Encapsulation Note: If you have not alr[...]

  • Page 66

    Chapter 4 Installation Setup Wizard ZyWALL USG 20/20W User’s Guide 66 Use the Registration > Service screen to update your service subscription status. Figure 29 Registration • Select new myZyXEL.com account if you haven’t created an account at myZyXEL.com, select this option and configure the following fields to create an accoun[...]

  • Page 67

    Chapter 4 Installation Setup Wizard ZyWALL USG 20/20W User’s Guide 67 • Trial Service Activation: You can try a trial service subscription. The trial period starts the day you activate the trial. After the trial expires, you can buy an iCard and enter the license key in the Registration > Service screen to extend the service. Figure 30 R[...]

  • Page 68

    Chapter 4 Installation Setup Wizard ZyWALL USG 20/20W User’s Guide 68[...]

  • Page 69

    ZyWALL USG 20/20W User’s Guide 69 CHAPTER 5 Quick Setup 5.1 Quick Setup Overview The Web Configurator's quick setup wizards help you configure Internet and VPN connection settings. This chapter provides information on configuring the quick setup screens in the Web Configurator. See the feature-specific chapters in this User’s Gu[...]

  • Page 70

    Chapter 5 Quick Setup ZyWALL USG 20/20W User’s Guide 70 5.2 WAN Interface Quick Setup Click WAN Interface in the main Quick Setup screen to open the WAN Interface Quick Setup Wizard Welcome screen. Use these screens to configure an interface to connect to the internet. Click Next. Figure 32 WAN Interface Quick Setup Wizard 5.2.1 Choose an Eth[...]

  • Page 71

    Chapter 5 Quick Setup ZyWALL USG 20/20W User’s Guide 71 Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your ISP. Figure 34 WAN Interface Setup: Step 2 The screens vary depending on what encapsulation type you use. Refer to information provided by your ISP to know what[...]

  • Page 72

    Chapter 5 Quick Setup ZyWALL USG 20/20W User’s Guide 72 • IP Address Assignment: Select Auto if your ISP did not assign you a fixed IP address. Select Static if the ISP assigned a fixed IP address. 5.2.4 WAN and ISP Connection Settings Use this screen to configure the ISP and WAN interface settings. This screen is read-only if you set the[...]

  • Page 73

    Chapter 5 Quick Setup ZyWALL USG 20/20W User’s Guide 73 Authentication Type Use the drop-down list box to select an authentication protocol for outgoing calls. Options are: CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by this remote node. CHAP - Your ZyWALL accepts CHAP only. PAP - Your ZyWALL accepts PAP only. MSCH[...]

  • Page 74

    Chapter 5 Quick Setup ZyWALL USG 20/20W User’s Guide 74 5.2.5 Quick Setup Interface Wizard: Summary This screen displays the WAN interface’s settings. Figure 37 Interface Wizard: Summary WAN (PPTP Shown) The following table describes the labels in this screen. First DNS Server Second DNS Server These fields only display for an interface [...]

  • Page 75

    5.3 VPN Quick Setup Click VPN Setup in the main Quick Setup screen to open the VPN Setup Wizard Welcome screen. The VPN wizard creates corresponding VPN connection and VPN gateway settings and address objects that you can use later in configuring more VPN connections or other features.[...]

  • Page 76

    5.4 VPN Setup Wizard: Wizard Type A VPN (Virtual Private Network) tunnel is a secure connection to another computer or network. Use this screen to select which type of VPN connection you want to configure. Figure 39 VPN Setup Wizard: Wizard Type Express: Use this wizard to create a [...]

  • Page 77

    5.5 VPN Express Wizard - Scenario Click the Express radio button as shown in Figure 39 on page 76 to display the following screen. Figure 40 VPN Express Wizard: Step 2 Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric charac[...]

  • Page 78

    5.5.1 VPN Express Wizard - Configuration Figure 41 VPN Express Wizard: Step 3 • Secure Gateway: If Any displays in this field, it is not configurable for the chosen scenario. If this field is configurable, enter the WAN IP address or domain name of the remote IPSec device (secure ga[...]

  • Page 79

    5.5.2 VPN Express Wizard - Summary This screen provides a read-only summary of the VPN tunnel’s configuration and also commands that you can copy and paste into another ZLD-based ZyWALL’s command line interface to configure it. Figure 42 VPN Express Wizard: Step 4 • Rule Name: Id[...]

  • Page 80

    5.5.3 VPN Express Wizard - Finish Now you can use the VPN tunnel. Figure 43 VPN Express Wizard: Step 6 Note: If you have not already done so, use the myZyXEL.com link and register your ZyWALL with myZyXEL.com and activate trials of services like Content Filter. Click Close to exit the [...]

  • Page 81

    5.5.4 VPN Advanced Wizard - Scenario Click the Advanced radio button as shown in Figure 39 on page 76 to display the following screen. Figure 44 VPN Advanced Wizard: Scenario Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric[...]

  • Page 82

    • Remote Access (Client Role) - Choose this to connect to an IPSec server. This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel. 5.5.5 VPN Advanced Wizard - Phase 1 Settings There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authen[...]

  • Page 83

    that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. AES128 uses a 128-bit key and is faster than 3DES. AES192 uses a 192-bit key and AES256 uses a 256-bit key. • Authenti[...]

  • Page 84

    • Active Protocol: ESP is compatible with NAT, AH is not. • Encapsulation: Tunnel is compatible with NAT, Transport is not. • Encryption Algorithm: 3DES and AES use encryption. The longer the AES key, the higher the security (this may affect throughput). Null uses no encr[...]

  • Page 85

    5.5.7 VPN Advanced Wizard - Summary This is a read-only summary of the VPN tunnel settings. Figure 47 VPN Advanced Wizard: Step 5 • Rule Name: Identifies the VPN connection (and the VPN gateway). • Secure Gateway: IP address or domain name of the remote IPSec device. • Pre-Shared Ke[...]

  • Page 86

    5.5.8 VPN Advanced Wizard - Finish Now you can use the VPN tunnel. Figure 48 VPN Wizard: Step 6: Advanced Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like Content Filter. Click Close to exit the wizard.[...]

  • Page 87

    ZyWALL USG 20/20W User’s Guide 87 CHAPTER 6 Configuration Basics This information is provided to help you configure the ZyWALL effectively. Some of it is helpful when you are just getting started. Some of it is provided for your reference when you configure various features in the ZyWALL. • Section 6.1 on page 87 introduces the ZyWAL[...]

  • Page 88

    Chapter 6 Configuration Basics ZyWALL USG 20/20W User’s Guide 88 change an Ethernet interface’s IP address, the ZyWALL automatically updates the rules or settings that use the interface-based, LAN subnet address object. You can use the Configuration > Objects screens to create objects before you configure features that use them. [...]

  • Page 89

    6.2.1 Interface Types There are many types of interfaces in the ZyWALL. In addition to being used in various features, interfaces also describe the network that is directly connected to the ZyWALL. • Ethernet interfaces are the foundation for defining other interfaces[...]

  • Page 90

    6.2.2 Default Interface and Zone Configuration This section introduces the ZyWALL’s default zone member physical interfaces and the default configuration of those interfaces. The following figure uses letters to denote public IP addresses or part of a private IP address[...]

  • Page 91

    • The DMZ zone contains the dmz interface (physical port P6). The DMZ zone has servers that are available to the public. The dmz interface uses private IP address 192.168.3.1 and the connected devices use private IP addresses in the 192.168.3.2 to 192.168.3.254 range[...]

  • Page 92

    Traffic in > Defragmentation > Destination NAT > Routing > Stateful Firewall > ADP > Application Classification > Content Filter > Anti-Spam > SNAT > Bandwidth Management > Fragmentation > Traffic Out. Figure 51 Packet Flow The packe[...]

  • Page 93

    of the sections, the ZyWALL stops checking the packets against the routing table and moves on to the other checks, for example the firewall check. Figure 52 Routing Table Checking Flow 1 Direct-connected Subnets: The ZyWALL first checks to see if the packets are destined f[...]

  • Page 94

    4 Auto VPN Policy: The ZyWALL automatically creates these routing entries for the VPN rules. Disabling the IPSec VPN feature’s Use Policy Route to control dynamic IPSec rules option moves the routes for dynamic IPSec rules up above the policy routes (see Section 23.2 on[...]

  • Page 95

    4 SNAT is also now performed by default and included in the NAT table. 6.5 Feature Configuration Overview This section provides information about configuring the main features in the ZyWALL. The features are listed in the same sequence as the menu item(s) in the Web Confi[...]

  • Page 96

    6.5.2 Licensing Registration Use these screens to register your ZyWALL and subscribe to services like more SSL VPN tunnels, and content filtering. You must have Internet access to myZyXEL.com. 6.5.3 Interface See Section 6.2 on page 88 for background information. Note: W[...]

  • Page 97

    and general NAT on the source address. You have to set up the criteria, next-hops, and NAT settings first. Example: You have an FTP server connected to P6 (in the DMZ zone). You want to limit the amount of FTP traffic that goes out from the FTP server through your WAN[...]

  • Page 98

    6.5.6 Static Routes Use static routes to tell the ZyWALL about networks not directly connected to the ZyWALL. 6.5.7 Zones See Section 6.2 on page 88 for background information. A zone is a group of interfaces and VPN tunnels. The ZyWALL uses zones, not interfaces, i[...]

  • Page 99

    Example: Suppose you have an FTP server with a private IP address connected to a DMZ port. You could configure a NAT rule to forward FTP sessions from the WAN to the DMZ. 1 Click Configuration > Network > NAT to configure the NAT entry. Add an entry. 2 Name[...]

  • Page 100

    5 Specify the IP address of the HTTP proxy server. 6 Specify the port number to use for the HTTP traffic that you forward to the proxy server. 6.5.11 ALG The ZyWALL’s Application Layer Gateway (ALG) allows VoIP and FTP applications to go through NAT on the ZyWAL[...]

  • Page 101

    1 Create a VoIP service object for UDP port 5060 traffic (Configuration > Object > Service). 2 Create an address object for the VoIP server (Configuration > Object > Address). 3 Click Configuration > Firewall to go to the firewall configuration. 4 Sele[...]

  • Page 102

    6.5.16 Bandwidth Management Use bandwidth management (BWM) to configure a BWM rule for a specific IP address, destination port or IP range and specify allowed amounts of bandwidth and priorities. Examples: Suppose you want to give a user named Bob FTP access but with a lim[...]

  • Page 103

    2 Create a schedule for the work day (Configuration > Object > Schedule). 3 Click Configuration > Anti-X > Content Filter > Filter Profile. Click the Add icon to go to the screen where you can configure a category-based profile. 4 Name the profile and enab[...]

  • Page 104

    The following table introduces the objects. You can also use this table when you want to delete an object because you have to delete references to the object first. 6.6.1 User/Group Use these screens to configure the ZyWALL’s administrator and user accounts. The ZyWA[...]

  • Page 105

    6.7 System This section introduces some of the management features in the ZyWALL. Use Host Name to configure the system and domain name for the ZyWALL. Use Date/Time to configure the current date, time, and time zone in the ZyWALL. Use Console Speed to set the console [...]

  • Page 106

    6.7.3 File Manager Use these screens to upload, download, delete, or run scripts of CLI commands. You can manage • Configuration files. Use configuration files to back up and restore the complete configuration of the ZyWALL. You can store multiple configuration fil[...]

  • Page 107

    ZyWALL USG 20/20W User’s Guide 107 CHAPTER 7 Tutorials Here are examples of using the Web Configurator to set up features in the ZyWALL. Note: The tutorials featured here require a basic understanding of connecting to and using the Web Configurator, see Chapter 3 on page 43 for details. For field descriptions of individual screens, s[...]

  • Page 108

    Chapter 7 Tutorials ZyWALL USG 20/20W User’s Guide 108 • Convert P5 (lan2) into a dmz interface. This dmz interface is used for a protected local network. It uses IP address 192.168.4.1 and has a DHCP server. Add it to the LAN zone so all of the LAN zone’s security policies apply to it. Figure 54 Ethernet Interface, Port Roles, and[...]

  • Page 109

    Click Configuration > Network > Interface > Ethernet and double-click the wan1 interface’s entry. Select Use Fixed IP Address and configure the IP address, subnet mask, and default gateway settings and click OK. Figure 55 Configuration > Network > Interface > Ethern[...]

  • Page 110

    1 Click Configuration > Network > Interface > Ethernet and double-click the lan2 interface’s entry. The Interface Type should be internal. Set the IP Address to 192.168.4.1 and the Subnet Mask to 255.255.255.0. Set DHCP to DHCP Server and click OK. Figure 57 Configuration &[...]

  • Page 111

    2 Enter VPN as the name, select WIZ_VPN_Connection and move it to the Member box and click OK. Figure 58 Configuration > Network > Zone > WAN Edit 7.2 How to Configure a Cellular Interface Use 3G cards for cellular WAN (Internet) connections. Table 229 on page 741 lists the[...]

  • Page 112

    4 Enable the interface and add it to a zone. It is highly recommended that you set the Zone to WAN to apply your WAN zone security settings to this 3G connection. Leaving Zone set to none has the ZyWALL not apply any security settings to the 3G connection. Enter the PIN Code provided b[...]

  • Page 113

    6 The ZyWALL automatically adds the cellular interface to the system default WAN trunk. If the ZyWALL is using a user-configured trunk as its default trunk and you want this cellular interface to be part of it, use the Trunk screens to add it. This way the ZyWALL can automatically ba[...]

  • Page 114

    1 Click Configuration > Network > Interface > Ethernet and double-click the wan1 entry. Enter the available bandwidth (1000 kbps) in the Egress Bandwidth field. Click OK. Figure 63 Configuration > Network > Interface > Ethernet > Edit (wan1) 2 Go to Configuration &[...]

  • Page 115

    2 Name the trunk and set the Load Balancing Algorithm field to Weighted Round Robin. Add wan1 and enter 2 in the Weight column. Add cellular1 and enter 1 in the Weight column. Click OK. Figure 64 Configuration > Network > Interface > Trunk > Add[...]

  • Page 116

    3 Select the trunk as the default trunk and click Apply. Figure 65 Configuration > Network > Interface > Trunk 7.4 How to Set Up an IPSec VPN Tunnel This example shows how to use the IPSec VPN configuration screens to create the following VPN tunnel, see Section 5.4 on page 76 [...]

  • Page 117

    In this example, the ZyWALL is router X (1.2.3.4), and the remote IPSec router is router Y (2.2.2.2). Create the VPN tunnel between ZyWALL X’s LAN subnet (192.168.1.0/24) and the LAN subnet behind peer IPSec router Y (172.16.1.0/24). 7.4.1 Set Up the VPN Gateway The VPN gate[...]

  • Page 118

    7.4.2 Set Up the VPN Connection The VPN connection manages the IPSec SA. You have to set up the address objects for the local network and remote network before you can set up the VPN connection. 1 Click Configuration > Object > Address. Click the Add icon. 2 Give the new address[...]

  • Page 119

    4 Enable the VPN connection and name it (“VPN_CONN_EXAMPLE”). Under VPN Gateway select Site-to-site and the VPN gateway (VPN_GW_EXAMPLE). Under Policy, select LAN1_SUBNET for the local network and VPN_REMOTE_SUBNET for the remote. Click OK. Figure 69 Configuration > VPN > IP[...]

  • Page 120

    7.5 How to Configure User-aware Access Control You can configure many policies and security settings for specific users or groups of users. This is illustrated in the following example, where you will set up the following policies. This is a simple example that does not include prioriti [...]

  • Page 121

    2 Enter the same user name that is used in the RADIUS server, and set the User Type to ext-user because this user account is authenticated by an external server. Click OK. Figure 70 Configuration > Object > User/Group > User > Add 3 Repeat this process to set up the remaini[...]

  • Page 122

    2 Enter the name of the group that is used in the example in Table 18 on page 120. In this example, it is “Finance”. Then, select User/Leo and click the right arrow to move him to the Member list. This example only has one member in this group, so click OK. Of course you could add mo[...]

  • Page 123

    1 Click Configuration > Object > AAA Server > RADIUS. Double-click the radius entry. Configure the RADIUS server’s address, authentication port (1812 if you were not told otherwise), key, and click Apply. Figure 72 Configuration > Object > AAA Server > RADIUS > Ad[...]

  • Page 124

    Note: The users will have to log in using the Web Configurator login screen before they can use HTTP or MSN. Figure 74 Configuration > Object > User/Group > Setting > Add (Force User Authentication Policy) When the users try to browse the web (or use any HTTP/HTTPS applica[...]

  • Page 125

    1 Click Configuration > Object > AAA Server > RADIUS. Double-click the radius entry. Besides configuring the RADIUS server’s address, authentication port, and key; set the Group Membership Attribute field to the attribute that the ZyWALL is to check to determine to which gro[...]

  • Page 126

    2 Now you add ext-group-user user objects to identify groups based on the group identifier values. Set up one user account for each group of user accounts in the RADIUS server. Click Configuration > Object > User/Group > User. Click the Add icon. Enter a user name and set the Us[...]

  • Page 127

    • Select Endpoint must have Personal Firewall installed and move the Kaspersky Internet Security entries to the allowed list (you can double-click an entry to move it). • Select Endpoint must have Anti-Virus software installed and move the Kaspersky Internet Security and Kaspers[...]

  • Page 128

    Repeat as needed to create endpoint security objects for other Windows operating system versions. 7.7.2 Configure the Authentication Policy Click Configuration > Auth. Policy > Add to open the Endpoint Security Edit screen. Use this screen to configure an authentication policy to[...]

  • Page 129

    4 Turn on authentication policy and click Apply. Figure 79 Configuration > Auth. Policy The following figure shows an error message example when a user’s computer does not meet an endpoint security object’s requirements. Click Close to return to the login screen. Figure 80 Examp[...]

  • Page 130

    user access (logging into SSL VPN for example). See Chapter 43 on page 629 for more on service control. The To-ZyWALL firewall rules apply to any kind of HTTP or HTTPS connection to the ZyWALL. They do not distinguish between administrator management access and user access. If you co[...]

  • Page 131

    4 Select the new rule and click the Add icon. Figure 83 Configuration > System > WWW (First Example Admin Service Rule Configured) 5 In the Zone field select ALL and set the Action to Deny. Click OK. Figure 84 Configuration > System > WWW > Service Control Rule Edit[...]

  • Page 132

    6 Click Apply. Figure 85 Configuration > System > WWW (Second Example Admin Service Rule Configured) Now administrator access to the Web Configurator can only come from the LAN1 zone. Non-admin users can still use HTTPS to log into the ZyWALL from any of the ZyWALL’s zone[...]

  • Page 133

    for wan1 IP address 10.0.0.8 to a H.323 device located on the LAN and using IP address 192.168.1.56. Figure 86 WAN to LAN H.323 Peer-to-peer Calls Example 7.9.1 Turn On the ALG Click Configuration > Network > ALG. Select Enable H.323 ALG and Enable H.323 transformations and click [...]

  • Page 134

    1 Use Configuration > Object > Address > Add to create an address object for the public WAN IP address (called WAN_IP-for-H323 here). Then use it again to create an address object for the H.323 device’s private LAN1 IP address (called LAN_H323 here). Figure 88 Create Address [...]

  • Page 135

    2 Click Configuration > Network > NAT > Add. Configure a name for the rule (WAN-LAN_H323 here). You want the LAN H.323 device to receive peer-to-peer calls from the WAN and also be able to initiate calls to the WAN so you set the Classification to NAT 1:1. Set the Incoming Inter[...]

  • Page 136

    1 Click Configuration > Firewall > Add. In the From field select WAN. In the To field select LAN1. Configure a name for the rule (WAN-to-LAN_H323 here). Set the Destination to the H.323 device’s LAN1 IP address object (LAN_H323). LAN_H323 is the destination because the ZyWALL [...]

  • Page 137

    7.10.1 Create the Address Objects Use Configuration > Object > Address > Add to create the address objects. 1 Create a host address object named DMZ_HTTP for the HTTP server’s private IP address of 192.168.3.7. Figure 92 Creating the Address Object for the HTTP Server’s Pr[...]

  • Page 138

    • Keep Enable NAT Loopback selected to allow users connected to other interfaces to access the HTTP server (see NAT Loopback on page 343 for details). Figure 94 Creating the NAT Entry 7.10.3 Set Up a Firewall Rule The firewall blocks traffic from the WAN zone to the DMZ zone by defaul[...]

  • Page 139

    1 Click Configuration > Firewall > Add. Set the From field as WAN and the To field as DMZ. Set the Destination to the HTTP server’s DMZ IP address object (DMZ_HTTP). DMZ_HTTP is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule. Set[...]

  • Page 140

    address 1.1.1.2 that you will use on the wan1 interface and map to the IPPBX’s private IP address of 192.168.3.7. The local SIP clients are on the LAN. Figure 96 IPPBX Example Network Topology[...]

  • Page 141

    7.11.1 Turn On the ALG Click Configuration > Network > ALG. Select Enable SIP ALG and Enable SIP Transformations and click Apply. Figure 97 Configuration > Network > ALG 7.11.2 Create the Address Objects Use Configuration > Object > Address > Add to create the addr[...]

  • Page 142

    2 Create a host address object named IPPBX-Public for the public WAN IP address 1.1.1.2. Figure 99 Creating the Public IP Address Object 7.11.3 Setup a NAT Policy for the IPPBX Click Configuration > Network > NAT > Add. • Configure a name for the rule (WAN-DMZ_IPPBX here). ?[...]

  • Page 143

    • Click OK. Figure 100 Configuration > Network > NAT > Add 7.11.4 Set Up a WAN to DMZ Firewall Rule for SIP The firewall blocks traffic from the WAN zone to the DMZ zone by default so you need to create a firewall rule to allow the public to send SIP traffic to the IPP[...]

  • Page 144

    1 Click Configuration > Firewall > Add. Set the From field as WAN and the To field as DMZ. Set the Destination to the IPPBX’s DMZ IP address object (DMZ_SIP). IPPBX_DMZ is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule. Set the [...]

  • Page 145

    1 Click Configuration > Firewall > Add. Set the From field as DMZ and the To field as LAN. Set the Destination to the IPPBX’s DMZ IP address object (DMZ_SIP). Set the Source to IPPBX_DMZ. Leave the Access field to allow and click OK. Figure 102 Configuration > Firewall >[...]

  • Page 146

    7.12.2 Configure the Policy Route Now you need to configure a policy route that has the ZyWALL use the range of public IP addresses as the source address for WAN to LAN traffic. Click Configuration > Network > Routing > Add. Although adding a description is optional, it is rec[...]

  • Page 147

    the WLAN interfaces before or after you install the wireless LAN card. This example shows how to create a WLAN interface that uses WPA or WPA2 security and the ZyWALL’s local user database for authentication. 7.13.1 Set Up User Accounts The ZyWALL supports TTLS using PAP so you can[...]

  • Page 148

    2 Edit this screen as follows. A (internal) name for the WLAN interface displays. You can modify it if you want to. The ZyWALL’s security settings are configured by zones. Select to which security zone you want the WLAN interface to belong (the WLAN zone in this example). This deter[...]

  • Page 149

    Figure 106 Configuration > Network > Interface > WLAN > Add[...]

  • Page 150

    3 Turn on the wireless LAN and click Apply. Figure 107 Configuration > Network > Interface > WLAN 7.13.3 Set Up the Wireless Clients to Use the WLAN Interface The following sections show you how to have a wireless client (not included with the ZyWALL) use the wireless network. 7[...]

  • Page 151

    1 Open the wireless client utility and click Profile. Figure 108 ZyXEL Wireless Client 2 Add a new profile. This example uses “ZYXEL_WPA” as the name. It is also the SSID (name) of the wireless network. Select Infrastructure and click Next. Figure 109 ZyXEL Wireless Client > Pr[...]

  • Page 152

    3 Select WPA2 as the security type and click Next. Figure 110 ZyXEL Wireless Client > Profile: Security Type 4 Set the encryption type to TKIP and the EAP type to TTLS. Configure wlan_user as the Login Name and enter the account’s password (also wlan_user in this example. In TTLS[...]

  • Page 153

    5 Confirm your settings and click Save. Figure 112 ZyXEL Wireless Client > Profile: Save 6 Click Activate Now. Figure 113 ZyXEL Wireless Client > Profile: Activate[...]

  • Page 154

    7 The ZYXEL_WPA profile displays in your list of profiles. Figure 114 ZyXEL Wireless Client > Profile: Activate Since the ZyXEL utility does not have the wireless client validate the ZyWALL’s certificate, you can go to Section 7.13.3.4 on page 162. 7.13.3.2 Configure the Funk O[...]

  • Page 155

    2 Name the profile (this example uses ZYXEL_WPA). In the User Info tab, configure wlan_user as the Login name. In the Password sub-tab, select Prompt for long name and password. Figure 116 Odyssey Access Client Manager > Profiles > User Info 3 Click the Authentication tab and selec[...]

  • Page 156

    4 Click the TTLS tab and select PAP. Then click OK. Figure 118 Odyssey Access Client Manager > Profiles > Authentication 5 Click Networks > Add. Figure 119 Odyssey Access Client Manager > Networks[...]

  • Page 157

    6 Enter the name of the wireless network (“ZYXEL_WPA” in this example) or click Scan to look for it. Then select Authenticate using profile and select the profile you configured (“ZYXEL_WPA” in this example). Click OK. Figure 120 Odyssey Access Client Manager > Networks &[...]

  • Page 158

    1 In Internet Explorer, click Tools > Internet Options > Content and click the Certificates button. Figure 121 Internet Explorer: Tools > Internet Options > Content 2 Click Import. Figure 122 Internet Explorer: Tools > Internet Options > Content > Certificates[...]

  • Page 159

    3 Use the wizard screens to import the certificate. You may need to change the Files of Type setting to All Files in order to see the certificate file. Figure 123 Internet Explorer Certificate Import Wizard File Open Screen 4 When you get to the Certificate Store screen, select the optio[...]

  • Page 160

    5 If you get a security warning screen, click Yes to proceed. Figure 125 Internet Explorer Certificate Import Certificate Warning Screen[...]

  • Page 161

    6 The Internet Explorer Certificates screen remains open after the import is done. You can see the newly imported certificate listed in the Trusted Root Certification Authorities tab. The values in the Issued To and Issued By fields should match those in the ZyWALL’s My Certificates[...]

  • Page 162

    7.13.3.4 Wireless Clients Use the WLAN Interface A login screen displays when the wireless client attempts to connect to the wireless interface. Enter the username and password and click OK. Funk Odyssey Access Wireless Client Login Example[...]

  • Page 163

    PART II Technical Reference[...]

  • Page 164

    164[...]

  • Page 165

    ZyWALL USG 20/20W User’s Guide 165 CHAPTER 8 Dashboard 8.1 Overview Use the Dashboard screens to check status information about the ZyWALL. 8.1.1 What You Can Do in this Chapter Use the Dashboard screens for the following. • Use the main Dashboard screen (see Section 8.2 on page 165) to see the ZyWALL’s general device information,[...]

  • Page 166

    Chapter 8 Dashboard ZyWALL USG 20/20W User’s Guide 166 interface status in widgets that you can re-arrange to suit your needs. You can also collapse, refresh, and close individual widgets. Figure 128 Dashboard A B C D E USG 20[...]

  • Page 167

    Chapter 8 Dashboard ZyWALL USG 20/20W User’s Guide 167 The following table describes the labels in this screen. A B C D E USG 20W Table 19 Dashboard LABEL DESCRIPTION Widget Setting (A) Use this link to re-open closed widgets. Widgets that are already open appear grayed out. Up Arrow (B) Click this to collapse a widget. Refresh Time [...]

  • Page 168

    Chapter 8 Dashboard ZyWALL USG 20/20W User’s Guide 168 Device This field displays the name of the device connected to the extension slot (or none if no device is detected). Status This field displays the current status of each interface or device installed in a slot. The possible values depend on what type of interface it is. For Ethernet [...]

  • Page 169

    Chapter 8 Dashboard ZyWALL USG 20/20W User’s Guide 169 DHCP Table Click this to look at the IP addresses currently assigned to the ZyWALL’s DHCP clients and the IP addresses reserved for specific MAC addresses. See Section 8.2.5 on page 174. Current Login User This field displays the user name used to log in to the current session, t[...]

  • Page 170

    Chapter 8 Dashboard ZyWALL USG 20/20W User’s Guide 170 Interface Status Summary If an Ethernet interface does not have any physical ports associated with it, its entry is displayed in light gray text. Click the Detail icon to go to a (more detailed) summary screen of interface statistics. # This shows how many interfaces there are. N[...]

  • Page 171

    Chapter 8 Dashboard ZyWALL USG 20/20W User’s Guide 171 8.2.1 The CPU Usage Screen Use this screen to look at a chart of the ZyWALL’s recent CPU usage. To access this screen, click CPU Usage in the dashboard. Figure 129 Dashboard > CPU Usage Version This is the version number of the content filtering signatures. Expiration If the[...]

  • Page 172

    Chapter 8 Dashboard ZyWALL USG 20/20W User’s Guide 172 The following table describes the labels in this screen. 8.2.2 The Memory Usage Screen Use this screen to look at a chart of the ZyWALL’s recent memory (RAM) usage. To access this screen, click Memory Usage in the dashboard. Figure 130 Dashboard > Memory Usage The following ta[...]

  • Page 173

    Chapter 8 Dashboard ZyWALL USG 20/20W User’s Guide 173 8.2.3 The Active Sessions Screen Use this screen to look at a chart of the ZyWALL’s recent traffic session usage. To access this screen, click Session Usage in the dashboard. Figure 131 Dashboard > Session Usage The following table describes the labels in this screen. Table 22[...]

  • Page 174

    Chapter 8 Dashboard ZyWALL USG 20/20W User’s Guide 174 8.2.4 The VPN Status Screen Use this screen to look at the VPN tunnels that are currently established. To access this screen, click VPN Status in the dashboard. Figure 132 Dashboard > VPN Status The following table describes the labels in this screen. 8.2.5 The DHCP Table Scree[...]

  • Page 175

    Chapter 8 Dashboard ZyWALL USG 20/20W User’s Guide 175 The following table describes the labels in this screen. 8.2.6 The Number of Login Users Screen Use this screen to look at a list of the users currently logged into the ZyWALL. To access this screen, click the dashboard’s Number of Login Users icon. Figure 134 Dashboard > Numbe[...]

  • Page 176

    Chapter 8 Dashboard ZyWALL USG 20/20W User’s Guide 176 The following table describes the labels in this screen. Table 25 Dashboard > Number of Login Users LABEL DESCRIPTION # This field is a sequential value and is not associated with any entry. User ID This field displays the user name of each user who is currently logged in to the Zy[...]

