ZyXEL Communications Unified Security Gateway ZyWALL 1000 user manual



User manual table of contents

  • Page 1

    www.zyxel.com ZyWALL USG 1000 Unified Security Gateway User's Guide Version 2.00 10/2007 Edition 1 DEFAULT LOGIN LAN Port P1 IP Address http://192.168.1.1 User Name admin Password 1234[...]

  • Page 3

    About This User's Guide ZyWALL USG 1000 User's Guide 3 About This User's Guide This manual is designed to guide you through the configuration of your ZyWALL for its various applications. Generally, it is organized as follows. • Introduction (ZyWALL, web configurator) • Features (by menu item in the web configurator) • Overvi[...]

  • Page 4

    Note: It is recommended you use the web configurator to configure the ZyWALL. • Web Configurator Online Help Click the help icon in any screen for help in configuring that screen and supplementary information. • Supporting Disk Refer to the included CD for support documents. [...]

  • Page 5

    Document Conventions Warnings and Notes These are how warnings and notes are shown in this User's Guide. Warnings tell you about things that could harm you or your device. Notes tell you other important information (for example, other things you may need to configure or helpful t[...]

  • Page 6

    Document Conventions Icons Used in Figures Figures in this User's Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. ZyWALL, Computer, Notebook computer, Server, Firewall, Telephone, Switch, Router[...]

  • Page 7

    Safety Warnings For your safety, be sure to read and follow all warning notices and instructions. • Do NOT use this product near water, for example, in a wet basement or near a swimming pool. • Do NOT expose your device to dampness, dust or corrosive liquids. • Do NOT store things on the [...]

  • Page 9

    Contents Overview Introduction .... 51 Introducing the ZyWALL ....[...]

  • Page 10

    Contents Overview Content Filter Screens .... 463 Content Filter Reports .... 483 Device H[...]

  • Page 11

    Table of Contents About This User's Guide .... 3 Document Conventions .... 5 Safety W[...]

  • Page 12

    Table of Contents 3.1 Web Configurator Requirements .... 65 3.2 Web Configurator Access .... 65 3.3 Web Configurator Main[...]

  • Page 13

    Table of Contents 5.2 Terminology in the ZyWALL .... 112 5.3 Physical Ports, Interfaces, and Zones .... 112 5.3.1 Network Topology Exa[...]

  • Page 14

    Table of Contents 6.2.2 Set up the VPN Gateway .... 132 6.2.3 Set up the VPN Connection .... 133 6.2.4 Set up the Policy Route for the VP[...]

  • Page 15

    Table of Contents 8.1 myZyXEL.com Overview .... 165 8.1.1 Subscription Services Available on the ZyWALL .... 165 8.2 Registration ....[...]

  • Page 16

    Table of Contents 10.6.1 PPPoE/PPTP Overview .... 210 10.6.2 PPPoE/PPTP Interfaces Overview .... 211 10.6.3 PPPoE/PPTP Interface Summary ....[...]

  • Page 17

    Table of Contents 13.3 OSPF Overview .... 237 13.3.1 OSPF Areas .... 238 13.3.2 OSPF Route[...]

  • Page 18

    Table of Contents 18.1 ALG Introduction .... 265 18.1.1 Application Layer Gateway (ALG) and NAT .... 265 18.1.2 ALG and Trunks ....[...]

  • Page 19

    Table of Contents 20.4.2 Additional Topics for IKE SA .... 310 20.4.3 VPN Gateway Summary .... 312 20.4.4 VPN Gateway Add/Edit ....[...]

  • Page 20

    Table of Contents 24.3.1 Downloading a File .... 341 24.3.2 Saving a File .... 341 24.4 Creating a New Fo[...]

  • Page 21

    Table of Contents 27.5.1 Setting the Interface's Bandwidth .... 385 27.5.2 SIP Any to WAN Bandwidth Management Example .... 385 27.5.3 SIP WAN to Any Bandwidth Management Example ....[...]

  • Page 22

    Table of Contents 29.3 Configuring IDP General .... 418 29.4 Configuring IDP Bindings .... 420 29.5 Introducing ID[...]

  • Page 23

    Table of Contents Chapter 31 Content Filter Screens .... 463 31.1 Content Filter Overview .... 463 31.1.1 C[...]

  • Page 24

    Table of Contents 34.1.4 Access Users and the ZyWALL .... 505 34.1.5 Force User Authentication Policy .... 505 34.2 User Summary ....[...]

  • Page 25

    Table of Contents 38.2 Directory Service (AD/LDAP) Overview .... 532 38.2.1 Directory Structure .... 532 38.2.2 Distinguished Name (DN) ....[...]

  • Page 26

    Table of Contents Chapter 42 SSL Application .... 567 42.1 SSL Application Overview .... 567 42.1.1 App[...]

  • Page 27

    Table of Contents 44.3 Configuring WWW .... 589 44.4 Service Control Rules .... 592 44.5 HTTPS Examp[...]

  • Page 28

    Table of Contents 45.2 Configuration File Screen .... 618 45.3 Firmware Package Screen .... 620 45.4 Shell Script Screen ....[...]

  • Page 29

    Table of Contents Appendix F Open Software Announcements .... 719 Appendix G Legal Information .... 755 Appendix H Customer Support ....[...]

  • Page 31

    List of Figures Figure 1 ZyWALL USG 1000 Front Panel .... 53 Figure 2 Managing the ZyWALL: Web Configurator .... 54 Figur[...]

  • Page 32

    List of Figures Figure 39 VPN Advanced Wizard: Step 3 .... 104 Figure 40 VPN Advanced Wizard: Step 4 .... 106 Figure 41 V[...]

  • Page 33

    List of Figures Figure 82 AppPatrol > http > Edit Default .... 144 Figure 83 Object > Schedule > Recurring > add .... 1[...]

  • Page 34

    List of Figures Figure 125 Network > Interface > Ethernet > Edit .... 190 Figure 126 Network > Interface > Ethernet > Edit > Edit static DHCP table .... 194 Figure 127 Por[...]

  • Page 35

    List of Figures Figure 168 HTTP Redirect Example .... 262 Figure 169 Network > HTTP Redirect .... 263 Figu[...]

  • Page 36

    List of Figures Figure 211 VPN > IPSec VPN > SA Monitor .... 321 Figure 212 VPN > SSL VPN > Access Privilege .... 324 Figure 21[...]

  • Page 37

    List of Figures Figure 254 Connect L2TP to ZyWALL: Security .... 359 Figure 255 Connect ZyWALL L2TP: Security > Advanced .... 359 Figure 256 L2TP to ZyWALL [...]

  • Page 38

    List of Figures Figure 297 LAN to WAN, Outbound 200 kbps, Inbound 500 kbps .... 382 Figure 298 Bandwidth Management Behavior .... 383 Figure 299 Application Patrol Bandwi[...]

  • Page 39

    List of Figures Figure 340 Base Profiles .... 449 Figure 341 Anti-X > ADP > Profile ....[...]

  • Page 40

    List of Figures Figure 383 Object > Service > Service > Edit .... 523 Figure 384 Object > Service > Service Group .... 524[...]

  • Page 41

    List of Figures Figure 426 Secure and Insecure Service Access From the WAN .... 587 Figure 427 HTTP/HTTPS Implementation .... 589 Figure 428 System > WWW ....[...]

  • Page 42

    List of Figures Figure 469 Maintenance > Log > Log Setting .... 628 Figure 470 Maintenance > Log > Log Setting > E-mail > Edit .... 630 Figure 47[...]

  • Page 43

    List of Tables Table 1 Front Panel LEDs .... 54 Table 2 Managing the ZyWALL: Console Port ....[...]

  • Page 44

    List of Tables Table 39 Licensing > Registration .... 167 Table 40 Licensing > Registration > Service .... 1[...]

  • Page 45

    List of Tables Table 82 Network > HTTP Redirect > Edit .... 263 Table 83 Network > ALG ....[...]

  • Page 46

    List of Tables Table 125 Anti-X > Anti-Virus > Setting > Black List Add .... 413 Table 126 Anti-X > Anti-Virus > Signature .... 414 Tabl[...]

  • Page 47

    List of Tables Table 168 Object > Address > Address Group > Add .... 518 Table 169 Object > Service > Service .... 522 Table[...]

  • Page 48

    List of Tables Table 211 SNMP Traps .... 607 Table 212 System > SNMP ....[...]

  • Page 49

    List of Tables Table 254 Interface Logs .... 699 Table 255 Account Logs ....[...]

  • Page 51

    PART I Introduction Introducing the ZyWALL (53) Features and Applications (57) Web Configurator (65) Configuration Basics (111) Tutorials (125) Status (157) Registration (165) Update (171)[...]

  • Page 53

    CHAPTER 1 Introducing the ZyWALL This chapter gives an overview of the ZyWALL. It explains the front panel ports, LEDs, introduces the management methods, and lists different ways to start or stop the ZyWALL. 1.1 Overview and Key Default Settings The ZyWALL is an Internet Security Gateway designed for Small a[...]

  • Page 54

    Chapter 1 Introducing the ZyWALL The following table describes the LEDs. 1.3 Management Overview You can use the following ways to manage the ZyWALL. Web Configurator The web configurator allows easy ZyWALL setup and management using an Internet browser. This User's Guide provides information about the w[...]

  • Page 55

    Chapter 1 Introducing the ZyWALL Command-Line Interface (CLI) The CLI allows you to use text-based commands to configure the ZyWALL. You can access it using remote management (for example, SSH or Telnet) or via the console port. See the Command Reference Guide for more information about the CLI. Console Port Y[...]

  • Page 56

    Chapter 1 Introducing the ZyWALL Note: It is recommended you use the shutdown command before turning off the ZyWALL. When you apply configuration files or run shell scripts, the ZyWALL does not stop or start the system processes. However, you might lose access to network resources temporarily while the Zy[...]

  • Page 57

    CHAPTER 2 Features and Applications This chapter introduces the main features and applications of the ZyWALL. 2.1 Features The ZyWALL's security features include VPN, firewall, anti-virus, content filtering, IDP (Intrusion Detection and Prevention), ADP (Anomaly Detection and Protection), and certificates.[...]

  • Page 58

    Chapter 2 Features and Applications Intrusion Detection and Prevention (IDP) IDP can detect malicious or suspicious packets and respond instantaneously. It detects pattern-based attacks in order to protect against network-based intrusions. See Section 29.8.2 on page 427 fo[...]

  • Page 59

    Chapter 2 Features and Applications 2.2.1 Interface to Interface (Through ZyWALL) Ethernet -> VLAN -> Encap -> ALG -> AC -> DNAT -> Routing -> FW -> AC -> IDP -> AV -> AP -> CF -> SNAT -> BWM -> Encap -> VLAN -> Ethernet 2.2.2 Interface to Interface (To/Fr[...]

  • Page 60

    Chapter 2 Features and Applications Ethernet -> VLAN -> Encap -> ALG -> AC -> DNAT -> Routing -> FW -> AC -> IDP -> AV -> AP -> CF -> SNAT -> IPSec E -> Routing -> BWM -> Encap -> VLAN -> Ethernet 2.3 Applications These are some example applications for [...]
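The processing orders on pages 59 and 60 put DNAT before the firewall (FW) stage and SNAT after it, so the firewall evaluates the translated destination of an inbound packet but the untranslated, private source of an outbound one. The following model is an added example, not code from the guide or from ZyXEL: only the DNAT, FW and SNAT stages are modelled, the default-deny behaviour of the firewall is an assumption of the model, and the NAT entries, firewall rules and packets are constructed for illustration. It shows why a rule for a published server must name the LAN address and a rule for outbound traffic must name the LAN source.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class FwRule:
    src: str       # CIDR the packet source must fall in
    dst: str       # CIDR the packet destination must fall in
    dport: int     # destination port, 0 = any
    action: str    # "allow" or "drop"


# Constructed 1:1 NAT entry (a "virtual server"): WAN 203.0.113.10:443 -> LAN 192.168.1.20:443
DNAT_RULES = {("203.0.113.10", 443): ("192.168.1.20", 443)}
# Constructed outbound SNAT: LAN hosts leave with the WAN address as source
SNAT_RULES = [("192.168.1.0/24", "203.0.113.10")]


def in_net(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def dnat(pkt):
    """DNAT stage: rewrite the destination before routing and the firewall see it."""
    new = DNAT_RULES.get((pkt.dst, pkt.dport))
    return replace(pkt, dst=new[0], dport=new[1]) if new else pkt


def firewall(pkt, rules):
    """FW stage: first matching rule wins; default deny is an assumption of this model."""
    for r in rules:
        if in_net(pkt.src, r.src) and in_net(pkt.dst, r.dst) and r.dport in (0, pkt.dport):
            return r.action
    return "drop"


def snat(pkt):
    """SNAT stage: rewrite the source only after the firewall has decided."""
    for cidr, public in SNAT_RULES:
        if in_net(pkt.src, cidr):
            return replace(pkt, src=public)
    return pkt


def process(pkt, rules):
    """Apply the guide's order DNAT -> (Routing) -> FW -> ... -> SNAT; the other stages are omitted."""
    pkt = dnat(pkt)
    verdict = firewall(pkt, rules)
    if verdict != "allow":
        return verdict, None
    return verdict, snat(pkt)


# Constructed traffic and rule sets
INBOUND = Packet("198.51.100.7", "203.0.113.10", 443)                  # HTTPS to the published WAN address
RULES_WAN_DST = [FwRule("0.0.0.0/0", "203.0.113.10/32", 443, "allow")]  # written against the WAN address
RULES_LAN_DST = [FwRule("0.0.0.0/0", "192.168.1.20/32", 443, "allow")]  # written against the LAN address
OUTBOUND = Packet("192.168.1.50", "192.0.2.80", 80)                     # LAN host browsing out
RULES_LAN_SRC = [FwRule("192.168.1.0/24", "0.0.0.0/0", 0, "allow")]     # matches the private source

if __name__ == "__main__":
    # The WAN-address rule never matches: FW sees the post-DNAT destination 192.168.1.20.
    print(process(INBOUND, RULES_WAN_DST))   # ('drop', None)
    print(process(INBOUND, RULES_LAN_DST))   # ('allow', Packet(src='198.51.100.7', dst='192.168.1.20', dport=443))
    # Outbound: FW matches the private source; SNAT rewrites it only afterwards.
    print(process(OUTBOUND, RULES_LAN_SRC))  # ('allow', Packet(src='203.0.113.10', dst='192.0.2.80', dport=80))
```

The same reasoning applies to the VPN variant on page 60: SNAT and IPSec encapsulation both come after FW, so policy and firewall rules for tunnelled traffic are written against the addresses the packet carries before translation and before encapsulation.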

  • Page 61

    Chapter 2 Features and Applications With reverse proxy mode, remote users can easily access any web-based applications on the local network by clicking on links or entering the provided URL. You do not have to install additional client software on the remote user computers for access. Figure 4 Network Access [...]

  • Page 62

    Chapter 2 Features and Applications Figure 6 Applications: User-Aware Access Control 2.3.4 Multiple WAN Interfaces Set up multiple connections to the Internet on the same port, or set up multiple connections on different ports. In either case, you can balance the loads between them. Figure 7 Applications: Mult[...]

  • Page 63

    Chapter 2 Features and Applications Figure 8 Applications: Device HA[...]

  • Page 65

    CHAPTER 3 Web Configurator The ZyWALL web configurator allows easy ZyWALL setup and management using an Internet browser. 3.1 Web Configurator Requirements In order to use the web configurator, you must • Use Internet Explorer 6.0 or later, Netscape Navigator 7.2 or later, or Firefox 1.0.7 or later [...]

  • Page 66

    Chapter 3 Web Configurator Figure 9 Login Screen 3 Type the user name (default: "admin") and password (default: "1234"). If your account is configured to use an ASAS authentication server, use the OTP (One-Time Password) token to generate a number. Enter it in the One-Time Password field. The numb[...]

  • Page 67

    Chapter 3 Web Configurator 5 The screen above appears every time you log in using the default user name and default password. If you change the password for the default user account, this screen does not appear anymore. Follow the directions in this screen. If you change the default password, the Login screen ([...]

  • Page 68

    Chapter 3 Web Configurator The icons provide the following functions. 3.3.2 Navigation Panel Use the menu items on the navigation panel to open screens to configure ZyWALL features. The following tables describe each menu item. Table 5 Title Bar: Web Configurator Icons ICON DESCRIPTION Help: Click this ic[...]

  • Page 69

    Chapter 3 Web Configurator Routing Policy Route Use this screen to create and manage routing policies. Static Route Use this screen to create and manage IP static routing information. RIP Use this screen to configure device-level RIP settings. OSPF Use this screen to configure device-level OSPF settings, including[...]

  • Page 70

    Chapter 3 Web Configurator IDP General Use this screen to look at and manage IDP bindings. Profile Use this screen to create and manage IDP profiles. Custom Signatures Use this screen to create, import, or export custom signatures. ADP General Use this screen to look at and manage ADP bindings. Profile Use this [...]

  • Page 71

    Chapter 3 Web Configurator 3.3.3 Main Window The main window shows the screen you select in the menu. It is discussed in the rest of this document. Right after you log in, the Status screen is displayed. See Chapter 7 on page 157 for more information about the Status screen. Host Name Use this screen to co[...]

  • Page 72

    Chapter 3 Web Con figurator ZyWALL USG 1000 U ser’s Guide 72 3.3.4 Message Bar Check the message bar when you click Apply or OK to verify that the configuration has been updated. Figure 12 Message Bar 3.3.4.1 W arning Messages Click the up arrow to view the ZyW ALL’ s current warning message s. These warning messages display in a popup window ,[...]

  • Page 73

    Chapter 3 Web Configurator ZyWALL USG 1000 User’s Guide 73 Figure 14 CLI Messages Click Change Display S tyle to show or hide the index numbers for the co mmands (the commands are more convenient to copy and paste without the index numbers). Click Refr esh Now to update the screen. For example, if you just enab led a particular feature, you can l[...]

  • Page 74

    Chapter 3 Web Con figurator ZyWALL USG 1000 U ser’s Guide 74[...]

  • Page 75

    ZyWALL USG 1000 User’s Guide 75 C HAPTER 4 Wizard Setup This chapter provides informa tion on configuring the Wizar d setup sc reens in the web configurator . See the feature-specific chapte rs in this User ’ s Guide for background information. 4.1 Wizard Setup Overview " Use the wizards only for initial conf iguration starting from the de[...]

  • Page 76

    Chapter 4 Wizard Setup ZyWALL USG 1000 U ser’s Guide 76 Use VPN SETUP to configure a VPN connection. See Section 4 .6 on page 95 . Figure 15 Wizard Setup Welcome 4.2 Inst allation Setup, One ISP The wizard screens vary depending on what enca psulation type you use. Refer to information provided by your ISP to kn ow wh at to enter in each field. L[...]

  • Page 77

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 77 Figure 16 Internet Access: Step 1 The following table describes the labels in this screen. 4.3 Step 1 Internet Access Encapsulation: Choose the Ethernet option when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection according to the inf[...]

  • Page 78

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 78 IP Address Assignment: Select Auto if your ISP did not assign you a fixed IP address. Select Static if the ISP assigned a fixed IP address. 4.3.1 Ethernet: Auto IP Address Assignment If you select Auto as the IP Address Assignment in the previous screen, the following screen displays.[...]

  • Page 79

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 79 Figure 18 Ethernet Encapsulation: Static The following table describes the labels in this screen. The ZyWALL applies the configuration settings. Table 8 Ethernet Encapsulation: Static LABEL DESCRIPTION ISP Parameters Encapsulation This displays the type of Internet connection you are confi[...]

  • Page 80

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 80 4.3.3 Step 2 Internet Access Ethernet You do not configure this screen if you selected Auto as the IP Address Assignment in the previous screen. " Enter the Internet access information exactly as given to you by your ISP. WAN Interface: This is the number of the interface that [...]

  • Page 81

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 81 You can click Next and use the following screen to perform a basic registration (see Section 4.4 on page 91). If you want to do a more detailed registration or manage your account details, click myZyXEL.com. Alternatively, click Close to exit the wizard. 4.3.4 PPPoE: Auto IP Address As[...]

  • Page 82

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 82 The ZyWALL applies the configuration settings. Figure 21 PPPoE Encapsulation: Auto: Finish You have set up your ZyWALL to access the Internet. " If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. You can clic[...]

  • Page 83

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 83 Figure 22 PPPoE Encapsulation: Static The following table describes the labels in this screen. Table 10 PPPoE Encapsulation: Static LABEL DESCRIPTION ISP Parameters Encapsulation This displays the type of Internet connection you are configuring. Service Name Type the PPPoE service name giv[...]

  • Page 84

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 84 4.3.6 Step 2 Internet Access PPPoE " Enter the Internet access information exactly as given to you by your ISP. 4.3.6.1 ISP Parameters Type the PPPoE Service Name from your service provider. Type the User Name given to you by your ISP. Type the Password associated with t[...]

  • Page 85

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 85 Figure 23 PPPoE Encapsulation: Static: Finish You have set up your ZyWALL to access the Internet. " If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. You can click Next and use the following screen to perform [...]

  • Page 86

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 86 Figure 24 PPTP Encapsulation: Auto The following table describes the labels in this screen. Table 11 PPTP Encapsulation: Auto LABEL DESCRIPTION ISP Parameters Encapsulation This displays the type of Internet connection you are configuring. User Name Type the user name given to you by you[...]

  • Page 87

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 87 The ZyWALL applies the configuration settings. Figure 25 PPTP Encapsulation: Auto: Finish You have set up your ZyWALL to access the Internet. Connection ID Enter the connection ID or connection name in this field. It must follow the "c:id" and "n:name" format. For e[...]

  • Page 88

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 88 " If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. You can click Next and use the following screen to perform a basic registration (see Section 4.4 on page 91). If you want to do a more detailed registration [...]

  • Page 89

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 89 4.3.9 Step 2 Internet Access PPTP " Enter the Internet access information exactly as given to you by your ISP. 4.3.9.1 ISP Parameters Type the User Name given to you by your ISP. User Name Type the user name given to you by your ISP. You can use alphanumeric and - _ @$./ char[...]

  • Page 90

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 90 Type the Password associated with the user name. Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle Timeout in seconds that elapses before the router automatically disconnects from the PPTP server. 4.3.9.2 PPTP Configuration Base Interface: [...]

  • Page 91

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 91 4.3.10 Step 4 Internet Access - Finish You have set up your ZyWALL to access the Internet. " If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. You can click Next and use the following screen to perform a basic[...]

  • Page 92

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 92 Figure 28 Registration The following table describes the labels in this screen. Table 13 Registration LABEL DESCRIPTION Device Registration If you select existing myZyXEL.com account, only the User Name and Password fields are available. new myZyXEL.com account If you haven’t create[...]

  • Page 93

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 93 Figure 29 Registration: Registered Device 4.5 Installation Setup, Two Internet Service Providers This wizard allows you to configure two interfaces for Internet access through either two different Internet Service Providers (ISPs) or two different accounts with the same ISP. The config[...]

  • Page 94

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 94 Figure 30 Internet Access: Step 1: First WAN Interface After you configure the First WAN Interface, you can configure the Second WAN Interface. Click Next to continue. Figure 31 Internet Access: Step 3: Second WAN Interface After you configure the Second WAN Interface, a summary [...]

  • Page 95

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 95 Figure 32 Internet Access: Finish " You can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Use the myZyXEL.com link if you do already have a myZyXEL.com account. If you already have a myZyXEL.com account, you can click Next and use the following sc[...]

  • Page 96

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 96 Click VPN SETUP in the Wizard Setup Welcome screen (Figure 15 on page 76) to open the following screen. Use it to select which type of VPN settings you want to configure. Figure 33 VPN Wizard: Wizard Type The following table describes the labels in this screen. 4.7 VPN Wizards A VPN (V [...]

  • Page 97

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 97 4.7.1 VPN Express Wizard Click the Express radio button as shown in Figure 33 on page 96 to display the following screen. Figure 34 VPN Express Wizard: Step 2 The following table describes the labels in this screen. 4.8 VPN Express Wizard - Remote Gateway The Remote Gateway policy identifies[...]

  • Page 98

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 98 Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. Secure Gateway: Enter the WAN IP address or domain name of [...]

  • Page 99

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 99 4.8.1 VPN Express Wizard - Policy Setting The Policy Setting specifies which devices can use the VPN tunnel. Local and remote IP addresses must be static. Local Policy (IP/Mask): Type the IP address of a computer on your network. You can also specify a subnet. This must match the remote I[...]

  • Page 100

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 100 4.8.2 VPN Express Wizard - Summary This summary of VPN tunnel settings is read-only. Name: Identifies the VPN gateway policy. Secure Gateway: IP address or domain name of the peer IPSec device. Pre-Shared Key: VPN tunnel password. Local Policy: IP address and subnet mask of the comp[...]

  • Page 101

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 101 " If you have not already done so, use the myZyXEL.com link and register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Alternatively, click Close to exit the wizard. 4.8.3 VPN Express Wizard - Finish Now you can use the VPN tunnel. " If you have not alr[...]

  • Page 102

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 102 Figure 38 VPN Advanced Wizard: Step 2 The following table describes the labels in this screen. Table 18 VPN Advanced Wizard: Step 2 LABEL DESCRIPTION Remote Gateway Name Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, unde[...]

  • Page 103

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 103 4.8.5 VPN Advanced Wizard - Remote Gateway The Remote Gateway policy identifies the IPSec devices at either end of a VPN tunnel. Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the [...]

  • Page 104

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 104 Figure 39 VPN Advanced Wizard: Step 3 The following table describes the labels in this screen. Table 19 VPN Advanced Wizard: Step 3 LABEL DESCRIPTION Negotiation Mode Select Main for identity protection. Select Aggressive to allow more incoming connections from dynamic IP addresses to u[...]

  • Page 105

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 105 4.8.6 VPN Advanced Wizard - Phase 1 Phases: IKE (Internet Key Exchange) negotiation has two phases. A phase 1 exchange establishes an IKE SA (Security Association) and phase 2 (Key Exchange) uses the SA to negotiate SAs for IPSec. " Multiple SAs connecting through a secure gateway [...]

  • Page 106

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 106 4.8.6.1 Phase 2 Setting Phase 2 in an IKE uses the SA that was established in phase 1 to negotiate SAs for IPSec. Figure 40 VPN Advanced Wizard: Step 4 The following table describes the labels in this screen. Table 20 VPN Advanced Wizard: Step 4 LABEL DESCRIPTION Phase 2 Setting Active [...]

  • Page 107

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 107 4.8.7 VPN Advanced Wizard - Phase 2 Active Protocol: ESP is compatible with NAT, AH is not. Encapsulation: Tunnel is compatible with NAT, Transport is not. Proposal: 3DES and AES use encryption. The longer the AES key, the higher the security (this may affect throughput). Nu[...]

  • Page 108

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 108 Figure 41 VPN Advanced Wizard: Step 5 The following table describes the labels in this screen. 4.8.8 VPN Advanced Wizard - Summary This summary of VPN tunnel settings is read-only. Name: Identifies the VPN connection (and the VPN gateway). Table 21 VPN Advanced Wizard: Step 5 LABEL DE[...]

  • Page 109

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 109 Secure Gateway: IP address or domain name of the peer IPSec device. Pre-Shared Key: VPN tunnel password. Local Policy: IP address and subnet mask of the computers on the network behind your ZyWALL that can use the tunnel. Remote Policy: IP address and subnet mask of the computers on[...]

  • Page 110

    Chapter 4 Wizard Setup ZyWALL USG 1000 User’s Guide 110 " If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. You can click Next and use the following screen to perform a basic registration (see Section 4.4 on page 91). If you want to do a more detailed registratio[...]

  • Page 111

    ZyWALL USG 1000 User’s Guide 111 CHAPTER 5 Configuration Basics This section provides information to help you configure the ZyWALL effectively. Some of it is helpful when you are just getting started. Some of it is provided for your reference when you configure various features in the ZyWALL. • Section 5.1 on page 111 introduces (very [...]

  • Page 112

    Chapter 5 Configuration Basics ZyWALL USG 1000 User’s Guide 112 5.2 Terminology in the ZyWALL This section highlights some differences in terminology or organization between the ZyWALL and other routers, particularly ZyNOS routers. 5.3 Physical Ports, Interfaces, and Zones If you want to configure the ZyWALL effectively, you should un[...]

  • Page 113

    Chapter 5 Configuration Basics ZyWALL USG 1000 User’s Guide 113 A physical port is the place to which you connect the cable. As shown above, you do not usually configure physical ports to use various features. You configure interfaces and zones. The ZyWALL supports one-to-one, one-to-many, many-to-one, and many-to-none relationships betw[...]

  • Page 114

    Chapter 5 Configuration Basics ZyWALL USG 1000 User’s Guide 114 Figure 43 Interfaces and Zones: Example • The LAN zone contains the ge1 (Gigabit Ethernet 1) interface. This is a protected zone and uses private IP addresses. ge1 uses 192.168.1.1 and the connected devices use IP addresses in the 192.168.1.2 to 192.168.1.254 range. • The [...]

  • Page 115

    Chapter 5 Configuration Basics ZyWALL USG 1000 User’s Guide 115 Example: This provides a simple example to show you how to configure this feature. The example is usually based on the network topology in Figure 43 on page 114. " PREREQUISITES or WHERE USED does not appear if there are no prerequisites or references in other features to thi[...]

  • Page 116

    Chapter 5 Configuration Basics ZyWALL USG 1000 User’s Guide 116 Example: See Chapter 6 on page 125. 5.4.4 IPSec VPN Use IPSec VPN to provide secure communication between two sites over the Internet or any insecure network that uses TCP/IP for communication. The ZyWALL also offers hub-and-spoke VPN. Example: See Chapter 6 on page 125. 5.[...]

  • Page 117

    Chapter 5 Configuration Basics ZyWALL USG 1000 User’s Guide 117 Zones cannot overlap. Each interface and VPN tunnel can be assigned to at most one zone. Virtual interfaces are automatically assigned to the same zone as the interface on which they run. When you create a zone, the ZyWALL does not create any firewall rules, assign an IDP prof[...]

  • Page 118

    Chapter 5 Configuration Basics ZyWALL USG 1000 User’s Guide 118 2 Click Network > Routing > Policy Route to go to the policy route configuration screen. Add a policy route. 3 Name the policy route. 4 Select the interface that the traffic comes in through (ge4 in this example). 5 Select the FTP server’s address as the source addres[...]

  • Page 119

    Chapter 5 Configuration Basics ZyWALL USG 1000 User’s Guide 119 2 Create an address object for the VoIP server (Object > Address). 3 Click Firewall to go to the firewall configuration. 4 Select from the DMZ-2 zone to the LAN zone, and add a firewall rule using the items you have configured. • You don’t need to specify the schedule[...]

  • Page 120

    Chapter 5 Configuration Basics ZyWALL USG 1000 User’s Guide 120 5.4.14 Anti-Virus Use anti-virus to detect and take action on viruses. You must subscribe to use anti-virus. You can subscribe using the Licensing > Registration screens or one of the wizards. 5.4.15 IDP Use IDP to detect and take action on malicious or suspicious packets[...]

  • Page 121

    Chapter 5 Configuration Basics ZyWALL USG 1000 User’s Guide 121 11 Add a policy that uses the schedule, the filtering profile and the user that you created. 5.4.18 Virtual Server (Port Forwarding) Use this to change the address and/or port number of packets coming in from a specified interface. This is also known as port forwarding. The ZyWAL[...]

  • Page 122

    Chapter 5 Configuration Basics ZyWALL USG 1000 User’s Guide 122 5.4.20 ALG The ZyWALL’s Application Layer Gateway (ALG) allows VoIP and FTP applications to go through NAT on the ZyWALL. You can also specify additional signaling port numbers. 5.5 Objects Objects store information and are referenced by other features. If you update t[...]

  • Page 123

    Chapter 5 Configuration Basics ZyWALL USG 1000 User’s Guide 123 If you want to force users to log in to the ZyWALL before the ZyWALL routes traffic for them, you might have to configure prerequisites first. 5.6 System Management and Maintenance This section introduces some of the management and maintenance features in the ZyWALL. Use Host N[...]

  • Page 124

    Chapter 5 Configuration Basics ZyWALL USG 1000 User’s Guide 124 5.6.2 File Manager Use these screens to upload, download, delete, or run scripts of CLI commands. You can manage • Configuration files. Use configuration files to back up and restore the complete configuration of the ZyWALL. You can store multiple configuration files in the [...]

  • Page 125

    ZyWALL USG 1000 User’s Guide 125 CHAPTER 6 Tutorials This chapter provides some examples of using the web configurator to set up features in the ZyWALL. See also Chapter 26 on page 351 for an example of configuring L2TP. 6.1 Interfaces and Zones The following example shows how to use port grouping, Ethernet interfaces, trunks, and zones to[...]

  • Page 126

    Chapter 6 Tutorials ZyWALL USG 1000 User’s Guide 126 Figure 44 Network > Interface > Port Grouping, Initial 2 Drag physical port 2 onto representative interface ge1, as shown below. Figure 45 Network > Interface > Port Grouping, Drag-and-Drop 3 Click Apply. 4 Click Status, and look at the Interface Status Summary, shown [...]

  • Page 127

    Chapter 6 Tutorials ZyWALL USG 1000 User’s Guide 127 Figure 46 Status: Interface Status Summary After Port Grouping 6.1.2 Set up Ethernet Interfaces This example sets up the Ethernet interfaces as shown below. You have decided to use the default settings for ge1 and ge3, so it is not necessary to edit these interfaces. You can also skip g[...]

  • Page 128

    Chapter 6 Tutorials ZyWALL USG 1000 User’s Guide 128 Figure 48 Network > Interface > Ethernet > ge4 3 Use the default values for the rest of the settings. Click Apply to save these changes and return to the previous screen. Click the Edit icon for ge5, and set up the IP address as shown below. Figure 49 Network > Interface > E[...]

  • Page 129

    Chapter 6 Tutorials ZyWALL USG 1000 User’s Guide 129 Figure 51 Status > Interface Status Summary, After Ethernet Interface Edits 6.1.3 WAN Trunk This example sets up trunk WAN_TRUNK with ge3 and ge4. This example uses the default settings for the trunk and shows how to add the interfaces to it. There are no existing trunks at the begin[...]

  • Page 130

    Chapter 6 Tutorials ZyWALL USG 1000 User’s Guide 130 Figure 54 Network > Interface > Trunk > Edit > Member 4 Use the default values for the rest of the settings. Click OK to save these changes and return to the previous screen. 6.1.4 Zones This example sets up the LAN, WAN, and DMZ zones as shown below. Ethernet interface ge2 doe[...]

  • Page 131

    Chapter 6 Tutorials ZyWALL USG 1000 User’s Guide 131 Figure 56 Network > Zone > DMZ, Remove ge4 3 Select IFACE/ge4 and click the left arrow to remove ge4 from the Member list. Click OK to save these changes and return to the previous screen. 4 Click the Edit icon for WAN. The following screen appears. Figure 57 Network > Zone > [...]

  • Page 132

    Chapter 6 Tutorials ZyWALL USG 1000 User’s Guide 132 6.2 IPSec VPN This example is going to show you how to create the VPN tunnel illustrated below. Figure 59 VPN Example In this example, the ZyWALL is router X (172.23.37.240/24), and the remote IPSec router is router Y (220.123.143.10/24). Create the VPN tunnel between IP addresses 192.168.[...]

  • Page 133

    Chapter 6 Tutorials ZyWALL USG 1000 User’s Guide 133 Figure 60 VPN > IPSec VPN > VPN Gateway > Add 6.2.3 Set up the VPN Connection The VPN connection manages the IPSec SA. You have to set up the address objects for the local network and remote network before you can set up the VPN connection. 1 Click Object > Address > Addre[...]

  • Page 134

    Chapter 6 Tutorials ZyWALL USG 1000 User’s Guide 134 Figure 62 VPN > IPSec VPN > VPN Connection > add 6.2.4 Set up the Policy Route for the VPN Tunnel You should create a new policy route to use the VPN tunnel. This policy route will only use the existing address objects, so you do not have to create any additional objects first. 1 [...]

  • Page 135

    Chapter 6 Tutorials ZyWALL USG 1000 User’s Guide 135 Figure 64 Network > Routing > Policy Route > Add Because the new VPN connection has not been assigned to a zone yet, there are no restrictions (for example, firewall) on traffic to or from this VPN connection. You should set up the VPN settings on the remote IPSec router and try to [...]

  • Page 136

    Chapter 6 Tutorials ZyWALL USG 1000 User’s Guide 136 6.3 Device HA This example is going to show you how to set up device HA as illustrated below. Figure 66 Device HA Example In this example, router A is the default gateway for the network and uses IP address 192.168.1.1. This is the default gateway IP address for the network. There are two Z[...]

  • Page 137

    Chapter 6 Tutorials ZyWALL USG 1000 User’s Guide 137 Figure 67 Device HA > VRRP Group > Add: ge1 3 Click Status, and scroll down to the Interface Status Summary. The H/A Status field is Active. Figure 68 Status: Interface Status Summary: Device HA Master Configured 4 Repeat these steps for the interface that is connected to th[...]

  • Page 138

    Chapter 6 Tutorials ZyWALL USG 1000 User’s Guide 138 Figure 69 Network > Device HA > VRRP Group > Add: ge4 " Once you configure an interface in a VRRP group, you should not configure the interface to have a dynamic IP address. 6.3.3 Set up the Password for Synchronization 1 Click Device HA > Synchronize. 2 Type the password f[...]

  • Page 139

    Chapter 6 Tutorials ZyWALL USG 1000 User’s Guide 139 6.3.4 Finish Configuring the Master Finish configuring the master. The backup router will get these updates later, when it synchronizes with the master. 6.3.5 Set up the Ethernet Interfaces on the Backup On the backup ZyWALL, ge1 should be configured exactly the same way it is configur[...]

  • Page 140

    Chapter 6 Tutorials ZyWALL USG 1000 User’s Guide 140 6.3.7 Synchronize the Backup 1 Connect the backup to the same network as the master. 2 Click Device HA > Synchronize. 3 Type the password for synchronization in the Password field. Enter the IP address of the master (on a secure network), and click Sync Now to get the configuration from[...]

  • Page 141

    Chapter 6 Tutorials ZyWALL USG 1000 User’s Guide 141 6.4.1 Set up User Accounts Set up one user account for each user account in the RADIUS server. If it is possible to export user names from the RADIUS server to a text file, then you might create a script to create the user accounts instead. This example uses the web configurator. 1 Click U[...]

  • Page 142

    Chapter 6 Tutorials ZyWALL USG 1000 User’s Guide 142 6.4.3 Set up User Authentication Using the RADIUS Server This step sets up user authentication using the RADIUS server. First, configure the settings for the RADIUS server. Then, set up the authentication method, and configure the ZyWALL to use the authentication method. Finally, force [...]

  • Page 143

    Chapter 6 Tutorials ZyWALL USG 1000 User’s Guide 143 " The users will have to log in using the web configurator login screen before they can use HTTP or MSN. Figure 79 Object > User/Group > Setting > Add (Force User Authentication Policy) When the users try to browse the web (or use any HTTP/HTTPS application), the Login screen a[...]

  • Page 144

    Chapter 6 Tutorials ZyWALL USG 1000 User’s Guide 144 Figure 81 AppPatrol > http > Edit Default 4 Click the Add icon in the policy list. In the new policy, select one of the user groups that is allowed to browse the web and set the corresponding bandwidth restriction in the Inbound and Outbound fields. Click OK. Repeat this process t[...]

  • Page 145

    Chapter 6 Tutorials ZyWALL USG 1000 User’s Guide 145 Figure 83 Object > Schedule > Recurring > add 3 Follow the steps in Section 6.4.4 on page 143 to set up the appropriate policies for MSN in application patrol. Make sure to specify the schedule when you configure the policy for the Sales group’s MSN access. 6.4.6 Set up LAN-to-D[...]

  • Page 146

    Chapter 6 Tutorials ZyWALL USG 1000 User’s Guide 146 Figure 85 Firewall > LAN > DMZ > Add 5 Repeat this process to set up firewall rules for the other user groups that are allowed to access the DMZ. 6.5 Trunks The following example shows how to set up a trunk for two connections (ge2 and ge3) to the Internet. The available bandwidth[...]

  • Page 147

    Chapter 6 Tutorials ZyWALL USG 1000 User’s Guide 147 Figure 87 Network > Interface > Ethernet > Edit > ge2 2 Click the Edit icon for ge3, and enter the available bandwidth (512 kbps) in the Upstream Bandwidth and Downstream Bandwidth fields. Click OK. 6.5.2 Change WAN Trunk Algorithm 1 Click Network > Interface > Trunk [...]

  • Page 148

    Chapter 6 Tutorials ZyWALL USG 1000 User’s Guide 148 The firewall is enabled, so you also need to create a rule to allow traffic in from the WAN zone. Figure 89 NAT 1:1 Example Network Topology 6.6.1 NAT 1:1 Address Objects First create two address objects for the private and public IP addresses (LAN_SMTP and WAN_EG) in the Object >[...]

  • Page 149

    Chapter 6 Tutorials ZyWALL USG 1000 User’s Guide 149 6.6.2 NAT 1:1 Virtual Server This section sets up a virtual server rule that changes the destination of SMTP traffic coming to IP address 1.1.1.1 at the ZyWALL’s ge3 (WAN) interface, to the LAN SMTP server’s IP address (192.168.1.21). This is also called Destination NAT (DNAT) F[...]

  • Page 150

    Chapter 6 Tutorials ZyWALL USG 1000 User’s Guide 150 Figure 94 NAT 1:1 Example Policy Route Click Network > Routing > Policy Route > Add and configure the screen as shown next. Be careful of where you create the route as routes are ordered in descending priority. Figure 95 Create a Policy Route 6.6.4 NAT 1:1 Firewall Rule Create a[...]

  • Page 151

    Chapter 6 Tutorials ZyWALL USG 1000 User’s Guide 151 Figure 96 Create a Firewall Rule 6.7 NAT Loopback The NAT 1:1 example in Section 6.6 on page 147 maps a public IP address to the private IP address of a LAN SMTP mail server to allow users to access the SMTP mail server from the WAN. LAN users can also use an IP address to access the mail [...]

  • Page 152

    Chapter 6 Tutorials ZyWALL USG 1000 User’s Guide 152 6.7.1 NAT Loopback Virtual Server When a LAN user sends SMTP traffic to IP address 1.1.1.1, the traffic comes into the ZyWALL through the ge1 (LAN) interface, thus it does not match the NAT 1:1 mapping’s virtual server rule for SMTP traffic coming to IP 1.1.1.1 from ge3 (the WAN). So[...]

  • Page 153

    Chapter 6 Tutorials ZyWALL USG 1000 User’s Guide 153 6.7.2 NAT Loopback Policy Route Without a NAT loopback policy route, the LAN user SMTP traffic that goes to the LAN SMTP server has the LAN computer’s IP address as the source. The source address is in the same subnet, so the LAN SMTP server replies directly. The return traffic uses the SM[...]

  • Page 154

    Chapter 6 Tutorials ZyWALL USG 1000 User’s Guide 154 Figure 102 Create a Policy Route Now the LAN SMTP server replies to the ZyWALL’s LAN IP address and the ZyWALL changes the source address to 1.1.1.1 before sending it to the LAN user’s computer. The source in the return traffic matches the original destination address (1.1.1.1) and [...]

  • Page 155

    Chapter 6 Tutorials ZyWALL USG 1000 User’s Guide 155 6.8 Service Control and the Firewall Service control lets you configure rules that control HTTP and HTTPS management access (to the web configurator) and separate rules that control HTTP and HTTPS user access (logging into SSL VPN for example). See Chapter 43 on page 575 for more on service c[...]

  • Page 156

    Chapter 6 Tutorials ZyWALL USG 1000 User’s Guide 156 Figure 105 System > WWW > Service Control Rule Edit 4 Click Apply. Figure 106 System > WWW Now administrators can only log into the web configurator from the LAN zone. Non-admin users can still use HTTPS to log into the ZyWALL from any of the ZyWALL’s zones (to use SSL VPN for[...]

  • Page 157

    ZyWALL USG 1000 User’s Guide 157 CHAPTER 7 Status This chapter explains the Status screen, which is the screen you see when you first log in to the ZyWALL or when you click Status. 7.1 Status Screen Use this screen to look at the ZyWALL’s general device information, system status, system resource usage, licensed service status, [...]

  • Page 158

    Chapter 7 Status ZyWALL USG 1000 User’s Guide 158 The following table describes the labels in this screen. Table 34 Status LABEL DESCRIPTION Device Information System Name This field displays the name used to identify the ZyWALL on any network. Click the icon on the right to open the screen where you can change it. See Section 43.2 on page 57[...]

  • Page 159

    Chapter 7 Status ZyWALL USG 1000 User’s Guide 159 Signature Version This field displays the version number, date, and time of the current set of signatures the ZyWALL is using. Last Update Time This field displays the last time the ZyWALL received updated signatures. Total Signature Number This field displays the total number of [...]

  • Page 160

    Chapter 7 Status ZyWALL USG 1000 User’s Guide 160 7.2 VPN Status Use this screen to look at the VPN tunnels that are currently established. To access this screen, click VPN Status in the Status screen. HA Status This field displays the status of the interface in the virtual router. Active - This interface is the master interface in th[...]

  • Page 161

    Chapter 7 Status ZyWALL USG 1000 User’s Guide 161 Figure 108 Status > VPN Status The following table describes the labels in this screen. 7.3 DHCP Table Use this screen to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses. To access this screen, click the icon beside DHCP T[...]

  • Page 162

    Chapter 7 Status ZyWALL USG 1000 User’s Guide 162 Figure 109 Status > DHCP Table The following table describes the labels in this screen. 7.4 Port Statistics Use this screen to look at packet statistics for each physical port. To access this screen, click Port Statistics in the Status screen. Table 36 Status > DHCP Table LABEL [...]

  • Page 163

    Chapter 7 Status ZyWALL USG 1000 User’s Guide 163 Figure 110 Status > Port Statistics The following table describes the labels in this screen. 7.5 Current Users Use this screen to look at a list of the users currently logged into the ZyWALL. To access this screen, click the Number of Login Users Detail icon in the Status screen. Tab[...]

  • Page 164

Figure 111 Status > Current Users
The following table describes the labels in this screen.
Table 38 Status > Current Users (LABEL / DESCRIPTION)
• #: This field is a sequential value and is not associated with any entry.
• User ID: This field displays the user name of each user who is curren[...]

  • Page 165

Chapter 8 Registration
This chapter shows you how to register for the ZyWALL's subscription services.
8.1 myZyXEL.com Overview
myZyXEL.com is ZyXEL's online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL.
Note: You need to create an accoun[...]

  • Page 166

• SSL VPN tunnels provide secure network access to remote users. You can purchase and enter a license key to have the ZyWALL use more SSL VPN tunnels.
• The content filter allows or blocks access to web sites. Subscribe to category-based content filtering to block access to categorie[...]

  • Page 167

The following table describes the labels in this screen.
Note: If the ZyWALL is registered already, this screen is read-only and indicates whether trial services are activated (if any). You can still select the unchecked trial service(s) to activate them after registration. Use the Serv[...]

  • Page 168

Figure 113 Licensing > Registration: Registered Device
8.3 Service
After you activate a trial, you can also use this screen to register and enter your iCard's PIN number (license key). Click Licensing > Registration > Service to open the screen as shown next.
Figure 114 Lic[...]

  • Page 169

• Expiration date: This field displays the date your service expires. You can continue to use IDP/AppPatrol or Anti-Virus after the registration expires, you just won't receive updated signatures (so detection of newer threats degrades until you renew).
• Count: This field displays how many VPN tunnels you can use with your current license. This fi[...]


  • Page 171

Chapter 9 Update
This chapter shows you how to update the ZyWALL's signature packages.
9.1 Updating Anti-virus Signatures
When scheduling signature updates, choose a day and time when your network is least busy to minimize disruption to your network. Your custom signature configurations are not over-w[...]

  • Page 172

Figure 115 Licensing > Update > Anti-Virus
The following table describes the labels in this screen (LABEL / DESCRIPTION).
Signature Information:
• Current Version: This field displays the signatures version number currently used by the ZyWALL. This number is defined by the ZyXEL Security Res[...]

  • Page 173

9.2 Updating IDP and Application Patrol Signatures
The ZyWALL comes with signatures for the IDP and application patrol features. These signatures are continually updated as new attack types evolve. New signatures can be downloaded to the ZyWALL periodically if you have subscribed for IDP ser[...]

  • Page 174

Figure 117 Downloading IDP Signatures
Figure 118 Successful IDP Signature Download
• Auto Update: Select this check box to have the ZyWALL automatically check for new IDP signatures regularly at the time and day specified. You should select a time when your network is not busy for minimal i[...]

  • Page 175

9.3 Updating System Protect Signatures
The ZyWALL comes with signatures that the ZyWALL uses to protect itself from intrusions. These signatures are continually updated as new attack types evolve. These system protect signature updates are free and can be downloaded to the ZyWALL periodicall[...]

  • Page 176

Figure 120 Downloading System Protect Signatures
Figure 121 Successful System Protect Signature Download
• Daily: Select this option to have the ZyWALL check for new signatures every day at the specified time. The time format is the 24 hour clock, so '23' means 11PM for example.
• Weekly[...]

  • Page 177

Part II Network
Interface (179), Trunks (219), Policy and Static Routes (225), Routing Protocols (235), Zones (245), DDNS (249), Virtual Servers (255), HTTP Redirect (261), ALG (265)[...]


  • Page 179

Chapter 10 Interface
See Section 5.4.2 on page 115 for related information on these screens.
10.1 Interface Overview
In general, an interface has the following characteristics.
• An interface is a logical entity through which (layer-3) packets pass.
• An interface is bound to a physical port or another int[...]

  • Page 180

• Trunks manage load balancing between interfaces.
Port groups, trunks, and the auxiliary interface have a lot of characteristics that are specific to each type of interface. They are discussed in more detail in Section 10.3.1 on page 194, Chapter 11 on page 219, and Section 10.7.[...]

  • Page 181

Figure 122 Example: Entry in the Routing Table Derived from Interfaces
For example, if the ZyWALL gets a packet with a destination address of 100.100.25.25, it routes the packet to interface ge1. If the ZyWALL gets a packet with a destination address of 200.200.200.200, it routes the p[...]
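The lookup behind the Figure 122 example is a longest-prefix match over routes that the ZyWALL derives from each interface's IP address and mask. The following Python is an added illustration, not code from the manual or from ZyXEL: the interface addresses (ge1 on 100.100.0.0/16, ge2 on 200.200.200.0/24), the static /24 route, the ge3 default route and the gateway addresses are constructed assumptions chosen so that the manual's two destinations land where the text says they do.

```python
"""Longest-prefix-match routing lookup over a table derived from interface
addresses (added example; the interface and gateway addresses below are
constructed assumptions, not values from the ZyWALL manual)."""
import ipaddress
from typing import Dict, List, Optional


class Route:
    """One routing-table entry: prefix, egress interface and, for a static
    route, the next-hop gateway (None means directly connected)."""

    def __init__(self, network: str, interface: str, gateway: Optional[str] = None):
        self.network = ipaddress.ip_network(network, strict=False)
        self.interface = interface
        self.gateway = gateway


def routes_from_interfaces(interfaces: Dict[str, str]) -> List[Route]:
    """Derive a connected route from every interface's IP/mask, the way the
    ZyWALL fills its routing table from the interface configuration."""
    return [Route(str(ipaddress.ip_interface(addr).network), name)
            for name, addr in interfaces.items()]


def lookup(table: List[Route], destination: str) -> Optional[Route]:
    """Return the most specific (longest prefix) entry containing the
    destination, or None when no entry matches (no route)."""
    dst = ipaddress.ip_address(destination)
    best: Optional[Route] = None
    for route in table:
        if dst in route.network and (
            best is None or route.network.prefixlen > best.network.prefixlen
        ):
            best = route
    return best


# Constructed interface configuration (assumption, not from the manual).
INTERFACES = {
    "ge1": "100.100.1.1/16",     # 100.100.25.25 falls inside 100.100.0.0/16
    "ge2": "200.200.200.1/24",   # 200.200.200.200 falls inside 200.200.200.0/24
}
TABLE = routes_from_interfaces(INTERFACES) + [
    # A more specific static route inside ge1's /16 wins for that /24.
    Route("100.100.99.0/24", "ge2", gateway="200.200.200.254"),
    # Assumed default route for everything else.
    Route("0.0.0.0/0", "ge3", gateway="203.0.113.1"),
]


def egress_for(destination: str, table: List[Route] = TABLE) -> Optional[str]:
    """Name of the interface the packet leaves on, or None if unroutable."""
    route = lookup(table, destination)
    return route.interface if route else None


if __name__ == "__main__":
    for dst in ("100.100.25.25", "200.200.200.200", "100.100.99.7", "8.8.8.8"):
        r = lookup(TABLE, dst)
        print(dst, "->", r.interface, "via", r.gateway or "on-link")
```

The third destination shows why prefix length, not table order, decides: 100.100.99.7 matches ge1's /16 but is routed to ge2 because the static /24 is more specific. Without the default route, 8.8.8.8 matches nothing and is dropped.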

  • Page 182

10.1.3 Interface Parameters
The ZyWALL restricts the amount of traffic into and out of the ZyWALL through each interface.
• Upstream bandwidth is the amount of traffic from the ZyWALL through the interface to the network.
• Downstream bandwidth is the amount of traffic from the ne[...]

  • Page 183

The ZyWALL cannot assign the first address (network address) or the last address (broadcast address) in the subnet defined by the interface's IP address and subnet mask. For example, in the first entry, if the subnet mask is 255.255.255.0, the ZyWALL cannot assign 50.50.50.0 or 50[...]

  • Page 184

10.1.6 Relationships Between Interfaces
In the ZyWALL, interfaces are usually created on top of other interfaces. Only Ethernet interfaces are created directly on top of the physical ports (or port groups). The relationships between interfaces are explained in the following table. * - Y[...]

  • Page 185

In addition, you use Ethernet interfaces to control which physical ports exchange routing information with other routers and how much information is exchanged through each one. The more routing information is exchanged, the more efficient the routers should be. However, the routers also g[...]

  • Page 186

Figure 123 Network > Interface > Interface Summary
Each field is described in the following table.
Table 48 Network > Interface > Interface Summary (LABEL / DESCRIPTION)
• Interface Summary: If an Ethernet interface does not have any physical ports associated with it, its entry is dis[...]

  • Page 187

• Status: This field displays the current status of each interface. The possible values depend on what type of interface it is. For port groups: Inactive - The port group is disabled. Port Group Down - The port group is enabled but not connected. Port Group Up - The port group is enabled, an[...]

  • Page 188

10.2.3 Ethernet Summary Screen
This screen lists every Ethernet interface and virtual interface created on top of Ethernet interfaces. To access this screen, click Network > Interface.
Figure 124 Network > Interface > Ethernet
• Interface Statistics: This table provides pack[...]

  • Page 189

Each field is described in the following table.
10.2.4 Ethernet Edit
The Ethernet Edit screen lets you configure IP address assignment, interface parameters, RIP settings, OSPF settings, DHCP settings, and ping check settings. To access this screen, click an Edit icon in the Ethernet Summar[...]

  • Page 190

Figure 125 Network > Interface > Ethernet > Edit[...]

  • Page 191

Each field is described in the table below.
Table 50 Network > Interface > Ethernet > Edit (LABEL / DESCRIPTION)
Ethernet Interface Properties:
• Enable: Select this to enable this interface. Clear this to disable this interface.
• Interface Name: This field is read-only. This is the name o[...]

  • Page 192

• Direction: This field is effective when RIP is enabled. Select the RIP direction from the drop-down list box. BiDir - This interface sends and receives routing information. In-Only - This interface receives routing information. Out-Only - This interface sends routing information.
• Send V[...]

  • Page 193

• Relay Server 2: This field is optional. Enter the IP address of another DHCP server for the network.
These fields appear if the ZyWALL is a DHCP Server.
• IP Pool Start Address: Enter the IP address from which the ZyWALL begins allocating IP addresses. If you want to assign a static IP addre[...]

  • Page 194

10.3 Port Grouping
This section introduces port groups and then explains the screen for port groups.
10.3.1 Port Grouping Overview
Use port grouping to create port groups and to assign physical ports and port groups to Ethernet interfaces.
• Edit static DHCP table: Click this if you want the Z[...]

  • Page 195

Each physical port is assigned to one Ethernet interface. In port grouping, the Ethernet interfaces are called representative interfaces. If you assign more than one physical port to a representative interface, you create a port group. Port groups have the following characteristics:[...]

  • Page 196

Figure 129 Network > Interface > Port Grouping
Each section in this screen is described below.
10.4 VLAN Interfaces
This section introduces VLAN and VLAN interfaces and then explains the screens for VLAN interfaces.
10.4.1 VLAN Overview
A Virtual Local Area Network (VLAN) divides a[...]

  • Page 197

Figure 130 Example: Before VLAN
In this example, there are two physical networks and three departments A, B, and C. The physical networks are connected to hubs, and the hubs are connected to the router. Alternatively, you can divide the physical networks into three VLANs.
Figure 131[...]

  • Page 198

• Better manageability - You can align network policies more appropriately for users. For example, you can create different content filtering rules for each VLAN (each department in the example above), and you can set different bandwidth limits for each VLAN. These rules are also indepe[...]

  • Page 199

10.4.4 VLAN Add/Edit
This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and ping check for each VLAN interface. To access this screen, click the Add icon at the top of the Add column or click an Edit icon next to a VLAN interface in the VLA[...]

  • Page 200

Figure 133 Network > Interface > VLAN > Edit[...]

  • Page 201

Each field is explained in the following table.
Table 53 Network > Interface > VLAN > Edit (LABEL / DESCRIPTION)
VLAN Interface Properties:
• Enable: Select this to enable this interface. Clear this to disable this interface.
• Interface Name: This field is read-only if you are editing the in[...]

  • Page 202

• DHCP: Select what type of DHCP service the ZyWALL provides to the network. Choices are: None - the ZyWALL does not provide any DHCP services. There is already a DHCP server on the network. DHCP Relay - the ZyWALL routes DHCP requests to one or more DHCP servers you specify. The DHCP serve[...]

  • Page 203

10.5 Bridge Interfaces
This section introduces bridges and bridge interfaces and then explains the screens for bridge interfaces.
• Edit static DHCP table: Click this if you want the ZyWALL to assign static IP addresses to computers. The Static DHCP screen appears.
Figure 134 Network > [...]

  • Page 204

10.5.1 Bridge Overview
A bridge creates a connection between two or more network segments at the layer-2 (MAC address) level. In the following example, bridge X connects four network segments. When the bridge receives a packet, the bridge records the source MAC address and the port on whi[...]
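The learning and forwarding behaviour just described is small enough to model end to end. The Python below is an added example, not the ZyWALL's bridge implementation: a transparent bridge with four ports that learns the source MAC of every frame, forwards known unicast to a single port, floods unknown unicast and broadcast, and never sends a frame back out the port it arrived on. The port numbers and MAC addresses are constructed, and the final frames show the security caveat of this design: the table trusts whatever source address a frame carries, so a host that spoofs another station's MAC redirects that station's traffic to its own port.

```python
"""Transparent learning bridge (added example, not ZyXEL code). Port numbers
and MAC addresses used in the demo are constructed."""
from typing import Dict, List

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningBridge:
    def __init__(self, ports: List[int]):
        self.ports = list(ports)
        self.table: Dict[str, int] = {}   # source MAC -> port it was last seen on

    def receive(self, in_port: int, src: str, dst: str) -> List[int]:
        """Learn the source, then return the ports the frame is sent out of.
        Known unicast goes to exactly one port; unknown unicast and broadcast
        are flooded to every port except the ingress port."""
        # Learning: the entry is overwritten on every frame, with no check
        # that the sender is entitled to that address (see caveat below).
        self.table[src] = in_port
        if dst != BROADCAST and dst in self.table:
            out = self.table[dst]
            # Destination is on the segment the frame came from: nothing to do.
            return [] if out == in_port else [out]
        return [p for p in self.ports if p != in_port]


# Constructed stations for the demo.
A = "00:11:22:33:44:01"   # on port 1
B = "00:11:22:33:44:02"   # on port 3
ATTACKER_PORT = 4


def demo() -> Dict[str, List[int]]:
    """Walk through learning, unicast forwarding and table poisoning."""
    br = LearningBridge([1, 2, 3, 4])
    result = {}
    result["A->B unknown, flooded"] = br.receive(1, A, B)
    result["B->A, A already learned"] = br.receive(3, B, A)
    result["A->B, now unicast"] = br.receive(1, A, B)
    # Attacker on port 4 sends a frame with A's MAC as source: the table now
    # maps A to port 4, and B's next reply to A is delivered to the attacker.
    br.receive(ATTACKER_PORT, A, B)
    result["B->A after spoof"] = br.receive(3, B, A)
    return result


if __name__ == "__main__":
    for step, ports in demo().items():
        print(f"{step}: out ports {ports}")
```

Because a bridge interface on the ZyWALL has the same learning semantics, put only hosts you trust on a shared bridge, and use separate interfaces or VLANs where one member could impersonate another.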

  • Page 205

10.5.2 Bridge Interface Overview
A bridge interface creates a software bridge between the members of the bridge interface. It also becomes the ZyWALL's interface for the resulting network. A bridge interface may consist of the following members:
• Zero or one VLAN interfaces (and any[...]

  • Page 206

10.5.4 Bridge Add/Edit
This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and ping check for each bridge interface. To access this screen, click the Add icon at the top of the Add column in the Bridge Summary screen, or click an Edit icon[...]

  • Page 207

Figure 136 Network > Interface > Bridge > Edit[...]

  • Page 208

In this example, you are creating a new bridge. If you are editing a bridge, the Interface Name field is read-only. Each field is described in the table below.
Table 58 Network > Interface > Bridge > Edit (LABEL / DESCRIPTION)
Bridge Interface Properties:
• Enable: Select this to enable [...]

  • Page 209

• MTU: Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the ZyWALL divides it into smaller fragments. Allowed values are 576 - 1500. Usually, this value is 1500.
DHCP Settings:
• DHCP: Select w[...]

  • Page 210

10.6 PPPoE/PPTP Interfaces
This section introduces PPPoE, PPTP, and PPPoE/PPTP interfaces and then explains the screens for PPPoE/PPTP interfaces.
10.6.1 PPPoE/PPTP Overview
Point-to-Point Protocol over Ethernet (PPPoE, RFC 2516) and Point-to-Point Tunneling Protocol (PPTP, RFC 2637)[...]

  • Page 211

PPPoE is often used with cable modems and DSL connections. It provides the following advantages:
• The access and authentication method works with existing systems, including RADIUS.
• You can access one of several network services. This makes it easier for the service provider to off[...]

  • Page 212

10.6.3 PPPoE/PPTP Interface Summary
Note: You have to set up an ISP account before you create a PPPoE/PPTP interface.
This screen lists every PPPoE/PPTP interface. To access this screen, click Network > Interface > PPPoE/PPTP.
Figure 139 Network > Interface > PPPoE/PPTP
Ea[...]

  • Page 213

10.6.4 PPPoE/PPTP Interface Add/Edit
Note: You have to set up an ISP account before you create a PPPoE/PPTP interface.
This screen lets you configure new or existing PPPoE/PPTP interfaces. To access this screen, click the Add icon or an Edit icon in the PPPoE/PPTP Interface Summary scre[...]

  • Page 214

Each field is explained in the following table.
Table 60 Network > Interface > PPPoE/PPTP > Edit (LABEL / DESCRIPTION)
PPP Interface Properties:
• Enable: Select this to enable this interface. Clear this to disable this interface.
• Interface Name: This field is read-only if you are editing [...]

  • Page 215

10.7 Auxiliary Interface
This section introduces the auxiliary interface and then explains the screen for it.
10.7.1 Auxiliary Interface Overview
Use the auxiliary interface to dial out from the ZyWALL's auxiliary port. For example, you might use this interface as a backup WAN interfac[...]

  • Page 216

Figure 141 Network > Interface > Auxiliary
Each field is described in the table below.
Table 61 Network > Interface > Auxiliary (LABEL / DESCRIPTION)
Auxiliary Interface Properties:
• Enable: Select this to turn on the auxiliary dial up interface. The interface does not dial out, howev[...]

  • Page 217

10.8 Virtual Interfaces
Use virtual interfaces to tell the ZyWALL where to route packets. Virtual interfaces can also be used in VPN gateways (see Chapter 20 on page 291) and VRRP groups (see Chapter 33 on page 493). Virtual interfaces can be created on top of Ethernet interfaces, VLAN[...]

  • Page 218

Figure 142 Network > Interface > Add
Each field is described in the table below.
Table 62 Network > Interface > Add (LABEL / DESCRIPTION)
Virtual Interface Properties:
• Interface Name: This field is read-only. It displays the name of the virtual interface, which is automatically der[...]

  • Page 219

Chapter 11 Trunks
This chapter shows you how to configure trunks on your ZyWALL. See Section 5.4.3 on page 115 for related information on these screens.
11.1 Trunks Overview
You can group multiple interfaces together into trunks to have multiple connections share the traffic load to increase overall networ[...]

  • Page 220

Maybe you have two connections with different bandwidths. For jitter-sensitive traffic (like video for example), you could set up a trunk group that uses spillover or weighted round robin load balancing to make sure that most of the jitter-sensitive traffic goes through the higher-bandw[...]

  • Page 221

11.4.2 Weighted Round Robin
Round Robin scheduling services queues on a rotating basis and is activated only when an interface has more traffic than it can handle. A queue is given an amount of bandwidth irrespective of the incoming traffic on that interface. This queue then moves to the b[...]

  • Page 222

Figure 145 Spillover Algorithm Example
11.5 Trunk Summary
Click Network > Interface > Trunk to open the Trunk screen. This screen lists the configured trunks and the load balancing algorithm that each is configured to use.
Figure 146 Network > Interface > Trunk
The following[...]

  • Page 223

Figure 147 Network > Interface > Trunk > Edit
Each field is described in the table below.
Table 65 Network > Interface > Trunk > Edit (LABEL / DESCRIPTION)
• Name: Enter a descriptive name for this trunk. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), b[...]

  • Page 224

• Spillover: This field displays with the spillover load balancing algorithm. Specify the maximum bandwidth of traffic in kilobits per second (1~1048576) to send out through the interface before using another interface. When this spillover bandwidth limit is exceeded, the ZyWALL sends new s[...]
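To make the difference between the two algorithms in Section 11.4.2 and the Spillover field above concrete, here is a model of how new sessions would be assigned to trunk members under each one. This is an added example, not ZyXEL's implementation: weighted round robin is modelled with the smooth interleaving variant (so a 3:1 weighting gives wan1 three of every four new sessions rather than three in a row), and spillover sends a new session to the first member whose measured outbound load is still under its configured kbit/s limit. The member names, weights, limits and load figures are constructed; the manual does not say what the ZyWALL does when every member is over its limit, so the fallback to the last member is an assumption.

```python
"""Weighted round robin and spillover session assignment for a trunk
(added example, not ZyXEL code; member names, weights, limits and the
measured loads are constructed)."""
from collections import Counter
from typing import Dict, List, Tuple


class WeightedRoundRobin:
    """Smooth weighted round robin: over any window of sum(weights) picks,
    each member is chosen exactly `weight` times, interleaved rather than
    in runs."""

    def __init__(self, weights: Dict[str, int]):
        if not weights or any(w < 1 for w in weights.values()):
            raise ValueError("every member needs a positive weight")
        self.weights = dict(weights)
        self.current = {name: 0 for name in weights}
        self.total = sum(weights.values())

    def next_member(self) -> str:
        for name, w in self.weights.items():
            self.current[name] += w
        chosen = max(self.current, key=self.current.get)
        self.current[chosen] -= self.total
        return chosen


class Spillover:
    """Members are tried in configured order; a new session goes to the
    first member whose outbound load (kbit/s) is below its limit. If every
    member is over its limit, fall back to the last one (assumption)."""

    def __init__(self, members: List[Tuple[str, int]]):
        for _, limit in members:
            if not 1 <= limit <= 1048576:          # range given in Table 65
                raise ValueError("limit must be 1-1048576 kbit/s")
        self.members = list(members)

    def next_member(self, load_kbps: Dict[str, int]) -> str:
        for name, limit in self.members:
            if load_kbps.get(name, 0) < limit:
                return name
        return self.members[-1][0]


def wrr_distribution(weights: Dict[str, int], sessions: int) -> Counter:
    """How many of `sessions` new sessions each member would receive."""
    wrr = WeightedRoundRobin(weights)
    return Counter(wrr.next_member() for _ in range(sessions))


if __name__ == "__main__":
    print("WRR 3:1 over 8 sessions:", dict(wrr_distribution({"wan1": 3, "wan2": 1}, 8)))
    sp = Spillover([("wan1", 1000), ("wan2", 500)])
    for load in ({"wan1": 900, "wan2": 0}, {"wan1": 1000, "wan2": 100}):
        print("spillover with load", load, "->", sp.next_member(load))
```

Both algorithms decide per new session, not per packet, which is why existing flows keep their member when the load changes and why the manual recommends them for jitter-sensitive traffic.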

  • Page 225

Chapter 12 Policy and Static Routes
This chapter shows you how to configure policies for IP routing and static routes on your ZyWALL. See Section 5.4.10 on page 117 for related information on the policy route screens.
12.1 Policy Route
Traditionally, routing is based on the destination address only and the [...]

  • Page 226

IPPR follows the existing packet filtering facility of RAS in style and in implementation.
12.2.1 NAT and SNAT
NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address in a packet in one network to a different IP address in another networ[...]

  • Page 227

Figure 148 Trigger Port Forwarding Example
12.2.3 Maximize Bandwidth Usage
The maximize bandwidth usage option allows the ZyWALL to divide up any available bandwidth on the interface (including unallocated bandwidth and any allocated bandwidth that a policy route is not [...]

  • Page 228

Figure 149 Network > Routing > Policy Route
The following table describes the labels in this screen.
Table 66 Network > Routing > Policy Route (LABEL / DESCRIPTION)
• Enable BWM: This is a global setting for enabling or disabling bandwidth management on the ZyWALL. Yo[...]

  • Page 229

12.4 Policy Route Edit
Click Network > Routing to open the Policy Route screen. Then click the Add or Edit icon to open the Policy Route Edit screen.
Note: Configure NAT loopback if you have a virtual server that local users will use a domain name to access. See Section 6[...]

  • Page 230

Figure 150 Network > Routing > Policy Route > Edit
The following table describes the labels in this screen.
Table 67 Network > Routing > Policy Route > Edit (LABEL / DESCRIPTION)
Configuration:
• Enable: Select this to activate the policy.
• Description: Enter a descri[...]

  • Page 231

• Type: Select Auto to have the ZyWALL use the routing table to find a next-hop and forward the matched packets automatically. Select Gateway to route the matched packets to the next-hop router or switch you specified in the Gateway field. You have to set up the next-hop r[...]

  • Page 232

12.5 IP Static Routes
The ZyWALL has no knowledge of the networks beyond the network that is directly connected to the ZyWALL. For instance, the ZyWALL knows about network N2 in the following figure through gateway R1. However, the ZyWALL is unable to route a packet [...]

  • Page 233

12.6 Static Route Summary
Click Network > Routing > Static Route to open the Static Route screen.
Figure 152 Network > Routing > Static Route
The following table describes the labels in this screen.
12.7 Edit a Static Route
Select a static route index n[...]

  • Page 234

The following table describes the labels in this screen.
Table 69 Network > Routing > Static Route > Edit (LABEL / DESCRIPTION)
• Destination IP: This parameter specifies the IP network address of the final destination. Routing is always based on network number. If you n[...]

  • Page 235

Chapter 13 Routing Protocols
This chapter describes how to set up RIP and OSPF routing protocol settings for the ZyWALL. First, it provides an overview of RIP and OSPF, and, then, it introduces the RIP and OSPF screens used to configure routing protocols. See Section 5.5 on page 122 for related information [...]

  • Page 236

RIP uses UDP port 520.
13.1.2 Authentication Types
Authentication is used to guarantee the integrity, but not the confidentiality, of routing updates. The transmitting router uses its key to compute a short, fixed-length digest (a keyed hash, not an encryption) of the original message, and this digest is transmitt[...]
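The integrity-but-not-confidentiality property is easiest to see in code. The following Python is an added example, not the manual's or ZyXEL's code; it follows the RIP-2 keyed-MD5 scheme of RFC 2082 in spirit (the shared key, zero-padded to 16 bytes, is appended to the message and the MD5 of the result travels with the update in place of the key), but the packet layout is a simplified stand-in for the real RIP authentication trailer, and the key and route strings are constructed.

```python
"""Keyed-digest authentication of a routing update (added example, not
ZyXEL code). Simplified layout: message || 16-byte digest. The key and
the sample update below are constructed."""
import hashlib
import hmac
from typing import Tuple

DIGEST_LEN = 16


def _padded_key(key: bytes) -> bytes:
    if not 1 <= len(key) <= 16:
        raise ValueError("key must be 1-16 bytes")
    return key.ljust(16, b"\x00")


def keyed_digest(message: bytes, key: bytes) -> bytes:
    """MD5 over message || padded key: proves knowledge of the key and
    detects modification. The message itself is not hidden."""
    return hashlib.md5(message + _padded_key(key)).digest()


def sign_update(routes: bytes, key: bytes) -> bytes:
    """Append the digest. Anyone on the wire can still read `routes`."""
    return routes + keyed_digest(routes, key)


def verify_update(packet: bytes, key: bytes) -> Tuple[bool, bytes]:
    """Split off the trailing digest, recompute it with our key and compare
    in constant time. Returns (authentic, routes)."""
    if len(packet) <= DIGEST_LEN:
        return False, b""
    routes, digest = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    expected = keyed_digest(routes, key)
    return hmac.compare_digest(digest, expected), routes


# Constructed sample: a shared key and a textual stand-in for two RIP entries.
KEY = b"s3cret"
UPDATE = b"RIPv2 10.0.1.0/24 metric 1;10.0.2.0/24 metric 2"

if __name__ == "__main__":
    pkt = sign_update(UPDATE, KEY)
    print("readable on the wire:", pkt.startswith(UPDATE))      # True: no confidentiality
    print("genuine accepted:", verify_update(pkt, KEY)[0])       # True
    forged = pkt.replace(b"metric 1", b"metric 9")               # attacker lowers a route's cost
    print("tampered accepted:", verify_update(forged, KEY)[0])   # False: integrity protected
    print("wrong key accepted:", verify_update(pkt, b"other")[0])
```

The construction is a secret-suffix MAC over MD5, which is why the manual describes it as integrity only: an on-path attacker can read every route but cannot alter one or inject an update without the key. Where the neighbouring routers support it, prefer the HMAC-SHA variants (RFC 4822 for RIPv2, RFC 5709 for OSPFv2) over keyed MD5, and treat the text (cleartext password) option as no protection against a sniffer at all.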

  • Page 237

Figure 154 Network > Routing > RIP
The following table describes the labels in this screen.
13.3 OSPF Overview
OSPF (Open Shortest Path First, RFC 2328) is a link-state protocol designed to distribute routing information within a group of networks, called an Autonomous System (AS[...]

  • Page 238

• OSPF filters and summarizes routing information, which reduces the size of routing tables throughout the network.
• OSPF responds to changes in the network, such as the loss of a router, more quickly.
• OSPF considers several factors, including bandwidth, hop count, thro[...]

  • Page 239

This OSPF AS consists of four areas, areas 0-3. Area 0 is always the backbone. In this example, areas 1, 2, and 3 are all connected to it. Area 1 is a normal area. It has routing information about the OSPF AS and networks X and Y. Area 2 is a stub area. It has routing information a[...]

  • Page 240

Figure 156 OSPF: Types of Routers
In order to reduce the amount of traffic between routers, a group of routers that are directly connected to each other selects a designated router (DR) and a backup designated router (BDR). All of the routers only exchange information with the D[...]

  • Page 241

2 Set up the OSPF areas.
3 Configure the appropriate interfaces. See Section 10.2.1 on page 184.
4 Set up virtual links, as needed.
13.4 OSPF Screens
The OSPF screens are used to specify the ID the ZyWALL uses in the OSPF AS and to maintain the policies for redistribution. In addi[...]

  • Page 242

13.4.2 OSPF Area Add/Edit
The OSPF Area Add/Edit screen allows you to create a new area or edit an existing one. To access this screen, go to the OSPF summary screen (see Section 13.4.1 on page 241), and click either the Add icon or an Edit icon.
• Active: Select this check box to adv[...]

  • Page 243

Figure 159 Network > Routing > OSPF > Edit
The following table describes the labels in this screen.
Table 74 Network > Routing > OSPF > Edit (LABEL / DESCRIPTION)
• Area ID: Type the unique, 32-bit identifier for the area in IP address format.
• Type: This field displays t[...]

  • Page 244

• Text Authentication Key: This field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to 8 characters long. Text authentication places this password in cleartext in every OSPF packet, so anyone who can capture traffic on the segment learns it; use MD5 wherever the neighbouring routers support it.
• MD5 Authentication ID: This field is available if [...]

  • Page 245

Chapter 14 Zones
Set up zones to configure network security and network policies in the ZyWALL. See Section 5.4.7 on page 116 for related information on these screens.
14.1 Zones Overview
A zone is a group of interfaces and VPN tunnels. The ZyWALL uses zones, not interfaces, in many security and policy setti[...]

  • Page 246

Intra-zone traffic is traffic between interfaces or VPN tunnels in the same zone. For example, in Figure 160 on page 245, traffic between VLAN 2 and the Ethernet is intra-zone traffic. In each zone, you can either allow or prohibit all intra-zone traffic. For example, in Figure 160 on page[...]
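The policy model in this chapter, where interfaces and VPN tunnels are grouped into zones, rules are written per zone pair, and each zone has its own intra-zone switch, can be captured in a few lines. The Python below is an added example, not the ZyWALL's firewall engine: the zone membership, the block-intra-zone flags, the rule list and the deny-by-default behaviour (including deny for an interface that belongs to no zone) are constructed assumptions used to show how a decision for an interface pair falls out of zone-level settings.

```python
"""Zone-based policy decision for traffic between two interfaces
(added example, not ZyXEL code; zones, members and rules are constructed)."""
from typing import Dict, List, Tuple

Rule = Tuple[str, str, str]   # (from_zone, to_zone, action); first match wins


class ZonePolicy:
    def __init__(self, membership: Dict[str, List[str]], block_intra: Dict[str, bool],
                 rules: List[Rule], default: str = "deny"):
        # Reverse the zone -> members table so a lookup by interface is O(1).
        self.zone_of = {member: zone
                        for zone, members in membership.items()
                        for member in members}
        self.block_intra = block_intra
        self.rules = rules
        self.default = default

    def decide(self, in_if: str, out_if: str) -> str:
        src, dst = self.zone_of.get(in_if), self.zone_of.get(out_if)
        if src is None or dst is None:
            return "deny"   # assumption: an interface in no zone matches no rule
        if src == dst:
            # Intra-zone traffic is governed by the zone's own switch, not by rules.
            return "deny" if self.block_intra.get(src, False) else "allow"
        for from_zone, to_zone, action in self.rules:
            if from_zone in (src, "any") and to_zone in (dst, "any"):
                return action
        return self.default


# Constructed layout: LAN holds an Ethernet interface and VLAN 2, DMZ holds
# two interfaces and blocks traffic between them, WAN is a single interface.
POLICY = ZonePolicy(
    membership={"LAN": ["ge2", "vlan2"], "WAN": ["ge1"], "DMZ": ["ge4", "ge5"]},
    block_intra={"DMZ": True},
    rules=[("LAN", "WAN", "allow"), ("LAN", "DMZ", "allow"), ("WAN", "DMZ", "allow")],
)

if __name__ == "__main__":
    for pair in (("ge2", "ge1"), ("ge1", "ge2"), ("ge2", "vlan2"), ("ge4", "ge5"), ("ge9", "ge1")):
        print(pair, "->", POLICY.decide(*pair))
```

Adding a new interface to an existing zone is therefore enough for every rule on that zone to cover it, which is the convenience the manual is pointing at and also the thing to audit when an interface is moved between zones.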

  • Page 247

14.3 Zone Add/Edit
The Zone Add/Edit screen allows you to define a zone or edit an existing one. To access this screen, go to the Zone screen (see Section 14.2 on page 246), and click either the Add icon or an Edit icon.
Figure 162 Network > Zone > Edit
The following table describes the la[...]


  • Page 249

Chapter 15 DDNS
This chapter describes how to configure dynamic DNS (DDNS) services for the ZyWALL. First, it provides an overview, and then it introduces the screens. See Section 5.4.9 on page 117 for related information on these screens.
15.1 DDNS Overview
DNS maps a domain name to a corresponding IP add[...]

  • Page 250

15.1.2 High Availability (HA)
The DDNS server maps a domain name to the IP address of one of the ZyWALL's WAN ports. If that WAN port loses its connection, high availability allows the ZyWALL to substitute the HA port's IP address in the domain name mapping.
15.1.3 Mail Exchanger
Dyn[...]

  • Page 251

15.3 DDNS Summary
The DDNS screen provides a summary of all DDNS domain names and their configuration. In addition, this screen allows you to add new domain names, edit the configuration for existing domain names, and delete domain names. To access this screen, log in to the web configurator. [...]

  • Page 252

15.4 Dynamic DNS Add/Edit
The DDNS Add/Edit screen allows you to add a domain name to the ZyWALL or to edit the configuration of an existing domain name. To access this screen, click Network > DDNS, and click either the Add icon or an Edit icon.
Figure 164 Network > DDNS > Edit
The fol[...]

  • Page 253

• HA Interface: This field is only available when the IP Address Update Policy is Interface. Select the alternative WAN interface to map to the domain name when the WAN interface is not available. If you do not want to use HA, select none.
• Custom IP: This field is only available when the IP Addr[...]


  • Page 255

Chapter 16 Virtual Servers
This chapter describes how to set up, manage, and remove virtual servers. First, it provides an overview of virtual servers, and, then, it introduces the virtual server screens and commands. See Section 5.4.18 on page 121 for related information on these screens.
16.1 Virtual Server O[...]

  • Page 256

The ZyWALL checks virtual servers before it applies to-ZyWALL firewall rules, so to-ZyWALL firewall rules do not apply to traffic that is forwarded by virtual servers. The ZyWALL still checks regular (through-ZyWALL) firewall rules according to the source IP address and mapped[...]

  • Page 257

    Chapter 16 Virtual Servers ZyWALL USG 1000 User's Guide 257 Figure 166 Network > Virtual Server The following table describes the labels in this screen. See Section 16.4.1 on page 258 below for more information as well. Table 79 Network > Virtual Server LABEL DESCRIPTION Total Virtual Servers This is how many virtual server entries are[...]

  • Page 258

    Chapter 16 Virtual Servers ZyWALL USG 1000 User's Guide 258 16.4.1 Virtual Server Add/Edit The Virtual Server Add/Edit screen lets you create new virtual servers and edit existing ones. To open this window, open the Virtual Server summary screen. (See Section 16.4 on page 256.) Then, click on an Add icon or Edit icon to open the following [...]

  • Page 259

    Chapter 16 Virtual Servers ZyWALL USG 1000 User's Guide 259 User Defined This field is available if Original IP is User Defined. Type the destination IP address that this virtual server supports. Mapped IP Type the translated destination IP address, if this virtual server forwards the packet. Mapping Type Use the drop-down list box t[...]

  • Page 260

    Chapter 16 Virtual Servers ZyWALL USG 1000 User's Guide 260[...]

  • Page 261

    ZyWALL USG 1000 User's Guide 261 CHAPTER 17 HTTP Redirect This chapter shows you how to configure HTTP redirection on your ZyWALL. See Section 5.4.19 on page 121 for related information on these screens. 17.1 HTTP Redirect Overview HTTP redirect forwards the client's HTTP request (except HTTP traffic destined for the ZyWALL) to a web p[...]

  • Page 262

    Chapter 17 HTTP Redirect ZyWALL USG 1000 User's Guide 262 Figure 168 HTTP Redirect Example In the example, proxy server A is connected to ge4 in the DMZ zone. When a client connected to ge1 wants to open a web page, its HTTP request is redirected to proxy server A first. If proxy server A cannot find the web page in its cache, a policy route a[...]

  • Page 263

    Chapter 17 HTTP Redirect ZyWALL USG 1000 User's Guide 263 Figure 169 Network > HTTP Redirect The following table describes the labels in this screen. 17.4 HTTP Redirect Edit Click Network > HTTP Redirect to open the HTTP Redirect screen. Then click the Add or Edit icon to open the HTTP Redirect Edit screen where you can configure the rul[...]

  • Page 264

    Chapter 17 HTTP Redirect ZyWALL USG 1000 User's Guide 264 Interface Select the interface on which the HTTP request must be received for the ZyWALL to forward it to the specified proxy server. Proxy Server Enter the IP address of the proxy server. Port Enter the port number that the proxy server uses. OK Click OK to save your changes back to t[...]

  • Page 265

    ZyWALL USG 1000 User's Guide 265 CHAPTER 18 ALG This chapter covers how to use the ZyWALL's ALG feature to allow certain applications to pass through the ZyWALL. See Section 5.4.20 on page 122 for related information on these screens. 18.1 ALG Introduction The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain NA [...]

  • Page 266

    Chapter 18 ALG ZyWALL USG 1000 User's Guide 266 You could also have a trunk with one interface set to active and a second interface set to passive. The ZyWALL does not automatically change ALG-managed connections to the second (passive) interface when the active interface's connection goes down. When the active interface's connectio[...]

  • Page 267

    Chapter 18 ALG ZyWALL USG 1000 User's Guide 267 Figure 171 H.323 ALG Example 18.1.6 SIP The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet. SIP is used in VoIP (Voice over IP), the sending of voi[...]

  • Page 268

    Chapter 18 ALG ZyWALL USG 1000 User's Guide 268 18.1.6.2 SIP Signaling Session Timeout Most SIP clients have an "expire" mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL. If the SIP client does not have this mech[...]

  • Page 269

    Chapter 18 ALG ZyWALL USG 1000 User's Guide 269 For example, you configure firewall and virtual server rules to allow LAN IP address A to receive calls through public WAN IP address 1. You configure different firewall and port forwarding rules to allow LAN IP address B to receive calls through public WAN IP address 2. You configure corres[...]

  • Page 270

    Chapter 18 ALG ZyWALL USG 1000 User's Guide 270 The following table describes the labels in this screen. Table 83 Network > ALG LABEL DESCRIPTION Enable SIP Transformations SIP is a signaling protocol used in VoIP (Voice over IP), the sending of voice signals over Internet Protocol. Turn on the SIP ALG to allow SIP sessions to pass throu[...]

  • Page 271

    Chapter 18 ALG ZyWALL USG 1000 User's Guide 271 18.4 WAN to LAN SIP Peer-to-peer Calls Example This example shows how to configure firewall and virtual server (port forwarding) rules to allow H.323 calls to come in through WAN IP address 10.0.0.8 to computer A at IP address 192.168.1.56 on the LAN. Figure 176 WAN to LAN H.323 Peer-to-peer C[...]

  • Page 272

    Chapter 18 ALG ZyWALL USG 1000 User's Guide 272 Figure 178 Firewall > WAN to LAN 5 Configure the screen as follows. For the Destination, select Create Object. Figure 179 Firewall > WAN > LAN > Add 6 Configure an address object for the ZyWALL's 10.0.0.8 WAN IP address as follows and click OK. Figure 180 Object > Address &[...]

  • Page 273

    Chapter 18 ALG ZyWALL USG 1000 User's Guide 273 Figure 181 Firewall > WAN > LAN > Add[...]

  • Page 274

    Chapter 18 ALG ZyWALL USG 1000 User's Guide 274[...]

  • Page 275

    275 PART III Firewall and VPN Firewall (277) IPSec VPN (291) SSL VPN (323) SSL User Screens (331) SSL User Application Screens (337) SSL User File Sharing Screens (339) L2TP VPN (345) L2TP VPN Example (351)[...]

  • Page 276

    276[...]

  • Page 277

    ZyWALL USG 1000 User's Guide 277 CHAPTER 19 Firewall This chapter introduces the ZyWALL's firewall and shows you how to configure your ZyWALL's firewall. See Section 5.4.12 on page 118 for related information on these screens. 19.1 Firewall Overview The ZyWALL's firewall is a stateful inspection firewall. The ZyWALL restricts a[...]

  • Page 278

    Chapter 19 Firewall ZyWALL USG 1000 User's Guide 278 Your customized rules take precedence and override the ZyWALL's default settings. The ZyWALL checks the schedule, user name (user's login name on the ZyWALL), source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order[...]

  • Page 279

    Chapter 19 Firewall ZyWALL USG 1000 User's Guide 279 The following table explains the default firewall rules for traffic going through the ZyWALL. See Section 19.2.1.2 on page 279 for details on the firewall rules for traffic going to the ZyWALL itself. Note: If you enable intra-zone traffic blocking (see the chapter about zones), the fi[...]

  • Page 280

    Chapter 19 Firewall ZyWALL USG 1000 User's Guide 280 Note: The ZyWALL checks the firewall rules before the service control rules for traffic destined for the ZyWALL. Note: You can configure a to-ZyWALL firewall rule (with From Any To ZyWALL direction) for traffic from an interface which is not in a zone. 19.2.2 Firewall and VPN Traffi[...]

  • Page 281

    Chapter 19 Firewall ZyWALL USG 1000 User's Guide 281 Your firewall would have the following configuration. • The first row blocks LAN access to the IRC service on the WAN. • The second row is the firewall's default policy that allows all traffic from the LAN to go to the WAN. The ZyWALL applies the firewall rules in order. So for this[...]

  • Page 282

    Chapter 19 Firewall ZyWALL USG 1000 User's Guide 282 Your firewall would have the following configuration. • The first row allows the LAN computer at IP address 192.168.1.7 to access the IRC service on the WAN. • The second row blocks LAN access to the IRC service on the WAN. • The third row is (still) the firewall's default polic[...]
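The in-order, first-match evaluation that pages 281 and 282 describe, as an added example (not ZyXEL's code): a rule evaluator run over the two LAN-to-WAN IRC rule sets from the text, plus an audit check for rules that an earlier, broader rule shadows. The Rule and Packet fields, zone names and helper names are assumptions made for this illustration.

```python
"""First-match firewall rule evaluation in the order the ZyWALL chapter describes.

Added example, not ZyXEL code. The rule/packet model and the evaluate() and
shadowed_rules() helpers are assumptions; the IRC rule sets come from the text.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src_zone: str          # e.g. "LAN"
    dst_zone: str          # e.g. "WAN"
    source: str            # "any", a host ("192.168.1.7") or a CIDR ("192.168.1.0/24")
    service: str           # "any" or a service name such as "IRC"
    action: str            # "allow" or "deny"
    description: str = ""


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    service: str


def _covers(outer: str, inner: str) -> bool:
    """True if every source that matches `inner` also matches `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    # A bare host is treated as a /32; ip_network accepts both forms.
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Return the first rule that matches the packet, or None.

    Rules are checked strictly in list order; the first match decides and later
    rules are never consulted. That is why a specific 'allow' must sit above
    the broader 'deny' it is meant to override.
    """
    for rule in rules:
        if (rule.src_zone, rule.dst_zone) != (pkt.src_zone, pkt.dst_zone):
            continue
        if rule.service not in ("any", pkt.service):
            continue
        if not _covers(rule.source, pkt.src_ip):
            continue
        return rule
    return None


def decision(rules: List[Rule], pkt: Packet) -> str:
    """'allow' or 'deny' for the packet; traffic no rule matches is denied."""
    matched = evaluate(rules, pkt)
    return matched.action if matched else "deny"


def shadowed_rules(rules: List[Rule]) -> List[Rule]:
    """Rules that can never match because an earlier rule with the same zone
    pair already covers their source and service. Run this before pushing a
    rule set: a shadowed exception is the classic mis-ordering in the text."""
    result = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            same_zones = (earlier.src_zone, earlier.dst_zone) == (later.src_zone, later.dst_zone)
            if same_zones and _covers(earlier.source, later.source) \
                    and earlier.service in ("any", later.service):
                result.append(later)
                break
    return result


# The two configurations from the chapter text (page 281, then page 282).
DEFAULT_LAN_TO_WAN = Rule("LAN", "WAN", "any", "any", "allow", "default policy")
BLOCK_IRC = Rule("LAN", "WAN", "any", "IRC", "deny", "block LAN access to IRC")
ALLOW_HOST_IRC = Rule("LAN", "WAN", "192.168.1.7", "IRC", "allow", "exception for one host")

BLOCK_ALL_IRC = [BLOCK_IRC, DEFAULT_LAN_TO_WAN]
EXCEPTION_FIRST = [ALLOW_HOST_IRC, BLOCK_IRC, DEFAULT_LAN_TO_WAN]
# Wrong order: the exception sits below the broader deny and never fires.
EXCEPTION_SHADOWED = [BLOCK_IRC, ALLOW_HOST_IRC, DEFAULT_LAN_TO_WAN]

if __name__ == "__main__":
    host = Packet("LAN", "WAN", "192.168.1.7", "IRC")
    print("exception first :", decision(EXCEPTION_FIRST, host))      # allow
    print("exception second:", decision(EXCEPTION_SHADOWED, host))   # deny
    print("shadowed        :", [r.description for r in shadowed_rules(EXCEPTION_SHADOWED)])
```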

  • Page 283

    Chapter 19 Firewall ZyWALL USG 1000 User's Guide 283 You can have the ZyWALL permit the use of asymmetrical route topology on the network (not reset the connection). Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL. A better solution is to use virtual interfaces to put the ZyW[...]

  • Page 284

    Chapter 19 Firewall ZyWALL USG 1000 User's Guide 284 Figure 186 Firewall The following table describes the labels in this screen. Table 88 Firewall LABEL DESCRIPTION Global Setting Enable Firewall Select this check box to activate the firewall. The ZyWALL performs access control when the firewall is activated. Allow Asymmetrical Route If an al[...]

  • Page 285

    Chapter 19 Firewall ZyWALL USG 1000 User's Guide 285 Maximum session per host Use this field to set the highest number of sessions that the ZyWALL will permit a computer with the same IP address to have at one time. When computers use peer to peer applications, such as file sharing applications, they may use a large number of NAT sessi[...]

  • Page 286

    Chapter 19 Firewall ZyWALL USG 1000 User's Guide 286 19.6.1 Edit a Firewall Rule In the Firewall screen, click the Edit or Add icon to display the Firewall Rule Edit screen. Refer to the following table for information on the labels. Figure 187 Firewall > Edit The following table describes the labels in this screen. Add icon Click the Add [...]

  • Page 287

    Chapter 19 Firewall ZyWALL USG 1000 User's Guide 287 19.7 Firewall Rule Configuration Example The following Internet firewall rule example allows a hypothetical MyService from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 (Dest_1) on the LAN. 1 Click Firewall. Click the Add icon ( ) in the heading row to configure a new first entry (as[...]

  • Page 288

    Chapter 19 Firewall ZyWALL USG 1000 User's Guide 288 Figure 188 Firewall Example: Select the Traveling Direction of Traffic 2 Select From WAN and To LAN and enter a description. Select Create Object in the Destination drop-down list box. Figure 189 Firewall Example: Edit a Firewall Rule 1 3 The screen for configuring an address object open[...]

  • Page 289

    Chapter 19 Firewall ZyWALL USG 1000 User's Guide 289 Figure 190 Firewall Example: Create an Address Object 4 Select Create Object in the Service drop-down list box. 5 The screen for configuring a service object opens. Configure it as follows and click OK. Figure 191 Firewall Example: Create a Service Object 6 Enter the name of the firewall rule.[...]

  • Page 290

    Chapter 19 Firewall ZyWALL USG 1000 User's Guide 290 Figure 193 Firewall Example: MyService Example Rule in Summary[...]

  • Page 291

    ZyWALL USG 1000 User's Guide 291 CHAPTER 20 IPSec VPN This chapter explains how to set up and maintain IPSec VPNs in the ZyWALL. See Section 5.4.4 on page 116 for related information on these screens. 20.1 IPSec VPN Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site[...]

  • Page 292

    Chapter 20 IPSec VPN ZyWALL USG 1000 User's Guide 292 Figure 195 VPN: IKE SA and IPSec SA In this example, a computer in network A is exchanging data with a computer in network B. Inside networks A and B, the data is transmitted the same way data is normally transmitted in the networks. Between routers X and Y, the data is protected by tunne[...]

  • Page 293

    Chapter 20 IPSec VPN ZyWALL USG 1000 User's Guide 293 Usually, you should select ESP. AH does not support encryption, and ESP is more suitable with NAT. 20.1.1.3 Encapsulation There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is more secure. Transport mode is only used when the IPSec SA is used fo[...]

  • Page 294

    Chapter 20 IPSec VPN ZyWALL USG 1000 User's Guide 294 If you enable PFS, the ZyWALL and remote IPSec router perform a DH key exchange every time an IPSec SA is established, changing the root key from which encryption keys are generated. As a result, if one encryption key is compromised, other encryption keys remain secure. If you do not en[...]

  • Page 295

    Chapter 20 IPSec VPN ZyWALL USG 1000 User's Guide 295 • Source address in outbound packets - this translation is necessary if you want the ZyWALL to route packets from computers outside the local network through the IPSec SA. • Source address in inbound packets - this translation hides the source address of computers in the remote network.[...]

  • Page 296

    Chapter 20 IPSec VPN ZyWALL USG 1000 User's Guide 296 • Destination - the original destination address; the local network (A). • SNAT - the translated source address; a different IP address (range of addresses) to hide the original source address. 20.1.2.2.3 Destination Address in Inbound Packets (Inbound Traffic, Destination NAT) Yo[...]

  • Page 297

    Chapter 20 IPSec VPN ZyWALL USG 1000 User's Guide 297 • Make sure the to-ZyWALL firewall rules allow IPSec VPN traffic to the ZyWALL. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. • The ZyWALL supports UDP port 500 and UDP port 4500 for NAT traversal. If you enable this, make sure the to-ZyWALL firewall ru[...]

  • Page 298

    Chapter 20 IPSec VPN ZyWALL USG 1000 User's Guide 298 Each field is discussed in the following table. See Section 20.3.3 on page 302 and Section 20.3.2 on page 298 for more information. 20.3.2 VPN Connection Add/Edit IKE The VPN Connection Add/Edit Gateway screen allows you to create a new VPN connection using a VPN gateway (with IKE) or edit a[...]

  • Page 299

    Chapter 20 IPSec VPN ZyWALL USG 1000 User's Guide 299 Figure 199 VPN > IPSec VPN > VPN Connection > Edit (IKE) Each field is described in the following table. Table 91 VPN > IPSec VPN > VPN Connection > Edit LABEL DESCRIPTION VPN Connection Connection Name Type the name used to identify this IPSec SA. You may use 1-31 alphan[...]

  • Page 300

    Chapter 20 IPSec VPN ZyWALL USG 1000 User's Guide 300 Active Protocol Select which protocol you want to use in the IPSec SA. Choices are: AH (RFC 2402) - provides integrity, authentication, sequence integrity (replay resistance), and non-repudiation but not encryption. If you select AH, you must select an Authentication algorithm. ESP (RFC [...]

  • Page 301

    Chapter 20 IPSec VPN ZyWALL USG 1000 User's Guide 301 Policy Enforcement Select this if you want the ZyWALL to drop traffic whose source and destination IP addresses do not match the local and remote policy. This makes the IPSec SA more secure. Note: You must clear this field, however, if you want to use the IPSec SA in a VPN concentrator. L[...]

  • Page 302

    Chapter 20 IPSec VPN ZyWALL USG 1000 User's Guide 302 20.3.3 VPN Connection Add/Edit Manual Key The VPN Connection Add/Edit Manual Key screen allows you to create a new VPN connection or edit an existing one using a manual key. This is useful if you have problems with IKE key management. To access this screen, go to the VPN Connection summa [...]

  • Page 303

    Chapter 20 IPSec VPN ZyWALL USG 1000 User's Guide 303 Figure 200 VPN > IPSec VPN > VPN Connection > Manual Key > Edit The following table describes the labels in this screen. Table 92 VPN > IPSec VPN > VPN Connection > Manual Key > Edit LABEL DESCRIPTION VPN Connection Connection Name Type the name used to identify thi[...]

  • Page 304

    Chapter 20 IPSec VPN ZyWALL USG 1000 User's Guide 304 Encapsulation Mode Select which type of encapsulation the IPSec SA uses. Choices are Tunnel - this mode encrypts the IP header information and the data Transport - this mode only encrypts the data. You should only select this if the IPSec SA is used for communication between the Zy[...]

  • Page 305

    Chapter 20 IPSec VPN ZyWALL USG 1000 User's Guide 305 Authentication Key Enter the authentication key, which depends on the authentication algorithm. MD5 - type a unique key 16-20 characters long SHA1 - type a unique key 20 characters long You can use any alphanumeric characters or ,;|`~!@#$%^&*()_+{}':./<>=-". If yo[...]

  • Page 306

    Chapter 20 IPSec VPN ZyWALL USG 1000 User's Guide 306 20.4 VPN Gateway Screens You use the VPN Gateway summary screen to look at the VPN gateways you have set up, and you use the VPN Gateway Add/Edit screen to create or to edit VPN gateways. 20.4.1 IKE SA Overview The IKE SA provides a secure connection between the ZyWALL and remote IPSec rou[...]

  • Page 307

    Chapter 20 IPSec VPN ZyWALL USG 1000 User's Guide 307 It takes several steps to establish an IKE SA. The negotiation mode determines how many. There are two negotiation modes: main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster. Note: Both routers must use the same negotiation mode. These modes a[...]

  • Page 308

    Chapter 20 IPSec VPN ZyWALL USG 1000 User's Guide 308 Note: Both routers must use the same encryption algorithm, authentication algorithm, and DH key group. In most ZyWALLs, you can select one of the following encryption algorithms for each proposal. The algorithms are listed in order from weakest to strongest. • Data Encryption Standard[...]

  • Page 309

    Chapter 20 IPSec VPN ZyWALL USG 1000 User's Guide 309 In main mode, the ZyWALL and remote IPSec router authenticate each other in steps 5 and 6, as illustrated below. The identities are also encrypted using the encryption algorithm and encryption key the ZyWALL and remote IPSec router selected in previous steps. Figure 203 IKE SA: Main Nego[...]

  • Page 310

    Chapter 20 IPSec VPN ZyWALL USG 1000 User's Guide 310 For example, in Table 93 on page 310, the ZyWALL and the remote IPSec router authenticate each other successfully. In contrast, in Table 94 on page 310, the ZyWALL and the remote IPSec router cannot authenticate each other and, therefore, cannot establish an IKE SA. It is also poss[...]

  • Page 311

    Chapter 20 IPSec VPN ZyWALL USG 1000 User's Guide 311 20.4.2.2 VPN, NAT, and NAT Traversal In the following example, there is another router (A) between router X and router Y. Figure 204 VPN/NAT Example If router A does NAT, it might change the IP addresses, port numbers, or both. If router X and router Y try to establish a VPN tunnel,[...]

  • Page 312

    Chapter 20 IPSec VPN ZyWALL USG 1000 User's Guide 312 • Instead of using the pre-shared key, the ZyWALL and remote IPSec router check the signatures on each other's certificates. Unlike pre-shared keys, the signatures do not have to match. • The local and peer ID type and content come from the certificates. Note: You must set up t[...]

  • Page 313

    Chapter 20 IPSec VPN ZyWALL USG 1000 User's Guide 313 20.4.4 VPN Gateway Add/Edit The VPN Gateway Add/Edit screen allows you to create a new VPN gateway or edit an existing one. To access this screen, go to the VPN Gateway summary screen (see Section 20.4.3 on page 312), and click either the Add icon or an Edit icon. Add icon This column provi[...]

  • Page 314

    Chapter 20 IPSec VPN ZyWALL USG 1000 User's Guide 314 Figure 206 VPN > IPSec VPN > VPN Gateway > Edit Each field is described in the following table. Table 96 VPN > IPSec VPN > VPN Gateway > Edit LABEL DESCRIPTION VPN Gateway VPN Gateway Name Type the name used to identify this VPN gateway. You may use 1-31 alphanumeric cha[...]

  • Page 315

    Chapter 20 IPSec VPN ZyWALL USG 1000 User's Guide 315 Proposal # This field is a sequential value, and it is not associated with a specific proposal. The sequence of proposals should not affect performance significantly. Encryption Select which key size and encryption algorithm to use in the IKE SA. Choices are: DES - a 56-bit key with the DES[...]

  • Page 316

    Chapter 20 IPSec VPN ZyWALL USG 1000 User's Guide 316 Secure Gateway Address Type the IP address or the domain name of the remote IPSec router. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic IP address. You can provide a second IP address or domain name. In this case, if the ZyWALL cannot establish an IKE SA with the fir[...]

  • Page 317

    Chapter 20 IPSec VPN ZyWALL USG 1000 User's Guide 317 Peer ID Type Select which type of identification is used to identify the remote IPSec router during authentication. Choices are: IP - the remote IPSec router is identified by an IP address DNS - the remote IPSec router is identified by a domain name E-mail - the remote IPSec router is id[...]

  • Page 318

    Chapter 20 IPSec VPN ZyWALL USG 1000 User's Guide 318 20.5 VPN Concentrator A VPN concentrator combines several VPN connections into one secure network. Figure 207 on page 318 shows an example of this, as well as one alternative approach. Figure 207 VPN Topologies The VPN concentrator is used in the second approach. In the first (fully-meshed)[...]

  • Page 319

    Chapter 20 IPSec VPN ZyWALL USG 1000 User's Guide 319 20.5.1 VPN Concentrator Summary You use the VPN Concentrator summary screen to look at the VPN concentrators you have set up. The VPN Concentrator summary screen displays the VPN concentrators in the ZyWALL. To access this screen, click VPN > IPSec VPN > Concentrator. The foll[...]

  • Page 320

    Chapter 20 IPSec VPN ZyWALL USG 1000 User's Guide 320 Each field is described in the following table. 20.6 SA Monitor Screen You can use the SA Monitor screen to display and to manage active IPSec SA. To access this screen, click VPN > IPSec VPN > SA Monitor. The following screen appears. Table 98 VPN > IPSec VPN > Concentrat[...]

  • Page 321

    Chapter 20 IPSec VPN ZyWALL USG 1000 User's Guide 321 Figure 211 VPN > IPSec VPN > SA Monitor Each field is described in the following table. Table 99 VPN > IPSec VPN > SA Monitor LABEL DESCRIPTION Name Enter the name of an IPSec SA here and click Search to find it (if it is associated). You can use a keyword or regular expression[...]

  • Page 322

    Chapter 20 IPSec VPN ZyWALL USG 1000 User's Guide 322 20.6.1 Regular Expressions in Searching IPSec SAs by Name or Policy A question mark (?) lets a single character in the VPN connection or policy name vary. For example, use "a?c" (without the quotation marks) to specify abc, acc and so on. Wildcards (*) let multiple VPN connection or [...]

  • Page 323

    ZyWALL USG 1000 User's Guide 323 CHAPTER 21 SSL VPN This chapter shows you how to set up secure SSL VPN access for remote user login. See Section 5.4.5 on page 116 for related information on these screens. 21.1 SSL Access Policy An SSL access policy allows the ZyWALL to perform the following tasks: • limit user access to specific applicati[...]

  • Page 324

    Chapter 21 SSL VPN ZyWALL USG 1000 User's Guide 324 21.1.2 SSL Access Policy Limitations You cannot delete an object that is used by an SSL access policy. To delete the object, you must first unassociate the object from the SSL access policy. 21.2 SSL Access Privilege List Click VPN > SSL VPN to open the Access Privilege screen. This sc[...]

  • Page 325

    Chapter 21 SSL VPN ZyWALL USG 1000 User's Guide 325 21.3 Creating/Editing an SSL Access Policy To create a new or edit an existing SSL access policy, click the Add or Edit icon in the Access Privilege screen. Figure 213 VPN > SSL VPN > Access Privilege > Add/Edit The following table describes the labels in this screen. Table 102 VPN &[...]

  • Page 326

    Chapter 21 SSL VPN ZyWALL USG 1000 User's Guide 326 21.4 SSL Connection Monitor The ZyWALL keeps track of the users who are currently logged in to the VPN SSL client portal. Click VPN > SSL VPN in the navigation panel and click the Connection Monitor tab to display the user list. Use this screen to do the following: • view a list of user[...]

  • Page 327

    Chapter 21 SSL VPN ZyWALL USG 1000 User's Guide 327 • log out a user and delete related session information. Once a user logs out, the corresponding entry is removed from the Connection Monitor screen. Figure 214 VPN > SSL VPN > Connection Monitor The following table describes the labels in this screen. 21.5 Configuring SSL Global Settin[...]

  • Page 328

    Chapter 21 SSL VPN ZyWALL USG 1000 User's Guide 328 Figure 215 VPN > SSL VPN > Global Setting The following table describes the labels in this screen. Table 104 VPN > SSL VPN > Global Setting LABEL DESCRIPTION Global Setting Network Extension IP Address Specify the IP address of the ZyWALL (or a gateway device) for full tunnel mode[...]

  • Page 329

    Chapter 21 SSL VPN ZyWALL USG 1000 User's Guide 329 21.5.1 Uploading a Custom Logo Follow the steps below to upload a custom logo on the ZyWALL. 1 Click VPN > SSL VPN and click the Global Setting tab to display the configuration screen. 2 Click Browse to locate the logo graphic. Make sure the file is in GIF format. 3 Click Apply to start th[...]

  • Page 330

    Chapter 21 SSL VPN ZyWALL USG 1000 User's Guide 330 Figure 217 SSL VPN Client Portal Screen Example If the user account is not set up for SSL VPN access, an "SSL VPN connection is not activated" message displays in the Login screen. Clear the Login to SSL VPN check box and try logging in again. For more information on user portal screens, re[...]

  • Page 331

    ZyWALL USG 1000 User's Guide 331 CHAPTER 22 SSL User Screens This chapter introduces secure network access and gives an overview of the remote user screens on the ZyWALL. 22.1 Overview The ZyWALL provides secure connections to network resources such as applications, files, intranet sites or e-mail through a web-based interface and using Micro[...]

  • Page 332

    Chapter 22 SSL User Screens ZyWALL USG 1000 User's Guide 332 • Internet Explorer 5.5 and above (for IE7, JRE 1.6 must be enabled) • Netscape 7.2 and above • Firefox 1.0 and above • Mozilla 1.7.3 and above • Sun Java Virtual Machine (JVM) installed with a minimum version of 1.4. • Java enabled in Internet Explorer on Windows com[...]

  • Page 333

    Chapter 22 SSL User Screens ZyWALL USG 1000 User's Guide 333 Figure 220 Login Security Screen 3 A login screen displays. Enter the user name and password of your login account. If a token password is also required, enter it in the One-Time Password field. 4 Select Log into SSL VPN and click Login to log in and establish an SSL VPN connection to[...]

  • Page 334

    Chapter 22 SSL User Screens ZyWALL USG 1000 User's Guide 334 Note: Available resource links vary depending on the configuration your network administrator made. 22.3 SSL VPN User Screens This section describes the main elements in the remote user screens. Figure 223 Remote User Screen The following table describes the various parts of a remo[...]

  • Page 335

    Chapter 22 SSL User Screens ZyWALL USG 1000 User's Guide 335 22.4 Bookmark You can create a bookmark of the ZyWALL by clicking the Add to Favorite icon. This allows you to access the ZyWALL using the bookmark without having to enter the address every time. 1 In any remote user screen, click the Add to Favorite icon. 2 A screen displays. Accep[...]

  • Page 336

    Chapter 22 SSL User Screens ZyWALL USG 1000 User's Guide 336[...]

  • Page 337

    ZyWALL USG 1000 User's Guide 337 CHAPTER 23 SSL User Application Screens This chapter describes the Application screens you use to access an application on the network through the SSL VPN connection. 23.1 Overview Depending on the configuration of your network administrator, you can use the Application screen to access web-based applications[...]

  • Page 338

    Chapter 23 SSL User Application Screens ZyWALL USG 1000 User's Guide 338[...]

  • Page 339

    ZyWALL USG 1000 User's Guide 339 CHAPTER 24 SSL User File Sharing Screens This chapter describes the File Sharing screen you use to access files on a file server through the SSL VPN connection. 24.1 Overview Use the File Sharing screen to display and access shared files/folders on a file server. You can also perform the following actions: • [...]

  • Page 340

    Chapter 24 SSL User File Sharing Screens ZyWALL USG 1000 User's Guide 340 Figure 228 File Sharing 24.3 Opening a File or Folder You can open a file if the file extension is recognized by the web browser and the associated application is installed on your computer. 1 Log in as a remote user and click the File Sharing tab. 2 Click on a file sha[...]

  • Page 341

    Chapter 24 SSL User File Sharing Screens ZyWALL USG 1000 User's Guide 341 4 A list of files/folders displays. Click on a file to open it in a separate browser window. You can also click a folder to access it. For this example, click on a .doc file to open the Word document. Figure 230 File Sharing: Open a Word File 24.3.1 Downloading a File[...]

  • Page 342

    Chapter 24 SSL User File Sharing Screens ZyWALL USG 1000 User's Guide 342 Figure 231 File Sharing: Save a Word File 24.4 Creating a New Folder To create a new folder in the file share location, click the New Folder icon. Specify a descriptive name for the folder. You can enter up to 356 characters. Then click Add. Note: Make sure the leng[...]

  • Page 343

    Chapter 24 SSL User File Sharing Screens ZyWALL USG 1000 User's Guide 343 Figure 233 File Sharing: Rename A popup window displays. Specify the new name and/or file extension in the field provided. You can enter up to 356 characters. Then click Apply. Note: Make sure the length of the name does not exceed the maximum allowed on the file serv[...]

  • Page 344

    Chapter 24 SSL User File Sharing Screens ZyWALL USG 1000 User's Guide 344 24.7 Uploading a File Follow the steps below to upload a file to the file server. 1 Log into the remote user screen and click the File Sharing tab. 2 Specify the location and/or name of the file you want to upload. Or click Browse to locate it. 3 Click Upload to send t[...]

  • Page 345

    ZyWALL USG 1000 User's Guide 345 CHAPTER 25 L2TP VPN This chapter explains how to set up and maintain L2TP VPNs in the ZyWALL. See Section 5.4.6 on page 116 for related information on these screens. 25.1 L2TP VPN Overview L2TP VPN lets remote users use the L2TP and IPSec client software included with their computers' operating systems to se[...]

  • Page 346

    Chapter 25 L2TP VPN ZyWALL USG 1000 User's Guide 346 • Use transport mode. • Not be a manual key VPN connection. • Use Pre-Shared Key authentication. • Use a VPN gateway with the Secure Gateway set to 0.0.0.0 if you need to allow L2TP VPN clients to connect from more than one IP address. 25.2.1 Using the Default L2TP VPN Connection [...]

  • Page 347

    Chapter 25 L2TP VPN ZyWALL USG 1000 User's Guide 347 25.4 L2TP VPN Configuration Click VPN > L2TP VPN to open the following screen. Use this screen to configure the ZyWALL's L2TP VPN settings. Note: Disconnect any existing L2TP VPN sessions before modifying L2TP VPN settings. The remote users must make any needed matching configuration [...]

  • Page 348

    Chapter 25 L2TP VPN ZyWALL USG 1000 User's Guide 348 25.5 L2TP VPN Session Monitor Click VPN > L2TP VPN > Session Monitor to open the following screen. Use this screen to display and manage the ZyWALL's connected L2TP VPN sessions. Figure 240 VPN > L2TP VPN > Session Monitor The following table describes the fields in this scree[...]

  • Page 349

    Chapter 25 L2TP VPN ZyWALL USG 1000 User's Guide 349 Disconnect Click the Disconnect icon next to an L2TP VPN connection to disconnect it. Refresh Click Refresh to update the information in the display. Table 107 VPN > L2TP VPN > Session Monitor (continued) LABEL DESCRIPTION[...]


  • Page 351

    CHAPTER 26 L2TP VPN Example This chapter shows how to create a basic L2TP VPN tunnel. 26.1 L2TP VPN Example This chapter uses the following settings in creating a basic L2TP VPN tunnel. Figure 241 L2TP VPN Example • The ZyWALL has a static IP address of 172.23.37.205 for the ge3 interface. • The remote user[...]

  • Page 352

    Figure 242 VPN > IPSec VPN > VPN Gateway > Edit • Configure the My Address setting. This example uses interface ge3 with static IP address 172.23.37.205. • Configure the Pre-Shared Key. This example uses top-secret. Click OK. 2 Click the Default_L2TP_VPN_GW entr[...]

  • Page 353

    26.3 Configuring the Default L2TP VPN Connection Example 1 Click VPN > Network > IPSec VPN to open the screen that lists the VPN connections. Click the Default_L2TP_VPN_Connection’s Edit icon. Figure 244 VPN > IPSec VPN > VPN Connection > Edit 2 Enforce and configure t[...]

  • Page 354

    Figure 245 VPN > IPSec VPN > VPN Connection (Enable) 26.4 Configuring the L2TP VPN Settings Example 1 Click VPN > L2TP VPN to open the following screen. Figure 246 VPN > L2TP VPN Example 2 Configure the following. • Enable the connection. • Set it to use the Default_L2[...]

  • Page 355

    Figure 247 Routing > Add: L2TP VPN Example 2 Configure the following. • Enable the policy route. • Set the policy route’s Source Address to the address object that you want to allow the remote users to access (LAN_SUBNET in this example). • Set the Destination Address t[...]

  • Page 356

    26.6.1 Configuring L2TP in Windows XP In Windows XP do the following to establish an L2TP VPN connection. 1 Click Start > Control Panel > Network Connections > New Connection Wizard. 2 Click Next in the Welcome screen. 3 Select Connect to the network at my workplace[...]

  • Page 357

    Figure 250 New Connection Wizard: Connection Name 6 Select Do not dial the initial connection and click Next. Figure 251 New Connection Wizard: Public Network 7 Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is [...]

  • Page 358

    Figure 252 New Connection Wizard: VPN Server Selection 8 Click Finish. 9 The Connect L2TP to ZyWALL screen appears. Click Properties > Security. Figure 253 Connect L2TP to ZyWALL 10 Click Security, select Advanced (custom settings) and click Settings.[...]

  • Page 359

    Figure 254 Connect L2TP to ZyWALL: Security 11 Select Optional encryption (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK. Figure 255 Connect ZyWALL L2TP: Security > [...]

  • Page 360

    Figure 256 L2TP to ZyWALL Properties > Security 13 Select the Use pre-shared key for authentication check box and enter the pre-shared key used in the VPN gateway configuration that the ZyWALL is using for L2TP VPN. Click OK. Figure 257 L2TP to ZyWALL Properties > Sec[...]

  • Page 361

    Figure 259 Connect L2TP to ZyWALL 16 A window appears while the user name and password are verified. 17 A ZyWALL-L2TP icon displays in your system tray. Double-click it to open a status screen. Figure 260 ZyWALL-L2TP System Tray Icon 18 Click Details to see the address that you re[...]

  • Page 362

    1 Click Start > Run. Type regedit and click OK. Figure 262 Starting the Registry Editor 2 Click Registry > Export Registry File and save a backup copy of your registry. You can go back to using this backup if you misconfigure the registry settings. 3 Select HKEY_LOCA[...]

  • Page 363

    Figure 265 ProhibitIpSec DWORD Value 6 Restart the computer and continue with the next section. 26.6.2.2 Configure the Windows 2000 IPSec Policy After you have created the registry entry and restarted the computer, use these directions to configure an IPSec policy for the compute[...]

  • Page 364

    Figure 268 Add > IP Security Policy Management > Finish 4 Right-click IP Security Policies on Local Machine and click Create IP Security Policy. Click Next in the welcome screen. Figure 269 Create IP Security Policy 5 Name the IP security policy L2TP to ZyWALL, and click Ne[...]

  • Page 365

    Figure 270 IP Security Policy: Name 6 Clear the Activate the default response rule check box and click Next. Figure 271 IP Security Policy: Request for Secure Communication 7 Leave the Edit Properties check box selected and click Finish. Figure 272 IP Security Policy: Completing the I[...]

  • Page 366

    8 In the properties dialog box, click Add > Next. Figure 273 IP Security Policy Properties > Add 9 Select This rule does not specify a tunnel and click Next. Figure 274 IP Security Policy Properties: Tunnel Endpoint 10 Select All network connections and click Next.[...]

  • Page 367

    Figure 275 IP Security Policy Properties: Network Type 11 Select Use this string to protect the key exchange (preshared key), type password in the text box, and click Next. Figure 276 IP Security Policy Properties: Authentication Method 12 Click Add.[...]

  • Page 368

    Figure 277 IP Security Policy Properties: IP Filter List 13 Type ZyWALL WAN_IP in the Name field. Clear the Use Add Wizard check box and click Add. Figure 278 IP Security Policy Properties: IP Filter List > Add 14 Configure the following in the Addressing tab. Select My [...]

  • Page 369

    Figure 279 Filter Properties: Addressing 15 Configure the following in the Filter Properties window’s Protocol tab. Set the protocol type to UDP from port 1701. Select To any port. Click Apply, OK, and then Close. Figure 280 Filter Properties: Protocol 16 Select ZyWALL W[...]

  • Page 370

    Figure 281 IP Security Policy Properties: IP Filter List 17 Select Require Security and click Next. Then click Finish and Close. Figure 282 IP Security Policy Properties: IP Filter List 18 In the Console window, right-click L2TP to ZyWALL and select Assign. Figure 283 Consol[...]

  • Page 371

    26.6.2.3 Configure the Windows 2000 Network Connection After you have configured the IPSec policy, use these directions to create a network connection. 1 Click Start > Settings > Network and Dial-up connections > Make New Connection. In the wizard welcome screen, click Next[...]

  • Page 372

    Figure 286 New Connection Wizard: Destination Address 4 Select For all users and click Next. Figure 287 New Connection Wizard: Connection Availability 5 Name the connection L2TP to ZyWALL and click Finish. Figure 288 New Connection Wizard: Naming the Connection[...]

  • Page 373

    6 Click Properties. Figure 289 Connect L2TP to ZyWALL 7 Click Security and select Advanced (custom settings) and click Settings. Figure 290 Connect L2TP to ZyWALL: Security 8 Select Optional encryption allowed (connect even if no encryption) and the Allow these protocols radio bu[...]

  • Page 374

    Figure 291 Connect L2TP to ZyWALL: Security > Advanced 9 Click Networking and select Layer 2 Tunneling Protocol (L2TP) from the drop-down list box. Click OK. Figure 292 Connect L2TP to ZyWALL: Networking 10 Enter your user name and password and click Connect. It may take up [...]

  • Page 375

    Figure 293 Connect L2TP to ZyWALL 11 A ZyWALL-L2TP icon displays in your system tray. Double-click it to open a status screen. Figure 294 ZyWALL-L2TP System Tray Icon 12 Click Details and scroll down to see the address that you received is from the L2TP range you specified on the [...]


  • Page 377

    PART IV Application Patrol & Anti-X: Application Patrol (379), Anti-Virus (403), IDP (417), ADP (445), Content Filter Screens (463), Content Filter Reports (483)[...]


  • Page 379

    CHAPTER 27 Application Patrol This chapter describes how to use application patrol for the ZyWALL. It provides an overview first and then introduces the screens. See Section 5.4.13 on page 119 for related information on these screens. 27.1 Application Patrol Overview Application patrol provides a convenient w[...]

  • Page 380

    Note: The ZyWALL allows the first eight packets to go through the firewall, regardless of the application patrol policy for the application. The ZyWALL examines these first eight packets to identify the application. The second approach is called service ports. In this approa[...]

  • Page 381

    27.4.1 Connection and Packet Directions Application patrol looks at the connection direction, that is, from which zone the connection was initiated and to which zone the connection is going. A connection has outbound and inbound packet flows. The ZyWALL controls the bandwidth of traf[...]

  • Page 382

    Figure 297 LAN to WAN, Outbound 200 kbps, Inbound 500 kbps 27.4.3 Bandwidth Management Priority The ZyWALL gives bandwidth to higher-priority traffic first, until it reaches its configured bandwidth rate. Then lower-priority traffic gets bandwidth. The ZyWALL uses a fairness-[...]

  • Page 383

    Figure 298 Bandwidth Management Behavior 27.4.5.1 Configured Rate Effect In the following table the configured rates total less than the available bandwidth and maximize bandwidth usage is disabled, so both servers get their configured rate. 27.4.5.2 Priority Effect Here the configured[...]

  • Page 384

    27.4.5.4 Priority and Over Allotment of Bandwidth Effect Server A has a configured rate that equals the total amount of available bandwidth and a higher priority. You should regard extreme over allotment of traffic with different priorities (as shown here) as a configuration er[...]

  • Page 385

    Figure 299 Application Patrol Bandwidth Management Example 27.5.1 Setting the Interface’s Bandwidth Use the interface screens to set the WAN zone interface’s upstream bandwidth to be equal to (or slightly less than) what the connected device can support. This example uses [...]

  • Page 386

    Figure 300 SIP Any to WAN Bandwidth Management Example 27.5.3 SIP WAN to Any Bandwidth Management Example You also create a policy for calls coming in from the SIP server on the WAN. It is the same as the SIP Any to WAN policy, but with the directions reversed (WAN to Any i[...]

  • Page 387

    • Third highest priority (3). • Disable maximize bandwidth usage since you do not want to give FTP more bandwidth. Figure 302 FTP WAN to DMZ Bandwidth Management Example 27.5.6 FTP LAN to DMZ Bandwidth Management Example • The LAN and DMZ zone interfaces are connected to Eth[...]

  • Page 388

    27.6 Other Applications Sometimes, the ZyWALL cannot identify the application. For example, the application might be a new application, or the packets might arrive out of sequence. (The ZyWALL does not reorder packets when identifying the application.) In these cases, you can [...]

  • Page 389

    Figure 304 AppPatrol > General The following table describes the labels in this screen. See Section 27.9.1 on page 391 for more information as well. Table 112 AppPatrol > General LABEL DESCRIPTION Enable Application Patrol Select this check box to turn on application patrol.[...]

  • Page 390

    27.9 Application Patrol Applications Use the application patrol Common, Instant Messenger, Peer to Peer, VoIP, or Streaming screen to manage traffic of individual applications. Use the Common screen (shown here as an example) to manage traffic of the most commonly use[...]

  • Page 391

    27.9.1 Application Patrol Edit Use this screen to edit the settings for an application. To access this screen, go to the application patrol Common, Instant Messenger, Peer to Peer, VoIP, or Streaming screen and click an application’s Edit icon. The screen displaye[...]

  • Page 392

    # This field is a sequential value, and it is not associated with a specific condition. Note: The ZyWALL checks conditions in the order they appear in the list. While this sequence does not affect the functionality, you might improve the performance of the ZyWALL by putting [...]

  • Page 393

    27.9.2 Application Patrol Policy Edit The Application Policy Edit screen allows you to edit a group of settings for an application. To access this screen, go to the application patrol Common, Instant Messenger, Peer to Peer, VoIP, or Streaming screen and click an applica[...]

  • Page 394

    Schedule Select a schedule that defines when the policy applies or select Create Object to configure a new one (see Chapter 37 on page 527 for details). Otherwise, select none to make the policy always effective. User Select a user name or user group to which to apply the policy.[...]

  • Page 395

    27.10 Other Protocol Screen The Other Protocol screen controls the default policy for TCP and UDP traffic that the ZyWALL cannot identify. In other words, you can control what the ZyWALL does when it does not recognize the application. This screen also allows you to add, edit, an[...]

  • Page 396

    The following table describes the labels in this screen. See Section 27.10.1 on page 397 for more information as well. Table 116 AppPatrol > Other LABEL DESCRIPTION Policy This table lists the policies configured for traffic which does not match an application. # This field i[...]

  • Page 397

    27.10.1 Other Configuration Add/Edit The Other Configuration Add/Edit screen allows you to create a new condition or edit an existing one. To access this screen, go to the Other Protocol screen (see Section 27.10 on page 395), and click either the Add icon or an Edit icon. Figure[...]

  • Page 398

    Schedule Select a schedule that defines when the policy applies or select Create Object to configure a new one (see Chapter 37 on page 527 for details). Otherwise, select any to make the policy always effective. User Select a user name or user group to which to apply the policy. [...]

  • Page 399

    27.11 Application Patrol Statistics This screen displays a bandwidth usage graph and statistics for selected protocols. Click AppPatrol > Statistics to open the following screen. 27.11.1 Application Patrol Statistics: General Setup Use the top of the AppPatrol > Stati[...]

  • Page 400

    The following table describes the labels in this screen. 27.11.2 Application Patrol Statistics: Bandwidth Statistics The middle of the AppPatrol > Statistics screen displays a bandwidth usage line graph for the selected protocols. Figure 311 AppPatrol > Statistics: Band[...]

  • Page 401

    Figure 312 AppPatrol > Statistics: Protocol Statistics The following table describes the labels in this screen. Table 119 AppPatrol > Statistics: Protocol Statistics LABEL DESCRIPTION Service This is the protocol. Click the expand icon (+) to display the statistics for e[...]

  • Page 402

    Forwarded Data (KB) This is how much of the application’s traffic the ZyWALL has sent (in kilobytes). Dropped Data (KB) This is how much of the application’s traffic the ZyWALL has discarded without notifying the client (in kilobytes). This traffic was dropped because it ma[...]

  • Page 403

    CHAPTER 28 Anti-Virus This chapter introduces and shows you how to configure the anti-virus scanner. See Section 5.4.14 on page 120 for related information on these screens. 28.1 Anti-Virus Overview A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs[...]

  • Page 404

    4 Once the virus is spread through the network, the number of infected networked computers can grow exponentially. 28.1.3 Types of Anti-Virus Scanner This section describes two types of anti-virus scanner: host-based and network-based. A host-based anti-virus (HAV) scanner is often sof[...]

  • Page 405

    Figure 313 ZyWALL Anti-virus Example The following describes the virus scanning process on the ZyWALL. 1 The ZyWALL first identifies SMTP, POP3, IMAP4, HTTP and FTP packets through standard ports. 2 If the packets are not session connection setup packets (such as SYN, ACK and FIN), the[...]

  • Page 406

    • Encrypted traffic. This could be password-protected files or VPN traffic where the ZyWALL is not the endpoint (pass-through VPN traffic). • Traffic through custom (non-standard) ports. The only exception is FTP traffic. The ZyWALL scans whatever port number is specified for FTP[...]

  • Page 407

    The following table describes the labels in this screen. Table 121 Anti-X > Anti-Virus > General LABEL DESCRIPTION Enable Anti-Virus and Anti-Spyware Select this check box to check traffic for viruses and spyware. The following table lists rules that define which traffic the ZyWA[...]

  • Page 408

    28.3.1 Anti-Virus Policy Edit Click the Add or Edit icon in the Anti-X > Anti-Virus > General screen to display the configuration screen as shown next. Figure 315 Anti-X > Anti-Virus > General > Edit The following table describes the labels in this screen. Released Date T[...]

  • Page 409

    Protocols to Scan Select which protocols of traffic to scan for viruses. FTP applies to traffic using the TCP port number specified for FTP in the ALG screen. HTTP applies to traffic using TCP ports 80, 8080 and 3128. SMTP applies to traffic using TCP port 25. POP3 applies to traffic us[...]

  • Page 410

    28.4 Anti-Virus Setting Click Anti-X > Anti-Virus > Setting to display the configuration screen as shown next. Figure 316 Anti-X > Anti-Virus > Setting Destroy compressed files that could not be decompressed Note: When you select this option, the ZyWALL deletes ZIP fil[...]

  • Page 411

    The following table describes the labels in this screen. Table 123 Anti-X > Anti-Virus > Setting LABEL DESCRIPTION Scan EICAR Select this option to have the ZyWALL check for the EICAR test file and treat it in the same way as a real virus file. The EICAR test file is a standardize[...]

  • Page 412

    28.5 Anti-Virus White List Add/Edit From the Anti-X > Anti-Virus > Setting screen, click a white list Add icon or Edit icon to display the following screen. Use this screen to create an anti-virus white list entry for a file pattern that should cause the ZyWALL to not scan a file [...]

  • Page 413

    28.6 Anti-Virus Black List Add/Edit From the Anti-X > Anti-Virus > Setting screen, click a black list Add icon or Edit icon to display the following screen. Use this screen to create an anti-virus black list entry for a file pattern that should cause the ZyWALL to log and delete a [...]

  • Page 414

    Figure 319 Anti-X > Anti-Virus > Signature: Search by Severity The following table describes the labels in this screen. Table 126 Anti-X > Anti-Virus > Signature LABEL DESCRIPTION Signatures Search Select the criteria on which to perform the search. Select By Name from the dr[...]

  • Page 415

    Severity This is the severity level of the anti-virus signature. Click the severity column header to sort your search results by ascending or descending severity. Category This column displays whether the signature is for identifying a virus or spyware. Click the column heading to sort[...]


  • Page 417

    CHAPTER 29 IDP This chapter introduces IDP (Intrusion, Detection and Prevention), IDP profiles, binding an IDP profile to a traffic direction, custom signatures and updating signatures. See Section 5.4.15 on page 120 for related information on these screens. 29.1 Introduction to IDP An IDP system can detect mal[...]

  • Page 418

    29.1.4 Signatures If a packet matches a signature, the action specified by the signature is taken. You can change the default signature actions in the profile screens. 29.2 Traffic Directions and Profiles A zone is a combination of ZyWALL interfaces and VPN connections for security. See the z[...]

  • Page 419

    Figure 320 Anti-X > IDP > General The following table describes the fields in this screen. Table 127 Anti-X > IDP > General LABEL DESCRIPTION General Setup Enable Signature Detection You must register for IDP service in order to use packet inspection signatures. If you don’t have [...]

  • Page 420

    29.4 Configuring IDP Bindings Click Anti-X > IDP > General and then an Add or Edit icon to display the following screen. Use this screen to bind an IDP profile to a traffic direction. (Icons) Click the Add icon in the heading row to add a new first entry. The Active icon displays whether t[...]

  • Page 421

    Figure 321 Anti-X > IDP > General > Add The following table describes the fields in this screen. 29.5 Introducing IDP Profiles An IDP profile is a set of packet inspection signatures. Packet inspection signatures examine packet content for malicious data. Packet inspection applies to OSI[...]

  • Page 422

    Figure 322 Base Profiles The following table describes this screen. 29.6 Profile Summary Screen Select Anti-X > IDP > Profile. Use this screen to: • Add a new profile • Edit an existing profile • Delete an existing profile Table 129 Base Profiles BASE PROFILE DESCRIPTION all All sign[...]

  • Page 423

    Figure 323 Anti-X > IDP > Profile The following table describes the fields in this screen. 29.7 Creating New Profiles You may want to create a new profile if not all signatures in a base profile are applicable to your network. In this case you should disable non-applicable signatures so as t[...]

  • Page 424

    Note: If Internet Explorer opens a warning screen about a script making Internet Explorer run slowly and the computer possibly becoming unresponsive, just click No to continue. 3 Type a new profile name. 4 Enable or disable individual signatures. 5 Edit the default log options and actions. 29.8 P[...]

  • Page 425

    Figure 324 Anti-X > IDP > Profile > Edit: Group View[...]

  • Page 426

    The following table describes the fields in this screen. Table 131 Anti-X > IDP > Profile > Group View LABEL DESCRIPTION Name This is the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This [...]

  • Page 427

    29.8.2 Policy Types This section describes IDP policy types, also known as attack types, as categorized in the ZyWALL. You may refer to these types when categorizing your own custom rules. Action Select what action the ZyWALL should take when a packet matches a signature here. original setti[...]

  • Page 428

    29.8.3 IDP Service Groups An IDP service group is a set of related packet inspection signatures. DoS/DDoS The goal of Denial of Service (DoS) attacks is not to steal information, but to disable a device or network on the Internet. A distributed denial-of-service (DDoS) attack is one in which mu[...]

  • Page 429

    The following figure shows the WEB_PHP service group that contains signatures related to attacks on web servers using PHP exploits. PHP (PHP: Hypertext Preprocessor) is a server-side HTML embedded scripting language that allows web developers to build dynamic websites. Logs and actions applied [...]

  • Page 430

    Figure 326 Anti-X > IDP > Profile: Query View The following table describes the fields in this screen. Table 134 Anti-X > IDP > Profile: Query View LABEL DESCRIPTION Name This is the name of the profile that you created in the IDP > Profiles > Group View screen. Switch to group[...]

  • Page 431

    29.8.5 Query Example This example shows a search with these criteria: • Severity: severe and high • Attack Type: DDoS • Platform: Windows 2000 and Windows XP computers • Service: Any • Actions: Any Figure 327 Query Example Search Criteria Search Click this button to begin the[...]

  • Page 432

    Figure 328 Query Example Search Results 29.9 Introducing IDP Custom Signatures Create custom signatures for new attacks or attacks peculiar to your network. Custom signatures can also be saved to/from your computer so as to share with others. You need some knowledge of packet headers and attack t[...]

  • Page 433

    Figure 329 IPv4 Packet Headers The header fields are discussed below: Table 135 IPv4 Packet Headers HEADER DESCRIPTION Version The value 4 indicates IP version 4. IHL IP Header Length is the number of 32-bit words forming the total length of the header (usually five). Type of Service The T[...]

  • Page 434

    29.10 Configuring Custom Signatures Select Anti-X > IDP > Custom Signatures. The first screen shows a summary of all custom signatures created. Click the SID or Name heading to sort. Click the Add icon to create a new signature or click the Edit icon to edit an existing signature. You can d[...]

  • Page 435

    The following table describes the fields in this screen. 29.10.1 Creating or Editing a Custom Signature Click the Add icon to create a new signature or click the Edit icon to edit an existing signature in the screen as shown in Figure 330 on page 434. A packet must match all items you configure i[...]

  • Page 436

    Figure 331 Anti-X > IDP > Custom Signatures > Add/Edit[...]

  • Page 437

    The following table describes the fields in this screen. Table 137 Anti-X > IDP > Custom Signatures > Add/Edit LABEL DESCRIPTION Name Type the name of your custom signature. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a n[...]

  • Page 438

    IP Options IP options is a variable-length list of IP options for a datagram that define IP Security Option, IP Stream Identifier (security and handling restrictions for the military), Record Route (have each router record its IP address), Loose Source Routing (specifies a list of IP addresses [...]

  • Page 439

    29.10.2 Custom Signature Example Before creating a custom signature, you must first clearly understand the vulnerability. 29.10.2.1 Understand the Vulnerability Check the ZyWALL logs when the attack occurs. Use web sites such as Google and SecurityFocus to get as much information about the [...]

  • Page 440

    29.10.2.2 Analyze Packets Then use a packet sniffer such as TCPdump or Ethereal to investigate some more. From the NetBIOS header you see that the first byte ‘00’ defines the message type. The next three bytes represent the length of data, so you can ignore it. Therefore enter |00| as the fi[...]

  • Page 441

    Figure 335 Example Custom Signature[...]

  • Page 442

    29.10.3 Applying Custom Signatures After you create your custom signature, it becomes available in the IDP service group category in the IDP > Profile > Packet Inspection screen. Custom signatures have an SID from 9000000 to 9999999. You can activate the signature, configure what action t[...]

  • Page 443

Figure 337 Custom Signature Log. 29.10.5 Snort Signatures. You may want to refer to open source Snort signatures when creating custom ZyWALL ones. Most Snort rules are written in a single line. Snort rules are divided into two logical sections, the rule header and the rule options, as shown in the [...]

  • Page 444

Note: Not all Snort functionality is supported in the ZyWALL.
ZyWALL field and the equivalent Snort keyword (continued):
Flow: flow
Flags: flags
Sequence Number: seq
Ack Number: ack
Window Size: window
Transport Protocol: UDP (in the Snort rule header)
Port: (in the Snort rule header)
Transport Protocol: ICMP
Type: itype
Code: icode
ID: icmp_id
Sequence Number: icm[...]
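The pages above describe the NetBIOS session header (a type byte followed by a three-byte length) and the Snort rule layout (a header followed by options in parentheses). The following Python is an added example written for this page, not code from the ZyXEL manual or from Snort: it splits a one-line rule into header and options, decodes the |..| hex escapes in content values, and applies each content with its offset and depth modifiers to a constructed NetBIOS message. The rule text (with SID 9000001, inside the custom-signature range given in 29.10.3) and the packet bytes are constructed for the example.

```python
"""Added example: split a one-line Snort-style rule into its header and
options, then apply the rule's content/offset/depth checks to a captured
NetBIOS session message whose first byte is the message type and whose
next three bytes are the data length. Not code from the ZyXEL manual or
from Snort; the rule and the packet below are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed rule: a NetBIOS session message (type 0x00) carrying SMB.
SAMPLE_RULE = (
    'alert tcp any any -> $HOME_NET 139 '
    '(msg:"NetBIOS session message carrying SMB"; '
    'flow:to_server,established; '
    'content:"|00|"; offset:0; depth:1; '
    'content:"|FF|SMB"; offset:4; depth:4; '
    'sid:9000001; rev:1;)'
)

# Constructed packet: 4-byte NetBIOS session header (type 0x00, length 4)
# followed by the SMB magic bytes.
SAMPLE_PAYLOAD = bytes.fromhex("00000004") + b"\xffSMB"


def split_rule(rule: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (header_fields, [(keyword, value), ...]) for a single-line rule."""
    head, _, rest = rule.partition("(")
    rest = rest.rstrip()
    if not rest.endswith(")"):
        raise ValueError("rule options must end with ')'")
    header = head.split()  # action proto src sport direction dst dport
    if len(header) != 7 or header[4] not in ("->", "<>"):
        raise ValueError("unexpected rule header: %r" % head)
    options: List[Tuple[str, str]] = []
    # Split on ';' only when it is outside double quotes.
    for opt in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', rest[:-1]):
        opt = opt.strip()
        if opt:
            key, _, value = opt.partition(":")
            options.append((key.strip(), value.strip()))
    return header, options


def decode_content(value: str) -> bytes:
    """Turn a content value such as "|FF|SMB" into bytes; text between |...| is hex."""
    parts = value.strip().strip('"').split("|")
    out = bytearray()
    for i, part in enumerate(parts):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def content_checks(options: List[Tuple[str, str]]) -> List[Dict]:
    """Group each content keyword with the offset/depth modifiers that follow it."""
    checks: List[Dict] = []
    for key, value in options:
        if key == "content":
            checks.append({"pattern": decode_content(value), "offset": 0, "depth": None})
        elif key in ("offset", "depth") and checks:
            checks[-1][key] = int(value)
    return checks


def payload_matches(payload: bytes, checks: List[Dict]) -> bool:
    """True when every content pattern is found inside its offset/depth window.
    As in Snort, depth counts bytes from the offset, not from the payload start."""
    for c in checks:
        start = c["offset"]
        end = len(payload) if c["depth"] is None else start + c["depth"]
        if payload.find(c["pattern"], start, end) < 0:
            return False
    return True


def netbios_session_header(payload: bytes) -> Tuple[int, int]:
    """Return (message_type, data_length) from the 4-byte NetBIOS session header."""
    if len(payload) < 4:
        raise ValueError("payload shorter than a NetBIOS session header")
    return payload[0], int.from_bytes(payload[1:4], "big")


def rule_matches(rule: str, payload: bytes) -> bool:
    """Apply only the rule's content checks (header fields are not evaluated here)."""
    _, options = split_rule(rule)
    return payload_matches(payload, content_checks(options))
```

Because the ZyWALL does not support every Snort option, keep only the content, offset and depth pieces when porting a rule, and check with a capture (as in 29.10.2.2) that the bytes you anchor on really are fixed for every variant of the attack.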

  • Page 445

CHAPTER 30 ADP. This chapter introduces ADP (Anomaly Detection and Prevention), anomaly profiles and binding an ADP profile to a traffic direction. See Section 5.4.16 on page 120 for related information on these screens. 30.1 Introduction to ADP. An ADP system can detect malicious or suspicious packets and respo[...]

  • Page 446

30.1.3 ADP on the ZyWALL. ADP on the ZyWALL protects against network-based intrusions. See Section 30.8 on page 450 and Section 30.9 on page 456 for more on the kinds of attacks that the ZyWALL can protect against. You can also create your own custom ADP rules. 30.2 Traffic Directions and Pro[...]

  • Page 447

The following table describes the labels in this screen. 30.4 Configuring Anomaly Profile Bindings. Click Anti-X > ADP > General and then an Add or Edit icon to display the following screen. Use this screen to bind an anomaly profile to a traffic direction. Table 139 Anti-X > ADP > Ge[...]

  • Page 448

Figure 339 Anti-X > ADP > General > Add. The following table describes the labels in this screen. 30.5 Introducing ADP Profiles. An ADP profile is a set of traffic anomaly rules and protocol anomaly rules. • Traffic anomaly rules look for abnormal behavior or events such as port scann[...]

  • Page 449

Figure 340 Base Profiles. These are the default base profiles at the time of writing. 30.6 Profile Summary Screen. Select Anti-X > ADP > Profile. Use this screen to:
• Add a new profile
• Edit an existing profile
• Delete an existing profile
Figure 341 Anti-X > ADP > Profile. The f[...]

  • Page 450

30.7 Creating New Profiles. You may want to create a new profile if not all rules in a base profile are applicable to your network. In this case you should disable non-applicable rules so as to improve ZyWALL ADP processing efficiency. You may also find that certain rules are triggering too [...]

  • Page 451

30.8.1 Port Scanning. An attacker scans device(s) to determine what types of network protocols or services a device supports. One of the most common port scanning tools in use today is Nmap. Many connection attempts to different ports (services) may indicate a port scan. These are some port scan ty[...]

  • Page 452

30.8.1.4 Filtered Port Scans. A filtered port scan may indicate that there were no network errors (ICMP unreachables or TCP RSTs) or that responses on closed ports have been suppressed. Active network devices, such as NAT routers, may trigger these alerts if they send out many connection attempts wi[...]

  • Page 453

30.8.2.3 TCP SYN Flood Attack. Usually a client starts a session by sending a SYN (synchronize) packet to a server. The receiver returns an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established[...]

  • Page 454

30.8.2.5 UDP Flood Attack. UDP is a connection-less protocol and it does not require any connection setup procedure to transfer data. A UDP flood attack is possible when an attacker sends a UDP packet to a random port on the victim system. When the victim system receives a UDP packet, it will det[...]
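To make the port scan and flood descriptions in 30.8 concrete, here is an added Python example (not ZyWALL code) that applies the two heuristics to constructed packet records: a source that touches many distinct ports on one host within a time window is reported as a scanner, and a destination port that receives a burst of TCP SYNs or UDP datagrams is reported as flooded. The windows, thresholds and sample addresses are assumptions chosen for the example.

```python
"""Added example: the two traffic-anomaly heuristics described in 30.8, a
port scan (one source probing many ports on one host) and SYN/UDP floods
(a burst of packets at one destination port), run over constructed flow
records. Not ZyWALL code; windows, thresholds and addresses are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Pkt:
    t: float         # arrival time in seconds
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    flags: str = ""  # TCP flags, e.g. "S" (SYN), "SA", "A", "R"


def detect_port_scan(pkts: List[Pkt], window: float = 5.0,
                     port_threshold: int = 10) -> Dict[Tuple[str, str], int]:
    """Return {(src, dst): max distinct ports} for pairs where one source
    touched at least port_threshold distinct ports within `window` seconds.
    Only TCP SYNs and UDP datagrams count as connection attempts."""
    attempts: Dict[Tuple[str, str], List[Tuple[float, int]]] = defaultdict(list)
    for p in pkts:
        if p.proto == "udp" or (p.proto == "tcp" and p.flags == "S"):
            attempts[(p.src, p.dst)].append((p.t, p.dport))
    alerts: Dict[Tuple[str, str], int] = {}
    for pair, ev in attempts.items():
        ev.sort()
        for i, (t0, _) in enumerate(ev):
            ports = {d for t, d in ev[i:] if t - t0 <= window}
            if len(ports) >= port_threshold:
                alerts[pair] = max(alerts.get(pair, 0), len(ports))
    return alerts


def detect_flood(pkts: List[Pkt], proto: str, window: float = 1.0,
                 threshold: int = 100) -> Dict[Tuple[str, int], int]:
    """Return {(dst, dport): max packets in any window} for targets that got
    at least `threshold` packets (TCP SYNs only for tcp) within `window`s.
    Sources are ignored because flood packets are usually spoofed."""
    arrivals: Dict[Tuple[str, int], List[float]] = defaultdict(list)
    for p in pkts:
        if p.proto != proto or (proto == "tcp" and p.flags != "S"):
            continue
        arrivals[(p.dst, p.dport)].append(p.t)
    alerts: Dict[Tuple[str, int], int] = {}
    for target, times in arrivals.items():
        times.sort()
        j = 0
        for i, t in enumerate(times):
            while t - times[j] > window:   # slide the window start forward
                j += 1
            count = i - j + 1
            if count >= threshold:
                alerts[target] = max(alerts.get(target, 0), count)
    return alerts


def build_sample_traffic() -> List[Pkt]:
    """Constructed traffic: one legitimate handshake, a 20-port scan,
    a 200-packet SYN flood from spoofed sources and a 150-packet UDP flood."""
    pkts = [Pkt(0.0, "10.0.0.7", "192.168.1.10", "tcp", 443, "S"),
            Pkt(0.01, "192.168.1.10", "10.0.0.7", "tcp", 50000, "SA"),
            Pkt(0.02, "10.0.0.7", "192.168.1.10", "tcp", 443, "A")]
    pkts += [Pkt(1.0 + 0.1 * i, "10.0.0.5", "192.168.1.10", "tcp", 1 + i, "S")
             for i in range(20)]
    pkts += [Pkt(10.0 + 0.0025 * i, "10.1.%d.%d" % (i // 256, i % 256),
                 "192.168.1.10", "tcp", 80, "S") for i in range(200)]
    pkts += [Pkt(20.0 + 0.005 * i, "10.0.0.9", "192.168.1.20", "udp", 53)
             for i in range(150)]
    return pkts
```

Note the difference in keys: scans are attributed per (source, destination) pair because the source is real, while floods are counted per destination port only, since the manual's point about SYN floods is that the sources are typically spoofed and never complete the handshake.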

  • Page 455

30.8.3 Profile > Traffic Anomaly Screen. Figure 345 Profiles: Traffic Anomaly[...]

  • Page 456

The following table describes the fields in this screen. 30.9 Profiles: Protocol Anomaly. Protocol anomaly is the third screen in an ADP profile. Protocol anomaly (PA) rules check for protocol compliance against the relevant RFC (Request for Comments). Table 143 ADP > Profile > Traffic A[...]

  • Page 457

Protocol anomaly detection includes HTTP Inspection, TCP Decoder, UDP Decoder and ICMP Decoder, where each category reflects the packet type inspected. Protocol anomaly rules may be updated when you upload new firmware. 30.9.1 HTTP Inspection and TCP/UDP/ICMP Decoders. The following table gives[...]

  • Page 458

OVERSIZE-CHUNK-ENCODING ATTACK: This rule is an anomaly detector for abnormally large chunk sizes. It picks up the Apache chunk encoding exploits and may also be triggered by HTTP tunneling that uses chunk encoding. OVERSIZE-REQUEST-URI-DIRECTORY ATTACK: This rule takes a non-zero posit[...]
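As an added example of the check behind OVERSIZE-CHUNK-ENCODING (not ZyWALL or Snort code), the following Python walks an HTTP chunked body and reports any chunk-size line that declares more than a configured limit. The 500000-byte limit and the two sample bodies are constructed for the example.

```python
"""Added example: detector for the condition behind OVERSIZE-CHUNK-ENCODING,
a chunk-size line in an HTTP chunked body that declares an abnormally large
chunk. Not the ZyWALL's or Snort's code; the limit and bodies are constructed."""
from typing import List, Tuple

MAX_CHUNK = 500_000  # assumed limit for "abnormally large"


def parse_chunked(body: bytes, max_chunk: int = MAX_CHUNK) -> Tuple[bytes, List[int]]:
    """Walk a chunked transfer-coding body. Returns (decoded data, list of
    oversize chunk sizes). Parsing stops at the first oversize chunk: the
    declared size is the signal, and the data need not be present, since an
    attacker can close the connection right after the size line."""
    decoded = bytearray()
    oversize: List[int] = []
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("chunk-size line not terminated")
        size_line = body[pos:eol].split(b";", 1)[0].strip()  # drop chunk extensions
        try:
            size = int(size_line, 16)
        except ValueError:
            raise ValueError("bad chunk size %r" % size_line)
        if size > max_chunk:
            oversize.append(size)
            break
        pos = eol + 2
        if size == 0:
            break                      # last-chunk; trailers are ignored here
        decoded += body[pos:pos + size]
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += size + 2
    return bytes(decoded), oversize


# Constructed bodies: a normal one, and one declaring a 0xFFFFFFF0-byte chunk,
# the kind of size that a signed 32-bit length field turns negative.
NORMAL_BODY = b"5\r\nhello\r\n6;ext=1\r\n world\r\n0\r\n\r\n"
ATTACK_BODY = b"FFFFFFF0\r\n" + b"A" * 32
```

The same parser also shows why the rule fires on HTTP tunneling: a legitimate tunnel that sends very large chunks is indistinguishable from the attack at this layer, so the limit, not the parser, is what you tune per profile (see 30.7).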

  • Page 459

30.9.2 Protocol Anomaly Configuration. In the Anti-X > ADP > Profile screen, click the Edit icon or click the Add icon and choose a base profile, then select the Protocol Anomaly tab. If you made changes to other screens belonging to this profile, make sure you have clicked OK or Save to save [...]

  • Page 460

Figure 346 Profiles: Protocol Anomaly[...]

  • Page 461

The following table describes the fields in this screen. Table 145 ADP > Profile > Protocol Anomaly. Name: This is the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value [...]

  • Page 462

[...]

  • Page 463

CHAPTER 31 Content Filter Screens. This chapter covers how to use the content filter feature to control web access. See Section 5.4.17 on page 120 for related information on these screens. 31.1 Content Filter Overview. Content filter allows you to block certain web features, such as cookies, and/or block access t[...]

  • Page 464

31.1.3 Content Filter Configuration Guidelines. You must configure an address object, a schedule object and a filtering profile before you can set up a content filter policy. When the ZyWALL receives an HTTP request, the content filter searches for a policy that matches the [...]

  • Page 465

Block web access when no policy is applied: Select this check box to stop users from accessing the Internet by default when their attempted access does not match a content filter policy. #: This column lists the index numbers of the content filter policies. Address: A content f[...]

  • Page 466

31.3 Content Filter Policy Screen. Click Anti-X > Content Filter > General > Add or Edit to open the Content Filter Policy screen. Use this screen to configure a content filter policy. A content filter policy defines which content filter profile should be applied, when [...]

  • Page 467

The following table describes the labels in this screen. 31.4 Content Filter Profile Screen. Click Anti-X > Content Filter > Filter Profile to open the Filter Profile screen. A content filter profile defines to which web services, web sites or web site categories access is[...]

  • Page 468

31.5 External Web Filtering Service. When you register for and enable the external web filtering service, your ZyWALL accesses an external database that has millions of web sites categorized based on content. You can have the ZyWALL block, block and/or log access to web sites[...]

  • Page 469

31.6 Content Filter Categories Screen. Click Anti-X > Content Filter > Filter Profile > Add or Edit to open the Categories screen. Use this screen to enable external database content filtering and select which web site categories to block and/or log. Note: You must reg[...]

  • Page 470

Figure 351 Anti-X > Content Filter > Filter Profile > Add. The following table describes the labels in this screen. Table 149 Anti-X > Content Filter > Filter Profile > Add. Name: Enter a descriptive name for this content filtering profile. [...]

  • Page 471

Enable External Web Filter Service: Enable external database content filtering to have the ZyWALL check an external database to find to which category a requested web page belongs. The ZyWALL then blocks or forwards access to the web page depending on the configuration of the re[...]

  • Page 472

Intimate Apparel/Swimsuit: Selecting this category excludes pages that contain images or offer the sale of swimsuits or intimate apparel or other types of suggestive clothing. It does not include pages selling undergarments as a subsection of other products offered. Nudity: Select[...]

  • Page 473

Arts/Entertainment: Selecting this category excludes pages that promote and provide information about motion pictures, videos, television, music and programming guides, books, comics, movie theatres, galleries, artists or reviews on entertainment. Business/Economy: Selecting t[...]

  • Page 474

Political/Activist Groups: Selecting this category excludes pages sponsored by or which provide information on political parties, special interest groups, or any organization that promotes change or reform in public policy, public opinion, social practice, or economic activiti[...]

  • Page 475

Open Image/Media Search: Selecting this category excludes pages with image or video search capabilities which return graphical results (i.e. thumbnail pictures) that include potentially pornographic content along with non-pornographic content (as defined in the Pornography ca[...]

  • Page 476

Sexuality/Alternative Lifestyles: Selecting this category excludes pages that provide information, promote, or cater to gays, lesbians, swingers, other sexual orientations or practices, or a particular fetish. This category does not include sites that are sexually gratuitous [...]

  • Page 477

31.7 Content Filter Customization Screen. Click Anti-X > Content Filter > Filter Profile > Add or Edit > Customization to open the Customization screen. You can create a list of good (allowed) web site addresses and a list of bad (blocked) web site addresses. You c[...]

  • Page 478

Figure 352 Anti-X > Content Filter > Filter Profile > Customization. The following table describes the labels in this screen. Table 150 Anti-X > Content Filter > Filter Profile > Customization. Filter Profile Name: Enter a descriptive name for [...]

  • Page 479

Allow Web traffic for trusted web sites only: When this box is selected, the ZyWALL blocks Web access to sites that are not on the Trusted Web Sites list. If they are chosen carefully, this is the most effective way to block objectionable material. Restricted Web Features: Se[...]

  • Page 480

31.8 Keyword Blocking URL Checking. The ZyWALL checks the URL’s domain name (or IP address) and file path separately when performing keyword blocking. The URL’s domain name or IP address is the characters that come before the first slash in the URL. For example, with th[...]
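An added Python example of the split described in 31.8 (not ZyWALL code): the characters before the first slash are tested against the keyword list as the domain name or IP address, and the rest as the file path. Decoding %XX sequences in the path before matching is an addition of this example, not documented ZyWALL behaviour, and the URLs and keywords are constructed.

```python
"""Added example of keyword blocking as described in 31.8: the domain name
(or IP address) before the first slash and the file path after it are
checked separately. Not ZyWALL code; percent-decoding the path first is an
addition of this example, and the sample URLs and keywords are constructed."""
from typing import List, Optional, Tuple
from urllib.parse import unquote


def split_url(url: str) -> Tuple[str, str]:
    """Return (domain_part, path). The domain part is everything before the
    first slash once an http:// or https:// prefix is removed, so a port
    such as host:8080 stays with the domain, as the manual's rule implies."""
    rest = url.strip()
    for scheme in ("http://", "https://"):
        if rest.lower().startswith(scheme):
            rest = rest[len(scheme):]
            break
    domain, slash, path = rest.partition("/")
    return domain.lower(), ("/" + path) if slash else "/"


def keyword_match(url: str, keywords: List[str]) -> Optional[Tuple[str, str]]:
    """Return ("domain", kw) or ("path", kw) for the first blocked keyword
    found in its respective part, or None when the URL is allowed."""
    domain, path = split_url(url)
    path = unquote(path).lower()   # assumption: decode %XX so cas%69no is caught
    for kw in keywords:
        k = kw.lower()
        if k in domain:
            return ("domain", kw)
        if k in path:
            return ("path", kw)
    return None


def first_blocked(urls: List[str], keywords: List[str]) -> List[Tuple[str, str, str]]:
    """Evaluate a batch of requests, returning (url, part, keyword) for each block."""
    hits = []
    for u in urls:
        m = keyword_match(u, keywords)
        if m:
            hits.append((u, m[0], m[1]))
    return hits
```

Because the check is a plain substring test on each part, a keyword such as "sex" also blocks "essex" in a domain name; list keywords as specifically as the content allows and keep trusted sites on the Trusted Web Sites list (31.7) when a false positive matters.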

  • Page 481

Please see Section 32.2 on page 488 for how to submit a web site that has been incorrectly categorized. Figure 353 Anti-X > Content Filter > Cache. The following table describes the labels in this screen. Table 151 Anti-X > Content Filter > Cache. URL[...]

  • Page 482

Page x of x: This is the number of the page of entries currently displayed and the total number of pages of entries. Type a page number to go to or use the arrows to navigate the pages of entries. #: This is the index number of a categorized web site address record. Category: Thi[...]

  • Page 483

CHAPTER 32 Content Filter Reports. This chapter describes how to view content filtering reports after you have activated the category-based content filtering subscription service. See Chapter 8 on page 165 on how to create a myZyXEL.com account, register your device and activate the subscription services. 32.1 V[...]

  • Page 484

ZyWALL using the Rename button in the Service Management screen (see Figure 356 on page 484). Figure 355 myZyXEL.com: Welcome. 4 In the Service Management screen click Content Filter in the Service Name field to open the Blue Coat login screen. Figure 356 myZyXEL.com: Service M[...]

  • Page 485

6 Click Submit. Figure 357 Blue Coat: Login. 7 In the Web Filter Home screen, click the Reports tab. Figure 358 Blue Coat Content Filter Reports Main Screen. 8 Select items under Global Reports or Single User Reports to view the corresponding reports.[...]

  • Page 486

Figure 359 Blue Coat: Report Home. 9 Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report. The screens vary according to the repo[...]

  • Page 487

Figure 360 Global Report Screen Example. 11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.[...]

  • Page 488

Figure 361 Requested URLs Example. 32.2 Web Site Submission. You may find that a web site has not been accurately categorized or that a web site’s contents have changed and the content filtering category needs to be updated. Use the following procedure to submit the web sit[...]

  • Page 489

Figure 362 Web Page Review Process Screen. 3 Type the web site’s URL in the field and click Submit to have the web site reviewed.[...]

  • Page 490

[...]

  • Page 491

PART V Device HA & Objects: Device HA (493), User/Group (503), Addresses (515), Services (521), Schedules (527), AAA Server (531), Authentication Objects (541), Certificates (545), ISP Accounts (563), SSL Application (567)[...]

  • Page 492

[...]

  • Page 493

CHAPTER 33 Device HA. Use device HA and Virtual Router Redundancy Protocol (VRRP) to increase network reliability. See Section 5.4.8 on page 117 for related information on these screens. 33.1 Virtual Router Redundancy Protocol (VRRP) Overview. Every computer on a network may send packets to a default gateway[...]

  • Page 494

Note: Every router in a virtual router must use the same advertisement interval. If Router A becomes unavailable, it stops sending messages to Router B. Router B detects this and assumes the role of the master router. This is illustrated below. Figure 364 Example: VRRP, Master Becomes U[...]

  • Page 495

33.1.1 Additional VRRP Notes. • It is possible to set up two virtual routers so that they back up each other. • VRRP uses IP protocol 112. 33.2 VRRP Group Overview. In the ZyWALL, you should create a VRRP group to add one of its interfaces to a virtual router. You can add any Ethern[...]
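An added example (not ZyWALL code) of the VRRP advertisement that a master sends on IP protocol 112 and that a backup stops receiving when the master fails. It builds and parses a VRRP version 2 advertisement as laid out in RFC 3768, including the checksum, and computes the Master_Down_Interval from the advertisement interval and the backup's priority, which is the timer behind the failover in Figure 364. The VRID, priority and virtual address are constructed.

```python
"""Added example: build and parse a VRRP version 2 advertisement (RFC 3768,
carried in IP protocol 112) and compute the interval after which a backup
declares the master dead. Not ZyWALL code; VRID, priority and addresses
below are constructed."""
import ipaddress
import struct
from typing import Dict, List

VRRP_PROTOCOL = 112
VRRP_VERSION = 2
ADVERTISEMENT = 1


def inet_checksum(data: bytes) -> int:
    """Standard one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid: int, priority: int, adver_int: int,
                        addrs: List[str]) -> bytes:
    """VRRPv2 header: version/type, VRID, priority, address count, auth type
    (0 = none), advertisement interval in seconds, checksum; then the virtual
    IPv4 addresses and 8 bytes of unused authentication data.
    Priority 0 is reserved for a master announcing that it is stepping down."""
    if not 1 <= vrid <= 255 or not 0 <= priority <= 255:
        raise ValueError("VRID is 1..255 and priority is 0..255")
    header = struct.pack("!BBBBBBH", (VRRP_VERSION << 4) | ADVERTISEMENT,
                         vrid, priority, len(addrs), 0, adver_int, 0)
    body = b"".join(ipaddress.IPv4Address(a).packed for a in addrs) + b"\x00" * 8
    pkt = bytearray(header + body)
    struct.pack_into("!H", pkt, 6, inet_checksum(bytes(pkt)))
    return bytes(pkt)


def parse_advertisement(pkt: bytes) -> Dict:
    """Validate the checksum and decode the fields a backup router acts on."""
    if len(pkt) < 16 or inet_checksum(pkt) != 0:
        raise ValueError("truncated advertisement or bad checksum")
    vt, vrid, priority, count, auth_type, adver_int, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != VRRP_VERSION or vt & 0x0F != ADVERTISEMENT:
        raise ValueError("not a VRRPv2 advertisement")
    addrs = [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": priority, "adver_int": adver_int,
            "auth_type": auth_type, "addrs": addrs}


def master_down_interval(adver_int: int, priority: int) -> float:
    """RFC 3768: Skew_Time = (256 - priority) / 256 and
    Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time.
    A backup computes this from its own configured interval, which is why
    every router in the virtual router must use the same value; a higher
    priority gives a shorter skew, so the best backup takes over first."""
    return 3 * adver_int + (256 - priority) / 256
```

VRRPv2 advertisements carry no usable authentication (the auth type field is zero and the authentication data is ignored by RFC 3768 implementations), so anything on the LAN segment that can send protocol 112 to 224.0.0.18 with a higher priority can take over the virtual address; the group interface should be on a segment you trust or filtered accordingly.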

  • Page 496

33.2.1 Link Monitoring and Remote Management. With link monitoring enabled, a backup ZyWALL that takes over for an unavailable master ZyWALL takes over all of the master ZyWALL’s static IP addresses. This way the backup ZyWALL takes over all of the master ZyWALL’s functions. Howev[...]

  • Page 497

Figure 366 Device HA > VRRP Group. The following table describes the labels in this screen. See Section 33.5 on page 498 for more information as well. Table 152 Device HA > VRRP Group. Refresh: Click this button to update the information in this screen. #: This field is [...]

  • Page 498

33.5 VRRP Group Add/Edit. The VRRP Group Add/Edit screen allows you to add VRRP groups to the ZyWALL or to edit the configuration of an existing VRRP group. • You can only use interfaces that have static IP addresses. In addition, you should set the static IP address to the IP address o[...]

  • Page 499

VRID: Type the virtual router ID number. Description: Type the description of the VRRP group. This field is only for your reference. It may be up to sixty printable ASCII characters long. VRRP Interface: Select the interface in this device that is part of the virtual router. You can onl[...]

  • Page 500

33.6 Synchronization Overview. In a virtual router, backup routers do not automatically get configuration updates from the master router. In this case, the master ZyWALL can send these updates to backup ZyWALLs. This is called synchronization. During synchronization, the master ZyW[...]

  • Page 501

Note: You must subscribe to services on the backup ZyWALL before synchronizing it with the master ZyWALL. 33.6.2 Synchronize Screen. Use this screen if you want the ZyWALL to get or to send updated IDP signatures and configuration information in the virtual router. Note: You can only[...]

  • Page 502

Sync. Now: Click this button to get updated certificates, AV signatures, IDP and application patrol signatures, system protect signatures, and configuration information from the specified ZyWALL router. Note: If the new configuration is different from the existing one on this backup Zy[...]

  • Page 503

CHAPTER 34 User/Group. This chapter describes how to set up user accounts, user groups, and user settings for the ZyWALL. You can also set up rules that control when users have to log in to the ZyWALL before the ZyWALL routes traffic for them. See Section 5.5.1 on page 122 for related information on these [...]

  • Page 504

34.1.2 Ext-User Accounts. Set up an Ext-User account if the user is authenticated by an external server and you want to set up specific policies for this user in the ZyWALL. If you do not want to set up policies for this user, you do not have to set up an Ext-User account. Ext-User user[...]

  • Page 505

34.1.2.2 Creating a Large Number of Ext-User Accounts. If you plan to create a large number of Ext-User accounts, you might use CLI commands, instead of the web configurator, to create the accounts. Extract the user names from the LDAP or RADIUS server, and create a shell script that creates[...]

  • Page 506

Note: This works with HTTP traffic only. The ZyWALL does not force users to log in before it routes other kinds of traffic. The ZyWALL does not automatically route the request that prompted the login, however, so users have to make this request again. 34.2 User Summary. The User s[...]

  • Page 507

Figure 372 User/Group > User > Edit. The following table describes the labels in this screen. Table 158 User/Group > User > Edit. User Name: Type the user name for this user account. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but[...]

  • Page 508

34.2.1.1 Rules for User Names. Enter a user name from 1 to 31 characters. The user name can only contain the following characters: • Alphanumeric A-Z a-z 0-9 (there is no Unicode support) • _ [underscores] • - [dashes]. The first character must be alphabetical (A-Z a-z), an underscore (_[...]

  • Page 509

34.3.1 Group Add/Edit. The Group Add/Edit screen allows you to create a new user group or edit an existing one. To access this screen, go to the Group screen (see Section 34.3 on page 508), and click either the Add icon or an Edit icon. Figure 374 User/Group > Group > Add. The foll[...]

  • Page 510

34.4 Setting Screen. The Setting screen controls default settings, login settings, lockout settings, and other user settings for the ZyWALL. You can also use this screen to specify when users must log in to the ZyWALL before it routes traffic for them. To access this screen, log in to [...]

  • Page 511

User Logon Setting. Limit ... for administration account: Select this check box if you want to set a limit on the number of simultaneous logins by admin users. If you do not select this, admin users can log in as many times as they want at the same time using the same or different IP addres[...]

  • Page 512

34.4.1 Force User Authentication Policy Add/Edit. Use this screen to specify a condition when users must log in or do not have to log in to the ZyWALL before their HTTP traffic can pass through the ZyWALL. Figure 376 User/Group > Setting > Force User Authentication Policy > A[...]

  • Page 513

The following table describes the labels in this screen. 34.5 Web Configurator for Non-Admin Users. Access users cannot use the Web configurator to browse the configuration of the ZyWALL. Instead, when access users log in to the ZyWALL (forced in the screen as shown in Figure 375 on pag[...]

  • Page 514

The following table describes the labels in this screen. Table 164 Web Configurator for Non-Admin Users. User-defined lease time (max ... minutes): Access users can specify a lease time shorter than or equal to the one that you specified. The default value is the lease ti[...]

  • Page 515

CHAPTER 35 Addresses. This chapter describes how to set up addresses and address groups for the ZyWALL. See Section 5.5 on page 122 for related information on these screens. 35.1 Addresses Overview. Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of addr[...]

  • Page 516

Figure 378 Object > Address > Address. The following table describes the labels in this screen. See Section 35.2.2 on page 516 for more information as well. 35.2.2 Address Add/Edit. The Address Add/Edit screen allows you to create a new address or edit an existing one. To access this s[...]

  • Page 517

The following table describes the labels in this screen. 35.3 Address Group Screens. Use the Address Group summary screen and the Address Group Add/Edit screen to maintain address groups in the ZyWALL. 35.3.1 Address Group Summary. The Address Group screen provides a summary of all addre[...]

  • Page 518

The following table describes the labels in this screen. See Section 35.3.2 on page 518 for more information as well. 35.3.2 Address Group Add/Edit. The Address Group Add/Edit screen allows you to create a new address group or edit an existing one. To access this screen, go to the Address G[...]

  • Page 519

Available: This field displays the names of the address and address group objects that can be added to the address group. Select address and address group objects that you want to be members of this group and click the right arrow to add them to the member list. Member: This field displays t[...]

  • Page 520

[...]

  • Page 521

CHAPTER 36 Services. Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features. See Section 5.5 on page 122 for related information on these screens. 36.1 Services Overview. See Appendix C on pag[...]

  • Page 522

• UDP applications • ICMP messages • user-defined services (for other types of IP protocols). These objects are used in policy routes, firewall rules, and IDP profiles. Use service groups when you want to create the same rule for several services, instead of creating separate rules f[...]

  • Page 523

36.2.1 Service Add/Edit. The Service Add/Edit screen allows you to create a new service or edit an existing one. To access this screen, go to the Service screen (see Section 36.2 on page 522), and click either the Add icon or an Edit icon. Figure 383 Object > Service > Service > Edit[...]

  • Page 524

36.3 Service Group Summary Screen. The Service Group summary screen provides a summary of all service groups. In addition, this screen allows you to add, edit, and remove service groups. To access this screen, log in to the web configurator, and click Object > Service > Service Group.[...]

  • Page 525

Figure 385 Object > Service > Service Group > Edit. The following table describes the labels in this screen. Table 172 Object > Service > Service Group > Edit. Name: Enter the name of the service group. You may use 1-31 alphanumeric characters, underscores (_[...]

  • Page 526

[...]

  • Page 527

CHAPTER 37 Schedules. Use schedules to set up one-time and recurring schedules for policy routes, firewall rules, application patrol, and content filtering. See Section 5.5 on page 122 for related information on these screens. 37.1 Schedule Overview. The ZyWALL supports two types of schedules: one-time and recur[...]

  • Page 528

Figure 386 Object > Schedule. The following table describes the labels in this screen. See Section 37.2.2 on page 528 and Section 37.2.3 on page 529 for more information as well. 37.2.2 One-Time Schedule Add/Edit. The One-Time Schedule Add/Edit screen allows you to define a one-time sc[...]

  • Page 529

Figure 387 Object > Schedule > Edit (One Time). The following table describes the labels in this screen. 37.2.3 Recurring Schedule Add/Edit. The Recurring Schedule Add/Edit screen allows you to define a recurring schedule or edit an existing one. To access this screen, go to the Schedu[...]

  • Page 530

Figure 388 Object > Schedule > Edit (Recurring). The Year, Month, and Day columns are not used in recurring schedules and are disabled in this screen. The following table describes the remaining labels in this screen. Table 175 Object > Schedule > Edit (Recurring). LABEL DESC[...]

  • Page 531

CHAPTER 38 AAA Server. This chapter introduces and shows you how to configure the ZyWALL to use external authentication servers. 38.1 AAA Server Overview. You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The following lists the types of authentic[...]

  • Page 532

5 Configure the ASAS as a RADIUS server in the ZyWALL’s Object > AAA Server screens. 6 Give the OTP tokens to (local or remote) users. 38.1.2 User Authentication Method. You can select to authenticate users using the local user database and/or a specified authentication server. By [...]

  • Page 533

Figure 390 Basic Directory Structure. 38.2.2 Distinguished Name (DN). A DN uniquely identifies an entry in a directory. A DN consists of attribute-value pairs separated by commas. The leftmost attribute is the Relative Distinguished Name (RDN). This provides a unique name for entries that [...]
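An added Python example (not ZyWALL code) of how a DN is taken apart into its RDNs as described above: it splits on unescaped commas, handles multi-valued RDNs joined with "+", resolves the RFC 4514 escapes (a backslash before a special character, or a backslash followed by two hex digits), and checks whether an entry lies under a base DN, which is the test a base DN setting implies. The DNs are constructed.

```python
"""Added example: split an LDAP distinguished name into its RDNs (leftmost
first), following the RFC 4514 escaping rules for commas, plus signs and
backslash-hex pairs inside values. Not ZyWALL code; the DNs are constructed."""
from typing import List, Tuple

HEX = set("0123456789abcdefABCDEF")


def split_unescaped(text: str, sep: str) -> List[str]:
    """Split on `sep`, skipping any character preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])   # keep the escape pair intact for now
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def unescape(value: str) -> str:
    """Resolve backslash-X (literal special character) and backslash-XX (hex
    byte) escapes; consecutive hex bytes are decoded together as UTF-8."""
    out: List[str] = []
    buf = bytearray()
    i = 0

    def flush() -> None:
        if buf:
            out.append(buf.decode("utf-8"))
            buf.clear()

    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= HEX:
                buf.append(int(pair, 16))
                i += 3
                continue
            flush()
            out.append(value[i + 1])
            i += 2
            continue
        flush()
        out.append(value[i])
        i += 1
    flush()
    return "".join(out)


def parse_dn(dn: str) -> List[List[Tuple[str, str]]]:
    """Return the RDNs left to right; each RDN is a list of (attribute, value)
    pairs because an RDN may be multi-valued (cn=a+sn=b)."""
    rdns = []
    for rdn_text in split_unescaped(dn, ","):
        pairs = []
        for ava in split_unescaped(rdn_text, "+"):
            attr, eq, val = ava.partition("=")
            if not eq or not attr.strip():
                raise ValueError("malformed RDN: %r" % ava)
            pairs.append((attr.strip().lower(), unescape(val.strip())))
        rdns.append(pairs)
    return rdns


def rdn(dn: str) -> List[Tuple[str, str]]:
    """The leftmost component, unique among the entries under the same parent."""
    return parse_dn(dn)[0]


def parent_dn(dn: str) -> str:
    """Everything after the leftmost unescaped comma (the entry's superior)."""
    return ",".join(split_unescaped(dn, ",")[1:])


def is_under(dn: str, base: str) -> bool:
    """True when `dn` lies in the subtree rooted at `base`."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b
```

Comparing parsed components rather than raw strings matters: "OU=Sales,DC=example,DC=com" and "ou=sales, dc=example, dc=com" name the same entry, and a value such as "Smith\, John" contains a comma that a naive split would treat as a separator.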

  • Page 534

Figure 391 Object > AAA Server > Active Directory (or LDAP) > Default. The following table describes the labels in this screen. 38.3 Active Directory or LDAP Group Summary. You can configure a group of AD or LDAP servers in the Active Directory (or LDAP) > Group screen. This is[...]

  • Page 535

1 Click Object > AAA Server > Active Directory (or LDAP) > Group to display the screen. Figure 392 Object > AAA Server > Active Directory (or LDAP) > Group. The following table describes the labels in this screen. 2 Click the Add icon or an Edit icon to display the configura[...]

  • Page 536

The following table describes the labels in this screen. 38.4 RADIUS Server. RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external server instead of (or in addition to) an internal device user database tha[...]

  • Page 537

    Chapter 38 AAA Server Figure 394 RADIUS Server Network Example 38.5 Configuring a Default RADIUS Server To configure the default external RADIUS server to use for user authentication, click Object > AAA Server > RADIUS to display the screen as shown. Figure 395 Object > AAA Server > RADIUS > Defa[...]

  • Page 538

    Chapter 38 AAA Server 38.6 Configuring a Group of RADIUS Servers You can configure a group of RADIUS servers in the RADIUS > Group screen. This is useful if you have more than one authentication server for user authentication in a network. 1 Click Object > AAA Server > RADIUS > Group to display the [...]

  • Page 539

    Chapter 38 AAA Server The following table describes the labels in this screen. Table 181 Object > AAA Server > RADIUS > Group > Add LABEL DESCRIPTION Configuration All RADIUS servers in a group share the same settings in the fields below. Name Enter a descriptive name (up to 63 alphanumeric charact[...]


  • Page 541

    CHAPTER 39 Authentication Objects This chapter shows you how to select different authentication methods for user authentication using the AAA servers or the internal user database. 39.1 Authentication Objects Overview After you have created the AAA server objects in the AAA Server screens, you can specify th[...]

  • Page 542

    Chapter 39 Authentication Objects 39.3 Creating an Authentication Object Follow the steps below to create an authentication object. 1 Click Object > Auth. Method. 2 Click Add. 3 Specify a descriptive name for identification purposes in the Name field. You may use 1-31 alphanumeric characters, underscores[...]

  • Page 543

    Chapter 39 Authentication Objects The following table describes the labels in this screen. 39.3.1 Example: Selecting a VPN Authentication Method After you set up an authentication method in the Auth. Method screens, you can use it in the VPN Gateway screen to authenticate VPN users for establishing a VPN conne[...]

  • Page 544

    Chapter 39 Authentication Objects Figure 400 Example: Using Authentication Method in VPN[...]

  • Page 545

    CHAPTER 40 Certificates This chapter gives background information about public-key certificates and explains how to use the Certificates screens. See Section 5.5 on page 122 for related information on these screens. 40.1 Certificates Overview The ZyWALL can use certificates (also called digital IDs) to authen[...]

  • Page 546

    Chapter 40 Certificates Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyWALL can check a peer’s certificate against[...]

  • Page 547

    Chapter 40 Certificates Note: Be careful to not convert a binary file to text during the transfer process. It is easy for this to occur since many programs use text files by default. 40.4 Certificate Configuration Screens Summary This section summarizes how to manage certificates on the ZyWALL. Use the My Certi[...]

  • Page 548

    Chapter 40 Certificates Figure 402 Certificate Details 4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS conne[...]

  • Page 549

    Chapter 40 Certificates The following table describes the labels in this screen. 40.6.1 My Certificates Add Screen Click Object > Certificate > My Certificates and then the Add icon to open the My Certificates Add screen. Use this screen to have the ZyWALL create a self-signed certificate, enroll a certific[...]

  • Page 550

    Chapter 40 Certificates Figure 404 Object > Certificate > My Certificates > Add The following table describes the labels in this screen. Table 185 Object > Certificate > My Certificates > Add LABEL DESCRIPTION Name Type a name to identify this certificate. You can use up to 31 alphanumeric [...]

  • Page 551

    Chapter 40 Certificates Organization Identify the company or group to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore. Country Identify the nation where the certificate owner is located. You can use up to 31 character[...]

  • Page 552

    Chapter 40 Certificates If you configured the My Certificate Create screen to have the ZyWALL enroll a certificate and the certificate enrollment is not successful, you see a screen with a Return button that takes you back to the My Certificate Create screen. Click Return and check your information in the My C[...]

  • Page 553

    Chapter 40 Certificates Figure 405 Object > Certificate > My Certificates > Edit The following table describes the labels in this screen. Table 186 Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificate. You can use up [...]

  • Page 554

    Chapter 40 Certificates Type This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate’s owner signed the certificate (not a certification authority). “X.509” means that this certificate[...]

  • Page 555

    Chapter 40 Certificates 40.6.3 My Certificate Import Screen Click Object > Certificate > My Certificates > Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to the ZyWALL. Note: You can import a certificate that matches a correspo[...]

  • Page 556

    Chapter 40 Certificates The following table describes the labels in this screen. 40.7 Trusted Certificates Screen Click Object > Certificate > Trusted Certificates to open the Trusted Certificates screen. This screen displays a summary list of certificates that you have set the ZyWALL to accept as trus[...]

  • Page 557

    Chapter 40 Certificates 40.8 Trusted Certificates Edit Screen Click Object > Certificate > Trusted Certificates and then a certificate’s Edit icon to open the Trusted Certificates Edit screen. Use this screen to view in-depth information about the certificate, change the certificate’s name and set [...]

  • Page 558

    Chapter 40 Certificates Figure 408 Object > Certificate > Trusted Certificates > Edit The following table describes the labels in this screen. Table 189 Object > Certificate > Trusted Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificate. Y[...]

  • Page 559

    Chapter 40 Certificates Refresh Click Refresh to display the certification path. Enable X.509v3 CRL Distribution Points and OCSP checking Select this check box to have the ZyWALL check incoming certificates that are signed by this certificate against a Certificate Revocation List (CRL) or an OCSP server. You [...]

  • Page 560

    Chapter 40 Certificates 40.9 Trusted Certificates Import Screen Click Object > Certificate > Trusted Certificates > Import to open the Trusted Certificates Import screen. Follow the instructions in this screen to save a trusted certificate to the ZyWALL. Note: You must remove any spaces from the[...]

  • Page 561

    Chapter 40 Certificates Figure 409 Object > Certificate > Trusted Certificates > Import The following table describes the labels in this screen. Table 190 Object > Certificate > Trusted Certificates > Import LABEL DESCRIPTION File Path Type in the location of the file you want to uploa[...]


  • Page 563

    CHAPTER 41 ISP Accounts Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE/PPTP interfaces. See Section 5.5 on page 122 for related information on these screens. 41.1 ISP Accounts Overview An ISP account is a profile of settings for Internet access using PPPoE or PPTP.[...]

  • Page 564

    Chapter 41 ISP Accounts 41.3 ISP Account Edit The ISP Account Edit screen lets you add information about new accounts and edit information about existing accounts. To open this window, open the ISP Account screen. (See Section 41.2 on page 563.) Then, click on an Add icon or Edit icon to open the ISP Account[...]

  • Page 565

    Chapter 41 ISP Accounts Encryption Method This field is available if this ISP account uses the PPTP protocol. Use the drop-down list box to select the type of Microsoft Point-to-Point Encryption (MPPE). Options are: nomppe - This ISP account does not use MPPE. mppe-40 - This ISP account uses 40-bit MPPE. mpp[...]


  • Page 567

    CHAPTER 42 SSL Application This chapter describes how to configure SSL application objects for use in SSL VPN. 42.1 SSL Application Overview Configure an SSL application object to specify a service and a corresponding IP address of the server on the local network. You can apply one or more SSL application obj[...]

  • Page 568

    Chapter 42 SSL Application The following table describes the labels in this screen. 42.3 Creating/Editing an SSL Application To create or edit an SSL application object, click the Add or Edit button in the SSL Application screen. There are two types of SSL applications: web-based and file sharing. 42.3.1 Web-b[...]

  • Page 569

    Chapter 42 SSL Application The following table describes the labels in this screen. 42.3.2 Example: Specifying a Web Site for Access This example shows you how to create a web-based application for an internal web site. The address of the web site is http://info with web page encryption. 1 Click Object > SSL [...]

  • Page 570

    Chapter 42 SSL Application 7 Click Apply to save the settings. The configuration screen should look similar to the following figure. Figure 414 Example: SSL Application: Specifying a Web Site for Access 42.3.3 Configuring File Sharing You can specify the name of a folder on a file server (Linux or Windows) w[...]

  • Page 571

    Chapter 42 SSL Application Note: You must then configure the shared folder on the file server for remote access. Refer to the document that comes with your file server. Shared Path Specify the IP address, domain name or NetBIOS name (computer name) of the file server and the name of the share to which you wa[...]


  • Page 573

    573 PART VI System: System (575), Service Control (587)[...]


  • Page 575

    CHAPTER 43 System This chapter provides information on the general system screens. See Chapter 44 on page 587 for details on the system screens that control service access. 43.1 System Overview The system screens can help you configure general ZyWALL information, the system time and the console port connection[...]

  • Page 576

    Chapter 43 System 43.3 Time and Date This section shows you how: 1 To manually set the ZyWALL date and time. 2 To get the ZyWALL date and time from a time server. For effective scheduling and logging, the ZyWALL system time must be accurate. The ZyWALL’s Real Time Chip (RTC) keeps track of the time[...]

  • Page 577

    Chapter 43 System Manual Select this radio button to enter the time and date manually. If you configure a new time and date, time zone and daylight saving at the same time, the time zone and daylight saving will affect the new time and date you entered. When you enter the time settings manually, the ZyWALL u[...]

  • Page 578

    Chapter 43 System 43.3.1 Pre-defined NTP Time Servers List When you turn on the ZyWALL for the first time, the date and time start at 2003-01-01 00:00:00. The ZyWALL then attempts to synchronize with one of the following pre-defined list of Network Time Protocol (NTP) time servers. The ZyWALL continues t[...]

  • Page 579

    Chapter 43 System Figure 418 Synchronization in Process The Current Time and Current Date fields will display the appropriate settings if the synchronization is successful. If the synchronization was not successful, a log displays in the View Log screen. Try reconfiguring the Date/Time screen. To manuall[...]

  • Page 580

    Chapter 43 System Figure 419 System > Console Port Speed The following table describes the labels in this screen. 43.5 DNS Overview DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know th[...]

  • Page 581

    Chapter 43 System Figure 420 System > DNS The following table describes the labels in this screen. Table 200 System > DNS LABEL DESCRIPTION Address/PTR Record This record specifies the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example[...]

  • Page 582

    Chapter 43 System From This displays whether the DNS server IP address is assigned by the ISP dynamically through a specified interface or configured manually. DNS Server This is the IP address of a DNS server. This field displays N/A if you have the ZyWALL get a DNS server IP address from the ISP dynamical[...]

  • Page 583

    Chapter 43 System 43.5.4 Address Record An address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain,[...]

  • Page 584

    Chapter 43 System 43.5.7 Domain Zone Forwarder A domain zone forwarder contains a DNS server’s IP address. The ZyWALL can query the DNS server to resolve domain zones for features like VPN, DDNS and the time server. A domain zone is a fully qualified domain name without the host. For example, zyxel.com.t[...]

  • Page 585

    Chapter 43 System 43.5.9 MX Record An MX (Mail eXchange) record indicates which host is responsible for the mail for a particular domain, that is, controls where mail is sent for that domain. If you do not configure proper MX records for your domain or other domain, external e-mail from other mail servers will[...]

  • Page 586

    Chapter 43 System The following table describes the labels in this screen. 43.6 Language Screen Click System > Language to open the following screen. Use this screen to select a display language for the ZyWALL’s web configurator screens. Figure 425 System > Language The following table describes the la[...]

  • Page 587

    CHAPTER 44 Service Control This chapter covers controlling access to the ZyWALL. See Chapter 43 on page 575 for the general system configuration screens. 44.1 Service Control Overview Use this chapter to control which services can access the ZyWALL. The following figure shows secure and insecure management o[...]

  • Page 588

    Chapter 44 Service Control 44.1.1 Service Access Limitations A service cannot be used to access the ZyWALL when: 1 You have disabled that service in the corresponding screen. 2 The allowed IP address (address object) in the Service Control table does not match the client IP address (the ZyWALL disallows the[...]

  • Page 589

    Chapter 44 Service Control Figure 427 HTTP/HTTPS Implementation Note: If you disable HTTP in the WWW screen, then the ZyWALL blocks all HTTP connection attempts. 44.3 Configuring WWW Click System > WWW to open the WWW screen. Use this screen to specify from which zones you can access the ZyWALL using HTTP [...]

  • Page 590

    Chapter 44 Service Control Figure 428 System > WWW The following table describes the labels in this screen. Table 206 System > WWW LABEL DESCRIPTION HTTPS Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to acc[...]

  • Page 591

    Chapter 44 Service Control Admin/User Service Control Admin Service Control specifies from which zones an administrator can use HTTPS to manage the ZyWALL (using the web configurator). You can also specify the IP addresses from which the administrators can manage the ZyWALL. User Service Control specifies fr[...]

  • Page 592

    Chapter 44 Service Control 44.4 Service Control Rules Click Add or Edit in the Service Control table in a WWW, SSH, Telnet, FTP or SNMP screen to add a service control rule. Figure 429 System > Service Control Rule Edit The following table describes the labels in this screen. 44.5 HTTPS Example If you [...]

  • Page 593

    Chapter 44 Service Control 44.5.1 Internet Explorer Warning Messages When you attempt to access the ZyWALL HTTPS server, a Windows dialog box pops up asking if you trust the server certificate. Click View Certificate if you want to verify that the certificate is from the ZyWALL. You see the following Secu[...]

  • Page 594

    Chapter 44 Service Control Figure 431 Security Certificate 1 (Netscape) Figure 432 Security Certificate 2 (Netscape) 44.5.3 Avoiding Browser Warning Messages The following describes the main reasons that your browser displays warnings about the ZyWALL’s HTTPS server certificate and what you can do to avo[...]

  • Page 595

    Chapter 44 Service Control 44.5.4 Login Screen After you accept the certificate, the ZyWALL login screen appears. The lock displayed in the bottom of the browser status bar denotes a secure connection. Figure 433 Login Screen (Internet Explorer) 44.5.5 Enrolling and Importing SSL Client Certificates The SSL c[...]

  • Page 596

    Chapter 44 Service Control Figure 435 CA Certificate Example 2 Click Install Certificate and follow the wizard as shown earlier in this appendix. 44.5.5.2 Installing Your Personal Certificate(s) You need a password in advance. The CA may issue the password or you may have to specify it during the enrollme[...]

  • Page 597

    Chapter 44 Service Control 2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 437 Personal Certificate Import Wizard 2 3 Enter the password given to you by the CA. Figure 438 Pe[...]

  • Page 598

    Chapter 44 Service Control Figure 439 Personal Certificate Import Wizard 4 5 Click Finish to complete the wizard and begin the import process. Figure 440 Personal Certificate Import Wizard 5 6 You should see the following screen when the certificate is correctly installed on your computer. Figure 441 Personal[...]

  • Page 599

    Chapter 44 Service Control 44.5.6 Using a Certificate When Accessing the ZyWALL Example Use the following procedure to access the ZyWALL via HTTPS. 1 Enter ‘https://ZyWALL IP Address/’ in your browser’s web address field. Figure 442 Access the ZyWALL Via HTTPS 2 When Authenticate Client Certificates is se[...]

  • Page 600

    Chapter 44 Service Control 44.6 SSH You can use SSH (Secure SHell) to securely access the ZyWALL’s command line interface. Specify which zones allow SSH access and from which IP address the access can come. SSH is a secure communication protocol that combines authentication and data encryption to provide [...]

  • Page 601

    Chapter 44 Service Control The client automatically saves any new server public keys. In subsequent connections, the server public key is checked against the saved version on the client computer. 2 Encryption Method Once the identification is verified, both the client and server must agree on the type of encryp[...]

  • Page 602

    Chapter 44 Service Control The following table describes the labels in this screen. 44.7 Secure Telnet Using SSH Examples This section shows two examples using a command interface and a graphical interface SSH client program to remotely access the ZyWALL. The configuration and connection steps are similar fo[...]

  • Page 603

    Chapter 44 Service Control Figure 448 SSH Example 1: Store Host Key Enter the password to log in to the ZyWALL. The CLI screen displays next. 44.7.2 Example 2: Linux This section describes how to access the ZyWALL using the OpenSSH client program that comes with most Linux distributions. 1 Test whether the [...]

  • Page 604

    Chapter 44 Service Control 3 The CLI screen displays next. 44.8 Telnet You can use Telnet to access the ZyWALL’s command line interface. Specify which zones allow Telnet access and from which IP address the access can come. 44.8.1 Configuring Telnet Click System > TELNET to configure your ZyWALL [...]

  • Page 605

    Chapter 44 Service Control 44.9 Configuring FTP You can upload and download the ZyWALL’s firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. Please see Chapter 45 on page 615 for more information about firmware and configuration files. To change your Z[...]

  • Page 606

    Chapter 44 Service Control 44.10 SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices. Your ZyWALL supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyWALL through the network. The ZyWALL supports S[...]

  • Page 607

    Chapter 44 Service Control An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network ma[...]

  • Page 608

    Chapter 44 Service Control 44.10.3 Configuring SNMP To change your ZyWALL’s SNMP settings, click System > SNMP tab. The screen appears as shown. Use this screen to configure your SNMP settings, including from which zones SNMP can be used to access the ZyWALL. You can also specify from which IP addres[...]

  • Page 609

    Chapter 44 Service Control 44.11 Dial-in Management Connect an external serial modem to the AUX port to provide a management connection in case the ZyWALL’s other WAN connections are down. This is like an auxiliary interface, except it is used for management connections coming into the ZyWALL instead of [...]

  • Page 610

    Chapter 44 Service Control Figure 455 System > Dial-in Mgmt The following table describes the labels in this screen. 44.13 Vantage CNM Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, mo[...]

  • Page 611

    Chapter 44 Service Control 44.14 Configuring Vantage CNM Vantage CNM is disabled on the device by default. Click System > Vantage CNM to configure your device’s Vantage CNM settings. Figure 456 System > Vantage CNM The following table describes the labels in this screen. Table 214 System > Va[...]

  • Page 612

    Chapter 44 Service Control HTTPS Authentication When you are using HTTPS, select this option to have the ZyWALL authenticate the Vantage CNM server’s certificate. In order to do this you need to import the Vantage CNM server’s public key (certificate) into the ZyWALL’s trusted certificates. Vantage[...]

  • Page 613

    613 PART VII Maintenance & Troubleshooting: File Manager (615), Logs (625), Reports (637), Diagnostics (647), Reboot (649), Troubleshooting (651)[...]


  • Page 615

    CHAPTER 45 File Manager This chapter covers how to use the ZyWALL’s File Manager screens to handle the ZyWALL’s configuration, firmware and shell script files. 45.1 Configuration Files and Shell Scripts Overview The File Manager screens allow you to store multiple configuration files and shell script f[...]

  • Page 616

    Chapter 45 File Manager While configuration files and shell scripts have the same syntax, the ZyWALL applies configuration files differently than it runs shell scripts. This is explained below. You have to run the example in Figure 457 on page 615 as a shell script because the first command is run in Privileg[...]

  • Page 617

    Chapter 45 File Manager Lines 1 and 2 are comments. Line 5 exits sub command mode. 45.1.2 Errors in Configuration Files or Shell Scripts When you apply a configuration file or run a shell script, the ZyWALL processes the file line-by-line. The ZyWALL checks the first line and applies the line if no errors ar[...]

  • Page 618

    Chapter 45 File Manager You can change the way the startup-config.conf file is applied. Include the setenv-startup stop-on-error off command. The ZyWALL ignores any errors in the startup-config.conf file and applies all of the valid commands. The ZyWALL still generates a log for any errors. 45.2 Configurat[...]

  • Page 619

    Chapter 45 File Manager The following table describes the labels in this screen. Table 216 Maintenance > File Manager > Configuration File LABEL DESCRIPTION Download Click a configuration file’s row to select it and click Download to save the configuration to your computer. Copy Use this button to sa[...]

  • Page 620

    Chapter 45 File Manager 45.3 Firmware Package Screen Click Maintenance > File Manager > Firmware Package to open the Firmware Package screen. Use the Firmware Package screen to check your current firmware version and upload firmware to the ZyWALL. Note: The web configurator is the recommended method fo[...]

  • Page 621

    Chapter 45 File Manager The ZyWALL’s firmware package cannot go through the ZyWALL when you enable the anti-virus Destroy compressed files that could not be decompressed option. The ZyWALL classifies the firmware package as not being able to be decompressed and deletes it. You can upload the firmware p[...]

  • Page 622

    Chapter 45 File Manager Figure 462 Firmware Upload In Process The ZyWALL automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop. Figure 463 Network Temporarily Disconnected After five minutes, log in again and ch[...]

  • Page 623

    Chapter 45 File Manager Figure 465 Maintenance > File Manager > Shell Script Each field is described in the following table. Table 218 Maintenance > File Manager > Shell Script LABEL DESCRIPTION Download Click a shell script file’s row to select it and click Download to save the configuration to [...]

  • Page 624

    Chapter 45 File Manager Rename Use this button to change the label of a shell script file on the ZyWALL. You cannot rename a shell script to the name of another shell script in the ZyWALL. Click a shell script’s row to select it and click Rename to open the Rename File screen. Figure 467 Maintenance > Fil[...]

  • Page 625

    CHAPTER 46 Logs This chapter provides general information about the ZyWALL’s log feature. See Appendix B on page 663 for individual log descriptions. The following table displays the maximum number of system log messages in the ZyWALL. Note: When a log reaches the maximum number of log messages, new log me[...]

  • Page 626

    Chapter 46 Logs Figure 468 Maintenance > Log > View Log If an event generates log messages and alerts, it is displayed in red. Otherwise, it is displayed in black. The following table describes the labels in this screen. Table 220 Maintenance > Log > View Log LABEL DESCRIPTION Show Filter / Hid[...]

  • Page 627

    Chapter 46 Logs The Web configurator saves the filter settings if you leave the View Log screen and return to it later. 46.2 Log Settings Screens The Log Settings screens control log messages and alerts. A log message stores the information for viewing (for example, in the View Log tab) or regular e-mai[...]

  • Page 628

    Chapter 46 Logs For alerts, the Log Settings tab controls which events generate alerts and where alerts are e-mailed. The Log Settings Summary screen provides a summary of all the settings. You can use the Log Settings Edit screen to maintain the detailed settings (such as log categories, e-mail addresses, ser[...]

  • Page 629

    Chapter 46 Logs 46.3.1 Log Settings Edit E-mail The Log Settings Edit screen controls the detailed settings for each log in the system log (which includes the e-mail profiles). Go to the Log Settings Summary screen (see Section 46.3 on page 628), and click the appropriate Edit icon. Modify This column provides [...]

  • Page 630

    Chapter 46 Logs Figure 470 Maintenance > Log > Log Setting > E-mail > Edit[...]

  • Page 631

    Chapter 46 Logs The following table describes the labels in this screen. Table 222 Maintenance > Log > Log Setting > E-mail > Edit LABEL DESCRIPTION E-Mail Server 1/2 Active Select this to send log messages and alerts according to the information in this section. You specify what kinds of log messa[...]

  • Page 632

    46.3.2 Log Settings Edit syslog The Log Settings Edit screen controls the detailed settings for each log in the remote server (syslog). Go to the Log Settings Summary screen (see Section 46.3 on page 628), and click the appropriate Edit icon. Log Consolidation Active Select this to activate log[...]

  • Page 633

    Figure 471 Maintenance > Log > Log Setting > Remote Server > Edit[...]

  • Page 634

    The following table describes the labels in this screen. 46.3.3 Active Log Summary The Active Log Summary screen allows you to view and to edit what information is included in the system log, e-mail profiles, and remote servers at the same time. It does not let you change other log settings (fo[...]

  • Page 635

    Figure 472 Active Log Summary This screen provides a different view and a different way of indicating which messages are included in each log and each alert. Please see Section 46.3.1 on page 629, where this process is discussed. (The Default category includes debugging messages generated by [...]

  • Page 636

    Selection Select what information you want to log from each Log Category (except All Logs; see below). Choices are: disable all logs (red X) - do not log any information from this category enable normal logs (green checkmark) - log regular information and alerts from this category enable all lo[...]

  • Page 637

    CHAPTER 47 Reports This chapter provides information about the report screens. 47.1 Traffic Screen Click Maintenance > Report > Traffic to display the Traffic screen. The Traffic screen provides basic information about the following metrics: • Most-visited Web sites and the number of times eac[...]

  • Page 638

    Figure 473 Maintenance > Report > Traffic There is a limit on the number of records shown in the report. Please see Table 226 on page 640 for more information. The following table describes the labels in this screen. Table 225 Maintenance > Report > Traffic LABEL DESCRIPTION[...]

  • Page 639

    Traffic Type Select the type of report to display. Choices are: Host IP Address/User - displays the IP addresses or users with the most traffic and how much traffic has been sent to and from each one. Service/Port - displays the most-used protocols or service ports and the amount of traffic[...]

  • Page 640

    The following table displays the maximum number of records shown in the report, the byte count limit, and the hit count limit. 47.2 Session Screen The Session screen displays information about active sessions for debugging or statistical analysis. It is not possible to manage sessions in thi[...]

  • Page 641

    Figure 474 Maintenance > Report > Session The following table describes the labels in this screen. Table 227 Maintenance > Report > Session LABEL DESCRIPTION View Select how you want the information to be displayed. Choices are: sessions by users - display all active sessions by u[...]

  • Page 642

    47.3 Anti-Virus Report Screen Click Maintenance > Report > Anti-Virus to display the following screen. This screen displays anti-virus statistics. Figure 475 Maintenance > Report > Anti-Virus: Virus Name The following table describes the labels in this screen. Protocol Service[...]

  • Page 643

    The statistics display as follows when you display the top entries by source. Figure 476 Maintenance > Report > Anti-Virus: Source The statistics display as follows when you display the top entries by destination. Figure 477 Maintenance > Report > Anti-Virus: Destination 47.4 IDP[...]

  • Page 644

    Figure 478 Maintenance > Report > IDP: Signature Name The following table describes the labels in this screen. Table 229 Maintenance > Report > IDP LABEL DESCRIPTION Collect Statistics Select this check box to have the ZyWALL collect IDP statistics. The collection start[...]

  • Page 645

    The statistics display as follows when you display the top entries by source. Figure 479 Maintenance > Report > IDP: Source The statistics display as follows when you display the top entries by destination. Figure 480 Maintenance > Report > IDP: Destination Type This column displ[...]


  • Page 647

    CHAPTER 48 Diagnostics This chapter covers how to use the Diagnostics screen. 48.1 Diagnostics The Diagnostics screen provides an easy way for you to generate a file containing the ZyWALL's configuration and diagnostic information. You may need to generate this file and send it to customer support during t[...]


  • Page 649

    CHAPTER 49 Reboot Use this to restart the device (for example, if the device begins behaving erratically). See also Section 1.4 on page 55 for information on different ways to start and stop the ZyWALL. If you applied changes in the Web configurator, these were saved automatically and do not change when y[...]


  • Page 651

    CHAPTER 50 Troubleshooting This chapter offers some suggestions to solve problems you might encounter. I cannot set up an IPSec VPN tunnel to another device. If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into both ZyXEL IPSec router[...]

  • Page 652

    Routing policies define how the ZyWALL forwards packets to their destinations. You must create a policy route for the ZyWALL to route VPN traffic through a VPN tunnel to the remote network. The VPN wizard automatically creates a corresponding policy route. If you use the VPN[...]

  • Page 653

    If you want to reboot the device without changing the current configuration, see Chapter 49 on page 649. 1 Make sure the SYS LED is on and not blinking. 2 Press the RESET button and hold it until the SYS LED begins to blink. (This usually takes about five seconds.) 3 Release the RESET[...]


  • Page 655

    PART VIII Appendices and Index Product Specifications (657) Common Services (703) Displaying Anti-Virus Alert Messages in Windows (707) Open Software Announcements (719) Legal Information (755) Customer Support (759) Index (765)[...]


  • Page 657

    APPENDIX A Product Specifications The following specifications are subject to change without notice. See Chapter 2 on page 57 for a general overview of key features. This table provides basic device specifications. This table provides hardware specifications. This table gives details about the ZyWALL's fea[...]

  • Page 658

    Table 233 Feature Specifications VERSION # FEATURE V2.00 # of MAC 5 Flash Size 256 DRAM Size 1024 INTERFACE VLAN 32 Virtual (alias) 4 per interface PPP 12 Bridge 12 ROUTING Static Routes 256 Policy Routes 5,000 Sessions 200,000 NAT Virtual Servers up to 1,024 Trigger Port R[...]

  • Page 659

    Service Groups 1000 Schedule Objects 512 ISP Accounts 128 Maximum Number of LDAP Groups 16 Maximum Number of LDAP Servers for Each LDAP Group 4 Maximum Number of RADIUS Groups 16 Maximum Number of RADIUS Servers for Each RADIUS Group 4 Maximum Number of Authentication Methods 1[...]

  • Page 660

    The following table, which is not exhaustive, lists standards referenced by ZyWALL features. Maximum Number of Content Filter Policies 64 Maximum Number of Content Filter Profiles 64 Maximum Number of Forbidden Domain Entries 256 per profile Maximum Number of Trusted Domain E[...]

  • Page 661

    Built-in service, SNMP agent RFCs 1067, 1213, 2576, 2578, 2579, 2580, 2741, 2667, 2981, 3371 Login, LDAP support. RFCs 2251, 2252, 2253, 2254, 2255, 2256, 2589, 2829, 2830 Used by Apache RFCs 2437, 2246, 2560, 2712, 3268, 3280, 3820, 4132 Built-in service, FTP server RFCs 959 [...]


  • Page 663

    APPENDIX B Log Descriptions This appendix provides descriptions of example log messages. Table 235 Content Filter Logs LOG MESSAGE DESCRIPTION Content filter has been enabled An administrator turned the content filter on. Content filter has been disabled An administrator turned the content filter off. Table 23[...]

  • Page 664

    %s: Service is unavailable Content filter rating service is temporarily unavailable and access to the web site was blocked due to: 1. Can't resolve rating server IP (No DNS) 2. Invalid service license 4. Rating service is restarting 5. Can't connect to rating server 6. Query[...]

  • Page 665

    Table 238 User Logs LOG MESSAGE DESCRIPTION %s %s has logged in from %s The specified user signed in. 1st %s: Administrator|Limited-Admin|User|Ext-User|Guest 2nd %s: username 3rd %s: service name (HTTP/HTTPS, FTP, telnet, SSH, console) NOTE field: %s means username. %s %s has logged [...]

  • Page 666

    Table 239 myZyXEL.com Logs LOG MESSAGE DESCRIPTION Send registration message to MyZyXEL.com server has failed. The device was not able to send a registration message to MyZyXEL.com. Get server response has failed. The device sent packets to the MyZyXEL.com server, but did not rece[...]

  • Page 667

    Service expiration check has succeeded. The service expiration day check was successful. Service expiration check has failed. Because of lack must fields. The device received an incomplete response from the myZyXEL.com server and it caused a parsing error for the device. Server settin[...]

  • Page 668

    Update server is busy now. File download after %d seconds. The update server was busy so the device will wait for the specified number of seconds and send the download request to the update server again. Device has latest file. No need to update. The device already has the latest ve[...]

  • Page 669

    Do expiration daily-check has failed. Because of lack must fields. The device received an incomplete response to the daily service expiration check and the packets caused a parsing error for the device. Server setting error. The device could not retrieve the server's IP address o[...]

  • Page 670

    Certification verification failed: Depth: %d, Error Number(%d):%s. Verification of a server's certificate failed while processing an HTTPS connection. This log identifies the reason for the failure. 1st %d: certificate chain level 2nd %d: error number %s: error message Certi[...]

  • Page 671

    IDP service standard license is expired. Update signature failed. IDP service standard license is expired. IDP signature cannot update. IDP service standard license is not registered. Update signature failed. IDP service standard license is not registered. IDP signature cannot update.[...]

  • Page 672

    IDP off-line update failed. File damaged. IDP signature off-line update failed. Signature file maybe corrupt. IDP signature update failed. File crashed. IDP signature update failed. Decrypt signature file failed. IDP signature update failed. File damaged. IDP signature update failed[...]

  • Page 673

    IDP signature update failed. Invalid signature content. IDP signature update failed. Sigquery check signature content failed. System internal error. Create IDP traffic anomaly entry failed. System internal error. Create IDP traffic anomaly entry failed. Query signature version failed.[...]

  • Page 674

    System fatal error: 60018009. Error when do ioctl L7_ACTION_IOCTL_ADDR_USAGE. System fatal error: 60018010. Error when do ioctl L7_ACTION_IOCTL_PROTO_ADDR_NUMS. System fatal error: 60018011. Fail to user lib user_profile to retrieve current login user. System fatal error: 60018012. F[...]

  • Page 675

    App Patrol Name=%s Type=%s %s=%d Protocol=%s Action=%s Packets logging. 1st %s: Protocol Name, 2nd %s: Category Name, 3rd %s: Default Rule or Exception Rule, 1st %d: Rule Index, 4th %s: TCP or UDP, 5th %s: Action. App Patrol resources ran out. User %s is unrestricted by rule [ %s:%d ][...]

  • Page 676

    [SA] : Tunnel [%s] Phase 1 authentication algorithm mismatch %s is the tunnel name. When negotiating Phase-1, the authentication algorithm did not match. [SA] : Tunnel [%s] Phase 1 authentication method mismatch %s is the tunnel name. When negotiating Phase-1, the authentication m[...]

  • Page 677

    Cannot resolve My IP Addr %s for Tunnel [%s] 1st %s is my ip address. 2nd %s is the tunnel name. When selecting a matched proposal in phase-1, the engine could not get My-IP address. Cannot resolve Secure Gateway Addr %s for Tunnel [%s] 1st %s is my ip address. 2nd %s is the tunnel nam[...]

  • Page 678

    The cookie pair is : 0x%08x%08x / 0x%08x%08x Indicates the initiator/responder cookie pair. The IPSec tunnel "%s" is already established %s is the tunnel name. When dialing a tunnel, the tunnel is already dialed. Tunnel [%s] built successfully %s is the tunnel name. The p[...]

  • Page 679

    Tunnel [%s:%s] Sending IKE request The variables represent the phase 1 name and tunnel name. The device sent an IKE request. Tunnel [%s:0x%x] is disconnected The variables represent the tunnel name and the SPI of a tunnel that was disconnected. Tunnel [%s] rekeyed successfully %s is th[...]

  • Page 680

    Table 244 Firewall Logs LOG MESSAGE DESCRIPTION priority:%lu, from %s to %s, service %s, %s 1st variable is the global index of rule, 2nd is the from zone, 3rd is the to zone, 4th is the service name, 5th is ACCEPT/DROP/REJECT. %s:%d: in %s(): Firewall is dead, trace to %s is whic[...]

  • Page 681

    Cannot get handle from UAM, user-aware PR is disabled User-aware policy routing is disabled due to some reason. mblock: allocate memory failed! Allocating policy routing rule fails: insufficient memory. pt: allocate memory failed! Allocating policy routing rule fails: insufficient memo[...]

  • Page 682

    Table 247 Built-in Services Logs LOG MESSAGE DESCRIPTION User on %u.%u.%u.%u has been denied access from %s HTTP/HTTPS/TELNET/SSH/FTP/SNMP access to the device was denied. %u.%u.%u.%u is IP address %s is HTTP/HTTPS/SSH/SNMP/FTP/TELNET HTTPS certificate:%s does not exist. HTTPS servi[...]

  • Page 683

    Console baud has been changed to %s. An administrator changed the console port baud rate. %s is baud rate assigned by user Console baud has been reset to %d. An administrator changed the console port baud rate back to the default (115200). %d is default baud rate DHCP Server on Inter[...]

  • Page 684

    The default record of Zone Forwarder have reached the maximum number of 128 DNS servers. The default record DNS servers is more than 128. Interface %s ping check is successful. Zone Forwarder adds DNS servers in records. Ping check ok, add DNS servers in bind. %s is interface name In[...]

  • Page 685

    Access control rule %d of %s was moved to %d. An access control rule was moved successfully. 1st %d is the previous index. %s is HTTP/HTTPS/SSH/SNMP/FTP/TELNET. 2nd %d is current previous index. SNMP trap can not be sent successfully Cannot send a SNMP trap to a remote host due to ne[...]

  • Page 686

    Receive an ARP response from an unknown client The device received an ARP response from an unknown client. In total, received %d arp response packets for the requested IP address The device received the specified total number of ARP response packets for the requested IP address. Clea[...]

  • Page 687

    Update the profile %s has failed because the FQDN %s is not under your control. The owner of this FQDN is not the user, 1st %s is the profile name, 2nd %s is the FQDN of the profile. Update the profile %s has failed because the FQDN %s was blocked for abuse. The FQDN is blocked by Dyn[...]

  • Page 688

    Update the profile %s has failed because Custom IP was empty. The DDNS profile's IP select type is custom, and a custom IP was not defined, %s is the profile name. Update the profile %s has failed because WAN interface was empty. If the DDNS profile's IP select type is i[...]

  • Page 689

    DDNS has been enabled by Device-HA. DDNS is enabled by Device-HA, because one of VRRP groups is active. Disable DDNS has succeeded. Disable DDNS. Enable DDNS has succeeded. Enable DDNS. DDNS profile %s has been renamed as %s. Rename DDNS profile, 1st %s is the original profile name, 2[...]

  • Page 690

    Can't get remote address of %s interface The connectivity check process can't get remote address of PPP interface %s: interface name Can't get NETMASK address of %s interface The connectivity check process can't get netmask address of interface. %s: interface nam[...]

  • Page 691

    Master configuration is the same with Backup. Skip updating it. The System Startup configuration file synchronized from the Master is the same with the one in the Backup, so the configuration does not have to be updated. %s file not existed, Skip syncing it for %s There is no file [...]

  • Page 692

    Device HA authentication type for VRRP group %s maybe wrong. A VRRP group's Authentication Type (Md5 or IPSec AH) configuration may not match between the Backup and the Master. %s: The name of the VRRP group. Device HA authenticaton string of text for VRRP group %s maybe wrong. A [...]

  • Page 693

    Table 251 Routing Protocol Logs LOG MESSAGE DESCRIPTION RIP on interface %s has been stopped because Device-HA binds this interface. Device-HA is currently running on the interface %s, so all the local service have to be stopped including RIP. %s: Interface Name RIP on all interfaces[...]

  • Page 694

    RIP md5 authentication id and key have been deleted. RIP md5 authentication id and key have been deleted. RIP global version has been deleted. RIP global version has been deleted. RIP redistribute OSPF routes has been disabled. RIP redistribute OSPF routes has been disabled. RIP redi[...]

  • Page 695

    Invalid OSPF virtual-link %s authentication of area %s. Virtual-link %s authentication has been set to same-as-area but the area has invalid authentication configuration. %s: Virtual-Link ID Invalid OSPF md5 authentication on interface %s. Invalid OSPF md5 authentication is set on [...]

  • Page 696

    Register H.323 ALG extra port=%d failed. H323 ALG apply additional signal port failed. %d: Port number Register H.323 ALG signal port=%d failed. H323 ALG apply signal port failed. %d: Port number Register FTP ALG extra port=%d failed. FTP ALG apply additional signal port failed. %d:[...]

  • Page 697

    Import X509 certificate "%s" into My Certificate successfully The device imported a x509 format certificate into My Certificates. %s is the certificate request name. Import X509 certificate "%s" into Trusted Certificate successfully The device imported a x509 for[...]

  • Page 698

    Export X509 certificate "%s" from "My Certificate" failed The device was not able to export a x509 format certificate from My Certificates. %s is the certificate request name. Import PKCS#12 certificate "%s" with incorrect password An administrator used t[...]

  • Page 699

    27 Path was not verified. 28 Maximum path length reached. Table 254 Interface Logs LOG MESSAGE DESCRIPTION Interface %s has been deleted. An administrator deleted an interface. %s is the interface name. AUX Interface dialing failed. This AUX interface is not enabled. A user tried to[...]

  • Page 700

    %s MTU > (%s MTU - 8), %s may not work correctly. An administrator configured a PPP interface, PPP interface MTU > (base interface MTU - 8), PPP interface may not run correctly because PPP packets will be fragmented by base interface and peer will not receive correct PPP packet[...]

  • Page 701

    Interface %s is disconnected. A PPP or AUX interface disconnected successfully. %s: interface name. Interface %s connect failed: Peer not responding. The interface's connection will be terminated because the server did not send any LCP packets. %s: interface name. Interface %s co[...]

  • Page 702

    Table 257 Force Authentication Logs LOG MESSAGE DESCRIPTION Force User Authentication will be enabled due to http server is enabled. Force user authentication will be turned on because HTTP server was turned on. Force User Authentication will be disabled due to http server is disab[...]

  • Page 703

    APPENDIX C Common Services The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Number Authority) web site. • Name: This is a short, descriptive [...]

  • Page 704

    FTP TCP TCP 20 21 File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail. H.323 TCP 1720 NetMeeting uses this protocol. HTTP TCP 80 Hyper Text Transfer Protocol - a client/server protocol for the world wide we[...]

  • Page 705

    RTSP TCP/UDP 554 The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet. SFTP TCP 115 Simple File Transfer Protocol. SMTP TCP 25 Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to m[...]


  • Page 707

    APPENDIX D Displaying Anti-Virus Alert Messages in Windows With the anti-virus packet scan, when a virus is detected, you can have the ZyWALL display an alert message on Microsoft Windows-based computers. If the log shows that virus files are being detected but your Microsoft Windows-based computer is [...]

  • Page 708

    Figure 484 Windows XP: Starting the Messenger Service 3 Close the window when you are done. Windows 2000 1 Click Start > Settings > Control Panel > Administrative Tools > Services. Figure 485 Windows 2000: Opening the Services Window 2 S[...]

  • Page 709

    Figure 486 Windows 2000: Starting the Messenger Service 3 Close the window when you are done. Windows 98 SE/Me For Windows 98 SE/Me, you must open the WinPopup window in order to view real-time alert messages. Click Start > Run and enter “winpo[...]

  • Page 710

    Figure 489 Windows 98 SE: Task Bar Properties 3 Double-click Programs and click StartUp. 4 Right-click in the StartUp pane and click New, Shortcut. Figure 490 Windows 98 SE: StartUp 5 A Create Shortcut window displays. Enter “winpopup?[...]

  • Page 711

    Figure 491 Windows 98 SE: Startup: Create Shortcut 6 Specify a name for the shortcut or accept the default and click Finish. Figure 492 Windows 98 SE: Startup: Select a Title for the Program 7 A shortcut is created in the StartUp pane. Restart th[...]

  • Page 712

    Figure 493 Windows 98 SE: Startup: Shortcut The WinPopup window displays after the computer finishes the startup process (see Figure 487 on page 709).[...]

  • Page 713

    APPENDIX E Importing Certificates This appendix shows importing certificates examples using Netscape Navigator and Internet Explorer 5. This appendix uses the ZyWALL 70 as an example. Other models should be similar. Import ZyWALL Certificates into Netscape Navigator In Netscape Navigator, you can perman[...]

  • Page 714

    Figure 495 Login Screen 2 Click Install Certificate to open the Install Certificate wizard. Figure 496 Certificate General Information before Import 3 Click Next to begin the Install Certificate wizard.[...]

  • Page 715

    Figure 497 Certificate Import Wizard 1 4 Select where you would like to store the certificate and then click Next. Figure 498 Certificate Import Wizard 2 5 Click Finish to complete the Import Certificate wizard.[...]

  • Page 716

    Figure 499 Certificate Import Wizard 3 6 Click Yes to add the ZyWALL certificate to the root store. Figure 500 Root Certificate Store[...]

  • Page 717

    Figure 501 Certificate General Information after Import[...]


  • Page 719

    APPENDIX F Open Software Announcements Notice Information herein is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, exc[...]

  • Page 720

    This Product includes Netkit Telnet-0.17 software under the Netkit Telnet License Netkit Telnet License Copyright (c) 1989 Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modifi[...]

  • Page 721

    This Product includes expat-1.95.6 software under the Expat License Expat License Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documen[...]

  • Page 722

    This Product includes openssl-0.9.8d-ocf software under the OpenSSL License OpenSSL The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual lice[...]

  • Page 723

    OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsof[...]

  • Page 724

    This Product includes libevent-1.1a and xinetd-2.3.14 software under a 3-clause BSD License a 3-clause BSD-style license This is a Free Software License • This license is compatible with The GNU General Public License, Version 1 • This license is compa[...]

  • Page 725

    The ISC license for bind is: Copyright (c) 1993-1999 by Internet Software Consortium. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission noti[...]

  • Page 726

    Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections[...]

  • Page 727

    2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly di[...]

  • Page 728

    6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTI[...]

  • Page 729

    Products derived from this software may not be called "Apache", nor may "Apache" appear in their name, without prior written permission of the Apache Software Foundation. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WAR[...]

  • Page 730

    This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about[...]

  • Page 731

    For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free librar[...]

  • Page 732

    2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) The[...]

  • Page 733

    However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by[...]

  • Page 734

    It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribu[...]

  • Page 735

    12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding [...]

  • Page 736

    • This Product includes bridge-utils, dhcpcd-1.3.22-pl4, rp-pppoe-3.5, vlan-1.8, keepalived-1.1.11-p1, quagga-0.99.2, ez-ipupdate-3.0.11b7, proftpd-1.2.10, libol-0.3.14, syslog-ng-1.6.5, pam-0.76, bison, tzcode2006c, iproute2, iptables-1.2.11/netfilter (kernel[...]

  • Page 737

    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program&qu[...]

  • Page 738

    right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does[...]

  • Page 739

    7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do n[...]

  • Page 740

    FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE[...]

  • Page 741

    AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. • This Product includes libxml2-2.6.8 so[...]

  • Page 742

    THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. I[...]

  • Page 743

    2.1 GUBUSOFT hereby grants Customer the following non-exclusive, non-transferable right to use the SOFTWARE. 2.1.3 LIMITATIONS Customer may not rent, lease, or transfer the rights to the SOFTWARE to someone else. Customer may redistribute and use SOFTWARE in source co[...]

  • Page 744

    Defensive Suspension. If Customer commences or participates in any legal proceeding against GUBUSOFT, then GUBUSOFT may, in its sole discretion, suspend or terminate all license grants and any other rights provided under this LICENSE during the pendency of such legal [...]

  • Page 745

    • This Product includes overLIB software under the overLIB License (Artistic). License (Artistic) Preamble: The intent of this document is to state the conditions under which a Package may be copied, such that the Copyright Holder maintains some semblance of artistic c[...]

  • Page 746

    make other distribution arrangements with the Copyright Holder. You may distribute the programs of this Package in object code or executable form, provided that you do at least ONE of the following: distribute a Standard Version of the executables and library files,[...]

  • Page 747

    BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. THE LICENSOR GRANTS YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS. 1. Definitions a. "Collective Work[...]

  • Page 748

    ii. Mechanical Rights and Statutory Royalties. Licensor waives the exclusive right to collect, whether individually or via a music rights agency or designated agent (e.g. Harry Fox Agency), royalties for any phonorecord You create from the Work ("cover version&[...]

  • Page 749

    5. Representations, Warranties and Disclaimer UNLESS OTHERWISE MUTUALLY AGREED TO BY THE PARTIES IN WRITING, LICENSOR OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INC[...]

  • Page 750

    e. This License constitutes the entire agreement between the parties with respect to the Work licensed here. There are no understandings, agreements or representations with respect to the Work not specified here. Licensor shall not be bound by any additional provisi[...]

  • Page 751

    You have no ownership rights in the Software. Rather, you have a license to use the Software as long as this License Agreement remains in full force and effect. Ownership of the Software, Documentation and all intellectual property rights therein shall remain at all t[...]

  • Page 752

    THE WAIVER OR EXCLUSION OF IMPLIED WARRANTIES SO THEY MAY NOT APPLY TO YOU. IF THIS EXCLUSION IS HELD TO BE UNENFORCEABLE BY A COURT OF COMPETENT JURISDICTION, THEN ALL EXPRESS AND IMPLIED WARRANTIES SHALL BE LIMITED IN DURATION TO A PERIOD OF THIRTY (30) DAYS [...]

  • Page 753

    This License Agreement is effective until it is terminated. You may terminate this License Agreement at any time by destroying or returning to ZyXEL all copies of the Software and Documentation in your possession or under your control. ZyXEL may terminate this License Ag[...]

  • Page 754


  • Page 755

    ZyWALL USG 1000 User’s Guide 755
    APPENDIX G Legal Information
    Copyright
    Copyright © 2007 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechan[...]

  • Page 756

    Appendix G Legal Information ZyWALL USG 1000 User’s Guide 756
    FCC Warning
    This device has been tested and found to comply with the limits for a Class A digital switch, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a commercial environment. This device generat[...]

  • Page 757

    Note: Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in n[...]

  • Page 758


  • Page 759

    ZyWALL USG 1000 User’s Guide 759
    APPENDIX H Customer Support
    Please have the following information ready when you contact customer support.
    Required Information
    • Product model and serial number.
    • Warranty Information.
    • Date that you received your device.
    • Brief description of the problem and the steps you took to solve it.
    [...]

  • Page 760

    Appendix H Customer Support ZyWALL USG 1000 User’s Guide 760
    • Regular Mail: ZyXEL Communications, Czech s.r.o., Modranská 621, 143 01 Praha 4 - Modrany, Ceská Republika
    Denmark
    • Support E-mail: support@zyxel.dk
    • Sales E-mail: sales@zyxel.dk
    • Telephone: +45-39-55-07-00
    • Fax: +45-39-55-07-07
    • Web: www.zyxel.dk
    • [...]

  • Page 761

    India
    • Support E-mail: support@zyxel.in
    • Sales E-mail: sales@zyxel.in
    • Telephone: +91-11-30888144 to +91-11-30888153
    • Fax: +91-11-30888149, +91-11-26810715
    • Web: http://www.zyxel.in
    • Regular Mail: India - ZyXEL Technology India Pvt Ltd., II-Floo[...]

  • Page 762

    • Regular Mail: ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 92806-2001, U.S.A.
    Norway
    • Support E-mail: support@zyxel.no
    • Sales E-mail: sales@zyxel.no
    • Telephone: +47-22-80-61-80
    • Fax: +47-22-80-61-81
    • Web: www.zyxel.no
    • Regular Mail: ZyXE[...]

  • Page 763

    Sweden
    • Support E-mail: support@zyxel.se
    • Sales E-mail: sales@zyxel.se
    • Telephone: +46-31-744-7700
    • Fax: +46-31-744-7701
    • Web: www.zyxel.se
    • Regular Mail: ZyXEL Communications A/S, Sjöporten 4, 41764 Göteborg, Sweden
    Thailand
    • Support E-mail: support@[...]

  • Page 764


  • Page 765

    Index ZyWALL USG 1000 User’s Guide 765
    Index Numerics 3DES 308 A AAA servers 531 and authentication methods 541 and users 504 LDAP Default 533 LDAP Group 534 LDAP group members 536 RADIUS default 537 RADIUS group 538 RADIUS group members 539 RADIUS. See also RADIUS. where used 122 access control 428 access users 503, 505 forcing login 505 forci[...]

  • Page 766

    and virtual servers 268 FTP 265 H.323 265, 266 peer-to-peer calls 268 RTP 266 See also VoIP pass through. 265 SIP 265, 267 SIP timeout 268 answer rings 610 Anti-Virus trial service activation 167 updating signatures 171 Anti-virus prerequisites 120 anti-virus 403 alert message 707 alerts 409 black list 4[...]

  • Page 767

    and policy routes 232 behavior 382 configured rate effect 383 examples 384 in application patrol 380 interface, outbound. See interfaces. interface’s bandwidth 385 maximize bandwidth usage 227, 232, 382, 383, 384, 395, 399 OSI level-7. See application patrol. over allotment of bandwidth 384 priority[...]

  • Page 768

    SSL 326 console port 55 speed 579 content (pattern) 439 content filtering 463, 464 and address groups 463, 464, 467 and address objects 463, 464, 467 and registration 466, 469 and schedules 463, 464, 467 and user groups 463 and users 463 by category 463, 468, 471 by keyword (in URL) 463, 480 b[...]

  • Page 769

    and interfaces 183 Domain Name System. See DNS. double-encoding 457 DTR 609 Dynamic Domain Name System. See DDNS. Dynamic Host Configuration Protocol. See DHCP. DynDNS 249 see also DDNS. E e-Donkey 427 EGP (Exterior Gateway Protocol) 451 EICAR 411 e-mail virus 403 e-Mule 427 Encapsulating Security Payload[...]

  • Page 770

    and address objects 513 and schedules 513 prerequisites 123 fragmentation flag 437 fragmentation offset 437 FTP 605 additional signaling port 270 and address groups 606 and address objects 606 and certificates 605 and zones 605 signaling port 270 with Transport Layer Security (TLS) 605 full tunnel mode 61[...]

  • Page 771

    IDP 418 Snort signatures 443 statistics 643 traffic directions 418 updating signatures 173 verifying custom signatures 442 IDP (Intrusion, Detection and Prevention) 417 IDP and AppPatrol trial service activation 167 IDP profiles 421 IDP service group 428 IDP signature categories 427 IDP signatures and sync[...]

  • Page 772

    IP static routes. See static routes. IP stream identifier 434 IPv4 packet headers 433 IPSec 291 basic troubleshooting 297 connections 296 Default_L2TP_VPN_Connection 346 Default_L2TP_VPN_Connection example 353 Default_L2TP_VPN_GW 346 Default_L2TP_VPN_GW example 351 established in two phases 291 L2TP VP[...]

  • Page 773

    types of 625 log options 409 log options (IDP) 426 logged in users 163 login default settings 657 SSL user 332 logo 328 logout SSL user 335 logs and firewall 287 configuration overview 124 descriptions 663 e-mail profiles 627 e-mailing log messages 626, 631 formats 628 log consolidation 632 specificatio[...]

  • Page 774

    and RIP 239 and static routes 239 and to-ZyWALL firewall 238 area 0 239 areas. See OSPF areas. authentication method 185 autonomous system (AS) 237 backbone 239 Configuration steps 240 direction 185 link cost 185 priority 185 redistribute 239 redistribute type (cost) 242 routers. See OSPF routers. virtual[...]

  • Page 775

    as VPN 211 product registration 757 profiles ADP 448 packet inspection 424 protocol usage statistics 400 protocol anomaly 448, 457 protocol anomaly detection 457 proxy servers 261 web. See web proxy servers. Public-Key Infrastructure (PKI) 546 public-private key pairs 545 Q query view (IDP) 426, 429 Quic[...]

  • Page 776

    and authentication algorithms 236 and Ethernet interfaces 185 RTP 266 See also ALG. 266 S safety warnings 7 same IP 438 scanner types 404 schedules 527 and content filtering 463, 464, 467 and current date/time 527 and firewall 287, 394, 396, 398 and force user authentication policies 513 and policy[...]

  • Page 777

    SSH 600 and address groups 602 and address objects 602 and certificates 602 and zones 602 client requirements 601 encryption methods 601 for secure Telnet 602 how connection is established 600 versions 601 with Linux 603 with Microsoft Windows 602 SSL 326, 588 certificates 332 computer names 326 full-tunne[...]

  • Page 778

    T T/TCP 458 task bar properties 710 TCP 521 ACK (acknowledgment) 453 ACK number 438 connections 521 port numbers 521 SYN (synchronize) 453 window size 438 TCP Decoder 457 TCP decoy portscan 451 TCP distributed portscan 451 TCP flag bits 438 TCP portscan 451 TCP portsweep 451 TCP RST 452 TCP SYN flood 453 T[...]

  • Page 779

    and content filtering 463 and firewall 287 and policy routes 230, 392, 394, 396, 398 configuration overview 122 user names rules 508 user portal See SSL user screens. 331, 334 user portal links 567 user portal logo 328 user sessions. See sessions. user SSL screens 331, 334 access methods 331 bookmarks [...]

  • Page 780

    advantages 318 and IPSec SA policy enforcement 320 disadvantages 318 VPN connections and address objects 296 and policy routes 230, 231, 296 VPN gateways and certificates 296 and extended authentication 296 and interfaces 296 and to-ZyWALL firewall 297 VPN. See also IKE SA, IPSec SA. VRRP 493 advertise[...]