ZyXEL Communications 100 Series manual



A good user manual

The rules oblige the reseller to supply the buyer with the manual together with the ZyXEL Communications 100 Series product. A missing manual or incorrect information given to the consumer is grounds for a complaint that the product does not conform to the contract. Under the law, the manual may be supplied in a form other than paper, which is frequently done by attaching a graphic form or an electronic ZyXEL Communications 100 Series manual or instructional videos for users. The condition is that it be in a legible and comprehensible form.

What is an instruction manual?

The word comes from the Latin "instructio", to instruct. Therefore, in the ZyXEL Communications 100 Series manual you can find a description of the stages of the process. The purpose of the manual is to instruct, to make it easier to start up and use the equipment or to carry out specific tasks. The manual is a collection of information about the object/service, a guide.

Unfortunately, few users take the time to read the ZyXEL Communications 100 Series manual, yet a good manual not only lets you learn a number of additional features of the device but also prevents most faults.

So what should the perfect manual contain?

First, the ZyXEL Communications 100 Series manual should contain:
- technical data of the ZyXEL Communications 100 Series device
- name of the manufacturer and year of manufacture of the ZyXEL Communications 100 Series device
- instructions for use, adjustment and maintenance of the ZyXEL Communications 100 Series device
- safety marks and certificates confirming compliance with the relevant standards

Why don't you read manuals?

Usually it is due to lack of time and confidence about the specific functions of the purchased device. Unfortunately, simply connecting and starting up the ZyXEL Communications 100 Series is not enough. The manual contains a number of guidelines on specific functions, safety, maintenance methods (even which products should be used), possible ZyXEL Communications 100 Series defects and ways to solve common problems during use. Finally, the manual gives the ZyXEL Communications service contact details should the proposed solutions prove ineffective. Nowadays, manuals in the form of engaging animations and instructional videos, which speak to the user better than a leaflet, are much appreciated. This kind of manual gives the user the chance to go through the whole instructional video without skipping the complicated ZyXEL Communications 100 Series specifications and technical descriptions, as happens with the paper version.

Why read manuals?

First of all, they contain the answers about the construction and capabilities of the ZyXEL Communications 100 Series device, the use of individual accessories and a range of information to fully enjoy all its features and conveniences.

After successfully purchasing equipment/a device, it is worth taking a moment to familiarize yourself with each part of the ZyXEL Communications 100 Series manual. Nowadays they are carefully prepared and translated so that they are not only understandable to users but also fulfil their basic function of providing information.

Manual index

  • Page 1

    www.zyxel.com ZyWALL USG 100/200 Series Unified Security Gateway User's Guide Version 2.10 5/2008 Edition 1 DEFAULT LOGIN LAN1 Port P4 IP Address http://192.168.1.1 User Name admin Password 1234[...]

  • Page 2

    [...]

  • Page 3

    About This User's Guide ZyWALL USG 100/200 Series User's Guide 3 About This User's Guide Intended Audience This manual is intended for people who want to configure the ZyWALL using the web configurator. How To Use This Guide • Read Chapter 1 on page 53 for an overview of features available on the ZyWALL. • R[...]

  • Page 4

    About This User's Guide ZyWALL USG 100/200 Series User's Guide 4 Click the help icon in any screen for help in configuring that screen and supplementary information. • Supporting Disk Refer to the included CD for support documents. • ZyXEL Web Site Please refer to www.zyxel.com for additional support documentation and product certifi[...]

  • Page 5

    Document Conventions ZyWALL USG 100/200 Series User's Guide 5 Document Conventions Warnings and Notes These are how warnings and notes are shown in this User's Guide. Warnings tell you about things that could harm you or your device. Notes tell you other important information (for example, other things you may need to configure o[...]

  • Page 6

    Document Conventions ZyWALL USG 100/200 Series User's Guide 6 Icons Used in Figures Figures in this User's Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. ZyWALL Computer Notebook computer Server Firewall Telephone Switch Router[...]

  • Page 7

    Safety Warnings ZyWALL USG 100/200 Series User's Guide 7 Safety Warnings For your safety, be sure to read and follow all warning notices and instructions. • Do NOT use this product near water, for example, in a wet basement or near a swimming pool. • Do NOT expose your device to dampness, dust or corrosive liquids. • Do NOT store thin[...]

  • Page 8

    Safety Warnings ZyWALL USG 100/200 Series User's Guide 8[...]

  • Page 9

    Contents Overview ZyWALL USG 100/200 Series User's Guide 9 Contents Overview Getting Started ... 51 Introducing the ZyWALL ... [...]

  • Page 10

    Contents Overview ZyWALL USG 100/200 Series User's Guide 10 Anti-X ... 467 Anti-Virus ... [...]

  • Page 11

    Table of Contents ZyWALL USG 100/200 Series User's Guide 11 Table of Contents About This User's Guide ... 3 Document Conventions ... [...]

  • Page 12

    Table of Contents ZyWALL USG 100/200 Series User's Guide 12 3.1 Web Configurator Requirements ... 65 3.2 Web Configurator Access ... 65 3.3 Web Configurat[...]

  • Page 13

    Table of Contents ZyWALL USG 100/200 Series User's Guide 13 5.2 Zones, Interfaces, and Physical Ports ... 110 5.2.1 Interface Types ... [...]

  • Page 14

    Table of Contents ZyWALL USG 100/200 Series User's Guide 14 6.3 How to Set Up a WLAN Interface ... 131 6.3.1 How to Set Up User Accounts ... 131 6.3.2 How to Create the WL[...]

  • Page 15

    Table of Contents ZyWALL USG 100/200 Series User's Guide 15 7.2.4 The VPN Status Screen ... 178 7.2.5 The DHCP Table Screen ... 179 7.2.6 The Po[...]

  • Page 16

    Table of Contents ZyWALL USG 100/200 Series User's Guide 16 10.5.6 Interface Wizard: Summary (Non-WAN) ... 219 10.5.7 Interface Wizard: Summary (WAN) ... 219 10.6 The PPP Interfaces Screen ... [...]

  • Page 17

    Table of Contents ZyWALL USG 100/200 Series User's Guide 17 12.4 Policy Routing Technical Reference ... 285 Chapter 13 Routing Protocols ... 287 13.1 [...]

  • Page 18

    Table of Contents ZyWALL USG 100/200 Series User's Guide 18 17.1.2 What You Need to Know About HTTP Redirect ... 322 17.2 The HTTP Redirect Screen ... 322 17.2.1 The HTTP Redirect Edit Screen ... [...]

  • Page 19

    Table of Contents ZyWALL USG 100/200 Series User's Guide 19 20.4.1 The VPN Concentrator Add/Edit Screen ... 370 20.5 The SA Monitor Screen ... 371 20.6 IPSec VPN Background[...]

  • Page 20

    Table of Contents ZyWALL USG 100/200 Series User's Guide 20 Chapter 25 L2TP VPN ... 409 25.1 Overview ... [...]

  • Page 21

    Table of Contents ZyWALL USG 100/200 Series User's Guide 21 Chapter 28 Anti-Virus ... 469 28.1 Overview ... [...]

  • Page 22

    Table of Contents ZyWALL USG 100/200 Series User's Guide 22 Chapter 30 ADP ... 513 30.1 Overview ... [...]

  • Page 23

    Table of Contents ZyWALL USG 100/200 Series User's Guide 23 33.2 Before You Begin ... 561 33.3 The Anti-Spam General Screen ... 561 33.3.1 Th[...]

  • Page 24

    Table of Contents ZyWALL USG 100/200 Series User's Guide 24 35.4.1 Force User Authentication Policy Add/Edit Screen ... 602 35.4.2 User Aware Login Example ... 603 35.5 User/Group Technical Refere[...]

  • Page 25

    Table of Contents ZyWALL USG 100/200 Series User's Guide 25 39.3 Active Directory or LDAP Group Summary Screen ... 629 39.3.1 Creating an Active Directory or LDAP Group ... 629 39.4 Configuring a Default RADIUS Server ... [...]

  • Page 26

    Table of Contents ZyWALL USG 100/200 Series User's Guide 26 Chapter 43 System ... 665 43.1 Overview ... [...]

  • Page 27

    Table of Contents ZyWALL USG 100/200 Series User's Guide 27 43.12 Vantage CNM ... 700 43.12.1 Configuring Vantage CNM ... 700 43.13 Language Scr[...]

  • Page 28

    Table of Contents ZyWALL USG 100/200 Series User's Guide 28 Chapter 48 Reboot ... 743 48.1 Overview ... [...]

  • Page 29

    List of Figures ZyWALL USG 100/200 Series User's Guide 29 List of Figures Figure 1 ZyWALL USG 200 Front Panel ... 53 Figure 2 ZyWALL USG 100 Front Panel ... [...]

  • Page 30

    List of Figures ZyWALL USG 100/200 Series User's Guide 30 Figure 39 VPN Advanced Wizard: Step 2 ... 100 Figure 40 VPN Advanced Wizard: Step 3 ... 101 [...]

  • Page 31

    List of Figures ZyWALL USG 100/200 Series User's Guide 31 Figure 82 Network > Routing > Policy Route ... 146 Figure 83 Network > Routing > Policy Route > Add ... [...]

  • Page 32

    List of Figures ZyWALL USG 100/200 Series User's Guide 32 Figure 125 Creating the Address Object for the wan2 Public IP Address ... 168 Figure 126 Creating the Virtual Server ... 168 Figure 127 Statu[...]

  • Page 33

    List of Figures ZyWALL USG 100/200 Series User's Guide 33 Figure 168 Network > Interface > Ethernet > Edit > Edit static DHCP table ... 240 Figure 169 Network > Interface > WLAN > Add (WEP Security) ... 242 Figure[...]

  • Page 34

    List of Figures ZyWALL USG 100/200 Series User's Guide 34 Figure 211 Multiple Servers Behind NAT Example ... 309 Figure 212 Network > Virtual Server ... 3[...]

  • Page 35

    List of Figures ZyWALL USG 100/200 Series User's Guide 35 Figure 254 VPN > IPSec VPN > VPN Gateway ... 363 Figure 255 VPN > IPSec VPN > VPN Gateway > Edit ... 365 Figure 2[...]

  • Page 36

    List of Figures ZyWALL USG 100/200 Series User's Guide 36 Figure 297 VPN > L2TP VPN ... 411 Figure 298 VPN > L2TP VPN > Session Monitor ... [...]

  • Page 37

    List of Figures ZyWALL USG 100/200 Series User's Guide 37 Figure 340 IP Security Policy Properties: IP Filter List ... 434 Figure 341 Console: L2TP to ZyWALL Assign ... 43[...]

  • Page 38

    List of Figures ZyWALL USG 100/200 Series User's Guide 38 Figure 383 Anti-X > IDP > Profile > Edit > IDP Service Group ... 495 Figure 384 Anti-X > IDP > Profile: Query View ... [...]

  • Page 39

    List of Figures ZyWALL USG 100/200 Series User's Guide 39 Figure 426 Anti-X > Anti-Spam > Black/White List > White List ... 567 Figure 427 Anti-X > Anti-Spam > DNSBL ... 569 [...]

  • Page 40

    List of Figures ZyWALL USG 100/200 Series User's Guide 40 Figure 469 Object > AAA Server > RADIUS > Group > Add ... 632 Figure 470 Example: Using Authentication Method in VPN ... 636 Figure 471 Objec[...]

  • Page 41

    List of Figures ZyWALL USG 100/200 Series User's Guide 41 Figure 512 SSL Client Authentication ... 689 Figure 513 Secure Web Configurator Login Screen ... 689 Fig[...]

  • Page 42

    List of Figures ZyWALL USG 100/200 Series User's Guide 42 Figure 555 WLAN Card Installation ... 754 Figure 556 Windows XP: Opening the Services Window ... 819 [...]

  • Page 43

    List of Tables ZyWALL USG 100/200 Series User's Guide 43 List of Tables Table 1 Front Panel LEDs ... 54 Table 2 Managing the ZyWALL: Console Port ... [...]

  • Page 44

    List of Tables ZyWALL USG 100/200 Series User's Guide 44 Table 39 Status > Port Statistics > Switch to Graphic View ... 182 Table 40 Status > Current Users ... [...]

  • Page 45

    List of Tables ZyWALL USG 100/200 Series User's Guide 45 Table 82 Network > Interface > Bridge > Add ... 264 Table 83 Example: Routing Table Entries for Interfaces ... 265 [...]

  • Page 46

    List of Tables ZyWALL USG 100/200 Series User's Guide 46 Table 125 Objects ... 386 Table 126 VPN > SSL VPN > Access Privilege ... [...]

  • Page 47

    List of Tables ZyWALL USG 100/200 Series User's Guide 47 Table 168 ADP > Profile > Traffic Anomaly ... 520 Table 169 ADP > Profile > Protocol Anomaly ... [...]

  • Page 48

    List of Tables ZyWALL USG 100/200 Series User's Guide 48 Table 211 Object > AAA Server > Active Directory (or LDAP) > Default ... 628 Table 212 Object > AAA Server > Active Directory (or LDAP) > Group ... 629 Table 213 Object >[...]

  • Page 49

    List of Tables ZyWALL USG 100/200 Series User's Guide 49 Table 254 Maintenance > Log > Log Setting ... 718 Table 255 Maintenance > Log > Log Setting > Edit (System Log) ... 721 Tabl[...]

  • Page 50

    List of Tables ZyWALL USG 100/200 Series User's Guide 50 Table 297 Device HA Logs ... 797 Table 298 Routing Protocol Logs ... [...]

  • Page 51

    51 PART I Getting Started Introducing the ZyWALL (53) Features and Applications (57) Web Configurator (65) Configuration Basics (109) Tutorials (125) Status (171) Registration (185) Signature Update (191)[...]

  • Page 52

    52[...]

  • Page 53

    ZyWALL USG 100/200 Series User's Guide 53 CHAPTER 1 Introducing the ZyWALL This chapter gives an overview of the ZyWALL. It explains the front panel ports, LEDs, introduces the management methods, and lists different ways to start or stop the ZyWALL. 1.1 Overview and Key Default Settings The ZyWALL is a comprehensive security device design[...]

  • Page 54

    Chapter 1 Introducing the ZyWALL ZyWALL USG 100/200 Series User's Guide 54 Figure 2 ZyWALL USG 100 Front Panel The following table describes the LEDs. 1.3 Management Overview You can use the following ways to manage the ZyWALL. Web Configurator The web configurator allows easy ZyWALL setup and management using an Internet browser. This User[...]

  • Page 55

    Chapter 1 Introducing the ZyWALL ZyWALL USG 100/200 Series User's Guide 55 Figure 3 Managing the ZyWALL: Web Configurator Command-Line Interface (CLI) The CLI allows you to use text-based commands to configure the ZyWALL. You can access it using remote management (for example, SSH or Telnet) or via the console port. See the Command Refere[...]

  • Page 56

    Chapter 1 Introducing the ZyWALL ZyWALL USG 100/200 Series User's Guide 56 It is recommended you use the shutdown command before turning off the ZyWALL. When you apply configuration files or run shell scripts, the ZyWALL does not stop or start the system processes. However, you might lose access to network resources temporarily whi[...]

  • Page 57

    ZyWALL USG 100/200 Series User's Guide 57 CHAPTER 2 Features and Applications This chapter introduces the main features and applications of the ZyWALL. 2.1 Features The ZyWALL's security features include VPN, firewall, anti-virus, content filtering, IDP (Intrusion Detection and Prevention), ADP (Anomaly Detection and Protection), and ce[...]

  • Page 58

    Chapter 2 Features and Applications ZyWALL USG 100/200 Series User's Guide 58 Intrusion Detection and Prevention (IDP) IDP (Intrusion Detection and Protection) can detect malicious or suspicious packets and respond instantaneously. It detects pattern-based attacks in order to protect against network-based intrusions. See Section 29.6.2 on pa[...]

  • Page 59

    Chapter 2 Features and Applications ZyWALL USG 100/200 Series User's Guide 59 Application Patrol Application patrol (App. Patrol) manages instant messenger (IM), peer-to-peer (P2P) applications like MSN and BitTorrent. You can even control the use of a particular application's individual features (like text messaging, voice, video confere[...]

  • Page 60

    Chapter 2 Features and Applications ZyWALL USG 100/200 Series User's Guide 60 2.2.2 Interface to Interface (To/From ZyWALL) To: Ethernet -> VLAN -> Encap -> ALG -> DNAT -> Routing -> zFW -> ADP -> RM From: RM -> Routing -> BWM -> Encap -> VLAN -> Ethernet 2.2.3 Interface to Interface (From VPN Tunnel[...]

  • Page 61

    Chapter 2 Features and Applications ZyWALL USG 100/200 Series User's Guide 61 Figure 4 Applications: VPN Connectivity 2.3.2 SSL VPN Network Access You can configure the ZyWALL to provide SSL VPN network access to remote users. There are two SSL VPN network access modes: reverse proxy and full tunnel. 2.3.2.1 Reverse Proxy Mode In reverse prox[...]

  • Page 62

    Chapter 2 Features and Applications ZyWALL USG 100/200 Series User's Guide 62 Figure 6 Network Access Mode: Full Tunnel Mode 2.3.3 User-Aware Access Control Set up security policies that restrict access to sensitive information and shared resources based on the user who is trying to access it. Figure 7 Applications: User-Aware Access Control [...]

  • Page 63

    Chapter 2 Features and Applications ZyWALL USG 100/200 Series User's Guide 63 Figure 8 Applications: Multiple WAN Interfaces 2.3.5 Device HA Set up an additional ZyWALL as a backup gateway to ensure the default gateway is always available for the network. Figure 9 Applications: Device HA[...]

  • Page 64

    Chapter 2 Features and Applications ZyWALL USG 100/200 Series User's Guide 64[...]

  • Página 65

    ZyWALL USG 100/200 Series User’s Gu ide 65 C HAPTER 3 Web Configurator The ZyW ALL web co nfigurator allows easy ZyW ALL setup and mana ge ment using an Internet browser . Unless otherwise specified, the ZyW A LL USG 200 screens are shown. 3.1 W eb Configurator Requirement s In order to use the web con figurator , you must • Use Internet Explor[...]

  • Página 66

    Chapter 3 Web C onfig ur a t or ZyWALL USG 100/200 Series User’s Guide 66 Figure 10 Login Screen 3 T ype the user name (default: “adm in”) and password (default: “1234”). If your account is configured to use an AS AS authentication server , use the OTP (One - T ime Password) token to generate a number . Enter it in the One-Time Password f[...]

  • Página 67

    Chapter 3 Web Configurator ZyWALL USG 100/200 Series User’s Gu ide 67 Follow the directions in this screen. If you change the de fault password, the Login screen ( Figure 10 on page 66 ) appears after you click Apply . If you click Ignor e , the main screen appears. Figure 12 Main Screen 3.3 W eb Configurator Main Screen As illustrated in Fi gu r[...]

  • Página 68

    Chapter 3 Web C onfig ur a t or ZyWALL USG 100/200 Series User’s Guide 68 The icons provide th e following functions. 3.3.2 Navigation Panel Use the men u items on the navi gation panel to open screens to configure ZyW ALL features. The following tables describe each menu item. T able 5 Title B ar: Web Co nfigurator Icons ICON DESCRIPTION Help : [...]

  • Página 69

    Chapter 3 Web Configurator ZyWALL USG 100/200 Series User’s Gu ide 69 Interface S tatus Use this screen to see information about all of the ZyWALL’ s interfaces and their connection status. Port Role Use this screen to set the ZyWALL’ s fl exibl e ports as LAN1, WLAN, or DMZ. Ethernet Use this screen to manage Ethern et inte rfaces and virtua[...]

  • Página 70

    Chapter 3 Web C onfig ur a t or ZyWALL USG 100/200 Series User’s Guide 70 AppPatrol General Use this screen to enable or disab le tra ffic management by application and see registration and signature information. Common Use this screen to manage traffic of the most commonly used web, file transfer and e-mail protocols. Instant Messenger Use this [...]

  • Página 71

    Chapter 3 Web Configurator ZyWALL USG 100/200 Series User’s Gu ide 71 User/Group User Use this screen to create and manage users. Group Use this screen to create and manage groups of users. Setting Use this screen to manage default settings for all users, ge neral settings for user sessions, and rules to force user authentication . Address Addres[...]

  • Página 72

    Chapter 3 Web C onfig ur a t or ZyWALL USG 100/200 Series User’s Guide 72 3.3.3 Main Window The main window shows the screen you select in th e menu. It is discussed in the rest of this document. Right after you log in, the St a t u s screen is displayed. See Chapter 7 on page 171 for more information about the St a t u s screen. 3.3.4 Message Ba[...]

  • Página 73

    Chapter 3 Web Configurator ZyWALL USG 100/200 Series User’s Gu ide 73 Figure 14 W arnin g Me ss ag e s Click Refr esh Now to update the screen. Close the popup window when you are done with it. Click Clear W arning Messages to re move the current warn ing messages from the window . 3.3.4.2 CLI Messages Click CLI to look at the CLI commands sent b[...]

  • Page 74

    Click Refresh Now to update the screen. For example, if you just enabled a particular feature, you can look at the commands the web configurator generated to enable it. Close the popup window when you are done with it. See the Command Reference Guide for information ab[...]

  • Page 75

    CHAPTER 4 Wizard Setup 4.1 Wizard Setup Overview The web configurator's setup wizards help you configure the initial (Internet) and VPN connection settings. This chapter provides information on configuring the Wizard setup screens in the web configurator. See the feature-specific ch[...]

  • Page 76

    Figure 16 Wizard Setup Welcome 4.2 Installation Setup, One ISP The wizard screens vary depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information. " [...]

  • Page 77

    The following table describes the labels in this screen. 4.3 Step 1 Internet Access Encapsulation : Choose the Ethernet option when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your ISP.[...]

  • Page 78

    Figure 18 Ethernet Encapsulation: Auto: Finish You have set up your ZyWALL to access the Internet. " If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. You can click Next and use the following screen to[...]

  • Page 79

    Figure 19 Ethernet Encapsulation: Static The following table describes the labels in this screen. The ZyWALL applies the configuration settings. 4.3.3 Step 2 Internet Access Ethernet You do not configure this screen if you selected Auto as the IP Address Assignment in the previ[...]

  • Page 80

    " Enter the Internet access information exactly as given to you by your ISP. WAN Interface : This is the number of the interface that will connect with your ISP. Zone: This is the security zone to which this interface and Internet connection will belong. IP Address : Enter[...]

  • Page 81

    4.3.4 PPPoE: Auto IP Address Assignment If you select Auto as the IP Address Assignment in the previous screen, the following screen displays after you click Next. Figure 21 PPPoE Encapsulation: Auto The following table describes the labels in this screen. The ZyWALL applies th[...]

  • Page 82

    Figure 22 PPPoE Encapsulation: Auto: Finish You have set up your ZyWALL to access the Internet. " If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. You can click Next and use the following screen to [...]

  • Page 83

    Figure 23 PPPoE Encapsulation: Static The following table describes the labels in this screen. Table 10 PPPoE Encapsulation: Static LABEL DESCRIPTION ISP Parameters Encapsulation This displays the type of Internet connection you are configuring. Service Name Type the PPPoE ser[...]

  • Page 84

    4.3.6 Step 2 Internet Access PPPoE " Enter the Internet access information exactly as given to you by your ISP. 4.3.6.1 ISP Parameters Type the PPPoE Service Name from your service provider. Type the User Name given to you by your ISP. Type the Password associat[...]

  • Page 85

    Figure 24 PPPoE Encapsulation: Static: Finish You have set up your ZyWALL to access the Internet. " If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. You can click Next and use the following screen t[...]

  • Page 86

    Figure 25 PPTP Encapsulation: Auto The following table describes the labels in this screen. Table 11 PPTP Encapsulation: Auto LABEL DESCRIPTION ISP Parameters Encapsulation This displays the type of Internet connection you are configuring. User Name Type the user name given to [...]

  • Page 87

    The ZyWALL applies the configuration settings. Figure 26 PPTP Encapsulation: Auto: Finish You have set up your ZyWALL to access the Internet. " If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. You [...]

  • Page 88

    4.3.8 PPTP: Static IP Address Assignment If you select Static as the IP Address Assignment, the following screen displays. Figure 27 PPTP Encapsulation: Static The following table describes the labels in this screen. Table 12 PPTP Encapsulation: Static LABEL DESCRIPTION ISP [...]

  • Page 89

    4.3.9 Step 2 Internet Access PPTP " Enter the Internet access information exactly as given to you by your ISP. 4.3.9.1 ISP Parameters Type the User Name given to you by your ISP. Type the Password associated with the user name. Select Nailed-Up if you do not want [...]

  • Page 90

    4.3.9.3 WAN IP Address Assignments You do not configure this section if you selected Auto as the IP Address Assignment in the previous screen. WAN Interface : This is the connection type on the interface you are configuring to connect with your ISP. Zone: This is the security [...]

  • Page 91

    4.4 Device Registration Use this screen to register your ZyWALL with myZyXEL.com and activate trial periods of subscription security features if you have not already done so. " You must be connected to the Internet to register. This screen displays a read-only user name an[...]

  • Page 92

    Figure 30 Registration: Registered Device 4.5 Installation Setup, Two Internet Service Providers This wizard allows you to configure two interfaces for Internet access through either two different Internet Service Providers (ISPs) or two different accounts with the same IS[...]

  • Page 93

    Figure 31 Internet Access: Step 1: First WAN Interface After you configure the First WAN Interface, you can configure the Second WAN Interface. Click Next to continue. Figure 32 Internet Access: Step 3: Second WAN Interface After you configure the Second WAN Interface [...]

  • Page 94

    Figure 33 Internet Access: Finish " You can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Use the myZyXEL.com link if you do not already have a myZyXEL.com account. If you already have a myZyXEL.com account, you can click Next and use the foll[...]

  • Page 95

    Figure 34 VPN Wizard: Wizard Type The following table describes the labels in this screen. 4.7 VPN Wizards A VPN (Virtual Private Network) tunnel is a secure connection to another computer or network. Use the Express wizard to create a VPN connection with another ZLD-based ZyWAL[...]

  • Page 96

    Figure 35 VPN Express Wizard: Step 2 The following table describes the labels in this screen. 4.8 VPN Express Wizard - Remote Gateway The Remote Gateway policy identifies the IPSec devices at either end of a VPN tunnel. Name : Type the name used to identify this VPN connection (a[...]

  • Page 97

    Pre-Shared Key : Type the password. Both ends of the VPN tunnel must use the same password. Use 8 to 31 case-sensitive ASCII characters or 16 to 62 hexadecimal (“0-9”, “A-F”) characters. Precede hexadecimal characters with “0x”. Figure 36 VPN Express Wizard: S [...]

  • Page 98

    Figure 37 VPN Express Wizard: Step 4 The following table describes the labels in this screen. 4.8.2 VPN Express Wizard - Summary This summary of VPN tunnel settings is read-only. Name : Identifies the VPN gateway. Secure Gateway : IP address or domain name of the peer IPSec devi[...]

  • Page 99

    Local Policy : IP address and subnet mask of the computers on the network behind your ZyWALL that can use the tunnel. Remote Policy : IP address and subnet mask of the computers on the network behind the peer IPSec device that can use the tunnel. You can copy and paste the Co[...]

  • Page 100

    4.8.4 VPN Advanced Wizard Click the Advanced radio button as shown in Figure 34 on page 95 to display the following screen. Figure 39 VPN Advanced Wizard: Step 2 The following table describes the labels in this screen. Table 18 VPN Advanced Wizard: Step 2 LABEL DESCRIPTION Remo[...]

  • Page 101

    4.8.5 VPN Advanced Wizard - Remote Gateway The Remote Gateway policy identifies the IPSec devices at either end of a VPN tunnel. Name : Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-[...]

  • Page 102

    The following table describes the labels in this screen. 4.8.6 VPN Advanced Wizard - Phase 1 Phases : IKE (Internet Key Exchange) negotiation has two phases. A phase 1 exchange establishes an IKE SA (Security Association) and phase 2 (Key Exchange) uses the SA to negotiate SAs f[...]

  • Page 103

    " Multiple SAs connecting through a secure gateway must have the same negotiation mode. Negotiation Mode : Select Main for identity protection. Select Aggressive to allow more incoming connections from dynamic IP addresses to use separate passwords. Proposal : 3DES and AES u[...]

  • Page 104

    The following table describes the labels in this screen. Table 20 VPN Advanced Wizard: Step 4 LABEL DESCRIPTION Phase 2 Setting Active Protocol Select the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (del[...]

  • Page 105

    4.8.7 VPN Advanced Wizard - Phase 2 Active Protocol : ESP is compatible with NAT, AH is not. Encapsulation : Tunnel is compatible with NAT, Transport is not. Proposal : 3DES and AES use encryption. The longer the AES key, the higher the security (this may affect thro[...]

  • Page 106

    4.8.8 VPN Advanced Wizard - Summary This summary of VPN tunnel settings is read-only. Name : Identifies the VPN connection (and the VPN gateway). Secure Gateway : IP address or domain name of the peer IPSec device. Pre-Shared Key : VPN tunnel password. Local Policy : IP address[...]

  • Page 107

    Figure 43 VPN Wizard: Step 6: Advanced " If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. You can click Next and use the following screen to perform a basic registration (see Section 4.4 on page 91)[...]

  • Page 108

  • Page 109

    CHAPTER 5 Configuration Basics This section provides information to help you configure the ZyWALL effectively. Some of it is helpful when you are just getting started. Some of it is provided for your reference when you configure various features in the ZyWALL. • Section 5.1 on page 109 introd[...]

  • Page 110

    5.2 Zones, Interfaces, and Physical Ports Zones (groups of interfaces and VPN tunnels) simplify security settings. Here is an overview of zones, interfaces, and physical ports in the ZyWALL. Figure 44 Zones, Interfaces, and Physical Ethernet Ports 5.2.1 Interfac[...]

  • Page 111

    • Bridge interfaces create a software connection between Ethernet or VLAN interfaces at the layer-2 (data link, MAC address) level. Then, you can configure the IP address and subnet mask of the bridge. It is also possible to configure zone-level security between the[...]

  • Page 112

    Table 24 ZyWALL USG 100 Default Port, Interface, and Zone Configuration • The WAN zone contains the wan1 and wan2 interfaces (physical ports P1 and P2). They use public IP addresses to connect to the Internet. • OPT is specific to the ZyWALL USG 200. The O[...]

  • Page 113

    5.4 Feature Configuration Overview This section provides information about configuring the main features in the ZyWALL. The features are listed in the same sequence as the menu item(s) in the web configurator. Each feature is organized as shown below. 5.4.1 Feat[...]

  • Page 114

    " PREREQUISITES or WHERE USED does not appear if there are no prerequisites or references in other features to this one. For example, no other features reference DDNS entries, so there is no WHERE USED entry. 5.4.2 Interface See Section 5.2 on page 110 for back[...]

  • Page 115

    Example: See Chapter 6 on page 125. 5.4.5 SSL VPN Use SSL VPN to provide secure network access to remote users. Example: See Chapter 6 on page 125. 5.4.6 L2TP VPN Use L2TP VPN to let remote users use the L2TP and IPSec client software included with their computers[...]

  • Page 116

    Example: See Chapter 6 on page 125. 5.4.9 DDNS Dynamic DNS maps a domain name to a dynamic IP address. The ZyWALL helps maintain this mapping. 5.4.10 Policy Routes Use policy routes to control the routing of packets through the ZyWALL’s interfaces, trunks, and[...]

  • Page 117

    " The ZyWALL checks the policy routes in the order that they are listed. So make sure that your custom policy route comes before any other routes that would also match the FTP traffic. 5.4.11 Static Routes Use static routes to tell the ZyWALL about networ[...]

  • Page 118

    5.4.13 Application Patrol Use application patrol to control which individuals can use which services through the ZyWALL (and when they can do so). You can also specify allowed amounts of bandwidth and priorities. You must subscribe to use application patrol. Y[...]

  • Page 119

    5.4.16 ADP Use ADP to detect and take action on traffic and protocol anomalies. 5.4.17 Content Filter Use content filtering to block or allow access to specific categories of web site content, individual web sites and web features (such as cookies). You can define [...]

  • Page 120

    The ZyWALL does not check to-ZyWALL firewall rules for packets that are redirected by virtual server. It does check regular (through-ZyWALL) firewall rules. Example: Suppose you have an FTP server with a private IP address connected to a DMZ port. You could con[...]

  • Page 121

    5.5 Objects Objects store information and are referenced by other features. If you update this information in response to changes, the ZyWALL automatically propagates the change through the features that use the object. The following table introduces the objects. [...]

  • Page 122

    5.6 System Management and Maintenance This section introduces some of the management and maintenance features in the ZyWALL. Use Host Name to configure the system and domain name for the ZyWALL. Use Date/Time to configure the current date, time, and time zone in[...]

  • Page 123

    5.6.3 Licensing Registration Use these screens to register your ZyWALL and subscribe to services like anti-virus, IDP and application patrol, more SSL VPN tunnels, and content filtering. You must have Internet access to myZyXEL.com. 5.6.4 Licensing Update Use these [...]

  • Page 124

  • Page 125

    CHAPTER 6 Tutorials This chapter provides some examples of using the web configurator to set up features in the ZyWALL. See also Chapter 26 on page 415 for an example of configuring L2TP. 6.1 How to Configure Ethernet Interfaces and Port Roles This tutorial shows how to configure Ethernet interf[...]

  • Page 126

    Click Network > Interface > Ethernet and the wan1 interface’s Edit icon. Configure the IP address, subnet mask, and default gateway settings as follows and click OK. Figure 47 Network > Interface > Ethernet > Edit wan1 6.1.2 How to Configure the OPT Interface f[...]

  • Page 127

    Figure 48 Network > Interface > Ethernet > Edit opt 2 Set DHCP to DHCP Server and click OK.[...]

  • Page 128

    Figure 49 Network > Interface > Ethernet > Edit opt > More Settings 6.1.3 How to Configure Port Roles Here is how to remove port P6 from the ext-wlan interface and add it to the dmz interface. 1 Click Network > Interface > Port Role. 2 Under P6 select the dmz ([...]

  • Page 129

    6.2 How to Configure a Cellular Interface Use 3G cards for cellular WAN (Internet) connections. You can have up to three simultaneous 3G connections (one 3G device in the ZyWALL’s PCMCIA slot and one connected to each of the ZyWALL’s two USB ports). Table 267 on page 7[...]

  • Page 130

    Figure 52 Network > Interface > Cellular > Edit 5 Go to the Status screen. The Interface Status Summary section should contain a “cellular” entry. When its connection status is “Connected” you can use the 3G connection to access the Internet.[...]

  • Page 131

    Figure 53 Status The ZyWALL automatically balances the traffic load amongst the available WAN connections. This enhances overall network throughput. Plus, if a WAN connection goes down, the ZyWALL sends traffic through the remaining WAN connections. For a simple test, dis[...]

  • Page 132

    1 Click Object > User/Group > User and the Add wlan_user Edit icon. 2 Set the User Name to wlan_user. Enter (and re-enter) the user’s password. Click OK. Figure 54 Object > User/Group > User > Add 3 Use the Add icon in the Object > User/Group > User screen [...]

  • Page 133

    Figure 55 Network > Interface > WLAN > Add (WPA/WPA2 Security) 3 Turn on the wireless LAN and click Apply. Figure 56 Network > Interface > WLAN[...]

  • Page 134

    6.3.3 How to Set Up the Wireless Clients to Use the WLAN Interface The following sections show you how to have a wireless client (not included with the ZyWALL) use the wireless network. 6.3.3.1 How to Configure the ZyXEL Wireless Client Utility This example shows how to configure [...]

  • Page 135

    Figure 58 ZyXEL Wireless Client > Profile 3 Select WPA2 as the security type and click Next. Figure 59 ZyXEL Wireless Client > Profile: Security Type 4 Set the encryption type to TKIP and the EAP type to TTLS. Configure wlan_user as the Login Name and enter the account’s[...]

  • Page 136

    Figure 60 ZyXEL Wireless Client > Profile: Security Settings 5 Confirm your settings and click Save. Figure 61 ZyXEL Wireless Client > Profile: Save 6 Click Activate Now. Figure 62 ZyXEL Wireless Client > Profile: Activate 7 The ZYXEL_WPA profile displays in your list of p[...]

  • Page 137

    Figure 63 ZyXEL Wireless Client > Profile: Activate Since the ZyXEL utility does not have the wireless client validate the ZyWALL’s certificate, you can go to Section 6.3.3.4 on page 143. 6.3.3.2 How to Configure the Funk Odyssey Wireless Client This example shows how to co[...]

  • Page 138

    Figure 65 Odyssey Access Client Manager > Profiles > User Info 3 Click the Authentication tab and select Validate server certificate. Figure 66 Odyssey Access Client Manager > Profiles > Authentication 4 Click the TTLS tab and select PAP. Then click OK.[...]

  • Page 139

    Figure 67 Odyssey Access Client Manager > Profiles > Authentication 5 Click Networks > Add. Figure 68 Odyssey Access Client Manager > Networks 6 Enter the name of the wireless network (“ZYXEL_WPA” in this example) or click Scan to look for it. Then select Authentica[...]

  • Page 140

    Figure 69 Odyssey Access Client Manager > Networks > Add Use the next section to import the ZyWALL’s certificate into the wireless client. 6.3.3.3 How the Wireless Clients Import the ZyWALL’s Certificate You must import the ZyWALL’s certificate into the wireless[...]

  • Page 141

    2 Click Import. Figure 71 Internet Explorer: Tools > Internet Options > Content > Certificates 3 Use the wizard screens to import the certificate. You may need to change the Files of Type setting to All Files in order to see the certificate file. Figure 72 Internet E[...]

  • Page 142

    Figure 73 Internet Explorer Certificate Import Wizard Certificate Store Screen 5 If you get a security warning screen, click Yes to proceed. Figure 74 Internet Explorer Certificate Import Wizard Security Warning Screen 6 The Internet Explorer Certificates screen remains open afte[...]

  • Page 143

    Figure 75 Internet Explorer: Trusted Root Certification Authorities As shown here, the My Certificates screen uses a prefix, followed by a hyphen, to indicate what type of information is being displayed, such as Common Name (CN), Organizational Unit (OU), Organization (O) and [...]

  • Page 144

    Figure 77 Funk Odyssey Access Wireless Client Login Example 6.4 How to Set Up an IPSec VPN This example shows how to create the VPN tunnel illustrated below. Figure 78 VPN Example In this example, the ZyWALL is router X (1.2.3.4), and the remote IPSec router is router Y (2.2.2.2). [...]

  • Page 145

    Figure 79 VPN > IPSec VPN > VPN Gateway > Add 6.4.2 How to Set Up the VPN Connection The VPN connection manages the IPSec SA. You have to set up the address objects for the local network and remote network before you can set up the VPN connection. 1 Click Object > Add[...]

  • Page 146

    Figure 81 VPN > IPSec VPN > VPN Connection > Add 6.4.3 How to Set Up the Policy Route for the VPN Tunnel Do the following to create a policy route to have the ZyWALL send traffic through the VPN tunnel. 1 Click Network > Routing > Policy Route. You want this policy[...]

  • Page 147

    and destination address objects here. The next-hop is the VPN connection that you created. Click OK. Figure 83 Network > Routing > Policy Route > Add 3 Now set up the VPN settings on the peer IPSec router and try to establish the VPN tunnel. To trigger the VPN, either try[...]

  • Page 148

    6.5 How to Configure User-aware Access Control You can configure many policies and security settings for specific users or groups of users. This is illustrated in the following example, where you will set up the following policies. This is a simple example that does not include pri[...]

  • Page 149

    2 Enter the name of the group that is used in Table 31 on page 148. In this example, it is “Finance”. Then, select User/Leo and click the right arrow to move him to the Member list. This example only has one member in this group, so click OK. Of course you could add more me[...]

  • Page 150

    Figure 87 Object > Auth. method > Add 4 Click System > WWW. In the Authentication section, select the new authentication method in the Client Authentication Method field. Click Apply. Figure 88 System > WWW (Authentication) 5 Click Object > User/Group > Setting [...]

  • Page 151

    1 Click AppPatrol. If application patrol and bandwidth management are not enabled, enable them, and click Apply. Figure 90 AppPatrol > General 2 Click the Common tab and then the Edit icon next to the default http service. Figure 91 AppPatrol > Common 3 Click the Default[...]

  • Page 152

    Figure 93 AppPatrol > Common > http > Edit Default 5 Click the Add icon in the policy list. In the new policy, select one of the user groups that is allowed to browse the web and set the corresponding bandwidth restriction in the Inbound and Outbound fields. Click OK. R[...]

  • Page 153

    Figure 95 Object > Schedule > Add (Recurring) 3 Follow the steps in Section 6.5.4 on page 150 to set up the appropriate policies for MSN in application patrol. Make sure to specify the schedule when you configure the policy for the Sales group’s MSN access. 6.5.6 How to [...]

  • Page 154

    Figure 97 Firewall > LAN1 to DMZ > Edit 3 Click the Add icon at the top of the rule list to create a rule for one of the user groups that is allowed to access the DMZ. 4 Select one of the user groups that is allowed to access the DMZ, and click OK. Figure 98 Firewall > Add [...]

  • Page 155

    You do not have to change many of the ZyWALL’s settings from the defaults to set up this trunk. You only have to set up the bandwidth on wan1 and wan2 and change the algorithm that WAN_TRUNK uses. 6.6.1 How to Set Up Available Bandwidth on Ethernet Interfaces 1 Click Netwo[...]

  • Page 156

    Figure 101 Network > Interface > Trunk > WAN_TRUNK > Edit 6.7 How to Configure Service Control Service control lets you configure rules that control HTTP and HTTPS management access (to the web configurator) and separate rules that control HTTP and HTTPS user access (lo[...]

  • Page 157

    Figure 102 System > WWW 3 In the Zone field select LAN1 and click OK. Figure 103 System > WWW > Service Control Rule Edit 4 Click the new rule’s Add icon.[...]

  • Page 158

    Figure 104 System > WWW (First Example Admin Service Rule Configured) 5 Set the Zone to ALL and set the Action to Deny. Click OK. Figure 105 System > WWW > Service Control Rule Edit 6 Click Apply.[...]

  • Page 159

    Figure 106 System > WWW (Second Example Admin Service Rule Configured) Now administrator access to the web configurator can only come from the LAN1 zone. Non-admin users can still use HTTPS to log into the ZyWALL from any of the ZyWALL’s zones (to use SSL VPN for exampl[...]

  • Page 160

    6.8.1 How to Turn On the ALG Click Network > ALG. Select Enable H.323 transformations and click Apply. Figure 108 Network > ALG 6.8.2 How to Set Up a Virtual Server Policy For H.323 In this example, you need a virtual server policy to forward H.323 (TCP port 1720) traff[...]

  • Page 161

    Figure 110 Network > Virtual Server > Add 6.8.3 How to Set Up a Firewall Rule For H.323 Here is how to configure a firewall rule to allow H.323 (TCP port 1720) traffic received on the WAN_IP-for-H323 IP address to go to LAN1 IP address 192.168.1.56. 1 Click Firewall. In Fr[...]

  • Page 162

    Figure 112 Firewall > Add 4 Configure an address object for the ZyWALL’s 10.0.0.8 WAN IP address as follows and click OK. Figure 113 Object > Address > Add 5 Configure the screen as follows and click OK. Figure 114 Firewall > WAN to LAN > Add Now people can c[...]

  • Page 163

    An Ethernet switch connects both ZyWALLs’ lan1 interfaces to LAN1. Whichever ZyWALL is functioning as the master uses the default gateway IP address of the LAN1 computers (192.168.1.1) for its lan1 interface and the static public IP address (1.1.1.1) for its wan1 interface. If [...]

  • Página 164

    2 Configure 192.168.1.3 as the Management IP and 255.255.255.0 as the Subnet Mask. Click OK. Figure 117 Device HA > Active-Passive Mode > Edit: Master ZyWALL Example 3 Set the Device Role to Master. This example focuses on LAN1’s connection to the Internet through the [...]

  • Page 165

    Figure 119 Device HA > General: Master ZyWALL Example 6.9.3 How to Configure the Backup ZyWALL 1 Connect a computer to ZyWALL B’s lan1 interface and log into its web configurator. Connect ZyWALL B to the Internet and subscribe it to the same subscription services (like [...]

  • Page 166

    Figure 121 Device HA > Active-Passive Mode: Backup ZyWALL Example 5 Click the General tab. Turn on device HA and click Apply. Figure 122 Device HA > General: Master ZyWALL Example 6.9.4 How to Deploy the Backup ZyWALL Connect ZyWALL B’s lan1 interface to the LAN1 net[...]

  • Page 167

    Maintenance > File Manager > Configuration File screen to save copies of the ZyWALLs’ configuration files that you can compare. 2 To test your device HA configuration, disconnect ZyWALL A’s lan1 or wan1 interface. Computers on LAN1 should still be able to access the [...]

  • Page 168

    Figure 125 Creating the Address Object for the wan2 Public IP Address 6.10.2 How to Configure a Virtual Server You need a virtual server to send HTTP traffic coming to IP address 1.1.1.2 on wan2 to the HTTP server’s private IP address of 192.168.3.7. In the Network > Vir[...]

  • Page 169

    The firewall allows traffic from the WAN zone to the DMZ zone by default so your configuration is done. Now the public can go to IP address 1.1.1.2 to access the HTTP server. If a domain name is registered for IP address 1.1.1.2, users can just go to the domain name to access the w[...]

  • Page 170

    [...]

  • Page 171

    CHAPTER 7 Status 7.1 Overview Use the Status screens to check status information about the ZyWALL. 7.1.1 What You Can Do in the Status Screens Use the Status screens for the following. • Use the main Status screen (see Section 7.2 on page 171) to see the ZyWALL’s general device [...]

  • Page 172

    Figure 127 Status The following table describes the labels in this screen. Table 32 Status LABEL DESCRIPTION Refresh Interval Select how often you want the screen to automatically refresh. Refresh Now Click this to update the screen immediately. Device Information System Name This [...]

  • Page 173

    Current Date/Time This field displays the current date and time in the ZyWALL. The format is yyyy-mm-dd hh:mm:ss. VPN Status Click this to look at the VPN tunnels that are currently established. See Section 7.2.4 on page 178. DHCP Table Click this to look at the IP addresses [...]

  • Page 174

    Signature Version This field displays the version number, date, and time of the current set of signatures the ZyWALL is using. Last Update Time This field displays the last time the ZyWALL received updated signatures. Total Signature Number This field displays the total[...]

  • Page 175

    7.2.1 The CPU Usage Screen Use this screen to look at a chart of the ZyWALL’s recent CPU usage. To access this screen, click CPU Usage in the Status screen. HA Status This field displays the status of the interface in the virtual router. Active - This interface is the mast[...]

  • Page 176

    Figure 128 Status > CPU Usage The following table describes the labels in this screen. 7.2.2 The Memory Usage Screen Use this screen to look at a chart of the ZyWALL’s recent memory (RAM) usage. To access this screen, click Memory Usage in the Status screen. Table 33 Statu[...]

  • Page 177

    Figure 129 Status > Memory Usage The following table describes the labels in this screen. 7.2.3 The Session Usage Screen Use this screen to look at a chart of the ZyWALL’s recent traffic session usage. To access this screen, click Session Usage in the Status screen. Tab[...]

  • Page 178

    Figure 130 Status > Session Usage The following table describes the labels in this screen. 7.2.4 The VPN Status Screen Use this screen to look at the VPN tunnels that are currently established. To access this screen, click VPN Status in the Status screen. Table 35 Status >[...]

  • Page 179

    Figure 131 Status > VPN Status The following table describes the labels in this screen. 7.2.5 The DHCP Table Screen Use this screen to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses. To access this screen, clic[...]

  • Page 180

    The following table describes the labels in this screen. 7.2.6 The Port Statistics Screen Use this screen to look at packet statistics for each Gigabit Ethernet port. To access this screen, click Port Statistics in the Status screen. Figure 133 Status > Port Statistics Tabl[...]

  • Page 181

    The following table describes the labels in this screen. 7.2.7 The Port Statistics Graph Screen Use this screen to look at a line graph of packet statistics for each physical port. To access this screen, click Port Statistics in the Status screen and then the Switch to Graphic[...]

  • Page 182

    Figure 134 Status > Port Statistics > Switch to Graphic View The following table describes the labels in this screen. 7.2.8 The Current Users Screen Use this screen to look at a list of the users currently logged into the ZyWALL. To access this screen, click the Number of Logi[...]

  • Page 183

    Figure 135 Status > Current Users The following table describes the labels in this screen. 7.2.9 The Cellular Status Detail Screen Use this screen to look at detailed status information for a cellular (3G) card. To access this screen, click the cellular card’s Detail icon in [...]

  • Page 184

    Cellular System This field displays the type of the network to which the ZyWALL is connected. The network type varies depending on the 3G card you inserted and could be UMTS, UMTS/HSDPA, GPRS or EDGE when you insert a GSM 3G card, or 1xRTT, EVDO Rev.0 or EVDO Rev.A when you in[...]

  • Page 185

    CHAPTER 8 Registration 8.1 Overview Use the Licensing > Registration screens to register your ZyWALL and manage its service subscriptions. 8.1.1 What You Can Do in the Registration Screens • Use the Registration screen (see Section 8.2 on page 186) to register your ZyWALL with myZyXEL.com and[...]

  • Page 186

    Subscription Services Available on the ZyWALL You can have the ZyWALL use anti-virus, IDP/AppPatrol (Intrusion Detection and Prevention and application patrol), and content filtering subscription services. You can also purchase and enter a license key to have the ZyWALL use[...]

  • Page 187

    Figure 137 Licensing > Registration The following table describes the labels in this screen. Table 42 Licensing > Registration LABEL DESCRIPTION General Setup If you select existing myZyXEL.com account, only the User Name and Password fields are available. new myZyXEL.c[...]

  • Page 188

    Note: If the ZyWALL is registered already, this screen is read-only and indicates whether trial services are activated (if any). You can still select the unchecked trial service(s) to activate it after registration. Use the Service screen to update your service subscription [...]

  • Page 189

    8.3 The Service Screen Use this screen to display the status of your service registrations and upgrade licenses. To activate or extend a standard service subscription, purchase an iCard and enter the iCard’s PIN number (license key) in this screen. Click Licensing > Regist[...]

  • Page 190

    [...]

  • Page 191

    CHAPTER 9 Signature Update 9.1 Overview This chapter shows you how to update the ZyWALL’s signature packages. 9.1.1 What You Can Do in the Update Screens • Use the Licensing > Update > Anti-virus screen (Section 9.2 on page 191) to update the anti-virus signatures. See Chapter 28 o[...]

  • Page 192

    Figure 140 Licensing > Update > Anti-Virus The following table describes the labels in this screen. LABEL DESCRIPTION Signature Information The following fields display information on the current signature set that the ZyWALL is using. Anti-Virus Engine Type This field[...]

  • Page 193

    9.3 The IDP/AppPatrol Update Screen Click Licensing > Update > IDP/AppPatrol to display the following screen. The ZyWALL comes with signatures for the IDP and application patrol features. These signatures are continually updated as new attack types evolve. New signat[...]

  • Page 194

    Figure 142 Downloading IDP Signatures Figure 143 Successful IDP Signature Download 9.4 The System Protect Update Screen Click Licensing > Update > System Protect to display the following screen. Use this screen to schedule or immediately download system-protection sig[...]

  • Page 195

    Figure 144 Licensing > Update > System Protect The following table describes the fields in this screen. Table 45 Licensing > Update > System Protect LABEL DESCRIPTION Signature Information The following fields display information on the current signature set tha[...]

  • Page 196

    Figure 145 Downloading System Protect Signatures Figure 146 Successful System Protect Signature Download[...]

  • Page 197

    PART II Network Interface (199) Trunks (269) Policy and Static Routes (277) Routing Protocols (287) Zones (299) DDNS (303) Virtual Servers (309) HTTP Redirect (321) ALG (325)[...]

  • Page 198

    [...]

  • Page 199

    CHAPTER 10 Interface 10.1 Interface Overview Use the Interface screens to configure the ZyWALL’s interfaces. You can also create interfaces on top of other interfaces. • Ports are the physical ports to which you connect cables. • Interfaces are used within the system operationally. You use[...]

  • Page 200

    10.1.2 What You Need to Know About Interfaces Interface Characteristics Interfaces generally have the following characteristics (although not all characteristics apply to each type of interface). • An interface is a logical entity through which (layer-3) packets pass. • An in[...]

  • Page 201

    Trunks and the auxiliary interface have many characteristics that are specific to each type of interface. See Chapter 11 on page 269 and Section 10.14 on page 261 for details. The other types of interfaces--Ethernet, VLAN, bridge, PPPoE/PPTP, and virtual--have a lot of simila[...]

  • Page 202

    * - You cannot set up a PPPoE/PPTP interface, virtual Ethernet interface or virtual VLAN interface if the underlying interface is a member of a bridge. You also cannot add an Ethernet interface or VLAN interface to a bridge if the member interface has a virtual interface or PPPo[...]

  • Page 203

    Figure 147 Network > Interface > Status Each field is described in the following table. Table 48 Network > Interface > Status LABEL DESCRIPTION Interface Status If an Ethernet interface does not have any physical ports associated with it, its entry is displayed in li[...]

  • Page 204

    Status This field displays the current status of each interface. The possible values depend on what type of interface it is. For Ethernet interfaces: Inactive - The Ethernet interface is disabled. Down - The Ethernet interface does not have any physical ports associated with it[...]

  • Page 205

    10.3 The Port Role Screen To access this screen, click Network > Interface > Port Role. Use the Port Role screen to set the ZyWALL’s flexible ports as part of the lan1, ext-wlan or dmz interfaces. This creates a hardware connection between the physical ports at the laye[...]

  • Page 206

    Each section in this screen is described below. 10.4 The Ethernet Summary Screen This screen lists every Ethernet interface and virtual interface created on top of Ethernet interfaces. To access this screen, click Network > Interface > Ethernet. Unlike other types of int[...]

  • Page 207

    Figure 149 Network > Interface > Ethernet Each field is described in the following table. 10.4.1 The Ethernet Edit Screen Click Network > Interface > Ethernet and then the interface’s Edit icon to display the Ethernet Edit screen. Use the Ethernet Edit screen to confi[...]

  • Page 208

    Note: If you create IP address objects based on an interface’s IP address, subnet, or gateway, the ZyWALL automatically updates every rule or setting that uses the object whenever the interface’s IP address settings change. For example, if you change LAN1’s IP address, [...]

  • Page 209

    Figure 150 Network > Interface > Ethernet > Edit (Opt)[...]

  • Page 210

    Each field is described in the table below. The OPT interface’s Edit > Configuration screen contains all of the following fields. Not every field is included in other interface edit screens. Table 51 Network > Interface > Ethernet > Edit LABEL DESCRIPTION General[...]

  • Page 211

    Ingress Bandwidth This is reserved for future use. Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can receive from the network through the interface. Allowed values are 0 - 1048576. MTU Maximum Transmission Unit. Type the maximum size of each data packet[...]

  • Page 212

    More Settings/Less Settings Click this button to display a greater or lesser number of configuration fields. RIP Setting See Section 13.2 on page 288 for more information about RIP. Enable RIP Select this to enable RIP in this interface. Direction This field is effective whe[...]

  • Page 213

    Overwrite Default MAC Address Select this option to have the interface use a different MAC address. Either enter the MAC address in the fields or click Clone by host and enter the IP address of the device or computer whose MAC you are cloning. Once it is successfully configured, th[...]

  • Page 214

    10.5 Interface Wizards You can use the interface wizard (instead of the regular Ethernet Edit screen) to configure a WAN, OPT, or PPP (WAN) interface. To access the interface wizard screens: • Click Network > Interface > Ethernet and then a WAN or OPT interface’s E[...]

  • Page 215

    Figure 152 Interface Wizard: OPT Interface First Screen The following table describes the labels in this screen. 10.5.2 Interface Wizard: WAN Type This screen appears if you are configuring one of the WAN interfaces or you use the OPT interface for a WAN connection. Select th[...]

  • Page 216

    Figure 154 Interface Wizard: Non-WAN OPT Interface Setup The following table describes the labels in this screen. 10.5.4 Interface Wizard: WAN Zone and IP Address Assignment Use this screen to select to which zone the interface belongs and whether it should use a fixed or dynamic[...]

  • Page 217

    Figure 155 Interface Wizard: WAN Interface Zone and IP Address Setup The following table describes the labels in this screen. 10.5.5 Interface Wizard: WAN ISP Connection Settings Use this screen to configure the ISP and WAN interface settings. Figure 156 Interface Wizard: WAN IS[...]

  • Page 218

    The following table describes the labels in this screen. Table 56 Interface Wizard: WAN ISP Connection Settings LABEL DESCRIPTION ISP Parameter This section appears if the interface uses a PPPoE or PPTP Internet connection. User Name Type the user name given to you by your ISP. Y[...]

  • Page 219

    10.5.6 Interface Wizard: Summary (Non-WAN) Use this screen to review the local interface’s settings. Figure 157 Interface Wizard: Summary (Non-WAN) The following table describes the labels in this screen. 10.5.7 Interface Wizard: Summary (WAN) This screen displays the WAN int[...]

  • Page 220

    Figure 158 Interface Wizard: Summary WAN (PPTP Shown) The following table describes the labels in this screen. Table 58 Interface Wizard: Summary WAN LABEL DESCRIPTION Encapsulation This displays what encapsulation this interface uses to connect to the Internet. Base Interface [...]

  • Page 221

    10.6 The PPP Interfaces Screen Use PPP interfaces (PPPoE/PPTP interfaces) to connect to your ISP so you do not have to install or manage PPPoE or PPTP software on each computer in the network. Figure 159 Example: PPPoE/PPTP Interfaces PPPoE/PPTP interfaces are similar to other[...]

  • Page 222

    10.6.1 PPP Interface Edit Screen This screen lets you configure new or existing PPPoE/PPTP interfaces. To access this screen, click the Edit icon in the PPP Interface screen. The PPP interface Edit > Configuration screen is shown here as an example. You can click the Wizard ta[...]

  • Page 223

    Figure 161 Network > Interface > PPP > Edit > Configuration Each field is explained in the following table. Table 60 Network > Interface > PPP > Edit > Configuration LABEL DESCRIPTION General Settings Enable Interface Select this to enable this interface. [...]

  • Page 224

    Description Enter a description of this interface. It is not used elsewhere. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long. Connectivity Nailed-Up Select this if the PPPoE/PPTP connection should always be up. Clear this to have t[...]

  • Page 225

    Ingress Bandwidth This is reserved for future use. Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can receive from the network through the interface. Allowed values are 0 - 1048576. MTU Maximum Transmission Unit. Type the maximum size of each data packet,[...]

  • Page 226

    10.7 Cellular Configuration Screen (3G) 3G (Third Generation) is a digital, packet-switched wireless technology. Bandwidth usage is optimized as multiple users share the same channel and bandwidth is only allocated to users when they send data. It allows fast transfer of voice a[...]

  • Page 227

    Note: Install (or connect) a compatible 3G card to use a cellular connection. See Chapter 50 on page 749 for details. Note: The WAN IP addresses of a ZyWALL with multiple WAN interfaces must be on different subnets. Figure 162 Network > Interface > Cellular The followi[...]

  • Page 228

    10.7.1 Cellular Add/Edit Screen To change your 3G settings, click Network > Interface > Cellular > Add (or Edit). In the pop-up window that displays, select the slot that you want to configure. The following screen displays. Figure 163 Interface > Cellular > Add[...]

  • Page 229

    The following table describes the labels in this screen. Table 63 Interface > Cellular > Add LABEL DESCRIPTION Enable Interface Select this option to turn on this interface. Interface Properties Interface Name This field is read-only. This is the name of the cellular interfa[...]

  • Page 230

    PIN Code This field displays with a GSM or HSDPA 3G card. A PIN (Personal Identification Number) code is a key to a 3G card. Without the PIN code, you cannot use the 3G card. Enter the 4-digit PIN code (0000 for example) provided by your ISP. If you enter the PIN code incorrec[...]

  • Page 231

    10.8 Cellular Status Screen To check your 3G connection status, click Network > Interface > Cellular > Status. The following screen displays. Figure 164 Interface > Cellular > Status More Settings/Less Settings Click this button to display a greater or lesser[...]

  • Page 232

    The following table describes the labels in this screen. Table 64 Interface > Cellular > Status LABEL DESCRIPTION Refresh Click this button to update the information in the screen. # This field is a sequential value, and it is not associated with any interface. Extension Slo[...]

  • Page 233

    10.9 WLAN Interface General Screen The following figure provides an example of a wireless network. The wireless network is in the blue circle. Wireless clients (A and B) connect to an access point (AP) to access other devices (such as the printer) or the Internet. Your ZyWALL [...]

  • Page 234

    Figure 166 Network > Interface > WLAN The following table describes the general wireless LAN labels in this screen. Table 65 Network > Interface > WLAN LABEL DESCRIPTION WLAN Device Settings Enable WLAN Device Select this option to turn on the wireless LAN card. It is re[...]

  • Page 235

    10.9.1 WLAN Add/Edit Screen Use the strongest security that every wireless client in the wireless network supports. Note: WPA2 or WPA2-PSK security is recommended. • You can use the ZyWALL’s local user database to use WPA or WPA2 without using an external RADIUS server[...]

  • Page 236

    • WPA2-PSK and WPA-PSK do not employ user authentication and are known as the personal version of WPA. • WEP is better than no security, but it is still possible for unauthorized devices to figure out the original information pretty quickly. Click Network > Interface [...]

  • Page 237

    Figure 167 Network > Interface > WLAN > Add (No Security)[...]

  • Page 238

    The following table describes the general wireless LAN labels in this screen. Table 67 Network > Interface > WLAN > Add (No Security) LABEL DESCRIPTION General Settings Enable Interface Select this option to turn on the wireless LAN interface. Interface Name Specify a nu[...]

  • Page 239

    Egress Bandwidth Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network. Allowed values are 0 - 1048576. This setting is used in WAN load balancing and bandwidth management. Ingress Bandwidth This is reserved for futu[...]

  • Page 240

    Lease time Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are: infinite - select this if IP addresses never expire. days, hours, and minutes - select this to enter how long IP addresses a[...]

  • Page 241

    10.9.2 WLAN Add/Edit Screen: WEP Security WEP provides a mechanism for encrypting data using encryption keys. Both the ZyWALL and the wireless stations must use the same WEP key to encrypt and decrypt data. Your ZyWALL allows you to configure up to four 64-bit or 128-bit WEP key[...]

  • Page 242

    Figure 169 Network > Interface > WLAN > Add (WEP Security) The following table describes the WEP-related wireless LAN security labels in this screen. See Table 67 on page 238 for information on the 802.1x fields. 10.9.3 WLAN Add/Edit Screen: WPA-PSK/WPA2-PSK Security [...]

  • Page 243

    The following table describes the WPA-PSK/WPA2-PSK-related wireless LAN security labels in this screen. 10.9.4 WLAN Add/Edit Screen: WPA/WPA2 Security With WPA or WPA2 security, each user can have a separate user name and password. The ZyWALL uses an external RADIUS server [...]

  • Page 244

    The following table describes the WPA/WPA2-related wireless LAN security labels. Table 70 Network > Interface > WLAN > Add (WPA/WPA2 Security) LABEL DESCRIPTION Authentication Type Select what the ZyWALL uses to authenticate the wireless clients. Sele[...]

  • Page 245

    10.10 WLAN Interface MAC Filter Screen The MAC filter allows you to give specific wireless clients exclusive access to the ZyWALL (allow association) or block specific devices from accessing the ZyWALL (deny association) based on the devices’ MAC addresses. To display your Zy[...]

  • Page 246

    If you set the filter to deny access and add the MAC address of a connected device, the ZyWALL drops the device’s connection immediately. However, if you set the filter to allow only the specified MAC addresses, the ZyWALL does not immediately disconnect all connected wirel[...]

  • Page 247

    10.12 VLAN Interface Screen A Virtual Local Area Network (VLAN) divides a physical network into multiple logical networks. The standard is defined in IEEE 802.1q. Figure 175 Example: Before VLAN In this example, there are two physical networks and three departments A, B, and C[...]

  • Page 248

    Figure 176 Example: After VLAN Each VLAN is a separate network with separate IP addresses, subnet masks, and gateways. Each VLAN also has a unique identification number (ID). The ID is a 12-bit value that is stored in the MAC header. The VLANs are connected to switches, and the s[...]

  • Page 249

    Note: Each VLAN interface is created on top of only one Ethernet interface. Otherwise, VLAN interfaces are similar to other interfaces in many ways. They have an IP address, subnet mask, and gateway used to make routing decisions. They restrict bandwidth and packet size. They can [...]

  • Page 250

    10.12.2 Configuring the VLAN Add/Edit Screen This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and ping check for each VLAN interface. To access this screen, click the Add icon at the top of the Add column or click an Edit icon ne[...]

  • Page 251

    Figure 178 Network > Interface > VLAN > Edit Each field is explained in the following table. Table 75 Network > Interface > VLAN > Edit LABEL DESCRIPTION General Settings Enable Interface Select this to enable this interface. Clear this to disable this interfac[...]

  • Page 252

    Interface Name This field is read-only if you are editing an existing VLAN interface. Enter the number of the VLAN interface. You can use a number from 0~4094. See Chapter 50 on page 749 for the total number of VLANs you can configure on the ZyWALL. For example, vlan0, vlan8, [...]

  • Page 253

    Connectivity Check The interface can regularly check the connection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt is a failure, and how many consec[...]

  • Page 254

    IP Pool Start Address Enter the IP address from which the ZyWALL begins allocating IP addresses. If you want to assign a static IP address to a specific computer, click Add Static DHCP. If this field is blank, the Pool Size must also be blank. In this case, the ZyWALL can ass[...]

  • Page 255

    Chapter 10 Interface ZyWALL USG 100/200 Series User’s Gu ide 255 10.13 Bridge Interface Screen A bridge creates a connectio n between two or more netw ork segments at the layer-2 (MAC address) level. Unlike the device-wide bridge mode in Zy NOS-based ZyW ALLs, this ZyW ALL ca n bridge traffic between some interfaces while it routes traffic for ot[...]

  • Página 256

    Chapter 10 Interface ZyWALL USG 100/200 Series User’s Guide 256 Bridge Interface Overview A bridge interface creates a software bridge be tween the members of the bridge interface. It also becomes the ZyW ALL’ s interface for the resulting network. A bridge interface may co ns is t of the following members: • Zero or one WLAN interfaces • Z[...]

  • Página 257

    Chapter 10 Interface ZyWALL USG 100/200 Series User’s Gu ide 257 10.13.2 Configuring the Bridge Add/Edit Screen This screen lets you configure IP address assi gnment, interface bandwidth parameters, DHCP settings, and ping check for each bridge interface. T o a ccess this screen, click the Add icon at the top of the Ad d column in the Bridge Summ[...]

  • Página 258

    Chapter 10 Interface ZyWALL USG 100/200 Series User’s Guide 258 Figure 182 Network > Interface > Bridge > Add[...]

  • Página 259

    Chapter 10 Interface ZyWALL USG 100/200 Series User’s Gu ide 259 Each field is described in the table below . T able 80 Network > Interface > Bridge > Add LABEL DESCRIPTION General Settings Enable Interface Select this to ena ble this inte rface. Clear this to disable th is interface. Interface Properties Interface Name This field is rea[...]

  • Página 260

    Chapter 10 Interface ZyWALL USG 100/200 Series User’s Guide 260 Interface Parameters Egress Bandwidth Enter the maximum amount of traffic, in kilobits per second, the ZyW ALL can send through the interface to the ne twork. Allowed values are 0 - 104857 6. Ingress Bandwidth This is reserved for future use. Enter the maximum amount of traffic, in k[...]

  • Página 261

    Chapter 10 Interface ZyWALL USG 100/200 Series User’s Gu ide 261 10.14 Auxiliary Interface Screen Use the auxiliary interface as a backup W AN in terface or a way to access the ZyW ALL for remote management. First WINS Server , Second WINS Server T ype the IP address of the WINS (Win dows Internet Naming Service) server that you want to send to t[...]

  • Página 262

    Chapter 10 Interface ZyWALL USG 100/200 Series User’s Guide 262 " Y ou must connect an external m odem to use the auxiliary port. The ZyW ALL uses the auxiliary interface to dial out in two situations. 1 Y ou click the Connect icon on the ZyW ALL St a t u s screen. 2 The load auxiliary interface must connect to satisfy load -balancing requir[...]

  • Página 263

    Chapter 10 Interface ZyWALL USG 100/200 Series User’s Gu ide 263 10.15 V irtual Interface Screen Use virtual interfaces to tell the ZyW ALL where to route packet s. V irtual interfaces can also be used in VPN gateways (see Chapter 20 on page 351 ) and VRRP groups (see Chapter 34 on page 575 ). V irtual interfaces can be created on top of Ethernet[...]

  • Página 264

    Chapter 10 Interface ZyWALL USG 100/200 Series User’s Guide 264 Like other interfaces, virtual in terfaces have an IP address, subnet mask, and gateway used to make routing decisions . Ho wev er , you have to manually specify the IP address and subnet mask; virtual interfaces cannot be DHCP clients. Like other interfaces, you ca n restrict bandwi[...]

  • Página 265

    Chapter 10 Interface ZyWALL USG 100/200 Series User’s Gu ide 265 10.16 Interface T echnical Reference Here is more detailed informati on about interfaces on the ZyW ALL. IP Address Assignment Most interfaces have an IP address and a subnet mask. This information is used to create an entry in the routing table. Figure 186 Example: Entry in the Rou[...]

  • Página 266

    Chapter 10 Interface ZyWALL USG 100/200 Series User’s Guide 266 In the example above, if the ZyW ALL gets a pack et with a destination address of 5.5.5.5, it might not find any entries in the routing table. In this case, the packet is dropped. However, if there is a default router to which the ZyW ALL should send this packet, yo u can specify it [...]

  • Página 267

    Chapter 10 Interface ZyWALL USG 100/200 Series User’s Gu ide 267 In DHCP , every network has at least one DHCP server . When a computer (a DHCP client) joins the network, it submits a DHCP request. The DHCP servers get the request; assign an IP address; and provide the IP address, subnet ma sk, gateway , and availa ble network information to the [...]

  • Página 268

    Chapter 10 Interface ZyWALL USG 100/200 Series User’s Guide 268 WINS WINS (W indows Internet Naming Service) is a W indows implementation of NetBIOS Name Server (NBNS) on W indows. It keeps track of NetBIOS computer names. It stores a mapping table of your network’ s comput er names and IP addresse s. The table is dynamically up da ted for IP a[...]

  • Page 269

    CHAPTER 11 Trunks
    11.1 Overview
    Use trunks for WAN traffic load balancing to increase overall network throughput and reliability. Load balancing divides traffic loads between multiple interfaces. This allows you to improve quality of service and maximize bandwidth utilization for multiple ISP lin[...]

  • Page 270

    • If that interface’s connection goes down, the ZyWALL can still send its traffic through another interface.
    • You can define multiple trunks for the same physical interfaces.
    Link Sticking
    You can have the ZyWALL send each local computer’s traffic through a sing[...]

  • Page 271

    Least Load First
    The least load first algorithm uses the current (or recent) outbound bandwidth utilization of each trunk member interface as the load balancing index when deciding which interface a new session is distributed to. The outbound bandwidth utiliz[...]

  • Page 272

    Figure 189 Weighted Round Robin Algorithm Example
    Spillover
    The spillover load balancing algorithm sends network traffic to the first interface in the trunk member list until the interface’s maximum allowable load is reached, then sends the excess network traffic of new sessi[...]
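
The three algorithms described above (least load first, weighted round robin, spillover), as an added session-distribution simulator in Python. This is not code from the manual or from ZyXEL: member names, egress bandwidths, weights and current loads are constructed, and the `up` flag stands in for the result of the interface connectivity check, so a failed member drops out of the rotation as the overview says.

```python
"""Trunk load balancing: least load first, weighted round robin and spillover
as a simulator over new sessions, including a member whose connectivity check
has failed. Added example; members, bandwidths and loads are constructed."""
from dataclasses import dataclass


@dataclass
class Member:
    name: str
    egress_kbps: int      # configured egress bandwidth = maximum allowable load
    weight: int = 1       # weighted round robin ratio
    load_kbps: int = 0    # current outbound utilisation (least load first index)
    up: bool = True       # result of the interface's connectivity check


class Trunk:
    def __init__(self, members, algorithm):
        self.members = list(members)
        self.algorithm = algorithm
        self._credits = {m.name: 0 for m in self.members}   # WRR bookkeeping

    def pick(self, session_kbps):
        """Choose the member interface for one new session and account its load."""
        alive = [m for m in self.members if m.up]   # a down member receives nothing
        if not alive:
            return None
        if self.algorithm == "llf":
            # least load first: lowest outbound utilisation ratio wins
            m = min(alive, key=lambda x: x.load_kbps / x.egress_kbps)
        elif self.algorithm == "wrr":
            # weighted round robin: each member gets `weight` sessions per cycle
            m = next((x for x in alive if self._credits[x.name] > 0), None)
            if m is None:
                for x in alive:
                    self._credits[x.name] = x.weight
                m = alive[0]
            self._credits[m.name] -= 1
        elif self.algorithm == "spillover":
            # fill the first member up to its maximum load, then the next;
            # if every member is full the last one absorbs the excess
            m = next((x for x in alive if x.load_kbps + session_kbps <= x.egress_kbps),
                     alive[-1])
        else:
            raise ValueError("unknown algorithm " + self.algorithm)
        m.load_kbps += session_kbps
        return m.name


def distribute(trunk, sessions_kbps):
    """Return the member chosen for each new session, in order."""
    return [trunk.pick(s) for s in sessions_kbps]


if __name__ == "__main__":
    wrr = Trunk([Member("wan1", 10000, weight=3), Member("wan2", 2000, weight=1)], "wrr")
    print(distribute(wrr, [100] * 5))   # three sessions on wan1, one on wan2, then wan1 again
```

Note that least load first is the only one of the three that looks at measured utilisation; weighted round robin counts sessions, not bytes, so a single heavy session on the low-weight member can still saturate it.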

  • Page 273

    Figure 191 Network > Interface > Trunk
    The following table describes the items in this screen.
    11.2.1 The Trunk Edit Screen
    Click Network > Interface > Trunk and then the Edit icon to open the Trunk Edit screen.
    Table 87 Network > Interface > Trunk (LABEL / DESCRIP[...]

  • Page 274

    Figure 192 Network > Interface > Trunk > Edit
    Each field is described in the table below.
    Table 88 Network > Interface > Trunk > Edit (LABEL / DESCRIPTION)
    Name: This is the descriptive name for this trunk.
    Load Balancing Algorithm: Select a load balancing method to u[...]

  • Page 275

    11.3 Trunk Technical Reference
    Round Robin Load Balancing Algorithm
    Round Robin scheduling services queues on a rotating basis and is activated only when an interface has more traffic than it can handle. A queue is given an amount of bandwidth irrespective of the incoming traffi[...]

  • Page 277

    CHAPTER 12 Policy and Static Routes
    12.1 Policy and Static Routes Overview
    Use policy routes and static routes to override the ZyWALL’s default routing behavior in order to send packets through the appropriate interface or VPN tunnel. For example, the next figure shows a computer (A) conn[...]

  • Page 278

    12.1.1 What You Can Do in the Policy and Static Route Screens
    • Use the Policy Route screens (see Section 12.2 on page 279) to list and configure policy routes.
    • Use the Static Route screens (see Section 12.3 on page 283) to list and configure st[...]

  • Page 279

    Policy Routes Versus Static Routes
    • Policy routes are more flexible than static routes. You can select more criteria for the traffic to match and can also use schedules, NAT, and bandwidth management.
    • Policy routes are only used within the ZyWALL itse[...]
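
The routing decision described in the interface technical reference (page 266: a destination with no routing-table entry is dropped unless a default router is configured) and here (policy routes match on richer criteria and take precedence over the routing table), as an added Python example. It is not code from the manual or from ZyXEL; the connected networks, interfaces, next hops and policy-route criteria are constructed for illustration.

```python
"""Route selection: policy routes first (top-down, first match wins, matching on
source and service as well as destination), then the routing table by longest
prefix, then the default router, otherwise drop. Added example; every address,
interface and rule below is constructed."""
import ipaddress

# Connected networks that the interfaces' IP/mask settings put in the routing
# table (assumed addressing, not the manual's).
ROUTING_TABLE = [
    {"dest": "10.0.0.0/24",    "iface": "lan1"},
    {"dest": "192.168.1.0/24", "iface": "dmz"},
    {"dest": "1.1.1.0/24",     "iface": "wan1"},
    {"dest": "2.2.2.0/24",     "iface": "wan2"},
]

# Policy routes, evaluated in order. "port" is the destination TCP/UDP port
# (None = any service); "src" is the source-network criterion.
POLICY_ROUTES = [
    {"name": "sip_via_wan2", "src": "10.0.0.0/24",    "port": 5060, "next_hop": "2.2.2.254"},
    {"name": "dmz_via_wan1", "src": "192.168.1.0/24", "port": None, "next_hop": "1.1.1.254"},
]


def longest_prefix(table, dst):
    """Return the most specific routing-table entry covering dst, or None."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for entry in table:
        net = ipaddress.ip_network(entry["dest"])
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return best[1] if best else None


def route(src, dst, port=None, default_gateway=None):
    """Return (egress interface, next hop, reason), or None if the packet is dropped."""
    # 1. Policy routes override the routing table; first match wins.
    for pr in POLICY_ROUTES:
        in_src = ipaddress.ip_address(src) in ipaddress.ip_network(pr["src"])
        if in_src and pr["port"] in (None, port):
            via = longest_prefix(ROUTING_TABLE, pr["next_hop"])
            if via:   # the next hop must itself sit on a connected network
                return via["iface"], pr["next_hop"], "policy:" + pr["name"]
    # 2. Routing table: longest prefix match, deliver on-link.
    entry = longest_prefix(ROUTING_TABLE, dst)
    if entry:
        return entry["iface"], dst, "connected"
    # 3. No entry: hand to the default router if one is configured, else drop.
    if default_gateway:
        via = longest_prefix(ROUTING_TABLE, default_gateway)
        if via:
            return via["iface"], default_gateway, "default"
    return None


if __name__ == "__main__":
    print(route("10.0.0.5", "5.5.5.5"))                               # None: dropped
    print(route("10.0.0.5", "5.5.5.5", default_gateway="1.1.1.254"))  # ('wan1', '1.1.1.254', 'default')
    print(route("10.0.0.5", "5.5.5.5", port=5060))                    # policy route out of wan2
```

The order of the three steps is the security-relevant part: a policy route that matches on source or service silently wins over any static route to the same destination, so review policy routes before trusting what the static routing table says about where traffic leaves.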

  • Page 280

    The following table describes the labels in this screen.
    Table 89 Network > Routing > Policy Route (LABEL / DESCRIPTION)
    Enable BWM: This is a global setting for enabling or disabling bandwidth management on the ZyWALL. You must enable this setting to have indi[...]

  • Page 281

    12.2.1 Policy Route Edit Screen
    Click Network > Routing to open the Policy Route screen. Then click the Add or Edit icon to open the Policy Route Edit screen. Use this screen to configure or edit a policy route. See NAT Loopback Example on page 317 for an example[...]

  • Page 282

    Schedule: Select a schedule or select Create Object to configure a new one (see Chapter 38 on page 619 for details). none means the route is active at all times if enabled.
    Service: Select a service or service group from the drop-down list box. Select Create Object t[...]

  • Page 283

    12.3 IP Static Route Screen
    Click Network > Routing > Static Route to open the Static Route screen. This screen displays the configured static routes. Configure static routes to be able to use RIP or OSPF to propagate the routing information to oth[...]

  • Page 284

    Figure 196 Network > Routing > Static Route
    The following table describes the labels in this screen.
    12.3.1 Static Route Add/Edit Screen
    Select a static route index number and click Add or Edit. The screen shown next appears. Use this screen to configure the [...]

  • Page 285

    12.4 Policy Routing Technical Reference
    Here is more detailed information about some of the features you can configure in policy routing.
    NAT and SNAT
    NAT (Network Address Translation, RFC 1631) is the translation of the IP address in a packet in on[...]

  • Page 286

    Incoming service: Game (UDP: 1234)
    Trigger service: Game-1 (UDP: 5670-5678)
    1 Computer A wants to play a multiplayer online game and tries to connect to game server 1 using port 1234. The ZyWALL records the IP address of computer A when the packets match a polic[...]

  • Page 287

    CHAPTER 13 Routing Protocols
    13.1 Routing Protocols Overview
    Routing protocols give the ZyWALL routing information about the network from other routers. The ZyWALL stores this routing information in the routing table it uses to make routing decisions. In turn, the ZyWALL can also use routing pro[...]

  • Page 288

    13.2 The RIP Screen
    RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a device to exchange routing information with other routers. RIP is a distance-vector routing protocol, and, like most such protocols, it uses hop count to decide which route is the shortest[...]

  • Page 289

    13.3 The OSPF Screen
    OSPF (Open Shortest Path First, RFC 2328) is a link-state protocol designed to distribute routing information within a group of networks, called an Autonomous System (AS). OSPF offers some advantages over distance-vector routing protocols like RIP.
    • OS[...]

  • Page 290

    • A normal area is a group of adjacent networks. A normal area has routing information about the OSPF AS, any networks outside the OSPF AS to which it is directly connected, and any networks outside the OSPF AS that provide routing information to any area in the OSPF AS.[...]

  • Page 291

    • An Area Border Router (ABR) connects two or more areas. It is a member of all the areas to which it is connected, and it filters, summarizes, and exchanges routing information between them.
    • An Autonomous System Boundary Router (ASBR) exchanges routing informat[...]

  • Page 292

    Figure 202 OSPF: Virtual Link
    In this example, area 100 does not have a direct connection to the backbone. As a result, you should set up a virtual link on both ABRs in area 10. The virtual link becomes the connection between area 100 and the backbone. You cannot create a [...]

  • Page 293

    The following table describes the labels in this screen. See Section 13.3.2 on page 293 for more information as well.
    13.3.2 OSPF Area Add/Edit Screen
    The OSPF Area Add/Edit screen allows you to create a new area or edit an existing one. To access this screen, go to the OS[...]

  • Page 294

    Figure 204 Network > Routing > OSPF > Edit
    The following table describes the labels in this screen.
    Table 97 Network > Routing > OSPF > Edit (LABEL / DESCRIPTION)
    Area ID: Type the unique, 32-bit identifier for the area in IP address format.
    Type: Select the [...]

  • Page 295

    13.4 Routing Protocol Technical Reference
    Here is more detailed information about RIP and OSPF.
    Authentication Types
    Authentication is used to guarantee the integrity, but not the confidentiality, of routing updates. The transmitting router uses its key to authenticate the[...]

  • Page 296

    • The packet’s message digest is the same as the one the ZyWALL calculates using the MD5 password.
    For RIP, authentication is not available in RIP version 1. In RIP version 2, you can only select one authentication type for all interfaces. For OSPF, the ZyWALL sup[...]
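
What the two authentication types above actually provide, as an added Python example (not code from the manual or ZyXEL). The keyed MD5 digest gives integrity and replay protection, since a modified or replayed update fails verification, but no confidentiality, since the update stays readable on the wire; the simple-password type sends the password itself in clear text. The digest layout follows the shape of RFC 2328 Appendix D (key ID, digest length and sequence number in the authentication field; MD5 over the packet with the 16-octet key appended), but the exact field packing and the sample update text are this example's own assumptions, not a wire-compatible implementation.

```python
"""Routing-update authentication: keyed MD5 digest versus simple password.
Added example; the field packing and sample update are constructed."""
import hashlib
import hmac
import struct

KEY_LEN = 16


def _key16(key: bytes) -> bytes:
    """Keys are zero-padded (or truncated) to 16 octets before hashing."""
    return key[:KEY_LEN].ljust(KEY_LEN, b"\x00")


def md5_sign(update: bytes, key: bytes, key_id: int, seq: int) -> bytes:
    # authentication field: reserved(16) | key id(8) | digest length(8) | sequence(32)
    auth = struct.pack("!HBBI", 0, key_id, KEY_LEN, seq)
    packet = auth + update
    digest = hashlib.md5(packet + _key16(key)).digest()   # the key itself never leaves the router
    return packet + digest


def md5_verify(message: bytes, keys: dict, last_seq: int):
    """Return (ok, seq). keys maps key id -> secret; last_seq is the highest
    sequence number already accepted from this neighbour."""
    if len(message) < 8 + KEY_LEN:
        return False, None
    packet, digest = message[:-KEY_LEN], message[-KEY_LEN:]
    _, key_id, dlen, seq = struct.unpack("!HBBI", packet[:8])
    key = keys.get(key_id)
    if key is None or dlen != KEY_LEN:
        return False, seq
    expected = hashlib.md5(packet + _key16(key)).digest()
    if not hmac.compare_digest(expected, digest):   # tampered update or wrong key
        return False, seq
    if seq < last_seq:                               # replayed old update
        return False, seq
    return True, seq


def simple_sign(update: bytes, password: bytes) -> bytes:
    """Simple password: the 8-octet password travels in clear text."""
    return password[:8].ljust(8, b"\x00") + update


def simple_verify(message: bytes, password: bytes) -> bool:
    return hmac.compare_digest(message[:8], password[:8].ljust(8, b"\x00"))


if __name__ == "__main__":
    keys = {1: b"s3cret-key"}
    msg = md5_sign(b"update: 10.0.0.0/24 metric 1", keys[1], key_id=1, seq=42)
    print(md5_verify(msg, keys, last_seq=41))   # (True, 42)
    print(msg[8:-16])   # readable by any sniffer: integrity, not confidentiality
```

Two practical consequences follow from the block: anyone who can sniff the segment learns the advertised prefixes (and, with simple password, the password), and because MD5 authentication on the ZyWALL is selected per interface or area, mixed neighbours must all carry the same key ID and key or their updates are silently rejected. Where the peer supports it, the HMAC-SHA authentication of RFC 5709 is the stronger choice for OSPFv2.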


  • Page 299

    CHAPTER 14 Zones
    14.1 Zones Overview
    Set up zones to configure network security and network policies in the ZyWALL. A zone is a group of interfaces and VPN tunnels. The ZyWALL uses zones, not interfaces, in many security and policy settings, such as firewall rules and remote management. Zones canno[...]

  • Page 300

    14.1.2 What You Need to Know About Zones
    Effects of Zones on Different Types of Traffic
    Zones effectively divide traffic into three types (intra-zone traffic, inter-zone traffic, and extra-zone traffic), which are affected differently by zone-based security and policy settin[...]

  • Page 301

    Figure 206 Network > Zone
    The following table describes the labels in this screen.
    14.2.1 The Zone Edit Screen
    The Zone Edit screen allows you to edit a zone. To access this screen, go to the Zone screen (see Section 14.2 on page 300), and click an Edit icon.
    Figure 207 Network >[...]

  • Page 302

    Member List: Available Interface lists the interfaces that do not belong to any zone. The word in front of the name indicates whether this member is an interface or a VPN tunnel. Select any interfaces that you want to add to the zone you are editing, and click the right arrow butt[...]

  • Page 303

    CHAPTER 15 DDNS
    15.1 DDNS Overview
    Dynamic DNS (DDNS) services let you use a domain name with a dynamic IP address.
    15.1.1 What You Can Do in the DDNS Screens
    • Use the DDNS screen (see Section 15.2 on page 304) to view a list of the configured DDNS domain names and their details.
    • Use the DDNS[...]

  • Page 304

    Note: Record your DDNS account’s user name, password, and domain name to use to configure the ZyWALL.
    After you configure the ZyWALL, it automatically sends updated IP addresses to the DDNS service provider, which helps redirect traffic accordingly.
    Finding Out More
    See Secti[...]

  • Page 305

    15.2.1 The Dynamic DNS Add/Edit Screen
    The DDNS Add/Edit screen allows you to add a domain name to the ZyWALL or to edit the configuration of an existing domain name. Click Network > DDNS and then an Add or Edit icon to open this screen.
    Figure 209 Network > DDNS > Add
    Backu[...]

  • Page 306

    The following table describes the labels in this screen.
    Table 102 Network > DDNS > Add (LABEL / DESCRIPTION)
    Enable DDNS Profile: Select this check box to use this DDNS entry.
    Profile Name: When you are adding a DDNS entry, type a descriptive name for this DDNS entry in the ZyWALL.[...]

  • Page 307

    15.3 The DDNS Status Screen
    The DDNS Status screen shows the status of the ZyWALL’s DDNS domain names. To access this screen, log in to the web configurator. When the main screen appears, click Network > DDNS > Status. The following screen appears.
    IP Address: The optio[...]

  • Page 308

    Figure 210 Network > DDNS > Status
    The following table describes the labels in this screen.
    Table 103 Network > DDNS > Status (LABEL / DESCRIPTION)
    Profile Name: This field displays the descriptive profile name for this entry.
    Domain Name: This field displays each domain name t[...]

  • Page 309

    CHAPTER 16 Virtual Servers
    16.1 Virtual Servers Overview
    Virtual servers are computers on a private network behind the ZyWALL that you make available outside the private network. If the ZyWALL has only one public IP address, you can make the computers in the private network available by using po[...]

  • Page 310

    Finding Out More
    • See Section 5.4.19 on page 119 for related information on these screens.
    • See Section 6.8.2 on page 160 for an example of how to configure a virtual server to allow H.323 traffic from the WAN to LAN1.
    • See Section 16.3 on page 313 for example[...]

  • Page 311

    16.2.1 The Virtual Server Add/Edit Screen
    The Virtual Server Add/Edit screen lets you create new virtual servers and edit existing ones. To open this window, open the Virtual Server summary screen (see Section 16.2 on page 310). Then, click on an Add icon or Edit icon t[...]

  • Page 312

    Original IP: Use the drop-down list box to indicate which destination IP address this virtual server supports. Choices are:
    Any - this virtual server supports the IP address of the selected interface.
    User Defined - this virtual server supports a specific IP address, sp[...]

  • Page 313

    16.3 NAT 1:1 and NAT Loopback Examples
    The following sections provide examples of manually configuring NAT 1:1 mapping and a policy route rule for NAT loopback. These are provided for your reference; you can select options in the Virtual Server Add/Edit screen to have [...]

  • Page 314

    NAT 1:1 Address Objects
    First create two address objects for the private and public IP addresses (LAN_SMTP and WAN_EG) in the Object > Address screen as shown next.
    Figure 215 Create Address Objects
    Figure 216 Address Objects
    NAT 1:1 Virtual Server
    This section sets u[...]

  • Page 315

    Figure 217 NAT 1:1 Example Virtual Server
    The wan2 interface has a different IP address than 1.1.1.1, so in order for the ZyWALL gateway to be able to do ARP resolution correctly, you need to create a wan2 virtual server entry. In the Network > Virtual Server scre[...]

  • Page 316

    Figure 219 NAT 1:1 Example Policy Route
    Click Network > Routing > Policy Route > Add and configure the screen as shown next. Be careful of where you create the route, as routes are ordered in descending priority.
    Figure 220 Create a Policy Route
    NAT 1:1 Firewall R[...]

  • Page 317

    Figure 221 Create a Firewall Rule
    NAT Loopback Example
    The NAT 1:1 Example on page 313 maps a public IP address to the private IP address of a LAN1 SMTP mail server to allow users to access the SMTP mail server from the WAN. LAN1 users can also use an IP address to access [...]

  • Page 318

    NAT Loopback Virtual Server
    When a LAN1 user sends SMTP traffic to IP address 1.1.1.1, the traffic comes into the ZyWALL through the LAN1 interface, so it does not match the NAT 1:1 mapping’s virtual server rule for SMTP traffic coming to IP 1.1.1.1 from WAN2. S[...]

  • Page 319

    NAT Loopback Policy Route
    Without a NAT loopback policy route, the LAN1 user’s SMTP traffic goes to the LAN1 SMTP server with the LAN1 computer’s IP address as the source. The source address is in the same subnet, so the LAN1 SMTP server replies directly. The retur[...]

  • Page 320

    Figure 227 Create a Policy Route
    Now the LAN1 SMTP server replies to the ZyWALL’s LAN1 IP address and the ZyWALL changes the source address to 1.1.1.1 before sending it to the LAN1 user’s computer. The source in the return traffic matches the original destinati[...]
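
The NAT 1:1 and NAT loopback flows from the example above, as an added Python simulation (not code from the manual or from ZyXEL). It walks one request from a LAN1 user to 1.1.1.1 through the virtual-server DNAT, with and without the policy route's source translation, lets the server reply, and shows why the user's TCP stack rejects the untranslated direct reply. 1.1.1.1 is the manual's public address; the LAN1 server, gateway and client addresses are assumptions.

```python
"""NAT 1:1 and NAT loopback: a virtual server maps public 1.1.1.1:25 to the
LAN1 SMTP server; for LAN1 users a second virtual server plus a policy route
that rewrites the source to the gateway's LAN1 address force the server's
reply back through the gateway. Added example; private addresses are assumed."""
import ipaddress

PUBLIC_IP = "1.1.1.1"          # from the manual's example
SMTP_SERVER = "192.168.1.10"   # assumed LAN1 SMTP server
GW_LAN1_IP = "192.168.1.1"     # assumed ZyWALL LAN1 interface address
LAN1_NET = ipaddress.ip_network("192.168.1.0/24")

# (incoming interface, original IP, service port, mapped IP)
VIRTUAL_SERVERS = [
    ("wan2", PUBLIC_IP, 25, SMTP_SERVER),   # NAT 1:1 for traffic arriving from the WAN
    ("lan1", PUBLIC_IP, 25, SMTP_SERVER),   # NAT loopback virtual server for LAN1 users
]


def dnat(pkt):
    """Apply the first virtual server whose incoming interface, IP and port match."""
    for iface, orig_ip, port, mapped_ip in VIRTUAL_SERVERS:
        if pkt["in_iface"] == iface and pkt["dst"] == orig_ip and pkt["dport"] == port:
            return {**pkt, "dst": mapped_ip}
    return pkt


def deliver(request, loopback_policy_route):
    """Forward one request to the server, let the server reply, and return the
    reply as the requester finally sees it."""
    fwd = dnat(request)
    translated = fwd["dst"] != request["dst"]
    if loopback_policy_route and request["in_iface"] == "lan1" and translated:
        fwd = {**fwd, "src": GW_LAN1_IP}     # policy route SNAT: source = gateway LAN1 IP
    # The server answers whatever source address it saw.
    reply = {"src": fwd["dst"], "dst": fwd["src"], "sport": fwd["dport"], "dport": fwd["sport"]}
    if reply["dst"] != GW_LAN1_IP and ipaddress.ip_address(reply["dst"]) in LAN1_NET:
        # Same subnet as the server: it replies directly, the gateway never sees
        # the reply, and nothing undoes the destination translation.
        return reply
    # The reply passed back through the gateway: restore the original addresses.
    return {**reply, "src": request["dst"], "dst": request["src"]}


def accepted(request, reply):
    """A TCP stack only matches a reply whose source is the address it sent to."""
    return (reply["src"], reply["dst"], reply["sport"], reply["dport"]) == \
           (request["dst"], request["src"], request["dport"], request["sport"])


if __name__ == "__main__":
    req = {"src": "192.168.1.20", "dst": PUBLIC_IP, "sport": 40000, "dport": 25, "in_iface": "lan1"}
    print(accepted(req, deliver(req, loopback_policy_route=False)))   # False: triangle reply
    print(accepted(req, deliver(req, loopback_policy_route=True)))    # True
```

The simulation also shows the operational cost of loopback: with the policy route in place the SMTP server logs every LAN1 connection as coming from the gateway's LAN1 address, so per-client rate limits or source-based access controls on the server no longer see the real client.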

  • Page 321

    CHAPTER 17 HTTP Redirect
    17.1 Overview
    HTTP redirect forwards the client’s HTTP request (except HTTP traffic destined for the ZyWALL) to a web proxy server. In the following example, proxy server A is connected to the dmz interface. When a client connected to the lan1 zone wants to open a web p[...]

  • Page 322

    17.1.2 What You Need to Know About HTTP Redirect
    Web Proxy Server
    A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services. A proxy server can act as a firewall or an ALG (application layer gateway) between th[...]

  • Page 323

    Note: You can configure up to one HTTP redirect rule for each (incoming) interface.
    Figure 230 Network > HTTP Redirect
    The following table describes the labels in this screen.
    17.2.1 The HTTP Redirect Edit Screen
    Click Network > HTTP Redirect to open the HTTP Redirect s[...]

  • Page 324

    The following table describes the labels in this screen.
    Table 107 Network > HTTP Redirect > Edit (LABEL / DESCRIPTION)
    Enable: Use this option to turn the HTTP redirect rule on or off.
    Name: Enter a name to identify this rule. You may use 1-31 alphanumeric characters, unde[...]

  • Page 325

    CHAPTER 18 ALG
    18.1 ALG Overview
    Application Layer Gateway (ALG) allows the following applications to operate properly through the ZyWALL’s NAT.
    • FTP - File Transfer Protocol (FTP) is an Internet file transfer service.
    • SIP - Session Initiation Protocol (SIP) is an application-layer proto[...]

  • Page 326

    18.1.2 What You Need to Know About ALG
    Application Layer Gateway (ALG), NAT and Firewall
    The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain NAT-unfriendly applications (such as SIP) to operate properly through the ZyWALL’s NAT and firewall. The Zy[...]

  • Page 327

    • The SIP ALG allows UDP packets with a specified port destination to pass through.
    • The ZyWALL allows SIP audio connections.
    • You do not need to use STUN (Simple Traversal of User Datagram Protocol (UDP) through Network Address Translators) for VoIP devices behind the Zy[...]

  • Page 328

    For example, you configure firewall and virtual server rules to allow LAN IP address A to receive calls through public WAN IP address 1. You configure different firewall and port forwarding rules to allow LAN IP address B to receive calls through public WAN IP address 2. You conf[...]

  • Page 329

    Figure 236 Network > ALG
    The following table describes the labels in this screen.
    Table 108 Network > ALG (LABEL / DESCRIPTION)
    Enable SIP Transformations: Turn on the SIP ALG to allow SIP sessions to pass through the ZyWALL. SIP is a signaling protocol used in VoIP (Voice over IP)[...]

  • Page 330

    18.3 ALG Technical Reference
    Here is more detailed information about the Application Layer Gateway.
    ALG
    Some applications cannot operate through NAT (are NAT-unfriendly) because they embed IP addresses and port numbers in their packets’ data payload. The ZyWALL examines and uses[...]
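
What "examines and uses" the payload means for SIP, as an added Python example (not code from the manual or from ZyXEL, and not how the ZyWALL's own SIP ALG is implemented). The ALG reads the Via and Contact headers and the SDP body, which carry the phone's private address and ports inside the payload where plain NAT never looks, rewrites them to the public address and freshly allocated ports, recomputes Content-Length, and records the pinholes the NAT and firewall must open for the return signalling and RTP. The INVITE, the phone and WAN addresses and the port range are constructed.

```python
"""SIP ALG: rewrite private addresses embedded in SIP headers and SDP, fix
Content-Length, and record the NAT/firewall pinholes the call needs.
Added example with a constructed INVITE; addresses and ports are assumed."""
import re

PRIVATE_PHONE = "192.168.1.50"   # assumed LAN phone
PUBLIC_IP = "1.1.1.1"            # assumed WAN address

INVITE = (   # constructed outbound INVITE from the LAN phone
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776\r\n"
    "Contact: <sip:alice@192.168.1.50:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 86\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 192.168.1.50\r\n"
    "c=IN IP4 192.168.1.50\r\n"
    "m=audio 16384 RTP/AVP 0\r\n"
)


class SipAlg:
    def __init__(self, private_ip, public_ip, first_public_port=30000):
        self.private_ip, self.public_ip = private_ip, public_ip
        self.next_port = first_public_port
        self.port_map = {}      # (private port, kind) -> public port
        self.pinholes = []      # (public port, private ip, private port, kind) to open

    def _map_port(self, private_port, kind):
        key = (private_port, kind)
        if key not in self.port_map:
            public_port = self.next_port
            self.next_port += 2          # keep RTP even / RTCP odd pairing intact
            self.port_map[key] = public_port
            self.pinholes.append((public_port, self.private_ip, private_port, kind))
        return self.port_map[key]

    def outbound(self, msg):
        """Rewrite one LAN-to-WAN SIP message; return the message to forward."""
        head, sep, body = msg.partition("\r\n\r\n")
        # Signalling: Via and Contact embed private_ip:port.
        addr = re.compile(r"(?<![\d.])" + re.escape(self.private_ip) + r":(\d+)")
        head = addr.sub(lambda m: "%s:%d" % (self.public_ip,
                                             self._map_port(int(m.group(1)), "sip")), head)
        # Media description: o=/c= carry the RTP address, m= the RTP port.
        lines = []
        for line in body.split("\r\n"):
            if line.startswith(("c=", "o=")) and self.private_ip in line:
                line = line.replace(self.private_ip, self.public_ip)
            elif line.startswith("m="):
                fields = line.split(" ")
                fields[1] = str(self._map_port(int(fields[1]), "rtp"))
                line = " ".join(fields)
            lines.append(line)
        body = "\r\n".join(lines)
        # The body changed length, so Content-Length must be recomputed.
        head = re.sub(r"Content-Length: \d+", "Content-Length: %d" % len(body), head)
        return head + sep + body


if __name__ == "__main__":
    alg = SipAlg(PRIVATE_PHONE, PUBLIC_IP)
    print(alg.outbound(INVITE))
    print(alg.pinholes)   # what NAT/firewall must open for the answer and the RTP stream
```

The pinhole list is the security-relevant output: each entry is an inbound UDP path the ALG opens on the basis of untrusted payload, which is why an ALG should only ever be enabled for the zones and service ports that actually carry SIP.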

  • Page 331

    H.323
    H.323 is a standard teleconferencing protocol suite that provides audio, data and video conferencing. It allows for real-time point-to-point and multipoint communication between client computers over a packet-based network that does not provide a guaranteed quality of service. N[...]

  • Page 333

    PART III Firewall
    Firewall (335)[...]

  • Page 335

    CHAPTER 19 Firewall
    19.1 Overview
    Use the firewall to block or allow services that use static port numbers. Use application patrol (see Chapter 27 on page 443) to control services using flexible/dynamic port numbers. This figure shows the ZyWALL’s default firewall rules in action and demon[...]

  • Page 336

    19.1.2 What You Need to Know About the Firewall
    Stateful Inspection
    The ZyWALL has a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It also inspects sessions. For example, traffic from one zone is not allowed[...]

  • Page 337

    To-ZyWALL Rules
    Rules with ZyWALL as the To Zone apply to traffic going to the ZyWALL itself. By default:
    • The firewall allows LAN1 and WLAN computers to access or manage the ZyWALL.
    • The ZyWALL drops most packets from the WAN zone to the ZyWALL itself, except [...]

  • Page 338

    Firewall and VPN Traffic
    After you create a VPN tunnel and add it to a zone, you can set the firewall rules applied to VPN traffic. If you add a VPN tunnel to an existing zone (the LAN1 zone for example), you can configure a new LAN to LAN firewall rule or use intra-zone traffic b[...]

  • Page 339

    • The second row is the firewall’s default policy that allows all traffic from the LAN to go to the WAN.
    The ZyWALL applies the firewall rules in order. So for this example, when the ZyWALL receives traffic from LAN1, it checks it against the first rule. If the traffic matc[...]

  • Page 340

    • The third row is (still) the firewall’s default policy of allowing all traffic from LAN1 to go to the WAN.
    Alternatively, you configure a LAN to WAN rule with the CEO’s user name (say CEO) to allow IRC traffic from any source IP address to go to any destination address[...]
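
The ordered, zone-based evaluation the example above describes, as an added Python model (not code from the manual or from ZyXEL). Rules are checked top-down and the first match decides, so the user-specific allow for the CEO has to sit above the general IRC deny, which in turn sits above the default LAN1-to-WAN allow; a session table lets replies to admitted sessions through without a rule lookup, which is the stateful inspection described on page 336. Zones, addresses, the rule set and the intra-zone default are constructed assumptions.

```python
"""Zone-based stateful firewall: ordered rules, first match wins, session table
for replies. Added example; zones, addresses and rules are constructed."""

IRC = ("tcp", 6667)
SELF_IPS = {"10.0.0.1", "1.1.1.1"}   # the gateway's own interface addresses (assumed)
ZONES = {"lan1": "LAN1", "wan1": "WAN", "wan2": "WAN", "dmz": "DMZ"}

# Evaluation order matters: swap the first two rows and the CEO loses IRC.
RULES = [
    {"from": "LAN1", "to": "WAN",    "user": "CEO", "service": IRC,  "action": "allow"},
    {"from": "LAN1", "to": "WAN",    "user": None,  "service": IRC,  "action": "deny"},
    {"from": "LAN1", "to": "WAN",    "user": None,  "service": None, "action": "allow"},  # default policy
    {"from": "WAN",  "to": "LAN1",   "user": None,  "service": None, "action": "deny"},
    {"from": "WAN",  "to": "ZyWALL", "user": None,  "service": None, "action": "deny"},   # to-ZyWALL rule
]


class Firewall:
    def __init__(self, rules, zones, self_ips):
        self.rules, self.zones, self.self_ips = rules, zones, self_ips
        self.sessions = set()     # 5-tuples of sessions an allow rule admitted

    def _zone_of_dst(self, pkt):
        return "ZyWALL" if pkt["dst"] in self.self_ips else self.zones[pkt["out_iface"]]

    def check(self, pkt, user=None):
        """Return the verdict for one packet and update the session table."""
        fwd = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if rev in self.sessions:                 # reply to an admitted session
            return "allow (established)"
        src_zone, dst_zone = self.zones[pkt["in_iface"]], self._zone_of_dst(pkt)
        for n, rule in enumerate(self.rules, 1):   # first match wins
            if (rule["from"], rule["to"]) != (src_zone, dst_zone):
                continue
            if rule["user"] is not None and rule["user"] != user:
                continue
            if rule["service"] is not None and rule["service"] != (pkt["proto"], pkt["dport"]):
                continue
            if rule["action"] == "allow":
                self.sessions.add(fwd)
            return "%s (rule %d)" % (rule["action"], n)
        # Assumed defaults: intra-zone traffic passes, unmatched inter-zone traffic is dropped.
        return "allow (intra-zone default)" if src_zone == dst_zone else "deny (no rule)"


def pkt(src, sport, dst, dport, in_iface, out_iface, proto="tcp"):
    """Build a constructed packet record."""
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "in_iface": in_iface, "out_iface": out_iface}


if __name__ == "__main__":
    fw = Firewall(RULES, ZONES, SELF_IPS)
    print(fw.check(pkt("10.0.0.5", 50000, "203.0.113.7", 6667, "lan1", "wan1"), user="CEO"))
    print(fw.check(pkt("10.0.0.6", 50000, "203.0.113.7", 6667, "lan1", "wan1"), user="bob"))
```

Two things the model makes visible: a user-based rule only works if the user has authenticated to the gateway before the traffic arrives (an unauthenticated CEO falls through to the deny), and the session table is what makes the asymmetric-route case on page 343 fail, because a reply that bypasses the gateway never creates or refreshes the session the gateway expects.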

  • Página 341

    Chapter 19 Firewall ZyWALL USG 100/200 Series User’s Gu ide 341 Figure 240 Firewall Example: Select the Traveling Direction of T raffic 2 Select From W AN and T o L AN1 . Select Create Object in the Destination drop-down list box. Figure 241 Firewall Example: Edit a Firewall Rule 1 3 The screen for configur ing an address obj ect opens. Configure[...]

  • Página 342

    Chapter 19 Firewall ZyWALL USG 100/200 Series User’s Guide 342 Figure 243 Firewall Example: Create a Service Object 6 Enter the name of the firewall rule. 7 Make sure Dest_1 is selected for the Destination and MyService is selected as the Service . Enter a description and configure the rest of the screen as follows. Click OK when you are done. Fi[...]

  • Página 343

    Chapter 19 Firewall ZyWALL USG 100/200 Series User’s Gu ide 343 19.2 The Firewall Screen Asymmetrical Routes If an alternate gateway on LAN1 has an IP address in the same subnet as the ZyW ALL’ s LAN1 IP address, return traffic may not go through the ZyW A LL . This is called an asymmetrical or “triangle” route. This cau ses the ZyW ALL to [...]

  • Página 344

    Chapter 19 Firewall ZyWALL USG 100/200 Series User’s Guide 344 • Besides configurin g the firewall, you also need to configure virtual servers (NA T port forwarding) to allow computers on the W AN to access LAN devices. See Chapter 16 on page 309 for more information. • The ordering of you r rules is very important as rules are applied in seq[...]

  • Página 345

    Chapter 19 Firewall ZyWALL USG 100/200 Series User’s Gu ide 345 From Zone T o Zone This is the direction of travel of packet s. Select from whi ch zone the packets come and to which zone they go. Firewall rules are grouped based on the direction of travel of packets to which they apply . For exampl e, from LAN1 to LAN1 means packets traveling fro[...]

  • Página 346

    Chapter 19 Firewall ZyWALL USG 100/200 Series User’s Guide 346 19.2.2 The Firewall Edit Screen In the Fir e wall screen, click the Edit or Add icon to display the Fir ewall Rule Edit screen. Refer to the following table for information on the labels. Figure 248 Firewall > Edit The following table describes the labels in this screen. Add icon C[...]

• Page 347

Description Enter a descriptive name of up to 60 printable ASCII characters for the firewall rule. Spaces are allowed. Schedule Select a schedule that defines when the rule applies or select Create Object to configure a new one (see Chapter 38 on page 619 for details). Otherwi[...]

• Page 348

[...]

• Page 349

PART IV VPN IPSec VPN (351) SSL VPN (385) SSL User Screens (395) SSL User Application Screens (401) SSL User File Sharing (403) L2TP VPN (409) L2TP VPN Example (415)[...]

• Page 350

[...]

• Page 351

CHAPTER 20 IPSec VPN 20.1 IPSec VPN Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing. It is used to transport tr[...]

• Page 352

• Use the VPN Concentrator screens (see Section 20.4 on page 369) to combine several IPSec VPN connections into a single secure network. • Use the SA Monitor screen (see Section 20.5 on page 371) to display and manage the active IPSec SAs. 20.1.2 What You Need to Know About I[...]

• Page 353

You should set up the following features before you set up the VPN tunnel. • In any VPN connection, you have to select address objects to specify the local policy and remote policy. You should set up the address objects first. • In a VPN gateway, you can select an Ethernet[...]

• Page 354

Each field is discussed in the following table. See Section 20.2.2 on page 360 and Section 20.2.1 on page 355 for more information. Table 115 VPN > IPSec VPN > VPN Connection LABEL DESCRIPTION Use Policy Route to control dynamic IPSec rules Leave this cleared to have the ZyWA[...]

• Page 355

20.2.1 The VPN Connection Add/Edit (IKE) Screen The VPN Connection Add/Edit Gateway screen allows you to create a new VPN connection policy or edit an existing one. To access this screen, go to the VPN Connection screen (see Section 20.2 on page 353), and click either the Add ic[...]

• Page 356

Figure 252 VPN > IPSec VPN > VPN Connection > Edit (IKE)[...]

• Page 357

Each field is described in the following table. Table 116 VPN > IPSec VPN > VPN Connection > Edit LABEL DESCRIPTION General Settings Click Advanced to display more settings. Click Basic to display fewer settings. Connection Name Type the name used to identify this IPSec[...]

• Page 358

SA Life Time Type the maximum number of seconds the IPSec SA can last. Shorter life times provide better security. The ZyWALL automatically negotiates a new IPSec SA before the current one expires, if there are users who are accessing remote resources. Active Protocol Selec[...]

• Page 359

Related Settings Add this VPN connection to IPSec_VPN zone. Select this check box to add the VPN connection policy to the IPSec_VPN security zone. Any security rules or settings configured for the IPSec_VPN security zone will also apply to this VPN connection policy. More Setting[...]

• Page 360

20.2.2 The VPN Connection Add/Edit Manual Key Screen The VPN Connection Add/Edit Manual Key screen allows you to create a new VPN connection or edit an existing one using a manual key. This is useful if you have problems with IKE key management. To access this screen, go to the [...]

• Page 361

Figure 253 VPN > IPSec VPN > VPN Connection > Manual Key > Edit This table describes labels specific to manual key configuration. See Section 20.2 on page 353 for descriptions of the other fields. Table 117 VPN > IPSec VPN > VPN Connection > Manual Key >[...]

• Page 362

Encapsulation Mode Select which type of encapsulation the IPSec SA uses. Choices are Tunnel - this mode encrypts the IP header information and the data Transport - this mode only encrypts the data. You should only select this if the IPSec SA is used for communication be[...]

• Page 363

20.3 The VPN Gateway Screen The VPN Gateway summary screen displays the IPSec VPN gateway policies in the ZyWALL, as well as the ZyWALL's address, remote IPSec router's address, and associated VPN connections for each one. In addition, it also lets you activate and dea[...]

• Page 364

20.3.1 The VPN Gateway Add/Edit Screen The VPN Gateway Add/Edit screen allows you to create a new VPN gateway policy or edit an existing one. To access this screen, go to the VPN Gateway summary screen (see Section 20.3 on page 363), and click either the Add icon or an Edit [...]

• Page 365

Figure 255 VPN > IPSec VPN > VPN Gateway > Edit Each field is described in the following table. Table 119 VPN > IPSec VPN > VPN Gateway > Edit LABEL DESCRIPTION General Settings VPN Gateway Name Type the name used to identify this VPN gateway. You may use 1-31[...]

• Page 366

Peer Gateway Address Select how the IP address of the remote IPSec router in the IKE SA is defined. Select Static Address to enter the domain name or the IP address of the remote IPSec router. You can provide a second IP address or domain name for the ZyWALL to try if it cannot[...]

• Page 367

Peer ID Type Select which type of identification is used to identify the remote IPSec router during authentication. Choices are: IP - the remote IPSec router is identified by an IP address DNS - the remote IPSec router is identified by a domain name E-mail - the remote IPSec r[...]

• Page 368

Encryption Select which key size and encryption algorithm to use in the IKE SA. Choices are: DES - a 56-bit key with the DES encryption algorithm 3DES - a 168-bit key with the DES encryption algorithm AES128 - a 128-bit key with the AES encryption algorithm AES192 - a 192-bit key [...]

• Page 369

20.4 The VPN Concentrator Screen A VPN concentrator combines several IPSec VPN connections into one secure network. Figure 256 VPN Topologies (Fully Meshed and Hub and Spoke) In a fully-meshed VPN topology (1 in the figure), there is a VPN connection between every pair of routers[...]

• Page 370

Figure 257 VPN > IPSec VPN > Concentrator Each field is discussed in the following table. See Section 20.4.1 on page 370 for more information. 20.4.1 The VPN Concentrator Add/Edit Screen The VPN Concentrator Add/Edit screen allows you to create a new VPN concentrator or edit[...]

• Page 371

20.5 The SA Monitor Screen You can use the SA Monitor screen to display and to manage active IPSec SAs. To access this screen, click VPN > IPSec VPN > SA Monitor. The following screen appears. Member This field displays the name of each member in the concentrator. Note: [...]

• Page 372

Figure 260 VPN > IPSec VPN > SA Monitor Each field is described in the following table. Table 122 VPN > IPSec VPN > SA Monitor LABEL DESCRIPTION Name Enter the name of an IPSec SA here and click Search to find it (if it is associated). You can use a keyword or regular e[...]

• Page 373

20.6 IPSec VPN Background Information Here is some more detailed IPSec VPN background information. IKE SA Overview The IKE SA provides a secure connection between the ZyWALL and remote IPSec router. It takes several steps to establish an IKE SA. The negotiation mode determines ho[...]

• Page 374

The ZyWALL sends one or more proposals to the remote IPSec router. (In some devices, you can only set up one proposal.) Each proposal consists of an encryption algorithm, authentication algorithm, and DH key group that the ZyWALL wants to use in the IKE SA. The remote IPSec route[...]

• Page 375

DH public-key cryptography is based on DH key groups. Each key group is a fixed number of bits long. The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. For example, DH2 keys (1024 bits) are more secure than DH1 key[...]

• Page 376

Router identity consists of ID type and content. The ID type can be domain name, IP address, or e-mail address, and the content is a (properly-formatted) domain name, IP address, or e-mail address. The content is only used for identification. Any domain name or e-mail address that[...]

• Page 377

Main mode takes six steps to establish an IKE SA. Steps 1 - 2: The ZyWALL sends its proposals to the remote IPSec router. The remote IPSec router selects an acceptable proposal and sends it back to the ZyWALL. Steps 3 - 4: The ZyWALL and the remote IPSec router exchange pre-sh[...]

• Page 378

Extended Authentication Extended authentication is often used when multiple IPSec routers use the same VPN tunnel to connect to a single IPSec router. For example, this might be used with telecommuters. In extended authentication, one of the routers (the ZyWALL or the remote IPS[...]

• Page 379

IPSec SA Overview Once the ZyWALL and remote IPSec router have established the IKE SA, they can securely negotiate an IPSec SA through which to send data between computers on the networks. Note: The IPSec SA stays connected even if the underlying IKE SA is not available anymo[...]

• Page 380

These modes are illustrated below. In tunnel mode, the ZyWALL uses the active protocol to encapsulate the entire IP packet. As a result, there are two IP headers: • Outside header: The outside IP header contains the IP address of the ZyWALL or remote IPSec router, whichever [...]

• Page 381

IPSec SA using Manual Keys You might set up an IPSec SA using manual keys when you want to establish a VPN tunnel quickly, for example, for troubleshooting. You should only do this as a temporary solution, however, because it is not as secure as a regular IPSec SA. In IPSec[...]

• Page 382

Figure 266 VPN Example: NAT for Inbound and Outbound Traffic Source Address in Outbound Packets (Outbound Traffic, Source NAT) This translation lets the ZyWALL route packets from computers that are not part of the specified local network (local policy) through the IPSec SA. Fo[...]

• Page 383

You have to specify one or more rules when you set up this kind of NAT. The ZyWALL checks these rules similar to the way it checks rules for a firewall. The first part of these rules defines the conditions in which the rule applies. • Original IP - the original destination ad[...]

• Page 384

[...]

• Page 385

CHAPTER 21 SSL VPN 21.1 Overview Use SSL VPN to allow users to use a web browser for secure remote user login (the remote users do not need a VPN router or VPN client software). 21.1.1 What You Can Do in the SSL VPN Screens • Use the VPN > SSL VPN > Access Privilege screens (see Section 21.2 o[...]

• Page 386

Full Tunnel Mode In full tunnel mode, a virtual connection is created for remote users with private IP addresses in the same subnet as the local network. This allows them to access network resources in the same way as if they were part of the internal network. Figure 268 Network Acc[...]

• Page 387

Finding Out More • See Section 5.4.5 on page 115 for related information on these screens. • See Section 21.5 on page 392 for how to establish an SSL VPN connection to the ZyWALL (after you have configured the SSL VPN settings on the ZyWALL). 21.2 The SSL Access Privilege Scre[...]

• Page 388

Figure 270 VPN > SSL VPN > Access Privilege > Add/Edit The following table describes the labels in this screen. Table 127 VPN > SSL VPN > Access Privilege > Add/Edit LABEL DESCRIPTION Configuration Enable Select this option to activate this SSL access policy. Name[...]

• Page 389

21.3 The SSL Connection Monitor Screen The ZyWALL keeps track of the users who are currently logged in to the VPN SSL client portal. Click VPN > SSL VPN in the navigation panel and click the Connection Monitor tab to display the user list. Use this screen to do the following: [...]

• Page 390

• Log out individual users and delete related session information. Once a user logs out, the corresponding entry is removed from the Connection Monitor screen. Figure 271 VPN > SSL VPN > Connection Monitor The following table describes the labels in this screen. 21.4 The SSL[...]

• Page 391

Figure 272 VPN > SSL VPN > Global Setting The following table describes the labels in this screen. Table 129 VPN > SSL VPN > Global Setting LABEL DESCRIPTION Global Setting Network Extension IP Address Specify the IP address of the ZyWALL (or a gateway device) for full t[...]

• Page 392

21.4.1 How to Upload a Custom Logo Follow the steps below to upload a custom logo to display on the remote user SSL VPN screens. 1 Click VPN > SSL VPN and click the Global Setting tab to display the configuration screen. 2 Click Browse to locate the logo graphic. Make sure the[...]

• Page 393

Figure 274 SSL VPN Client Portal Screen Example If the user account is not set up for SSL VPN access, an "SSL VPN connection is not activated" message displays in the Login screen. Clear the Login to SSL VPN check box and try logging in again. For more information on user portal s[...]

• Page 394

[...]

• Page 395

CHAPTER 22 SSL User Screens 22.1 Overview This chapter introduces the remote user SSL VPN screens. The following figure shows a network example where a remote user (A) logs into the ZyWALL from the Internet to access the web server (WWW) on the local network. Figure 275 Network Example 22.1.1 Wh[...]

• Page 396

• Firefox 1.0 and above • Mozilla 1.7.3 and above • Sun's Java (Java Runtime Environment or 'JRE') installed and enabled with a minimum version of 1.4. Required Information A remote user needs the following information from the network administrator to log in[...]

• Page 397

Figure 277 Login Security Screen 3 A login screen displays. Enter the user name and password of your login account. If a token password is also required, enter it in the One-Time Password field. 4 Select Log into SSL VPN and click Login to log in and establish an SSL VPN co[...]

• Page 398

Figure 280 SecuExtender Progress 7 The Application screen displays showing the list of resources available to you. See Figure 281 on page 398 for a screen example. Note: Available resource links vary depending on the configuration your network administrator made. 22.3 Th[...]

• Page 399

The following table describes the various parts of a remote user screen. 22.4 Bookmarking the ZyWALL You can create a bookmark of the ZyWALL by clicking the Add to Favorite icon. This allows you to access the ZyWALL using the bookmark without having to enter the address[...]

• Page 400

Figure 284 Logout: Connection Termination Progress[...]

• Page 401

CHAPTER 23 SSL User Application Screens 23.1 SSL User Application Screens Overview Use the Application screen to access web-based applications (such as web sites and e-mail) on the network through the SSL VPN connection. Which applications you can access depends on the ZyWALL's configuration. 23.[...]

• Page 402

[...]

• Page 403

CHAPTER 24 SSL User File Sharing 24.1 Overview The File Sharing screen lets you access files on a file server through the SSL VPN connection. 24.1.1 What You Need to Know About the SSL VPN File Sharing Use the File Sharing screen to display and access shared files/folders on a file server. You can [...]

• Page 404

Figure 286 File Sharing 24.3 Opening a File or Folder You can open a file if the file extension is recognized by the web browser and the associated application is installed on your computer. 1 Log in as a remote user and click the File Sharing tab. 2 Click on a file s[...]

• Page 405

4 A list of files/folders displays. Click on a file to open it in a separate browser window. You can also click a folder to access it. For this example, click on a .doc file to open the Word document. Figure 288 File Sharing: Open a Word File 24.3.1 Downloading [...]

• Page 406

Figure 289 File Sharing: Save a Word File 24.4 Creating a New Folder To create a new folder in the file share location, click the New Folder icon. Specify a descriptive name for the folder. You can enter up to 356 characters. Then click Add. Note: Make sure the l[...]

• Page 407

Figure 291 File Sharing: Rename A popup window displays. Specify the new name and/or file extension in the field provided. You can enter up to 356 characters. Then click Apply. Note: Make sure the length of the name does not exceed the maximum allowed on the file[...]

• Page 408

24.7 Uploading a File Follow the steps below to upload a file to the file server. 1 Log into the remote user screen and click the File Sharing tab. 2 Specify the location and/or name of the file you want to upload. Or click Browse to locate it. 3 Click Upload to send [...]

• Page 409

CHAPTER 25 L2TP VPN 25.1 Overview L2TP VPN lets remote users use the L2TP and IPSec client software included with their computers' operating systems to securely connect to the network behind the ZyWALL. The remote users do not need their own IPSec gateways or VPN client software. Figure 295 L2TP V[...]

• Page 410

IPSec Configuration Required for L2TP VPN You must configure an IPSec VPN connection for L2TP VPN to use (see Chapter 20 on page 351 for details). The IPSec VPN connection must: • Be enabled. • Use transport mode. • Not be a manual key VPN connection. • Use Pre-Shared [...]

• Page 411

Finding Out More • See Section 5.4.6 on page 115 for related information on these screens. • See Chapter 26 on page 415 for an example of how to create a basic L2TP VPN tunnel. 25.2 L2TP VPN Screen Click VPN > L2TP VPN to open the following screen. Use this screen to configu[...]

• Page 412

25.3 L2TP VPN Session Monitor Screen Click VPN > L2TP VPN > Session Monitor to open the following screen. Use this screen to display and manage the ZyWALL's connected L2TP VPN sessions. Figure 298 VPN > L2TP VPN > Session Monitor The following table describes the fie[...]

• Page 413

Hostname This field displays the name of the computer that has this L2TP VPN connection with the ZyWALL. Assigned IP This field displays the IP address that the ZyWALL assigned for the remote user's computer to use within the L2TP VPN tunnel. Public IP This field displays the pub[...]

• Page 414

[...]

• Page 415

CHAPTER 26 L2TP VPN Example This chapter shows how to create a basic L2TP VPN tunnel. 26.1 L2TP VPN Example This chapter uses the following settings in creating a basic L2TP VPN tunnel. Figure 299 L2TP VPN Example • The ZyWALL has a static IP address of 172.16.1.2 for the wan1 interface. • T[...]

• Page 416

Figure 300 VPN > IPSec VPN > VPN Gateway > Edit • Configure the My Address setting. This example uses interface wan1 with static IP address 172.16.1.2. • Select Pre-Shared Key and configure a password. This example uses top-secret. Click OK. 2 Click the [...]

• Page 417

Figure 302 VPN > IPSec VPN > VPN Connection > Edit 2 Click the Policy Advanced button. Enforce and configure the local and remote policies. • For the Local Policy, create an address object that uses host type and contains the My Address IP address that you[...]

• Page 418

26.4 Configuring the L2TP VPN Settings Example 1 Click VPN > L2TP VPN to open the following screen. Figure 304 VPN > L2TP VPN Example 2 Configure the following. • Enable the connection. • Set it to use the Default_L2TP_VPN_Connection VPN connection. • Configur[...]

• Page 419

Figure 305 Routing > Add: L2TP VPN Example 2 Configure the following. • Enable the policy route. • Set the policy route's Source Address to the address object that you want to allow the remote users to access (LAN1_SUBNET in this example). • Set the Destinatio[...]

• Page 420

2 Click Next in the Welcome screen. 3 Select Connect to the network at my workplace and click Next. Figure 306 New Connection Wizard: Network Connection Type 4 Select Virtual Private Network connection and click Next. Figure 307 New Connection Wizard: Network Con[...]

• Page 421

Figure 308 New Connection Wizard: Connection Name 6 Select Do not dial the initial connection and click Next. Figure 309 New Connection Wizard: Public Network 7 Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the [...]

• Page 422

Figure 310 New Connection Wizard: VPN Server Selection 8 Click Finish. 9 The Connect L2TP to ZyWALL screen appears. Click Properties > Security. Figure 311 Connect L2TP to ZyWALL 10 Click Security, select Advanced (custom settings) and click Settings. 172.16.1.2[...]

• Page 423

Figure 312 Connect L2TP to ZyWALL: Security 11 Select Optional encryption (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK. Figure 313 Connect ZyWALL L2TP: Sec[...]

• Page 424

Figure 314 L2TP to ZyWALL Properties > Security 13 Select the Use pre-shared key for authentication check box and enter the pre-shared key used in the VPN gateway configuration that the ZyWALL is using for L2TP VPN. Click OK. Figure 315 L2TP to ZyWALL Properti[...]

• Page 425

Figure 317 Connect L2TP to ZyWALL 16 A window appears while the user name and password are verified. 17 A ZyWALL-L2TP icon displays in your system tray. Double-click it to open a status screen. Figure 318 ZyWALL-L2TP System Tray Icon 18 Click Details to see the address[...]

• Page 426

1 Click Start > Run. Type regedit and click OK. Figure 320 Starting the Registry Editor 2 Click Registry > Export Registry File and save a backup copy of your registry. You can go back to using this backup if you misconfigure the registry settings. 3 Sele[...]

• Page 427

Figure 323 ProhibitIpSec DWORD Value 6 Restart the computer and continue with the next section. 26.6.2.2 Configure the Windows 2000 IPSec Policy After you have created the registry entry and restarted the computer, use these directions to configure an IPSec policy for[...]

• Page 428

Figure 326 Add > IP Security Policy Management > Finish 4 Right-click IP Security Policies on Local Machine and click Create IP Security Policy. Click Next in the welcome screen. Figure 327 Create IP Security Policy 5 Name the IP security policy L2TP to ZyWALL, [...]

• Page 429

Figure 328 IP Security Policy: Name 6 Clear the Activate the default response rule check box and click Next. Figure 329 IP Security Policy: Request for Secure Communication 7 Leave the Edit Properties check box selected and click Finish. Figure 330 IP Security Policy: Compl[...]

• Page 430

8 In the properties dialog box, click Add > Next. Figure 331 IP Security Policy Properties > Add 9 Select This rule does not specify a tunnel and click Next. Figure 332 IP Security Policy Properties: Tunnel Endpoint 10 Select All network connections and click [...]

• Page 431

Figure 333 IP Security Policy Properties: Network Type 11 Select Use this string to protect the key exchange (preshared key), type password in the text box, and click Next. Figure 334 IP Security Policy Properties: Authentication Method 12 Click Add.[...]

• Page 432

Figure 335 IP Security Policy Properties: IP Filter List 13 Type ZyWALL WAN_IP in the Name field. Clear the Use Add Wizard check box and click Add. Figure 336 IP Security Policy Properties: IP Filter List > Add 14 Configure the following in the Addressing tab. [...]

• Page 433

Figure 337 Filter Properties: Addressing 15 Configure the following in the Filter Properties window's Protocol tab. Set the protocol type to UDP from port 1701. Select To any port. Click Apply, OK, and then Close. Figure 338 Filter Properties: Protocol 16 Select [...]

• Page 434

Figure 339 IP Security Policy Properties: IP Filter List 17 Select Require Security and click Next. Then click Finish and Close. Figure 340 IP Security Policy Properties: IP Filter List 18 In the Console window, right-click L2TP to ZyWALL and select Assign. Figure[...]

• Page 435

26.6.2.3 Configure the Windows 2000 Network Connection After you have configured the IPSec policy, use these directions to create a network connection. 1 Click Start > Settings > Network and Dial-up connections > Make New Connection. In the wizard welcome screen,[...]

• Page 436

Figure 344 New Connection Wizard: Destination Address 4 Select For all users and click Next. Figure 345 New Connection Wizard: Connection Availability 5 Name the connection L2TP to ZyWALL and click Finish. Figure 346 New Connection Wizard: Naming the Connection 172.1[...]

• Page 437

6 Click Properties. Figure 347 Connect L2TP to ZyWALL 7 Click Security and select Advanced (custom settings) and click Settings. Figure 348 Connect L2TP to ZyWALL: Security 8 Select Optional encryption allowed (connect even if no encryption) and the Allow these protoco[...]

• Page 438

Figure 349 Connect L2TP to ZyWALL: Security > Advanced 9 Click Networking and select Layer 2 Tunneling Protocol (L2TP) from the drop-down list box. Click OK. Figure 350 Connect L2TP to ZyWALL: Networking 10 Enter your user name and password and click Connect. It [...]

• Page 439

Figure 351 Connect L2TP to ZyWALL 11 A ZyWALL-L2TP icon displays in your system tray. Double-click it to open a status screen. Figure 352 ZyWALL-L2TP System Tray Icon 12 Click Details and scroll down to see the address that you received is from the L2TP range you specifi[...]

  • Página 440

    Chapter 26 L2T P VPN E xam p le ZyWALL USG 100/200 Series User’s Guide 440[...]

  • Página 441

    441 P ART V Application Patrol Application Patrol (443)[...]

  • Página 442

    442[...]

  • Página 443

CHAPTER 27 Application Patrol 27.1 Overview Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, http and ftp) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP), and streaming (RSTP)[...]

Page 444
27.1.2 What You Need to Know About Application Patrol Note: The ZyWALL checks firewall rules before it checks application patrol rules for traffic going through the ZyWALL. If you want to use a service, make sure both the firewall and application patrol allow the ser[...]

Page 445
The application patrol bandwidth management is more flexible and powerful than the bandwidth management in policy routes. Application patrol controls TCP and UDP traffic. Use policy routes to manage other types of traffic (like ICMP). Note: Bandwidth management in poli[...]

Page 446
• Inbound traffic is limited to 500 kbps. The connection initiator is on LAN1 so inbound means the traffic traveling from the WAN to the LAN1. Figure 355 LAN1 to WAN, Outbound 200 kbps, Inbound 500 kbps Bandwidth Management Priority • The ZyWALL gives bandwidth [...]

Page 447
Figure 356 Bandwidth Management Behavior Configured Rate Effect In the following table the configured rates total less than the available bandwidth and maximize bandwidth usage is disabled, both servers get their configured rate. Priority Effect Here the configured rates [...]

Page 448
Priority and Over Allotment of Bandwidth Effect Server A has a configured rate that equals the total amount of available bandwidth and a higher priority. You should regard extreme over allotment of traffic with different priorities (as shown here) as a configuration [...]

Page 449
Figure 357 Application Patrol Bandwidth Management Example 27.1.3.1 Setting the Interface’s Bandwidth Use the interface screens to set the WAN zone interface’s upstream bandwidth to be equal to (or slightly less than) what the connected device can support. Th[...]

Page 450
Figure 358 SIP Any to WAN Bandwidth Management Example 27.1.3.3 SIP WAN to Any Bandwidth Management Example You also create a policy for calls coming in from the SIP server on the WAN. It is the same as the SIP Any to WAN policy, but with the directions reversed [...]

Page 451
Figure 360 FTP WAN to DMZ Bandwidth Management Example 27.1.3.6 FTP LAN to DMZ Bandwidth Management Example • The LAN and DMZ zone interfaces are connected to Ethernet networks (not an ADSL device) so you limit both outbound and inbound traffic to 50 Mbps. • Fourth[...]

Page 452
Note: You must register for the IDP/AppPatrol signature service (at least the trial) before you can use it. See Chapter 8 on page 185 for how to register. Click AppPatrol to open the following screen. Figure 362 AppPatrol > General The following table describes t[...]

Page 453
27.3 Application Patrol Applications Use the application patrol Common, Instant Messenger, Peer to Peer, VoIP, or Streaming screen to manage traffic of individual applications. Use the Common screen (shown here as an example) to manage traffic of the most com[...]

Page 454
27.3.1 The Application Patrol Edit Screen Use this screen to edit the settings for an application. To access this screen, go to the application patrol Common, Instant Messenger, Peer to Peer, VoIP, or Streaming screen and click an application’s Edit [...]

Page 455
Service Port This is available if the Classification is Service Ports. You can view and edit the ports used to identify this application. Add icon When the Classification is Service Ports, this column provides icons to add and remove port numbers used to identify the ap[...]

Page 456
27.3.2 The Application Patrol Policy Edit Screen The Application Policy Edit screen allows you to edit a group of settings for an application. To access this screen, go to the application patrol Common, Instant Messenger, Peer to Peer, VoIP, or Streaming sc[...]

Page 457
Schedule Select a schedule that defines when the policy applies or select Create Object to configure a new one (see Chapter 38 on page 619 for details). Otherwise, select none to make the policy always effective. User Select a user name or user group to which to apply th[...]

Page 458
27.4 The Other Applications Screen Sometimes, the ZyWALL cannot identify the application. For example, the application might be a new application, or the packets might arrive out of sequence. (The ZyWALL does not reorder packets when identifying the application.) Th[...]

Page 459
Figure 366 AppPatrol > Other The following table describes the labels in this screen. See Section 27.4.1 on page 460 for more information as well. Table 141 AppPatrol > Other LABEL DESCRIPTION Policy This table lists the policies configured for traffic which does no[...]

Page 460
27.4.1 The Other Applications Add/Edit Screen The Other Configuration Add/Edit screen allows you to create a new condition or edit an existing one. To access this screen, go to the Other Protocol screen (see Section 27.4 on page 458), and click either the Add icon o[...]

Page 461
Figure 367 AppPatrol > Other > Edit The following table describes the labels in this screen. Table 142 AppPatrol > Other > Edit LABEL DESCRIPTION Enable Select this check box to turn on this policy. Port Use this field to specify a specific port number to whi[...]

Page 462
27.5 Application Patrol Statistics This screen displays a bandwidth usage graph and statistics for selected protocols. Click AppPatrol > Statistics to open the following screen. 27.5.1 Application Patrol Statistics: General Setup Use the top of the AppPatrol &g[...]

Page 463
Figure 368 AppPatrol > Statistics: General Setup The following table describes the labels in this screen. 27.5.2 Application Patrol Statistics: Bandwidth Statistics The middle of the AppPatrol > Statistics screen displays a bandwidth usage line graph for the sel[...]

Page 464
• Different colors represent different protocols. 27.5.3 Application Patrol Statistics: Protocol Statistics The bottom of the AppPatrol > Statistics screen displays statistics for each of the selected protocols. Figure 370 AppPatrol > Statistics: Protocol S[...]

Page 465
Inbound Kbps This is the incoming bandwidth usage for traffic that matched this protocol rule, in kilobits per second. This is the protocol’s traffic that the ZyWALL sends to the initiator of the connection. So for a connection initiated from the LAN to the WAN, the t[...]

Page 467
PART VI Anti-X: Anti-Virus (469) IDP (483) ADP (513) Content Filtering (531) Content Filter Reports (551) Anti-Spam (559)[...]

Page 469
CHAPTER 28 Anti-Virus 28.1 Overview Use the ZyWALL’s anti-virus feature to protect your connected network from virus/spyware infection. The ZyWALL checks traffic going in the direction(s) you specify for signature matches. In the following figure the ZyWALL is set to check traffic coming from t[...]

Page 470
28.1.2 What You Need to Know About Anti-Virus Anti-Virus Engines Subscribe to signature files for ZyXEL’s anti-virus engine or one powered by Kaspersky. When using the trial, you can switch from one engine to the other in the Registration screen. After the trial expires, [...]

Page 471
Note: Since the ZyWALL erases the infected portion of the file before sending it, you may not be able to open the file. Notes About the ZyWALL Anti-Virus The following lists important notes about the anti-virus scanner: 1 The ZyWALL anti-virus scanner can detect polymorphi[...]

Page 472
Figure 372 Anti-X > Anti-Virus > General The following table describes the labels in this screen. Table 145 Anti-X > Anti-Virus > General LABEL DESCRIPTION General Settings Click Advanced to display more settings. Click Basic to display fewer settings. Enable Anti-[...]

Page 473
28.2.1 Anti-Virus Policy Add or Edit Screen Click the Add or Edit icon in the Anti-X > Anti-Virus > General screen to display the configuration screen as shown next. Add icon Click the Add icon in the heading row to add a new first entry. The Active displays whether th[...]

Page 474
Figure 373 Anti-X > Anti-Virus > General > Add The following table describes the labels in this screen. Table 146 Anti-X > Anti-Virus > General > Add LABEL DESCRIPTION Enable Select this check box to have the ZyWALL apply this anti-virus policy to check tra[...]

Page 475
28.3 Anti-Virus Black List Click Anti-X > Anti-Virus > Black/White List to display the screen shown next. Use the Black List screen to set up the Anti-Virus black (blocked) list of virus file patterns. Log These are the log options: no: Do not create a log when a packet[...]

Page 476
Figure 374 Anti-X > Anti-Virus > Black/White List > Black List The following table describes the labels in this screen. 28.4 Anti-Virus Black List or White List Add/Edit From the Anti-X > Anti-Virus > Black/White List > Black List (or White List) screen, click[...]

Page 477
Figure 375 Anti-X > Anti-Virus > Black/White List > Black List (or White List) > Add The following table describes the labels in this screen. 28.5 Anti-Virus White List Click Anti-X > Anti-Virus > Black/White List > White List to display the screen shown n[...]

Page 478
Figure 376 Anti-X > Anti-Virus > Black/White List > White List The following table describes the labels in this screen. 28.6 Signature Searching Click Anti-X > Anti-Virus > Signature to display this screen. Use this screen to locate signatures and display details [...]

Page 479
Figure 377 Anti-X > Anti-Virus > Signature: Search by Severity The following table describes the labels in this screen. Table 150 Anti-X > Anti-Virus > Signature LABEL DESCRIPTION Signatures Search Select the criteria on which to perform the search. Select By Name[...]

Page 480
28.7 Anti-Virus Technical Reference Types of Computer Viruses The following table describes some of the common computer viruses. Computer Virus Infection and Prevention The following describes a simple life cycle of a computer virus. 1 A computer gets a copy of a virus from a [...]

Page 481
• HAV scanners are slow in stopping virus threats through real-time traffic (such as from the Internet). • HAV scanners may reduce computing performance as they also share the resources (such as CPU time) on the computer for file inspection. • You have to update the v[...]

Page 483
CHAPTER 29 IDP 29.1 Overview This chapter introduces packet inspection IDP (Intrusion, Detection and Prevention), IDP profiles, binding an IDP profile to a traffic flow, custom signatures and updating signatures. An IDP system can detect malicious or suspicious packets and respond instantaneously. [...]

Page 484
Note: You can only apply one IDP profile to one traffic flow. Base IDP Profiles Base IDP profiles are templates that you use to create new IDP profiles. The ZyWALL comes with several base profiles. See Table 154 on page 488 for details on base profiles. IDP Policies An IDP policy refe[...]

Page 485
Figure 378 Anti-X > IDP > General The following table describes the labels in this screen. Table 152 Anti-X > IDP > General LABEL DESCRIPTION General Setup Enable Signature Detection You must register for IDP service in order to use packet inspection signatures. If you d[...]

Page 486
29.2.1 Configuring IDP Policies Click Anti-X > IDP > General and then an Add or Edit icon to display the following screen. Use this screen to apply an IDP profile to traffic flowing from one zone to another. (Icons) Click the Add icon in the heading row to add a new first entry.[...]

Page 487
Figure 379 Anti-X > IDP > General > Add The following table describes the labels in this screen. 29.3 Introducing IDP Profiles An IDP profile is a set of packet inspection signatures. Packet inspection signatures examine packet content for malicious data. Packet inspection app[...]

Page 488
Figure 380 Base Profiles The following table describes this screen. 29.4 The Profile Summary Screen Select Anti-X > IDP > Profile. Use this screen to: • Add a new profile • Edit an existing profile • Delete an existing profile Table 154 Base Profiles BASE PROFILE DESCRIPTIO[...]

Page 489
Figure 381 Anti-X > IDP > Profile The following table describes the fields in this screen. 29.5 Creating New Profiles You may want to create a new profile if not all signatures in a base profile are applicable to your network. In this case you should disable non-applicable signat[...]

Page 490
3 Type a new profile name 4 Enable or disable individual signatures. 5 Edit the default log options and actions. 29.6 Profiles: Packet Inspection Select Anti-X > IDP > Profile and then add a new or edit an existing profile select. Packet inspection signatures examine the conten[...]

Page 491
Figure 382 Anti-X > IDP > Profile > Edit: Group View[...]

Page 492
The following table describes the fields in this screen. Table 156 Anti-X > IDP > Profile > Group View LABEL DESCRIPTION Name This is the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a numbe[...]

Page 493
29.6.2 Policy Types This section describes IDP policy types, also known as attack types, as categorized in the ZyWALL. You may refer to these types when categorizing your own custom rules. Action Select what action the ZyWALL should take when a packet matches a signature here. ori[...]

Page 494
29.6.3 IDP Service Groups An IDP service group is a set of related packet inspection signatures. DoS/DDoS The goal of Denial of Service (DoS) attacks is not to steal information, but to disable a device or network on the Internet. A distributed denial-of-service (DDoS) attack is one i[...]

Page 495
The following figure shows the WEB_PHP service group that contains signatures related to attacks on web servers using PHP exploits. PHP (PHP: Hypertext Preprocessor) is a server-side HTML embedded scripting language that allows web developers to build dynamic websites. Logs and actio[...]

Page 496
Figure 384 Anti-X > IDP > Profile: Query View The following table describes the fields in this screen. Table 159 Anti-X > IDP > Profile: Query View LABEL DESCRIPTION Name This is the name of the profile that you created in the IDP > Profiles > Group View screen. Switc[...]

Page 497
29.6.5 Query Example This example shows a search with these criteria: • Severity: severe and high • Attack Type: DDoS • Platform: Windows 2000 and Windows XP computers • Service: Any • Actions: Any Figure 385 Query Example Search Criteria Search Click this button t[...]

Page 498
Figure 386 Query Example Search Results 29.7 Introducing IDP Custom Signatures Create custom signatures for new attacks or attacks peculiar to your network. Custom signatures can also be saved to/from your computer so as to share with others. You need some knowledge of packet headers a[...]

Page 499
Figure 387 IPv4 Packet Headers The header fields are discussed below: Table 160 IPv4 Packet Headers HEADER DESCRIPTION Version The value 4 indicates IP version 4. IHL IP Header Length is the number of 32 bit words forming the total length of the header (usually five). Type of Ser[...]

Page 500
29.8 Configuring Custom Signatures Select Anti-X > IDP > Custom Signatures. The first screen shows a summary of all custom signatures created. Click the SID or Name heading to sort. Click the Add icon to create a new signature or click the Edit icon to edit an existing signature. Y[...]

Page 501
The following table describes the fields in this screen. 29.8.1 Creating or Editing a Custom Signature Click the Add icon to create a new signature or click the Edit icon to edit an existing signature in the screen as shown in Figure 388 on page 500. A packet must match all items you co[...]

Page 502
Figure 389 Anti-X > IDP > Custom Signatures > Add/Edit[...]

Page 503
The following table describes the fields in this screen. Table 162 Anti-X > IDP > Custom Signatures > Add/Edit LABEL DESCRIPTION Name Type the name of your custom signature. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character ca[...]

Page 504
IP Options IP options is a variable-length list of IP options for a datagram that define IP Security Option, IP Stream Identifier, (security and handling restrictions for the military), Record Route (have each router record its IP address), Loose Source Routing (specifies a list of IP[...]

Page 505
29.8.2 Custom Signature Example Before creating a custom signature, you must first clearly understand the vulnerability. 29.8.2.1 Understand the Vulnerability Check the ZyWALL logs when the attack occurs. Use web sites such as Google or Security Focus to get as much information abo[...]

Page 506
29.8.2.2 Analyze Packets Then use a packet sniffer such as TCPdump or Ethereal to investigate some more. From the NetBIOS header you see that the first byte ‘00’ defines the message type. The next three bytes represent the length of data, so you can ignore it. Therefore enter |00| [...]

Page 507
Figure 393 Example Custom Signature[...]

Page 508
29.8.3 Applying Custom Signatures After you create your custom signature, it becomes available in the IDP service group category in the IDP > Profile > Packet Inspection screen. Custom signatures have an SID from 9000000 to 9999999. You can activate the signature, configure what[...]

Page 509
Figure 395 Custom Signature Log 29.9 IDP Technical Reference This section contains some background information on IDP. Host Intrusions The goal of host-based intrusions is to infiltrate files on an individual computer or server with the goal of accessing confidential information or[...]

Page 510
The rule header contains the rule's: • Action • Protocol • Source and destination IP addresses and netmasks • Source and destination ports information. The rule option section contains alert messages and information on which parts of the packet should be inspected to de[...]

Page 511
Note: Not all Snort functionality is supported in the ZyWALL.[...]

Page 513
CHAPTER 30 ADP 30.1 Overview This chapter introduces ADP (Anomaly Detection and Prevention), anomaly profiles and applying an ADP profile to a traffic direction. ADP protects against anomalies based on violations of protocol standards (RFCs – Requests for Comments) and abnormal flows such as p[...]

Page 514
ADP Profile An ADP profile is a set of traffic anomaly rules and protocol anomaly rules that you can activate as a set and configure common log and action settings. You can apply ADP profiles to traffic flowing from one zone to another. Base ADP Profiles Base ADP profiles are template[...]

Page 515
The following table describes the labels in this screen. 30.2.1 Configuring ADP Policies Click Anti-X > ADP > General and then an Add or Edit icon to display the following screen. Use this screen to apply an ADP profile to a traffic direction. Figure 397 Anti-X > ADP > Gene[...]

Page 516
The following table describes the labels in this screen. 30.3 The Profile Summary Screen Use this screen to: • Create a new profile using an existing base profile • Edit an existing profile • Delete an existing profile 30.3.1 Base Profiles The ZyWALL comes with base profiles. Y[...]

Page 517
These are the default base profiles at the time of writing. 30.3.2 Configuring The ADP Profile Summary Screen Select Anti-X > ADP > Profile. Figure 399 Anti-X > ADP > Profile The following table describes the fields in this screen. 30.3.3 Creating New ADP Profiles You may [...]

Page 518
ADP profiles consist of traffic anomaly profiles and protocol anomaly profiles. To create a new profile, select a base profile (see Table 166 on page 517) and then click OK to go to the profile details screen. Type a new profile name, enable or disable individual rules and then edit [...]

Page 519
Figure 400 Profiles: Traffic Anomaly[...]

Page 520
The following table describes the fields in this screen. 30.3.5 Protocol Anomaly Profiles Protocol anomaly is the third screen in an ADP profile. Protocol anomaly (PA) rules check for protocol compliance against the relevant RFC (Request for Comments). Protocol anomaly detection inclu[...]

Page 521
Protocol anomaly rules may be updated when you upload new firmware. 30.3.6 Protocol Anomaly Configuration In the Anti-X > ADP > Profile screen, click the Edit icon or click the Add icon and choose a base profile, then select the Protocol Anomaly tab. If you made changes to other[...]

Page 522
Figure 401 Profiles: Protocol Anomaly[...]

Page 523
The following table describes the fields in this screen. 30.4 Technical Reference This section is divided into traffic anomaly background information and protocol anomaly background information. Traffic Anomaly Background Information The following sections may help you configure the[...]

Page 524
Many connection attempts to different ports (services) may indicate a port scan. These are some port scan types: • TCP Portscan • UDP Portscan • IP Portscan An IP port scan searches not only for TCP, UDP and ICMP protocols in use by the remote computer, but also additional IP[...]

Page 525
Flood Detection Flood attacks saturate a network with useless data, use up all available bandwidth, and therefore make communications in the network impossible. ICMP Flood Attack An ICMP flood is broadcasting many pings or UDP packets so that so much data is sent to the system, that it[...]

Page 526
Figure 403 TCP Three-Way Handshake A SYN flood attack is when an attacker sends a series of SYN packets. Each packet causes the receiver to reply with a SYN-ACK response. The receiver then waits for the ACK that follows the SYN-ACK, and stores all outstanding SYN-ACK responses on a b[...]

Page 527
Protocol Anomaly Background Information The following sections may help you configure the protocol anomaly profile screen (see Section 30.3.5 on page 520) HTTP Inspection and TCP/UDP/ICMP Decoders The following table gives some information on the HTTP inspection, TCP decoder, UDP [...]

Page 528
OVERSIZE-CHUNK-ENCODING ATTACK This rule is an anomaly detector for abnormally large chunk sizes. This picks up the apache chunk encoding exploits and may also be triggered on HTTP tunneling that uses chunk encoding. OVERSIZE-REQUEST-URI-DIRECTORY ATTACK This rule takes a non[...]

Page 529
TRUNCATED-HEADER ATTACK This is when a UDP packet is sent which has a UDP datagram length of less than the UDP header length. This may cause some applications to crash. UNDERSIZE-LEN ATTACK This is when a UDP packet is sent which has a UDP length field of less than 8 bytes. This may ca[...]

Page 531
    ZyWALL USG 100/200 Series User’s Gu ide 531 C HAPTER 31 Content Filtering 31.1 Overview Use the content filtering feature to control a ccess to specific web sites or web content. 31.1.1 What Y ou Can Do in the Content Filter Screens • Use the Ge neral screens ( Section 31.2 on page 533 ) to configure global content filtering settings, configure[...]

  • Página 532

    Chapter 31 Content Filtering ZyWALL USG 100/200 Series User’s Guide 532 The ZyW ALL can disabl e web proxies and bloc k web features such as ActiveX controls, Java applets and cookies. • Customize W eb Site Acce ss Y ou can specify URLs to which the ZyW ALL bloc ks access. Y ou can alternatively b lock access to all URLs except ones that you sp[...]

  • Página 533

    Chapter 31 Co n te nt F ilt ering ZyWALL USG 100/200 Series User’s Gu ide 533 31.2 Content Filter General Screen Click Anti-X > Content Filter > General to open the Content Filter General scre en. Use this screen to enable content filtering, view and order your list of content filter policies, create a denial of access message or sp ecify a[...]

  • Página 534

    Chapter 31 Content Filtering ZyWALL USG 100/200 Series User’s Guide 534 Filter Profile This column displays the name of the content filter prof ile that each content filter policy uses. The content fil ter profile defines to which web services, web sites or web site categories access is to be allowed or denied. Add Click the Add icon at the top o[...]

  • Página 535

    Chapter 31 Co n te nt F ilt ering ZyWALL USG 100/200 Series User’s Gu ide 535 31.3 Content Filter Policy Add or Edit Screen Click Anti-X > Content Filter > General > Add or Edit to open the Content Filter Policy screen. Use this screen to configure a content filter policy . A content filter policy defines which content filter profile sho[...]

  • Página 536

    Chapter 31 Content Filtering ZyWALL USG 100/200 Series User’s Guide 536 31.4 Content Filter Profile Screen Click Anti-X > Content Filter > Filter Pr ofile to open the Filter Profile screen. A content filter profile defines to which web services, web s ites or web site categories access is to be allowed or denied. Figure 407 Anti-X > Cont[...]

  • Página 537

    Chapter 31 Co n te nt F ilt ering ZyWALL USG 100/200 Series User’s Gu ide 537 1 Log into myZyXEL.com and click y our d evice’ s link to open it’ s Service Management screen. 2 Click Content Filter in the Service Name field to open th e Blue Coat login screen. 3 Enter your ZyXEL device's MAC address (in lower case) in the Name field. Y ou[...]

  • Page 538

    Unrated Web Pages Select Block to prevent users from accessing web pages that the external web filtering service has not categorized. When the external database content filtering blocks access to a web page, it displays the denied access message that you configured in the[...]

  • Page 539

    Alcohol/Tobacco Selecting this category excludes pages that promote or offer the sale of alcohol/tobacco products, or provide the means to create them. It also includes pages that glorify, tout, or otherwise encourage the consumption of alcohol/tobacco. It does not incl[...]

  • Page 540

    Alternative Spirituality/Occult Selecting this category excludes pages that promote and provide information on religions such as Wicca, Witchcraft or Satanism. Occult practices, atheistic views, voodoo rituals or any other form of mysticism are represented here. Includ[...]

  • Page 541

    Computers/Internet Selecting this category excludes pages that sponsor or provide information on computers, technology, the Internet and technology-related organizations and companies. Search Engines/Portals Selecting this category excludes pages that support searc[...]

  • Page 542

    Religion Selecting this category excludes pages that promote and provide information on conventional or unconventional religious or quasi-religious subjects, as well as churches, synagogues, or other houses of worship. It does not include pages containing alternative reli[...]

  • Page 543

    31.6 Content Filter Customization Screen Click Anti-X > Content Filter > Filter Profile > Add or Edit > Customization to open the Customization screen. You can create a list of good (allowed) web site addresses and a list of bad (blocked) web site address[...]

  • Page 544

    Figure 409 Anti-X > Content Filter > Filter Profile > Customization The following table describes the labels in this screen. Table 175 Anti-X > Content Filter > Filter Profile > Customization LABEL DESCRIPTION Name Enter a descriptive name for this conte[...]

  • Page 545

    Java Java is a programming language and development environment for building downloadable Web components or Internet and intranet business applications of all kinds. Cookies Cookies are files stored on a computer’s hard drive. Some web servers use them to track us[...]

  • Page 546

    31.7 Content Filter Cache Screen Click Anti-X > Content Filter > Cache to display the Content Filter Cache screen. Use this screen to view and configure your ZyWALL’s URL caching. You can also configure how long a categorized web site address remains in the cach[...]

  • Page 547

    Figure 410 Anti-X > Content Filter > Cache The following table describes the labels in this screen. Table 176 Anti-X > Content Filter > Cache LABEL DESCRIPTION URL Cache Entry Flush Click this button to clear all web site addresses from the cache manu[...]

  • Page 548

    31.8 Content Filter Technical Reference This section provides content filtering background information. External Content Filter Server Lookup Procedure The content filter lookup process is described below. Figure 411 Content Filter Lookup Procedure 1 A computer behind th[...]

  • Page 549

    3 Use the Content Filter Cache screen to configure how long a web site address remains in the cache as well as view those web site addresses (see Section 31.7 on page 546). All of the web site address records are also cleared from the local cache when the ZyWALL re[...]

  • Page 550

    550[...]

  • Page 551

    CHAPTER 32 Content Filter Reports 32.1 Overview You can view content filtering reports after you have activated the category-based content filtering subscription service. See Chapter 8 on page 185 on how to create a myZyXEL.com account, register your device and activate the subscription services. 32.[...]

  • Page 552

    3 A welcome screen displays. Click your ZyWALL’s model name and/or MAC address under Registered ZyXEL Products. You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 414 on page 552). Figure 413 [...]

  • Page 553

    5 Enter your ZyXEL device's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 414 on page 552). Type your myZyXEL.com account password in the Password field. 6 Click Submit. Figure 415 Blue [...]

  • Page 554

    Figure 417 Blue Coat: Report Home 9 Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report. The screens vary according to[...]

  • Page 555

    Figure 418 Global Report Screen Example 11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.[...]

  • Page 556

    Figure 419 Requested URLs Example 32.3 Web Site Submission You may find that a web site has not been accurately categorized or that a web site’s contents have changed and the content filtering category needs to be updated. Use the following procedure to submit t[...]

  • Page 557

    Figure 420 Web Page Review Process Screen 3 Type the web site’s URL in the field and click Submit to have the web site reviewed.[...]

  • Page 558

    558[...]

  • Page 559

    CHAPTER 33 Anti-Spam 33.1 Overview The anti-spam feature can mark or discard spam (unsolicited commercial or junk e-mail). Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail. The ZyWALL can also check e-mail against a DNS black list (DNSBL) of IP addresses [...]

  • Page 560

    matches a black list entry as spam and immediately takes the configured action for dealing with spam. If an e-mail matches a blacklist entry, the ZyWALL does not perform any more anti-spam checking on that individual e-mail. A properly configured black list helps catch spam e-[...]

  • Page 561

    Figure 421 DNSBL Example 1 The ZyWALL checks the e-mail’s header for sender or relay IP addresses and sends them to all of the DNSBL domains configured in the ZyWALL. 2 The DNSBL servers reply as to whether or not the IP addresses match an entry in their list. In this exampl[...]

  • Page 562

    Figure 422 Anti-X > Anti-Spam > General The following table describes the labels in this screen. Table 177 Anti-X > Anti-Spam > General LABEL DESCRIPTION General Settings Click Advanced to display more settings. Click Basic to display fewer settings. Enable Anti-S[...]

  • Page 563

    33.3.1 The Anti-Spam Policy Add or Edit Screen Click the Add or Edit icon in the Anti-X > Anti-Spam > General screen to display the configuration screen as shown next. Use this screen to configure an anti-spam policy that controls what traffic direction of e-mail to check,[...]

  • Page 564

    The following table describes the labels in this screen. 33.4 The Anti-Spam Black List Screen Click Anti-X > Anti-Spam > Black / White List to display the Anti-Spam Black List screen. Configure the black list to identify spam e-mail. You can create black list entries bas[...]

  • Page 565

    Figure 424 Anti-X > Anti-Spam > Black/White List > Black List The following table describes the labels in this screen. 33.4.1 The Anti-Spam Black or White List Add/Edit Screen In the anti-spam Black List or White List screen, click the Add icon or an Edit icon to display[...]

  • Page 566

    Use this screen to configure an anti-spam black list entry to identify spam e-mail. You can create entries based on specific subject text, or the sender’s or relay’s IP address or e-mail address. You can also create entries that check for particular header fields and [...]

  • Page 567

    33.4.2 Regular Expressions in Black or White List Entries The following applies for a black or white list entry based on an e-mail subject, e-mail address, or e-mail header value. • Use a question mark (?) to let a single character vary. For example, use “a?c” (without th[...]

  • Page 568

    33.6 The DNSBL Screen Click Anti-X > Anti-Spam > DNSBL to display the anti-spam DNSBL screen. Use this screen to configure the ZyWALL to check the sender and relay IP addresses in e-mail headers against DNS (Domain Name Service)-based spam Black Lists (DNSBLs). Total [...]

  • Page 569

    Figure 427 Anti-X > Anti-Spam > DNSBL The following table describes the labels in this screen. Table 182 Anti-X > Anti-Spam > DNSBL LABEL DESCRIPTION Enable DNS Black List (DNSBL) Checking Select this to have the ZyWALL check the sender and relay IP addresses in e-[...]

  • Page 570

    33.6.1 The DNSBL Add/Edit Screen Click the Add or Edit icon in the Anti-X > Anti-Spam > DNSBL screen to display the configuration screen as shown next. Use this screen to specify a DNSBL (spam IP address blacklist). You need to enter the name of a domain that maintains [...]

  • Page 571

    The following table describes the labels in this screen. 33.7 The Anti-Spam Status Screen Click Anti-X > Anti-Spam > Status to display the Anti-Spam Status screen. Use the Anti-Spam Status screen to see how many e-mail sessions the anti-spam feature is scanning and st[...]

  • Page 572

    Avg. Response Time (sec) This is the average for how long it takes to receive a reply from this DNSBL. No Response This is how many DNS queries the ZyWALL sent to this DNSBL without receiving a reply. Table 184 Anti-X > Anti-Spam > Status (continued) LABEL DESCRIPTI[...]

  • Page 573

    573 PART VII Device HA Device HA (575)[...]

  • Page 574

    574[...]

  • Page 575

    CHAPTER 34 Device HA 34.1 Overview Device HA lets a backup ZyWALL (B) automatically take over if a master ZyWALL (A) fails. Figure 430 Device HA Backup Taking Over for the Master 34.1.1 What You Can Do in the Device HA Screens • Use the General screen (Section 34.2 on page 576) to configur[...]

  • Page 576

    Management Access You can configure a separate management IP address for each interface. You can use it to access the ZyWALL for management whether the ZyWALL is the master or a backup. The management IP address should be in the same subnet as the interface IP address. Synchron[...]

  • Page 577

    Figure 431 Device HA > General The following table describes the labels in this screen. Table 185 Device HA > General LABEL DESCRIPTION Enable Device HA Turn the ZyWALL’s device HA feature on or off. Device HA Mode This displays whether the ZyWALL is currently set [...]

  • Page 578

    34.3 The Active-Passive Mode Screen Virtual Router The master and backup ZyWALL form a single ‘virtual router’. In the following example, master ZyWALL A and backup ZyWALL B form a virtual router. Figure 432 Virtual Router Cluster ID You can have multiple ZyWALL virtual[...]

  • Page 579

    Enable monitoring for the same interfaces on the master and backup ZyWALLs. Each monitored interface must have a static IP address and be connected to the same subnet as the corresponding interface on the backup or master ZyWALL. Virtual Router and Management IP Addresses •[...]

  • Page 580

    Figure 435 Device HA > Active-Passive Mode The following table describes the labels in this screen. See Section 34.4 on page 582 for more information as well. Table 186 Device HA > Active-Passive Mode LABEL DESCRIPTION Device Role Select the device HA role that the ZyWALL p[...]

  • Page 581

    Authentication Select the authentication method the virtual router uses. Every interface in a virtual router must use the same authentication method and password. Choices are: None - this virtual router does not use any authentication method. Text - this virtual router uses a[...]

  • Page 582

    34.4 Configuring an Active-Passive Mode Monitored Interface The Device HA Active-Passive Mode Monitored Interface Edit screen lets you enable or disable monitoring of an interface and set the interface’s management IP address and subnet mask. To access this screen, click Devic[...]

  • Page 583

    34.5 The Legacy Mode Screen Virtual Router Redundancy Protocol (VRRP) Legacy mode device HA uses Virtual Router Redundancy Protocol (VRRP) to create redundant backup gateways to ensure that a default gateway is always available. The ZyWALL uses a custom VRRP implementation an[...]

  • Page 584

    Figure 437 Device HA > Legacy Mode The following table describes the labels in this screen. See Table 189 on page 586 for more information as well. Table 188 Device HA > Legacy Mode LABEL DESCRIPTION Link Monitoring Enable link monitoring to have the master ZyWALL shut down [...]

  • Page 585

    34.7 The Legacy Mode Add/Edit Screen Use the VRRP Group Add/Edit screen to add or edit VRRP groups. • You can only use interfaces that have static IP addresses. In addition, you should set the static IP address to the IP address of the virtual router. • You can only enabl[...]

  • Page 586

    Figure 438 Device HA > Legacy Mode > Add The following table describes the labels in this screen. Table 189 Device HA > Legacy Mode > Add LABEL DESCRIPTION Enable VRRP Group Select this to make the specified interface part of the virtual router. Clear this to take th[...]

  • Page 587

    34.8 Device HA Technical Reference Legacy Mode ZyWALL VRRP Application In VRRP, a virtual router represents a number of ZyWALLs associated with one IP address, the IP address of the default gateway. Each virtual router is identified by a unique 8-bit identification number cal[...]

  • Page 588

    Figure 439 Example: VRRP, Normal Operation The VR ID is not shown. In normal operation, ZyWALL A is the master. It has the same IP address as the default gateway and forwards traffic for the network. ZyWALL B is a backup. It is using its management IP address 192.168.10.112. ZyW[...]

  • Page 589

    • System protect signatures • Certificates (My Certificates, and Trusted Certificates) Synchronization does not change the device HA settings in the backup ZyWALL. Synchronization affects the entire device configuration. You can only configure one set of settings for sy[...]

  • Page 590

    590[...]

  • Page 591

    591 PART VIII Objects User/Group (593) Addresses (607) Services (613) Schedules (619) AAA Server (625) Authentication Method (635) Certificates (639) SSL Application (657)[...]

  • Page 592

    592[...]

  • Page 593

    CHAPTER 35 User/Group 35.1 Overview This chapter describes how to set up user accounts, user groups, and user settings for the ZyWALL. You can also set up rules that control when users have to log in to the ZyWALL before the ZyWALL routes traffic for them. 35.1.1 What You Can Do Using The User[...]

  • Page 594

    Note: The default admin account is always authenticated locally, regardless of the authentication method setting. (See Chapter 39 on page 625 for more information about authentication methods.) Ext-User Accounts Set up an Ext-User account if the user is authenticated by an e[...]

  • Page 595

    Note: You cannot put access users and admin users in the same user group. Note: You cannot put the default admin account into any user group. The sequence of members in a user group is not important. User Awareness By default, users do not have to log into the ZyWALL to use th[...]

  • Page 596

    Figure 441 Object > User/Group The following table describes the labels in this screen. 35.2.1 User Add/Edit Screen The User Add/Edit screen allows you to create a new user account or edit an existing one. 35.2.1.1 Rules for User Names Enter a user name from 1 to 31 characte[...]

  • Page 597

    To access this screen, go to the User screen (see Section 35.2 on page 595), and click either the Add icon or an Edit icon. Figure 442 User/Group > User > Edit The following table describes the labels in this screen. • operator • radius-users • root • shutdown • s[...]

  • Page 598

    35.3 User Group Summary Screen User groups consist of access users and other user groups. You cannot put admin users in user groups. The Group screen provides a summary of all user groups. In addition, this screen allows you to add, edit, and remove user groups. To acces[...]

  • Page 599

    Figure 444 User/Group > Group > Add The following table describes the labels in this screen. 35.4 Setting Screen The Setting screen controls default settings, login settings, lockout settings, and other user settings for the ZyWALL. You can also use this screen to specify[...]

  • Page 600

    Figure 445 Object > User/Group > Setting The following table describes the labels in this screen. Table 196 Object > User/Group > Setting LABEL DESCRIPTION User Default Setting User Type Select the default user type when you create a new user account. You can sti[...]

  • Page 601

    Maximum number per access account This field is effective when Limit ... for access account is checked. Type the maximum number of simultaneous logins by each access user. User Lockout Setting Enable logon retry limit Select this check box to set a limit on the number of time[...]

  • Page 602

    35.4.1 Force User Authentication Policy Add/Edit Screen Use this screen to specify a condition when users must log in or do not have to log in to the ZyWALL before their HTTP traffic can pass through the ZyWALL. Figure 446 Object > User/Group > Setting > Add/Edit So[...]

  • Page 603

    The following table describes the labels in this screen. 35.4.2 User Aware Login Example Access users cannot use the Web configurator to browse the configuration of the ZyWALL. Instead, when access users log in to the ZyWALL (forced in the screen as shown in Figure 445 on pa[...]

  • Page 604

    The following table describes the labels in this screen. 35.5 User/Group Technical Reference This section provides some information on users who use an external authentication server in order to log in. Setting up User Attributes in an External Server To set up user attribu[...]

  • Page 605

    Creating a Large Number of Ext-User Accounts If you plan to create a large number of Ext-User accounts, you might use CLI commands, instead of the web configurator, to create the accounts. Extract the user names from the LDAP or RADIUS server, and create a shell script that crea[...]

  • Page 606

    606[...]

  • Page 607

    CHAPTER 36 Addresses 36.1 Overview Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups. 36.1.1 What You Can Do Using The Addresses Screens • The Address screen (Section 36.2 on page 607) provides [...]

  • Page 608

    Figure 450 Object > Address > Address The following table describes the labels in this screen. See Section 36.2.1 on page 608 for more information as well. 36.2.1 Address Add/Edit Screen The Address Add/Edit screen allows you to create a new address or edit an existing one.[...]

  • Page 609

    The following table describes the labels in this screen. 36.3 Address Group Summary Screen The Address Group screen provides a summary of all address groups. To access this screen, click Object > Address > Address Group. Figure 452 Object > Address > Address Group T[...]

  • Page 610

    The following table describes the labels in this screen. See Section 36.3.1 on page 610 for more information as well. 36.3.1 Address Group Add/Edit Screen The Address Group Add/Edit screen allows you to create a new address group or edit an existing one. To access this screen, g[...]

  • Page 611

    Available This field displays the names of the address and address group objects that can be added to the address group. Select address and address group objects that you want to be members of this group and click the right arrow to add them to the member list. Member This field[...]

  • Page 612

    612[...]

  • Page 613

    CHAPTER 37 Services 37.1 Overview Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features. 37.1.1 What You Can Do in the Services Screens • Use the Service screens (Section 37[...]

  • Page 614

    Service Objects and Service Groups Use service objects to define IP protocols. • TCP applications • UDP applications • ICMP messages • user-defined services (for other types of IP protocols) These objects are used in policy routes, firewall rules, and IDP profiles. Use[...]

  • Page 615

    The following table describes the labels in this screen. 37.2.1 The Service Add/Edit Screen The Service Add/Edit screen allows you to create a new service or edit an existing one. To access this screen, go to the Service screen (see Section 37.2 on page 614), and click either the [...]

  • Page 616

    37.3 The Service Group Summary Screen The Service Group summary screen provides a summary of all service groups. In addition, this screen allows you to add, edit, and remove service groups. To access this screen, log in to the web configurator, and click Object > Service > S[...]

  • Page 617

    37.3.1 The Service Group Add/Edit Screen The Service Group Add/Edit screen allows you to create a new service group or edit an existing one. To access this screen, go to the Service Group screen (see Section 37.3 on page 616), and click either the Add icon or an Edit icon. Figure[...]

  • Page 618

    618[...]

  • Page 619

    CHAPTER 38 Schedules 38.1 Overview Use schedules to set up one-time and recurring schedules for policy routes, firewall rules, application patrol, and content filtering. The ZyWALL supports one-time and recurring schedules. One-time schedules are effective only once, while recurring schedules usua[...]

  • Page 620

    38.2 The Schedule Summary Screen The Schedule summary screen provides a summary of all schedules in the ZyWALL. To access this screen, click Object > Schedule. Figure 458 Object > Schedule The following table describes the labels in this screen. See Section 38.2.1 on pag[...]

  • Page 621

    38.2.1 The One-Time Schedule Add/Edit Screen The One-Time Schedule Add/Edit screen allows you to define a one-time schedule or edit an existing one. To access this screen, go to the Schedule screen (see Section 38.2 on page 620), and click either the Add icon or an Edit icon i[...]

  • Page 622

    38.2.2 The Recurring Schedule Add/Edit Screen The Recurring Schedule Add/Edit screen allows you to define a recurring schedule or edit an existing one. To access this screen, go to the Schedule screen (see Section 38.2 on page 620), and click either the Add icon or an Edit [...]

  • Page 623

    Week Days Select each day of the week the recurring schedule is effective. OK Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. Table 210 Object > Schedule > Edit (Recurring) (continued) LABEL DESCRIPTIO[...]

  • Page 624

    624[...]

  • Page 625

    CHAPTER 39 AAA Server 39.1 Overview You can use a AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The AAA server can be an Active Directory, LDAP, or RADIUS server. Use the AAA Server screens to create and manage objects that contain settings for [...]

  • Page 626

    Figure 462 RADIUS Server Network Example 39.1.3 ASAS ASAS (Authenex Strong Authentication System) is a RADIUS server that works with the One-Time Password (OTP) feature. Purchase a ZyWALL OTP package in order to use this feature. The package contains server software and physica[...]

  • Page 627

    RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external or built-in RADIUS server. RADIUS authentication allows you to validate a large number of users from a central location. Finding Out More Se[...]

  • Page 628

    Bind DN A bind DN is used to authenticate with an LDAP/AD server. For example a bind DN of cn=zywallAdmin allows the ZyWALL to log into the LDAP/AD server using the user name of zywallAdmin. The bind DN is used in conjunction with a bind password. When a bind DN is not specified[...]

  • Page 629

    39.3 Active Directory or LDAP Group Summary Screen You can configure a group of AD or LDAP servers in the Active Directory (or LDAP) > Group screen. This is useful if you have more than one AD server or more than one LDAP server for user authentication in a network. You can[...]

  • Page 630

    Figure 466 Object > AAA Server > Active Directory (or LDAP) > Group > Add The following table describes the labels in this screen. Table 213 Object > AAA Server > Active Directory (or LDAP) > Group > Add LABEL DESCRIPTION Configuration All AD or LDAP serve[...]

  • Page 631

    39.4 Configuring a Default RADIUS Server To configure the default external RADIUS server to use for user authentication, click Object > AAA Server > RADIUS to display the screen as shown. Figure 467 Object > AAA Server > RADIUS > Default The following table descri[...]

  • Page 632

    39.5 Configuring a Group of RADIUS Servers You can configure a group of RADIUS servers in the RADIUS > Group screen. This is useful if you have more than one authentication server for user authentication in a network. Click Object > AAA Server > RADIUS > Group to displ[...]

  • Page 633

    The following table describes the labels in this screen. Table 216 Object > AAA Server > RADIUS > Group > Add LABEL DESCRIPTION Configuration All RADIUS servers in a group share the same settings in the fields below. Name Enter a descriptive name (up to 63 alphanumer[...]

  • Página 634

    Chapter 39 AAA Server ZyWALL USG 100/200 Series User’s Guide 634[...]

  • Página 635

    ZyWALL USG 100/200 Series User’s Gu ide 635 C HAPTER 40 Authentication Method 40.1 Overview Authentication method objects set how the ZyW ALL authenticates HTTP/HTTPS clients, peer IPSec routers (extended authentication), L2TP VPN, and wireless clients. Configure authentication method objects to have the Zy W ALL use the local user database, and/[...]

  • Página 636

    Chapter 40 Auth en tic ation Method ZyWALL USG 100/200 Series User’s Guide 636 Figure 470 Example: Using Authentication Method in VPN 40.2 V iewing Authentication Method Objects Click Object > Auth. Method to display the screen as shown. " Y ou can create up to 16 auth entication method objects. Figure 471 Object > Auth. Method The fol[...]

  • Página 637

    Chapter 40 Authentication Method ZyWALL USG 100/200 Series User’s Gu ide 637 40.3 Creating an Authentication Method Object Follow the steps below to create an authentication method object. 1 Click Object > Auth. Method . 2 Click Add . 3 Specify a descriptive name fo r identification purposes in the Name field. Y ou may use 1-31 alphanumeric ch[...]

  • Página 638

    Chapter 40 Auth en tic ation Method ZyWALL USG 100/200 Series User’s Guide 638 The following table describes the labels in this screen. T able 218 Object > Auth. Method > Add LABEL DESCRIPTION Name S pecify a descriptive name for identification purposes. Y o u may use 1-31 alp hanu meric characters, underscores(_), or dashes (-), but the fi[...]

  • Página 639

    ZyWALL USG 100/200 Series User’s Gu ide 639 C HAPTER 41 Certificates 41.1 Overview The ZyW ALL can use certificates (also called digita l IDs) to authenticate users. Certificates are based on public-priva te key pairs. A certificate contains the certificate owner ’ s identity and public key . Certificates provide a way to exchange public keys f[...]

  • Página 640

    Chapter 41 Certificates ZyWALL USG 100/200 Series User’s Guide 640 message, no-one can have altered it (because they cannot re-sign the message with T im’ s private key). 5 Additionally , Jenny uses her own private key to sign a message and T im uses Jenny’ s public key to v e rify the message. The ZyW ALL uses certificates base d on publ ic-[...]

  • Página 641

    Chapter 41 Certificates ZyWALL USG 100/200 Series User’s Gu ide 641 • PEM (Base-64) encoded PKCS#7: This Pr ivacy Enhanced Mail (PEM) format uses lowercase letters, uppercase letters and numera ls to convert a binary PKCS#7 certificate into a printable form. • Binary PKCS#12: This is a format fo r transferring public key and private key certi[...]

  • Página 642

    Chapter 41 Certificates ZyWALL USG 100/200 Series User’s Guide 642 Figure 474 Certificate Details 4 Use a secure method to verify that the certificate owner ha s the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may very based on your situation. Possible examples would be over the telephone or through an HT[...]

  • Página 643

    Chapter 41 Certificates ZyWALL USG 100/200 Series User’s Gu ide 643 41.2.1 The My Certificates Add Screen Click Object > Certificate > My Certificates and then the Add icon to open the My Certificates Add screen. Use this screen to have the ZyW ALL create a self-signed certificate, enroll a certificate with a certification auth ority or gen[...]

  • Página 644

    Chapter 41 Certificates ZyWALL USG 100/200 Series User’s Guide 644 Figure 476 Object > Certificate > My Certificates > Add The following table describes the labels in this screen. T able 220 Object > Certificate > My Certificates > Add LABEL DESCRIPTION Name T ype a name to identify th is certific ate. Y ou can use up to 31 alph[...]

  • Página 645

    Chapter 41 Certificates ZyWALL USG 100/200 Series User’s Gu ide 645 Organization Identify the company or group to which the certificate ow ner belongs. Y ou can use up to 31 characters. Y ou can use a lphanumeric characte rs, the hyphen and the underscore. Country Identify the nation whe re the certificat e owner is located. Y ou can use up to 31[...]

  • Página 646

    Chapter 41 Certificates ZyWALL USG 100/200 Series User’s Guide 646 If you configured the My Cert ific ate Create screen to have t h e ZyW ALL enroll a certificate and the certificate enrollment is not successful, you see a screen with a Return button that takes you back to the My Certif icate Create screen. Click Return and check your information[...]

  • Página 647

    Chapter 41 Certificates ZyWALL USG 100/200 Series User’s Gu ide 647 Figure 477 Object > Certificate > My Certificates > Edit The following table describes the labels in this screen. T able 221 Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificat e. Y ou [...]

  • Página 648

    Chapter 41 Certificates ZyWALL USG 100/200 Series User’s Guide 648 T ype T his field displays general informa ti on about the certificat e. CA-signed mea ns that a Certification Authority signed the certificate . Self-sign ed mean s that the certificate’s owner signed the certificate (not a certification authority). “X.509” means that this [...]

  • Página 649

    Chapter 41 Certificates ZyWALL USG 100/200 Series User’s Gu ide 649 41.2.3 The My Certif icates Import Screen Click Object > Certificate > My Certificates > Import to open the My Certif icate Import screen. Follow the instruc tions in this screen to save an existing certificate to the ZyW ALL. " Y ou can import a certificate that ma[...]

  • Página 650

    Chapter 41 Certificates ZyWALL USG 100/200 Series User’s Guide 650 The following table describes the labels in this screen. 41.3 The T rusted Certificates Screen Click Object > Certificate > T rusted Certificates to open the T rusted Certificates screen. This screen displays a summary list of certificate s that you have set the ZyW ALL to a[...]

  • Página 651

    Chapter 41 Certificates ZyWALL USG 100/200 Series User’s Gu ide 651 41.3.1 The T rusted Ce rtificates Edit Screen Click Object > Certificate > T rusted Certificates and then a certificate’ s Edit icon to open the T rusted Certificates Edit screen. Use this screen to view in-depth information about the certificate, change the certificate?[...]

  • Página 652

    Chapter 41 Certificates ZyWALL USG 100/200 Series User’s Guide 652 Figure 480 Object > Certificate > Tr us ted Certificates > Edit The following table describes the labels in this screen. T able 224 Object > Certificate > T r usted Certificat es > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certi[...]

  • Página 653

    Chapter 41 Certificates ZyWALL USG 100/200 Series User’s Gu ide 653 Refresh Click Refresh to display the certification path. Enable X.509v3 CRL Distribution Points and OCSP checking Select this check box to have the ZyWALL check incoming certificates that ar e signed by this certificate against a Cert ificate Revocati on List (CRL) or an OCSP ser[...]

  • Página 654

    Chapter 41 Certificates ZyWALL USG 100/200 Series User’s Guide 654 41.3.2 The T rusted Cert ificates Import Screen Click Object > Certificate > T rusted Certificates > Import to open the T rusted Certificates I mport screen. Follow the instructions in this screen to save a trusted certificate to the ZyW ALL. " Y ou must remove any s[...]

  • Página 655

    Chapter 41 Certificates ZyWALL USG 100/200 Series User’s Gu ide 655 Figure 481 Object > Certificate > Tr us ted Certificates > Import The following table describes the labels in this screen. 41.4 Certificates T echnical Reference OCSP OCSP (Online Certificate Status P rotocol) allows an application or device to check whether a certificat[...]

  • Página 656

    Chapter 41 Certificates ZyWALL USG 100/200 Series User’s Guide 656[...]

  • Página 657

    ZyWALL USG 100/200 Series User’s Gu ide 657 C HAPTER 42 SSL Application 42.1 Overview Y ou use SSL application objects in SSL VPN. Co nfigure an SSL application object to specify a service and a corresponding IP addres s of the se rver on th e local network. Y ou can app ly one or more SSL application objects in the VPN > SSL VPN screen for a [...]

  • Página 658

    Chapter 42 SSL Application ZyWALL USG 100/200 Series User’s Guide 658 1 Click Object > SSL Application in the navigation panel. 2 Click the Add button and select W eb Application in the Ty p e field. 3 Enter a descriptive name in the Display Name field. For example , “Co mp an yIn tran e t”. 4 In the Address field, enter “http://info”.[...]

  • Página 659

    Chapter 42 SSL Application ZyWALL USG 100/200 Series User’s Gu ide 659 42.2.1 Creating/Editing a We b-based SSL Application Object A web-based application allows remote user s to access an application via standard web browsers. T o configure a web-based application, click the Add or Edit button in the SSL Application screen and se lect W eb Appli[...]

  • Página 660

    Chapter 42 SSL Application ZyWALL USG 100/200 Series User’s Guide 660 42.2.2 Creating/Editing a File Sharing SSL Application Object Y ou can specify the name of a folder on a file server (Linux or W indows) which remote users can access. Remote users can access files using a standa rd web browser and files are displayed as links on the screen. T [...]

  • Página 661

    Chapter 42 SSL Application ZyWALL USG 100/200 Series User’s Gu ide 661 " Y ou must then configure the shared folder on the file server for remote access. Refer to the document that co mes with your file server . Shared Path S pecify the IP add ress, doma in name or NetBIOS name (computer name) of the file server and the name of the share to [...]

  • Página 662

    Chapter 42 SSL Application ZyWALL USG 100/200 Series User’s Guide 662[...]

  • Página 663

    663 P ART IX System System (665)[...]

  • Página 664

    664[...]

  • Página 665

    ZyWALL USG 100/200 Series User’s Gu ide 665 C HAPTER 43 System 43.1 Overview Use the system screens to conf igure general ZyW ALL settings. 43.1.1 What Y ou Can Do In The System Screens •U s e t h e System > Host Name screen ( Figure 486 on page 666 ) to configure a unique name for the ZyW ALL in your network. • Use the System > Date/Ti[...]

  • Página 666

    Chapter 43 Sy stem ZyWALL USG 100/200 Series User’s Guide 666 • V antage CNM (Centraliz ed Network Management) is a browser-based global management tool that allows an administ rator to manage Zy XEL devices. Use the System > V antage CNM screen ( Figure 525 on page 701 ) to allow your Zy W ALL to be managed by the V antage CNM server . •U[...]

  • Página 667

    Chapter 43 System ZyWALL USG 100/200 Series User’s Gu ide 667 Figure 487 System > Date and T ime The following table describes the labels in this screen. T able 230 System > Date and Time LABEL DESCRIPTION Current T ime and Date Current T ime T his fi eld displays the present ti me of your ZyW AL L. Current Date T his fi eld displays the pr[...]

  • Página 668

    Chapter 43 Sy stem ZyWALL USG 100/200 Series User’s Guide 668 43.3.1 Pre-define d NTP Time Servers List When you turn on the ZyW ALL for the first time, the date an d time start at 2003 -01-01 00:00:00. The ZyW ALL then atte mpts to synchronize with one o f the following pre-defined list of Network T ime Protocol (NTP) time servers. Synchronize N[...]

  • Página 669

    Chapter 43 System ZyWALL USG 100/200 Series User’s Gu ide 669 The ZyW ALL continues to use the following pre- defined list of NTP time servers if you do not specify a time server or it cannot synchr onize with the time server you specified. When the ZyW ALL uses the pre-defined list of NTP time servers, it randomly selects one server and tries to[...]

  • Página 670

    Chapter 43 Sy stem ZyWALL USG 100/200 Series User’s Guide 670 43.4 Console Port Sp eed This section shows you how to set the console port speed wh en you connect to the ZyW ALL via the console port using a te rminal emulation program. See T able 2 on page 55 for default console port settings. Click System > Console Speed to open the Console Sp[...]

  • Página 671

    Chapter 43 System ZyWALL USG 100/200 Series User’s Gu ide 671 43.5.2 Configuring the DNS Screen Click System > DNS to change your ZyW ALL’ s DNS settings. Use the DNS screen to configure the ZyW ALL to use a DNS server to resolve domain name s for ZyW ALL system features like VPN, DDNS and the time server . Y ou can also configure the ZyW AL[...]

  • Página 672

    Chapter 43 Sy stem ZyWALL USG 100/200 Series User’s Guide 672 Domain Zone A domain zone is a fully qualified domain name without the h ost. For example, zyxel.com.tw is the domain zone for the www .zyxel.com.tw full y qualified domain name. A “*” means all domain zones. From This displays whether the DNS server IP address is assigned by the I[...]

  • Página 673

    Chapter 43 System ZyWALL USG 100/200 Series User’s Gu ide 673 43.5.3 Address Record An address record contains the mapping of a fu lly qualified domain na me (FQDN) to an IP address. An FQDN consists of a host and do main name. For example, www .zyxel.com is a fully qualified domain name, where “www” is th e host, “zyxel” is the second-le[...]

  • Página 674

    Chapter 43 Sy stem ZyWALL USG 100/200 Series User’s Guide 674 The following table describes the labels in this screen. 43.5.6 Domain Zone Forwarder A domain zone forwarder contains a DNS serv er ’ s IP address. The ZyW ALL can query the DNS server to resolve domain zones for fe atures like VPN, DDNS and the time server . A domain zone is a full[...]

  • Página 675

    Chapter 43 System ZyWALL USG 100/200 Series User’s Gu ide 675 The following table describes the labels in this screen. 43.5.8 MX Record A MX (Mail eXchange) record indi cates which host is responsible for the mail for a particular domain, that is, contro ls where mail is se nt for that domain. If you do not configure proper MX records for your do[...]

  • Página 676

    Chapter 43 Sy stem ZyWALL USG 100/200 Series User’s Guide 676 43.5.10 Adding a DN S Service Control Rule Click the Add icon in the Service Control table to add a service control rule. Figure 494 System > DNS > Service Control Rule Add The following table describes the labels in this screen. 43.6 WWW Overview The following figure shows secu [...]

  • Página 677

    Chapter 43 System ZyWALL USG 100/200 Series User’s Gu ide 677 Figure 495 Secure and Insecure Service Acce ss From the WAN • See Section 5.6.1 on page 122 for related informa tion on these screens. " T o allow the ZyW ALL to be accessed from a specified computer using a service, make sure you do not have a service control rule or to-ZyW ALL[...]

  • Página 678

    Chapter 43 Sy stem ZyWALL USG 100/200 Series User’s Guide 678 43.6.3 HTTPS Y ou can set the ZyW ALL to use HTTP or HTTPS (HTTPS adds security) for web configurator sessions. Specify which zones allow web configurator ac cess and from which IP address the access can come. HTTPS (HyperT ext T ransfer Protocol over Secure Socket Layer , or HTTP over[...]

  • Página 679

    Chapter 43 System ZyWALL USG 100/200 Series User’s Gu ide 679 43.6.4 Configuring WWW Click System > WWW to open the WW W screen. Use this scree n to specify from which zones you can access the ZyW ALL using HTTP or HTTPS. Y ou can also specify which IP addresses the access can come from. " Admin Service Control deals with management acces[...]

  • Página 680

    Chapter 43 Sy stem ZyWALL USG 100/200 Series User’s Guide 680 Server Port The HTTPS server listens on port 443 by default. If you change the HT TPS server port to a different number on the ZyW ALL, for example 8443, then you must notify people who need to access the ZyWALL web configurator to use “https://ZyW ALL IP Address: 8443 ” as the URL[...]

  • Página 681

    Chapter 43 System ZyWALL USG 100/200 Series User’s Gu ide 681 43.6.5 Service Control Rules Click Add or Edit in the Service Control table in a WWW , SSH , Te l n e t , FTP or SNM P screen to add a service control rule. Figure 498 System > Service Control Rule Edit # This is the index number of the se rvice control rule . The entry with a hyphe[...]

  • Página 682

    Chapter 43 Sy stem ZyWALL USG 100/200 Series User’s Guide 682 The following table describes the labels in this screen. 43.6.6 HTTPS Example If you haven’t changed the default HTTPS port on the ZyW ALL, then in your browser enter “https://ZyW ALL IP Address/” as the web site address where “Z yW ALL IP Address” is the IP address or domain[...]

  • Página 683

    Chapter 43 System ZyWALL USG 100/200 Series User’s Gu ide 683 43.6.6.2 Net scape Navigator W arning Messages When you attempt to access the ZyW ALL HTTPS server , a W ebsite Certified by an Unknown Authority screen pops up asking if you trust the server certificate. Click Examine Certificate if you want to verify that th e certificate is from the[...]

  • Página 684

    Chapter 43 Sy stem ZyWALL USG 100/200 Series User’s Guide 684 • For the browser to trust a self-signed certific ate, import the self-signed certificate into your operating system as a trusted certificate. • T o have the browser trust the certificates i ssued by a certificate authority , import the certificate authority’ s certifica te into [...]

  • Página 685

    Chapter 43 System ZyWALL USG 100/200 Series User’s Gu ide 685 43.6.6.5.1 Installing the CA’ s Certificate 1 Double click the CA ’ s trusted certificate to produce a screen similar to the one shown next. Figure 504 CA Certificate Example 2 Click Install Certificate and follow the wizard as show n earlier in this appendix. 43.6.6.5.2 Installing[...]

  • Página 686

    Chapter 43 Sy stem ZyWALL USG 100/200 Series User’s Guide 686 Figure 505 Personal Certificate Import Wizard 1 2 The file name and path of the certificate y ou double-clicked should automatically appear in the File name text box. Click Br owse if you wish to import a dif ferent certific ate. Figure 506 Personal Certificate Import Wizard 2 3 Enter [...]

  • Página 687

    Chapter 43 System ZyWALL USG 100/200 Series User’s Gu ide 687 Figure 507 Personal Certificate Import Wizard 3 4 Have the wizard determine where the certificat e should be saved on your computer or select Place all certificates in the following stor e and choose a different location. Figure 508 Personal Certificate Import Wizard 4 5 Click Finish t[...]

  • Página 688

    Chapter 43 Sy stem ZyWALL USG 100/200 Series User’s Guide 688 Figure 509 Personal Certificate Import Wizard 5 6 Y ou should see the following screen when the ce rtificate is correctly installed on your computer . Figure 510 Personal Certificate Import Wizard 6 43.6.6.6 Using a Certificate When Accessing the ZyW ALL Example Use the following proce[...]

  • Página 689

    Chapter 43 System ZyWALL USG 100/200 Series User’s Gu ide 689 Figure 512 SSL Client Authentication 3 Y ou next see the web configurator login screen. Figure 513 Secure W eb Configurator Login Screen 43.7 SSH Y ou can use SSH (Secure SHell) to securely access the ZyW ALL’ s command line interface. Specify which zones allow SSH access and from wh[...]

  • Página 690

    Chapter 43 Sy stem ZyWALL USG 100/200 Series User’s Guide 690 Figure 514 SSH Communication Over the W AN Example 43.7.1 How SSH Works The following figure is an example of how a secure connection is established between two remote hosts using SSH v1. Figure 515 How SSH v1 Works Example 1 Host Identification The SSH client s ends a connection reque[...]

  • Página 691

    Chapter 43 System ZyWALL USG 100/200 Series User’s Gu ide 691 43.7.2 SSH Implementation on the ZyW ALL Y our ZyW ALL supports SSH version s 1 and 2 using RSA authentication and four encryption methods (AES, 3DES, Archfour and Blowfish ). The SSH server is implemented on the ZyW ALL for management using port 22 (by default). 43.7.3 Requirement s f[...]

  • Página 692

    Chapter 43 Sy stem ZyWALL USG 100/200 Series User’s Guide 692 43.7.5 Secure T elnet Using SSH Examples This section shows two examples using a comm and interface and a graphical interface SSH client program to remotely access the ZyW ALL. The configuration and connection steps are similar for most SSH client programs. Refer to your SSH client pro[...]

  • Página 693

    Chapter 43 System ZyWALL USG 100/200 Series User’s Gu ide 693 43.7.5.2 Example 2: Linux This section describes how to access the ZyW A LL using the OpenSSH client program that comes with most Linux di stributions. 1 T est whether the SSH service is available on the ZyW ALL. Enter “ telnet 192.168.1.1 22 ” at a terminal prompt and press [ENTER[...]

  • Página 694

    Chapter 43 Sy stem ZyWALL USG 100/200 Series User’s Guide 694 Figure 520 System > T elnet The following table describes the labels in this screen. 43.9 FTP Y ou can upload and download the ZyW ALL’ s firm ware and configuration files using FTP . T o use this feature, your computer must have an FTP client. Ple ase se e Chapter 44 on page 705 [...]

  • Página 695

    Chapter 43 System ZyWALL USG 100/200 Series User’s Gu ide 695 43.9.1 Configuring FTP T o change your ZyW ALL’ s FTP settings, click System > FTP tab. The screen appears as shown. Use this screen to sp ecify from which zones FTP can be used to access the ZyW ALL. Y ou can also specify from whic h IP addresses the access can come . Figure 521 [...]

  • Página 696

    Chapter 43 Sy stem ZyWALL USG 100/200 Series User’s Guide 696 43.10 SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices. Y our ZyW A LL supports SNMP agent functionality , which allows a manager station to manage and monitor the ZyW ALL through the network. The ZyW ALL supports [...]

  • Página 697

    Chapter 43 System ZyWALL USG 100/200 Series User’s Gu ide 697 An agent is a management software module th at resi des in a managed device (the ZyW ALL). An agent translates the local management info rmation from the managed device into a form compatible with SNMP . The manager is the co nsole th rough which network administrators perform network [...]

  • Página 698

    Chapter 43 Sy stem ZyWALL USG 100/200 Series User’s Guide 698 43.10.3 Configuring SN MP T o change your ZyW ALL’ s SNMP settings, click System > SNMP ta b. The screen appears as shown. Use this screen to configure your SNMP settings, including from which zones SNMP can be used to access the ZyW ALL. Y ou can also specify from which IP addres[...]

  • Página 699

    Chapter 43 System ZyWALL USG 100/200 Series User’s Gu ide 699 43.1 1 Dial-in Management Connect an external serial modem to the AUX port to provide a management connectio n in case the ZyW ALL’ s other W AN connections are do wn. This is like an auxiliary interface, except it is used for management connectio ns coming into the ZyW ALL instead o[...]

  • Página 700

    Chapter 43 Sy stem ZyWALL USG 100/200 Series User’s Guide 700 Figure 524 System > Dial-in Mgmt The following table describes the labels in this screen. 43.12 V ant age CNM V antage CNM (Centraliz ed Network Managemen t ) is a browser-based global managemen t solution that allows an administrator from any location to easily conf igure, manage, [...]

  • Página 701

    Chapter 43 System ZyWALL USG 100/200 Series User’s Gu ide 701 Figure 525 System > V antage CNM The following table describes the labels in this screen. T able 246 System > V antage CNM LABEL DESCRIPTION V antage CNM Click Ad vanced to display more confi guration fields or click B asic to display fewer fields. Enable Select thi s check box t[...]

  • Página 702

    Chapter 43 Sy stem ZyWALL USG 100/200 Series User’s Guide 702 43.13 Language Screen Click System > Language to open the following screen. Use this screen to select a display language for the ZyW ALL’ s web configurator screens. Figure 526 System > Langu age The following table describes the labels in this screen. Apply Click Apply to save[...]

  • Página 703

    703 P ART X Maintenance, T roubleshooting, & S pecifications File Manager (705) Logs (715) Reports (727) Diagnostics (741) Reboot (743) T roubleshooting (745) Product Specification s (749)[...]

  • Página 704

    704[...]

  • Página 705

    ZyWALL USG 100/200 Series User’s Gu ide 705 C HAPTER 44 File Manager 44.1 Overview Configuration files define the ZyW ALL’ s settings . Shell scripts are files of commands that you can store on the ZyW ALL and run when yo u need them. Y ou can apply a configuration file or run a shell script without the ZyW ALL r estarting. Y ou can store multi[...]

  • Página 706

    Chapter 44 File Manager ZyWALL USG 100/200 Series User’s Guide 706 These files have the same synt ax, whic h is also identical to the way you run CLI commands manually . An example is shown below . While configuration files and shell scripts have the same syntax, the ZyW ALL applies configuration files dif ferently than it runs shell scripts. Thi[...]

  • Página 707

    Chapter 44 File Manager ZyWALL USG 100/200 Series User’s Gu ide 707 " “exit” or “!'” must follow sub commands if it is to make the ZyW ALL exit sub command mode. Line 3 in the following example ex its sub command mode. Lines 1 and 3 in t he followin g example are comments and lin e 4 exits sub command mode. Lines 1 and 2 are com[...]

  • Página 708

    Chapter 44 File Manager ZyWALL USG 100/200 Series User’s Guide 708 Once your ZyW ALL is co nfigured and function i ng properly , it is highly recommended that you back up your configuration file befo re making further configuratio n changes. The backup configuration file will be useful in case you need to return to yo ur previous settings. Config[...]

  • Página 709

    Chapter 44 File Manager ZyWALL USG 100/200 Series User’s Gu ide 709 The following table describes the labels in this screen. T able 249 Maintenanc e > File Mana g er > Configuration File LABEL DESCRIPTION Download Click a configura tion file’s row to select it and click Download to save the configuration to your computer . Copy Use this b[...]

  • Página 710

    Chapter 44 File Manager ZyWALL USG 100/200 Series User’s Guide 710 44.3 The Firmware Package Screen Click Maintenance > File Manager > Firmware Package to open the Firmwar e Package screen. Use the Firmware Package screen to check your current firmware version and upload firmware to the ZyW ALL. " The web configurator is the reco mmend[...]

  • Página 711

    Chapter 44 File Manager ZyWALL USG 100/200 Series User’s Gu ide 71 1 The ZyW ALL’ s firmware packag e canno t go through the ZyW A LL when you enable the anti- virus Destroy compr essed files that could not be decompressed option. The ZyW ALL classifies the firmware package as not being able to be decompressed and deletes it. Y ou can upload th[...]

  • Página 712

    Chapter 44 File Manager ZyWALL USG 100/200 Series User’s Guide 712 " The ZyW ALL automatically reboo ts after a successful upload. The ZyW ALL automatically restarts causing a temporary network disconnect. In some operating systems, you may see th e following icon on your desktop. Figure 533 Network T emporarily Disconnected After five minut[...]

  • Página 713

    Chapter 44 File Manager ZyWALL USG 100/200 Series User’s Gu ide 713 Each field is described in the following table. T able 251 Maintenanc e > File Ma nager > Shell Script LABEL DESCRIPTION Download Click a shell script file’s ro w to select it and click Download to save the con figuration to your computer . Copy Use this button to save a [...]

  • Página 714

    Chapter 44 File Manager ZyWALL USG 100/200 Series User’s Guide 714 Browse... Click Browse... to find the .zysh file you want to upload. Upload Click Upload to begin the upload process. This process may take up to several minutes. T able 251 Maintenance > File Manager > Shell Script (continued) LABEL DESCRIPTION[...]

  • Página 715

    ZyWALL USG 100/200 Series User’s Gu ide 715 C HAPTER 45 Logs 45.1 Overview This chapter provides gene ral information about the ZyW ALL’ s log feature. See Appendix A on page 759 for individual log descriptions. The following table displays the maximum number of system log messages in the ZyW ALL. " When a log reaches the maximum number of[...]

  • Página 716

    Chapter 45 L ogs ZyWALL USG 100/200 Series User’s Guide 716 Figure 538 Maintenance > L o g > View Log Events that generate an alert (a s well as a log message ) display in red. Regular logs display in black. The following table d escribe s the labels in this screen. T able 253 Maintenance > Log > V iew Log LABEL DESCRIPTION Show Filte[...]

  • Página 717

    Chapter 45 Logs ZyWALL USG 100/200 Series User’s Gu ide 717 The W eb configurator saves the filter settings if you leave the Vi e w L o g screen and return to it later . 45.4 Log Setting Screens The Log Setting screens control log messages and alerts. A log message stores the information for viewing (for example, in the Vie w L o g tab) or regula[...]

  • Página 718

    Chapter 45 L ogs ZyWALL USG 100/200 Series User’s Guide 718 The Log Settings Summary screen provides a summary of all the settings. Y ou can use the Log Settings Edit screen to maintain the detailed setti ngs (such as log categories, e-mail addresses, server names, etc.) for any log. Alternatively , if you want to edit what events is included in [...]

  • Página 719

    Chapter 45 Logs ZyWALL USG 100/200 Series User’s Gu ide 719 45.4.2 Edit System Log Settings The Log Settings Edit screen controls the detailed settings for each log in the system log (which includes the e-mail profiles). Go to the Log Settings Summary screen (see Section 45.4.1 on page 718 ), and click the system log Edit icon. Active Log Summa r[...]

  • Página 720

    Chapter 45 L ogs ZyWALL USG 100/200 Series User’s Guide 720 Figure 540 Maintenance > Log > Log Setting > Edit (System Log)[...]

  • Página 721

    Chapter 45 Logs ZyWALL USG 100/200 Series User’s Guide 721 The following table describes the labels in this screen. Table 255 Maintenance > Log > Log Setting > Edit (System Log) LABEL DESCRIPTION E-Mail Server 1/2 Active Select this to send log messages and alerts according to the information in this section. You specify what kinds of[...]

  • Page 722

    45.4.3 Edit Remote Server Log Settings The Log Settings Edit screen controls the detailed settings for each log in the remote server (syslog). Go to the Log Settings Summary screen (see Section 45.4.1 on page 718), and click a remote server Edit icon. Active Select this to activate lo[...]

  • Page 723

    Figure 541 Maintenance > Log > Log Setting > Edit (Remote Server)[...]

  • Page 724

    The following table describes the labels in this screen. 45.4.4 Active Log Summary Screen The Active Log Summary screen allows you to view and to edit what information is included in the system log, e-mail profiles, and remote servers at the same time. It does not let you change other [...]

  • Page 725

    Figure 542 Active Log Summary This screen provides a different view and a different way of indicating which messages are included in each log and each alert. Please see Section 45.4.2 on page 719, where this process is discussed. (The Default category includes debugging messages gen[...]

  • Page 726

    Selection Select what information you want to log from each Log Category (except All Logs; see below). Choices are: disable all logs (red X) - do not log any information from this category enable normal logs (green checkmark) - log regular information and alerts from this category [...]

  • Page 727

    CHAPTER 46 Reports 46.1 Overview This chapter provides information about the report screens. Use the Report screens to start or stop data collection and view various statistics about traffic passing through your ZyWALL. Note: Data collection may decrease the ZyWALL’s traffic throughput rate. [...]

  • Page 728

    Figure 543 Maintenance > Report > Traffic Statistics There is a limit on the number of records shown in the report. Please see Table 259 on page 730 for more information. The following table describes the labels in this screen. Table 258 Maintenance > Report > T[...]

  • Page 729

    Flush Data Click this button to discard all of the screen’s statistics and update the report display. These fields are available when the Traffic Type is Host IP Address/User. # This field is the rank of each record. The IP addresses and users are sorted by the amount of tra[...]

  • Page 730

    The following table displays the maximum number of records shown in the report, the byte count limit, and the hit count limit. 46.3 The Session Screen The Session screen displays information about active sessions for debugging or statistical analysis. It is not possible to manage s[...]

  • Page 731

    Figure 544 Maintenance > Report > Session The following table describes the labels in this screen. Table 260 Maintenance > Report > Session LABEL DESCRIPTION View Select how you want the information to be displayed. Choices are: sessions by users - display all active[...]

  • Page 732

    46.4 The Anti-Virus Report Screen Click Maintenance > Report > Anti-Virus to display the following screen. This screen displays anti-virus statistics. Figure 545 Maintenance > Report > Anti-Virus: Virus Name The following table describes the labels in this screen. User[...]

  • Page 733

    The statistics display as follows when you display the top entries by source. Figure 546 Maintenance > Report > Anti-Virus: Source The statistics display as follows when you display the top entries by destination. Figure 547 Maintenance > Report > Anti-Virus: Destinati[...]

  • Page 734

    Figure 548 Maintenance > Report > IDP: Signature Name The following table describes the labels in this screen. Table 262 Maintenance > Report > IDP LABEL DESCRIPTION Collect Statistics Select this check box to have the ZyWALL collect IDP statistics. The coll[...]

  • Page 735

    The statistics display as follows when you display the top entries by source. Figure 549 Maintenance > Report > IDP: Source The statistics display as follows when you display the top entries by destination. Figure 550 Maintenance > Report > IDP: Destination 46.6 The Anti[...]

  • Page 736

    Figure 551 Maintenance > Report > Anti-Spam: Sender IP The following table describes the labels in this screen. Table 263 Maintenance > Report > Anti-Spam LABEL DESCRIPTION Collect Statistics Select this check box to have the ZyWALL collect anti-spam stati[...]

  • Page 737

    46.7 The Email Daily Report Screen Click Maintenance > Report > Email Daily Report to display the following screen. Configure this screen to have the ZyWALL e-mail you system statistics every day. Mail Sessions Forwarded This is how many e-mail sessions the ZyWALL allowed bec[...]

  • Page 738

    Figure 552 Maintenance > Report > Email Daily Report The following table describes the labels in this screen. Table 264 Maintenance > Report > Email Daily Report LABEL DESCRIPTION Enable Email Daily Report Select this to send reports by e-mail every day. Mail Server T[...]

  • Page 739

    Password This box is effective when you select the SMTP Authentication check box. Type the password to provide to the SMTP server when the log is e-mailed. Send Report Now Click this button to have the ZyWALL send the daily e-mail report immediately. Time for sending report Select [...]

  • Page 740

    [...]

  • Page 741

    CHAPTER 47 Diagnostics 47.1 The Diagnostics Screen The Diagnostics screen provides an easy way for you to generate a file containing the ZyWALL’s configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting. Click Maintenan[...]

  • Page 742

    [...]

  • Page 743

    CHAPTER 48 Reboot 48.1 Overview Use this to restart the device (for example, if the device begins behaving erratically). See also Section 1.4 on page 55 for information on different ways to start and stop the ZyWALL. 48.1.1 What You Need To Know About Reboot If you applied changes in the Web con[...]

  • Page 744

    [...]

  • Page 745

    CHAPTER 49 Troubleshooting This chapter offers some suggestions to solve problems you might encounter. I cannot set up an IPSec VPN tunnel to another device. If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into both ZyXEL I[...]

  • Page 746

    • If you have the ZyWALL and remote IPSec router use certificates to authenticate each other, make sure they trust each other’s certificates. If the ZyWALL’s certificate is self-signed, import it into the remote IPsec router. If it is signed by a CA, make [...]

  • Page 747

    I changed the LAN IP address and can no longer access the Internet. The ZyWALL automatically updates address objects based on an interface’s IP address, subnet, or gateway if the interface’s IP address settings change. However, you need to manually edit any addr[...]

  • Page 748

    49.1 Resetting the ZyWALL If you cannot access the ZyWALL by any method, try restarting it by disconnecting and reconnecting the power. If you still cannot access the ZyWALL by any method or you forget the administrator password(s), you can reset the ZyWALL to its f[...]

  • Page 749

    CHAPTER 50 Product Specifications 50.1 General Specifications The following specifications are subject to change without notice. See Chapter 2 on page 57 for a general overview of key features. This table provides basic device specifications. This table provides hardware specifications. Table 266 De[...]

  • Page 750

    1 It is recommended that you do NOT wall-mount the ZyWALL. A wall-mounting kit is not included. This table gives details about the ZyWALL’s features. Rack-mounting Rack-mountable (rack-mount kit included) Wall-mounting The ZyWALL has wall-mounting holes on t[...]

  • Page 751

    USER PROFILES Maximum Local Users 192 128 Maximum Admin Users 5 5 Maximum User Groups 64 32 Maximum Users in One User Group 192 128 OBJECTS Address Objects 500 200 Address Groups 100 50 Service Objects 500 200 Service Groups 100 50 Schedule Objects 64 32 Maximum Numb[...]

  • Page 752

    Admin E-mail Addresses 2 2 Syslog Servers 4 4 IDP Maximum Number of IDP Profiles 8 8 Custom Signatures 64 32 Maximum Number of IDP Rules 32 32 ADP Maximum Number of ADP Profiles 8 8 Maximum Number of ADP Rules 32 32 Maximum Block Host Number 1000 1000 Maximum Block Pe[...]

  • Page 753

    The following table, which is not exhaustive, lists standards referenced by ZyWALL features. SSL VPN Maximum SSL VPN Connections 2 without a license 10 with license 2 without a license 5 with license OTHERS Maximum Number of Device HA VRRP Groups 16 16 Maximum N[...]

  • Page 754

    50.2 3G or WLAN PCMCIA Card Installation Only insert a compatible 802.11b/g-compliant wireless LAN PCMCIA or CardBus card or 3G card. Slide the connector end of the card into the slot as shown next. Note: Do not force, bend or twist the wireless LAN card, 3G card or [...]

  • Page 755

    POWER CONSUMPTION 20 W MAX. SAFETY STANDARDS UL, CUL (UL 60950-1 FIRST EDITION, CSA C22.2 NO. 60950-1-03 1ST.) Table 271 European Plug Standards AC POWER ADAPTOR MODEL PSA18R-120P (ZE)-R INPUT POWER 100-240V AC, 50/60HZ, 0.5A OUTPUT POWER 12VDC, 3.5A POWER CONSUMPTION[...]

  • Page 756

    [...]

  • Page 757

    PART XI Appendices and Index Common Services (815) Displaying Anti-Virus Alert Messages in Windows (819) Open Software Announcements (845) Legal Information (873) Customer Support (877) Index (883)[...]

  • Page 758

    [...]

  • Page 759

    APPENDIX A Log Descriptions This appendix provides descriptions of example log messages. Table 276 Content Filter Logs LOG MESSAGE DESCRIPTION Content filter has been enabled An administrator turned the content filter on. Content filter has been disabled An administrator turned the content filter o[...]

  • Page 760

    %s: Service is unavailable Content filter rating service is temporarily unavailable and access to the web site was blocked due to: 1. Can't resolve rating server IP (No DNS) 2. Invalid service license 4. Rating service is restarting 5. Can’t connect to rating server[...]

  • Page 761

    Anti-Spam policy %d has been inserted. The anti-spam policy with the specified index number (%d) has been added into the list. Anti-Spam policy %d has been appended. The anti-spam policy with the specified index number (%d) has been added to the end of the list. Anti-Spam p[...]

  • Page 762

    DNSBL domain %s has been deleted. The specified DNSBL domain name (%s) has been removed. DNSBL domain %s has been activated. The specified DNSBL domain name (%s) has been turned on. DNSBL domain %s has been deactivated. The specified DNSBL domain name (%s) has been turned [...]

  • Page 763

    The %s address-object is wrong type for '1st-dns' in SSL Policy %s. The listed address object (first %s) is not the right kind for the first DNS server specified in the listed SSL VPN policy (second %s). The %s address-object is wrong type for '2nd-dns' [...]

  • Page 764

    The SSL VPN policy %s does not configure users or user groups. There are no users or user groups configured for the listed SSL VPN policy (%s). SSL VPN policy rule %s has been inserted. The listed SSL VPN policy (%s) has been inserted in the list of SSL VPN policy rule[...]

  • Page 765

    Failed login attempt to SSLVPN from %s (reach the max. number of simultaneous logon) The listed user (%s) failed to log into SSL VPN because the maximum number of simultaneous logons was already reached. Failed login attempt to SSLVPN from %s (incorrect password or inexiste[...]

  • Page 766

    The ZySH logs deal with internal system errors. User %s has been granted an L2TP over IPSec session. A user with the specified user name (%s) was given access to the L2TP over IPSec service. L2TP over IPSec sessions have been all disconnected since configuration of Tunnel %[...]

  • Page 767

    can't get name for entry %d! 1st:zysh entry index can't get reference count: %s! 1st:zysh list name can't print entry name: %s! 1st:zysh entry name Can't append entry: %s! 1st:zysh entry name Can't set entry: %s! 1st:zysh entry name Can't define [...]

  • Page 768

    Table 283 ADP Logs LOG MESSAGE DESCRIPTION from <zone> to <zone> [type=<type>] <message>, Action: <action>, Severity: <severity> The ZyWALL detected an anomaly in traffic traveling between the specified zones. The <type> = {scan-[...]

  • Page 769

    Reloading Anti-Virus signature reference table has failed. The ZyWALL failed to reload the anti-virus signatures due to an internal error. %s Virus infected - ID:%d,%s,%s. The ZyWALL’s anti-virus feature detected a virus-infected file. 1st %s: The protocol of the infecte[...]

  • Page 770

    AV signature update has failed. An anti-virus signatures update failed for unknown reasons. Anti-Virus signatures missing, refer to your user documentation to recover the default database file. When the ZyWALL started it could not find the anti-virus signature file. See the[...]

  • Page 771

    %s, due to decompress malfunction, %s could not be decompressed. Action on file: %s File decompression failed due to an internal error. 1st %s: The protocol of the packet. 2nd %s: The filename of the related file. 3rd %s: Whether the file was deleted (DESTROY) or forwarded ([...]

  • Page 772

    Failed login attempt to ZyWALL from %s (reach the max. number of simultaneous logon) The ZyWALL blocked a login because the maximum simultaneous login capacity for the administrator or access account has already been reached. %s: service name User %s has been denied access[...]

  • Page 773

    Standard service activation has failed:%s. Standard service activation failed; this log will append an error message returned by the MyZyXEL.com server. %s: error message returned by the myZyXEL.com server Standard service activation has succeeded. Standard service activat[...]

  • Page 774

    Change Anti-Virus engine type has failed. Because of lack must fields. The device failed to change the type of anti-virus engine because the response from the server is missing required fields. Resolve server IP has failed. Update stop. The update has stopped because th[...]

  • Page 775

    IDP signature download has failed. The device still cannot download the IDP signature after 3 retries. Anti-Virus signature download has succeeded. The device successfully downloaded an anti-virus signature file. Anti-Virus signature update has succeeded. The device successf[...]

  • Page 776

    System bootup. Do expiration daily-check. The device processes a service expiration day check immediately after it starts up. After register. Do expiration daily-check immediately. The device processes a service expiration day check immediately after device registrat[...]

  • Page 777

    Download file size is wrong. The file size downloaded for AS is not identical with content-length Parse HTTP header has failed. Device can't parse the HTTP header in a response returned by a server. Maybe some HTTP headers are missing. Table 287 IDP Logs LOG MESSAGE [...]

  • Page 778

    Custom signature import error: line <line>, sid <sid>, <error_message>. An attempt to import a custom IDP signature failed. The errored line number in the file, the error sid and error message are displayed. Custom signature replace error: line <line>[...]

  • Page 779

    IDP system-protect signature update from version <version> to version <version> has succeeded. An update of the IDP system-protect signatures succeeded. The previous and updated signature versions are listed. System-protect error. Create IDP debug directory f[...]

  • Page 780

    IDP system-protect signature update failed. Invalid signature content. An IDP system-protect signature update failed. Enable IDP system-protect succeeded. The IDP system-protect feature was successfully turned on. Disable IDP system-protect succeeded. The IDP system-prot[...]

  • Page 781

    Table 288 Application Patrol MESSAGE EXPLANATION Service=%s Mode=%s Rule=%s Access=%s Common packet logging. 1st %s: Protocol Name, 2nd %s: "port-less" or "port-base", 3rd %s: Rule Index, 4th %s: "forward", "drop" or "reject"[...]

  • Page 782

    System fatal error: 60011002. The device failed to get the application patrol protocol list. System fatal error: 60011003. The device failed to initiate XML. System fatal error: 60011004. The device failed to turn application patrol off while the system was initiating. Ta[...]

  • Page 783

    [SA] : Tunnel [%s] Phase 1 authentication method mismatch %s is the tunnel name. When negotiating Phase-1, the authentication method did not match. [SA] : Tunnel [%s] Phase 1 encryption algorithm mismatch %s is the tunnel name. When negotiating Phase-1, the encryption alg[...]

  • Page 784

    Cannot resolve Secure Gateway Addr %s for Tunnel [%s] 1st %s is my ip address. 2nd %s is the tunnel name; When selecting a matched proposal in phase-1, the engine could not get the correct secure gateway address. Could not dial dynamic tunnel "%s" %s is the tunnel [...]

  • Page 785

    Tunnel [%s] Sending IKE request %s is the tunnel name. The device sent an IKE request. Tunnel [%s] IKE Negotiation is in process %s is the tunnel name. When IKE request is already sent but still attempting to dial a tunnel. VPN gateway %s was disabled %s is the gateway name. [...]

  • Page 786

    Table 290 IPSec Logs LOG MESSAGE DESCRIPTION Corrupt packet, Inbound transform operation fail The device received corrupt IPsec packets and could not process them. Encapsulated packet too big with length An outgoing packet needed to be transformed but was longer than 655[...]

  • Page 787

    Firewall rule %d has been moved to %d. 1st %d is the old global index of rule, 2nd %d is the new global index of rule Firewall rule %d has been deleted. %d is the global index of rule Firewall rules have been flushed. Firewall rules were flushed Firewall rule %d was %s. %d i[...]

  • Page 788

    To send message to policy route daemon failed! Failed to send control message to policy routing manager. The policy route %d allocates memory fail! Allocating policy routing rule fails: insufficient memory. %d: the policy route rule number The policy route %d uses empty [...]

  • Page 789

    HTTPS port has been changed to default port. An administrator changed the port number for HTTPS back to the default (443). HTTP port has changed to port %s. An administrator changed the port number for HTTP. %s is port number assigned by user HTTP port has changed to defaul[...]

  • Page 790

    DHCP Server on Interface %s will be reapplied due to Device HA status is Active When an interface has become the HA master, the DHCP server needs to start operating. %s is interface name DHCP's DNS option:%s has changed. DHCP pool's DNS option support from WAN i[...]

  • Page 791

    Interface %s ping check is failed. Zone Forwarder removes DNS servers in records. Ping check failed, remove DNS servers from bind. %s is interface name Interface %s ping check is disabled. Zone Forwarder adds DNS servers in records. Ping check disabled, add DNS servers in bi[...]

  • Page 792

    %s is dead at %s A daemon (process) is gone (was killed by the operating system). 1st %s: Daemon Name, 2nd %s: date and time %s process count is incorrect at %s The count of the listed process is incorrect. 1st %s: Daemon Name, 2nd %s: date and time %s becomes Zombie at %s [...]

  • Page 793

    DHCP request received via interface %s (%s:%s), src_mac: %s with requested IP: %s The device received a DHCP request through the specified interface. IP confliction is detected. Send back DHCP-NAK. IP conflict was detected. Send back DHCP-NAK. Clear ARP cache done Clear ARP [...]

  • Page 794

    Update the profile %s has failed because of invalid system parameters. Some system parameters are invalid to update FQDN, %s is the profile name. Update the profile %s has failed because the FQDN %s was blocked. The FQDN is blocked by DynDNS, 1st %s is the profile name,[...]

  • Page 795

    Update the profile %s has failed because WAN interface was link-down. DDNS profile cannot be updated for WAN IP because WAN iface is link-down, %s is the profile name. Update the profile %s has failed because WAN interface was not connected. DDNS profile cannot be updated f[...]

  • Page 796

    DDNS Initialization has failed. Initialize DDNS failed, All DDNS profiles are deleted All DDNS profiles have been removed. Collect Diagnostic Information has failed - Server did not respond. There was an error and the diagnostics were not completed. Collect Diagnostic Inf[...]

  • Page 797

    Can't get BROADCAST address of %s interface The connectivity check process can't get broadcast address of interface %s: interface name Can't use MULTICAST IP for destination The connectivity check process can't use multicast address to check link-status. [...]

  • Page 798

    Master firmware version can not be recognized. Stop syncing from Master. Synchronizing stopped because the firmware version file was not found in the Master. A Backup device only synchronizes from the Master if the firmware versions are the same between the Master and t[...]

  • Page 799

    Device HA authentication string of AH for VRRP group %s maybe wrong. A VRRP group’s AH String (IPSec AH) configuration may not match between the Backup and the Master. %s: The name of the VRRP group. Retrying to update %s for %s. Retry: %d. An update failed. Retrying [...]

  • Page 800

    Invalid RIP text authentication. RIP text authentication has been set without setting authentication key first RIP on interface %s has been activated. RIP on interface %s has been activated. %s: Interface Name RIP direction on interface %s has been changed to In-Only. RIP[...]

  • Page 801

    RIP v2-broadcast on interface %s has been enabled. RIP v2-broadcast on interface %s has been enabled. %s: Interface Name. RIP send-version on interface %s has been changed to %s. RIP send-version on interface %s has been changed to version 1 or 2 or both 1 2. %s: Interface [...]

  • Page 802

    Interface %s does not belong to any OSPF area. Interface %s has been set OSPF authentication same-as-area, however the interface does not belong to any OSPF area. %s: Interface Name Invalid OSPF authentication of area %s on interface %s. Interface %s has been set OSPF authen[...]

  • Page 803

    Table 300 PKI Logs LOG MESSAGE DESCRIPTION Generate X509certifiate "%s" successfully The router created an X509 format certificate with the specified name. Generate X509 certificate "%s" failed, errno %d The router was not able to create an X509 format[...]

  • Page 804

    Import PKCS#7 certificate "%s" into "My Certificate" successfully The device imported a PKCS#7 format certificate into My Certificates. %s is the certificate request name. Import PKCS#7 certificate "%s" into "Trusted Certi[...]

  • Page 805

    CODE DESCRIPTION 1 Algorithm mismatch between the certificate and the search constraints. 2 Key usage mismatch between the certificate and the search constraints. 3 Certificate was not valid in the time interval. 4 (Not used) 5 Certificate is not valid. 6 Certificate sig[...]

  • Page 806

    AUX Interface disconnecting failed. This AUX interface is not enabled. The AUX interface is not enabled and a user tried to use the disconnect aux command. Please type phone number of interface AUX first then dial again. A user tried to dial the AUX interface, but the AUX [...]

  • Page 807

    Interface %s links down. Default route will not apply until interface %s links up. An administrator set a static gateway in interface but this interface is link down. At this time the configuration will be saved but route will not take effect until the link becomes up. 1st[...]

  • Page 808

    Interface %s connect failed: Connect timeout. A PPPOE connection timed out due to a lack of response from the PPPOE server. %s: PPP interface name. Interface %s create failed because has no member. A bridge interface has no member. %s: bridge interface name. "Interf[...]

  • Page 809

    "Incorrect PIN code of interface cellular%d. Please check the PIN code setting. The listed cellular interface (%d) has the wrong PIN code configured. "Unable to query the signal quality from the device in %s. Please try to remove then insert the device. The Zy[...]

  • Page 810

    Create interface %s has failed. Wlan device does not exist. The wireless device failed to create the specified WLAN interface (%s). Remove the wireless device and reinstall it. System internal error. No 802.1X or WPA enabled! IEEE 802.1x or WPA is not enabled. System inte[...]

  • Page 811

    Table 303 Account Logs LOG MESSAGE DESCRIPTION Account %s %s has been deleted. A user deleted an ISP account profile. 1st %s: profile type, 2nd %s: profile name. Account %s %s has been changed. A user changed an ISP account profile’s options. 1st %s: profile type, 2nd %s[...]

  • Page 812

    Table 306 File Manager Logs LOG MESSAGE DESCRIPTION ERROR:#%s, %s Apply configuration failed, this log will be what CLI command is and what error message is. 1st %s is CLI command. 2nd %s is error message when apply CLI command. WARNING:#%s, %s Apply configuration failed, [...]

  • Page 813

    [...]

  • Page 814

    [...]

  • Page 815

    APPENDIX B Common Services The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Number Authority) web site. • Name: This is a short, de[...]

  • Page 816

    FTP TCP TCP 20 21 File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail. H.323 TCP 1720 NetMeeting uses this protocol. HTTP TCP 80 Hyper Text Transfer Protocol - a client/server protocol for the wor[...]

  • Page 817

    RTSP TCP/UDP 554 The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet. SFTP TCP 115 Simple File Transfer Protocol. SMTP TCP 25 Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enabl[...]

  • Page 818

    [...]

  • Page 819

    ZyWALL USG 100/200 Series User’s Gu ide 819 A PPENDIX C Displaying Anti-V irus Alert Messages in Windows W ith the anti-virus packet scan , when a virus is detected, you can have the ZyW ALL display an alert message on Misc rosoft W indows-based computers. If the log shows that virus files are being detected but yo ur Miscrosoft W indows-based co[...]

  • Page 820

    Figure 557 Windows XP: Starting the Messenger Service
    3 Close the window when you are done.
    Windows 2000
    1 Click Start > Settings > Control Panel > Administrative Tools > Services.
    Figure 558 Windows 2000: Opening the Services W[...]

  • Page 821

    Figure 559 Windows 2000: Starting the Messenger Service
    3 Close the window when you are done.
    Windows 98 SE/Me
    For Windows 98 SE/Me, you must open the WinPopup window in order to view real-time alert messages. Click Start > Run and ente[...]

  • Page 822

    Figure 562 Windows 98 SE: Task Bar Properties
    3 Double-click Programs and click StartUp.
    4 Right-click in the StartUp pane and click New, Shortcut.
    Figure 563 Windows 98 SE: StartUp
    5 A Create Shortcut window displays. Enter “w[...]

  • Page 823

    Figure 564 Windows 98 SE: Startup: Create Shortcut
    6 Specify a name for the shortcut or accept the default and click Finish.
    Figure 565 Windows 98 SE: Startup: Select a Title for the Program
    7 A shortcut is created in the StartUp pane. [...]

  • Page 824

    Figure 566 Windows 98 SE: Startup: Shortcut
    The WinPopup window displays after the computer finishes the startup process (see Figure 560 on page 821). [...]

  • Page 825

    APPENDIX D Importing Certificates
    This appendix shows examples of importing certificates using Netscape Navigator and Internet Explorer 5. This appendix uses the ZyWALL 70 as an example. Other models should be similar.
    Import ZyWALL Certificates into Netscape Navigator
    In Netscape Navigator, you [...]

  • Page 826

    Figure 568 Login Screen
    2 Click Install Certificate to open the Install Certificate wizard.
    Figure 569 Certificate General Information before Import
    3 Click Next to begin the Install Certificate wizard. [...]

  • Page 827

    Figure 570 Certificate Import Wizard 1
    4 Select where you would like to store the certificate and then click Next.
    Figure 571 Certificate Import Wizard 2
    5 Click Finish to complete the Import Certificate wizard. [...]

  • Page 828

    Figure 572 Certificate Import Wizard 3
    6 Click Yes to add the ZyWALL certificate to the root store.
    Figure 573 Root Certificate Store [...]

  • Page 829

    Figure 574 Certificate General Information after Import [...]

  • Page 830

    [...]

  • Page 831

    APPENDIX E Wireless LANs
    Wireless LAN Topologies
    This section discusses ad-hoc and infrastructure wireless LAN topologies.
    Ad-hoc Wireless LAN Configuration
    The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time[...]

  • Page 832

    Figure 576 Basic Service Set
    ESS
    An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This [...]

  • Page 833

    Figure 577 Infrastructure WLAN
    Channel
    A channel is the radio frequency(ies) used by wireless devices to transmit and receive data. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a channel different f[...]

  • Page 834

    Figure 578 RTS/CTS
    When station A sends data to the AP, it might not know that station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss [...]

  • Page 835

    If the Fragmentation Threshold value you set is smaller than the RTS/CTS value (see above), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur, as data frames will be fragmented before they reach the RTS/CTS size.
    Preamble Type
    Preamble is us[...]

  • Page 836

    Wireless security methods available on the ZyWALL are data encryption, wireless client authentication, restricting access by device MAC address and hiding the ZyWALL identity. The following figure shows the relative effectiveness of these wireless security methods availa[...]

  • Page 837

    Determines the network services available to authenticated users once they are connected to the network.
    • Accounting
    Keeps track of the client’s network activity.
    RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless client a[...]

  • Page 838

    For the EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called a digital ID) can be used to authenticate users, and a CA issues certificates and guarantees t[...]

  • Page 839

    Dynamic WEP Key Exchange
    The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed. If this feat[...]

  • Page 840

    Encryption
    WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA2 also uses TKIP when required for compatibility reasons, but offers stronger encryption than TKIP with Advanced Encryption Standard[...]

  • Page 841

    Wireless Client WPA Supplicants
    A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's [...]

  • Page 842

    3 The AP and wireless clients generate a common PMK (Pairwise Master Key). The key itself is not sent over the network, but is derived from the PSK and the SSID.
    4 The AP and wireless clients use the TKIP or AES encryption process, the PMK and information exchanged in a handsha[...]

  • Page 843

    Antenna Overview
    An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air.
    Positioning the antenn[...]

  • Page 844

    Positioning Antennas
    In general, antennas should be mounted as high as practically possible and free of obstructions. In a point-to-point application, position both antennas at the same height and in a direct line of sight to each other to attain the best performance. For om[...]

  • Page 845

    APPENDIX F Open Software Announcements
    Notice
    Information herein is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any p[...]

  • Page 846

    • This Product includes Netkit Telnet-0.17 software under the Netkit Telnet License
    Netkit Telnet License
    Copyright (c) 1989 Regents of the University of California. All rights reserved.
    Redistribution and use in source and binary forms, with or with[...]

  • Page 847

    • This Product includes expat-1.95.6 software under the Expat License
    Expat License
    Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd
    Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associa[...]

  • Page 848

    The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
    • This Product includes openssl-0.9.8d-ocf software under the OpenSSL License
    OpenSSL
    The OpenSSL toolkit stays under a du[...]

  • Page 849

    OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (t[...]

  • Page 850

    ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and[...]

  • Page 851

    • This Product includes bind-9.2.3 software under the Internet Software Consortium and Nominum License
    Copyright (C) 1996-2002 Internet Software Consortium.
    Permission to use, copy, modify, and distribute this software for any purpose with or without fe[...]

  • Page 852

    THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DA[...]

  • Page 853

    "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).
    "Derivativ[...]

  • Page 854

    (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do n[...]

  • Page 855

    Version 1.1
    Copyright (c) 1999-2003 The Apache Software Foundation. All rights reserved.
    Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
    Redistributions of so[...]

  • Page 856

    59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
    Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
    [This is the first released version of the Lesser GPL. It also counts as the successo[...]

  • Page 857

    When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such link[...]

  • Page 858

    Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the [...]

  • Page 859

    4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source co[...]

  • Page 860

    copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version i[...]

  • Page 861

    simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those w[...]

  • Page 862

    16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDE[...]

  • Page 863

    To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modif[...]

  • Page 864

    c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a no[...]

  • Page 865

    4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this[...]

  • Page 866

    10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Fo[...]

  • Page 867

    Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. Neither the name of the University nor of the Laboratory ma[...]

  • Page 868

    The Public License Version 2.8, 17 August 2003
    Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following conditions are met:
    1. Redistributions in sourc[...]

  • Page 869

    End-User License Agreement for “ZyWALL USG 100 and ZyWALL USG 200”
    WARNING: ZyXEL Communications Corp. IS WILLING TO LICENSE THE ENCLOSED SOFTWARE TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS LICENSE AGREEMENT. P[...]

  • Page 870

    You acknowledge that the Software contains proprietary trade secrets of ZyXEL and you hereby agree to maintain the confidentiality of the Software using at least as great a degree of care as you use to maintain the confidentiality of your own most confidential[...]

  • Page 871

    ORDERS, OR OTHER RESTRICTIONS. YOU AGREE TO INDEMNIFY ZyXEL AGAINST ALL CLAIMS, LOSSES, DAMAGES, LIABILITIES, COSTS AND EXPENSES, INCLUDING REASONABLE ATTORNEYS' FEES, TO THE EXTENT SUCH CLAIMS ARISE OUT OF ANY BREACH OF THIS SECTION 8.
    9. Audit Rights
    ZyXE[...]

  • Page 872

    [...]

  • Page 873

    APPENDIX G Legal Information
    Copyright
    Copyright © 2008 by ZyXEL Communications Corporation.
    The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electro[...]

  • Page 874

    If this device does cause harmful interference to radio/television reception, which can be determined by turning the device off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
    1 Reorient or relocate the receiving[...]

  • Page 875

    ZyXEL Limited Warranty
    ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to five years from the date of purchase. During the warranty period, and upon proof of purchase, should the[...]

  • Page 876

    [...]

  • Page 877

    APPENDIX H Customer Support
    In the event of problems that cannot be solved by using this manual, you should contact your vendor. If you cannot contact your vendor, then contact a ZyXEL office for the region in which you bought the device. Regional offices are listed below (see also http://www.z[...]

  • Page 878

    • Address: 1005F, ShengGao International Tower, No.137 XianXia Rd., Shanghai
    • Web: http://www.zyxel.cn
    Costa Rica
    • Support E-mail: soporte@zyxel.co.cr
    • Sales E-mail: sales@zyxel.co.cr
    • Telephone: +506-2017878
    • Fax: +506-2015098
    • Web: www.zyxel.co[...]

  • Page 879

    Germany
    • Support E-mail: support@zyxel.de
    • Sales E-mail: sales@zyxel.de
    • Telephone: +49-2405-6909-69
    • Fax: +49-2405-6909-99
    • Web: www.zyxel.de
    • Regular Mail: ZyXEL Deutschland GmbH., Adenauerstr. 20/A2 D-52146, Wuerselen, Germany
    Hungary
    • Su[...]

  • Page 880

    Malaysia
    • Support E-mail: support@zyxel.com.my
    • Sales E-mail: sales@zyxel.com.my
    • Telephone: +603-8076-9933
    • Fax: +603-8076-9833
    • Web: http://www.zyxel.com.my
    • Regular Mail: ZyXEL Malaysia Sdn Bhd., 1-02 & 1-03, Jalan Kenari 17F, Bandar Puchong Jaya,[...]

  • Page 881

    Singapore
    • Support E-mail: support@zyxel.com.sg
    • Sales E-mail: sales@zyxel.com.sg
    • Telephone: +65-6899-6678
    • Fax: +65-6899-8887
    • Web: http://www.zyxel.com.sg
    • Regular Mail: ZyXEL Singapore Pte Ltd., No. 2 International Business Park, The Strategy #03-28, [...]

  • Page 882

    Turkey
    • Support E-mail: cso@zyxel.com.tr
    • Telephone: +90 212 222 55 22
    • Fax: +90-212-220-2526
    • Web: http://www.zyxel.com.tr
    • Address: Kaptanpasa Mahallesi Piyalepasa Bulvari Ortadogu Plaza N:14/13 K:6 Okmeydani/Sisli Istanbul/Turkey
    Ukraine
    • Support E-m[...]

  • Page 883

    Index
    Numerics 3DES 374 3G 129 3G see also cellular 226 A AAA server 625 AD 626 and users 594 directory service 625 LDAP 625, 626 LDAP Default 628 LDAP Group 629 LDAP group members 630 local user database 626 object, where used 121 RADIUS 625, 626 RADIUS default 631 RADIUS group 632 RADIUS group[...]

  • Page 884

    alerts 717, 721, 724, 725 anti-spam 564 anti-virus 475 IDP 492 ALG 325, 330 and firewall 325, 327 and NAT 326 and policy routes 327, 330 and trunks 330 and virtual servers 327 configuration overview 120 FTP 326 H.323 326, 331 peer-to-peer calls 327 RTP 331 See also VoIP pass through 326 S[...]

  • Page 885

    allowing through the firewall 344 vs virtual interfaces 343 AT command strings 699 authentication LDAP/AD 626 authentication algorithms 295, 373, 374 and active protocol 374 and routing protocols 295 MD5 295, 374 SHA1 374 text 295 Authentication Header. See AH. authentication method object[...]

  • Page 886

    and FTP 695 and HTTPS 678 and IKE SA 378 and SSH 691 and synchronization (device HA) 589 and VPN gateways 353 and WWW 680 certification path 640, 647, 652 expired 640 factory-default 640 file formats 640 fingerprints 648, 654 importing 643 in the VPN wizard 101 not used for encryption 640 revoke[...]

  • Page 887

    copyright 873 CPU usage 173, 175 CTS (Clear to Send) 834 current date/time 173, 666 and schedules 619 daylight savings 668 setting manually 669 time server 669 current user list 389 custom signatures 498 applying 508 example 505 verifying 508 custom.rules 501 customer support 877 D data collect[...]

  • Page 888

    double-encoding 527 DTR 699 Dynamic Domain Name System. See DDNS. Dynamic Host Configuration Protocol. See DHCP. dynamic WEP key exchange 839 DynDNS 303 DynDNS see also DDNS. 303 Dynu see DDNS. 303 E EAP Authentication 837 e-Donkey 493 EGP (Exterior Gateway Protocol) 524 egress bandwidth 210, 23[...]

  • Page 889

    vs application patrol 335, 337 firmware and restart 710 boot module. See boot module. current version 172, 711 getting updated 710 uploading 710, 711 uploading with FTP 694 flags 499 flash usage 173 flood detection 525 force log out 390 force user authentication policies 601 and address gro[...]

  • Page 890

    custom signature example 505 custom signatures 498 false negatives 489 false positives 489 inline profile 489 license status 173 log options 492 monitor profile 489 packet inspection profiles 490 packet inspection signatures 490 policies 486 policy types 493 prerequisites 118 profiles 483, 485[...]

  • Page 891

    trunks. See also trunks. types 200 virtual. See also virtual interfaces. VLAN. See also VLAN interfaces. where used 114 WLAN 200 Internet Control Message Protocol. See ICMP. Internet Message Access Protocol. See IMAP. 560 Internet Protocol Security. See IPSec. Internet Protocol. See IP. Intr[...]

  • Page 892

    Default_L2TP_VPN_GW example 415 DNS 412 example 415, 418 IPSec configuration 410 policy route 410 policy route example 418 prerequisites 115 remote user configuration 419 session monitor 412 where used 115 WINS 412 LAND attack 526 lastgood.conf 708, 710 Layer 2 Tunneling Protocol Virtual Pri[...]

  • Page 893

    N NAT 285, 309 1 to 1 example 313 address mapping. See policy routes. ALG. See ALG. and address objects 282 and ALG 326 and policy routes 278, 282 and VPN 377 and VPN. See also VPN. port forwarding. See virtual servers. port translation. See virtual servers. port triggering. See also policy [...]

  • Page 894

    Pairwise Master Key (PMK) 840, 842 payload option 504 payload size 505 PCMCIA card installation 754 Peanut Hull see DDNS. 303 peer-to-peer (P2P) managing 443 peer-to-peer calls 159, 327 Perfect Forward Secrecy (PFS) Diffie-Hellman key group 380 Personal Identification Number code see PIN code 23[...]

  • Page 895

    R RADIUS 625, 626, 836 advantages 625 and IKE SA 378 and PPPoE 268 and users 594 message types 837 messages 837 shared secret key 837 user attributes 604 real-time alert message 821 Real-time Transport Protocol. See RTP. reauthentication time 243, 244 reboot 55, 743 vs reset 743 record route [...]

  • Page 896

    and force user authentication policies 603 and policy routes 282, 455, 457, 459, 461 one-time 619 recurring 619 types of 619 where used 121 screen resolution 65 Secure Hash Algorithm. See SHA1. Secure Socket Layer. See SSL. security associations. See VPN. self-referential directories 528 sens[...]

  • Page 897

    spam 559 specifications 749 device 749 feature 750 hardware 749 spillover (for load balancing) 272 SQL slammer 509 SSH 689 and address groups 692 and address objects 692 and certificates 691 and zones 692 client requirements 691 encryption methods 691 for secure Telnet 692 how connection is estab[...]

  • Page 898

    SYN flood 526 synchronization 576 and subscription services 576 information synchronized 588 password 581, 585 port number 581, 585 restrictions 589 syntax conventions 5 syslog 718, 724 syslog servers. See logs. system log. See logs. system name 172, 666 system protect updating signatures 194[...]

  • Page 899

    messages 613 port numbers 613 UDP Decoder 520 UDP decoy portscan 524 UDP distributed portscan 524 UDP flood attack 526 UDP portscan 524 UDP portsweep 524 undersize-len attack 528, 529 undersize-offset attack 528 unsolicited commercial e-mail 559 update configuration overview 123 prerequisites 123[...]

  • Page 900

    Virtual Private Network. See VPN. virtual router 578 Virtual Router ID number (VRID). 584 Virtual Router Redundancy Protocol. See VRRP. virtual server tutorial 167 virtual servers 309 and address objects (HOST) 312 and ALG 327 and firewall 344 and interfaces 311 and to-ZyWALL firewall 313 and V[...]

  • Page 901

    white list anti-spam 564, 566, 567 whitelist 567 anti-spam 559 Wi-Fi Protected Access 839 Windows Internet Naming Service. See WINS. WinPopup window 821 WINS 213, 239, 254, 261, 268, 389 L2TP VPN 412 WINS server 213, 239, 254, 261, 412 wireless MAC filter 245 wireless client 233 wirel[...]

  • Page 902

    [...]