  • Page 177

    ZyWALL USG 20/20W User’s Guide 177 CHAPTER 9 Monitor 9.1 Overview Use the Monitor screens to check status and statistics information. 9.1.1 What You Can Do in this Chapter Use the Monitor screens for the following. • Use the System Status > Port Statistics screen (see Section 9.2 on page 178) to look at packet statistics for each p[...]

  • Page 178

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 178 • Use the VPN Monitor > IPSec screen (Section 9.12 on page 196) to display and manage active IPSec SAs. • Use the VPN Monitor > SSL screen (see Section 9.13 on page 198) to list the users currently logged into the VPN SSL client portal. You can also log out individual users[...]

  • Page 179

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 179 The following table describes the labels in this screen. Table 26 Monitor > System Status > Port Statistics LABEL DESCRIPTION Poll Interval Enter how often you want this window to be updated automatically, and click Set Interval. Set Interval Click this to set the Poll Interval t[...]

  • Page 180

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 180 9.2.1 The Port Statistics Graph Screen Use this screen to look at a line graph of packet statistics for each physical port. To access this screen, click Port Statistics in the Status screen and then the Switch to Graphic View Button. Figure 136 Monitor > System Status > Port Sta[...]

  • Page 181

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 181 9.3 Interface Status Screen This screen lists all of the ZyWALL’s interfaces and gives packet statistics for them. Click Monitor > System Status > Interface Status to access this screen. Figure 137 Monitor > System Status > Interface Status Each field is described in th[...]

  • Page 182

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 182 Port This field displays the physical port number. Status This field displays the current status of each interface. The possible values depend on what type of interface it is. For Ethernet interfaces: Inactive - The Ethernet interface is disabled. Down - The Ethernet interface does not have[...]

  • Page 183

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 183 9.4 The Traffic Statistics Screen Click Monitor > System Status > Traffic Statistics to display the Traffic Statistics screen. This screen provides basic information about the following for example: • Most-visited Web sites and the number of times each one was visited. This coun[...]

  • Page 184

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 184 You use the Traffic Statistics screen to tell the ZyWALL when to start and when to stop collecting information for these reports. You cannot schedule data collection; you have to start and stop it manually in the Traffic Statistics screen. Figure 138 Monitor > System Status > Traf[...]

  • Page 185

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 185 Traffic Type Select the type of report to display. Choices are: Host IP Address/User - displays the IP addresses or users with the most traffic and how much traffic has been sent to and from each one. Service/Port - displays the most-used protocols or service ports and the amount of traffi[...]

  • Page 186

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 186 The following table displays the maximum number of records shown in the report, the byte count limit, and the hit count limit. 9.5 The Session Monitor Screen The Session Monitor screen displays information about active sessions for debugging or statistical analysis. It is not possible to[...]

  • Page 187

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 187 • Number of bytes transmitted (so far) • Duration (so far) You can look at all the active sessions by user, service, source IP address, or destination IP address. You can also filter the information by user, protocol / service or service group, source address, and/or destination add[...]

  • Page 188

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 188 User This field displays when View is set to all sessions. Type the user whose sessions you want to view. It is not possible to type part of the user name or use wildcards in this field; you must enter the whole user name. Service This field displays when View is set to all sessions. Select[...]

  • Page 189

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 189 9.6 The DDNS Status Screen The DDNS Status screen shows the status of the ZyWALL’s DDNS domain names. Click Monitor > System Status > DDNS Status to open the following screen. Figure 140 Monitor > System Status > DDNS Status The following table describes the labels in t[...]

  • Page 190

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 190 established a session with the ZyWALL. Devices that have never established a session with the ZyWALL do not display in the list. Figure 141 Monitor > System Status > IP/MAC Binding The following table describes the labels in this screen. 9.8 The Login Users Screen Use this screen to[...]

  • Page 191

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 191 The following table describes the labels in this screen. 9.9 WLAN Status Screen The WLAN Status screen displays the connection status of the wireless clients connected to (or trying to connect to) an IEEE 802.11b/g card installed in the ZyWALL. To open the station monitor, click Mon[...]

  • Page 192

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 192 The following table describes the labels in this menu. 9.10 Cellular Status Screen This screen displays your 3G connection status. Click Monitor > System Status > Cellular Status to display this screen. Figure 144 Monitor > System Status > Cellular Status The following table [...]

  • Page 193

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 193 Status No device - no 3G device is connected to the ZyWALL. No Service - no 3G network is available in the area; you cannot connect to the Internet. Limited Service - returned by the service provider in cases where the SIM card is expired, the user failed to pay for the service and so on; y[...]

  • Page 194

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 194 9.10.1 More Information This screen displays more information on your 3G, such as the signal strength, IMEA/ESN and IMSI that helps identify your 3G device and SIM card. Click Monitor > System Status > More Information to display this screen. Note: This screen is only available when the[...]

  • Page 195

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 195 The following table describes the labels in this screen. 9.11 USB Storage Screen This screen displays information about a connected USB storage device. Click Monitor > System Status > USB Storage to display this screen. Figure 146 Monitor > System Status > USB Storage Table [...]

  • Page 196

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 196 The following table describes the labels in this screen. 9.12 The IPSec Monitor Screen You can use the IPSec Monitor screen to display and to manage active IPSec SAs. To access this screen, click Monitor > VPN Monitor > IPSec. The following Table 37 Monitor > System Status >[...]

  • Page 197

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 197 screen appears. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 147 Monitor > VPN Monitor > IPSec Each field is described in the following table. Table 38 Monitor > VPN Monit[...]

  • Page 198

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 198 9.12.1 Regular Expressions in Searching IPSec SAs A question mark (?) lets a single character in the VPN connection or policy name vary. For example, use “a?c” (without the quotation marks) to specify abc, acc and so on. Wildcards (*) let multiple VPN connection or policy names match [...]

  • Page 199

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 199 Once a user logs out, the corresponding entry is removed from the Connection Monitor screen. Figure 148 Monitor > VPN Monitor > SSL The following table describes the labels in this screen. Table 39 Monitor > VPN Monitor > SSL LABEL DESCRIPTION Disconnect Select a connection and [...]

  • Page 200

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 200 9.14 The Content Filter Statistics Screen Click Monitor > Anti-X Statistics > Content Filter to display the following screen. This screen displays content filter statistics. Figure 149 Monitor > Anti-X Statistics > Content Filter The following table describes the labels in t[...]

  • Page 201

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 201 Flush Data Click this button to discard all of the screen’s statistics and update the report display. Web Request Statistics Total Web Pages Inspected This field displays the number of web pages that the ZyWALL’s content filter feature has checked. Blocked This is the number [...]

  • Page 202

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 202 9.15 Content Filter Cache Screen Click Monitor > Anti-X Statistics > Content Filter > Cache to display the Content Filter Cache screen. Use this screen to view and configure your ZyWALL’s URL caching. You can also configure how long a categorized web site address remains in the [...]

  • Page 203

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 203 The following table describes the labels in this screen. Table 41 Anti-X > Content Filter > Cache LABEL DESCRIPTION URL Cache Entry Refresh Click this button to reload the list of content filter cache entries. Flush Click this button to clear all web site addresses from the cache manu[...]

  • Page 204

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 204 9.16 The Anti-Spam Statistics Screen Click Monitor > Anti-X Statistics > Anti-Spam to display the following screen. This screen displays spam statistics. Figure 151 Monitor > Anti-X Statistics > Anti-Spam The following table describes the labels in this screen. Table 42 Mon[...]

  • Page 205

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 205 Spam Mails This is the number of e-mails that the ZyWALL has determined to be spam. Spam Mails Detected by Black List This is the number of e-mails that matched an entry in the ZyWALL’s anti-spam black list. Spam Mails Detected by DNSBL The ZyWALL can check the sender and relay IP addre[...]

  • Page 206

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 206 9.17 The Anti-Spam Status Screen Click Monitor > Anti-X Statistics > Anti-Spam > Status to display the Anti-Spam Status screen. Use the Anti-Spam Status screen to see how many e-mail sessions the anti-spam feature is scanning and statistics for the DNSBLs. Figure 152 Monitor &g[...]

  • Page 207

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 207 9.18 Log Screen Log messages are stored in two separate logs, one for regular log messages and one for debugging messages. In the regular log, you can look at all the log messages by selecting All Logs, or you can select a specific category of log messages (for example, firewall or user). Yo[...]

  • Page 208

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 208 The following table describes the labels in this screen. Table 44 Monitor > Log LABEL DESCRIPTION Show Filter / Hide Filter Click this button to show or hide the filter settings. If the filter settings are hidden, the Display, Email Log Now, Refresh, and Clear Log fields are availab[...]

  • Page 209

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 209 The Web Configurator saves the filter settings if you leave the View Log screen and return to it later. Priority This field displays the priority of the log message. It has the same range of values as the Priority field above. Category This field displays the log that generated the log me[...]

  • Page 210

    Chapter 9 Monitor ZyWALL USG 20/20W User’s Guide 210[...]

  • Page 211

    ZyWALL USG 20/20W User’s Guide 211 CHAPTER 10 Registration 10.1 Overview Use the Configuration > Licensing > Registration screens to register your ZyWALL and manage its service subscriptions. 10.1.1 What You Can Do in this Chapter • Use the Registration screen (see Section 10.2 on page 212) to register your ZyWALL with myZ[...]

  • Page 212

    Chapter 10 Registration ZyWALL USG 20/20W User’s Guide 212 Subscription Services Available on the ZyWALL You can have the ZyWALL use and content filtering subscription services. You can also purchase and enter a license key to have the ZyWALL use more SSL VPN tunnels. See the respective User’s Guide chapters for more information [...]

  • Page 213

    Chapter 10 Registration ZyWALL USG 20/20W User’s Guide 213 The following table describes the labels in this screen. Table 45 Configuration > Licensing > Registration LABEL DESCRIPTION General Settings If you select existing myZyXEL.com account, only the User Name and Password fields are available. new myZyXEL.com account If you haven?[...]

  • Page 214

    Chapter 10 Registration ZyWALL USG 20/20W User’s Guide 214 Note: If the ZyWALL is registered already, this screen is read-only and indicates whether trial services are activated (if any). You can still select the unchecked trial service(s) to activate it after registration. Use the Service screen to update your service subscription stat[...]

  • Page 215

    Chapter 10 Registration ZyWALL USG 20/20W User’s Guide 215 The following table describes the labels in this screen. Table 46 Configuration > Licensing > Registration > Service LABEL DESCRIPTION License Status # This is the entry’s position in the list. Service This lists the services that are available on the ZyWALL. Status This fiel[...]

  • Page 216

    Chapter 10 Registration ZyWALL USG 20/20W User’s Guide 216[...]

  • Page 217

    ZyWALL USG 20/20W User’s Guide 217 CHAPTER 11 Interfaces 11.1 Interface Overview Use the Interface screens to configure the ZyWALL’s interfaces. You can also create interfaces on top of other interfaces. • Ports are the physical ports to which you connect cables. • Interfaces are used within the system operationally. You use the[...]

  • Page 218

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 218 11.1.2 What You Need to Know Interface Characteristics Interfaces generally have the following characteristics (although not all characteristics apply to each type of interface). • An interface is a logical entity through which (layer-3) packets pass. • An interface is bound to[...]

  • Page 219

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 219 virtual--have a lot of similar characteristics. These characteristics are listed in the following table and discussed in more detail below. - * The format of interface names other than the Ethernet and ppp interface names is strict. Each name consists of 2-4 letters (interface type), fo[...]

  • Page 220

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 220 * - You cannot set up a PPP interface, virtual Ethernet interface or virtual VLAN interface if the underlying interface is a member of a bridge. You also cannot add an Ethernet interface or VLAN interface to a bridge if the member interface has a virtual interface or PPP interface on [...]

  • Page 221

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 221 ports at the layer-2 (data link, MAC address) level. This provides wire-speed throughput but no security. Note the following if you are configuring from a computer connected to a lan1, lan2 or dmz port and change the port's role: 1 A port's IP address varies as its role [...]

  • Page 222

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 222 11.3 Ethernet Summary Screen This screen lists every Ethernet interface and virtual interface created on top of Ethernet interfaces. To access this screen, click Configuration > Network > Interface > Ethernet. Unlike other types of interfaces, you cannot create new Ethernet [...]

  • Page 223

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 223 Each field is described in the following table. 11.3.1 Ethernet Edit The Ethernet Edit screen lets you configure IP address assignment, interface parameters, RIP settings, OSPF settings, DHCP settings, connectivity check, and MAC address settings. To access this screen, click an Edit ic[...]

  • Page 224

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 224 • Enable and disable RIP in the underlying physical port or port group. • Select which direction(s) routing information is exchanged - The ZyWALL can receive routing information, send routing information, or do both. • Select which version of RIP to support in each direct[...]

  • Page 225

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 225 Figure 159 Configuration > Network > Interface > Ethernet > Edit (WAN)[...]

  • Page 226

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 226 Figure 160 Configuration > Network > Interface > Ethernet > Edit (DMZ) This screen’s fields are described in the table below. Table 51 Configuration > Network > Interface > Ethernet > Edit LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Clic[...]

  • Page 227

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 227 Interface Type This field is read-only. Internal is for connecting to a local network. Other corresponding configuration options: DHCP server and DHCP relay. The ZyWALL automatically adds default SNAT settings for traffic flowing from this interface to an external interface. External [...]

  • Page 228

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 228 Metric This option appears when Interface Properties is External or General. Enter the priority of the gateway (if any) on this interface. The ZyWALL decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the[...]

  • Page 229

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 229 Check Port This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check. DHCP Setting These fields appear when Interface Properties is Internal or General. DHCP Select what type of DHCP service the ZyWALL provides to the ne[...]

  • Page 230

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 230 First WINS Server, Second WINS Server Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using. L[...]

  • Page 231

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 231 V2-Broadcast This field is effective when RIP is enabled. Select this to send RIP-2 packets using subnet broadcasting; otherwise, the ZyWALL uses multicasting. OSPF Setting See Section 14.3 on page 315 for more information about OSPF. Area Select the area in which this interface belongs.[...]

  • Page 232

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 232 11.3.2 Object References When a configuration screen includes an Object References icon, select a configuration object and click Object References to open the Object References screen. This screen displays which configuration settings reference the selected object. The fields sh[...]

  • Page 233

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 233 11.4 PPP Interfaces Use PPPoE/PPTP interfaces to connect to your ISP. This way, you do not have to install or manage PPPoE/PPTP software on each computer in the network. Figure 162 Example: PPPoE/PPTP Interfaces PPPoE/PPTP interfaces are similar to other interfaces in some ways. The[...]

  • Page 234

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 234 11.4.1 PPP Interface Summary This screen lists every PPPoE/PPTP interface. To access this screen, click Configuration > Network > Interface > PPP. Figure 163 Configuration > Network > Interface > PPP Each field is described in the table below. Table 53 Configu[...]

  • Page 235

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 235 11.4.2 PPP Interface Add or Edit Note: You have to set up an ISP account before you create a PPPoE/PPTP interface. This screen lets you configure a PPPoE or PPTP interface. To access this screen, click the Add icon or an Edit icon in the PPP Interface screen. Status The activate (light[...]

  • Page 236

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 236 Figure 164 Configuration > Network > Interface > PPP > Add[...]

  • Page 237

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 237 Each field is explained in the following table. Table 54 Configuration > Network > Interface > PPP > Add LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields. General Settings Enable [...]

  • Page 238

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 238 IP Address This field is enabled if you select Use Fixed IP Address. Enter the IP address for this interface. Metric Enter the priority of the gateway (the ISP) on this interface. The ZyWALL decides which gateway to use based on this priority. The lower the number, the higher the p[...]

  • Page 239

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 239 11.5 Cellular Configuration Screen (3G) 3G (Third Generation) is a digital, packet-switched wireless technology. Bandwidth usage is optimized as multiple users share the same channel and bandwidth is only allocated to users when they send data. It allows fast transfer of voice an[...]

  • Page 240

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 240 Aside from selecting the 3G network, the 3G card may also select an available 2.5G or 2.75G network automatically. See the following table for a comparison between 2G, 2.5G, 2.75G and 3G of wireless technologies. To change your 3G WAN settings, click Configuration > Network > [...]

  • Page 241

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 241 Figure 165 Configuration > Network > Interface > Cellular The following table describes the labels in this screen. 11.5.1 Cellular Add/Edit Screen To change your 3G settings, click Configuration > Network > Interface > Cellular > Add (or Edit). In the pop-up window[...]

  • Page 242

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 242 Figure 166 Configuration > Network > Interface > Cellular > Add[...]

  • Page 243

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 243 The following table describes the labels in this screen. Table 57 Configuration > Network > Interface > Cellular > Add LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields. General Set[...]

  • Page 244

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 244 Dial String Enter the dial string if your ISP provides a string, which would include the APN, to initialize the 3G card. You can enter up to 63 ASCII printable characters. Spaces are allowed. This field is available only when you insert a GSM 3G card. Authentication Type The ZyWA[...]

  • Page 245

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 245 Egress Bandwidth Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network. Allowed values are 0 - 1048576. This setting is used in WAN load balancing and bandwidth management. Ingress Bandwidth This is reserved for future use. E[...]

  • Page 246

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 246 Get Automatically Select this option if your ISP did not assign you a fixed IP address. This is the default selection. Use Fixed IP Address Select this option if the ISP assigned a fixed IP address. IP Address Assignment Enter the cellular interface’s WAN IP address in this field if y[...]

  • Page 247

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 247 Time Budget Select this and specify the amount of time (in hours) that the 3G connection can be used within one month. If you change the value after you configure and enable budget control, the ZyWALL resets the statistics. Data Budget Select this and specify how much downstream and/or up[...]

  • Page 248

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 248 11.6 WLAN Interface General Screen This feature is available for USG 20W only. The following figure provides an example of a wireless network. The wireless network is in the blue circle. Wireless clients (A and B) connect to an access point (AP) to access other devices (such as th[...]

  • Page 249

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 249 • Every device in a wireless network must use the same SSID. The SSID is the name of the wireless network. It stands for Service Set IDentity. • Different wireless networks in the same area should use different channels. Like radio stations or television channels, each wireless net[...]

  • Page 250

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 250 The following table describes the labels in this screen. Table 58 Configuration > Network > Interface > WLAN LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields. Enable WLAN Device Se[...]

  • Page 251

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 251 QoS Select the Quality of Service priority for this traffic. • If you select WMM (Wi-Fi Multimedia) from the QoS list, the priority of a data packet depends on the packet’s IEEE 802.1q or DSCP header. If a packet has no WMM value assigned to it, it is assigned the default pr[...]

  • Page 252

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 252 11.6.1 WLAN Add/Edit Screen Use the strongest security that every wireless client in the wireless network supports. Note: WPA2 or WPA2-PSK security is recommended. • You can use the ZyWALL’s local user database to use WPA or WPA2 without using an external RADIUS server. [...]

  • Page 253

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 253 Figure 169 Configuration > Network > Interface > WLAN > Add (No Security)[...]

  • Page 254

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 254 The following table describes the general wireless LAN labels in this screen. Table 60 Configuration > Network > Interface > WLAN > Add (No Security) LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number [...]

  • Page 255

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 255 IP Address Enter the IP address for this interface. Subnet Mask Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network. Interface Parameters Egress Bandwidth Enter the maximum[...]

  • Page 256

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 256 Pool Size Enter the number of IP addresses to allocate. This number must be at least one and is limited by the interface’s Subnet Mask. For example, if the Subnet Mask is 255.255.255.0 and IP Pool Start Address is 10.10.10.10, the ZyWALL can allocate 10.10.10.10 to 10.10.10.254, o[...]

  • Page 257

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 257 Direction This field is effective when RIP is enabled. Select the RIP direction from the drop-down list box. BiDir - This interface sends and receives routing information. In-Only - This interface receives routing information. Out-Only - This interface sends routing information. Send Versi[...]

  • Page 258

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 258 11.6.2 WLAN Add/Edit: WEP Security WEP provides a mechanism for encrypting data using encryption keys. Both the ZyWALL and the wireless stations must use the same WEP key to encrypt and decrypt data. Your ZyWALL allows you to configure up to four 64-bit or 128-bit WEP keys, but on[...]

  • Page 259

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 259 The following table describes the WEP-related wireless LAN security labels. See Table 60 on page 254 for information on the 802.1x fields. 11.6.3 WLAN Add/Edit: WPA-PSK/WPA2-PSK Security WPA-PSK or WPA2-PSK security has all of the WLAN interface’s users share the same password (p[...]

  • Page 260

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 260 The following table describes the WPA-PSK/WPA2-PSK-related wireless LAN security labels. 11.6.4 WLAN Add/Edit: WPA/WPA2 Security With WPA or WPA2 security, each user can have a separate user name and password. The ZyWALL uses an external RADIUS server or the ZyWALL’s int[...]

  • Page 261

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 261 Figure 172 Configuration > Network > Interface > WLAN > Add (WPA/WPA2 Security) The following table describes the WPA/WPA2-related wireless LAN security labels. Table 63 Configuration > Network > Interface > WLAN > Add (WPA/WPA2 Security) LABEL DESCRIPTION Au[...]

  • Page 262

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 262 11.7 WLAN Interface MAC Filter This feature is available for USG 20W only. The MAC filter allows you to give specific wireless clients exclusive access to the ZyWALL (allow association) or block specific devices from accessing the ZyWALL (deny association) based on the devices’[...]

  • Page 263

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 263 Figure 173 Network > Interface > WLAN > MAC Filter The following table describes the labels in this screen. Table 64 Configuration > Network > Interface > WLAN > MAC Filter LABEL DESCRIPTION Enable MAC Filter Select or clear the check box to enable or disable MAC addr[...]

  • Page 264

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 264 11.8 VLAN Interfaces A Virtual Local Area Network (VLAN) divides a physical network into multiple logical networks. The standard is defined in IEEE 802.1q. Figure 174 Example: Before VLAN In this example, there are two physical networks and three departments A, B, and C. The physi[...]

  • Page 265

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 265 • Traffic inside each VLAN is layer-2 communication (data link layer, MAC addresses). It is handled by the switches. As a result, the new switch is required to handle traffic inside VLAN 2. Traffic is only broadcast inside each VLAN, not each physical network. • Traffic bet [...]

  • Page 266

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 266 11.8.1 VLAN Summary Screen This screen lists every VLAN interface and virtual interface created on top of VLAN interfaces. To access this screen, click Configuration > Network > Interface > VLAN. Figure 176 Configuration > Network > Interface > VLAN Each field is e[...]

  • Page 267

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 267 11.8.2 VLAN Add/Edit This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each VLAN interface. To access this screen, click the Add icon at the top of the Add column or click an Edit icon next to a VLAN interfac[...]

  • Page 268

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 268 Figure 177 Configuration > Network > Interface > VLAN > Edit[...]

  • Page 269

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 269 Each field is explained in the following table. Table 66 Configuration > Network > Interface > VLAN > Edit LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields. General Settings Enabl[...]

  • Page 270

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 270 Metric Enter the priority of the gateway (if any) on this interface. The ZyWALL decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the ZyWALL uses the one that was configured first. In[...]

  • Page 271

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 271 DHCP Select what type of DHCP service the ZyWALL provides to the network. Choices are: None - the ZyWALL does not provide any DHCP services. There is already a DHCP server on the network. DHCP Relay - the ZyWALL routes DHCP requests to one or more DHCP servers you specify. The DHCP [...]

  • Page 272

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 272 Lease time Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are: infinite - select this if IP addresses never expire. days, hours, and minutes - select this to enter how long IP addresses are valid. [...]

  • Page 273

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 273 OSPF Setting See Section 14.3 on page 315 for more information about OSPF. Area Select the area in which this interface belongs. Select None to disable OSPF in this interface. Priority Enter the priority (between 0 and 255) of this interface when the area is looking for a Designated Rout[...]

  • Page 274

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 274 11.9 Bridge Interfaces This section introduces bridges and bridge interfaces and then explains the screens for bridge interfaces. Bridge Overview A bridge creates a connection between two or more network segments at the layer-2 (MAC address) level. In the following example, bridge X c[...]

  • Page 275

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 275 If computer B responds to computer A, bridge X records the source address 0B:0B:0B:0B:0B:0B and port 4 in the table. It also looks up 0A:0A:0A:0A:0A:0A in the table and sends the packet to port 2 accordingly. Bridge Interface Overview A bridge interface creates a software bridge between[...]

  • Page 276

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 276 remove from a bridge interface when the underlying interface is added or removed. 11.9.1 Bridge Summary This screen lists every bridge interface and virtual interface created on top of bridge interfaces. To access this screen, click Configuration > Network > Interface > Brid[...]

  • Page 277

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 277 11.9.2 Bridge Add/Edit This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each bridge interface. To access this screen, click the Add icon at the top of the Add column in the Bridge Summary screen, or click [...]

  • Page 278

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 278 Figure 179 Configuration > Network > Interface > Bridge > Add[...]

  • Page 279

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 279 Each field is described in the table below. Table 71 Configuration > Network > Interface > Bridge > Edit LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields. General Settings Enab[...]

  • Page 280

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 280 Gateway This field is enabled if you select Use Fixed IP Address. Enter the IP address of the gateway. The ZyWALL sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface. Metric Enter t[...]

  • Page 281

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 281 IP Pool Start Address Enter the IP address from which the ZyWALL begins allocating IP addresses. If you want to assign a static IP address to a specific computer, click Add Static DHCP. If this field is blank, the Pool Size must also be blank. In this case, the ZyWALL can assign every[...]

  • Page 282

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 282 11.9.3 Virtual Interfaces Add/Edit This screen lets you configure IP address assignment and interface parameters for virtual interfaces. To access this screen, click an Add icon next to an Ethernet Add Click this to create a new entry. Edit Select an entry and click this to be able[...]

  • Page 283

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 283 interface, VLAN interface, or bridge interface in the respective interface summary screen. Figure 180 Configuration > Network > Interface > Add Each field is described in the table below. Table 72 Configuration > Network > Interface > Add LABEL DESCRIPTION Interfac[...]

  • Page 284

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 284 11.10 Interface Technical Reference Here is more detailed information about interfaces on the ZyWALL. IP Address Assignment Most interfaces have an IP address and a subnet mask. This information is used to create an entry in the routing table. Figure 181 Example: Entry in the Routi[...]

  • Page 285

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 285 because it is a point-to-point interface. For these interfaces, you can only enter the IP address. In many interfaces, you can also let the IP address and subnet mask be assigned by an external DHCP server on the network. In this case, the interface is a DHCP client. Virtual interface[...]

  • Page 286

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 286 If you set the bandwidth restrictions very high, you effectively remove the restrictions. The ZyWALL also restricts the size of each data packet. The maximum number of bytes in each packet is called the maximum transmission unit (MTU). If a packet is larger than the MTU, the Zy[...]

  • Page 287

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 287 • IP address - If the DHCP client’s MAC address is in the ZyWALL’s static DHCP table, the interface assigns the corresponding IP address. If not, the interface assigns IP addresses from a pool, defined by the starting address of the pool and the pool size. The ZyWALL cannot assig[...]

  • Page 288

    Chapter 11 Interfaces ZyWALL USG 20/20W User’s Guide 288 PPPoE/PPTP Overview Point-to-Point Protocol over Ethernet (PPPoE, RFC 2516) and Point-to-Point Tunneling Protocol (PPTP, RFC 2637) are usually used to connect two computers over phone lines or broadband connections. PPPoE is often used with cable modems and DSL connections. It p[...]

  • Page 289

    ZyWALL USG 20/20W User’s Guide 289 CHAPTER 12 Trunks 12.1 Overview Use trunks for WAN traffic load balancing to increase overall network throughput and reliability. Load balancing divides traffic loads between multiple interfaces. This allows you to improve quality of service and maximize bandwidth utilization for multiple ISP links. May[...]

  • Page 290

    Chapter 12 Trunks ZyWALL USG 20/20W User’s Guide 290 12.1.2 What You Need to Know • Add WAN interfaces to trunks to have multiple connections share the traffic load. • If one WAN interface’s connection goes down, the ZyWALL sends traffic through another member of the trunk. • For example, you connect one WAN interface to one ISP [...]

  • Page 291

    Chapter 12 Trunks ZyWALL USG 20/20W User’s Guide 291 Spillover The spillover load balancing algorithm sends network traffic to the first interface in the trunk member list until the interface’s maximum allowable load is reached, then sends the excess network traffic of new sessions to the next interface in the trunk member list. This[...]

  • Page 292

    Chapter 12 Trunks ZyWALL USG 20/20W User’s Guide 292 12.2 The Trunk Summary Screen Click Configuration > Network > Interface > Trunk to open the Trunk screen. This screen lists the configured trunks and the load balancing algorithm that each is configured to use. Figure 182 Configuration > Network > Interface > Trunk Th[...]

  • Page 293

    Chapter 12 Trunks ZyWALL USG 20/20W User’s Guide 293 12.3 Configuring a Trunk Click Configuration > Network > Interface > Trunk and then the Add (or Edit) icon to open the Trunk Edit screen. Use this screen to create or edit a WAN trunk entry. Figure 183 Configuration > Network > Interface > Trunk > Add (or Edit) Ena[...]

  • Page 294

    Chapter 12 Trunks ZyWALL USG 20/20W User’s Guide 294 Each field is described in the table below. Table 77 Configuration > Network > Interface > Trunk > Add (or Edit) LABEL DESCRIPTION Name This is read-only if you are editing an existing trunk. When adding a new trunk, enter a descriptive name for this trunk. You may use 1-31[...]

  • Page 295

    Chapter 12 Trunks ZyWALL USG 20/20W User’s Guide 295 12.4 Trunk Technical Reference Round Robin Load Balancing Algorithm Round Robin scheduling services queues on a rotating basis and is activated only when an interface has more traffic than it can handle. A queue is given an amount of bandwidth irrespective of the incoming traffic on [...]

  • Page 296

    Chapter 12 Trunks ZyWALL USG 20/20W User’s Guide 296[...]

  • Page 297

    ZyWALL USG 20/20W User’s Guide 297 CHAPTER 13 Policy and Static Routes 13.1 Policy and Static Routes Overview Use policy routes and static routes to override the ZyWALL’s default routing behavior in order to send packets through the appropriate interface or VPN tunnel. For example, the next figure shows a computer (A) connected[...]

  • Page 298

    Chapter 13 Policy and Static Routes ZyWALL USG 20/20W User’s Guide 298 • Use the Static Route screens (see Section 13.3 on page 307) to list and configure static routes. 13.1.2 What You Need to Know Policy Routing Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a pack[...]

  • Page 299

    Chapter 13 Policy and Static Routes ZyWALL USG 20/20W User’s Guide 299 • Policy routes are only used within the ZyWALL itself. Static routes can be propagated to other routers using RIP or OSPF. • Policy routes take priority over static routes. If you need to use a routing policy on the ZyWALL and propagate it to other routers, yo[...]

  • Page 300

    Chapter 13 Policy and Static Routes ZyWALL USG 20/20W User’s Guide 300 • See Section 13.4 on page 309 for more background information on policy routing. 13.2 Policy Route Screen Click Configuration > Network > Routing to open the Policy Route screen. Use this screen to see the configured policy routes and turn policy routing based ban[...]

  • Page 301

    Chapter 13 Policy and Static Routes ZyWALL USG 20/20W User’s Guide 301 The following table describes the labels in this screen. Table 78 Configuration > Network > Routing > Policy Route LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields. Enabl[...]

  • Page 302

    Chapter 13 Policy and Static Routes ZyWALL USG 20/20W User’s Guide 302 DSCP Code This is the DSCP value of incoming packets to which this policy route applies. any means all DSCP values or no DSCP marker. default means traffic with a DSCP value of 0. This is usually best effort traffic. The “af” entries stand for Assured Forwarding. The[...]

  • Page 303

    Chapter 13 Policy and Static Routes ZyWALL USG 20/20W User’s Guide 303 13.2.1 Policy Route Edit Screen Click Configuration > Network > Routing to open the Policy Route screen. Then click the Add or Edit icon to open the Policy Route Edit screen. Use this screen to configure or edit a policy route. Figure 186 Configuration > Network &g[...]

  • Page 304

    Chapter 13 Policy and Static Routes ZyWALL USG 20/20W User’s Guide 304 Incoming Select where the packets are coming from; any, an interface, a tunnel, an SSL VPN, or the ZyWALL itself. For an interface, a tunnel, or an SSL VPN, you also need to select the individual interface, VPN tunnel, or SSL VPN connection. Source Address Select a s[...]

  • Page 305

    Chapter 13 Policy and Static Routes ZyWALL USG 20/20W User’s Guide 305 VPN Tunnel This field displays when you select VPN Tunnel in the Type field. Select a VPN tunnel through which the packets are sent to the remote network that is connected to the ZyWALL directly. Auto Destination Address This field displays when you select VPN Tunnel in th[...]

  • Page 306

    Chapter 13 Policy and Static Routes ZyWALL USG 20/20W User’s Guide 306 Source Network Address Translation Select none to not use NAT for the route. Select outgoing-interface to use the IP address of the outgoing interface as the source IP address of the packets that matches this route. If you select outgoing-interface, you can also configure[...]

  • Page 307

    Chapter 13 Policy and Static Routes ZyWALL USG 20/20W User’s Guide 307 13.3 IP Static Route Screen Click Configuration > Network > Routing > Static Route to open the Static Route screen. This screen displays the configured static routes. Configure static routes to be able to use RIP or OSPF to propagate the routing information to oth[...]

  • Page 308

    Chapter 13 Policy and Static Routes ZyWALL USG 20/20W User’s Guide 308 The following table describes the labels in this screen. 13.3.1 Static Route Add/Edit Screen Select a static route index number and click Add or Edit. The screen shown next appears. Use this screen to configure the required information for a static route. Figure 188 Conf[...]

  • Page 309

    Chapter 13 Policy and Static Routes ZyWALL USG 20/20W User’s Guide 309 13.4 Policy Routing Technical Reference Here is more detailed information about some of the features you can configure in policy routing. NAT and SNAT NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address in a packet in one network [...]

  • Page 310

    Chapter 13 Policy and Static Routes ZyWALL USG 20/20W User’s Guide 310 following twelve DSCP encodings from AF11 through AF43. The decimal equivalent is listed in brackets. Port Triggering Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding, you s[...]

  • Page 311

    Chapter 13 Policy and Static Routes ZyWALL USG 20/20W User’s Guide 311 3 Computer A and game server 1 are connected to each other until the connection is closed or times out. Any other computers (such as B or C) cannot connect to remote server 1 using the same port triggering rule as computer A unless they are using a different next hop (gat[...]

  • Page 312

    Chapter 13 Policy and Static Routes ZyWALL USG 20/20W User’s Guide 312[...]

  • Page 313

    ZyWALL USG 20/20W User’s Guide 313 CHAPTER 14 Routing Protocols 14.1 Routing Protocols Overview Routing protocols give the ZyWALL routing information about the network from other routers. The ZyWALL stores this routing information in the routing table it uses to make routing decisions. In turn, the ZyWALL can also use routing protocols to[...]

  • Page 314

    Chapter 14 Routing Protocols ZyWALL USG 20/20W User’s Guide 314 14.2 The RIP Screen RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a device to exchange routing information with other routers. RIP is a vector-space routing protocol, and, like most such protocols, it uses hop count to decide which route is the shortest. Unfort[...]

  • Page 315

    Chapter 14 Routing Protocols ZyWALL USG 20/20W User’s Guide 315 The following table describes the labels in this screen. 14.3 The OSPF Screen OSPF (Open Shortest Path First, RFC 2328) is a link-state protocol designed to distribute routing information within a group of networks, called an Autonomous Table 84 Configuration > Network > [...]

  • Page 316

    Chapter 14 Routing Protocols ZyWALL USG 20/20W User’s Guide 316 System (AS). OSPF offers some advantages over vector-space routing protocols like RIP. • OSPF supports variable-length subnet masks, which can be set up to use available IP addresses more efficiently. • OSPF filters and summarizes routing information, which reduces the s[...]

  • Page 317

    Chapter 14 Routing Protocols ZyWALL USG 20/20W User’s Guide 317 Each type of area is illustrated in the following figure. Figure 191 OSPF: Types of Areas This OSPF AS consists of four areas, areas 0-3. Area 0 is always the backbone. In this example, areas 1, 2, and 3 are all connected to it. Area 1 is a normal area. It has r[...]

  • Page 318

    Chapter 14 Routing Protocols ZyWALL USG 20/20W User’s Guide 318 • An Autonomous System Boundary Router (ASBR) exchanges routing information with routers in networks outside the OSPF AS. This is called redistribution in OSPF. • A backbone router (BR) has at least one interface with area 0. By default, every router in area 0 is a backbone [...]

  • Page 319

    Chapter 14 Routing Protocols ZyWALL USG 20/20W User’s Guide 319 to logically connect the area to the backbone. This is illustrated in the following example. Figure 193 OSPF: Virtual Link In this example, area 100 does not have a direct connection to the backbone. As a result, you should set up a virtual link on both ABR in area 10. The virt[...]

  • Page 320

    Chapter 14 Routing Protocols ZyWALL USG 20/20W User’s Guide 320 Click Configuration > Network > Routing > OSPF to open the following screen. Figure 194 Configuration > Network > Routing > OSPF The following table describes the labels in this screen. See Section 14.3.2 on page 322 for more information as well. Table 86 Conf[...]

  • Page 321

    Chapter 14 Routing Protocols ZyWALL USG 20/20W User’s Guide 321 Type Select how OSPF calculates the cost associated with routing information from static routes. Choices are: Type 1 and Type 2. Type 1 - cost = OSPF AS cost + external cost (Metric) Type 2 - cost = external cost (Metric); the OSPF AS cost is ignored. Metric Type the exter[...]

  • Page 322

    Chapter 14 Routing Protocols ZyWALL USG 20/20W User’s Guide 322 14.3.2 OSPF Area Add/Edit Screen The OSPF Area Add/Edit screen allows you to create a new area or edit an existing one. To access this screen, go to the OSPF summary screen (see Section 14.3 on page 315), and click either the Add icon or an Edit icon. Figure 195 Configuration >[...]

  • Page 323

    Chapter 14 Routing Protocols ZyWALL USG 20/20W User’s Guide 323 14.3.3 Virtual Link Add/Edit Screen The Virtual Link Add/Edit screen allows you to create a new virtual link or edit an existing one. When the OSPF add or edit screen (see Section 14.3.2 on page Text Authentication Key This field is available if the Authentication is Text. Ty[...]

  • Page 324

    Chapter 14 Routing Protocols ZyWALL USG 20/20W User’s Guide 324 322) has the Type set to Normal, a Virtual Link table displays. Click either the Add icon or an entry and the Edit icon to display a screen like the following. Figure 196 Configuration > Network > Routing > OSPF > Add > Add The following table describes the l[...]

  • Page 325

    Chapter 14 Routing Protocols ZyWALL USG 20/20W User’s Guide 325 Authentication Types Authentication is used to guarantee the integrity, but not the confidentiality, of routing updates. The transmitting router uses its key to encrypt the original message into a smaller message, and the smaller message is transmitted with the original mess[...]

  • Page 326

    Chapter 14 Routing Protocols ZyWALL USG 20/20W User’s Guide 326[...]

  • Page 327

    ZyWALL USG 20/20W User’s Guide 327 CHAPTER 15 Zones 15.1 Zones Overview Set up zones to configure network security and network policies in the ZyWALL. A zone is a group of interfaces and/or VPN tunnels. The ZyWALL uses zones instead of interfaces in many security and policy settings, such as firewall rules, Anti-X, and remote management. Z[...]

  • Page 328

    Chapter 15 Zones ZyWALL USG 20/20W User’s Guide 328 15.1.2 What You Need to Know Effects of Zones on Different Types of Traffic Zones effectively divide traffic into three types--intra-zone traffic, inter-zone traffic, and extra-zone traffic--which are affected differently by zone-based security and policy settings. Intra-zone T [...]

  • Page 329

    Chapter 15 Zones ZyWALL USG 20/20W User’s Guide 329 15.2 The Zone Screen The Zone screen provides a summary of all zones. In addition, this screen allows you to add, edit, and remove zones. To access this screen, click Configuration > Network > Zone. Figure 198 Configuration > Network > Zone (USG 20W) The following table descri [...]

  • Page 330

    Chapter 15 Zones ZyWALL USG 20/20W User’s Guide 330 15.3 Zone Edit The Zone Edit screen allows you to add or edit a zone. To access this screen, go to the Zone screen (see Section 15.2 on page 329), and click the Add icon or an Edit icon. Figure 199 Network > Zone > Add The following table describes the labels in this screen. Table[...]

  • Page 331

    ZyWALL USG 20/20W User’s Guide 331 CHAPTER 16 DDNS 16.1 DDNS Overview Dynamic DNS (DDNS) services let you use a domain name with a dynamic IP address. 16.1.1 What You Can Do in this Chapter • Use the DDNS screen (see Section 16.2 on page 332) to view a list of the configured DDNS domain names and their details. • Use the DDNS Add/Ed[...]

  • Page 332

    Chapter 16 DDNS ZyWALL USG 20/20W User’s Guide 332 Note: Record your DDNS account’s user name, password, and domain name to use to configure the ZyWALL. After you configure the ZyWALL, it automatically sends updated IP addresses to the DDNS service provider, which helps redirect traffic accordingly. Finding Out More See Section 6.5.8 [...]

  • Page 333

    Chapter 16 DDNS ZyWALL USG 20/20W User’s Guide 333 Primary Interface/IP This field displays the interface to use for updating the IP address mapped to the domain name followed by how the ZyWALL determines the IP address for the domain name. from interface - The IP address comes from the specified interface. auto detected - The DDNS server checks[...]

  • Page 334

    Chapter 16 DDNS ZyWALL USG 20/20W User’s Guide 334 16.2.1 The Dynamic DNS Add/Edit Screen The DDNS Add/Edit screen allows you to add a domain name to the ZyWALL or to edit the configuration of an existing domain name. Click Configuration > Network > DDNS and then an Add or Edit icon to open this screen. Figure 201 Configuration > Netwo[...]

  • Page 335

    Chapter 16 DDNS ZyWALL USG 20/20W User’s Guide 335 Username Type the user name used when you registered your domain name. You can use up to 31 alphanumeric characters and the underscore. Spaces are not allowed. For a Dynu DDNS entry, this user name is the one you use for logging into the service, not the name recorded in your personal informa[...]

  • Page 336

    Chapter 16 DDNS ZyWALL USG 20/20W User’s Guide 336 IP Address The options available in this field vary by DDNS provider. Interface - The ZyWALL uses the IP address of the specified interface. This option appears when you select a specific interface in the Backup Binding Address Interface field. Auto - The DDNS server checks the source IP ad[...]

  • Page 337

    ZyWALL USG 20/20W User’s Guide 337 CHAPTER 17 NAT 17.1 NAT Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network is changed to a different IP address known within another network. Use Network [...]

  • Page 338

    Chapter 17 NAT ZyWALL USG 20/20W User’s Guide 338 17.1.2 What You Need to Know NAT is also known as virtual server, port forwarding, or port translation. Finding Out More • See Section 6.5.9 on page 98 for related information on these screens. • See Section 17.3 on page 343 for technical background information related to these screens. [...]

  • Page 339

    Chapter 17 NAT ZyWALL USG 20/20W User’s Guide 339 Remove To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate. # This field is a sequential value, and it [...]

  • Page 340

    Chapter 17 NAT ZyWALL USG 20/20W User’s Guide 340 17.2.1 The NAT Add/Edit Screen The NAT Add/Edit screen lets you create new NAT rules and edit existing ones. To open this window, open the NAT summary screen. (See Section 17.2 on page 338.) Then, click on an Add icon or Edit icon to open the following screen. Figure 204 Configuration > [...]

  • Page 341

    Chapter 17 NAT ZyWALL USG 20/20W User’s Guide 341 Classification Select what kind of NAT this rule is to perform. Virtual Server - This makes computers on a private network behind the ZyWALL available to a public network outside the ZyWALL (like the Internet). 1:1 NAT - If the private network server will initiate sessions to the outside[...]

  • Page 342

    Chapter 17 NAT ZyWALL USG 20/20W User’s Guide 342 Mapped IP Subnet/Range This field displays for Many 1:1 NAT. Select to which translated destination IP address subnet or IP address range this NAT rule forwards packets. The original and mapped IP address subnets or ranges must have the same number of IP addresses. Port Mapping Type Us[...]

  • Page 343

    Chapter 17 NAT ZyWALL USG 20/20W User’s Guide 343 17.3 NAT Technical Reference Here is more detailed information about NAT on the ZyWALL. NAT Loopback Suppose a NAT 1:1 rule maps a public IP address to the private IP address of a LAN SMTP e-mail server to give WAN users access. NAT loopback allows other users to also use the rule’s [...]

  • Page 344

    Chapter 17 NAT ZyWALL USG 20/20W User’s Guide 344 For example, a LAN user’s computer at IP address 192.168.1.89 queries a public DNS server to resolve the SMTP server’s domain name (xxx.LAN-SMTP.com in this example) and gets the SMTP server’s mapped public IP address of 1.1.1.1. Figure 205 LAN Computer Queries a Public DNS Server Th[...]

  • Page 345

    Chapter 17 NAT ZyWALL USG 20/20W User’s Guide 345 SMTP server replied directly to the LAN user without the traffic going through NAT, the source would not match the original destination address which would cause the LAN user’s computer to shut down the session. Figure 207 LAN to LAN Return Traffic 192.168.1.21 LAN 192.168.1.89 Source 1.1[...]

  • Page 346

    Chapter 17 NAT ZyWALL USG 20/20W User’s Guide 346[...]

  • Page 347

    ZyWALL USG 20/20W User’s Guide 347 CHAPTER 18 HTTP Redirect 18.1 Overview HTTP redirect forwards the client’s HTTP request (except HTTP traffic destined for the ZyWALL) to a web proxy server. In the following example, proxy server A is connected to the DMZ interface. When a client connected to the LAN1 zone wants to open a web pa[...]

  • Page 348

    Chapter 18 HTTP Redirect ZyWALL USG 20/20W User’s Guide 348 18.1.2 What You Need to Know Web Proxy Server A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services. A proxy server can act as a firewall or an ALG (application layer gateway) between the private network and th[...]

  • Page 349

    Chapter 18 HTTP Redirect ZyWALL USG 20/20W User’s Guide 349 Finding Out More See Section 6.5.10 on page 99 for related information on these screens. 18.2 The HTTP Redirect Screen To configure redirection of a HTTP request to a proxy server, click Configuration > Network > HTTP Redirect. This screen displays the summary of the HTTP r[...]

  • Page 350

    Chapter 18 HTTP Redirect ZyWALL USG 20/20W User’s Guide 350 18.2.1 The HTTP Redirect Edit Screen Click Network > HTTP Redirect to open the HTTP Redirect screen. Then click the Add or Edit icon to open the HTTP Redirect Edit screen where you can configure the rule. Figure 210 Network > HTTP Redirect > Edit The following table descri [...]

  • Page 351

    ZyWALL USG 20/20W User’s Guide 351 CHAPTER 19 ALG 19.1 ALG Overview Application Layer Gateway (ALG) allows the following applications to operate properly through the ZyWALL’s NAT. • SIP - Session Initiation Protocol (SIP) - An application-layer protocol that can be used to create voice and multimedia sessions over Internet. • H.323[...]

  • Page 352

    Chapter 19 ALG ZyWALL USG 20/20W User’s Guide 352 19.1.2 What You Need to Know Application Layer Gateway (ALG), NAT and Firewall The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain NAT un-friendly applications (such as SIP) to operate properly through the ZyWALL’s NAT and firewall. The ZyWALL dynamically[...]

  • Page 353

    Chapter 19 ALG ZyWALL USG 20/20W User’s Guide 353 • There should be only one SIP server (total) on the ZyWALL’s private networks. Any other SIP servers must be on the WAN. So for example you could have a Back-to-Back User Agent such as the IPPBX x6004 or an asterisk PBX on the DMZ or on the LAN but not on both. • Using the SIP ALG [...]

  • Page 354

    Chapter 19 ALG ZyWALL USG 20/20W User’s Guide 354 can receive incoming calls from the Internet, LAN IP addresses B and C can still make calls out to the Internet. Figure 213 VoIP Calls from the WAN with Multiple Outgoing Calls VoIP with Multiple WAN IP Addresses With multiple WAN IP addresses on the ZyWALL, you can configure different fi[...]

  • Page 355

    Chapter 19 ALG ZyWALL USG 20/20W User’s Guide 355 • See Section 19.3 on page 357 for ALG background/technical information. 19.1.3 Before You Begin You must also configure the firewall and enable NAT in the ZyWALL to allow sessions initiated from the WAN. 19.2 The ALG Screen Click Configuration > Network > ALG to open the ALG screen[...]

  • Page 356

    Chapter 19 ALG ZyWALL USG 20/20W User’s Guide 356 Enable Configure SIP Inactivity Timeout Select this option to have the ZyWALL apply SIP media and signaling inactivity time out limits. SIP Media Inactivity Timeout Use this field to set how many seconds (1~86400) the ZyWALL will allow a SIP session to remain idle (without voice traffic) before[...]

  • Page 357

    Chapter 19 ALG ZyWALL USG 20/20W User’s Guide 357 19.3 ALG Technical Reference Here is more detailed information about the Application Layer Gateway. ALG Some applications cannot operate through NAT (are NAT un-friendly) because they embed IP addresses and port numbers in their packets’ data payload. The ZyWALL examines and uses IP ad[...]

  • Page 358

    Chapter 19 ALG ZyWALL USG 20/20W User’s Guide 358 commands from a system running an FTP client. The service allows users to send commands to the server for uploading and downloading files. H.323 H.323 is a standard teleconferencing protocol suite that provides audio, data and video conferencing. It allows for real-time point-to-point and m[...]

  • Page 359

    ZyWALL USG 20/20W User’s Guide 359 CHAPTER 20 IP/MAC Binding 20.1 IP/MAC Binding Overview IP address to MAC address binding helps ensure that only the intended devices get to use privileged IP addresses. The ZyWALL uses DHCP to assign IP addresses and records the MAC address to which it assigned each IP address. The ZyWALL then checks incoming c[...]

  • Page 360

    Chapter 20 IP/MAC Binding ZyWALL USG 20/20W User’s Guide 360 20.1.2 What You Need to Know DHCP IP/MAC address bindings are based on the ZyWALL’s dynamic and static DHCP entries. Interfaces Used With IP/MAC Binding IP/MAC address bindings are grouped by interface. You can use IP/MAC binding with Ethernet, bridge, VLAN, and WLAN (for USG[...]

  • Page 361

    Chapter 20 IP/MAC Binding ZyWALL USG 20/20W User’s Guide 361 20.2.1 IP/MAC Binding Edit Click Configuration > Network > IP/MAC Binding > Edit to open the IP/MAC Binding Edit screen. Use this screen to configure an interface’s IP to MAC address binding settings. Figure 218 Configuration > Network > IP/MAC Binding > Edit The [...]

  • Page 362

    Chapter 20 IP/MAC Binding ZyWALL USG 20/20W User’s Guide 362 20.2.2 Static DHCP Edit Click Configuration > Network > IP/MAC Binding > Edit to open the IP/MAC Binding Edit screen. Click the Add or Edit icon to open the following screen. Use this screen to configure an interface’s IP to MAC address binding settings. Figure 219 Confi[...]

  • Page 363

    Chapter 20 IP/MAC Binding ZyWALL USG 20/20W User’s Guide 363 20.3 IP/MAC Binding Exempt List Click Configuration > Network > IP/MAC Binding > Exempt List to open the IP/MAC Binding Exempt List screen. Use this screen to configure ranges of IP addresses to which the ZyWALL does not apply IP/MAC binding. Figure 220 Configuration [...]

  • Page 364

    Chapter 20 IP/MAC Binding ZyWALL USG 20/20W User’s Guide 364[...]

  • Page 365

    ZyWALL USG 20/20W User’s Guide 365 CHAPTER 21 Authentication Policy 21.1 Overview Use authentication policies to control who can access the network. You can authenticate users (require them to log in) and even perform Endpoint Security (EPS) checking to make sure users’ computers comply with defined corporate policies before they can acces[...]

  • Page 366

    Chapter 21 Authentication Policy ZyWALL USG 20/20W User’s Guide 366 21.1.2 What You Need to Know Authentication Policy and VPN Authentication policies are applied based on a traffic flow’s source and destination IP addresses. If VPN traffic matches an authentication policy’s source and destination IP addresses, the user must pass [...]

  • Page 367

    Chapter 21 Authentication Policy ZyWALL USG 20/20W User’s Guide 367 Click Configuration > Auth. Policy to display the screen. Figure 222 Configuration > Auth. Policy[...]

  • Page 368

    Chapter 21 Authentication Policy ZyWALL USG 20/20W User’s Guide 368 The following table gives an overview of the objects you can configure. Table 103 Configuration > Auth. Policy LABEL DESCRIPTION Enable Authentication Policy Select this to turn on the authentication policy feature. Exceptional Services Use this table to list services[...]

  • Page 369

    Chapter 21 Authentication Policy ZyWALL USG 20/20W User’s Guide 369 21.2.1 Creating/Editing an Authentication Policy Click Configuration > Auth. Policy and then the Add (or Edit) icon to open the Endpoint Security Edit screen. Use this screen to configure an authentication policy. Status This icon is lit when the entry is active and dimmed w[...]

  • Page 370

    Chapter 21 Authentication Policy ZyWALL USG 20/20W User’s Guide 370 Figure 224 Configuration > Auth. Policy > Add The following table gives an overview of the objects you can configure. Table 104 Configuration > Auth. Policy > Add LABEL DESCRIPTION Create new Object Use to configure any new settings objects that you need to us[...]

  • Page 371

    Chapter 21 Authentication Policy ZyWALL USG 20/20W User’s Guide 371 Schedule Select a schedule that defines when the policy applies. Otherwise, select none and the rule is always effective. This is none and not configurable for the default policy. Authentication Select the authentication requirement for users when their traffic matches this po[...]

  • Page 372

    Chapter 21 Authentication Policy ZyWALL USG 20/20W User’s Guide 372[...]

  • Page 373

    ZyWALL USG 20/20W User’s Guide 373 CHAPTER 22 Firewall 22.1 Overview Use the firewall to block or allow services that use static port numbers. The firewall can also limit the number of user sessions. This figure shows the ZyWALL’s default firewall rules in action and demonstrates how stateful inspection works. User 1 can initiate a Teln[...]

  • Page 374

    Chapter 22 Firewall ZyWALL USG 20/20W User’s Guide 374 22.1.2 What You Need to Know Stateful Inspection The ZyWALL has a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It also inspects sessions. For example, traffic from one zone is not allowed unless it is initiate[...]

  • Page 375

    Chapter 22 Firewall ZyWALL USG 20/20W User’s Guide 375 To-ZyWALL Rules Rules with ZyWALL as the To Zone apply to traffic going to the ZyWALL itself. By default: • The firewall allows only LAN, WLAN (USG 20W), or WAN computers to access or manage the ZyWALL. • The ZyWALL drops most packets from the WAN zone to the ZyWALL itsel[...]

  • Page 376

    Chapter 22 Firewall ZyWALL USG 20/20W User’s Guide 376 Firewall and VPN Traffic After you create a VPN tunnel and add it to a zone, you can set the firewall rules applied to VPN traffic. If you add a VPN tunnel to an existing zone (the LAN1 zone for example), you can configure a new LAN1 to LAN1 firewall rule or use intra-zone traffic [...]

  • Page 377

    Chapter 22 Firewall ZyWALL USG 20/20W User’s Guide 377 the firewall rule to always be in effect. The following figure shows the results of this rule. Figure 226 Blocking All LAN to WAN IRC Traffic Example Your firewall would have the following rules. • The first row blocks LAN access to the IRC service on the WAN. • The second row is th[...]

  • Page 378

    Chapter 22 Firewall ZyWALL USG 20/20W User’s Guide 378 Now you configure a LAN1 to WAN firewall rule that allows IRC traffic from the IP address of the CEO’s computer (192.168.1.7 for example) to go to any destination address. You do not need to specify a schedule since you want the firewall rule to always be in effect. The following fi[...]

  • Page 379

    Chapter 22 Firewall ZyWALL USG 20/20W User’s Guide 379 • The first row allows any LAN1 computer to access the IRC service on the WAN by logging into the ZyWALL with the CEO’s user name. • The second row blocks LAN1 access to the IRC service on the WAN. • The third row is the firewall’s default policy of allowing all traffic from t[...]

  • Page 380

    Chapter 22 Firewall ZyWALL USG 20/20W User’s Guide 380 5 The screen for configuring a service object opens. Configure it as follows and click OK. Figure 230 Firewall Example: Create a Service Object 6 Select From WAN and To LAN1. 7 Enter the name of the firewall rule. 8 Select Dest_1 is selected for the Destination and Doom is selected as the[...]

  • Page 381

    Chapter 22 Firewall ZyWALL USG 20/20W User’s Guide 381 9 The firewall rule appears in the firewall rule summary. Figure 232 Firewall Example: Doom Rule in Summary 22.2 The Firewall Screen Asymmetrical Routes If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL’s LAN IP address, return traffic may not go thro[...]

  • Page 382

    Chapter 22 Firewall ZyWALL USG 20/20W User’s Guide 382 4 The ZyWALL then sends it to the computer on the LAN1 in Subnet 1. Figure 233 Using Virtual Interfaces to Avoid Asymmetrical Routes 22.2.1 Configuring the Firewall Screen Click Configuration > Firewall to open the Firewall screen. Use this screen to enable or disable the firewall an[...]

  • Page 383

    Chapter 22 Firewall ZyWALL USG 20/20W User’s Guide 383 • The ordering of your rules is very important as rules are applied in sequence. Figure 234 Configuration > Firewall (USG 20W) The following table describes the labels in this screen. Table 109 Configuration > Firewall LABEL DESCRIPTION General Settings Enable Firewall Select th[...]

  • Page 384

    Chapter 22 Firewall ZyWALL USG 20/20W User’s Guide 384 From Zone / To Zone This is the direction of travel of packets. Select from which zone the packets come and to which zone they go. Firewall rules are grouped based on the direction of travel of packets to which they apply. For example, from LAN1 to LAN1 means packets traveling from a [...]

  • Page 385

    Chapter 22 Firewall ZyWALL USG 20/20W User’s Guide 385 22.2.2 The Firewall Add/Edit Screen In the Firewall screen, click the Edit or Add icon to display the Firewall Rule Edit screen. Figure 235 Configuration > Firewall > Add The following table describes the labels in this screen. Service This displays the service object to which this f[...]

  • Page 386

    Chapter 22 Firewall ZyWALL USG 20/20W User’s Guide 386 22.3 The Session Limit Screen Click Configuration > Firewall > Session Limit to display the Firewall Session Limit screen. Use this screen to limit the number of concurrent NAT/firewall sessions a client can use. You can apply a default limit for all users and Description Enter a d[...]

  • Page 387

    Chapter 22 Firewall ZyWALL USG 20/20W User’s Guide 387 individual limits for specific users, addresses, or both. The individual limit takes priority if you apply both. Figure 236 Configuration > Firewall > Session Limit The following table describes the labels in this screen. Table 111 Configuration > Firewall > Session Limit L[...]

  • Page 388

    Chapter 22 Firewall ZyWALL USG 20/20W User’s Guide 388 22.3.1 The Session Limit Add/Edit Screen Click Configuration > Firewall > Session Limit and the Add or Edit icon to display the Firewall Session Limit Edit screen. Use this screen to configure rules that define a session limit for specific users or addresses. Figure 237 Configuration [...]

  • Page 389

    Chapter 22 Firewall ZyWALL USG 20/20W User’s Guide 389 User Select a user name or user group to which to apply the rule. The rule is activated only when the specified user logs into the system and the rule will be disabled when the user logs out. Otherwise, select any and there is no need for user logging. Note: If you specified an IP address (or[...]

  • Page 390

    Chapter 22 Firewall ZyWALL USG 20/20W User’s Guide 390[...]

  • Page 391

    ZyWALL USG 20/20W User’s Guide 391 CHAPTER 23 IPSec VPN 23.1 IPSec VPN Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing. It is used to transport traffic o[...]

  • Page 392

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 392 • Use the VPN Gateway screens (see Section 23.2.1 on page 396) to manage the ZyWALL’s VPN gateways. A VPN gateway specifies the IPSec routers at either end of a VPN tunnel and the IKE SA settings (phase 1 settings). You can also activate and deactivate each VPN gateway. 23.1.2[...]

  • Page 393

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 393 Application Scenarios The ZyWALL’s application scenarios make it easier to configure your VPN connection settings. Finding Out More • See Section 6.5.14 on page 101 for related information on these screens. Table 113 IPSec VPN Application Scenarios SITE-TO-SITE SITE-TO-SITE WITH DY[...]

  • Page 394

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 394 • See Section 23.4 on page 415 for IPSec VPN background information. • See Section 5.4 on page 76 for the IPSec VPN quick setup wizard. • See Section 7.4 on page 116 for an example of configuring IPSec VPN. 23.1.3 Before You Begin This section briefly explains the relationship betw[...]

  • Page 395

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 395 SA). Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 240 Configuration > VPN > IPSec VPN > VPN Connection Each field is discussed in the following table. See Section 23.2.2 o[...]

  • Page 396

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 396 23.2.1 The VPN Connection Add/Edit (IKE) Screen The VPN Connection Add/Edit Gateway screen allows you to create a new VPN connection policy or edit an existing one. To access this screen, go to the Configuration > VPN Connection screen (see Section 23.2 on page 394), and click either t[...]

  • Page 397

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 397 Figure 241 Configuration > VPN > IPSec VPN > VPN Connection > Edit (IKE)[...]

  • Page 398

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 398 Each field is described in the following table. Table 115 Configuration > VPN > IPSec VPN > VPN Connection > Edit LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields. Create new Object[...]

  • Page 399

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 399 Manual Key Select this option to configure a VPN connection policy that uses a manual key instead of IKE key management. This may be useful if you have problems with IKE key management. See Section 23.2.2 on page 403 for how to configure the manual key fields. Note: Only use manual key[...]

  • Page 400

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 400 Remove Select an entry and click this to delete it. # This field is a sequential value, and it is not associated with a specific proposal. The sequence of proposals should not affect performance significantly. Encryption This field is applicable when the Active Protocol is ESP. Select whi[...]

  • Page 401

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 401 Check Method Select how the ZyWALL checks the connection. The peer must be configured to respond to the method you select. Select icmp to have the ZyWALL regularly ping the address you specify to make sure traffic can still go through the connection. You may need to configure the peer [...]

  • Page 402

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 402 Inbound Traffic Source NAT This translation hides the source address of computers in the remote network. Source Select the address object that represents the original source address (or select Create Object to configure a new one). This is the address object for the remote network. The [...]

  • Page 403

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 403 23.2.2 The VPN Connection Add/Edit Manual Key Screen The VPN Connection Add/Edit Manual Key screen allows you to create a new VPN connection or edit an existing one using a manual key. This is useful if you have problems with IKE key management. To access this screen, go to the VPN Conne[...]

  • Page 404

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 404 Secure Gateway Address Type the IP address of the remote IPSec router in the IPSec SA. SPI Type a unique SPI (Security Parameter Index) between 256 and 4095. The SPI is used to identify the ZyWALL during authentication. The ZyWALL and remote IPSec router must use the same SPI. En[...]

  • Page 405

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 405 Encryption Key This field is applicable when you select an Encryption Algorithm. Enter the encryption key, which depends on the encryption algorithm. DES - type a unique key 8-32 characters long 3DES - type a unique key 24-32 characters long AES128 - type a unique key 16-32 characters[...]

  • Page 406

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 406 23.3 The VPN Gateway Screen The VPN Gateway summary screen displays the IPSec VPN gateway policies in the ZyWALL, as well as the ZyWALL’s address, remote IPSec router’s address, and associated VPN connections for each one. In addition, it also lets you activate and deactiva[...]

  • Page 407

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 407 23.3.1 The VPN Gateway Add/Edit Screen The VPN Gateway Add/Edit screen allows you to create a new VPN gateway policy or edit an existing one. To access this screen, go to the VPN Gateway summary screen (see Section 23.3 on page 406), and click either the Add icon or an Edit icon. Apply C[...]

  • Page 408

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 408 Figure 244 Configuration > VPN > IPSec VPN > VPN Gateway > Edit Each field is described in the following table. Table 118 Configuration > VPN > IPSec VPN > VPN Gateway > Edit LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to disp[...]

  • Page 409

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 409 My Address Select how the IP address of the ZyWALL in the IKE SA is defined. If you select Interface, select the Ethernet interface, VLAN interface, virtual Ethernet interface, virtual VLAN interface or PPPoE/PPTP interface. The IP address of the ZyWALL in the IKE SA is the IP addres[...]

  • Page 410

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 410 Certificate Select this to have the ZyWALL and remote IPSec router use certificates to authenticate each other when they negotiate the IKE SA. Then select the certificate the ZyWALL uses to identify itself to the remote IPsec router. This certificate is one of the certificates in My Ce[...]

  • Page 411

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 411 Peer ID Type Select which type of identification is used to identify the remote IPSec router during authentication. Choices are: IP - the remote IPSec router is identified by an IP address DNS - the remote IPSec router is identified by a domain name E-mail - the remote IPSec router is[...]

  • Page 412

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 412 Content This field is disabled if the Peer ID Type is Any. Type the identity of the remote IPSec router during authentication. The identity depends on the Peer ID Type. If the ZyWALL and remote IPSec router do not use certificates, IP - type an IP address; see the note at the end of th[...]

  • Page 413

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 413 Negotiation Mode Select the negotiation mode to use to negotiate the IKE SA. Choices are Main - this encrypts the ZyWALL’s and remote IPSec router’s identities but takes more time to establish the IKE SA Aggressive - this is faster but does not encrypt the identities The ZyWALL and [...]

  • Page 414

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 414 NAT Traversal Select this if any of these conditions are satisfied. • This IKE SA might be used to negotiate IPSec SAs that use ESP as the active protocol. • There are one or more NAT routers between the ZyWALL and remote IPSec router, and these routers do not support IPSec pa[...]

  • Page 415

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 415 23.4 IPSec VPN Background Information Here is some more detailed IPSec VPN background information. IKE SA Overview The IKE SA provides a secure connection between the ZyWALL and remote IPSec router. It takes several steps to establish an IKE SA. The negotiation mode determines how man[...]

  • Page 416

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 416 The ZyWALL sends one or more proposals to the remote IPSec router. (In some devices, you can only set up one proposal.) Each proposal consists of an encryption algorithm, authentication algorithm, and DH key group that the ZyWALL wants to use in the IKE SA. The remote IPSec router sel[...]

  • Page 417

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 417 keys for the IKE SA and IPSec SA. In main mode, this is done in steps 3 and 4, as illustrated next. Figure 246 IKE SA: Main Negotiation Mode, Steps 3 - 4: DH Key Exchange DH public-key cryptography is based on DH key groups. Each key group is a fixed number of bits long. The longer th[...]

  • Page 418

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 418 Router identity consists of ID type and content. The ID type can be domain name, IP address, or e-mail address, and the content is a (properly-formatted) domain name, IP address, or e-mail address. The content is only used for identification. Any domain name or e-mail address that you e[...]

  • Page 419

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 419 the identity of the remote IPSec router (for example, extended authentication) or if you are troubleshooting a VPN tunnel. Additional Topics for IKE SA This section provides more information about IKE SA. Negotiation Mode There are two negotiation modes--main mode and aggressive mod[...]

  • Page 420

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 420 If router A does NAT, it might change the IP addresses, port numbers, or both. If router X and router Y try to establish a VPN tunnel, the authentication fails because it depends on this information. The routers cannot establish a VPN tunnel. Most routers like router A now have an IPS[...]

  • Page 421

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 421 Certificates It is possible for the ZyWALL and remote IPSec router to authenticate each other with certificates. In this case, you do not have to set up the pre-shared key, local identity, or remote identity because the certificates provide this information instead. • Instead of[...]

  • Page 422

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 422 Encapsulation There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is more secure. Transport mode is only used when the IPSec SA is used for communication between the ZyWALL and remote IPSec router (for example, for remote management), not betwee[...]

  • Page 423

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 423 If you enable PFS, the ZyWALL and remote IPSec router perform a DH key exchange every time an IPSec SA is established, changing the root key from which encryption keys are generated. As a result, if one encryption key is compromised, other encryption keys remain secure. If you do not[...]

  • Page 424

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 424 NAT for Inbound and Outbound Traffic The ZyWALL can translate the following types of network addresses in IPSec SA. • Source address in outbound packets - this translation is necessary if you want the ZyWALL to route packets from computers outside the local network through the IPS[...]

  • Page 425

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 425 • Destination - the original destination address; the remote network (B). • SNAT - the translated source address; the local network (A). Source Address in Inbound Packets (Inbound Traffic, Source NAT) You can set up this translation if you want to change the source address [...]

  • Page 426

    Chapter 23 IPSec VPN ZyWALL USG 20/20W User’s Guide 426[...]

  • Page 427

    ZyWALL USG 20/20W User’s Guide 427 CHAPTER 24 SSL VPN 24.1 Overview Use SSL VPN to allow users to use a web browser for secure remote user login (the remote users do not need a VPN router or VPN client software). 24.1.1 What You Can Do in this Chapter • Use the VPN > SSL VPN > Access Privilege screens (see Section 24.2 on page 429) [...]

  • Page 428

    Chapter 24 SSL VPN ZyWALL USG 20/20W User’s Guide 428 • apply Endpoint Security (EPS) checking to require users’ computers to comply with defined corporate policies before they can access the SSL VPN tunnel. • limit user access to specific applications or files on the network. • allow user access to specific networks. • assign pri[...]

  • Page 429

    Chapter 24 SSL VPN ZyWALL USG 20/20W User’s Guide 429 24.2 The SSL Access Privilege Screen Click VPN > SSL VPN to open the Access Privilege screen. This screen lists the configured SSL access policies. Figure 252 VPN > SSL VPN > Access Privilege The following table describes the labels in this screen. Table 122 VPN > SSL VPN > Ac[...]

  • Page 430

    Chapter 24 SSL VPN ZyWALL USG 20/20W User’s Guide 430 24.2.1 The SSL Access Policy Add/Edit Screen To create a new or edit an existing SSL access policy, click the Add or Edit icon in the Access Privilege screen. Figure 253 VPN > SSL VPN > Access Privilege > Add/Edit Apply Click Apply to save the settings. Reset Click Reset to discar[...]

  • Page 431

    Chapter 24 SSL VPN ZyWALL USG 20/20W User’s Guide 431 The following table describes the labels in this screen. Table 123 VPN > SSL VPN > Access Privilege > Add/Edit LABEL DESCRIPTION Create new Object Use to configure any new settings objects that you need to use in this screen. Configuration Enable Policy Select this option to activ[...]

  • Page 432

    Chapter 24 SSL VPN ZyWALL USG 20/20W User’s Guide 432 Available EPS Objects / Selected EPS Objects Configured endpoint security objects appear on the left. Select the endpoint security objects to use for this SSL access policy and click the right arrow button to add them to the selected list on the right. Use the [Shift] and/or [Ctrl] key to s[...]

  • Page 433

    Chapter 24 SSL VPN ZyWALL USG 20/20W User’s Guide 433 24.3 The SSL Global Setting Screen Click VPN > SSL VPN and click the Global Setting tab to display the following screen. Use this screen to set the IP address of the ZyWALL (or a gateway device) on your network for full tunnel mode access, enter access messages or upload a custom l[...]

  • Page 434

    Chapter 24 SSL VPN ZyWALL USG 20/20W User’s Guide 434 24.3.1 How to Upload a Custom Logo Follow the steps below to upload a custom logo to display on the remote user SSL VPN screens. 1 Click VPN > SSL VPN and click the Global Setting tab to display the configuration screen. 2 Click Browse to locate the logo graphic. Make sure the file i[...]

  • Page 435

    Chapter 24 SSL VPN ZyWALL USG 20/20W User’s Guide 435 The following shows an example logo on the remote user screen. Figure 255 Example Logo Graphic Display 24.4 Establishing an SSL VPN Connection After you have configured the SSL VPN settings on the ZyWALL, use the ZyWALL login screen’s SSL VPN button to establish an SSL VPN connection.[...]

  • Page 436

    Chapter 24 SSL VPN ZyWALL USG 20/20W User’s Guide 436 2 SSL VPN connection starts. This may take several minutes depending on your network connection. Once the connection is up, you should see the client portal screen. The following shows an example. Figure 257 SSL VPN Client Portal Screen Example If the user account is not set up for SSL VP[...]

  • Page 437

    ZyWALL USG 20/20W User’s Guide 437 CHAPTER 25 SSL User Screens 25.1 Overview This chapter introduces the remote user SSL VPN screens. The following figure shows a network example where a remote user (A) logs into the ZyWALL from the Internet to access the web server (WWW) on the local network. Figure 258 Network Example 25.1.1 What You[...]

  • Page 438

    Chapter 25 SSL User Screens ZyWALL USG 20/20W User’s Guide 438 System Requirements Here are the browser and computer system requirements for remote user access. • Windows 7 (32 or 64-bit), Vista (32 or 64-bit), 2003 (32-bit), XP (32-bit), or 2000 (32-bit) • Internet Explorer 7 and above or Firefox 1.5 and above • Using RDP requires Int[...]

  • Page 439

    Chapter 25 SSL User Screens ZyWALL USG 20/20W User’s Guide 439 1 Open a web browser and enter the web site address or IP address of the ZyWALL. For example, “http://sslvpn.mycompany.com”. Figure 259 Enter the Address in a Web Browser 2 Click OK or Yes if a security screen displays. Figure 260 Login Security Screen 3 A login screen di[...]

  • Page 440

    Chapter 25 SSL User Screens ZyWALL USG 20/20W User’s Guide 440 5 Your computer starts establishing a secure connection to the ZyWALL after a successful login. This may take up to two minutes. If you get a message about needing Java, download and install it and restart your browser and re-login. If a certificate warning screen displays, c[...]

  • Page 441

    Chapter 25 SSL User Screens ZyWALL USG 20/20W User’s Guide 441 7 The ZyWALL tries to install the SecuExtender client. You may need to click a pop-up to get your browser to allow this. In Internet Explorer, click Install. Figure 264 SecuExtender Blocked by Internet Explorer 8 The ZyWALL tries to run the “ssltun” application. You m[...]

  • Page 442

    Chapter 25 SSL User Screens ZyWALL USG 20/20W User’s Guide 442 10 If a screen like the following displays, click Continue Anyway to finish installing the SecuExtender client on your computer. Figure 267 Hardware Installation Warning 11 The Application screen displays showing the list of resources available to you. See Figure 268 on page 443[...]

  • Page 443

    Chapter 25 SSL User Screens ZyWALL USG 20/20W User’s Guide 443 25.3 The SSL VPN User Screens This section describes the main elements in the remote user screens. Figure 268 Remote User Screen The following table describes the various parts of a remote user screen. Table 125 Remote User Screen Overview # DESCRIPTION 1 Click on a menu tab to g[...]

  • Page 444

    Chapter 25 SSL User Screens ZyWALL USG 20/20W User’s Guide 444 25.4 Bookmarking the ZyWALL You can create a bookmark of the ZyWALL by clicking the Add to Favorite icon. This allows you to access the ZyWALL using the bookmark without having to enter the address every time. 1 In any remote user screen, click the Add to Favorite icon. 2 A scr[...]

  • Page 445

    Chapter 25 SSL User Screens ZyWALL USG 20/20W User’s Guide 445 3 An information screen displays to indicate that the SSL VPN connection is about to terminate. Figure 271 Logout: Connection Termination Progress[...]

  • Page 446

    Chapter 25 SSL User Screens ZyWALL USG 20/20W User’s Guide 446[...]

  • Page 447

    ZyWALL USG 20/20W User’s Guide 447 CHAPTER 26 SSL User Application Screens 26.1 SSL User Application Screens Overview Use the Application screen to access web-based applications (such as web sites and e-mail) on the network through the SSL VPN connection. Which applications you can access depends on the ZyWALL’s configuration. 26.2 The [...]

  • Page 448

    Chapter 26 SSL User Application Screens ZyWALL USG 20/20W User’s Guide 448[...]

  • Page 449

    ZyWALL USG 20/20W User’s Guide 449 CHAPTER 27 ZyWALL SecuExtender The ZyWALL automatically loads the ZyWALL SecuExtender client program to your computer after a successful login. The ZyWALL SecuExtender lets you: • Access servers, remote desktops and manage files as if you were on the local network. • Use applications like e-mail,[...]

  • Page 450

    Chapter 27 ZyWALL SecuExtender ZyWALL USG 20/20W User’s Guide 450 27.2 Statistics Right-click the ZyWALL SecuExtender icon in the system tray and select Status to open the Status screen. Use this screen to view the ZyWALL SecuExtender’s statistics. Figure 274 ZyWALL SecuExtender Status The following table describes the labels in[...]

  • Page 451

    Chapter 27 ZyWALL SecuExtender ZyWALL USG 20/20W User’s Guide 451 27.3 View Log If you have problems with the ZyWALL SecuExtender, customer support may request you to provide information from the log. Right-click the ZyWALL SecuExtender icon in the system tray and select Log to open a notepad file of the ZyWALL SecuExtender’s log. Fig[...]

  • Page 452

    Chapter 27 ZyWALL SecuExtender ZyWALL USG 20/20W User’s Guide 452 connected but not send any traffic through it until you right-click the icon and resume the connection. 27.5 Stop the Connection Right-click the icon and select Stop Connection to disconnect the SSL VPN tunnel. 27.6 Uninstalling the ZyWALL SecuExtender Do the following i[...]

  • Page 453

    ZyWALL USG 20/20W User’s Guide 453 CHAPTER 28 Bandwidth Management 28.1 Overview Bandwidth management provides a convenient way to manage the use of various services on the network. It manages general protocols (for example, HTTP and FTP) and applies traffic prioritization to enhance the performance of delay-sensitive applications like vo[...]

  • Page 454

    Chapter 28 Bandwidth Management ZyWALL USG 20/20W User’s Guide 454 in a network by grouping similar types of traffic together and treating each type as a class. You can use CoS to give different priorities to different packet types. DiffServ (Differentiated Services) is a class of service (CoS) model that marks packets so that they r[...]

  • Page 455

    Chapter 28 Bandwidth Management ZyWALL USG 20/20W User’s Guide 455 Outbound and Inbound Bandwidth Limits You can limit an application’s outbound or inbound bandwidth. This limit keeps the traffic from using up too much of the out-going interface’s bandwidth. This way you can make sure there is bandwidth for other applications. When yo[...]

  • Page 456

    Chapter 28 Bandwidth Management ZyWALL USG 20/20W User’s Guide 456 Unused bandwidth is divided equally. Higher priority traffic does not get a larger portion of the unused bandwidth. Bandwidth Management Behavior The following sections show how bandwidth management behaves with various settings. For example, you configure DMZ to WA[...]

  • Page 457

    Chapter 28 Bandwidth Management ZyWALL USG 20/20W User’s Guide 457 Maximize Bandwidth Usage Effect With maximize bandwidth usage enabled, after each server gets its configured rate, the rest of the available bandwidth is divided equally between the two. So server A gets its configured rate of 300 kbps and server B gets its configured rate[...]

  • Page 458

    Chapter 28 Bandwidth Management ZyWALL USG 20/20W User’s Guide 458 Here is an overview of what the rules need to accomplish. See the following sections for more details. • SIP traffic from VIP users must get through with the least possible delay regardless of if it is an outgoing call or an incoming call. The VIP users must be able to m[...]

  • Page 459

    Chapter 28 Bandwidth Management ZyWALL USG 20/20W User’s Guide 459 • Enable maximize bandwidth usage so the SIP traffic can borrow unused bandwidth. Figure 282 SIP Any to WAN Bandwidth Management Example 28.1.3.3 SIP WAN to Any Bandwidth Management Example You also create a policy for calls coming in from the SIP server on the WAN. I[...]

  • Page 460

    Chapter 28 Bandwidth Management ZyWALL USG 20/20W User’s Guide 460 28.1.3.5 FTP WAN to DMZ Bandwidth Management Example • ADSL supports more downstream than upstream so you allow remote users 300 kbps for uploads to the DMZ FTP server (outbound) but only 100 kbps for downloads (inbound). • Third highest priority (3). • Disable[...]

  • Page 461

    Chapter 28 Bandwidth Management ZyWALL USG 20/20W User’s Guide 461 28.2 The Bandwidth Management Screen The Bandwidth management screen controls the default policy for TCP and UDP traffic. You can use source zone, destination zone, destination port, schedule, user, source, and destination information as criteria to create a sequence of speci[...]

  • Page 462

    Chapter 28 Bandwidth Management ZyWALL USG 20/20W User’s Guide 462 # This field is a sequential value, and it is not associated with a specific condition. Note: The ZyWALL checks conditions in the order they appear in the list. While this sequence does not affect the functionality, you might improve the performance of the ZyWALL by pu[...]

  • Page 463

    Chapter 28 Bandwidth Management ZyWALL USG 20/20W User’s Guide 463 28.2.1 The Bandwidth Management Add/Edit Screen The Configuration > Bandwidth Management Add/Edit screen allows you to create a new condition or edit an existing one. To access this screen, go to the Configuration > Bandwidth Management screen (see Section 28.2 on page [...]

  • Page 464

    Chapter 28 Bandwidth Management ZyWALL USG 20/20W User’s Guide 464 The following table describes the labels in this screen. Table 132 Configuration > Bandwidth Management LABEL DESCRIPTION Create new Object Use to configure any new settings objects that you need to use in this screen. Enable Select this check box to turn on this poli[...]

  • Page 465

    Chapter 28 Bandwidth Management ZyWALL USG 20/20W User’s Guide 465 Inbound kbps Type how much inbound bandwidth, in kilobits per second, this policy allows the traffic to use. Inbound refers to the traffic the ZyWALL sends to a connection’s initiator. If you enter 0 here, this policy does not apply bandwidth management for the matching tr[...]

  • Page 466

    Chapter 28 Bandwidth Management ZyWALL USG 20/20W User’s Guide 466[...]

  • Page 467

    ZyWALL USG 20/20W User’s Guide 467 CHAPTER 29 ADP 29.1 Overview This chapter introduces ADP (Anomaly Detection and Prevention), anomaly profiles and applying an ADP profile to a traffic direction. ADP protects against anomalies based on violations of protocol standards (RFCs – Requests for Comments) and abnormal flows such as port scans.[...]

  • Page 468

    Chapter 29 ADP ZyWALL USG 20/20W User’s Guide 468 ADP Profile An ADP profile is a set of traffic anomaly rules and protocol anomaly rules that you can activate as a set and configure common log and action settings. You can apply ADP profiles to traffic flowing from one zone to another. Base ADP Profiles Base ADP profiles are templates [...]

  • Page 469

    Chapter 29 ADP ZyWALL USG 20/20W User’s Guide 469 29.2 The ADP General Screen Click Configuration > Anti-X > ADP > General. Use this screen to turn anomaly detection on or off and apply anomaly profiles to traffic directions. Figure 288 Configuration > Anti-X > ADP > General The following table describes the screens in this[...]

  • Page 470

    Chapter 29 ADP ZyWALL USG 20/20W User’s Guide 470 29.3 The Profile Summary Screen Use this screen to: • Create a new profile using an existing base profile • Edit an existing profile • Delete an existing profile Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. From, To This is[...]

  • Page 471

    Chapter 29 ADP ZyWALL USG 20/20W User’s Guide 471 29.3.1 Base Profiles The ZyWALL comes with base profiles. You use base profiles to create new profiles. In the Configuration > Anti-X > ADP > Profile screen, click Add to display the following screen. Figure 289 Base Profiles These are the default base profiles at the time of writing.[...]

  • Page 472

    Chapter 29 ADP ZyWALL USG 20/20W User’s Guide 472 The following table describes the fields in this screen. 29.3.3 Creating New ADP Profiles You may want to create a new profile if not all rules in a base profile are applicable to your network. In this case you should disable non-applicable rules so as to improve ZyWALL ADP processing effi[...]

  • Page 473

    Chapter 29 ADP ZyWALL USG 20/20W User’s Guide 473 belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Traffic Anomaly tab. Figure 291 Profiles: Traffic Anomaly[...]

  • Page 474

    Chapter 29 ADP ZyWALL USG 20/20W User’s Guide 474 The following table describes the fields in this screen. Table 136 Configuration > ADP > Profile > Traffic Anomaly LABEL DESCRIPTION Name This is the name of the ADP profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be [...]

  • Page 475

    Chapter 29 ADP ZyWALL USG 20/20W User’s Guide 475 29.3.5 Protocol Anomaly Profiles Protocol anomaly is the third screen in an ADP profile. Protocol anomaly (PA) rules check for protocol compliance against the relevant RFC (Request for Comments). Protocol anomaly detection includes HTTP Inspection, TCP Decoder, UDP Decoder, and ICMP Decoder [...]

  • Page 476

    Chapter 29 ADP ZyWALL USG 20/20W User’s Guide 476 Figure 292 Profiles: Protocol Anomaly[...]

  • Page 477

    Chapter 29 ADP ZyWALL USG 20/20W User’s Guide 477 The following table describes the fields in this screen. Table 137 Configuration > ADP > Profile > Protocol Anomaly LABEL DESCRIPTION Name This is the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a[...]

  • Page 478

    Chapter 29 ADP ZyWALL USG 20/20W User’s Guide 478 Action To edit what action the ZyWALL takes when a packet matches a signature, select the signature and use the Action icon. original setting: Select this action to return each signature in a service group to its previously saved configuration. none: Select this action on an individual sig[...]

  • Page 479

    Chapter 29 ADP ZyWALL USG 20/20W User’s Guide 479 29.4 ADP Technical Reference This section is divided into traffic anomaly background information and protocol anomaly background information. Traffic Anomaly Background Information The following sections may help you configure the traffic anomaly profile screen (Section 29.3.4 on page 472). [...]

  • Page 480

    Chapter 29 ADP ZyWALL USG 20/20W User’s Guide 480 Decoy Port Scans Decoy port scans are scans where the attacker has spoofed the source address. These are some decoy scan types: • TCP Decoy Portscan • UDP Decoy Portscan • IP Decoy Portscan Distributed Port Scans Distributed port scans are many-to-one port scans. Distribute[...]

  • Page 481

    Chapter 29 ADP ZyWALL USG 20/20W User’s Guide 481 Flood Detection Flood attacks saturate a network with useless data, use up all available bandwidth, and therefore make communications in the network impossible. ICMP Flood Attack An ICMP flood is broadcasting many pings or UDP packets so that so much data is sent to the system, that it slo[...]

  • Page 482

    Chapter 29 ADP ZyWALL USG 20/20W User’s Guide 482 the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established. Figure 294 TCP Three-Way Handshake A SYN flood attack is when an attacker sends a series of SYN packets. Each packet causes the receiver to reply with a SYN-ACK response. The receiver t[...]

  • Page 483

    Chapter 29 ADP ZyWALL USG 20/20W User’s Guide 483 UDP Flood Attack UDP is a connection-less protocol and it does not require any connection set up procedure to transfer data. A UDP flood attack is possible when an attacker sends a UDP packet to a random port on the victim system. When the victim system receives a UDP packet, it will determine [...]

  • Page 484

    Chapter 29 ADP ZyWALL USG 20/20W User’s Guide 484 DOUBLE-ENCODING ATTACK This rule is IIS specific. IIS does two passes through the request URI, doing decodes in each one. In the first pass, IIS encoding (UTF-8 unicode, ASCII, bare byte, and %u) is done. In the second pass ASCII, bare byte, and %u encodings are done. IIS-BACKSLASH-EVASION A [...]

  • Page 485

    Chapter 29 ADP ZyWALL USG 20/20W User’s Guide 485 WEBROOT-DIRECTORY-TRAVERSAL ATTACK This is when a directory traversal traverses past the web server root directory. This generates much fewer false positives than the directory option, because it doesn’t alert on directory traversals that stay within the web server directory structure[...]

  • Page 486

    Chapter 29 ADP ZyWALL USG 20/20W User’s Guide 486 TRUNCATED-HEADER ATTACK This is when an ICMP packet is sent which has an ICMP datagram length of less than the ICMP header length. This may cause some applications to crash. TRUNCATED-TIMESTAMP-HEADER ATTACK This is when an ICMP packet is sent which has an ICMP datagram length of less[...]

  • Page 487

    ZyWALL USG 20/20W User’s Guide 487 CHAPTER 30 Content Filtering 30.1 Overview Use the content filtering feature to control access to specific web sites or web content. 30.1.1 What You Can Do in this Chapter • Use the General screens (Section 30.2 on page 489) to configure global content filtering settings, configure content filtering p[...]

  • Page 488

    Chapter 30 Content Filtering ZyWALL USG 20/20W User’s Guide 488 Content Filtering Profiles A content filtering profile conveniently stores your custom settings for the following features. • Category-based Blocking The ZyWALL can block access to particular categories of web site content, such as pornography or racial intolera[...]

  • Page 489

    Chapter 30 Content Filtering ZyWALL USG 20/20W User’s Guide 489 Since the ZyWALL checks the URL’s domain name (or IP address) and file path separately, it will not find items that go across the two. For example, with the URL www.zyxel.com.tw/news/pressroom.php, the ZyWALL would find “tw” in the domain name (www.zyxel.c[...]

  • Page 490

    Chapter 30 Content Filtering ZyWALL USG 20/20W User’s Guide 490 your list of content filter policies, create a denial of access message or specify a redirect URL and check your external web filtering service registration status. Figure 296 Configuration > Anti-X > Content Filter > General The following table describes the labels [...]

  • Page 491

    Chapter 30 Content Filtering ZyWALL USG 20/20W User’s Guide 491 Move To change an entry’s position in the numbered list, select it and click Move to display a field to type a number for where you want to put that entry and press [ENTER] to move the entry to the number that you typed. # This column lists the index numbers of the content [...]

  • Page 492

    Chapter 30 Content Filtering ZyWALL USG 20/20W User’s Guide 492 30.3 Content Filter Policy Add or Edit Screen Click Configuration > Anti-X > Content Filter > General > Add or Edit to open the Content Filter Policy screen. Use this screen to configure a content License Status This read-only field displays the status of your content-fi[...]

  • Page 493

    Chapter 30 Content Filtering ZyWALL USG 20/20W User’s Guide 493 filter policy. A content filter policy defines which content filter profile should be applied, when it should be applied, and to whose web access it should be applied. Figure 297 Configuration > Anti-X > Content Filter > General > Add The following table de[...]

  • Page 494

    Chapter 30 Content Filtering ZyWALL USG 20/20W User’s Guide 494 30.4 Content Filter Profile Screen Click Configuration > Anti-X > Content Filter > Filter Profile to open the Filter Profile screen. A content filter profile defines to which web services, web sites or web site categories access is to be allowed or denied. Figure 298 Con[...]

  • Page 495

    Chapter 30 Content Filtering ZyWALL USG 20/20W User’s Guide 495 See Chapter 31 on page 513 for how to view content filtering reports. Figure 299 Configuration > Anti-X > Content Filter > Filter Profile > Add[...]

  • Page 496

    Chapter 30 Content Filtering ZyWALL USG 20/20W User’s Guide 496 Figure 300 Configuration > Anti-X > Content Filter > Filter Profile > Add (Continue)[...]

  • Page 497

    Chapter 30 Content Filtering ZyWALL USG 20/20W User’s Guide 497 The following table describes the labels in this screen. Table 142 Configuration > Anti-X > Content Filter > Filter Profile > Add LABEL DESCRIPTION License Status This read-only field displays the status of your content-filtering database service registration. No[...]

  • Page 498

    Chapter 30 Content Filtering ZyWALL USG 20/20W User’s Guide 498 Action for Unsafe Web Pages Select Pass to allow users to access web pages that match the unsafe categories that you select below. Select Block to prevent users from accessing web pages that match the unsafe categories that you select below. When external database content filte[...]

  • Page 499

    Chapter 30 Content Filtering ZyWALL USG 20/20W User’s Guide 499 Action When Category Server Is Unavailable Select Pass to allow users to access any requested web page if the external content filtering database is unavailable. Select Block to block access to any requested web page if the external content filtering database is unavailable. [...]

  • Page 500

    Chapter 30 Content Filtering ZyWALL USG 20/20W User’s Guide 500 Spyware Effects/Privacy Concerns This category includes pages to which spyware (as defined in the Spyware/Malware Sources category) reports its findings or from which it alone downloads advertisements. Also includes sites that contain serious privacy issues, such as “phone home?[...]

  • Page 501

    Chapter 30 Content Filtering ZyWALL USG 20/20W User’s Guide 501 Nudity This category includes pages containing nude or seminude depictions of the human body. These depictions are not necessarily sexual in intent or effect, but may include pages containing nude paintings or photo galleries of artistic nature. This category also includes nud[...]

  • Page 502

    Chapter 30 Content Filtering ZyWALL USG 20/20W User’s Guide 502 Security Concerns Hacking This category includes pages that distribute, promote, or provide hacking tools and/or information which may help gain unauthorized access to computer systems and/or computerized communication systems. Hacking encompasses instructions on illegal or questio[...]

  • Page 503

    Chapter 30 Content Filtering ZyWALL USG 20/20W User’s Guide 503 Alternative Spirituality/Occult This category includes pages that promote and provide information on religions such as Wicca, Witchcraft or Satanism. Occult practices, atheistic views, voodoo rituals or any other form of mysticism are represented here. Includes sites that endo[...]

  • Page 504

    Chapter 30 Content Filtering ZyWALL USG 20/20W User’s Guide 504 Greeting Cards This category includes pages that facilitate the sending of electronic greeting cards, animated cards, or similar electronic messages typically used to mark an event or occasion. Personals/Dating This category includes pages that promote interpersonal relationships. [...]

  • Page 505

    Chapter 30 Content Filtering ZyWALL USG 20/20W User’s Guide 505 Abortion This category includes pages that provide information or arguments in favor of or against abortion, describe abortion procedures, offer help in obtaining or avoiding abortion, or provide information on the effects, or lack thereof, of abortion. Restaurants/Dining/ [...]

  • Page 506

    Chapter 30 Content Filtering ZyWALL USG 20/20W User’s Guide 506 Humor/Jokes This category includes pages that primarily focus on comedy, jokes, fun, etc. This may include pages containing jokes of adult or mature nature. Pages containing humorous Adult/Mature content also have an Adult/Mature category rating. Sports/Recreation This category [...]

  • Page 507

    Chapter 30 Content Filtering ZyWALL USG 20/20W User’s Guide 507 Content Servers This category includes servers that provide commercial hosting for a variety of content such as images and media files. These types of servers are typically used in conjunction with other web servers to optimize content retrieval speeds. Non Viewable This ca[...]

  • Page 508

    Chapter 30 Content Filtering ZyWALL USG 20/20W User’s Guide 508 30.5.1 Content Filter Blocked and Warning Messages These are the content filtering warning messages: 30.6 Content Filter Customization Screen Click Configuration > Anti-X > Content Filter > Filter Profile > Add or Edit > Customization to open the Customization scree[...]

  • Page 509

    Chapter 30 Content Filtering ZyWALL USG 20/20W User’s Guide 509 keyword. Use this screen to add or remove specific sites or keywords from the filter list. Figure 301 Configuration > Anti-X > Content Filter > Filter Profile > Customization The following table describes the labels in this screen. Table 144 Configuration > A[...]

  • Page 510

    Chapter 30 Content Filtering ZyWALL USG 20/20W User’s Guide 510 Block ActiveX ActiveX is a tool for building dynamic and active web pages and distributed object applications. When you visit an ActiveX web site, ActiveX controls are downloaded to your browser, where they remain in case you visit the site again. Java Java is a programming languag[...]

  • Page 511

    Chapter 30 Content Filtering ZyWALL USG 20/20W User’s Guide 511 30.7 Content Filter Technical Reference This section provides content filtering background information. Forbidden Web Sites This list displays the forbidden web sites already added. Enter host names such as www.bad-site.com into this text field. Do not enter the complete [...]

  • Page 512

    Chapter 30 Content Filtering ZyWALL USG 20/20W User’s Guide 512 External Content Filter Server Lookup Procedure The content filter lookup process is described below. Figure 302 Content Filter Lookup Procedure 1 A computer behind the ZyWALL tries to access a web site. 2 The ZyWALL looks up the web site in its cache. If an attempt to access the[...]

  • Page 513

    ZyWALL USG 20/20W User’s Guide 513 CHAPTER 31 Content Filter Reports 31.1 Overview You can view content filtering reports after you have activated the category-based content filtering subscription service. See Section 10.1 on page 211 on how to create a myZyXEL.com account, register your device and activate the subscription services. 31[...]

  • Page 514

    Chapter 31 Content Filter Reports ZyWALL USG 20/20W User’s Guide 514 2 Fill in your myZyXEL.com account information and click Login. Figure 303 myZyXEL.com: Login[...]

  • Page 515

    Chapter 31 Content Filter Reports ZyWALL USG 20/20W User’s Guide 515 3 A welcome screen displays. Click your ZyWALL’s model name and/or MAC address under Registered ZyXEL Products (the ZyWALL 70 is shown as an example here). You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen ([...]

  • Page 516

    Chapter 31 Content Filter Reports ZyWALL USG 20/20W User’s Guide 516 4 In the Service Management screen click Content Filter in the Service Name column to open the content filter reports screens. Figure 305 myZyXEL.com: Service Management 5 In the Web Filter Home screen, click the Reports tab. Figure 306 Content Filter Reports Main Screen[...]

  • Page 517

    Chapter 31 Content Filter Reports ZyWALL USG 20/20W User’s Guide 517 6 Select items under Global Reports to view the corresponding reports. Figure 307 Content Filter Reports: Report Home 7 Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view[...]

  • Page 518

    Chapter 31 Content Filter Reports ZyWALL USG 20/20W User’s Guide 518 8 A chart and/or list of requested web site categories display in the lower half of the screen. Figure 308 Global Report Screen Example[...]

  • Page 519

    Chapter 31 Content Filter Reports ZyWALL USG 20/20W User’s Guide 519 9 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested. Figure 309 Requested URLs Example[...]

  • Page 520

    Chapter 31 Content Filter Reports ZyWALL USG 20/20W User’s Guide 520[...]

  • Page 521

    ZyWALL USG 20/20W User’s Guide 521 CHAPTER 32 Anti-Spam 32.1 Overview The anti-spam feature can mark or discard spam (unsolicited commercial or junk e-mail). Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail. The ZyWALL can also check e-mail against a DNS black list (DNSBL) of IP addresses of server[...]

  • Page 522

    Chapter 32 Anti-Spam ZyWALL USG 20/20W User’s Guide 522 Black List Configure black list entries to identify spam. The black list entries have the ZyWALL classify any e-mail that is from or forwarded by a specified IP address or uses a specified header field and header value as being spam. If an e-mail does not match any of the white list [...]

  • Page 523

    Chapter 32 Anti-Spam ZyWALL USG 20/20W User’s Guide 523 E-mail Header Buffer Size The ZyWALL has a 5 K buffer for an individual e-mail header. If an e-mail’s header is longer than 5 K, the ZyWALL only checks up to the first 5 K. DNSBL A DNS Black List (DNSBL) is a server that hosts a list of IP addresses known or suspected of having s[...]

  • Page 524

    Chapter 32 Anti-Spam ZyWALL USG 20/20W User’s Guide 524 spam policies. You can also select the action the ZyWALL takes when the mail sessions threshold is reached. Figure 310 Configuration > Anti-X > Anti-Spam > General The following table describes the labels in this screen. Table 145 Configuration > Anti-X > Anti-Spam [...]

  • Page 525

    Chapter 32 Anti-Spam ZyWALL USG 20/20W User’s Guide 525 32.3.1 The Anti-Spam Policy Add or Edit Screen Click the Add or Edit icon in the Configuration > Anti-X > Anti-Spam > General screen to display the configuration screen as shown next. Use this screen to configure an anti-spam policy that controls what traffic direction of e-ma[...]

  • Page 526

    Chapter 32 Anti-Spam ZyWALL USG 20/20W User’s Guide 526 check, which e-mail protocols to scan, the scanning options, and the action to take on spam traffic. Figure 311 Configuration > Anti-X > Anti-Spam > General > Add The following table describes the labels in this screen. Table 146 Configuration > Anti-X > Anti-Spa[...]

  • Page 527

    Chapter 32 Anti-Spam ZyWALL USG 20/20W User’s Guide 527 32.4 The Anti-Spam Black List Screen Click Configuration > Anti-X > Anti-Spam > Black/White List to display the Anti-Spam Black List screen. Configure the black list to identify spam e-mail. You can create black list entries based on the sender’s or relay server’s IP a[...]

  • Page 528

    Chapter 32 Anti-Spam ZyWALL USG 20/20W User’s Guide 528 specific subject text. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 312 Configuration > Anti-X > Anti-Spam > Black/White List > Black List The following table d[...]

  • Page 529

    Chapter 32 Anti-Spam ZyWALL USG 20/20W User’s Guide 529 32.4.1 The Anti-Spam Black or White List Add/Edit Screen In the anti-spam Black List or White List screen, click the Add icon or an Edit icon to display the following screen. Use this screen to configure an anti-spam black list entry to identify spam e-mail. You can create entries base[...]

  • Page 530

    Chapter 32 Anti-Spam ZyWALL USG 20/20W User’s Guide 530 32.4.2 Regular Expressions in Black or White List Entries The following applies for a black or white list entry based on an e-mail subject, e-mail address, or e-mail header value. • Use a question mark (?) to let a single character vary. For example, use “a?c” (without the qu[...]

  • Page 531

    Chapter 32 Anti-Spam ZyWALL USG 20/20W User’s Guide 531 32.5 The Anti-Spam White List Screen Click Configuration > Anti-X > Anti-Spam > Black/White List and then the White List tab to display the Anti-Spam White List screen. Configure the white list to identify legitimate e-mail. You can create white list entries based on the send[...]

  • Page 532

    Chapter 32 Anti-Spam ZyWALL USG 20/20W User’s Guide 532 32.6 The DNSBL Screen Click Configuration > Anti-X > Anti-Spam > DNSBL to display the anti-spam DNSBL screen. Use this screen to configure the ZyWALL to check the sender and relay IP addresses in e-mail headers against DNS (Domain Name Service)-based spam Black Lists (DNSBLs[...]

  • Page 533

    Chapter 32 Anti-Spam ZyWALL USG 20/20W User’s Guide 533 The following table describes the labels in this screen. Table 150 Configuration > Anti-X > Anti-Spam > DNSBL LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields. Enable DNS Black List[...]

  • Page 534

    Chapter 32 Anti-Spam ZyWALL USG 20/20W User’s Guide 534 32.7 Anti-Spam Technical Reference Here is more detailed anti-spam information. DNSBL • The ZyWALL checks only public sender and relay IP addresses, it does not check private IP addresses. • The ZyWALL sends a separate query (DNS lookup) for each sender[...]

  • Page 535

    Chapter 32 Anti-Spam ZyWALL USG 20/20W User’s Guide 535 Here is an example of an e-mail classified as spam based on DNSBL replies. Figure 316 DNSBL Spam Detection Example 1 The ZyWALL receives an e-mail that was sent from IP address a.a.a.a and relayed by an e-mail server at IP address b.b.b.b. The ZyWALL sends a separate query [...]

  • Page 536

    Chapter 32 Anti-Spam ZyWALL USG 20/20W User’s Guide 536 Here is an example of an e-mail classified as legitimate based on DNSBL replies. Figure 317 DNSBL Legitimate E-mail Detection Example 1 The ZyWALL receives an e-mail that was sent from IP address c.c.c.c and relayed by an e-mail server at IP address d.d.d.d. The ZyWALL sends a sepa[...]

  • Page 537

    Chapter 32 Anti-Spam ZyWALL USG 20/20W User’s Guide 537 If the ZyWALL receives conflicting DNSBL replies for an e-mail routing IP address, the ZyWALL classifies the e-mail as spam. Here is an example. Figure 318 Conflicting DNSBL Replies Example 1 The ZyWALL receives an e-mail that was sent from IP address a.b.c.d and relayed by an e-mail[...]

  • Page 538

    Chapter 32 Anti-Spam ZyWALL USG 20/20W User’s Guide 538[...]

  • Page 539

    ZyWALL USG 20/20W User’s Guide 539 CHAPTER 33 User/Group 33.1 Overview This chapter describes how to set up user accounts, user groups, and user settings for the ZyWALL. You can also set up rules that control when users have to log in to the ZyWALL before the ZyWALL routes traffic for them. 33.1.1 What You Can Do in this Chapter •[...]

  • Page 540

    Chapter 33 User/Group ZyWALL USG 20/20W User’s Guide 540 Note: The default admin account is always authenticated locally, regardless of the authentication method setting. (See Chapter 37 on page 573 for more information about authentication methods.) Ext-User Accounts Set up an ext-user account if the user is authenticated by an external[...]

  • Page 541

    Chapter 33 User/Group ZyWALL USG 20/20W User’s Guide 541 See Setting up User Attributes in an External Server on page 553 for a list of attributes and how to set up the attributes in an external server. Ext-Group-User Accounts Ext-Group-User accounts are similar to ext-user accounts but allow you to group users by the value of the grou[...]

  • Page 542

    Chapter 33 User/Group ZyWALL USG 20/20W User’s Guide 542 33.2 User Summary Screen The User screen provides a summary of all user accounts. To access this screen, log in to the Web Configurator, and click Configuration > Object > User/Group. Figure 319 Configuration > Object > User/Group The following table describes the [...]

  • Page 543

    Chapter 33 User/Group ZyWALL USG 20/20W User’s Guide 543 • - [dashes] The first character must be alphabetical (A-Z a-z), an underscore (_), or a dash (-). Other limitations on user names are: • User names are case-sensitive. If you enter a user 'bob' but use 'BOB' when connecting via CIFS or FTP, it will use t[...]

  • Page 544

    Chapter 33 User/Group ZyWALL USG 20/20W User’s Guide 544 The following table describes the labels in this screen. Table 153 Configuration > User/Group > User > Add LABEL DESCRIPTION User Name Type the user name for this user account. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first charact[...]

  • Page 545

    Chapter 33 User/Group ZyWALL USG 20/20W User’s Guide 545 33.3 User Group Summary Screen User groups consist of access users and other user groups. You cannot put admin users in user groups. The Group screen provides a summary of all user groups. In addition, this screen allows you to add, edit, and remove user groups. To access this screen,[...]

  • Page 546

    Chapter 33 User/Group ZyWALL USG 20/20W User’s Guide 546 33.3.1 Group Add/Edit Screen The Group Add/Edit screen allows you to create a new user group or edit an existing one. To access this screen, go to the Group screen (see Section 33.3 on page 545), and click either the Add icon or an Edit icon. Figure 322 Configuration > User/Group [...]

  • Page 547

    Chapter 33 User/Group ZyWALL USG 20/20W User’s Guide 547 33.4 Setting Screen The Setting screen controls default settings, login settings, lockout settings, and other user settings for the ZyWALL. You can also use this screen to specify when users must log in to the ZyWALL before it routes traffic for them. Member List The Member list displ[...]

  • Page 548

    Chapter 33 User/Group ZyWALL USG 20/20W User’s Guide 548 To access this screen, log in to the Web Configurator, and click Configuration > Object > User/Group > Setting. Figure 323 Configuration > Object > User/Group > Setting The following table describes the labels in this screen. Table 156 Configuration > Object[...]

  • Page 549

    Chapter 33 User/Group ZyWALL USG 20/20W User’s Guide 549 User Type These are the kinds of user account the ZyWALL supports. • admin - this user can look at and change the configuration of the ZyWALL • limited-admin - this user can look at the configuration of the ZyWALL but not change it • user - this user has access to the ZyWALL[...]

  • Page 550

    Chapter 33 User/Group ZyWALL USG 20/20W User’s Guide 550 33.4.1 Default User Authentication Timeout Settings Edit Screens The Default Authentication Timeout Settings Edit screen allows you to set the default authentication timeout settings for the selected type of user account. These default authentication timeout settings also cont[...]

  • Page 551

    Chapter 33 User/Group ZyWALL USG 20/20W User’s Guide 551 To access this screen, go to the Configuration > Object > User/Group > Setting screen (see Section 33.4 on page 547), and click one of the Default Authentication Timeout Settings section’s Edit icons. Figure 324 Configuration > Object > User/Group > Setting > Edi[...]

  • Page 552

    Chapter 33 User/Group ZyWALL USG 20/20W User’s Guide 552 33.4.2 User Aware Login Example Access users cannot use the Web Configurator to browse the configuration of the ZyWALL. Instead, after access users log into the ZyWALL, the following screen appears. Figure 325 Web Configurator for Non-Admin Users The following table describes th[...]

  • Page 553

    Chapter 33 User/Group ZyWALL USG 20/20W User’s Guide 553 33.5 User/Group Technical Reference This section provides some information on users who use an external authentication server in order to log in. Setting up User Attributes in an External Server To set up user attributes, such as reauthentication time, in LDAP or RADIUS servers, use[...]

  • Page 554

    Chapter 33 User/Group ZyWALL USG 20/20W User’s Guide 554[...]

  • Page 555

    ZyWALL USG 20/20W User’s Guide 555 CHAPTER 34 Addresses 34.1 Overview Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups. 34.1.1 What You Can Do in this Chapter • The Address screen (Section 34.2 on page 555) provides a summary of all addr[...]

  • Page 556

    Chapter 34 Addresses ZyWALL USG 20/20W User’s Guide 556 • RANGE - a range address is defined by a Starting IP Address and an Ending IP Address. • SUBNET - a network address is defined by a Network IP address and Netmask subnet mask. The Address screen provides a summary of all addresses in the ZyWALL. To access this screen, click Config[...]

  • Page 557

    Chapter 34 Addresses ZyWALL USG 20/20W User’s Guide 557 34.2.1 Address Add/Edit Screen The Configuration > Address Add/Edit screen allows you to create a new address or edit an existing one. To access this screen, go to the Address screen (see Section 34.2 on page 555), and click either the Add icon or an Edit icon. Figure 329 Configuratio[...]

  • Page 558

    Chapter 34 Addresses ZyWALL USG 20/20W User’s Guide 558 34.3 Address Group Summary Screen The Address Group screen provides a summary of all address groups. To access this screen, click Configuration > Object > Address > Address Group. Click a column’s heading cell to sort the table entries by that column’s criteria. Click [...]

  • Page 559

    Chapter 34 Addresses ZyWALL USG 20/20W User’s Guide 559 34.3.1 Address Group Add/Edit Screen The Address Group Add/Edit screen allows you to create a new address group or edit an existing one. To access this screen, go to the Address Group screen (see Section 34.3 on page 558), and click either the Add icon or an Edit icon. Figure 331 Configur[...]

  • Page 560

    Chapter 34 Addresses ZyWALL USG 20/20W User’s Guide 560[...]

  • Page 561

    ZyWALL USG 20/20W User’s Guide 561 CHAPTER 35 Services 35.1 Overview Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features. 35.1.1 What You Can Do in this Chapter • Use the Service screens (Section 35.2 on page 562)[...]

  • Page 562

    Chapter 35 Services ZyWALL USG 20/20W User’s Guide 562 Both TCP and UDP use ports to identify the source and destination. Each port is a 16-bit number. Some port numbers have been standardized and are used by low-level system processes; many others have no particular meaning. Unlike TCP and UDP, Internet Control Message Protocol (ICMP, I[...]

  • Page 563

    Chapter 35 Services ZyWALL USG 20/20W User’s Guide 563 entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 332 Configuration > Object > Service > Service The following table describes the labels in this screen. Table 164 Configuration > Object > Service > Service LABEL DESCRI[...]

  • Page 564

    Chapter 35 Services ZyWALL USG 20/20W User’s Guide 564 35.2.1 The Service Add/Edit Screen The Service Add/Edit screen allows you to create a new service or edit an existing one. To access this screen, go to the Service screen (see Section 35.2 on page 562), and click either the Add icon or an Edit icon. Figure 333 Configuration > Object &g[...]

  • Page 565

    Chapter 35 Services ZyWALL USG 20/20W User’s Guide 565 To access this screen, log in to the Web Configurator, and click Configuration > Object > Service > Service Group. Figure 334 Configuration > Object > Service > Service Group The following table describes the labels in this screen. See Section 35.3.1 on page 566 for[...]

  • Page 566

    Chapter 35 Services ZyWALL USG 20/20W User’s Guide 566 35.3.1 The Service Group Add/Edit Screen The Service Group Add/Edit screen allows you to create a new service group or edit an existing one. To access this screen, go to the Service Group screen (see Section 35.3 on page 564), and click either the Add icon or an Edit icon. Figure 335 Con[...]

  • Page 567

    ZyWALL USG 20/20W User’s Guide 567 CHAPTER 36 Schedules 36.1 Overview Use schedules to set up one-time and recurring schedules for policy routes, firewall rules, and content filtering. The ZyWALL supports one-time and recurring schedules. One-time schedules are effective only once, while recurring schedules usually repeat. Both types of sche[...]

  • Page 568

    Chapter 36 Schedules ZyWALL USG 20/20W User’s Guide 568 Finding Out More • See Section 6.6 on page 103 for related information on these screens. • See Section 43.4 on page 631 for information about the ZyWALL’s current date and time. 36.2 The Schedule Summary Screen The Schedule summary screen provides a summary of all schedules in[...]

  • Page 569

    Chapter 36 Schedules ZyWALL USG 20/20W User’s Guide 569 36.2.1 The One-Time Schedule Add/Edit Screen The One-Time Schedule Add/Edit screen allows you to define a one-time schedule or edit an existing one. To access this screen, go to the Schedule screen (see Section 36.2 on page 568), and click either the Add icon or an Edit icon in the On[...]

  • Page 570

    Chapter 36 Schedules ZyWALL USG 20/20W User’s Guide 570 36.2.2 The Recurring Schedule Add/Edit Screen The Recurring Schedule Add/Edit screen allows you to define a recurring schedule or edit an existing one. To access this screen, go to the Schedule screen Date Time StartDate Specify the year, month, and day when the schedule begins. Yea[...]

  • Page 571

    Chapter 36 Schedules ZyWALL USG 20/20W User’s Guide 571 (see Section 36.2 on page 568), and click either the Add icon or an Edit icon in the Recurring section. Figure 338 Configuration > Object > Schedule > Edit (Recurring) The Year, Month, and Day columns are not used in recurring schedules and are disabled in this screen. The fo[...]

  • Page 572

    Chapter 36 Schedules ZyWALL USG 20/20W User’s Guide 572[...]

  • Page 573

    ZyWALL USG 20/20W User’s Guide 573 CHAPTER 37 AAA Server 37.1 Overview You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The AAA server can be an Active Directory, LDAP, or RADIUS server. Use the AAA Server screens to create and manage objects that contain settings for using A[...]

  • Page 574

    Chapter 37 AAA Server ZyWALL USG 20/20W User’s Guide 574 37.1.2 RADIUS Server RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external server instead of (or in addition to) an internal device user database that is limited to the memory capacity of the device. [...]

  • Page 575

    Chapter 37 AAA Server ZyWALL USG 20/20W User’s Guide 575 • Use the Configuration > Object > AAA Server > RADIUS screen (Section 37.3 on page 579) to configure the default external RADIUS server to use for user authentication. 37.1.5 What You Need To Know AAA Servers Supported by the ZyWALL The following lists the types of aut[...]

  • Page 576

    Chapter 37 AAA Server ZyWALL USG 20/20W User’s Guide 576 organizational boundaries. The following figure shows a basic directory structure branching from countries to organizations to organizational units to individuals. Figure 341 Basic Directory Structure Distinguished Name (DN) A DN uniquely identifies an entry in a directory. A DN consist[...]

  • Page 577

    Chapter 37 AAA Server ZyWALL USG 20/20W User’s Guide 577 • See Section 7.6 on page 124 for an example of how to use a RADIUS server to authenticate user accounts based on groups. 37.2 Active Directory or LDAP Server Summary Use the Active Directory or LDAP screen to manage the list of AD or LDAP servers the ZyWALL can use in authenticating u[...]

  • Page 578

    Chapter 37 AAA Server ZyWALL USG 20/20W User’s Guide 578 following screen. Use this screen to create a new AD or LDAP entry or edit an existing one. Figure 343 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add The following table describes the labels in this screen. Table 172 Configuration > Object > AAA[...]

  • Page 579

    Chapter 37 AAA Server ZyWALL USG 20/20W User’s Guide 579 37.3 RADIUS Server Summary Use the RADIUS screen to manage the list of RADIUS servers the ZyWALL can use in authenticating users. Base DN Specify the directory (up to 127 alphanumerical characters). For example, o=ZyXEL, c=US. Use SSL Select Use SSL to establish a secure connection to[...]

  • Page 580

    Chapter 37 AAA Server ZyWALL USG 20/20W User’s Guide 580 Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen. Figure 344 Configuration > Object > AAA Server > RADIUS The following table describes the labels in this screen. Table 173 Configuration > Object > AAA Server > RADIUS LABEL DESCRIP[...]

  • Page 581

    Chapter 37 AAA Server ZyWALL USG 20/20W User’s Guide 581 37.3.1 Adding a RADIUS Server Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen. Click the Add icon or an Edit icon to display the following screen. Use this screen to create a new AD or LDAP entry or edit an existing one. Figure 345 Configuration &g[...]

  • Page 582

    Chapter 37 AAA Server ZyWALL USG 20/20W User’s Guide 582 Timeout Specify the timeout period (between 1 and 300 seconds) before the ZyWALL disconnects from the RADIUS server. In this case, user authentication fails. Search timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down. Key Enter a pass[...]

  • Page 583

    ZyWALL USG 20/20W User’s Guide 583 CHAPTER 38 Authentication Method 38.1 Overview Authentication method objects set how the ZyWALL authenticates wireless, HTTP/HTTPS clients, and peer IPSec routers (extended authentication) clients. Configure authentication method objects to have the ZyWALL use the local user database, and/or the aut[...]

  • Page 584

    Chapter 38 Authentication Method ZyWALL USG 20/20W User’s Guide 584 3 Select Server Mode and select an authentication method object from the drop-down list box. 4 Click OK to save the settings. Figure 346 Example: Using Authentication Method in VPN 38.2 Authentication Method Objects Click Configuration > Object > Auth. Method to disp[...]

  • Page 585

    Chapter 38 Authentication Method ZyWALL USG 20/20W User’s Guide 585 38.2.1 Creating an Authentication Method Object Follow the steps below to create an authentication method object. 1 Click Configuration > Object > Auth. Method. 2 Click Add. 3 Specify a descriptive name for identification purposes in the Name field. You may use 1-31 [...]

  • Page 586

    Chapter 38 Authentication Method ZyWALL USG 20/20W User’s Guide 586 7 Click OK to save the settings or click Cancel to discard all changes and return to the previous screen. Figure 348 Configuration > Object > Auth. Method > Add The following table describes the labels in this screen. Table 176 Configuration > Object > Auth[...]

  • Page 587

    Chapter 38 Authentication Method ZyWALL USG 20/20W User’s Guide 587 Add icon Click Add to add a new entry. Click Edit to edit the settings of an entry. Click Delete to delete an entry. OK Click OK to save the changes. Cancel Click Cancel to discard the changes. Table 176 Configuration > Object > Auth. Method > Add (continued) LABEL [...]

  • Page 588

    Chapter 38 Authentication Method ZyWALL USG 20/20W User’s Guide 588[...]

  • Page 589

    ZyWALL USG 20/20W User’s Guide 589 CHAPTER 39 Certificates 39.1 Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use[...]

  • Page 590

    Chapter 39 Certificates ZyWALL USG 20/20W User’s Guide 590 2 Tim keeps the private key and makes the public key openly available. This means that anyone who receives a message seeming to come from Tim can read it and verify whether it is really from him or not. 3 Tim uses his private key to sign the message and sends it to Jenny. 4 Jenny rece[...]

  • Page 591

    Chapter 39 Certificates ZyWALL USG 20/20W User’s Guide 591 Factory Default Certificate The ZyWALL generates its own unique self-signed certificate when you first turn it on. This certificate is referred to in the GUI as the factory default certificate. Certificate File Formats Any certificate that you want to import has to be in one of[...]

  • Page 592

    Chapter 39 Certificates ZyWALL USG 20/20W User’s Guide 592 2 Make sure that the certificate has a “.cer” or “.crt” file name extension. Figure 349 Remote Host Certificates 3 Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.[...]

  • Page 593

    Chapter 39 Certificates ZyWALL USG 20/20W User’s Guide 593 39.2 The My Certificates Screen Click Configuration > Object > Certificate > My Certificates to open the My Certificates screen. This is the ZyWALL’s summary list of certificates and certification requests. Figure 351 Configuration > Object > Certificate > My Certi[...]

  • Page 594

    Chapter 39 Certificates ZyWALL USG 20/20W User’s Guide 594 39.2.1 The My Certificates Add Screen Click Configuration > Object > Certificate > My Certificates and then the Add icon to open the My Certificates Add screen. Use this screen to have the Type This field displays what kind of certificate this is. REQ represents a certificatio[...]

  • Page 595

    Chapter 39 Certificates ZyWALL USG 20/20W User’s Guide 595 ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request. Figure 352 Configuration > Object > Certificate > My Certificates > Add[...]

  • Page 596

    Chapter 39 Certificates ZyWALL USG 20/20W User’s Guide 596 The following table describes the labels in this screen. Table 178 Configuration > Object > Certificate > My Certificates > Add LABEL DESCRIPTION Name Type a name to identify this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- character[...]

  • Page 597

    Chapter 39 Certificates ZyWALL USG 20/20W User’s Guide 597 Create a certification request and save it locally for later manual enrollment Select this to have the ZyWALL generate and store a request for a certificate. Use the My Certificate Details screen to view the certification request and copy it to send to the certification authority. Cop[...]

  • Page 598

    Chapter 39 Certificates ZyWALL USG 20/20W User’s Guide 598 If you configured the My Certificate Create screen to have the ZyWALL enroll a certificate and the certificate enrollment is not successful, you see a screen with a Return button that takes you back to the My Certificate Create screen. Click Return and check your information in the[...]

  • Page 599

    Chapter 39 Certificates ZyWALL USG 20/20W User’s Guide 599 39.2.2 The My Certificates Edit Screen Click Configuration > Object > Certificate > My Certificates and then the Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate’s name. Figure 353[...]

  • Page 600

    Chapter 39 Certificates ZyWALL USG 20/20W User’s Guide 600 The following table describes the labels in this screen. Table 179 Configuration > Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[[...]

  • Page 601

    Chapter 39 Certificates ZyWALL USG 20/20W User’s Guide 601 Key Algorithm This field displays the type of algorithm that was used to generate the certificate’s key pair (the ZyWALL uses RSA encryption) and the length of the key set in bits (1024 bits for example). Subject Alternative Name This field displays the certificate owner’s IP ad[...]

  • Page 602

    Chapter 39 Certificates ZyWALL USG 20/20W User’s Guide 602 39.2.3 The My Certificates Import Screen Click Configuration > Object > Certificate > My Certificates > Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to the ZyWALL. Note: You can import a certifica[...]

  • Page 603

    Chapter 39 Certificates ZyWALL USG 20/20W User’s Guide 603 39.3 The Trusted Certificates Screen Click Configuration > Object > Certificate > Trusted Certificates to open the Trusted Certificates screen. This screen displays a summary list of certificates that you have set the ZyWALL to accept as trusted. The ZyWALL also accept[...]

  • Page 604

    Chapter 39 Certificates ZyWALL USG 20/20W User’s Guide 604 39.3.1 The Trusted Certificates Edit Screen Click Configuration > Object > Certificate > Trusted Certificates and then a certificate’s Edit icon to open the Trusted Certificates Edit screen. Use this screen to view in-depth information about the certificate, change the cer[...]

  • Page 605

    Chapter 39 Certificates ZyWALL USG 20/20W User’s Guide 605 authority’s list of revoked certificates before trusting a certificate issued by the certification authority. Figure 356 Configuration > Object > Certificate > Trusted Certificates > Edit[...]

  • Page 606

    Chapter 39 Certificates ZyWALL USG 20/20W User’s Guide 606 The following table describes the labels in this screen. Table 182 Configuration > Object > Certificate > Trusted Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificate. You can change the name. You can use up to 31 alphan[...]

  • Page 607

    Chapter 39 Certificates ZyWALL USG 20/20W User’s Guide 607 Type This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate’s owner signed the certificate (not a certification authority). X.509 means that this certificate was[...]

  • Page 608

    Chapter 39 Certificates ZyWALL USG 20/20W User’s Guide 608 39.3.2 The Trusted Certificates Import Screen Click Configuration > Object > Certificate > Trusted Certificates > Import to open the Trusted Certificates Import screen. Follow the instructions in this screen to save a trusted certificate to the ZyWALL. Note: You must re[...]

  • Page 609

    Chapter 39 Certificates ZyWALL USG 20/20W User’s Guide 609 The following table describes the labels in this screen. 39.4 Certificates Technical Reference OCSP OCSP (Online Certificate Status Protocol) allows an application or device to check whether a certificate is valid. With OCSP the ZyWALL checks the status of individual certificates i[...]

  • Page 610

    Chapter 39 Certificates ZyWALL USG 20/20W User’s Guide 610[...]

  • Page 611

    ZyWALL USG 20/20W User’s Guide 611 CHAPTER 40 ISP Accounts 40.1 Overview Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE/PPTP interfaces. An ISP account is a profile of settings for Internet access using PPPoE or PPTP. Finding Out More • See Section 11.4 on page 233 for information about PPPoE/PPT[...]

  • Page 612

    Chapter 40 ISP Accounts ZyWALL USG 20/20W User’s Guide 612 The following table describes the labels in this screen. See the ISP Account Edit section below for more information as well. 40.2.1 ISP Account Edit The ISP Account Edit screen lets you add information about new accounts and edit information about existing accounts. To open this[...]

  • Page 613

    Chapter 40 ISP Accounts ZyWALL USG 20/20W User’s Guide 613 The following table describes the labels in this screen. Table 185 Configuration > Object > ISP Account > Edit LABEL DESCRIPTION Profile Name This field is read-only if you are editing an existing account. Type in the profile name of the ISP account. The profile name is u [...]

  • Page 614

    Chapter 40 ISP Accounts ZyWALL USG 20/20W User’s Guide 614 Compression Select the On button to turn on stac compression, and select Off to turn off stac compression. Stac compression is a data compression technique capable of compressing data by a factor of about four. Idle Timeout This value specifies the number of seconds that must elapse with[...]

  • Page 615

    ZyWALL USG 20/20W User’s Guide 615 CHAPTER 41 SSL Application 41.1 Overview You use SSL application objects in SSL VPN. Configure an SSL application object to specify the type of application and the address of the local computer, server, or web site SSL users are to be able to access. You can apply one or more SSL application objects i[...]

  • Page 616

    Chapter 41 SSL Application ZyWALL USG 20/20W User’s Guide 616 Remote Desktop Connections Use SSL VPN to allow remote users to manage LAN computers. Depending on the functions supported by the remote desktop software, they can install or remove software, run programs, change settings, and open, copy, create, and delete files. This is usefu[...]

  • Page 617

    Chapter 41 SSL Application ZyWALL USG 20/20W User’s Guide 617 2 Click the Add button and select Web Application in the Type field. In the Server Type field, select Web Server. Enter a descriptive name in the Display Name field. For example, “CompanyIntranet”. In the Address field, enter “http://info”. Select Web Page Encryption to p[...]

  • Page 618

    Chapter 41 SSL Application ZyWALL USG 20/20W User’s Guide 618 The following table describes the labels in this screen. 41.2.1 Creating/Editing a Web-based SSL Application Object A web-based application allows remote users to access an application via standard web browsers. To configure a web-based application, click the Add or Edit button in[...]

  • Page 619

    Chapter 41 SSL Application ZyWALL USG 20/20W User’s Guide 619 The following table describes the labels in this screen. Table 187 Configuration > Object > SSL Application > Add/Edit: Web Application LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings This displays for VNC or RDP type web application objects. Click this butt[...]

  • Page 620

    Chapter 41 SSL Application ZyWALL USG 20/20W User’s Guide 620 Entry Point This field displays if the Server Type is set to Web Server or OWA. This field is optional. You only need to configure this field if you need to specify the name of the directory or file on the local server as the home page or home directory on the user screen. Server A[...]

  • Page 621

    ZyWALL USG 20/20W User’s Guide 621 CHAPTER 42 Endpoint Security 42.1 Overview Use Endpoint Security (EPS), also known as endpoint control, to make sure users’ computers comply with defined corporate policies before they can access the network or an SSL VPN tunnel. After a successful user authentication, a user’s computer must meet the en[...]

  • Page 622

    Chapter 42 Endpoint Security ZyWALL USG 20/20W User’s Guide 622 42.1.1 What You Can Do in this Chapter Use the Configuration > Object > Endpoint Security screens (Section 42.2 on page 623) to create and manage endpoint security objects. 42.1.2 What You Need to Know What Endpoint Security Can Check The settings endpoint security c[...]

  • Page 623

    Chapter 42 Endpoint Security ZyWALL USG 20/20W User’s Guide 623 42.2 Endpoint Security Screen The Endpoint Security screen displays the endpoint security objects you have configured on the ZyWALL. Click Configuration > Object > Endpoint Security to display the screen. Figure 365 Configuration > Object > Endpoint Security The fo[...]

  • Page 624

    Chapter 42 Endpoint Security ZyWALL USG 20/20W User’s Guide 624 42.3 Endpoint Security Add/Edit Click Configuration > Object > Endpoint Security and then the Add (or Edit) icon to open the Endpoint Security Edit screen. Use this screen to configure an endpoint security object. Figure 366 Configuration > Object > Endpoint Secu [...]

  • Page 625

    Chapter 42 Endpoint Security ZyWALL USG 20/20W User’s Guide 625[...]

  • Page 626

    Chapter 42 Endpoint Security ZyWALL USG 20/20W User’s Guide 626 The following table gives an overview of the objects you can configure. Table 189 Configuration > Object > Endpoint Security > Add LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration f[...]

  • Page 627

    Chapter 42 Endpoint Security ZyWALL USG 20/20W User’s Guide 627 Checking Item - Anti-Virus Software If you selected Windows as the operating system, you can select whether or not the user’s computer is required to have anti-virus software installed. Move the permitted anti-virus software packages from the Available list to the Allowed An[...]

  • Page 628

    Chapter 42 Endpoint Security ZyWALL USG 20/20W User’s Guide 628 Checking Item - File Information If you selected Windows or Linux as the operating system, you can use this table to check details of specific files on the user’s computer. Use the Operation field to set whether the size or version of the file on the user’s computer has to b[...]

  • Page 629

    ZyWALL USG 20/20W User’s Guide 629 CHAPTER 43 System 43.1 Overview Use the system screens to configure general ZyWALL settings. 43.1.1 What You Can Do in this Chapter • Use the System > Host Name screen (see Section 43.2 on page 630) to configure a unique name for the ZyWALL in your network. • Use the System > USB Storage scr[...]

  • Page 630

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 630 • Your ZyWALL can act as an SNMP agent, which allows a manager station to manage and monitor the ZyWALL through the network. Use the System > SNMP screen (see Section 43.11 on page 670) to configure SNMP settings, including from which zones SNMP can be used to access the ZyWALL.[...]

  • Page 631

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 631 43.3 USB Storage The ZyWALL can use a connected USB device to store the system log and other diagnostic information. Use this screen to turn on this feature and set a disk full warning limit. Note: Only connect one USB device. It must allow writing (it cannot be read-only) and use the F[...]

  • Page 632

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 632 a software mechanism to set the time manually or get the current time and date from an external server. To change your ZyWALL’s time based on your local time zone and date, click Configuration > System > Date/Time. The screen displays as shown. You can manually set the ZyW [...]

  • Page 633

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 633 New Time (hh-mm-ss) This field displays the last updated time from the time server or the last time configured manually. When you set Time and Date Setup to Manual, enter the new time in this field and then click Apply. New Date (yyyy-mm-dd) This field displays the last updated date from [...]

  • Page 634

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 634 43.4.1 Pre-defined NTP Time Servers List When you turn on the ZyWALL for the first time, the date and time start at 2003-01-01 00:00:00. The ZyWALL then attempts to synchronize with one of the following pre-defined list of Network Time Protocol (NTP) time servers. The ZyWALL contin[...]

  • Page 635

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 635 43.4.2 Time Server Synchronization Click the Synchronize Now button to get the time and date from the time server you specified in the Time Server Address field. When the Please Wait... screen appears, you may have to wait up to one minute. Figure 370 Synchronization in Process The Curren[...]

  • Page 636

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 636 5 Under Time and Date Setup, enter a Time Server Address (Table 193 on page 634). 6 Click Apply. 43.5 Console Port Speed This section shows you how to set the console port speed when you connect to the ZyWALL via the console port using a terminal emulation program. See Table 2 o[...]

  • Page 637

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 637 43.6.1 DNS Server Address Assignment The ZyWALL can get the DNS server addresses in the following ways. • The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, manually enter them in [...]

  • Page 638

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 638 The following table describes the labels in this screen. Table 195 Configuration > System > DNS LABEL DESCRIPTION Address/PTR Record This record specifies the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example[...]

  • Page 639

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 639 DNS Server This is the IP address of a DNS server. This field displays N/A if you have the ZyWALL get a DNS server IP address from the ISP dynamically but the specified interface is not active. Query Via This is the interface through which the ZyWALL sends DNS queries to the entry’s D[...]

  • Page 640

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 640 43.6.3 Address Record An address record contains the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level do[...]

  • Page 641

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 641 The following table describes the labels in this screen. 43.6.6 Domain Zone Forwarder A domain zone forwarder contains a DNS server’s IP address. The ZyWALL can query the DNS server to resolve domain zones for features like VPN, DDNS and the time server. A domain zone is a fully qualif[...]

  • Page 642

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 642 The following table describes the labels in this screen. 43.6.8 MX Record A MX (Mail eXchange) record indicates which host is responsible for the mail for a particular domain, that is, controls where mail is sent for that domain. If you do not configure proper MX records for your domain o[...]

  • Page 643

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 643 43.6.9 Adding a MX Record Click the Add icon in the MX Record table to add a MX record. Figure 375 Configuration > System > DNS > MX Record Add The following table describes the labels in this screen. 43.6.10 Adding a DNS Service Control Rule Click the Add icon in the Service Control[...]

  • Page 644

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 644 The following table describes the labels in this screen. 43.7 WWW Overview The following figure shows secure and insecure management of the ZyWALL coming in from the WAN. HTTPS and SSH access are secure. HTTP and Telnet access are not secure. • See Section 6.7.1 on page 105 for relat[...]

  • Page 645

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 645 1 You have disabled that service in the corresponding screen. 2 The allowed IP address (address object) in the Service Control table does not match the client IP address (the ZyWALL disallows the session). 3 The IP address (address object) in the Service Control table is not in the allowe[...]

  • Page 646

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 646 Please refer to the following figure. 1 HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the ZyWALL’s web server. 2 HTTP connection requests from a web browser go to port 80 (by default) on the ZyWALL’s web server. Figure 377 HT[...]

  • Page 647

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 647 Note: Admin Service Control deals with management access (to the Web Configurator). User Service Control deals with user access to the ZyWALL (logging into SSL VPN for example). Figure 378 Configuration > System > WWW > Service Control The following table describes the labels in th[...]

  • Page 648

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 648 Server Port The HTTPS server listens on port 443 by default. If you change the HTTPS server port to a different number on the ZyWALL, for example 8443, then you must notify people who need to access the ZyWALL Web Configurator to use “https://ZyWALL IP Address:8443” as the URL. [...]

  • Page 649

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 649 HTTP Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL Web Configurator using HTTP connections. Server Port You may change the server port number for a service if needed,[...]

  • Page 650

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 650 43.7.5 Service Control Rules Click Add or Edit in the Service Control table in a WWW, SSH, Telnet, FTP or SNMP screen to add a service control rule. Figure 379 Configuration > System > Service Control Rule > Edit The following table describes the labels in this screen. 43.7.6 Cu[...]

  • Page 651

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 651 also customize the page that displays after an access user logs into the Web Configurator to access network services like the Internet. See Chapter 33 on page 539 for more on access user accounts. Figure 380 Configuration > System > WWW > Login Page[...]

  • Page 652

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 652 The following figures identify the parts you can customize in the login and access pages. Figure 381 Login Page Customization Figure 382 Access Page Customization You can specify colors in one of the following ways: Logo Title Message Note Message Background (last line of text) (color o[...]

  • Page 653

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 653 • Click Color to display a screen of web-safe colors from which to choose. • Enter the name of the desired color. • Enter a pound sign (#) followed by the six-digit hexadecimal number that represents the desired color. For example, use “#000000” for black. • Enter “rgb”[...]

  • Page 654

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 654 43.7.7 HTTPS Example If you haven’t changed the default HTTPS port on the ZyWALL, then in your browser enter “https://ZyWALL IP Address/” as the web site address where “ZyWALL IP Address” is the IP address or domain name of the ZyWALL you wish to access. 43.7.7.1 Internet Ex[...]

  • Page 655

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 655 43.7.7.2 Netscape Navigator Warning Messages When you attempt to access the ZyWALL HTTPS server, a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate. Click Examine Certificate if you want to verify that the certificate is from the Zy[...]

  • Page 656

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 656 • The issuing certificate authority of the ZyWALL’s HTTPS server certificate is not one of the browser’s trusted certificate authorities. The issuing certificate authority of the ZyWALL’s factory default certificate is the ZyWALL itself since the certificate is a self-si[...]

  • Page 657

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 657 Apply for a certificate from a Certification Authority (CA) that is trusted by the ZyWALL (see the ZyWALL’s Trusted CA Web Configurator screen). Figure 387 ZyWALL Trusted CA Screen The CA sends you a package containing the CA’s trusted certificate(s), your person[...]

  • Page 658

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 658 43.7.7.5.2 Installing Your Personal Certificate(s) You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next 1 Click Next[...]

  • Page 659

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 659 3 Enter the password given to you by the CA. Figure 391 Personal Certificate Import Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location. Figure 392 Personal Cer[...]

  • Page 660

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 660 5 Click Finish to complete the wizard and begin the import process. Figure 393 Personal Certificate Import Wizard 5 6 You should see the following screen when the certificate is correctly installed on your computer. Figure 394 Personal Certificate Import Wizard 6 43.7.7.6 Using a Certi[...]

  • Page 661

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 661 2 When Authenticate Client Certificates is selected on the ZyWALL, the following screen asks you to select a personal certificate to send to the ZyWALL. This screen displays even if you only have a single certificate as in the example. Figure 396 SSL Client Authentication 3 You next se[...]

  • Page 662

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 662 SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. In the following figure, computer A on the Internet uses SSH to securely connect to the WAN port of the ZyWALL fo[...]

  • Page 663

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 663 2 Encryption Method Once the identification is verified, both the client and server must agree on the type of encryption method to use. 3 Authentication and Data Transmission After the identification is verified and data encryption activated, a secure tunnel is established between the cl[...]

  • Page 664

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 664 Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections. Figure 400 Configuration > System > SSH The following table describes the labels in this screen. Table 203 Configuration > System > SSH LABEL DESCRIPTION Enable Select the c[...]

  • Page 665

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 665 43.8.5 Secure Telnet Using SSH Examples This section shows two examples using a command interface and a graphical interface SSH client program to remotely access the ZyWALL. The configuration and connection steps are similar for most SSH client programs. Refer to your SSH client progr[...]

  • Page 666

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 666 Enter the password to log in to the ZyWALL. The CLI screen displays next. 43.8.5.2 Example 2: Linux This section describes how to access the ZyWALL using the OpenSSH client program that comes with most Linux distributions. 1 Test whether the SSH service is available on the ZyWALL. En[...]

  • Page 667

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 667 43.9.1 Configuring Telnet Click Configuration > System > TELNET to configure your ZyWALL for remote Telnet access. Use this screen to specify from which zones Telnet can be used to manage the ZyWALL. You can also specify from which IP addresses the access can come. Figure 404 Con[...]

  • Page 668

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 668 43.10 FTP You can upload and download the ZyWALL’s firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. Please see Chapter 45 on page 693 for more information about firmware and configuration files. 43.10.1 Configuring FTP To change [...]

  • Page 669

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 669 be used to access the ZyWALL. You can also specify from which IP addresses the access can come. Figure 405 Configuration > System > FTP The following table describes the labels in this screen. Table 205 Configuration > System > FTP LABEL DESCRIPTION Enable Select the check box[...]

  • Page 670

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 670 43.11 SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices. Your ZyWALL supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyWALL through the network. The ZyWALL supports [...]

  • Page 671

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 671 and version two (SNMPv2c). The next figure illustrates an SNMP management operation. Figure 406 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the Zy[...]

  • Page 672

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 672 • GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations. • Set - Allows the man[...]

  • Page 673

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 673 settings, including from which zones SNMP can be used to access the ZyWALL. You can also specify from which IP addresses the access can come. Figure 407 Configuration > System > SNMP The following table describes the labels in this screen. Table 207 Configuration > System > [...]

  • Page 674

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 674 43.12 Vantage CNM Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide. See the Vantage CNM User’s Guide for[...]

  • Page 675

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 675 43.12.1 Configuring Vantage CNM Vantage CNM is disabled on the device by default. Click Configuration > System > Vantage CNM to configure your device’s Vantage CNM settings. Figure 408 Configuration > System > Vantage CNM The following table describes the labels in this [...]

  • Page 676

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 676 Transfer Protocol Select whether the Vantage CNM sessions should use regular HTTP connections or secure HTTPS connections. Note: HTTPS is recommended. The Vantage CNM server must use the same setting. Device Management IP Select Auto to have the ZyWALL allow Vantage CNM sessions [...]

  • Page 677

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 677 43.13 Language Screen Click Configuration > System > Language to open the following screen. Use this screen to select a display language for the ZyWALL’s Web Configurator screens. Figure 409 Configuration > System > Language The following table describes the labels in this [...]

  • Page 678

    Chapter 43 System ZyWALL USG 20/20W User’s Guide 678[...]

  • Page 679

    ZyWALL USG 20/20W User’s Guide 679 CHAPTER 44 Log and Report 44.1 Overview Use these screens to configure daily reporting and log settings. 44.1.1 What You Can Do In this Chapter • Use the Email Daily Report screen (Section 44.2 on page 679) to configure where and how to send daily reports and what reports to send. • Use the Mai[...]

  • Page 680

    Chapter 44 Log and Report ZyWALL USG 20/20W User’s Guide 680 Click Configuration > Log & Report > Email Daily Report to display the following screen. Configure this screen to have the ZyWALL e-mail you system statistics every day. Figure 410 Configuration > Log & Report > Email Daily Report[...]

  • Page 681

    Chapter 44 Log and Report ZyWALL USG 20/20W User’s Guide 681 The following table describes the labels in this screen. 44.3 Log Setting Screens The Log Setting screens control log messages and alerts. A log message stores the information for viewing (for example, in the View Log tab) or regular e-mailing later, and an alert is e-mailed imme[...]

  • Page 682

    Chapter 44 Log and Report ZyWALL USG 20/20W User’s Guide 682 The Log Setting tab also controls what information is saved in each log. For the system log, you can also specify which log messages are e-mailed, where they are e-mailed, and how often they are e-mailed. For alerts, the Log Settings tab controls which events generate alerts and wh[...]

  • Page 683

    Chapter 44 Log and Report ZyWALL USG 20/20W User’s Guide 683 44.3.2 Edit System Log Settings The Log Settings Edit screen controls the detailed settings for each log in the system log (which includes the e-mail profiles). Go to the Log Settings Summary screen (see Section 44.3.1 on page 682), and click the system log Edit icon. # This field is[...]

  • Page 684

    Chapter 44 Log and Report ZyWALL USG 20/20W User’s Guide 684 Figure 412 Configuration > Log & Report > Log Setting > Edit (System Log)[...]

  • Page 685

    Chapter 44 Log and Report ZyWALL USG 20/20W User’s Guide 685 The following table describes the labels in this screen. Table 212 Configuration > Log & Report > Log Setting > Edit (System Log) LABEL DESCRIPTION E-Mail Server 1/2 Active Select this to send log messages and alerts according to the information in this section. You s[...]

  • Page 686

    Chapter 44 Log and Report ZyWALL USG 20/20W User’s Guide 686 E-mail Server 1 Use the E-Mail Server 1 drop-down list to change the settings for e-mailing logs to e-mail server 1 for all log categories. Using the System Log drop-down list to disable all logs overrides your e-mail server 1 settings. enable normal logs (green check mark) - e-mail log[...]

  • Page 687

    Chapter 44 Log and Report ZyWALL USG 20/20W User’s Guide 687 Active Select this to activate log consolidation. Log consolidation aggregates multiple log messages that arrive within the specified Log Consolidation Interval. In the View Log tab, the text “[count=x]”, where x is the number of original log messages, is appended at the end [...]

  • Page 688

    Chapter 44 Log and Report ZyWALL USG 20/20W User’s Guide 688 44.3.3 Edit Remote Server Log Settings The Log Settings Edit screen controls the detailed settings for each log in the remote server (syslog). Go to the Log Settings Summary screen (see Section 44.3.1 on page 682), and click a remote server Edit icon. Figure 413 Configuration > Lo[...]

  • Page 689

    Chapter 44 Log and Report ZyWALL USG 20/20W User’s Guide 689 The following table describes the labels in this screen. Table 213 Configuration > Log & Report > Log Setting > Edit (Remote Server) LABEL DESCRIPTION Log Settings for Remote Server Active Select this check box to send log information according to the information in this[...]

  • Page 690

    Chapter 44 Log and Report ZyWALL USG 20/20W User’s Guide 690 44.3.4 Active Log Summary Screen The Active Log Summary screen allows you to view and to edit what information is included in the system log, e-mail profiles, and remote servers at the same time. It does not let you change other log settings (for example, where and how often log in[...]

  • Page 691

    Chapter 44 Log and Report ZyWALL USG 20/20W User’s Guide 691 The following table describes the fields in this screen. Table 214 Configuration > Log & Report > Log Setting > Active Log Summary LABEL DESCRIPTION System log Use the System Log drop-down list to change the log settings for all of the log categories. disable all logs (re[...]

  • Page 692

    Chapter 44 Log and Report ZyWALL USG 20/20W User’s Guide 692 System log Select which events you want to log by Log Category. There are three choices: disable all logs (red X) - do not log any information from this category enable normal logs (green checkmark) - create log messages and alerts from this category enable normal logs and debug log[...]

  • Page 693

    ZyWALL USG 20/20W User’s Guide 693 CHAPTER 45 File Manager 45.1 Overview Configuration files define the ZyWALL’s settings. Shell scripts are files of commands that you can store on the ZyWALL and run when you need them. You can apply a configuration file or run a shell script without the ZyWALL restarting. You can store multiple [...]

  • Page 694

    Chapter 45 File Manager ZyWALL USG 20/20W User’s Guide 694 These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below. While configuration files and shell scripts have the same syntax, the ZyWALL applies configuration files differently than it runs shell scripts. This is e[...]

  • Page 695

    Chapter 45 File Manager ZyWALL USG 20/20W User’s Guide 695 Your configuration files or shell scripts can use “exit” or a command line consisting of a single “!” to have the ZyWALL exit sub command mode. Note: “exit” or “!” must follow sub commands if it is to make the ZyWALL exit sub command mode. Line 3 in the followi[...]

  • Page 696

    Chapter 45 File Manager ZyWALL USG 20/20W User’s Guide 696 45.2 The Configuration File Screen Click Maintenance > File Manager > Configuration File to open the Configuration File screen. Use the Configuration File screen to store, run, and name configuration files. You can also download configuration files from the ZyWALL to your compu[...]

  • Page 697

    Chapter 45 File Manager ZyWALL USG 20/20W User’s Guide 697 The following table describes the labels in this screen. Table 216 Maintenance > File Manager > Configuration File LABEL DESCRIPTION Rename Use this button to change the label of a configuration file on the ZyWALL. You can only rename manually saved configuration files. Yo[...]

  • Page 698

    Chapter 45 File Manager ZyWALL USG 20/20W User’s Guide 698 Copy Use this button to save a duplicate of a configuration file on the ZyWALL. Click a configuration file’s row to select it and click Copy to open the Copy File screen. Figure 418 Maintenance > File Manager > Configuration File > Copy Specify a name for the duplicate c[...]

  • Page 699

    Chapter 45 File Manager ZyWALL USG 20/20W User’s Guide 699 Apply Use this button to have the ZyWALL use a specific configuration file. Click a configuration file’s row to select it and click Apply to have the ZyWALL use that configuration file. The ZyWALL does not have to restart in order to use a different configuration file, although [...]

  • Page 700

    Chapter 45 File Manager ZyWALL USG 20/20W User’s Guide 700 45.3 The Firmware Package Screen Click Maintenance > File Manager > Firmware Package to open the Firmware Package screen. Use the Firmware Package screen to check your current firmware version and upload firmware to the ZyWALL. File Name This column displays the label that identif[...]

  • Page 701

    Chapter 45 File Manager ZyWALL USG 20/20W User’s Guide 701 Note: The Web Configurator is the recommended method for uploading firmware. You only need to use the command line interface if you need to recover the firmware. See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it. Find the firmwa[...]

  • Page 702

    Chapter 45 File Manager ZyWALL USG 20/20W User’s Guide 702 Note: The ZyWALL automatically reboots after a successful upload. The ZyWALL automatically restarts causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop. Figure 422 Network Temporarily Disconnected After five minutes, l[...]

  • Page 703

    Chapter 45 File Manager ZyWALL USG 20/20W User’s Guide 703 Each field is described in the following table. Table 218 Maintenance > File Manager > Shell Script LABEL DESCRIPTION Rename Use this button to change the label of a shell script file on the ZyWALL. You cannot rename a shell script to the name of another shell script in the [...]

  • Page 704

    Chapter 45 File Manager ZyWALL USG 20/20W User’s Guide 704 Apply Use this button to have the ZyWALL use a specific shell script file. Click a shell script file’s row to select it and click Apply to have the ZyWALL use that shell script file. You may need to wait awhile for the ZyWALL to finish applying the commands. # This column displa[...]

  • Page 705

    ZyWALL USG 20/20W User’s Guide 705 CHAPTER 46 Diagnostics 46.1 Overview Use the diagnostics screens for troubleshooting. 46.1.1 What You Can Do in this Chapter • Use the Maintenance > Diagnostics screen (see Section 46.2 on page 705) to generate a file containing the ZyWALL’s configuration and diagnostic information if you need [...]

  • Page 706

    Chapter 46 Diagnostics ZyWALL USG 20/20W User’s Guide 706 Click Maintenance > Diagnostics to open the Diagnostic screen. Figure 427 Maintenance > Diagnostics The following table describes the labels in this screen. 46.2.1 The Diagnostics Files Screen Click Maintenance > Diagnostics > Files to open the diagnostic files screen. This s[...]

  • Page 707

    Chapter 46 Diagnostics ZyWALL USG 20/20W User’s Guide 707 The following table describes the labels in this screen. 46.3 The Packet Capture Screen Use this screen to capture network traffic going through the ZyWALL’s interfaces. Studying these packet captures may help you identify network problems. Click Maintenance > Diagnostics > P[...]

  • Page 708

    Chapter 46 Diagnostics ZyWALL USG 20/20W User’s Guide 708 Note: New capture files overwrite existing files of the same name. Change the File Suffix field’s setting to avoid this. Figure 429 Maintenance > Diagnostics > Packet Capture The following table describes the labels in this screen. Table 221 Maintenance > Diagnostics > P[...]

  • Page 709

    Chapter 46 Diagnostics ZyWALL USG 20/20W User’s Guide 709 Continuously capture and overwrite old ones Select this to have the ZyWALL keep capturing traffic and overwriting old packet capture entries when the available storage space runs out. Save data to onboard storage only Select this to have the ZyWALL only store packet capture entries on[...]

  • Page 710

    Chapter 46 Diagnostics ZyWALL USG 20/20W User’s Guide 710 46.3.1 The Packet Capture Files Screen Click Maintenance > Diagnostics > Packet Capture > Files to open the packet capture files screen. This screen lists the files of packet captures stored on the ZyWALL or a connected USB storage device. You can download the files to your[...]

  • Page 711

    Chapter 46 Diagnostics ZyWALL USG 20/20W User’s Guide 711 The following table describes the labels in this screen. 46.3.2 Example of Viewing a Packet Capture File Here is an example of a packet capture file viewed in the Wireshark packet analyzer. Notice that the size of frame 15 on the wire is 1514 bytes while the captured size is only 1500[...]

  • Page 712

    Chapter 46 Diagnostics ZyWALL USG 20/20W User’s Guide 712 Figure 431 Packet Capture File Example 46.4 Core Dump Screen Use the Core Dump screen to have the ZyWALL save a process’s core dump to an attached USB storage device if the process terminates abnormally (crashes). You may need to send this file to customer support for troublesho[...]

  • Page 713

    Chapter 46 Diagnostics ZyWALL USG 20/20W User’s Guide 713 The following table describes the labels in this screen. 46.4.1 Core Dump Files Screen Click Maintenance > Diagnostics > Core Dump > Files to open the core dump files screen. This screen lists the core dump files stored on the ZyWALL or a connected USB storage device. You m[...]

  • Page 714

    Chapter 46 Diagnostics ZyWALL USG 20/20W User’s Guide 714 46.5 The System Log Screen Click Maintenance > Diagnostics > System Log to open the system log files screen. This screen lists the files of system logs stored on a connected USB storage device. The files are in comma separated value (csv) format. You can download them to your comp[...]

  • Page 715

    ZyWALL USG 20/20W User’s Guide 715 CHAPTER 47 Packet Flow Explore 47.1 Overview Use this to get a clear picture on how the ZyWALL determines where to forward a packet and how to change the source IP address of the packet according to your current settings. This function provides you a summary of all your routing and SNAT settings and help[...]

  • Page 716

    Chapter 47 Packet Flow Explore ZyWALL USG 20/20W User’s Guide 716 Note: Once a packet matches the criteria of a routing rule, the ZyWALL takes the corresponding action and does not perform any further flow checking. Figure 435 Maintenance > Packet Flow Explore > Routing Status (Direct Route) Figure 436 Maintenance > Packet Flow Ex[...]

  • Page 717

    Chapter 47 Packet Flow Explore ZyWALL USG 20/20W User’s Guide 717 Figure 439 Maintenance > Packet Flow Explore > Routing Status (Dynamic VPN) Figure 440 Maintenance > Packet Flow Explore > Routing Status (Static-Dynamic Route) Figure 441 Maintenance > Packet Flow Explore > Routing Status (Default WAN Trunk) Figure 442 M[...]

  • Page 718

    Chapter 47 Packet Flow Explore ZyWALL USG 20/20W User’s Guide 718 The following table describes the labels in this screen. Table 226 Maintenance > Packet Flow Explore > Routing Status LABEL DESCRIPTION Routing Flow This section shows you the flow of how the ZyWALL determines where to route a packet. Click a function box to display [...]

  • Page 719

    Chapter 47 Packet Flow Explore ZyWALL USG 20/20W User’s Guide 719 47.3 The SNAT Status Screen The SNAT Status screen allows you to view and quickly link to specific source NAT (SNAT) settings. Click a function box in the SNAT Flow section and the related SNAT rules (activated) will display in the SNAT Table section. To access this screen, c[...]

  • Page 720

    Chapter 47 Packet Flow Explore ZyWALL USG 20/20W User’s Guide 720 • use policy routes to control 1-1 NAT by using the policy control-virtual-server-rules activate command. Note: Once a packet matches the criteria of an SNAT rule, the ZyWALL takes the corresponding action and does not perform any further flow checking. Figure 443 Maintenan[...]

  • Page 721

    Chapter 47 Packet Flow Explore ZyWALL USG 20/20W User’s Guide 721 The following table describes the labels in this screen. Table 227 Maintenance > Packet Flow Explore > SNAT Status LABEL DESCRIPTION SNAT Flow This section shows you the flow of how the ZyWALL changes the source IP address for a packet according to the rules you have [...]

  • Page 722

    Chapter 47 Packet Flow Explore ZyWALL USG 20/20W User’s Guide 722[...]

  • Page 723

    ZyWALL USG 20/20W User’s Guide 723 CHAPTER 48 Reboot 48.1 Overview Use this to restart the device (for example, if the device begins behaving erratically). See also Section 1.5 on page 34 for information on different ways to start and stop the ZyWALL. 48.1.1 What You Need To Know If you applied changes in the Web configurator, these were[...]

  • Page 724

    Chapter 48 Reboot ZyWALL USG 20/20W User’s Guide 724[...]

  • Page 725

    ZyWALL USG 20/20W User’s Guide 725 CHAPTER 49 Shutdown 49.1 Overview Use this to shut down the device in preparation for disconnecting the power. See also Section 1.5 on page 34 for information on different ways to start and stop the ZyWALL. Always use the Maintenance > Shut down > Shut down screen or the “shut down” command [...]

  • Page 726

    Chapter 49 Shutdown ZyWALL USG 20/20W User’s Guide 726[...]

  • Page 727

    ZyWALL USG 20/20W User’s Guide 727 CHAPTER 50 Troubleshooting This chapter offers some suggestions to solve problems you might encounter. • You can also refer to the logs (see Chapter 9 on page 207). For individual log descriptions, see the User’s Guide appendix Appendix A on page 747. For the order in which the ZyWALL applies it[...]

  • Page 728

    Chapter 50 Troubleshooting ZyWALL USG 20/20W User’s Guide 728 • If you’ve forgotten the ZyWALL’s IP address, you can use the commands through the console port to check it. Connect your computer to the CONSOLE port using a console cable. Your computer should have a terminal emulation communications program (such as Hyper[...]

  • Page 729

    Chapter 50 Troubleshooting ZyWALL USG 20/20W User’s Guide 729 The ZyWALL checks the firewall rules in the order that they are listed. So make sure that your custom firewall rule comes before any other rules that the traffic would also match. I cannot enter the interface name I want. • The format of interface names other than the Ethernet i[...]

  • Page 730

    Chapter 50 Troubleshooting ZyWALL USG 20/20W User’s Guide 730 The actual cellular data rate you obtain varies depending on the cellular device you use, the signal strength to the service provider’s base station, and so on. I created a cellular interface but cannot connect through it. • Make sure you have a compatible 3G device[...]

  • Page 731

    Chapter 50 Troubleshooting ZyWALL USG 20/20W User’s Guide 731 At the time of writing, the ZyWALL does not support ingress bandwidth management. I uploaded a custom signature file and now all of my earlier custom signatures are gone. The name of the complete custom signature file on the ZyWALL is ‘custom.rules’. If you import a file n[...]

  • Page 732

    Chapter 50 Troubleshooting ZyWALL USG 20/20W User’s Guide 732 • Make sure you recorded your DDNS account’s user name, password, and domain name and have entered them properly in the ZyWALL. • You may need to configure the DDNS entry’s IP Address setting to Auto if the interface has a dynamic IP address or there are one or mor[...]

  • Page 733

    Chapter 50 Troubleshooting ZyWALL USG 20/20W User’s Guide 733 Here are some general suggestions. See also Chapter 23 on page 391. • The system log can often help to identify a configuration problem. • If you enable NAT traversal, the remote IPSec device must also have NAT traversal enabled. • The ZyWALL and remote IPSec router [...]

  • Page 734

    Chapter 50 Troubleshooting ZyWALL USG 20/20W User’s Guide 734 • If you set up a VPN tunnel across the Internet, make sure your ISP supports AH or ESP (whichever you are using). • If you have the ZyWALL and remote IPSec router use certificates to authenticate each other, you must set up the certificates for the ZyWALL and remo[...]

  • Page 735

    Chapter 50 Troubleshooting ZyWALL USG 20/20W User’s Guide 735 The ZyWALL automatically updates address objects based on an interface’s IP address, subnet, or gateway if the interface’s IP address settings change. However, you need to manually edit any address objects for your LAN that are not based on the interface. I cannot get the [...]

  • Page 736

    Chapter 50 Troubleshooting ZyWALL USG 20/20W User’s Guide 736 I cannot get a certificate to import into the ZyWALL. 1 For My Certificates, you can import a certificate that matches a corresponding certification request that was generated by the ZyWALL. You can also import a certificate in PKCS#12 format, including the certificate?[...]

  • Page 737

    Chapter 50 Troubleshooting ZyWALL USG 20/20W User’s Guide 737 I uploaded a logo to use as the screen or window background but it does not display properly. Make sure the logo file is a GIF, JPG, or PNG of 100 kilobytes or less. The ZyWALL’s traffic throughput rate decreased after I started collecting traffic statistics. Data collection ma[...]

  • Page 738

    Chapter 50 Troubleshooting ZyWALL USG 20/20W User’s Guide 738 See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it. My packet capture captured less than I wanted or failed. The packet capture screen’s File Size sets a maximum size limit for the total combined size of all the capture[...]

  • Page 739

    Chapter 50 Troubleshooting ZyWALL USG 20/20W User’s Guide 739 2 Press the RESET button and hold it until the SYS LED begins to blink. (This usually takes about five seconds.) 3 Release the RESET button, and wait for the ZyWALL to restart. You should be able to access the ZyWALL using the default settings. 50.2 Getting More Troubleshooting [...]

  • Page 740

    Chapter 50 Troubleshooting ZyWALL USG 20/20W User’s Guide 740[...]

  • Page 741

    ZyWALL USG 20/20W User’s Guide 741 CHAPTER 51 Product Specifications The following specifications are subject to change without notice. See Chapter 2 on page 37 for a general overview of key features. This table provides basic device specifications. This table provides hardware specifications. It is recommended that you do NOT wall-mou[...]

  • Page 742

    Chapter 51 Product Specifications ZyWALL USG 20/20W User’s Guide 742 This table gives details about the ZyWALL’s features. Table 230 ZyWALL Feature Specifications FEATURE # of MAC 5 (USG 20) 6 (USG 20W) Flash Size 128 DRAM Size 256 INTERFACE VLAN 8 Virtual (alias) 4 per interface PPP (system default) 1 PPP (user created) 2 Bridge 2 ROUTIN[...]

  • Page 743

    Chapter 51 Product Specifications ZyWALL USG 20/20W User’s Guide 743 Service Groups 50 Maximum service object in one group 64 Schedule Objects 16 ISP Account 4 Maximum Number of LDAP Groups 2 Maximum Number of LDAP Servers for Each LDAP Group 2 Maximum Number of RADIUS Groups 2 Maximum Number of RADIUS Servers for Each RADIUS Group 2 Maximum AD[...]

  • Page 744

    Chapter 51 Product Specifications ZyWALL USG 20/20W User’s Guide 744 The following table, which is not exhaustive, lists standards referenced by ZyWALL features. CONTENT FILTER Maximum Number of Content Filter Policies 8 Maximum Number of Content Filter Profiles 8 Maximum Number of Forbidden Domain Entries 64 per profile Maximum Number of Tru[...]

  • Page 745

    Chapter 51 Product Specifications ZyWALL USG 20/20W User’s Guide 745 51.1 Power Adaptor Specifications Built-in service, DNS server RFCs 1034, 1035, 1123, 1183, 1535, 1536, 1706, 1712, 1750, 1876, 1982, 1995, 1996, 2136, 2163, 2181, 2230, 2308, 2535, 2536, 2537, 2538, 2539, 2671, 2672, 2673, 2782, 3007, 3090 Built-in service, DHCP server [...]

  • Page 746

    Chapter 51 Product Specifications ZyWALL USG 20/20W User’s Guide 746 Table 233 European Plug Standards AC POWER ADAPTOR MODEL PSA18R-120P (ZE)-R INPUT POWER 100-240VAC, 50/60HZ, 0.5A OUTPUT POWER 12VDC, 1.5A POWER CONSUMPTION 20 W MAX. SAFETY STANDARDS TUV, CE (EN 60950-1) Table 234 United Kingdom Plug Standards AC POWER ADAPTOR MODEL P[...]

  • Page 747

    ZyWALL USG 20/20W User’s Guide 747 APPENDIX A Log Descriptions This appendix provides descriptions of example log messages for the ZLD-based ZyWALLs. The logs do not all apply to all of the ZLD-based ZyWALLs. You will not necessarily see all of these logs in your device. Table 238 Content Filter Logs LOG MESSAGE DESCRIPTION Content fi[...]

  • Page 748

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 748 Table 240 Blocked Web Site Logs LOG MESSAGE DESCRIPTION %s :%s The rating server responded that the web site is in a specified category and access was blocked according to a content filter profile. 1st %s: website host 2nd %s: website category %s: Unrated The rating server respond[...]

  • Page 749

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 749 %s: Proxy mode is detected The system detected a proxy connection and blocked access according to a profile. %s: website host %s: Forbidden Web site The web site is in forbidden web site list. %s: website host %s: Keyword blocking The web content matched a user defined keyword. %s: we[...]

  • Page 750

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 750 Black List checking has been activated. The anti-spam black list has been turned on. Black List checking has been deactivated. The anti-spam black list has been turned off. Black List rule %d has been added. The anti-spam black list rule with the specified index number (%d) has b[...]

  • Page 751

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 751 Table 242 SSL VPN Logs LOG MESSAGE DESCRIPTION %s %s from %s has logged in SSLVPN A user has logged into SSL VPN. The first %s is the type of user account. The second %s is the user’s user name. The third %s is the name of the service the user is using (HTTP or HTTPS). %s %s fro[...]

  • Page 752

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 752 The %s address-object is wrong type for 'network' in SSL Policy %s. The listed address object (first %s) is not the right kind to be specified as a network in the listed SSL VPN policy (second %s). The SSL VPN policy %s has been changed 'ip-pool' value. The [...]

  • Page 753

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 753 %s %s from %s has been logged out SSLVPN (re-auth timeout) The specified user was signed out by the device due to a re-authentication timeout. The first %s is the type of user account. The second %s is the user’s user name. The third %s is the name of the service the user is usi[...]

  • Page 754

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 754 The ZySH logs deal with internal system errors. Table 243 ZySH Logs LOG MESSAGE DESCRIPTION Invalid message queue. Maybe someone starts another zysh daemon. ZySH daemon is instructed to reset by %d 1st:pid num System integrity error! Group OPS cannot close property group cannot c[...]

  • Page 755

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 755 Can't remove %s 1st:zysh list name Table OPS %s: cannot retrieve entries from table! 1st:zysh table name %s: index is out of range! 1st:zysh table name %s: cannot set entry #%d 1st:zysh table name,2st: zysh entry num %s: table is full! 1st:zysh table name %s: invalid old/new inde[...]

  • Page 756

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 756 Table 244 ADP Logs LOG MESSAGE DESCRIPTION from <zone> to <zone> [type=<type>] <message> , Action: <action>, Severity: <severity> The ZyWALL detected an anomaly in traffic traveling between the specified zones. The <type> = {scan-detecti[...]

  • Page 757

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 757 Table 245 User Logs LOG MESSAGE DESCRIPTION %s %s from %s has logged in ZyWALL A user logged into the ZyWALL. 1st %s: The type of user account. 2nd %s: The user’s user name. 3rd %s: The name of the service the user is using (HTTP, HTTPS, FTP, Telnet, SSH, or console).[...]

  • Page 758

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 758 Failed login attempt to ZyWALL from %s (login on a lockout address) A login attempt came from an IP address that the ZyWALL has locked out. %u.%u.%u.%u: the source address of the user’s login attempt Failed login attempt to ZyWALL from %s (reach the max. number of user) The Zy[...]

  • Page 759

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 759 Registration has failed. Because of lack must fields. The device received an incomplete response from the myZyXEL.com server and it caused a parsing error for the device. %s:Trial service activation has failed:%s. Trial service activation failed for the specified service, an erro[...]

  • Page 760

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 760 Do device register. The device started device registration. Do trial service activation. The device started trial service activation. Do standard service activation. The device started standard service activation. Do expiration check. The device started the service expiration da [...]

  • Page 761

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 761 Build query message failed. Some information was missing in the packets that the device sent to the server. Resolve server IP has failed. The device could not resolve the myZyXEL.com server's FQDN to an IP address through gethostbyname(). Connect to MyZyXEL.com server has fai[...]

  • Page 762

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 762 Content-Filter service has expired. The content filtering service period has expired. The device can find this through either a service expiration day check via MyZyXEL.com server or by the device’s own count. Unknown TLS/SSL version: %d. The device only supports SSL v3 protoc[...]

  • Page 763

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 763 [DPD] No response from peer. Using existing Phase-1 SA in %u seconds. Trying with Phase-1 rekey. The device’s DPD feature has not detected a response from the remote IPSec router. %u is the retry time. [HASH] : Tunnel [%s] Phase 1 hash mismatch %s is the tunnel name. When negotiat[...]

  • Page 764

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 764 [SA] : Tunnel [%s] Phase 1 key group mismatch %s is the tunnel name. When negotiating Phase-1, the DH group of the attribute list `attrs' did not match the security policy. [SA] : Tunnel [%s] Phase 1 negotiation mode mismatch %s is the tunnel name. When negotiating Phase-1, t[...]

  • Page 765

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 765 IKE Packet Retransmit When retransmitting the IKE packets. Phase 1 IKE SA process done When Phase 1 negotiation is complete. Recv Main Mode request from [%s] %s is the remote name; When receiving a request to enter Main mode. Recv Aggressive Mode request from [%s] %s is the remote nam[...]

  • Page 766

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 766 XAUTH succeed! My name: %s %s is the my xauth name. This indicates that my name is valid. XAUTH succeed! Remote user: %s %s is the remote xauth name. This indicates that a remote user’s name is valid. Dynamic Tunnel [%s:%s:0x%x:%s] built successfully The variables represent the ph[...]

  • Page 767

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 767 Outbound transform operation fail After encryption or hardware accelerated processing, the hardware accelerator dropped a packet (e.g., resource overflow, corrupt packet, and so on). Packet too big with Fragment Off An outgoing packet needed to be transformed, but the fragment fla[...]

  • Page 768

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 768 Firewall %s %s rule %d has been moved to %d. 1st %s is from zone, 2nd %s is to zone, 1st %d is the old index of the rule 2nd %d is the new index of the rule Firewall %s %s rule %d has been deleted. 1st %s is from zone, 2nd %s is to zone, %d is the index of the rule Firewall %s %s r[...]

  • Page 769

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 769 The policy route %d uses empty source address group! Use an empty object group. %d: the policy route rule number The policy route %d uses empty destination address group! Use an empty object group. %d: the policy route rule number The policy route %d uses empty service group Use an em[...]

  • Page 770

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 770 Table 252 Built-in Services Logs LOG MESSAGE DESCRIPTION User on %u.%u.%u.%u has been denied access from %s HTTP/HTTPS/TELNET/SSH/FTP/SNMP access to the device was denied. %u.%u.%u.%u is IP address %s is HTTP/HTTPS/SSH/SNMP/FTP/TELNET HTTPS certificate:%s does not exist. HT[...]

  • Page 771

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 771 SNMP port has been changed to port %s. An administrator changed the port number for SNMP. %s is port number assigned by user SNMP port has been changed to default port. An administrator changed the port number for SNMP back to the default (161). Console baud has been changed to %s. [...]

  • Page 772

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 772 DNS access control rule %u has been moved to %d. An administrator moved the rule %u to index %d. %u is previous index %d variable is current index The default record of Zone Forwarder have reached the maximum number of 128 DNS servers. The default record DNS servers is more than 1[...]

  • Page 773

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 773 Access control rule %u of %s was modified. An access control rule was modified successfully. %u is the index of the access control rule. %s is HTTP/HTTPS/SSH/SNMP/FTP/TELNET. Access control rule %u of %s was deleted. An access control rule was removed successfully. %u is the inde[...]

  • Page 774

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 774 DHCP Server executed with cautious mode disabled DHCP Server executed with cautious mode disabled. Received packet is not an ARP response packet A packet was received but it is not an ARP response packet. Receive an ARP response The device received an ARP response. Receive ARP res[...]

  • Page 775

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 775 Device is rebooted by administrator! An administrator restarted the device. Insufficient memory. Cannot allocate system memory. Connect to dyndns server has failed. Cannot connect to members.dyndns.org to update DDNS. Update the profile %s has failed because of strange server respon[...]

  • Page 776

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 776 Update the profile %s has failed because the feature requested is only available to donators. Update profile failed because the feature requested is only available to donators, %s is the profile name. Update the profile %s has failed because of error response. Update profile faile[...]

  • Page 777

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 777 DDNS profile %s has been renamed as %s. Rename DDNS profile, 1st %s is the original profile name, 2nd %s is the new profile name. DDNS profile %s has been deleted. Delete DDNS profile, %s is the profile name, DDNS Initialization has failed. Initialize DDNS failed, All DDNS profiles ar[...]

  • Page 778

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 778 The connectivity-check is activate for %s interface The link status of interface is still activate after check of connectivity check process. %s: interface name The connectivity-check is fail for %s interface The link status of interface is fail after check of connectivity check [...]

  • Page 779

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 779 Can't get MAC address of %s interface! The connectivity check process can't get MAC address of interface. %s: interface name To send ARP REQUEST error! The connectivity check process can't send ARP request packet. The %s routing status seted to DEAD by connectivity-chec[...]

  • Page 780

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 780 RIP redistribute static routes has been enabled. RIP redistribute static routes has been enabled. RIP on interface %s has been deactivated. RIP on interface %s has been deactivated. %s: Interface Name RIP direction on interface %s has been changed to BiDir. RIP direction on inter[...]

  • Page 781

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 781 Invalid OSPF %s authentication of area %s. OSPF md5 or text authentication has been set without setting md5 authentication id and key, or text authentication key first. Invalid OSPF virtual-link %d md5 authentication of area %s. Virtual-link %s md5 authentication has been set witho[...]

  • Page 782

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 782 %s SIP ALG has succeeded. The SIP ALG has been turned on or off. %s: Enable or Disable Extra signal port of SIP ALG has been modified. Extra SIP ALG port has been changed. Signal port of SIP ALG has been modified. Default SIP ALG port has been changed. Register SIP ALG extra port=[...]

  • Page 783

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 783 Prepare to import "%s" into "My Certificate" %s is the name of a certificate request. Prepare to import "%s" into Trusted Certificate" %s is the name of a certificate request. CMP enrollment "%s" successfully, CA "%s", URL "%[...]

  • Page 784

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 784 Export X509 certificate "%s" from "My Certificate" failed The device was not able to export a x509 format certificate from My Certificates. %s is the certificate request name. Export X509 certificate "%s" from "Trusted Certificate" failed The[...]

  • Page 785

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 785 15 CRL is too old. 16 CRL is not valid. 17 CRL signature was not verified correctly. 18 CRL was not found (anywhere). 19 CRL was not added to the cache. 20 CRL decoding failed. 21 CRL is not currently valid, but in the future. 22 CRL contains duplicate serial numbers. 23 Time inter[...]

  • Page 786

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 786 (%s MTU - 8) < %s MTU, %s may not work correctly. An administrator configured ethernet, vlan or bridge and this interface is base interface of PPP interface. PPP interface MTU > (base interface MTU - 8), PPP interface may not run correctly because PPP packets will be fragmen[...]

  • Page 787

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 787 Interface %s is disconnected. A PPP interface disconnected successfully. %s: interface name. Interface %s connect failed: Peer not responding. The interface’s connection will be terminated because the server did not send any LCP packets. %s: interface name. Interface %s connect f[...]

  • Page 788

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 788 "SIM card of interface cellular%d in %s is damaged or not inserted. Please remove the device, then check the SIM card. The SIM card for the cellular device associated with the listed cellular interface (%d) cannot be detected. The SIM card may be missing, not inserted proper[...]

  • Page 789

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 789 Interface cellular%d required authentication password.Please set password in cellular%d edit page. You need to manually enter the password for the listed cellular interface (%d). "Cellular%d (IMSI=%s or ESN=%s) over time budget!(budget = %d seconds). The listed cellular interfac[...]

  • Page 790

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 790 Duplicated interface name. A duplicate name was not permitted for an interface. This Interface can not be renamed. An interface’s name cannot be changed. Virtual interface is not supported on this type of interface. A virtual interface was not created on an interface because the[...]

  • Page 791

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 791 name=%s,status=%s,TxPkts=%u, RxPkts=%u,Colli.=%u,TxB/s=%u, RxB/s=%u,UpTime=%s This log is sent to the VRPT server to show the specified PPP/Cellular interface’s statistics and uptime. The arguments represent the interface name, interface status, interface Tx packets, interface R[...]

  • Page 792

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 792 Station association has failed. Maximum associations have reached the maximum number. Interface: %s, MAC: %s. A wireless client with the specified MAC address (second %s) failed to connect to the specified WLAN interface (first %s) because the WLAN interface already has its maximum[...]

  • Page 793

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 793 Table 261 Port Grouping Logs LOG MESSAGE DESCRIPTION Interface %s links up because of changing Port Group. Enable DHCP client. An administrator used port-grouping to assign a port to a representative Interface and this representative interface is set to DHCP client and only has on[...]

  • Page 794

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 794 ERROR:#%s, %s Run script failed, this log will be what wrong CLI command is and what error message is. 1st %s is CLI command. 2nd %s is error message when apply CLI command. WARNING:#%s, %s Run script failed, this log will be what wrong CLI command is and what warning message is. [...]

  • Page 795

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 795 Table 265 E-mail Daily Report Logs LOG MESSAGE DESCRIPTION Email Daily Report has been activated. The daily e-mail report function has been turned on. The ZyWALL will e-mail a daily report about the selected items at the scheduled time if the required settings are configured correc[...]

  • Page 796

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 796 Table 267 Auth. Policy Logs LOG MESSAGE DESCRIPTION Auth. Policy featuer is disabled. The auth. policy feature is not enabled. Auth. policy %d is disabled. The specified auth. policy rule is not activated. System integrity error! The ZyWALL cannot get the auth. policy rule an[...]

  • Page 797

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 797 Windows version check fail in %s A user’s computer did not match the Windows version check in the specified EPS object. EPS checking result is pass. A user’s computer passed the EPS check. Table 268 EPS Logs LOG MESSAGE DESCRIPTION[...]

  • Page 798

    Appendix A Log Descriptions ZyWALL USG 20/20W User’s Guide 798[...]

  • Page 799

    ZyWALL USG 20/20W User’s Guide 799 APPENDIX B Common Services The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Number Authority) web site. • Name: This is a short, descrip [...]

  • Page 800

    Appendix B Common Services ZyWALL USG 20/20W User’s Guide 800 ESP (IPSEC_TUNNEL) User-Defined 50 The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service. FINGER TCP 79 Finger is a UNIX or Internet related command that can be used to find out if a user is logged on. FTP TCP TCP 20 21 File Transfer Program, a progr[...]

  • Page 801

    Appendix B Common Services ZyWALL USG 20/20W User’s Guide 801 PPTP TCP 1723 Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the control channel. PPTP_TUNNEL (GRE) User-Defined 47 PPTP (Point-to-Point Tunneling Protocol) enables secure transfer of data over public networks. This is the data ch[...]

  • Page 802

    Appendix B Common Services ZyWALL USG 20/20W User’s Guide 802 TFTP UDP 69 Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol). VDOLIVE TCP 7000 Another videoconferencing solution. Table 269 Commonly Used Services (con[...]

  • Page 803

    ZyWALL USG 20/20W User’s Guide 803 APPENDIX C Wireless LANs Wireless LAN Topologies This section discusses ad-hoc and infrastructure wireless LAN topologies. Ad-hoc Wireless LAN Configuration The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two o[...]

  • Page 804

    Appendix C Wireless LANs ZyWALL USG 20/20W User’s Guide 804 with each other. When Intra-BSS is disabled, wireless client A and B can still access the wired network but cannot communicate with each other. Figure 450 Basic Service Set ESS An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, w[...]

  • Page 805

    Appendix C Wireless LANs ZyWALL USG 20/20W User’s Guide 805 An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate. Figure 451 Infrastructure WLAN Channel A channel is the radio frequency(ies) used by wireless [...]

  • Page 806

    Appendix C Wireless LANs ZyWALL USG 20/20W User’s Guide 806 wireless gateway, but out-of-range of each other, so they cannot "hear" each other, that is they do not know if the channel is currently being used. Therefore, they are considered hidden from each other. Figure 452 RTS/CTS When station A sends data to the AP, it mi[...]

  • Page 807

    Appendix C Wireless LANs ZyWALL USG 20/20W User’s Guide 807 Note: Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy. Fragmentation Threshold A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes) that can be se[...]

  • Page 808

    Appendix C Wireless LANs ZyWALL USG 20/20W User’s Guide 808 (and vice versa) at 11 Mbps or lower depending on range. IEEE 802.11g has several intermediate rate steps between the maximum and minimum data rates. The IEEE 802.11g data rate and modulation are as follows: Wireless Security Overview Wireless security is vital to your network to p[...]

  • Page 809

    Appendix C Wireless LANs ZyWALL USG 20/20W User’s Guide 809 accounting and control features. It is supported by Windows XP and a number of network devices. Some advantages of IEEE 802.1x are: • User based identification that allows for roaming. • Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for central [...]

  • Page 810

    Appendix C Wireless LANs ZyWALL USG 20/20W User’s Guide 810 The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting: • Accounting-Request Sent by the access point requesting accounting. • Accounting-Response Sent by the RADIUS server to indicate that it has st[...]

  • Page 811

    Appendix C Wireless LANs ZyWALL USG 20/20W User’s Guide 811 authentication method does not support data encryption with dynamic session key. You must configure WEP encryption keys for data encryption. EAP-TLS (Transport Layer Security) With EAP-TLS, digital certifications are needed by both the server and the wireless clients for mutual[...]

  • Page 812

    Appendix C Wireless LANs ZyWALL USG 20/20W User’s Guide 812 Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name a[...]

  • Page 813

    Appendix C Wireless LANs ZyWALL USG 20/20W User’s Guide 813 use Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP) to offer stronger encryption than TKIP. TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server. AES (Adva[...]

  • Page 814

    Appendix C Wireless LANs ZyWALL USG 20/20W User’s Guide 814 authentication. These two features are optional and may not be supported in all wireless devices. Key caching allows a wireless client to store the PMK it derived through a successful authentication with an AP. The wireless client uses the PMK when it tries to connect to the sa[...]

  • Page 815

    Appendix C Wireless LANs ZyWALL USG 20/20W User’s Guide 815 4 The RADIUS server distributes the PMK to the AP. The AP then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys. The keys are used to encrypt every data packet that is wirelessly communicated between the AP and the wi[...]

  • Page 816

    Appendix C Wireless LANs ZyWALL USG 20/20W User’s Guide 816 4 The AP and wireless clients use the TKIP or AES encryption process, the PMK and information exchanged in a handshake to create temporal encryption keys. They use these keys to encrypt data exchanged between them. Figure 454 WPA(2)-PSK Authentication Security Parameters Summary Refer[...]

  • Page 817

    Appendix C Wireless LANs ZyWALL USG 20/20W User’s Guide 817 Antenna Overview An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air. Positioning the antennas prope[...]

  • Page 818

    Appendix C Wireless LANs ZyWALL USG 20/20W User’s Guide 818 • Omni-directional antennas send the RF signal out in all directions on a horizontal plane. The coverage area is torus-shaped (like a donut) which makes these antennas ideal for a room environment. With a wide coverage area, it is possible to make circular overlapping coverage[...]

  • Page 819

    ZyWALL USG 20/20W User’s Guide 819 APPENDIX D Importing Certificates This appendix shows you how to import public key certificates into your web browser. Public key certificates are used by web browsers to ensure that a secure web site is legitimate. When a certificate authority such as VeriSign, Comodo, or Network Solutions, to name a few[...]

  • Page 820

    Appendix D Importing Certificates ZyWALL USG 20/20W User’s Guide 820 1 If your device’s Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error. Figure 455 Internet Explorer 7: Certification Error 2 Click Continue to this website (not recommended). Figure 456 [...]

  • Page 821

    Appendix D Importing Certificates ZyWALL USG 20/20W User’s Guide 821 4 In the Certificate dialog box, click Install Certificate. Figure 458 Internet Explorer 7: Certificate 5 In the Certificate Import Wizard, click Next. Figure 459 Internet Explorer 7: Certificate Import Wizard[...]

  • Page 822

    Appendix D Importing Certificates ZyWALL USG 20/20W User’s Guide 822 6 If you want Internet Explorer to Automatically select certificate store based on the type of certificate, click Next again and then go to step 9. Figure 460 Internet Explorer 7: Certificate Import Wizard 7 Otherwise, select Place all certificates in the following store an[...]

  • Page 823

    Appendix D Importing Certificates ZyWALL USG 20/20W User’s Guide 823 8 In the Select Certificate Store dialog box, choose a location in which to save the certificate and then click OK. Figure 462 Internet Explorer 7: Select Certificate Store 9 In the Completing the Certificate Import Wizard screen, click Finish. Figure 463 Internet Explorer [...]

  • Page 824

    Appendix D Importing Certificates ZyWALL USG 20/20W User’s Guide 824 10 If you are presented with another Security Warning, click Yes. Figure 464 Internet Explorer 7: Security Warning 11 Finally, click OK when presented with the successful certificate installation message. Figure 465 Internet Explorer 7: Certificate Import Wizard 12 The ne[...]

  • Page 825

    Appendix D Importing Certificates ZyWALL USG 20/20W User’s Guide 825 Installing a Stand-Alone Certificate File in Internet Explorer Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you. 1 Double-click the pub[...]

  • Page 826

    Appendix D Importing Certificates ZyWALL USG 20/20W User’s Guide 826 1 Open Internet Explorer and click Tools > Internet Options. Figure 469 Internet Explorer 7: Tools Menu 2 In the Internet Options dialog box, click Content > Certificates. Figure 470 Internet Explorer 7: Internet Options[...]

  • Page 827

    Appendix D Importing Certificates ZyWALL USG 20/20W User’s Guide 827 3 In the Certificates dialog box, click the Trusted Root Certificates Authorities tab, select the certificate that you want to delete, and then click Remove. Figure 471 Internet Explorer 7: Certificates 4 In the Certificates confirmation, click Yes. Figure 472 Internet Exp[...]

  • Page 828

    Appendix D Importing Certificates ZyWALL USG 20/20W User’s Guide 828 6 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. Firefox The following example uses Mozilla Firefox 2 on Windows XP Professional; however, the screens can also apply to Firefox 2 on all platforms. 1 [...]

  • Page 829

    Appendix D Importing Certificates ZyWALL USG 20/20W User’s Guide 829 3 The certificate is stored and you can now connect securely to the Web Configurator. A sealed padlock appears in the address bar, which you can click to open the Page Info > Security window to view the web page’s security information. Figure 475 Firefox 2: Page Info[...]

  • Page 830

    Appendix D Importing Certificates ZyWALL USG 20/20W User’s Guide 830 1 Open Firefox and click Tools > Options. Figure 476 Firefox 2: Tools Menu 2 In the Options dialog box, click Advanced > Encryption > View Certificates. Figure 477 Firefox 2: Options[...]

  • Page 831

    Appendix D Importing Certificates ZyWALL USG 20/20W User’s Guide 831 3 In the Certificate Manager dialog box, click Web Sites > Import. Figure 478 Firefox 2: Certificate Manager 4 Use the Select File dialog box to locate the certificate and then click Open. Figure 479 Firefox 2: Select File 5 The next time you visit the web site, clic[...]

  • Page 832

    Appendix D Importing Certificates ZyWALL USG 20/20W User’s Guide 832 Removing a Certificate in Firefox This section shows you how to remove a public key certificate in Firefox 2. 1 Open Firefox and click Tools > Options. Figure 480 Firefox 2: Tools Menu 2 In the Options dialog box, click Advanced > Encryption > View Certificates. [...]

  • Page 833

    Appendix D Importing Certificates ZyWALL USG 20/20W User’s Guide 833 3 In the Certificate Manager dialog box, select the Web Sites tab, select the certificate that you want to remove, and then click Delete. Figure 482 Firefox 2: Certificate Manager 4 In the Delete Web Site Certificates dialog box, click OK. Figure 483 Firefox 2: Delete Web[...]

  • Page 834

    Appendix D Importing Certificates ZyWALL USG 20/20W User’s Guide 834 1 If your device’s Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error. 2 Click Install to accept the certificate. Figure 484 Opera 9: Certificate signer not found 3 The next time you vi [...]

  • Page 835

    Appendix D Importing Certificates ZyWALL USG 20/20W User’s Guide 835 Installing a Stand-Alone Certificate File in Opera Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you. 1 Open Opera and click Tools > [...]

  • Page 836

    Appendix D Importing Certificates ZyWALL USG 20/20W User’s Guide 836 2 In Preferences, click Advanced > Security > Manage certificates. Figure 487 Opera 9: Preferences[...]

  • Page 837

    Appendix D Importing Certificates ZyWALL USG 20/20W User’s Guide 837 3 In the Certificates Manager, click Authorities > Import. Figure 488 Opera 9: Certificate manager 4 Use the Import certificate dialog box to locate the certificate and then click Open. Figure 489 Opera 9: Import certificate[...]

  • Page 838

    Appendix D Importing Certificates ZyWALL USG 20/20W User’s Guide 838 5 In the Install authority certificate dialog box, click Install. Figure 490 Opera 9: Install authority certificate 6 Next, click OK. Figure 491 Opera 9: Install authority certificate 7 The next time you visit the web site, click the padlock in the address bar to open th[...]

  • Page 839

    Appendix D Importing Certificates ZyWALL USG 20/20W User’s Guide 839 1 Open Opera and click Tools > Preferences. Figure 492 Opera 9: Tools Menu 2 In Preferences, Advanced > Security > Manage certificates. Figure 493 Opera 9: Preferences[...]

  • Page 840

    Appendix D Importing Certificates ZyWALL USG 20/20W User’s Guide 840 3 In the Certificates manager, select the Authorities tab, select the certificate that you want to remove, and then click Delete. Figure 494 Opera 9: Certificate manager 4 The next time you go to the web site that issued the public key certificate you just removed, a [...]

  • Page 841

    Appendix D Importing Certificates ZyWALL USG 20/20W User’s Guide 841 2 Click Continue. Figure 495 Konqueror 3.5: Server Authentication 3 Click Forever when prompted to accept the certificate. Figure 496 Konqueror 3.5: Server Authentication 4 Click the padlock in the address bar to open the KDE SSL Information window and view the web page’s[...]

  • Page 842

    Appendix D Importing Certificates ZyWALL USG 20/20W User’s Guide 842 Installing a Stand-Alone Certificate File in Konqueror Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you. 1 Double-click the public ke[...]

  • Page 843

    Appendix D Importing Certificates ZyWALL USG 20/20W User’s Guide 843 3 The next time you visit the web site, click the padlock in the address bar to open the KDE SSL Information window to view the web page’s security details. Removing a Certificate in Konqueror This section shows you how to remove a public key certificate in Konqueror 3.5[...]

  • Page 844

    Appendix D Importing Certificates ZyWALL USG 20/20W User’s Guide 844 4 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. Note: There is no confirmation when you remove a certificate authority, so be absolutely certain you want to go through with it before clicking the b[...]

  • Page 845

    ZyWALL USG 20/20W User’s Guide 845 APPENDIX E Open Software Announcements End-User License Agreement for “ZyWALL USG 20” WARNING: ZyXEL Communications Corp. IS WILLING TO LICENSE THE SOFTWARE TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS LICENSE AGREEMENT. PLEASE READ THE TERMS CAREFULLY BEFOR[...]

  • Page 846

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 846 therein shall remain at all times with ZyXEL. Any other use of the Software by any other entity is strictly forbidden and is a violation of this License Agreement. 3. Copyright The Software and Documentation contain material that is protected by International Copyrig[...]

  • Page 847

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 847 You acknowledge that the Software contains proprietary trade secrets of ZyXEL and you hereby agree to maintain the confidentiality of the Software using at least as great a degree of care as you use to maintain the confidentiality of your own most confidential inf[...]

  • Page 848

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 848 THIS LICENSE AGREEMENT IS EXPRESSLY MADE SUBJECT TO ANY APPLICABLE LAWS, REGULATIONS, ORDERS, OR OTHER RESTRICTIONS ON THE EXPORT OF THE SOFTWARE OR INFORMATION ABOUT SUCH SOFTWARE WHICH MAY BE IMPOSED FROM TIME TO TIME. YOU SHALL NOT EXPORT THE SOFTWARE, DOC[...]

  • Page 849

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 849 NOTE: Some components of this product incorporate source code covered under the open source code licenses. Further, for at least three (3) years from the date of distribution of the applicable product or software, we will give to anyone who contacts us at the ZyXEL[...]

  • Page 850

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 850 The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF M[...]

  • Page 851

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 851 ------------ --- /* ================== =============== ================= * Copyright (c) 1998-2008 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following c[...]

  • Page 852

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 852 * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * ack[...]

  • Page 853

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 853 * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ Original SSLeay License ------------ ----------- /* Copyright (C) 1995-1998 Eric Young (e[...]

  • Page 854

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 854 * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification[...]

  • Page 855

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 855 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BU[...]

  • Page 856

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 856 This is the BSD license without the obnoxious advertising clause. It's also known as the "modified BSD license." Note that the University of California now prefers this license to the BSD license with advertising clause, and now allows BSD itself to be u[...]

  • Page 857

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 857 OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. This Product includes httpd software developed by the Apache Software Foundation under Apache License. Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS F[...]

  • Page 858

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 858 work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work [...]

  • Page 859

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 859 (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the So[...]

  • Page 860

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 860 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be li[...]

  • Page 861

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 861 THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR[...]

  • Page 862

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 862 Public License is the better strategy to use in any particular case, based on the explanations below. When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to [...]

  • Page 863

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 863 derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library. [...]

  • Page 864

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 864 software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or [...]

  • Page 865

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 865 part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the [...]

  • Page 866

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 866 significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small ma[...]

  • Page 867

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 867 include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. It may happen that thi[...]

  • Page 868

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 868 License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free[...]

  • Page 869

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 869 NO WARRANTY 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS"[...]

  • Page 870

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 870 commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public L[...]

  • Page 871

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 871 copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of h[...]

  • Page 872

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 872 Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1[...]

  • Page 873

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 873 all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distr[...]

  • Page 874

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 874 Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the [...]

  • Page 875

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 875 The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyr[...]

  • Page 876

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 876 NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE [...]

  • Page 877

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 877 Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted. This Product includes libpng software under the Libpng License This copy of the libpng no[...]

  • Page 878

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 878 disclaimer and license as libpng-0.96, with the following individuals added to the list of Contributing Authors: Tom Lane Glenn Randers-Pehrson Willem van Schaik libpng versions 0.89, June 1996, through 0.96, May 1997, are Copyright (c) 1996, 1997 Andreas Dilger [...]

  • Page 879

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 879 2. Altered versions must be plainly marked as such and must not be misrepresented as being the original source. 3. This Copyright notice may not be removed or altered from any source or altered source distribution. The Contributing Authors and Group 42, Inc. specific[...]

  • Page 880

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 880 This Product includes pcmcia-cs software under the MPL License Mozilla Public License Version 1.1 1. Definitions. 1.0.1. "Commercial Use" means distribution or otherwise making the Covered Code available to a third party. 1.1. "Contributor" means ea[...]

  • Page 881

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 881 1.8.1. "Licensable" means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently acquired, any and all of the rights conveyed herein. 1.9. "Modifications" means any addition to or deleti[...]

  • Page 882

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 882 2.1. The Initial Developer Grant. The Initial Developer hereby grants You a world-wide, royalty-free, non-exclusive license, subject to third party intellectual property claims: a. under intellectual property rights (other than patent or trademark) Licensable by I[...]

  • Page 883

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 883 The Modifications which You create or to which You contribute are governed by the terms of this License, including without limitation Section 2.2. The Source Code version of Covered Code may be distributed only under the terms of this License or a future version of th[...]

  • Page 884

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 884 (b) Contributor APIs If Contributor's Modifications include an application programming interface and Contributor has knowledge of patent licenses which are reasonably necessary to implement that API, Contributor must also include this information in the legal file[...]

  • Page 885

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 885 alone, not by the Initial Developer or any Contributor. You hereby agree to indemnify the Initial Developer and every Contributor for any liability incurred by the Initial Developer or such Contributor as a result of any such terms You offer. 3.7. Larger Works. [...]

  • Page 886

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 886 "MOZILLAPL", "MOZPL", "Netscape", "MPL", "NPL" or any confusingly similar phrase do not appear in your license (except to note that your license differs from this License) and (b) otherwise make it clear that Your vers[...]

  • Page 887

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 887 payment arrangement are not mutually agreed upon in writing by the parties or the litigation claim is not withdrawn, the rights granted by Participant to You under Sections 2.1 and/or 2.2 automatically terminate at the expiration of the 60 day notice period specif[...]

  • Page 888

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 888 11. Miscellaneous This License represents the complete agreement concerning subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. This License shall be [...]

  • Page 889

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 889 The Original Code is ______________________________ ________. The Initial Developer of the Original Code is ________________________. Portions created by ______________________ are Copyright (C) ______ _______________________. All Rights Reserved. Contributor(s): ________[...]

  • Page 890

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 890 End-User License Agreement for “ZyWALL USG 20W” WARNING: ZyXEL Communications Corp. IS WILLING TO LICENSE THE SOFTWARE TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS LICENSE AGREEMENT. PLEASE READ THE TERMS CAREFULLY BEFORE[...]

  • Page 891

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 891 4. Restrictions You may not publish, display, disclose, sell, rent, lease, modify, store, loan, distribute, or create derivative works of the Software, or any part thereof. You may not assign, sublicense, convey or otherwise transfer, pledge as security or oth[...]

  • Page 892

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 892 THE SOFTWARE IS PROVIDED "AS IS." TO THE MAXIMUM EXTENT PERMITTED BY LAW, ZyXEL DISCLAIMS ALL WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR P[...]

  • Page 893

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 893 ZyXEL SHALL HAVE THE RIGHT, AT ITS OWN EXPENSE, UPON REASONABLE PRIOR NOTICE, TO PERIODICALLY INSPECT AND AUDIT YOUR RECORDS TO ENSURE YOUR COMPLIANCE WITH THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT. 10. Termination This License Agreement is effective unt[...]

  • Page 894

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 894 be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, except the express written permission of ZyXEL Communications Corporation. This Product includes ntp software under the NTP License NTP License Copyright (c) David L.[...]

  • Page 895

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 895 an X11-style license This is a Free Software License This license is compatible with The GNU General Public License, Version 1 This license is compatible with The GNU General Public License, Version 2 This is just like a Simple Permissive license, but it requires that[...]

  • Page 896

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 896 * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the followi[...]

  • Page 897

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 897 * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES[...]

  • Page 898

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 898 Original SSLeay License ----------------------- /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform[...]

  • Page 899

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 899 * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer[...]

  • Page 900

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 900 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN[...]

  • Page 901

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 901 • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. • Neither the name of [original copyright holder] nor the [...]

  • Page 902

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 902 TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright [...]

  • Page 903

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 903 by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shal[...]

  • Page 904

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 904 within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes[...]

  • Page 905

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 905 rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmles[...]

  • Page 906

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 906 This software consists of voluntary contributions made by many individuals on behalf of the Apache Software Foundation. For more information on the Apache Software Foundation, please see <http://www.apache.org/>. Portions of this software are based upon [...]

  • Page 907

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 907 translate to certain responsibilities for you if you distribute copies of the library or if you modify it. For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must mak[...]

  • Page 908

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 908 For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a f[...]

  • Page 909

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 909 are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that[...]

  • Page 910

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 910 3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, [...]

  • Page 911

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 911 6. As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit [...]

  • Page 912

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 912 7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work [...]

  • Page 913

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 913 other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution sy[...]

  • Page 914

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 914 LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY [...]

  • Page 915

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 915 or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain resp[...]

  • Page 916

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 916 publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. Yo[...]

  • Page 917

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 917 a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least thr[...]

  • Page 918

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 918 herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (wheth[...]

  • Page 919

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 919 Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR TH[...]

  • Page 920

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 920 Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. Neither the name of the University nor of the Laboratory may [...]

  • Page 921

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 921 This Product includes openldap software under the OpenLdap License The Public License Version 2.8, 17 August 2003 Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that th[...]

  • Page 922

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 922 This copy of the libpng notices is provided for your convenience. In case of any discrepancy between this copy and the notices in the file png.h that is included in the libpng distribution, the latter shall prevail. COPYRIGHT NOTICE, DISCLAIMER, and LICENSE: If you mo[...]

  • Page 923

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 923 libpng-0.88, with the following individuals added to the list of Contributing Authors: John Bowler Kevin Bracey Sam Bushell Magnus Holmgren Greg Roelofs Tom Tanner libpng versions 0.5, May 1995, through 0.88, January 1996, are Copyright (c) 1995, 1996 Guy Eric[...]

  • Page 924

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 924 format in commercial products. If you use this source code in a product, acknowledgment is not required but would be appreciated. A "png_get_copyright" function is available, for convenient use in "about" boxes and the like: printf("%s",p[...]

  • Page 925

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 925 1.0.1. "Commercial Use" means distribution or otherwise making the Covered Code available to a third party. 1.1. "Contributor" means each entity that creates or contributes to the creation of Modifications. 1.2. "Contributor Version" means[...]

  • Page 926

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 926 1.9. "Modifications" means any addition to or deletion from the substance or structure of either the Original Code or any previous Modifications. When Covered Code is released as a series of files, a Modification is: a. Any addition to or deletion from the cont[...]

  • Page 927

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 927 The Initial Developer hereby grants You a world-wide, royalty-free, non-exclusive license, subject to third party intellectual property claims: a. under intellectual property rights (other than patent or trademark) Licensable by Initial Developer to use, reproduc [...]

  • Page 928

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 928 The Modifications which You create or to which You contribute are governed by the terms of this License, including without limitation Section 2.2. The Source Code version of Covered Code may be distributed only under the terms of this License or a future version of t[...]

  • Page 929

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 929 (b) Contributor APIs If Contributor's Modifications include an application programming interface and Contributor has knowledge of patent licenses which are reasonably necessary to implement that API, Contributor must also include this information in the legal file.[...]

  • Page 930

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 930 alone, not by the Initial Developer or any Contributor. You hereby agree to indemnify the Initial Developer and every Contributor for any liability incurred by the Initial Developer or such Contributor as a result of any such terms You offer. 3.7. Larger Works.[...]

  • Page 931

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 931 "MOZILLAPL", "MOZPL", "Netscape", "MPL", "NPL" or any confusingly similar phrase do not appear in your license (except to note that your license differs from this License) and (b) otherwise make it clear that Your versi[...]

  • Page 932

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 932 payment arrangement are not mutually agreed upon in writing by the parties or the litigation claim is not withdrawn, the rights granted by Participant to You under Sections 2.1 and/or 2.2 automatically terminate at the expiration of the 60 day notice period speci[...]

  • Page 933

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 933 11. Miscellaneous This License represents the complete agreement concerning subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. This License shall be g[...]

  • Page 934

    Appendix E Open Software Announcements ZyWALL USG 20/20W User’s Guide 934 The Original Code is ______________________________ ________. The Initial Developer of the Original Code is ________________________. Portions created by ______________________ are Copyright (C) ______ _______________________. All Rights Reserved. Contributor(s): _______[...]

  • Page 935

    ZyWALL USG 20/20W User’s Guide 935 APPENDIX F Legal Information Copyright Copyright © 2011 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electro[...]

  • Page 936

    Appendix F Legal Information ZyWALL USG 20/20W User’s Guide 936 • This device may not cause harmful interference. • This device must accept any interference received, including interference that may cause undesired operations. This device has been tested and found to comply with the limits for a Class B digital device pursuant to Part 1[...]

  • Page 937

    Appendix F Legal Information ZyWALL USG 20/20W User’s Guide 937 Notices Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment. This Class B digital apparatus complies with Canadian ICES-003. Cet appareil numérique de la classe B est conforme à [...]

  • Page 938

    Appendix F Legal Information ZyWALL USG 20/20W User’s Guide 938 To obtain the services of this warranty, contact your vendor. You may also refer to the warranty policy for the region in which you bought the device at http://www.zyxel.com/web/support_warranty_info.php. Registration Register your product online to receive e-m[...]

  • Page 939

    Index ZyWALL USG 20/20W User’s Guide 939 Index Symbols Numerics 3322 Dynamic DNS 331 3DES 416 3G 111 3G see also cellular 239 A AAA Base DN 576 Bind DN 576, 579 directory structure 575 Distinguished Name, see DN DN 576, 577, 579, 580 password 579 port 578, 581 search time limit 579 SSL 579 AAA server 573 AD 575 and users 540 directory servic[...]

  • Page 940

    Index ZyWALL USG 20/20W User’s Guide 940 and VPN connections 394 and WWW 650 HOST 555 RANGE 556 SUBNET 556 types of 555 where used 104 address record 640 admin user troubleshooting 735 admin users 539 multiple logins 550 see also users 539 ADP 467 base profiles 468, 471 configuration overview 102 false negatives 472 false positives 472 inline [...]

  • Page 941

    Index ZyWALL USG 20/20W User’s Guide 941 double-encoding 484 IIS-backslash-evasion 484 IIS-unicode-codepoint-encoding 484 multi-slash-encoding 484 network-based 38 non-RFC-defined-char 484 non-RFC-HTTP-delimiter 484 obsolete-options 485 oversize-chunk-encoding 484 oversize-len 485 oversize-offset 485 oversize-request-uri-directory 484 self[...]

  • Page 942

    Index ZyWALL USG 20/20W User’s Guide 942 cellular 111, 239 APN 243 band selection 246 interfaces 218 signal quality 194, 195 SIM card 244 status 195 system 194, 195 troubleshooting 729, 730 Centralized Network Management see Vantage CNM 630, 674 certificate troubleshooting 736 Certificate Authority (CA) 811 see certificates Certificate Ma[...]

  • Page 943

    Index ZyWALL USG 20/20W User’s Guide 943 connection troubleshooting 732 connection monitor (in SSL) 198 connectivity check 228, 238, 245, 270, 282, 400 console port 34 speed 636 content filter troubleshooting 728 content filtering 487, 488 and address groups 487, 488, 493 and address objects 487, 488, 493 and registration 492, 494, [...]

  • Page 944

    Index ZyWALL USG 20/20W User’s Guide 944 direct routes 301 directory 573 directory service 573 file structure 575 directory traversal attack 483 directory traversals 483 disclaimer 5, 935 Distinguished Name (DN) 576, 577, 579, 580 distributed port scans 480 DN 576, 577, 579, 580 DNS 256, 636 address records 640 domain name forwarders 6[...]

  • Page 945

    Index ZyWALL USG 20/20W User’s Guide 945 Extended Service Set IDentification. See ESSID. Extended Service Set, See ESS 804 ext-user troubleshooting 735 F false negatives 472 false positives 472, 474 FCC interference statement 935 feature specifications 742 features overview 37 file extensions configuration files 693 shell scripts 693 file manag[...]

  • Page 946

    Index ZyWALL USG 20/20W User’s Guide 946 Quick Start 3 H H.323 132, 358 additional signaling port 356 ALG 351, 358 and firewall 352 and RTP 358 signaling port 356 hidden node 805 HSDPA 244 HTTP inspection 475, 483 over SSL, see HTTPS redirect to HTTPS 648 vs HTTPS 646 HTTP redirect 347 and firewall 348 and interfaces 350 and policy routes[...]

  • Page 947

    Index ZyWALL USG 20/20W User’s Guide 947 troubleshooting 729 types 89 interfaces 88, 107, 217 and DNS servers 287 and HTTP redirect 350 and layer-3 virtualization 218 and NAT 341 and physical ports 88, 218 and policy routes 305 and static routes 309 and VPN gateways 394 and zones 88, 218 as DHCP relays 286 as DHCP servers 286, 630 backup,[...]

  • Page 948

    Index ZyWALL USG 20/20W User’s Guide 948 transport encapsulation 399 tunnel encapsulation 399 VPN gateway 394 IPSec SA active protocol 421 and firewall 376, 733 and to-ZyWALL firewall 733 authentication algorithms 415, 416 authentication key (manual keys) 423 destination NAT for inbound traffic 425 encapsulation 422 encryption algorithms 41[...]

  • Page 949

    Index ZyWALL USG 20/20W User’s Guide 949 see also trunks 289 session-oriented 290 spillover 291 tutorial 113 weighted round robin 290 local user database 575 log troubleshooting 737 log messages categories 686, 689, 690, 691 debugging 207 regular 207 types of 207 log options 526 logged in users 175 login custom page 650 default settings 741 S[...]

  • Page 950

    Index ZyWALL USG 20/20W User’s Guide 950 and address objects 306 and address objects (HOST) 341 and ALG 352, 354 and firewall 382 and interfaces 341 and policy routes 298, 305 and to-ZyWALL firewall 343 and VoIP pass through 354 and VPN 419 and VPN, see also VPN configuration overview 98 limitations 310 loopback 343 port forwarding, see NA[...]

  • Page 951

    Index ZyWALL USG 20/20W User’s Guide 951 backup designated (BDR) 318 designated (DR) 318 internal (IR) 317 link state advertisements priority 318 types of 317 other documentation 3 OTP (One-Time Password) 574 outgoing bandwidth 245 oversize chunk-encoding attack 484 len attack 485 offset attack 485 request-uri-directory attack 484 P packet [...]

  • Page 952

    Index ZyWALL USG 20/20W User’s Guide 952 Post Office Protocol, see POP 522 power off 35, 725 power on 34 PPP 288 troubleshooting 729 PPP interfaces subnet mask 284 PPPoE 288 and RADIUS 288 TCP port 1723 288 PPPoE/PPTP interfaces 218, 233 and ISP accounts 233, 611 basic characteristics 219 gateway 233 subnet mask 233 PPTP 288 and GRE 288 as [...]

  • Page 953

    Index ZyWALL USG 20/20W User’s Guide 953 configuration overview 105 content filtering 200 daily 680 daily e-mail 680 specifications 186 traffic statistics 183 reset 738 vs reboot 723 RESET button 34, 738 RFC 1058 (RIP) 314 1389 (RIP) 314 1587 (OSPF areas) 316 1631 (NAT) 309 1889 (RTP) 358 2131 (DHCP) 286 2132 (DHCP) 286 2328 (OSPF) 315 2402 ([...]

  • Page 954

    Index ZyWALL USG 20/20W User’s Guide 954 Service Set IDentity, See SSID. 249, 251 service subscription status 215 services 561, 799 and firewall 386 and port triggering 306 subscription 212 where used 104 Session Initiation Protocol, see SIP session limits 376, 386 sessions 186 sessions usage 169, 173 SHA1 416 shell script troubleshooting 73[...]

  • Page 955

    Index ZyWALL USG 20/20W User’s Guide 955 SecuExtender 449 see also SSL VPN 427 troubleshooting 734 user application screens 447 user screen bookmarks 444 user screens 437, 443 user screens access methods 437 user screens certificates 438 user screens login 438 user screens logout 444 user screens required information 438 user screens system requ[...]

  • Page 956

    Index ZyWALL USG 20/20W User’s Guide 956 RST 480 SYN (synchronize) 481 SYN flood 481 technical reference 163 Telnet 666 and address groups 668 and address objects 668 and zones 668 with SSH 665 Temporal Key Integrity Protocol (TKIP) 812 terminology differences with ZyNOS 91 three-way handshake 482 throughput rate troubleshooting 737 TightV[...]

  • Page 957

    Index ZyWALL USG 20/20W User’s Guide 957 tutorials 107 U UDP 561 decoder 475, 483 decoy portscan 480 distributed portscan 480 flood attack 483 messages 561 port numbers 562 portscan 479 portsweep 480 u-encoding attack 484 UltraVNC 616 undersize-len attack 485 undersize-offset attack 485 unreachables (ICMP) 480 unsafe web pages 498 unsolicited c[...]

  • Page 958

    Index ZyWALL USG 20/20W User’s Guide 958 lockout 550 prerequisites for force user authentication policies 104 reauthentication time 545 types of 539 user (type) 540 user names 542 UTF-8 decode 484 UTF-8-encoding attack 484 V Vantage CNM 674 Vantage Report (VRPT) 683, 689 virtual interfaces 218 basic characteristics 219 not D[...]

  • Page 959

    Index ZyWALL USG 20/20W User’s Guide 959 Windows Internet Naming Service, see WINS Windows Internet Naming Service, see WINS. Windows Internet Naming Service. See WINS. Windows Remote Desktop 616 WINS 230, 256, 271, 281, 287, 432 WINS server 230, 256 wireless clients 191 MAC filter 262 wireless client 248 wireless client WPA supplicants 814[...]